
Campus Networks Typical Configuration Examples

Issue 01
Date 2020-06-04

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. i


Campus Networks Typical Configuration Examples Contents

Contents

1 About This Document.............................................................................................................1


2 Quick Guide to This Document............................................................................................ 4
3 Campus Network Connectivity Deployment.....................................................................6
3.1 Key Points of Network Connectivity Deployment........................................................................................................ 6
3.2 Deployment Differences Between Two-Layer and Three-Layer Network Architectures................................ 8
3.3 Deployment Differences Between a Standalone AC and an ACU2..................................................................... 10
3.4 Typical CSS and Stack Deployment................................................................................................................................ 11
3.5 Native AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users.....................23
3.6 Native AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users........... 37
3.7 Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users.................... 53
3.8 Native AC + SVF Solution: Parents Containing Aggregation Switches Function as Gateways for Wired and Wireless Users.................... 72
3.9 Standalone AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users........... 93
3.10 Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users.................... 115
3.11 Standalone AC Solution: Core Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively.................... 139
3.12 Standalone AC Solution: Aggregation Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively.................... 162

4 Campus Egress Deployment............................................................................................. 186


4.1 Key Points of Campus Egress Deployment................................................................................................................ 186
4.2 Deploying Firewalls as Egress Devices........................................................................................................................ 188
4.3 Deploying Firewalls in Off-Path Mode........................................................................................................................207
4.4 Connecting Firewalls to Egress Routers Directly..................................................................................................... 225
4.5 Deploying IPSec on Firewalls for Secure Communication with the Headquarters......................................244
4.6 Deploying IPSec on Egress Routers for Communication Between the Headquarters and Branch........ 262
4.7 Connecting an Egress Router in a Branch to the Headquarters Through a Private Line.......................... 276

5 Wireless Coverage Deployment....................................................................................... 292


5.1 Key Points of Wireless Coverage Deployment..........................................................................................................292
5.2 Common WLAN Coverage...............................................................................................................................................292
5.3 Agile Distributed Wi-Fi Coverage..................................................................................................................................294
5.4 High-Density WLAN Coverage....................................................................................................................................... 297


5.5 WDS Backhaul..................................................................................................................................................................... 300

6 Wired and Wireless User Access Authentication Deployment.................................311


6.1 Key Points of User Access Authentication Deployment........................................................................................ 311
6.2 Native AC + Free Mobility Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users.................... 313
6.3 Native AC + Policy Association Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users.................... 340
6.4 Native AC + NAC Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users.................... 370
6.5 Native AC + Policy Association Solution: Aggregation Switches Function as the Authentication Points for Wired and Wireless Users.................... 397
6.6 Native AC + NAC Solution: Aggregation Switches Function as the Authentication Points for Wired and Wireless Users.................... 430
6.7 Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point.................... 460
6.8 Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point.................... 486
6.9 Standalone AC + NAC Solution: Core Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively.................... 512
6.10 Standalone AC + NAC Solution: Aggregation Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively.................... 543

7 Security Deployment.......................................................................................................... 580


7.1 Key Points of Security Deployment.............................................................................................................................. 580
7.2 Campus Internal Network Security.............................................................................................................................. 581
7.2.1 Deployment Roadmap.................................................................................................................................................. 581
7.2.2 Example for Configuring Device Login Security................................................................................................... 595
7.2.3 Example for Configuring Access Device Security................................................................................................. 598
7.2.4 Example for Configuring Core Device Security..................................................................................................... 601
7.2.5 Example for Configuring Wireless Service Security............................................................................................. 603
7.3 Campus Egress Security....................................................................................................................................................604

8 QoS Deployment................................................................................................................. 622


8.1 Key Points of QoS Deployment..................................................................................................................................... 622
8.2 Aggregation Switch: Increasing the Priority of Special Traffic........................................................................... 623

9 Campus Network Deployment Practices....................................................................... 629


9.1 Network Deployment in Small- and Medium-Sized Stores (AR Router Functioning as an Egress Gateway).................... 629
9.1.1 Application Scenario and Service Requirements.................................................................................................. 629
9.1.2 Solution Design................................................................................................................................................................ 630
9.1.3 Deployment Roadmap and Data Plan..................................................................................................................... 631
9.1.4 Deployment Procedure..................................................................................................................................................636
9.1.4.1 Configuring the AR6300............................................................................................................................................ 636
9.1.4.2 Configuring the S5731-S........................................................................................................................................... 639
9.1.4.3 Configuring the AC6605............................................................................................................................................ 645


9.1.5 Verifying the Deployment............................................................................................................................................ 651


9.1.6 Configuration Files..........................................................................................................................................................651
9.2 Higher Education Campus Network Deployment (ME60 Used as the Gateway and Authentication Point + Firewall Used as the Egress).................... 655
9.2.1 Application Scenario and Service Requirements.................................................................................................. 655
9.2.2 Solution Design................................................................................................................................................................ 657
9.2.3 Deployment Roadmap and Data Plan..................................................................................................................... 660
9.2.4 Deployment Procedure.................................................................................................................................................. 676
9.2.4.1 Configuring Access Switches (S5735-L)............................................................................................................... 676
9.2.4.2 Configuring Aggregation Switches (S6730-H).................................................................................................. 678
9.2.4.3 Configuring the Core Switch (S12708E).............................................................................................................. 679
9.2.4.4 Configuring the ME60................................................................................................................................................ 682
9.2.4.5 Configuring Firewalls (USG6315E)........................................................................................................................ 690
9.2.5 Verifying the Deployment............................................................................................................................................ 696
9.2.6 Configuration Files..........................................................................................................................................................697
9.3 Deployment of a Subway Bearer Network Featuring High-Speed Self Recovery........................................709
9.3.1 Service Requirements and Solution Description...................................................................................................709
9.3.2 Basic Configurations...................................................................................................................................................... 713
9.3.2.1 Data Plan........................................................................................................................................................................ 713
9.3.2.2 Configuring Device Information............................................................................................................................. 717
9.3.2.3 Configuring Interfaces................................................................................................................................................718
9.3.2.4 Enabling BFD................................................................................................................................................................. 720
9.3.3 Deploying OSPF............................................................................................................................................................... 720
9.3.3.1 Deployment Roadmap............................................................................................................................................... 721
9.3.3.2 Configuring OSPF........................................................................................................................................................ 721
9.3.4 Deploying MPLS LDP..................................................................................................................................................... 723
9.3.4.1 Deployment Roadmap............................................................................................................................................... 724
9.3.4.2 Data Plan........................................................................................................................................................................ 724
9.3.4.3 Enabling MPLS LDP.....................................................................................................................................................725
9.3.4.4 Configuring Synchronization Between LDP and OSPF................................................................................... 726
9.3.4.5 Configuring LDP GR.................................................................................................................................................... 727
9.3.4.6 Configuring BFD for LSPs.......................................................................................................................................... 728
9.3.5 Deploying MPLS TE........................................................................................................................................................ 729
9.3.5.1 Deployment Roadmap............................................................................................................................................... 729
9.3.5.2 Data Plan........................................................................................................................................................................ 730
9.3.5.3 Configuring MPLS TE Tunnels and Hot Standby.............................................................................................. 733
9.3.5.4 Configuring RSVP GR..................................................................................................................................................737
9.3.5.5 Configuring BFD for CR-LSPs................................................................................................................................... 737
9.3.6 Deploying L3VPN Services and Protection (HoVPN).......................................................................................... 740
9.3.6.1 Deployment Roadmap............................................................................................................................................... 740
9.3.6.2 Data Plan........................................................................................................................................................................ 742
9.3.6.3 Configuring MP-BGP...................................................................................................................................................746
9.3.6.4 Configuring L3VPN......................................................................................................................................................749


9.3.6.5 Configuring Reliability Protection.......................................................................................................................... 751


9.3.7 Configuration Files..........................................................................................................................................................756
9.3.7.1 Core_SPE1 configuration file................................................................................................................................... 756
9.3.7.2 Core_SPE2 configuration file................................................................................................................................... 762
9.3.7.3 Core_SPE3 configuration file................................................................................................................................... 768
9.3.7.4 Site1_UPE1 configuration file.................................................................................................................................. 774
9.3.7.5 Site1_UPE2 configuration file.................................................................................................................................. 778
9.3.7.6 Site2_UPE3 configuration file.................................................................................................................................. 781
9.3.7.7 Site2_UPE4 configuration file.................................................................................................................................. 785
9.3.7.8 Site3_UPE5 configuration file.................................................................................................................................. 788
9.3.7.9 Site3_UPE6 configuration file.................................................................................................................................. 791
9.4 ISP Network Deployment for Internet Access of Home Users and Enterprise Users................................. 795
9.4.1 Application Scenario and Service Requirements.................................................................................................. 795
9.4.2 Solution Design................................................................................................................................................................ 796
9.4.3 Deployment Roadmap and Data Plan..................................................................................................................... 798
9.4.4 Deployment Procedure.................................................................................................................................................. 804
9.4.4.1 Configuring Egress Gateways (S6730-H)............................................................................................................ 804
9.4.4.2 Configuring a Stack of Aggregation Switches (S5731-H-5)......................................................................... 807
9.4.4.3 Configuring Aggregation Switches (S6730-H).................................................................................................. 809
9.4.4.4 Configuring the Access Switch S5735-L-6........................................................................................................... 810
9.4.5 Verifying the Deployment............................................................................................................................................ 813
9.4.6 Configuration Files..........................................................................................................................................................814
9.5 ISP Network Deployment for Integrated Access in Large Enterprises............................................................. 823
9.5.1 Application Scenario and Service Requirements.................................................................................................. 823
9.5.2 Solution Design................................................................................................................................................................ 824
9.5.3 Deployment Roadmap and Data Plan..................................................................................................................... 826
9.5.4 Deployment Procedure.................................................................................................................................................. 829
9.5.4.1 Configuring PE1............................................................................................................................................................829
9.5.4.2 Configuring PE2............................................................................................................................................................836
9.5.4.3 Configuring P Devices................................................................................................................................................ 842
9.5.4.4 Configuring RRs............................................................................................................................................................ 848
9.5.4.5 Configuring Router......................................................................................................................................................851
9.5.4.6 Configuring SW1.......................................................................................................................................................... 855
9.5.4.7 Configuring SW2.......................................................................................................................................................... 856
9.5.5 Verifying the Deployment............................................................................................................................................ 857
9.5.6 Configuration Files..........................................................................................................................................................858
9.6 ISP Backbone Network Deployment for Mutual Access of Sites in an Enterprise....................................... 877
9.6.1 Application Scenario and Service Requirements.................................................................................................. 877
9.6.2 Solution Design................................................................................................................................................................ 878
9.6.3 Deployment Roadmap and Data Plan..................................................................................................................... 879
9.6.4 Deployment Procedure.................................................................................................................................................. 883
9.6.4.1 Configuring S12700E-4_P1....................................................................................................................................... 883


9.6.4.2 Configuring S12700E-4_P3....................................................................................................................................... 887


9.6.4.3 Configuring RR_1......................................................................................................................................................... 890
9.6.4.4 Configuring Router_1................................................................................................................................................. 893
9.6.5 Verifying the Deployment............................................................................................................................................ 895
9.6.6 Configuration Files..........................................................................................................................................................896



Campus Networks Typical Configuration Examples 1 About This Document

1 About This Document

Intended Audience
This document is intended for network engineers responsible for switch
configuration and management. You should be familiar with basic Ethernet
knowledge and have extensive experience in network deployment and
management.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description

NOTICE    Indicates a potentially hazardous situation which, if not avoided,
          could result in equipment damage, data loss, performance
          deterioration, or unanticipated results. NOTICE is used to address
          practices not related to personal injury.

NOTE      Supplements the important information in the main text. NOTE is
          used to address information not related to personal injury,
          equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as
follows.


Convention        Description

Boldface          The keywords of a command line are in boldface.

Italic            Command arguments are in italics.

[ ]               Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }   Optional items are grouped in braces and separated by
                  vertical bars. One item is selected.

[ x | y | ... ]   Optional items are grouped in brackets and separated by
                  vertical bars. One item is selected or no item is selected.

{ x | y | ... }*  Optional items are grouped in braces and separated by
                  vertical bars. A minimum of one item or a maximum of all
                  items can be selected.

[ x | y | ... ]*  Optional items are grouped in brackets and separated by
                  vertical bars. Several items or no item can be selected.

&<1-n>            The parameter before the & sign can be repeated 1 to n
                  times.

#                 A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this document are examples and must be replaced
according to the actual configuration requirements.

Security Conventions
● Password setting
– To ensure device security, use ciphertext when configuring a password and
change the password periodically.
– The switch treats every password that starts and ends with %^%#, %#%#,
%@%@ or @%@% as ciphertext and attempts to decrypt it. If you configure a
plaintext password that starts and ends with one of these marker pairs, the
switch decrypts it and records it in the configuration file (plaintext
passwords are otherwise not recorded, for security reasons). Therefore, do
not set a password that starts and ends with %^%#, %#%#, %@%@ or @%@%.
– When you configure passwords in ciphertext, different features must use
different ciphertext passwords. For example, the ciphertext password set for
the AAA feature cannot be used for other features.
● Encryption algorithms
The switch currently supports 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES,
RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible.
Using the encryption algorithms DES, 3DES, RSA (RSA-1024 or lower), MD5 (in
digital signature scenarios and password encryption), or SHA1 (in digital
signature scenarios) is a security risk. If protocols allow, use more secure
encryption algorithms, such as AES, RSA (RSA-2048 or higher), SHA2, or
HMAC-SHA2.
An irreversible encryption algorithm must be used for the administrator
password. SHA2 is recommended for this purpose.
● Personal data
Some personal data (such as MAC or IP addresses of terminals) may be obtained or used during the operation or fault location of your purchased products, services, or features. You are therefore obliged to formulate privacy policies and take measures, in accordance with the applicable laws of your country, to protect personal data.
● Mirroring
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
document are mentioned only to describe the product's function of
communication error or failure detection, and do not involve collection or
processing of any personal information or communication data of users.
● Reliability design declaration
Network planning and site design must comply with reliability design principles and provide device-level and solution-level protection. Device-level protection includes dual-network and inter-board dual-link planning principles that avoid single points of failure and single-link failures. Solution-level protection refers to a fast convergence mechanism, such as FRR or VRRP. If solution-level protection is used, ensure that the primary and backup paths do not share links or transmission devices; otherwise, solution-level protection may fail to take effect.
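As an added example (not Huawei's code and not part of this document's procedures), the following Python lint applies the password and algorithm conventions above to configuration text: it flags a plaintext password wrapped in one of the ciphertext markers, the same ciphertext reused by more than one feature, and references to the algorithms listed as risky. The sample configuration and its command syntax are constructed and simplified for illustration, not copied from a real device.

```python
"""Configuration lint for the password and algorithm conventions above.

Added example, not Huawei's code. It scans constructed configuration lines
(simplified syntax, not copied from a real device) and reports:
  1. a plaintext password that starts and ends with one of the ciphertext
     markers, which the switch would try to decrypt;
  2. the same ciphertext reused by different features;
  3. algorithms the text lists as risky (DES, 3DES, MD5, SHA1, RSA <= 1024).
"""
import re
from collections import defaultdict

CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")
RISKY_NAMES = {"des", "3des", "md5", "sha1"}
# A value counts as ciphertext only if the keyword before it says so.
CIPHER_KEYWORDS = ("irreversible-cipher", "cipher")
SECRET_RE = re.compile(
    r"\b(password|shared-key|community\s+\w+)\s+"
    r"(irreversible-cipher|cipher|simple)?\s*(\S+)$")

# Constructed sample configuration (all values are made up).
SAMPLE_CONFIG = """\
aaa
 local-user admin password irreversible-cipher %^%#Abc123Def456Ghi789Jkl%^%#
radius-server shared-key cipher %^%#Abc123Def456Ghi789Jkl%^%#
snmp-agent community read cipher %#%#Zyx987Wvu654Tsr321Qpo%#%#
hwtacacs-server shared-key %@%@PlainButLooksEncrypted%@%@
ssh server cipher 3des_cbc aes256_ctr
ssh server hmac md5 sha2_256
"""

def _wrapped_in_markers(value):
    return any(value.startswith(m) and value.endswith(m) for m in CIPHER_MARKERS)

def _risky_algorithm(word):
    """Return the risky algorithm named by a token such as '3des_cbc' or 'rsa-1024', else None."""
    w = word.lower()
    base = re.split(r"[_-]", w)[0]
    if base in RISKY_NAMES:
        return base
    m = re.match(r"rsa[-_]?(\d+)$", w)
    if m and int(m.group(1)) <= 1024:
        return w
    return None

def lint_config(text):
    """Return a list of (line_no, message) findings; an empty list means nothing was flagged."""
    findings = []
    cipher_uses = defaultdict(list)   # ciphertext value -> [(line_no, feature keyword)]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        feature = line.split()[0]     # e.g. local-user, radius-server
        m = SECRET_RE.search(line)
        if m:
            kind, value = m.group(2), m.group(3)
            if kind in CIPHER_KEYWORDS:
                cipher_uses[value].append((no, feature))
            elif _wrapped_in_markers(value):
                findings.append((no, "plaintext password wrapped in ciphertext "
                                     "markers; the switch will try to decrypt it"))
        for word in line.split():
            algo = _risky_algorithm(word)
            if algo:
                findings.append((no, f"risky algorithm {algo} in use"))
    for value, uses in cipher_uses.items():
        features = sorted({f for _, f in uses})
        if len(features) > 1:
            findings.append((uses[0][0], f"ciphertext reused across features {features}"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {message}")
```

Run against the constructed sample, the lint reports the marker-wrapped plaintext key on line 5, the ciphertext shared by local-user and radius-server, and the 3DES and MD5 selections; a line that only names AES or SHA2 produces no finding.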

Disclaimer
● This document is designed as a reference for you to configure your devices. Its
contents, including web pages, command line input and output, are based on
laboratory conditions. It provides instructions for general scenarios, but does
not cover all use cases of all product models. The examples given may differ
from your use case due to differences in software versions, models, and
configuration files. When configuring your device, alter the configuration
depending on your use case.
● The specifications provided in this document were tested in a lab environment (for example, with a certain type of card installed on the tested device, or with only one protocol running on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.


2 Quick Guide to This Document

This document provides typical campus network networking modes and a variety
of function-centered deployment examples, allowing you to quickly find
deployment examples of specific features and flexibly combine different
deployment modes based on your networking requirements. This document also
provides end-to-end scenario-tailored deployment practices for your reference,
facilitating network deployment according to the network design solution.
The following table describes the chapters in this document.

Feature-centered deployment examples
● Campus Network Connectivity Deployment: Describes how to deploy campus network connectivity based on the gateway locations and AC attributes (native AC, standalone AC, or ACU2).
● Campus Egress Deployment: Describes how to deploy the interconnection between the campus egress, branches, and headquarters, covering the scenario where only firewalls are deployed at the campus egress and that where both firewalls and routers are deployed.
● Wireless Coverage Deployment: Provides typical wireless coverage scenarios, such as the agile distributed scenario and high-density scenario.
● Wired and Wireless User Access Authentication Deployment: Describes how to deploy wired and wireless user access authentication based on authentication point locations, AC attributes, and the authentication policy management and control solution.
● Security Deployment: Describes how to deploy campus internal network security and egress security.
● QoS Deployment: Describes how to deploy QoS for some special service flows including video streaming, voice, and VIP user services.

Scenario-tailored deployment examples
● Campus Network Deployment Practices: Provides complete end-to-end campus network deployment examples in specific industries.

● For typical configuration examples of switch features, such as stacking, cluster switch
system (CSS), super virtual fabric (SVF), device login, upgrade, and access control list
(ACL), see S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical
Configuration Examples.
● For details about configuration examples of features, such as Virtual Extensible LAN
(VXLAN), hierarchical quality of service (HQoS), and cloud-based management, used in
solutions, see CloudCampus Solution Typical Configuration Examples.


3 Campus Network Connectivity Deployment

3.1 Key Points of Network Connectivity Deployment
3.2 Deployment Differences Between Two-Layer and Three-Layer Network Architectures
3.3 Deployment Differences Between a Standalone AC and an ACU2
3.4 Typical CSS and Stack Deployment
3.5 Native AC Solution: Core Switches Function as the Gateway for Wired and
Wireless Users
3.6 Native AC Solution: Aggregation Switches Function as Gateways for Wired and
Wireless Users
3.7 Native AC + SVF Solution: the Parent Containing Core Switches Functions as
the Gateway for Wired and Wireless Users
3.8 Native AC + SVF Solution: Parents Containing Aggregation Switches Function
as Gateways for Wired and Wireless Users
3.9 Standalone AC Solution: Core Switches Function as the Gateway for Wired and
Wireless Users
3.10 Standalone AC Solution: Aggregation Switches Function as Gateways for
Wired and Wireless Users
3.11 Standalone AC Solution: Core Switches and ACs Function as the Gateways for
Wired and Wireless Users Respectively
3.12 Standalone AC Solution: Aggregation Switches and ACs Function as the
Gateways for Wired and Wireless Users Respectively

3.1 Key Points of Network Connectivity Deployment


Network connectivity deployment aims to enable Layer 2 and Layer 3 communication between devices at the core, aggregation, and access layers of a campus network, so that wired and wireless users can access the campus network and communicate with each other. Network connectivity deployment is the basis of campus network construction.

Based on the services and scale of the campus network, the network connectivity
deployment on the campus network has the following key points:

● Determine whether to use a two-layer or three-layer network architecture.
A two-layer network architecture consists of the core and access layers. A three-layer network architecture consists of the core, aggregation, and access layers. During network design, determine the network architecture based on the network scale or the number of users.
● Determine the devices that need to set up a Cluster Switch System (CSS) or
stack. Preferentially deploy a CSS or stack.
To improve network reliability, you are advised to configure CSS on core
devices and stacking on aggregation devices. You can determine whether to
configure stacking on access devices based on network reliability and port
quantity requirements.
● Determine the wireless network deployment solution.
Use the native AC function, a standalone AC, or an Access Controller Unit 2 (ACU2), based on campus network requirements. When the ACU2 solution is used, an ACU2 is installed on a core switch. When the standalone AC solution is used, a standalone AC can be connected to a core switch or an aggregation switch in off-path mode.
● Determine whether to use an off-path or in-path deployment for the AC.
An off-path deployment is recommended for a live network that is partially
reconstructed. For small- and medium-sized new networks, an in-path
deployment is used to simplify the network architecture.
● Determine whether to use direct forwarding or tunnel forwarding for wireless
user data.
Tunnel forwarding applies to scenarios where service data needs to be
managed and controlled in a centralized manner. Direct forwarding applies to
scenarios where high packet forwarding efficiency is required.
In the standalone AC solution:
– When a switch functions as the wireless gateway, direct forwarding is
recommended for wireless data if free mobility is not deployed, and
tunnel forwarding is recommended if free mobility is deployed.
– When a standalone AC functions as the wireless gateway, tunnel
forwarding is recommended for wireless data.
● Determine the locations of gateways on the network (that is, the boundary
between Layer 2 and Layer 3).
In most cases, Layer 2 switching services are deployed on downstream devices
connected to gateways, and Layer 3 routing services are deployed on
upstream devices connected to gateways.
If the native AC solution is used, you are advised to deploy both wired and
wireless gateways on a switch that supports the native AC function. If the
standalone AC or ACU2 solution is used, you can deploy both wired and
wireless gateways on a switch; alternatively, deploy the wired gateway on a
switch and the wireless gateway on a standalone AC or an ACU2.


● Determine whether to deploy Super Virtual Fabric (SVF).

Deployment Description
● There are two-layer and three-layer network architectures. Compared with the
three-layer architecture, the two-layer architecture does not have the
aggregation layer. This chapter uses the three-layer architecture as an
example. For differences between the two architectures, see 3.2 Deployment
Differences Between Two-Layer and Three-Layer Network Architectures.
● Multiple switches configured with the CSS or stacking function are virtualized
into one logical switch, simplifying the configuration and networking. For a
deployment example, see 3.4 Typical CSS and Stack Deployment.
● An ACU2 is an AC card that can be deployed in the same way as a standalone
AC. The only difference is that internal interconnection interfaces need to be
configured between an ACU2 and a modular switch. For details about the
deployment differences, see 3.3 Deployment Differences Between a
Standalone AC and an ACU2.
● The wireless network deployment examples described in this chapter apply to
common and high-density WLAN scenarios. For details about wireless
network deployment examples in agile distributed Wi-Fi and WDS backhaul
scenarios, see 5 Wireless Coverage Deployment.

3.2 Deployment Differences Between Two-Layer and Three-Layer Network Architectures
The tree topology is recommended as the physical architecture of a campus
network. This topology facilitates network deployment and management, and has
good scalability. In most cases, a campus network using the tree topology has a
hierarchical architecture that consists of the terminal layer, access layer,
aggregation layer, and core layer. In actual deployment, you can flexibly select a
two-layer or three-layer network architecture based on the network scale and
service requirements.

Two-Layer Network Architecture


Figure 3-1 shows a two-layer network architecture that consists of a core layer
and an access layer.

Figure 3-1 Two-layer network architecture (figure not reproduced: a core layer consisting of a CSS, with the access layer below it)


To ensure device-level and link-level reliability on the network, it is recommended that CSS be configured at the core layer, stacking be configured at the access layer, and core and access devices be connected through Eth-Trunk interfaces. If standalone access devices can provide sufficient access capacity for downstream terminals, you do not need to configure stacking at the access layer.
The networking where CSS, stacking, and Eth-Trunk are used is loop-free. The
configuration is simple because complex ring network protocols (such as RSTP,
MSTP, and RRPP) and reliability protocols do not need to be configured. The
networking ensures device-level and link-level reliability, simplifies the network
topology, and reduces the deployment and maintenance workload.

Three-Layer Network Architecture


Figure 3-2 shows a three-layer network architecture that consists of a core layer,
an aggregation layer, and an access layer.

Figure 3-2 Three-layer network architecture (figure not reproduced: a core layer consisting of a CSS, an aggregation layer consisting of stacks, and the access layer below them)

To ensure device-level and link-level reliability on the network, it is recommended that CSS be configured at the core layer, stacking be configured at the aggregation and access layers, and core, aggregation, and access devices be connected through Eth-Trunk interfaces. If standalone access devices can provide sufficient access capacity for downstream terminals, you do not need to configure stacking at the access layer.

Deployment Differences
The difference between the two network architectures is that the three-layer
network architecture has the aggregation layer, whereas the two-layer network
architecture does not have the layer. The aggregation layer is between the core
and access layers and connects to both layers. Aggregation switches aggregate
traffic from access switches, process the traffic, and provide uplinks to the core
layer.
The selection of the two network architectures depends on the following factors:


1. Network scale: For example, the number of NEs is related to the investment cost.
2. Network complexity: The network maintenance cost and fault locating complexity vary with the network complexity. The more complex the network is and the more failure points it has, the more difficult fault locating is and the higher the maintenance cost is.
3. Transmission distance: When differences between transmission media are not considered, a network using the three-layer architecture can span a larger area than a network using the two-layer architecture.
In general, the two-layer network architecture is applicable to small-scale
campuses because it is simple and contains a small number of NEs, and a network
constructed using this architecture has fewer failure points. The three-layer
network architecture is applicable to large-scale campuses because it is complex
and contains a large number of NEs, and a network constructed using this
architecture has more failure points.
The two-layer network architecture is usually used in actual deployment. If the
transmission distance is short and access devices can be directly connected to core
devices that provide enough interfaces, the aggregation layer can be omitted,
which is a common practice. This reduces the total cost and maintenance
workload, and facilitates network status monitoring.

3.3 Deployment Differences Between a Standalone AC and an ACU2
Different from a traditional standalone AC, an ACU2 is a value-added service card
of a modular switch. It can be installed in any LPU slot of a modular switch to
provide the WLAN AC function.
As shown in Figure 3-3, an ACU2 is installed on a modular switch, and internal
interfaces XGE0/0/1 and XGE0/0/2 of the ACU2 are connected to internal
interfaces XGE1/0/1 and XGE1/0/2 of the switch, respectively. The switch can be
connected to an AP directly or through another network device.

The switch is connected to the ACU2 through XGE1/0/1 and XGE1/0/2, in which the first
digit 1 indicates the slot ID of the ACU2 on the switch. XGE1/0/1 indicates that the ACU2 is
installed in slot 1 of the switch. If the ACU2 is installed in slot 2 of the switch, the switch is
connected to the ACU2 through XGE2/0/1 and XGE2/0/2.

Figure 3-3 Communication between an ACU2 and a switch (figure not reproduced: switch XGE1/0/1 connects to ACU2 XGE0/0/1, and switch XGE1/0/2 connects to ACU2 XGE0/0/2)

To increase the link bandwidth and improve the link reliability between the ACU2 and the switch, add the XGE interfaces connecting the ACU2 and the switch to Eth-Trunk interfaces. Otherwise, only XGE0/0/1 on the ACU2 can be used, and XGE0/0/2 remains Down.

Procedure
● Configure the ACU2.

  – After you run the connect slot command, the command output varies according to the version. Perform operations as prompted.
  – To log in to the ACU2 on the standby switch in a CSS, run the local-telnet command on the MPU of the master switch to log in to the standby switch, and then run the connect slot command to log in to the ACU2.

<HUAWEI> connect slot 1
******************************************************
* Slot 1 output to mainboard *
******************************************************
Press Ctrl+D to quit

//Press Enter. The system redirects you to the console interface of the ACU2 to log in to the ACU2.
<ACU2> system-view
[ACU2] vlan batch 100 101 //In this example, assume that the management VLAN is VLAN 100 and the service VLAN is VLAN 101.
[ACU2] interface eth-trunk 0
[ACU2-Eth-Trunk0] port link-type trunk
[ACU2-Eth-Trunk0] port trunk allow-pass vlan 100 101
[ACU2-Eth-Trunk0] trunkport xgigabitethernet 0/0/1 0/0/2 //Add the ACU2's internal interfaces XGE0/0/1 and XGE0/0/2 to Eth-Trunk 0.
[ACU2-Eth-Trunk0] quit
//Press Ctrl+D to log out of the ACU2.

● Configure the switch.

<HUAWEI> system-view
[HUAWEI] vlan batch 100 101 //Create the same management VLAN (100) and service VLAN (101) on the switch.
[HUAWEI] load-distribution mode slot 1 enhanced //Configure the ACU2 in slot 1 to provide the maximum forwarding capacity.
[HUAWEI] interface eth-trunk 0
[HUAWEI-Eth-Trunk0] port link-type trunk
[HUAWEI-Eth-Trunk0] port trunk allow-pass vlan 100 101
[HUAWEI-Eth-Trunk0] trunkport xgigabitethernet 1/0/1 1/0/2 //XGE1/0/1 and XGE1/0/2 are the switch's internal interfaces to the ACU2 in slot 1; use XGE2/0/1 and XGE2/0/2 if the ACU2 is in slot 2.
[HUAWEI-Eth-Trunk0] quit
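As an added example (not Huawei's code and not part of this procedure), the following Python script parses constructed copies of the two configuration snippets above and cross-checks them: each end must have created every VLAN it allows on the trunk, both ends must allow the same VLANs, and the switch-side member interfaces must sit in the ACU2's slot (XGE<slot>/0/x, with <slot> taken from the load-distribution mode slot command). A typo such as "vlan batch 100 10", or member interfaces in the wrong slot, is reported as a finding.

```python
"""Cross-check the two ends of the ACU2 <-> switch Eth-Trunk.

Added example, not Huawei's code. It parses constructed copies of the ACU2 and
switch snippets above and checks that the VLANs each end allows on the trunk
exist on that device, that both ends allow the same VLANs, and that the
switch-side member interfaces sit in the ACU2's slot, i.e. XGE<slot>/0/x, where
<slot> is taken from 'load-distribution mode slot <slot> enhanced'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed copy of the switch-side configuration from the procedure above.
SWITCH_CFG = """\
<HUAWEI> system-view
[HUAWEI] vlan batch 100 101
[HUAWEI] load-distribution mode slot 1 enhanced
[HUAWEI] interface eth-trunk 0
[HUAWEI-Eth-Trunk0] port link-type trunk
[HUAWEI-Eth-Trunk0] port trunk allow-pass vlan 100 101
[HUAWEI-Eth-Trunk0] trunkport xgigabitethernet 1/0/1 1/0/2
[HUAWEI-Eth-Trunk0] quit
"""

# Constructed copy of the ACU2-side configuration.
ACU2_CFG = """\
<ACU2> system-view
[ACU2] vlan batch 100 101 //management VLAN 100, service VLAN 101
[ACU2] interface eth-trunk 0
[ACU2-Eth-Trunk0] port link-type trunk
[ACU2-Eth-Trunk0] port trunk allow-pass vlan 100 101
[ACU2-Eth-Trunk0] trunkport xgigabitethernet 0/0/1 0/0/2
[ACU2-Eth-Trunk0] quit
"""

@dataclass
class TrunkSide:
    vlans_created: Set[int] = field(default_factory=set)
    vlans_allowed: Set[int] = field(default_factory=set)
    members: List[str] = field(default_factory=list)   # e.g. ["1/0/1", "1/0/2"]
    slot: Optional[int] = None                         # ACU2 slot, switch side only

PROMPT_RE = re.compile(r"^[<\[][^>\]]*[>\]]\s*")       # strips "[ACU2-Eth-Trunk0] "

def _expand_vlans(tokens):
    """Expand '100 101' or '10 to 20' token lists into a set of VLAN IDs."""
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out

def parse_side(text):
    """Collect VLANs, trunk members and the ACU2 slot from one device's CLI lines."""
    side = TrunkSide()
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw).split("//")[0].strip()   # drop prompt and comment
        words = line.split()
        if words[:2] == ["vlan", "batch"]:
            side.vlans_created |= _expand_vlans(words[2:])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            side.vlans_allowed |= _expand_vlans(words[4:])
        elif words[:2] == ["trunkport", "xgigabitethernet"]:
            side.members += [w for w in words[2:] if w != "to"]
        elif words[:3] == ["load-distribution", "mode", "slot"] and len(words) > 3:
            side.slot = int(words[3])
    return side

def check_trunk(switch_text, acu2_text):
    """Return a list of findings; an empty list means the two ends are consistent."""
    sw, acu = parse_side(switch_text), parse_side(acu2_text)
    findings = []
    for name, side in (("switch", sw), ("ACU2", acu)):
        missing = side.vlans_allowed - side.vlans_created
        if missing:
            findings.append(f"{name}: allowed VLANs not created: {sorted(missing)}")
    if sw.vlans_allowed != acu.vlans_allowed:
        findings.append(f"allow-pass mismatch: switch={sorted(sw.vlans_allowed)} "
                        f"ACU2={sorted(acu.vlans_allowed)}")
    if sw.slot is not None:
        wrong = [m for m in sw.members if not m.startswith(f"{sw.slot}/0/")]
        if wrong:
            findings.append(f"switch: trunk members {wrong} are not in ACU2 slot {sw.slot}")
    if len(sw.members) != len(acu.members):
        findings.append("member interface count differs between the two ends")
    return findings

if __name__ == "__main__":
    print(check_trunk(SWITCH_CFG, ACU2_CFG) or "trunk ends are consistent")
```

The checker is deliberately strict about the slot prefix because the note above ties the switch-side interface numbers to the slot the ACU2 is installed in; a copy-and-paste of the ACU2's own 0/0/1 0/0/2 onto the switch is the mistake it is meant to catch.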

3.4 Typical CSS and Stack Deployment


Networking Requirements
At the core layer, two modular switches set up a CSS. At the aggregation layer,
every two fixed switches set up a stack. The CSS at the core layer is connected to
stacks at the aggregation layer through Eth-Trunk interfaces.


Figure 3-4 Campus network (figure not reproduced: a server zone including RADIUS and DNS servers connects to the core-layer CSS named CORE; CORE connects to aggregation stack AGG1 through Eth-Trunk 10 and to aggregation stack AGG2 through Eth-Trunk 20; AGG1 connects to access switch ACC1 through Eth-Trunk 30 and AGG2 to access switch ACC2 through Eth-Trunk 40; PC1 and AP1 connect to ACC1, and PC2 and AP2 connect to ACC2. The physical member interfaces are listed in Table 3-3.)

Device Requirements and Versions


Location           Device Requirement                                  Device Used in This Example   Version Used in This Example
Core layer         Modular switches that support the CSS function      S12700E-8                     V200R019C10
Aggregation layer  Fixed switches that support the stacking function   S5731-H                       V200R019C10
Access layer       -                                                   S5735-L                       V200R019C10

The stack connection mode, CSS connection mode, and support for the stacking and CSS
functions vary according to device models. You can use the Stack & SVF Assistant or query
Stack Support and Version Requirements and Licensing Requirements and Limitations
for CSS to obtain detailed information about each device model.


Deployment Roadmap

Step  Deployment Roadmap                                                  Devices Involved
1     Configure CSS and multi-active detection (MAD) on core switches.    Core switches
2     Configure stacking and MAD on aggregation switches.                 Aggregation switches
3     Configure uplink and downlink Eth-Trunk interfaces on switches.     Core, aggregation, and access switches

Data Plan

Table 3-1 Software and hardware configuration plan for the CSS

Item                                   Data
CSS connection mode                    Service port connection
Number of member switches              2
Hardware configuration of each switch  MPU: two MPUE cards
                                       Service card: two LST7X24BX6E0 cards. To ensure reliability, you are advised to configure two cards on each switch. If each switch is configured with one card, two such switches can also set up a CSS.
                                       CSS cable: four 3 m SFP+ AOC cables
CSS master                             The switch with the CSS ID 1 is the CSS master.
CSS priority                           The CSS priority of the switch with the CSS ID 1 is 150. The switch with the CSS ID 2 uses the default CSS priority 1.
MAD                                    The two member switches in the CSS are directly connected using an independent cable for MAD. The cable connects XGE1/1/0/10 and XGE2/1/0/10.

Table 3-2 Software and hardware configuration plan for a stack

Item                                   Data
Stack connection mode                  Service interface connection
Number of member switches              2
Hardware configuration of each switch  Stack interface: two uplink 10GE service interfaces XGE0/0/3 and XGE1/0/3
                                       Stack topology: ring topology
                                       Stack cable: two 3 m SFP+ AOC cables
Stack master                           Change the stack IDs of the two member switches to 0 and 1 respectively. The switch with the stack ID 0 is the master switch.
Stack priority                         The stack priority of the switch with the stack ID 0 is 150. The switch with the stack ID 1 uses the default stack priority 100.
MAD                                    The two member switches in the stack are directly connected using an independent cable for MAD. The cable connects GE0/0/10 and GE1/0/10.

Table 3-3 Plan for the connections between CSS and stack interfaces

Item                                                 Interface Number
CSS's downlink interfaces connected to stacks        Eth-Trunk 10 connected to stack AGG1, containing physical member interfaces XGE1/1/0/1 and XGE2/1/0/2
                                                     Eth-Trunk 20 connected to stack AGG2, containing physical member interfaces XGE1/1/0/2 and XGE2/1/0/1
Stack AGG1's uplink interface connected to the CSS   Eth-Trunk 10 containing physical member interfaces XGE0/0/1 and XGE1/0/1
Stack AGG2's uplink interface connected to the CSS   Eth-Trunk 20 containing physical member interfaces XGE0/0/1 and XGE1/0/1
Stack AGG1's downlink interface connected to ACC1    Eth-Trunk 30 containing physical member interfaces GE0/0/3 and GE1/0/3
Stack AGG2's downlink interface connected to ACC2    Eth-Trunk 40 containing physical member interfaces GE0/0/3 and GE1/0/3
ACC1's uplink interface connected to AGG1            Eth-Trunk 30 containing physical member interfaces GE0/0/1 and GE0/0/2
ACC2's uplink interface connected to AGG2            Eth-Trunk 40 containing physical member interfaces GE0/0/1 and GE0/0/2

Procedure
Step 1 Set up a CSS.
1. Power off the switches, install service cards, and connect CSS cables and the
MAD cable according to the following figure.

Figure 3-5 Connecting cables to set up a CSS

To ensure reliability, you are advised to connect cables as follows:
– Add at least two physical member interfaces on a service card to a logical CSS interface.
– Do not use interfaces on a service card that is used to set up the CSS as uplink interfaces, and do not configure a MAD-enabled interface on that card.
2. Power on the two switches and configure them according to the data plan.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] set css id 1
[Switch1] set css priority 150 //Set the CSS priority of Switch1 to 150.
[Switch1] interface css-port 1
[Switch1-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch1-css-port1] quit
[Switch1] interface css-port 2
[Switch1-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch1-css-port2] quit
[Switch1] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off LPU 150 Off

[Switch1] css enable //After confirming that the CSS configuration is correct, enable the CSS function and restart the switch. To ensure that Switch1 becomes the master switch, restart it first.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] set css id 2 //Set the CSS ID to 2. Retain the default CSS priority of Switch2.
[Switch2] interface css-port 1
[Switch2-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch2-css-port1] quit
[Switch2] interface css-port 2
[Switch2-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch2-css-port2] quit
[Switch2] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off LPU 1 Off
[Switch2] css enable //After confirming that the CSS configuration is correct, enable the CSS function and restart the switch.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
3. After the switches are restarted, check whether the CSS is set up successfully.
# Check the CSS status by observing the CSS indicators on the MPUs of the switches.
The ACT indicator on an MPU of Switch1 is steady on, indicating that the MPU is the CSS master MPU and Switch1 is the master switch.
The ACT indicator on an MPU of Switch2 is blinking green, indicating that the MPU is the CSS standby MPU and Switch2 is the standby switch.
# Log in to the CSS through the console interface on any MPU and run the following commands to check whether the CSS is set up successfully.
Switch1, which has the higher CSS priority, becomes the master switch of the CSS. When you run the display device command to check the CSS status, the CSS name is Switch1.
<Switch1> display device
Chassis 1 (Master Switch)
S12700E-8's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - LST7X24BX6E0 Present PowerOn Registered Normal NA
2 - LST7X24BX6E0 Present PowerOn Registered Normal NA
3 - - Present PowerOn Unregistered - NA
9 - LST7MPUE0000 Present PowerOn Registered Normal Master
10 - LST7MPUE0000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12700E-8's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - LST7X24BX6E0 Present PowerOn Registered Normal NA
2 - LST7X24BX6E0 Present PowerOn Registered Normal NA
3 - - Present PowerOn Unregistered - NA
9 - LST7MPUE0000 Present PowerOn Registered Normal Master
10 - LST7MPUE0000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present - Unregistered - NA
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
<Switch1> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master LPU 150 Off
2 On Standby LPU 1 Off
<Switch1> display css channel all //Check whether the CSS topology is consistent with hardware
connections.
CSS link-down-delay: 500ms

Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/4/0/1 XGigabitEthernet2/4/0/1 2/1
2 1/1 XGigabitEthernet1/4/0/2 XGigabitEthernet2/4/0/2 2/1
3 1/2 XGigabitEthernet1/5/0/1 XGigabitEthernet2/5/0/1 2/2
4 1/2 XGigabitEthernet1/5/0/2 XGigabitEthernet2/5/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/4/0/1 XGigabitEthernet1/4/0/1 1/1
2 2/1 XGigabitEthernet2/4/0/2 XGigabitEthernet1/4/0/2 1/1
3 2/2 XGigabitEthernet2/5/0/1 XGigabitEthernet1/5/0/1 1/2
4 2/2 XGigabitEthernet2/5/0/2 XGigabitEthernet1/5/0/2 1/2
<Switch1> system-view
[Switch1] sysname CORE //Change the CSS name to make it easy to remember.

4. Configure MAD after the CSS is set up.


If the CSS splits, services will be affected because two master switches exist.
To avoid this problem, use a cable to directly connect the two member
switches for MAD after the CSS is set up. To be specific, the cable connects
XGE1/1/0/10 and XGE2/1/0/10, as shown in Figure 3-5.
[CORE] interface xgigabitethernet 1/1/0/10
[CORE-XGigabitEthernet1/1/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CORE-XGigabitEthernet1/1/0/10] quit
[CORE] interface xgigabitethernet 2/1/0/10
[CORE-XGigabitEthernet2/1/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CORE-XGigabitEthernet2/1/0/10] return
<CORE> display mad verbose //Check the MAD configuration.
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
XGigabitEthernet1/1/0/10
XGigabitEthernet2/1/0/10
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
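As an added example (not Huawei's tooling and not part of this procedure), the following Python script turns the manual checks in Step 1 into an automated verification: it parses constructed copies of the display css status, display css channel all, and display mad verbose output shown above and confirms that the CSS matches the data plan (chassis 1 is the master with priority 150, every CSS link is reported from both chassis, at least two links exist, and each chassis has a MAD direct-detect interface). The expected master and priority are parameters, so the same check applies to other plans.

```python
"""Verify a CSS against the data plan from captured 'display' output.

Added example, not Huawei's tooling. It parses constructed copies of the
'display css status', 'display css channel all' and 'display mad verbose'
output shown in Step 1 and checks that chassis 1 is the master with priority
150, that every CSS link is reported from both chassis (a one-sided entry
points to a cabling or card problem), that at least two links exist, and
that each chassis has a MAD direct-detect interface.
"""
import re

# Constructed copies of the command output shown above.
CSS_STATUS = """\
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master LPU 150 Off
2 On Standby LPU 1 Off
"""

CSS_CHANNEL = """\
CSS link-down-delay: 500ms

Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/4/0/1 XGigabitEthernet2/4/0/1 2/1
2 1/1 XGigabitEthernet1/4/0/2 XGigabitEthernet2/4/0/2 2/1
3 1/2 XGigabitEthernet1/5/0/1 XGigabitEthernet2/5/0/1 2/2
4 1/2 XGigabitEthernet1/5/0/2 XGigabitEthernet2/5/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/4/0/1 XGigabitEthernet1/4/0/1 1/1
2 2/1 XGigabitEthernet2/4/0/2 XGigabitEthernet1/4/0/2 1/1
3 2/2 XGigabitEthernet2/5/0/1 XGigabitEthernet1/5/0/1 1/2
4 2/2 XGigabitEthernet2/5/0/2 XGigabitEthernet1/5/0/2 1/2
"""

MAD_VERBOSE = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
XGigabitEthernet1/1/0/10
XGigabitEthernet2/1/0/10
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
"""

STATUS_ROW = re.compile(r"^(\d+)\s+On\s+(\w+)\s+\S+\s+(\d+)\s+\S+$")
CHANNEL_ROW = re.compile(r"^\d+\s+\d+/\d+\s+(\S+)\s+(\S+)\s+\d+/\d+$")

def parse_css_status(text):
    """Map chassis id -> (status, priority), e.g. {1: ("Master", 150), 2: ("Standby", 1)}."""
    rows = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line.strip())
        if m:
            rows[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return rows

def parse_css_channel(text):
    """Count how often each physical link appears; the table lists every link once per chassis."""
    counts = {}
    for line in text.splitlines():
        m = CHANNEL_ROW.match(line.strip())
        if m:
            link = frozenset(m.groups())          # undirected: {local port, peer port}
            counts[link] = counts.get(link, 0) + 1
    return counts

def parse_mad_direct(text):
    """Return the interfaces listed under 'Mad direct detect interfaces configured:'."""
    ifaces, in_section = [], False
    for line in text.splitlines():
        if line.endswith("interfaces configured:") or line.startswith("Excluded"):
            in_section = line.startswith("Mad direct")
            continue
        if in_section and line.strip():
            ifaces.append(line.strip())
    return ifaces

def verify_css(status_text, channel_text, mad_text, expect_master=1, expect_priority=150):
    """Return a list of findings; an empty list means the CSS matches the plan."""
    findings = []
    status = parse_css_status(status_text)
    masters = [c for c, (role, _) in status.items() if role == "Master"]
    if masters != [expect_master]:
        findings.append(f"master chassis is {masters}, expected [{expect_master}]")
    if status.get(expect_master, ("", None))[1] != expect_priority:
        findings.append(f"chassis {expect_master} priority is not {expect_priority}")
    links = parse_css_channel(channel_text)
    one_sided = [sorted(link) for link, n in links.items() if n != 2]
    if one_sided:
        findings.append(f"links reported from one chassis only: {one_sided}")
    if len(links) < 2:
        findings.append("fewer than two CSS links, so there is no link redundancy")
    mad_chassis = set()
    for iface in parse_mad_direct(mad_text):
        m = re.match(r"\D+(\d+)/", iface)         # leading digit is the chassis id
        if m:
            mad_chassis.add(int(m.group(1)))
    if mad_chassis != set(status):
        findings.append(f"MAD direct interfaces on chassis {sorted(mad_chassis)}, "
                        f"expected {sorted(status)}")
    return findings

if __name__ == "__main__":
    print(verify_css(CSS_STATUS, CSS_CHANNEL, MAD_VERBOSE) or "CSS matches the data plan")
```

Counting each link from both chassis views is what makes the channel check useful after a split or a re-cabling: a link that only one chassis reports is the first thing to inspect.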

Step 2 Set up a stack.


The following uses AGG1 as an example to describe how to set up a stack. The
stack setup and configuration procedure of AGG2 is the same as that of AGG1.
1. Configure the two fixed switches according to the data plan.


If dedicated stack cables are used, skip this step.


<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] interface stack-port 0/1
[Switch1-stack-port0/1] port interface xgigabitethernet 0/0/3 xgigabitethernet 0/0/4 enable
Warning: Enabling stack function may cause configuration loss on the interface. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait......
[Switch1-stack-port0/1] quit
[Switch1] stack slot 0 priority 150 //Set the stack priority to 150 so that the switch becomes the master switch.
Warning: Please do not frequently modify Priority because it will make the stack split. Continue? [Y/N]:y
[Switch1] quit
<Switch1> save //You do not need to manually save the stack configuration because it is automatically written into the flash memory. To prevent other configurations from being lost, you are advised to run the save command to save the configurations.
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.......
Save the configuration successfully.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] interface stack-port 0/2 //Logical stack interface 1 can only be connected to logical stack interface 2. Therefore, configure logical stack interface 2.
[Switch2-stack-port0/2] port interface xgigabitethernet 0/0/3 xgigabitethernet 0/0/4 enable
Warning: Enabling stack function may cause configuration loss on the interface. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait......
[Switch2-stack-port0/2] quit
[Switch2] stack slot 0 renumber 1 //Set the stack ID to 1 and use the default stack priority 100.
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified. Please do not frequently modify slot ID because it will make the stack split. Continue? [Y/N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.
[Switch2] quit
<Switch2> save //You do not need to manually save the stack configuration because it is automatically written into the flash memory. To prevent other configurations from being lost, you are advised to run the save command to save the configurations.
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.......
Save the configuration successfully.

2. Power off the switches, and connect stack cables and the MAD cable
according to the following figure.
As shown in Figure 3-6, two S5720-56C-HI-AC switches set up a stack, and
the stack interfaces are the same as the interfaces configured in the preceding
step.

Figure 3-6 Connecting cables to set up a stack

[Figure: front panels of Switch1 (top) and Switch2 (bottom), both S5720-56C-HI. Stack cables connect the 10G/1G ports 3 and 4 of the two switches (XGE0/0/3 and XGE0/0/4, the interfaces configured in the preceding step); a separate MAD cable connects the two switches (GE0/0/10 on each member, see step 4).]

3. After the switches are restarted, check whether the stack is set up successfully.
<Switch1> display stack //The command output shows that the stack is set up successfully and that Switch1 is the master switch.
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: 0018-82d2-2e85
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master 0018-82d2-2e85 150 S5720-56C-HI-AC
1 Standby 0018-82c6-1f44 100 S5720-56C-HI-AC
<Switch1> system-view
[Switch1] sysname AGG1 //Change the stack name to one that is easier to remember.

4. Configure MAD after the stack is set up.
If the stack splits, two master switches with the same configuration appear on the network and services are affected. To detect a split, directly connect the two member switches with a MAD cable after the stack is set up. In this example the cable connects GE0/0/10 and GE1/0/10, as shown in Figure 3-6. MAD blocks the detection port for other traffic (see the warning below), so use ports that carry no other configuration.
[AGG1] interface gigabitethernet 0/0/10
[AGG1-GigabitEthernet0/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[AGG1-GigabitEthernet0/0/10] quit
[AGG1] interface gigabitethernet 1/0/10
[AGG1-GigabitEthernet1/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[AGG1-GigabitEthernet1/0/10] return
<AGG1> display mad verbose //Check the MAD configuration.
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
GigabitEthernet0/0/10
GigabitEthernet1/0/10
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
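Reading the two displays above by eye works for one stack; for many it is better to check them mechanically. The following Python script is an added example and not part of this Huawei document: it parses the display stack and display mad verbose output shown in steps 3 and 4 and reports anything that would leave the stack without device-level redundancy or without split detection (wrong member count, no single master, a master that does not hold the unique highest priority, a non-ring topology, MAD not in Detect state, or a member slot with no MAD direct-detect port). The sample text is the output printed in this section; the rule that the first number in an interface name is the stack member ID is the example's own assumption.

```python
import re

# Constructed sample input: the display stack and display mad verbose output printed
# in this section for AGG1, embedded here so the check runs offline.
DISPLAY_STACK = """\
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: 0018-82d2-2e85
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master 0018-82d2-2e85 150 S5720-56C-HI-AC
1 Standby 0018-82c6-1f44 100 S5720-56C-HI-AC
"""

DISPLAY_MAD = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
GigabitEthernet0/0/10
GigabitEthernet1/0/10
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
"""

MEMBER_RE = re.compile(
    r"^(\d+)\s+(Master|Standby|Slave)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s*$",
    re.M,
)


def slot_of(ifname):
    """Stack member ID of an interface: the first number in its name (assumption)."""
    m = re.match(r"^[A-Za-z-]+(\d+)(?:/\d+)+$", ifname)
    return int(m.group(1)) if m else None


def parse_stack(text):
    """Extract topology type and the member table from display stack output."""
    topo = re.search(r"^Stack topology type\s*:\s*(\S+)", text, re.M)
    members = [
        {"slot": int(m.group(1)), "role": m.group(2), "mac": m.group(3),
         "priority": int(m.group(4)), "model": m.group(5)}
        for m in MEMBER_RE.finditer(text)
    ]
    return {"topology": topo.group(1) if topo else None, "members": members}


def parse_mad(text):
    """Extract MAD status and the list of direct-detect interfaces."""
    status = re.search(r"^Current MAD status\s*:\s*(\S+)", text, re.M)
    direct, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                  # every section header ends with a colon
            collecting = line.startswith("Mad direct detect")
        elif collecting and line:
            direct.append(line)
    return {"status": status.group(1) if status else None, "direct": direct}


def check_stack(stack, mad, expected_members=2):
    """Return a list of findings; an empty list means the stack is healthy."""
    findings = []
    members = stack["members"]
    if len(members) != expected_members:
        findings.append(f"expected {expected_members} members, found {len(members)}")
    masters = [m for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one Master, found {len(masters)}")
    elif any(m["priority"] >= masters[0]["priority"] for m in members if m is not masters[0]):
        findings.append("master does not hold the unique highest priority; roles may change after a restart")
    if stack["topology"] != "Ring":
        findings.append(f"topology is {stack['topology']}, not Ring: one stack link failure splits the stack")
    if mad["status"] != "Detect":
        findings.append(f"MAD status is {mad['status']}, not Detect")
    mad_slots = {slot_of(i) for i in mad["direct"]}
    for m in members:
        if m["slot"] not in mad_slots:
            findings.append(f"slot {m['slot']} has no MAD direct-detect interface; a split leaves two masters undetected")
    return findings


if __name__ == "__main__":
    problems = check_stack(parse_stack(DISPLAY_STACK), parse_mad(DISPLAY_MAD))
    print("stack OK" if not problems else "\n".join(problems))
```

Run it against the output captured from each stack after step 4; the MAD slot check is the one that catches the common mistake of configuring both detection ports on the same member, which leaves a split undetected.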

Step 3 Configure Eth-Trunk interfaces between the CSS and stacks and between the stacks and access switches.
1. Configure Eth-Trunk interfaces in the CSS.
<CORE> system-view
[CORE] interface eth-trunk 10 //Create an Eth-Trunk interface for connecting to AGG1.
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
[CORE] interface eth-trunk 20 //Create an Eth-Trunk interface for connecting to AGG2.
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 1/1/0/2
[CORE-XGigabitEthernet1/1/0/2] eth-trunk 20
[CORE-XGigabitEthernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1
[CORE-XGigabitEthernet2/1/0/1] eth-trunk 20
[CORE-XGigabitEthernet2/1/0/1] quit

2. Configure Eth-Trunk interfaces on stack AGG1.


<AGG1> system-view
[AGG1] interface eth-trunk 10 //Create an Eth-Trunk interface for connecting to the CSS.
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitethernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitethernet 1/0/1
[AGG1-XGigabitEthernet1/0/1] eth-trunk 10
[AGG1-XGigabitEthernet1/0/1] quit
[AGG1] interface eth-trunk 30 //Create an Eth-Trunk interface for connecting to access switch ACC1.
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] quit
[AGG1] interface gigabitethernet 0/0/3
[AGG1-GigabitEthernet0/0/3] eth-trunk 30
[AGG1-GigabitEthernet0/0/3] quit
[AGG1] interface gigabitethernet 1/0/3
[AGG1-GigabitEthernet1/0/3] eth-trunk 30
[AGG1-GigabitEthernet1/0/3] quit

3. Configure Eth-Trunk interfaces on stack AGG2.


<AGG2> system-view
[AGG2] interface eth-trunk 20 //Create an Eth-Trunk interface for connecting to the CSS.
[AGG2-Eth-Trunk20] mode lacp
[AGG2-Eth-Trunk20] quit
[AGG2] interface xgigabitethernet 0/0/1
[AGG2-XGigabitEthernet0/0/1] eth-trunk 20
[AGG2-XGigabitEthernet0/0/1] quit
[AGG2] interface xgigabitethernet 1/0/1
[AGG2-XGigabitEthernet1/0/1] eth-trunk 20
[AGG2-XGigabitEthernet1/0/1] quit
[AGG2] interface eth-trunk 40 //Create an Eth-Trunk interface for connecting to access switch ACC2.
[AGG2-Eth-Trunk40] mode lacp
[AGG2-Eth-Trunk40] quit
[AGG2] interface gigabitethernet 0/0/3
[AGG2-GigabitEthernet0/0/3] eth-trunk 40
[AGG2-GigabitEthernet0/0/3] quit
[AGG2] interface gigabitethernet 1/0/3
[AGG2-GigabitEthernet1/0/3] eth-trunk 40
[AGG2-GigabitEthernet1/0/3] quit

4. Configure an Eth-Trunk interface on access switch ACC1.


<ACC1> system-view
[ACC1] interface eth-trunk 30 //Create an Eth-Trunk interface for connecting to stack AGG1.
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] eth-trunk 30
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] eth-trunk 30
[ACC1-GigabitEthernet0/0/2] quit

5. Configure an Eth-Trunk interface on access switch ACC2.


<ACC2> system-view
[ACC2] interface eth-trunk 40 //Create an Eth-Trunk interface for connecting to stack AGG2.
[ACC2-Eth-Trunk40] mode lacp
[ACC2-Eth-Trunk40] quit
[ACC2] interface gigabitethernet 0/0/1
[ACC2-GigabitEthernet0/0/1] eth-trunk 40
[ACC2-GigabitEthernet0/0/1] quit
[ACC2] interface gigabitethernet 0/0/2
[ACC2-GigabitEthernet0/0/2] eth-trunk 40
[ACC2-GigabitEthernet0/0/2] quit

----End


Configuration Scripts

The CSS and stack configurations are not recorded in the configuration file, but are instead
directly written into the flash memory. Therefore, the configuration file does not contain
the CSS and stack configurations, and contains only the MAD and Eth-Trunk interface
configurations.
● CSS configuration file
#
sysname CORE
#
interface Eth-Trunk10
mode lacp
#
interface Eth-Trunk20
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return

● Stack AGG1 configuration file


#
sysname AGG1
#
interface Eth-Trunk10
mode lacp
#
interface Eth-Trunk30
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return


● Stack AGG2 configuration file


#
sysname AGG2
#
interface Eth-Trunk20
mode lacp
#
interface Eth-Trunk40
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

● ACC1 configuration file


#
sysname ACC1
#
interface Eth-Trunk30
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
return

● ACC2 configuration file


#
sysname ACC2
#
interface Eth-Trunk40
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
return


3.5 Native AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, a CSS of core switches functions as the gateway for wired and
wireless users on the entire network and is responsible for routing and forwarding
of user services on the entire network.

Figure 3-7 Core switches functioning as the gateway for wired and wireless users

[Figure: topology. Core layer: CSS CORE; XGE1/2/0/1 connects to the server zone (RADIUS and DNS servers); XGE1/1/0/1 and XGE2/1/0/2 form Eth-Trunk 10 to AGG1; XGE1/1/0/2 and XGE2/1/0/1 form Eth-Trunk 20 to AGG2. Aggregation layer: stacks AGG1 and AGG2, each with XGE0/0/1 and XGE1/0/1 in the uplink Eth-Trunk and GE0/0/3 and GE1/0/3 in the downlink Eth-Trunk (Eth-Trunk 30 from AGG1 to ACC1, Eth-Trunk 40 from AGG2 to ACC2). Access layer: ACC1 and ACC2 with uplinks GE0/0/1 and GE0/0/2; ACC1 GE0/0/3 connects PC1 and GE0/0/4 connects AP1; ACC2 GE0/0/3 connects PC2 and GE0/0/4 connects AP2.]


Device Requirements and Versions

Location           Device Requirement                                             Device Used in This Example   Version Used in This Example
Core layer         Modular switches configured with X series cards, or Layer 3    S12700E                       V200R019C10
                   fixed switches that support the native AC function, such as
                   S5731-H switches
Aggregation layer  -                                                              S5731-H
Access layer       -                                                              S5735-L
AP                 -                                                              AP6050DN                      V200R019C00

Deployment Roadmap

Step  Deployment Roadmap                                                                                                    Devices Involved
1     Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces on switches.                               Core and aggregation switches
2     Configure interfaces and VLANs on switches to implement Layer 2 communication.                                       Core, aggregation, and access switches
3     Configure DHCP on the CSS so that the CSS functions as the DHCP server to assign IP addresses to wired and wireless users.   Core switches
4     Configure wireless services on switches so that APs and STAs can go online.                                         Core switches


Data Plan

Table 3-4 Service data plan for core switches

Item                                  VLAN ID    Network Segment
Management VLAN for APs               VLAN 20    192.168.20.0/24
Service VLANs for wireless users      VLAN 30    172.16.30.0/24
                                      VLAN 40    172.16.40.0/24
Service VLAN for a wired user (PC1)   VLAN 50    172.16.50.0/24
Service VLAN for a wired user (PC2)   VLAN 60    172.16.60.0/24
VLAN for communication with servers   VLAN 1000  192.168.11.0/24 (VLANIF 1000 address: 192.168.11.254)

Table 3-5 Wireless service data plan for core switches

Item                        Data
AP group                    ap-group1
Regulatory domain profile   domain1
SSID profiles               ssid1 (SSID test01), ssid2 (SSID test02)
Security profiles           sec1, sec2
Traffic profiles            traff1, traff2 (Layer 2 user isolation)
VAP profiles                vap1, vap2 (the data forwarding mode in the VAP profiles is tunnel forwarding)

Deployment Precautions
● Do not use VLAN 1 as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1 (undo port trunk allow-pass vlan 1 on trunk interfaces, as in the procedure below). Allow an interface to carry only the VLANs its services require; never allow an interface to carry all VLANs.
● In tunnel forwarding mode, the management VLAN and the service VLANs must be different. Otherwise MAC address flapping occurs and packets are forwarded incorrectly. The network between the AC and the APs needs to permit only packets tagged with the management VLAN ID and must deny packets tagged with the service VLAN IDs.
● In tunnel forwarding mode, service packets from APs are encapsulated in CAPWAP data tunnels and sent to the AC, which then forwards them to the upper-layer network. Service and management packets are therefore transmitted correctly when the interfaces that connect the AC to the APs are added to the management VLAN and the interface that connects the AC to the upper-layer network is added to a service VLAN.

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on core switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Configure an Eth-Trunk interface for connecting to AGG1. The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description con to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 20 50
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to the server zone (Agile Controller-Campus) to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 50

# Configure an Eth-Trunk interface for connecting to CORE.


[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] quit

# Configure a downlink interface for connecting to ACC1.


[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] port-isolate enable
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50

# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type access
[ACC1-GigabitEthernet0/0/4] port default vlan 20
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit
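The hardening in Steps 2 to 4 (trunks that deny VLAN 1 and carry only the planned VLANs, access ports with port isolation and STP edge-port protection) and the cross-member Eth-Trunks of 3.4 are easy to get right on the ports shown and wrong on the rest of a 48-port switch. The following Python script is an added example, not part of this document, that audits a saved VRP configuration file for those conditions: a trunk interface that still passes VLAN 1 or passes all VLANs, an access port without port-isolate enable or stp edged-port enable, and an Eth-Trunk whose physical members all sit in one stack member. The sample configuration is constructed in the style of the AGG1 file in this chapter, with two deliberately weak stanzas (Eth-Trunk50 and GigabitEthernet0/0/5) added for the audit to flag; the rule that the first number in an interface name is the stack member ID is an assumption. Server-facing access ports such as XGE1/2/0/1 on CORE are flagged too and should be reviewed rather than silently excluded.

```python
import re

# Constructed sample configuration in the style of the AGG1 file in this chapter,
# with two deliberately weak stanzas added (Eth-Trunk50 and GigabitEthernet0/0/5).
SAMPLE_CONFIG = """\
#
sysname AGG1
#
interface Eth-Trunk10
 mode lacp
 port link-type trunk
 port trunk allow-pass vlan 20 50
 undo port trunk allow-pass vlan 1
#
interface Eth-Trunk30
 mode lacp
 port link-type trunk
 port trunk allow-pass vlan 20 50
 port-isolate enable
 undo port trunk allow-pass vlan 1
#
interface Eth-Trunk50
 mode lacp
 port link-type trunk
 port trunk allow-pass vlan 20 50
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 50
#
interface GigabitEthernet0/0/6
 eth-trunk 50
#
interface GigabitEthernet0/0/7
 eth-trunk 50
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
return
"""

SLOT_RE = re.compile(r"^[A-Za-z-]+(\d+)(?:/\d+)+$")   # first number = stack member ID (assumption)
ACCESS_REQUIRED = ("port-isolate enable", "stp edged-port enable")


def parse_interfaces(config):
    """Map interface name -> list of commands, using the '#' stanza separators of VRP."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line:
            ifaces[current].append(line)
    return ifaces


def audit(config):
    """Return findings for VLAN 1 leakage, unhardened access ports and single-member Eth-Trunks."""
    ifaces = parse_interfaces(config)
    findings = []
    trunk_slots = {}        # Eth-Trunk ID -> set of stack member IDs of its physical members
    for name, cmds in ifaces.items():
        if "port link-type trunk" in cmds:
            if "undo port trunk allow-pass vlan 1" not in cmds:
                findings.append(f"{name}: trunk still passes VLAN 1")
            if any(c.startswith("port trunk allow-pass vlan all") for c in cmds):
                findings.append(f"{name}: trunk passes all VLANs")
        if "port link-type access" in cmds:
            for required in ACCESS_REQUIRED:
                if required not in cmds:
                    findings.append(f"{name}: access port missing '{required}'")
        member = SLOT_RE.match(name)
        for c in cmds:
            if c.startswith("eth-trunk ") and member:
                trunk_slots.setdefault(int(c.split()[1]), set()).add(int(member.group(1)))
    for trunk_id, slots in sorted(trunk_slots.items()):
        if len(slots) < 2:
            findings.append(f"Eth-Trunk{trunk_id}: all members in stack slot {next(iter(slots))}; no device-level redundancy")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of display current-configuration saved from each switch; Eth-Trunk10 and Eth-Trunk30 in the sample pass every check, while Eth-Trunk50 and GigabitEthernet0/0/5 produce the four findings the script prints.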

Step 5 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.

# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit

# Create VLANIF 20 for wireless management and configure CORE to assign IP addresses to APs from the interface address pool.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-Vlanif20] dhcp select interface
[CORE-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wireless service VLAN. Without it, wireless users in this VLAN cannot communicate with each other through the AC; configure it only if that communication is actually required.
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wireless service VLAN. Without it, wireless users in this VLAN cannot communicate with each other through the AC; configure it only if that communication is actually required.
[CORE-Vlanif40] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Without it, wired users in this VLAN (isolated by port-isolate on the access ports) cannot communicate with each other; configure it only if that communication is actually required.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Without it, wired users in this VLAN (isolated by port-isolate on the access ports) cannot communicate with each other; configure it only if that communication is actually required.
[CORE-Vlanif60] quit

# Create Layer 3 interface VLANIF 1000 for connecting to the server zone.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit

Step 6 Configure APs to go online on CORE.


# Configure the AC's source interface.
[CORE] capwap source interface vlanif 20 //VLAN 20 is the management VLAN for APs.

# Create an AP group to add APs with the same configurations to the AP group.
[CORE] wlan
[CORE-wlan-view] ap-group name ap-group1
[CORE-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-wlan-view] regulatory-domain-profile name domain1
[CORE-wlan-regulate-domain-domain1] country-code cn
[CORE-wlan-regulate-domain-domain1] quit
[CORE-wlan-view] ap-group name ap-group1
[CORE-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-ap-group1] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-wlan-ap-1] ap-name area_1
[CORE-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-1] quit
[CORE-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-wlan-ap-2] ap-name area_2
[CORE-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-2] quit
[CORE-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE to check
the AP running status. The command output shows that the State field displays
nor, indicating that the APs are in normal state.
[CORE] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.220 AP6050DN nor 0 58S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.163 AP6050DN nor 0 1M:40S -
------------------------------------------------------------------------------------------------------

Step 7 Configure CORE so that STAs can go online.

# Configure WLAN service parameters. The security profiles sec1 and sec2 are created without a security policy, so both SSIDs use the default open authentication; configure a security policy in the security profiles before the SSIDs carry production traffic.


[CORE] wlan
[CORE-wlan-view] security-profile name sec1
[CORE-wlan-sec-prof-sec1] quit
[CORE-wlan-view] ssid-profile name ssid1
[CORE-wlan-ssid-prof-ssid1] ssid test01
[CORE-wlan-ssid-prof-ssid1] quit
[CORE-wlan-view] traffic-profile name traff1
[CORE-wlan-traffic-prof-traff1] user-isolate l2
[CORE-wlan-traffic-prof-traff1] quit
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] ssid-profile name ssid2
[CORE-wlan-ssid-prof-ssid2] ssid test02
[CORE-wlan-ssid-prof-ssid2] quit
[CORE-wlan-view] traffic-profile name traff2
[CORE-wlan-traffic-prof-traff2] user-isolate l2
[CORE-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-wlan-vap-prof-vap1] security-profile sec1
[CORE-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit


IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device so that dynamic binding entries are generated automatically (done for VLANs 30 to 60 in Step 5).
● For users with static IP addresses, configure static binding entries manually.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
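As the note above says, ip source check user-bind and arp anti-attack check user-bind only drop what does not match a binding entry, so the binding table is what actually enforces the IP-to-MAC-to-port relationship, and a host with a static address is dropped until a static entry exists for it. The following Python model is an added example, not Huawei code and not a description of the switch's internal tables: it shows how such a table is populated (dynamic entries from DHCP snooping, accepted only when the server reply arrives on a trusted port; static entries added by hand, as for fixed-IP hosts) and what the IPSG and DAI checks then permit or drop. Ports, MACs and addresses are constructed from the data plan of this example (PC1 on ACC1 GE0/0/3 in VLAN 50); the fixed-IP host, the trusted-port rule and the lease-expiry handling are the example's own modelling choices.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires: Optional[float]   # None marks a static (manually configured) entry


class BindingTable:
    """Model of a DHCP snooping binding table with IPSG and DAI lookups."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)                 # ports allowed to carry DHCP server replies
        self.pending: Dict[Tuple[str, int], str] = {}     # (mac, vlan) -> port the client's request came from
        self.entries: Dict[Tuple[str, int], Binding] = {}

    def on_dhcp_request(self, port, vlan, mac):
        # Client messages are accepted from any port; remember where the client lives.
        self.pending[(mac, vlan)] = port

    def on_dhcp_ack(self, ingress_port, vlan, mac, ip, lease, now):
        # Server replies are honoured only from trusted ports: an ACK arriving on an
        # untrusted user port is a rogue DHCP server and is dropped without effect.
        if ingress_port not in self.trusted:
            return False
        client_port = self.pending.pop((mac, vlan), None)
        if client_port is None:
            return False            # no matching request was seen by this switch
        self.entries[(mac, vlan)] = Binding(mac, ip, vlan, client_port, now + lease)
        return True

    def add_static(self, mac, ip, vlan, port):
        # Equivalent of a manually configured static binding for a fixed-IP host.
        self.entries[(mac, vlan)] = Binding(mac, ip, vlan, port, None)

    def lookup(self, mac, vlan, now):
        b = self.entries.get((mac, vlan))
        if b is not None and b.expires is not None and b.expires <= now:
            del self.entries[(mac, vlan)]   # lease ran out: the dynamic entry ages out
            return None
        return b

    def ipsg_permit(self, port, vlan, src_mac, src_ip, now):
        # IP source guard: the packet's (port, VLAN, source MAC, source IP) must match a binding.
        b = self.lookup(src_mac, vlan, now)
        return b is not None and b.ip == src_ip and b.port == port

    def dai_permit(self, port, vlan, sender_mac, sender_ip, now):
        # Dynamic ARP inspection applies the same test to the ARP sender fields,
        # which stops a user port from claiming the gateway address.
        return self.ipsg_permit(port, vlan, sender_mac, sender_ip, now)


def scenario():
    """Walk a DHCP client, a rogue server, a spoofer and a fixed-IP host through the table."""
    t = BindingTable(trusted_ports={"Eth-Trunk30"})   # ACC1 uplink toward CORE, the DHCP server
    now, lease = 0.0, 86400
    pc1, pc1_port = "001b-21c4-820f", "GigabitEthernet0/0/3"
    host, host_port = "0050-56aa-bb01", "GigabitEthernet0/0/7"   # constructed fixed-IP host

    t.on_dhcp_request(pc1_port, 50, pc1)
    ack_ok = t.on_dhcp_ack("Eth-Trunk30", 50, pc1, "172.16.50.167", lease, now)
    rogue_ok = t.on_dhcp_ack("GigabitEthernet0/0/5", 50, pc1, "172.16.50.9", lease, now)

    static_before = t.ipsg_permit(host_port, 50, host, "172.16.50.200", now)
    t.add_static(host, "172.16.50.200", 50, host_port)

    return {
        "dhcp_ack_accepted": ack_ok,
        "rogue_ack_accepted": rogue_ok,
        "pc1_own_ip": t.ipsg_permit(pc1_port, 50, pc1, "172.16.50.167", now),
        "pc1_spoofs_ip": t.ipsg_permit(pc1_port, 50, pc1, "172.16.50.200", now),
        "pc1_moved_port": t.ipsg_permit("GigabitEthernet0/0/5", 50, pc1, "172.16.50.167", now),
        "pc1_arp_claims_gateway": t.dai_permit(pc1_port, 50, pc1, "172.16.50.1", now),
        "static_host_before_binding": static_before,
        "static_host_after_binding": t.ipsg_permit(host_port, 50, host, "172.16.50.200", now),
        "pc1_after_lease_expiry": t.ipsg_permit(pc1_port, 50, pc1, "172.16.50.167", now + lease),
    }


if __name__ == "__main__":
    for name, permitted in scenario().items():
        print(f"{name}: {'permit' if permitted else 'drop'}")
```

The same logic explains learn-client-address dhcp-strict on the VAP profiles: a STA whose address was never learned from a DHCP exchange has no entry and is dropped, which is the intended behaviour for the wireless VLANs here.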

# Bind VAP profiles to the AP group.


[CORE-wlan-view] ap-group name ap-group1
[CORE-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[CORE-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[CORE-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[CORE-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[CORE-wlan-ap-group-ap-group1] quit
[CORE-wlan-view] quit

----End

Verifying the Deployment


Expected Result
Wired and wireless users can access the campus network.
Verification Method
● Run the following command on CORE. The command output shows that APs
have obtained IP addresses successfully.
[CORE] display ip pool interface Vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
162 192.168.20.163 ac85-3d95-d802 DHCP 82322 Used
219 192.168.20.220 ac85-3d95-d801 DHCP 77430 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command outputs show that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface Vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.88.77.157
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
166 172.16.50.167 001b-21c4-820f DHCP 85922 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface Vlanif60 used
Pool-name : Vlanif60
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
132 172.16.60.133 001b-21c4-820f DHCP 85899 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.


# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE.
[CORE] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the wireless user connected to AP1.


C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:


Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
return

# AGG1 configuration file


#
sysname AGG1
#
vlan batch 20 50
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# AGG2 configuration file


#
sysname AGG2
#
vlan batch 20 60
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

# ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2 configuration file


#
sysname ACC2
#
vlan batch 20 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

3.6 Native AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. Aggregation switches set up stacks to implement device-level backup and
increase the interface density and forwarding bandwidth. In addition, aggregation
switches are configured with the native AC function to manage APs and transmit
wireless service traffic on the entire network, implementing wired and wireless
convergence.
In this example, aggregation switches set up stacks that function as gateways for
wired and wireless users on the entire network and are responsible for routing and
forwarding of user services.

Figure 3-8 Aggregation switches functioning as gateways for wired and wireless users

[Figure: Server zone (including RADIUS and DNS servers) attached to CORE on XGE1/2/0/1. Core layer: CORE (CSS), Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) to AGG1 and Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1) to AGG2. Aggregation layer: AGG1 and AGG2, uplinks XGE0/0/1 and XGE1/0/1; Eth-Trunk 30 (GE0/0/3, GE1/0/3) from AGG1 to ACC1 and Eth-Trunk 40 (GE0/0/3, GE1/0/3) from AGG2 to ACC2. Access layer: ACC1 and ACC2, uplinks GE0/0/1 and GE0/0/2; on ACC1, GE0/0/3 to PC1 and GE0/0/4 to AP1; on ACC2, GE0/0/3 to PC2 and GE0/0/4 to AP2.]

Device Requirements and Versions

Location          | Device Requirement                                                                      | Device Used in This Example | Version Used in This Example
Core layer        | -                                                                                       | S12700E                     | V200R019C10
Aggregation layer | ● Modular switches configured with X series cards                                       | S5731-H                     |
                  | ● Layer 3 fixed switches that support the native AC function, such as S5731-H switches  |                             |
Access layer      | -                                                                                       | S5735-L                     |
AP                | -                                                                                       | AP6050DN                    | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap                                                                                                            | Devices Involved
1    | Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces on switches.                                        | Core and aggregation switches
2    | Configure interfaces and VLANs on switches to implement Layer 2 communication.                                                 | Core, aggregation, and access switches
3    | Configure VLANIF interfaces on switches and assign IP addresses to the VLANIF interfaces.                                      | Core and aggregation switches
4    | Configure DHCP on switches so that the switches function as DHCP servers to assign IP addresses to wired and wireless users.   | Aggregation switches
5    | Configure routing on switches to implement Layer 3 communication.                                                             | Core and aggregation switches
6    | Configure wireless services on switches so that APs and STAs can go online.                                                   | Aggregation switches

Data Plan

Table 3-6 Service data plan for core switches

Item                                            | VLAN ID   | Network Segment
Network segment for communication with AGG1     | VLAN 70   | 172.16.70.0/24
Network segment for communication with AGG2     | VLAN 80   | 172.16.80.0/24
Network segment for communication with servers  | VLAN 1000 | 192.168.100.0/24

Table 3-7 Service data plan for aggregation switches

Device | Item                                         | VLAN ID            | Network Segment
AGG1   | Management VLAN for APs                      | VLAN 20            | 192.168.20.0/24
AGG1   | Service VLANs for wireless users             | VLAN 30 (employee) | 172.16.30.0/24
AGG1   | Service VLANs for wireless users             | VLAN 31 (guest)    | 172.16.31.0/24
AGG1   | Service VLAN for wired users                 | VLAN 50            | 172.16.50.0/24
AGG1   | Network segment for communication with CORE  | VLAN 70            | 172.16.70.0/24
AGG2   | Management VLAN for APs                      | VLAN 21            | 192.168.21.0/24
AGG2   | Service VLANs for wireless users             | VLAN 40 (employee) | 172.16.40.0/24
AGG2   | Service VLANs for wireless users             | VLAN 41 (guest)    | 172.16.41.0/24
AGG2   | Service VLAN for wired users                 | VLAN 60            | 172.16.60.0/24
AGG2   | Network segment for communication with CORE  | VLAN 80            | 172.16.80.0/24

Table 3-8 Wireless service data plan for aggregation switches

Item                      | AGG1 Data                                                                          | AGG2 Data
Traffic profile           | traff: the user isolation mode is Layer 2 isolation and Layer 3 communication.      | Same as AGG1
Security profiles         | ● Employee: sec1  ● Guest: sec2                                                    | Same as AGG1
SSID profiles             | ● Employee: ssid1  ● Guest: ssid2                                                  | Same as AGG1
AP group                  | ap-group1                                                                          | ap-group2
Regulatory domain profile | domain1                                                                            | domain2
VAP profiles              | ● Employee: vap1  ● Guest: vap2  ● Data forwarding mode: tunnel forwarding         | Same as AGG1

Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
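The precautions above, together with the IPSG prerequisite described in Step 9 (binding entries come from DHCP snooping on the service VLAN), can be checked mechanically against the plain-text configuration files at the end of this section. The Python linter below is an added example, not part of this guide or of Huawei's software; it assumes the '#'-delimited configuration-file layout used in this section, takes the VLAN of the capwap source interface as the management VLAN and the line 'port trunk allow-pass vlan all' as the form of "transmit packets from all VLANs", and runs on a constructed sample configuration.

```python
"""Added example (not from the Huawei guide): lint a VRP-style configuration for the
deployment precautions above and the IPSG binding prerequisite noted in Step 9."""
import re

# Constructed sample with deliberate faults: a trunk that keeps VLAN 1 and carries all
# VLANs, and a tunnel-mode VAP on the management VLAN (20), which has no DHCP snooping.
SAMPLE_CONFIG = """\
vlan 30
 dhcp snooping enable
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan all
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 20
  ip source check user-bind enable
"""

def split_blocks(config):
    """'#'-delimited blocks of stripped, non-empty lines, the layout of the configuration files."""
    blocks, cur = [], []
    for line in map(str.strip, config.splitlines()):
        if line == "#":
            blocks, cur = blocks + ([cur] if cur else []), []
        elif line:
            cur.append(line)
    return blocks + ([cur] if cur else [])

def check_trunks(blocks):
    """Precaution 1: every trunk drops VLAN 1 and does not carry all VLANs."""
    out = []
    for b in (b for b in blocks if b[0].startswith("interface ") and "port link-type trunk" in b):
        name = b[0].split(None, 1)[1]
        if "undo port trunk allow-pass vlan 1" not in b:
            out.append(f"{name}: trunk still allows VLAN 1 (VRP allows it by default)")
        if "port trunk allow-pass vlan all" in b:
            out.append(f"{name}: trunk allows all VLANs")
    return out

def management_vlan(blocks):
    """VLAN of the CAPWAP source VLANIF ('capwap source interface vlanif20' -> 20)."""
    for line in (l for b in blocks for l in b):
        if (m := re.match(r"capwap source interface vlanif\s*(\d+)$", line)):
            return int(m[1])
    return None

def snooped_vlans(blocks):
    """VLAN IDs with 'dhcp snooping enable' in VLAN view (source of dynamic binding entries)."""
    vlans, cur = set(), None
    for line in (l for b in blocks for l in b):
        m = re.match(r"vlan (\d+)$", line)
        cur = int(m[1]) if m else cur
        if line == "dhcp snooping enable" and cur is not None:
            vlans.add(cur)
    return vlans

def vap_profiles(blocks):
    """{name: {'tunnel', 'vlan', 'ipsg'}} for each VAP profile found in the wlan block."""
    profiles, cur = {}, None
    for line in (l for b in blocks if b[0] == "wlan" for l in b[1:]):
        m = re.match(r"(\S+) name (\S+)$", line)
        if m:  # a new profile or AP group starts; only VAP profiles are tracked
            cur = {"tunnel": False, "vlan": None, "ipsg": False} if m[1] == "vap-profile" else None
            if cur is not None:
                profiles[m[2]] = cur
        elif cur is not None:
            if line == "forward-mode tunnel":
                cur["tunnel"] = True
            elif line == "ip source check user-bind enable":
                cur["ipsg"] = True
            elif (v := re.match(r"service-vlan vlan-id (\d+)$", line)):
                cur["vlan"] = int(v[1])
    return profiles

def check_vap_profiles(blocks):
    """Precaution 2 (service VLAN != management VLAN in tunnel mode) and the IPSG prerequisite."""
    out, mgmt, snooped = [], management_vlan(blocks), snooped_vlans(blocks)
    for name, p in vap_profiles(blocks).items():
        if p["tunnel"] and p["vlan"] == mgmt:
            out.append(f"vap-profile {name}: service VLAN {p['vlan']} is the management VLAN (tunnel mode)")
        if p["ipsg"] and p["vlan"] not in snooped:
            out.append(f"vap-profile {name}: IPSG enabled but VLAN {p['vlan']} has no DHCP snooping")
    return out

def lint(config):
    blocks = split_blocks(config)
    return check_trunks(blocks) + check_vap_profiles(blocks)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Running the block on the sample reports two trunk findings for Eth-Trunk30 and two VAP findings for vap2; a configuration written as in this section's configuration files produces no findings.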

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.

For details, see 3.4 Typical CSS and Stack Deployment.

Step 2 Configure interfaces and VLANs on CORE.

# Create VLANs.
[CORE] vlan batch 70 80 1000

# Configure an Eth-Trunk interface for connecting to AGG1. The configuration of
the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to a server to VLAN 1000.


[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.


[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] quit

# Configure a downlink interface for connecting to ACC1.


[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port-isolate enable
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50

# Configure an uplink interface for connecting to AGG1.


[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type access
[ACC1-GigabitEthernet0/0/4] port default vlan 20
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit

Step 5 Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF
interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.


[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.


[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit

Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create VLANIF 20 for wireless management and configure AGG1 to assign IP


addresses to APs from the interface address pool.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG1-Vlanif20] dhcp select interface
[AGG1-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and
configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.100.2
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable
[AGG1-Vlanif31] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable
[AGG1-Vlanif50] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.


[AGG1] interface vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

Step 7 Configure routing on core and aggregation switches to implement Layer 3
communication. You can configure a routing protocol based on actual
requirements. In this example, OSPF is used.

# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.


[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] quit

Step 8 Configure wireless services on AGG1 so that AP1 can go online. The configuration
on AGG2 is similar.

# Configure the AC's source interface.
[AGG1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac ac85-3da6-a420
[AGG1-wlan-ap-1] ap-name area_1
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG1 to check the
AP running status. The command output shows that the State field displays nor,
indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
-----------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------
1 ac85-3da6-a420 area_1 ap-group1 192.168.20.43 AP6050DN nor 0 4S -
-----------------------------------------------------------------------------------------------------

Step 9 Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles,
and a traffic profile.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit

# Create VAP profiles, configure the service data forwarding mode and service
VLANs, apply security profiles, SSID profiles, and the traffic profile, and enable
IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG1-wlan-vap-prof-vap2] traffic-profile traff
[AGG1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.

# Bind VAP profiles to the AP group.
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG1-wlan-ap-group-ap-group1] quit
[AGG1-wlan-view] quit

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 as an example. The verification method on AGG2 is
similar.
● Run the following command on AGG1. The command output shows that an
AP has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
42 192.168.20.43 ac85-3da6-a420 DHCP 85890 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command output shows that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
173 172.16.50.174 001b-21c4-820f DHCP 86380 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.


# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
PING 192.168.100.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=62 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=62 time=10 ms
Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=62 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=62 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=62 time=1 ms

--- 192.168.100.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on AGG1.
[AGG1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
483f-e95a-eee0 1 area_1 1/1 5G 11n 144/133 -47 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the wireless user connected to AP1.


C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:


Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2

area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2

security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
return

# ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1

#
return

# ACC2 configuration file
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return

3.7 Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Core, aggregation, and access
switches set up an SVF system. In the SVF system, the CSS of core switches
functions as the parent, and aggregation and access switches function as ASs. The
parent manages and configures ASs in a unified manner.

In this example, core switches set up a CSS that functions as the gateway for
wired and wireless users on the entire network and is responsible for routing and
forwarding of user services on the entire network.

Figure 3-9 Native AC + SVF solution: the parent containing core switches functioning as the gateway for wired and wireless users

[Figure: topology diagram. Core layer: CORE, a CSS that is the SVF parent, with XGE1/2/0/1 to the server zone (including RADIUS and DNS servers), Eth-Trunk 10 (XGE1/1/0/1 and XGE2/1/0/2) down to AGG1 and Eth-Trunk 20 (XGE1/1/0/2 and XGE2/1/0/1) down to AGG2. Aggregation layer: AGG1 (as-layer1-1) and AGG2 (as-layer1-2), level-1 ASs, uplinks XGE0/0/1 and XGE1/0/1, downlinks GE0/0/3 and GE1/0/3 in Eth-Trunk 30 and Eth-Trunk 40. Access layer: ACC1 (as-layer2-1) and ACC2 (as-layer2-2), level-2 ASs, uplinks GE0/0/1 and GE0/0/2, GE0/0/3 to PC1 and PC2, GE0/0/4 to AP1 and AP2.]

Device Requirements and Versions

Location           Device Requirement                                   Device Used in This Example  Version Used in This Example
-----------------  ---------------------------------------------------  ---------------------------  ----------------------------
Core layer         ● Modular switches configured with X series cards    S12700E                      V200R019C10
                   ● Layer 3 fixed switches that support the native
                     AC function, such as S5731-H switches
Aggregation layer  -                                                    S5731-H
Access layer       -                                                    S5735-L
AP                 -                                                    AP6050DN                     V200R019C00

Deployment Roadmap

Step  Deployment Roadmap                                                       Devices Involved
----  -----------------------------------------------------------------------  -------------------------------------
1     Configure CSS and stacking on switches.                                  Core and aggregation switches
2     Configure interfaces and VLANs on switches to implement Layer 2          Core switches
      communication.
3     Configure DHCP on the CSS so that the CSS functions as the DHCP server   Core switches
      to assign IP addresses to wired and wireless users.
4     Configure the CSS of core switches as the parent to set up an SVF        Core, aggregation, and access switches
      system with level-1 and level-2 ASs.
5     Configure wireless services on core switches so that APs and STAs can    Core switches
      go online.
Data Plan

Table 3-9 Service data plan for core switches

Item                                            VLAN ID    Network Segment
----------------------------------------------  ---------  ----------------
Management VLAN                                 VLAN 20    192.168.20.0/24
Service VLANs for wireless users (AP1)          VLAN 30    172.16.30.0/24
                                                VLAN 40    172.16.40.0/24
Service VLAN for a wired user (PC1)             VLAN 50    172.16.50.0/24
Service VLAN for a wired user (PC2)             VLAN 60    172.16.60.0/24
Network segment for communication with servers  VLAN 1000  192.168.11.0/24

Table 3-10 Wireless service data plan for core switches

Item                       Data
-------------------------  -------------------------------------------------------------------------
AP group                   ap-group
Regulatory domain profile  domain
SSID profiles              ssid1, ssid2
VAP profiles               vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 3-11 Data plan for the SVF system

Item                                                  Data
----------------------------------------------------  --------------------------------------------------------------------------
Parent                                                CSS of two S12700E switches
Parent's cards connected to ASs                       X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs                          as-layer1-1: 00e0-0001-0011
                                                      as-layer1-2: 00e0-0001-0022
                                                      as-layer2-1: 00e0-0001-0033
                                                      as-layer2-2: 00e0-0001-0044
Management VLAN of the SVF system                     VLAN 20
IP address of the management VLANIF interface         192.168.20.1/24
Parent's interfaces connected to as-layer1-1          XGE1/1/0/1 and XGE2/1/0/2 (the interfaces shown in Figure 3-9 and used
                                                      in the procedure)
                                                      Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.
Parent's interfaces connected to as-layer1-2          XGE1/1/0/2 and XGE2/1/0/1
                                                      Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1     GE0/0/3 and GE1/0/3
                                                      Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2     GE0/0/3 and GE1/0/3
                                                      Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.
as-layer2-1's interface connected to AP1              GE0/0/4
                                                      Add the interface to an AP port group.
as-layer2-2's interface connected to AP2              GE0/0/4
                                                      Add the interface to an AP port group.
AS authentication mode                                Whitelist authentication
Service configuration of an AS administrator profile  Administrator profile admin_profile, in which the administrator user name
                                                      and password are configured
                                                      AS group admin_group, which includes all ASs
                                                      Bind the administrator profile admin_profile to the AS group admin_group.
Service configuration of AS network basic profiles    Network basic profile basic_profile_1, in which VLAN 50 is configured as
                                                      the VLAN from which packets are allowed to pass through
                                                      Network basic profile basic_profile_2, in which VLAN 60 is configured as
                                                      the VLAN from which packets are allowed to pass through
                                                      Network basic profile basic_profile_3, in which VLAN 50 is configured as
                                                      the VLAN from which packets are allowed to pass through
                                                      Network basic profile basic_profile_4, in which VLAN 60 is configured as
                                                      the VLAN from which packets are allowed to pass through
                                                      Port group port_group_1, which includes all downlink interfaces of
                                                      as-layer1-1
                                                      Port group port_group_2, which includes all downlink interfaces of
                                                      as-layer1-2
                                                      Port group port_group_3, which includes all downlink interfaces (except
                                                      GigabitEthernet 0/0/4 connected to an AP) of as-layer2-1
                                                      Port group port_group_4, which includes all downlink interfaces (except
                                                      GigabitEthernet 0/0/4 connected to an AP) of as-layer2-2
                                                      Bind network basic profile basic_profile_1 to port group port_group_1.
                                                      Bind network basic profile basic_profile_2 to port group port_group_2.
                                                      Bind network basic profile basic_profile_3 to port group port_group_3.
                                                      Bind network basic profile basic_profile_4 to port group port_group_4.

Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● When an AS goes online, it must be unconfigured (have no startup
configuration file) and must have no input on its console interface. Before
connecting an AS to an SVF system, you are advised to remove the cable from
the console interface.
● Each AS can be a stack of up to five member devices that are the same model
and provide the same number or different numbers of interfaces. An AS can
be a stack of devices of the same series but different models. In such an AS,
you can run the slot command to change the preconfigured device model.
● Each AS has a unique management MAC address. By default, the device MAC
address is used as the management MAC address. In this case, you can view
the MAC address on the MAC address label attached to the device. To specify
the management MAC address of an AS, run the as access manage-mac
command.
● If an AS is a stack, its name and MAC address have been preconfigured on the
parent of an SVF system, and the AS goes online and is connected to the SVF
system, you are advised to set up the stack for the AS and configure the
preconfigured MAC address as the management MAC address. When
preconfiguring the name and MAC address of the AS, configure the MAC
address of the stack master switch as the MAC address. In this case, the
management MAC address of the AS is the same as the preconfigured MAC
address by default, and no management MAC address needs to be configured.
If you configure the name and MAC address of the AS after it goes online and
is connected to the SVF system, the management MAC address does not need
to be configured.
● If switches whose downlink service interfaces can be configured as stack
member interfaces set up a stack through these interfaces, the switches
cannot join an SVF system as ASs.
● If downlink service interfaces of an AS are configured as member interfaces of
an uplink fabric port, all the downlink interfaces of the AS cannot be
configured as stack member interfaces.
● When replacing a faulty AS, pay attention to the following points:
– The AS can be replaced with only a device of the same model. If the new
device is of a different model, it joins the SVF system as a new AS and
does not inherit services of the replaced AS.
– Only a standalone AS can be replaced. If an AS is a stack, it cannot be
replaced.
– To ensure that a new AS that replaces the faulty AS can be successfully
authenticated, run the auth-mode none command to set the AS
authentication mode to none authentication, or run the whitelist mac-
address command to add the management MAC address of the new AS
to the whitelist. If the new AS has no management MAC address
configured, the system MAC address is used as the management MAC
address. Prefer the whitelist: with none authentication, any unconfigured
switch cabled to a fabric port can join the SVF system, so if you use it
during a replacement, restore whitelist authentication as soon as the new
AS is online.
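The precautions above about VLAN 1 and about keeping the management VLAN apart from tunnel-forwarded service VLANs, together with the pattern the configuration files at the end of the previous example follow (DHCP snooping enabled on every user VLAN a switch assigns addresses in, and the user-bind checks present in every VAP profile), can be checked mechanically before a configuration is committed. The following Python script is an added example, not part of the original document and not a Huawei tool: it walks a VRP-style configuration text stanza by stanza and returns a list of findings. The sample configuration is a constructed, abridged copy of the AGG1 configuration file above; the checks encode only what this chapter states and assume the command spellings shown there.

```python
"""Audit a VRP-style configuration against this chapter's precautions: VLAN 1
pruned from every trunk, no trunk carrying all VLANs, DHCP snooping on every
user VLAN the switch assigns addresses in, the tunnel-forwarded VAP service
VLAN kept apart from the AP management VLAN, and the user-bind checks present
in every VAP profile."""
import re

# Constructed sample: an abridged copy of the AGG1 configuration file above.
AGG1_CONFIG = """\
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
interface Vlanif20
 dhcp select interface
interface Vlanif30
 dhcp select interface
interface Vlanif50
 dhcp select interface
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
#
return
"""

VLAN_RE = re.compile(r"^vlan (\d+)$")
VLANIF_RE = re.compile(r"^interface Vlanif(\d+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
VAP_RE = re.compile(r"^vap-profile name (\S+)$")
CAPWAP_RE = re.compile(r"^capwap source interface vlanif(\d+)$", re.I)
SERVICE_VLAN_RE = re.compile(r"^service-vlan vlan-id (\d+)$")
# Lines this example puts in every tunnel-forwarded VAP profile.
REQUIRED_VAP_LINES = ("ip source check user-bind enable",
                      "arp anti-attack check user-bind enable",
                      "learn-client-address dhcp-strict")


def parse(config):
    """One pass over the config, remembering which stanza each line is in."""
    f = {"snooped": set(), "served": set(), "ifaces": {}, "vaps": {}, "mgmt": None}
    ctx = None  # ("vlan", id) | ("vlanif", id) | ("iface", name) | ("vap", name)
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line == "#":
            ctx = None
        elif m := VLAN_RE.match(line):
            ctx = ("vlan", int(m[1]))
        elif m := VLANIF_RE.match(line):
            ctx = ("vlanif", int(m[1]))
        elif m := IFACE_RE.match(line):
            ctx = ("iface", m[1])
            f["ifaces"][m[1]] = []
        elif m := VAP_RE.match(line):
            ctx = ("vap", m[1])
            f["vaps"][m[1]] = []
        elif m := CAPWAP_RE.match(line):
            f["mgmt"] = int(m[1])  # the AP management VLAN (CAPWAP source)
        elif ctx and ctx[0] == "vlan" and line == "dhcp snooping enable":
            f["snooped"].add(ctx[1])
        elif ctx and ctx[0] == "vlanif" and line == "dhcp select interface":
            f["served"].add(ctx[1])  # this switch is the DHCP server for the VLAN
        elif ctx and ctx[0] in ("iface", "vap"):
            f[ctx[0] + "s"][ctx[1]].append(line)
    return f


def audit(config):
    """Return a list of findings; an empty list means the config passes."""
    f, findings = parse(config), []
    for name, lines in f["ifaces"].items():
        if "port link-type trunk" in lines:
            if "undo port trunk allow-pass vlan 1" not in lines:
                findings.append(f"{name}: VLAN 1 is still allowed on the trunk")
            if any(l.startswith("port trunk allow-pass vlan all") for l in lines):
                findings.append(f"{name}: trunk transparently transmits all VLANs")
    for vlan in sorted(f["served"] - {f["mgmt"]}):  # user VLANs, not the AP VLAN
        if vlan not in f["snooped"]:
            findings.append(f"VLAN {vlan}: addresses assigned here but DHCP snooping is off")
    for name, lines in f["vaps"].items():
        svc = [int(m[1]) for l in lines if (m := SERVICE_VLAN_RE.match(l))]
        if "forward-mode tunnel" in lines and f["mgmt"] in svc:
            findings.append(f"{name}: tunnel-forwarded service VLAN {f['mgmt']} is the management VLAN")
        for req in REQUIRED_VAP_LINES:
            if req not in lines:
                findings.append(f"{name}: missing '{req}'")
    return findings


if __name__ == "__main__":
    print(audit(AGG1_CONFIG) or "no findings")
```

Feed the script the text of `display current-configuration` from each switch; the sample above passes, and each finding names the interface, VLAN or VAP profile to correct.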

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD on the switches.

For details, see 3.4 Typical CSS and Stack Deployment.

Step 2 Configure interfaces and VLANs on CORE.

# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.

# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit

# Create VLANIF 20 for wireless management and configure CORE to assign IP
addresses to APs from the interface address pool.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-Vlanif20] dhcp select interface
[CORE-Vlanif20] dhcp server option 43 ip-address 192.168.20.1 //Configure the parent to send its IP
address to ASs so that ASs establish CAPWAP links with only the specified IP address.
[CORE-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit
[CORE] quit

Step 4 Configure CORE as the parent to set up an SVF system with level-1 and level-2
ASs.
# Activate the license of the SVF system.
<CORE> license active xxxxxx.dat

# Set the STP mode to STP or RSTP.
<CORE> system-view
[CORE] stp mode rstp

# Configure the source interface of the CAPWAP tunnel.
[CORE] capwap source interface vlanif 20

# (Optional) Preconfigure the names of ASs. The MAC addresses specified in the
following commands are the management MAC addresses of the ASs.

● If you do not perform this step, the system will generate AS information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you perform this step, ensure that the configured model and mac-address are the
same as the actual AS information. The value of mac-address must be the management
or system MAC address of an AS. To view the management MAC address of an AS, run
the display as access configuration command on the AS. If the management MAC
address is displayed as --, set mac-address to the system MAC address when
configuring the AS name. If the parameter settings are different from the actual AS
information, the AS cannot go online.
● The model keyword must be the actual model of the AS. The commands below and the
display as all output later in this step show S5720 models, whereas the device table for
this example lists S5731-H aggregation switches and S5735-L access switches; use the
model string of the switches you actually deploy.
[CORE] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y
[CORE-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011 //Level-1 AS
[CORE-um-as-as-layer1-1] quit
[CORE-um] as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022 //Level-1 AS
[CORE-um-as-as-layer1-2] quit
[CORE-um] as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033 //Level-2 AS
[CORE-um-as-as-layer2-1] quit
[CORE-um] as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044 //Level-2 AS
[CORE-um-as-as-layer2-2] quit

# Configure fabric ports that connect the parent to level-1 ASs.

[CORE-um] interface fabric-port 1
[CORE-um-fabric-port-1] port member-group interface Eth-Trunk 10
[CORE-um-fabric-port-1] quit
[CORE-um] quit
[CORE] interface xgigabitEthernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitEthernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
[CORE] uni-mng
[CORE-um] interface fabric-port 2
[CORE-um-fabric-port-2] port member-group interface Eth-Trunk 20
[CORE-um-fabric-port-2] quit
[CORE-um] quit
[CORE] interface xgigabitEthernet 1/1/0/2
[CORE-XGigabitEthernet1/1/0/2] eth-trunk 20
[CORE-XGigabitEthernet1/1/0/2] quit
[CORE] interface xgigabitEthernet 2/1/0/1
[CORE-XGigabitEthernet2/1/0/1] eth-trunk 20
[CORE-XGigabitEthernet2/1/0/1] quit

# Configure fabric ports that connect level-1 ASs to level-2 ASs.
[CORE] uni-mng
[CORE-um] as name as-layer1-1
[CORE-um-as-as-layer1-1] down-direction fabric-port 3 member-group interface Eth-Trunk 30
[CORE-um-as-as-layer1-1] port Eth-Trunk 30 trunkmember interface GigabitEthernet 0/0/3
[CORE-um-as-as-layer1-1] quit
[CORE-um] as name as-layer1-2
[CORE-um-as-as-layer1-2] down-direction fabric-port 4 member-group interface Eth-Trunk 40
[CORE-um-as-as-layer1-2] port Eth-Trunk 40 trunkmember interface GigabitEthernet 0/0/3
[CORE-um-as-as-layer1-2] quit
[CORE-um] quit

# Configure whitelist authentication for ASs to connect to the SVF system. The
undo auth-mode command restores the default authentication mode, which is
whitelist authentication.

To view the management MAC address of an AS, run the display as access configuration
command on the AS. If the management MAC address is displayed as --, the MAC address
configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC
address configured in the whitelist is the management MAC address of the AS.

For a given AS, the address in the whitelist, the mac-address preconfigured with the as
name command, and the MAC column of display as all must all be the same address. In
this example the as name commands use 00e0-0001-00xx while the whitelist and the
display as all output use 0200-0000-00xx; in a real deployment use the one management
(or system) MAC address of each AS in all three places.
[CORE] as-auth
[CORE-as-auth] undo auth-mode
[CORE-as-auth] whitelist mac-address 0200-0000-0011
[CORE-as-auth] whitelist mac-address 0200-0000-0022
[CORE-as-auth] whitelist mac-address 0200-0000-0033
[CORE-as-auth] whitelist mac-address 0200-0000-0044
[CORE-as-auth] quit

# Clear the configuration of AGG1 and restart AGG1. The SVF system can then be
set up. The configurations of AGG2, ACC1, and ACC2 are similar to the
configuration of AGG1.

Before restarting an AS, check whether the interface that connects the AS to the parent is a
downlink interface. To view all downlink interfaces on the AS, run the display port
connection-type access all command on the AS. If this interface is a downlink interface,
run the uni-mng up-direction fabric-port command in the user view on the AS to
configure this interface as a member interface of an uplink fabric port before restarting the
AS. Otherwise, the AS cannot go online. To check whether the interface has been
configured as a member interface of an uplink fabric port, run the display uni-mng up-
direction fabric-port command on the AS.

<AGG1> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
<AGG1> reboot

# After access switches are restarted successfully, you can view that ASs have gone
online on the parent.
[CORE] display as all
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5720-SI 0200-0000-0011 192.168.20.254 normal as-layer1-1
1 S5720-SI 0200-0000-0022 192.168.20.253 normal as-layer1-2
2 S5720-SI 0200-0000-0033 192.168.20.252 normal as-layer2-1
3 S5720-SI 0200-0000-0044 192.168.20.251 normal as-layer2-2
--------------------------------------------------------------------------------
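The parent only admits an AS whose management MAC address is in the whitelist, and only attaches it to a preconfigured name when the mac-address on the as name command matches the address the AS actually presents. The following Python script is an added example, not part of the original document and not a Huawei tool: it parses the three artefacts of this step (the as name commands, the whitelist commands and the display as all output) and reports every AS for which they disagree, plus any online AS that is unknown, unwhitelisted or not in the normal state. Run on the values printed in this example it reports eight findings, because the as name commands use 00e0-0001-00xx while the whitelist and the command output use 0200-0000-00xx; with the preconfigured addresses changed to the 0200-0000-00xx addresses it reports none. The sample strings are constructed copies of this section's commands and output; the column layout assumed for display as all is the one shown above.

```python
"""Cross-check the three places an AS identity appears in an SVF deployment:
the preconfigured `as name ... mac-address` entries, the as-auth whitelist,
and what `display as all` reports once the ASs are online."""
import re
from collections import namedtuple

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
PRECONFIG_RE = re.compile(rf"as name (\S+) model (\S+) mac-address ({MAC})", re.I)
WHITELIST_RE = re.compile(rf"whitelist mac-address ({MAC})", re.I)
# One data row of `display as all`: No. Type MAC IP State Name (layout as shown above).
AS_ROW_RE = re.compile(rf"^\s*(\d+)\s+(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I | re.M)

OnlineAS = namedtuple("OnlineAS", "no model mac ip state name")

# Constructed sample input, copied from the commands and output in this step.
PRECONFIG = """\
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
"""
WHITELIST = """\
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
"""
DISPLAY_AS_ALL = """\
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.   Type      MAC             IP              State     Name
--------------------------------------------------------------------------------
0     S5720-SI  0200-0000-0011  192.168.20.254  normal    as-layer1-1
1     S5720-SI  0200-0000-0022  192.168.20.253  normal    as-layer1-2
2     S5720-SI  0200-0000-0033  192.168.20.252  normal    as-layer2-1
3     S5720-SI  0200-0000-0044  192.168.20.251  normal    as-layer2-2
--------------------------------------------------------------------------------
"""


def parse_preconfig(text):
    """AS name -> (model, management MAC) from the `as name` commands."""
    return {m[1]: (m[2], m[3].lower()) for m in PRECONFIG_RE.finditer(text)}


def parse_whitelist(text):
    """Set of whitelisted MAC addresses."""
    return {m[1].lower() for m in WHITELIST_RE.finditer(text)}


def parse_display_as_all(text):
    """Rows of `display as all` as OnlineAS tuples (header and rules skipped)."""
    return [OnlineAS(int(m[1]), m[2], m[3].lower(), m[4], m[5], m[6])
            for m in AS_ROW_RE.finditer(text)]


def audit(preconfig, whitelist, online):
    """Return findings; an empty list means every AS is consistently identified."""
    findings, by_name = [], {a.name: a for a in online}
    for name, (_model, mac) in sorted(preconfig.items()):
        if mac not in whitelist:
            findings.append(f"{name}: preconfigured MAC {mac} is not in the as-auth whitelist")
        a = by_name.get(name)
        if a is None:
            findings.append(f"{name}: preconfigured but not reported by display as all")
        elif a.mac != mac:
            findings.append(f"{name}: online MAC {a.mac} differs from preconfigured {mac}")
    for a in online:
        if a.name not in preconfig:  # system-generated name: nobody preconfigured this AS
            findings.append(f"{a.name}: online AS {a.mac} has no preconfigured entry")
        if a.mac not in whitelist:  # only possible under none authentication
            findings.append(f"{a.name}: online MAC {a.mac} is not whitelisted")
        if a.state != "normal":
            findings.append(f"{a.name}: state is {a.state}")
    return findings


if __name__ == "__main__":
    for item in audit(parse_preconfig(PRECONFIG), parse_whitelist(WHITELIST),
                      parse_display_as_all(DISPLAY_AS_ALL)) or ["no findings"]:
        print(item)
```

The "not whitelisted" and "no preconfigured entry" checks are what you would run after a replacement done under none authentication: they show whether anything joined that you did not plan for before you switch the parent back to whitelist mode.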

# Configure an AS administrator profile and bind it to all ASs. The user name
and password in the profile are the credentials used to log in to the ASs, so
replace the sample password with one that meets your password policy.
[CORE] uni-mng
[CORE-um] as-admin-profile name admin_profile
[CORE-um-as-admin-admin_profile] user asuser password hello@123
[CORE-um-as-admin-admin_profile] quit
[CORE-um] as-group name admin_group
[CORE-um-as-group-admin_group] as name-include as
[CORE-um-as-group-admin_group] as-admin-profile admin_profile
[CORE-um-as-group-admin_group] quit

# Configure network basic profiles and bind them to interfaces of ASs.
[CORE-um] network-basic-profile name basic_profile_1
[CORE-um-net-basic-basic_profile_1] pass-vlan 50
[CORE-um-net-basic-basic_profile_1] quit
[CORE-um] network-basic-profile name basic_profile_2
[CORE-um-net-basic-basic_profile_2] pass-vlan 60
[CORE-um-net-basic-basic_profile_2] quit
[CORE-um] network-basic-profile name basic_profile_3
[CORE-um-net-basic-basic_profile_3] user-vlan 50
[CORE-um-net-basic-basic_profile_3] quit
[CORE-um] network-basic-profile name basic_profile_4
[CORE-um-net-basic-basic_profile_4] user-vlan 60
[CORE-um-net-basic-basic_profile_4] quit
[CORE-um] port-group name port_group_1
[CORE-um-portgroup-port_group_1] as name as-layer1-1 interface all
[CORE-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[CORE-um-portgroup-port_group_1] quit
[CORE-um] port-group name port_group_2
[CORE-um-portgroup-port_group_2] as name as-layer1-2 interface all
[CORE-um-portgroup-port_group_2] network-basic-profile basic_profile_2
[CORE-um-portgroup-port_group_2] quit
[CORE-um] port-group name port_group_3
[CORE-um-portgroup-port_group_3] as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_3] network-basic-profile basic_profile_3
[CORE-um-portgroup-port_group_3] quit
[CORE-um] port-group name port_group_4
[CORE-um-portgroup-port_group_4] as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_4] network-basic-profile basic_profile_4
[CORE-um-portgroup-port_group_4] quit

# Commit the configurations so that the configurations in service profiles can be
delivered to ASs.
[CORE-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y

# Run the display uni-mng commit-result profile command to check whether
the configurations in service profiles have been delivered to ASs successfully.
[CORE-um] display uni-mng commit-result profile
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute
Result
--------------------------------------------------------------------------------
as-layer1-1 2019-10-16 08:55:25 Success/Success
as-layer1-2 2019-10-16 08:55:25 Success/Success
as-layer2-1 2019-10-16 08:55:25 Success/Success
as-layer2-2 2019-10-16 08:55:25 Success/Success
--------------------------------------------------------------------------------

Step 5 Configure wireless services on CORE so that APs can go online.

# Run the port-group connect-ap name command to create an AP port group
and bind it to ASs so that APs can go online in the SVF system. Add the
interface the AP is actually cabled to, and keep that interface out of the user
port groups: the commands below use GigabitEthernet 0/0/3, whereas Table 3-11
and Figure 3-9 connect AP1 and AP2 to GigabitEthernet 0/0/4 and exclude that
interface from port_group_3 and port_group_4. Make the plan and the commands
agree before committing.
[CORE-um] port-group connect-ap name ap
[CORE-um-portgroup-ap-ap] as name as-layer2-1 interface GigabitEthernet 0/0/3
[CORE-um-portgroup-ap-ap] as name as-layer2-2 interface GigabitEthernet 0/0/3
[CORE-um-portgroup-ap-ap] quit
[CORE-um] commit as all
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
[CORE-um] quit

# Create an AP group to add APs with the same configurations to the AP group.
[CORE] wlan
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-wlan-view] regulatory-domain-profile name domain
[CORE-wlan-regulate-domain-domain] country-code cn
[CORE-wlan-regulate-domain-domain] quit
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-ap-group] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-wlan-ap-1] ap-name area_1
[CORE-wlan-ap-1] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-1] quit
[CORE-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-wlan-ap-2] ap-name area_2
[CORE-wlan-ap-2] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-2] quit
[CORE-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE to check
the AP running status. The command output shows that the State field displays
nor, indicating that the APs go online normally.

[CORE] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group 192.168.20.220 AP6050DN nor 0 14H:32M:47S -
2 ac85-3d95-d802 area_2 ap-group 192.168.20.163 AP6050DN nor 0 1M:40S -
----------------------------------------------------------------------------------------------------------

Step 6 Configure CORE so that STAs can go online.

# Configure WLAN service parameters.
[CORE] wlan
[CORE-wlan-view] security-profile name sec1
[CORE-wlan-sec-prof-sec1] quit
[CORE-wlan-view] ssid-profile name ssid1
[CORE-wlan-ssid-prof-ssid1] ssid test01
[CORE-wlan-ssid-prof-test01] quit
[CORE-wlan-view] traffic-profile name traff1
[CORE-wlan-traffic-prof-traff1] user-isolate l2
[CORE-wlan-traffic-prof-traff1] quit
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] ssid-profile name ssid2
[CORE-wlan-ssid-prof-ssid2] ssid test02
[CORE-wlan-ssid-prof-test02] quit
[CORE-wlan-view] traffic-profile name traff2
[CORE-wlan-traffic-prof-traff2] user-isolate l2
[CORE-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-wlan-vap-prof-vap1] security-profile sec1
[CORE-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
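The binding-based checks described in the note, as an added example that is not code from the Huawei document: a Python model of the DHCP snooping binding table and of the IPSG (ip source check user-bind) and DAI (arp anti-attack check user-bind) decisions the VAP profiles enable. The model is simplified (entries keyed by MAC and VLAN, matched on IP and ingress interface); the port names and STA-B's MAC are constructed, while STA-A's MAC and address are the ones shown in this section's display station output.

```python
"""Model of the binding-based checks enabled in the VAP profiles above (added example,
not Huawei code): DHCP snooping builds the binding table, 'ip source check user-bind'
(IPSG) and 'arp anti-attack check user-bind' (DAI) consult it. Simplified model:
entries are keyed by (MAC, VLAN) and must also match the ingress interface."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One user-bind entry; IPSG and DAI compare packet fields against these values."""
    mac: str
    ip: str
    vlan: int
    interface: str
    source: str  # "dhcp" for an entry learned by snooping, "static" for an operator-configured one


class BindingTable:
    """Binding table of a switch with 'dhcp snooping enable' on the service VLANs."""

    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted_ports = trusted_ports  # ports facing the legitimate DHCP server (here: the AC uplink)
        self.entries: Dict[Tuple[str, int], Binding] = {}
        self._pending: Dict[Tuple[str, int], str] = {}  # (MAC, VLAN) -> port the DHCP request came in on

    def note_client_request(self, client_port: str, vlan: int, mac: str) -> None:
        """Record the access port on which a DHCP DISCOVER/REQUEST from this client was seen."""
        self._pending[(mac, vlan)] = client_port

    def learn_dhcp_ack(self, ack_ingress: str, vlan: int, mac: str, ip: str) -> Optional[Binding]:
        """Create a dynamic binding from a DHCP ACK, but only if the ACK came from a trusted port."""
        if ack_ingress not in self.trusted_ports:
            return None  # server reply on an untrusted port: dropped, no binding is created
        client_port = self._pending.pop((mac, vlan), None)
        if client_port is None:
            return None  # no request seen for this client on this VLAN
        binding = Binding(mac, ip, vlan, client_port, "dhcp")
        self.entries[(mac, vlan)] = binding
        return binding

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> Binding:
        """Operator-configured entry for a user with a static IP address (the note's second bullet)."""
        binding = Binding(mac, ip, vlan, interface, "static")
        self.entries[(mac, vlan)] = binding
        return binding

    def matches(self, mac: str, ip: str, vlan: int, interface: str) -> bool:
        entry = self.entries.get((mac, vlan))
        return entry is not None and entry.ip == ip and entry.interface == interface


def ipsg_check(table: BindingTable, ingress: str, vlan: int, src_mac: str, src_ip: str) -> str:
    """'ip source check user-bind enable': forward an IP packet only if its source fields match a binding."""
    return "forward" if table.matches(src_mac, src_ip, vlan, ingress) else "drop"


def dai_check(table: BindingTable, ingress: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
    """'arp anti-attack check user-bind enable': the same test applied to the ARP sender fields."""
    return "forward" if table.matches(sender_mac, sender_ip, vlan, ingress) else "drop"


def run_demo() -> Dict[str, str]:
    """Walk through the cases the note describes on VLAN 30 (service VLAN of vap1)."""
    # Constructed ports: 'uplink' carries traffic from the AC/DHCP server, 'sta-a'/'sta-b' face STAs.
    table = BindingTable(trusted_ports={"uplink"})
    results: Dict[str, str] = {}

    # STA-A (MAC and address as in this section's 'display station' output) obtains its
    # address via DHCP: request on sta-a, ACK from the trusted uplink -> dynamic binding.
    table.note_client_request("sta-a", 30, "20ab-3720-e34a")
    table.learn_dhcp_ack("uplink", 30, "20ab-3720-e34a", "172.16.30.180")
    results["dhcp_user"] = ipsg_check(table, "sta-a", 30, "20ab-3720-e34a", "172.16.30.180")
    # The same MAC sending from another source IP does not match its binding.
    results["other_src_ip"] = ipsg_check(table, "sta-a", 30, "20ab-3720-e34a", "172.16.30.99")
    # An ARP packet whose sender IP is the gateway (172.16.30.1) but whose sender MAC is STA-A's
    # fails DAI; this is how the profile keeps a STA from being accepted as the gateway.
    results["arp_gateway_mismatch"] = dai_check(table, "sta-a", 30, "20ab-3720-e34a", "172.16.30.1")

    # STA-B (constructed MAC) receives a DHCP ACK that arrives on an access port: ignored.
    table.note_client_request("sta-b", 30, "0200-0000-00bb")
    results["ack_on_untrusted_port"] = "learned" if table.learn_dhcp_ack(
        "sta-b", 30, "0200-0000-00bb", "172.16.30.50") else "ignored"
    # STA-B then uses a static address. With learn-client-address dhcp-strict there is no
    # dynamic entry for it, so it is dropped until a static binding is configured.
    results["static_user_before"] = ipsg_check(table, "sta-b", 30, "0200-0000-00bb", "172.16.30.50")
    table.add_static("0200-0000-00bb", "172.16.30.50", 30, "sta-b")
    results["static_user_after"] = ipsg_check(table, "sta-b", 30, "0200-0000-00bb", "172.16.30.50")
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:24s} {verdict}")
```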

# Bind VAP profiles to the AP group.
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] vap-profile vap1 wlan 1 radio 0
[CORE-wlan-ap-group-ap-group] vap-profile vap2 wlan 2 radio 0
[CORE-wlan-ap-group-ap-group] vap-profile vap1 wlan 1 radio 1
[CORE-wlan-ap-group-ap-group] vap-profile vap2 wlan 2 radio 1
[CORE-wlan-ap-group-ap-group] quit
[CORE-wlan-view] quit

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.
Verification Method
● Run the following command on CORE. The command output shows that ASs
and APs have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :6
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 5 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
162 192.168.20.163 ac85-3d95-d802 DHCP 82322 Used
219 192.168.20.220 ac85-3d95-d801 DHCP 77430 Used
250 192.168.20.251 0200-0000-0044 DHCP 80403 Used
251 192.168.20.252 0200-0000-0033 DHCP 79523 Used
252 192.168.20.253 0200-0000-0022 DHCP 79893 Used
253 192.168.20.254 0200-0000-0011 DHCP 80002 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command outputs show that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
202 172.16.50.203 0300-0000-0011 DHCP 75074 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
132 172.16.60.133 0300-0000-0022 DHCP 85899 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.

# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE.
[CORE] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
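A check a practitioner can run on the lease listings above, as an added example that is not from the Huawei document: parse the Used leases of the management VLAN pool and compare each client MAC against the AS whitelist and AP MACs configured earlier in this section, so that a lease held on VLAN 20 by a device outside the plan is reported and a planned device without a lease is flagged as not online. The sample output is copied from the vlanif20 listing with one constructed extra lease (index 254, MAC 0200-0000-0099); the parser is my own.

```python
"""Audit the 'display ip pool interface vlanif20 used' lease list against the planned devices
(added example, not Huawei code). On the SVF management VLAN only ASs and APs should hold leases."""
import re
from typing import Dict, List, Set

# Lease rows from the verification output above, plus one constructed row (index 254)
# for a device that is not part of the plan.
SAMPLE_POOL_OUTPUT = """\
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
162 192.168.20.163 ac85-3d95-d802 DHCP 82322 Used
219 192.168.20.220 ac85-3d95-d801 DHCP 77430 Used
250 192.168.20.251 0200-0000-0044 DHCP 80403 Used
251 192.168.20.252 0200-0000-0033 DHCP 79523 Used
252 192.168.20.253 0200-0000-0022 DHCP 79893 Used
253 192.168.20.254 0200-0000-0011 DHCP 80002 Used
254 192.168.20.77 0200-0000-0099 DHCP 86000 Used
-------------------------------------------------------------------------------------
"""

# Planned devices on VLAN 20: the as-auth whitelist and the ap-id commands in this section.
AS_WHITELIST: Set[str] = {"0200-0000-0011", "0200-0000-0022", "0200-0000-0033", "0200-0000-0044"}
AP_MACS: Set[str] = {"ac85-3d95-d801", "ac85-3d95-d802"}

# One lease row: Index, IP, Client-ID (Huawei xxxx-xxxx-xxxx MAC form), Type, Left, Status.
LEASE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<type>\S+)\s+"
    r"(?P<left>\d+)\s+(?P<status>\S+)\s*$",
    re.IGNORECASE,
)


def parse_leases(output: str) -> List[Dict[str, str]]:
    """Extract lease rows; header, separator and statistics lines do not match and are skipped."""
    leases: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = LEASE_RE.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            leases.append(row)
    return leases


def classify_leases(leases: List[Dict[str, str]], as_macs: Set[str], ap_macs: Set[str]) -> Dict[str, List[str]]:
    """Bucket each lease by the role its client MAC was planned for; 'unknown' is the finding."""
    buckets: Dict[str, List[str]] = {"as": [], "ap": [], "unknown": []}
    for row in leases:
        if row["mac"] in as_macs:
            buckets["as"].append(row["ip"])
        elif row["mac"] in ap_macs:
            buckets["ap"].append(row["ip"])
        else:
            buckets["unknown"].append(f'{row["ip"]} ({row["mac"]})')
    return buckets


def missing_devices(leases: List[Dict[str, str]], expected: Set[str]) -> Set[str]:
    """Planned MACs that hold no lease: an AS or AP that has not come online."""
    return expected - {row["mac"] for row in leases}


if __name__ == "__main__":
    rows = parse_leases(SAMPLE_POOL_OUTPUT)
    print(classify_leases(rows, AS_WHITELIST, AP_MACS))
    print("not online:", missing_devices(rows, AS_WHITELIST | AP_MACS))
```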

Configuration Files
# CORE configuration file
#
sysname CORE
#

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 68


Campus Networks Typical Configuration Examples 3 Campus Network Connectivity Deployment

vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.20.1
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
dhcp select interface
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
interface Eth-Trunk20
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
ssid-profile name default
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
return

3.8 Native AC + SVF Solution: Parents Containing Aggregation Switches Function as Gateways for Wired and Wireless Users

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth. In addition, aggregation switches
are configured with the native AC function to manage APs and transmit wireless
service traffic on the entire network, implementing wired and wireless
convergence.
There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Aggregation and access
switches set up SVF systems. In such an SVF system, the stack of aggregation
switches functions as the parent, and access switches function as ASs. The parent
manages and configures ASs in a unified manner.
In this example, aggregation switches set up stacks that function as gateways for
wired and wireless users on the entire network and are responsible for routing and
forwarding of user services.

Figure 3-10 Native AC + SVF solution: parents containing aggregation switches functioning as gateways for wired and wireless users

[Figure: topology diagram. Core layer: CORE (CSS), with the server zone (including RADIUS and DNS servers) attached on XGE1/2/0/1. Aggregation layer: parent stacks AGG1 and AGG2, connected to CORE over Eth-Trunk 10 and Eth-Trunk 20 respectively (member ports XGE0/0/1 and XGE1/0/1 on each stack). Access layer: level-1 ASs ACC1 (as-layer1-1) and ACC2 (as-layer1-2), connected to their parents over Eth-Trunk 30 and Eth-Trunk 40 (GE0/0/3 and GE1/0/3 on the parent, GE0/0/1 and GE0/0/2 on the AS). Each AS connects a PC on GE0/0/3 and an AP on GE0/0/4 (PC1 and AP1 on ACC1, PC2 and AP2 on ACC2).]

Device Requirements and Versions

Location           Device Requirement                                     Device Used in This Example   Version Used in This Example
-----------------------------------------------------------------------------------------------------------------------------------
Core layer         -                                                      S12700E                       V200R019C10
Aggregation layer  ● Modular switches that are configured with X series   S5731-H
                     cards and can function as parents
                   ● Layer 3 fixed switches that support the native AC
                     function and can function as parents, such as
                     S5731-H switches
Access layer       Fixed switches that can function as ASs                S5735-L
AP                 -                                                      AP6050DN                      V200R019C00
-----------------------------------------------------------------------------------------------------------------------------------

Deployment Roadmap

Step  Deployment Roadmap                                                    Devices Involved
---------------------------------------------------------------------------------------------------------------
1     Configure CSS, stacking, and MAD on switches.                         Core and aggregation switches
2     Configure interfaces and VLANs on switches to implement Layer 2        Core, aggregation, and access switches
      communication.
3     Configure VLANIF interfaces on switches and assign IP addresses to     Core and aggregation switches
      the VLANIF interfaces.
3     Configure DHCP on switches so that the switches function as DHCP       Aggregation switches
      servers to assign IP addresses to wired and wireless users.
4     Configure routing on switches to implement Layer 3 communication.      Core and aggregation switches
5     Configure stacks of aggregation switches as parents to set up SVF      Aggregation switches
      systems with level-1 ASs.
6     Configure wireless services on switches so that APs and STAs can go    Aggregation switches
      online.
---------------------------------------------------------------------------------------------------------------

Data Plan

Table 3-12 Service data plan for core switches

Item                                             VLAN ID     Network Segment
----------------------------------------------------------------------------------
Network segment for communication with AGG1      VLAN 70     172.16.70.1/24
Network segment for communication with AGG2      VLAN 80     172.16.80.1/24
Network segment for communication with servers   VLAN 1000   192.168.11.254/24
----------------------------------------------------------------------------------

Table 3-13 Service data plan for aggregation switches

Device   Item                                           VLAN ID   Network Segment
-------------------------------------------------------------------------------------
AGG1     Management VLAN for APs                        VLAN 20   192.168.20.0/24
         Service VLANs for wireless users               VLAN 30   172.16.30.0/24
                                                        VLAN 31   172.16.31.0/24
         Service VLAN for wired users                   VLAN 50   172.16.50.0/24
         Network segment for communication with CORE    VLAN 70   172.16.70.2/24
AGG2     Management VLAN for APs                        VLAN 21   192.168.21.0/24
         Service VLANs for wireless users               VLAN 40   172.16.40.0/24
                                                        VLAN 41   172.16.41.0/24
         Service VLAN for wired users                   VLAN 60   172.16.60.0/24
         Network segment for communication with CORE    VLAN 80   172.16.80.2/24
-------------------------------------------------------------------------------------

Table 3-14 Wireless service data plan for aggregation switches

Item                        AGG1 Data                                        AGG2 Data
-----------------------------------------------------------------------------------------------------
Traffic profile             traff: The user isolation mode is Layer 2 isolation and Layer 3
                            communication. (same on AGG1 and AGG2)
Security profiles           ● Employee: sec1
                            ● Guest: sec2 (same on AGG1 and AGG2)
SSID profiles               ● Employee: ssid1
                            ● Guest: ssid2 (same on AGG1 and AGG2)
AP group                    ap-group1                                        ap-group2
Regulatory domain profile   domain1                                          domain2
VAP profiles                ● Employee: vap1
                            ● Guest: vap2
                            ● Data forwarding mode: tunnel forwarding (same on AGG1 and AGG2)
-----------------------------------------------------------------------------------------------------

Table 3-15 Data plan for the SVF system containing AGG1 and ACC1

Item                                            Data
--------------------------------------------------------------------------------------------------------
Parent                                          AGG1
MAC address of the AS and AP                    as-layer1-1 (ACC1): 00e0-0001-0033
Management VLAN of the SVF system               VLAN 20
IP address of the management VLANIF interface   192.168.20.1/24
Parent's interface connected to as-layer1-1     GE0/0/3
                                                Add the interface to Eth-Trunk 30 and bind it to fabric port 1.
as-layer1-1's interface connected to AP1        GE0/0/4
                                                Add the interface to an AP port group.
AS authentication mode                          Whitelist authentication
Service configuration of an AS administrator    Administrator profile admin_profile1, in which the administrator
profile                                         user name and password are configured
                                                AS group admin_group1, which includes all ASs
                                                Bind the administrator profile admin_profile1 to the AS group
                                                admin_group1.
Service configuration of an AS network basic    Network basic profile basic_profile_1, in which VLAN 50 is
profile                                         configured as the VLAN from which packets are allowed to pass
                                                through
                                                Port group port_group_1, which includes all downlink interfaces
                                                (except GigabitEthernet 0/0/4 connected to an AP) of as-layer1-1
                                                Bind network basic profile basic_profile_1 to port group
                                                port_group_1.
--------------------------------------------------------------------------------------------------------

Table 3-16 Data plan for the SVF system containing AGG2 and ACC2

Item                                            Data
--------------------------------------------------------------------------------------------------------
Parent                                          AGG2
MAC address of the AS and AP                    as-layer1-2 (ACC2): 00e0-0001-0044
Management VLAN of the SVF system               VLAN 21
IP address of the management VLANIF interface   192.168.21.1/24
Parent's interface connected to as-layer1-2     GE0/0/3
                                                Add the interface to Eth-Trunk 40 and bind it to fabric port 2.
as-layer1-2's interface connected to AP2        GE0/0/4
                                                Add the interface to an AP port group.
AS authentication mode                          Whitelist authentication
Service configuration of an AS administrator    Administrator profile admin_profile2, in which the administrator
profile                                         user name and password are configured
                                                AS group admin_group2, which includes all ASs
                                                Bind the administrator profile admin_profile2 to the AS group
                                                admin_group2.
Service configuration of an AS network basic    Network basic profile basic_profile_2, in which VLAN 60 is
profile                                         configured as the VLAN from which packets are allowed to pass
                                                through
                                                Port group port_group_2, which includes all downlink interfaces
                                                (except GigabitEthernet 0/0/4 connected to an AP) of as-layer1-2
                                                Bind network basic profile basic_profile_2 to port group
                                                port_group_2.
--------------------------------------------------------------------------------------------------------

Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● When an AS goes online, it must be unconfigured (has no startup
configuration file) and has no input on the console interface. Before
connecting an AS to an SVF system, you are advised to remove the cable on
the console interface.
● Each AS can be a stack of up to five member devices that are the same model
and provide the same number or different numbers of interfaces. An AS can
be a stack of devices of the same series but different models. In such an AS,
you can run the slot command to change the preconfigured device model.
● Each AS has a unique management MAC address. By default, the device MAC
address is used as the management MAC address. You can view the MAC
address on the MAC address label attached to the device or run the as access
manage-mac command to specify the management MAC address of the AS.
● If an AS is a stack, its name and MAC address have been preconfigured on the
parent of an SVF system, and the AS goes online and is connected to the SVF
system, you are advised to set up the stack for the AS and configure the
preconfigured MAC address as the management MAC address. When
preconfiguring the name and MAC address of the AS, configure the MAC
address of the stack master switch as the MAC address. In this case, the
management MAC address of the AS is the same as the preconfigured MAC
address by default, and no management MAC address needs to be configured.
If you configure the name and MAC address of the AS after it goes online and
is connected to the SVF system, the management MAC address does not need
to be configured.
● If switches whose downlink service interfaces can be configured as stack
member interfaces set up a stack through these interfaces, the switches
cannot join an SVF system as ASs.
● If downlink service interfaces of an AS are configured as member interfaces of
an uplink fabric port, all the downlink interfaces of the AS cannot be
configured as stack member interfaces.
● When replacing a faulty AS, pay attention to the following points:
– The AS can be replaced with only a device of the same model. If the new
device is of a different model, it joins the SVF system as a new AS and
does not inherit services of the replaced AS.
– Only a standalone AS can be replaced. If an AS is a stack, it cannot be
replaced.
– To ensure that a new AS that replaces the faulty AS can be successfully
authenticated, run the auth-mode none command to set the AS
authentication mode to none authentication, or run the whitelist mac-address
command to add the management MAC address of the new AS
to the whitelist. If the new AS has no management MAC address
configured, the system MAC address is used as the management MAC
address.

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000

# Create Eth-Trunk 10 for connecting to AGG1 and add interfaces to the Eth-Trunk.
The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitEthernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitEthernet 1/0/1
[AGG1-XGigabitEthernet1/0/1] eth-trunk 10
[AGG1-XGigabitEthernet1/0/1] quit

Step 4 Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF
interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit

Step 5 Configure VLANIF interfaces on AGG1 and assign IP addresses to the VLANIF interfaces. The configuration on AGG2 is similar.
# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create VLANIF 20 for wireless management and configure AGG1 to assign an IP address to AP1 from the interface address pool.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG1-Vlanif20] dhcp select interface
[AGG1-Vlanif20] dhcp server option 43 ip-address 192.168.20.1 //Configure the parent to send its IP address to the AS so that the AS establishes a CAPWAP link with only the specified IP address.
[AGG1-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and
configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif31] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif50] quit

Step 7 Configure routing on core and aggregation switches to implement Layer 3 communication. You can configure a routing protocol based on actual requirements. In this example, OSPF is used.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255 //Advertise the VLANIF 30 and VLANIF 31 segments; each network statement must match the subnet of the corresponding VLANIF address.
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] quit
[AGG1] quit
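A network statement that does not match the address of any VLANIF silently leaves that segment out of OSPF, and the switch does not warn about it. As an added check (not part of this Huawei document and not a VRP feature), the following Python script parses a VRP-style configuration file like the ones at the end of this section and reports VLANIFs that no network statement covers, together with network statements that match no VLANIF. The sample configuration is constructed for the example and deliberately contains one such mismatch.

```python
import ipaddress
import re

# Constructed VRP-style configuration modelled on the AGG1 example in this section.
# It is not the document's own file: the last network statement deliberately names
# 192.168.30.0 while VLANIF 30 is addressed from 172.16.30.0/24, so that subnet
# would never be advertised.
SAMPLE_CONFIG = """\
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
#
interface Vlanif70
 ip address 172.16.70.2 255.255.255.0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 172.16.50.0 0.0.0.255
  network 172.16.70.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
#
return
"""

IFACE_RE = re.compile(r"^\s*interface (Vlanif\d+)\s*$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
NET_RE = re.compile(r"^\s*network (\S+) (\S+)\s*$")


def parse_vlanif_addresses(config):
    """Return {'Vlanif30': '172.16.30.1', ...} for every VLANIF with an address."""
    addresses = {}
    current = None
    for line in config.splitlines():
        if line.startswith("#"):          # '#' closes the current stanza in VRP output
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current:
            addresses[current] = m.group(1)
    return addresses


def parse_ospf_networks(config):
    """Return [(network, wildcard), ...] from the network statements under 'ospf'."""
    networks = []
    in_ospf = False
    for line in config.splitlines():
        if line.startswith("#"):
            in_ospf = False
            continue
        if line.startswith("ospf "):
            in_ospf = True
            continue
        m = NET_RE.match(line)
        if m and in_ospf:
            networks.append((m.group(1), m.group(2)))
    return networks


def network_matches(ip, network, wildcard):
    """OSPF network-statement match: address bits where the wildcard is 0 must agree."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def uncovered_vlanifs(config):
    """VLANIFs whose address is matched by no OSPF network statement."""
    networks = parse_ospf_networks(config)
    return sorted(
        name for name, ip in parse_vlanif_addresses(config).items()
        if not any(network_matches(ip, net, wc) for net, wc in networks)
    )


def dangling_networks(config):
    """OSPF network statements that match no VLANIF address (typically typos)."""
    ips = list(parse_vlanif_addresses(config).values())
    return [f"{net} {wc}" for net, wc in parse_ospf_networks(config)
            if not any(network_matches(ip, net, wc) for ip in ips)]


if __name__ == "__main__":
    print("VLANIFs not advertised by OSPF:", uncovered_vlanifs(SAMPLE_CONFIG))
    print("network statements matching no VLANIF:", dangling_networks(SAMPLE_CONFIG))
```

Run it against the output of display current-configuration saved from each switch; a segment on the first list is reachable only from directly connected devices.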

Step 8 Configure AGG1 as the parent to set up an SVF system with an AS. The configuration on AGG2 is similar.
# Activate the license of the SVF system.
<AGG1> license active xxxxxx.dat

# Set the STP mode to STP or RSTP.
<AGG1> system-view
[AGG1] stp mode rstp

# Configure the source interface of the CAPWAP tunnel.
[AGG1] capwap source interface vlanif 20

# (Optional) Preconfigure the name of the AS. The MAC address specified in the following command is the management MAC address of the AS.

● If you do not perform this step, the system will generate AS information when the AS connects to the SVF system. An AS name is in the format of system default name-system MAC address.
● If you perform this step, ensure that the configured model and mac-address are the same as the actual AS information. The value of mac-address must be the management or system MAC address of an AS. To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, set mac-address to the system MAC address when configuring the AS name. If the parameter settings are different from the actual AS information, the AS cannot go online.
[AGG1] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue? [Y/N]:y
[AGG1-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
[AGG1-um-as-as-layer1-1] quit

# Configure a fabric port that connects the parent to the AS.
[AGG1-um] interface fabric-port 1
[AGG1-um-fabric-port-1] port member-group interface Eth-Trunk 30
[AGG1-um-fabric-port-1] quit
[AGG1-um] quit
[AGG1] interface gigabitEthernet 0/0/3
[AGG1-GigabitEthernet0/0/3] eth-trunk 30
[AGG1-GigabitEthernet0/0/3] quit

# Configure whitelist authentication for the AS to connect to the SVF system.

To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, the MAC address configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC address configured in the whitelist is the management MAC address of the AS.
[AGG1] as-auth
[AGG1-as-auth] undo auth-mode
[AGG1-as-auth] whitelist mac-address 00e0-0001-0033
[AGG1-as-auth] quit

# Clear the configuration of ACC1 and restart ACC1. The SVF system can then be set up. The configuration on ACC2 is similar.

Before restarting an AS, check whether the interface that connects the AS to the parent is a downlink interface. To view all downlink interfaces on the AS, run the display port connection-type access all command on the AS. If this interface is a downlink interface, run the uni-mng up-direction fabric-port command in the user view on the AS to configure this interface as a member interface of an uplink fabric port before restarting the AS. Otherwise, the AS cannot go online. To check whether the interface has been configured as a member interface of an uplink fabric port, run the display uni-mng up-direction fabric-port command on the AS.
<ACC1> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
<ACC1> reboot

# After the access switch is restarted successfully, you can view that the AS has gone online on the parent.
[AGG1] display as all
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5720-SI 00e0-0001-0033 192.168.20.66 normal as-layer1-1
--------------------------------------------------------------------------------

# Configure an AS administrator profile and bind it to the AS.
[AGG1] uni-mng
[AGG1-um] as-admin-profile name admin_profile1
[AGG1-um-as-admin-admin_profile1] user asuser password hello@123
[AGG1-um-as-admin-admin_profile1] quit
[AGG1-um] as-group name admin_group1
[AGG1-um-as-group-admin_group1] as name-include as
[AGG1-um-as-group-admin_group1] as-admin-profile admin_profile1
[AGG1-um-as-group-admin_group1] quit

# Configure a network basic profile and bind it to interfaces of the AS.
[AGG1-um] network-basic-profile name basic_profile_1
[AGG1-um-net-basic-basic_profile_1] user-vlan 50
[AGG1-um-net-basic-basic_profile_1] quit
[AGG1-um] port-group name port_group_1
[AGG1-um-portgroup-port_group_1] as name as-layer1-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[AGG1-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[AGG1-um-portgroup-port_group_1] quit

# Commit the configurations so that the configurations in service profiles can be delivered to the AS.
[AGG1-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y

# Check whether the configurations in service profiles are successfully delivered to the AS.
[AGG1-um] display uni-mng commit-result profile
Result of profile:

--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as-layer1-1 2019-10-23 05:55:29 Success/Success
--------------------------------------------------------------------------------

Step 9 Configure wireless services on AGG1 so that AP1 can go online. The configuration on AGG2 is similar.
# Run the port-group connect-ap name command to create an AP port group and bind it to the AS so that APs can go online in the SVF system.
[AGG1] uni-mng
[AGG1-um] port-group connect-ap name ap
[AGG1-um-portgroup-ap-ap] as name as-layer1-1 interface GigabitEthernet 0/0/3
[AGG1-um-portgroup-ap-ap] quit
[AGG1-um] commit as all
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
[AGG1-um] quit

# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[AGG1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG1 to check the AP running status. The command output shows that the State field displays nor, indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.243 AP6050DN nor 0 43S -
------------------------------------------------------------------------------------------------------

Step 10 Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles, and a traffic profile.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and service VLANs, apply security profiles, SSID profiles, and the traffic profile, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG1-wlan-vap-prof-vap2] traffic-profile traff
[AGG1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
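The three VAP-profile commands and the note above all hinge on one table: binding entries filled from DHCP (or added by hand), against which IP packets and ARP messages from STAs are checked. As an added illustration, not the switch's implementation and not code from this document, the following Python model shows the effect on service VLAN 30: the STA MAC and address come from the verification output later in this section, the other MAC and the frames are constructed, and the static-binding parameter shows what the note asks for when a STA uses a static address.

```python
from dataclasses import dataclass

# Constructed model of the binding-based checks enabled in the VAP profile. It is not
# the device's logic and not from this document. The STA 20ab-3720-e34a/172.16.30.180
# appears in the section's verification output; aaaa-bbbb-0001 is made up.


@dataclass(frozen=True)
class Binding:
    """One binding entry: VLAN, MAC and IP of a host the switch trusts."""
    vlan: int
    mac: str
    ip: str


@dataclass
class Frame:
    """Minimal model of a frame received from a STA (IP packet or ARP message)."""
    vlan: int
    src_mac: str
    src_ip: str = ""        # IP header source address (IP frames only)
    proto: str = "ip"       # "ip" or "arp"
    arp_sender_mac: str = ""
    arp_sender_ip: str = ""


class BindingTable:
    """Binding entries as DHCP snooping (dynamic) and the operator (static) build them."""

    def __init__(self):
        self.entries = set()

    def learn_from_dhcp_ack(self, vlan, client_mac, assigned_ip):
        # learn-client-address dhcp-strict: a STA's address is learned from the DHCP
        # exchange only, so a STA that never completes DHCP gets no dynamic entry.
        self.entries.add(Binding(vlan, client_mac, assigned_ip))

    def add_static(self, vlan, mac, ip):
        # For STAs with static addresses the note above requires a manual static entry.
        self.entries.add(Binding(vlan, mac, ip))

    def has(self, vlan, mac, ip):
        return Binding(vlan, mac, ip) in self.entries


def check_frame(frame, table):
    """Return 'permit' or a drop reason, mirroring the IPSG and DAI lookups."""
    if frame.proto == "arp":
        # arp anti-attack check user-bind enable: ARP sender MAC/IP must be a bound pair.
        if not table.has(frame.vlan, frame.arp_sender_mac, frame.arp_sender_ip):
            return "drop: ARP sender MAC/IP not in binding table"
        return "permit"
    # ip source check user-bind enable: IP source MAC/IP must be a bound pair.
    if not table.has(frame.vlan, frame.src_mac, frame.src_ip):
        return "drop: IP source MAC/IP not in binding table"
    return "permit"


def run_scenario(static_bindings=()):
    """Check a fixed set of constructed frames on service VLAN 30 against the table."""
    table = BindingTable()
    table.learn_from_dhcp_ack(30, "20ab-3720-e34a", "172.16.30.180")
    for vlan, mac, ip in static_bindings:
        table.add_static(vlan, mac, ip)
    frames = [
        Frame(30, "20ab-3720-e34a", "172.16.30.180"),                 # leased address
        Frame(30, "20ab-3720-e34a", "172.16.30.1"),                   # gateway's address
        Frame(30, "aaaa-bbbb-0001", "172.16.30.50"),                  # static IP, no lease
        Frame(30, "aaaa-bbbb-0001", proto="arp",
              arp_sender_mac="aaaa-bbbb-0001", arp_sender_ip="172.16.30.180"),
        Frame(30, "20ab-3720-e34a", proto="arp",
              arp_sender_mac="20ab-3720-e34a", arp_sender_ip="172.16.30.180"),
    ]
    return [check_frame(f, table) for f in frames]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
    # With the static entry the note calls for, the statically addressed STA is permitted.
    print(run_scenario(static_bindings=[(30, "aaaa-bbbb-0001", "172.16.30.50")])[2])
```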

# Bind VAP profiles to the AP group.
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG1-wlan-ap-group-ap-group1] quit
[AGG1-wlan-view] quit

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.

Verification Method
The following uses AGG1 as an example. The verification method on AGG2 is similar.
● Run the following command on AGG1. The command output shows that an AP has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
65 192.168.20.66 000b-099d-eb3b DHCP 74620 Used
242 192.168.20.243 ac85-3da6-a420 DHCP 83235 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Run the following command on AGG1. The command output shows that a wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
231 172.16.50.232 001b-21c4-820f DHCP 82799 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=62 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
# After a wireless user connects to AP1, you can view information about the wireless user on AGG1.
[AGG1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 1 area_1 1/1 5G 11n 107/72 -58 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.20.1
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
as-auth
whitelist mac-address 00e0-0001-0033
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
interface fabric-port 1
port member-group interface Eth-Trunk 30
as-admin-profile name admin_profile1
user asuser password %^%#sq5k3X.(.$5$SNQ$c%lMO&+13%>0}:$k#+2rG-06%^%#
network-basic-profile name basic_profile_1
user-vlan 50
as-group name admin_group1
as-admin-profile admin_profile1
as name as-layer1-1
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group connect-ap name ap
as name as-layer1-1 interface GigabitEthernet 0/0/3
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.21.1
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 80
#
interface Eth-Trunk40
port link-type hybrid
port hybrid tagged vlan 1 21 60
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.21.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
whitelist mac-address 00e0-0001-0044
#
uni-mng
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 2
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile2
user asuser password %^%#3Ag*%O5C-!I90O"cF.vRg;LU'.]J02Uy7z>I:yhB%^%#
network-basic-profile name basic_profile_2
user-vlan 60
as-group name admin_group2
as-admin-profile admin_profile2
as name as-layer1-2
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group connect-ap name ap
as name as-layer1-2 interface GigabitEthernet 0/0/3
#
return

3.9 Standalone AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. A standalone AC is deployed in off-path mode. It functions as a gateway
to assign IP addresses to APs and centrally manages APs on the entire network.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
In this example, core switches set up a CSS that functions as the gateway for
wired and wireless users on the entire network and is responsible for routing and
forwarding of user services.

Figure 3-11 Core switches functioning as the gateway + standalone ACs

[Figure: the core layer is the CSS CORE, with CORE-AC1 and CORE-AC2 (linked by HSB over GE0/0/2) attached through Eth-Trunk 1 and Eth-Trunk 2, and the server zone (including RADIUS and DNS servers) attached via XGE1/2/0/1. The aggregation layer, AGG1 and AGG2, connects to CORE through Eth-Trunk 10 and Eth-Trunk 20 (XGE0/0/1 and XGE1/0/1 on each aggregation switch). The access layer, ACC1 and ACC2, connects to AGG1 and AGG2 through Eth-Trunk 30 and Eth-Trunk 40 (GE0/0/3 and GE1/0/3 on the aggregation switches, GE0/0/1 and GE0/0/2 on the access switches). PC1 and AP1 attach to ACC1, and PC2 and AP2 to ACC2, on GE0/0/3 and GE0/0/4.]

Device Requirements and Versions

Location           Device Requirement   Device Used in This Example   Version Used in This Example
Core layer         -                    S12700E                       V200R019C10
Aggregation layer  -                    S5731-H
Access layer       -                    S5735-L
AC                 -                    AC6605
AP                 -                    AP6050DN                      V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on the switches and ACs and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches and ACs
3 | Configure DHCP on the CSS and ACs so that the CSS functions as a DHCP server to assign IP addresses to wired and wireless users and the ACs function as DHCP servers to assign IP addresses to APs. | Core switches and ACs
4 | Configure VRRP and HSB on ACs. | ACs
5 | Configure wireless services on ACs so that APs and STAs can go online. | ACs
6 | Configure wireless configuration synchronization in the scenario where VRRP and HSB are configured. | ACs

Data Plan

Table 3-17 Service data plan for core switches

Item | VLAN ID | Network Segment
Service VLANs for wireless users (AP1) | VLAN 30 | 172.16.30.0/24
Service VLANs for wireless users (AP1) | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with CORE-ACs | VLAN 20 | 192.168.20.20/24
VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24


Table 3-18 Service data plan for CORE-ACs

Item | VLAN ID | Network Segment
Management VLAN for APs | VLAN 20 | 172.16.20.0/24
VLAN for communication between CORE-AC1 and CORE-AC2 | VLAN 100 | 172.16.100.0/24
VLAN for wireless configuration synchronization between CORE-AC1 and CORE-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24

Table 3-19 Wireless service data plan for CORE-ACs

Item | Data
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | test01, test02
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is direct forwarding.)
CAPWAP source interface and IP address (CORE-AC1) | VLANIF 20: 192.168.20.1/24
CAPWAP source interface and IP address (CORE-AC2) | VLANIF 20: 192.168.20.2/24

Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
may occur. If a VLAN is configured as both the management VLAN and
service VLAN, and the interface connecting a switch to an AP has the
management VLAN ID as the PVID, downstream packets in the service VLAN
are terminated when going out from the switch. In this case, services are
interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Service packets and management packets can be transmitted properly only if
the network between APs and the upper-layer network is added to the service
VLAN and the network between ACs and APs is added to the management
VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
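The VLAN and port precautions above can be verified mechanically before an access switch goes into service. The following Python script is an added example and is not part of the Huawei guide; it parses constructed VRP-style interface blocks (display format, no space between interface type and number) and assumes the ACC1 plan of this example: management VLAN 20, service VLANs 30 and 40, AP on GigabitEthernet0/0/4.

```python
"""Added example (not from the Huawei guide): audit VRP-style interface
configuration against the deployment precautions above: no trunk still allows
VLAN 1, the management VLAN is not reused as a service VLAN, an AP-facing port
carries the management VLAN as its PVID plus the service VLANs (direct
forwarding), and terminal-facing ports are isolated STP edge ports."""
import re

TRUNK_DEFAULT_VLANS = {1}  # a VRP trunk allows VLAN 1 until it is explicitly removed

def expand_vlans(spec):
    """Expand a VLAN list such as '20 30 40' or '4 to 24' into a set of ints."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_interfaces(config):
    """Return {interface name: attributes} from the interface blocks of a config."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            cur = {"link_type": None, "pvid": 1, "allowed": set(TRUNK_DEFAULT_VLANS),
                   "isolate": False, "edge": False}
            interfaces[match.group(1)] = cur
        elif cur is None or not line:
            continue
        elif line.startswith("port link-type "):
            cur["link_type"] = line.split()[-1]
        elif line.startswith(("port trunk pvid vlan ", "port default vlan ")):
            cur["pvid"] = int(line.split()[-1])
        elif line.startswith("undo port trunk allow-pass vlan "):
            cur["allowed"] -= expand_vlans(line.split("vlan", 1)[1])
        elif line.startswith("port trunk allow-pass vlan "):
            cur["allowed"] |= expand_vlans(line.split("vlan", 1)[1])
        elif line == "port-isolate enable":
            cur["isolate"] = True
        elif line == "stp edged-port enable":
            cur["edge"] = True
    return interfaces

def audit(config, mgmt_vlan, service_vlans, ap_ports):
    """Return a list of findings; an empty list means the precautions are met."""
    findings = []
    if mgmt_vlan in service_vlans:
        findings.append(f"management VLAN {mgmt_vlan} is also used as a service VLAN")
    for name, itf in parse_interfaces(config).items():
        if itf["link_type"] == "trunk" and 1 in itf["allowed"]:
            findings.append(f"{name}: trunk still allows VLAN 1")
        if name in ap_ports:
            if itf["pvid"] != mgmt_vlan:
                findings.append(f"{name}: AP port PVID {itf['pvid']} is not management VLAN {mgmt_vlan}")
            missing = (set(service_vlans) | {mgmt_vlan}) - itf["allowed"]
            if missing:
                findings.append(f"{name}: AP port does not allow VLAN(s) {sorted(missing)}")
            if not itf["edge"]:
                findings.append(f"{name}: terminal-facing port is not an STP edge port")
            if not itf["isolate"]:
                findings.append(f"{name}: terminal-facing port has no port isolation")
    return findings

# Constructed: ACC1-style downlinks written as the precautions require.
GOOD_CONFIG = """\
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 40 50
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 20
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 40
 port-isolate enable
 stp edged-port enable
"""

# Constructed: VLAN 1 left on both trunks, and the AP port using a service
# VLAN as its PVID with no isolation or edge-port setting.
WEAK_CONFIG = """\
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan 20 30 40 50
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 30
 port trunk allow-pass vlan 30 40
"""

MGMT_VLAN, SERVICE_VLANS, AP_PORTS = 20, {30, 40}, {"GigabitEthernet0/0/4"}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg, MGMT_VLAN, SERVICE_VLANS, AP_PORTS))
```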

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.

For details, see 3.4 Typical CSS and Stack Deployment.

Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.

# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Configure an Eth-Trunk interface for connecting to AGG1, which is a stack of
aggregation switches. The configuration of an Eth-Trunk interface for connecting
to AGG2 (also a stack of aggregation switches) is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description con to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] port trunk allow-pass vlan 20 30 40 50
[CORE-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to CORE-AC1 and add the physical
interfaces to the Eth-Trunk. The configuration of the Eth-Trunk interface for
connecting to CORE-AC2 is similar.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] description con to CORE-AC1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk1] port trunk allow-pass vlan 20
[CORE-Eth-Trunk1] quit
[CORE] interface xgigabitethernet 1/1/0/3
[CORE-XGigabitEthernet1/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet1/1/0/3] quit
[CORE] interface xgigabitethernet 2/1/0/3
[CORE-XGigabitEthernet2/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet2/1/0/3] quit

# Add the interface connected to the server zone to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 40 50

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 20 30 40 50
[AGG1-Eth-Trunk10] quit

# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 30 40 50
[AGG1-Eth-Trunk30] port-isolate enable
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 30 40 50

# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 30 40 50
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to a user PC and AP1, and configure
the interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type trunk
[ACC1-GigabitEthernet0/0/4] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/4] port trunk allow-pass vlan 20 30 40
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit

Step 5 Configure interfaces and VLANs on CORE-AC1. The configuration on CORE-AC2 is
similar.
# Configure a downlink interface for connecting to CORE.
<AC6605> system-view
[AC6605] sysname CORE-AC1
[CORE-AC1] vlan batch 20 100
[CORE-AC1] interface eth-trunk 1
[CORE-AC1-Eth-Trunk1] mode lacp
[CORE-AC1-Eth-Trunk1] port link-type trunk
[CORE-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[CORE-AC1-Eth-Trunk1] quit
[CORE-AC1] interface xgigabitethernet0/0/21
[CORE-AC1-XGigabitEthernet0/0/21] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/21] quit
[CORE-AC1] interface xgigabitethernet0/0/22
[CORE-AC1-XGigabitEthernet0/0/22] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/22] quit
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-AC1-Vlanif20] quit

# Configure an interface for connecting CORE-AC1 to CORE-AC2.
[CORE-AC1] interface gigabitethernet 0/0/2
[CORE-AC1-GigabitEthernet0/0/2] port link-type trunk
[CORE-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[CORE-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[CORE-AC1-GigabitEthernet0/0/2] quit
[CORE-AC1] interface vlanif 100
[CORE-AC1-Vlanif100] ip address 172.16.100.1 255.255.255.0
[CORE-AC1-Vlanif100] quit

Step 6 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif40] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif60] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.20 255.255.255.0
[CORE-Vlanif20] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit

Step 7 Configure DHCP on CORE-AC1 so that CORE-AC1 functions as a DHCP server to
assign IP addresses to APs. The configuration on CORE-AC2 is similar.
[CORE-AC1] dhcp enable
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] dhcp select interface
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[CORE-AC1-Vlanif20] quit

Step 8 Configure routes from CORE-AC1 to the network segments of wired users and the
server area. The configuration on CORE-AC2 is similar.
[CORE-AC1] ip route-static 0.0.0.0 0 192.168.20.20

Step 9 Configure VRRP and HSB on CORE-AC1. The configuration on CORE-AC2 is similar.

# Set the recovery delay of the VRRP group to 60 seconds.
[CORE-AC1] vrrp recover-delay 60

# Create a management VRRP group on CORE-AC1. Set the priority of CORE-AC1
in the VRRP group to 120 and set the preemption time to 1200 seconds.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[CORE-AC1-Vlanif20] vrrp vrid 1 priority 120
[CORE-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[CORE-AC1-Vlanif20] admin-vrrp vrid 1
[CORE-AC1-Vlanif20] quit

# Create HSB service 0 on CORE-AC1 and configure IP addresses and port
numbers for the HSB channel.
[CORE-AC1] hsb-service 0
[CORE-AC1-hsb-service-0] service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
[CORE-AC1-hsb-service-0] quit

# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit

# Bind the CORE-AC1 services to HSB group 0.
[CORE-AC1] hsb-service-type access-user hsb-group 0
[CORE-AC1] hsb-service-type ap hsb-group 0
[CORE-AC1] hsb-service-type dhcp hsb-group 0
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] hsb enable
[CORE-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on CORE-
AC1 and CORE-AC2. The command output shows that the State field of CORE-
AC1 displays Master and that of CORE-AC2 displays Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31
[CORE-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23

# Check the HSB service status on CORE-AC1 and CORE-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on CORE-AC1 and CORE-AC2 to check
the service status of HSB group 0.
[CORE-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[CORE-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
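The display vrrp and display hsb-service checks in this step can be scripted into a health check for the AC pair. The following Python script is an added example, not code from the Huawei guide; it parses constructed output modelled on the CORE-AC1 and CORE-AC2 output above and also flags the dual-master condition that the guide's output does not show.

```python
"""Added example (not from the Huawei guide): parse the field/value output of
display vrrp and display hsb-service from both ACs and confirm the pair is
healthy: exactly one Master and one Backup that agree on the virtual IP and
Master IP, and an HSB channel that is Connected on both sides with mirrored
local/peer addresses and ports. All outputs below are constructed, modelled on
the CORE-AC1/CORE-AC2 output above."""

def parse_fields(text):
    """Turn 'Field : value' lines into a dict (the first colon splits; rule and
    banner lines without a colon are ignored)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_pair(vrrp_outputs, hsb_outputs):
    """vrrp_outputs/hsb_outputs map AC name -> raw command output of that AC.
    Returns a list of problems; an empty list means the pair looks healthy."""
    problems = []
    vrrp = {ac: parse_fields(out) for ac, out in vrrp_outputs.items()}
    hsb = {ac: parse_fields(out) for ac, out in hsb_outputs.items()}

    states = {ac: f.get("State") for ac, f in vrrp.items()}
    if sorted(str(s) for s in states.values()) != ["Backup", "Master"]:
        problems.append(f"expected one Master and one Backup, got {states}")
    for field in ("Virtual IP", "Master IP"):   # both ACs must agree on these
        values = {f.get(field) for f in vrrp.values()}
        if len(values) != 1:
            problems.append(f"{field} differs between ACs: {sorted(map(str, values))}")

    for ac, f in hsb.items():
        if f.get("Service State") != "Connected":
            problems.append(f"{ac}: HSB channel is {f.get('Service State')}, not Connected")
    (a_name, a), (b_name, b) = hsb.items()   # exactly two ACs in an HSB pair
    if (a["Local IP Address"], a["Peer IP Address"]) != (b["Peer IP Address"], b["Local IP Address"]):
        problems.append(f"{a_name}/{b_name}: HSB local/peer addresses are not mirrored")
    if (a["Source Port"], a["Destination Port"]) != (b["Destination Port"], b["Source Port"]):
        problems.append(f"{a_name}/{b_name}: HSB data ports are not mirrored")
    return problems

# Constructed: trimmed display vrrp output from each AC.
VRRP_OK = {
    "CORE-AC1": """\
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
Preempt : YES Delay Time : 1200 s
""",
    "CORE-AC2": """\
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
Preempt : YES Delay Time : 0 s
""",
}

# Constructed: trimmed display hsb-service 0 output from each AC.
HSB_OK = {
    "CORE-AC1": """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Service State : Connected
""",
    "CORE-AC2": """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Service State : Connected
""",
}

# Constructed failure case: both ACs claim Master, each naming its own address
# as Master IP (what a lost VRRP advertisement on VLAN 20 would look like).
VRRP_SPLIT = dict(VRRP_OK)
VRRP_SPLIT["CORE-AC2"] = VRRP_OK["CORE-AC2"].replace("State : Backup", "State : Master") \
    .replace("Master IP : 192.168.20.1", "Master IP : 192.168.20.2")

if __name__ == "__main__":
    print("healthy:", check_pair(VRRP_OK, HSB_OK))
    print("split-brain:", check_pair(VRRP_SPLIT, HSB_OK))
```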

Step 10 Configure APs to go online on CORE-AC1.
# Configure the AC's source interface.
[CORE-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code cn
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. The command output shows that the State field
displays nor, indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
---------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.41 AP6050DN nor 0 5M:26S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.164 AP6050DN nor 0 2M:52S -
---------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on CORE-AC1.
# Configure WLAN service parameters.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] quit
[CORE-AC1-wlan-view] ssid-profile name ssid1
[CORE-AC1-wlan-ssid-prof-ssid1] ssid test01
[CORE-AC1-wlan-ssid-prof-ssid1] quit
[CORE-AC1-wlan-view] traffic-profile name traff1
[CORE-AC1-wlan-traffic-prof-traff1] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff1] quit
[CORE-AC1-wlan-view] security-profile name sec2
[CORE-AC1-wlan-sec-prof-sec2] quit
[CORE-AC1-wlan-view] ssid-profile name ssid2
[CORE-AC1-wlan-ssid-prof-ssid2] ssid test02
[CORE-AC1-wlan-ssid-prof-ssid2] quit
[CORE-AC1-wlan-view] traffic-profile name traff2
[CORE-AC1-wlan-traffic-prof-traff2] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.

# Bind VAP profiles to the AP group.
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] quit
[CORE-AC1-wlan-view] quit

Step 12 Configure wireless configuration synchronization in the scenario where VRRP and
HSB are configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.
# Configure the source interface of CORE-AC2.
[CORE-AC2] capwap source interface vlanif 20

# Configure wireless configuration synchronization on CORE-AC1.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] master controller
[CORE-AC1-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk Huawei@123
[CORE-AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC1-master-controller] quit
[CORE-AC1-wlan-view] quit

# Configure wireless configuration synchronization on CORE-AC2.
[CORE-AC2] wlan
[CORE-AC2-wlan-view] master controller
[CORE-AC2-master-controller] master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk Huawei@123
[CORE-AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC2-master-controller] quit
[CORE-AC2-wlan-view] quit

# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. The command output shows that
the Status field displays cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC is restarted.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------
Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

After wireless configuration synchronization is manually triggered, the backup AC
automatically restarts. After the backup AC restarts, run the display sync-configuration
status command to check whether the wireless configuration synchronization function is
normal.

# Check whether the wireless configuration synchronization function is normal. If
the Status field displays up, the wireless configuration synchronization function is
normal.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 up 2019-11-05/19:09:14
----------------------------------------------------------------------------------------------------
Total: 1

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.
Verification Method
● Run the following command on CORE-AC1. The command output shows that
APs have obtained IP addresses successfully.
[CORE-AC1] display ip pool interface vlanif20 used
Pool-name : vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :233 Expired :0
Conflict :0 Disabled :19

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 ac85-3d95-d801 DHCP 72528 Used
163 192.168.20.164 ac85-3d95-d802 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 001b-21c4-820f DHCP 48538 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 2cab-0098-15b1 DHCP 48050 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.

# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 173/144 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the user connected to AP1.
C:\Users>ping 172.16.30.168

Pinging 172.16.30.168 with 32 bytes of data:
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.168:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return

# AGG1 configuration file
#
vlan batch 20 30 40 50
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# AGG2 configuration file
#
vlan batch 20 30 40 60
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp
#
interface Eth-trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

# ACC1 configuration file
#
vlan batch 20 30 40 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 30 40
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2 configuration file
#
vlan batch 20 30 40 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 30 40
stp edged-port enable
port-isolate enable group 1
#
return

# CORE-AC1 configuration file
#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 100
#
dhcp enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 172.16.50.0 255.255.255.0 192.168.20.20
ip route-static 172.16.60.0 255.255.255.0 192.168.20.20
ip route-static 192.168.100.0 255.255.255.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
return

# CORE-AC2 configuration file
#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 100
#
dhcp enable
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 172.16.50.0 255.255.255.0 192.168.20.20
ip route-static 172.16.60.0 255.255.255.0 192.168.20.20
ip route-static 192.168.100.0 255.255.255.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
return

3.10 Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth. A standalone AC is deployed in
off-path mode. It centrally manages APs on the entire network.
In this example, aggregation switches set up stacks that function as gateways for
wired and wireless users on the entire network and are responsible for routing and
forwarding of user services.
Figure 3-12 Aggregation switches functioning as gateways + standalone ACs
[Figure: the core layer CORE (CSS) connects to the server zone (including RADIUS and DNS servers); the aggregation layer stacks AGG1 and AGG2, each with an HSB pair of ACs (AGG-AC1/AGG-AC2 and AGG-AC3/AGG-AC4), connect to CORE over Eth-Trunk 10 and Eth-Trunk 20; the access layer switches ACC1 and ACC2 connect over Eth-Trunk 30 and Eth-Trunk 40, with PC1/AP1 and PC2/AP2 attached.]

Device Requirements and Versions

Location          | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer        | -                  | S12700E                     | V200R019C10
Aggregation layer | -                  | S5731-H                     |
Access layer      | -                  | S5735-L                     |
AC                | -                  | AC6605                      |
AP                | -                  | AP6050DN                    | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1    | Configure CSS, stacking, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches
2    | Configure interfaces and VLANs on the switches and ACs and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches
3    | Configure DHCP on the aggregation switches and ACs so that the switches and ACs function as DHCP servers to assign IP addresses to wired and wireless users and APs. | Aggregation switches and ACs
4    | Configure VRRP and HSB on ACs. | ACs
5    | Configure wireless services on ACs so that APs and STAs can go online. | ACs
6    | Configure wireless configuration synchronization in the scenario where VRRP and HSB are configured. | ACs

Data Plan

Table 3-20 Service data plan for core switches

Item                                          | VLAN ID   | Network Segment
Network segment for communication with AGG1   | VLAN 70   | 172.16.70.0/24
Network segment for communication with AGG2   | VLAN 80   | 172.16.80.0/24
Network segment for communication with servers| VLAN 1000 | 192.168.11.254/24
Table 3-21 Service data plan for aggregation switches

Device | Item                                           | VLAN ID | Network Segment
AGG1   | Service VLANs for wireless users               | VLAN 30 | 172.16.30.0/24
       |                                                | VLAN 31 | 172.16.31.0/24
       | Service VLAN for wired users                   | VLAN 50 | 172.16.50.0/24
       | Network segment for communication with CORE    | VLAN 70 | 172.16.70.0/24
       | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24
AGG2   | Service VLANs for wireless users               | VLAN 40 | 172.16.40.0/24
       |                                                | VLAN 41 | 172.16.41.0/24
       | Service VLAN for wired users                   | VLAN 60 | 172.16.60.0/24
       | Network segment for communication with CORE    | VLAN 80 | 172.16.80.0/24
       | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24
Table 3-22 Service data plan for AGG-ACs

Device              | Item                                                                                        | VLAN ID  | Network Segment
AGG-AC1 and AGG-AC2 | Management VLAN for APs                                                                     | VLAN 20  | 192.168.20.0/24
                    | Network segment for communication with CORE                                                 | VLAN 70  | 172.16.70.0/24
                    | VLAN for wireless configuration synchronization between AGG-AC1 and AGG-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24
AGG-AC3 and AGG-AC4 | Management VLAN for APs                                                                     | VLAN 21  | 192.168.21.0/24
                    | Network segment for communication with CORE                                                 | VLAN 80  | 172.16.80.0/24
                    | VLAN for wireless configuration synchronization between AGG-AC3 and AGG-AC4 in an HSB group | VLAN 200 | 172.16.200.0/24
Table 3-23 Wireless service data plan for AGG-ACs

Item                      | Data
AP groups                 | ap-group1, ap-group2
Regulatory domain profile | domain1
SSID profiles             | ssid1, ssid2
VAP profiles              | vap1, vap2 (The data forwarding mode in the VAP profiles is direct forwarding.)

Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
may occur. If a VLAN is configured as both the management VLAN and
service VLAN, and the interface connecting a switch to an AP has the
management VLAN ID as the PVID, downstream packets in the service VLAN
are terminated when going out from the switch. In this case, services are
interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Service packets and management packets can be transmitted properly only if
the network between APs and the upper-layer network is added to the service
VLAN and the network between ACs and APs is added to the management
VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
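As an added check (example code written for this page, not a Huawei tool), the script below audits configuration text in the format of the configuration files shown earlier against the precautions above: interfaces left in VLAN 1 or passing all VLANs, DHCP served by a VRRP/HSB AC without the hsb-service-type dhcp binding, and wlan sections that differ between master and backup ACs. The two AC configurations it reads are constructed from this page's CORE-AC1 file, with deliberate deviations in the backup copy; the function names are the example's own.

```python
"""Audit Huawei-style configuration text against the precautions above:
VLAN 1 left on trunks or access ports, trunks passing all VLANs, DHCP
served by a VRRP/HSB AC without 'hsb-service-type dhcp', and 'wlan'
sections that differ between the master and backup ACs."""
# Constructed from the CORE-AC1 configuration file on this page (trimmed).
AC1 = """#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 dhcp select interface
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
hsb-service-type dhcp hsb-group 0
#
wlan
 vap-profile name vap1
  service-vlan vlan-id 30
 master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1"""
# Constructed backup AC with three deliberate deviations: VLAN 1 left on
# the trunk, DHCP not bound to the HSB group, a different service VLAN.
AC2 = """#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 dhcp select interface
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20
#
wlan
 vap-profile name vap1
  service-vlan vlan-id 40
 master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2"""

def parse_blocks(config):
    """Split a '#'-delimited configuration into {first command: following lines}."""
    blocks, key = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            key = None
        elif key is None:
            key = line
            blocks.setdefault(key, [])
        else:
            blocks[key].append(line)
    return blocks

def audit_interfaces(blocks):
    """Precaution 1: no interface may stay in VLAN 1 or pass every VLAN."""
    findings = []
    for key, body in blocks.items():
        if not key.startswith("interface "):
            continue
        name = key.split(" ", 1)[1]
        if "port link-type trunk" in body:
            if "undo port trunk allow-pass vlan 1" not in body:
                findings.append(f"{name}: trunk still carries VLAN 1")
            if "port trunk allow-pass vlan all" in body:
                findings.append(f"{name}: trunk passes all VLANs")
        elif "port link-type access" in body:
            if not any(l.startswith("port default vlan ") for l in body):
                findings.append(f"{name}: access port left in VLAN 1")
    return findings

def audit_ac(blocks, legacy_version=False):
    """DHCP-server precautions for an AC running VRRP and HSB; legacy_version
    applies the pre-V200R019C00 rule that the DHCP interface carries the VRRP group."""
    findings = []
    has_vrrp = any(l.startswith("vrrp vrid") for b in blocks.values() for l in b)
    dhcp_ifaces = [k for k, b in blocks.items() if "dhcp select interface" in b]
    if not (has_vrrp and dhcp_ifaces):
        return findings
    if not any(k.startswith("hsb-service-type dhcp") for k in blocks):
        findings.append("DHCP not bound to the HSB group (hsb-service-type dhcp missing)")
    for k in (dhcp_ifaces if legacy_version else []):
        if not any(l.startswith("vrrp vrid") for l in blocks[k]):
            findings.append(f"{k}: DHCP server on a non-VRRP interface")
    return findings

def wlan_diff(master, backup):
    """'wlan' lines present on one AC only; the master-redundancy peer/local
    addresses legitimately differ between the two ACs, so they are skipped."""
    def lines(b): return {l for l in b.get("wlan", []) if not l.startswith("master")}
    return sorted(lines(master) ^ lines(backup))

def audit_pair(master_cfg, backup_cfg, legacy_version=False):
    m, b = parse_blocks(master_cfg), parse_blocks(backup_cfg)
    return {"master": audit_interfaces(m) + audit_ac(m, legacy_version),
            "backup": audit_interfaces(b) + audit_ac(b, legacy_version),
            "wlan_mismatch": wlan_diff(m, b)}

if __name__ == "__main__":
    for section, items in audit_pair(AC1, AC2).items():
        print(section, items)
```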

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.

For details, see 3.4 Typical CSS and Stack Deployment.

Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.

# Create VLANs.
[CORE] vlan batch 70 80 1000

# Configure an Eth-Trunk interface for connecting to AGG1, which is a stack of
aggregation switches. The configuration of an Eth-Trunk interface for connecting
to AGG2 (also a stack of aggregation switches) is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to AGG-AC1 and add the member interfaces to it.
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] description con to AC
[AGG1-Eth-Trunk1] mode lacp
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk1] quit
[AGG1] interface gigabitethernet 0/0/4
[AGG1-GigabitEthernet0/0/4] eth-trunk 1
[AGG1-GigabitEthernet0/0/4] quit
[AGG1] interface gigabitethernet 0/0/5
[AGG1-GigabitEthernet0/0/5] eth-trunk 1
[AGG1-GigabitEthernet0/0/5] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface Vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.20 255.255.255.0
[AGG1-Vlanif20] quit

# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on AGG-AC1. The configurations on AGG-AC2,
AGG-AC3, and AGG-AC4 are similar.
# Create VLANs.
<AC6605> system-view
[AC6605] sysname AGG-AC1
[AGG-AC1] vlan batch 20 200

# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add the
interface to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/21
[AGG-AC1-GigabitEthernet0/0/21] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/21] quit
[AGG-AC1] interface gigabitethernet 0/0/22
[AGG-AC1-GigabitEthernet0/0/22] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/22] quit

# On AGG-AC1, configure the interface connected to AGG-AC2.
[AGG-AC1] interface gigabitethernet 0/0/2
[AGG-AC1-GigabitEthernet0/0/2] port link-type trunk
[AGG-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AGG-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AGG-AC1-GigabitEthernet0/0/2] quit
[AGG-AC1] interface vlanif 200
[AGG-AC1-Vlanif200] ip address 172.16.200.1 255.255.255.0
[AGG-AC1-Vlanif200] quit

Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 20 30 31 50

# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk
[ACC1-GigabitEthernet0/0/3] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 30 31
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif30] quit

# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif31] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit

Step 7 Configure routing on core and aggregation switches to implement Layer 3
communication.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure OSPF on AGG-AC1.
[AGG-AC1] ospf 1 router-id 3.3.3.3
[AGG-AC1-ospf-1] area 1
[AGG-AC1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] quit
[AGG-AC1-ospf-1] quit

Step 8 Configure DHCP on AGG-AC1 so that AGG-AC1 can function as a DHCP server to
assign IP addresses to APs. The configuration on AGG-AC3 is similar.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0 //Address in the AP management segment, which also holds the VRRP virtual IP 192.168.20.3.
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit

Step 9 Configure VRRP and HSB on AGG-AC1. The configuration on AGG-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60

# Create a management VRRP group on AGG-AC1. Set the priority of AGG-AC1 in the VRRP group to 120 and set the preemption time to 1200 seconds.
[AGG-AC1] interface vlanif 20
[AGG-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[AGG-AC1-Vlanif20] vrrp vrid 1 priority 120
[AGG-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[AGG-AC1-Vlanif20] quit

# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit

# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit

# Bind the AGG-AC1 service to HSB group 0.
[AGG-AC1] hsb-service-type access-user hsb-group 0
[AGG-AC1] hsb-service-type ap hsb-group 0
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] hsb enable
[AGG-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. The command output shows that the State field of AGG-AC1
displays Master and that of AGG-AC2 displays Backup.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17

[AGG-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 07:15:11
Last change time : 2019-11-30 14:23:17

# Check the HSB service status on AGG-AC1 and AGG-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AGG-AC1 and AGG-AC2 to check the service status of HSB group 0.
[AGG-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------
[AGG-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------

Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code cn
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d800
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than
V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG-AC1 to check the AP running status. The command output shows that the State field displays nor, indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
-----------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-----------------------------------------------------------------------------------------------
1 ac85-3d95-d800 area_1 ap-group1 192.168.20.254 AP6010DN-AGN nor 0 2M:44S
-----------------------------------------------------------------------------------------------
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------------
1 ac85-3da6-a420 area_1 ap-group1 192.168.20.148 AP5010DN-AGN nor 0 1H:19M:18S -
----------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on AGG-AC1.

# Configure WLAN service parameters, and create security profiles, SSID profiles,
and traffic profiles.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1
[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-test02] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles, SSID profiles, and enable IPSG, dynamic ARP
inspection, and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-vap1] security-profile sec1
[AGG-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-vap2] security-profile sec2
[AGG-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.

# Bind VAP profiles to the AP group.
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] quit
[AGG-AC1-wlan-view] quit

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 and AGG-AC1 as an example. The verification methods
on AGG2 and AGG-AC3 are similar.
● Run the following command on AGG-AC1. The command output shows that
an AP has obtained an IP address successfully.
[AGG-AC1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :2
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 1 251(0) 0 2
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
147 192.168.20.148 ac85-3da6-a420 DHCP 80426 Used
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command outputs show that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.1
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :254 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 0 254(0) 0 0
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
d016-b415-cb2e 1 area_1 0/1 2.4G 11n 24/1 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return

# AGG-AC1 configuration file
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 200
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface vlanif 200
ip address 172.16.200.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC2 configuration file
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 200
#
interface vlanif 20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 200
ip address 172.16.200.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG-AC3 configuration file
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 201
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 21
ip address 192.168.21.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface vlanif 201
ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 4.4.4.4
area 0.0.0.2
network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid3
ssid test03
ssid-profile name ssid4
ssid test04
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid3
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 41
ssid-profile ssid4
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC4 configuration file
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 201
#
interface vlanif 21
ip address 192.168.21.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 201
ip address 172.16.201.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk10
description con to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31 50
mode lacp
port-isolate enable
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface Eth-Trunk20
description con to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41 60
mode lacp
port-isolate enable
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 2
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

# ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2 configuration file
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return
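The configuration files above apply the same hardening on every device: VLAN 1 removed from trunk interfaces, DHCP snooping on the VLANs that the switch serves DHCP on (the binding entries that ip source check and learn-client-address dhcp-strict rely on), and IPSG, dynamic ARP inspection and strict DHCP learning in every VAP profile. As an added example that is not part of the Huawei document, the following Python script parses a configuration in display current-configuration layout and reports where those settings are missing; the embedded sample configuration is constructed for illustration and the finding texts are the script's own.

```python
"""Audit a Huawei VRP-style configuration for the hardening this example applies:
VLAN 1 removed from trunks, DHCP snooping on every VLAN served by an interface
DHCP pool, and IPSG, DAI and strict DHCP learning in every VAP profile."""
import re

# Constructed sample in display current-configuration layout (one space per nesting level).
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
#
interface Vlanif30
 dhcp select interface
#
interface Vlanif50
 dhcp select interface
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 to 31 50
#
interface Eth-Trunk99
 port link-type trunk
 port trunk allow-pass vlan all
#
wlan
 vap-profile name vap1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  ip source check user-bind enable
"""

REQUIRED_VAP = (
    "ip source check user-bind enable",        # IPSG against the binding table
    "arp anti-attack check user-bind enable",  # dynamic ARP inspection
    "learn-client-address dhcp-strict",        # STA IP learned from DHCP only
)

class Node:
    def __init__(self, text):
        self.text, self.children = text, []   # one stripped config line and its nested lines
    def has(self, line):  # exact child line, or child line carrying further arguments
        return any(c.text == line or c.text.startswith(line + " ") for c in self.children)

def parse(config):
    """Build a tree from leading-space depth; '#' separators and blank lines are skipped."""
    stack = [(-1, Node(""))]
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:  # climb back to this line's parent
            stack.pop()
        node = Node(text)
        stack[-1][1].children.append(node)
        stack.append((depth, node))
    return stack[0][1].children

def check_trunks(top):
    """Trunks must drop VLAN 1 and must not carry all VLANs (deployment precautions)."""
    out = []
    for n in top:
        if n.text.startswith("interface ") and n.has("port link-type trunk"):
            name = n.text.split(" ", 1)[1]
            if not n.has("undo port trunk allow-pass vlan 1"):
                out.append(f"{name}: VLAN 1 still allowed on trunk")
            if n.has("port trunk allow-pass vlan all"):
                out.append(f"{name}: trunk allows all VLANs")
    return out

def check_dhcp_snooping(top):
    """IPSG and dhcp-strict need binding entries, so DHCP-served VLANs need snooping."""
    snooped = {m.group(1) for n in top if n.has("dhcp snooping enable")
               and (m := re.fullmatch(r"vlan (\d+)", n.text))}
    served = [m.group(1) for n in top if n.has("dhcp select interface")
              and (m := re.fullmatch(r"interface [Vv]lanif ?(\d+)", n.text))]
    missing_global = served and not any(n.text == "dhcp snooping enable" for n in top)
    out = ["dhcp snooping enable is missing from the system view"] if missing_global else []
    out += [f"Vlanif{v}: serves DHCP but VLAN {v} has no 'dhcp snooping enable'"
            for v in served if v not in snooped]
    return out

def check_vaps(top):
    out = []
    for wlan in (n for n in top if n.text == "wlan"):
        for vap in wlan.children:
            if vap.text.startswith("vap-profile name "):
                name = vap.text.rsplit(" ", 1)[1]
                out += [f"vap-profile {name}: missing '{req}'"
                        for req in REQUIRED_VAP if not vap.has(req)]
    return out

def audit(config):
    top = parse(config)
    return check_trunks(top) + check_dhcp_snooping(top) + check_vaps(top)
```

Run audit() over the text of each configuration file; an empty list means every checked setting is present.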

3.11 Standalone AC Solution: Core Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. A standalone AC is deployed in off-path mode. It functions as a gateway
to assign IP addresses to APs and wireless users, and centrally manages APs and
wireless users on the entire network.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
In this example, core switches and standalone ACs function as the gateways for
wired and wireless users on the entire network, respectively.

Figure 3-13 Core switches and standalone ACs functioning as the gateways for wired and wireless users respectively (topology: server zone including RADIUS and DNS servers; CORE-AC1 and CORE-AC2 linked by HSB; CORE CSS at the core layer; AGG1 and AGG2 at the aggregation layer over Eth-Trunk 10 and Eth-Trunk 20; ACC1 and ACC2 at the access layer over Eth-Trunk 30 and Eth-Trunk 40; PC1, AP1, PC2, and AP2)

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer | - | S12700E | V200R019C10
Aggregation layer | - | S5731-H | V200R019C10
Access layer | - | S5735-L | V200R019C10
AC | - | AC6605 | V200R019C10
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on the switches and ACs and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches and ACs
3 | Configure DHCP on CORE and ACs so that CORE and ACs function as DHCP servers to assign IP addresses to wired and wireless users and APs. | Core switches and ACs
4 | Configure VRRP and HSB on ACs. | AC
5 | Configure wireless services on ACs so that APs and STAs can go online. | AC
6 | Configure wireless configuration synchronization in the scenario where VRRP and HSB are configured. | AC
Data Plan

Table 3-24 Service data plan for core switches

Item | VLAN ID | Network Segment
Service VLANs for wireless users (AP1) | VLAN 30 | 172.16.30.0/24
 | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with CORE-ACs | VLAN 20 | 192.168.20.20/24
VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24

Table 3-25 Service data plan for CORE-ACs

Item | VLAN ID | Network Segment
Management VLAN for APs | VLAN 20 | 172.16.20.0/24
VLAN for communication between CORE-AC1 and CORE-AC2 | VLAN 100 | 172.16.100.0/24
VLAN for wireless configuration synchronization between CORE-AC1 and CORE-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24

Table 3-26 Wireless service data plan for CORE-ACs

Item | Data
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | Employee, Guest
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)
CAPWAP source interface and IP address (CORE-AC1) | VLANIF 20: 192.168.20.1/24
CAPWAP source interface and IP address (CORE-AC2) | VLANIF 20: 192.168.20.2/24

Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
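The precautions above can be checked mechanically before a configuration is committed. The following Python script is an added example, not code from the Huawei document: it parses one device's CLI transcript in the "[prompt] command" form used in this section and reports trunk interfaces that still pass VLAN 1 or pass all VLANs, tunnel-mode VAP profiles whose service VLAN equals the management VLAN of the CAPWAP source interface, and DHCP enabled alongside an HSB group without the hsb-service-type dhcp binding. Both sample transcripts are constructed, and the sysname AC-BAD is hypothetical.

```python
"""Lint one device's VRP CLI transcript against the deployment precautions.

Added example, not code from the Huawei document. Reads the '[prompt] command'
transcript format used on this page (output and warning lines are ignored).
Feed it one device's transcript at a time.
"""
import re

PROMPT = re.compile(r"^\[(?P<ctx>[^\]]+)\]\s*(?P<cmd>.*)$")
VAP_CTX = re.compile(r"-wlan-vap-prof-(?P<name>\S+)$")
ALLOW = "port trunk allow-pass vlan "

def parse(transcript):
    """Yield (prompt context, command) pairs; lines without a '[...]' prompt are skipped."""
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("cmd").strip():
            yield m.group("ctx"), m.group("cmd").strip()

def expand_vlans(arg):
    """Expand a VRP VLAN list such as '20 30 to 40 100' into a set of VLAN IDs."""
    vlans, tokens = set(), arg.replace(" to ", "-").split()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint(transcript):
    """Return a list of findings for one device; an empty list means all checks pass."""
    trunks, vaps = {}, {}
    mgmt_vlan, dhcp_enabled, hsb_group, dhcp_bound = None, False, False, False
    for ctx, cmd in parse(transcript):
        if cmd == "port link-type trunk":
            # A VRP trunk passes VLAN 1 by default until it is explicitly removed.
            trunks[ctx] = {"vlan1": True, "all": False}
        elif ctx in trunks and cmd == "undo port trunk allow-pass vlan 1":
            trunks[ctx]["vlan1"] = False
        elif ctx in trunks and cmd.startswith(ALLOW):
            arg = cmd[len(ALLOW):]
            if arg == "all":
                trunks[ctx]["all"] = True
            elif 1 in expand_vlans(arg):
                trunks[ctx]["vlan1"] = True
        elif cmd.startswith("capwap source interface vlanif "):
            mgmt_vlan = int(cmd.rsplit(" ", 1)[1])
        elif VAP_CTX.search(ctx):
            # Direct forwarding is the VAP default; only tunnel mode needs the VLAN check.
            vap = vaps.setdefault(VAP_CTX.search(ctx)["name"], {"mode": "direct-forward", "svlan": None})
            if cmd.startswith("forward-mode "):
                vap["mode"] = cmd.split()[1]
            elif cmd.startswith("service-vlan vlan-id "):
                vap["svlan"] = int(cmd.split()[2])
        elif cmd == "dhcp enable":
            dhcp_enabled = True
        elif re.fullmatch(r"hsb-group \d+", cmd):
            hsb_group = True
        elif cmd.startswith("hsb-service-type dhcp hsb-group "):
            dhcp_bound = True

    issues = []
    for ctx, t in trunks.items():
        if t["all"]:
            issues.append(f"{ctx}: trunk passes all VLANs")
        if t["vlan1"]:
            issues.append(f"{ctx}: trunk still passes VLAN 1")
    for name, v in vaps.items():
        if v["mode"] == "tunnel" and mgmt_vlan is not None and v["svlan"] == mgmt_vlan:
            issues.append(f"vap-profile {name}: service VLAN {v['svlan']} equals management VLAN")
    if dhcp_enabled and hsb_group and not dhcp_bound:
        issues.append("DHCP enabled with an HSB group but no 'hsb-service-type dhcp' binding")
    return issues

# Constructed transcript mirroring the CORE-AC1 commands on this page.
GOOD_AC = """\
[CORE-AC1-Eth-Trunk1] port link-type trunk
[CORE-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 40
[CORE-AC1] dhcp enable
[CORE-AC1] capwap source interface vlanif 20
[CORE-AC1-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1] hsb-group 0
[CORE-AC1] hsb-service-type dhcp hsb-group 0
"""

# Constructed transcript (hypothetical sysname AC-BAD) that breaks every precaution once.
BAD_AC = """\
[AC-BAD-Eth-Trunk1] port link-type trunk
[AC-BAD-Eth-Trunk1] port trunk allow-pass vlan all
[AC-BAD] dhcp enable
[AC-BAD] capwap source interface vlanif 20
[AC-BAD-wlan-vap-prof-vap1] forward-mode tunnel
[AC-BAD-wlan-vap-prof-vap1] service-vlan vlan-id 20
[AC-BAD] hsb-group 0
"""

if __name__ == "__main__":
    print(lint(GOOD_AC) or ["no findings"], lint(BAD_AC), sep="\n")
```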

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Configure Eth-Trunk 10 for connecting to AGG1, which is a stack of aggregation
switches. The configuration of an Eth-Trunk interface for connecting to AGG2 (also
a stack of aggregation switches) is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description con to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] port trunk allow-pass vlan 20 50
[CORE-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to CORE-AC1 and add the member interfaces
to the Eth-Trunk. The configuration of the Eth-Trunk interface for connecting to
CORE-AC2 is similar.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] description con to CORE-AC1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk1] port trunk allow-pass vlan 20 30 40
[CORE-Eth-Trunk1] quit
[CORE] interface xgigabitethernet 1/1/0/3
[CORE-XGigabitEthernet1/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet1/1/0/3] quit
[CORE] interface xgigabitethernet 2/1/0/3
[CORE-XGigabitEthernet2/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet2/1/0/3] quit

# Add the interface connected to Agile Controller-Campus to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.

# Create VLANs.
[AGG1] vlan batch 20 50

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk10] quit

# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] port-isolate enable
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.

# Create VLANs.
[ACC1] vlan batch 20 50

# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 20
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit

Step 5 Configure interfaces and VLANs on CORE-AC1. The configuration on CORE-AC2 is
similar.
# Configure an interface for connecting to CORE.
<AC6605> system-view
[AC6605] sysname CORE-AC1
[CORE-AC1] vlan batch 20 30 40 100
[CORE-AC1] interface eth-trunk 1
[CORE-AC1-Eth-Trunk1] mode lacp
[CORE-AC1-Eth-Trunk1] port link-type trunk
[CORE-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 40
[CORE-AC1-Eth-Trunk1] quit
[CORE-AC1] interface xgigabitethernet 0/0/21
[CORE-AC1-XGigabitEthernet0/0/21] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/21] quit
[CORE-AC1] interface xgigabitethernet 0/0/22
[CORE-AC1-XGigabitEthernet0/0/22] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/22] quit

# Configure an interface for connecting CORE-AC1 to CORE-AC2.
[CORE-AC1] interface gigabitethernet 0/0/2
[CORE-AC1-GigabitEthernet0/0/2] port link-type trunk
[CORE-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[CORE-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[CORE-AC1-GigabitEthernet0/0/2] quit
[CORE-AC1] interface vlanif 100
[CORE-AC1-Vlanif100] ip address 172.16.100.1 255.255.255.0
[CORE-AC1-Vlanif100] quit

Step 6 Configure DHCP on CORE so that CORE functions as the DHCP server to assign IP
addresses to wired users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to configure this command based on actual requirements.
[CORE-Vlanif60] quit

# Create Layer 3 interfaces for connecting to the ACs.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.20 255.255.255.0
[CORE-Vlanif20] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.3 255.255.255.0
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.3 255.255.255.0
[CORE-Vlanif40] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit

Step 7 Configure DHCP on CORE-AC1 so that CORE-AC1 functions as a DHCP server to
assign IP addresses to APs and wireless users. The configuration on CORE-AC2 is
similar.

# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE-AC1] dhcp enable
[CORE-AC1] dhcp snooping enable
[CORE-AC1] vlan 30
[CORE-AC1-vlan30] dhcp snooping enable
[CORE-AC1-vlan30] quit
[CORE-AC1] vlan 40
[CORE-AC1-vlan40] dhcp snooping enable
[CORE-AC1-vlan40] quit

# Create VLANIF 20 for wireless management and configure CORE-AC1 to assign IP
addresses to APs from the interface address pool.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] dhcp select interface
[CORE-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[CORE-AC1-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE-AC1 to assign IP addresses to wireless terminals from the interface
address pools.
[CORE-AC1] interface vlanif 30
[CORE-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-AC1-Vlanif30] dhcp select interface
[CORE-AC1-Vlanif30] dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
[CORE-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif30] quit
[CORE-AC1] interface vlanif 40
[CORE-AC1-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-AC1-Vlanif40] dhcp select interface
[CORE-AC1-Vlanif40] dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
[CORE-AC1-Vlanif40] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif40] quit

Step 8 Configure a default route on CORE-AC1. The configuration on CORE-AC2 is similar.
[CORE-AC1] ip route-static 0.0.0.0 0.0.0.0 192.168.20.20

Step 9 Configure VRRP and HSB on CORE-AC1. The configuration on CORE-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[CORE-AC1] vrrp recover-delay 60

# Create a management VRRP group on CORE-AC1. Set the priority of CORE-AC1
in the VRRP group to 120 and set the preemption delay to 1200 seconds.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[CORE-AC1-Vlanif20] vrrp vrid 1 priority 120
[CORE-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[CORE-AC1-Vlanif20] admin-vrrp vrid 1
[CORE-AC1-Vlanif20] quit

# Create HSB service 0 on CORE-AC1 and configure IP addresses and port
numbers for the HSB channel.
[CORE-AC1] hsb-service 0
[CORE-AC1-hsb-service-0] service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port
10241 peer-data-port 10241
[CORE-AC1-hsb-service-0] quit

# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit

# Bind the access user, AP, and DHCP services on CORE-AC1 to HSB group 0, and
enable HSB for the group.
[CORE-AC1] hsb-service-type access-user hsb-group 0
[CORE-AC1] hsb-service-type ap hsb-group 0
[CORE-AC1] hsb-service-type dhcp hsb-group 0
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] hsb enable
[CORE-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on CORE-
AC1 and CORE-AC2. The command output shows that the State field of CORE-
AC1 displays Master and that of CORE-AC2 displays Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31
[CORE-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23

# Check the HSB service status on CORE-AC1 and CORE-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on CORE-AC1 and CORE-AC2 to check
the service status of HSB group 0.
[CORE-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[CORE-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

Step 10 Configure APs to go online on CORE-AC1.

# Configure the AC's source interface.
[CORE-AC1] capwap source interface vlanif 20 //VLAN 20 is the management VLAN for wireless APs.

# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code cn
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. The command output shows that the State field
displays nor, indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
---------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.41 AP6050DN nor 0 5M:26S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.164 AP6050DN nor 0 2M:52S -
---------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on CORE-AC1.

# Configure WLAN service parameters.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] quit
[CORE-AC1-wlan-view] ssid-profile name ssid1
[CORE-AC1-wlan-ssid-prof-ssid1] ssid Employee
[CORE-AC1-wlan-ssid-prof-ssid1] quit
[CORE-AC1-wlan-view] traffic-profile name traff
[CORE-AC1-wlan-traffic-prof-traff] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff] quit
[CORE-AC1-wlan-view] security-profile name sec2
[CORE-AC1-wlan-sec-prof-sec2] quit
[CORE-AC1-wlan-view] ssid-profile name ssid2
[CORE-AC1-wlan-ssid-prof-ssid2] ssid Guest
[CORE-AC1-wlan-ssid-prof-ssid2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.

# Bind VAP profiles to the AP group.
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] quit
[CORE-AC1-wlan-view] quit

Step 12 Configure wireless configuration synchronization in the scenario where VRRP and
HSB are configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.

# Configure the source interface of CORE-AC2.
[CORE-AC2] capwap source interface vlanif 20

# Configure wireless configuration synchronization on CORE-AC1.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] master controller
[CORE-AC1-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address
172.16.100.1 psk Huawei@123
[CORE-AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC1-master-controller] quit
[CORE-AC1-wlan-view] quit

# Configure wireless configuration synchronization on CORE-AC2.
[CORE-AC2] wlan
[CORE-AC2-wlan-view] master controller
[CORE-AC2-master-controller] master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address
172.16.100.2 psk Huawei@123
[CORE-AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC2-master-controller] quit
[CORE-AC2-wlan-view] quit

# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. The command output shows that
the Status field displays cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC is restarted.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------
Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]:y

After wireless configuration synchronization is manually triggered, the backup AC
automatically restarts. After the backup AC restarts, run the display sync-configuration
status command to check whether the wireless configuration synchronization function is
normal.

# Check whether the wireless configuration synchronization function is normal. If
the Status field displays up, the wireless configuration synchronization function is
normal.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 up 2019-11-05/19:09:14
----------------------------------------------------------------------------------------------------
Total: 1

----End

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.
Verification Method
● Run the following command on the AC. The command output shows that APs
have obtained IP addresses successfully.
[CORE-AC1] display ip pool interface vlanif20 used
Pool-name : vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :233 Expired :0
Conflict :0 Disabled :19

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 ac85-3d95-d801 DHCP 72528 Used
163 192.168.20.164 ac85-3d95-d802 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 001b-21c4-820f DHCP 84875 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 2cab-0098-15b1 DHCP 84434 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
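The pool statistics above are easy to read for a single VLANIF, but on a campus with many interface address pools a defender wants them parsed and watched: a pool that fills up unexpectedly is the usual sign of DHCP starvation, and a non-zero Conflict counter means an address is in use by a host the server never leased it to. The following Python script is an added example written for this guide; it is not Huawei code and not part of the original document. The text it parses is constructed to mirror the display ip pool output shown above, and the function names (parse_ip_pool, pool_utilization, pool_alerts) and the 90% exhaustion threshold are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "display ip pool interface vlanif60 used" output
# shown above; it was not captured from a live switch.
SAMPLE_OUTPUT = """\
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
DNS-server0 : 192.168.100.2
Position : Interface
Status : Unlocked
Network : 172.16.60.0
Mask : 255.255.255.0
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 2cab-0098-15b1 DHCP 84434 Used
-------------------------------------------------------------------------------------
"""


@dataclass
class PoolStatus:
    name: str
    network: str
    mask: str
    counters: dict                                # Total/Used/Idle/Expired/Conflict/Disabled -> int
    leases: list = field(default_factory=list)    # (ip, client_id, type, seconds_left, status)


# "Total :254 Used :1" style counters; \b keeps "Conflicted address ..." from matching "Conflict".
_COUNTER_RE = re.compile(r"\b(Total|Used|Idle|Expired|Conflict|Disabled)\s*:\s*(\d+)")
# One lease row: index, IPv4 address, client ID, type, seconds left, status.
_LEASE_RE = re.compile(
    r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_ip_pool(text: str) -> PoolStatus:
    """Parse one pool's 'display ip pool ... used' output into a PoolStatus."""
    fields, counters, leases = {}, {}, []
    for line in text.splitlines():
        m = _LEASE_RE.match(line)
        if m:
            ip, client_id, kind, left, status = m.groups()
            leases.append((ip, client_id, kind, int(left), status))
            continue
        for key, value in _COUNTER_RE.findall(line):
            counters[key] = int(value)
        key, sep, value = line.partition(":")     # "Network : 172.16.60.0" style fields
        if sep:
            fields[key.strip()] = value.strip()
    return PoolStatus(name=fields.get("Pool-name", "?"), network=fields["Network"],
                      mask=fields["Mask"], counters=counters, leases=leases)


def pool_utilization(pool: PoolStatus) -> float:
    total = pool.counters.get("Total", 0)
    return pool.counters.get("Used", 0) / total if total else 0.0


def pool_alerts(pool: PoolStatus, exhaustion_threshold: float = 0.9) -> list:
    """Conditions worth alerting on: a nearly exhausted pool is the classic symptom of
    DHCP starvation; a conflict means an address is used by a host the server did not
    lease it to (static misconfiguration or an unmanaged device)."""
    alerts = []
    util = pool_utilization(pool)
    if util >= exhaustion_threshold:
        alerts.append(f"{pool.name} ({pool.network}/{pool.mask}): {util:.0%} used, "
                      "possible DHCP starvation")
    if pool.counters.get("Conflict", 0):
        alerts.append(f"{pool.name}: {pool.counters['Conflict']} conflicting address(es), "
                      "check for rogue static hosts")
    return alerts


if __name__ == "__main__":
    pool = parse_ip_pool(SAMPLE_OUTPUT)
    print(pool.network, f"{pool_utilization(pool):.1%}", pool.leases, pool_alerts(pool))
```

Feeding the script the output of each interface pool (one display ip pool ... used per VLANIF) gives a per-VLAN utilization figure that can be trended; a sudden jump to the threshold on a user VLAN is worth correlating with the DHCP snooping binding table on the access switch.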

● Wired and wireless users can communicate with each other.


# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
PING 192.168.100.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 1 area_1 1/1 5G 11ac 173/115 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2

#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 50
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 20 60
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 60
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

# ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2 configuration file
#
sysname ACC2
#
vlan batch 20 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# CORE-AC1 configuration file
#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1

#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#

#
return

# CORE-AC2 configuration file
#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
return

3.12 Standalone AC Solution: Aggregation Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
A standalone AC is deployed in off-path mode. It functions as a DHCP server to
assign IP addresses to APs and centrally manages APs on the entire network.
In this example, aggregation switches and ACs function as the gateways for wired
and wireless users on the entire network respectively and are responsible for
routing and forwarding of user services.

Figure 3-14 Aggregation switches and standalone ACs functioning as the gateways for wired and wireless users respectively

[Figure: network topology. Core layer: CORE (a CSS), with XGE1/2/0/1 to the server zone (including RADIUS and DNS servers), Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) down to AGG1, and Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1) down to AGG2. Aggregation layer: stacks AGG1 and AGG2 (uplinks XGE0/0/1 and XGE1/0/1); AGG-AC1 and AGG-AC2 attach to AGG1 over Eth-Trunk 1 (AGG1 GE0/0/4, GE0/0/5) with an HSB link between the two ACs, and AGG-AC3 and AGG-AC4 attach to AGG2 over Eth-Trunk 2 in the same way. Access layer: ACC1 below AGG1 over Eth-Trunk 30 (AGG1 GE0/0/3, GE1/0/3; ACC1 GE0/0/1, GE0/0/2) and ACC2 below AGG2 over Eth-Trunk 40 (AGG2 GE0/0/3, GE1/0/3; ACC2 GE0/0/1, GE0/0/2); PC1 and AP1 attach to ACC1 and PC2 and AP2 to ACC2 (ports labelled GE0/0/3 and GE0/0/4 in the figure).]

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer | - | S12700E | V200R019C10
Aggregation layer | - | S5731-H |
Access layer | - | S5735-L |
AC | - | AC6605 |
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure CSS, stacking, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on the switches and ACs and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches
3 | Configure DHCP on the aggregation switches and ACs so that the switches and ACs function as DHCP servers to assign IP addresses to wired and wireless users and APs. | Aggregation switches and ACs
4 | Configure VRRP and HSB on ACs. | AC
5 | Configure wireless services on ACs so that APs and STAs can go online. | AC
6 | Configure wireless configuration synchronization in the scenario where VRRP and HSB are configured. | AC

Data Plan

Table 3-27 Service data plan for core switches

Item | VLAN ID | Network Segment
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24

Table 3-28 Service data plan for aggregation switches

Device | Item | VLAN ID | Network Segment
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG1 | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24
AGG2 | Network segment for communication with AGG-ACs | VLAN 21 | 172.16.21.0/24

Table 3-29 Service data plan for ACs

Device | Item | VLAN ID | Network Segment
AGG-AC1 and AGG-AC2 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
AGG-AC1 and AGG-AC2 | Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
AGG-AC1 and AGG-AC2 | Service VLANs for wireless users | VLAN 31 | 172.16.31.0/24
AGG-AC1 and AGG-AC2 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG-AC1 and AGG-AC2 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG-AC1 and AGG-AC2 | VLAN for wireless configuration synchronization between AGG-AC1 and AGG-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24
AGG-AC3 and AGG-AC4 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
AGG-AC3 and AGG-AC4 | Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24
AGG-AC3 and AGG-AC4 | Service VLANs for wireless users | VLAN 41 | 172.16.41.0/24
AGG-AC3 and AGG-AC4 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG-AC3 and AGG-AC4 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24
AGG-AC3 and AGG-AC4 | VLAN for wireless configuration synchronization between AGG-AC3 and AGG-AC4 in an HSB group | VLAN 200 | 172.16.200.0/24

Table 3-30 Wireless service data plan for AGG-ACs

Item | Data
AP groups | ap-group1, ap-group2
Regulatory domain profile | domain1
SSID profiles | ssid1, ssid2
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Configuration Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
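The last three precautions (identical WLAN service configuration on both ACs, identical address pools, and the DHCP service bound to the HSB group) are exactly the settings that drift when a change is applied to one AC only. The Python script below is an added example written for this guide; it is not Huawei code and not part of the original document. It splits two VRP-style configuration files into their '#'-delimited stanzas, diffs the wlan stanza (ignoring the master-redundancy peer-ip line, whose local and peer addresses legitimately differ between the two ACs), checks that hsb-service-type dhcp hsb-group is present on both, and compares the interface address pools by subnet and options. The two configuration fragments are constructed for the example, with the backup deliberately drifted in three places; the PSK is a placeholder; the function names (stanzas, wlan_lines, interface_pools, check_hsb_pair) are the example's own.

```python
import difflib
import ipaddress

# Constructed master/backup AC fragments in VRP style, modelled on the CORE-AC1/CORE-AC2
# files above but not copied from them. The backup drifts in three places on purpose:
# a different SSID, a different DNS server in the Vlanif30 pool, and no DHCP HSB binding.
MASTER_CFG = """\
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
hsb-service-type dhcp hsb-group 0
#
wlan
 ssid-profile name ssid1
  ssid Employee
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
 master-redundancy peer-ip ip-address 172.16.200.2 local-ip ip-address 172.16.200.1 psk <PSK-PLACEHOLDER>
#
"""

BACKUP_CFG = """\
#
interface Vlanif30
 ip address 172.16.30.2 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.100.3
#
wlan
 ssid-profile name ssid1
  ssid Employees
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
 master-redundancy peer-ip ip-address 172.16.200.1 local-ip ip-address 172.16.200.2 psk <PSK-PLACEHOLDER>
#
"""


def stanzas(config: str) -> list:
    """Split a VRP configuration into its '#'-delimited stanzas (lists of stripped lines)."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def wlan_lines(config: str) -> list:
    """Body of the 'wlan' stanza minus the peer-specific master-redundancy line."""
    for block in stanzas(config):
        if block[0] == "wlan":
            return [l for l in block[1:] if not l.startswith("master-redundancy peer-ip")]
    return []


def interface_pools(config: str) -> dict:
    """VLANIF interfaces acting as DHCP servers -> (subnet, dns-list lines)."""
    pools = {}
    for block in stanzas(config):
        if block[0].startswith("interface Vlanif") and "dhcp select interface" in block:
            addr = next(l.split()[2:4] for l in block if l.startswith("ip address "))
            subnet = str(ipaddress.ip_network("/".join(addr), strict=False))
            dns = tuple(l for l in block if l.startswith("dhcp server dns-list"))
            pools[block[0].split()[1]] = (subnet, dns)
    return pools


def check_hsb_pair(master_cfg: str, backup_cfg: str, hsb_group: str = "0") -> list:
    findings = []
    # 1. WLAN service configuration must be identical on both ACs.
    diff = difflib.ndiff(wlan_lines(master_cfg), wlan_lines(backup_cfg))
    findings += [f"wlan drift: {d}" for d in diff if d.startswith(("- ", "+ "))]
    # 2. The DHCP service must be bound to the HSB group on both ACs.
    binding = f"hsb-service-type dhcp hsb-group {hsb_group}"
    for role, cfg in (("master", master_cfg), ("backup", backup_cfg)):
        if not any(block == [binding] for block in stanzas(cfg)):
            findings.append(f"{role}: DHCP service not bound to HSB group {hsb_group}")
    # 3. Interface address pools must match (same subnet, same options) on both ACs.
    mp, bp = interface_pools(master_cfg), interface_pools(backup_cfg)
    for name in sorted(set(mp) | set(bp)):
        if mp.get(name) != bp.get(name):
            findings.append(f"pool mismatch on {name}: master={mp.get(name)} backup={bp.get(name)}")
    return findings


if __name__ == "__main__":
    for finding in check_hsb_pair(MASTER_CFG, BACKUP_CFG):
        print(finding)
```

Run against the saved configuration of both ACs after every change window; an empty result is the expected state, and any "wlan drift" line is a change that will surface only after a master/backup switchover, which is the worst time to discover it.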

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 70 80 1000

# Configure Eth-Trunk 10 for connecting to AGG1, which is a stack of aggregation switches. The configuration of an Eth-Trunk interface for connecting to AGG2 (also a stack of aggregation switches) is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to AGG-AC1 and add the member interfaces to the Eth-Trunk.
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] description con to AC
[AGG1-Eth-Trunk1] mode lacp
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 20 30 31
[AGG1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk1] quit
[AGG1] interface gigabitethernet 0/0/4
[AGG1-GigabitEthernet0/0/4] eth-trunk 1
[AGG1-GigabitEthernet0/0/4] quit
[AGG1] interface gigabitethernet 0/0/5
[AGG1-GigabitEthernet0/0/5] eth-trunk 1
[AGG1-GigabitEthernet0/0/5] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface Vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.20 255.255.255.0
[AGG1-Vlanif20] quit

# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit

Step 4 Configure interfaces and VLANs on AGG-AC1. The configurations on AGG-AC2, AGG-AC3, and AGG-AC4 are similar.
# Create VLANs.
<AC6605> system-view
[AC6605] sysname AGG-AC1
[AGG-AC1] vlan batch 20 30 31 200

# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add the
interface to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 31
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/21
[AGG-AC1-GigabitEthernet0/0/21] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/21] quit
[AGG-AC1] interface gigabitethernet 0/0/22
[AGG-AC1-GigabitEthernet0/0/22] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/22] quit

# On AGG-AC1, configure the interface connected to AGG-AC2.
[AGG-AC1] interface gigabitethernet 0/0/2
[AGG-AC1-GigabitEthernet0/0/2] port link-type trunk
[AGG-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AGG-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AGG-AC1-GigabitEthernet0/0/2] quit
[AGG-AC1] interface vlanif 200
[AGG-AC1-Vlanif200] ip address 172.16.200.1 255.255.255.0
[AGG-AC1-Vlanif200] quit

Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<ACC1> system-view
[ACC1] vlan batch 20 50

# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk
[ACC1-GigabitEthernet0/0/3] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 20
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit

Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for the service VLAN.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit

Step 7 Configure routing on the core switches, aggregation switches, and ACs to implement Layer 3 communication.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure OSPF on AGG-AC1.
[AGG-AC1] ospf 1 router-id 3.3.3.3
[AGG-AC1-ospf-1] area 1
[AGG-AC1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] network 172.16.30.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] network 172.16.31.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] quit
[AGG-AC1-ospf-1] quit

Step 8 Configure DHCP on AGG-AC1. The configuration on AGG-AC3 is similar.

# Create Layer 3 interface VLANIF 20 for wireless services and configure AGG-AC1
to assign IP addresses to APs from the interface address pool.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit

# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 30
[AGG-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG-AC1-Vlanif30] dhcp select interface
[AGG-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif30] quit

# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 31
[AGG-AC1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG-AC1-Vlanif31] dhcp select interface
[AGG-AC1-Vlanif31] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif31] quit

Step 9 Configure VRRP and HSB on AGG-AC1. The configuration on AGG-AC2 is similar.

# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60

# Create a management VRRP group on AGG-AC1. Set the priority of AGG-AC1 in the VRRP group to 120 and set the preemption delay to 1200 seconds.
[AGG-AC1] interface vlanif 20
[AGG-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[AGG-AC1-Vlanif20] vrrp vrid 1 priority 120
[AGG-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[AGG-AC1-Vlanif20] admin-vrrp vrid 1
[AGG-AC1-Vlanif20] quit

# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit

# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit

# Bind the access user, AP, and DHCP services on AGG-AC1 to HSB group 0 and enable
HSB for the group.
[AGG-AC1] hsb-service-type access-user hsb-group 0
[AGG-AC1] hsb-service-type ap hsb-group 0
[AGG-AC1] hsb-service-type dhcp hsb-group 0
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] hsb enable
[AGG-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. The command output shows that the State field of AGG-AC1
displays Master and that of AGG-AC2 displays Backup.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17

[AGG-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 07:15:11
Last change time : 2019-11-30 14:23:17


# Check the HSB service status on AGG-AC1 and AGG-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AGG-AC1 and AGG-AC2 to check
the service status of HSB group 0.
[AGG-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------
[AGG-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------

Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code cn
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d800
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than
V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG-AC1 to check
the AP running status. The command output shows that the State field displays
nor, indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------------
1 ac85-3da6-a420 area_1 ap-group1 192.168.20.148 AP6050DN nor 0 1H:19M:18S -
----------------------------------------------------------------------------------------------------------

Step 11 Configure wireless services on AGG-AC1 so that STAs can go online.

# Configure WLAN service parameters, and create security profiles, SSID profiles,
and a traffic profile.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1
[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply the security, SSID, and traffic profiles, and enable IPSG,
dynamic ARP inspection (DAI), and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name test01
[AGG-AC1-wlan-vap-prof-test01] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test01] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-test01] security-profile sec1
[AGG-AC1-wlan-vap-prof-test01] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-test01] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-test01] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test01] quit
[AGG-AC1-wlan-view] vap-profile name test02
[AGG-AC1-wlan-vap-prof-test02] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test02] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-test02] security-profile sec2
[AGG-AC1-wlan-vap-prof-test02] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-test02] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-test02] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test02] quit

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.

# Bind the VAP profiles test01 and test02 to the AP group.
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test01 wlan 1 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test02 wlan 2 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test01 wlan 1 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test02 wlan 2 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] quit
[AGG-AC1-wlan-view] quit

----End
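The procedures in Steps 9 and 11 depend on several things staying consistent that the CLI does not check for you: every VAP profile needs all three binding-based checks, and IPSG and DAI only have binding entries to match against on a service VLAN where DHCP snooping is enabled (see the note above); a security profile created the way sec1 and sec2 are here, with no security policy, leaves its SSID on open authentication; a VAP profile bound under a radio must actually exist; and the HSB channel between the two ACs only connects when each side's peer address and port are the other side's local ones. The Python script below is an added example, not part of this document or of Huawei's tooling, that audits saved configuration files for exactly these points. Its two sample configurations are constructed for the example from the AGG-AC1 and AGG-AC2 configuration files on this page, with deliberate defects (test02 lacks DAI, VLAN 31 has no DHCP snooping, sec1 is empty, vap2 is bound but never defined, and AGG-AC2's HSB line copies AGG-AC1's instead of mirroring it); the function names and the wording of the findings are mine.

```python
"""Audit exported Huawei VRP AC configurations for the per-VAP hardening and HSB channel
settings of Steps 9 and 11.  Added example, not Huawei tooling (see lead-in)."""
import re

REQUIRED_VAP_HARDENING = (                     # all three make binding-based filtering effective
    "ip source check user-bind enable",        # IPSG: drop IP packets with no binding entry
    "arp anti-attack check user-bind enable",  # DAI: drop ARP packets with no binding entry
    "learn-client-address dhcp-strict",        # learn STA addresses only from DHCP
)
HSB_RE = re.compile(r"service-ip-port local-ip (\S+) peer-ip (\S+) local-data-port (\d+) peer-data-port (\d+)")

# Constructed samples (not the page's files) with deliberate defects; AC2's HSB line does not mirror AC1's.
SAMPLE_AC1 = """\
vlan 30
 dhcp snooping enable
hsb-service 0
 service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
wlan
 security-profile name sec1
 vap-profile name test01
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name test02
  service-vlan vlan-id 31
  security-profile sec1
  ip source check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  radio 0
   vap-profile test01 wlan 1
   vap-profile vap2 wlan 2
"""
SAMPLE_AC2 = """\
hsb-service 0
 service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
"""

def parse_blocks(text):
    """[(line, [direct child lines])] per line; nesting follows VRP's one-space-per-level indentation."""
    blocks, stack = [], []                       # stack: (indent, children) of the views still open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):  # separators and the trailing 'return' carry no config
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # leave views at the same or a deeper level
            stack.pop()
        if stack:
            stack[-1][1].append(line)
        children = []
        blocks.append((line, children))
        stack.append((indent, children))
    return blocks

def audit_wlan(text):
    """Sorted findings: missing per-VAP hardening, unsnooped service VLANs, open auth, undefined VAPs."""
    snooped, vaps, secs, bound, findings = set(), {}, {}, [], []
    for header, children in parse_blocks(text):
        if (m := re.fullmatch(r"vlan (\d+)", header)) and "dhcp snooping enable" in children:
            snooped.add(int(m[1]))
        elif m := re.fullmatch(r"vap-profile name (\S+)", header):
            vaps[m[1]] = children
        elif m := re.fullmatch(r"security-profile name (\S+)", header):
            secs[m[1]] = children
        elif m := re.fullmatch(r"vap-profile (\S+) wlan \d+(?: radio \d+)?", header):
            bound.append(m[1])                   # binding under 'radio N' in a file, or the CLI form
    for name, lines in vaps.items():
        for cmd in REQUIRED_VAP_HARDENING:
            if cmd not in lines:
                findings.append(f"vap-profile {name}: missing '{cmd}'")
        for line in lines:
            if (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)) and int(m[1]) not in snooped:
                findings.append(f"vap-profile {name}: service VLAN {m[1]} has no 'dhcp snooping enable'")
            if m := re.fullmatch(r"security-profile (\S+)", line):
                # A security profile with no 'security ...' command keeps the default: open authentication.
                policy = next((c for c in secs.get(m[1], []) if c.startswith("security ")), "security open")
                if policy == "security open":
                    findings.append(f"vap-profile {name}: security-profile {m[1]} uses open authentication")
    findings += [f"radio binding references undefined vap-profile {n}" for n in bound if n not in vaps]
    return sorted(findings)

def hsb_endpoints(text):
    """Map hsb-service ID -> (local_ip, peer_ip, local_port, peer_port)."""
    return {int(m[1]): (h[1], h[2], int(h[3]), int(h[4]))
            for header, children in parse_blocks(text)
            if (m := re.fullmatch(r"hsb-service (\d+)", header))
            for h in map(HSB_RE.fullmatch, children) if h}

def audit_hsb_pair(text_a, text_b):
    """The channel only connects when A's peer address/port is B's local one and vice versa."""
    a, b, findings = hsb_endpoints(text_a), hsb_endpoints(text_b), []
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            findings.append(f"hsb-service {sid}: defined on only one peer")
        elif (a[sid][1], a[sid][3]) != (b[sid][0], b[sid][2]) or (b[sid][1], b[sid][3]) != (a[sid][0], a[sid][2]):
            findings.append(f"hsb-service {sid}: endpoints do not mirror ({a[sid]} vs {b[sid]})")
    return findings
```

Feed it the output of display current-configuration saved to a file on each AC; a correctly configured pair returns an empty list from both functions. The parser relies on the one-space-per-level indentation of a saved VRP configuration to recover the view hierarchy, so run it on the saved file rather than on text whose indentation has been lost, as it has in the configuration file listings reproduced on this page.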

Verifying the Deployment

Expected Result
Wired and wireless users can access the campus network.


Verification Method
The following uses AGG1 and AGG-AC1 as an example. The verification methods
on AGG2 and AGG-AC3 are similar.
● Run the following command on AGG-AC1. The command output shows that
an AP has obtained an IP address successfully.
[AGG-AC1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface
Status : Unlocked
Gateway-0 : -
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :2
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 1 251(0) 0 2
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
147 192.168.20.148 ac85-3da6-a420 DHCP 80426 Used
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command outputs show that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No : 2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 192.168.100.2
NBNS-server0 : -
Netbios-type : -
Position : Interface
Status : Unlocked
Gateway-0 : -
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :254 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.216 254 0 254(0) 0 0
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.

# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
PING 192.168.100.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG-AC1 configuration file


#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0


#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name test01
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name test02
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile test01 wlan 1
vap-profile test02 wlan 2
radio 1
vap-profile test01 wlan 1
vap-profile test02 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC2 configuration file


#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 200
#
interface vlanif20
ip address 192.168.20.2 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif200
ip address 172.16.200.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp


#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG-AC3 configuration file


#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
interface vlanif21
ip address 192.168.21.1 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface vlanif201
ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 4.4.4.4
area 0.0.0.2
network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid3
ssid test03
ssid-profile name ssid4
ssid test04
vap-profile name test01
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid3
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name test02
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid4
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile test01 wlan 1
vap-profile test02 wlan 2
radio 1
vap-profile test01 wlan 1
vap-profile test02 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC4 configuration file


#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 201
#
interface vlanif21
ip address 192.168.21.2 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif201
ip address 172.16.201.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG1 configuration file


#
sysname AGG1
#
vlan batch 20 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31 50
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# AGG2 configuration file


#
sysname AGG2
#
vlan batch 21 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41 60
mode lacp
port-isolate enable
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

# ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2 configuration file


#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return


4 Campus Egress Deployment

4.1 Key Points of Campus Egress Deployment
4.2 Deploying Firewalls as Egress Devices
4.4 Connecting Firewalls to Egress Routers Directly
4.5 Deploying IPSec on Firewalls for Secure Communication with the Headquarters
4.6 Deploying IPSec on Egress Routers for Communication Between the
Headquarters and Branch
4.7 Connecting an Egress Router in a Branch to the Headquarters Through a
Private Line

4.1 Key Points of Campus Egress Deployment

Campus egress deployment aims to enable end users on a campus network to
access the WAN or Internet and connect branches to the headquarters. Routers
and firewalls are typically deployed at the campus egress. Routers provide
communication between the internal and external networks, and firewalls provide
border security protection. In real-world networking, Ethernet links are typically
used, and the number of egress routes is small (usually less than 1,000 routes). To
reduce network construction costs, firewalls are recommended as egress devices.
Table 4-1 describes the key points of egress deployment on a campus network
based on the services and scale of the campus network.


Table 4-1 Campus egress deployment

Key Point: Determine the campus egress solution and egress devices to be deployed.
Description: Select egress devices based on the egress link type, number and density of interfaces, routing protocol, and costs. In real-world networking, Ethernet links are typically used, and the number of egress routes is small (usually less than 1,000 routes). To reduce network construction costs, firewalls are recommended as egress devices.

Key Point: Determine the reliability solution for egress gateways.
Description: In most cases, Huawei Redundancy Protocol (HRP) or Virtual Router Redundancy Protocol (VRRP) technology implements device backup or load balancing of two egress devices, which improves the reliability of egress devices.

Key Point: Determine the locations of user gateways on the network (that is, the boundary between Layer 2 and Layer 3).
Description: In most cases, Layer 2 switching services are deployed on downstream devices connected to user gateways, and Layer 3 routing services are deployed on upstream devices connected to user gateways.

Key Point: Determine the routing solution used by egress gateways and user gateways.
Description: When egress devices are connected to the Internet, static routing or Border Gateway Protocol (BGP) is used. Static routing can address service requirements in most campus networks. BGP needs to be deployed only when multiple links are available between an enterprise and an Internet service provider (ISP) to provide differentiated routing services. The routing solution for the campus internal network must support communication between devices, between terminals, and between devices and terminals on the campus network, as well as communication between these devices and the Internet and between terminals and the Internet. Static routing or Open Shortest Path First (OSPF) is typically used.


4.2 Deploying Firewalls as Egress Devices

Networking Requirements
Networking Requirements
Two firewalls at the campus egress set up a hot standby group that functions as
the egress gateway of the campus network to filter service traffic that enters and
leaves the campus network, ensuring network security. Two core switches set up a
cluster switch system (CSS), which functions as the core of the campus network
and functions as the user gateway to allocate IP addresses to users. The specific
service requirements are as follows:

● Service traffic can be automatically distributed to different ISP networks at the network egress, preventing the waste of link resources.
● Internal network users can access Internet resources but cannot play online games or watch online videos during working hours.
● External network users can access the HTTP server on the internal network.

In this example, two aggregation switches set up a stack named AGG and connect
to core switches, which set up a CSS named CORE. For details about the
networking below the core layer, see 3 Campus Network Connectivity
Deployment.

Figure 4-1 Campus network with firewalls as egress devices

[Figure: ISPA and ISPB at the top. Below them the egress firewalls FWA and FWB, each connected to ISPA on GE1/0/1 and to ISPB on GE1/0/5, with a heartbeat link between the two firewalls on GE1/0/2. FWA GE1/0/3 and GE1/0/4 form Eth-Trunk 10 and FWB GE1/0/3 and GE1/0/4 form Eth-Trunk 20 down to the core-layer CSS CORE (GE1/1/0/0, GE2/1/0/0 and GE1/1/0/1, GE2/1/0/1). The HTTP server is attached to CORE GE1/1/0/10. CORE GE1/2/0/0 and GE2/2/0/0 form Eth-Trunk 30 down to the aggregation-layer stack AGG (GE1/0/1, GE2/0/1).]


Device Requirements and Versions

Location            Device Used in This Example   Version Used in This Example
Egress              USG6300E                      V600R007C00
Core layer          S12700E                       V200R019C10
Aggregation layer   S6730-H                       V200R019C10

Deployment Roadmap

Step 1: Configure CSS, stacking, and multi-active detection (MAD) to improve device reliability. (Devices involved: core and aggregation switches)
Step 2: Configure Eth-Trunk interfaces to improve link reliability. (Devices involved: core switches, aggregation switches, and egress firewalls)
Step 3: Configure interfaces, IP addresses, and routing to enable network connectivity. (Devices involved: core switches, aggregation switches, and egress firewalls)
Step 4: Configure DHCP to allocate IP addresses to users. (Devices involved: core switches)
Step 5: Enable the intelligent uplink selection function to dynamically select outbound interfaces based on the egress link bandwidth, improving link resource efficiency and user experience. (Devices involved: egress firewalls)
Step 6: Configure HRP to improve device reliability. (Devices involved: egress firewalls)
Step 7: Configure security policies to allow services to pass through firewalls. (Devices involved: egress firewalls)
Step 8: Configure NAT policies to enable internal network users to access external networks. (Devices involved: egress firewalls)
Step 9: Configure NAT Server to enable external network users to access the HTTP server on the internal network. (Devices involved: egress firewalls)
Step 10: Enable the smart domain name service (DNS) function to ensure that users from different ISPs can obtain addresses on their own ISP networks. (Devices involved: egress firewalls)
Step 11: Configure attack defense and application behavior control to ensure network security and prevent internal network users from playing online games or watching online videos during working hours. (Devices involved: egress firewalls)

Data Plan

Device       Interface Number    Member Interface        VLANIF Interface   IP Address
FWA          GE1/0/1             -                       -                  202.1.1.1/24
             GE1/0/5             -                       -                  202.2.1.2/24
             GE1/0/2             -                       -                  172.16.111.1/24
             Eth-Trunk 10        GE1/0/3, GE1/0/4        -                  172.16.10.1/24
FWB          GE1/0/1             -                       -                  202.1.1.2/24
             GE1/0/5             -                       -                  202.2.1.1/24
             GE1/0/2             -                       -                  172.16.111.2/24
             Eth-Trunk 20        GE1/0/3, GE1/0/4        -                  172.16.10.2/24
CORE         GE1/1/0/10          -                       VLANIF 50          172.16.50.1/24
             Eth-Trunk 10        GE1/1/0/0, GE2/1/0/0    VLANIF 10          172.16.10.3/24
             Eth-Trunk 20        GE1/1/0/1, GE2/1/0/1    VLANIF 10          172.16.10.3/24
             Eth-Trunk 30        GE1/2/0/0, GE2/2/0/0    VLANIF 40          172.16.40.1/24
AGG          Eth-Trunk 30        GE1/0/1, GE2/0/1        -                  -
HTTP server  Ethernet interface  -                       -                  172.16.50.10/24


Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
# On FWA, create Eth-Trunk 10 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 10.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] mode lacp-static
[FWA-Eth-Trunk10] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] eth-trunk 10
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface gigabitethernet 1/0/4
[FWA-GigabitEthernet1/0/4] eth-trunk 10
[FWA-GigabitEthernet1/0/4] quit

# On FWB, create Eth-Trunk 20 to connect FWB to CORE, and add member interfaces to Eth-Trunk 20.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] mode lacp-static
[FWB-Eth-Trunk20] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] eth-trunk 20
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface gigabitethernet 1/0/4
[FWB-GigabitEthernet1/0/4] eth-trunk 20
[FWB-GigabitEthernet1/0/4] quit

# On CORE, create Eth-Trunk 10, Eth-Trunk 20, and Eth-Trunk 30 to connect CORE
to FWA, FWB, and AGG respectively, and add member interfaces to these Eth-
Trunks.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/0/0
[CORE-GigabitEthernet1/1/0/0] eth-trunk 10
[CORE-GigabitEthernet1/1/0/0] quit
[CORE] interface gigabitethernet 2/1/0/0
[CORE-GigabitEthernet2/1/0/0] eth-trunk 10
[CORE-GigabitEthernet2/1/0/0] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/1/0/1
[CORE-GigabitEthernet1/1/0/1] eth-trunk 20
[CORE-GigabitEthernet1/1/0/1] quit
[CORE] interface gigabitethernet 2/1/0/1
[CORE-GigabitEthernet2/1/0/1] eth-trunk 20
[CORE-GigabitEthernet2/1/0/1] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/2/0/0
[CORE-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-GigabitEthernet1/2/0/0] quit
[CORE] interface gigabitethernet 2/2/0/0
[CORE-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-GigabitEthernet2/2/0/0] quit

# On AGG, create Eth-Trunk 30 to connect AGG to CORE, and add member interfaces to Eth-Trunk 30.
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] mode lacp
[AGG-Eth-Trunk30] quit
[AGG] interface gigabitethernet 1/0/1
[AGG-GigabitEthernet1/0/1] eth-trunk 30
[AGG-GigabitEthernet1/0/1] quit
[AGG] interface gigabitethernet 2/0/1
[AGG-GigabitEthernet2/0/1] eth-trunk 30
[AGG-GigabitEthernet2/0/1] quit

Step 3 Configure interfaces, IP addresses, and routing.


1. Configure interfaces, and configure IP addresses for interfaces.
# Configure IP addresses for interfaces of FWA, and add the interfaces to
security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 202.1.1.1 24 //Configure an IP address for the interface connected to the ISPA network.
[FWA-GigabitEthernet1/0/1] gateway 202.1.1.254
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/5
[FWA-GigabitEthernet1/0/5] ip address 202.2.1.2 24 //Configure an IP address for the interface connected to the ISPB network.
[FWA-GigabitEthernet1/0/5] gateway 202.2.1.254
[FWA-GigabitEthernet1/0/5] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] ip address 172.16.111.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/2] quit
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] ip address 172.16.10.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk10] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 10 //Add Eth-Trunk 10 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1 //Add the interface connected to the ISPA network to the security zone isp1.
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/1
[FWA-zone-isp1] quit
[FWA] firewall zone name isp2 //Add the interface connected to the ISPB network to the security zone isp2.
[FWA-zone-isp2] set priority 15
[FWA-zone-isp2] add interface gigabitethernet 1/0/5
[FWA-zone-isp2] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/2 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
# Configure IP addresses for interfaces of FWB, and add the interfaces to
security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 202.1.1.2 24 //Configure an IP address for the interface connected to the ISPA network.
[FWB-GigabitEthernet1/0/1] gateway 202.1.1.254
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/5
[FWB-GigabitEthernet1/0/5] ip address 202.2.1.1 24 //Configure an IP address for the interface connected to the ISPB network.
[FWB-GigabitEthernet1/0/5] gateway 202.2.1.254
[FWB-GigabitEthernet1/0/5] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] ip address 172.16.111.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/2] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 172.16.10.2 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk20] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 20 //Add Eth-Trunk 20 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1 //Add the interface connected to the ISPA network to the security zone isp1.
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/1
[FWB-zone-isp1] quit
[FWB] firewall zone name isp2 //Add the interface connected to the ISPB network to the security zone isp2.
[FWB-zone-isp2] set priority 15
[FWB-zone-isp2] add interface gigabitethernet 1/0/5
[FWB-zone-isp2] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/2 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 10 40 50
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 10
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 10
[CORE-Eth-Trunk20] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type trunk
[CORE-Eth-Trunk30] port trunk allow-pass vlan 40
[CORE-Eth-Trunk30] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 172.16.10.3 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif10] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 24 //Configure an IP address for the service VLANIF interface connected to AGG.
[CORE-Vlanif40] quit
[CORE] interface gigabitethernet 1/1/0/10
[CORE-GigabitEthernet1/1/0/10] port link-type access
[CORE-GigabitEthernet1/1/0/10] port default vlan 50
[CORE-GigabitEthernet1/1/0/10] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 24
[CORE-Vlanif50] quit
# Configure interfaces on AGG.
[AGG] vlan batch 40
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] port link-type trunk
[AGG-Eth-Trunk30] port trunk allow-pass vlan 40
[AGG-Eth-Trunk30] quit
2. Configure routing.
# Configure OSPF on FWA to advertise the network segments where
downlink interfaces belong.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
# Configure OSPF on FWB to advertise the network segments where downlink
interfaces belong.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
# On CORE, configure OSPF to advertise the network segments where uplink
and downlink interfaces belong.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 172.16.40.0 0.0.0.255 //Advertise the network segment connected to users.
[CORE-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255 //Advertise the network segment connected to the HTTP server.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# On CORE, configure default routes with the next hops being the IP
addresses of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.2

Step 4 Configure DHCP on CORE.


[CORE] dhcp enable
[CORE] interface vlanif 40
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] quit

Step 5 Configure intelligent uplink selection on egress firewalls.


# Enable the IP-link function on FWA to detect whether ISP links are working
properly.
[FWA] ip-link check enable
[FWA] ip-link name ip_link_1
[FWA-iplink-ip_link_1] destination 202.1.1.254 interface gigabitethernet 1/0/1
[FWA-iplink-ip_link_1] quit
[FWA] ip-link name ip_link_2
[FWA-iplink-ip_link_2] destination 202.2.1.254 interface gigabitethernet 1/0/5
[FWA-iplink-ip_link_2] quit

# Enable the IP-link function on FWB to detect whether ISP links are working properly.
[FWB] ip-link check enable
[FWB] ip-link name ip_link_1
[FWB-iplink-ip_link_1] destination 202.1.1.254 interface gigabitethernet 1/0/1
[FWB-iplink-ip_link_1] quit
[FWB] ip-link name ip_link_2
[FWB-iplink-ip_link_2] destination 202.2.1.254 interface gigabitethernet 1/0/5
[FWB-iplink-ip_link_2] quit

# Configure two default routes on FWA, with the next hops pointing to the access
points of the two ISP networks respectively.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2

# Configure two default routes on FWB, with the next hops pointing to the access
points of the two ISP networks respectively.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2

# Configure intelligent uplink selection on FWA to implement load balancing based on link bandwidth.
[FWA] multi-interface
[FWA-multi-inter] mode proportion-of-bandwidth
[FWA-multi-inter] add interface GigabitEthernet1/0/1
[FWA-multi-inter] add interface GigabitEthernet1/0/5
[FWA-multi-inter] quit
[FWA] interface GigabitEthernet 1/0/1
[FWA-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface GigabitEthernet 1/0/5
[FWA-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] quit

# Configure intelligent uplink selection on FWB to implement load balancing based on link bandwidth.
[FWB] multi-interface
[FWB-multi-inter] mode proportion-of-bandwidth
[FWB-multi-inter] add interface GigabitEthernet1/0/1
[FWB-multi-inter] add interface GigabitEthernet1/0/5
[FWB-multi-inter] quit
[FWB] interface GigabitEthernet 1/0/1
[FWB-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface GigabitEthernet 1/0/5
[FWB-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] quit

Step 6 Configure HRP on egress firewalls.

# Configure a VRRP Group Management Protocol (VGMP) group on FWA to monitor downlink service interfaces.
[FWA] hrp track interface eth-trunk 10

# Configure a VGMP group on FWB to monitor downlink service interfaces.
[FWB] hrp track interface eth-trunk 20

# On FWA, configure quick session backup, specify the heartbeat interface, and enable HRP.
[FWA] hrp mirror session enable
[FWA] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
[FWA] hrp enable

# On FWB, configure quick session backup, specify the heartbeat interface, and
enable HRP.
[FWB] hrp mirror session enable
[FWB] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
[FWB] hrp enable

Step 7 Configure security policies.


# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be automatically
synchronized to FWB.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access external networks.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 172.16.40.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp2
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 172.16.50.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit

Step 8 Configure NAT policies.


# On FWA, create NAT address pools addressgroup1 (202.10.1.1 to 202.10.1.5)
and addressgroup2 (202.20.1.1 to 202.20.1.5). The NAT address pools configured
on FWA will be automatically synchronized to FWB.
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 202.10.1.1 202.10.1.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
HRP_M[FWA] nat address-group addressgroup2
HRP_M[FWA-nat-address-group-addressgroup2] section 1 202.20.1.1 202.20.1.5
HRP_M[FWA-nat-address-group-addressgroup2] mode pat
HRP_M[FWA-nat-address-group-addressgroup2] route enable
HRP_M[FWA-nat-address-group-addressgroup2] quit

# Configure source NAT policies to allow internal network users to access external
networks through post-NAT public IP addresses.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 172.16.40.1 172.16.40.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1 //The ISP interfaces were added to zones isp1 and isp2 in Step 3, so the NAT rules must reference these zones, as in the configuration file.
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] rule name policy_nat_2
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-address range 172.16.40.128 172.16.40.254
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup2
HRP_M[FWA-policy-nat-rule-policy_nat_2] quit
HRP_M[FWA-policy-nat] quit
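As an added check (not part of the Huawei document or its tooling), the following Python script parses the nat-policy rules as they are stored in the FWA configuration file and verifies that every referenced address group exists, that the two source-address ranges do not overlap, and that together they cover every user address of 172.16.40.0/24 except the CORE gateway. The sample input is constructed from this example's configuration file, in which policy_nat_2 starts at .127 rather than the .128 used in the procedure, so the overlap is caught.

```python
"""Consistency check for the source NAT rules of Step 8 (added example, not Huawei tooling).

Parses the nat-policy section as it appears in the FWA configuration file and reports:
  - a rule whose address group is not defined,
  - two rules whose source-address ranges overlap (which rule translates the shared
    addresses then depends on rule order),
  - user addresses that no rule translates (their packets would leave with a private
    source address and get no reply).
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample taken from the FWA configuration file; note the .127 shared by
# both rules, which the step-by-step procedure gives as .128 for policy_nat_2.
NAT_CONFIG = """\
nat address-group addressgroup1
 mode pat
 section 0 202.10.1.1 202.10.1.5
nat address-group addressgroup2
 mode pat
 section 1 202.20.1.1 202.20.1.5
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.127 172.16.40.254
  action source-nat address-group addressgroup2
"""

Rule = Dict[str, object]


def parse_nat_policy(text: str) -> Tuple[List[Rule], Set[str]]:
    """Return the nat-policy rules and the set of defined address-group names."""
    groups: Set[str] = set()
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nat address-group (\S+)$", line):
            groups.add(m.group(1))
        elif m := re.match(r"rule name (\S+)$", line):
            rules.append({"name": m.group(1), "ranges": [], "group": None})
        elif m := re.match(r"source-address range (\S+) (\S+)$", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            rules[-1]["ranges"].append((lo, hi))
        elif m := re.match(r"action source-nat address-group (\S+)$", line):
            rules[-1]["group"] = m.group(1)
    return rules, groups


def check_nat_rules(text: str, user_subnet: str = "172.16.40.0/24",
                    gateway: str = "172.16.40.1") -> List[str]:
    """Return human-readable problems; an empty list means the rules are consistent."""
    rules, groups = parse_nat_policy(text)
    problems: List[str] = []
    spans: List[Tuple[int, int, str]] = []
    for rule in rules:
        if rule["group"] not in groups:
            problems.append(f"{rule['name']}: address group {rule['group']} is not defined")
        spans.extend((lo, hi, rule["name"]) for lo, hi in rule["ranges"])
    spans.sort()
    # Adjacent sorted spans overlap exactly when the next starts at or before the previous end.
    for (_, hi1, name1), (lo2, _, name2) in zip(spans, spans[1:]):
        if lo2 <= hi1:
            problems.append(f"{name1} and {name2} overlap at {ipaddress.ip_address(lo2)}")
    net = ipaddress.ip_network(user_subnet)
    # Every host address except the VLANIF gateway must be covered by some rule.
    wanted = {int(h) for h in net.hosts()} - {int(ipaddress.ip_address(gateway))}
    covered: Set[int] = set()
    for lo, hi, _ in spans:
        covered.update(range(lo, hi + 1))
    missing = sorted(wanted - covered)
    if missing:
        problems.append(f"{len(missing)} user addresses have no source NAT rule, "
                        f"starting at {ipaddress.ip_address(missing[0])}")
    return problems


if __name__ == "__main__":
    for problem in check_nat_rules(NAT_CONFIG) or ["no problems found"]:
        print(problem)
```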

# Contact ISP network administrators to configure routes with the destination addresses in addressgroup1 and addressgroup2 and with the next hops being the interface addresses of the firewalls.
Step 9 Configure NAT Server.
# Assume that the HTTP server on the internal network applies to ISPA and ISPB
for public IP addresses (202.10.1.10 and 202.20.1.10) so that the external network
users of ISPA and ISPB access the HTTP server through their respective public IP
addresses.
# Configure static server mapping.
HRP_M[FWA] nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
HRP_M[FWA] nat server web_for_isp2 zone isp2 protocol tcp global 202.20.1.10 8080 inside 172.16.50.10 80 no-reverse

# Contact ISP network administrators to configure routes with the destination addresses being the public IP addresses of the HTTP server and with the next hops being the interface addresses of the firewalls.
# Configure blackhole routes on FWA.
HRP_M[FWA] ip route-static 202.10.1.100 32 NULL 0
HRP_M[FWA] ip route-static 202.20.1.100 32 NULL 0

# Configure blackhole routes on FWB.
HRP_S[FWB] ip route-static 202.10.1.100 32 NULL 0
HRP_S[FWB] ip route-static 202.20.1.100 32 NULL 0

# On FWA, configure the same interface to receive and send packets.
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] redirect-reverse next-hop 202.1.1.254
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] redirect-reverse next-hop 202.2.1.254
HRP_M[FWA-GigabitEthernet1/0/5] quit

# On FWB, configure the same interface to receive and send packets.
HRP_S[FWB] interface GigabitEthernet 1/0/1
HRP_S[FWB-GigabitEthernet1/0/1] redirect-reverse next-hop 202.1.1.254
HRP_S[FWB-GigabitEthernet1/0/1] quit
HRP_S[FWB] interface GigabitEthernet 1/0/5
HRP_S[FWB-GigabitEthernet1/0/5] redirect-reverse next-hop 202.2.1.254
HRP_S[FWB-GigabitEthernet1/0/5] quit

Step 10 Configure smart DNS.

This function requires a license and dynamic installation of the corresponding component
package.

HRP_M[FWA] dns-smart enable
HRP_M[FWA] dns-smart group 1 type multi
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 202.10.1.10
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 202.20.1.10
HRP_M[FWA-dns-smart-group-1] quit

Step 11 Configure attack defense and application behavior control.

# Configure attack defense.
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/5] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic

# Configure application behavior control.

This function requires a license and dynamic installation of the corresponding component
package.

Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit

Create an application behavior control file to permit only HTTP web browsing,
HTTP proxy surfing, and HTTP file download during break time.
HRP_M[FWA] profile type app-control name profile_app_rest
HRP_M[FWA-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_rest] quit

Create a time range named working_hours, which indicates working hours.

HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FWA-time-range-working_hours] quit

Create a time range named off_hours, which indicates non-working hours.
HRP_M[FWA] time-range off_hours
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FWA-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FWA-time-range-off_hours] quit

Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to control
the application behavior of users during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit

Configure the security policy policy_sec_rest and reference the time range
off_hours and application behavior control file profile_app_rest to control the
application behavior of users during non-working hours.
HRP_M[FWA-policy-security] rule name policy_sec_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_rest] user any
HRP_M[FWA-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_M[FWA-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] action permit
HRP_M[FWA-policy-security-rule-policy_sec_rest] quit
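Added example, not part of the Huawei document: a Python check that the working_hours and off_hours definitions above partition every second of the week, so that at any moment exactly one of policy_sec_work and policy_sec_rest can match (a gap leaves that traffic to the remaining rules, an overlap makes the outcome depend on rule order). It assumes Huawei's time-range semantics: inclusive bounds at second granularity, working-day meaning Monday to Friday and off-day meaning Saturday and Sunday.

```python
"""Check that working_hours and off_hours (Step 11) partition the week.

Added example, not part of the Huawei document. Assumed time-range semantics:
period-range bounds are inclusive at second granularity, working-day means
Monday to Friday, off-day means Saturday and Sunday, daily means every day.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
DAY_KEYWORDS = {"working-day": range(0, 5), "off-day": range(5, 7), "daily": range(0, 7)}
SECONDS_PER_DAY = 24 * 3600

# Constructed sample: the time-range commands of Step 11 as stored in the configuration.
TIME_RANGE_CONFIG = """\
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
"""

Span = Tuple[int, int, int]  # (weekday, start_second, end_second), both bounds inclusive


def _to_seconds(hms: str) -> int:
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def _fmt(seconds: int) -> str:
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def parse_time_ranges(text: str) -> Dict[str, List[Span]]:
    """Expand each period-range into one inclusive span per weekday it applies to."""
    ranges: Dict[str, List[Span]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"time-range (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"period-range (\S+) to (\S+) (\S+)$", line):
            start, end = _to_seconds(m.group(1)), _to_seconds(m.group(2))
            for day in DAY_KEYWORDS[m.group(3)]:
                ranges[current].append((day, start, end))
    return dict(ranges)


def check_partition(text: str, names: Tuple[str, ...]) -> List[str]:
    """Report every stretch of the week covered by none, or by more than one, of `names`."""
    ranges = parse_time_ranges(text)
    problems: List[str] = []
    for day in range(7):
        # Half-open [start, end+1) spans for this weekday, swept in start order.
        spans = sorted((s, e + 1, n) for n in names for (d, s, e) in ranges.get(n, []) if d == day)
        cursor = 0  # first second of the day not yet covered
        for start, end, name in spans:
            if start > cursor:
                problems.append(f"{DAY_NAMES[day]} {_fmt(cursor)}-{_fmt(start - 1)}: no time range")
            elif start < cursor:
                problems.append(f"{DAY_NAMES[day]} {_fmt(start)}-{_fmt(min(end, cursor) - 1)}: "
                                f"overlap involving {name}")
            cursor = max(cursor, end)
        if cursor < SECONDS_PER_DAY:
            problems.append(f"{DAY_NAMES[day]} {_fmt(cursor)}-23:59:59: no time range")
    return problems


if __name__ == "__main__":
    for problem in check_partition(TIME_RANGE_CONFIG, ("working_hours", "off_hours")) or ["week fully partitioned"]:
        print(problem)
```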

----End

Verifying the Deployment


# Perform ping tests to verify that internal network users can access Internet resources and that external network users can access the HTTP server on the internal network. Also verify that internal network users cannot play online games or watch online videos during working hours.
# Verify that services are automatically switched to the link of ISPB when the link of ISPA is congested.

Configuration Files
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
hrp track interface Eth-Trunk 10
hrp mirror session enable
#
interface Eth-Trunk 10
ip address 172.16.10.1 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 202.1.1.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.1.1.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 202.1.1.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.111.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 10
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 10
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 202.2.1.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.2.1.254
bandwidth egress 200000 threshold 90
bandwidth ingress 200000 threshold 90
redirect-reverse next-hop 202.2.1.254
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet1/0/5
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
destination 202.1.1.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
destination 202.2.1.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 202.10.1.100 255.255.255.255 NULL 0
ip route-static 202.20.1.100 255.255.255.255 NULL 0
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.127 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 202.20.1.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 map 202.20.1.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return

● FWB configuration file


#
sysname FWB
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
hrp track interface Eth-Trunk 20
hrp mirror session enable
#
interface Eth-Trunk 20
ip address 172.16.10.2 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
ip address 202.1.1.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.1.1.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 202.1.1.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.111.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 20
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 20
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 202.2.1.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.2.1.254
bandwidth egress 200000 threshold 90
bandwidth ingress 200000 threshold 90
redirect-reverse next-hop 202.2.1.254
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet1/0/5
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
destination 202.1.1.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
destination 202.2.1.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 202.10.1.100 255.255.255.255 NULL 0
ip route-static 202.20.1.100 255.255.255.255 NULL 0
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.127 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 202.20.1.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 map 202.20.1.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return

● CORE configuration file


#
sysname CORE
#
router id 3.3.3.3
#
vlan batch 10 40 50
#
dhcp enable
#
interface Vlanif10
ip address 172.16.10.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Eth-Trunk10
port link-type access
port default vlan 10
mode lacp
#
interface Eth-Trunk20
port link-type access
port default vlan 10
mode lacp
#
interface Eth-trunk30
port link-type trunk
port trunk allow-pass vlan 40
mode lacp
#
interface gigabitethernet1/1/0/0
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface gigabitethernet2/1/0/0
eth-trunk 10
#
interface gigabitethernet1/1/0/1
eth-trunk 20
#
interface gigabitethernet2/1/0/1
eth-trunk 20
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface gigabitethernet1/2/0/0
eth-trunk 30
#
interface gigabitethernet2/2/0/0
eth-trunk 30
#
interface gigabitethernet1/1/0/10
port link-type access
port default vlan 50
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.16.10.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 172.16.50.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
#
return

● AGG configuration file


#
sysname AGG
#
vlan batch 40
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 40
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet2/0/1
eth-trunk 30
#
return

4.3 Deploying Firewalls in Off-Path Mode


Networking Requirements
At the egress of a large campus network, core switches connect to routers to
access the Internet through uplink interfaces. Firewalls connect to the core
switches in off-path mode to filter service traffic. Networking requirements are as
follows:
● Core switches typically set up a CSS to simplify the network and improve
reliability.
● HRP is deployed on firewalls, which are then working in active/standby mode.
If one firewall fails, services are switched to the other firewall.
● Each of the core switches is dual homed to two egress routers, and VRRP is
deployed on the two routers to ensure reliability.
● To improve link reliability, Eth-Trunk interfaces are used to connect core
switches and egress routers, connect core switches and firewalls, and connect
two firewalls.
In this example, two aggregation switches (AGG1 and AGG2) connect to core
switches, which set up a CSS named CORE. For details about the networking
below the core layer, see 3 Campus Network Connectivity Deployment.

Figure 4-2 Deploying firewalls in off-path mode (figure not reproduced: egress routers RouterA and RouterB, firewalls FWA and FWB in a hot standby group attached to the core-layer CSS CORE, and aggregation switches AGG1 and AGG2)

In Layer 3 forwarding, the core switches forward internal and external campus traffic
directly, without it passing through FWA and FWB. To make traffic pass between the
core switches and the firewalls for filtering, the VPN routing and forwarding (VRF)
function must be configured on the core switches to divide them into a virtual switch,
VRF-A, and a root switch, Public, which are isolated from each other.
In Figure 4-3, Public connects to the egress routers: it forwards traffic from the
Internet to the firewalls for filtering, and traffic from the firewalls to the egress
routers. VRF-A connects to the internal network: it forwards traffic from the firewalls
to the internal network, and traffic from the internal network to the firewalls for
filtering.

Figure 4-3 Physical interface connections of the campus egress where firewalls are deployed in off-path mode (figure not reproduced: RouterA and RouterB connect to the CORE CSS through Eth-Trunk 1 and Eth-Trunk 2; the Internet-side Public and the internal network-side VRF-A of CORE connect to FWA and FWB through Eth-Trunk 4 to Eth-Trunk 7; FWA and FWB are joined by Eth-Trunk 1; AGG1 and AGG2 connect to CORE through Eth-Trunk 8 and Eth-Trunk 9; the path from the Internet to the internal network and the path from the internal network to the Internet both pass through the firewalls; interface names are listed in the Data Plan)

Device Requirements and Versions

Location           Device Used in This Example   Version Used in This Example
Egress             AR6300                        V300R019C10
Egress             USG6300E                      V600R007C00
Core layer         S12700E                       V200R019C10
Aggregation layer  S6730-H                       V200R019C10

Deployment Roadmap

Step  Deployment Roadmap                                                   Devices Involved
1     Configure CSS and MAD to improve device reliability.                 Core switches
2     Configure Eth-Trunk interfaces to improve link reliability and       Core switches, aggregation
      configure IP addresses for interfaces.                               switches, egress routers,
                                                                           and firewalls
3     Configure DHCP to allocate IP addresses to users.                    Core switches
4     Configure VRRP to ensure reliability between core switches and       Egress routers
      egress routers.
5     Configure routing to enable network connectivity.                    Core switches, egress
      ● Configure the VRF function on core switches to divide the          routers, and firewalls
        switches into a virtual switch VRF-A and a root switch Public,
        which separate service network routes and public network routes.
      ● To steer the uplink traffic on each device, configure a default
        route on core switches, of which the next hop is the VRRP
        virtual IP address of two egress routers.
      ● To steer the return traffic of two egress routers, configure
        OSPF between the egress routers and core switches, and advertise
        all user network segments on the core switches into OSPF on the
        egress routers.
      ● To steer the uplink traffic of service networks to firewalls,
        configure a default route on core switches, of which the next
        hop is the virtual IP address of the VRRP group with VRID 2 of
        firewalls.
      ● To steer the downlink traffic of service networks 1 and 2 to
        firewalls, configure a default route on core switches, of which
        the next hop is the virtual IP address of the VRRP group with
        VRID 1 of firewalls.
      ● To steer the uplink traffic of service networks to core
        switches, configure a default route on firewalls, of which the
        next hop is the IP address of VLANIF 20 on core switches.
      ● To steer the downlink traffic of service networks 1 and 2 to
        core switches, configure a default route on firewalls, of which
        the next hop is the IP address of VLANIF 30 on core switches.
6     Configure HRP to improve device reliability.                         Firewalls
7     Configure security policies to allow services to pass through        Firewalls
      firewalls.

Data Plan

Device                                     Interface Number  Member Interfaces        VLANIF Interface  IP Address
RouterA                                    Eth-Trunk 1.100   XGE1/0/1, XGE1/0/2       -                 10.10.4.2/24
RouterB                                    Eth-Trunk 1.100   XGE1/0/1, XGE1/0/2       -                 10.10.4.3/24
VRRP of RouterA and RouterB                -                 -                        -                 10.10.4.100/24
CORE                                       Eth-Trunk 1       XGE1/4/0/0, XGE2/4/0/0   VLANIF 10         10.10.4.1/24
CORE                                       Eth-Trunk 2       XGE1/4/0/1, XGE2/4/0/1   VLANIF 10         10.10.4.1/24
CORE                                       Eth-Trunk 4       GE1/1/0/7, GE2/1/0/7     VLANIF 20         10.10.2.1/24
CORE                                       Eth-Trunk 5       GE1/1/0/8, GE2/1/0/8     VLANIF 30         10.10.3.1/24
CORE                                       Eth-Trunk 6       GE1/2/0/7, GE2/2/0/7     VLANIF 20         10.10.2.1/24
CORE                                       Eth-Trunk 7       GE1/2/0/8, GE2/2/0/8     VLANIF 30         10.10.3.1/24
CORE                                       Eth-Trunk 8       GE1/3/0/1, GE2/3/0/1     VLANIF 100        10.10.100.1/24
CORE                                       Eth-Trunk 9       GE1/3/0/2, GE2/3/0/2     VLANIF 200        10.10.200.1/24
AGG1                                       Eth-Trunk 1       GE0/0/1, GE0/0/2         -                 -
AGG2                                       Eth-Trunk 1       GE0/0/1, GE0/0/2         -                 -
FWA                                        Eth-Trunk 1       GE2/0/0, GE2/0/1         -                 10.1.1.1/24
FWA                                        Eth-Trunk 4       GE1/0/0, GE1/0/1         -                 10.10.2.2/24
FWA                                        Eth-Trunk 5       GE1/1/0, GE1/1/1         -                 10.10.3.2/24
FWB                                        Eth-Trunk 1       GE2/0/0, GE2/0/1         -                 10.1.1.2/24
FWB                                        Eth-Trunk 6       GE1/0/0, GE1/0/1         -                 10.10.2.3/24
FWB                                        Eth-Trunk 7       GE1/1/0, GE1/1/1         -                 10.10.3.3/24
VRRP1 of FWA and FWB (in uplink direction)   -               -                        -                 10.10.2.5/24
VRRP2 of FWA and FWB (in downlink direction) -               -                        -                 10.10.3.5/24
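To check that the routing plan in Step 5 of the roadmap really forces both directions of service traffic through a firewall, here is an added Python model (not Huawei code and not part of this document) that loads the per-context routes from the roadmap and the addresses from the Data Plan, then traces a packet by longest-prefix match from one routing context into the context that owns the next hop. It assumes FWA and RouterA are the VRRP masters (so they answer for the virtual IPs), models the firewall's downlink routes as static routes to the two service networks via VLANIF 30, and uses constructed TEST-NET addresses 203.0.113.1 for the ISP gateway and 198.51.100.7 for an Internet host.

```python
"""Trace the off-path firewall forwarding plan (Public / VRF-A / FWA / RouterA).

Constructed model, not Huawei code. Each routing context holds the routes
from Step 5 of the Deployment Roadmap; a next hop that is not directly
connected moves the packet into the context that owns that address (VRRP
virtual IPs are owned by the master, assumed here to be FWA and RouterA).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop); next hop None means the prefix is directly connected.
Route = Tuple[str, Optional[str]]

TABLES: Dict[str, List[Route]] = {
    "RouterA": [
        ("10.10.4.0/24", None),            # Eth-Trunk 1.100
        ("10.10.100.0/24", "10.10.4.1"),   # learned from Public via OSPF
        ("10.10.200.0/24", "10.10.4.1"),
        ("0.0.0.0/0", "203.0.113.1"),      # constructed ISP gateway (assumption)
    ],
    "Public": [
        ("10.10.4.0/24", None),            # VLANIF 10
        ("10.10.2.0/24", None),            # VLANIF 20
        ("0.0.0.0/0", "10.10.4.100"),      # uplink: router VRRP VIP
        ("10.10.100.0/24", "10.10.2.5"),   # downlink: firewall VRRP1 VIP
        ("10.10.200.0/24", "10.10.2.5"),
    ],
    "VRF-A": [
        ("10.10.3.0/24", None),            # VLANIF 30
        ("10.10.100.0/24", None),          # VLANIF 100, service network 1
        ("10.10.200.0/24", None),          # VLANIF 200, service network 2
        ("0.0.0.0/0", "10.10.3.5"),        # uplink: firewall VRRP2 VIP
    ],
    "FWA": [
        ("10.10.2.0/24", None),            # Eth-Trunk 4
        ("10.10.3.0/24", None),            # Eth-Trunk 5
        ("0.0.0.0/0", "10.10.2.1"),        # uplink: VLANIF 20 in Public
        ("10.10.100.0/24", "10.10.3.1"),   # downlink: VLANIF 30 in VRF-A (assumed static routes)
        ("10.10.200.0/24", "10.10.3.1"),
    ],
    "Internet": [("0.0.0.0/0", None)],     # constructed stand-in for the ISP side
}

# Context that answers for each next-hop address (Data Plan addresses and VIPs).
OWNERS: Dict[str, str] = {
    "10.10.4.2": "RouterA", "10.10.4.100": "RouterA",
    "10.10.4.1": "Public", "10.10.2.1": "Public",
    "10.10.3.1": "VRF-A", "10.10.100.1": "VRF-A", "10.10.200.1": "VRF-A",
    "10.10.2.2": "FWA", "10.10.2.5": "FWA", "10.10.3.2": "FWA", "10.10.3.5": "FWA",
    "203.0.113.1": "Internet",
}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as a routing table does."""
    best: Optional[Tuple[ipaddress.IPv4Network, Route]] = None
    for route in table:
        net = ipaddress.ip_network(route[0])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def trace(start: str, dst_ip: str, tables: Dict[str, List[Route]] = TABLES,
          owners: Dict[str, str] = OWNERS, max_hops: int = 8) -> List[str]:
    """Return the sequence of routing contexts a packet crosses until delivery."""
    dst = ipaddress.ip_address(dst_ip)
    ctx, path = start, [start]
    for _ in range(max_hops):
        hit = lookup(tables[ctx], dst)
        if hit is None:
            return path + ["DROP"]          # no route, not even a default
        if hit[1] is None:
            return path                     # delivered on a connected segment
        ctx = owners[hit[1]]
        path.append(ctx)
    return path + ["LOOP"]                  # exceeded max_hops: routing loop


def inspected(path: List[str], firewall: str = "FWA") -> bool:
    """True if the packet was delivered and the firewall saw it on the way."""
    return path[-1] not in ("DROP", "LOOP") and firewall in path


def collapsed_tables() -> Dict[str, List[Route]]:
    """CORE before Step 5: service VLANIFs still sit in Public, not in VRF-A.

    This is the failure mode the VRF split prevents: with the router-facing
    and user-facing VLANIFs in one routing table, the core forwards user
    traffic straight to the router VRRP VIP and the firewall is bypassed.
    """
    t = {name: list(routes) for name, routes in TABLES.items()}
    t["Public"] = [r for r in t["Public"] if r[0] not in ("10.10.100.0/24", "10.10.200.0/24")]
    t["Public"] += [("10.10.100.0/24", None), ("10.10.200.0/24", None)]
    return t


if __name__ == "__main__":
    for start, dst in (("VRF-A", "198.51.100.7"), ("RouterA", "10.10.100.10")):
        path = trace(start, dst)
        print(f"{start} -> {dst}: {' > '.join(path)} inspected={inspected(path)}")
    bypass = trace("Public", "198.51.100.7", collapsed_tables())
    print(f"without VRF split: {' > '.join(bypass)} inspected={inspected(bypass)}")
```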

Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches. For details, see 3.4
Typical CSS and Stack Deployment.
Step 2 Configure Eth-Trunk interfaces and configure IP addresses for interfaces.
1. Configure RouterA. The configuration of RouterB is similar to that of RouterA.
# Create Eth-Trunk 1 and add member interfaces to Eth-Trunk 1.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Eth-Trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface XGigabitethernet 1/0/1
[RouterA-XGigabitEthernet1/0/1] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/1] quit
[RouterA] interface XGigabitethernet 1/0/2
[RouterA-XGigabitEthernet1/0/2] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/2] quit
# Configure a sub-interface for dot1q VLAN tag termination, configure an IP
address for the sub-interface, and configure the sub-interface to terminate
VLAN 10.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.4.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 10
[RouterA-Eth-Trunk1.100] quit
2. Configure CORE.
# Create Eth-Trunk 1 to connect CORE to RouterA, and add member
interfaces to Eth-Trunk 1.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface Eth-Trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface XGigabitethernet 1/4/0/0
[CORE-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet1/4/0/0] quit
[CORE] interface XGigabitethernet 2/4/0/0
[CORE-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet2/4/0/0] quit
# Create Eth-Trunk 2 to connect CORE to RouterB, and add member interfaces
to Eth-Trunk 2.
[CORE] interface Eth-Trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface XGigabitethernet 1/4/0/1
[CORE-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet1/4/0/1] quit
[CORE] interface XGigabitethernet 2/4/0/1
[CORE-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet2/4/0/1] quit
# Create Eth-Trunk 4 to connect Public to FWA, and add member interfaces to
Eth-Trunk 4.
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface Gigabitethernet 1/1/0/7
[CORE-Gigabitethernet1/1/0/7] Eth-Trunk 4
[CORE-Gigabitethernet1/1/0/7] quit
[CORE] interface Gigabitethernet 2/1/0/7
[CORE-Gigabitethernet2/1/0/7] Eth-Trunk 4
[CORE-Gigabitethernet2/1/0/7] quit
# Create Eth-Trunk 5 to connect VRF-A to FWA, and add member interfaces to
Eth-Trunk 5.
[CORE] interface Eth-Trunk 5
[CORE-Eth-Trunk5] mode lacp
[CORE-Eth-Trunk5] quit
[CORE] interface Gigabitethernet 1/1/0/8
[CORE-Gigabitethernet1/1/0/8] Eth-Trunk 5
[CORE-Gigabitethernet1/1/0/8] quit
[CORE] interface Gigabitethernet 2/1/0/8
[CORE-Gigabitethernet2/1/0/8] Eth-Trunk 5
[CORE-Gigabitethernet2/1/0/8] quit
# Create Eth-Trunk 6 to connect Public to FWB, and add member interfaces to
Eth-Trunk 6.
[CORE] interface Eth-Trunk 6
[CORE-Eth-Trunk6] mode lacp
[CORE-Eth-Trunk6] quit
[CORE] interface Gigabitethernet 1/2/0/7
[CORE-Gigabitethernet1/2/0/7] Eth-Trunk 6
[CORE-Gigabitethernet1/2/0/7] quit
[CORE] interface Gigabitethernet 2/2/0/7
[CORE-Gigabitethernet2/2/0/7] Eth-Trunk 6
[CORE-Gigabitethernet2/2/0/7] quit
# Create Eth-Trunk 7 to connect VRF-A to FWB, and add member interfaces to
Eth-Trunk 7.
[CORE] interface Eth-Trunk 7
[CORE-Eth-Trunk7] mode lacp
[CORE-Eth-Trunk7] quit
[CORE] interface Gigabitethernet 1/2/0/8
[CORE-Gigabitethernet1/2/0/8] Eth-Trunk 7
[CORE-Gigabitethernet1/2/0/8] quit
[CORE] interface Gigabitethernet 2/2/0/8
[CORE-Gigabitethernet2/2/0/8] Eth-Trunk 7
[CORE-Gigabitethernet2/2/0/8] quit
# Create Eth-Trunk 8 to connect CORE to AGG1, and add member interfaces
to Eth-Trunk 8.
[CORE] interface Eth-Trunk 8
[CORE-Eth-Trunk8] mode lacp
[CORE-Eth-Trunk8] quit
[CORE] interface Gigabitethernet 1/3/0/1
[CORE-Gigabitethernet1/3/0/1] Eth-Trunk 8
[CORE-Gigabitethernet1/3/0/1] quit
[CORE] interface Gigabitethernet 2/3/0/1
[CORE-Gigabitethernet2/3/0/1] Eth-Trunk 8
[CORE-Gigabitethernet2/3/0/1] quit
# Create Eth-Trunk 9 to connect CORE to AGG2, and add member interfaces
to Eth-Trunk 9.
[CORE] interface Eth-Trunk 9
[CORE-Eth-Trunk9] mode lacp
[CORE-Eth-Trunk9] quit
[CORE] interface Gigabitethernet 1/3/0/2
[CORE-Gigabitethernet1/3/0/2] Eth-Trunk 9
[CORE-Gigabitethernet1/3/0/2] quit
[CORE] interface Gigabitethernet 2/3/0/2
[CORE-Gigabitethernet2/3/0/2] Eth-Trunk 9
[CORE-Gigabitethernet2/3/0/2] quit
# Create VLANIF interfaces and configure IP addresses for them.
[CORE] vlan batch 10 20 30 100 200
[CORE] interface Eth-Trunk 1 //Add Eth-Trunk 1 to VLAN 10.
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10
[CORE-Eth-Trunk1] quit
[CORE] interface Eth-Trunk 2 //Add Eth-Trunk 2 to VLAN 10.
[CORE-Eth-Trunk2] port link-type trunk
[CORE-Eth-Trunk2] port trunk allow-pass vlan 10
[CORE-Eth-Trunk2] quit
[CORE] interface Vlanif 10 //Create VLANIF 10 to enable CORE to communicate with RouterA and
RouterB.
[CORE-Vlanif10] ip address 10.10.4.1 24
[CORE-Vlanif10] quit
[CORE] interface Eth-Trunk 4 //Add Eth-Trunk 4 to VLAN 20.
[CORE-Eth-Trunk4] port link-type access
[CORE-Eth-Trunk4] port default vlan 20
[CORE-Eth-Trunk4] quit
[CORE] interface Eth-Trunk 6 //Add Eth-Trunk 6 to VLAN 20.
[CORE-Eth-Trunk6] port link-type access
[CORE-Eth-Trunk6] port default vlan 20
[CORE-Eth-Trunk6] quit
[CORE] interface Vlanif 20 //Create VLANIF 20 to connect Public to FWA and FWB.
[CORE-Vlanif20] ip address 10.10.2.1 24
[CORE-Vlanif20] quit
[CORE] interface Eth-Trunk 5 //Add Eth-Trunk 5 to VLAN 30.
[CORE-Eth-Trunk5] port link-type access
[CORE-Eth-Trunk5] port default vlan 30
[CORE-Eth-Trunk5] quit
[CORE] interface Eth-Trunk 7 //Add Eth-Trunk 7 to VLAN 30.
[CORE-Eth-Trunk7] port link-type access
[CORE-Eth-Trunk7] port default vlan 30
[CORE-Eth-Trunk7] quit
[CORE] interface Vlanif 30 //Create VLANIF 30 to connect VRF-A to FWA and FWB.
[CORE-Vlanif30] ip address 10.10.3.1 24
[CORE-Vlanif30] quit
[CORE] interface Eth-Trunk 8 //Add Eth-Trunk 8 to VLAN 100.
[CORE-Eth-Trunk8] port link-type trunk
[CORE-Eth-Trunk8] port trunk allow-pass vlan 100
[CORE-Eth-Trunk8] quit
[CORE] interface Vlanif 100 //Create VLANIF 100 to connect CORE to AGG1.
[CORE-Vlanif100] ip address 10.10.100.1 24
[CORE-Vlanif100] quit
[CORE] interface Eth-Trunk 9 //Add Eth-Trunk 9 to VLAN 200.
[CORE-Eth-Trunk9] port link-type trunk
[CORE-Eth-Trunk9] port trunk allow-pass vlan 200
[CORE-Eth-Trunk9] quit
[CORE] interface Vlanif 200 //Create VLANIF 200 to connect CORE to AGG2.
[CORE-Vlanif200] ip address 10.10.200.1 24
[CORE-Vlanif200] quit
3. Configure the AGGs.
# On AGG1, create Eth-Trunk 1 to connect AGG1 to CORE, and add member
interfaces to Eth-Trunk 1. The configuration of AGG2 is similar to the
configuration of AGG1, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname AGG1
[AGG1] vlan batch 100
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 100
[AGG1-Eth-Trunk1] mode lacp
[AGG1-Eth-Trunk1] quit
[AGG1] interface gigabitethernet 0/0/1
[AGG1-GigabitEthernet0/0/1] eth-trunk 1
[AGG1-GigabitEthernet0/0/1] quit
[AGG1] interface gigabitethernet 0/0/2
[AGG1-GigabitEthernet0/0/2] eth-trunk 1
[AGG1-GigabitEthernet0/0/2] quit
4. Configure the firewalls.
# Configure interfaces and add interfaces to security zones on FWA.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface Eth-Trunk 4 //Configure the interface connected to CORE and allocate an IP
address to the interface.
[FWA-Eth-Trunk4] ip address 10.10.2.2 24
[FWA-Eth-Trunk4] mode lacp-static
[FWA-Eth-Trunk4] quit
[FWA] interface Gigabitethernet 1/0/0 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/0] Eth-Trunk 4
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface Gigabitethernet 1/0/1 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/1] Eth-Trunk 4
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface Eth-Trunk 5 //Configure the interface connected to CORE and allocate an IP
address to the interface.
[FWA-Eth-Trunk5] ip address 10.10.3.2 24
[FWA-Eth-Trunk5] mode lacp-static
[FWA-Eth-Trunk5] quit
[FWA] interface Gigabitethernet 1/1/0 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/0] Eth-Trunk 5
[FWA-GigabitEthernet1/1/0] quit
[FWA] interface Gigabitethernet 1/1/1 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/1] Eth-Trunk 5
[FWA-GigabitEthernet1/1/1] quit
[FWA] interface Eth-Trunk 1 //Configure the interface connecting FWA to FWB.
[FWA-Eth-Trunk1] ip address 10.1.1.1 24
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface Gigabitethernet 2/0/0 //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/0] Eth-Trunk 1
[FWA-GigabitEthernet2/0/0] quit
[FWA] interface Gigabitethernet 2/0/1 //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/1] Eth-Trunk 1
[FWA-GigabitEthernet2/0/1] quit
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 5 //Add Eth-Trunk 5 connected to the internal network
to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface Eth-Trunk 4 //Add Eth-Trunk 4 connected to the external
network to the untrusted zone.
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface Eth-Trunk 1 //Add the interface connected to FWB to the DMZ.
[FWA-zone-dmz] quit

# Configure interfaces and add interfaces to security zones on FWB.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface Eth-Trunk 6 //Configure the interface connected to CORE and allocate an IP
address to the interface.
[FWB-Eth-Trunk6] ip address 10.10.2.3 24
[FWB-Eth-Trunk6] mode lacp-static
[FWB-Eth-Trunk6] quit
[FWB] interface Gigabitethernet 1/0/0 //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/0] Eth-Trunk 6
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface Gigabitethernet 1/0/1 //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/1] Eth-Trunk 6
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface Eth-Trunk 7 //Configure the interface connected to CORE and allocate an IP
address to the interface.
[FWB-Eth-Trunk7] ip address 10.10.3.3 24
[FWB-Eth-Trunk7] mode lacp-static
[FWB-Eth-Trunk7] quit
[FWB] interface Gigabitethernet 1/1/0 //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/0] Eth-Trunk 7
[FWB-GigabitEthernet1/1/0] quit
[FWB] interface Gigabitethernet 1/1/1 //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/1] Eth-Trunk 7
[FWB-GigabitEthernet1/1/1] quit
[FWB] interface Eth-Trunk 1 //Configure the interface connecting FWB to FWA.
[FWB-Eth-Trunk1] ip address 10.1.1.2 24
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface Gigabitethernet 2/0/0 //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/0] Eth-Trunk 1
[FWB-GigabitEthernet2/0/0] quit
[FWB] interface Gigabitethernet 2/0/1 //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/1] Eth-Trunk 1
[FWB-GigabitEthernet2/0/1] quit
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 7 //Add Eth-Trunk 7 connected to the internal network
to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface Eth-Trunk 6 //Add Eth-Trunk 6 connected to the external
network to the untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface Eth-Trunk 1 //Add the interface connected to FWA to the DMZ.
[FWB-zone-dmz] quit

Step 3 Configure DHCP on CORE.
[CORE] dhcp enable
[CORE] interface vlanif 100
[CORE-Vlanif100] dhcp select interface
[CORE-Vlanif100] quit
[CORE] interface vlanif 200
[CORE-Vlanif200] dhcp select interface
[CORE-Vlanif200] quit

Step 4 Configure VRRP. Configure RouterA as the VRRP master and RouterB as the VRRP
backup.
# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Increase the priority of RouterA to make it become
the master router.
[RouterA-Eth-Trunk1.100] quit

# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterB-Eth-Trunk1.100] quit

Step 5 Configure routing.
1. Configure CORE.
# On CORE, create a VPN instance Public, and bind the interfaces connected
to routers and firewalls to Public.
[CORE] ip vpn-instance Public //Create the VPN instance Public.
[CORE-vpn-instance-Public] ipv4-family
[CORE-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CORE-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CORE-vpn-instance-Public-af-ipv4] quit
[CORE-vpn-instance-Public] quit
[CORE] interface Vlanif 10
[CORE-Vlanif10] ip binding vpn-instance Public //Bind VLANIF 10 connecting CORE to RouterA to
Public.
[CORE-Vlanif10] ip address 10.10.4.1 24 //Reconfigure an IP address for VLANIF 10. When VLANIF
10 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20
[CORE-Vlanif20] ip binding vpn-instance Public //Bind VLANIF 20 that connects CORE to the
uplink interface of FWA to Public.
[CORE-Vlanif20] ip address 10.10.2.1 24 //Reconfigure an IP address for VLANIF 20. When VLANIF
20 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif20] quit

# Configure a static route in Public to forward uplink traffic, and set the next
hop of the route to the VRRP virtual IP address of routers.
[CORE] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100

# Configure static routes in Public to forward downlink traffic, and set the
next hops of the routes to the virtual IP address of the VRRP group with VRID
1 of firewalls.
[CORE] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
[CORE] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5

# Configure OSPF between CORE and routers to forward downlink traffic. Routers can
learn the return routes to service networks using OSPF.
[CORE] ospf 100 router-id 1.1.1.1 vpn-instance Public
[CORE-ospf-100] area 0
[CORE-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment
connected to routers into OSPF.
[CORE-ospf-100-area-0.0.0.0] quit
[CORE-ospf-100] import-route static //Import static routes into OSPF.
[CORE-ospf-100] quit

# Create the VPN instance VRF-A on CORE to forward uplink traffic, and bind
the interfaces connected to the service networks and the interfaces connected
to the firewalls to VRF-A. Also configure a default route in VRF-A with the
next hop set to the virtual IP address of the VRRP group with VRID 2 of the
firewalls.
[CORE] ip vpn-instance VRF-A //Create the VPN instance VRF-A.
[CORE-vpn-instance-VRF-A] ipv4-family
[CORE-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CORE-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CORE-vpn-instance-VRF-A-af-ipv4] quit
[CORE-vpn-instance-VRF-A] quit
[CORE] interface Vlanif 100
[CORE-Vlanif100] ip binding vpn-instance VRF-A //Bind VLANIF 100 connecting CORE to service
network 1 to VRF-A.
[CORE-Vlanif100] ip address 10.10.100.1 24 //Reconfigure an IP address for VLANIF 100. When
VLANIF 100 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif100] quit
[CORE] interface Vlanif 200
[CORE-Vlanif200] ip binding vpn-instance VRF-A //Bind VLANIF 200 connecting CORE to service
network 2 to VRF-A.
[CORE-Vlanif200] ip address 10.10.200.1 24 //Reconfigure an IP address for VLANIF 200. When
VLANIF 200 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif200] quit
[CORE] interface Vlanif 30
[CORE-Vlanif30] ip binding vpn-instance VRF-A //Bind VLANIF 30 connecting CORE to firewalls to
VRF-A.
[CORE-Vlanif30] ip address 10.10.3.1 24 //Reconfigure an IP address for VLANIF 30. When VLANIF
30 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif30] quit

# Configure a default route in VRF-A, and set the next hop to the virtual IP
address of the VRRP group with VRID 2 of firewalls.
[CORE] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5

2. Configure routers.
# Configure OSPF on RouterA.
[RouterA] ospf 100 router-id 2.2.2.2
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment
connected to CORE into OSPF.
[RouterA-ospf-100-area-0.0.0.0] quit
[RouterA-ospf-100] quit

# Configure OSPF on RouterB.
[RouterB] ospf 100 router-id 3.3.3.3
[RouterB-ospf-100] area 0
[RouterB-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment
connected to CORE into OSPF.
[RouterB-ospf-100-area-0.0.0.0] quit
[RouterB-ospf-100] quit

3. Configure the firewalls.
# Configure static routes on FWA. The configuration of FWB is identical (see the FWB
configuration file) and is not repeated here.
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //Configure a default route to forward uplink traffic,
and set the next hop to the IP address of VLANIF 20 on CORE.
[FWA] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 //Configure a static route to forward
downlink traffic, and set the destination address to service network 1 and the next hop to the IP
address of VLANIF 30 on CORE.
[FWA] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 //Configure a static route to forward
downlink traffic, and set the destination address to service network 2 and the next hop to the IP
address of VLANIF 30 on CORE.
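The routing design of Step 5, traced end to end as an added example (this script is not part of the Huawei guide). It encodes the Step 5 routing tables of CORE (Public and VRF-A), FWA and RouterA and follows a packet by longest-prefix match from one table to the next. The glue between the tables, that is, which device answers for each next-hop address, is an assumption: FWA is taken to be the HRP active unit that owns both firewall VIPs, RouterA the VRRP master with an upstream default route, and the hosts 203.0.113.10 and 10.10.100.25 are constructed. The last function removes the CORE routes that point at the firewall VIPs to show that the design then fails closed instead of finding a path that skips the firewalls.

```python
"""Added example (not part of the Huawei guide): trace a packet through the
routing tables of Step 5 to show that the Public / VRF-A split leaves the
firewall pair as the only path between the campus and the egress routers."""
from ipaddress import ip_address, ip_network

# Routing table per (device, VPN instance): (prefix, next hop) entries.
# "connected" = directly attached subnet; the rest are the Step 5 routes.
# Assumed: FWA is the HRP active unit and answers for both firewall VIPs,
# RouterA is the VRRP master and has an upstream default route.
TABLES = {
    ("CORE", "VRF-A"): [
        ("10.10.100.0/24", "connected"),   # VLANIF 100
        ("10.10.200.0/24", "connected"),   # VLANIF 200
        ("10.10.3.0/24", "connected"),     # VLANIF 30
        ("0.0.0.0/0", "10.10.3.5"),        # firewall VRRP VRID 2 VIP
    ],
    ("CORE", "Public"): [
        ("10.10.4.0/24", "connected"),     # VLANIF 10
        ("10.10.2.0/24", "connected"),     # VLANIF 20
        ("0.0.0.0/0", "10.10.4.100"),      # router VRRP VIP
        ("10.10.100.0/24", "10.10.2.5"),   # firewall VRRP VRID 1 VIP
        ("10.10.200.0/24", "10.10.2.5"),
    ],
    ("FWA", "default"): [
        ("10.10.2.0/24", "connected"),     # Eth-Trunk 4 (untrust)
        ("10.10.3.0/24", "connected"),     # Eth-Trunk 5 (trust)
        ("0.0.0.0/0", "10.10.2.1"),        # CORE VLANIF 20
        ("10.10.100.0/24", "10.10.3.1"),   # CORE VLANIF 30
        ("10.10.200.0/24", "10.10.3.1"),
    ],
    ("RouterA", "default"): [
        ("10.10.4.0/24", "connected"),     # Eth-Trunk 1.100
        ("10.10.100.0/24", "10.10.4.1"),   # learned via OSPF (import-route static)
        ("10.10.200.0/24", "10.10.4.1"),
        ("0.0.0.0/0", "Internet"),         # assumed upstream default route
    ],
    ("Internet", "-"): [("0.0.0.0/0", "connected")],
}

# Which (device, VPN instance) answers for each next hop (assumption, see above).
OWNER = {
    "10.10.3.5": ("FWA", "default"), "10.10.2.5": ("FWA", "default"),
    "10.10.3.1": ("CORE", "VRF-A"), "10.10.2.1": ("CORE", "Public"),
    "10.10.4.1": ("CORE", "Public"), "10.10.4.100": ("RouterA", "default"),
    "Internet": ("Internet", "-"),
}


def lookup(device, vrf, dst):
    """Longest-prefix match in one table; None if nothing matches."""
    best = None
    for prefix, nh in TABLES[(device, vrf)]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def trace(start, dst, max_hops=8):
    """Follow next hops from (device, vrf) until dst is on a connected subnet.
    The path ends with None if the packet is dropped (no route, or a loop)."""
    path, cur = [start], start
    for _ in range(max_hops):
        nh = lookup(cur[0], cur[1], dst)
        if nh is None:
            return path + [None]
        if nh == "connected":
            return path
        cur = OWNER[nh]
        path.append(cur)
    return path + [None]


def crosses_firewall(path):
    return any(hop is not None and hop[0].startswith("FW") for hop in path)


def uplink_path():
    """Service network 1 host -> Internet host (203.0.113.10 is constructed)."""
    return trace(("CORE", "VRF-A"), "203.0.113.10")


def downlink_path():
    """Reply arriving at RouterA for a service network 1 host (constructed)."""
    return trace(("RouterA", "default"), "10.10.100.25")


def reachable_without_firewall_routes():
    """Drop every CORE route whose next hop is a firewall VIP and see whether
    any path survives. None does: the VRFs fail closed rather than leaking
    traffic around the firewall, which is the point of the split."""
    saved = {k: list(v) for k, v in TABLES.items()}
    try:
        for key in (("CORE", "VRF-A"), ("CORE", "Public")):
            TABLES[key] = [r for r in saved[key] if r[1] not in ("10.10.3.5", "10.10.2.5")]
        return uplink_path()[-1] is not None or downlink_path()[-1] is not None
    finally:
        TABLES.update(saved)
```

uplink_path() returns CORE[VRF-A] -> FWA -> CORE[Public] -> RouterA -> Internet, and downlink_path() the mirror image, so the firewall appears in both directions. The two VPN instances also carry different route targets (111:1 and 222:2), so nothing leaks between them through MP-BGP either; a route added later whose next hop lives in the other instance's address space is exactly what this trace is meant to catch.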

Step 6 Configure HRP.


# Configure HRP on FWA and set FWA as the active firewall.
[FWA] interface Eth-Trunk 4
[FWA-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 active
[FWA-Eth-Trunk4] quit
[FWA] interface Eth-Trunk 5
[FWA-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 active
[FWA-Eth-Trunk5] quit
[FWA] hrp interface Eth-Trunk 1 remote 10.1.1.2 //Configure the heartbeat interface and enable HRP.
[FWA] hrp enable

# Configure HRP on FWB and set FWB as the standby firewall.
[FWB] interface Eth-Trunk 6
[FWB-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 standby
[FWB-Eth-Trunk6] quit
[FWB] interface Eth-Trunk 7
[FWB-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 standby
[FWB-Eth-Trunk7] quit
[FWB] hrp interface Eth-Trunk 1 remote 10.1.1.1 //Configure the heartbeat interface and enable HRP.
[FWB] hrp enable

After a hot standby group is successfully established between the active and standby
firewalls, the configurations and sessions on the active firewall are automatically
synchronized to the standby firewall. Therefore, you only need to perform the following
configurations on the active firewall FWA.

Step 7 Configure security policies.


This example describes only the configurations for connections between firewalls
and switches and the HRP configurations on firewalls. For details about the
security service plan and campus security policies on firewalls, see 4.2 Deploying
Firewalls as Egress Devices.

----End

Verifying the Deployment


After the configurations are complete, check whether CORE and routers can ping
each other successfully.
# Ping Eth-Trunk 1.100 of RouterA from CORE. The ping result shows that the
uplink between CORE and RouterA is reachable.
<CORE> ping -vpn-instance Public 10.10.4.2
Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.4.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/184/266 ms

# Ping VLANIF 100 bound to VRF-A on CORE from RouterA to verify that the
downlink between RouterA and VLANIF 100 is reachable.
<RouterA> ping 10.10.100.1
Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 10.10.100.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/109/235 ms

Configuration Files
● RouterA configuration file
#
sysname RouterA
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return
● RouterB configuration file
#
sysname RouterB
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 3.3.3.3
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return
● CORE configuration file
#
sysname CORE
#
vlan batch 10 20 30 100 200
#
ip vpn-instance Public
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
ip vpn-instance VRF-A
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif10
ip binding vpn-instance Public
ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance Public
ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance VRF-A
ip address 10.10.3.1 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance VRF-A
ip address 10.10.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip binding vpn-instance VRF-A
ip address 10.10.200.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface Eth-Trunk4
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk5
port link-type access
port default vlan 30
mode lacp
#
interface Eth-Trunk6
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk7
port link-type access
port default vlan 30
mode lacp
#
interface Eth-Trunk8
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk9
port link-type trunk
port trunk allow-pass vlan 200
mode lacp
#
interface GigabitEthernet1/1/0/7
eth-trunk 4
#
interface GigabitEthernet1/1/0/8
eth-trunk 5
#
interface GigabitEthernet1/2/0/7
eth-trunk 6
#
interface GigabitEthernet1/2/0/8
eth-trunk 7
#
interface GigabitEthernet1/3/0/1
eth-trunk 8
#
interface GigabitEthernet1/3/0/2
eth-trunk 9
#
interface GigabitEthernet2/1/0/7
eth-trunk 4
#
interface GigabitEthernet2/1/0/8
eth-trunk 5
#
interface GigabitEthernet2/2/0/7
eth-trunk 6
#
interface GigabitEthernet2/2/0/8
eth-trunk 7
#
interface GigabitEthernet2/3/0/1
eth-trunk 8
#
interface GigabitEthernet2/3/0/2
eth-trunk 9
#
interface XGigabitEthernet1/4/0/0
eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
eth-trunk 2
#
interface XGigabitEthernet2/4/0/0
eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
eth-trunk 2
#
ospf 100 router-id 1.1.1.1 vpn-instance Public
import-route static
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
#
return

● AGG1 configuration file


#
sysname AGG1
#
vlan batch 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return

● AGG2 configuration file


#
sysname AGG2
#
vlan batch 200
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200
mode lacp-static
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return

● FWA configuration file


#
sysname FWA
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
interface Eth-Trunk1
ip address 10.1.1.1 255.255.255.0
mode lacp-static
#
interface Eth-Trunk4
ip address 10.10.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 active
mode lacp-static
#
interface Eth-Trunk5
ip address 10.10.3.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 active
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 4
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 4
#
interface GigabitEthernet1/1/0
undo shutdown
eth-trunk 5
#
interface GigabitEthernet1/1/1
undo shutdown
eth-trunk 5
#
interface GigabitEthernet2/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk5
#
firewall zone untrust
set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
return
● FWB configuration file
#
sysname FWB
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
interface Eth-Trunk1
ip address 10.1.1.2 255.255.255.0
mode lacp-static
#
interface Eth-Trunk6
ip address 10.10.2.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 standby
mode lacp-static
#
interface Eth-Trunk7
ip address 10.10.3.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 standby
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 6
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 6
#
interface GigabitEthernet1/1/0
undo shutdown
eth-trunk 7
#
interface GigabitEthernet1/1/1
undo shutdown
eth-trunk 7
#
interface GigabitEthernet2/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk7
#
firewall zone untrust
set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
return

4.4 Connecting Firewalls to Egress Routers Directly


Networking Requirements
At the egress of a large campus network, the core switches connect directly to the
upstream firewalls and reach the egress gateways through them. Two routers function
as egress gateways and connect directly to the Internet. Two firewalls form a hot
standby group that filters the service traffic entering and leaving the campus
network. Two core switches form a CSS, which is the core of the campus network and
also acts as the user gateway that allocates IP addresses to users. The specific
service requirements are as follows:
● Users in department A can access the Internet, whereas users in department B
cannot.
● Users on internal and external networks can access the HTTP server.
In this example, every two of the four aggregation switches form a stack (two stacks
in total, AGG1 and AGG2) and connect to the core switches, which form a CSS named
CORE. For details about the networking below the core layer, see 3 Campus Network
Connectivity Deployment.

Figure 4-4 Campus network where firewalls are directly connected to egress
routers
[Figure: RouterA and RouterB (GE0/0/2 to the Internet) connect on GE0/0/1 to FWA
and FWB (GE1/0/1) respectively; FWA and FWB are linked on GE1/0/7 for the
heartbeat; FWA reaches the CORE CSS through Eth-Trunk 10 (GE2/0/3 and GE2/0/4 to
CORE GE1/1/0/3 and GE2/1/0/3) and FWB through Eth-Trunk 20 (GE2/0/3 and GE2/0/4
to CORE GE1/1/0/4 and GE2/1/0/4); the HTTP server is on CORE GE1/1/0/10; CORE
reaches AGG1 over Eth-Trunk 100 and AGG2 over Eth-Trunk 102; AGG1 (Eth-Trunk 115)
serves Department A and AGG2 (Eth-Trunk 116) serves Department B.]


Device Requirements and Versions

Location            Device Used in This Example   Version Used in This Example
Egress              AR6300                        V300R019C10
                    USG6300E                      V600R007C00
Core layer          S12700E                       V200R019C10
Aggregation layer   S6730-H                       V200R019C10

Deployment Roadmap

Step  Deployment Roadmap                                        Devices Involved
1     Configure CSS, stacking, and MAD to improve device        Core and aggregation switches
      reliability.
2     Configure Eth-Trunk interfaces to improve link            Core switches, firewalls, and
      reliability.                                              aggregation switches
3     Configure IP addresses for interfaces.                    Egress routers, firewalls, core
                                                                switches, and aggregation switches
4     Configure routing to enable network connectivity.         Egress routers, firewalls, core
                                                                switches, and aggregation switches
5     Configure security zones and security policies for        Firewalls
      interfaces so that service traffic can pass through
      firewalls.
6     Configure HRP on firewalls to implement load balancing.   Firewalls
7     Configure DHCP to allocate IP addresses to users.         Core and aggregation switches
8     Configure NAT to enable users in department A to          Egress routers
      access the Internet and external network users to
      access the HTTP server on the internal network.

Data Plan

Device       Interface           Member Interface        VLANIF Interface   IP Address
RouterA      GE0/0/1             -                       -                  10.1.1.1/24
             GE0/0/2             -                       -                  202.10.1.1/24
RouterB      GE0/0/1             -                       -                  10.2.1.1/24
             GE0/0/2             -                       -                  202.10.2.1/24
FWA          GE1/0/1             -                       -                  10.1.1.2/24
             GE1/0/7             -                       -                  10.10.1.1/24
             Eth-Trunk 10        GE2/0/3, GE2/0/4        -                  10.3.1.1/24
FWB          GE1/0/1             -                       -                  10.2.1.2/24
             GE1/0/7             -                       -                  10.10.1.2/24
             Eth-Trunk 20        GE2/0/3, GE2/0/4        -                  10.4.1.1/24
CORE         GE1/1/0/10          -                       VLANIF 300         10.100.1.1/24
             Eth-Trunk 10        GE1/1/0/3, GE2/1/0/3    -                  10.3.1.2/24
             Eth-Trunk 20        GE1/1/0/4, GE2/1/0/4    -                  10.4.1.2/24
             Eth-Trunk 100       GE1/2/0/3, GE2/2/0/3    VLANIF 100         10.5.1.1/24
             Eth-Trunk 102       GE1/2/0/4, GE2/2/0/4    VLANIF 200         10.6.1.1/24
AGG1         Eth-Trunk 100       GE1/0/1, GE2/0/1        VLANIF 100         10.5.1.2/24
             Eth-Trunk 115       GE1/0/5, GE2/0/5        VLANIF 500         192.168.1.1/24
AGG2         Eth-Trunk 102       GE1/0/1, GE2/0/1        VLANIF 200         10.6.1.2/24
             Eth-Trunk 116       GE1/0/5, GE2/0/5        VLANIF 600         192.168.2.1/24
HTTP server  Ethernet interface  -                       -                  10.100.1.10/24

Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
1. Configure the firewalls.


# On FWA, create Eth-Trunk 10 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 10.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] mode lacp-static
[FWA-Eth-Trunk10] quit
[FWA] interface gigabitethernet 2/0/3
[FWA-GigabitEthernet2/0/3] eth-trunk 10
[FWA-GigabitEthernet2/0/3] quit
[FWA] interface gigabitethernet 2/0/4
[FWA-GigabitEthernet2/0/4] eth-trunk 10
[FWA-GigabitEthernet2/0/4] quit

# On FWB, create Eth-Trunk 20 to connect FWB to CORE, and add member
interfaces to Eth-Trunk 20.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] mode lacp-static
[FWB-Eth-Trunk20] quit
[FWB] interface gigabitethernet 2/0/3
[FWB-GigabitEthernet2/0/3] eth-trunk 20
[FWB-GigabitEthernet2/0/3] quit
[FWB] interface gigabitethernet 2/0/4
[FWB-GigabitEthernet2/0/4] eth-trunk 20
[FWB-GigabitEthernet2/0/4] quit

2. Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member
interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/0/3
[CORE-GigabitEthernet1/1/0/3] eth-trunk 10
[CORE-GigabitEthernet1/1/0/3] quit
[CORE] interface gigabitethernet 2/1/0/3
[CORE-GigabitEthernet2/1/0/3] eth-trunk 10
[CORE-GigabitEthernet2/1/0/3] quit

# On CORE, create Eth-Trunk 20 to connect CORE to FWB, and add member
interfaces to Eth-Trunk 20.
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/1/0/4
[CORE-GigabitEthernet1/1/0/4] eth-trunk 20
[CORE-GigabitEthernet1/1/0/4] quit
[CORE] interface gigabitethernet 2/1/0/4
[CORE-GigabitEthernet2/1/0/4] eth-trunk 20
[CORE-GigabitEthernet2/1/0/4] quit

# On CORE, create Eth-Trunk 100 to connect CORE to AGG1, and add
member interfaces to Eth-Trunk 100.
[CORE] interface eth-trunk 100
[CORE-Eth-Trunk100] mode lacp
[CORE-Eth-Trunk100] quit
[CORE] interface gigabitethernet 1/2/0/3
[CORE-GigabitEthernet1/2/0/3] eth-trunk 100
[CORE-GigabitEthernet1/2/0/3] quit
[CORE] interface gigabitethernet 2/2/0/3
[CORE-GigabitEthernet2/2/0/3] eth-trunk 100
[CORE-GigabitEthernet2/2/0/3] quit

# On CORE, create Eth-Trunk 102 to connect CORE to AGG2, and add
member interfaces to Eth-Trunk 102.
[CORE] interface eth-trunk 102
[CORE-Eth-Trunk102] mode lacp
[CORE-Eth-Trunk102] quit
[CORE] interface gigabitethernet 1/2/0/4
[CORE-GigabitEthernet1/2/0/4] eth-trunk 102
[CORE-GigabitEthernet1/2/0/4] quit
[CORE] interface gigabitethernet 2/2/0/4
[CORE-GigabitEthernet2/2/0/4] eth-trunk 102
[CORE-GigabitEthernet2/2/0/4] quit

3. Configure AGGs.
# On AGG1, create Eth-Trunk 100 and Eth-Trunk 115 to connect AGG1 to
CORE and an access switch respectively, and add member interfaces to Eth-
Trunk 100 and Eth-Trunk 115.
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] mode lacp
[AGG1-Eth-Trunk100] quit
[AGG1] interface gigabitethernet 1/0/1
[AGG1-GigabitEthernet1/0/1] eth-trunk 100
[AGG1-GigabitEthernet1/0/1] quit
[AGG1] interface gigabitethernet 2/0/1
[AGG1-GigabitEthernet2/0/1] eth-trunk 100
[AGG1-GigabitEthernet2/0/1] quit
[AGG1] interface eth-trunk 115
[AGG1-Eth-Trunk115] mode lacp
[AGG1-Eth-Trunk115] quit
[AGG1] interface gigabitethernet 1/0/5
[AGG1-GigabitEthernet1/0/5] eth-trunk 115
[AGG1-GigabitEthernet1/0/5] quit
[AGG1] interface gigabitethernet 2/0/5
[AGG1-GigabitEthernet2/0/5] eth-trunk 115
[AGG1-GigabitEthernet2/0/5] quit

# On AGG2, create Eth-Trunk 102 and Eth-Trunk 116 to connect AGG2 to
CORE and an access switch respectively, and add member interfaces to Eth-
Trunk 102 and Eth-Trunk 116.
[AGG2] interface eth-trunk 102
[AGG2-Eth-Trunk102] mode lacp
[AGG2-Eth-Trunk102] quit
[AGG2] interface gigabitethernet 1/0/1
[AGG2-GigabitEthernet1/0/1] eth-trunk 102
[AGG2-GigabitEthernet1/0/1] quit
[AGG2] interface gigabitethernet 2/0/1
[AGG2-GigabitEthernet2/0/1] eth-trunk 102
[AGG2-GigabitEthernet2/0/1] quit
[AGG2] interface eth-trunk 116
[AGG2-Eth-Trunk116] mode lacp
[AGG2-Eth-Trunk116] quit
[AGG2] interface gigabitethernet 1/0/5
[AGG2-GigabitEthernet1/0/5] eth-trunk 116
[AGG2-GigabitEthernet1/0/5] quit
[AGG2] interface gigabitethernet 2/0/5
[AGG2-GigabitEthernet2/0/5] eth-trunk 116
[AGG2-GigabitEthernet2/0/5] quit

Step 3 Configure IP addresses for interfaces.


# Configure RouterA.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as
the router ID of RouterA.
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //Configure an IP address for the interface
connected to FWA.
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] ip address 202.10.1.1 24 //Configure an IP address for the interface
connected to the Internet.
[RouterA-GigabitEthernet0/0/2] quit

# Configure RouterB.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as
the router ID of RouterB.
[RouterB-LoopBack0] quit
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address for the interface
connected to FWB.
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 202.10.2.1 24 //Configure an IP address for the interface
connected to the Internet.
[RouterB-GigabitEthernet0/0/2] quit

# Configure FWA.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the
router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for the interface connected
to RouterA.
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/7
[FWA-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/7] quit
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-Trunk interface connected
to CORE.
[FWA-Eth-Trunk10] quit

# Configure FWB.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the
router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for the interface connected
to RouterB.
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/7
[FWB-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/7] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-Trunk interface connected
to CORE.
[FWB-Eth-Trunk20] quit

# Configure CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 5.5.5.5 32 //Configure an IP address for loopback 0, which is also used as
the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk interface works in Layer 2 mode. To use an
Eth-Trunk interface as a Layer 3 interface, run the undo portswitch command to change the Eth-Trunk
interface to Layer 3 mode.
[CORE-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for Eth-Trunk 10 connected to FWA.
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] undo portswitch
[CORE-Eth-Trunk20] ip address 10.4.1.2 24 //Configure an IP address for Eth-Trunk 20 connected to FWB.
[CORE-Eth-Trunk20] quit
[CORE] vlan batch 100 200 300
[CORE] interface eth-trunk 100
[CORE-Eth-Trunk100] port link-type hybrid
[CORE-Eth-Trunk100] port hybrid pvid vlan 100
[CORE-Eth-Trunk100] port hybrid untagged vlan 100
[CORE-Eth-Trunk100] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.5.1.1 24 //Configure an IP address for the interface connected to AGG1.
[CORE-Vlanif100] quit
[CORE] interface eth-trunk 102
[CORE-Eth-Trunk102] port link-type hybrid
[CORE-Eth-Trunk102] port hybrid pvid vlan 200
[CORE-Eth-Trunk102] port hybrid untagged vlan 200
[CORE-Eth-Trunk102] quit
[CORE] interface vlanif 200
[CORE-Vlanif200] ip address 10.6.1.1 24 //Configure an IP address for the interface connected to AGG2.
[CORE-Vlanif200] quit
[CORE] interface gigabitethernet 1/1/0/10
[CORE-GigabitEthernet1/1/0/10] port link-type access
[CORE-GigabitEthernet1/1/0/10] port default vlan 300
[CORE-GigabitEthernet1/1/0/10] quit
[CORE] interface vlanif 300
[CORE-Vlanif300] ip address 10.100.1.1 24
[CORE-Vlanif300] quit

# Configure AGG1.
[AGG1] interface loopback 0
[AGG1-LoopBack0] ip address 6.6.6.6 32 //Configure an IP address for loopback 0, which is also used as
the router ID of AGG1.
[AGG1-LoopBack0] quit
[AGG1] vlan batch 100 500
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] port link-type hybrid
[AGG1-Eth-Trunk100] port hybrid pvid vlan 100
[AGG1-Eth-Trunk100] port hybrid untagged vlan 100
[AGG1-Eth-Trunk100] quit
[AGG1] interface vlanif 100
[AGG1-Vlanif100] ip address 10.5.1.2 24 //Configure an IP address for the interface connected to CORE.
[AGG1-Vlanif100] quit
[AGG1] interface eth-trunk 115
[AGG1-Eth-Trunk115] port link-type hybrid
[AGG1-Eth-Trunk115] port hybrid pvid vlan 500
[AGG1-Eth-Trunk115] port hybrid untagged vlan 500
[AGG1-Eth-Trunk115] quit
[AGG1] interface vlanif 500
[AGG1-Vlanif500] ip address 192.168.1.1 24 //Configure an IP address for the interface connected to an
access switch.
[AGG1-Vlanif500] quit

# Configure AGG2.
[AGG2] interface loopback 0
[AGG2-LoopBack0] ip address 7.7.7.7 32 //Configure an IP address for loopback 0, which is also used as
the router ID of AGG2.
[AGG2-LoopBack0] quit
[AGG2] vlan batch 200 600
[AGG2] interface eth-trunk 102
[AGG2-Eth-Trunk102] port link-type hybrid
[AGG2-Eth-Trunk102] port hybrid pvid vlan 200
[AGG2-Eth-Trunk102] port hybrid untagged vlan 200
[AGG2-Eth-Trunk102] quit
[AGG2] interface vlanif 200
[AGG2-Vlanif200] ip address 10.6.1.2 24 //Configure an IP address for the interface connected to CORE.
[AGG2-Vlanif200] quit
[AGG2] interface eth-trunk 116
[AGG2-Eth-Trunk116] port link-type hybrid
[AGG2-Eth-Trunk116] port hybrid pvid vlan 600
[AGG2-Eth-Trunk116] port hybrid untagged vlan 600
[AGG2-Eth-Trunk116] quit
[AGG2] interface vlanif 600
[AGG2-Vlanif600] ip address 192.168.2.1 24 //Configure an IP address for the interface connected to an
access switch.
[AGG2-Vlanif600] quit

Step 4 Configure routing.


1. Put the links between the routers and the firewalls, and the links between the
firewalls and the core switches, into the OSPF backbone area (Area 0).
# Configure RouterA.
[RouterA] router id 1.1.1.1
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Advertise the network segment
connected to FWA into the OSPF backbone area.
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure RouterB.
[RouterB] router id 2.2.2.2
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Advertise the network segment
connected to FWB into the OSPF backbone area.
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure FWA.
[FWA] router id 3.3.3.3
[FWA] ospf 1
[FWA-ospf-1] area 0
[FWA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Advertise the network segment connected
to RouterA into the OSPF backbone area.
[FWA-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Advertise the network segment connected
to CORE into the OSPF backbone area.
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
# Configure FWB.
[FWB] router id 4.4.4.4
[FWB] ospf 1
[FWB-ospf-1] area 0
[FWB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Advertise the network segment connected
to RouterB into the OSPF backbone area.
[FWB-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Advertise the network segment connected
to CORE into the OSPF backbone area.
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
# Configure CORE.
[CORE] router id 5.5.5.5
[CORE] ospf 1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Advertise the network segment connected
to FWA into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Advertise the network segment connected
to FWB into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] network 10.100.1.0 0.0.0.255 //Advertise the network segment
connected to the HTTP server into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
2. Configure the areas where downlink interfaces of CORE and uplink interfaces
of AGG1 and AGG2 belong as NSSAs 1 and 2 respectively.
# Configure CORE.
[CORE] ospf 1
[CORE-ospf-1] area 1
[CORE-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Advertise the network segment connected to AGG1 into OSPF Area 1.
[CORE-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA.
[CORE-ospf-1-area-0.0.0.1] quit
[CORE-ospf-1] area 2
[CORE-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Advertise the network segment connected to AGG2 into OSPF Area 2.
[CORE-ospf-1-area-0.0.0.2] nssa //Configure Area 2 as an NSSA.
[CORE-ospf-1-area-0.0.0.2] quit
[CORE-ospf-1] quit
# Configure AGG1.
[AGG1] ospf 1
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Advertise the network segment connected to CORE into OSPF Area 1.
[AGG1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Advertise the network segment connected to users into OSPF Area 1.
[AGG1-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA.
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit
# Configure AGG2.
[AGG2] ospf 1
[AGG2-ospf-1] area 2
[AGG2-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Advertise the network segment connected to CORE into OSPF Area 2.
[AGG2-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255 //Advertise the network segment connected to users into OSPF Area 2.
[AGG2-ospf-1-area-0.0.0.2] nssa //Configure Area 2 as an NSSA.
[AGG2-ospf-1-area-0.0.0.2] quit
[AGG2-ospf-1] quit
3. Configure default routes.
# On CORE, configure default routes with the next hops pointing to firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
# On FWA, configure a default route with the next hop pointing to RouterA.
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# On FWB, configure a default route with the next hop pointing to RouterB.
[FWB] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
# On RouterA, configure a default route with the next hop being the IP
address of the connected carrier network device (public network gateway).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
# On RouterB, configure a default route with the next hop being the IP
address of the connected carrier network device (public network gateway).
[RouterB] ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
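The area plan in steps 1 and 2 only produces routes when both ends of every shared segment agree on the area number and on the NSSA flag; an aggregation switch on which `nssa` was forgotten never forms its adjacency with CORE, and the user segment behind it silently disappears from the routing table. The script below is an added example, not Huawei tooling or code from this document: it transcribes the OSPF statements above into a small model and checks router-ID uniqueness and per-segment area/NSSA agreement. `OspfDevice`, `check_ospf_plan` and the `broken_plan()` variant are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class OspfDevice:
    """One OSPF speaker, transcribed from its 'ospf 1' configuration."""
    name: str
    router_id: str
    # area id -> list of (network, wildcard) pairs as typed in "network ..." commands
    networks: dict = field(default_factory=dict)
    # areas under which "nssa" was entered
    nssa_areas: set = field(default_factory=set)


def wildcard_to_network(network: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Huawei 'network 10.1.1.0 0.0.0.255' statement into a prefix.
    The wildcard is the inverse of the mask; discontiguous wildcards are rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    mask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((network, mask), strict=False)


def check_ospf_plan(devices):
    """Report router-ID collisions and, on every segment two devices share,
    disagreement about the area number or the NSSA flag. Either mismatch
    keeps the adjacency from forming, so the affected routes never appear."""
    issues = []
    owner = {}
    for dev in devices:
        if dev.router_id in owner:
            issues.append(f"duplicate router ID {dev.router_id} on {owner[dev.router_id]} and {dev.name}")
        owner[dev.router_id] = dev.name

    by_prefix = {}
    for dev in devices:
        for area, statements in dev.networks.items():
            for network, wildcard in statements:
                prefix = wildcard_to_network(network, wildcard)
                by_prefix.setdefault(prefix, []).append((dev.name, area, area in dev.nssa_areas))

    for prefix, entries in sorted(by_prefix.items()):
        if len(entries) < 2:
            continue  # user or server VLAN: a single OSPF speaker, nothing to compare
        if len({area for _, area, _ in entries}) > 1:
            issues.append(f"{prefix}: area mismatch "
                          + ", ".join(f"{n}=area {a}" for n, a, _ in entries))
        if len({nssa for _, _, nssa in entries}) > 1:
            issues.append(f"{prefix}: NSSA flag mismatch "
                          + ", ".join(f"{n}={'nssa' if s else 'normal'}" for n, _, s in entries))
    return issues


# Transcription of the OSPF commands in steps 1 and 2 (router IDs from the configuration files).
PAGE_PLAN = [
    OspfDevice("RouterA", "1.1.1.1", {0: [("10.1.1.0", "0.0.0.255")]}),
    OspfDevice("RouterB", "2.2.2.2", {0: [("10.2.1.0", "0.0.0.255")]}),
    OspfDevice("FWA", "3.3.3.3", {0: [("10.1.1.0", "0.0.0.255"), ("10.3.1.0", "0.0.0.255")]}),
    OspfDevice("FWB", "4.4.4.4", {0: [("10.2.1.0", "0.0.0.255"), ("10.4.1.0", "0.0.0.255")]}),
    OspfDevice("CORE", "5.5.5.5",
               {0: [("10.3.1.0", "0.0.0.255"), ("10.4.1.0", "0.0.0.255"), ("10.100.1.0", "0.0.0.255")],
                1: [("10.5.1.0", "0.0.0.255")],
                2: [("10.6.1.0", "0.0.0.255")]},
               {1, 2}),
    OspfDevice("AGG1", "6.6.6.6", {1: [("10.5.1.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255")]}, {1}),
    OspfDevice("AGG2", "7.7.7.7", {2: [("10.6.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")]}, {2}),
]


def broken_plan():
    """Constructed variant: 'nssa' omitted on AGG1, a common cause of a missing adjacency."""
    return [replace(d, nssa_areas=set()) if d.name == "AGG1" else d for d in PAGE_PLAN]


if __name__ == "__main__":
    print("page plan:", check_ospf_plan(PAGE_PLAN) or "no issues")
    print("AGG1 without nssa:", check_ospf_plan(broken_plan()))
```

The check deliberately ignores prefixes advertised by a single device (the user VLANs behind AGG1 and AGG2); it flags only segments where two speakers must agree. Run it against the page plan and it returns no issues; drop the `nssa` line on one side of Area 1 and it names the 10.5.1.0/24 segment.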

Step 5 Configure security zones, add interfaces to security zones, and configure security
policies on firewalls.
# Configure FWA.
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the Internet to the untrusted zone.
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface gigabitethernet 1/0/7 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWA] security-policy
[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
[FWA-policy-security-rule-policy_dmz] source-zone local
[FWA-policy-security-rule-policy_dmz] source-zone dmz
[FWA-policy-security-rule-policy_dmz] destination-zone local
[FWA-policy-security-rule-policy_dmz] destination-zone dmz
[FWA-policy-security-rule-policy_dmz] action permit
[FWA-policy-security-rule-policy_dmz] quit
[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
[FWA-policy-security-rule-trust_to_untrust] source-zone trust
[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust] source-address 10.3.1.0 24
[FWA-policy-security-rule-trust_to_untrust] source-address 10.5.1.0 24
[FWA-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[FWA-policy-security-rule-trust_to_untrust] action permit
[FWA-policy-security-rule-trust_to_untrust] quit
[FWA-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
[FWA-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWA-policy-security-rule-untrust_to_trust] action permit
[FWA-policy-security-rule-untrust_to_trust] quit
[FWA-policy-security] quit

# Configure FWB.
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the Internet to the untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface gigabitethernet 1/0/7 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
[FWB] security-policy
[FWB-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
[FWB-policy-security-rule-policy_dmz] source-zone local
[FWB-policy-security-rule-policy_dmz] source-zone dmz
[FWB-policy-security-rule-policy_dmz] destination-zone local
[FWB-policy-security-rule-policy_dmz] destination-zone dmz
[FWB-policy-security-rule-policy_dmz] action permit
[FWB-policy-security-rule-policy_dmz] quit
[FWB-policy-security] rule name trust_to_untrust //Prohibit internal network users from accessing the Internet.
[FWB-policy-security-rule-trust_to_untrust] source-zone trust
[FWB-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust] source-address 10.4.1.0 24
[FWB-policy-security-rule-trust_to_untrust] source-address 10.6.1.0 24
[FWB-policy-security-rule-trust_to_untrust] source-address 192.168.2.0 24
[FWB-policy-security-rule-trust_to_untrust] action deny
[FWB-policy-security-rule-trust_to_untrust] quit
[FWB-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
[FWB-policy-security-rule-untrust_to_trust] source-zone untrust
[FWB-policy-security-rule-untrust_to_trust] destination-zone trust
[FWB-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWB-policy-security-rule-untrust_to_trust] action permit
[FWB-policy-security-rule-untrust_to_trust] quit
[FWB-policy-security] quit
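The two rule sets above differ only in the `action` of `trust_to_untrust`, and they rely on an implicit default: a flow that matches no rule is dropped, which is why FWA keeps department B off the Internet without ever naming 192.168.2.0/24. The following Python model is an added example, not the firewall's implementation or code from this document; it transcribes the Step 5 rules into first-match lookups so the verification items at the end of this section can be checked on paper. The zone and address data are taken from the page; `INTERNET_HOST` is a constructed external address.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One 'rule name ...' block of a security-policy; an empty field means 'any'."""
    name: str
    action: str                                              # "permit" or "deny"
    source_zones: set = field(default_factory=set)
    destination_zones: set = field(default_factory=set)
    source_addresses: list = field(default_factory=list)     # IPv4Network objects
    destination_addresses: list = field(default_factory=list)

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if self.source_zones and src_zone not in self.source_zones:
            return False
        if self.destination_zones and dst_zone not in self.destination_zones:
            return False
        if self.source_addresses and not any(src in n for n in self.source_addresses):
            return False
        if self.destination_addresses and not any(dst in n for n in self.destination_addresses):
            return False
        return True


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; a flow matching nothing hits the implicit
    default rule, which denies. Returns (action, rule name)."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.action, rule.name
    return "deny", "default"


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Rule sets transcribed from Step 5: FWA permits department A, FWB explicitly denies department B.
FWA_POLICY = [
    Rule("policy_dmz", "permit", {"local", "dmz"}, {"local", "dmz"}),
    Rule("trust_to_untrust", "permit", {"trust"}, {"untrust"},
         nets("10.3.1.0/24", "10.5.1.0/24", "192.168.1.0/24")),
    Rule("untrust_to_trust", "permit", {"untrust"}, {"trust"}, [], nets("10.100.1.0/24")),
]
FWB_POLICY = [
    Rule("policy_dmz", "permit", {"local", "dmz"}, {"local", "dmz"}),
    Rule("trust_to_untrust", "deny", {"trust"}, {"untrust"},
         nets("10.4.1.0/24", "10.6.1.0/24", "192.168.2.0/24")),
    Rule("untrust_to_trust", "permit", {"untrust"}, {"trust"}, [], nets("10.100.1.0/24")),
]

INTERNET_HOST = "203.0.113.5"   # constructed external address from the documentation range


def verify_page_requirements():
    """The 'Verifying the Deployment' items plus two flows the page does not list."""
    return {
        "deptA_to_internet_FWA": evaluate(FWA_POLICY, "trust", "untrust", "192.168.1.10", INTERNET_HOST)[0],
        "deptB_to_internet_FWB": evaluate(FWB_POLICY, "trust", "untrust", "192.168.2.10", INTERNET_HOST)[0],
        "deptB_to_internet_FWA": evaluate(FWA_POLICY, "trust", "untrust", "192.168.2.10", INTERNET_HOST)[0],
        "internet_to_http_FWA": evaluate(FWA_POLICY, "untrust", "trust", INTERNET_HOST, "10.100.1.10")[0],
        "internet_to_user_FWA": evaluate(FWA_POLICY, "untrust", "trust", INTERNET_HOST, "192.168.1.10")[0],
        "heartbeat_FWA": evaluate(FWA_POLICY, "local", "dmz", "10.10.1.1", "10.10.1.2")[0],
    }


if __name__ == "__main__":
    for flow, verdict in verify_page_requirements().items():
        print(f"{flow:24s} {verdict}")
```

Two things the lookups make visible: department B is stopped on FWA by the default rule rather than by an explicit deny, so a later rule added for another purpose could open that path unnoticed; and `untrust_to_trust` admits any service to the whole 10.100.1.0/24 segment, which is wider than "access the HTTP server" and is worth narrowing to the server host and its service.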

Step 6 Configure HRP on firewalls.

# Configure a VGMP group on FWA to monitor uplink and downlink service
interfaces.
[FWA] hrp track interface gigabitethernet 1/0/1 //Configure a VGMP group to monitor the uplink interface.
[FWA] hrp track interface eth-trunk 10 //Configure a VGMP group to monitor the downlink interface.

# On FWA, adjust the OSPF cost based on the HRP status.
[FWA] hrp adjust ospf-cost enable

# Configure a VGMP group on FWB to monitor uplink and downlink service
interfaces.
[FWB] hrp track interface gigabitethernet 1/0/1
[FWB] hrp track interface eth-trunk 20

# On FWB, adjust the OSPF cost based on the HRP status.
[FWB] hrp adjust ospf-cost enable

# On FWA, specify a heartbeat interface and enable HRP.
[FWA] hrp interface gigabitethernet 1/0/7 remote 10.10.1.2 //Configure a heartbeat interface and enable HRP.
[FWA] hrp enable //Enable HRP.
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.

After a hot standby group is successfully established between the active and standby
firewalls, the configurations and sessions on the active firewall are automatically
synchronized to the standby firewall.

# On FWB, specify a heartbeat interface and enable HRP.
[FWB] hrp interface gigabitethernet 1/0/7 remote 10.10.1.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable

Step 7 Configure the DHCP server function on CORE and the DHCP relay function on
AGG1 and AGG2.
# Configure CORE as the DHCP server to allocate IP addresses to users.
[CORE] dhcp enable
[CORE] interface vlanif 100 //Configure CORE to allocate IP addresses to users in department A through VLANIF 100.
[CORE-Vlanif100] dhcp select global
[CORE-Vlanif100] quit
[CORE] interface vlanif 200 //Configure CORE to allocate IP addresses to users in department B through VLANIF 200.
[CORE-Vlanif200] dhcp select global
[CORE-Vlanif200] quit
[CORE] ip pool poola //Configure the IP address pool poola to allocate IP addresses to users in department A.
[CORE-ip-pool-poola] network 192.168.1.0 mask 24
[CORE-ip-pool-poola] gateway-list 192.168.1.1
[CORE-ip-pool-poola] quit
[CORE] ip pool poolb //Configure the IP address pool poolb to allocate IP addresses to users in department B.
[CORE-ip-pool-poolb] network 192.168.2.0 mask 24
[CORE-ip-pool-poolb] gateway-list 192.168.2.1
[CORE-ip-pool-poolb] quit

# Configure AGG1 as a DHCP relay agent.
[AGG1] dhcp enable
[AGG1] interface vlanif 500
[AGG1-Vlanif500] dhcp select relay
[AGG1-Vlanif500] dhcp relay server-ip 10.5.1.1 //Specify the IP address of the DHCP server.
[AGG1-Vlanif500] quit

# Configure AGG2 as a DHCP relay agent.
[AGG2] dhcp enable
[AGG2] interface vlanif 600
[AGG2-Vlanif600] dhcp select relay
[AGG2-Vlanif600] dhcp relay server-ip 10.6.1.1 //Specify the IP address of the DHCP server.
[AGG2-Vlanif600] quit

Step 8 Configure NAT on egress routers.

Assume that the carrier allocates the following public IP addresses to enterprise users:
8.8.8.2 to 8.8.8.10 and 9.9.9.2 to 9.9.9.10. IP addresses 8.8.8.2 and 9.9.9.2 are used by
RouterA and RouterB respectively to connect to the Internet. IP addresses 8.8.8.10 and
9.9.9.10 are the public IP addresses used by external network users to access the HTTP
server. Internal network users use the remaining public IP addresses to access the Internet.

# Configure outbound NAT on RouterA to translate private IP addresses of users
in department A into public IP addresses so that the users can access the Internet.
[RouterA] nat address-group 1 8.8.8.3 8.8.8.9 //Configure a NAT address pool, which includes the public IP addresses allocated by the carrier.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure an IP address segment for users to access the Internet.
[RouterA-acl-basic-2000] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Apply NAT to the interface connected to the Internet.
[RouterA-GigabitEthernet0/0/2] quit

# Configure outbound NAT on RouterB to translate the private IP addresses of
users in department A into public IP addresses.
[RouterB] nat address-group 1 9.9.9.3 9.9.9.9 //Configure a NAT address pool, which includes the public IP addresses allocated by the carrier; 9.9.9.10 is reserved for the NAT server and is not part of the pool.
[RouterB] acl number 2000
[RouterB-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure an IP address segment for users to access the Internet.
[RouterB-acl-basic-2000] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Apply NAT to the interface connected to the Internet.
[RouterB-GigabitEthernet0/0/2] quit

# Configure NAT Server on RouterA and RouterB so that external network users
can access the HTTP server on the internal network.
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
[RouterA-GigabitEthernet0/0/2] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
[RouterB-GigabitEthernet0/0/2] quit
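The paragraph at the start of Step 8 partitions the carrier's public range into an interface address, a pool for outbound NAT and one address for the NAT server; a pool that accidentally includes the NAT server address leaves inbound packets to that address ambiguous between the server mapping and translated user sessions. The script below is an added example, not Huawei tooling or code from this document: it captures that partition as data and checks it for overlaps and for addresses outside the allocation, and it flags a `nat server` mapping that publishes every TCP port. `EgressNatPlan` and `overlapping_pool_example()` are constructed for illustration; the addresses come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class EgressNatPlan:
    """Public addressing of one egress router, as laid out in Step 8."""
    router: str
    interface_ip: str          # address of the Internet-facing interface
    carrier_gateway: str       # next hop of the default route
    allocated_start: str       # public range the carrier handed out
    allocated_end: str
    pool_start: str            # 'nat address-group' range for outbound NAT
    pool_end: str
    server_global: str         # public address published by 'nat server'
    server_inside: str         # internal address of the HTTP server
    server_port: Optional[int] = None   # None: the mapping covers every TCP port


def address_range(start: str, end: str) -> set:
    """Expand an inclusive IPv4 range into a set of addresses."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"range end {end} precedes start {start}")
    return {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}


def check_nat_plan(plan: EgressNatPlan):
    """Return (errors, warnings). Errors are address conflicts that break
    translation or reachability; warnings are exposure wider than the stated
    requirement (an HTTP server only needs its HTTP port published)."""
    errors, warnings = [], []
    pool = address_range(plan.pool_start, plan.pool_end)
    allocated = address_range(plan.allocated_start, plan.allocated_end)

    # Addresses that must never be handed to outbound-NAT sessions.
    reserved = {
        "interface address": plan.interface_ip,
        "carrier gateway": plan.carrier_gateway,
        "NAT server global address": plan.server_global,
    }
    for label, addr in reserved.items():
        if ipaddress.IPv4Address(addr) in pool:
            errors.append(f"{plan.router}: {label} {addr} lies inside the outbound pool "
                          f"{plan.pool_start}-{plan.pool_end}")

    # Everything the router sources from or publishes must belong to the carrier allocation.
    for addr in sorted(pool | {ipaddress.IPv4Address(plan.server_global)}):
        if addr not in allocated:
            errors.append(f"{plan.router}: {addr} is outside the carrier allocation "
                          f"{plan.allocated_start}-{plan.allocated_end}")

    if not ipaddress.IPv4Address(plan.server_inside).is_private:
        errors.append(f"{plan.router}: nat server inside address {plan.server_inside} is not private")
    if plan.server_port is None:
        warnings.append(f"{plan.router}: nat server publishes every TCP port of {plan.server_inside}; "
                        "restrict it to the HTTP port unless other services are intended")
    return errors, warnings


# The plan stated in Step 8: .3-.9 for user sessions, .10 reserved for the HTTP server.
ROUTER_A = EgressNatPlan("RouterA", "8.8.8.1", "8.8.8.2", "8.8.8.2", "8.8.8.10",
                         "8.8.8.3", "8.8.8.9", "8.8.8.10", "10.100.1.10")
ROUTER_B = EgressNatPlan("RouterB", "9.9.9.1", "9.9.9.2", "9.9.9.2", "9.9.9.10",
                         "9.9.9.3", "9.9.9.9", "9.9.9.10", "10.100.1.10")


def overlapping_pool_example():
    """Constructed faulty plan: the pool runs up to 9.9.9.10, the NAT server address."""
    bad = EgressNatPlan("RouterB", "9.9.9.1", "9.9.9.2", "9.9.9.2", "9.9.9.10",
                        "9.9.9.3", "9.9.9.10", "9.9.9.10", "10.100.1.10")
    return check_nat_plan(bad)


if __name__ == "__main__":
    for plan in (ROUTER_A, ROUTER_B):
        print(plan.router, check_nat_plan(plan))
    print("faulty plan", overlapping_pool_example())
```

Both page plans pass with only the all-ports warning, which matches the `nat server protocol tcp global ... inside ...` form used above (no port given, so every TCP port of 10.100.1.10 is reachable from the Internet subject to the firewall's `untrust_to_trust` rule). The constructed plan whose pool ends at 9.9.9.10 is reported as a conflict with the NAT server address.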

----End

Verifying the Deployment
1. Users in department A can access the Internet, whereas users in department B
cannot.
2. Users in departments A and B and external network users can ping the HTTP
server.

Configuration Files
● RouterA configuration file
#
sysname RouterA
#
router id 1.1.1.1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 8.8.8.3 8.8.8.9
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 8.8.8.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
#
return
● RouterB configuration file
#
sysname RouterB
#
router id 2.2.2.2
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 9.9.9.3 9.9.9.9 mask 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 9.9.9.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
#
return

● FWA configuration file
#
sysname FWA
#
router id 3.3.3.3
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 10
#
interface Eth-Trunk10
ip address 10.3.1.1 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
undo shutdown
eth-trunk 10
#
interface GigabitEthernet2/0/4
undo shutdown
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.1.0 mask 255.255.255.0
source-address 10.5.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
action permit

rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.100.1.0 mask 255.255.255.0
action permit
#
return

● FWB configuration file
#
sysname FWB
#
router id 4.4.4.4
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 20
#
interface Eth-Trunk20
ip address 10.4.1.1 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/3
undo shutdown
eth-trunk 20
#
interface GigabitEthernet2/0/4
undo shutdown
eth-trunk 20
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit

rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.4.1.0 mask 255.255.255.0
source-address 10.6.1.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
action deny
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.100.1.0 mask 255.255.255.0
action permit
#
return

● CORE configuration file
#
sysname CORE
#
router id 5.5.5.5
#
vlan batch 100 200 300
#
dhcp enable
#
ip pool poola
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif100
ip address 10.5.1.1 255.255.255.0
dhcp select global
#
interface Vlanif200
ip address 10.6.1.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.100.1.100 255.255.255.0
#
interface Eth-Trunk10
undo portswitch
ip address 10.3.1.2 255.255.255.0
mode lacp-static
#
interface Eth-Trunk20
undo portswitch
ip address 10.4.1.2 255.255.255.0
mode lacp-static
#
interface Eth-Trunk100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
mode lacp-static
#
interface Eth-Trunk102
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
mode lacp-static
#
interface GigabitEthernet1/1/0/1
port link-type access
port default vlan 300
#

interface GigabitEthernet1/1/0/3
eth-trunk 10
#
interface GigabitEthernet1/1/0/4
eth-trunk 20
#
interface GigabitEthernet1/2/0/3
eth-trunk 100
#
interface GigabitEthernet1/2/0/4
eth-trunk 102
#
interface GigabitEthernet2/1/0/3
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 20
#
interface GigabitEthernet2/2/0/3
eth-trunk 100
#
interface GigabitEthernet2/2/0/4
eth-trunk 102
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
area 0.0.0.1
network 10.5.1.0 0.0.0.255
area 0.0.0.2
network 10.6.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return

● AGG1 configuration file
#
sysname AGG1
#
vlan batch 100 500
#
dhcp enable
#
interface Vlanif100
ip address 10.5.1.2 255.255.255.0
#
interface Vlanif500
ip address 192.168.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.5.1.1
#
interface Eth-Trunk100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
mode lacp-static
#
interface Eth-Trunk115
port link-type hybrid
port hybrid pvid vlan 500
port hybrid untagged vlan 500
mode lacp-static
#

interface GigabitEthernet1/0/1
eth-trunk 100
#
interface GigabitEthernet2/0/1
eth-trunk 100
#
interface GigabitEthernet1/0/5
eth-trunk 115
#
interface GigabitEthernet2/0/5
eth-trunk 115
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
ospf 1 router-id 6.6.6.6
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
nssa
#
return

● AGG2 configuration file
#
sysname AGG2
#
vlan batch 200 600
#
dhcp enable
#
interface Vlanif200
ip address 10.6.1.2 255.255.255.0
#
interface Vlanif600
ip address 192.168.2.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.6.1.1
#
interface Eth-Trunk102
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
mode lacp-static
#
interface Eth-Trunk116
port link-type hybrid
port hybrid pvid vlan 600
port hybrid untagged vlan 600
mode lacp-static
#
interface GigabitEthernet1/0/1
eth-trunk 102
#
interface GigabitEthernet2/0/1
eth-trunk 102
#
interface GigabitEthernet1/0/5
eth-trunk 116
#
interface GigabitEthernet2/0/5
eth-trunk 116
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
ospf 1 router-id 7.7.7.7
area 0.0.0.2
network 10.6.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255

nssa
#
return

4.5 Deploying IPSec on Firewalls for Secure Communication with the Headquarters
Networking Requirements
Two firewalls at the egress of a branch set up a hot standby group that functions
as the egress gateway of the campus network to filter service traffic that enters
and leaves the campus network, ensuring network security. Two core switches set
up a CSS, which functions as the core of the campus network and as the user
gateway that allocates IP addresses to users. The specific service requirements
are as follows:
● External network users are not allowed to access the internal network.
Internal network users can access the Internet but cannot play online games
or watch online videos.
● The branch and headquarters need to securely communicate with each other
over the Internet.
In this example, two aggregation switches set up a stack named AGG and connect
to core switches, which set up a CSS named CORE. For details about the
networking below the core layer, see 3 Campus Network Connectivity
Deployment.

Figure 4-5 Deploying IPSec on firewalls for secure communication with the
headquarters
[Figure: the headquarters Router (GE1/0/0 toward the Internet, GE2/0/0 toward the headquarters LAN) is reached over IPSec tunnels from the egress firewalls FWA and FWB (GE1/0/0 uplink, GE1/0/3 heartbeat, GE1/0/1 and GE1/0/2 bundled into Eth-Trunk 1). CORE, a CSS at the core layer, connects to the firewalls through GE1/1/1/0, GE1/1/1/1, GE2/1/1/0 and GE2/1/1/1, and to AGG through Eth-Trunk 30 (GE1/2/0/0, GE2/2/0/0). AGG, a stack at the aggregation layer, uses GE1/0/1 and GE2/0/1.]
Device Requirements and Versions

Location          | Device Used in This Example | Version Used in This Example
Egress            | AR6300                      | V300R019C10
Egress            | USG6300E                    | V600R007C00
Core layer        | S12700E                     | V200R019C10
Aggregation layer | S6730-H                     | V200R019C10

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure CSS, stacking, and MAD to improve device reliability. | Core and aggregation switches
2 | Configure Eth-Trunk interfaces to improve link reliability. | Core switches, aggregation switches, and egress firewalls
3 | Configure interfaces, IP addresses, and routing to enable network connectivity. | Core switches, aggregation switches, egress firewalls, and egress router
4 | Configure DHCP to allocate IP addresses to users. | Core switches
5 | Configure VRRP and HRP to improve device reliability. | Egress firewalls
6 | Configure security policies to allow services to pass through firewalls. | Egress firewalls
7 | Configure outbound NAT to enable internal network users to access the Internet. | Egress routers
8 | Configure NAT policies to enable internal network users to access the Internet. | Egress firewalls
9 | Configure attack defense and application behavior control to ensure network security. | Egress firewalls
10 | Configure IPSec VPN to implement secure communication between the branch and headquarters. | Egress firewalls and egress router

Data Plan

Device | Interface Number | Member Interface | VLANIF Interface | IP Address
Router | GE1/0/0 | - | - | 202.2.1.1/24
Router | GE2/0/0 | - | - | 10.10.0.1/24
FWA | GE1/0/0 | - | - | 202.1.1.1/24
FWA | GE1/0/3 | - | - | 10.4.0.1/24
FWA | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.1/24
FWB | GE1/0/0 | - | - | 202.1.1.2/24
FWB | GE1/0/3 | - | - | 10.4.0.2/24
FWB | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.2/24
CORE | Eth-Trunk 10 | GE1/1/1/0, GE2/1/1/1 | VLANIF 20 | 10.3.0.254/24
CORE | Eth-Trunk 20 | GE2/1/1/0, GE1/1/1/1 | VLANIF 20 | 10.3.0.254/24
CORE | Eth-Trunk 30 | GE1/2/0/0, GE2/2/0/0 | VLANIF 30 | 10.5.0.1/24
AGG | Eth-Trunk 30 | GE1/0/1, GE2/0/1 | - | -

Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
1. Configure the firewalls.
# On FWA, create Eth-Trunk 1 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit

# On FWB, create Eth-Trunk 1 to connect FWB to CORE, and add member
interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] eth-trunk 1
[FWB-GigabitEthernet1/0/1] quit

[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] eth-trunk 1
[FWB-GigabitEthernet1/0/2] quit
2. Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member
interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/1/0
[CORE-GigabitEthernet1/1/1/0] eth-trunk 10
[CORE-GigabitEthernet1/1/1/0] quit
[CORE] interface gigabitethernet 2/1/1/1
[CORE-GigabitEthernet2/1/1/1] eth-trunk 10
[CORE-GigabitEthernet2/1/1/1] quit
# On CORE, create Eth-Trunk 20 to connect CORE to FWB, and add member
interfaces to Eth-Trunk 20.
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/1/1/1
[CORE-GigabitEthernet1/1/1/1] eth-trunk 20
[CORE-GigabitEthernet1/1/1/1] quit
[CORE] interface gigabitethernet 2/1/1/0
[CORE-GigabitEthernet2/1/1/0] eth-trunk 20
[CORE-GigabitEthernet2/1/1/0] quit
# On CORE, create Eth-Trunk 30 to connect CORE to AGG, and add member
interfaces to Eth-Trunk 30.
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/2/0/0
[CORE-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-GigabitEthernet1/2/0/0] quit
[CORE] interface gigabitethernet 2/2/0/0
[CORE-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-GigabitEthernet2/2/0/0] quit
3. Configure AGG.
# On AGG, create Eth-Trunk 30 to connect AGG to CORE, and add member
interfaces to Eth-Trunk 30.
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] mode lacp
[AGG-Eth-Trunk30] quit
[AGG] interface gigabitethernet 1/0/1
[AGG-GigabitEthernet1/0/1] eth-trunk 30
[AGG-GigabitEthernet1/0/1] quit
[AGG] interface gigabitethernet 2/0/1
[AGG-GigabitEthernet2/0/1] eth-trunk 30
[AGG-GigabitEthernet2/0/1] quit

Step 3 Configure interfaces, IP addresses, and routing.
1. Configure IP addresses for interfaces.
# Configure IP addresses for interfaces on the router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 202.2.1.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 10.10.0.1 24
[Router-GigabitEthernet2/0/0] quit

# Configure IP addresses for interfaces of FWA, and add the interfaces to
security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/0
[FWA-GigabitEthernet1/0/0] ip address 202.1.1.1 24 //Configure an IP address for the interface connected to the Internet.
[FWA-GigabitEthernet1/0/0] gateway 202.1.1.254
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] ip address 10.4.0.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] ip address 10.3.0.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk1] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWA-zone-isp1] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
# Configure IP addresses for interfaces of FWB, and add the interfaces to
security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/0
[FWB-GigabitEthernet1/0/0] ip address 202.1.1.2 24 //Configure an IP address for the interface connected to the Internet.
[FWB-GigabitEthernet1/0/0] gateway 202.1.1.254
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] ip address 10.4.0.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] ip address 10.3.0.2 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk1] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on CORE.

[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 20 30
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 20
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 20
[CORE-Eth-Trunk20] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type trunk
[CORE-Eth-Trunk30] port trunk allow-pass vlan 30
[CORE-Eth-Trunk30] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif20] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 10.5.0.1 24 //Configure an IP address for the VLANIF interface connected to AGG.
[CORE-Vlanif30] quit

# Configure interfaces on AGG.
[AGG] vlan batch 30
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] port link-type trunk
[AGG-Eth-Trunk30] port trunk allow-pass vlan 30
[AGG-Eth-Trunk30] quit

2. Configure routing.
# Configure a default route on the router and set the next hop to a public IP
address.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254

# Configure OSPF on FWA to advertise the network segments where downlink interfaces belong.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit

# Configure a default route on FWA and set the next hop to a public IP
address.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254

# Configure OSPF on FWB to advertise the network segments where downlink interfaces belong.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit

# Configure a default route on FWB and set the next hop to a public IP
address.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254

# On CORE, configure OSPF to advertise the network segments where uplink and downlink interfaces belong.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255 //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 10.5.0.0 0.0.0.255 //Advertise the network segment connected to AGG.
[CORE-ospf-1-area-0.0.0.0] network 10.6.0.0 0.0.0.255 //Advertise the network segment connected to users.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

# On CORE, configure a default route with the next hop being the VRRP
virtual IP address of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3

Step 4 Configure DHCP on CORE.


[CORE] dhcp enable
[CORE] interface vlanif 30
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] quit

Step 5 Configure VRRP and HRP on the firewalls.


1. Configure VRRP groups.
# On FWA, configure VRRP group 1 on the uplink service interface GE1/0/0,
and set the VRRP group status to active. Configure VRRP group 2 on the
downlink service interface Eth-Trunk 1, and set the VRRP group status to
active.
[FWA] interface GigabitEthernet 1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 202.1.1.3 24 active
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 active
[FWA-Eth-Trunk1] quit

# On FWB, configure VRRP group 1 on the uplink service interface GE1/0/0,
and set the VRRP group status to standby. Configure VRRP group 2 on the
downlink service interface Eth-Trunk 1, and set the VRRP group status to
standby.
[FWB] interface GigabitEthernet 1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 202.1.1.3 24 standby
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 standby
[FWB-Eth-Trunk1] quit

2. Configure HRP.
# On FWA, specify a heartbeat interface and enable HRP.
[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.

# On FWB, specify a heartbeat interface and enable HRP.
[FWB] hrp interface gigabitethernet 1/0/3 remote 10.4.0.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable

Step 6 Configure security policies.

# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be automatically
synchronized to FWB.

HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Prohibit external network users from accessing the internal network.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit

Step 7 Configure outbound NAT.


# Define the data flows that require NAT on the router. If both IPSec and NAT are
configured on an interface, NAT is performed first. Therefore, to prevent NAT from
being performed on IPSec-protected data flows, the ACL rule referenced by NAT
needs to deny these data flows.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 deny ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255 //Define IPSec-protected data flows.
[Router-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255 //Define the data flows that require NAT.
[Router-acl-adv-3000] quit

# Configure NAT on the router.


[Router] interface GigabitEthernet1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3000
[Router-GigabitEthernet1/0/0] quit

Step 8 Configure NAT policies.


# On FWA, create a NAT address pool addressgroup1 (202.10.1.1 to 202.10.1.5).
The NAT address pool configured on FWA will be automatically synchronized to
FWB.
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 202.10.1.1 202.10.1.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit

# Configure source NAT policies to allow internal network users using the IP
address 10.6.0.0/24 to access the Internet through post-NAT public IP addresses. If
both IPSec and NAT are configured on an interface, NAT is performed first.
Therefore, to prevent NAT from being performed on IPSec-protected data flows,
the ACL rule referenced by NAT needs to deny these data flows.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1 //The Internet-facing interface GE1/0/0 is in zone isp1, so the NAT rule must name that zone to match outbound traffic.
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-address 10.10.0.0 24 //Assume that the private IP address of the headquarters is 10.10.0.0/24.
HRP_M[FWA-policy-nat-rule-policy_nat_1] action no-nat
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] rule name policy_nat_2
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-address range 10.6.0.1 10.6.0.127
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp1 //Zone isp1 holds the Internet-facing interface GE1/0/0.
HRP_M[FWA-policy-nat-rule-policy_nat_2] action nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_2] quit

# Contact ISP network administrators to configure routes with the destination
addresses in addressgroup1 and the next hops being the interface addresses of
the firewalls.

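The security policy (Step 6), the router's NAT ACL (Step 7) and the firewall NAT policy (Step 8) are all first-match rule lists evaluated against a flow's zones and addresses. The following Python model, added here and not part of the Huawei document, walks a few constructed flows through those rules so the behaviour described above can be checked before traffic is sent: the ACL wildcard-mask test, first-match security-policy evaluation with the firewall's default deny, and the no-nat exception that keeps IPSec-protected traffic to the headquarters untranslated. Interface, zone, address and rule names are the page's; the sample flows and the 203.0.113.7 destination are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Interface-to-zone mapping from the FWA zone configuration on this page.
# The pseudo-interface "local" stands for the firewall itself (zone local).
ZONE_OF_INTERFACE = {
    "Eth-Trunk1": "trust",           # downlink to CORE
    "GigabitEthernet1/0/0": "isp1",  # uplink to the Internet
    "GigabitEthernet1/0/3": "dmz",   # HRP heartbeat link
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard-mask test: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def acl_lookup(rules, src: str, dst: str) -> str:
    """Walk rules in configuration order; the first hit wins. A rule is
    (action, src_base, src_wild, dst_base, dst_wild); dst_base None = any."""
    for action, sb, sw, db, dw in rules:
        if wildcard_match(src, sb, sw) and (db is None or wildcard_match(dst, db, dw)):
            return action
    return "no-match"


# Router ACL 3000 (Step 7): IPSec-protected flows are denied so that NAT skips
# them; the remaining branch traffic is permitted, i.e. translated.
ROUTER_ACL_3000 = [
    ("deny", "10.10.0.0", "0.0.0.255", "10.6.0.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", None, None),
]


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str                                   # permit, deny, no-nat, nat:<pool>
    src_nets: list = field(default_factory=list)  # CIDR strings; empty = any
    dst_nets: list = field(default_factory=list)
    src_range: Optional[tuple] = None             # (first, last), inclusive

    def matches(self, src_zone, dst_zone, src, dst) -> bool:
        if src_zone not in self.src_zones or dst_zone not in self.dst_zones:
            return False
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if self.src_nets and not any(s in ipaddress.ip_network(n) for n in self.src_nets):
            return False
        if self.dst_nets and not any(d in ipaddress.ip_network(n) for n in self.dst_nets):
            return False
        if self.src_range:
            lo, hi = (ipaddress.IPv4Address(x) for x in self.src_range)
            if not lo <= s <= hi:
                return False
        return True


# Security policy from Step 6 (policy_sec_work from Step 9 only layers an
# application-control profile on the same trust-to-isp1 match).
SECURITY_POLICY = [
    Rule("policy_dmz", {"local", "dmz"}, {"local", "dmz"}, "permit"),
    Rule("trust_to_untrust", {"trust"}, {"isp1"}, "permit", src_nets=["10.6.0.0/24"]),
    Rule("untrust_to_trust", {"isp1"}, {"trust"}, "deny"),
]

# NAT policy from Step 8. GE1/0/0 is in zone isp1, so that is the destination
# zone a NAT rule has to name in order to match outbound traffic at all.
NAT_POLICY = [
    Rule("policy_nat_1", {"trust"}, {"isp1"}, "no-nat",
         src_nets=["10.6.0.0/24"], dst_nets=["10.10.0.0/24"]),
    Rule("policy_nat_2", {"trust"}, {"isp1"}, "nat:addressgroup1",
         src_range=("10.6.0.1", "10.6.0.127")),
]


def first_match(policy, src_zone, dst_zone, src, dst, default):
    """First-match semantics; 'default' applies when no rule hits."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.name, rule.action
    return None, default


def forward(in_if: str, out_if: str, src: str, dst: str) -> dict:
    """Apply the security policy (default deny) and, for permitted flows, the
    NAT policy (default: no translation) to a flow from in_if to out_if."""
    src_zone = ZONE_OF_INTERFACE.get(in_if, "local")
    dst_zone = ZONE_OF_INTERFACE.get(out_if, "local")
    sec = first_match(SECURITY_POLICY, src_zone, dst_zone, src, dst, "deny")
    nat = (None, "no-nat")
    if sec[1] == "permit":
        nat = first_match(NAT_POLICY, src_zone, dst_zone, src, dst, "no-nat")
    return {"security": sec, "nat": nat}


if __name__ == "__main__":
    # Constructed sample flows: user to Internet, user to headquarters, Internet to user.
    print(forward("Eth-Trunk1", "GigabitEthernet1/0/0", "10.6.0.5", "203.0.113.7"))
    print(forward("Eth-Trunk1", "GigabitEthernet1/0/0", "10.6.0.5", "10.10.0.7"))
    print(forward("GigabitEthernet1/0/0", "Eth-Trunk1", "203.0.113.7", "10.6.0.5"))
```

Two results are worth noting. Traffic from 10.6.0.5 to the headquarters is permitted by trust_to_untrust but hits policy_nat_1 first and is left untranslated, which is what lets the IPSec ACL 3001 match it afterwards. A host such as 10.6.0.200 is permitted but matches neither NAT rule, because policy_nat_2 only covers 10.6.0.1 to 10.6.0.127; if the whole 10.6.0.0/24 segment is meant to reach the Internet, the range in policy_nat_2 has to be widened accordingly.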
Step 9 Configure attack defense and application behavior control.
# Configure attack defense.
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic

# Configure application behavior control.

This function requires a license and dynamic installation of the corresponding component package.

# Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit

# Create a time range named working_hours.


HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range all
HRP_M[FWA-time-range-working_hours] quit

# Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to prohibit
HTTP and FTP operations during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit

Step 10 Configure IPSec VPN.


1. Configure ACLs to define IPSec-protected data flows.
# Configure the router.
[Router] acl 3001
[Router-acl-adv-3001] rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
[Router-acl-adv-3001] quit

# Configure the firewalls.


HRP_M[FWA] acl 3001
HRP_M[FWA-acl-adv-3001] rule 5 permit ip source 10.6.0.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
HRP_M[FWA-acl-adv-3001] quit

2. Configure an IPSec proposal.


# Configure the router.
[Router] ipsec authentication sha2 compatible enable
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router-ipsec-proposal-tran1] quit

# Configure the firewalls.


HRP_M[FWA] ipsec proposal tran1
HRP_M[FWA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FWA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
HRP_M[FWA-ipsec-proposal-tran1] quit

3. Configure an IKE proposal.


# Configure the router.
[Router] ike proposal 5
[Router-ike-proposal-5] authentication-method pre-share
[Router-ike-proposal-5] encryption-algorithm aes-128
[Router-ike-proposal-5] authentication-algorithm sha2-256
[Router-ike-proposal-5] dh group14
[Router-ike-proposal-5] quit

# Configure the firewalls.


HRP_M[FWA] ike proposal 5
HRP_M[FWA-ike-proposal-5] authentication-method pre-share
HRP_M[FWA-ike-proposal-5] encryption-algorithm aes-128
HRP_M[FWA-ike-proposal-5] authentication-algorithm sha2-256
HRP_M[FWA-ike-proposal-5] dh group14
HRP_M[FWA-ike-proposal-5] quit

4. Configure IKE peers.


# Configure the router.
[Router] ike peer vpn
[Router-ike-peer-vpn] undo version 2
[Router-ike-peer-vpn] pre-shared-key cipher huawei@123 //The pre-shared key must be identical on both IKE peers (see the firewall configuration below).
[Router-ike-peer-vpn] ike-proposal 5
[Router-ike-peer-vpn] dpd type periodic //Configure periodic dead peer detection (DPD).
[Router-ike-peer-vpn] dpd idle-time 10 //Set the DPD idle time to 10s.
[Router-ike-peer-vpn] quit

# Configure the firewalls.
HRP_M[FWA] ike peer vpn
HRP_M[FWA-ike-peer-vpn] undo version 2
HRP_M[FWA-ike-peer-vpn] pre-shared-key huawei@123
HRP_M[FWA-ike-peer-vpn] ike-proposal 5
HRP_M[FWA-ike-peer-vpn] dpd type periodic
HRP_M[FWA-ike-peer-vpn] dpd idle-time 10
HRP_M[FWA-ike-peer-vpn] remote-address 202.2.1.1
HRP_M[FWA-ike-peer-vpn] quit

5. Configure IPSec policies.


# Configure the router.
[Router] ipsec policy-template use1 10
[Router-ipsec-policy-templet-use1-10] security acl 3001
[Router-ipsec-policy-templet-use1-10] ike-peer vpn
[Router-ipsec-policy-templet-use1-10] proposal tran1
[Router-ipsec-policy-templet-use1-10] quit
[Router] ipsec policy ipsec_vpn 10 isakmp template use1

# Configure the firewalls.


HRP_M[FWA] ipsec policy ipsec_vpn 10 isakmp
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] tunnel local 202.1.1.3 //Use the VRRP virtual IP address of GE1/0/0 so that the tunnel endpoint survives an active/standby switchover.
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] quit

6. Apply an IPSec policy group to an interface.


# Configure the router.
[Router] interface GigabitEthernet1/0/0
[Router-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[Router-GigabitEthernet1/0/0] quit

# Configure the firewalls.


HRP_M[FWA] interface GigabitEthernet1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
HRP_M[FWA-GigabitEthernet1/0/0] quit
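IKE negotiation in Step 10 only succeeds when the proposals on both tunnel ends agree on the same parameters, and a mismatch in any one of them (for instance the DH group) shows up only as a tunnel that never comes up. The following Python check, added here and not part of the Huawei document, parses configuration-file style text for the router and the firewall and reports the parameters that must match. The two snippets carry the values configured above; the third is constructed with a different DH group to show a mismatch being reported. The pre-shared key is deliberately not compared, because a configuration export stores it in ciphered form.

```python
# Router side, as configured in Step 10 (pre-shared key omitted: it is stored
# ciphered in a configuration export and cannot be compared this way).
ROUTER_CFG = """\
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
ike peer vpn
 undo version 2
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
"""

# Firewall side, as configured in Step 10.
FIREWALL_CFG = """\
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
ike peer vpn
 undo version 2
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 202.2.1.1
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
"""

# Constructed variant: someone changed the DH group on one side only.
FIREWALL_CFG_BAD = FIREWALL_CFG.replace(" dh group14", " dh group2")

# Settings that must be identical on both peers, per configuration block.
MUST_MATCH = {
    "ike proposal": ["encryption-algorithm", "authentication-algorithm",
                     "dh", "authentication-method"],
    "ipsec proposal": ["esp encryption-algorithm", "esp authentication-algorithm"],
    "ike peer": ["undo version"],   # both ends must run the same IKE version
}


def parse_blocks(cfg: str) -> dict:
    """Map a block header such as 'ike proposal 5' to its {setting: value}.
    Indented lines belong to the block opened by the last unindented line."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = {}
            continue
        words = raw.split()
        if words[0] in ("undo", "esp", "dpd"):      # two-word keys
            blocks[current][" ".join(words[:2])] = " ".join(words[2:])
        else:
            blocks[current][words[0]] = " ".join(words[1:])
    return blocks


def find_block(blocks: dict, prefix: str):
    """Return (name, settings) of the first block whose header starts with prefix."""
    for name, settings in blocks.items():
        if name.startswith(prefix + " "):
            return name, settings
    return None, {}


def compare_peers(cfg_a: str, cfg_b: str) -> list:
    """List (block, setting, value_a, value_b) for every parameter that differs."""
    blocks_a, blocks_b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    mismatches = []
    for prefix, keys in MUST_MATCH.items():
        _, settings_a = find_block(blocks_a, prefix)
        _, settings_b = find_block(blocks_b, prefix)
        for key in keys:
            if settings_a.get(key) != settings_b.get(key):
                mismatches.append((prefix, key, settings_a.get(key), settings_b.get(key)))
    return mismatches


if __name__ == "__main__":
    print("page config:", compare_peers(ROUTER_CFG, FIREWALL_CFG))
    print("constructed:", compare_peers(ROUTER_CFG, FIREWALL_CFG_BAD))
```

Run against the values from this section the check returns an empty list; against the constructed variant it returns the single differing DH group, which is the kind of discrepancy to look for when display ike sa shows no SA after the policies are applied.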

----End

Verifying the Deployment


# After the preceding configurations are complete, run the display ike sa
command to check information about the security association (SA) established
through IKE negotiation. The following uses the command output of FWA as an
example.
[FWA] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
16 202.2.1.1:500 RD|ST v1:2 IP 202.2.1.1
14 202.2.1.1:500 RD|ST v1:1 IP 202.2.1.1

Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

# Perform ping tests to verify that devices on the private networks of the
headquarters and branch can ping each other successfully. External network users
cannot access the internal network. Internal network users can access the Internet
but cannot play online games or watch online videos.
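The display ike sa output above is what an operator checks after a switchover or a reported VPN outage: the tunnel is healthy only when both the phase 1 SA (v1:1) and the phase 2 SA (v1:2) to the expected peer carry the RD (READY) flag. The following parser, added here and not part of the Huawei document, reads that output and summarises the tunnel state so the check can be scripted. The first sample is the FWA output shown above, re-typed as a constant; the second is constructed to show the case where phase 2 is still negotiating.

```python
import re

# FWA output from the page, re-typed as a constant.
IKE_SA_OUTPUT = """\
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
16 202.2.1.1:500 RD|ST v1:2 IP 202.2.1.1
14 202.2.1.1:500 RD|ST v1:1 IP 202.2.1.1

Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
"""

# Constructed: phase 1 is up, but the phase 2 (IPSec) SA is still negotiating.
IKE_SA_NEGOTIATING = """\
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
17 202.2.1.1:500 NEG v1:2 IP 202.2.1.1
14 202.2.1.1:500 RD|ST v1:1 IP 202.2.1.1

Number of IKE SA : 2
"""

PHASE_RE = re.compile(r"^v(\d):(\d)$")


def parse_ike_sa(text: str) -> list:
    """Return one dict per SA row. SA rows start with a numeric Conn-ID; the
    VPN column is blank for the public instance, so a row has 6 or 7 fields."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue                    # banner, separators, legend, totals
        if len(fields) == 7:
            conn, peer, vpn, flags, phase, rtype, rid = fields
        elif len(fields) == 6:
            conn, peer, flags, phase, rtype, rid = fields
            vpn = None
        else:
            continue
        m = PHASE_RE.match(phase)
        if not m:
            continue
        ip, port = peer.rsplit(":", 1)
        sas.append({"conn_id": int(conn), "peer": ip, "port": int(port), "vpn": vpn,
                    "flags": set(flags.split("|")), "version": int(m.group(1)),
                    "phase": int(m.group(2)), "remote_type": rtype, "remote_id": rid})
    return sas


def tunnel_status(text: str, peer_ip: str) -> dict:
    """Summarise whether the phase 1 and phase 2 SAs to peer_ip are READY."""
    sas = [sa for sa in parse_ike_sa(text) if sa["peer"] == peer_ip]

    def ready(phase: int) -> bool:
        return any(sa["phase"] == phase and "RD" in sa["flags"] for sa in sas)

    return {"phase1_ready": ready(1), "phase2_ready": ready(2), "sa_count": len(sas),
            "negotiating": any("NEG" in sa["flags"] for sa in sas)}


if __name__ == "__main__":
    print(tunnel_status(IKE_SA_OUTPUT, "202.2.1.1"))
    print(tunnel_status(IKE_SA_NEGOTIATING, "202.2.1.1"))
```

On the page's output both phases report READY for peer 202.2.1.1; on the constructed sample phase1_ready is true but phase2_ready is false and negotiating is true, which points at a mismatch in the IPSec proposal or ACL rather than in the IKE proposal or pre-shared key.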

Configuration Files
● Router configuration file
#
sysname Router
#
ipsec authentication sha2 compatible enable
#
acl number 3000
rule 5 deny ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
#
ipsec policy-template use1 10
security acl 3001
ike-peer vpn
proposal tran1
#
ipsec policy ipsec_vpn 10 isakmp template use1
#
interface GigabitEthernet1/0/0
ip address 202.2.1.1 255.255.255.0
ipsec policy ipsec_vpn
nat outbound 3000
#
interface GigabitEthernet2/0/0
ip address 10.10.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254
#
return
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
hrp mirror session enable
#
acl number 3001
rule 5 permit ip source 10.6.0.0 0 destination 10.10.0.0 0
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share

#
ike peer vpn
undo version 2
pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.2.1.1
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
tunnel local 202.1.1.3
#
interface Eth-Trunk1
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 active
anti-ddos flow-statistic enable
gateway 202.1.1.254
ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
section 0 202.10.1.1 202.10.1.5
route enable
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
destination-address 10.10.0.0 mask 255.255.255.0
action nat no-nat
rule name policy_nat_2
source-zone trust
destination-zone isp1
source-address range 10.6.0.1 mask 10.6.0.127
action nat address-group addressgroup1
#
return

● FWB configuration file
#
sysname FWB
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
hrp mirror session enable
#
acl number 3001
rule 5 permit ip source 10.6.0.0 0 destination 10.10.0.0 0
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.2.1.1
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
tunnel local 202.1.1.3
#
interface Eth-Trunk1
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 standby
anti-ddos flow-statistic enable
gateway 202.1.1.254
ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
section 0 202.10.1.1 202.10.1.5
route enable
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
destination-address 10.10.0.0 mask 255.255.255.0
action nat no-nat
rule name policy_nat_2
source-zone trust
destination-zone isp1
source-address range 10.6.0.1 mask 10.6.0.127
action nat address-group addressgroup1
#
return

● CORE configuration file
#
sysname CORE
#
router id 3.3.3.3
#
vlan batch 20 30
#
dhcp enable
#
interface Vlanif20
ip address 10.3.0.254 255.255.255.0
#
interface Vlanif30
ip address 10.5.0.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk20
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 30
mode lacp
#
interface GigabitEthernet1/1/1/0
eth-trunk 10
#
interface GigabitEthernet1/1/1/1
eth-trunk 20
#
interface GigabitEthernet1/2/0/0
eth-trunk 30
#
interface GigabitEthernet2/1/1/0
eth-trunk 20
#
interface GigabitEthernet2/1/1/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet2/2/0/0
eth-trunk 30
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.5.0.0 0.0.0.255
network 10.6.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return

● AGG configuration file
#
sysname AGG
#
vlan batch 30
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 30
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet2/0/1
eth-trunk 30
#
return

4.6 Deploying IPSec on Egress Routers for Communication Between the Headquarters and Branch
Networking Requirements
Two routers (RouterA and RouterB) are deployed at the campus headquarters as
egress routers for redundancy to ensure device reliability. RouterC is deployed in a
branch as an egress router. Two core switches set up a stack to ensure device
reliability. The stack functions as the user gateway to allocate IP addresses to
users. The specific service requirements are as follows:
● Users in department A can access the Internet, whereas users in department B
cannot.
● The headquarters has a web server deployed to provide WWW services so
that external network users can access internal servers.
● The headquarters and branch need to securely communicate through VPNs
over the Internet.
In this example, two access switches (ACC1 and ACC2) connect to core switches,
which set up a stack named CORE. For details about the networking below the
core layer, see 3 Campus Network Connectivity Deployment.

Figure 4-6 Deploying IPSec on egress routers for communication between the
headquarters and branch

[Figure: the branch egress router RouterC (GE1/0/0 towards the Internet,
GE2/0/0 towards the branch LAN) builds IPSec tunnels over the Internet to the
headquarters egress routers RouterA and RouterB (GE1/0/0 each). RouterA and
RouterB connect through Eth-Trunk 1 (GE2/0/0, GE2/0/1) to the core-layer CSS
named CORE (RouterA on GE0/0/3 and GE1/0/3, RouterB on GE0/0/4 and GE1/0/4);
the web server attaches to CORE GE0/0/5. The access-layer switches ACC1 and
ACC2, serving Department A and Department B respectively, connect to CORE
through Eth-Trunk 1 (GE0/0/1, GE0/0/2 on each switch).]

Device Requirements and Versions

Location      Device Used in This Example   Version Used in This Example
Egress        AR6300                        V300R019C10
Core layer    S12700E                       V200R019C10
Access layer  S5735-L                       V200R019C10

Deployment Roadmap

Step  Deployment Roadmap                                          Devices Involved
1     Configure the stacking function to improve device           Core switches
      reliability.
2     Configure Eth-Trunk interfaces to improve link              Core switches, access switches,
      reliability.                                                and egress router at the
                                                                  headquarters
3     Configure interfaces, VLANs, and IP addresses.              Core switches and egress routers
4     Configure VRRP to improve device reliability.               Egress routers at the headquarters
5     Configure routing to enable network connectivity.           Core switches and egress routers
6     Configure DHCP to allocate IP addresses to users.           Core switches
7     Configure outbound NAT to enable users in department A      Egress routers
      to access the Internet.
8     Configure NAT Server to enable external network users to    Egress routers at the headquarters
      access the web server on the internal network.
9     Configure IPSec to implement secure communication           Egress routers
      between the headquarters and branch.

Data Plan

Device      Interface            Member Interface    VLANIF Interface   IP Address
RouterA     GE1/0/0              -                   -                  1.1.1.2/24
            Eth-Trunk 1          GE2/0/0, GE2/0/1    VLANIF 100         10.10.100.2/24
RouterB     GE1/0/0              -                   -                  2.2.2.2/24
            Eth-Trunk 1          GE2/0/0, GE2/0/1    VLANIF 100         10.10.100.3/24
RouterC     GE1/0/0              -                   -                  3.3.3.2/24
            GE2/0/0              -                   -                  10.10.200.1/24
CORE        GE0/0/5              -                   VLANIF 30          10.10.30.1/24
            Eth-Trunk 1          GE0/0/1, GE1/0/1    VLANIF 10          10.10.10.1/24
            Eth-Trunk 2          GE0/0/2, GE1/0/2    VLANIF 20          10.10.20.1/24
            Eth-Trunk 3          GE0/0/3, GE1/0/3    VLANIF 100         10.10.100.4/24
            Eth-Trunk 4          GE0/0/4, GE1/0/4    VLANIF 100         10.10.100.4/24
ACC1        Eth-Trunk 1          GE0/0/1, GE0/0/2    -                  -
ACC2        Eth-Trunk 1          GE0/0/1, GE0/0/2    -                  -
Web server  Ethernet interface   -                   -                  10.10.30.2/24


Deployment Procedure
Step 1 Configure the stacking function on core switches. For details, see 3.4 Typical CSS
and Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
# Configure RouterA. The configuration of RouterB is similar to that of RouterA.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] eth-trunk 1
[RouterA-GigabitEthernet2/0/1] quit

# Configure CORE.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface eth-trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface eth-trunk 3
[CORE-Eth-Trunk3] mode lacp
[CORE-Eth-Trunk3] quit
[CORE] interface eth-trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface gigabitethernet 0/0/1
[CORE-GigabitEthernet0/0/1] eth-trunk 1
[CORE-GigabitEthernet0/0/1] quit
[CORE] interface gigabitethernet 1/0/1
[CORE-GigabitEthernet1/0/1] eth-trunk 1
[CORE-GigabitEthernet1/0/1] quit
[CORE] interface gigabitethernet 0/0/2
[CORE-GigabitEthernet0/0/2] eth-trunk 2
[CORE-GigabitEthernet0/0/2] quit
[CORE] interface gigabitethernet 1/0/2
[CORE-GigabitEthernet1/0/2] eth-trunk 2
[CORE-GigabitEthernet1/0/2] quit
[CORE] interface gigabitethernet 0/0/3
[CORE-GigabitEthernet0/0/3] eth-trunk 3
[CORE-GigabitEthernet0/0/3] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] eth-trunk 3
[CORE-GigabitEthernet1/0/3] quit
[CORE] interface gigabitethernet 0/0/4
[CORE-GigabitEthernet0/0/4] eth-trunk 4
[CORE-GigabitEthernet0/0/4] quit
[CORE] interface gigabitethernet 1/0/4
[CORE-GigabitEthernet1/0/4] eth-trunk 4
[CORE-GigabitEthernet1/0/4] quit

# Configure ACC1. The configuration of ACC2 is similar to that of ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] mode lacp
[ACC1-Eth-Trunk1] quit
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] eth-trunk 1
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] eth-trunk 1
[ACC1-GigabitEthernet0/0/2] quit

Step 3 Configure interfaces, VLANs, and IP addresses.
# Configure RouterC.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 3.3.3.2 24
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ip address 10.10.200.1 24
[RouterC-GigabitEthernet2/0/0] quit

# Configure RouterA. The configuration of RouterB is similar to that of RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.100.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 100 //Configure a single VLAN ID for Dot1q VLAN tag
termination on a sub-interface.
[RouterA-Eth-Trunk1.100] arp broadcast enable //Enable the sub-interface to process ARP broadcast
packets.
[RouterA-Eth-Trunk1.100] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterA-GigabitEthernet1/0/0] quit

# Configure CORE.
[CORE] vlan batch 10 20 30 100
[CORE] interface Eth-Trunk 1
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10
[CORE-Eth-Trunk1] quit
[CORE] interface Eth-Trunk 2
[CORE-Eth-Trunk2] port link-type trunk
[CORE-Eth-Trunk2] port trunk allow-pass vlan 20
[CORE-Eth-Trunk2] quit
[CORE] interface Eth-Trunk 3
[CORE-Eth-Trunk3] port link-type trunk
[CORE-Eth-Trunk3] port trunk allow-pass vlan 100
[CORE-Eth-Trunk3] quit
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] port link-type trunk
[CORE-Eth-Trunk4] port trunk allow-pass vlan 100
[CORE-Eth-Trunk4] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 10.10.10.1 24
[CORE-Vlanif10] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.10.20.1 24
[CORE-Vlanif20] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 10.10.30.1 24
[CORE-Vlanif30] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.10.100.4 24
[CORE-Vlanif100] quit

# Configure ACC1. The configuration of ACC2 is similar to that of ACC1.
[ACC1] vlan 10
[ACC1-vlan10] quit
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] port link-type trunk
[ACC1-Eth-Trunk1] port trunk allow-pass vlan 10
[ACC1-Eth-Trunk1] quit

Step 4 Configure VRRP.
# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120
[RouterA-Eth-Trunk1.100] vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40 //Associate the
VRRP status with the uplink interface of RouterA. If the uplink goes down, the priority of RouterA drops
from 120 to 80, below the default priority 100 of RouterB, so RouterB becomes the master and traffic
is rapidly switched.
[RouterA-Eth-Trunk1.100] quit

# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit

Step 5 Configure routing.
1. Configure default routes to steer uplink traffic of devices.
# On CORE, configure a default route with the next hop being the VRRP
virtual IP address of egress routers.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.10.100.1

# Configure a default route on each egress router of the headquarters and
branch, with the next hop being the IP address of the connected carrier
network device (public network gateway).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[RouterB] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
[RouterC] ip route-static 0.0.0.0 0.0.0.0 3.3.3.1

2. Configure OSPF.
# Configure RouterA.
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit

# Configure RouterB.
[RouterB] ospf 1 router-id 10.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit

# Configure CORE.
[CORE] ospf 1 router-id 10.3.3.3
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit

Step 6 Configure DHCP on CORE.
[CORE] dhcp enable
[CORE] interface vlanif 10
[CORE-Vlanif10] dhcp select interface
[CORE-Vlanif10] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] dhcp select interface
[CORE-Vlanif20] quit

Step 7 Configure outbound NAT.
1. Define the data flows that require NAT on the egress routers.
At the headquarters, only users in department A (source segment 10.10.10.0/24)
can access the Internet. In the branch, all users (source segment
10.10.200.0/24) can access the Internet. If both IPSec and NAT are configured
on an interface, NAT is performed first on outbound packets, and a translated
packet no longer matches the IPSec ACL and would leave the interface
unprotected. To prevent NAT from being performed on IPSec-protected data
flows, the ACL referenced by NAT must deny these flows, and the deny rules must
precede the permit rule, because ACL rules are matched in order and the first
matching rule wins.
# Configure RouterA. The configuration of RouterB is similar to that of
RouterA.
[RouterA] acl 3000
[RouterA-acl-adv-3000] rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0
0.0.0.255 //Define IPSec-protected data flows.
[RouterA-acl-adv-3000] rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0
0.0.0.255 //Define IPSec-protected data flows.
[RouterA-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255 //Define the data flows
that require NAT.
[RouterA-acl-adv-3000] quit

# Configure RouterC.
[RouterC] acl 3000
[RouterC-acl-adv-3000] rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0
0.0.0.255 //Define IPSec-protected data flows.
[RouterC-acl-adv-3000] rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0
0.0.0.255 //Define IPSec-protected data flows.
[RouterC-acl-adv-3000] rule 15 permit ip source 10.10.200.0 0.0.0.255 //Define the data flows
that require NAT.
[RouterC-acl-adv-3000] quit
2. Configure NAT on the uplink interfaces of the egress routers.
# Configure RouterA. The configurations of RouterB and RouterC are similar
to that of RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat outbound 3000
[RouterA-GigabitEthernet1/0/0] quit
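Because the NAT ACL and the IPSec ACL are maintained separately, it is easy to add an IPSec-protected subnet later and forget the matching deny in ACL 3000. The following script is added here as an editorial example; it is not part of the Huawei document or of any Huawei tool. It parses the two ACLs as configured on RouterA above (ACL 3000 from this step, ACL 3001 from the IPSec step) and reports any IPSec-protected flow that nat outbound would translate before the IPSec policy sees it. The rule grammar it accepts is limited to the "rule N permit|deny ip source A W [destination B W]" form used on this page, wildcard masks are assumed to be contiguous, and BROKEN_NAT_ACL is a constructed counter-example with the deny rules left out.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: ACL 3000 (referenced by nat outbound) and ACL 3001
# (referenced by the IPSec policy) exactly as configured on RouterA in this example.
ROUTER_A_NAT_ACL = """
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
"""
ROUTER_A_IPSEC_ACL = """
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
"""
# Constructed counter-example (not from the page): the NAT ACL without the deny rules.
BROKEN_NAT_ACL = "rule 15 permit ip source 10.10.10.0 0.0.0.255\n"

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<smask>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dmask>\S+))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: Optional[str], wildcard: Optional[str]) -> ipaddress.IPv4Network:
    """Convert a VRP 'address wildcard' pair to a network; an absent address means any."""
    if addr is None:
        return ipaddress.IPv4Network("0.0.0.0/0")
    # Wildcard bits set to 0 are significant, so the netmask is the bitwise inverse.
    # A non-contiguous wildcard cannot be expressed as a prefix and raises ValueError.
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule ...' lines into Rule objects, ordered by rule ID (the match order here)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append(Rule(int(m["id"]), m["action"],
                          wildcard_to_network(m["src"], m["smask"]),
                          wildcard_to_network(m["dst"], m["dmask"])))
    return sorted(rules, key=lambda r: r.rule_id)


def first_nat_permit(nat_rules: List[Rule], flow: Rule) -> Optional[Rule]:
    """Return the NAT rule that would translate (part of) the flow, or None.

    ACLs are first-match: a deny that fully contains the flow before any overlapping
    permit exempts it; an overlapping permit reached first means at least some packets
    of the flow are translated. A deny that covers only part of the flow is treated
    conservatively, so a later overlapping permit is still reported.
    """
    for r in nat_rules:
        if not (r.src.overlaps(flow.src) and r.dst.overlaps(flow.dst)):
            continue
        if r.action == "deny" and flow.src.subnet_of(r.src) and flow.dst.subnet_of(r.dst):
            return None
        if r.action == "permit":
            return r
    return None


def check_nat_exemptions(nat_acl: str, ipsec_acl: str) -> List[str]:
    """List IPSec-protected flows that 'nat outbound' would translate before IPSec."""
    nat_rules = parse_acl(nat_acl)
    problems = []
    for flow in parse_acl(ipsec_acl):
        if flow.action != "permit":
            continue
        hit = first_nat_permit(nat_rules, flow)
        if hit is not None:
            problems.append(
                f"IPSec flow {flow.src} -> {flow.dst} (rule {flow.rule_id}) is translated "
                f"by NAT rule {hit.rule_id}; add a deny for it before rule {hit.rule_id}"
            )
    return problems


if __name__ == "__main__":
    print("RouterA as configured:", check_nat_exemptions(ROUTER_A_NAT_ACL, ROUTER_A_IPSEC_ACL) or "OK")
    for problem in check_nat_exemptions(BROKEN_NAT_ACL, ROUTER_A_IPSEC_ACL):
        print("Broken NAT ACL:", problem)
```

Run it against the ACLs copied from the running configuration of each egress router whenever an IPSec security ACL changes; an empty result means every protected flow is exempted from NAT before the permit rule is reached.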

Step 8 Configure NAT Server.
# Configure RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit

Step 9 Configure IPSec VPN.
1. Configure ACLs to define IPSec-protected data flows.
# Configure RouterA.
[RouterA] acl 3001
[RouterA-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
[RouterA-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
[RouterA-acl-adv-3001] quit
# Configure RouterB.
[RouterB] acl 3001
[RouterB-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
[RouterB-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
[RouterB-acl-adv-3001] quit
# Configure RouterC.
[RouterC] acl 3001
[RouterC-acl-adv-3001] rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0
0.0.0.255
[RouterC-acl-adv-3001] rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0
0.0.0.255
[RouterC-acl-adv-3001] quit
2. Configure an IPSec proposal.
# Configure RouterA. The configurations of RouterB and RouterC are similar
to that of RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit
3. Configure an IKE proposal.
# Configure RouterA. The configurations of RouterB and RouterC are similar
to that of RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit

4. Configure IKE peers.
# Configure RouterA.
[RouterA] ike peer vpn
[RouterA-ike-peer-vpn] undo version 2 //Disable IKEv2 on this peer so that only IKEv1 is negotiated (the display ike sa output in the verification step shows v1 SAs accordingly).
[RouterA-ike-peer-vpn] pre-shared-key cipher huawei123 //huawei123 is a placeholder; use a long random key in production. The same key must be configured on RouterC.
[RouterA-ike-peer-vpn] ike-proposal 5
[RouterA-ike-peer-vpn] dpd type periodic //Configure DPD.
[RouterA-ike-peer-vpn] dpd idle-time 10 //Set the DPD idle time to 10s.
[RouterA-ike-peer-vpn] remote-address 3.3.3.2
[RouterA-ike-peer-vpn] quit

# Configure RouterB.
[RouterB] ike peer vpn
[RouterB-ike-peer-vpn] undo version 2
[RouterB-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterB-ike-peer-vpn] ike-proposal 5
[RouterB-ike-peer-vpn] dpd type periodic
[RouterB-ike-peer-vpn] dpd idle-time 10
[RouterB-ike-peer-vpn] remote-address 3.3.3.2
[RouterB-ike-peer-vpn] quit

# Configure RouterC.
[RouterC] ike peer vpnr1
[RouterC-ike-peer-vpnr1] undo version 2
[RouterC-ike-peer-vpnr1] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr1] ike-proposal 5
[RouterC-ike-peer-vpnr1] dpd type periodic
[RouterC-ike-peer-vpnr1] dpd idle-time 10
[RouterC-ike-peer-vpnr1] remote-address 1.1.1.2
[RouterC-ike-peer-vpnr1] quit
[RouterC] ike peer vpnr2
[RouterC-ike-peer-vpnr2] undo version 2
[RouterC-ike-peer-vpnr2] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr2] ike-proposal 5
[RouterC-ike-peer-vpnr2] dpd type periodic
[RouterC-ike-peer-vpnr2] dpd idle-time 10
[RouterC-ike-peer-vpnr2] remote-address 2.2.2.2
[RouterC-ike-peer-vpnr2] quit

5. Configure security policies.
# Configure RouterA.
[RouterA] ipsec policy ipsec_vpn 10 isakmp
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterB.
[RouterB] ipsec policy ipsec_vpn 10 isakmp
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterC.
[RouterC] ipsec policy ipsec_vpn 10 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpnr1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] quit
[RouterC] ipsec policy ipsec_vpn 20 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] ike-peer vpnr2
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] quit
6. Apply an IPSec policy group to an interface.
# Apply an IPSec policy group to an interface of RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterA-GigabitEthernet1/0/0] quit
# Apply an IPSec policy group to an interface of RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterB-GigabitEthernet1/0/0] quit
# Apply an IPSec policy group to an interface of RouterC.
[RouterC] interface GigabitEthernet1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterC-GigabitEthernet1/0/0] quit

----End

Verifying the Deployment
# After the preceding configurations are complete, run the display ike sa
command to check the security associations (SAs) established through IKE
negotiation. For each peer, two entries with the RD (ready) flag are expected:
the IKE SA (Phase 1, shown as v1:1) and the IPSec SA (Phase 2, shown as v1:2).
The following uses the command output of RouterA as an example.
[RouterA] display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
16 3.3.3.2:500 RD|ST v1:2 IP 3.3.3.2
14 3.3.3.2:500 RD|ST v1:1 IP 3.3.3.2

Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

# Perform ping tests to verify that devices on the private networks of the
headquarters and branch can ping each other successfully. Users in department A
(10.10.10.0/24) can access the Internet, whereas users in department B
(10.10.20.0/24) cannot, because only 10.10.10.0/24 is permitted by NAT ACL 3000.
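For an operations check, the display ike sa table can be parsed so that a monitoring job distinguishes a fully established tunnel from one that is stuck after Phase 1. The following script is an added example and not part of the Huawei document. It parses the RouterA output shown above and a constructed RouterC output (assumed, not from the page) in which the tunnel to RouterB has only its IKE SA, and classifies each expected peer. It assumes the column layout shown above, with an empty VPN column, and evaluates only the RD flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Output of 'display ike sa' on RouterA, copied from the verification step above.
ROUTER_A_IKE_SA = """
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
16 3.3.3.2:500 RD|ST v1:2 IP 3.3.3.2
14 3.3.3.2:500 RD|ST v1:1 IP 3.3.3.2

Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
"""

# Constructed output for RouterC (not from the page): the tunnel to RouterA is up,
# but the tunnel to RouterB has only its Phase 1 SA.
ROUTER_C_IKE_SA_DEGRADED = """
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
20 1.1.1.2:500 RD|ST v1:2 IP 1.1.1.2
18 1.1.1.2:500 RD|ST v1:1 IP 1.1.1.2
22 2.2.2.2:500 RD|ST v1:1 IP 2.2.2.2

Number of IKE SA : 3
"""

PHASE_RE = re.compile(r"^v(?P<version>[12]):(?P<phase>[12])$")


@dataclass(frozen=True)
class IkeSa:
    conn_id: int
    peer: str
    vpn: str
    flags: frozenset
    version: int
    phase: int
    remote_id: str


def parse_ike_sa(output: str) -> List[IkeSa]:
    """Parse the table rows of 'display ike sa'; banner, header and legend lines are skipped."""
    sas = []
    for line in output.splitlines():
        tokens = line.split()
        # Data rows start with a numeric Conn-ID and end with Flag(s) Phase RemoteType RemoteID.
        if len(tokens) < 6 or not tokens[0].isdigit():
            continue
        flags, phase, _remote_type, remote_id = tokens[-4:]
        m = PHASE_RE.match(phase)
        if not m:
            continue
        vpn = tokens[2] if len(tokens) == 7 else ""  # VPN column is empty in this example
        sas.append(IkeSa(int(tokens[0]), tokens[1], vpn, frozenset(flags.split("|")),
                         int(m["version"]), int(m["phase"]), remote_id))
    return sas


def tunnel_status(sas: List[IkeSa], expected_peers: List[str]) -> Dict[str, str]:
    """Classify each expected peer: 'up' requires a ready Phase 1 and a ready Phase 2 SA."""
    status = {}
    for peer in expected_peers:
        ready_phases = {sa.phase for sa in sas if sa.remote_id == peer and "RD" in sa.flags}
        if {1, 2} <= ready_phases:
            status[peer] = "up"
        elif 1 in ready_phases:
            # IKE negotiation succeeded but no IPSec SA exists: typically no interesting
            # traffic yet, or a mismatch in the security ACL or IPSec proposal.
            status[peer] = "phase1-only"
        else:
            status[peer] = "down"
    return status


if __name__ == "__main__":
    print("RouterA:", tunnel_status(parse_ike_sa(ROUTER_A_IKE_SA), ["3.3.3.2"]))
    print("RouterC:", tunnel_status(parse_ike_sa(ROUTER_C_IKE_SA_DEGRADED), ["1.1.1.2", "2.2.2.2"]))
```

On RouterC the expected peers are 1.1.1.2 and 2.2.2.2, so a "phase1-only" or "down" result for either one points at the corresponding ike peer, security ACL or proposal rather than at the whole VPN configuration.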

Configuration Files
● RouterA configuration file
#
sysname RouterA
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
vrrp vrid 1 priority 120
vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return

● RouterB configuration file
#
sysname RouterB
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 2.2.2.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
#
return

● CORE configuration file
#
sysname CORE
#
vlan batch 10 20 30 100
#
dhcp enable
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif20
ip address 10.10.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface Vlanif100
ip address 10.10.100.4 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 2
#
interface GigabitEthernet0/0/3
eth-trunk 3
#
interface GigabitEthernet0/0/4
eth-trunk 4
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 2
#
interface GigabitEthernet1/0/3
eth-trunk 3
#
interface GigabitEthernet1/0/4
eth-trunk 4
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return

● ACC1 configuration file
#
sysname ACC1
#
vlan batch 10
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return

● ACC2 configuration file
#
sysname ACC2
#
vlan batch 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return
● RouterC configuration file
#
sysname RouterC
#
acl number 3000
rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpnr1
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 1.1.1.2
#
ike peer vpnr2
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 2.2.2.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpnr1
proposal tran1
#
ipsec policy ipsec_vpn 20 isakmp
security acl 3001
ike-peer vpnr2
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 3.3.3.2 255.255.255.0
ipsec policy ipsec_vpn
nat outbound 3000
#
interface GigabitEthernet2/0/0
ip address 10.10.200.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
#
return

4.7 Connecting an Egress Router in a Branch to the


Headquarters Through a Private Line

Networking Requirements
Two firewalls in a campus branch form a hot standby (HSB) group that functions
as the egress gateway of the campus network and connects to the Internet,
filtering the service traffic that enters and leaves the campus network. In
addition, a router functions as a second egress gateway and connects to the
headquarters through a private line. Two core switches set up a CSS, which is
the core of the campus network and the user gateway that allocates IP
addresses to users. The specific service requirements are as follows:
● Internal network users can access Internet resources but cannot play online
games or watch online videos.
● External network users are prohibited from accessing the internal network.
In this example, two aggregation switches set up a stack named AGG and connect
to the core switches, which set up a CSS named CORE. For details about the
networking below the core layer, see 3 Campus Network Connectivity
Deployment.

Figure 4-7 Connecting an egress router in a branch to the headquarters through a
private line

[Figure not reproduced in text. Topology shown: the egress firewalls FWA and FWB
form an HSB pair (heartbeat link on GE1/0/3, Internet uplinks on GE1/0/0) and the
egress Router connects to the headquarters over the private line on GE3/0/0; each
of the three egress devices connects downward to the core-layer CSS CORE through
an Eth-Trunk (FWA/FWB Eth-Trunk 1 on GE1/0/1 and GE1/0/2, Router Eth-Trunk 40);
CORE connects to the aggregation-layer stack AGG through Eth-Trunk 30 (GE1/2/0/0
and GE2/2/0/0 on CORE, GE1/0/1 and GE2/0/1 on AGG). Interface assignments are
listed in the Data Plan below.]

Device Requirements and Versions

Location            Device Used in This Example   Version Used in This Example
Egress              USG6300E                      V600R007C00
                    AR6300                        V300R019C10
Core layer          S12700E                       V200R019C10
Aggregation layer   S6730-H                       V200R019C10

Deployment Roadmap

Step   Deployment Roadmap                                                        Devices Involved
1      Configure CSS, stacking, and MAD to improve device reliability.           Core and aggregation switches
2      Configure Eth-Trunk interfaces to improve link reliability.               Core switches, aggregation switches, and egress firewalls
3      Configure IP addresses and routing to enable network connectivity.        Core switches, aggregation switches, and egress firewalls
4      Configure DHCP to allocate IP addresses to users.                         Core switches
5      Configure VRRP and HRP to improve device reliability.                     Egress firewalls
6      Configure security policies to allow services to pass through firewalls. Egress firewalls
7      Configure NAT policies to enable internal network users to access the    Egress firewalls
       Internet.
8      Configure attack defense and application behavior control to ensure      Egress firewalls
       network security.
9      Configure IPSec VPN to implement secure communication between the        Egress router
       branch and headquarters.

Data Plan

Device   Interface Number   Member Interface         VLANIF Interface   IP Address
FWA      GE1/0/0            -                        -                  202.1.1.1/24
         GE1/0/3            -                        -                  10.4.0.1/24
         Eth-Trunk 1        GE1/0/1, GE1/0/2         -                  10.3.0.1/24
FWB      GE1/0/0            -                        -                  202.1.1.2/24
         GE1/0/3            -                        -                  10.4.0.2/24
         Eth-Trunk 1        GE1/0/1, GE1/0/2         -                  10.3.0.2/24
Router   GE3/0/0            -                        -                  10.7.0.1/24
         Eth-Trunk 40       GE1/0/0, GE2/0/0         -                  10.8.0.254/24
CORE     Eth-Trunk 10       GE1/1/1/0, GE2/1/1/1     VLANIF 20          10.3.0.254/24
         Eth-Trunk 20       GE2/1/1/0, GE1/1/1/1     VLANIF 20          (shared with Eth-Trunk 10)
         Eth-Trunk 30       GE1/2/0/0, GE2/2/0/0     VLANIF 40          10.6.0.1/24
         Eth-Trunk 40       XGE1/6/0/1, XGE2/6/0/1   VLANIF 50          10.8.0.1/24
AGG      Eth-Trunk 30       GE1/0/1, GE2/0/1         -                  -

Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.

Step 2 Configure Eth-Trunk interfaces.
1. Configure the firewalls.
# On FWA, create Eth-Trunk 1 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit

# On FWB, create Eth-Trunk 1 to connect FWB to CORE, and add member
interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] eth-trunk 1
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] eth-trunk 1
[FWB-GigabitEthernet1/0/2] quit

2. Configure the egress router.
# On the router, create Eth-Trunk 40 to connect the router to CORE, and add
member interfaces to Eth-Trunk 40.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] mode lacp-static
[Router-Eth-Trunk40] quit
[Router] interface XGigabitethernet 1/0/0
[Router-XGigabitEthernet1/0/0] eth-trunk 40
[Router-XGigabitEthernet1/0/0] quit
[Router] interface XGigabitethernet 2/0/0
[Router-XGigabitEthernet2/0/0] eth-trunk 40
[Router-XGigabitEthernet2/0/0] quit

3. Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member
interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/1/0
[CORE-GigabitEthernet1/1/1/0] eth-trunk 10
[CORE-GigabitEthernet1/1/1/0] quit
[CORE] interface gigabitethernet 2/1/1/1
[CORE-GigabitEthernet2/1/1/1] eth-trunk 10
[CORE-GigabitEthernet2/1/1/1] quit

# On CORE, create Eth-Trunk 20 to connect CORE to FWB, and add member
interfaces to Eth-Trunk 20.
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/1/1/1
[CORE-GigabitEthernet1/1/1/1] eth-trunk 20
[CORE-GigabitEthernet1/1/1/1] quit
[CORE] interface gigabitethernet 2/1/1/0
[CORE-GigabitEthernet2/1/1/0] eth-trunk 20
[CORE-GigabitEthernet2/1/1/0] quit

# On CORE, create Eth-Trunk 30 to connect CORE to AGG, and add member
interfaces to Eth-Trunk 30.
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/2/0/0
[CORE-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-GigabitEthernet1/2/0/0] quit
[CORE] interface gigabitethernet 2/2/0/0
[CORE-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-GigabitEthernet2/2/0/0] quit

# On CORE, create Eth-Trunk 40 to connect CORE to the router, and add
member interfaces to Eth-Trunk 40.
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] mode lacp
[CORE-Eth-Trunk40] quit
[CORE] interface xgigabitethernet 1/6/0/1
[CORE-XGigabitEthernet1/6/0/1] eth-trunk 40
[CORE-XGigabitEthernet1/6/0/1] quit
[CORE] interface xgigabitethernet 2/6/0/1
[CORE-XGigabitEthernet2/6/0/1] eth-trunk 40
[CORE-XGigabitEthernet2/6/0/1] quit

4. Configure AGG.
# On AGG, create Eth-Trunk 30 to connect AGG to CORE, and add member
interfaces to Eth-Trunk 30.
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] mode lacp
[AGG-Eth-Trunk30] quit
[AGG] interface gigabitethernet 1/0/1
[AGG-GigabitEthernet1/0/1] eth-trunk 30
[AGG-GigabitEthernet1/0/1] quit
[AGG] interface gigabitethernet 2/0/1
[AGG-GigabitEthernet2/0/1] eth-trunk 30
[AGG-GigabitEthernet2/0/1] quit

Step 3 Configure IP addresses and routing.
1. Configure IP addresses for interfaces.
# Configure IP addresses for interfaces of FWA, and add the interfaces to
security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used
as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/0
[FWA-GigabitEthernet1/0/0] ip address 202.1.1.1 24 //Configure an IP address for the interface
connected to the Internet.
[FWA-GigabitEthernet1/0/0] gateway 202.1.1.254
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] ip address 10.4.0.1 24 //Configure an IP address for the heartbeat
interface.
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] ip address 10.3.0.1 24 //Configure an IP address for the Eth-Trunk interface
connected to CORE.
[FWA-Eth-Trunk1] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet
to the security zone isp1.
[FWA-zone-isp1] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit

# Configure IP addresses for interfaces of FWB, and add the interfaces to
security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used
as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/0
[FWB-GigabitEthernet1/0/0] ip address 202.1.1.2 24 //Configure an IP address for the interface
connected to the Internet.
[FWB-GigabitEthernet1/0/0] gateway 202.1.1.254
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] ip address 10.4.0.2 24 //Configure an IP address for the heartbeat
interface.
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] ip address 10.3.0.2 24 //Configure an IP address for the Eth-Trunk interface
connected to CORE.
[FWB-Eth-Trunk1] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet
to the security zone isp1.
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on the router.
[Router] interface loopback 0
[Router-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the router ID of the router.
[Router-LoopBack0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.7.0.1 24 //Configure an IP address for the interface connected to the Internet.
[Router-GigabitEthernet3/0/0] quit
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] ip address 10.8.0.254 24 //Configure an IP address for the interface connected to CORE.
[Router-Eth-Trunk40] quit
# Configure IP addresses for interfaces on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 20 40 50
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 20
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 20
[CORE-Eth-Trunk20] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type trunk
[CORE-Eth-Trunk30] port trunk allow-pass vlan 40
[CORE-Eth-Trunk30] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type trunk
[CORE-Eth-Trunk40] port trunk pvid vlan 50
[CORE-Eth-Trunk40] port trunk allow-pass vlan 50
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif20] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 10.6.0.1 24 //Configure an IP address for the VLANIF interface connected to AGG.
[CORE-Vlanif40] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 10.8.0.1 24 //Configure an IP address for the VLANIF interface connected to the router.
[CORE-Vlanif50] quit
# Configure interfaces on AGG.
[AGG] vlan batch 40
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] port link-type trunk
[AGG-Eth-Trunk30] port trunk allow-pass vlan 40
[AGG-Eth-Trunk30] quit

2. Configure routing.
# Configure OSPF on FWA to advertise the network segments where
downlink interfaces belong.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit

# Configure a default route on FWA and set the next hop to a public IP
address.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254

# Configure OSPF on FWB to advertise the network segments where downlink
interfaces belong.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit

# Configure a default route on FWB and set the next hop to a public IP
address.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254

# Configure OSPF on the router to advertise the network segments where
uplink and downlink interfaces belong.
[Router] ospf 1 router-id 4.4.4.4
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] network 10.7.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit

# On CORE, configure OSPF to advertise the network segments where uplink
and downlink interfaces belong.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255 //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 10.5.0.0 0.0.0.255 //Advertise the network segment connected to AGG.
[CORE-ospf-1-area-0.0.0.0] network 10.6.0.0 0.0.0.255 //Advertise the network segment connected to users.
[CORE-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255 //Advertise the network segment connected to the router.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

# On CORE, configure a default route with the next hop being the VRRP
virtual IP address of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3

Step 4 Configure DHCP on CORE.


[CORE] dhcp enable
[CORE] interface vlanif 40
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] quit

Step 5 Configure VRRP and HRP on the firewalls.


1. Configure VRRP groups.
# On FWA, configure VRRP group 1 on the uplink service interface GE1/0/0,
and set the VRRP group status to active. Configure VRRP group 2 on the
downlink service interface Eth-Trunk 1, and set the VRRP group status to
active.
[FWA] interface GigabitEthernet 1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 202.1.1.3 24 active
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 active
[FWA-Eth-Trunk1] quit
# On FWB, configure VRRP group 1 on the uplink service interface GE1/0/0,
and set the VRRP group status to standby. Configure VRRP group 2 on the
downlink service interface Eth-Trunk 1, and set the VRRP group status to
standby.
[FWB] interface GigabitEthernet 1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 202.1.1.3 24 standby
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 standby
[FWB-Eth-Trunk1] quit
2. Configure HRP.
# On FWA, specify a heartbeat interface and enable HRP.
[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.
# On FWB, specify a heartbeat interface and enable HRP.
[FWB] hrp interface gigabitethernet 1/0/3 remote 10.4.0.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable

Step 6 Configure security policies.


# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be automatically
synchronized to FWB.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Prohibit external network users from accessing the internal network.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit

Step 7 Configure NAT policies.


# On FWA, create a NAT address pool addressgroup1 (202.10.1.1 to 202.10.1.5).
The NAT address pool configured on FWA will be automatically synchronized to
FWB.
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 202.10.1.1 202.10.1.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit

# Configure source NAT policies to allow internal network users on the
10.6.0.0/24 network segment to access the Internet through post-NAT public IP addresses.
HRP_M[FWA] nat-policy //Enter the NAT policy view before creating the rule.
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 10.6.0.1 10.6.0.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone untrust
HRP_M[FWA-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit

# Contact ISP network administrators to configure routes with the destination
addresses in addressgroup1 and the next hops being the interface addresses of
the firewalls.
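Security policies (Step 6) and NAT policies (Step 7) are both evaluated top-down with the first matching rule winning, and a flow only reaches the Internet with a public address if it is permitted by the former and translated by the latter. The Python checker below is an added example, not part of the Huawei guide or its devices' tooling: it parses the two policy blocks as printed in the FWA configuration file of this section (constructed here as a string, with the zone names and address ranges exactly as on the page), evaluates flows with first-match semantics, and lists the trust-to-isp1 source addresses the security policy permits but no NAT rule covers, first honouring the NAT rule's zone clauses and then ignoring them to compare the address ranges alone.

```python
"""Added example (not from the Huawei guide): parse this section's security-policy
and nat-policy blocks, evaluate flows first-match, and list untranslated sources."""
import ipaddress

# Constructed sample: the FWA policy blocks of this section, values as printed there.
FWA_POLICY_TEXT = """\
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  source-address range 10.6.0.1 10.6.0.127
  action nat address-group addressgroup1
#
"""

def parse_address(tokens):
    """One source-address clause as an inclusive (first, last) integer range;
    accepts 'A.B.C.D mask M', 'A.B.C.D prefixlen' and 'range A B'."""
    if tokens[0] == "range":
        return int(ipaddress.ip_address(tokens[1])), int(ipaddress.ip_address(tokens[2]))
    mask = tokens[2] if tokens[1] == "mask" else tokens[1]
    net = ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_policies(text):
    """Return {'security-policy': [rule...], 'nat-policy': [rule...]}, each rule a dict;
    clauses this checker does not model (time-range, profile, ...) are skipped."""
    sections, current, rule = {}, None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "#":          # '#' closes a config block
            current, rule = None, None
        elif tokens[0] in ("security-policy", "nat-policy"):
            current = sections.setdefault(tokens[0], [])
        elif current is not None and tokens[:2] == ["rule", "name"]:
            rule = {"name": tokens[2], "src_zones": set(), "dst_zones": set(),
                    "src_addrs": [], "action": ""}
            current.append(rule)
        elif rule is not None and tokens[0] == "source-zone":
            rule["src_zones"].add(tokens[1])
        elif rule is not None and tokens[0] == "destination-zone":
            rule["dst_zones"].add(tokens[1])
        elif rule is not None and tokens[0] == "source-address":
            rule["src_addrs"].append(parse_address(tokens[1:]))
        elif rule is not None and tokens[0] == "action":
            rule["action"] = " ".join(tokens[1:])
    return sections

def rule_matches(rule, src_zone, dst_zone, ip, check_zones=True):
    """A rule without a zone or address clause matches any zone or address."""
    if check_zones and ((rule["src_zones"] and src_zone not in rule["src_zones"]) or
                        (rule["dst_zones"] and dst_zone not in rule["dst_zones"])):
        return False
    return not rule["src_addrs"] or any(lo <= ip <= hi for lo, hi in rule["src_addrs"])

def first_match(rules, src_zone, dst_zone, src_ip, default="deny"):
    """First matching rule wins; the security policy denies anything unmatched."""
    ip = int(ipaddress.ip_address(src_ip))
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, ip):
            return rule["name"], rule["action"]
    return None, default

def untranslated_sources(policies, src_zone, dst_zone, ignore_nat_zones=False):
    """Dotted (first, last) ranges that the security policy permits from src_zone to
    dst_zone but no 'nat' rule covers; ignore_nat_zones skips the NAT zone clauses."""
    sec, nat = policies.get("security-policy", []), policies.get("nat-policy", [])
    candidates = {ip for r in sec if src_zone in r["src_zones"] and dst_zone in r["dst_zones"]
                  for lo, hi in r["src_addrs"] for ip in range(lo, hi + 1)}
    ranges = []
    for ip in sorted(candidates):
        if first_match(sec, src_zone, dst_zone, str(ipaddress.ip_address(ip)))[1] != "permit":
            continue
        if any(r["action"].startswith("nat ") and
               rule_matches(r, src_zone, dst_zone, ip, not ignore_nat_zones) for r in nat):
            continue                               # some NAT rule translates it
        if ranges and ranges[-1][1] == ip - 1:     # extend the current gap
            ranges[-1][1] = ip
        else:
            ranges.append([ip, ip])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in ranges]
```

Run on the text as printed, the checker reports the whole 10.6.0.0/24 as untranslated while NAT zones are honoured (the NAT rule is scoped to destination-zone untrust, the security rule to isp1), and 10.6.0.0 plus 10.6.0.128 to 10.6.0.255 when only the address ranges are compared.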
Step 8 Configure attack defense and application behavior control.
# Configure attack defense.
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic

# Configure application behavior control.
This function requires a license and dynamic installation of the corresponding component
package.

# Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit

# Create a time range named working_hours.
HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range all
HRP_M[FWA-time-range-working_hours] quit

# Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to prohibit
HTTP and FTP operations during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit

----End

Verifying the Deployment


# Perform ping tests to verify that devices on the private networks of the
headquarters and branch can ping each other successfully. External network users
cannot access the internal network. Internal network users can access the Internet
but cannot play online games or watch online videos.

Configuration Files
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
hrp mirror session enable
#
interface Eth-Trunk1
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 active
anti-ddos flow-statistic enable
gateway 202.1.1.254
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address range 10.6.0.1 10.6.0.127
action nat address-group addressgroup1
#
return

● FWB configuration file
#
sysname FWB
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
hrp mirror session enable
#
interface Eth-Trunk1
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 standby
anti-ddos flow-statistic enable
gateway 202.1.1.254
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address range 10.6.0.1 10.6.0.127
action nat address-group addressgroup1
#
return

● Router configuration file
#
sysname Router
#
interface Eth-Trunk40
undo portswitch
ip address 10.8.0.254 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/0
eth-trunk 40
#
interface GigabitEthernet2/0/0
eth-trunk 40
#
interface GigabitEthernet3/0/0
ip address 10.7.0.1 255.255.255.0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 10.7.0.0 0.0.0.255
network 10.8.0.0 0.0.0.255
#
return

● CORE configuration file
#
sysname CORE
#
router id 3.3.3.3
#
vlan batch 10 20 40 50
#
dhcp enable
#
interface Vlanif20
ip address 10.3.0.254 255.255.255.0
#
interface Vlanif40
ip address 10.6.0.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 10.8.0.1 255.255.255.0
#
interface Eth-Trunk10
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk20
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 40
mode lacp
#
interface Eth-Trunk40
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 50
mode lacp
#
interface GigabitEthernet1/1/1/0
eth-trunk 10
#
interface GigabitEthernet1/1/1/1
eth-trunk 20
#
interface GigabitEthernet1/2/0/0
eth-trunk 30
#
interface GigabitEthernet2/1/1/0
eth-trunk 20
#
interface GigabitEthernet2/1/1/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet2/2/0/0
eth-trunk 30
#
interface XGigabitEthernet1/6/0/1
eth-trunk 40
#
interface XGigabitEthernet2/6/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.5.0.0 0.0.0.255
network 10.6.0.0 0.0.0.255
network 10.8.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return

● AGG configuration file
#
sysname AGG
#
vlan batch 40
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 40
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet2/0/1
eth-trunk 30
#
return

5 Wireless Coverage Deployment

5.1 Key Points of Wireless Coverage Deployment
5.2 Common WLAN Coverage
5.3 Agile Distributed Wi-Fi Coverage
5.4 High-Density WLAN Coverage
5.5 WDS Backhaul

5.1 Key Points of Wireless Coverage Deployment


Wireless coverage allows user terminals to access a network during movements,
freeing users from the access restriction of Ethernet cables required by wired
networks. Users can access the Internet while moving, and wireless network
deployment is more flexible.
Different wireless coverage solutions are available based on actual deployment
scenarios. The details are as follows:
● Common WLAN coverage solution for most scenarios, such as offices,
classrooms, and meeting rooms
● Agile distributed Wi-Fi coverage solution for scenarios with densely located
rooms, such as hotel guest rooms, campus dormitories, and hospital wards
● High-density WLAN coverage solution for scenarios with high user density,
such as stadiums and lecture halls
● Wireless distribution system (WDS) backhaul solution for scenarios where
wired network deployment is difficult, such as campuses, plantations, and
mountainous areas
Configurations vary for these wireless coverage solutions and are described in the
following sections.

5.2 Common WLAN Coverage


This section describes the recommended configurations that need to be
supplemented for common WLAN coverage in specific scenarios. For details about
how to configure common WLAN coverage, see 3 Campus Network Connectivity
Deployment. User authentication modes are described in 6 Wired and Wireless
User Access Authentication Deployment.

Device Requirements and Versions

Location   Device Requirement   Device Used in This Example   Version Used in This Example
AC         -                    AC6605                        V200R019C10
AP         -                    AP6050DN                      V200R019C00

Traffic Optimization in Large Broadcast Domain Scenarios


On an enterprise campus network, a single large subnet is usually designed. Such
a single large subnet simplifies VLAN configuration, roaming configuration, and
fault location. However, due to the use of a large broadcast domain on this
subnet, a large number of packets are replicated and sent, causing high CPU
usage.
To lower the CPU usage and support large broadcast domain scenarios, you can
leverage various methods such as broadcast-to-unicast conversion, unknown
unicast traffic suppression, and rate limiting for multicast and broadcast packets
on APs.
# Enable the function of sending mDNS unicast response packets so that the AC
functions as the mDNS gateway to respond to mDNS service request packets
using unicast packets, reducing the packet duplication load on the AC. This
function is disabled by default. You are advised to enable it. This configuration is
available only for standalone ACs but not switches that support the native AC
function.
<AC> system-view
[AC] mdns unicast-reply enable

# Enable the IGMP snooping function and the function of discarding unknown
multicast flows in a VLAN. IGMP snooping runs on a Layer 2 device and analyzes
IGMP messages exchanged between a Layer 3 device and hosts to create and
maintain a Layer 2 multicast forwarding table. Based on this table, the Layer 2
device forwards multicast packets at the data link layer.
<AC> system-view
[AC] wlan
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] igmp-snooping enable
[AC-wlan-traffic-prof-traff] quit
[AC-wlan-view] quit
[AC] vlan 10
[AC-vlan10] multicast drop-unknown

# Enable the function of converting ARP, ND, and DHCP packets to unicast
packets. This function is enabled by default. You are advised to retain the default
setting.
<AC> system-view
[AC] wlan
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] traffic-optimize bcmc unicast-send arp nd dhcp

# Enable the function of suppressing ARP, ND, and DHCP packets. Broadcast or
multicast packets that failed to be converted to unicast packets are then discarded
on the air interface. This function is enabled by default. You are advised to retain
the default setting.
<AC> system-view
[AC] wlan
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] traffic-optimize bcmc unicast-send mismatch-action drop

Traffic Optimization in VR Scenarios


When an AP is connected to a VR device, packet loss and retransmission have a
great impact on user experience. Therefore, you can set the service guarantee
mode to reliability first. That is, when the VR throughput requirement is met, the
air interface rate can be lowered properly to reduce jitter and delay caused by
packet loss and retransmission, improving user experience. It is recommended that
the service guarantee mode be set to reliability-first in VR gaming scenarios and
to performance first in VR video scenarios.
# Set the service guarantee mode to reliability-first. The default service guarantee
mode is performance-first.
<AC> system-view
[AC] wlan
[AC-wlan-view] ssid-profile name ssid1
[AC-wlan-ssid-prof-ssid1] service-guarantee reliability-first

5.3 Agile Distributed Wi-Fi Coverage


This section describes how to deploy agile distributed Wi-Fi coverage in a native
AC solution. For details about deploying the native AC solution, see 3.5 Native AC
Solution: Core Switches Function as the Gateway for Wired and Wireless
Users. In this example, the networking is similar to that in the native AC solution,
but AP2 is used as a central AP to provide access to RUs deployed in hotel guest
rooms, campus dormitories, and hospital wards. If more RUs are involved, the
central AP can be connected to a switch for capacity expansion.

Figure 5-1 Networking diagram for agile distributed Wi-Fi coverage

[Figure: core layer CORE (CSS), with the server zone (including RADIUS and DNS servers) attached, connected through Eth-Trunk 10 and Eth-Trunk 20 to the aggregation layer (AGG1, AGG2); the aggregation layer connected through Eth-Trunk 30 and Eth-Trunk 40 to the access layer (ACC1, ACC2); the access layer serving PC1, AP1, PC2 and the central AP AP2, which connects through Switch to RUs ru_1 and ru_2.]

Device Requirements and Versions

Location     Device Requirement                                   Device Used in This Example   Version Used in This Example
Core layer   Modular switches configured with X series cards,     S12708                        V200R019C10
             or Layer 3 fixed switches that support the native
             AC function, such as S5720-HI switches
AP2          Central AP                                           AD9430DN-24                   V200R019C00
RU           RU                                                   R450D                         V200R019C00

Data Plan

Table 5-1 RU data plan

Item       Data
AP group   ap-group1
Name       ru_1, ru_2
Procedure
Step 1 Configure network connectivity and WLAN services on AP1 and AP2. For details,
see 3.5 Native AC Solution: Core Switches Function as the Gateway for Wired
and Wireless Users.
The following describes how to configure RUs and the access switch.
Step 2 Configure Switch to enable Layer 2 communication between the central AP and
RUs. If a Huawei switch is used, this configuration can be skipped as interfaces on
Huawei switches are added to VLAN 1 by default and can communicate at Layer
2. If a non-Huawei switch is used, perform the configuration to enable Layer 2
communication of uplink and downlink interfaces.

On the network between the central AP and RUs, service packets of STAs must be properly
forwarded. This example uses the tunnel forwarding mode. Therefore, you do not need to
configure packets in service VLANs to pass between the central AP and RUs. If the direct
forwarding mode is used, configure packets in the service VLANs to pass between the
central AP and RUs. The configuration varies depending on the central AP model as follows:
● For a gigabit central AP, such as AD9430DN-24, no configuration is required on Switch.
All packets from RUs are transmitted to the central AP through the MAC-IN-MAC
tunnel. Therefore, you only need to allow packets in the service VLANs to pass on the
central AP in the uplink direction.
● For a 10GE central AP, such as AD9431DN-24X, add the uplink and downlink
interfaces on Switch to the service VLANs. Service packets are forwarded in the
upstream direction of an RU. Therefore, packets in the service VLANs must be allowed
in the uplink direction of RUs.

Step 3 Configure names for the RUs and add them to the AP group.
<CORE> system-view
[CORE] wlan
[CORE-wlan-view] ap-id 3 ap-mac 00e0-fc00-1220
[CORE-wlan-ap-3] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-3] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-3] quit
[CORE-wlan-view] ap-id 4 ap-mac 00e0-fc00-1240
[CORE-wlan-ap-4] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-4] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-4] quit

Step 4 Run the display ap all command to check the RU state. If the State field is
displayed as nor, the RUs go online properly.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.220 AP6050DN nor 0 58S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.163 AP6050DN nor 0 1M:40S -
3 00e0-fc00-1220 ru_1 ap-group1 192.168.20.165 R240D nor 0 3M:14S -
4 00e0-fc00-1240 ru_2 ap-group1 192.168.20.137 R240D nor 0 3M:14S -
------------------------------------------------------------------------------------------------------
Total: 4

After STAs find and associate with the SSID, wireless users can access the agile
distributed Wi-Fi network.

----End

Configuration Files
# AC configuration file
#
ap-id 3 type-id 84 ap-mac 00e0-fc00-1220 ap-sn 21500826400000000208
ap-name ru_1
ap-group ap-group1
ap-id 4 type-id 84 ap-mac 00e0-fc00-1240 ap-sn 21500826400000000209
ap-name ru_2
ap-group ap-group1
#
return

5.4 High-Density WLAN Coverage


This section describes the recommended high-density network parameter settings.
For details about how to configure APs and STAs to go online in high-density
coverage scenarios, see 3 Campus Network Connectivity Deployment. For
details about user access authentication modes, see 6 Wired and Wireless User
Access Authentication Deployment.

Device Requirements and Versions

Location   Device Requirement   Device Used in This Example   Version Used in This Example
AC         -                    AC6605                        V200R019C10
AP         -                    AP6050DN                      V200R019C00

Network Optimization in High-Density Scenarios

Network parameters in high-density scenarios are mainly set in the following
profiles: VAP, SSID, traffic, RRM, 2G radio, and 5G radio profiles. After the
profiles are configured, configure the reference relationships between them (VAP
profile to SSID and traffic profiles, radio profiles to the RRM profile, and AP
group to the radio profiles) so that the high-density settings are delivered to
the APs. This example shows how to configure these reference relationships. The
profile names are subject to the network plan.

<AC> system-view
[AC] wlan
[AC-wlan-view] ssid-profile name ssid1
[AC-wlan-ssid-prof-ssid1] max-sta-number 128 //Set the maximum number of STAs that can associate with the SSID to 128.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-ssid1] association-timeout 1 //Reduce the association aging time of STAs. The recommended value is 1 minute.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-ssid1] beacon-2g-rate 11 //Increase the rate at which Beacon frames are sent on the 2.4 GHz radio. The recommended rate is 11 Mbit/s.
[AC-wlan-ssid-prof-ssid1] quit
[AC-wlan-view] vap-profile name vap1
[AC-wlan-vap-prof-vap1] undo band-steer disable //Enable band steering so that APs steer dual-band STAs to the 5 GHz radio preferentially, reducing the load and interference on the 2.4 GHz radio.
[AC-wlan-vap-prof-vap1] quit
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] rate-limit client down 4000 //Limit the per-STA rate. This example limits the downstream traffic of each STA to 4000 kbit/s.
[AC-wlan-traffic-prof-traff] rate-limit client up 4000 //Limit the upstream traffic of each STA to 4000 kbit/s.
[AC-wlan-traffic-prof-traff] quit
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0 //Configure radio 0 (2.4 GHz).
[AC-wlan-radio-0/0] calibrate auto-channel-select disable //Disable automatic channel selection so that the planned channel is kept.
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable //Disable automatic transmit power selection so that the planned power is kept.
[AC-wlan-radio-0/0] channel 20mhz 1 //Set the AP channel to reduce interference between APs. It is recommended that neighboring APs use staggered channels, such as 1, 5, 9, and 13. This example configures channel 1 with 20 MHz bandwidth on radio 0. The actual channel is subject to the network planning result.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127 //Lower the AP transmit power to reduce interference between APs, while keeping the RSSI at the edge of each AP's coverage area above -65 dBm. Note that 127 is the upper limit of the eirp command (and its default), so this line does not lower the power; replace it with the transmit power from the network planning result.
[AC-wlan-radio-0/0] quit
[AC-wlan-ap-0] radio 1 //Configure radio 1 (5 GHz).
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 40mhz-plus 44
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] undo smart-roam disable //Enable smart roaming.
[AC-wlan-rrm-prof-rrm1] smart-roam roam-threshold check-snr //Use the SNR as the roaming trigger.
[AC-wlan-rrm-prof-rrm1] smart-roam roam-threshold snr 15 //Set the SNR threshold to 15 dB.
[AC-wlan-rrm-prof-rrm1] airtime-fair-schedule enable //Enable airtime fair scheduling so that radio channel time is shared fairly between users instead of being monopolized by slow STAs.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-rrm1] dynamic-edca enable //Enable dynamic EDCA parameter adjustment. The default EDCA Best-Effort service threshold is recommended.
[AC-wlan-rrm-prof-rrm1] quit
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rts-cts-mode rts-cts //Set the RTS-CTS operation mode to rts-cts.
[AC-wlan-radio-2g-prof-radio2g] rts-cts-threshold 1400 //Set the RTS threshold to 1400 bytes.
[AC-wlan-radio-2g-prof-radio2g] beacon-interval 160 //Adjust the interval for sending Beacon frames. The recommended interval is 160 TUs.
[AC-wlan-radio-2g-prof-radio2g] guard-interval-mode short //Set the GI mode to short to reduce overhead and improve the transmission rate of APs.
[AC-wlan-radio-2g-prof-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54 //Modify the basic rate set. It is recommended that the low 802.11b rates (1, 2, 5.5, and 11 Mbit/s) be removed from the basic rate set.
[AC-wlan-radio-2g-prof-radio2g] multicast-rate 11 //Configure the multicast rate. The default value is recommended.
[AC-wlan-radio-2g-prof-radio2g] undo short-preamble disable //Enable the short preamble. If some STAs on the network use outdated network adapters, disable this function.
[AC-wlan-radio-2g-prof-radio2g] quit
[AC-wlan-view] radio-5g-profile name radio5g

[AC-wlan-radio-5g-prof-radio5g] rts-cts-mode rts-cts //Set the RTS-CTS operation mode to rts-cts.
[AC-wlan-radio-5g-prof-radio5g] rts-cts-threshold 1400 //Set the RTS threshold to 1400 bytes.
[AC-wlan-radio-5g-prof-radio5g] beacon-interval 160 //Adjust the interval for sending Beacon frames. The recommended interval is 160 TUs.
[AC-wlan-radio-5g-prof-radio5g] guard-interval-mode short //Set the GI mode to short to reduce overhead and improve the transmission rate of APs.
[AC-wlan-radio-5g-prof-radio5g] multicast-rate 6 //Configure the multicast rate. The default value is recommended.
[AC-wlan-radio-5g-prof-radio5g] quit
[AC-wlan-view] vap-profile name vap1
[AC-wlan-vap-prof-vap1] ssid-profile ssid1 //Bind the SSID profile.
[AC-wlan-vap-prof-vap1] traffic-profile traff //Bind the traffic profile.
[AC-wlan-vap-prof-vap1] quit
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile rrm1 //Bind the RRM profile.
[AC-wlan-radio-2g-prof-radio2g] quit
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile rrm1 //Bind the RRM profile.
[AC-wlan-radio-5g-prof-radio5g] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0 //Bind the 2G radio profile to radio 0.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g radio 1 //Bind the 5G radio profile to radio 1.
Warning: This action may cause service interruption. Continue?[Y/N]y

Configuration Files
# AC configuration file
#
wlan
traffic-profile name traff
rate-limit client up 4000
rate-limit client down 4000
ssid-profile name ssid1
association-timeout 1
max-sta-number 128
beacon-2g-rate 11
vap-profile name vap1
ssid-profile ssid1
traffic-profile traff
rrm-profile name rrm1
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
dynamic-edca enable
radio-2g-profile name radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
multicast-rate 11
rrm-profile rrm1
radio-5g-profile name radio5g
beacon-interval 160
multicast-rate 6
rrm-profile rrm1
ap-group name ap-group1
radio 0
radio-2g-profile radio2g
radio 1
radio-5g-profile radio5g
ap-id 0 type-id 30 ap-mac 00fc-e0a6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 1
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 44
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

5.5 WDS Backhaul


Networking Requirements
This section describes how to deploy WDS backhaul in a native AC solution so that
an AP can be served without a wired uplink of its own. For details about
deploying the native AC solution, see 3.5 Native AC Solution: Core Switches
Function as the Gateway for Wired and Wireless Users. In this example, the
networking is similar to that in the native AC solution, but Area C, where AP5
resides, requires wireless coverage, and the existing access layer cannot provide
a wired connection to AP5 because of construction difficulties. Therefore, AP2 in
Area A provides WDS backhaul to AP3 in Area B; AP3 and AP4 in Area B are connected
through the wired network (Switch_C); AP4 provides WDS backhaul to AP5 in Area C;
and AP5 provides wireless access to users.

Figure 5-2 Networking diagram for WDS backhaul

[Figure: the server zone (including RADIUS and DNS servers) connects to the core
layer CORE, a CSS, through XGE1/2/0/1. CORE connects to the aggregation layer
through Eth-Trunk 10 and Eth-Trunk 20 (member ports XGE1/1/0/1, XGE1/1/0/2,
XGE2/1/0/1, and XGE2/1/0/2 on CORE; XGE0/0/1 and XGE1/0/1 on AGG1 and AGG2).
AGG1 and AGG2 connect to the access switches ACC1 and ACC2 through Eth-Trunk 30
and Eth-Trunk 40 (GE0/0/3 and GE1/0/3 on the aggregation side, GE0/0/1 and
GE0/0/2 on the access side). Area A: PC1 and AP1 on ACC1 (GE0/0/3, GE0/0/4), PC2
and AP2 (root) on ACC2 (GE0/0/3, GE0/0/4). Area B: AP3 (leaf) and AP4 (root),
connected to each other through Switch_C (GE0/0/2 and GE0/0/1). Area C: AP5
(leaf). Dashed lines are wireless virtual links: AP2 to AP3 and AP4 to AP5.]

Device Requirements and Versions

Location     Device Requirement                                           Device Used in This Example   Version Used in This Example
Core layer   Modular switches configured with X series cards, or Layer 3  S12708                        V200R019C10
             fixed switches that support the native AC function, such
             as S5720-HI switches
AP           -                                                            AP6050DN                      V200R019C00

Deployment Roadmap

Step   Deployment Roadmap                                                                           Devices Involved
1      Configure a WDS link between Area A and Area B so that AP2 and AP3 can go online on the AC.   Core switches
2      Configure Switch_C so that AP3 and AP4 can communicate through the wired network.             Switch_C
3      Configure a WDS link between Area B and Area C so that AP5 can go online on the AC.           Core switches

Data Plan

Table 5-2 Service data plan for core switches

Item                              VLAN ID   Network Segment
Management VLAN for APs           VLAN 20   192.168.20.0/24
Service VLAN for wireless users   VLAN 40   172.16.40.0/24 (for wireless users connected to AP5)

Table 5-3 Wireless service data plan for core switches

Item                        Data
AP groups                   wds-root1: AP2
                            wds-root2: AP4
                            wds-leaf1: AP3
                            wds-leaf2: AP5
Regulatory domain profile   domain1
SSID profile                ssid2 (SSID: test02)
VAP profile                 vap2
WDS profiles                ● wds-net1 (WDS profile used by AP2): WDS mode root. Radio 1 of AP2 also references the WDS whitelist wds-list1, which permits access only from AP3.
                            ● wds-net2 (WDS profile used by AP4): WDS mode root. Radio 1 of AP4 also references the WDS whitelist wds-list2, which permits access only from AP5.
                            ● wds-net3 (WDS profile used by AP3 and AP5): WDS mode leaf, no WDS whitelist.
WDS role                    AP2: root; AP3: leaf; AP4: root; AP5: leaf
WDS name                    wds-net
WDS whitelists              ● wds-list1: contains the MAC address of AP3 and is bound to radio 1 of AP2 (AP group wds-root1).
                            ● wds-list2: contains the MAC address of AP5 and is bound to radio 1 of AP4 (AP group wds-root2).
Radios used by WDS          Radio 1 (AP2 and AP3): bandwidth 40 MHz plus, channel 157, radio coverage distance parameter 4 (unit: 100 m)
                            Radio 1 (AP4 and AP5): bandwidth 40 MHz plus, channel 149, radio coverage distance parameter 4 (unit: 100 m)
Security profile            Security profile referenced by the WDS profiles: name wds-sec; security policy WPA2+PSK+AES; password type PASS-PHRASE; password a1234567 (example value only; use a long random passphrase in production)

Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1, and allow an interface to transparently transmit only
the VLANs that its services require. Do not allow an interface to transparently
transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must be
different. Otherwise, MAC address flapping will occur, leading to packet
forwarding errors. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with the
service VLAN ID.
● A WDS link is protected only by the security profile it references (here
WPA2+PSK+AES with the passphrase in wds-sec), and any AP that knows the WDS name
and the passphrase can attempt to join a root radio. Replace the example
passphrase a1234567 with a long random one before deployment, and keep the WDS
whitelists bound to the root radios so that only the planned leaf MAC addresses
are accepted. Because a MAC address can be spoofed, the whitelist only restricts
which peers are considered; the passphrase remains the actual secret.

Procedure
Step 1 Configure network connectivity and WLAN services on AP1. For details, see 3.5
Native AC Solution: Core Switches Function as the Gateway for Wired and
Wireless Users.
The following focuses on how to configure AP2, AP3, AP4, and AP5.
Step 2 Configure APs to go online on CORE.
# In the back-to-back WDS networking, create AP groups wds-root1 and wds-
root2 for root APs and AP groups wds-leaf1 and wds-leaf2 for leaf APs, and bind
the regulatory domain profile domain1 to the AP groups.
[CORE] wlan
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-root1] quit
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-root2] quit
[CORE-wlan-view] ap-group name wds-leaf1
[CORE-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-leaf1] quit
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-leaf2] quit

# Add AP2 to the AP group wds-root1, AP4 to the AP group wds-root2, AP3 to
the AP group wds-leaf1, and AP5 to the AP group wds-leaf2.
[CORE] wlan
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[CORE-wlan-ap-2] ap-name AP2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-2] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-2] quit
[CORE-wlan-view] ap-id 3 ap-mac dcd2-fc04-b500
[CORE-wlan-ap-3] ap-name AP3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-3] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-3] quit
[CORE-wlan-view] ap-id 4 ap-mac dcd2-fcf6-76a0
[CORE-wlan-ap-4] ap-name AP4
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-4] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-4] quit
[CORE-wlan-view] ap-id 5 ap-mac 60de-4476-e360
[CORE-wlan-ap-5] ap-name AP5
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-5] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-5] quit

# Configure radio parameters for the WDS nodes. Radio 1 on the 5 GHz frequency
band is used as an example. The coverage distance parameter (unit: 100 m; default
value 3) tells the AP the physical distance to its peer so that it can adjust its
slot time, ACK timeout, and CTS timeout. This example sets the parameter to 4.
Configure it based on the actual distance between the APs.
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] radio 1
[CORE-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157 //Configure the channel and bandwidth
for the WDS link, which must be the same on the two ends of the link.
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-root1/1] coverage distance 4 //Configure the radio coverage distance
parameter based on the actual distance between APs, based on which the APs adjust the values of
slottime, acktimeout, and ctstimeout.
[CORE-wlan-group-radio-wds-root1/1] quit
[CORE-wlan-ap-group-wds-root1] quit
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] radio 1
[CORE-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-root2/1] coverage distance 4
[CORE-wlan-group-radio-wds-root2/1] quit
[CORE-wlan-ap-group-wds-root2] quit
[CORE-wlan-view] ap-group name wds-leaf1
[CORE-wlan-ap-group-wds-leaf1] radio 1
[CORE-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-leaf1/1] coverage distance 4
[CORE-wlan-group-radio-wds-leaf1/1] quit
[CORE-wlan-ap-group-wds-leaf1] quit
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] radio 1
[CORE-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-leaf2/1] coverage distance 4
[CORE-wlan-group-radio-wds-leaf2/1] quit
[CORE-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec referenced by WDS links. Configure the
security policy of WPA2+PSK+AES for this security profile.
[CORE-wlan-view] security-profile name wds-sec
[CORE-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[CORE-wlan-sec-prof-wds-sec] quit

# Configure WDS whitelists. Configure the WDS whitelist wds-list1 to be bound to
AP2 and add only the MAC address of AP3 to the whitelist. Configure the WDS
whitelist wds-list2 to be bound to AP4 and add only the MAC address of AP5 to
the whitelist.
[CORE-wlan-view] wds-whitelist-profile name wds-list1
[CORE-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[CORE-wlan-wds-whitelist-wds-list1] quit
[CORE-wlan-view] wds-whitelist-profile name wds-list2
[CORE-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[CORE-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS
mode to root. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net1
[CORE-wlan-wds-prof-wds-net1] wds-name wds-net //Only APs with the same WDS name can set up
WDS links with each other.
[CORE-wlan-wds-prof-wds-net1] wds-mode root
[CORE-wlan-wds-prof-wds-net1] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net1] vlan tagged 40
[CORE-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS
mode to root. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net2
[CORE-wlan-wds-prof-wds-net2] wds-name wds-net
[CORE-wlan-wds-prof-wds-net2] wds-mode root
[CORE-wlan-wds-prof-wds-net2] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net2] vlan tagged 40
[CORE-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS
mode to leaf. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net3
[CORE-wlan-wds-prof-wds-net3] wds-name wds-net
[CORE-wlan-wds-prof-wds-net3] wds-mode leaf
[CORE-wlan-wds-prof-wds-net3] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net3] vlan tagged 40
[CORE-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in the AP group wds-root1 to
permit access only from AP3. Bind the WDS whitelist wds-list2 to radio 1 in the
AP group wds-root2 to permit access only from AP5.
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] radio 1
[CORE-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[CORE-wlan-group-radio-wds-root1/1] quit
[CORE-wlan-ap-group-wds-root1] quit
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] radio 1
[CORE-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[CORE-wlan-group-radio-wds-root2/1] quit
[CORE-wlan-ap-group-wds-root2] quit

# Bind the WDS profile wds-net1 to the AP group wds-root1.
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-ap-group-wds-root1] quit

# Bind the WDS profile wds-net2 to the AP group wds-root2.
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-ap-group-wds-root2] quit

# Bind the WDS profile wds-net3 to the AP group wds-leaf1.
[CORE-wlan-view] ap-group name wds-leaf1
[CORE-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-ap-group-wds-leaf1] quit

# Bind the WDS profile wds-net3 to the AP group wds-leaf2.
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-ap-group-wds-leaf2] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow
packets from the service VLAN to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 40
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 40
[Switch_C-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/1] stp edged-port enable
[Switch_C-GigabitEthernet0/0/1] port-isolate enable
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[Switch_C-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/2] quit

Step 3 Configure WLAN services.

# Configure WLAN service parameters for AP5.
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] ssid-profile name ssid2
[CORE-wlan-ssid-prof-ssid2] ssid test02
[CORE-wlan-ssid-prof-ssid2] quit
[CORE-wlan-view] traffic-profile name traff2
[CORE-wlan-traffic-prof-traff2] user-isolate l2
[CORE-wlan-traffic-prof-traff2] quit

# Create the VAP profile vap2, configure the service data forwarding mode and the
service VLAN, bind the security, SSID, and traffic profiles, and enable strict
STA IP address learning through DHCP, IPSG, and dynamic ARP inspection. The
security profile sec2 created above keeps its default open policy, so the SSID
test02 is unauthenticated at this point. For user access authentication modes,
see 6 Wired and Wireless User Access Authentication Deployment.
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode direct
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit

The ip source check user-bind enable command checks IP packets against the
binding table, so the table must exist before the command takes effect:
● For DHCP users, DHCP snooping has been enabled on the device so that dynamic
binding entries are generated automatically.
● For users with static IP addresses, static binding entries have been
configured manually.
The prerequisites for running the learn-client-address dhcp-strict command are
as follows:
● The DHCP trusted interface on the AP has been disabled using the undo dhcp
trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address
{ ipv4 | ipv6 } disable command.

# Bind the VAP profile to the AP group wds-leaf2 to use the 2.4 GHz radio for
WLAN coverage.
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] vap-profile vap2 wlan 2 radio 0
[CORE-wlan-ap-group-wds-leaf2] quit
[CORE-wlan-view] quit

----End

Verifying the Deployment

Expected Result
WDS links are established and wireless users can access the network through AP5.

Verification Method
# Run the display ap all command to verify that the WDS nodes have gone online.
If State displays as nor, the APs have gone online successfully.
[CORE-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information: P : insufficient power supply
---------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------
2 60de-4474-9640 AP2 wds-root1 192.168.20.250 AP6050DN nor 0 1M:06S -
3 dcd2-fc04-b500 AP3 wds-leaf1 192.168.20.251 AP6050DN nor 0 1M:23S -
4 dcd2-fcf6-76a0 AP4 wds-root2 192.168.20.252 AP6050DN nor 0 1M:11S -
5 60de-4476-e360 AP5 wds-leaf2 192.168.20.253 AP6050DN nor 0 2M:06S -
---------------------------------------------------------------------------------------------------
Total: 4

# Run the display wlan wds link all command to check information about the
WDS links.
[CORE-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP2 AP3 1 3 157 root normal -44 -40 0 3 50 45/49/-
AP3 AP2 1 3 157 leaf normal -38 -36 0 49 57 36/31/57
AP4 AP5 1 3 149 root normal -11 -7 0 1 83 81/80/-
AP5 AP4 1 3 149 leaf normal -4 -4 0 0 91 90/85/-
-------------------------------------------------------------------------------------------------
Total: 4
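The two command outputs above are the only evidence that the backhaul came up as planned, and reading them by eye does not scale past a handful of links. The following Python script is an added example, not part of the Huawei document: it parses the display wlan wds link all output (the sample embedded below is a copy of the output shown above) and compares it with the planned topology, reporting a planned link that is missing or not normal, a role or channel that differs from the plan, a root radio whose peer is not a planned leaf (which is what a missing whitelist looks like from the AC), and links with packet drops or a high retry ratio. The planned-topology table, the 30% retry threshold, and the function names are assumptions of the example.

```python
"""Parse and audit `display wlan wds link all` output from a Huawei AC (added example)."""

# Constructed sample: a copy of the verification output shown above.
SAMPLE_OUTPUT = """\
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re TS SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP2 AP3 1 3 157 root normal -44 -40 0 3 50 45/49/-
AP3 AP2 1 3 157 leaf normal -38 -36 0 49 57 36/31/57
AP4 AP5 1 3 149 root normal -11 -7 0 1 83 81/80/-
AP5 AP4 1 3 149 leaf normal -4 -4 0 0 91 90/85/-
-------------------------------------------------------------------------------------------------
Total: 4
"""

# Planned topology from the data plan: root AP -> {leaf AP: channel} (assumption for the example).
EXPECTED_LINKS = {"AP2": {"AP3": 157}, "AP4": {"AP5": 149}}
RETRY_MAX_PERCENT = 30  # assumption: tolerated retry ratio before a link is flagged
COLUMNS = ("ap", "peer", "rf", "dis", "ch", "mode", "status",
           "rssi", "maxr", "per", "re", "tsnr", "snr")
INT_COLUMNS = ("rf", "dis", "ch", "rssi", "maxr", "per", "re", "tsnr")


def parse_wds_links(text):
    """Return one dict per data row of the link table, with numeric columns as int."""
    links, in_table = [], False
    for line in text.splitlines():
        if line.startswith("APName"):      # column header: data rows follow
            in_table = True
            continue
        if not in_table or line.startswith("---"):
            continue
        if line.startswith("Total:"):
            break
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        for key in INT_COLUMNS:
            row[key] = int(row[key])
        links.append(row)
    return links


def audit_wds_links(links, expected=EXPECTED_LINKS, retry_max=RETRY_MAX_PERCENT):
    """Compare live links with the plan; return a list of findings (empty means clean)."""
    findings = []
    by_pair = {(row["ap"], row["peer"]): row for row in links}
    # 1. Every planned link must be up in both directions, with the planned roles and channel.
    for root, leaves in expected.items():
        for leaf, channel in leaves.items():
            for a, b, mode in ((root, leaf, "root"), (leaf, root, "leaf")):
                row = by_pair.get((a, b))
                if row is None:
                    findings.append(f"{a}->{b}: planned link missing")
                    continue
                if row["status"] != "normal":
                    findings.append(f"{a}->{b}: status {row['status']}")
                if row["mode"] != mode:
                    findings.append(f"{a}->{b}: role {row['mode']}, planned {mode}")
                if row["ch"] != channel:
                    findings.append(f"{a}->{b}: channel {row['ch']}, planned {channel}")
    # 2. A root radio must only see planned leaves; anything else got past the whitelist.
    for row in links:
        if row["mode"] == "root" and row["peer"] not in expected.get(row["ap"], {}):
            findings.append(f"{row['ap']}->{row['peer']}: unplanned peer on a root radio")
    # 3. Link quality: drops or a high retry ratio point at interference or excessive range.
    for row in links:
        if row["per"] > 0:
            findings.append(f"{row['ap']}->{row['peer']}: drop percent {row['per']}%")
        if row["re"] > retry_max:
            findings.append(f"{row['ap']}->{row['peer']}: retry ratio {row['re']}% exceeds {retry_max}%")
    return findings


if __name__ == "__main__":
    for finding in audit_wds_links(parse_wds_links(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample output the only finding is the 49% retry ratio that AP3 reports toward AP2, which is worth investigating before users are moved onto AP5. Saving the output of a scheduled display wlan wds link all and running it through the same script catches links that degrade, or peers that appear, after the initial verification.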

# After a wireless user connects to AP5, you can view information about the
wireless user on the AC.
[CORE-wlan-view] display station ssid test02
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 5 AP5 0/2 2.4G 11n 117/115 -71 40 172.16.40.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

Configuration Files
# AC configuration file
#
wlan
traffic-profile name traff2
user-isolate l2
security-profile name sec2
security-profile name wds-sec
security wpa2 psk pass-phrase %^%#"G$t160(|>N&R$"<Z@6:\VY@T(}}]BJpHqK95`T6%^%# aes
ssid-profile name ssid2
ssid test02
vap-profile name vap2
service-vlan vlan-id 40
ssid-profile ssid2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 40
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 40
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 40
wds-name wds-net
regulatory-domain-profile name domain1
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
regulatory-domain-profile domain1
radio 0
vap-profile vap2 wlan 2
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 2 ap-mac 60de-4474-9640
ap-name AP2
ap-group wds-root1
ap-id 3 ap-mac dcd2-fc04-b500
ap-name AP3
ap-group wds-leaf1
ap-id 4 ap-mac dcd2-fcf6-76a0
ap-name AP4
ap-group wds-root2
ap-id 5 ap-mac 60de-4476-e360
ap-name AP5
ap-group wds-leaf2
provision-ap
#
return

# Switch_C configuration file
#
sysname Switch_C
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 40
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 40
#
return
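The high-density example in 5.4 and the WDS example above both work by building a tree of profiles that reference one another, and the configuration file at the end of each example is the only place where the whole tree is visible at once. The following Python script is an added example, not Huawei code: it parses the indented wlan block of a saved AC configuration file and audits it for the mistakes that matter most in this section, namely a reference to a profile that is never defined, a WDS profile whose security profile carries no policy (an open backhaul), a root WDS radio without a whitelist, and a VAP whose security profile is open. The embedded sample is an abridged copy of the WDS configuration above, re-indented with one space per level as the AC writes it (the listing above lost its indentation) and with the encrypted passphrase replaced by a placeholder; the list of profile kinds, the leaf default for wds-mode, and the function names are assumptions of the example.

```python
"""Audit the wlan block of a Huawei AC configuration file (added example, not Huawei code)."""

PROFILE_KINDS = {"security-profile", "ssid-profile", "traffic-profile", "vap-profile", "rrm-profile",
                 "radio-2g-profile", "radio-5g-profile", "wds-profile", "wds-whitelist-profile",
                 "regulatory-domain-profile", "ap-group"}

# Constructed sample: abridged from the WDS configuration file above, one space per level;
# the ciphertext of the passphrase is a placeholder.
SAMPLE_CONFIG = """\
wlan
 security-profile name sec2
 security-profile name wds-sec
  security wpa2 psk pass-phrase %^%#placeholder%^%# aes
 ssid-profile name ssid2
  ssid test02
 vap-profile name vap2
  security-profile sec2
  ssid-profile ssid2
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-profile name wds-net1
  security-profile wds-sec
  wds-name wds-net
  wds-mode root
 wds-profile name wds-net3
  security-profile wds-sec
  wds-name wds-net
 ap-group name wds-leaf1
  radio 1
   wds-profile wds-net3
 ap-group name wds-root1
  radio 1
   wds-profile wds-net1
   wds-whitelist-profile wds-list1
"""


def parse_tree(text):
    """Turn one-space-per-level indentation into nested (line, children) nodes."""
    root = []
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= depth:
            stack.pop()
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def walk(nodes):
    """Yield every line in the tree, depth first."""
    for line, children in nodes:
        yield line
        yield from walk(children)


def first(children, key, default=None):
    """Value of the first direct child line that starts with `key `."""
    for line, _ in children:
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return default


def audit(text):
    """Return findings for the wlan block; an empty list means it passed."""
    wlan = next(ch for line, ch in parse_tree(text) if line == "wlan")
    profiles = {}                          # (kind, name) -> child lines of the definition
    for line, ch in wlan:
        w = line.split()
        if w[0] in PROFILE_KINDS and len(w) > 2 and w[1] == "name":
            profiles[(w[0], w[2])] = ch

    def has_policy(sec_name):              # True if the security profile sets a non-open policy
        lines = profiles.get(("security-profile", sec_name), [])
        return any(l.startswith("security ") and not l.startswith("security open") for l, _ in lines)

    findings = []
    # 1. Every '<kind> <name>' reference below wlan must resolve to a definition.
    for line in walk(wlan):
        w = line.split()
        if w[0] in PROFILE_KINDS and len(w) > 1 and w[1] != "name" and (w[0], w[1]) not in profiles:
            findings.append(f"unresolved reference: {line}")
    # 2. WDS: the link must be encrypted, and every root radio must carry a whitelist.
    wds = {name: ch for (kind, name), ch in profiles.items() if kind == "wds-profile"}
    for name, ch in wds.items():
        if not has_policy(first(ch, "security-profile", "")):
            findings.append(f"wds-profile {name}: WDS link is open (no security policy)")
    for (kind, name), ch in profiles.items():
        if kind != "ap-group":
            continue
        for line, radio in ch:
            wp = first(radio, "wds-profile")
            if line.startswith("radio ") and wp:
                mode = first(wds.get(wp, []), "wds-mode", "leaf")   # leaf is the default mode
                if mode == "root" and not first(radio, "wds-whitelist-profile"):
                    findings.append(f"ap-group {name} {line}: root WDS radio without wds-whitelist-profile")
    # 3. A VAP whose security profile carries no policy serves an open SSID.
    for (kind, name), ch in profiles.items():
        if kind == "vap-profile" and not has_policy(first(ch, "security-profile", "default")):
            findings.append(f"vap-profile {name}: open SSID, security profile has no policy")
    return findings
```

On the sample the only finding is that vap-profile vap2 references sec2, which carries no security policy; this matches the note in the procedure that user authentication is deferred to chapter 6. Removing the wds-whitelist-profile line from the root radio, or the security line from wds-sec, produces one finding each, and a typo in a referenced profile name is reported as an unresolved reference.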

6 Wired and Wireless User Access Authentication Deployment

6.1 Key Points of User Access Authentication Deployment
6.2 Native AC + Free Mobility Solution: Core Switches Function as the
Authentication Point for Wired and Wireless Users
6.3 Native AC + Policy Association Solution: Core Switches Function as the
Authentication Point for Wired and Wireless Users
6.4 Native AC + NAC Solution: Core Switches Function as the Authentication Point
for Wired and Wireless Users
6.5 Native AC + Policy Association Solution: Aggregation Switches Function as the
Authentication Points for Wired and Wireless Users
6.6 Native AC + NAC Solution: Aggregation Switches Function as the
Authentication Points for Wired and Wireless Users
6.7 Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System
Functions as the Authentication Point
6.8 Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions
as the Authentication Point
6.9 Standalone AC + NAC Solution: Core Switches and ACs Function as the
Authentication Points for Wired and Wireless Users Respectively
6.10 Standalone AC + NAC Solution: Aggregation Switches and ACs Function as
the Authentication Points for Wired and Wireless Users Respectively

6.1 Key Points of User Access Authentication


Deployment
This chapter provides typical examples for deploying user access authentication
based on access controller (AC) deployment solutions, authentication point
locations, and policy-based control solutions.


● Authentication point location: The devices that function as user gateways are
typically configured as authentication points. As described in 3 Campus
Network Connectivity Deployment, when the native AC solution is used, you
are advised to deploy a switch that supports the native AC function as the
gateway for both wired and wireless users. When the standalone AC or ACU2
solution is used, you can deploy both wired and wireless gateways on a
switch, or deploy the wired gateway on a switch and the wireless gateway on
a standalone AC or an ACU2. In the examples where the standalone AC
solution is used, the gateway and authentication point for wireless users are
both deployed on a standalone AC or an ACU2.
● Policy-based control solutions: include Network Admission Control (NAC), free
mobility, and policy association. In the policy association solution, aggregation
or core switches are typically deployed as authentication points and access
switches as access points. This solution prevents users connected to the same
access device from communicating with each other before they are
authenticated, and allows administrators to easily obtain online user
information such as the interfaces on which users go online and the VLANs to
which users belong. A standalone AC or an ACU2 does not support the free
mobility solution for wireless users.
● In the following examples, Agile Controller-Campus functions as both the
access authentication server and user data source server.
User access authentication aims to implement user authentication and policy-
based control, which involves the following key nodes:
● Authentication point: a device or node responsible for user access
authentication.
● Access point: a device or node that determines whether a terminal is allowed
to access the network.
● Group policy enforcement point: a device or node that executes group policies
used in free mobility.
Figure 6-1 shows the positions of authentication points and access points when
core switches function as the authentication points for wired and wireless users.


Figure 6-1 Authentication points and access points

[Figure: a server zone (including RADIUS and DNS servers) attaches to CORE, a CSS at the core layer; AGG1 and AGG2 form the aggregation layer; ACC1 and ACC2 form the access layer; PC1 and AP1 connect to ACC1, PC2 and AP2 connect to ACC2. Legend: authentication point, access point.]

6.2 Native AC + Free Mobility Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.


● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.

Figure 6-2 Core switches functioning as the authentication point for wired and wireless users

[Figure: the server zone (including RADIUS and DNS servers) attaches to CORE, a CSS at the core layer, whose XGE1/2/0/1 faces the server zone. CORE ports XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1 and XGE2/1/0/2 form Eth-Trunk 10 to AGG1 and Eth-Trunk 20 to AGG2 (AGG uplinks XGE0/0/1 and XGE1/0/1). AGG1 and AGG2 downlinks GE0/0/3 and GE1/0/3 form Eth-Trunk 30 to ACC1 and Eth-Trunk 40 to ACC2 (ACC uplinks GE0/0/1 and GE0/0/2). On ACC1 and ACC2, GE0/0/3 connects PC1/PC2 and GE0/0/4 connects AP1/AP2. Legend: authentication point, access point, group policy enforcement point.]

Device Requirements and Versions

Location          | Device Requirement                                                                                                           | Device Used in This Example | Version Used in This Example
------------------+------------------------------------------------------------------------------------------------------------------------------+-----------------------------+-----------------------------
Core layer        | Modular switches configured with X series cards, or Layer 3 fixed switches that support the native AC function, such as S5731-H | S12700E                     | V200R019C10
Aggregation layer | -                                                                                                                            | S5731-H                     |
Access layer      | -                                                                                                                            | S5735-L                     |
AP                | -                                                                                                                            | AP6050DN                    | V200R019C00


Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
-----+--------------------+-----------------
1 | Configure authentication, authorization, and accounting (AAA), including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE)
2 | Configure a pre-authentication domain and a post-authentication domain, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty. | Core switches (CORE)
3 | Configure 802.1X authentication for employees. | Core switches (CORE)
4 | Configure MAC address-prioritized Portal authentication for guests. | Core switches (CORE)
5 | Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus. | Core switches (CORE)
6 | Configure transparent transmission for 802.1X packets. | Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2)
7 | Log in to Agile Controller-Campus and perform the following operations: 1. Configure parameters for interconnection with CORE, and configure RADIUS and Portal parameters. 2. Configure security groups and inter-group policies. | Agile Controller-Campus


Data Plan

Table 6-1 Service data plan for core switches

Item | VLAN ID | Network Segment
-----+---------+----------------
Management VLAN for APs | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24

Table 6-2 Wireless service data plan for core switches

Item | Data
-----+-----
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | test01, test02
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 6-3 Authentication service data plan for core switches

Item | Data
-----+-----
AAA schemes | Authentication scheme: name auth, authentication mode RADIUS. Accounting scheme: name acco, accounting mode RADIUS.
RADIUS server | RADIUS server template name: tem_rad; IP address of the authentication server: 192.168.11.1; port number of the authentication server: 1812; IP address of the accounting server: 192.168.11.1; port number of the accounting server: 1813; accounting interval: 15 minutes; authentication and accounting keys: Admin@123; authorization key: Admin@123
Portal server | Portal server template name: tem_portal; IP address: 192.168.11.1; port number: 50200; shared key: Admin@123; Portal server detection: enabled
802.1X access profile | Name: d1; authentication mode: EAP
Portal access profile | Name: web1
MAC access profile | Name: mac1
Pre-authentication domain | IP address of the DNS server: 192.168.11.2. Employees and guests can send domain names to the DNS server for resolution before being authenticated.

Table 6-4 Service data plan for Agile Controller-Campus

Item | Data
-----+-----
IP address of CORE | 192.168.11.254
RADIUS parameters | Device series: Huawei S series switches; authentication and accounting keys: Admin@123; authorization key: Admin@123; real-time accounting interval: 15 minutes
Portal parameters | Port number: 2000; Portal key: Admin@123; IP addresses of access terminals: wireless 192.168.30.0/24, wired 192.168.40.0/24
XMPP password | Admin@123
Accounts | Employee: user name user1, password Huawei@123. Guest: user name user2, password Guest@123
Security groups | employee_group; guest_group; Email server: 192.168.11.100; Video server: 192.168.11.110
Post-authentication domains | Employees can access the mail and video servers after being authenticated. Guests can access the video server but not the mail server after they are authenticated. Employees and guests cannot communicate with each other.

Deployment Precautions
● Free mobility is supported only in NAC unified mode.
● In this example, Agile Controller-Campus runs V100R003C50.

For details about other precautions, see "Licensing Requirements and Limitations for Free
Mobility" in the Product Use Precautions.


Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access authentication modes.

User Access Authentication Mode | Security Policy
--------------------------------+----------------
MAC address authentication or Portal authentication | Open system authentication
802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

For guests who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:
[CORE-wlan-sec-prof-sec2] security open

Step 2 Configure AAA on CORE.

# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server. The authorization key must match the authorization key planned in Table 6-3 (Admin@123).
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco

[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
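As an added example that is not part of Huawei's documentation, the following Python shows what the shared key configured on the RADIUS server template does on the wire: CORE protects every Accounting-Request it sends to 192.168.11.1:1813 with an MD5 Request Authenticator computed over the packet and the key (RFC 2866), and the server discards packets whose authenticator does not verify, which is why Table 6-3 and Table 6-5 require the same key on both sides. Attribute values such as the session ID are constructed.

```python
"""RADIUS accounting authenticator check (added example, not Huawei code).

CORE sends Accounting-Request packets to 192.168.11.1:1813 and protects each with a
Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
(RFC 2866). The server recomputes it with its copy of the key; on mismatch the packet is dropped
silently, so a key typo on either side shows up as missing accounting, not as an error reply.
Attribute values below are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute type codes (RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
INTERIM_UPDATE = 3  # Acct-Status-Type value sent every 'accounting realtime' interval

SHARED_KEY = b"Admin@123"            # radius-server shared-key cipher Admin@123 on CORE
NAS_IP = bytes([192, 168, 11, 254])  # VLANIF 1000 on CORE


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Build an Accounting-Request with a valid Request Authenticator."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side validation; False for a malformed packet or a key mismatch."""
    if len(packet) < 20:
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    code, _, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side validation of the reply, which is bound to the request's authenticator."""
    if len(response) < 20:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def interim_update_for_user1(identifier: int = 7) -> bytes:
    """Constructed interim accounting record for the employee account user1."""
    attrs = (attr(USER_NAME, b"user1")
             + attr(NAS_IP_ADDRESS, NAS_IP)
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE))
             + attr(ACCT_SESSION_ID, b"CORE-constructed-session-0001"))
    return build_accounting_request(SHARED_KEY, identifier, attrs)


if __name__ == "__main__":
    pkt = interim_update_for_user1()
    print("server with matching key accepts:", verify_accounting_request(pkt, SHARED_KEY))
    print("server with other key accepts:   ", verify_accounting_request(pkt, b"Huawei@123"))
```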

Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit

Step 4 Configure 802.1X authentication for employees on CORE.

# Change the NAC mode to unified.

By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode

# Configure an 802.1X access profile.

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[CORE-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink interfaces Eth-Trunk 10 and Eth-Trunk 20.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit

# Configure 802.1X authentication for wireless access of employees in VAP profile vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

Step 5 Configure MAC address-prioritized Portal authentication for guests on CORE.

# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

# Configure a MAC access profile.
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[CORE-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit

Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip to the IP address of VLANIF 1000.

Step 7 Configure transparent transmission of 802.1X packets on both aggregation and access switches. The following uses access switch ACC1 (S5735-L) as an example. The configuration of other switches is similar to that of ACC1.

If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
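As an added example (Python, not Huawei code), the following models why Step 7 is needed: EAPOL frames carry the reserved destination 01-80-C2-00-00-03, which a switch that is not the authentication point terminates instead of forwarding, and the tunnel replaces it with the configured group MAC 01-00-00-00-00-02 so the frame crosses ACC1 and AGG1 to CORE. It assumes a simplified rewrite-on-ingress, restore-on-egress behaviour per tunnel-enabled interface, and all frames are constructed.

```python
"""Layer 2 protocol tunnel for 802.1X frames (added example, not Huawei code).

Models the command from Step 7:
  l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
Assumed, simplified behaviour: a tunnel-enabled ingress port rewrites the reserved destination to the
group MAC; a tunnel-enabled egress port restores it; a port without the tunnel terminates frames sent
to the reserved address. Sample frames are constructed.
"""
import struct
from typing import Optional

PROTOCOL_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address (reserved, not bridged)
GROUP_MAC = bytes.fromhex("010000000002")     # group-mac configured in Step 7
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying an EAPOL PDU (protocol version 2)."""
    eapol = struct.pack("!BBH", 2, eapol_type, len(body)) + body
    return PROTOCOL_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def is_eapol(frame: bytes) -> bool:
    return len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EAPOL, the EAPOL header."""
    info = {"dst": frame[:6].hex(), "src": frame[6:12].hex(),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if is_eapol(frame):
        version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
        info.update(eapol_version=version, eapol_type=EAPOL_TYPES.get(eapol_type, eapol_type),
                    eapol_len=length)
    return info


def switch_forward(frame: bytes, tunnel_on_ingress: bool, tunnel_on_uplink: bool) -> Optional[bytes]:
    """One switch between the supplicant and CORE (ACC1 or AGG1).

    Returns the frame as it leaves the uplink, or None if the switch consumed it.
    """
    if not is_eapol(frame):
        return frame                 # ordinary traffic is bridged untouched
    dst = frame[:6]
    if dst == PROTOCOL_MAC:
        if not tunnel_on_ingress:
            return None              # reserved address: terminated locally, never reaches CORE
        dst = GROUP_MAC              # ingress rewrite; now forwarded like any multicast frame
    if dst == GROUP_MAC and tunnel_on_uplink:
        dst = PROTOCOL_MAC           # egress restore
    return dst + frame[6:]


def core_receives(frame: Optional[bytes]) -> Optional[dict]:
    """CORE runs no tunnel, so it only processes EAPOL addressed to the PAE group address."""
    if frame is None or not is_eapol(frame) or frame[:6] != PROTOCOL_MAC:
        return None
    return parse_frame(frame)


def path_pc1_to_core(frame: bytes, acc1=(True, True), agg1=(True, True)) -> Optional[dict]:
    """PC1 -> ACC1 GE0/0/3 -> Eth-Trunk 30 -> AGG1 -> Eth-Trunk 10 -> CORE.

    Each tuple is (tunnel on the port facing PC1/ACC1, tunnel on the uplink) for that switch;
    the defaults reflect Step 7, which enables the tunnel on every interface of both switches.
    """
    frame = switch_forward(frame, *acc1)
    if frame is None:
        return None
    return core_receives(switch_forward(frame, *agg1))


if __name__ == "__main__":
    start = build_eapol(bytes.fromhex("dc729b7e70a2"), 1)  # EAPOL-Start; MAC from the verification output
    print("no tunnel      :", path_pc1_to_core(start, (False, False), (False, False)))
    print("tunnel (Step 7):", path_pc1_to_core(start))
```

A third scenario, the tunnel enabled on the user-facing ports only, leaves the group MAC on the frame when it reaches CORE, which then does not treat it as 802.1X; this is the reason Step 7 enables the command on the uplink Eth-Trunks as well.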

Step 8 Configure Agile Controller-Campus.

1. Add a switch.

Table 6-5 Parameter settings on Agile Controller-Campus and CORE

Parameter on Agile Controller-Campus | Configuration on Agile Controller-Campus | Configuration on CORE
-------------------------------------+------------------------------------------+----------------------
Name | CORE | -
IP address | 192.168.11.254 | IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | radius-server authorization 192.168.11.1 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | accounting realtime 15
Port | 2000 | Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key | Admin@123 | shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.40.0/24 | IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40
XMPP password | Admin@123 | group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254

a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.


Figure 6-3 Adding a device


b. Click the XMPP tab and set XMPP parameters.


Figure 6-4 XMPP

c. Click OK, select CORE, and click Synchronize. The communication status
of the switch becomes , and the synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 2
Controller protocol version: 2

2. Enable MAC address-prioritized Portal authentication.


a. Choose System > Terminal Configuration > Global Parameters >
Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab
page, enable MAC address-prioritized Portal authentication, and set
Validity period of MAC address (min) to 60.

Figure 6-5 Configuring MAC address-prioritized Portal authentication

3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.


Choose Resource > User > User Management. Click Add and create
employee account user1.

Figure 6-6 Adding an account

4. Configure security groups employee_group and guest_group to represent users, as well as security groups email_server and video_server to represent resources.
a. Choose Policy > Permission Control > Security Group > Dynamic
Security Group Management.
Click Add and create security group employee_group.


Figure 6-7 Adding dynamic security group employee_group

b. Click Add and create security group guest_group.

Figure 6-8 Adding dynamic security group guest_group


c. Choose Static Security Group Management, click Add, and create security group email_server.

Figure 6-9 Adding static security group mail_server

d. Click Add and create security group video_server.


Figure 6-10 Adding static security group video_server

e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. According to the
following table, bind employees to employee_group and click OK. Then bind
guests to guest_group and click OK.

Table 6-6 Quick authorization

User | User Information > User > Account | Access Information > Location > SSID | User Mode | Permission > Security group
-----+-----------------------------------+--------------------------------------+-----------+----------------------------
Wired employee user | user1 | - | Wired Access | employee_group
Wireless employee user | user1 | test01 | Wireless Access | employee_group
Guest | user2 | test02 | - | guest_group

Figure 6-11 Quick authorization

6. Configure access control policies and perform global deployment.
a. Choose System > Terminal Configuration > Global Parameters > Free
Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-7.


Table 6-7 Inter-group policies

Source Security Group | Destination Group email_server | Destination Group video_server | Destination Group Any | Destination Group employee_group | Destination Group guest_group
----------------------+--------------------------------+--------------------------------+-----------------------+----------------------------------+------------------------------
employee_group | Permit | Permit | Permit | N/A | Deny
guest_group | Deny | Permit | Permit | Deny | N/A

Figure 6-12 Adding network access rights

c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.

▪ display ucl-group all: checks security groups.
[CORE] display ucl-group all
ID   UCL group name
--------------------------------------------------------------------------------
1
2
--------------------------------------------------------------------------------
Total : 2

▪ display acl all: checks access control policies.
[CORE] display acl all
Total nonempty ACL number is 2

Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5

Ucl-group ACL Auto_PGM_U2 9997, 4 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 2 destination ucl-group 1
 rule 4 permit ip source ucl-group 2

Ucl-group ACL Auto_PGM_U1 9998, 4 rules
Acl's step is 5
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 1 destination ucl-group 2
 rule 4 permit ip source ucl-group 1

Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5

7. Save the configuration of CORE.
Choose Resource > Device > Device Management and click to save the configuration.

The save operation on Agile Controller-Campus is equivalent to running the save command on the device, which saves all the device configurations (including security groups and access control policies configured on Agile Controller-Campus) to the configuration file.
When security groups and access right control policies are saved to the
configuration file of a device, these configurations can be restored from the
configuration file after the device is restarted, without the need to request
configurations from Agile Controller-Campus. If these configurations are not
saved to the configuration file, user authentication will fail because such
configurations are unavailable after the device is restarted.

----End
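As an added example (Python, not Huawei or Agile Controller-Campus code), the following parses the Ucl-group ACLs from the display acl all output above and audits them against the intent in Table 6-7, so that a policy pushed incorrectly is caught before users depend on it. It assumes group index 1 is employee_group and 2 is guest_group (as the Dynamic group index values in the verification output show), first-match rule evaluation, and a wildcard of 0 meaning an exact host; the member addresses are taken from the verification output and the "Any" probe address is constructed.

```python
"""Audit of the free-mobility ACLs on CORE against Table 6-7 (added example, not Huawei code).

Assumptions: ucl-group 1 = employee_group, ucl-group 2 = guest_group; rules are evaluated in
ascending number and the first match decides; wildcard 0 means an exact host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

GROUP_ID = {"employee_group": 1, "guest_group": 2}
RESOURCE_IP = {"email_server": "192.168.11.100", "video_server": "192.168.11.110"}
MEMBER_IP = {"employee_group": "172.16.30.133", "guest_group": "172.16.40.9"}  # verification output

# The two user-group ACLs exactly as CORE displays them (copied from the display acl all output).
DISPLAY_ACL_ALL = """\
Ucl-group ACL Auto_PGM_U2 9997, 4 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 2 destination ucl-group 1
 rule 4 permit ip source ucl-group 2
Ucl-group ACL Auto_PGM_U1 9998, 4 rules
Acl's step is 5
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 1 destination ucl-group 2
 rule 4 permit ip source ucl-group 1
"""

# Intent from Table 6-7: (source group, destination) -> expected action.
INTENT = {
    ("employee_group", "email_server"): "permit",
    ("employee_group", "video_server"): "permit",
    ("employee_group", "Any"): "permit",
    ("employee_group", "guest_group"): "deny",
    ("guest_group", "email_server"): "deny",
    ("guest_group", "video_server"): "permit",
    ("guest_group", "Any"): "permit",
    ("guest_group", "employee_group"): "deny",
}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src_group: int
    dst_net: Optional[str] = None    # CIDR; None = any address
    dst_group: Optional[int] = None  # ucl-group id; None = any group

    def matches(self, src_group: int, dst_ip: str, dst_group: Optional[int]) -> bool:
        if src_group != self.src_group:
            return False
        if self.dst_net is not None and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_group is not None and dst_group != self.dst_group:
            return False
        return True


def wildcard_to_prefix(wildcard: str) -> int:
    """Huawei ACL wildcard ('0' or dotted) -> prefix length, assuming a contiguous mask."""
    octets = [int(o) for o in wildcard.split(".")] if "." in wildcard else [0, 0, 0, int(wildcard)]
    return 32 - bin(int.from_bytes(bytes(octets), "big")).count("1")


def parse_rules(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip source ucl-group G [destination ...]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "rule":
            continue
        dst_net = dst_group = None
        if len(tok) > 7 and tok[7] == "destination":
            if tok[8] == "ucl-group":
                dst_group = int(tok[9])
            else:
                dst_net = f"{tok[8]}/{wildcard_to_prefix(tok[9])}"
        rules.append(Rule(int(tok[1]), tok[2], int(tok[6]), dst_net, dst_group))
    return sorted(rules, key=lambda r: (r.src_group, r.number))


def evaluate(rules: List[Rule], src_group: int, dst_ip: str,
             dst_group: Optional[int] = None) -> Optional[str]:
    """First matching rule decides; None when no rule matches."""
    for rule in rules:
        if rule.matches(src_group, dst_ip, dst_group):
            return rule.action
    return None


def audit(rules: List[Rule], intent=INTENT) -> list:
    """Return (source, destination, expected, actual) for every intent entry the ACLs violate."""
    violations = []
    for (src, dst), expected in intent.items():
        if dst in RESOURCE_IP:
            actual = evaluate(rules, GROUP_ID[src], RESOURCE_IP[dst])
        elif dst in GROUP_ID:
            actual = evaluate(rules, GROUP_ID[src], MEMBER_IP[dst], GROUP_ID[dst])
        else:  # "Any": a constructed address outside every server and user range
            actual = evaluate(rules, GROUP_ID[src], "198.51.100.7")
        if actual != expected:
            violations.append((src, dst, expected, actual))
    return violations


RULES = parse_rules(DISPLAY_ACL_ALL)

if __name__ == "__main__":
    print("violations:", audit(RULES) or "none")
```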

Verifying the Deployment


● Run the display access-user username user-name detail command on CORE
to check detailed user login information, such as the authentication mode
(802.1X or Portal), terminal IP address, and security group.
[CORE] display access-user username user1 detail

Basic:


User ID : 49523
User name : user1
Domain-name : huawei.com
User MAC : dc72-9b7e-70a2
User IP address : 172.16.30.133
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss5111
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/08/08 08:45:00
User accounting session ID : CORE00220000000030aa****0104173
User access type : 802.1x
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test01
Online time : 43(s)
Dynamic group index(Effective) : 1
Service Scheme Priority :0

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Basic:
User ID : 115814
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.60.133
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/60
User vlan source : user request
User access time : 2019/08/08 08:12:29
User accounting session ID : CORE002200000000604e****0304466
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic group index(Effective) : 1

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 2, printed: 2
[CORE] display access-user username user2 detail

Basic:
User ID : 52993
User name : user2
Domain-name : huawei.com
User MAC : dc72-9b7e-70a2
User IP address : 172.16.40.9
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss5112
User vlan event : Success


QinQVlan/UserVlan : 0/40
User vlan source : user request
User access time : 2019/08/08 08:57:47
User accounting session ID : CORE0022000000004005****0104f01
User access type : WEB
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test02
Online time : 23(s)
Web-server IP address : 192.168.100.10
Dynamic group index(Effective) : 2
Service Scheme Priority :0

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1

● Choose Resource > User > Online User Management on Agile Controller-Campus to check the user login information and the security groups to which users belong.
● Verify that you can access the mail and video servers using the employee account after passing 802.1X authentication, no matter where the terminals are located.
● Verify that you can access only the video server using the guest account after passing MAC address-prioritized Portal authentication, no matter where the terminal is located.
● Verify that the employee and guest cannot communicate with each other.

Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
ucl-group 1
ucl-group 2
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#


acl name Auto_PGM_OPEN_POLICY 3999
#
acl name Auto_PGM_U9 9997
rule 1 deny ip source ucl-group 9 destination 192.168.11.100 0
rule 2 permit ip source ucl-group 9 destination 192.168.11.110 0
rule 3 deny ip source ucl-group 9 destination ucl-group 8
rule 4 permit ip source ucl-group 9
acl name Auto_PGM_U8 9998
rule 1 permit ip source ucl-group 8 destination 192.168.11.100 0
rule 2 permit ip source ucl-group 8 destination 192.168.11.110 0
rule 3 deny ip source ucl-group 8 destination ucl-group 9
rule 4 permit ip source ucl-group 8
acl name Auto_PGM_PREFER_POLICY 9999
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
traffic-filter inbound acl name Auto_PGM_PREFER_POLICY
traffic-filter inbound acl name Auto_PGM_U8
traffic-filter inbound acl name Auto_PGM_U9
traffic-filter inbound acl 9996
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

● AGG2 configuration file
#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

● ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return
● ACC2 configuration file
#
sysname ACC2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

6.3 Native AC + Policy Association Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Policy association is deployed between core switches and access switches. The
core switches function as control devices to centrally authenticate users and
manage user access policies, and access devices only need to execute user
access policies. This function not only controls network access rights of users,
but also simplifies the configuration and management of access devices.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.

Figure 6-13 Core switches functioning as the authentication point for wired and
wireless users

[Figure 6-13: topology diagram. The server zone (DNS server, authentication server) attaches to CORE (a CSS) on XGE1/2/0/1. CORE connects to AGG1 over Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) and to AGG2 over Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1); AGG1 and AGG2 uplink on XGE0/0/1 and XGE1/0/1. AGG1 connects to ACC1 over Eth-Trunk 30 (GE0/0/3 and GE1/0/3 on AGG1, GE0/0/1 and GE0/0/2 on ACC1); AGG2 connects to ACC2 over Eth-Trunk 40 (same ports). ACC1 GE0/0/3 connects PC1 and GE0/0/4 connects AP1; ACC2 GE0/0/3 connects PC2 and GE0/0/4 connects AP2. CORE is the authentication point; ACC1 and ACC2 are the access points.]


Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer | Modular switches configured with X series cards, or Layer 3 fixed switches that support the native AC function, such as S5731-H switches | S12700E | V200R019C10
Aggregation layer | - | S5731-H | V200R019C10
Access layer | - | S5735-L | V200R019C10
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure AAA on core switches that function as control devices, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE)
2 | Configure a pre-authentication domain, a post-authentication domain, and the escape function, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty. | Core switches (CORE)
3 | Configure the policy association function on core and access switches. | Core switches (CORE) and access switches (ACC1 and ACC2)
4 | Configure 802.1X authentication for employees. | Core switches (CORE) and access switches (ACC1 and ACC2)
5 | Configure MAC address-prioritized Portal authentication for guests. | Core switches (CORE) and access switches (ACC1 and ACC2)
6 | Configure transparent transmission for 802.1X packets. | Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2)
7 | Log in to Agile Controller-Campus, configure parameters for interconnection with CORE, and configure RADIUS and Portal parameters. | Agile Controller-Campus

Data Plan

Table 6-8 Service data plan for core switches

Item | VLAN ID | Network Segment
Management VLAN for APs | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users | VLAN 30, VLAN 40 | 172.16.30.0/24, 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24

Table 6-9 Wireless service data plan for core switches

Item | Data
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | test01, test02
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)


Table 6-10 Authentication service data plan for core switches

Item | Data
AAA schemes | Authentication scheme:
  ● Name: auth
  ● Authentication mode: RADIUS
  Accounting scheme:
  ● Name: acco
  ● Accounting mode: RADIUS
RADIUS server | ● RADIUS server template name: tem_rad
  ● IP address of the authentication server: 192.168.11.1
  ● Port number of the authentication server: 1812
  ● IP address of the accounting server: 192.168.11.1
  ● Port number of the accounting server: 1813
  ● Accounting interval: 15 minutes
  ● Authentication and accounting keys: Admin@123
  ● Authorization key: Admin@123
Portal server | ● Portal server template name: tem_portal
  ● IP address: 192.168.11.1
  ● Port number: 50200
  ● Shared key: Admin@123
  ● Portal server detection: enabled
Portal access profile | Name: web1
802.1X access profile | ● Name: d1
  ● Authentication mode: EAP
MAC access profile | Name: mac1
Pre-authentication domain | IP address of the DNS server: 192.168.11.2
Post-authentication domains | ● Employees: service server and Internet
  ● Guests: Internet
  The IP addresses of the service server and campus egress device are 192.168.11.3 and 172.16.3.1, respectively.

Table 6-11 Service data plan for Agile Controller-Campus

Item | Data
IP address of CORE | 192.168.11.254
RADIUS parameters | ● Device series: Huawei S series switches
  ● Authentication and accounting keys: Admin@123
  ● Authorization key: Admin@123
  ● Real-time accounting interval: 15 minutes
Portal parameters | ● Port number: 2000
  ● Portal key: Admin@123
  ● IP addresses of access terminals: Wireless: 192.168.13.0/24; Wired: 192.168.14.0/24
XMPP password | Admin@123
Accounts | Employee:
  ● User name: user1
  ● Password: Huawei@123
  Guest:
  ● User name: user2
  ● Password: Guest@123
Post-authentication domains | ● Employees: service server and Internet
  ● Guests: Internet
  ● Employees and guests cannot communicate with each other.


Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R003C50 functions
as the Portal server and RADIUS server.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● For details about the devices that can function as control and access devices
in a policy association scenario and other precautions, see "Licensing
Requirements and Limitations for Policy Association" in S12700 Series Agile
Switches Product Use Precautions.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.

User Access Authentication Mode | Security Policy
MAC address authentication or Portal authentication | Open system authentication
802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For employees who use 802.1X authentication, configure a security policy in
security profile sec1 as follows:
[CORE] wlan
[CORE-wlan-view] security-profile name sec1
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
[CORE-wlan-sec-prof-sec1] quit

For guests who use MAC address-prioritized Portal authentication, configure a
security policy in security profile sec2 as follows (the default security policy is
open):
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] security open
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] quit


Step 2 Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

# Configure AAA schemes, set the authentication, authorization, and accounting
modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server and CAPWAP management network segment to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 24
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit

Step 4 Configure the policy association function on core and access switches.
# Configure Eth-Trunk 10 and Eth-Trunk 20 on CORE as control points.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication control-point
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication control-point
[CORE-Eth-Trunk20] quit

# Configure GE0/0/3 on ACC1 as the access point. The configuration of ACC2 is
similar to that of ACC1.
<ACC1> system-view
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication access-point
[ACC1-GigabitEthernet0/0/3] quit

# Configure ACLs and ACL rules for user authorization on CORE. Specifically,
configure ACL 3001 and ACL 3002 to control the network access rights of
employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit
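As an added illustration that is not part of the original document, the following Python script replays these two authorization ACLs against destinations from this example's data plan, using first-match evaluation in ascending rule-ID order and Huawei wildcard-mask semantics, so the employee and guest decisions can be compared before the ACLs are handed out by RADIUS. The rule text is copied from the commands above; the destination labels and the guest-host address 172.16.40.9 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the two authorization ACLs from Step 4, rule text only
# (CLI prompts stripped).
ACL_3001_EMPLOYEE = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0.0.0.0
rule 3 deny ip destination any
"""
ACL_3002_GUEST = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip destination any
"""

_RULE = re.compile(r"rule (\d+) (permit|deny) ip destination "
                   r"(?:(any)|(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+))")


def parse_acl(text):
    """Parse 'rule <id> permit|deny ip destination <ip> <wildcard>|any' lines
    into (rule_id, action, dst_int, wildcard_int); wildcard None means any."""
    rules = []
    for line in text.strip().splitlines():
        m = _RULE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, action = int(m.group(1)), m.group(2)
        if m.group(3):
            rules.append((rid, action, None, None))
        else:
            rules.append((rid, action,
                          int(ipaddress.IPv4Address(m.group(4))),
                          int(ipaddress.IPv4Address(m.group(5)))))
    # The default VRP match order ("config") evaluates rules by ascending rule ID.
    return sorted(rules, key=lambda r: r[0])


def rule_matches(rule, dst_ip):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    _, _, dst, wildcard = rule
    if wildcard is None:
        return True
    care = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(dst_ip)) & care) == (dst & care)


def evaluate(rules, dst_ip):
    """Return (rule_id, action) of the first matching rule, or None when no
    rule matches (the device's default behaviour then applies)."""
    for rule in rules:
        if rule_matches(rule, dst_ip):
            return rule[0], rule[1]
    return None


# Destinations taken from this example's data plan plus one constructed guest host.
DESTINATIONS = {
    "campus egress (Internet)": "172.16.3.1",
    "service server": "192.168.11.3",
    "guest wireless host": "172.16.40.9",
}


def access_matrix():
    """Decision per role and destination: {role: {destination label: action}}."""
    acls = {"employee": parse_acl(ACL_3001_EMPLOYEE),
            "guest": parse_acl(ACL_3002_GUEST)}
    return {role: {label: evaluate(rules, ip)[1] for label, ip in DESTINATIONS.items()}
            for role, rules in acls.items()}


if __name__ == "__main__":
    for role, decisions in access_matrix().items():
        print(role, decisions)
```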

# Set the access switch login authentication mode to none authentication on
CORE.
[CORE] as-auth
[CORE-as-auth] auth-mode none
[CORE-as-auth] quit

# Configure the source interface of the CAPWAP tunnel on CORE.
[CORE] capwap source interface vlanif 20

# Configure the source interface for establishing a CAPWAP tunnel on each access
switch. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on CORE

# Enable access switches to allow packets destined for the DNS server to pass
through. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.2 mask 24
[ACC1-free-rule-default_free_rule] quit

Step 5 On CORE, configure 802.1X authentication for employees and MAC address-
prioritized Portal authentication for guests.
Configure 802.1X authentication for employees.
# Change the NAC mode to unified.

By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode

# Configure an 802.1X access profile.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink
interfaces Eth-Trunk 10 and Eth-Trunk 20.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit

# Configure 802.1X authentication for wireless access of employees in VAP profile
vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

Configure MAC address-prioritized Portal authentication for guests.
# Configure Portal server template tem_portal, and set parameters for
interconnection between CORE and the Portal server. The parameters include the
IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1 //Configure the IP address of the Portal server.
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123 //Configure a shared key used by CORE to exchange information with the Portal server, which must be the same as that configured on Agile Controller-Campus.
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal //Configure a URL for the Portal server.
[CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

# Configure a MAC access profile.
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests in the VAP
profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
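The following Python script is an added example, not from the original document or from Huawei, that audits a saved CORE configuration for the cross-references Steps 2 to 5 set up: each authentication profile must point at existing access profiles, free-rule template and domain, the domain at an existing RADIUS server template, the Portal access profile at an existing Portal server template, the Portal server template must carry server-detect, and an interface that binds an authentication profile must also be a policy-association control point (this example's design). The embedded configuration is a constructed, shortened version with two planted defects, and the line-based parser is written for this example only.

```python
import re

# Object headers this audit understands: (kind, regex matched against a whole line).
NAMED = ["authentication-profile", "dot1x-access-profile", "mac-access-profile",
         "portal-access-profile", "free-rule-template", "vap-profile"]
HEADERS = [(k, rf"{k} name (\S+)") for k in NAMED] + [
    ("web-auth-server", r"web-auth-server (\S+)"),
    ("radius-template", r"radius-server template (\S+)"),
    ("domain", r"domain (\S+)"), ("interface", r"interface (\S+)")]
# authentication-profile sub-command -> kind of object it must point at.
PROFILE_REFS = {k: k for k in NAMED[1:5]}
PROFILE_REFS["access-domain"] = "domain"

# Constructed sample: a cut-down CORE configuration reusing this example's names.
# Two defects are planted: tem_portal lacks server-detect, and Eth-Trunk20 binds
# p1 without being made a policy-association control point.
SAMPLE_CONFIG = """\
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 access-domain huawei.com force
#
radius-server template tem_rad
#
web-auth-server tem_portal
 server-ip 192.168.11.1
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
aaa
 domain huawei.com
  radius-server tem_rad
#
interface Eth-Trunk10
 authentication control-point
 authentication-profile p1
#
interface Eth-Trunk20
 authentication-profile p1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
"""


def parse_vrp(text):
    """Map (kind, name) of each recognised object to its sub-command lines."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):   # '#' closes a top-level block
            current = None
            continue
        for kind, pattern in HEADERS:
            m = re.fullmatch(pattern, line)
            if m:
                current = (kind, m.group(1))
                objects.setdefault(current, [])
                break
        else:
            if current is not None:
                objects[current].append(line)
    return objects


def _arg(attrs, keyword):
    """Argument of the first sub-command that starts with keyword, or None."""
    hits = [a.split()[1] for a in attrs if a.split()[0] == keyword and len(a.split()) > 1]
    return hits[0] if hits else None


def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    objs, findings = parse_vrp(text), []
    def require(kind, name, where):
        if name and (kind, name) not in objs:
            findings.append(f"{where}: references undefined {kind} {name}")
    for (kind, name), attrs in objs.items():
        where = f"{kind} {name}"
        if kind == "authentication-profile":
            for kw, target in PROFILE_REFS.items():
                require(target, _arg(attrs, kw), where)
        elif kind == "domain":
            require("radius-template", _arg(attrs, "radius-server"), where)
        elif kind == "portal-access-profile":
            require("web-auth-server", _arg(attrs, "web-auth-server"), where)
        elif kind == "web-auth-server" and not any(a.startswith("server-detect") for a in attrs):
            findings.append(f"{where}: no server-detect, Portal server detection is off")
        elif kind in ("interface", "vap-profile"):
            prof = _arg(attrs, "authentication-profile")
            require("authentication-profile", prof, where)
            if kind == "interface" and prof and "authentication control-point" not in attrs:
                findings.append(f"{where}: binds {prof} but is not a control-point")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the two planted defects; running it over a real `display current-configuration` dump of CORE after Step 5 should report nothing.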

Step 6 Configure 802.1X authentication for employees on access switches. The following
uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.

# Configure an 802.1X access profile.
[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on the downlink
interface GE0/0/3.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
[ACC1-GigabitEthernet0/0/3] quit

Step 7 Configure transparent transmission of 802.1X packets on both aggregation
switches (AGG1 and AGG2) and access switches (ACC1 and ACC2).
# Configure aggregation switches. The following uses AGG1 as an example. The
configuration of AGG2 is similar to that of AGG1.
[AGG1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] l2protocol-tunnel user-defined-protocol 802.1x enable
[AGG1-Eth-Trunk10] quit
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[AGG1-Eth-Trunk30] quit

# Configure access switches. The following uses ACC1 as an example. The
configuration of ACC2 is similar to that of ACC1.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit

Step 8 Configure Agile Controller-Campus.
1. Log in to Agile Controller-Campus.
Open a browser, enter the access address of Agile Controller-Campus in the
address box, and press Enter.
The following table describes addresses for accessing Agile Controller-Campus.

Access Address | Description
https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP indicates the IP address of Agile Controller-Campus.
IP address of Agile Controller-Campus | If port 80 is enabled during installation, you can access Agile Controller-Campus by simply entering its IP address without the port number. In this case, the Agile Controller-Campus URL will automatically change to https://Agile Controller-Campus-IP:8443.

If you log in to Agile Controller-Campus for the first time, use the super
administrator user name admin and password Changeme123. Change the
password immediately after the first login. Otherwise, Agile Controller-
Campus cannot be used.
2. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters.

Table 6-12 RADIUS and Portal parameters

Parameter | Value | Description
Name | CORE | -
IP address | 192.168.11.254 | IP address of a switch's interface that can communicate with the service controller.
Authentication/Accounting key | Admin@123 | Same as the shared key of the RADIUS server configured on the switch.
Authorization key | Admin@123 | Same as the authorization key of the RADIUS server configured on the switch.
Real-time accounting interval (minute) | 15 | Same as that configured on the switch.
Port | 2000 | Port used by the switch to communicate with the Portal server. Use the default value.
Portal key | Admin@123 | Same as that configured on the switch.
Enable heartbeat between access device and Portal server | Selected | Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list can the Portal server periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.
Portal server IP address list | 192.168.11.1 | See the description of Enable heartbeat between access device and Portal server.

Figure 6-14 Adding a device

3. Create user groups and accounts. The following describes how to configure
the user group employee. The configuration of the user group guest is
similar.


a. Choose Resource > User > User Management.

b. Click in the operation area on the left, and create the user group
employee.

Figure 6-15 Adding a user group

c. Click Add in the operation area on the right, and add an account.


Figure 6-16 Adding an account

d. Click Transfer in the operation area on the right, and add the account to
the user group employee.


Figure 6-17 Adding an account to a user group

4. Enable MAC address-prioritized Portal authentication.


a. Choose System > Terminal Configuration > Global Parameters >
Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab
page, enable MAC address-prioritized Portal authentication, and set
Validity period of MAC address (min) to 60.


Figure 6-18 Configuring MAC address-prioritized Portal authentication

5. Configure authorization. End users will match authorization rules based on
specified conditions. The following describes how to configure authorization
for employees. The configuration for guests is similar.
a. Choose Policy > Permission Control > Authentication & Authorization>
Authorization Result, and configure a post-authentication domain for
employees.


Figure 6-19 Adding an authorization result

b. Choose Resource > User > IP Address Range, set the name of an IP
address range to wire, and add IP address segments 172.16.50.0/24 and
172.16.60.0/24.


Figure 6-20 Adding an IP address range

Figure 6-21 Adding an IP address range

c. Choose Policy > Permission Control > Authentication & Authorization
> Authorization Rule, and configure authorization rules for employees
and guests according to the following tables. The following describes how
to configure authorization rules for employees. The configuration for
guests is similar.


Table 6-13 Authorization rule for wired access of employees

Name: wire_employee_auth_rule
User Group: employee
Terminal IP Address Range: wire
Authorization Result: employee_domain

Table 6-14 Authorization rule for wireless access of employees

Name: wireless_employee_auth_rule
User Group: employee
SSID: test01
Authorization Result: employee_domain

Table 6-15 Authorization rule for guests

Name: guest_auth_rule
User Group: guest
SSID: test02
Authorization Result: guest_domain
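The three rules above are evaluated against a session's user group plus one access condition (a terminal IP address range for wired access, an SSID for wireless access). The following Python model, added here and not part of Agile Controller-Campus or of this guide, shows that matching: a session gets the authorization result of the first rule whose conditions all hold, and a session that matches no rule (for instance a guest account associating with the employee SSID test01) gets no result at all. Rule names, groups, SSIDs and the "wire" range are taken from Tables 6-13 to 6-15 and Figure 6-20; the Session class, the sample sessions and the first-match order are assumptions of this example.

```python
"""Match access sessions against the authorization rules in Tables 6-13 to 6-15.

Added example, not Agile Controller-Campus code. Rule names, user groups,
SSIDs and the "wire" IP address range come from this configuration example;
the Session class, the sample sessions and first-match ordering are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Terminal IP address range "wire", as added under Resource > User > IP Address Range.
IP_RANGES = {"wire": (ip_network("172.16.50.0/24"), ip_network("172.16.60.0/24"))}


@dataclass(frozen=True)
class AuthzRule:
    name: str
    user_group: str
    result: str                      # authorization result (post-authentication domain)
    ip_range: Optional[str] = None   # condition: terminal IP lies in this named range
    ssid: Optional[str] = None       # condition: wireless terminal is on this SSID


# The three rules from Tables 6-13, 6-14 and 6-15, in table order.
RULES = (
    AuthzRule("wire_employee_auth_rule", "employee", "employee_domain", ip_range="wire"),
    AuthzRule("wireless_employee_auth_rule", "employee", "employee_domain", ssid="test01"),
    AuthzRule("guest_auth_rule", "guest", "guest_domain", ssid="test02"),
)


@dataclass(frozen=True)
class Session:
    username: str
    user_group: str
    terminal_ip: str
    ssid: Optional[str] = None   # None means wired access


def rule_matches(rule: AuthzRule, session: Session) -> bool:
    """Every condition set on the rule must hold; unset conditions are ignored."""
    if rule.user_group != session.user_group:
        return False
    if rule.ip_range is not None:
        addr = ip_address(session.terminal_ip)
        if not any(addr in net for net in IP_RANGES[rule.ip_range]):
            return False
    if rule.ssid is not None and session.ssid != rule.ssid:
        return False
    return True


def authorize(session: Session, rules=RULES) -> Optional[Tuple[str, str]]:
    """Return (rule name, authorization result) of the first matching rule,
    or None when no rule matches, i.e. the session gets no authorization result."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.name, rule.result
    return None


if __name__ == "__main__":
    # Constructed sessions for user1 and user2 on the segments in the data plan.
    for s in (Session("user1", "employee", "172.16.50.161"),
              Session("user1", "employee", "172.16.30.20", ssid="test01"),
              Session("user2", "guest", "172.16.40.20", ssid="test02"),
              Session("user2", "guest", "172.16.40.20", ssid="test01")):
        print(s.username, s.ssid or "wired", "->", authorize(s))
```

The last constructed session is the one worth checking in a real deployment: the guest account has a valid password but no rule for SSID test01, so it must not end up in employee_domain.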


Figure 6-22 Authorization rule for wired access of employees


Figure 6-23 Authorization rule for wireless access of employees


----End

Verifying the Deployment

Check Item: Employee authentication
Expected Result:
● An employee can use the 802.1X client on a wired terminal to complete 802.1X authentication.
● The employee can use a mobile terminal to associate with the SSID test01 and complete 802.1X authentication to access the Wi-Fi network.
● After the employee is authenticated, you can run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the employee account.

Check Item: Guest authentication
Expected Result:
● A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network. After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.

The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 115871
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 172.16.50.161
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10 //Interface on which the user goes online
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/08/13 10:02:31
User accounting session ID : CORE00210000000050ab****030449f
User access type : 802.1x //User access type
AS ID : 0 //ID of the access device
AS name : acc1 //Name of the access device
AS IP : 192.168.20.56 //IP address of the access device
AS MAC : 000b-099d-eb3b //MAC address of the access device
AS Interface : GigabitEthernet0/0/2 //Access point
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization ACL
Dynamic service scheme : test //Service scheme

AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1


Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
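When verifying many sessions, the fields of the display access-user output above are easier to check by script than by eye. The following Python parser is an added example, not Huawei code: it turns the Basic and AAA sections into dictionaries, strips the // annotations that this guide adds after some values, and then checks that the session carries the authentication domain, access type, authorization ACL and AAA methods that the data plan of this example prescribes for user1, plus that the user's IP address lies in the segment planned for its user VLAN. The sample output is a constructed copy of the session shown above; the expected values and the VLAN-to-segment map are taken from this example, and the verify_session function and its output format are assumptions.

```python
"""Parse and verify 'display access-user username <user> detail' output.

Added example, not Huawei code. Section and field names follow the output
printed in this guide; expected values for user1 come from this example's data
plan. The sample below is a constructed copy of that output.
"""
from ipaddress import ip_address, ip_network

SAMPLE_OUTPUT = """\
Basic:
User ID : 115871
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 172.16.50.161
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10 //Interface on which the user goes online
QinQVlan/UserVlan : 0/50
User access time : 2019/08/13 10:02:31
User access type : 802.1x //User access type
AS ID : 0 //ID of the access device
AS IP : 192.168.20.56 //IP address of the access device
Dynamic ACL ID(Effective) : 3001 //Authorization ACL

AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1
"""

# Wired service VLANs and their segments from Table 6-16.
SEGMENT_BY_VLAN = {50: ip_network("172.16.50.0/24"), 60: ip_network("172.16.60.0/24")}


def parse_access_user(text):
    """Return {section: {field: value}} for the Basic/AAA sections of the output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Total:"):
            continue
        if line.endswith(":") and line.count(":") == 1:   # "Basic:" / "AAA:" headers
            current = line[:-1]
            sections[current] = {}
            continue
        field, sep, value = line.partition(":")           # split at the first colon only,
        if not sep or current is None:                     # so IPv6 values survive intact
            continue
        # Drop the '//' explanations the guide prints after some values.
        sections[current][field.strip()] = value.split("//", 1)[0].strip()
    return sections


# What an employee session must show according to this example's data plan.
EXPECTED_EMPLOYEE = {
    ("Basic", "Domain-name"): "huawei.com",
    ("Basic", "User access type"): "802.1x",
    ("Basic", "Dynamic ACL ID(Effective)"): "3001",
    ("AAA", "User authentication type"): "802.1x authentication",
    ("AAA", "Current authentication method"): "RADIUS",
    ("AAA", "Current accounting method"): "RADIUS",
}


def verify_session(sections, expected=EXPECTED_EMPLOYEE):
    """Return a list of problems; an empty list means the session matches the plan."""
    problems = []
    for (section, field), want in expected.items():
        got = sections.get(section, {}).get(field)
        if got != want:
            problems.append(f"{section}/{field}: expected {want!r}, got {got!r}")
    basic = sections.get("Basic", {})
    try:
        user_vlan = int(basic["QinQVlan/UserVlan"].split("/")[1])
        addr = ip_address(basic["User IP address"])
    except (KeyError, ValueError, IndexError):
        problems.append("Basic: user VLAN or IP address missing or malformed")
        return problems
    segment = SEGMENT_BY_VLAN.get(user_vlan)
    if segment is None or addr not in segment:
        problems.append(f"Basic/User IP address: {addr} is not in the segment planned for VLAN {user_vlan}")
    return problems


if __name__ == "__main__":
    parsed = parse_access_user(SAMPLE_OUTPUT)
    print(verify_session(parsed) or "session matches the data plan")
```

A session that shows ACL 3002 for an employee, or an authentication method other than RADIUS, is reported as a problem rather than silently accepted, which is the check worth automating after any change to the authorization rules on the controller.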

Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.0.0
free-rule 2 source vlan 20
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.11.1:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius


accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication control-point
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication control-point
authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
capwap source interface vlanif20
#


wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● AGG1 configuration file


#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable


#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
return

● AGG2 configuration file


#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk40
port link-type trunk
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
return

● ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1


#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return

● ACC2 configuration file


#
sysname ACC2
#
vlan batch 20 60
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk40
port link-type trunk
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#


interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return

6.4 Native AC + NAC Solution: Core Switches Function as the Authentication
Point for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● The authentication server delivers authorization ACLs to control network
access rights of different users.


Figure 6-24 Core switches functioning as the authentication point for wired and
wireless users

[Figure: network topology. The server zone (including RADIUS and DNS servers)
connects to CORE, a CSS at the core layer, through XGE1/2/0/1. CORE connects
to AGG1 through Eth-Trunk 10 (XGE1/1/0/1 and XGE2/1/0/2 on CORE; XGE0/0/1 and
XGE1/0/1 on AGG1) and to AGG2 through Eth-Trunk 20 (XGE1/1/0/2 and XGE2/1/0/1
on CORE; XGE0/0/1 and XGE1/0/1 on AGG2). At the aggregation layer, AGG1
connects to ACC1 through Eth-Trunk 30 (GE0/0/3 and GE1/0/3 on AGG1; GE0/0/1
and GE0/0/2 on ACC1), and AGG2 connects to ACC2 through Eth-Trunk 40 (GE0/0/3
and GE1/0/3 on AGG2; GE0/0/1 and GE0/0/2 on ACC2). At the access layer, PC1
and AP1 connect to GE0/0/3 and GE0/0/4 on ACC1, and PC2 and AP2 connect to
GE0/0/3 and GE0/0/4 on ACC2. Legend: CORE is the authentication point; the
access switches are the access points.]

Device Requirements and Versions

Location: Core layer
Device Requirement:
● Modular switches configured with X series cards
● Layer 3 fixed switches that support the native AC function, such as S5731-H switches
Device Used in This Example: S12700E
Version Used in This Example: V200R019C10

Location: Aggregation layer
Device Requirement: -
Device Used in This Example: S5731-H

Location: Access layer
Device Requirement: -
Device Used in This Example: S5735-L

Location: AP
Device Requirement: -
Device Used in This Example: AP6050DN
Version Used in This Example: V200R019C00


Deployment Roadmap

Step 1: Configure AAA, including configuring a RADIUS server template, AAA
schemes, and authentication domains to enable user authentication,
authorization, and accounting through RADIUS, as well as configuring
parameters for interconnection between switches and the RADIUS server.
Devices involved: core switches (CORE).

Step 2: Configure a pre-authentication domain, a post-authentication domain,
and the escape function, so that users have corresponding rights before and
after being authenticated as well as when Agile Controller-Campus is faulty.
Devices involved: core switches (CORE).

Step 3: Configure 802.1X authentication for employees.
Devices involved: core switches (CORE).

Step 4: Configure MAC address-prioritized Portal authentication for guests.
Devices involved: core switches (CORE).

Step 5: Configure transparent transmission for 802.1X packets.
Devices involved: aggregation switches (AGG1 and AGG2) and access switches
(ACC1 and ACC2).

Step 6: Log in to Agile Controller-Campus, add users, and configure
parameters for interconnection with CORE, RADIUS and Portal parameters, as
well as the authentication and authorization functions.
Devices involved: Agile Controller-Campus.

Data Plan

Table 6-16 Service data plan for core switches

Management VLAN for APs: VLAN 20, 192.168.20.0/24
Service VLANs for wireless users: VLAN 30, 172.16.30.0/24; VLAN 40, 172.16.40.0/24
Service VLAN for a wired user (PC1): VLAN 50, 172.16.50.0/24
Service VLAN for a wired user (PC2): VLAN 60, 172.16.60.0/24
VLAN for communication with servers: VLAN 1000, 192.168.11.254/24

Table 6-17 Wireless service data plan for core switches

AP group: ap-group1
Regulatory domain profile: domain1
SSID profiles: test01, test02
VAP profiles: vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 6-18 Authentication service data plan for core switches

AAA schemes:
Authentication scheme:
● Name: auth
● Authentication mode: RADIUS
Accounting scheme:
● Name: acco
● Accounting mode: RADIUS

RADIUS server:
● RADIUS server template name: tem_rad
● IP address of the authentication server: 192.168.11.1
● Port number of the authentication server: 1812
● IP address of the accounting server: 192.168.11.1
● Port number of the accounting server: 1813
● Accounting interval: 15 minutes
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123

Portal server:
● Portal server template name: tem_portal
● IP address: 192.168.11.1
● Port number: 50200
● Shared key: Admin@123
● Portal server detection: enabled

802.1X access profile:
● Name: d1
● Authentication mode: EAP

Portal access profile: Name: web1

MAC access profile: Name: mac1

Pre-authentication domain: IP address of the DNS server: 192.168.11.2

Post-authentication domains:
● Employees: service server and Internet
● Guests: Internet
The IP addresses of the service server and campus egress device are
192.168.11.3 and 172.16.3.1, respectively.

Escape function (RADIUS server Down and Portal server Down):
● Status: enabled
● Network access rights: same as those in the post-authentication domain

Table 6-19 Service data plan for Agile Controller-Campus

IP address of CORE: 192.168.11.254

RADIUS parameters:
● Device series: Huawei S series switches
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Real-time accounting interval: 15 minutes

Portal parameters:
● Port number: 2000
● Portal key: Admin@123
● IP addresses of access terminals: 172.16.30.0/24, 172.16.40.0/24

Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123

Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R001 functions as
the Portal server and RADIUS server. In addition to V100R001, Agile
Controller-Campus can also run V100R002 or V100R003.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.

For other precautions, see "Licensing Requirements and Limitations for NAC Unified Mode"
in the S12700 Series Agile Switches Product Use Precautions.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.


User Access Authentication Mode: MAC address authentication or Portal authentication
Security Policy: Open system authentication

User Access Authentication Mode: 802.1X authentication
Security Policy: WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For employees who use 802.1X authentication, configure a security policy in
security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

For guests who use MAC address-prioritized Portal authentication, configure a
security policy in security profile sec2 as follows (the default security policy is
open):
[CORE-wlan-sec-prof-sec2] security open

Step 2 Configure AAA on CORE.

# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
<CSS> system-view
[CSS] sysname CORE
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server. The authorization key must be the
same as the one configured on Agile Controller-Campus (Admin@123 in this example).
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

# Configure AAA schemes, set the authentication, authorization, and accounting
modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

Step 3 Configure a pre-authentication domain, a post-authentication domain, and the
escape function on CORE.


# Configure a pre-authentication domain to allow packets destined for the DNS
server to pass through before users are authenticated.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit

# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to
control the network access rights of employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit

# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[CORE] aaa
[CORE-aaa] service-scheme s1 //Configure service scheme s1 for authorization of employees if Agile Controller-Campus is faulty.
[CORE-aaa-service-s1] acl-id 3001
[CORE-aaa-service-s1] quit
[CORE-aaa] service-scheme s2 //Configure service scheme s2 for authorization of guests if Agile Controller-Campus is faulty.
[CORE-aaa-service-s2] acl-id 3002
[CORE-aaa-service-s2] quit
[CORE-aaa] quit
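ACL 3001 and ACL 3002 decide what an authenticated employee or guest can reach, both when delivered by the RADIUS server and when applied through service schemes s1 and s2 during escape, so it is worth checking their effect on concrete destinations before deployment. The following Python evaluator is an added example, not Huawei code: it parses acl number / rule lines in the two spellings used on this page (the configuration file's "192.168.11.3 0" and "deny ip", and this step's "0.0.0.0" and "deny ip destination any"), applies the wildcard-mask convention of those rules (a 1 bit in the wildcard means the corresponding address bit is ignored), and walks the rules in order with first-match semantics. The ACL text is a constructed copy of the two ACLs above; the sample destinations (the egress segment 172.16.3.0/24, the service server 192.168.11.3 and an address in another user segment) are taken from the data plan, and the parse_acls and evaluate functions are assumptions of this example. The evaluator returns None when no rule matches instead of assuming a default action; both ACLs here end with an explicit deny, so that case does not arise for them.

```python
"""Evaluate the post-authentication ACLs 3001 (employees) and 3002 (guests).

Added example, not Huawei code. The ACL text is a constructed copy of the
rules in this step and in the CORE configuration file; the parser, the
wildcard-mask matching and first-match evaluation are assumptions of the
example, not a description of switch internals.
"""
from ipaddress import IPv4Address

# Constructed input covering both rule spellings found on this page.
ACL_CONFIG = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip destination any
"""


def _wildcard(text):
    """Wildcard written as '0' is the same as 0.0.0.0 (match the host exactly)."""
    return 0 if text == "0" else int(IPv4Address(text))


def parse_acls(config):
    """Return {acl_number: [(rule_id, action, dest)]}; dest is None for any
    destination, else an (address, wildcard) pair of 32-bit integers."""
    acls, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl" and parts[1] == "number":
            current = int(parts[2])
            acls[current] = []
        elif parts and parts[0] == "rule" and current is not None:
            rule_id, action = int(parts[1]), parts[2]
            dest = None
            if "destination" in parts:
                i = parts.index("destination")
                if parts[i + 1] != "any":
                    dest = (int(IPv4Address(parts[i + 1])), _wildcard(parts[i + 2]))
            acls[current].append((rule_id, action, dest))
    return acls


def evaluate(acls, acl_number, dst_ip):
    """First-match evaluation of one destination address.
    Returns (rule_id, action), or None when no rule matches."""
    dst = int(IPv4Address(dst_ip))
    for rule_id, action, dest in acls[acl_number]:
        if dest is None:
            return rule_id, action
        address, wildcard = dest
        keep = ~wildcard & 0xFFFFFFFF          # bits the rule actually compares
        if dst & keep == address & keep:
            return rule_id, action
    return None


def permitted(acls, acl_number, dst_ip):
    """True only when a permit rule matches; no match counts as not permitted."""
    hit = evaluate(acls, acl_number, dst_ip)
    return hit is not None and hit[1] == "permit"


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # Constructed destinations: egress device, service server, another user segment.
    for dst in ("172.16.3.1", "192.168.11.3", "172.16.60.5"):
        print(dst, "employee:", evaluate(acls, 3001, dst), "guest:", evaluate(acls, 3002, dst))
```

Running it shows the intended difference between the two groups: both reach the egress segment, only employees reach the service server 192.168.11.3, and neither reaches other user segments. Re-running it after editing either ACL is a cheap way to confirm that a new permit rule was not added after the final deny, where it would never be hit.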

Step 4 Configure 802.1X authentication for employees on CORE.

# Change the NAC mode to unified.

By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode

# Configure an 802.1X access profile.

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[CORE-authen-profile-p1] authentication event authen-server-up action re-authen
[CORE-authen-profile-p1] quit


# Configure 802.1X authentication for wired access of employees on downlink
interfaces Eth-Trunk 10 and Eth-Trunk 20.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit

# Configure 802.1X authentication for wireless access of employees in VAP profile
vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

Step 5 Configure MAC address-prioritized Portal authentication for guests on CORE.

# Configure Portal server template tem_portal, and set parameters for
interconnection between CORE and the Portal server. The parameters include the
IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. The value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.


[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] authentication event portal-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[CORE-portal-acces-profile-web1] authentication event portal-server-up action re-authen
[CORE-portal-acces-profile-web1] quit

# Configure a MAC access profile.


[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.


[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] authentication event authen-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[CORE-authen-profile-p2] authentication event authen-server-up action re-authen
[CORE-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
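The server-detect command in the Portal server template and the server-down/server-up events in the access and authentication profiles of Step 5 work as one mechanism: detection decides whether the server is Up or Down, and that state decides whether a new user is authorized with the escape service scheme (s2) or authenticated normally, with escaped users re-authenticated once the server is back. The Python model below is an added example and is not code from this document or from Huawei; the class names, the probe abstraction and the session bookkeeping are assumptions made for illustration, while interval 100, max-times 5, the 15-second lower bound and the scheme name s2 are the page's own values.

```python
"""Model of Portal/RADIUS server detection and the escape actions of Step 5:
server-detect interval/max-times, ... server-down action authorize
service-scheme, ... server-up action re-authen.

Added example, not Huawei code. Class names, probe abstraction and session
bookkeeping are assumptions; the parameter values come from the page.
"""

MIN_DETECT_INTERVAL = 15  # seconds; the page states interval must be >= 15


class ServerDetect:
    """Tracks server state like 'server-detect interval N max-times M': one
    probe every `interval` seconds, Down after `max_times` consecutive probes
    go unanswered, Up again on the first answered probe."""

    def __init__(self, interval=100, max_times=5):
        if interval < MIN_DETECT_INTERVAL:
            raise ValueError(f"interval must be >= {MIN_DETECT_INTERVAL} s, got {interval}")
        self.interval = interval
        self.max_times = max_times
        self.failures = 0
        self.state = "up"

    def probe(self, answered):
        """Feed one probe result; return 'down'/'up' on a state change, else None."""
        if answered:
            self.failures = 0
            if self.state == "down":
                self.state = "up"
                return "up"
            return None
        self.failures += 1
        if self.state == "up" and self.failures >= self.max_times:
            self.state = "down"
            return "down"
        return None


class EscapeController:
    """Applies the profile's server-down / server-up actions (assumed model).

    While the server is Down, a new user is authorized with the escape
    service scheme instead of waiting for a server that cannot answer; when
    the server comes back, every escaped user is re-authenticated."""

    def __init__(self, detect, escape_scheme):
        self.detect = detect
        self.escape_scheme = escape_scheme
        self.sessions = {}  # user -> {"scheme": str | None, "escaped": bool}
        self.log = []       # what 'action log' would record

    def user_online(self, user, scheme_from_server=None):
        if self.detect.state == "up":
            # Normal path: the server's accept message carries the scheme.
            self.sessions[user] = {"scheme": scheme_from_server, "escaped": False}
        else:
            self.sessions[user] = {"scheme": self.escape_scheme, "escaped": True}
            self.log.append(f"{user}: server down, authorized with {self.escape_scheme}")
        return self.sessions[user]

    def probe(self, answered):
        """Run one detection probe; return the users that must be re-authenticated."""
        change = self.detect.probe(answered)
        if change == "down":
            self.log.append(f"server down after {self.detect.max_times} lost probes")
        if change != "up":
            return []
        self.log.append("server up, re-authenticating escaped users")
        reauth = [u for u, s in self.sessions.items() if s["escaped"]]
        for u in reauth:
            self.sessions[u] = {"scheme": None, "escaped": False}  # pending re-auth
        return reauth


def simulate():
    """Outage scenario with the page's parameters; returns the controller."""
    ctl = EscapeController(ServerDetect(interval=100, max_times=5), escape_scheme="s2")
    ctl.user_online("guest1", scheme_from_server="s2")  # authenticated normally
    for _ in range(5):                                    # 5 x 100 s without a reply
        ctl.probe(answered=False)
    ctl.user_online("guest4")                             # arrives during the outage
    return ctl
```

Run simulate() and inspect ctl.log: the fifth lost probe marks the server Down, guest4 is granted s2 without a server round trip, and the first answered probe afterwards returns ["guest4"] for re-authentication while guest1, who was authenticated normally, is left alone.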

Step 6 Configure transparent transmission of 802.1X packets on both aggregation and access switches. The following uses access switch ACC1 (S5720-SI) as an example. The configuration of other switches is similar to that of ACC1.

If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
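Step 6 is needed because EAPOL frames are addressed to the reserved bridge address 01-80-C2-00-00-03, which a Layer 2 switch terminates rather than forwards; with the tunnel enabled, the access switch replaces that destination with the configured group MAC on the user-facing port and restores it on the tunnel-enabled uplink, so the frame reaches the authentication point looking like a normal EAPOL frame. The script below shows this on raw frame bytes. It is an added example, not code from this document or from Huawei: the frame builder, the ingress/egress helper names and the sample source MAC are constructed for illustration; the protocol MAC and group MAC are the values configured on the page, and only untagged frames (as on the access ports GE0/0/3 and GE0/0/4) are handled.

```python
"""EAPOL destination-MAC rewrite performed by
'l2protocol-tunnel user-defined-protocol 802.1x', shown on bytes.

Added example, not Huawei code. Helper names and the sample frame are
constructed; the two MAC addresses are the page's configured values.
"""
import struct

ETHERTYPE_EAPOL = 0x888E


def huawei_mac(text):
    """Convert Huawei's xxxx-xxxx-xxxx notation to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


PROTOCOL_MAC = huawei_mac("0180-c200-0003")  # protocol-mac on the page
GROUP_MAC = huawei_mac("0100-0000-0002")     # group-mac on the page


def build_eapol_start(src_mac):
    """Untagged Ethernet frame carrying an EAPOL-Start (version 1, type 1)."""
    header = PROTOCOL_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    eapol = struct.pack("!BBH", 1, 1, 0)  # version, packet type Start, body length 0
    return header + eapol


def is_eapol(frame):
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def tunnel_ingress(frame):
    """User-facing port with tunneling enabled: swap the reserved destination
    for the group MAC so the frame is forwarded like ordinary multicast."""
    if is_eapol(frame) and frame[:6] == PROTOCOL_MAC:
        return GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame):
    """Tunnel-enabled uplink: put the standard destination back so the
    authentication point receives a normal EAPOL frame."""
    if is_eapol(frame) and frame[:6] == GROUP_MAC:
        return PROTOCOL_MAC + frame[6:]
    return frame


def plain_switch_forwards(frame):
    """A bridge without tunneling does not forward frames sent to the reserved
    range 01-80-C2-00-00-00 .. 0F (IEEE 802.1D); everything else is forwarded."""
    dst = frame[:6]
    reserved = dst[:5] == b"\x01\x80\xc2\x00\x00" and dst[5] <= 0x0F
    return not reserved


def path_through_access_switch(frame):
    """ACC1 as configured above: GE0/0/3 (ingress, tunnel enabled) then
    Eth-Trunk 30 (egress, tunnel enabled). Returns (frame inside ACC1, frame on the uplink)."""
    inside = tunnel_ingress(frame)
    return inside, tunnel_egress(inside)


if __name__ == "__main__":
    sample = build_eapol_start(huawei_mac("0011-2233-4455"))  # constructed client MAC
    print("plain switch forwards EAPOL-Start:", plain_switch_forwards(sample))
    inside, uplink = path_through_access_switch(sample)
    print("inside ACC1 dst:", inside[:6].hex(), "forwarded:", plain_switch_forwards(inside))
    print("restored on uplink:", uplink == sample)
```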

Step 7 Configure Agile Controller-Campus.


1. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters.

Table 6-20 Parameter settings on Agile Controller-Campus and CORE

Parameter | Configuration on Agile Controller-Campus | Configuration on CORE
Name | CORE | -
IP address | 192.168.11.254 | IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | radius-server authorization 192.168.11.1 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | accounting realtime 15
Port | 2000 | Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key | Admin@123 | shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.40.0/24 | IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40
Enable heartbeat between access device and Portal server | Selected | Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list can the Portal server periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.
Portal server IP address list | 192.168.11.1 | See the preceding row.


Figure 6-25 Adding a device


2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.

b. Click in the operation area on the left, and create the user group
Employee.


Figure 6-26 Adding a user group

c. Click Add in the operation area on the right, and add an account.


Figure 6-27 Adding an account

d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.


Figure 6-28 Adding an account to a user group

3. Enable MAC address-prioritized Portal authentication.


a. Choose System > Terminal Configuration > Global Parameters >
Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab
page, enable MAC address-prioritized Portal authentication, and set
Validity period of MAC address (min) to 60.


Figure 6-29 Configuring MAC address-prioritized Portal authentication

4. Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.
a. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and configure a post-authentication domain for employees.


Figure 6-30 Adding an authorization result

b. Configure authorization rules for employees and guests according to Table 6-21. The following describes how to configure authorization rules for wired access of employees. The configuration for guests is similar.

Table 6-21 Authorization rules for employees and guests

Name | User Group | Terminal IP Address Range | SSID | Authorization Result
Wired employees authorization rule | Employee | wire | - | Employees_post-authentication_domain
Wireless employees authorization rule | Employee | - | test01 | Employees_post-authentication_domain
Guests authorization rule | Guest | - | test02 | Guests_post-authentication_domain

▪ Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.

Figure 6-31 Adding an IP address range

▪ Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.


Figure 6-32 Adding an authorization rule


----End

Verifying the Deployment

Check Item: Employee authentication
Expected Result:
● An employee can use the 802.1X client on a wired terminal to complete 802.1X authentication.
● The employee can use a mobile terminal to associate with the SSID test01 and complete 802.1X authentication to access the Wi-Fi network.
● After the employee is authenticated, you can run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.

Check Item: Guest authentication
Expected Result:
● A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network. After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.

The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 118293
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 172.16.60.133
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20 //Interface on which the user goes online
User vlan event : Success
QinQVlan/UserVlan : 0/60
User vlan source : user request
User access time : 2019/08/05 03:15:16
User accounting session ID : CORE00220000000060ad****0304e15
User access type : 802.1x //User access type
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization information

AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1
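The output above is what an operator reads by eye; when many sessions have to be verified, the same check can be scripted: parse the key : value lines and compare the fields that carry the authorization decision (domain, authentication and accounting method, effective ACL) with what the plan in this section prescribes. The script below is an added example, not code from this document or from Huawei. SAMPLE_OUTPUT is the page's own output with the masked session ID kept as printed; the expected-value table (employees on 802.1X get ACL 3001, guests ACL 3002, both in huawei.com), the string "portal" assumed for a Portal user's access type, and the function names are this example's assumptions.

```python
"""Parse 'display access-user username <name> detail' output and check that the
session received the authorization the plan calls for.

Added example, not Huawei code. SAMPLE_OUTPUT is the page's own output; the
EXPECTED table and the 'portal' access-type string are assumptions.
"""

# Constructed from the output shown on the page (session ID masked as printed).
SAMPLE_OUTPUT = """\
[CORE] display access-user username user1 detail
Basic:
User ID : 118293
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.60.133
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/60
User vlan source : user request
User access time : 2019/08/05 03:15:16
User accounting session ID : CORE00220000000060ad****0304e15
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1
"""

# Plan in this section: profile p1 (802.1X, employees) ends in service-scheme
# s1 / ACL 3001, profile p2 (Portal, guests) in s2 / ACL 3002, both in
# huawei.com. The "portal" access-type string is an assumption.
EXPECTED = {
    "802.1x": {"Domain-name": "huawei.com", "Current authentication method": "RADIUS",
               "Current accounting method": "RADIUS", "Dynamic ACL ID(Effective)": "3001"},
    "portal": {"Domain-name": "huawei.com", "Current authentication method": "RADIUS",
               "Current accounting method": "RADIUS", "Dynamic ACL ID(Effective)": "3002"},
}


def parse_access_user(text):
    """Return {field: value} for every 'key : value' line; the prompt line,
    section headers ('Basic:', 'AAA:'), the separator and the Total line are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "-", "Total")) or line.endswith(":"):
            continue
        key, sep, value = line.partition(":")  # split at the first colon only,
        if sep:                                # so IPv6 values stay intact
            fields[key.strip()] = value.strip()
    return fields


def check_session(fields, expected=EXPECTED):
    """Return a list of findings; an empty list means the session matches the plan.
    A missing 'Dynamic ACL ID(Effective)' or the wrong ACL means the user is online
    with rights other than the planned post-authentication domain."""
    access_type = fields.get("User access type", "").lower()
    plan = expected.get(access_type)
    if plan is None:
        return [f"unexpected access type {access_type!r}"]
    findings = []
    for key, want in plan.items():
        got = fields.get(key)
        if got != want:
            findings.append(f"{key}: got {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    session = parse_access_user(SAMPLE_OUTPUT)
    print(session["User name"], "on", session["User access Interface"], "->",
          check_session(session) or "matches plan")
```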

Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.

Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/
6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication-profile p1
#
interface GigabitEthernet1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/0/2
eth-trunk 20
#
interface GigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface GigabitEthernet2/1/0/1
eth-trunk 20
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
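The post-authentication domains in the CORE configuration file above are two ACLs bound through service-scheme s1 (ACL 3001, employees) and s2 (ACL 3002, guests): each rule carries a destination base address and a wildcard mask in which 0 bits must match and 1 bits are ignored, a wildcard written as 0 means the single host, and the first matching rule wins. The script below parses those ACLs and answers "can a user in scheme X reach destination Y" for the addresses the section uses. It is an added example, not code from this document or from Huawei: the ACL text is copied from the configuration file, while the parser, the helper names and the assumption that a destination matching no rule is permitted (the reason each ACL ends with an explicit deny ip rule) are this example's own.

```python
"""Evaluate the post-authentication ACLs of the CORE configuration file.

Added example, not Huawei code. ACL_CONFIG is copied from the configuration
file; the parser, helper names and the default-permit assumption for a
destination that matches no rule are this example's own.
"""
import ipaddress
import re

ACL_CONFIG = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip
"""

# service-scheme -> acl-id, as under 'aaa' in the configuration file
SERVICE_SCHEMES = {"s1": 3001, "s2": 3002}

_ACL = re.compile(r"^acl number (\d+)$")
_RULE = re.compile(r"^rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: 0 bits must match, 1 bits are don't-care.
    A wildcard written as '0' means exactly the host `base`."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acls(text):
    """Return {acl_id: [(rule_no, action, dst_base, dst_wildcard), ...]}.
    A rule without a destination has base and wildcard None."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _ACL.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = _RULE.match(line)
        if m and current is not None:
            no, action, base, wc = m.groups()
            acls[current].append((int(no), action, base, wc))
    return acls


def evaluate(acls, acl_id, dst_ip):
    """First matching rule (by rule number) wins; a rule with no destination
    matches everything. Assumption: no match at all -> 'permit'."""
    for _no, action, base, wc in sorted(acls[acl_id], key=lambda r: r[0]):
        if base is None or wildcard_match(dst_ip, base, wc):
            return action
    return "permit"


def reachable(scheme, dst_ip, acls=None):
    """True if a user authorized with `scheme` may send to `dst_ip`."""
    if acls is None:
        acls = parse_acls(ACL_CONFIG)
    return evaluate(acls, SERVICE_SCHEMES[scheme], dst_ip) == "permit"


def access_matrix(destinations=("172.16.3.1", "192.168.11.3", "192.168.11.2", "172.16.60.5")):
    """Scheme x destination table for the addresses used in this section:
    egress 172.16.3.1, service server 192.168.11.3, DNS 192.168.11.2, a wired employee host."""
    acls = parse_acls(ACL_CONFIG)
    return {s: {d: reachable(s, d, acls) for d in destinations} for s in SERVICE_SCHEMES}


if __name__ == "__main__":
    for scheme, row in access_matrix().items():
        print(scheme, {d: ("permit" if ok else "deny") for d, ok in row.items()})
```

The matrix makes the design visible: both schemes reach the Internet segment, only s1 reaches the service server, and neither reaches user segments or the DNS server through the ACL (DNS is covered separately by the free-rule-template, which applies before authentication).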

● AGG1 configuration file


#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

● AGG2 configuration file


#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

● ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

● ACC2 configuration file


#
sysname ACC2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

6.5 Native AC + Policy Association Solution: Aggregation Switches Function as the Authentication Points for Wired and Wireless Users

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. Aggregation switches set up stacks to implement device-level backup and
increase the interface density and forwarding bandwidth. In addition, aggregation
switches are configured with the native AC function to manage APs and transmit
wireless service traffic on the entire network, implementing wired and wireless
convergence.
In this example, aggregation switches function as the gateways and
authentication points for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Policy association is deployed between aggregation switches and access
switches. The aggregation switches function as control devices to centrally
authenticate users and manage user access policies, and access devices only
need to execute user access policies. This function not only controls network
access rights of users, but also simplifies the configuration and management
of access devices.


Figure 6-33 Aggregation switches functioning as authentication points for wired and wireless users

[Figure: topology diagram. Server zone (authentication server, DNS server, service server, special server) attached to the core-layer CSS CORE on XGE1/2/0/1; CORE uplink Eth-Trunk 30 (XGE1/1/0/3, XGE2/1/0/3); CORE Eth-Trunk 10 to AGG1 and Eth-Trunk 20 to AGG2 using XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1 and XGE2/1/0/2; aggregation layer AGG1 and AGG2 (XGE0/0/1, XGE1/0/1 uplinks; GE0/0/3, GE1/0/3 downlinks); AGG1 Eth-Trunk 30 to ACC1 and AGG2 Eth-Trunk 40 to ACC2 (access-layer uplinks GE0/0/1, GE0/0/2); PC1 and AP1 on ACC1 GE0/0/3 and GE0/0/4, PC2 and AP2 on ACC2 GE0/0/3 and GE0/0/4. Legend: the aggregation switches are the authentication points, the access switches are the access points.]

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Authentication server | Agile Controller-Campus running V100R001, V100R002, or V100R003 | Agile Controller-Campus | V100R003C60SPC206
Core layer | - | S12700E | V200R019C10
Aggregation layer | Modular switches equipped with X series cards or Layer 3 fixed switches that support native AC function | S5731-H |
Access layer | - | S5735-L |
AP | - | AP6050DN | V200R019C00


Deployment Roadmap

Configure switches:
1. Enable campus network connectivity. (Devices involved: all switches)
2. Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains, as well as configuring parameters for interconnection between switches and the RADIUS server. (Devices involved: aggregation switches AGG1 and AGG2)
3. Configure policy association. (Devices involved: aggregation switches AGG1 and AGG2 and access switches ACC1 and ACC2)
4. Configure resources accessible to users before they are authenticated (referred to as authentication-free resources), post-authentication domains, and escape function, so that users have corresponding network access rights in different authentication phases. (Devices involved: aggregation switches AGG1 and AGG2 and access switches ACC1 and ACC2)
5. Configure 802.1X authentication for employees. (Devices involved: aggregation switches AGG1 and AGG2 and access switches ACC1 and ACC2)
6. Configure MAC address-prioritized Portal authentication for guests. (Devices involved: aggregation switches AGG1 and AGG2)
7. Configure Layer 2 transparent transmission for 802.1X authentication packets. (Devices involved: access switches ACC1 and ACC2)

Configure Agile Controller-Campus (devices involved: -):
8. Add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters.
9. Add user groups and user accounts.
10. Enable MAC address-prioritized Portal authentication.
11. Configure network access rights for successfully authenticated employees and guests.


Data Plan

Table 6-22 Service data plan for core switches

Item | VLAN ID | Network Segment
Network segment for connecting to the Internet | - | 172.16.3.0/24
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24

Table 6-23 Service data plan for aggregation switches

Device | Item | VLAN ID | Network Segment
AGG1 | Management VLAN for access devices and APs | VLAN 20 | 192.168.20.0/24
AGG1 | Service VLANs for wireless users | VLAN 30 (employee) | 172.16.30.0/24
AGG1 | Service VLANs for wireless users | VLAN 31 (guest) | 172.16.31.0/24
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG2 | Management VLAN for access devices and APs | VLAN 21 | 192.168.21.0/24
AGG2 | Service VLANs for wireless users | VLAN 40 (employee) | 172.16.40.0/24
AGG2 | Service VLANs for wireless users | VLAN 41 (guest) | 172.16.41.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24

Table 6-24 Wireless service data plan for aggregation switches

Item | Employee | Guest
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. (same for both)
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 | ssid2
AP groups | ap-group1 (AGG1) and ap-group2 (AGG2) (same for both)
Regulatory domain profiles | domain1 (AGG1) and domain2 (AGG2) (same for both)
Service data forwarding mode | Tunnel forwarding (same for both)
Service VLANs | VLAN 30 and VLAN 40 | VLAN 31 and VLAN 41
VAP profiles | vap1 | vap2

Table 6-25 Authentication service data plan for aggregation switches

AAA schemes:
● auth: authentication scheme for RADIUS authentication
● acco: accounting scheme for RADIUS accounting

RADIUS server:
● RADIUS server template name: tem_rad
● IP addresses of the authentication, accounting, and authorization servers: 192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Accounting interval: 15 minutes

Portal server:
● Portal server template name: tem_portal
● IP address of the Portal server: 192.168.100.10
● Port number: 50200
● Shared key of the Portal server: Admin@123
● Portal server detection: enabled

802.1X access profile:
● Name: d1
● Authentication mode: EAP

Portal access profile: Name: web1

MAC access profile: Name: mac1

Authentication-free resources: DNS server: 192.168.100.2

Post-authentication domains:
● Employees: service server, Internet, and network segments of employees
● Guests: Internet and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.

Escape function: Same network access rights as those in post-authentication domains

Table 6-26 Policy association data plan

Control points:
● Eth-Trunk 30 on AGG1
● Eth-Trunk 40 on AGG2

Access points:
● GE0/0/3 on ACC1
● GE0/0/3 on ACC2

Table 6-27 Service data plan for Agile Controller-Campus

User accounts (user name/password):
● Employees: user1/Huawei@123, user2/Huawei@456
● Guest: guest4/Guest@123

IP addresses of aggregation switches:
● AGG1: 172.16.70.2
● AGG2: 172.16.80.2

RADIUS authentication parameters:
● Device series: Huawei S series switches
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Real-time accounting interval: 15 minutes

Portal authentication parameters:
● Portal key: Admin@123
● IP address list of access terminals (AGG1): 172.16.30.0/24, 172.16.31.0/24
● IP address list of access terminals (AGG2): 172.16.40.0/24, 172.16.41.0/24

Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

Step 2 Configure AAA parameters.

# Configure the RADIUS server template tem_rad, and configure the parameters
for interconnection between aggregation switches and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting key
of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.
[AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme, set
the authentication and accounting modes to RADIUS, and set the accounting
interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
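The first deployment precaution says that the RADIUS keys on Agile Controller-Campus and on the switch must be identical, and Step 2 configures that key as radius-server shared-key. The following is an added example, not code from this document or from Huawei, showing in plain Python why the requirement exists: per RFC 2865 and RFC 3579 the shared secret keys the Response Authenticator that the switch checks on every Access-Accept/Reject, and the Message-Authenticator the server checks on every 802.1X Access-Request. The key values, user name and identifier below are illustrative; only Admin@123 is taken from the page, and the Request Authenticator is generated at random as a real client would.

```python
"""Added example (not Huawei code): minimal RFC 2865/3579 RADIUS packet handling
to show how a shared-key mismatch between switch and server breaks authentication.
All values are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS Type-Length-Value; Length counts the two header octets as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(...)."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier: int, username: str, request_auth: bytes, secret: bytes) -> bytes:
    """Access-Request with User-Name and Message-Authenticator (RFC 3579 s3.2): HMAC-MD5
    keyed with the shared secret over the whole packet with attribute 80 zeroed.
    EAP-based 802.1X requests must carry this attribute."""
    attrs = attribute(ATTR_USER_NAME, username.encode())
    zeroed = build_packet(ACCESS_REQUEST, identifier, request_auth,
                          attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, identifier, request_auth,
                        attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate attribute 80, zero it, recompute with the server's key.
    With a different key the server silently discards the request."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False


def response_authenticator(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side (switch) check of every reply: recompute the Response Authenticator
    with the switch's own key and compare in constant time.  A key mismatch makes every
    Accept fail this check, so the user is never authorized."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def simulate_round_trip(switch_key: bytes, server_key: bytes) -> bool:
    """Switch sends an Access-Request, server validates it and answers Access-Accept,
    switch validates the reply.  Returns True only if the user would be authorized."""
    request_auth = os.urandom(16)          # fresh random nonce per request
    request = build_access_request(7, "user1", request_auth, switch_key)
    if not verify_message_authenticator(request, server_key):
        return False
    reply = build_response(ACCESS_ACCEPT, 7, request[4:20], b"", server_key)
    return verify_response(reply, request_auth, switch_key)


if __name__ == "__main__":
    print("matching keys  ->", simulate_round_trip(b"Admin@123", b"Admin@123"))
    print("mismatched key ->", simulate_round_trip(b"Admin@123", b"Admin@124"))
```

On the switch a mismatch does not show up as a "wrong key" error; the reply simply fails verification and is dropped, so users stay in Pre-authen state and the server may eventually be judged unreachable. That is why Table 6-28 pairs each key field on Agile Controller-Campus with the exact command that sets it on AGG1.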

Step 3 Configure policy association.

# Configure Eth-Trunk 30 on the control device AGG1 as a control point.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication control-point
[AGG1-Eth-Trunk30] quit

# Enable access devices to establish CAPWAP tunnels with the control device
without authentication.
[AGG1] as-auth
[AGG1-as-auth] auth-mode none
Warning: None authentication is configured, which has security risks. Continue? [Y/N]:y
[AGG1-as-auth] quit

# Configure the source interface used by the control device to establish a CAPWAP
tunnel.
[AGG1] capwap source interface vlanif 20

# Configure GE0/0/3 on the access device ACC1 as an access point.
<ACC1> system-view
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication access-point
[ACC1-GigabitEthernet0/0/3] quit

# Configure the source interface used by the access device to establish a CAPWAP
tunnel, and specify the IP address of the control device.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on AGG1

Step 4 Configure authentication-free resources, post-authentication domains, and the
escape function.

# On the control device, configure authentication-free resources to allow packets
destined for the DNS server and packets in the management VLAN for policy
association to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20
[AGG1-free-rule-default_free_rule] quit

# Configure authentication-free resources on the access device so that it can send
all user packets to the control devices for processing.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 1 destination any source any
[ACC1-free-rule-default_free_rule] quit

# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to
control the network access rights of employees and guests, respectively.

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the
Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the
DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the
service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to
communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to
communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to
communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to
communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
[AGG1] acl 3002
[AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the
Internet after being authenticated.
[AGG1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the
DNS server after being authenticated.
[AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate
with each other.
[AGG1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate
with each other.
[AGG1-acl-adv-3002] rule 5 deny ip destination any
[AGG1-acl-adv-3002] quit

# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme
s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme
s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
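Step 4 defines two layers of policy: the free rules that apply to every user before authentication, and the ACLs 3001 and 3002 that are attached to a user after a Success result (or, through service schemes s1 and s2, when the authentication server is down). The following is an added example, not configuration or code from this document or from Huawei: a plain-Python model of that policy, transcribed from the rules above, that evaluates the same destinations the Verifying the Deployment section pings later. The ACL evaluation is first match in ascending rule-ID order; the page's own addresses, VLANs and rule numbers are used, and the function and variable names are this example's.

```python
"""Added example (not Huawei code): a plain-Python model of the access policy
configured in Step 4.  It re-implements first-match ACL evaluation for ACL 3001
(employees) and ACL 3002 (guests) and the control-device free rules, so the
Expected Results can be checked offline against the destinations that the
verification steps ping.  IP addresses and rule numbers are the page's own."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACL rules give 'address wildcard'; wildcard bits set to 1 are ignored,
    so 0.0.0.255 means /24 and 0.0.0.0 means a single host (/32).
    Only contiguous wildcards are handled, which is all this example uses."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return ipaddress.IPv4Network((address, 32 - bits.bit_length()), strict=False)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    destination: ipaddress.IPv4Network   # ANY for "destination any"


def permit(rule_id: int, address: str, wildcard: str) -> Rule:
    return Rule(rule_id, "permit", wildcard_to_network(address, wildcard))


# Transcribed from the acl 3001 / acl 3002 views in Step 4.
ACL_3001 = [
    permit(1, "172.16.3.0", "0.0.0.255"),    # Internet
    permit(2, "192.168.100.2", "0.0.0.0"),   # DNS server
    permit(3, "192.168.100.3", "0.0.0.0"),   # service server
    permit(4, "172.16.30.0", "0.0.0.255"),   # employee segments
    permit(5, "172.16.40.0", "0.0.0.255"),
    permit(6, "172.16.50.0", "0.0.0.255"),
    permit(7, "172.16.60.0", "0.0.0.255"),
    Rule(8, "deny", ANY),
]
ACL_3002 = [
    permit(1, "172.16.3.0", "0.0.0.255"),    # Internet
    permit(2, "192.168.100.2", "0.0.0.0"),   # DNS server
    permit(3, "172.16.31.0", "0.0.0.255"),   # guest segments
    permit(4, "172.16.41.0", "0.0.0.255"),
    Rule(5, "deny", ANY),
]
ACL_BY_ID = {3001: ACL_3001, 3002: ACL_3002}

# default_free_rule on the control device: DNS server host and management VLAN 20.
FREE_RULE_DNS = ipaddress.IPv4Network("192.168.100.2/32")
FREE_RULE_VLAN = 20


def evaluate_acl(acl, dst_ip: str) -> str:
    """First match wins, in ascending rule-ID order.  Returns 'permit', 'deny' or
    'no-match'.  Both ACLs on the page end with an explicit 'deny ip destination any',
    so the outcome never depends on the device default for unmatched traffic."""
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if dst in rule.destination:
            return rule.action
    return "no-match"


def pre_auth_allowed(dst_ip: str, src_vlan: int) -> bool:
    """A user in Pre-authen state (not yet authenticated, or failed) may reach only
    authentication-free resources: the DNS server, or anything sourced in VLAN 20."""
    return ipaddress.IPv4Address(dst_ip) in FREE_RULE_DNS or src_vlan == FREE_RULE_VLAN


def post_auth_allowed(dynamic_acl_id: int, dst_ip: str) -> bool:
    """After a Success result the authorization (RADIUS, or service scheme s1/s2 when
    the server is down) attaches ACL 3001 or 3002 to the user."""
    return evaluate_acl(ACL_BY_ID[dynamic_acl_id], dst_ip) == "permit"


if __name__ == "__main__":
    # PC1: wired employee user1 in VLAN 50, as in 'Verifying the Deployment'.
    for dst in ("192.168.100.2", "172.16.3.1"):
        state = "reachable" if pre_auth_allowed(dst, 50) else "blocked"
        print(f"Pre-authen -> {dst}: {state}")
    for dst in ("192.168.100.2", "172.16.3.1", "192.168.100.100",
                "172.16.30.81", "172.16.31.153"):
        print(f"ACL 3001   -> {dst}: {evaluate_acl(ACL_3001, dst)}")
```

Running the model reproduces Expected Results 2, 4 and 5: before authentication only the DNS server answers, after authentication the egress 172.16.3.1 and the wireless employee 172.16.30.81 are permitted, and both 192.168.100.100 and the guest 172.16.31.153 fall through to rule 8. The same transcription also makes the note about APs concrete: any wireless segment missing from these permit rules is dropped at the AP even after a Success result.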

Step 5 Configure 802.1X authentication for employees.

# Configure an 802.1X access profile on the control device. By default, an 802.1X
access profile uses EAP authentication. Ensure that the RADIUS server supports
EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees on the control device.
[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] free-rule-template default_free_rule
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[AGG1-authen-profile-p1] authentication event authen-server-down action authorize service-scheme
s1 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[AGG1-authen-profile-p1] authentication event authen-server-up action re-authen //Configure the
switch to re-authenticate employees after the authentication server recovers.
[AGG1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on the downlink
interface Eth-Trunk 30 of the control device.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication-profile p1
[AGG1-Eth-Trunk30] quit

# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.

User Role | Wireless User Authentication Mode | Security Policy | Remarks
--------------------------------------------------------------------------------
Employee | 802.1X authentication | WPA/WPA2-802.1X authentication | In this example, WPA2 authentication is used.
Guest | MAC address-prioritized Portal authentication | Open system authentication | The default security policy is open system authentication. Therefore, you do not need to configure a security policy for guests.

[AGG1] wlan
[AGG1-wlan] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees in VAP profile
vap1.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] quit

# Configure an 802.1X access profile on the access device.
[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees on the access device.
[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on the downlink
interface GE0/0/3 of the access device.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
[ACC1-GigabitEthernet0/0/3] quit

Step 6 Configure MAC address-prioritized Portal authentication for guests.

# Configure Portal server template tem_portal, and set parameters for
interconnection between aggregation switches and the Portal server. The
parameters include the IP address, port number, and shared key of the Portal
server, as well as the URL of the Portal page.
[AGG1] web-auth-server tem_portal
[AGG1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG1-web-auth-server-tem_portal] port 50200
[AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //
Enable the Portal server detection function so that you can learn the Portal server status in real time and
users can still access the network even if the Portal server is faulty. Note that the value of interval must be
greater than or equal to 15, in seconds; the recommended value is 100.
[AGG1-web-auth-server-tem_portal] quit

# Configure a Portal access profile.
[AGG1] portal-access-profile name web1
[AGG1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG1-portal-acces-profile-web1] authentication event portal-server-down action authorize service-
scheme s2 //Enable the switch to grant network access rights to users if the Portal server is faulty.
[AGG1-portal-acces-profile-web1] authentication event portal-server-up action re-authen //Configure
the switch to re-authenticate guests after the Portal server recovers.
[AGG1-portal-acces-profile-web1] quit

# Configure a MAC access profile.
[AGG1] mac-access-profile name mac1
[AGG1-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.
[AGG1] authentication-profile name p2
[AGG1-authen-profile-p2] portal-access-profile web1
[AGG1-authen-profile-p2] mac-access-profile mac1
[AGG1-authen-profile-p2] free-rule-template default_free_rule
[AGG1-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[AGG1-authen-profile-p2] authentication event authen-server-down action authorize service-scheme
s2 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[AGG1-authen-profile-p2] authentication event authen-server-up action re-authen //Configure the
switch to re-authenticate guests after the authentication server recovers.
[AGG1-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests in the VAP
profile vap2.
[AGG1] wlan
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-vap-prof-vap2] quit
[AGG1-wlan-view] quit

Step 7 Configure Layer 2 transparent transmission for 802.1X authentication packets on
the access device. This function needs to be configured on all interfaces through
which 802.1X authentication packets pass. If a switch does not support the bpdu
enable command, you only need to run the l2protocol-tunnel user-defined-protocol
802.1x enable command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
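Step 7 works because EAPOL frames are addressed to 0180-c200-0003, the IEEE 802.1X PAE group address, which lies in the reserved range that a standards-compliant Layer 2 switch does not forward; the l2protocol-tunnel command makes ACC1 swap that destination for the configured group MAC 0100-0000-0002 on the interface where the frame enters, forward it as ordinary multicast, and restore the original address on tunnel-enabled interfaces the frame leaves through. The following is an added example, not code from this document or from Huawei, that models that rewrite in Python on constructed frames, including the two failure modes a deployment meets when the command is missing on one side. The EAPOL-Start frame, client MAC and function names are this example's own; the two MAC addresses are those from the command above.

```python
"""Added example (not Huawei code): Layer 2 transparent transmission of 802.1X
(EAPOL) frames as configured in Step 7, modelled on constructed Ethernet frames."""
import struct
from dataclasses import dataclass
from typing import Optional

PROTOCOL_MAC = bytes.fromhex("0180c2000003")   # protocol-mac 0180-c200-0003 (802.1X PAE group address)
GROUP_MAC = bytes.fromhex("010000000002")      # group-mac 0100-0000-0002 from Step 7
ETHERTYPE_EAPOL = 0x888E


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Frame":
        if len(raw) < 14:
            raise ValueError("truncated Ethernet header")
        dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
        return cls(dst, src, ethertype, raw[14:])

    def to_bytes(self) -> bytes:
        return struct.pack("!6s6sH", self.dst, self.src, self.ethertype) + self.payload

    def with_dst(self, dst: bytes) -> "Frame":
        return Frame(dst, self.src, self.ethertype, self.payload)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return Frame(dst, src, ethertype, payload).to_bytes()


def build_eapol_start(src_mac: bytes) -> bytes:
    """Constructed EAPOL-Start: protocol version 2, packet type 1, body length 0."""
    return build_frame(PROTOCOL_MAC, src_mac, ETHERTYPE_EAPOL, struct.pack("!BBH", 2, 1, 0))


def tunnel_ingress(frame: Frame, tunnel_enabled: bool) -> Optional[Frame]:
    """Interface where the frame enters the Layer 2 switch (GE0/0/3 or GE0/0/4 in Step 7).
    Returns None when the bridge would drop the frame."""
    if frame.ethertype != ETHERTYPE_EAPOL or frame.dst != PROTOCOL_MAC:
        return frame                     # not an 802.1X frame: ordinary bridging
    if not tunnel_enabled:
        return None                      # reserved 01-80-C2 group address is not forwarded
    return frame.with_dst(GROUP_MAC)     # rewritten to a forwardable multicast MAC


def tunnel_egress(frame: Frame, tunnel_enabled: bool) -> Frame:
    """Interface where the frame leaves toward the 802.1X-enabled switch (Eth-Trunk 30).
    Without tunneling here the frame leaves with the group MAC and AGG1 ignores it."""
    if tunnel_enabled and frame.ethertype == ETHERTYPE_EAPOL and frame.dst == GROUP_MAC:
        return frame.with_dst(PROTOCOL_MAC)
    return frame


def transit(raw: bytes, ingress_tunnel: bool = True, egress_tunnel: bool = True) -> Optional[bytes]:
    """One frame crossing ACC1 from a user-facing port to the uplink."""
    frame = tunnel_ingress(Frame.parse(raw), ingress_tunnel)
    if frame is None:
        return None
    return tunnel_egress(frame, egress_tunnel).to_bytes()


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")          # constructed client MAC
    start = build_eapol_start(client)
    print("both sides tunneled :", transit(start) == start)
    print("ingress not tunneled:", transit(start, ingress_tunnel=False))
    print("egress not tunneled :", Frame.parse(transit(start, egress_tunnel=False)).dst.hex())
```

The model makes the precaution in Deployment Precautions concrete: if the tunnel is missing on the user-facing port the EAPOL-Start is dropped at ACC1, and if it is missing on the uplink the frame reaches AGG1 with the group MAC and is not recognised as 802.1X; in both cases the user stays in Pre-authen state with no error on AGG1.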

Step 8 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-28, and click OK.

Table 6-28 Parameter settings on Agile Controller-Campus and AGG1

Parameter on Agile Controller-Campus | Configuration on Agile Controller-Campus | Configuration on AGG1
----------------------------------------------------------------------------------------------------------
Name | AGG1 | -
IP address | 172.16.70.2 | IP address of VLANIF 70, which is used by AGG1 to communicate with Agile Controller-Campus
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain) | Selected | -
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | [AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | [AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | [AGG1-aaa-accounting-acco] accounting realtime 15
Enable Portal (mandatory for Portal authentication) | Selected | -
Portal protocol type | HUAWEI portal protocol | -
Portal key | Admin@123 | [AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.31.0/24 | List of IP addresses used by employees and guests for accessing the network in wireless mode
Enable heartbeat between access device and Portal server | Selected | Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list, the Portal server can periodically send heartbeat packets to AGG1, based on which AGG1 determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on AGG1.
Portal server IP address list | 192.168.100.10 | See the row above.

Step 9 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.

# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 412


6 Wired and Wireless User Access Authentication
Campus Networks Typical Configuration Examples Deployment

Step 10 Enable MAC address-prioritized Portal authentication.

# Choose System > Terminal Configuration > Global Parameters > Access
Management. On the Configure MAC Address-Prioritized Portal
Authentication tab page, enable MAC address-prioritized Portal authentication,
set Validity period of MAC address (min) to 60, and click OK.

Step 11 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-29, and click OK. Here, the employee
authorization result is used as an example.

Table 6-29 Authorization results for employees and guests

Name | Authorization Parameter: ACL Number/AAA User Group
--------------------------------------------------------------
Employee authorization result | 3001
Guest authorization result | 3002

# Configure authorization rules. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Rule, click Add, set parameters
according to Table 6-30, and click OK. Here, the employee authorization rule is
used as an example.

Table 6-30 Authorization rules for employees and guests

Name | Authorization Condition: User Group | Authorization Result
--------------------------------------------------------------------
Employee authorization rule | Employee | Employee authorization result
Guest authorization rule | Guest | Guest authorization result

----End

Expected Results
1. Access devices can go online on the control device.

2. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
3. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
4. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
5. The employees can communicate with each other, but cannot communicate
with the guest.

When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.

Verifying the Deployment

1. Verify that access devices can go online on the control device.
# Run the display as all command on the control device. The command
output shows that the access device is online.
[AGG1] display as all
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5735-L 000b-099d-eb3b 192.168.20.220 normal acc1
--------------------------------------------------------------------------------

2. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on AGG1 to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC              Status
------------------------------------------------------------------------------------------------------
49208    user1      172.16.50.172    001b-21c4-820f   Pre-authen
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252

Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.3.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
3. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC              Status
------------------------------------------------------------------------------------------------------
49208    user1      172.16.50.172    001b-21c4-820f   Success
49212    user2      172.16.30.81     38ca-da5e-441a   Success
49216    guest4     172.16.31.153    64b0-a6a3-f913   Success
------------------------------------------------------------------------------------------------------
Total: 3, printed: 3
# Run the display access-user username user1 detail command on AGG1 to
view the authentication, authorization, and access location (GE0/0/3 on
ACC1) information of user1.
[AGG1] display access-user username user1 detail

Basic:
User ID : 49208
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/03 17:16:16
User accounting session ID : LSW5-AG0001800000005061****0300038
User access type : 802.1x
AS ID : 0
AS name : acc1
AS IP : 192.168.20.220
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/3
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
Dynamic service scheme : -

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1

# Run the display access-user username user2 detail command on AGG1 to
view the authentication, authorization, and access location (AP area_1)
information of user2.
[AGG1] display access-user username user2 detail

Basic:
User ID : 49212
User name : user2
Domain-name : huawei.com
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.81
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss2177
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/09/03 17:16:38
User accounting session ID : LSW5-AG000180000000308a****030003e
User access type : 802.1x
AP name : area_1
Radio ID : 0
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 251(s)
Dynamic ACL ID(Effective) : 3001
Dynamic service scheme : -
Service Scheme Priority : 0

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
# Run the display access-user username guest4 detail command on AGG1
to view the authentication, authorization, and access location (AP area_1)
information of guest4.
[AGG1] display access-user username guest4 detail

Basic:
User ID : 49216
User name : guest4
Domain-name : huawei.com
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.153
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss2180
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/09/03 17:37:22
User accounting session ID : LSW5-AG0001800000003172****0300040
User access type : WEB
AP name : area_1
Radio ID : 1
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 1148(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
Dynamic service scheme : -
Service Scheme Priority : 0

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
4. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.

# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252

Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 172.16.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource denied in the post-authentication domain, for
example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 192.168.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

5. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81

Pinging 172.16.30.81 with 32 bytes of data:
Reply from 172.16.30.81: bytes=32 time=106ms TTL=63
Reply from 172.16.30.81: bytes=32 time=93ms TTL=63
Reply from 172.16.30.81: bytes=32 time=102ms TTL=63
Reply from 172.16.30.81: bytes=32 time=27ms TTL=63

Ping statistics for 172.16.30.81:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 106ms, Average = 82ms

C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153

Pinging 172.16.31.153 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.31.153:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1

eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#QM@-!k^FcW*pZR2\4y93zY`;XY`TG356P_:6g7*O%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#S"vi.B|D80}JJgD*N%h&6+AUO7X-T/l0V$;|PU$A%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
web-auth-server tem_portal
server-ip 192.168.100.10

port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication control-point

authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
as-auth

auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#fax3=MV"r//"O"5FMI;5&H_R7f2k$Tfj6[1Xa0$5%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#3xW1/X3Dv=QAh^+{A2SA<g5cJ#]\5B:|Jl)|;GB2%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 21
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct

#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40

#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# ACC1 configuration file

#
sysname ACC1
#
vlan batch 20 50
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
free-rule 1 destination any source any
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return

# ACC2 configuration file
#
sysname ACC2
#
vlan batch 21 60
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 21
as access controller ip-address 192.168.21.1
#
free-rule-template name default_free_rule
free-rule 1 destination any source any
#
interface Vlanif21

ip address dhcp-alloc
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return

6.6 Native AC + NAC Solution: Aggregation Switches Function as the Authentication Points for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. Aggregation switches set up stacks to implement device-level backup and
increase the interface density and forwarding bandwidth. In addition, aggregation
switches are configured with the native AC function to manage APs and transmit
wireless service traffic on the entire network, implementing wired and wireless
convergence.
In this example, aggregation switches function as the gateways and
authentication points for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.

● Agile Controller-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access switches to control Layer 2
traffic of users.

Figure 6-34 Aggregation switches functioning as authentication points for wired and wireless users

(Topology diagram: server zone with the authentication server, DNS server, service server, and special server attached to CORE, a CSS at the core layer, which also connects to the Internet over Eth-Trunk 30; AGG1 and AGG2 at the aggregation layer, connected to CORE over Eth-Trunk 10 and Eth-Trunk 20; ACC1 and ACC2 at the access layer, connected to AGG1 and AGG2 over Eth-Trunk 30 and Eth-Trunk 40; PC1 and AP1 below ACC1, PC2 and AP2 below ACC2. The aggregation switches are the authentication points and the access switches are the access points.)

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Authentication server | Agile Controller-Campus running V100R001, V100R002, or V100R003 | Agile Controller-Campus | V100R003C60SPC206
Core layer | - | S12700E | V200R019C10
Aggregation layer | Modular switches equipped with X series cards or Layer 3 fixed switches that support native AC function | S5731-H |
Access layer | - | S5735-L |
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
Configure switches. | 1. Enable campus network connectivity. | All switches
| 2. Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains, as well as configuring parameters for interconnection between switches and the RADIUS server. | Aggregation switches (AGG1 and AGG2)
| 3. Configure resources accessible to users before they are authenticated (referred to as authentication-free resources), post-authentication domains, and escape function, so that users have corresponding network access rights in different authentication phases. | Aggregation switches (AGG1 and AGG2)
| 4. Configure 802.1X authentication for employees. | Aggregation switches (AGG1 and AGG2)
| 5. Configure MAC address-prioritized Portal authentication for guests. | Aggregation switches (AGG1 and AGG2)
| 6. Configure Layer 2 transparent transmission for 802.1X authentication packets. | Access switches (ACC1 and ACC2)
Configure Agile Controller-Campus. | 7. Add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters. | -
| 8. Add user groups and user accounts. | -
| 9. Enable MAC address-prioritized Portal authentication. | -
| 10. Configure network access rights for successfully authenticated employees and guests. | -

Data Plan

Table 6-31 Service data plan for core switches

Item | VLAN ID | Network Segment
Network segment for connecting to the Internet | - | 172.16.3.0/24
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24

Table 6-32 Service data plan for aggregation switches

Device | Item | VLAN ID | Network Segment
AGG1 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
AGG1 | Service VLANs for wireless users | VLAN 30 (employee) | 172.16.30.0/24
AGG1 | Service VLANs for wireless users | VLAN 31 (guest) | 172.16.31.0/24
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG2 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
AGG2 | Service VLANs for wireless users | VLAN 40 (employee) | 172.16.40.0/24
AGG2 | Service VLANs for wireless users | VLAN 41 (guest) | 172.16.41.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24

Table 6-33 Wireless service data plan for aggregation switches

Item | Employee | Guest
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. | Same as employee
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 | ssid2
AP groups | ap-group1 (AGG1) and ap-group2 (AGG2) | Same as employee
Regulatory domain profiles | domain1 (AGG1) and domain2 (AGG2) | Same as employee
Service data forwarding mode | Tunnel forwarding | Same as employee
Service VLANs | VLAN 30 and VLAN 40 | VLAN 31 and VLAN 41
VAP profiles | vap1 | vap2

Table 6-34 Authentication service data plan for aggregation switches

AAA schemes:
● auth: authentication scheme for RADIUS authentication
● acco: accounting scheme for RADIUS accounting

RADIUS server:
● RADIUS server template name: tem_rad
● IP addresses of the authentication, accounting, and authorization servers: 192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Accounting interval: 15 minutes

Portal server:
● Portal server template name: tem_portal
● IP address of the Portal server: 192.168.100.10
● Port number: 50200
● Shared key of the Portal server: Admin@123
● Portal server detection: enabled

802.1X access profile:
● Name: d1
● Authentication mode: EAP

Portal access profile: Name: web1

MAC access profile: Name: mac1

Authentication-free resources: DNS server: 192.168.100.2

Post-authentication domains:
● Employees: service server, Internet, and network segments of employees
● Guests: Internet and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.

Escape function: Same network access rights as those in post-authentication domains

Table 6-35 Service data plan for Agile Controller-Campus

User accounts (user name/password):
● Employees: user1/Huawei@123, user2/Huawei@456
● Guest: guest4/Guest@123

IP addresses of aggregation switches:
● AGG1: 172.16.70.2
● AGG2: 172.16.80.2

RADIUS authentication parameters:
● Device series: Huawei S series switches
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Real-time accounting interval: 15 minutes

Portal authentication parameters:
● Portal key: Admin@123
● IP address list of access terminals (AGG1): 172.16.30.0/24, 172.16.31.0/24
● IP address list of access terminals (AGG2): 172.16.40.0/24, 172.16.41.0/24

Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
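The third precaution above, modelled in code. This is an added example, not Huawei's code: it shows why an EAPOL frame from PC1 is terminated by an ordinary Layer 2 switch and how the l2protocol-tunnel configuration on ACC1 (protocol MAC 0180-c200-0003 replaced by group MAC 0100-0000-0002 on the user port and restored on the uplink) lets the frame reach AGG1. The EAPOL-Start frame, PC1's MAC address and the function names are constructed for the example.

```python
"""Why 802.1X frames need Layer 2 transparent transmission on ACC1/ACC2.

Added example, not Huawei code. It models one EAPOL-Start frame from PC1
entering GE0/0/3 of ACC1 and leaving on Eth-Trunk 30 towards AGG1, with and
without the l2protocol-tunnel configuration from the ACC1 configuration file.
"""
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
# Values from the ACC1 configuration line
#   l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # IEEE 802.1X PAE group address
TUNNEL_GROUP_MAC = bytes.fromhex("010000000002")  # replacement multicast address
RESERVED_PREFIX = bytes.fromhex("0180c20000")     # 01-80-C2-00-00-00 .. 0F: bridge-reserved

PC1_MAC = bytes.fromhex("0200c0a8322a")  # constructed, locally administered address


def eapol_start(src_mac: bytes) -> bytes:
    """Build an untagged EAPOL-Start frame (constructed sample input)."""
    # Ethernet header, then EAPOL: version 1, packet type 1 (Start), body length 0
    return PAE_GROUP_MAC + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 1, 0)


def ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def bridge_forward(frame: bytes) -> Optional[bytes]:
    """Forwarding decision of a plain 802.1D bridge.

    Frames to the reserved 01-80-C2-00-00-0x addresses are terminated on the
    switch and never flooded to other ports; everything else is forwarded.
    """
    dst = frame[:6]
    if dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F:
        return None
    return frame


def tunnel_ingress(frame: bytes) -> bytes:
    """User-side port with l2protocol-tunnel enabled: swap the PAE group MAC for
    the configured group MAC so the fabric treats the frame as ordinary multicast."""
    if frame[:6] == PAE_GROUP_MAC and ethertype(frame) == EAPOL_ETHERTYPE:
        return TUNNEL_GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame: bytes) -> bytes:
    """Uplink port with l2protocol-tunnel enabled: restore the original MAC so
    AGG1 (the authentication point) receives a standard EAPOL frame."""
    if frame[:6] == TUNNEL_GROUP_MAC and ethertype(frame) == EAPOL_ETHERTYPE:
        return PAE_GROUP_MAC + frame[6:]
    return frame


def forward_through_acc(frame: bytes, tunnelling: bool) -> Optional[bytes]:
    """Frame path GE0/0/3 -> switching fabric -> Eth-Trunk 30 on ACC1.

    Returns the frame as AGG1 would receive it, or None if ACC1 consumed it.
    """
    if tunnelling:
        frame = tunnel_ingress(frame)
    out = bridge_forward(frame)
    if out is not None and tunnelling:
        out = tunnel_egress(out)
    return out


if __name__ == "__main__":
    frame = eapol_start(PC1_MAC)
    print("without tunnelling, AGG1 receives:", forward_through_acc(frame, tunnelling=False))
    print("with tunnelling, frame unchanged at AGG1:",
          forward_through_acc(frame, tunnelling=True) == frame)
```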

Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

Step 2 Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between aggregation switches and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.
[AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit

Step 3 Configure authentication-free resources, post-authentication domains, and the escape function.
# Configure authentication-free resources to allow packets destined for the DNS server to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] quit

# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of successfully authenticated employees and guests, respectively.

NOTE: ACL rules for wireless users are delivered to APs. Therefore, the ACLs delivered to the APs must permit the network segments of wireless users themselves as well as all the network segments that wireless users are allowed to access. Otherwise, all packets of wireless users are discarded on the APs even if the users are successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
[AGG1] acl 3002
[AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 5 deny ip destination any
[AGG1-acl-adv-3002] quit

# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
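The post-authentication domains of Step 3 and the note about ACLs delivered to APs, checked offline. This is an added example, not Huawei's code: it parses the ACL 3001 and ACL 3002 rules exactly as entered above, answers permit or deny for a destination the way the device does (first matching rule, rules in rule-ID order, Huawei wildcard masks), and flags wireless user segments that an ACL does not fully permit. The sample destinations are the service server and special server from the data plan plus the employee and guest terminal addresses seen in the verification output earlier on this page; the function names are assumptions of the example.

```python
"""Offline check of the post-authentication domains from Step 3.

Added example, not Huawei code. Parses the ACL rules as entered on AGG1,
evaluates destinations as the device does (first matching rule, ordered by
rule ID, Huawei wildcard masks where 1 bits are "don't care") and reports
wireless user segments an ACL would not fully permit on the AP.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Rules copied from the configuration above (destination-only advanced ACL rules).
ACL_3001 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 192.168.100.3 0.0.0.0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip destination any
"""
ACL_3002 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip destination any
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+destination\s+(any|\S+)(?:\s+(\S+))?$")


class Rule(NamedTuple):
    rule_id: int
    action: str      # "permit" or "deny"
    addr: int        # destination address as a 32-bit integer
    wildcard: int    # Huawei wildcard mask: 1 bits are "don't care"

    def matches(self, dst: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (dst & care) == (self.addr & care)

    def covers(self, net: ipaddress.IPv4Network) -> bool:
        """True if every address in net matches this rule."""
        care = ~self.wildcard & 0xFFFFFFFF
        # every host bit of the segment must be a don't-care bit of the rule
        return (int(net.hostmask) & care) == 0 and self.matches(int(net.network_address))


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rid, action, dst, wc = m.groups()
        if dst == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(dst))
            # the running configuration prints wildcard 0.0.0.0 as a bare "0"
            wildcard = 0 if wc in (None, "0") else int(ipaddress.IPv4Address(wc))
        rules.append(Rule(int(rid), action, addr, wildcard))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: List[Rule], dst_ip: str) -> Optional[str]:
    """Action of the first matching rule; None if no rule matched."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    return next((r.action for r in rules if r.matches(dst)), None)


def uncovered_segments(rules: List[Rule], segments: List[str]) -> List[str]:
    """Segments whose traffic an AP would drop: the first rule matching the
    segment's network address is not a permit rule covering the whole segment."""
    missing = []
    for seg in segments:
        net = ipaddress.IPv4Network(seg)
        first = next((r for r in rules if r.matches(int(net.network_address))), None)
        if first is None or first.action != "permit" or not first.covers(net):
            missing.append(seg)
    return missing


EMPLOYEE_ACL = parse_acl(ACL_3001)
GUEST_ACL = parse_acl(ACL_3002)


def verify_page_checks() -> dict:
    """The ping checks shown earlier on this page, as ACL lookups."""
    return {
        "employee -> service server 192.168.100.3": evaluate(EMPLOYEE_ACL, "192.168.100.3"),
        "employee -> special server 192.168.100.100": evaluate(EMPLOYEE_ACL, "192.168.100.100"),
        "employee -> user2 172.16.30.81": evaluate(EMPLOYEE_ACL, "172.16.30.81"),
        "employee -> guest4 172.16.31.153": evaluate(EMPLOYEE_ACL, "172.16.31.153"),
        "guest -> user2 172.16.30.81": evaluate(GUEST_ACL, "172.16.30.81"),
    }


if __name__ == "__main__":
    for check, action in verify_page_checks().items():
        print(f"{check}: {action}")
    print("employee segments not fully permitted:",
          uncovered_segments(EMPLOYEE_ACL, ["172.16.30.0/24", "172.16.40.0/24"]))
    print("guest segments not fully permitted:",
          uncovered_segments(GUEST_ACL, ["172.16.31.0/24", "172.16.41.0/24"]))
```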

Step 4 Configure 802.1X authentication for employees.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] free-rule-template default_free_rule
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[AGG1-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[AGG1-authen-profile-p1] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate employees after the authentication server recovers.
[AGG1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on the downlink interface Eth-Trunk 30.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication-profile p1
[AGG1-Eth-Trunk30] quit

# Configure a security policy for wireless users. The security policies for wireless users vary according to authentication modes. For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows.

User Role | Wireless User Authentication Mode | Security Policy | Remarks
Employee | 802.1X authentication | WPA/WPA2-802.1X authentication | In this example, WPA2 authentication is used.
Guest | MAC address-prioritized Portal authentication | Open system authentication | The default security policy is open system authentication. Therefore, you do not need to configure a security policy for guests.

[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees in VAP profile
vap1.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] quit

Step 5 Configure MAC address-prioritized Portal authentication for guests.

# Configure Portal server template tem_portal, and set parameters for
interconnection between aggregation switches and the Portal server. The
parameters include the IP address, port number, and shared key of the Portal
server, as well as the URL of the Portal page.
[AGG1] web-auth-server tem_portal
[AGG1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG1-web-auth-server-tem_portal] port 50200
[AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[AGG1-web-auth-server-tem_portal] quit

# Configure a Portal access profile.


[AGG1] portal-access-profile name web1
[AGG1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG1-portal-acces-profile-web1] authentication event portal-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the Portal server is faulty.
[AGG1-portal-acces-profile-web1] authentication event portal-server-up action re-authen //Configure the switch to re-authenticate guests after the Portal server recovers.
[AGG1-portal-acces-profile-web1] quit

# Configure a MAC access profile.


[AGG1] mac-access-profile name mac1
[AGG1-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.


[AGG1] authentication-profile name p2


[AGG1-authen-profile-p2] portal-access-profile web1
[AGG1-authen-profile-p2] mac-access-profile mac1
[AGG1-authen-profile-p2] free-rule-template default_free_rule
[AGG1-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[AGG1-authen-profile-p2] authentication event authen-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[AGG1-authen-profile-p2] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate guests after the authentication server recovers.
[AGG1-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests in the VAP
profile vap2.
[AGG1] wlan
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-vap-prof-vap2] quit
[AGG1-wlan-view] quit

Step 6 Configure Layer 2 transparent transmission for 802.1X authentication packets on
the access switch. This function needs to be configured on all interfaces through
which 802.1X authentication packets pass. If a switch does not support the bpdu
enable command, you only need to run the l2protocol-tunnel user-defined-protocol
802.1x enable command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
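The following Python model is added to this example and is not Huawei software; it illustrates what the l2protocol-tunnel commands in Step 6 do to an 802.1X frame. EAPOL frames are sent to the reserved bridge address 0180-c200-0003, which a switch that is not the authentication point consumes rather than forwards. On a tunnel-enabled port ACC1 replaces that address with the configured group MAC 0100-0000-0002 so the frame is bridged like an ordinary multicast frame, and the original address is restored when the frame leaves a tunnel-enabled port (Eth-Trunk 30 here) toward AGG1. The Ethernet II layout and the EAPOL header are standard; the supplicant MAC 001b-21c4-820f is taken from the display access-user output later in this example, and the frames themselves are constructed here.

```python
"""Layer 2 protocol tunnelling of 802.1X (EAPOL) frames, modelled in Python.

Added example for this configuration guide, not Huawei code. The protocol MAC
and group MAC are the values configured on ACC1 in Step 6.
"""
import struct

EAPOL_ETHERTYPE = 0x888E                        # IEEE 802.1X (EAPOL)
PROTOCOL_MAC = bytes.fromhex("0180c2000003")    # protocol-mac 0180-c200-0003 from Step 6
GROUP_MAC = bytes.fromhex("010000000002")       # group-mac 0100-0000-0002 from Step 6


def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype, frame[14:]


def _rebuild(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def is_eapol(frame):
    """True when the frame carries 802.1X (EtherType 0x888E)."""
    return parse_ethernet(frame)[2] == EAPOL_ETHERTYPE


def tunnel_ingress(frame):
    """Tunnel-enabled user port on the access switch: an EAPOL frame addressed to the
    reserved protocol MAC gets the group MAC instead, so the switch bridges it like an
    ordinary multicast frame rather than consuming it."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype != EAPOL_ETHERTYPE or dst != PROTOCOL_MAC:
        return frame                # not an 802.1X protocol frame: left untouched
    return _rebuild(GROUP_MAC, src, ethertype, payload)


def tunnel_egress(frame):
    """Tunnel-enabled uplink (Eth-Trunk 30 toward AGG1): restore the protocol MAC so the
    authentication point processes the frame as normal 802.1X."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype != EAPOL_ETHERTYPE or dst != GROUP_MAC:
        return frame
    return _rebuild(PROTOCOL_MAC, src, ethertype, payload)


def build_eapol_start(src_mac):
    """Construct a minimal EAPOL-Start frame: version 2, packet type 1, body length 0."""
    eapol_header = struct.pack("!BBH", 2, 1, 0)
    return _rebuild(PROTOCOL_MAC, src_mac, EAPOL_ETHERTYPE, eapol_header)


def mac_str(mac):
    """Format a MAC in the switch's xxxx-xxxx-xxxx notation."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


if __name__ == "__main__":
    # Supplicant MAC taken from the display access-user output later in this example.
    start = build_eapol_start(bytes.fromhex("001b21c4820f"))
    tunnelled = tunnel_ingress(start)
    restored = tunnel_egress(tunnelled)
    for label, f in (("supplicant", start), ("inside tunnel", tunnelled), ("at AGG1", restored)):
        print(f"{label:14s} dst={mac_str(parse_ethernet(f)[0])} eapol={is_eapol(f)}")
```

Running the block prints the destination MAC at each of the three stages; a frame whose EtherType is not 0x888E, or whose destination is not the protocol MAC, passes both functions unchanged, which is the behaviour the per-protocol match in the l2protocol-tunnel command gives.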

Step 7 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-36, and click OK.

Table 6-36 Parameter settings on Agile Controller-Campus and AGG1

Parameter on Agile Controller-Campus | Configuration on Agile Controller-Campus | Configuration on AGG1
Name | AGG1 | -
IP address | 172.16.70.2 | IP address of VLANIF 70, which is used by AGG1 to communicate with Agile Controller-Campus
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain) | Selected | -
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | [AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | [AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | [AGG1-aaa-accounting-acco] accounting realtime 15
Enable Portal (mandatory for Portal authentication) | Selected | -
Portal protocol type | HUAWEI portal protocol | -
Portal key | Admin@123 | [AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.31.0/24 | List of IP addresses used by employees and guests for accessing the network in wireless mode
Enable heartbeat between access device and Portal server | Selected | Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list, the Portal server can periodically send heartbeat packets to AGG1, based on which AGG1 determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on AGG1.
Portal server IP address list | 192.168.100.10 | Same remark as the row above (the two settings take effect together).


Step 8 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.

# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.


Step 9 Enable MAC address-prioritized Portal authentication.


# Choose System > Terminal Configuration > Global Parameters > Access
Management. On the Configure MAC Address-Prioritized Portal
Authentication tab page, enable MAC address-prioritized Portal authentication,
set Validity period of MAC address (min) to 60, and click OK.


Step 10 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-37, and click OK. Here, the employee
authorization result is used as an example.


Table 6-37 Authorization results for employees and guests

Name | Authorization Parameter: ACL Number/AAA User Group
Employee authorization result | 3001
Guest authorization result | 3002

# Configure authorization rules. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Rule, click Add, set parameters
according to Table 6-38, and click OK. Here, the employee authorization rule is
used as an example.


Table 6-38 Authorization rules for employees and guests

Name | Authorization Condition: User Group | Authorization Result
Employee authorization rule | Employee | Employee authorization result
Guest authorization rule | Guest | Guest authorization result

----End

Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.


2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. The employees can communicate with each other, but cannot communicate
with the guest.

When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
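The decision described in the preceding paragraph, modelled in Python as an added example (not Agile Controller-Campus code): a guest who has passed Portal authentication once is admitted on the cached MAC address for the validity period set in Step 9 (60 minutes), and an unknown or expired MAC is sent to the Portal page. The MAC 64b0-a6a3-f913 and the start time are taken from the display outputs later in this example. Whether the controller counts the period from the Portal login or refreshes it on each reconnection, and whether a reconnection at exactly 60 minutes still qualifies, is not stated here; the model counts from the Portal login and treats the limit as inclusive, both assumptions.

```python
"""MAC address-prioritized Portal authentication, modelled in Python.

Added example for this configuration guide, not Agile Controller-Campus code.
"""
import re
from datetime import datetime, timedelta


class MacPrioritizedPortal:
    """Caches MACs that passed Portal authentication for a validity period (60 min in Step 9)."""

    def __init__(self, validity_minutes=60):
        self.validity = timedelta(minutes=validity_minutes)
        self._cache = {}   # normalised MAC -> time of the successful Portal login

    @staticmethod
    def normalise(mac):
        """Accept 64b0-a6a3-f913, 64:B0:A6:A3:F9:13 or 64b0.a6a3.f913; return 12 lowercase hex digits."""
        digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def portal_login(self, mac, now):
        """Record a successful Portal authentication (user name and password entered)."""
        self._cache[self.normalise(mac)] = now

    def on_connect(self, mac, now):
        """Return 'mac-auth' when the terminal is admitted on its cached MAC, else 'portal'."""
        key = self.normalise(mac)
        seen = self._cache.get(key)
        # Assumption: the period runs from the Portal login and a reconnection at exactly the
        # validity limit still counts; the page does not state either detail.
        if seen is not None and now - seen <= self.validity:
            return "mac-auth"
        self._cache.pop(key, None)   # unknown or expired: evict and redirect to the Portal page
        return "portal"


def simulate(validity_minutes, events):
    """Replay (minute_offset, mac, action) events; action is 'login' (Portal authentication
    succeeded) or 'connect' (terminal associates with the WLAN). Returns one decision per
    'connect'. The start time is constructed in the format of the page's display output."""
    start = datetime(2019, 9, 2, 17, 14, 30)
    controller = MacPrioritizedPortal(validity_minutes)
    decisions = []
    for offset, mac, action in events:
        now = start + timedelta(minutes=offset)
        if action == "login":
            controller.portal_login(mac, now)
        elif action == "connect":
            decisions.append(controller.on_connect(mac, now))
        else:
            raise ValueError(f"unknown action {action!r}")
    return decisions


if __name__ == "__main__":
    guest = "64b0-a6a3-f913"   # guest4's MAC from the display access-user output
    print(simulate(60, [(0, guest, "connect"), (0, guest, "login"),
                        (30, guest, "connect"), (61, guest, "connect")]))
```

The first connection of an unknown MAC yields "portal", a reconnection within the validity period yields "mac-auth", and the first connection after expiry yields "portal" again, after which the entry is gone until the guest logs in through the Portal page once more.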

Verifying the Deployment


1. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on AGG1 to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------------------------------
49175 user1 172.16.50.230 001b-21c4-820f Pre-authen
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:


Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252

Ping statistics for 192.168.100.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:


Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.3.1:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------------------------------
49175 user1 172.16.50.172 001b-21c4-820f Success
49176 user2 172.16.30.81 38ca-da5e-441a Success
49177 guest4 172.16.31.153 64b0-a6a3-f913 Success
------------------------------------------------------------------------------------------------------
Total: 3, printed: 3

# Run the display access-user username user1 detail command on AGG1 to
check the authentication and authorization information of user1.
[AGG1] display access-user username user1 detail

Basic:
User ID : 49175
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/02 17:14:30
User accounting session ID : AG00018000000050ce****0300017
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1

3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:


Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Reply from 192.168.100.2: bytes=32 time<1ms TTL=252

Ping statistics for 192.168.100.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:


Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 172.16.3.1:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource denied in the post-authentication domain, for
example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:


Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 192.168.100.100:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

4. Verify that employees can communicate with each other, but cannot
communicate with the guest.


# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81

Pinging 172.16.30.81 with 32 bytes of data:


Reply from 172.16.30.81: bytes=32 time=106ms TTL=63
Reply from 172.16.30.81: bytes=32 time=93ms TTL=63
Reply from 172.16.30.81: bytes=32 time=102ms TTL=63
Reply from 172.16.30.81: bytes=32 time=27ms TTL=63

Ping statistics for 172.16.30.81:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 106ms, Average = 82ms

C:\Users\*******>

# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153

Pinging 172.16.31.153 with 32 bytes of data:


Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.31.153:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
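The four verification checks above can be reproduced offline against the AGG1 policy. The following Python evaluator is an added example, not Huawei code: it parses ACL 3001, ACL 3002 and the free rule copied from the AGG1 configuration file in the Configuration Files section, applies the wildcard-mask semantics of the rule syntax (a 1 bit in the wildcard is a don't-care bit, so a wildcard of 0 is an exact host match) with first-match rule order, and decides reachability from the Status column of display access-user: a Pre-authen user is bound by the free rule only, a Success user by the ACL that the authorization result assigns (3001 for employees, 3002 for guests, per Table 6-37). The role-to-ACL dictionary and the choice to permit a destination that matches no rule are the example's own assumptions; the second never arises here because both ACLs end with an explicit deny ip.

```python
"""Pre-authentication free rule and post-authentication ACL evaluator for AGG1.

Added example for this configuration guide, not Huawei code. ACL and free-rule
text are copied from the AGG1 configuration file; the role-to-ACL mapping
follows Table 6-37.
"""
import ipaddress
import re

# Copied from the AGG1 configuration file in the Configuration Files section.
AGG1_ACL_TEXT = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
"""
# Copied from free-rule-template default_free_rule in the same configuration file.
FREE_RULE_TEXT = "free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255"

# Table 6-37: each authorization result binds a role to a dynamic ACL on AGG1 (example's own mapping).
ROLE_ACL = {"Employee": 3001, "Guest": 3002}

ACL_RE = re.compile(r"acl number (\d+)")
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?")


def _wildcard(text):
    """Wildcard mask: a 1 bit means don't care; a bare '0' stands for 0.0.0.0 (exact host)."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, network, wildcard), ...]} in rule-id order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.fullmatch(line)):
            current = int(m.group(1))
            acls[current] = []
        elif (m := RULE_RE.fullmatch(line)) and current is not None:
            rule_id, action, net, wild = m.groups()
            network = int(ipaddress.IPv4Address(net)) if net else 0
            wildcard = _wildcard(wild) if wild else 0xFFFFFFFF   # no destination: match any
            acls[current].append((int(rule_id), action, network, wildcard))
    for rules in acls.values():
        rules.sort()
    return acls


def acl_permits(rules, dst):
    """First matching rule decides. A destination matching no rule is treated as permitted;
    that is an assumption of this model and cannot occur for the page's ACLs because both
    end with an explicit deny ip."""
    dst_i = int(ipaddress.IPv4Address(dst))
    for _rule_id, action, network, wildcard in rules:
        if (dst_i | wildcard) == (network | wildcard):   # wildcard bits are ignored
            return action == "permit"
    return True


def free_rule_permits(dst):
    """Authentication-free rule: destination/mask from the page's free-rule-template."""
    m = re.search(r"destination ip (\S+) mask (\S+)", FREE_RULE_TEXT)
    allowed = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return ipaddress.IPv4Address(dst) in allowed


def reachable(status, role, dst, acls=None):
    """Decide whether a user shown with this Status in display access-user may reach dst."""
    acls = acls if acls is not None else parse_acls(AGG1_ACL_TEXT)
    if status == "Pre-authen":            # not yet authenticated or failed: free rule only
        return free_rule_permits(dst)
    if status == "Success":               # authenticated: dynamic ACL from the authorization result
        return acl_permits(acls[ROLE_ACL[role]], dst)
    raise ValueError(f"unexpected user status {status!r}")


if __name__ == "__main__":
    # The pings from "Verifying the Deployment", replayed against the parsed ACLs.
    checks = [("Pre-authen", "Employee", "192.168.100.2"), ("Pre-authen", "Employee", "172.16.3.1"),
              ("Success", "Employee", "192.168.100.100"), ("Success", "Employee", "172.16.30.81"),
              ("Success", "Employee", "172.16.31.153"), ("Success", "Guest", "172.16.50.172")]
    for status, role, dst in checks:
        verdict = "permit" if reachable(status, role, dst) else "deny"
        print(f"{status:10s} {role:8s} -> {dst:16s} {verdict}")
```

Each verdict printed by the block matches the corresponding ping result above: the pre-authentication user reaches only the DNS server, the authenticated employee reaches the egress device and user2 but neither the special server 192.168.100.100 nor guest4, and the guest ACL in turn denies the employee subnet 172.16.50.0/24.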

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp


#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG1 configuration file


#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#QM@-!k^FcW*pZR2\4y93zY`;XY`TG356P_:6g7*O%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#S"vi.B|D80}JJgD*N%h&6+AUO7X-T/l0V$;|PU$A%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255


rule 6 permit ip destination 172.16.50.0 0.0.0.255


rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#


interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict


regulatory-domain-profile name domain1


ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG2 configuration file


#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#fax3=MV"r//"O"5FMI;5&H_R7f2k$Tfj6[1Xa0$5%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#3xW1/X3Dv=QAh^+{A2SA<g5cJ#]\5B:|Jl)|;GB2%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#


web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1


port trunk allow-pass vlan 21 60


authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#


dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

# ACC2 configuration file


#
sysname ACC2
#
vlan batch 21 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

6.7 Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Core, aggregation, and access
switches set up an SVF system. In the SVF system, the CSS of core switches
functions as the parent, and aggregation and access switches function as ASs. The
parent manages and configures ASs in a unified manner.
In this example, core switches set up an SVF system, which functions as the
gateway and authentication point for wired and wireless users on the entire
network. These users can access the network only after being authenticated. The
specific requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Users include employees and guests. Wired users use combined 802.1X + MAC
+ Portal authentication, and wireless users use 802.1X authentication and
MAC address-prioritized Portal authentication.
● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.
Figure 6-35 Parent (core switches) in an SVF system functioning as the authentication point

[Figure: CORE (a CSS, the SVF parent) at the core layer connects to the server zone (RADIUS and DNS servers) through XGE1/2/0/1, and to the level-1 ASs AGG1 (as-layer1-1) and AGG2 (as-layer1-2) at the aggregation layer through Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) and Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1). The level-1 ASs connect through Eth-Trunk 30 and Eth-Trunk 40 (GE0/0/3, GE1/0/3 on the AGG side; GE0/0/1, GE0/0/2 on the ACC side) to the level-2 ASs ACC1 (as-layer2-1) and ACC2 (as-layer2-2) at the access layer. PC1 and AP1 attach to ACC1's GE0/0/3 and GE0/0/4; PC2 and AP2 attach to ACC2's GE0/0/3 and GE0/0/4. Legend: authentication point, access point, group policy enforcement point.]
Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer | Modular switches configured with X series cards, or Layer 3 fixed switches that support the native AC function, such as S5731-H switches | S12700E | V200R019C10
Aggregation layer | - | S5731-H |
Access layer | - | S5735-L |
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE)
2 | Configure a pre-authentication domain, a post-authentication domain, and the escape function, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty. | Core switches (CORE)
3 | Configure combined 802.1X + MAC + Portal authentication for wired users. | Core switches (CORE)
4 | Configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users. | Core switches (CORE)
5 | Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus. | Core switches (CORE)
6 | Log in to Agile Controller-Campus and perform the following operations: 1. Configure parameters for interconnection with CORE, and configure RADIUS and Portal parameters. 2. Configure security groups and inter-group policies. | Agile Controller-Campus

Data Plan

Table 6-39 Service data plan for core switches

Item | VLAN ID | Network Segment
Management VLAN | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users (AP1) | VLAN 30; VLAN 40 | 172.16.30.0/24; 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.11.0/24

Table 6-40 Wireless service data plan for core switches

Item | Data
AP group | ap-group
Regulatory domain profile | domain
SSID profiles | ssid1, ssid2
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 6-41 Data plan for the SVF system

Item | Data
Parent | CSS of two S12700E switches
Parent's cards connected to ASs | X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs | as-layer1-1: 00e0-0001-0011; as-layer1-2: 00e0-0001-0022; as-layer2-1: 00e0-0001-0033; as-layer2-2: 00e0-0001-0044
Management VLAN of the SVF system | VLAN 20
IP address of the management VLANIF interface | 192.168.20.1/24
Parent's interfaces connected to as-layer1-1 | GE1/1/0/1 and GE2/1/0/2. Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.
Parent's interfaces connected to as-layer1-2 | GE1/1/0/2 and GE2/1/0/1. Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.
as-layer2-1's interface connected to AP1 | GE0/0/4. Add the interface to an AP port group.
as-layer2-2's interface connected to AP2 | GE0/0/4. Add the interface to an AP port group.
AS authentication mode | Whitelist authentication
Service configuration of an AS administrator profile | Administrator profile admin_profile, in which the administrator user name and password are configured. AS group admin_group, which includes all ASs. Bind the administrator profile admin_profile to the AS group admin_group.
Service configuration of AS network basic profiles | Network basic profile basic_profile_1, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through; basic_profile_2, in which VLAN 60 is configured as that VLAN; basic_profile_3, in which VLAN 50 is configured as that VLAN; basic_profile_4, in which VLAN 60 is configured as that VLAN. Port group port_group_1, which includes all downlink interfaces of as-layer1-1; port_group_2, which includes all downlink interfaces of as-layer1-2; port_group_3, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-1; port_group_4, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-2. Bind basic_profile_1 to port_group_1, basic_profile_2 to port_group_2, basic_profile_3 to port_group_3, and basic_profile_4 to port_group_4.

Table 6-42 Authentication service data plan for core switches

Item | Data
AAA schemes | Authentication scheme: name auth, authentication mode RADIUS. Accounting scheme: name acco, accounting mode RADIUS.
RADIUS server | RADIUS server template name: tem_rad; IP address of the authentication server: 192.168.11.1; port number of the authentication server: 1812; IP address of the accounting server: 192.168.11.1; port number of the accounting server: 1813; accounting interval: 15 minutes; authentication and accounting keys: Admin@123; authorization key: Admin@123
Portal server | Portal server template name: tem_portal; IP address: 192.168.11.1; port number: 50200; shared key: Admin@123; Portal server detection: enabled
802.1X access profile | Name: d1; authentication mode: EAP
Portal access profile | Name: web1
MAC access profile | Name: mac1
Pre-authentication domain | IP address of the DNS server: 192.168.11.2. Employees and guests can send domain names to the DNS server for resolution before being authenticated.

Table 6-43 Service data plan for Agile Controller-Campus

Item | Data
IP address of CORE | 192.168.11.254
RADIUS parameters | Device series: Huawei S series switches; authentication and accounting keys: Admin@123; authorization key: Admin@123; real-time accounting interval: 15 minutes
Portal parameters | Port number: 2000; Portal key: Admin@123; IP addresses of access terminals: wireless 192.168.13.0/24, wired 192.168.14.0/24
XMPP password | Admin@123
Accounts | Employee: user name user1, password Huawei@123. Guest: user name user2, password Guest@123.
Security group | employee_group; guest_group; Email server: 192.168.11.100; Video server: 192.168.11.110
Post-authentication domains | Employees can access the mail and video servers after being authenticated. Guests cannot access the mail or video server even after they are authenticated. Employees and guests can communicate with each other. For service security purposes, users from unknown sources are not allowed to access any resources.

Table 6-44 Inter-group policies

Source Security Group | Destination Group: email_server | Destination Group: video_server | Destination Group: Any | Destination Group: employee_group | Destination Group: guest_group
employee_group | Permit | Permit | Permit | N/A | Permit
guest_group | Deny | Permit | Permit | Permit | N/A

Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access authentication modes.

User Access Authentication Mode | Security Policy
MAC address authentication or Portal authentication | Open system authentication
802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For users who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

For users who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:
[CORE-wlan-sec-prof-sec2] security open

Step 2 Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server. The authorization key must be the same as the one configured on Agile Controller-Campus (Admin@123 in this example, see Table 6-42 and Table 6-45).
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind the AAA schemes and RADIUS server template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit

Step 4 Configure combined 802.1X + MAC + Portal authentication for wired users on
CORE.
# Change the NAC mode to unified.

By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode

# Configure an 802.1X access profile.

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit

# Configure a MAC access profile.


[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit

# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.


[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

# Configure an authentication profile for wired users, and bind the 802.1X access
profile, MAC access profile, and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] mac-access-profile mac1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[CORE-authen-profile-p1] quit

# Configure combined 802.1X + MAC + Portal authentication for wired users.
[CORE] uni-mng
[CORE-um] user-access-profile name test01 //Configure a user access profile, which needs to be bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1
[CORE-um-user-access-test01] quit
[CORE-um] port-group name port_group_3 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_3] user-access-profile test01
[CORE-um-portgroup-port_group_3] as name as-layer2-1 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_3] quit
[CORE-um] port-group name port_group_4 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_4] user-access-profile test01
[CORE-um-portgroup-port_group_4] as name as-layer2-2 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_4] quit
[CORE-um] commit as all //Commit the configuration. Configurations in service profiles are then delivered to the ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit

Step 5 On CORE, configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.
# Configure an authentication profile for wireless users, and set the authentication mode to MAC address-prioritized Portal authentication.
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit

# Configure an authentication profile for wireless users, and set the authentication mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule
[CORE-authen-profile-p3] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit

# Configure 802.1X authentication for wireless users in VAP profile vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p3
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

# Configure MAC address-prioritized Portal authentication for wireless users in VAP profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
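The pairing in each VAP profile is what makes the wireless access modes above hold together: the WPA2-802.1X security profile (sec1) only makes sense with an authentication profile that binds a dot1x-access-profile (p3), and the open security profile (sec2) only makes sense with an authentication profile that binds a Portal access profile (p2); otherwise the SSID is either unauthenticatable or silently open. The following Python audit is an added example, not code from the Huawei document or from Agile Controller-Campus. It parses the indented configuration-file form of the authentication-profile and wlan views from a constructed sample that mirrors this section's profiles, and reports a VAP whose security profile and authentication profile disagree, or that lacks the IPSG and ARP user-bind checks and DHCP-strict address learning applied to both VAPs in this section. The sample text and its profile names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed configuration for this example (not the device's own file): the
# indented configuration-file form of the profiles used in this section.
SAMPLE_CONFIG = """\
#
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
authentication-profile name p3
 dot1x-access-profile d1
#
wlan
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 vap-profile name vap1
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  authentication-profile p3
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
#
"""

# Per-VAP hardening lines this section applies to both wireless VAPs.
REQUIRED_VAP_LINES = (
    "ip source check user-bind enable",
    "arp anti-attack check user-bind enable",
    "learn-client-address dhcp-strict",
)

HEADER_RE = re.compile(r"^(\s*)([\w-]+-profile) name (\S+)\s*$")


def parse_profiles(config):
    """Return {profile kind: {profile name: [body lines]}}.

    A block starts at a '<kind>-profile name <name>' line; its body is the run
    of following lines indented deeper than that header. A line at the header's
    indentation or shallower, a blank line, or a lone '#' ends the block.
    """
    profiles = defaultdict(dict)
    current = None  # (kind, name, header indent) of the open block
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        m = HEADER_RE.match(raw)
        if m:
            current = (m.group(2), m.group(3), len(m.group(1)))
            profiles[current[0]][current[1]] = []
            continue
        if current is None:
            continue
        kind, name, indent = current
        if len(raw) - len(raw.lstrip()) > indent:
            profiles[kind][name].append(raw.strip())
        else:
            current = None
    return profiles


def _bound(lines, keyword):
    """Return the argument of the first '<keyword> <arg>' line, or None."""
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] == keyword:
            return parts[1]
    return None


def audit_vaps(config):
    """Return {vap name: [findings]}; an empty dict means every VAP is consistent."""
    profiles = parse_profiles(config)
    findings = defaultdict(list)
    for vap, lines in profiles["vap-profile"].items():
        sec_name = _bound(lines, "security-profile")
        auth_name = _bound(lines, "authentication-profile")
        sec_lines = profiles["security-profile"].get(sec_name)
        auth_lines = profiles["authentication-profile"].get(auth_name)
        if sec_lines is None:
            findings[vap].append(f"security-profile {sec_name} is not defined")
        if auth_lines is None:
            findings[vap].append(f"authentication-profile {auth_name} is not defined")
        if sec_lines is not None and auth_lines is not None:
            # A security profile without a 'security' line behaves as open system.
            policy = next((l for l in sec_lines if l.startswith("security ")), "security open")
            wants_dot1x = " dot1x " in policy + " "
            has_dot1x = any(l.startswith("dot1x-access-profile ") for l in auth_lines)
            has_portal = any(l.startswith("portal-access-profile ") for l in auth_lines)
            if wants_dot1x and not has_dot1x:
                findings[vap].append(
                    f"{sec_name} requires 802.1X but {auth_name} binds no dot1x-access-profile")
            if not wants_dot1x and not has_portal:
                findings[vap].append(
                    f"{sec_name} is open but {auth_name} binds no portal-access-profile")
        for required in REQUIRED_VAP_LINES:
            if required not in lines:
                findings[vap].append(f"missing '{required}'")
    return dict(findings)


if __name__ == "__main__":
    for vap, problems in audit_vaps(SAMPLE_CONFIG).items():
        print(vap, problems)
```

Run it against a saved configuration file (display current-configuration output in the same indented form) after every profile change; an empty result means every VAP's security profile, authentication profile, and user-bind checks are in place.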

Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip to the IP address of VLANIF 1000.

Step 7 Configure Agile Controller-Campus.


1. Add CORE.

Table 6-45 Parameter settings on Agile Controller-Campus and CORE

Parameter | Configuration on Agile Controller-Campus | Configuration on CORE
Name | CORE | -
IP address | 192.168.11.254 | IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | radius-server authorization 192.168.11.1 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | accounting realtime 15
Port | 2000 | Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key | Admin@123 | shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.40.0/24; 172.16.50.0/24; 172.16.60.0/24 | IP address lists of fixed and mobile terminals, corresponding to the interface address pools on VLANIF 30, VLANIF 40, VLANIF 50, and VLANIF 60
XMPP password | Admin@123 | group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254

a. Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.

Figure 6-36 Adding a device

b. Click the XMPP tab and set XMPP parameters.

Figure 6-37 XMPP

c. Click OK. The communication status of the switch becomes , and the
synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1

2. Enable MAC address-prioritized Portal authentication.
a. Choose System > Terminal Configuration > Global Parameters > Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.

Figure 6-38 Configuring MAC address-prioritized Portal authentication

3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.

Figure 6-39 Adding an account

4. Configure security groups employee_group and guest_group to represent users, as well as security groups email_server and video_server to represent resources.
a. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.
Click Add and create security group employee_group.

Figure 6-40 Adding dynamic security group employee_group

b. Click Add and create security group guest_group.

Figure 6-41 Adding dynamic security group guest_group

c. Choose Static Security Group Management, click Add, and create security group email_server.

Figure 6-42 Adding static security group mail_server

d. Click Add and create security group video_server.

Figure 6-43 Adding static security group video_server

e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. The following
describes how to add employee user1 to employee_group. The procedure of
adding guest user2 to guest_group is similar.

Figure 6-44 Add employee user1 to employee_group.

6. Configure access control policies and perform global deployment.

a. Choose System > Terminal Configuration > Global Parameters > Free Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-46.

Table 6-46 Inter-group policies

Source Security Group | Destination Group: email_server | Destination Group: video_server | Destination Group: Any | Destination Group: employee_group | Destination Group: guest_group
employee_group | Permit | Permit | Permit | N/A | Deny
guest_group | Deny | Permit | Permit | Deny | N/A

Figure 6-45 Adding network access rights

c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.

▪ display ucl-group all: checks security groups.
[CORE] display ucl-group all
 ID   UCL group name
--------------------------------------------------------------------------------
 1
 2
--------------------------------------------------------------------------------
 Total : 2

▪ display acl all: checks access control policies.
[CORE] display acl all
 Total nonempty ACL number is 2

Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5

Ucl-group ACL Auto_PGM_U2 9997, 4 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 2 destination ucl-group 1
 rule 4 permit ip source ucl-group 2

Ucl-group ACL Auto_PGM_U1 9998, 4 rules
Acl's step is 5
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 1 destination ucl-group 2
 rule 4 permit ip source ucl-group 1

Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5
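The inter-group policies of Table 6-46 are compiled by Agile Controller-Campus into one UCL-group ACL per source security group, so the rules CORE actually holds can be compared with the intended matrix after each deployment (and after a restart, which is why the configuration is saved below). The following Python script is an added example, not part of the Huawei document or of Agile Controller-Campus: it derives the expected rule lines for each source group from the policy matrix and diffs them against a parsed copy of the display acl all output. The mapping employee_group = ucl-group 1 and guest_group = ucl-group 2, the host addresses of the static groups (Table 6-43), and the rule order (host destinations first, then group destinations, then Any last, although Any is the third column of the table) are assumptions inferred from the rules displayed above; the captured output is constructed for the example.

```python
import re

# Assumed mapping of the dynamic security groups to the UCL group IDs that
# 'display ucl-group all' reports (inferred for this example from the displayed
# rules; the document's output lists only the IDs).
UCL_GROUP_IDS = {"employee_group": 1, "guest_group": 2}
# Static security groups resolve to the server hosts of Table 6-43.
STATIC_GROUPS = {"email_server": "192.168.11.100", "video_server": "192.168.11.110"}

# Inter-group policies of Table 6-46; None marks the N/A cells.
POLICY = {
    "employee_group": {"email_server": "permit", "video_server": "permit",
                       "employee_group": None, "guest_group": "deny", "any": "permit"},
    "guest_group": {"email_server": "deny", "video_server": "permit",
                    "employee_group": "deny", "guest_group": None, "any": "permit"},
}
# Rule order assumed from the displayed ACLs: hosts, then groups, then Any last.
DEST_ORDER = ("email_server", "video_server", "employee_group", "guest_group", "any")

# Constructed capture in the layout of the 'display acl all' output shown above.
SAMPLE_DISPLAY_ACL = """\
[CORE] display acl all
 Total nonempty ACL number is 2

Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5

Ucl-group ACL Auto_PGM_U2 9997, 4 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 2 destination ucl-group 1
 rule 4 permit ip source ucl-group 2

Ucl-group ACL Auto_PGM_U1 9998, 4 rules
Acl's step is 5
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 1 destination ucl-group 2
 rule 4 permit ip source ucl-group 1

Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5
"""

ACL_HEADER_RE = re.compile(r"^(?:Advanced|Ucl-group) ACL (\S+) (\d+), (\d+) rules?")
RULE_RE = re.compile(r"^\s*(rule \d+ .*)$")
SOURCE_RE = re.compile(r"source ucl-group (\d+)(?:\s|$)")


def expected_rules(src_group):
    """Compile one row of the policy matrix into the rule lines the device should hold."""
    sid = UCL_GROUP_IDS[src_group]
    rules = []
    for dst in DEST_ORDER:
        action = POLICY[src_group].get(dst)
        if action is None:          # N/A cell: no rule for a group talking to itself
            continue
        if dst == "any":
            target = ""
        elif dst in STATIC_GROUPS:  # static group: host address plus wildcard mask 0
            target = f" destination {STATIC_GROUPS[dst]} 0"
        else:
            target = f" destination ucl-group {UCL_GROUP_IDS[dst]}"
        rules.append(f"rule {len(rules) + 1} {action} ip source ucl-group {sid}{target}")
    return rules


def parse_display_acl(text):
    """Return {ACL name: [rule lines]} from 'display acl all' output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            acls[current].append(m.group(1).strip())
    return acls


def deployed_rules(acls, group_id):
    """Find the UCL-group ACL whose rules are sourced from group_id."""
    for rules in acls.values():
        m = SOURCE_RE.search(rules[0]) if rules else None
        if m and int(m.group(1)) == group_id:
            return rules
    return []


def audit(text):
    """Return {group: (expected, deployed)} for each drifted group; {} when in sync."""
    acls = parse_display_acl(text)
    drift = {}
    for group, gid in UCL_GROUP_IDS.items():
        want, have = expected_rules(group), deployed_rules(acls, gid)
        if want != have:
            drift[group] = (want, have)
    return drift


if __name__ == "__main__":
    print("drift:", audit(SAMPLE_DISPLAY_ACL))
```

Feed the script the real display acl all output after Global Deployment and again after a restart; a non-empty result names the security group whose deployed rules no longer match the matrix, which is the condition the save step below exists to prevent.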

a. Save the configuration of CORE.
Choose Resource > Device > Device Management and click  to save the configuration.

The save operation on Agile Controller-Campus is equivalent to running the save command on the device, which saves all the device configurations (including security groups and access control policies configured on Agile Controller-Campus) to the configuration file.
When security groups and access right control policies are saved to the configuration file of a device, these configurations can be restored from the configuration file after the device is restarted, without the need to request configurations from Agile Controller-Campus. If these configurations are not saved to the configuration file, user authentication will fail because such configurations are unavailable after the device is restarted.

----End

Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
dhcp select interface
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security wpa2 dot1x aes
security-profile name default


security-profile name default-wds
security-profile name default-mesh
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
ssid-profile name default
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p3
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 40 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
user-access-profile name test01
authentication-profile p1
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return

6.8 Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.
There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Core, aggregation, and access
switches set up an SVF system. In the SVF system, the CSS of core switches
functions as the parent, and aggregation and access switches function as ASs. The
parent manages and configures ASs in a unified manner.
In this example, core switches set up an SVF system, which functions as the
gateway and authentication point for wired and wireless users on the entire
network. These users can access the network only after being authenticated. The
specific requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Users include employees and guests. Wired users use combined 802.1X +
Portal authentication, and wireless users use 802.1X authentication and MAC
address-prioritized Portal authentication.
● The authentication server delivers authorization ACLs to control network
access rights of different users.

Figure 6-46 Parent (core switches) in an SVF system functioning as the authentication point

[Figure: topology. The server zone (RADIUS and DNS servers) attaches to the CORE CSS (the SVF parent) on XGE1/2/0/1. CORE connects to AGG1 (as-layer1-1) over Eth-Trunk 10 (XGE1/1/0/1 and XGE2/1/0/2) and to AGG2 (as-layer1-2) over Eth-Trunk 20 (XGE1/1/0/2 and XGE2/1/0/1); the AGG uplinks are XGE0/0/1 and XGE1/0/1. AGG1 connects to ACC1 (as-layer2-1) over Eth-Trunk 30 and AGG2 connects to ACC2 (as-layer2-2) over Eth-Trunk 40, using GE0/0/3 and GE1/0/3 on the AGGs and GE0/0/1 and GE0/0/2 on the ACCs. PC1 and AP1 attach to ACC1 GE0/0/3 and GE0/0/4; PC2 and AP2 attach to ACC2 GE0/0/3 and GE0/0/4. AGG1 and AGG2 are level-1 ASs, ACC1 and ACC2 are level-2 ASs, and CORE is the authentication point.]


Device Requirements and Versions

Core layer
Device requirement:
● Modular switches configured with X series cards
● Layer 3 fixed switches that support the native AC function, such as S5731-H switches
Device used in this example: S12700E
Version used in this example: V200R019C10

Aggregation layer
Device requirement: -
Device used in this example: S5731-H

Access layer
Device requirement: -
Device used in this example: S5735-L

AP
Device requirement: -
Device used in this example: AP6050DN
Version used in this example: V200R019C00

Deployment Roadmap

Step 1, on the core switches (CORE): Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server.

Step 2, on the core switches (CORE): Configure a pre-authentication domain and a post-authentication domain.

Step 3, on the core switches (CORE): Configure combined 802.1X + Portal authentication for wired users. In an SVF system, the authentication mode of wired users needs to be defined in a user access profile.

Step 4, on the core switches (CORE): Configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.

Step 6, on Agile Controller-Campus: Log in to Agile Controller-Campus, add users, and configure parameters for interconnection with CORE, RADIUS and Portal parameters, as well as the authentication and authorization functions.

Data Plan

Table 6-47 Service data plan for core switches

Management VLAN: VLAN 20, 192.168.20.0/24
Service VLANs for wireless users (AP1): VLAN 30, 172.16.30.0/24; VLAN 40, 172.16.40.0/24
Service VLAN for a wired user (PC1): VLAN 50, 172.16.50.0/24
Service VLAN for a wired user (PC2): VLAN 60, 172.16.60.0/24
Network segment for communication with servers: VLAN 1000, 192.168.11.0/24

Table 6-48 Wireless service data plan for core switches

AP group: ap-group
Regulatory domain profile: domain
SSID profiles: ssid1, ssid2
VAP profiles: vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 6-49 Data plan for the SVF system

Parent: CSS of two S12700E switches
Parent's cards connected to ASs: X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs:
as-layer1-1: 00e0-0001-0011
as-layer1-2: 00e0-0001-0022
as-layer2-1: 00e0-0001-0033
as-layer2-2: 00e0-0001-0044
Management VLAN of the SVF system: VLAN 20
IP address of the management VLANIF interface: 192.168.20.1/24
Parent's interfaces connected to as-layer1-1: GE1/1/0/1 and GE2/1/0/2. Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.
Parent's interfaces connected to as-layer1-2: GE1/1/0/2 and GE2/1/0/1. Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1: GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2: GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.
as-layer2-1's interface connected to AP1: GE0/0/4. Add the interface to an AP port group.
as-layer2-2's interface connected to AP2: GE0/0/4. Add the interface to an AP port group.
AS authentication mode: Whitelist authentication
Service configuration of an AS administrator profile:
Administrator profile admin_profile, in which the administrator user name and password are configured
AS group admin_group, which includes all ASs
Bind the administrator profile admin_profile to the AS group admin_group.
Service configuration of AS network basic profiles:
Network basic profile basic_profile_1, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through
Network basic profile basic_profile_2, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through
Network basic profile basic_profile_3, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through
Network basic profile basic_profile_4, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through
Port group port_group_1, which includes all downlink interfaces of as-layer1-1
Port group port_group_2, which includes all downlink interfaces of as-layer1-2
Port group port_group_3, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-1
Port group port_group_4, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-2
Bind network basic profile basic_profile_1 to port group port_group_1.
Bind network basic profile basic_profile_2 to port group port_group_2.
Bind network basic profile basic_profile_3 to port group port_group_3.
Bind network basic profile basic_profile_4 to port group port_group_4.

Table 6-50 Authentication service data plan for core switches

AAA schemes:
Authentication scheme:
● Name: auth
● Authentication mode: RADIUS
Accounting scheme:
● Name: acco
● Accounting mode: RADIUS

RADIUS server:
● RADIUS server template name: tem_rad
● IP address of the authentication server: 192.168.11.1
● Port number of the authentication server: 1812
● IP address of the accounting server: 192.168.11.1
● Port number of the accounting server: 1813
● Accounting interval: 15 minutes
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123

Portal server:
● Portal server template name: tem_portal
● IP address: 192.168.11.1
● Port number: 50200
● Shared key: Admin@123

802.1X access profile:
● Name: d1
● Authentication mode: EAP

Portal access profile: Name: web1

MAC access profile: Name: mac1

Pre-authentication domain: IP address of the DNS server: 192.168.11.2

Post-authentication domains:
● Employees: service server and Internet
● Guests: Internet
The IP addresses of the service server and campus egress device are 192.168.11.3 and 172.16.3.1, respectively.

Table 6-51 Service data plan for Agile Controller-Campus

IP address of CORE: 192.168.11.254

RADIUS parameters:
● Device series: Huawei S series switches
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Real-time accounting interval: 15 minutes

Portal parameters:
● Port number: 2000
● Portal key: Admin@123
● IP addresses of access terminals: Wireless: 192.168.13.0/24; Wired: 192.168.14.0/24

Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123

Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.

User access authentication mode: Security policy
MAC address authentication or Portal authentication: Open system authentication
802.1X authentication: WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For users who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

For users who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:
[CORE-wlan-sec-prof-sec2] security open

Step 2 Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server. The authorization key is Admin@123, as planned in Table 6-50.
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

Step 3 Configure a pre-authentication domain and a post-authentication domain on CORE.
# Configure a pre-authentication domain to allow packets destined for the DNS
server to pass through before users are authenticated.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit

# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit
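The following Python model is added here as an illustration; it is not part of the Huawei document and is not switch software. It encodes ACL 3001, ACL 3002 and the free rule exactly as configured in this step and evaluates them with Huawei wildcard-mask semantics, so the difference between employee and guest rights can be checked before the authorization ACL IDs are handed out by the RADIUS server. The host 203.0.113.10 is a constructed address.

```python
"""Model of the pre- and post-authentication rules configured on CORE in Step 3.

Added example, not part of the Huawei document and not switch software. It
encodes ACL 3001 (employees) and ACL 3002 (guests) as written on the page and
evaluates them the way the switch does: rules are tried in rule-ID order and
the first match decides. Huawei advanced ACLs take a wildcard mask, not a
netmask: a 1 bit means "don't care", so 172.16.3.0 0.0.0.255 covers
172.16.3.0/24 and 0.0.0.0 is an exact host match.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One 'rule <id> permit|deny ip destination <address> <wildcard>' line."""
    rule_id: int
    action: str                  # "permit" or "deny"
    dest: str                    # destination address, or "any"
    wildcard: str = "0.0.0.0"    # Huawei wildcard mask (inverse of a netmask)

    def matches(self, dst_ip: str) -> bool:
        if self.dest == "any":
            return True
        ip = int(ipaddress.IPv4Address(dst_ip))
        base = int(ipaddress.IPv4Address(self.dest))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        care = 0xFFFFFFFF & ~wild    # bits that have to be equal
        return (ip & care) == (base & care)


# The two authorization ACLs exactly as configured in Step 3.
ACL_3001_EMPLOYEES = [
    Rule(1, "permit", "172.16.3.0", "0.0.0.255"),   # campus egress = Internet
    Rule(2, "permit", "192.168.11.3", "0.0.0.0"),   # service server
    Rule(3, "deny", "any"),
]
ACL_3002_GUESTS = [
    Rule(1, "permit", "172.16.3.0", "0.0.0.255"),   # Internet only
    Rule(2, "deny", "any"),
]


def evaluate(acl: list[Rule], dst_ip: str) -> str:
    """Action of the first matching rule. Both ACLs on the page end with an
    explicit 'deny ip destination any', so the verdict never depends on the
    platform's implicit default; "no-match" only appears for ACLs without one."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(dst_ip):
            return rule.action
    return "no-match"


def free_rule_allows(dst_ip: str, rule_ip: str, mask: str) -> bool:
    """Pre-authentication free rule. The procedure writes 'mask 32' while the
    saved configuration shows the same rule as 'mask 255.255.255.255'; both
    spellings are accepted and must select the same hosts."""
    if "." in mask:
        mask = str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen)
    network = ipaddress.IPv4Network(f"{rule_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(dst_ip) in network


def access_matrix(destinations: dict[str, str]) -> dict[str, dict[str, str]]:
    """What an authenticated employee and guest may reach, per destination."""
    return {
        name: {
            "employee": evaluate(ACL_3001_EMPLOYEES, ip),
            "guest": evaluate(ACL_3002_GUESTS, ip),
        }
        for name, ip in destinations.items()
    }


if __name__ == "__main__":
    # Addresses from the data plan, plus one constructed outside host.
    targets = {
        "campus egress 172.16.3.1": "172.16.3.1",
        "service server 192.168.11.3": "192.168.11.3",
        "RADIUS/Portal server 192.168.11.1": "192.168.11.1",
        "constructed host 203.0.113.10": "203.0.113.10",
    }
    for name, verdict in access_matrix(targets).items():
        print(f"{name:36} employee={verdict['employee']:7} guest={verdict['guest']}")
    print("DNS reachable before authentication (mask 32 / dotted):",
          free_rule_allows("192.168.11.2", "192.168.11.2", "32"),
          free_rule_allows("192.168.11.2", "192.168.11.2", "255.255.255.255"))
```

Note that the RADIUS and Portal server 192.168.11.1 is denied by both ACLs after authentication; only the DNS server 192.168.11.2 is reachable beforehand, through the free rule.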

Step 4 Configure combined 802.1X + Portal authentication for wired users on CORE.
# Change the NAC mode to unified.

By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode

# Configure an 802.1X access profile.

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit

# Configure a MAC access profile.
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit

# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

# Configure an authentication profile for wired users, and bind the 802.1X access
profile and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit

# Configure combined 802.1X + Portal authentication for wired users.
[CORE] uni-mng
[CORE-um] user-access-profile name test01 //Configure a user access profile, which needs to be bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1
[CORE-um-user-access-test01] quit
[CORE-um] port-group name port_group_3 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_3] user-access-profile test01
[CORE-um-portgroup-port_group_3] as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_3] quit
[CORE-um] port-group name port_group_4 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_4] user-access-profile test01
[CORE-um-portgroup-port_group_4] as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_4] quit
[CORE-um] commit as all //Commit the configuration. The configurations in the service profiles are then delivered to the ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit

Step 5 On CORE, configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.
# Configure an authentication profile for wireless users, and set the authentication
mode to MAC address-prioritized Portal authentication.
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit

# Configure an authentication profile for wireless users, and set the authentication
mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule
[CORE-authen-profile-p3] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit

# Configure 802.1X authentication for wireless users in VAP profile vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p3
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

# Configure MAC address-prioritized Portal authentication for wireless users in the VAP profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit

Step 6 Configure Agile Controller-Campus.
1. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters.

Table 6-52 Parameter settings on Agile Controller-Campus and CORE

Name
On Agile Controller-Campus: CORE
On CORE: -

IP address
On Agile Controller-Campus: 192.168.11.254
On CORE: IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus

Device series
On Agile Controller-Campus: Huawei S Series
On CORE: -

Authentication/Accounting key
On Agile Controller-Campus: Admin@123
On CORE: radius-server shared-key cipher Admin@123

Authorization key
On Agile Controller-Campus: Admin@123
On CORE: radius-server authorization 192.168.11.1 shared-key cipher Admin@123

Real-time accounting interval (minute)
On Agile Controller-Campus: 15
On CORE: accounting realtime 15

Port
On Agile Controller-Campus: 2000
On CORE: Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.

Portal key
On Agile Controller-Campus: Admin@123
On CORE: shared-key cipher Admin@123

Access terminal IPv4 list
On Agile Controller-Campus: 172.16.30.0/24; 172.16.40.0/24
On CORE: IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40

Enable heartbeat between access device and Portal server
On Agile Controller-Campus: Selected

Portal server IP address list
On Agile Controller-Campus: 192.168.11.1

On CORE (for the two heartbeat items above): Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list can the Portal server periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.

Figure 6-47 Adding a device

2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.

b. Click in the operation area on the left, and create the user group
Employee.


Figure 6-48 Adding a user group

c. Click Add in the operation area on the right, and add an account.


Figure 6-49 Adding an account

d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.


Figure 6-50 Adding an account to a user group

3. Enable MAC address-prioritized Portal authentication.


a. Choose System > Terminal Configuration > Global Parameters >
Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab
page, enable MAC address-prioritized Portal authentication, and set
Validity period of MAC address (min) to 60.


Figure 6-51 Configuring MAC address-prioritized Portal authentication

4. Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.
a. Choose Policy > Permission Control > Authentication & Authorization>
Authorization Result, and configure a post-authentication domain for
employees.


Figure 6-52 Adding an authorization result

b. Configure authorization rules for employees and guests according to Table 6-53. The following describes how to configure authorization rules for wired access of employees. The configuration for guests is similar.

Table 6-53 Authorization rules for employees and guests

Wired employees authorization rule
User group: Employee
Terminal IP address range: wire
SSID: -
Authorization result: Employees_post-authentication_domain

Wireless employees authorization rule
User group: Employee
Terminal IP address range: -
SSID: test01
Authorization result: Employees_post-authentication_domain

Guests authorization rule
User group: Guest
Terminal IP address range: -
SSID: test02
Authorization result: Guests_post-authentication_domain

▪ Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.

Figure 6-53 Adding an IP address range

▪ Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.


Figure 6-54 Adding an authorization rule


----End

Verifying the Deployment

Check item: Employee authentication
Expected result:
● The employee can complete 802.1X authentication using the 802.1X client on a wired terminal. The employee can also complete Portal authentication after entering http://192.168.11.1:8080/portal in the address box of a browser and entering the user name and password on the redirection page.
● The employee can use a mobile terminal to associate with the SSID test01 and complete 802.1X authentication to access the Wi-Fi network.
● After the employee is authenticated, you can run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the employee account.

Check item: Guest authentication
Expected result:
● A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network. After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.

The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 81564
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 192.168.50.111
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/10/22 02:00:03
User accounting session ID : LSW900210000000050ad****0203e9c
User access type : 802.1x //User access type
AS ID :1
AS name : as-layer2-1 //AS on which the user goes online
AS IP : 192.168.20.212
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/10 //AS interface on which the user goes online
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization information

AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1

Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.


Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0

dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
dhcp select interface
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet2/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security wpa2 dot1x aes
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
ssid-profile name default
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 510


6 Wired and Wireless User Access Authentication
Campus Networks Typical Configuration Examples Deployment

authentication-profile p3
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
user-access-profile name test01
authentication-profile p1
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return

6.9 Standalone AC + NAC Solution: Core Switches and ACs Function as the
Authentication Points for Wired and Wireless Users Respectively
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. A standalone AC is deployed in off-path mode. It functions as a gateway
to assign IP addresses to APs and wireless users, and centrally manages APs and
wireless users on the entire network.

Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.

In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired users, and standalone ACs in a hot standby (HSB)
group function as the gateway and authentication point for wireless users. The
wired and wireless users can access the network only after being authenticated.
The specific requirements are as follows:


● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Agile Controller-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access and aggregation switches to
control Layer 2 traffic of users.

Figure 6-55 Core switches and standalone ACs functioning as the authentication
points for wired and wireless users respectively
[Topology diagram. Labels recovered from the figure: server zone (authentication
server, DNS server, service server, special server) attached to CORE on
XGE1/2/0/1; CORE-AC1 and CORE-AC2 (HSB) attached to the CSS CORE over
Eth-Trunk 1 and Eth-Trunk 2; CORE (core layer) connects to AGG1 over Eth-Trunk 10
(XGE1/1/0/1, XGE2/1/0/1) and to AGG2 over Eth-Trunk 20 (XGE1/1/0/2,
XGE2/1/0/2); AGG1 and AGG2 (aggregation layer; uplinks XGE0/0/1 and XGE1/0/1,
downlinks GE0/0/3 and GE1/0/3) connect to ACC1 and ACC2 (access layer;
GE0/0/1 and GE0/0/2) over Eth-Trunk 30 and Eth-Trunk 40; ACC1 connects PC1 on
GE0/0/3 and AP1 on GE0/0/4, ACC2 connects PC2 on GE0/0/3 and AP2 on GE0/0/4.
Legend: authentication point, access point.]

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Authentication server | Agile Controller-Campus running V100R001, V100R002, or V100R003 | Agile Controller-Campus | V100R003C60SPC206
Core layer | - | S12700E | V200R019C10
Aggregation layer | - | S5731-H |
Access layer | - | S5735-L |
AC | - | AC6605 |
AP | - | AP6050DN | V200R019C00

Deployment Roadmap

Step: Enable campus network connectivity.
1. For details, see 3.11 Standalone AC Solution: Core Switches and ACs Function
as the Gateways for Wired and Wireless Users Respectively.

Step: Configure core switches and ACs.
2. Configure AAA, including configuring a RADIUS server template, AAA schemes,
and authentication domains, as well as configuring parameters for
interconnection between switches and the RADIUS server and between ACs and
the RADIUS server.
3. Configure resources accessible to users before they are authenticated
(referred to as authentication-free resources), and network access rights to be
granted to successfully authenticated employees and guests.
4. Configure 802.1X authentication for employees.
5. Configure MAC address-prioritized Portal authentication for guests only on
ACs.

Step: Configure aggregation and access switches.
6. Configure Layer 2 transparent transmission for 802.1X authentication packets.

Step: Configure Agile Controller-Campus.
7. Add devices that need to communicate with Agile Controller-Campus, and
configure RADIUS and Portal authentication parameters.
8. Add user groups and user accounts.
9. Enable MAC address-prioritized Portal authentication.
10. Configure network access rights for successfully authenticated employees
and guests.


Data Plan

Table 6-54 Data plan for campus network connectivity

Item | VLAN ID | Network Segment
VLANs for communication between core switches and ACs | VLAN 20 (management VLAN for APs) | 192.168.20.0/24
VLANs for communication between core switches and ACs | VLAN 30 (service VLAN for wireless access of employees) | 172.16.30.0/24
VLANs for communication between core switches and ACs | VLAN 40 (service VLAN for guests) | 172.16.40.0/24
Service VLAN for wired users (on AGG1) | VLAN 50 | 172.16.50.0/24
Service VLAN for wired users (on AGG2) | VLAN 60 | 172.16.60.0/24
VLAN for communication between CORE-AC1 and CORE-AC2 | VLAN 100 | 172.16.100.0/24
VLAN for communication between core switches and servers | VLAN 1000 | 192.168.100.0/24

Table 6-55 Wireless service data plan for ACs

Item | Employee | Guest
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. (same for both)
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 | ssid2
AP group | ap-group1 (same for both)
Regulatory domain profile | domain1 (same for both)
Service data forwarding mode | Tunnel forwarding (same for both)
Service VLANs | VLAN 30 | VLAN 40
VAP profiles | vap1 | vap2


Table 6-56 Authentication service data plan for core switches and ACs

Item | Data

AAA schemes
● auth: authentication scheme for RADIUS authentication
● acco: accounting scheme for RADIUS accounting

RADIUS server
● RADIUS server template name: tem_rad
● IP addresses of the authentication, accounting, and authorization servers:
192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Accounting interval: 15 minutes

Portal server
● Portal server template name: tem_portal
● IP address of the Portal server: 192.168.100.10
● Port number: 50200
● Shared key of the Portal server: Admin@123
● Portal server detection: enabled

802.1X access profile
● Name: d1
● Authentication mode: EAP

Portal access profile
● Name: web1

MAC access profile
● Name: mac1

Authentication-free resources
● DNS server: 192.168.100.2

Network access rights for successfully authenticated users
● Employees: Internet, DNS server, service server, and network segments of
employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device
are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.


Table 6-57 Service data plan for Agile Controller-Campus

Item | Data

User accounts (user name/password)
● Employees: user1/Huawei@123, user2/Huawei@456
● Guest: guest4/Guest@123

Device IP addresses
● Core switch: 192.168.100.1
● AC: 192.168.20.1 (IP address of the backup AC: 192.168.20.2)

RADIUS authentication parameters
● Device series: Huawei S series switches
● Authentication and accounting keys: Admin@123
● Authorization key: Admin@123
● Real-time accounting interval: 15 minutes

Portal authentication parameters
● Portal key: Admin@123
● IP address list of access terminals: 172.16.30.0/24, 172.16.40.0/24

Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.11 Standalone AC
Solution: Core Switches and ACs Function as the Gateways for Wired and
Wireless Users Respectively.

# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit

Step 2 Configure the authentication service on CORE.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between CORE and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.
[CORE] radius-server authorization 192.168.100.10 shared-key cipher Admin@123


# Configure an AAA authentication scheme and an AAA accounting scheme,
set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes
and RADIUS server template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

2. Configure authentication-free resources and network access rights for
successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the
DNS server and packets from the AP management VLAN to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to
allow them to access the Internet, DNS server, and service server and to
communicate with each other.
[CORE] acl 3001
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to
access the Internet after being authenticated.
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to
access the DNS server after being authenticated.
[CORE-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to
access the service server after being authenticated.
[CORE-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to
communicate with each other.
[CORE-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to
communicate with each other.
[CORE-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to
communicate with each other.
[CORE-acl-adv-3001] rule 7 deny ip destination any
[CORE-acl-adv-3001] quit

3. Configure 802.1X authentication for employees.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com
as a forcible domain.
[CORE-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink
interfaces.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit

Step 3 Configure the authentication service on ACs. The following uses CORE-AC1 as an
example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<CORE-AC1> system-view
[CORE-AC1] radius-server template tem_rad
[CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-AC1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.
[CORE-AC1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme,
set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[CORE-AC1] aaa
[CORE-AC1-aaa] authentication-scheme auth
[CORE-AC1-aaa-authen-auth] authentication-mode radius
[CORE-AC1-aaa-authen-auth] quit
[CORE-AC1-aaa] accounting-scheme acco
[CORE-AC1-aaa-accounting-acco] accounting-mode radius
[CORE-AC1-aaa-accounting-acco] accounting realtime 15
[CORE-AC1-aaa-accounting-acco] quit

2. Configure authentication-free resources and network access rights for
successfully authenticated users.
# Configure authentication-free resources to allow packets destined for the
DNS server to pass through.
[CORE-AC1] free-rule-template name default_free_rule
[CORE-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[CORE-AC1-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to
allow them to access the Internet, DNS server, and service server and to
communicate with each other.

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[CORE-AC1] acl 3001
[CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 7 deny ip destination any
[CORE-AC1-acl-adv-3001] quit


# Configure network access rights for successfully authenticated guests to
allow them to access the Internet and DNS server and to communicate with
each other.
[CORE-AC1] acl 3002
[CORE-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to
access the Internet after being authenticated.
[CORE-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to
access the DNS server after being authenticated.
[CORE-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.40.0 0.0.0.255 //Allow guests to
communicate with each other.
[CORE-AC1-acl-adv-3002] rule 4 deny ip destination any
[CORE-AC1-acl-adv-3002] quit

3. Configure 802.1X authentication for employees.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[CORE-AC1] dot1x-access-profile name d1
[CORE-AC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.
[CORE-AC1] authentication-profile name p1
[CORE-AC1-authen-profile-p1] dot1x-access-profile d1
[CORE-AC1-authen-profile-p1] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p1] authentication-scheme auth
[CORE-AC1-authen-profile-p1] accounting-scheme acco
[CORE-AC1-authen-profile-p1] radius-server tem_rad
[CORE-AC1-authen-profile-p1] quit

# Configure a security policy for wireless access of employees.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] quit

4. Configure MAC address-prioritized Portal authentication for guests.
# Configure a Portal server template. Configure parameters for
interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.
[CORE-AC1] web-auth-server tem_portal
[CORE-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[CORE-AC1-web-auth-server-tem_portal] port 50200
[CORE-AC1-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[CORE-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-AC1-web-auth-server-tem_portal] quit

# Configure a Portal access profile.
[CORE-AC1] portal-access-profile name web1
[CORE-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-AC1-portal-acces-profile-web1] quit

# Configure a MAC access profile.
[CORE-AC1] mac-access-profile name mac1
[CORE-AC1-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.
[CORE-AC1] authentication-profile name p2
[CORE-AC1-authen-profile-p2] mac-access-profile mac1
[CORE-AC1-authen-profile-p2] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p2] authentication-scheme auth
[CORE-AC1-authen-profile-p2] accounting-scheme acco
[CORE-AC1-authen-profile-p2] radius-server tem_rad
[CORE-AC1-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-vap-prof-vap2] quit
[CORE-AC1-wlan-view] quit
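Added example, not Huawei's code and not part of this document: it ties the display access-user detail check shown in the previous section to the ACL rules configured in step 2 of Step 3 above. It parses ACL 3001 and ACL 3002 as written there, applies the wildcard-mask and first-match semantics those rules depend on, reads the effective dynamic ACL ID from a constructed display access-user excerpt for a guest, and reports every destination where the ACL departs from the data plan. Assumptions: only the rule forms that appear on this page are parsed, and the guest session output is constructed to match the field layout shown for user1.

```python
"""Audit what an authorized (dynamic) ACL actually lets a user reach.

Added example, not Huawei's code and not part of the original document.
Models the ACL semantics this document relies on: rules are checked in
ascending rule-ID order, the first match wins, and the mask is a wildcard
mask (0 bits must match, 1 bits are ignored).
"""
import ipaddress
import re
from dataclasses import dataclass

# ACL 3001 (employees) and ACL 3002 (guests) as configured on CORE-AC1 above.
ACLS = {
    "3001": """
rule 1 permit ip destination 172.16.3.0 0.0.0.255    //Internet (via 172.16.3.1)
rule 2 permit ip destination 192.168.100.2 0.0.0.0   //DNS server
rule 3 permit ip destination 192.168.100.3 0.0.0.0   //service server
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip destination any
""",
    "3002": """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip destination any
""",
}

# Constructed excerpt of 'display access-user username guest4 detail' for a
# guest authenticated on the AC; the field layout follows the user1 output
# shown in the previous section.
GUEST_SESSION = """
User name                      : guest4
Domain-name                    : huawei.com
User IP address                : 172.16.40.23
Dynamic ACL ID(Effective)      : 3002 //Authorization information
"""


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    dst: str         # IPv4 address or "any"
    wildcard: str    # wildcard mask such as 0.0.0.255, NOT a subnet mask

    def matches(self, dst_ip: str) -> bool:
        if self.dst == "any":
            return True
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(self.dst)) & care) == \
               (int(ipaddress.IPv4Address(dst_ip)) & care)


RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(\S+)(?:\s+(\S+))?)?")


def parse_acl(text: str) -> list:
    """Parse 'rule N permit|deny ip [destination A W]' lines; // notes ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.split("//")[0])
        if not m:
            continue
        rule_id, action, dst, wc = m.groups()
        if dst in (None, "any"):
            dst, wc = "any", "255.255.255.255"
        elif wc in (None, "0"):          # "destination 192.168.11.3 0" = one host
            wc = "0.0.0.0"
        rules.append(Rule(int(rule_id), action, dst, wc))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: list, dst_ip: str) -> tuple:
    """First matching rule wins. Both ACLs above end with an explicit deny,
    so the device's implicit default action is never relied on."""
    for r in rules:
        if r.matches(dst_ip):
            return r.action, r.rule_id
    return "deny", None


def parse_access_user(text: str) -> dict:
    """Turn 'Key : value //note' lines of the display output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split("//")[0].strip()
    return fields


def reachable(session: str, destinations: list) -> dict:
    """permit/deny per destination under the user's effective dynamic ACL."""
    rules = parse_acl(ACLS[parse_access_user(session)["Dynamic ACL ID(Effective)"]])
    return {d: evaluate(rules, d)[0] for d in destinations}


def policy_violations(acl_id: str, expected: dict) -> list:
    """(destination, expected, actual) wherever the ACL departs from the plan."""
    rules = parse_acl(ACLS[acl_id])
    return [(d, want, evaluate(rules, d)[0])
            for d, want in expected.items() if evaluate(rules, d)[0] != want]
```

A subnet mask typed where the wildcard mask belongs (255.255.255.0 instead of 0.0.0.255) makes a rule match any address whose last octet is 0, which is the kind of slip policy_violations is meant to surface before the ACL is delivered to users.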

Step 4 Configure Layer 2 transparent transmission for 802.1X authentication packets on
access and aggregation switches. The following uses ACC1 as an example. The
configurations of other switches are similar to that of ACC1.

# Enable this function on all interfaces through which 802.1X authentication
packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit

Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.

# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-58, and click OK.

Table 6-58 Parameter settings for adding core switches and ACs on Agile Controller-Campus

Parameter on Agile Controller-Campus | Setting for Core Switches | Setting for ACs
Name | CORE | AC
IP address | 192.168.100.1 | 192.168.20.1
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain) | Selected | Selected
Standby device IP address | - | 192.168.20.2
Device series | Huawei S Series | Huawei S Series
Authentication/Accounting key | Admin@123 | Admin@123
Authorization key | Admin@123 | Admin@123
Real-time accounting interval (minute) | 15 | 15
Enable Portal (mandatory for Portal authentication) | - | Selected
Portal protocol type | - | HUAWEI portal protocol
Portal key | - | Admin@123
Access terminal IPv4 list | - | 172.16.30.0/24;172.16.40.0/24
Enable heartbeat between access device and Portal server | - | Selected
Portal server IP address list | - | 192.168.100.10

The keys entered here must match the shared keys configured on the devices: the authentication/accounting and authorization keys correspond to the radius-server shared-key and radius-server authorization ... shared-key lines of radius-server template tem_rad, and the Portal key to the shared-key line of web-auth-server tem_portal on the ACs. Admin@123 is the value used throughout this example; in a production deployment use a distinct key per device.

Step 6 Add user groups and user accounts. The following describes how to create an employee group and an employee account. The procedure for creating a guest group and a guest account is similar.

# Choose Resource > User > User Management. In the operation area on the left, add a user group named Employee and click OK. Click Add in the operation area on the right and add an employee account. The user group name is what the authorization rules in Step 8 match on, so the group names Employee and Guest must be spelled exactly as they are used there.

Step 7 Enable MAC address-prioritized Portal authentication.


# Choose System > Terminal Configuration > Global Parameters > Access
Management. On the Configure MAC Address-Prioritized Portal
Authentication tab page, enable MAC address-prioritized Portal authentication,
set Validity period of MAC address (min) to 60, and click OK.
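The following Python model is an added example, not Agile Controller-Campus code, of the behaviour this step enables: after one successful Portal login the controller remembers the terminal MAC address, a reconnect within the validity period passes MAC authentication without showing the Portal page, and after the period the guest must log in through the Portal again. The class and function names, the credential store and the timeline are assumptions of the example; the guest account guest4 and its MAC address are taken from the verification output on this page, the password is made up.

```python
"""Model of MAC address-prioritized Portal authentication with a 60-minute
validity period (added example for this page, not Huawei code)."""
from datetime import datetime, timedelta

VALIDITY = timedelta(minutes=60)  # "Validity period of MAC address (min)" = 60


class PortalMacCache:
    """MAC address -> (user name, time of the successful Portal login)."""

    def __init__(self, validity=VALIDITY):
        self.validity = validity
        self._entries = {}

    def portal_login(self, mac, user, password, now, credentials):
        """Portal authentication. The RADIUS check against Agile
        Controller-Campus is stood in for by a dictionary lookup."""
        if credentials.get(user) != password:
            return "Pre-authen"   # user stays in the pre-authentication domain
        self._entries[mac.lower()] = (user, now)
        return "Success"

    def mac_auth(self, mac, now):
        """MAC authentication, attempted first on every (re)connect.
        Returns (user, "Success") inside the validity period, otherwise
        (None, "Portal"): no cache entry, or an expired one, which is
        dropped so that the next step is a full Portal login."""
        key = mac.lower()
        entry = self._entries.get(key)
        if entry is None:
            return None, "Portal"
        user, login_time = entry
        if now - login_time > self.validity:
            del self._entries[key]
            return None, "Portal"
        return user, "Success"


def simulate():
    """Timeline for one guest terminal; returns (step, outcome) pairs."""
    credentials = {"guest4": "Guest-pass-1"}      # constructed account data
    cache = PortalMacCache()
    mac = "64b0-a6a3-f913"                         # guest4's MAC on this page
    t0 = datetime(2019, 11, 26, 21, 25, 5)         # guest4's access time on this page
    events = [
        ("first connect", cache.mac_auth(mac, t0)[1]),
        ("wrong password", cache.portal_login(mac, "guest4", "bad", t0, credentials)),
        ("portal login", cache.portal_login(mac, "guest4", "Guest-pass-1", t0, credentials)),
        ("reconnect after 30 min", cache.mac_auth(mac, t0 + timedelta(minutes=30))[1]),
        # Inside the window the MAC address is the only credential checked: a
        # different terminal presenting the same address is admitted as guest4.
        ("cloned MAC after 45 min", cache.mac_auth(mac.upper(), t0 + timedelta(minutes=45))[1]),
        ("reconnect after 61 min", cache.mac_auth(mac, t0 + timedelta(minutes=61))[1]),
    ]
    return events


if __name__ == "__main__":
    for step, outcome in simulate():
        print(f"{step:<26} -> {outcome}")
```

The timeline shows why the validity period is a security parameter and not only a convenience setting: until it expires, any terminal that presents guest4's MAC address is admitted with guest4's authorization, so the period should be kept as short as the guest experience allows.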

Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-59, and click OK. Here, the employee
authorization result is used as an example.

Table 6-59 Authorization results for employees and guests

Name | Authorization Parameter: ACL Number/AAA User Group
Employee authorization result | 3001
Guest authorization result | 3002

Agile Controller-Campus delivers only the ACL number in the RADIUS authorization; the rules themselves are defined locally on the access devices (ACL 3001 on CORE, ACLs 3001 and 3002 on the ACs, see the configuration files), so the same ACL numbers must exist with the intended rules on every device that authenticates users. The display access-user ... detail output in the verification section shows the applied number as Dynamic ACL ID(Effective).

# Configure authorization rules. Choose Policy > Permission Control >


Authentication & Authorization > Authorization Rule, click Add, set parameters
according to Table 6-60, and click OK. Here, the employee authorization rule is
used as an example.

Table 6-60 Authorization rules for employees and guests

Name | Authorization Condition: User Group | Authorization Result
Employee authorization rule | Employee | Employee authorization result
Guest authorization rule | Guest | Guest authorization result

----End

Expected Results
1. Employees and guests can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication.
2. Employees and guests can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
3. After being authenticated, employees and guests can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains.
4. Employees can communicate with each other, but cannot communicate with guests. This follows from the authorization ACLs: ACL 3001 (employees) permits the employee subnets 172.16.30.0/24, 172.16.50.0/24, and 172.16.60.0/24 but not the guest subnet 172.16.40.0/24, ACL 3002 (guests) permits none of the employee subnets, and both ACLs end with an explicit deny ip rule. In addition, user-isolate l2 in traffic profile traff isolates wireless users on the same VAP from each other at Layer 2.

When a guest accesses the network for the first time, the guest associates with the WLAN Guest from a mobile terminal and enters http://192.168.100.10:8080/portal in the address box of a browser for Portal authentication. On the redirection page that is displayed, the guest enters the user name and password and is authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest within 1 hour (the 60-minute validity period set in Step 7), MAC address-prioritized Portal authentication is triggered and the guest is admitted without entering the user name and password again. During that period the terminal MAC address is the only credential checked.
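As an added check that the authorization ACLs really enforce the policy listed above (example code written for this page, not Huawei code), the following script evaluates ACL 3001 (employees) and ACL 3002 (guests), copied from the CORE-AC1 configuration file, against the destinations pinged under Verifying the Deployment plus the guest-side cases implied by expected result 4. Huawei advanced ACLs match on wildcard masks (bit 0 = must match, bit 1 = don't care) and the first matching rule wins; the trailing rule N deny ip in each ACL is what turns them into allow-lists. The helper names and the test matrix are assumptions of the example.

```python
"""Offline evaluation of the authorization ACLs of this example against the
access policy under "Expected Results" (added example, not Huawei code)."""
import ipaddress
import re

# ACL text as listed in the CORE-AC1 configuration file on this page.
ACL_TEXT = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.0 0.0.0.255
 rule 6 permit ip destination 172.16.60.0 0.0.0.255
 rule 7 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.40.0 0.0.0.255
 rule 4 deny ip
"""

ACL_RE = re.compile(r"^\s*acl number (\d+)\s*$")
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


def wildcard_to_network(addr, wildcard):
    """172.16.3.0 + 0.0.0.255 -> 172.16.3.0/24; a wildcard of 0 means host."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    mask = 0xFFFFFFFF ^ wc
    prefix = bin(mask).count("1")
    # Discontiguous wildcards are legal on Huawei but not needed here.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not handled")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, network_or_None), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule_id, action, addr, wildcard = m.groups()
            net = wildcard_to_network(addr, wildcard) if addr else None
            acls[current].append((int(rule_id), action, net))
    return acls


def acl_decision(acls, acl_number, dst_ip):
    """First matching rule wins; a rule without a destination matches all.
    Returning "permit" when nothing matches is an assumption of this example;
    the page's ACLs never get there because each ends with a deny."""
    ip = ipaddress.ip_address(dst_ip)
    for _, action, net in sorted(acls[acl_number], key=lambda r: r[0]):
        if net is None or ip in net:
            return action
    return "permit"


# Constructed test matrix: (ACL applied to the user, destination, expected).
EXPECTED = [
    (3001, "192.168.100.2",   "permit"),  # DNS server, also authentication-free
    (3001, "192.168.100.3",   "permit"),  # service server
    (3001, "172.16.3.1",      "permit"),  # campus egress, post-authentication domain
    (3001, "192.168.100.100", "deny"),    # special server, denied to employees
    (3001, "172.16.30.165",   "permit"),  # wireless employee user2
    (3001, "172.16.40.210",   "deny"),    # guest4: employees cannot reach guests
    (3002, "172.16.3.1",      "permit"),  # guests may reach the egress
    (3002, "172.16.50.110",   "deny"),    # guests cannot reach wired employee PC1
    (3002, "192.168.100.3",   "deny"),    # guests cannot reach the service server
]


def check_policy(text=ACL_TEXT, expected=EXPECTED):
    """Return (acl, destination, expected, actual) for every mismatch."""
    acls = parse_acls(text)
    return [(n, d, want, acl_decision(acls, n, d))
            for n, d, want in expected
            if acl_decision(acls, n, d) != want]


if __name__ == "__main__":
    mismatches = check_policy()
    print("policy matches Expected Results" if not mismatches else mismatches)
```

Editing a rule in ACL_TEXT, for example removing rule 7 deny ip from ACL 3001, makes the check report the destinations that would suddenly become reachable, which is the review a practitioner wants before pushing an ACL change to the authentication devices.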

Verifying the Deployment


1. Verify that employees and guests can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication. The following uses wired access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display access-user command on CORE to view information about online users. The command output shows that user1 is online but in Pre-authen state; that is, authentication has not been performed or has failed. A user in this state holds only the access granted by free-rule-template default_free_rule (the DNS server 192.168.100.2), not an authorization ACL.
[CORE] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address      MAC              Status
------------------------------------------------------------------------------------------------------
114337   user1      172.16.50.110   001b-21c4-820f   Pre-authen
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:


Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.100.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.3.1:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

2. Verify that employees and guests can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs Employee and Guest from wireless terminals, and then run the display access-user command on CORE and CORE-AC1 to check information about online users. The command output shows that user1, user2, and guest4 are all in Success state.
[CORE] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address      MAC              Status
------------------------------------------------------------------------------------------------------
115318   user1      172.16.50.110   001b-21c4-820f   Success
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address      MAC              Status
------------------------------------------------------------------------------------------------------
16401    guest4     172.16.40.210   64b0-a6a3-f913   Success
32788    user2      172.16.30.165   38ca-da5e-441a   Success
------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

# Run the display access-user username user1 detail command on CORE to view detailed authentication and authorization information of user1. Dynamic ACL ID(Effective) : 3001 confirms that the ACL number delivered in the authorization result (Table 6-59) has been applied to the user.
[CORE] display access-user username user1 detail

Basic:
User ID                          : 115318
User name                        : user1
Domain-name                      : huawei.com
User MAC                         : 001b-21c4-820f
User IP address                  : 172.16.50.110
User vpn-instance                : -
User IPv6 address                : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address     : FE80::E9AA:9FE9:95F9:C499
User access Interface            : Eth-Trunk10
User vlan event                  : Success
QinQVlan/UserVlan                : 0/50
User vlan source                 : user request
User access time                 : 2019/11/26 11:08:16
User accounting session ID       : CORE002100000000506e****0304276
User access type                 : 802.1x
Terminal Device Type             : Data Terminal
Dynamic ACL ID(Effective)        : 3001

AAA:
User authentication type         : 802.1x authentication
Current authentication method    : RADIUS
Current authorization method     : -
Current accounting method        : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1

# Run the display access-user username user2 detail and display access-user username guest4 detail commands on CORE-AC1 to view detailed authentication and authorization information of user2 and guest4.
[CORE-AC1] display access-user username user2 detail

Basic:
User ID                          : 32788
User name                        : user2
User MAC                         : 38ca-da5e-441a
User IP address                  : 172.16.30.165
User vpn-instance                : -
User IPv6 address                : -
User access Interface            : Wlan-Dbss17496
User vlan event                  : Success
QinQVlan/UserVlan                : 0/30
User vlan source                 : user request
User access time                 : 2019/11/26 21:22:53
User accounting session ID       : CORE-AC00000000000030f0****0200014
User accounting mult session ID  : AC853DA6A42038CADA5E441A5DDD9****690329A
User access type                 : 802.1x
AP name                          : area_1
Radio ID                         : 0
AP MAC                           : ac85-3d95-d801
SSID                             : Employee
Online time                      : 494(s)
Dynamic ACL ID(Effective)        : 3001
User Group Priority              : 0

AAA:
User authentication type         : 802.1x authentication
Current authentication method    : RADIUS
Current authorization method     : -
Current accounting method        : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user username guest4 detail

Basic:
User ID                          : 16401
User name                        : guest4
User MAC                         : 64b0-a6a3-f913
User IP address                  : 172.16.40.210
User vpn-instance                : -
User IPv6 address                : -
User access Interface            : Wlan-Dbss17497
User vlan event                  : Success
QinQVlan/UserVlan                : 0/40
User vlan source                 : user request
User access time                 : 2019/11/26 21:25:05
User accounting session ID       : CORE-AC000000000000401c****0100011
User accounting mult session ID  : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type                 : WEB
AP name                          : area_1
Radio ID                         : 0
AP MAC                           : ac85-3d95-d801
SSID                             : Guest
Online time                      : 421(s)
Web-server IP address            : 192.168.100.10
Dynamic ACL ID(Effective)        : 3002
User Group Priority              : 0

AAA:
User authentication type         : WEB authentication
Current authentication method    : RADIUS
Current authorization method     : -
Current accounting method        : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1

3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:


Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253

Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>

# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3

Pinging 192.168.100.3 with 32 bytes of data:


Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253

Ping statistics for 192.168.100.3:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:


Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254

Ping statistics for 172.16.3.1:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource denied in the post-authentication domain, for example, the special server with IP address 192.168.100.100. The ping operation fails because ACL 3001 contains no permit rule for this address and ends with rule 7 deny ip.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.100.100:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.165

Pinging 172.16.30.165 with 32 bytes of data:


Reply from 172.16.30.165: bytes=32 time=175ms TTL=62
Reply from 172.16.30.165: bytes=32 time=60ms TTL=62
Reply from 172.16.30.165: bytes=32 time=81ms TTL=62
Reply from 172.16.30.165: bytes=32 time=102ms TTL=62

Ping statistics for 172.16.30.165:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 175ms, Average = 104ms

C:\Users\*******>

# On PC1, ping the IP address of the wireless terminal used by guest4. The ping operation fails because the guest subnet 172.16.40.0/24 is not permitted by ACL 3001.
C:\Users\*******>ping 172.16.40.210

Pinging 172.16.40.210 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.40.210:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15

domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
authentication-profile p1
mode lacp
#
interface Eth-Trunk30
description con to Internet
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
dot1x-access-profile name d1
#
return

● CORE-AC1 configuration file


#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#

interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316

ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● CORE-AC2 configuration file


#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255

#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#

hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● AGG1 configuration file


#
sysname AGG1

#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return

● AGG2 configuration file


#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#


interface XGigabitEthernet1/0/1
eth-trunk 20
#
return

● ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

● ACC2 configuration file


#
sysname ACC2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable

port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

6.10 Standalone AC + NAC Solution: Aggregation Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth. A standalone AC is deployed in
off-path mode. It centrally manages APs on the entire network.
In this example, aggregation switches function as the gateways for wired and
wireless users and also as the authentication points for wired users.
Standalone ACs function as the authentication points for wireless users. Wired
and wireless users can access the network only after being authenticated. The
specific requirements are as follows:
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Agile Controller-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access switches to control Layer 2
traffic of users.


Figure 6-56 Aggregation switches and standalone ACs functioning as the
authentication points for wired and wireless users respectively

[Figure: network topology. Server zone (authentication server, DNS server,
service server, special server) behind the core layer CSS (CORE, uplink
Eth-Trunk 30 on XGE1/1/0/5 and XGE2/1/0/5). CORE connects to AGG1 over
Eth-Trunk 10 and to AGG2 over Eth-Trunk 20. ACs AGG-AC1/AGG-AC2 and
AGG-AC3/AGG-AC4 are attached at the aggregation layer as HSB pairs. AGG1
connects to ACC1 over Eth-Trunk 30 (GE0/0/3, GE1/0/3) and AGG2 to ACC2 over
Eth-Trunk 40 (GE0/0/3, GE1/0/3); ACC1 and ACC2 use GE0/0/1 and GE0/0/2 for
the uplink trunk. PC1 and AP1 hang off ACC1 (GE0/0/3, GE0/0/4); PC2 and AP2
hang off ACC2 (GE0/0/3, GE0/0/4). Legend: aggregation switches and ACs are
marked as authentication points, access switches as access points.]

Device Requirements and Versions

Location               Device Requirement                  Device Used in This Example   Version Used in This Example
Authentication server  Agile Controller-Campus running     Agile Controller-Campus       V100R003C60SPC206
                       V100R001, V100R002, or V100R003
Core layer             -                                   S12700E                       V200R019C10
Aggregation layer      -                                   S5731-H                       V200R019C10
Access layer           -                                   S5735-L                       V200R019C10
AC                     -                                   AC6605                        V200R019C10
AP                     -                                   AP6050DN                      V200R019C00


Deployment Roadmap

Step                                       Deployment Roadmap
Enable campus network connectivity.        1. For details, see 3.10 Standalone AC Solution: Aggregation Switches
                                              Function as Gateways for Wired and Wireless Users.
Configure aggregation switches and ACs.    2. Configure AAA, including configuring a RADIUS server template, AAA
                                              schemes, and authentication domains, as well as configuring parameters
                                              for interconnection between switches and the RADIUS server.
                                           3. Configure resources accessible to users before they are authenticated
                                              (referred to as authentication-free resources), and network access
                                              rights to be granted to successfully authenticated employees and guests.
                                           4. Configure 802.1X authentication for employees.
                                           5. Configure MAC address-prioritized Portal authentication for guests
                                              only on ACs.
Configure access switches.                 6. Configure Layer 2 transparent transmission for 802.1X authentication
                                              packets.
Configure Agile Controller-Campus.         7. Add devices that need to communicate with Agile Controller-Campus, and
                                              configure RADIUS and Portal authentication parameters.
                                           8. Add user groups and user accounts.
                                           9. Enable MAC address-prioritized Portal authentication.
                                           10. Configure network access rights for successfully authenticated
                                              employees and guests.

Data Plan

Table 6-61 Service data plan for core switches

Item                                               VLAN ID     Network Segment
Network segment for connecting to the Internet     -           172.16.3.0/24
Network segment for communication with AGG1        VLAN 70     172.16.70.0/24
Network segment for communication with AGG2        VLAN 80     172.16.80.0/24
Network segment for communication with servers     VLAN 1000   192.168.100.0/24

Table 6-62 Service data plan for aggregation switches

Device   Item                                          VLAN ID               Network Segment
AGG1     Management VLAN for APs                       VLAN 20               192.168.20.0/24
         Service VLANs for wireless users              VLAN 30 (employee)    172.16.30.0/24
                                                       VLAN 31 (guest)       172.16.31.0/24
         Service VLAN for wired users                  VLAN 50               172.16.50.0/24
         Network segment for communication with CORE   VLAN 70               172.16.70.0/24
AGG2     Management VLAN for APs                       VLAN 21               192.168.21.0/24
         Service VLANs for wireless users              VLAN 40 (employee)    172.16.40.0/24
                                                       VLAN 41 (guest)       172.16.41.0/24
         Service VLAN for wired users                  VLAN 60               172.16.60.0/24
         Network segment for communication with CORE   VLAN 80               172.16.80.0/24

Table 6-63 Wireless service data plan for ACs

Item                            Employee                                     Guest
Traffic profile                 traff: the user isolation mode is Layer 2 isolation and Layer 3 communication
Security profiles               sec1: WPA2-802.1X authentication with AES    sec2: open system authentication
                                (security wpa2 dot1x aes)                    (default security policy)
SSID profiles                   ssid1                                        ssid2
AP groups                       ap-group1, ap-group2
Regulatory domain profile       domain1
Service data forwarding mode    Tunnel forwarding
VAP profiles                    vap1                                         vap2

Table 6-64 Authentication service data plan for aggregation switches and ACs

Item                              Data
AAA schemes                       ● auth: authentication scheme for RADIUS authentication
                                  ● acco: accounting scheme for RADIUS accounting
RADIUS server                     ● RADIUS server template name: tem_rad
                                  ● IP addresses of the authentication, accounting, and authorization
                                    servers: 192.168.100.10
                                  ● Port number of the authentication server: 1812
                                  ● Port number of the accounting server: 1813
                                  ● Authentication and accounting keys: Admin@123
                                  ● Authorization key: Admin@123
                                  ● Accounting interval: 15 minutes
Portal server                     ● Portal server template name: tem_portal
                                  ● IP address of the Portal server: 192.168.100.10
                                  ● Port number: 50200
                                  ● Shared key of the Portal server: Admin@123
                                  ● Portal server detection: enabled
802.1X access profile             ● Name: d1
                                  ● Authentication mode: EAP
Portal access profile             Name: web1
MAC access profile                Name: mac1
Authentication-free resources     DNS server: 192.168.100.2
Network access rights for         ● Employees: Internet, DNS server, service server, and network segments
successfully authenticated          of employees
users                             ● Guests: Internet, DNS server, and network segments of guests
                                  The IP addresses of the service server, special server, and campus
                                  egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1,
                                  respectively.

Table 6-65 Service data plan for Agile Controller-Campus

Item                              Data
User accounts                     ● Employees: user1/Huawei@123, user2/Huawei@456
(user name/password)              ● Guest: guest4/Guest@123
Device IP addresses               ● AGG1: 172.16.70.2
                                  ● AGG2: 172.16.80.2
                                  ● AGG-AC1: 192.168.20.1 (IP address of the backup AC: 192.168.20.2)
                                  ● AGG-AC3: 192.168.21.1 (IP address of the backup AC: 192.168.21.2)
RADIUS authentication             ● Device series: Huawei S series switches
parameters                        ● Authentication and accounting keys: Admin@123
                                  ● Authorization key: Admin@123
                                  ● Real-time accounting interval: 15 minutes
Portal authentication             ● Portal key: Admin@123
parameters                        ● IP address list of access terminals (AGG-AC1): 172.16.30.0/24,
                                    172.16.31.0/24
                                  ● IP address list of access terminals (AGG-AC3): 172.16.40.0/24,
                                    172.16.41.0/24

Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions may
occur. If a VLAN is configured as both the management VLAN and service VLAN,
and the interface connecting a switch to an AP has the management VLAN ID as
the PVID, downstream packets in the service VLAN are terminated when going out
from the switch. In this case, services are interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Service packets and management packets can be transmitted properly only if
the network between APs and the upper-layer network is added to the service
VLAN and the network between ACs and APs is added to the management
VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.10 Standalone AC
Solution: Aggregation Switches Function as Gateways for Wired and Wireless
Users.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255

[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

Step 2 Configure the authentication service on aggregation switches. The following uses
AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between AGG1 and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.


[AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme,


set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes


and RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit

2. Configure authentication-free resources and network access rights for


successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the
DNS server and packets from the AP management VLAN to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20
[AGG1-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to


allow them to access the Internet, DNS server, and service server and to
communicate with each other.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit

3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] free-rule-template default_free_rule
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[AGG1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink


interfaces.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication-profile p1
[AGG1-Eth-Trunk30] quit

Step 3 Configure the authentication service on ACs. The following uses AGG-AC1 as an
example. The configurations of other ACs are similar to that of AGG-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG-AC1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.


[AGG-AC1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme,


set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[AGG-AC1] aaa
[AGG-AC1-aaa] authentication-scheme auth
[AGG-AC1-aaa-authen-auth] authentication-mode radius
[AGG-AC1-aaa-authen-auth] quit
[AGG-AC1-aaa] accounting-scheme acco
[AGG-AC1-aaa-accounting-acco] accounting-mode radius
[AGG-AC1-aaa-accounting-acco] accounting realtime 15
[AGG-AC1-aaa-accounting-acco] quit

2. Configure authentication-free resources and network access rights for


successfully authenticated users.
# Configure authentication-free resources to allow packets destined for the
DNS server to pass through.
[AGG-AC1] free-rule-template name default_free_rule
[AGG-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG-AC1-free-rule-default_free_rule] quit


# Configure network access rights for successfully authenticated employees to


allow them to access the Internet, DNS server, and service server and to
communicate with each other.

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit

# Configure network access rights for successfully authenticated guests to


allow them to access the Internet and DNS server and to communicate with
each other.
[AGG-AC1] acl 3002
[AGG-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 5 deny ip destination any
[AGG-AC1-acl-adv-3002] quit
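The two post-authentication ACLs above (3001 on AGG1 and AGG-AC1 for employees, 3002 on AGG-AC1 for guests) are the whole of the role separation in this example, and the note before them warns that the copy delivered to an AP silently drops all traffic if it does not permit the wireless user segments. The following Python script is an added example, not part of the Huawei document: it re-parses the rule lines exactly as typed, evaluates them the way the switch does (rule-number order, first match wins, wildcard mask with 0 bits meaning "must match"), and checks each role against the segments in the data plan. Function names and the probe addresses are the example's own; the rule text is copied from this page.

```python
"""Offline check of the post-authentication ACLs in this example.

Added example (not part of the Huawei document): it re-parses the ACL 3001
(employee) and ACL 3002 (guest) rule lines exactly as typed on AGG1 / AGG-AC1
and evaluates them in rule-number order with the first matching rule winning.
The 'destination A.B.C.D W.X.Y.Z' clause carries a wildcard mask (0 bit = must
match, 1 bit = don't care), the inverse of a subnet mask.  Only contiguous
wildcards are handled, which is all this example uses.
"""
import ipaddress
import re

# Rule text copied from the example configuration (prompts stripped).
ACL_3001_EMPLOYEE = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 192.168.100.3 0.0.0.0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip destination any
"""

ACL_3002_GUEST = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip destination any
"""

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+ip\s+destination\s+(\S+)(?:\s+(\S+))?\s*(?://.*)?$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' into a network; wildcard 0.0.0.0 means one host."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # don't-care bits must form a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(text: str):
    """Return [(rule_no, action, network)] in configured order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        num, action, dst, wildcard = m.groups()
        if dst == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = wildcard_to_network(dst, wildcard or "0.0.0.0")
        rules.append((int(num), action, net))
    return rules


def evaluate(rules, dst_ip: str):
    """First-match evaluation; returns (action, rule_no) or ('no-match', None)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for num, action, net in rules:
        if ip in net:
            return action, num
    return "no-match", None


def segment_verdict(rules, segment: str) -> str:
    """Verdict for a whole destination segment, decided by the first rule that
    touches it.  Confirms the AP-delivered ACL covers the wireless user segments."""
    seg = ipaddress.ip_network(segment)
    for _num, action, net in rules:
        if net.overlaps(seg):
            if action == "permit" and seg.subnet_of(net):
                return "permit"
            return "deny-or-partial"
    return "no-match"


def ends_with_explicit_deny(rules) -> bool:
    """The example relies on a trailing 'deny ip destination any'; check it."""
    _num, action, net = rules[-1]
    return action == "deny" and net.prefixlen == 0


EMPLOYEE = parse_acl(ACL_3001_EMPLOYEE)
GUEST = parse_acl(ACL_3002_GUEST)

if __name__ == "__main__":
    # Probe addresses are constructed from the data plan on this page.
    for ip in ["172.16.3.1", "192.168.100.2", "192.168.100.3",
               "192.168.100.100", "172.16.50.216", "172.16.31.20"]:
        print(f"{ip:16} employee={evaluate(EMPLOYEE, ip)}  guest={evaluate(GUEST, ip)}")
    for name, rules, segs in [("employee", EMPLOYEE, ["172.16.30.0/24", "172.16.40.0/24"]),
                              ("guest", GUEST, ["172.16.31.0/24", "172.16.41.0/24"])]:
        print(name, {s: segment_verdict(rules, s) for s in segs},
              "explicit deny-any:", ends_with_explicit_deny(rules))
```

Running it shows the intended split: employees reach the service server and all four employee segments but not the guest segments or the special server; guests reach only the Internet, the DNS server and the two guest segments. `segment_verdict` is the check to run before pushing a modified ACL to the ACs, since a guest rule set that omits 172.16.31.0/24 or 172.16.41.0/24 would be accepted by the CLI and still blackhole every guest at the AP.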

3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[AGG-AC1] dot1x-access-profile name d1
[AGG-AC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[AGG-AC1] authentication-profile name p1
[AGG-AC1-authen-profile-p1] dot1x-access-profile d1
[AGG-AC1-authen-profile-p1] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p1] authentication-scheme auth
[AGG-AC1-authen-profile-p1] accounting-scheme acco
[AGG-AC1-authen-profile-p1] radius-server tem_rad
[AGG-AC1-authen-profile-p1] quit

# Configure a security policy for wireless access of employees.


[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees.
[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] quit

4. Configure MAC address-prioritized Portal authentication for guests.


# Configure a Portal server template. Configure parameters for


interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.
[AGG-AC1] web-auth-server tem_portal
[AGG-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG-AC1-web-auth-server-tem_portal] port 50200
[AGG-AC1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable Portal server detection so that the Portal server status is tracked in real time and a server failure is logged. The value of interval must be greater than or equal to 15 seconds; the recommended value is 100. With action log alone the AC only records the state change; an escape action must be configured in addition if users are to keep network access while the Portal server is faulty.
[AGG-AC1-web-auth-server-tem_portal] quit
# Configure a Portal access profile.
[AGG-AC1] portal-access-profile name web1
[AGG-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG-AC1-portal-acces-profile-web1] quit
# Configure a MAC access profile.
[AGG-AC1] mac-access-profile name mac1
[AGG-AC1-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.
[AGG-AC1] authentication-profile name p2
[AGG-AC1-authen-profile-p2] portal-access-profile web1
[AGG-AC1-authen-profile-p2] mac-access-profile mac1
[AGG-AC1-authen-profile-p2] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p2] authentication-scheme auth
[AGG-AC1-authen-profile-p2] accounting-scheme acco
[AGG-AC1-authen-profile-p2] radius-server tem_rad
[AGG-AC1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap2] quit
[AGG-AC1-wlan-view] quit

Step 4 Configure Layer 2 transparent transmission for 802.1X authentication packets on


the access switch. The following uses ACC1 as an example. The configuration of
ACC2 is similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication
packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
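Step 4 works because EAPOL frames are sent to the PAE group address 01-80-c2-00-00-03, which an 802.1D/802.1Q bridge does not forward: without tunnelling, ACC1 would consume the supplicant's frames and AGG1, the authentication point, would never see them. The following Python model is an added example, not Huawei code or the switch's implementation. It builds an EAPOL-Start frame, applies the destination-MAC rewrite to the group MAC 0100-0000-0002 that the access port performs on ingress, and restores the original address at the far end, so the path PC1 -> ACC1 -> AGG1 can be traced byte for byte. The hop names, the exact rewrite point and the supplicant MAC (taken from the display access-user output later on this page) are assumptions of the model.

```python
"""Model of Layer 2 protocol tunnelling for 802.1X (EAPOL) frames.

Added example, not Huawei code.  EAPOL frames are addressed to the PAE group
MAC 01-80-c2-00-00-03, inside the 01-80-c2-00-00-00..0f range that a bridge
must not forward.  With l2protocol-tunnel the access switch rewrites that
destination to the configured group MAC (0100-0000-0002 on this page) on the
ingress port so the frame is forwarded like ordinary multicast; the far end of
the tunnel restores the original address.  Hop names and the rewrite point are
assumptions of this model.
"""
import struct

PROTOCOL_MAC = bytes.fromhex("0180c2000003")   # protocol-mac on the page
GROUP_MAC = bytes.fromhex("010000000002")      # group-mac on the page
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_START, EAPOL_LOGOFF = 1, 2


def mac_str(b: bytes) -> str:
    """Render a MAC in the xxxx-xxxx-xxxx form Huawei CLIs use."""
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying an EAPOL header (version, type, body length)."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body))
    return PROTOCOL_MAC + src_mac + header + body


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype, frame[14:]


def is_reserved_bridge_address(dst: bytes) -> bool:
    """01-80-c2-00-00-00 .. 01-80-c2-00-00-0f are never forwarded by a bridge."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F


def tunnel_ingress(frame: bytes) -> bytes:
    """Access-port side: swap protocol-mac for group-mac on EAPOL only."""
    dst, _src, ethertype, _body = parse_frame(frame)
    if ethertype == ETHERTYPE_EAPOL and dst == PROTOCOL_MAC:
        return GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame: bytes) -> bytes:
    """Authentication-point side: restore the protocol MAC on EAPOL only."""
    dst, _src, ethertype, _body = parse_frame(frame)
    if ethertype == ETHERTYPE_EAPOL and dst == GROUP_MAC:
        return PROTOCOL_MAC + frame[6:]
    return frame


def trace_path(frame: bytes):
    """Destination MAC at each hop PC1 -> ACC1 -> AGG1, with a forwardable /
    restored flag per hop (hop names are assumed from the figure)."""
    at_acc1 = tunnel_ingress(frame)
    at_agg1 = tunnel_egress(at_acc1)
    return [
        ("PC1 sends", mac_str(frame[:6]), not is_reserved_bridge_address(frame[:6])),
        ("ACC1 forwards", mac_str(at_acc1[:6]), not is_reserved_bridge_address(at_acc1[:6])),
        ("AGG1 receives", mac_str(at_agg1[:6]), at_agg1 == frame),
    ]


if __name__ == "__main__":
    # Constructed sample: EAPOL-Start from the supplicant MAC shown in the
    # display access-user output later on this page.
    start = build_eapol(bytes.fromhex("001b21c4820f"), EAPOL_START)
    for hop, dst, ok in trace_path(start):
        print(f"{hop:14} dst={dst}  forwardable/restored={ok}")
```

The model makes the two failure modes of Step 4 visible: if the rewrite is missing on any port the frame keeps its reserved destination and is dropped at that hop, and if the group MAC differs between ACC1 and AGG1 the egress side never restores the PAE address and the authenticator ignores the frame. The same protocol-mac / group-mac pair therefore has to appear on every switch in the path, which is why the page configures it on ACC1, ACC2, AGG1 and AGG2 alike.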

Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-64, and click OK.


Table 6-66 Parameter settings for adding aggregation switches and ACs on Agile
Controller-Campus

Parameter on Agile Controller-Campus      Setting for Aggregation Switches   Setting for ACs
Names and IP addresses                    ● AGG1: 172.16.70.2                ● AGG-AC1: 192.168.20.1 (IP address of
                                          ● AGG2: 172.16.80.2                  the backup AC: 192.168.20.2)
                                                                             ● AGG-AC3: 192.168.21.1 (IP address of
                                                                               the backup AC: 192.168.21.2)
Enable RADIUS (mandatory for 802.1X,      Selected                           Selected
Portal, and MAC address authentication,
Free Mobility, and Service Chain)
Device series                             Huawei S Series                    Huawei S Series
Authentication/Accounting key             Admin@123                          Admin@123
Authorization key                         Admin@123                          Admin@123
Real-time accounting interval (minute)    15                                 15
Enable Portal (mandatory for Portal       -                                  Selected
authentication)
Portal protocol type                      -                                  HUAWEI portal protocol
Portal key                                -                                  Admin@123
Access terminal IPv4 list                 -                                  ● AGG-AC1: 172.16.30.0/24;172.16.31.0/24
                                                                             ● AGG-AC3: 172.16.40.0/24;172.16.41.0/24
Enable heartbeat between access device    -                                  Selected
and Portal server
Portal server IP address list             -                                  192.168.100.10

Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.


# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.

Step 7 Enable MAC address-prioritized Portal authentication.


# Choose System > Terminal Configuration > Global Parameters > Access
Management. On the Configure MAC Address-Prioritized Portal
Authentication tab page, enable MAC address-prioritized Portal authentication,
set Validity period of MAC address (min) to 60, and click OK.


Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-67, and click OK. Here, the employee
authorization result is used as an example.


Table 6-67 Authorization results for employees and guests

Name                            Authorization Parameter: ACL Number/AAA User Group
Employee authorization result   3001
Guest authorization result      3002

# Configure authorization rules. Choose Policy > Permission Control >


Authentication & Authorization > Authorization Rule, click Add, set parameters
according to Table 6-68, and click OK. Here, the employee authorization rule is
used as an example.


Table 6-68 Authorization rules for employees and guests

Name                          Authorization Condition: User Group   Authorization Result
Employee authorization rule   Employee                              Employee authorization result
Guest authorization rule      Guest                                 Guest authorization result

----End

Expected Results
1. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.


2. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
3. Employees can communicate with each other, but cannot communicate with
the guest.

When a guest connects to the WLAN Guest from a mobile terminal for the first time
and enters http://192.168.100.10:8080/portal in the address box of a browser, the
Portal authentication page is displayed. After the guest enters the user name and
password, the guest is authenticated. If the guest disconnects from the WLAN and
reconnects to the WLAN Guest within 1 hour (the 60-minute validity period set in
Step 7), MAC address-prioritized Portal authentication is triggered and the guest is
admitted without entering the user name and password again. During that period
the terminal is identified only by its MAC address, so the validity period also bounds
how long a reconnecting device is trusted on the strength of its MAC address alone;
keep it short on guest networks.

Verifying the Deployment


1. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password on the wired PC1 (user1, 802.1X),
and on wireless terminals connected to the WLANs Employee (user2) and Guest
(guest4). Then run the display access-user command on AGG1 and AGG-AC1 to
check information about online users. The command output shows that user1,
user2, and guest4 are all in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC             Status
------------------------------------------------------------------------------------------------------
32792    user1      172.16.50.216    001b-21c4-820f  Success
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1

[AGG-AC1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC             Status
------------------------------------------------------------------------------------------------------
16434    user2      172.16.30.97     38ca-da5e-441a  Success
32809    guest4     172.16.31.165    64b0-a6a3-f913  Success
------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

# Run the display access-user username user1 detail command on AGG1 to
view detailed authentication and authorization information of user1.


[AGG1] display access-user username user1 detail

Basic:
User ID : 32792
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.216
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/12/30 10:01:33
User accounting session ID : AGG00018000000050ef****0200018
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1

# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on AGG-AC1 to view detailed
authentication and authorization information of user2 and guest4.
[AGG-AC1] display access-user username user2 detail

Basic:
User ID : 16434
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.97
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17498
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/12/30 10:02:55
User accounting session ID : AC2000000000000308d****0100032
User accounting mult session ID : AC853DA6A42038CADA5E441A5E09C****B2526E4
User access type : 802.1x
AP name : area_1
Radio ID : 1
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 115(s)
Dynamic ACL ID(Effective) : 3001
User Group Priority : 0

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
[AGG-AC1] display access-user username guest4 detail

Basic:
User ID : 32809
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/12/30 09:52:57
User accounting session ID : AC200000000000031dd****0200029
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 764(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
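The detail output is where the authorization actually shows up: the access type (802.1x or WEB), the user VLAN and, above all, the Dynamic ACL ID(Effective) field, which must be 3001 for an employee session and 3002 for a guest session. The following script is an added example and not part of the Huawei document; it parses the text of display access-user username X detail and compares every session against the authorization expected for its SSID, so a guest that was handed the employee ACL, or a session with no ACL in effect at all, is reported rather than overlooked. The sample records are constructed from the user2 and guest4 outputs above (with values the PDF wrapped written on one line); the expected-values table assumes the VLAN numbering of AGG1 and AGG-AC1 shown on this page.

```python
import re
from typing import Dict, List

# Expected authorization per SSID, taken from Tables 6-67/6-68 and the
# AGG-AC1 configuration: Employee is 802.1X on VLAN 30 with ACL 3001,
# Guest is Portal (WEB) on VLAN 31 with ACL 3002. A wired session has no
# SSID field; on AGG1 it is an 802.1X employee in VLAN 50 with ACL 3001.
EXPECTED = {
    "Employee": {"access": "802.1x", "acl": "3001", "vlan": "30"},
    "Guest":    {"access": "WEB",    "acl": "3002", "vlan": "31"},
    None:       {"access": "802.1x", "acl": "3001", "vlan": "50"},
}

# Constructed samples: the 'Basic' part of the user2 and guest4 detail output.
SAMPLE_USER2 = """\
Basic:
User ID : 16434
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.97
User vpn-instance : -
User access Interface : Wlan-Dbss17498
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2019/12/30 10:02:55
User access type : 802.1x
AP name : area_1
SSID : Employee
Dynamic ACL ID(Effective) : 3001
"""
SAMPLE_GUEST4 = """\
Basic:
User ID : 32809
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.165
User access Interface : Wlan-Dbss17497
QinQVlan/UserVlan : 0/31
User access type : WEB
SSID : Guest
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
"""
# Constructed negative case: a guest session that received the employee ACL.
SAMPLE_BAD = SAMPLE_GUEST4.replace("3002", "3001")

# 'Field name : value'; the key stops at the first colon, so values such as
# '2019/12/30 10:02:55' or an IPv6 address keep their own colons.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

def parse_detail(text: str) -> Dict[str, str]:
    """One 'display access-user username X detail' block -> {field: value}.
    Section labels such as 'Basic:' carry no value and are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m["val"].strip():
            fields[m["key"].strip()] = m["val"].strip()
    return fields

def audit(fields: Dict[str, str]) -> List[str]:
    """Return one finding per mismatch between the live session and EXPECTED."""
    name = fields.get("User name", "?")
    ssid = fields.get("SSID")                 # absent for wired sessions
    policy = EXPECTED.get(ssid)
    if policy is None:
        return [f"{name}: unknown SSID {ssid!r}"]
    findings: List[str] = []
    access = fields.get("User access type")
    if access != policy["access"]:
        findings.append(f"{name}: access type {access!r}, expected "
                        f"{policy['access']!r} on SSID {ssid}")
    acl = fields.get("Dynamic ACL ID(Effective)")
    if acl is None:
        findings.append(f"{name}: no dynamic ACL in effect "
                        "(authorization result not applied)")
    elif acl != policy["acl"]:
        findings.append(f"{name}: ACL {acl} in effect, expected {policy['acl']}")
    vlan = fields.get("QinQVlan/UserVlan", "/").split("/")[-1]
    if vlan != policy["vlan"]:
        findings.append(f"{name}: user VLAN {vlan}, expected {policy['vlan']}")
    return findings

def audit_all(*outputs: str) -> List[str]:
    """Audit several detail outputs (one per user) and collect all findings."""
    return [f for text in outputs for f in audit(parse_detail(text))]

if __name__ == "__main__":
    report = audit_all(SAMPLE_USER2, SAMPLE_GUEST4, SAMPLE_BAD)
    for line in report or ["all sessions match the authorization policy"]:
        print(line)
```

Run it against the output of each AGG switch and AC after a change to the authorization results or rules on the controller; a session whose ACL does not match its SSID means the RADIUS authorization attribute was not delivered or was mapped to the wrong result.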

2. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252

Ping statistics for 192.168.100.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>

# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3

Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252

Ping statistics for 192.168.100.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 172.16.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource denied in the post-authentication domain, for
example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

3. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.97

Pinging 172.16.30.97 with 32 bytes of data:
Reply from 172.16.30.97: bytes=32 time=131ms TTL=62
Reply from 172.16.30.97: bytes=32 time=39ms TTL=62
Reply from 172.16.30.97: bytes=32 time=169ms TTL=62
Reply from 172.16.30.97: bytes=32 time=93ms TTL=62

Ping statistics for 172.16.30.97:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 169ms, Average = 108ms

C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.31.165

Pinging 172.16.31.165 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.31.165:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
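Every result in steps 2 and 3 follows from the two authorization ACLs in the configuration files below. ACL 3001 (employees) permits the egress subnet 172.16.3.0/24, the DNS server 192.168.100.2, the service server 192.168.100.3 and the employee subnets 172.16.30.0/24, 172.16.40.0/24, 172.16.50.0/24 and 172.16.60.0/24, then denies everything else, so 192.168.100.100 and the guest subnet 172.16.31.0/24 are unreachable. ACL 3002 (guests) permits only the egress subnet, the DNS server and the guest subnets 172.16.31.0/24 and 172.16.41.0/24, so the service server and the employee subnets are denied in the other direction as well. The following script is an added example and not part of the Huawei document: it parses the rule syntax used in those ACLs and evaluates the destinations pinged from PC1 against each ACL. Rules are evaluated in ascending rule number; in the wildcard mask a 1 bit means "do not care" and a bare 0 is the shorthand for an exact host match. When no rule matches, the evaluator reports "unmatched" instead of assuming a device default; both ACLs on this page end with an explicit deny ip, so that case cannot arise for them.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# ACL 3001 (employees) and ACL 3002 (guests) exactly as configured on the
# AGG switches and ACs in this example.
ACL_3001 = """\
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
"""
ACL_3002 = """\
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
"""

# Destinations pinged from PC1 in verification steps 2 and 3.
DESTINATIONS = ["192.168.100.2", "192.168.100.3", "172.16.3.1",
                "192.168.100.100", "172.16.30.97", "172.16.31.165"]

RULE_RE = re.compile(
    r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+destination\s+(?P<addr>\S+)\s+(?P<wc>\S+))?$")

# (rule number, action, destination as int or None, wildcard as int or None)
Rule = Tuple[int, str, Optional[int], Optional[int]]

def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [destination ADDR WILDCARD]' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        if m["addr"] is None:            # bare 'permit ip' / 'deny ip' matches all
            rules.append((int(m["num"]), m["action"], None, None))
            continue
        # A single '0' is the shorthand for wildcard 0.0.0.0 (exact host match).
        wc = 0 if m["wc"] == "0" else int(ipaddress.IPv4Address(m["wc"]))
        rules.append((int(m["num"]), m["action"],
                      int(ipaddress.IPv4Address(m["addr"])), wc))
    return sorted(rules)                 # evaluated in ascending rule number

def evaluate(rules: List[Rule], dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation of one destination address.
    A wildcard bit of 1 means 'do not care'; a 0 bit must match exactly."""
    d = int(ipaddress.IPv4Address(dst))
    for num, action, net, wc in rules:
        if net is None:
            return action, num
        care = ~wc & 0xFFFFFFFF
        if d & care == net & care:
            return action, num
    return "unmatched", None             # no rule hit; not assumed permit or deny

def reachable(acl_text: str, destinations: List[str]) -> Dict[str, str]:
    """Verdict per destination for one ACL."""
    rules = parse_acl(acl_text)
    return {dst: evaluate(rules, dst)[0] for dst in destinations}

if __name__ == "__main__":
    for name, acl in (("employee ACL 3001", ACL_3001), ("guest ACL 3002", ACL_3002)):
        print(name)
        for dst, verdict in reachable(acl, DESTINATIONS).items():
            print(f"  {dst:<16} {verdict}")
```

Note that the ping to 192.168.100.2 would succeed even before authentication because free-rule 1 exempts the DNS server; after authentication it is rule 2 of the ACL that permits it. The script can also be pointed at a proposed ACL change to confirm, before it is pushed to the controller, that no employee rule accidentally opens a guest subnet.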

Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
dot1x-access-profile name d1
#
return

# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 21
#
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 2
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
dot1x-access-profile name d1
#
return

# AGG-AC1 configuration file
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.31.2 172.16.31.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
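Before trusting an authorization design like the AGG-AC1 file above, a reviewer checks a handful of things that are easy to lose in a hand-edited configuration: each authorization ACL ends in an explicit deny ip (both ACLs above do), the Portal redirect URL uses HTTPS (the url above is plain http://, which a lint should flag for review), every VAP service VLAN has DHCP snooping enabled, and every VAP keeps the ip source check, arp anti-attack check and dhcp-strict address learning that tie a client's IP address to its DHCP lease. The following lint is an added example, not part of the Huawei document. It works on a flattened, indentation-free configuration such as the ones printed in this section by recognising the keyword lines that open a block; the sample configuration is a constructed excerpt of AGG-AC1, and BROKEN_CONFIG is a constructed counter-example.

```python
import re
from typing import List, Tuple

# Keyword lines that open a block in a flattened Huawei configuration. A block
# ends at the next header or at a '#' separator line. 'web-auth-server NAME'
# is anchored so that 'web-auth-server NAME direct' inside a portal-access-
# profile stays in that profile's body.
HEADERS = (
    r"acl number \d+$", r"vlan \d+$", r"web-auth-server \S+$",
    r"vap-profile name \S+$", r"portal-access-profile name \S+$",
    r"(?:ssid|security|traffic|regulatory-domain)-profile name \S+$",
    r"ap-group name \S+$", r"ap-id \d+ ", r"radio \d+$", r"interface \S+$",
    r"wlan$", r"aaa$", r"return$",
)
BLOCK_START = re.compile("^(?:" + "|".join(HEADERS) + ")")

# Per-VAP settings that bind a wireless client's IP to its DHCP lease.
REQUIRED_IN_VAP = (
    "ip source check user-bind enable",        # drop IP packets not matching a binding
    "arp anti-attack check user-bind enable",  # drop ARP not matching a binding
    "learn-client-address dhcp-strict",        # bindings learned from DHCP only
)

SAMPLE_CONFIG = """\
#
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 5 deny ip
#
web-auth-server tem_portal
server-ip 192.168.100.10
url http://192.168.100.10:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 31
dhcp snooping enable
#
wlan
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
#
"""
BROKEN_CONFIG = """\
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
#
wlan
vap-profile name vap2
service-vlan vlan-id 31
ip source check user-bind enable
#
"""

def split_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group configuration lines into (header, body lines) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or BLOCK_START.match(line):
            if header is not None:
                blocks.append((header, body))
            header, body = (None if line == "#" else line), []
        elif header is not None:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks

def lint(config: str) -> List[str]:
    """Return one finding per check that fails; an empty list means clean."""
    blocks = split_blocks(config)
    snooped = {h.split()[1] for h, b in blocks
               if h.startswith("vlan ") and "dhcp snooping enable" in b}
    findings: List[str] = []
    for header, body in blocks:
        if header.startswith("acl number"):
            rules = [ln for ln in body if ln.startswith("rule ")]
            if not rules or not rules[-1].endswith(" deny ip"):
                findings.append(f"{header}: last rule is not an explicit 'deny ip'")
        elif header.startswith("web-auth-server"):
            for ln in body:
                if ln.startswith("url ") and not ln.split(None, 1)[1].startswith("https://"):
                    findings.append(f"{header}: redirect {ln} is not https")
        elif header.startswith("vap-profile name"):
            vlan = next((ln.split()[-1] for ln in body
                         if ln.startswith("service-vlan vlan-id ")), None)
            if vlan and vlan not in snooped:
                findings.append(f"{header}: service VLAN {vlan} has no 'dhcp snooping enable'")
            findings += [f"{header}: missing '{r}'" for r in REQUIRED_IN_VAP if r not in body]
    return findings

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint(cfg) or "clean")
```

Run the same function over the full text of each AGG and AC configuration; the one finding on the sample is the http:// Portal URL, which is worth reviewing because the guest's user name and password are entered on that page.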

# AGG-AC2 configuration file
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.31.1
dhcp server excluded-ip-address 172.16.31.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.2 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG-AC3 configuration file
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.41.2 172.16.41.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif201
ip address 172.16.201.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2

provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG-AC4 configuration file


#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal

server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif21
ip address 192.168.21.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.21.1
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.41.1
dhcp server excluded-ip-address 172.16.41.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif201
ip address 172.16.201.2 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0

#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# ACC1 configuration file


#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#

interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

# ACC2 configuration file


#
sysname ACC2
#
vlan batch 21 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

7 Security Deployment

7.1 Key Points of Security Deployment


7.2 Campus Internal Network Security
7.3 Campus Egress Security

7.1 Key Points of Security Deployment


Campus network security includes campus internal network security and campus
egress security. Campus internal network security covers login security (for
example, preventing unauthorized users from logging in to devices), data security
(data not being intercepted or tampered with during forwarding), and other
aspects. For campus egress security, professional security devices (such as
firewalls) are deployed at the campus egress to implement network border
protection and effectively prevent security threats from external networks.

● Campus internal network security
  – Device login security
    It is recommended that a user name and password be required for local
    device login through the console port, and that a secure SSH-based protocol
    (for example, STelnet) be used for remote device login.
  – Security at different network layers
    As the border of the campus network, access devices need to prevent
    unauthorized users and terminals from accessing the network and control
    Layer 2 traffic forwarding. Core devices are located at the key position of
    the network, so their security is critical. When a core device is configured
    as a centralized authentication point, its CPU performance must be sufficient
    to process protocol packets when a large number of users access the network.
    When a core device is configured as a gateway, ARP security must be
    considered.
  – Wireless service security
    Rogue devices and attacking users can be detected and contained to ensure
    the border security of wireless networks. In addition, the validity and
    security of user access need to be authenticated to ensure the security of
    user service data.

● Campus egress security
  – Online behavior management
    If enterprise employees need to access external networks, functions such as
    URL filtering, file filtering, data filtering, application behavior control,
    and antivirus need to be enabled to protect internal hosts from external
    threats and prevent information leaks.
  – Border protection
    Employees, servers, and external networks can be assigned to different
    security zones for inter-zone traffic inspection and protection.
    The content security functions to enable depend on the types of network
    services provided to external users. For example, file filtering and data
    filtering are enabled for the file server, mail filtering for the mail
    server, and antivirus and intrusion prevention for all servers.

7.2 Campus Internal Network Security


This section describes deployment suggestions and configuration examples of
internal network security policies in terms of device login security, security at
different network layers, and wireless service security. You can deploy functions
based on service requirements.

7.2.1 Deployment Roadmap


Table 7-1 Recommended security policy deployment for device login

Function: Local device login through the console port
Description: You need to configure an authentication mode and a user level for the console user interface.
Application scenario: You want to log in to the device through the console port while improving local login security.

Function: Remote device login using STelnet
Description: You need to configure a protocol type, an authentication mode, and a user level for the VTY user interface.
Application scenario: You want to remotely log in to the device while ensuring remote login security, especially on an insecure network, through SSH.

Table 7-2 Recommended security policy deployment for access devices

Function: Traffic suppression
Description: Discards or blocks broadcast, unknown multicast, or unknown unicast packets when their rate exceeds the specified threshold.
Application scenario: You are advised to configure this function on internal connection interfaces of a network to reduce the network-wide service impact of broadcast storms caused by loops.
Deployment location: Downlink interface or VLAN
Default setting:
● Traffic suppression for broadcast packets: enabled
● Traffic suppression for unknown multicast and unknown unicast packets: disabled

Function: Storm control
Description: Blocks or disables interfaces for broadcast, unknown multicast, or unknown unicast packets when their rate exceeds the specified threshold.
Application scenario: On a tree network with a downstream user network, you are advised to configure this function to prevent storms on the user network from spreading over the entire network.
Deployment location: Downlink interface
Default setting: Disabled

Function: DHCP snooping
Description: Enables a DHCP snooping-enabled device to exchange valid DHCP packets with a DHCP server through the trusted interface and generate DHCP snooping binding entries, check DHCP packets received from the untrusted interface, and discard the DHCP packets that do not match the binding entries.
Application scenario: When a host obtains an IP address through DHCP, you are advised to configure this function on the upper-layer access device of the DHCP client to ensure that the DHCP client obtains the IP address from a valid DHCP server. This prevents bogus DHCP server attacks, bogus DHCP packet attacks, and DHCP flood attacks.
Deployment location: Downlink interface or VLAN
NOTE: An uplink interface directly or indirectly connected to a DHCP server is configured as a trusted interface.
Default setting: Disabled

Function: IP Source Guard (IPSG)
Description: Checks IP packets against a static binding table, DHCP snooping binding table, or ND snooping binding table, and enables the device to discard the IP packets that do not match the binding table.
Application scenario: When a host obtains an IP address through DHCP or uses a static IP address, you are advised to configure this function on the access device directly connected to users to prevent unauthorized hosts from forging the IP addresses of authorized hosts or changing their IP addresses to attack the network.
Deployment location: Downlink interface or VLAN
Default setting: Disabled

Function: ND snooping
Description: Checks neighbor discovery (ND) packets by using neighbor solicitation (NS) packets in the duplicate address detection (DAD) process based on ND snooping binding entries, and enables the device to discard the ND packets that do not match the binding entries.
Application scenario: If no DHCPv6 server is deployed on the network and hosts obtain IPv6 addresses only through stateless address autoconfiguration, you are advised to configure this function to prevent address spoofing attacks and RA attacks.
Deployment location: Downlink interface or VLAN
Default setting: Disabled

Function: Dynamic ARP inspection (DAI)
Description: Checks ARP packets against DHCP snooping binding entries and enables the device to discard the ARP packets that do not match the binding entries.
Application scenario: To prevent man-in-the-middle attacks by forging ARP packets and theft of data between communication parties, you are advised to configure this function.
Deployment location: Downlink interface or VLAN
Default setting: Disabled

Function: Port security
Description: Changes the dynamic MAC addresses learned on an interface into secure MAC addresses to prevent unauthorized users from communicating with switches using the interface.
Application scenario: To enhance host access security, you are advised to configure this function to limit the number of access hosts or prevent attacks initiated by bogus hosts through other interfaces.
Deployment location: Downlink interface
Default setting: Disabled

Function: Port isolation
Description: Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional port isolation.
Application scenario: To implement Layer 2 isolation or both Layer 2 and Layer 3 isolation between interfaces in the same VLAN, you are advised to configure this function.
Deployment location: Downlink interface
Default setting: Disabled
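The DHCP snooping, IPSG and DAI rows above describe one shared mechanism: server replies are trusted only on the uplink, the DHCP ACK seen there creates a binding entry, and IP and ARP packets from user ports are admitted only when they match that entry. The following Python model shows the mechanism end to end. It is an added example and is not part of this document or of Huawei's software; the interface names, VLAN, MAC addresses, IP addresses and frame sequence are all constructed.

```python
"""Model of DHCP snooping binding entries, IP Source Guard (IPSG) and
dynamic ARP inspection (DAI) on an access switch. Added example only;
all interface names, MAC and IP addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: this MAC may use this IP on this port/VLAN."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Frame:
    port: str             # ingress interface
    vlan: int
    src_mac: str          # Ethernet source address
    kind: str             # dhcp_discover | dhcp_offer | dhcp_ack | ip | arp
    src_ip: str = ""      # IP source (kind=ip) or ARP sender IP (kind=arp)
    client_mac: str = ""  # DHCP chaddr (client hardware address)
    client_ip: str = ""   # DHCP yiaddr, carried in the ACK


class AccessSwitch:
    SERVER_MESSAGES = {"dhcp_offer", "dhcp_ack"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (mac, vlan) -> entry
        self.pending: Dict[Tuple[str, int], str] = {}       # client (mac, vlan) -> port it asked from
        self.log: List[str] = []

    def _drop(self, f: Frame, reason: str) -> bool:
        self.log.append(f"DROP {f.kind} from {f.src_mac} on {f.port}: {reason}")
        return False

    def process(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if it is discarded."""
        if f.kind in self.SERVER_MESSAGES:
            # DHCP snooping: server replies are valid only through the trusted uplink,
            # so an OFFER/ACK arriving on a user port comes from a bogus DHCP server.
            if f.port not in self.trusted:
                return self._drop(f, "DHCP server reply on untrusted interface")
            if f.kind == "dhcp_ack":
                ckey = (f.client_mac, f.vlan)
                port = self.pending.pop(ckey, None)
                if port is not None:  # ACK for a request we saw: create the binding entry
                    self.bindings[ckey] = Binding(f.client_mac, f.client_ip, f.vlan, port)
            return True
        key = (f.src_mac, f.vlan)
        if f.kind == "dhcp_discover":
            self.pending[key] = f.port  # remember which user port the client lives on
            return True
        if f.port in self.trusted:
            return True                 # IPSG and DAI inspect untrusted interfaces only
        # IPSG (kind=ip) and DAI (kind=arp): the source must match a binding entry exactly.
        entry = self.bindings.get(key)
        if entry is None:
            return self._drop(f, "no binding entry for this MAC/VLAN")
        if entry.ip != f.src_ip or entry.port != f.port:
            return self._drop(f, f"binding mismatch, expected {entry.ip} on {entry.port}")
        return True


def run_demo() -> Tuple[List[bool], List[str]]:
    """Replay a constructed frame sequence; return per-frame verdicts and the drop log."""
    sw = AccessSwitch(trusted_ports={"GE0/0/1"})  # uplink toward the DHCP server
    client, server, rogue = "0011-2233-4455", "00aa-bbcc-ddee", "0066-7788-99aa"
    frames = [
        Frame("GE0/0/3", 50, client, "dhcp_discover"),
        Frame("GE0/0/1", 50, server, "dhcp_ack", client_mac=client, client_ip="172.16.50.10"),
        Frame("GE0/0/3", 50, client, "ip", src_ip="172.16.50.10"),     # legitimate traffic
        Frame("GE0/0/3", 50, client, "ip", src_ip="172.16.50.1"),      # claims the gateway IP
        Frame("GE0/0/4", 50, client, "arp", src_ip="172.16.50.10"),    # right MAC/IP, wrong port
        Frame("GE0/0/4", 50, rogue, "dhcp_offer", client_mac=client),  # bogus DHCP server
        Frame("GE0/0/3", 50, client, "arp", src_ip="172.16.50.10"),    # legitimate ARP
    ]
    return [sw.process(f) for f in frames], sw.log


if __name__ == "__main__":
    verdicts, drops = run_demo()
    print(verdicts)
    print("\n".join(drops))
```

The model keys binding entries on (MAC, VLAN) and checks IP address and ingress port, which is why the frame from the right MAC on the wrong port is dropped as well as the one with a forged IP address. Note that a client that obtained its address before snooping was enabled has no entry and would also be dropped, which is the operational reason the table places this function on the access device from the start.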

Table 7-3 Recommended security policy deployment for aggregation devices

Suggestion: If a core device functions as the user gateway and an aggregation device connects to multiple access devices for Layer 2 forwarding of service traffic, you only need to configure port isolation.
Description: Port isolation allows terminals connected to different access devices to communicate with each other at Layer 2.

Suggestion: If an aggregation device functions as the user gateway, you can deploy security policies by referring to security policy deployment for core devices.
Description: -

Suggestion: If an aggregation device connects to terminals, you can deploy security policies by referring to security policy deployment for access devices.
Description: -

Table 7-4 Recommended security policy deployment for core devices

Dimension: CPU security (local attack defense)
Application scenario (all functions in this dimension): If a large number of packets are sent to the CPU or malicious packet attacks occur, the CPU usage becomes high and the performance deteriorates, affecting other services. In this case, you are advised to configure local attack defense.

Function: CPU attack defense
Description: Limits the number of packets sent to the CPU within a specified period of time to protect the CPU.
Default setting: Enabled

Function: Attack source tracing
Description: Finds the source user address or interface of the attack packets and sends logs or alarms to the administrator, instructing the administrator to take measures based on configurations to defend against the attack.
Default setting: Enabled

Function: Port attack defense
Description: Traces the source and limits the rate of packets if the packet rate exceeds the threshold, preventing a failure to send packets from normal ports to the CPU, as protocol packets from attacked ports may exhaust the bandwidth.
Default setting: Enabled

Function: User-level rate limiting
Description: Rate-limits packets sent from specified users to the CPU based on MAC addresses, protecting other users from an attack initiated by one user.
Default setting: Enabled

Dimension: ARP security (defense against ARP flood attacks)
Application scenario (all functions in this dimension):
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● The device fails to learn ARP entries due to high CPU usage, it is disconnected from the NMS, it frequently alternates between master and slave states, its interface indicators blink fast red, or attached devices are disconnected from the network.
● Ping responses are delayed, packets are lost, or the ping operation fails.

Function: Rate limiting on ARP packets
Description: Prevents the CPU from being overloaded when a device is busy with a large number of ARP packets.
Default setting:
● Rate limiting on ARP packets based on source IP addresses: a device allows a maximum of 30 ARP packets from the same source IP address to pass through within 1s.
● Rate limiting on ARP packets based on source MAC addresses: disabled
● Rate limiting on ARP packets globally, in a VLAN, or on an interface: disabled

Function: Rate limiting on ARP Miss messages
Description: Prevents a device from processing a large number of packets that contain unresolvable destination IP addresses and generating a large number of ARP Miss messages.
Default setting:
● Rate limiting on ARP Miss messages based on source IP addresses: a device can process a maximum of 30 ARP Miss messages triggered by the same source IP address per second.
● Rate limiting on ARP Miss messages globally, in a VLAN, or on an interface: disabled

Function: Temporary ARP entry aging
Description: Reduces the frequency of triggering ARP Miss messages.
Default setting: Aging time of temporary ARP entries: 3s

Function: Prohibiting the device from sending ARP packets destined for other devices to the CPU
Description: Enables the device to directly forward ARP packets destined for other devices without sending them to the CPU, improving the device's capability of defending against ARP flood attacks.
Default setting: Enabled

Function: Optimized ARP reply
Description: Enables the standby or slave switch in a stack to directly return an ARP Reply packet when receiving an ARP Request packet of which the destination IP address is the local interface address, improving the stack's capability of defending against ARP flood attacks.
Default setting: Enabled

Function: Strict ARP learning
Description: Enables the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, preventing ARP entry resources from being fully occupied by invalid ARP entries of a large number of ARP attack packets.
Default setting: Disabled

Function: ARP entry limiting
Description: Limits the maximum number of dynamic ARP entries that can be learned on an interface, preventing ARP entries from being consumed by ARP attack packets sent by a host connected to the interface.
Default setting: The maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

Function: Disabling ARP learning on an interface
Description: Prevents ARP entries from being consumed by ARP attack packets sent by a host connected to the interface.
Default setting: Enabled

Dimension: ARP security (defense against ARP spoofing attacks)

Function: ARP entry fixing
Description: Disables the device from updating an entry, or enables the device to update only part of the entry or to send a unicast ARP Request packet to check the validity of the ARP packet that triggers the entry update, after the device learns an ARP entry for the first time. This ensures that valid ARP entries are not replaced by attackers using forged ARP packets.
Application scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● Ping packets are lost, or the ping operation fails.
Default setting: Enabled

Function: ARP gateway anti-collision
Description: Prevents users from forging a gateway address to send ARP packets and modifying ARP entries of other users on the network.
Application scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or gateway address conflicts occur.
● Ping packets are lost, or the ping operation fails.
Default setting: Disabled

Function: ARP gateway protection
Description: Protects a gateway address, preventing users from forging the gateway address to send ARP packets and modifying ARP entries of other users on the network.
Application scenario:
● Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or gateway address conflicts occur.
● Ping packets are lost, or the ping operation fails.
Default setting: Disabled

Function: Gratuitous ARP packet sending
Description: Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device IP address to update the gateway MAC address in ARP entries, ensuring that packets of authorized users are forwarded to the gateway and preventing hackers from intercepting these packets.
Application scenario:
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default setting: Disabled

Function: MAC address consistency check in an ARP packet
Description: Prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.
Application scenario:
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● The device is disconnected from an NMS, an attached device is disconnected, or gateway address conflicts occur.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default setting: Disabled

Function: ARP packet validity check
Description: Enables the device to filter out packets with invalid MAC addresses or IP addresses.
Application scenario: Same as for MAC address consistency check in an ARP packet.
Default setting: Disabled

Function: Strict ARP learning
Description: Enables the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, preventing ARP entry resources from being fully occupied by invalid ARP entries of a large number of ARP attack packets.
Default setting: Disabled

Function: ARP learning triggered by DHCP
Description: Enables the device to generate ARP entries based on the received DHCP ACK packets, preventing the aging and learning of many ARP entries from impacting the device performance and the network when many DHCP users connect to a network device.
Application scenario:
● Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
● Ping responses are delayed, packets are lost, or the ping operation fails.
Default setting: Disabled
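The "Rate limiting on ARP packets" row above gives a concrete default, at most 30 ARP packets from one source IP address per second, without showing what that limit does to a flood next to normal traffic. The following Python model applies a per-source-IP sliding window with that default to constructed traffic. It is an added example, not Huawei's implementation or this document's own code; the addresses, timestamps and packet counts are constructed.

```python
"""Per-source-IP ARP rate limiting as in the "Rate limiting on ARP packets" row
of Table 7-4 (default: at most 30 ARP packets per source IP within 1s).
Added example, not Huawei's implementation; all traffic below is constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ArpSourceRateLimiter:
    """Sliding one-second window per source IP; timestamps are integer milliseconds."""

    def __init__(self, limit: int = 30, window_ms: int = 1000):
        self.limit = limit
        self.window_ms = window_ms
        # src IP -> timestamps of packets admitted inside the current window
        self.admitted: Dict[str, Deque[int]] = defaultdict(deque)
        self.dropped: Dict[str, int] = defaultdict(int)

    def admit(self, src_ip: str, now_ms: int) -> bool:
        """Return True if an ARP packet from src_ip at now_ms may be sent to the CPU."""
        q = self.admitted[src_ip]
        while q and now_ms - q[0] >= self.window_ms:  # forget packets older than the window
            q.popleft()
        if len(q) >= self.limit:                      # window full: this source is flooding
            self.dropped[src_ip] += 1
            return False
        q.append(now_ms)
        return True


def replay(packets: List[Tuple[int, str]], limit: int = 30) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp_ms, src_ip) ARP packets in time order; return {ip: (admitted, dropped)}."""
    limiter = ArpSourceRateLimiter(limit=limit)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(packets):
        counts[ip][0 if limiter.admit(ip, ts) else 1] += 1
    return {ip: (a, d) for ip, (a, d) in counts.items()}


def constructed_traffic() -> List[Tuple[int, str]]:
    """One host sending 200 ARP packets in a second beside a normal host sending five."""
    flood = [(5 * i, "172.16.40.99") for i in range(200)]             # every 5 ms, 0..995 ms
    normal = [(t, "172.16.40.10") for t in (100, 300, 500, 700, 900)]  # ordinary resolution
    return flood + normal


if __name__ == "__main__":
    for ip, (admitted, dropped) in replay(constructed_traffic()).items():
        print(f"{ip}: admitted={admitted} dropped={dropped}")
```

Because the limit is tracked per source IP, the flooding host is capped at 30 packets per window while the normal host is untouched, which is the protective property the table describes. The model counts a packet against the source only when it is admitted, so a source that keeps sending regains 30 packets per second as its window slides rather than being locked out permanently; the global, VLAN and interface limits listed as disabled in the same row would need a separate shared counter.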

Table 7-5 Recommended security policy deployment for wireless services

Function: Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS)
Description:
● Enables the device to detect and counter rogue or interference devices, preventing unauthorized STAs from accessing the network.
● Configures attack detection and dynamic blacklisting functions, detecting and blacklisting devices that initiate flooding attacks, weak IV attacks, spoofing attacks, or brute force key cracking attacks.
Application scenario: To protect enterprises and users against unauthorized access from wireless networks and detect unauthorized users or APs, you are advised to configure this function.
Default setting:
● Device detection and containment: disabled
● Attack detection and dynamic blacklisting: disabled

Function: Security policy
Description: Authenticates STAs and encrypts user packets through WLAN security policies, including open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-certificate.
Application scenario: You are advised to configure this function to ensure security of wireless users, implementing link authentication when a wireless link is established, user authentication when users attempt to connect to a wireless network, and data encryption during data transmission.
Default setting: Open system authentication

Function: STA blacklist and whitelist
Description: Enables the device to configure a blacklist or whitelist to manage the access of STAs.
Application scenario: You are advised to configure this function to control access of wireless users, ensuring that authorized users can access the WLAN and preventing unauthorized users from forcibly accessing the WLAN.
Default setting: Disabled

Function: User isolation on a VAP
Description: Prevents packets of users on a VAP from being forwarded to each other.
Application scenario: To isolate users on the same VAP from each other at Layer 2 while allowing them to communicate at Layer 3, and so improve communication security, you are advised to configure this function.
Default setting: Disabled

Function: Port isolation
Description: Adds interfaces to an isolation group and configures the isolation mode and unidirectional or bidirectional isolation.
Application scenario: To allow WLAN users on different APs in the same VLAN to communicate at Layer 2 and improve communication security, you are advised to configure this function on the switch connected to APs.
Default setting: Disabled

7.2.2 Example for Configuring Device Login Security


You can locally log in to a device through the console port or remotely log in using
STelnet.

Configuring Security for Local Device Login Through the Console Port
Logging in to a switch through the console port (also called serial port) is a basic
login mode and forms the basis of other login modes such as Telnet and STelnet.
Once an attacker accesses the console port on a switch, the switch is exposed to
the attacker, causing security risks. You can configure the authentication mode,
user authentication information, and user level for the console user interface to
ensure security of switch login through the console port.
Deployment Precautions
● If you configure the console user interface after login through the console
port, the configuration takes effect at your next login.
● To ensure device security, you are required to change the default password
upon the first login and change the password periodically.
Procedure

Step 1 Configure an authentication mode for the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0 //Enter the console user interface view.
[HUAWEI-console0] authentication-mode aaa //Set AAA authentication for the console user interface.
[HUAWEI-console0] quit

The default authentication mode is AAA.

Step 2 Configure authentication information and a user level for the console user interface.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create local user admin123 and set the login password to abcd@123.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of local user admin123 to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type terminal //Set the access type of local user admin123 to terminal user, that is, console user.

Step 3 Connect to the switch through the console port and enter the user name and
password as prompted to log in to the switch. (In this example, the user name is
admin123 and the password is abcd@123.)
Login authentication

Username:admin123
Password:
<HUAWEI>

----End
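Table 7-1 and the console and STelnet procedures in this section reduce to a handful of settings that can be checked mechanically in a saved configuration: an AAA authentication mode on the console and VTY user interfaces, SSH as the only inbound VTY protocol, STelnet enabled and Telnet not, and local-user passwords stored with irreversible-cipher. The following Python audit, an added example and not Huawei's tooling or this document's own code, parses a VRP-style configuration split by "#" lines and reports deviations. Both configurations embedded in it are constructed; the hardened one mirrors the commands used in this section, and the hash placeholder stands in for the value a real device would display.

```python
"""Audit of console and VTY login settings in a VRP-style configuration file,
following Table 7-1 and the console/STelnet procedures of this section.
Added example, not Huawei's tooling; both configurations below are constructed."""
from typing import List


def parse_sections(config: str) -> List[List[str]]:
    """Split a configuration into blocks delimited by '#' lines, as 'display current-configuration' prints it."""
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()          # saved configs indent sub-commands by one space
        if not line:
            continue
        if line == "#":
            if current:
                sections.append(current)
            current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_login_security(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak login setting was found."""
    findings: List[str] = []
    sections = parse_sections(config)
    lines = [line for sec in sections for line in sec]
    if "stelnet server enable" not in lines:
        findings.append("global: STelnet server is not enabled")
    if "telnet server enable" in lines:
        findings.append("global: Telnet server is enabled (credentials cross the network in clear text)")
    for sec in sections:
        head = sec[0]
        if head.startswith("user-interface console") or head.startswith("user-interface vty"):
            for line in sec[1:]:
                # AAA (user name + password) is required; 'none' or a shared line password is weaker.
                if line.startswith("authentication-mode") and line != "authentication-mode aaa":
                    findings.append(f"{head}: {line} (expected authentication-mode aaa)")
                # STelnet needs SSH only; 'telnet' or 'all' reopens the insecure protocol.
                if line.startswith("protocol inbound") and line != "protocol inbound ssh":
                    findings.append(f"{head}: {line} (expected protocol inbound ssh)")
        if head == "aaa":
            for line in sec[1:]:
                parts = line.split()
                if (len(parts) >= 3 and parts[0] == "local-user" and parts[2] == "password"
                        and "irreversible-cipher" not in parts):
                    findings.append(f"aaa: local-user {parts[1]} password is not stored as irreversible-cipher")
    return findings


# Constructed: a configuration with the weak choices the section warns against.
WEAK_CONFIG = """\
#
telnet server enable
#
aaa
 local-user admin123 password cipher abcd@123
 local-user admin123 privilege level 15
 local-user admin123 service-type telnet terminal
#
user-interface console 0
 authentication-mode none
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
return
"""

# Constructed: the settings from the console and STelnet procedures in this section.
HARDENED_CONFIG = """\
#
stelnet server enable
#
aaa
 local-user admin123 password irreversible-cipher HASH_PLACEHOLDER
 local-user admin123 privilege level 15
 local-user admin123 service-type terminal ssh
#
user-interface console 0
 authentication-mode aaa
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 user privilege level 15
#
ssh user admin123
ssh user admin123 service-type stelnet
ssh user admin123 authentication-type password
#
return
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_login_security(cfg) or ["no findings"])
```

An absent authentication-mode line is deliberately not reported, because this section states that AAA is the default for the console user interface and that SSH is the default inbound protocol; the audit flags only explicit weaker choices and the missing STelnet server.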

Configuring Security for Remote Device Login Using STelnet


You can remotely log in to a switch using Telnet or STelnet. Telnet poses security
risks. STelnet, which is based on the SSH protocol, implements secure remote
login over insecure networks and provides strong authentication to
ensure information security and protect switches against attacks, such as IP
spoofing attacks.
Deployment Precautions
● Before configuring STelnet login, ensure that the PC and the switch are
routable to each other.
● STelnet V2 is more secure than STelnet V1, and is therefore recommended.
● Ensure that the user terminal has SSH client software installed before
configuring STelnet login. This example uses the third-party software PuTTY
as the SSH client.
● STelnet login requires virtual type terminal (VTY) user interfaces to support
SSH. Therefore, the VTY user interfaces must use AAA authentication.
● For device security purposes, change the password periodically.
Procedure

Step 1 Configure a protocol type, an authentication mode, and a user level for the VTY
user interface.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa //Configure AAA authentication for the VTY user
interface.
[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default,
SSH is used.
[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.
[HUAWEI-ui-vty0-4] quit

Step 2 Enable the STelnet server function and create an SSH user.
[HUAWEI] stelnet server enable //Enable the STelnet server function on the switch.
[HUAWEI] ssh user admin123 //Create SSH user admin123.
[HUAWEI] ssh user admin123 service-type stelnet //Set the service mode of the SSH user to STelnet.


Step 3 Configure an authentication mode for the SSH user.

# Set the authentication mode for the SSH user to password.

To use password authentication, create a local user with the same name as the
SSH user in the AAA view.
[HUAWEI] ssh user admin123 authentication-type password //Configure password authentication for
the SSH user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with
the same user name as the SSH user and set a login password for the local user.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.
[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.
[HUAWEI-aaa] quit

# Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The
following uses ECC authentication as an example. Steps for configuring RSA and
DSA authentication are similar to those for configuring ECC authentication.)

To use RSA, DSA, or ECC authentication, you need to configure the public key of
the SSH client on the SSH server. When the SSH client connects to the SSH server,
the SSH client passes the authentication if the private key of the client matches
the configured public key. For details about the public key on the client, see the
help document of the SSH client software.
[HUAWEI] ssh user admin123 authentication-type ecc //Configure ECC authentication for the SSH user.
[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding format of ECC
public key key01 and enter the ECC public key view.
Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.
Enter "ECC key code" view, return last view with "public-key-code end".
[HUAWEI-ecc-key-code] 308188 //Copy the public key of the client, which is a hexadecimal character
string.
[HUAWEI-ecc-key-code] 028180
[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-ecc-key-code] 171896FB 1FFC38CD
[HUAWEI-ecc-key-code] 0203
[HUAWEI-ecc-key-code] 010001
[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.
[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.
[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign an existing public key key01 to user
admin123.

Step 4 Generate a local key pair on the server.


<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys..........
Info: Succeeded in creating the ECC host keys.

Step 5 Log in to the switch through STelnet.

On the PC, connect to the SSH server through password authentication.

Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH
protocol.


Click Open. Enter the user name and password as prompted and press Enter to
log in to the SSH server. (The following information is for reference only.)
login as: admin123
Sent username "admin123"

admin123@10.10.10.20's password:

Info: The max number of VTY users is 8, and the number of current VTY users on line is 5.
The current login time is 2018-12-22 09:35:28+00:00.
<HUAWEI>

----End

7.2.3 Example for Configuring Access Device Security


As the border of the campus network, access devices need to prevent
unauthorized users and terminals from accessing the network. In addition, the
access devices need to control Layer 2 traffic forwarding.
Table 7-2 describes the security policy deployment suggestions for access devices.
You can configure functions based on service requirements.
Configuration Examples
● Configure traffic suppression.
<HUAWEI> system-view
[HUAWEI] suppression mode by-bits //Configure the global traffic
suppression mode.
[HUAWEI] interface gigabitethernet 0/0/1


[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression cir 1000 //Configure suppression of
broadcast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression cir 1000 //Configure suppression of
unknown multicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression cir 1000 //Configure suppression of
unknown unicast traffic in the inbound direction of the interface.
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression block outbound //Block outgoing
broadcast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression block outbound //Block outgoing
multicast traffic on the interface.
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression block outbound //Block outgoing unicast
traffic on the interface.

● Configure storm control.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000 //
Configure storm control for broadcast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000 //
Configure storm control for unknown multicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control unicast min-rate 1000 max-rate 2000 //
Configure storm control for unknown unicast packets.
[HUAWEI-GigabitEthernet0/0/1] storm-control action block //Configure the
action for storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control enable log //Configure the
system to record logs during storm control.
[HUAWEI-GigabitEthernet0/0/1] storm-control interval 90 //Configure the
interval for detecting storms.
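The block/unblock behaviour configured above, as an added Python model that is not Huawei code: the average rate over each detection interval is compared with max-rate to trigger the action and with min-rate to lift a block, and a log line is recorded on each state change. It assumes rates in packets per second; the interval packet counts fed in are constructed.

```python
"""Model of interface storm control for one traffic type (broadcast,
unknown multicast or unknown unicast) across successive detection intervals.

Added illustration, not Huawei code. Assumes pps rates and the semantics
described on the page: rate > max-rate triggers the action, a block is
released once rate < min-rate, error-down is not lifted by storm control.
"""
from dataclasses import dataclass, field


@dataclass
class StormControlConfig:
    min_rate: int            # pps; a blocked type is released once rate < min_rate
    max_rate: int            # pps; the action triggers once rate > max_rate
    interval: int = 90       # detection interval in seconds
    action: str = "block"    # "block" (reversible) or "error-down" (interface shut)
    log: bool = True         # record a log line on each state change


@dataclass
class StormControlState:
    blocked: bool = False
    error_down: bool = False
    logs: list = field(default_factory=list)


def run_storm_control(cfg, interval_packet_counts,
                      interface="GigabitEthernet0/0/1", traffic_type="broadcast"):
    """Feed the packet count observed in each detection interval.

    Returns (decisions, state): decisions is a list of (rate_pps, suppressed)
    per interval; state carries the final block/error-down flags and logs.
    """
    state = StormControlState()
    decisions = []
    for n, count in enumerate(interval_packet_counts, start=1):
        rate = count / cfg.interval  # average pps over this interval
        if state.error_down:
            # An error-down interface stays down until an operator restores it.
            decisions.append((rate, True))
            continue
        if not state.blocked and rate > cfg.max_rate:
            if cfg.action == "error-down":
                state.error_down = True
                event = "error-down"
            else:
                state.blocked = True
                event = "blocked"
            if cfg.log:
                state.logs.append(
                    f"interval {n}: {traffic_type} storm on {interface}, "
                    f"rate {rate:.0f} pps > max-rate {cfg.max_rate}, {event}")
        elif state.blocked and rate < cfg.min_rate:
            state.blocked = False
            if cfg.log:
                state.logs.append(
                    f"interval {n}: {traffic_type} storm on {interface} ended, "
                    f"rate {rate:.0f} pps < min-rate {cfg.min_rate}, unblocked")
        decisions.append((rate, state.blocked or state.error_down))
    return decisions, state


# Constructed sample: 90 s intervals with counts giving 500, 2500, 1500 and
# 800 pps, i.e. normal, storm, still above min-rate (stays blocked), recovered.
SAMPLE_COUNTS = [500 * 90, 2500 * 90, 1500 * 90, 800 * 90]
PAGE_CONFIG = StormControlConfig(min_rate=1000, max_rate=2000, interval=90, action="block")

if __name__ == "__main__":
    decisions, state = run_storm_control(PAGE_CONFIG, SAMPLE_COUNTS)
    for rate, suppressed in decisions:
        print(f"{rate:7.0f} pps  suppressed={suppressed}")
    print("\n".join(state.logs))
```

Note that the third interval stays blocked although its rate is below max-rate: the hysteresis between min-rate and max-rate is what keeps a flapping storm from toggling the interface every interval.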

● Configure DHCP snooping.


<HUAWEI> system-view
[HUAWEI] dhcp enable //Enable DHCP.
[HUAWEI] dhcp snooping enable //Enable DHCP snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable //Enable DHCP snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly
connected to the DHCP server.
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted //Configure the interface as a trusted
interface.

● Configure IPSG.
# Configure IPSG against static binding entries.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a static
binding entry.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 //Create a static
binding entry.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet
check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm
function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm
threshold for IP packet check.

# Configure IPSG against dynamic DHCP snooping binding entries. Before the
configuration, you need to configure DHCP snooping and generate dynamic
DHCP snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet
check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm
function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm
threshold for IP packet check.

● Configure ND snooping.


<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable //Enable ND snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly
connected to the gateway.
[HUAWEI-GigabitEthernet0/0/2] nd snooping trusted //Configure the interface as a trusted
interface.

● Configure DAI.
Before the configuration, you need to configure DHCP snooping and generate
dynamic DHCP snooping binding entries or manually configure static DHCP
snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable //Enable DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address //
Configure the device to check only IP addresses in ARP packets based on binding entries.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable //Enable
the alarm function for ARP packets discarded by DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 100 //Set
the alarm threshold for ARP packets discarded by DAI.
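The binding-table check that the IPSG and DAI bullets above rely on, as an added Python model that is not Huawei code: packets whose source (or ARP sender) fields match no binding on the inbound interface are discarded, DAI compares only the configured check item, and an alarm is raised each time the discard count reaches the threshold. The binding entries mirror the two static entries configured above; the packets are constructed.

```python
"""Model of the checks behind IPSG ('ip source check user-bind') and DAI
('arp anti-attack check user-bind'), including 'check-item' and the alarm
threshold. Added illustration, not Huawei code; in a real switch the table is
also filled from DHCP snooping.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str


@dataclass
class CheckResult:
    forwarded: int = 0
    discarded: int = 0
    alarms: list = field(default_factory=list)


class BindingTable:
    """Static or DHCP-snooping binding entries, indexed by interface."""

    def __init__(self, entries):
        self._by_iface = {}
        for e in entries:
            self._by_iface.setdefault(e.interface, []).append(e)

    def matches(self, interface, ip=None, mac=None):
        """True if an entry on the interface agrees with every field given.
        A field passed as None is not compared."""
        for e in self._by_iface.get(interface, []):
            if ip is not None and e.ip != ip:
                continue
            if mac is not None and e.mac != mac:
                continue
            return True
        return False


def _check(table, packets, threshold, feature, check_ip, check_mac):
    """Shared engine: discard packets that match no binding and raise an
    alarm each time the discard count reaches the threshold."""
    result = CheckResult()
    since_alarm = 0
    for pkt in packets:
        ip = pkt["src_ip"] if check_ip else None
        mac = pkt["src_mac"] if check_mac else None
        if table.matches(pkt["in_if"], ip=ip, mac=mac):
            result.forwarded += 1
            continue
        result.discarded += 1
        since_alarm += 1
        if since_alarm >= threshold:
            result.alarms.append(
                f"{feature}: {since_alarm} packets discarded on {pkt['in_if']}")
            since_alarm = 0
    return result


def ipsg_check(table, ip_packets, alarm_threshold=100):
    """IPSG: source IP and source MAC must both match a binding on the
    inbound interface."""
    return _check(table, ip_packets, alarm_threshold, "IPSG", True, True)


def dai_check(table, arp_packets, alarm_threshold=100, check_item=None):
    """DAI: ARP sender IP/MAC are compared on the configured check items only.
    check_item None means both; 'ip-address' or 'mac-address' restricts the
    comparison the way 'check-item' does on the page."""
    return _check(table, arp_packets, alarm_threshold, "DAI",
                  check_ip=check_item in (None, "ip-address"),
                  check_mac=check_item in (None, "mac-address"))


# Constructed binding table: the two static entries from the configuration above.
STATIC_BINDINGS = [
    Binding("10.0.0.1", "0001-0001-0001", "GigabitEthernet0/0/1"),
    Binding("10.0.0.11", "0002-0002-0002", "GigabitEthernet0/0/1"),
]

# Constructed inbound traffic on GE0/0/1: a bound host, a host claiming the bound
# address 10.0.0.1 from another MAC, an unbound address, and a second bound host.
# For ARP packets read src_ip/src_mac as the sender IP/MAC fields.
SAMPLE_PACKETS = [
    {"in_if": "GigabitEthernet0/0/1", "src_ip": "10.0.0.1", "src_mac": "0001-0001-0001"},
    {"in_if": "GigabitEthernet0/0/1", "src_ip": "10.0.0.1", "src_mac": "00aa-00aa-00aa"},
    {"in_if": "GigabitEthernet0/0/1", "src_ip": "10.0.0.99", "src_mac": "00bb-00bb-00bb"},
    {"in_if": "GigabitEthernet0/0/1", "src_ip": "10.0.0.11", "src_mac": "0002-0002-0002"},
]

if __name__ == "__main__":
    table = BindingTable(STATIC_BINDINGS)
    print(ipsg_check(table, SAMPLE_PACKETS, alarm_threshold=2))
    print(dai_check(table, SAMPLE_PACKETS, alarm_threshold=2, check_item="ip-address"))
```

The DAI run with check-item ip-address lets the second packet through: a bound IP from a foreign MAC is exactly what the default (IP and MAC) check catches, so narrowing the check item trades detection for tolerance of MAC changes.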

● Configure port security.


# If access users frequently change locations, you can configure port security
to change dynamic MAC addresses to secure dynamic MAC addresses. This
ensures that bound MAC address entries are deleted immediately after users
change locations.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum
number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for
port security protection.
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 100 //Set the aging time of
secure dynamic MAC addresses on the interface.

# If access users seldom change locations, you can configure port security to
change dynamic MAC addresses to sticky MAC addresses. This ensures that
bound MAC address entries are not lost after a device resets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky //Enable the sticky MAC
function on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum
number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for
port security protection.

# If there are only a few access users and they seldom change locations, you
can configure secure static MAC addresses.
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect //Enable static MAC address
flapping detection.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum
number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for
port security protection.

● Configure port isolation.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Enable port isolation.

7.2.4 Example for Configuring Core Device Security


Core devices occupy a key position in the network, so their security is
critical. When a core device is configured as a centralized authentication
point, its CPU must be able to process the protocol packets generated when a
large number of users access the network. When a core device is configured as
a gateway, ARP security must be considered.

Table 7-4 describes the security policy deployment suggestions for core devices.
You can configure functions based on service requirements.

Configuration Examples

● Configure CPU attack defense.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and
enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] car packet-type http cir 120 //Set the CPCAR value for
packets when no protocol connection is established.
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type http cir 120 //Set the CPCAR value for
packets of a specified protocol upon the establishment of the protocol connection.
[HUAWEI-cpu-defend-policy-test] deny packet-type icmp //Set the action for packets
sent to the CPU to deny.
[HUAWEI-cpu-defend-policy-test] blacklist 1 acl 2001 //Configure the blacklist for CPU
attack defense.
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable //Enable dynamic link
protection globally.
[HUAWEI] cpu-defend application-apperceive http enable //Enable dynamic link
protection for protocol packets.

● Configure attack source tracing.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and
enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] auto-defend enable //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable //Enable the event reporting
function for attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for
attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend action deny //Enable the punishment
function of attack source tracing and specify the punishment action for attack packets.

● Configure port attack defense.


<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy test //Create an attack defense policy and
enter the attack defense policy view.
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable //Enable port attack defense.
[HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable //Enable the function of
reporting port attack defense events.
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2001 //Configure a whitelist for
attack source tracing.

● Configure user-level rate limiting.


<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable //Enable user-level rate limiting.

● Configure rate limiting on ARP packets.


<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable //Enable rate limiting on ARP
packets globally.
[HUAWEI] arp speed-limit source-mac 0001-0001-0001 maximum 20 //Set the maximum rate
of ARP packets based on source MAC addresses.
[HUAWEI] arp speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of
ARP packets based on source IP addresses.

● Configure rate limiting on ARP Miss messages.


<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable //Enable rate limiting on ARP Miss
messages globally.
[HUAWEI] arp-miss speed-limit source-mac 0001-0001-0001 maximum 20 //Set the maximum
rate of ARP Miss messages based on source MAC addresses.
[HUAWEI] arp-miss speed-limit source-ip 10.1.1.1 maximum 20 //Set the maximum rate of
ARP Miss messages based on source IP addresses.

● Configure the aging time of temporary ARP entries.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 3 //Set the aging time of
temporary ARP entries.

● Configure the device not to send ARP packets destined for other devices to
the CPU.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp optimized-passby enable //Configure the device not to
send ARP packets destined for other devices to the CPU.

● Configure optimized ARP reply.


<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable //Disable optimized ARP reply.

● Configure strict ARP learning.


<HUAWEI> system-view
[HUAWEI] arp learning strict //Enable strict ARP learning globally.
[HUAWEI] quit

● Configure ARP entry limiting.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20 //Configure the maximum
number of dynamic ARP entries that the interface can learn.

● Disable ARP learning on an interface.


<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable //Disable the interface from learning
dynamic ARP entries.

● Configure ARP entry fixing.


<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable //Enable ARP entry fixing
globally.

● Configure ARP gateway anti-collision.


<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable //Enable ARP gateway anti-
collision.

● Configure ARP gateway protection.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.1.1.1 //Enable ARP gateway
protection.

● Configure gratuitous ARP packet sending.


<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //Enable the device to send
gratuitous ARP packets.
[HUAWEI] arp gratuitous-arp send interval 60 //Set the interval for sending
gratuitous ARP packets.

● Configure MAC address consistency check in an ARP packet.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac //Enable MAC address
consistency check in an ARP packet.

● Configure ARP packet validity check.


<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check ip dst-mac sender-mac //Enable ARP packet validity
check.

● Configure ARP learning triggered by DHCP.


<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning dhcp-trigger //Enable ARP learning triggered by
DHCP.

7.2.5 Example for Configuring Wireless Service Security


Rogue devices and attacking users can be detected and contained to secure the
border of the wireless network. In addition, user access must be authenticated
for validity and security to protect user wireless service data.

Table 7-5 describes the security policy deployment suggestions for wireless
services. You can configure functions based on service requirements.

Configuration Examples

● Configure WIDS and WIPS functions.


# Configure device detection and containment.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids device detect enable //Enable device detection.
[Huawei-wlan-radio-0/0] wids contain enable //Enable device containment.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap //Set the containment mode
against rogue or interference devices.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.

# Configure attack detection and dynamic blacklist functions.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] radio 0
[Huawei-wlan-radio-0/0] wids attack detect enable all //Enable attack detection.
[Huawei-wlan-radio-0/0] quit
[Huawei-wlan-ap-0] quit
[Huawei-wlan-view] wids-profile name wlan-wids //Create a WIDS profile.
[Huawei-wlan-wids-prof-wlan-wids] dynamic-blacklist enable //Enable the dynamic blacklist
function.
[Huawei-wlan-wids-prof-wlan-wids] quit
[Huawei-wlan-view] ap-id 0
[Huawei-wlan-ap-0] wids-profile wlan-wids //Bind a WIDS profile to an AP.


● Configure security policies.


WLAN security policies are configured in security profiles, and only one
security policy can be configured in a security profile. You can create multiple
security profiles with different security policies and apply the profiles to
different VAPs as required. The following uses WPA2-PSK-AES as an example.
<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] security-profile name wlan-security //Create a security profile.
[HUAWEI-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Set the
security policy to WPA2-PSK-AES.
[HUAWEI-wlan-sec-prof-wlan-security] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] security-profile wlan-security //Bind a security profile to a VAP
profile.

● Configure STA blacklist and whitelist.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] sta-whitelist-profile name sta-whitelist //Create a STA whitelist profile.
[Huawei-wlan-whitelist-prof-sta-whitelist] sta-mac 0001-0001-0001 //Add the MAC address of a
STA to the whitelist.
[Huawei-wlan-whitelist-prof-sta-whitelist] quit
[Huawei-wlan-view] sta-blacklist-profile name sta-blacklist //Create a STA blacklist profile.
[Huawei-wlan-blacklist-prof-sta-blacklist] sta-mac 0002-0002-0002 //Add the MAC address of a
STA to the blacklist.

● Configure user isolation on a VAP.


<Huawei> system-view
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name traff1 //Create a traffic profile.
[HUAWEI-wlan-traffic-prof-traff1] user-isolate l2 //Configure user isolation.
Warning: Enabling user isolation may interrupt services. Are you sure you want to continue? [Y/N]:y
[HUAWEI-wlan-traffic-prof-traff1] quit
[Huawei-wlan-view] vap-profile name vap1 //Create a VAP profile.
[HUAWEI-wlan-vap-prof-vap1] traffic-profile traff1 //Bind a traffic profile to a VAP profile.

● Configure port isolation.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation.

7.3 Campus Egress Security


This section uses a typical campus network as an example to describe how to
deploy campus egress security. Service security requirements are as follows:
● Internal network users can access Internet resources, but only
education/science and search/portal websites.
● To prevent information leaks, employees are not allowed to upload common
documents, R&D files (such as C, CPP, and JAVA files), and compressed files to
the Internet.
● To reduce the risk of viruses transferred to internal networks, employees are
not allowed to download executable files from the Internet.
● To ensure work efficiency, employees are not allowed to download videos
from the Internet.
● To prevent disclosure of confidential information and transmission of
prohibited content, filter the files uploaded, emails sent, posts and
microblogs published, and web pages and content searched by internal network users.


● External network users can access the HTTP server on the internal network.
To ensure the proper running of the server, defend against SYN flood, UDP
flood, and HTTP flood attacks.
● To prevent viruses from being introduced by emails, perform antivirus
detection on emails using HTTP and POP3 protocols.
● Defend against attacks such as worms, Trojan horses, and botnets.
● To ensure normal services, restrict P2P and online video traffic within 30
Mbit/s at any time. To better control P2P and online video traffic, restrict
connections of related applications within 10,000. To ensure the proper
running of email and ERP applications, assign a minimum of 60 Mbit/s
bandwidth for such traffic.
● Record employees' online behaviors to implement more refined security policy
control.

Figure 7-1 Networking diagram of campus egress security (figure not reproduced: egress firewalls FWA and FWB in HSB, each with GE1/0/0 toward the Internet, GE1/0/3 as the heartbeat link, and Eth-Trunk 1 (GE1/0/1, GE1/0/2) to the core-layer CSS CORE via Eth-Trunk 10 and Eth-Trunk 20; the HTTP server on CORE GE1/1/0/10; CORE Eth-Trunk 30 (GE1/2/0/0, GE2/2/0/0) to the aggregation-layer switch AGG Eth-Trunk 30 (GE1/0/1, GE2/0/1))

Device Requirements and Versions

Location            Device Requirement   Device Used in This Example   Version Used in This Example
Egress              -                    USG6650                       V500R001C30
Core layer          -                    S7706                         V200R010C00
Aggregation layer   -                    S5720-EI                      V200R011C00

Deployment Roadmap

Step   Deployment Roadmap                                                       Devices Involved
1      Configure security zones and security policies to ensure that            Egress firewall
       internal network users can access Internet resources and external
       network users can access the HTTP server.
2      Configure the filtering functions.                                       Egress firewall
       ● URL filtering: Allows users to access only education/science and
         search/portal websites.
       ● File filtering: Prevents employees from uploading common documents,
         R&D files (such as C, CPP, and JAVA files), and compressed files to
         the Internet as well as downloading executable files and video
         files from the Internet.
       ● Data filtering: Prevents disclosure of confidential information and
         transmission of violation information.
3      Configure antivirus and intrusion prevention to prevent viruses from     Egress firewall
       being introduced by emails and defend against attacks such as worms,
       Trojan horses, and botnets.
4      Configure DDoS attack defense to defend against SYN flood, UDP flood,    Egress firewall
       and HTTP flood attacks.
5      Configure traffic policies to ensure that applications such as email     Egress firewall
       and ERP work properly.
6      Configure online behavior audit and management and record employees'     Egress firewall
       online behaviors, implementing more refined security policy control.


Data Plan

Device        Interface            Member Interface       VLANIF Interface   IP Address
FWA           GE1/0/0              -                      -                  202.1.1.1/24
              GE1/0/3              -                      -                  10.4.0.1/24
              Eth-Trunk 1          GE1/0/1, GE1/0/2       -                  10.3.0.1/24
FWB           GE1/0/0              -                      -                  202.1.1.2/24
              GE1/0/3              -                      -                  10.4.0.2/24
              Eth-Trunk 1          GE1/0/1, GE1/0/2       -                  10.3.0.2/24
CORE          GE1/1/0/10           -                      VLANIF 50          10.7.0.1/24
              Eth-Trunk 10         GE1/1/1/0, GE2/1/1/1   VLANIF 20          10.3.0.254/24
              Eth-Trunk 20         GE2/1/1/0, GE1/1/1/1   (same VLANIF 20)
              Eth-Trunk 30         GE1/2/0/0, GE2/2/0/0   VLANIF 30          10.5.0.1/24
AGG           Eth-Trunk 30         GE1/0/1, GE2/0/1       -                  -
HTTP server   Ethernet interface   -                      -                  10.7.0.2/24

Procedure

This section mainly describes security configurations of firewalls. For details about other
configurations, see 4 Campus Egress Deployment.
To configure URL filtering, you need to activate the license and ensure that the license is
within the validity period.
Ensure that the content security package has been loaded before configuring file and data
filtering.
Assume that the user in this example already exists on the firewall, and the authentication
configuration is complete.

Step 1 Configure security zones and security policies.


1. Configure security zones.


The system has four security zones by default. If the default security zones do
not meet your service requirements, you can create security zones and define
their security levels. After creating a security zone, add interfaces to it. All
packets sent and received on those interfaces are then considered to belong to
that security zone. By default, an interface does not belong to any security
zone and cannot communicate with interfaces in other security zones.
# Assign interfaces to security zones.
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name untrust //Add the interface connected to the external
network to the untrusted zone.
[FWA-zone-untrust] set priority 5
[FWA-zone-untrust] add interface gigabitethernet 1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name untrust //Add the interface connected to the external network to
the untrusted zone.
[FWB-zone-untrust] set priority 5
[FWB-zone-untrust] add interface gigabitethernet 1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit

2. Configure security policies.


# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be
automatically backed up to FWB. For details about how to configure hot
backup, see 4.5 Deploying IPSec on Firewalls for Secure Communication
with the Headquarters.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local
zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 10.7.0.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
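The zone assignments and the three security-policy rules above, modelled as an added Python example (this is not Huawei code and not part of this guide). Zone names, priorities, interface assignments, rule names and the 10.6.0.0/24 and 10.7.0.0/24 ranges are taken from the configuration; the matching semantics (rules tried in configuration order, first match wins, unmatched traffic dropped by the default policy) are the usual stateful zone-firewall model and are an assumption here, as is the priority of 100 used for the local zone. Intra-zone forwarding is not modelled. The flows at the bottom are constructed, including one that an Internet client sends to a host the policy never exposed, which the evaluator must deny.

```python
"""Zone-based security-policy evaluation for the FWA/FWB rule set above.

Added example, not Huawei code. Zones, priorities, interface assignments,
rule names and address ranges come from this page; the first-match,
default-deny semantics and the local-zone priority of 100 are assumptions.
Intra-zone forwarding is not modelled: flows matching no rule are denied.
"""
import ipaddress
from dataclasses import dataclass

# Zone priorities as configured on the page; local is the firewall itself.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Interface-to-zone assignment from the page.
INTERFACE_ZONE = {
    "eth-trunk 1": "trust",
    "gigabitethernet 1/0/0": "untrust",
    "gigabitethernet 1/0/3": "dmz",   # heartbeat link between FWA and FWB
}


@dataclass
class Rule:
    name: str
    source_zones: frozenset
    destination_zones: frozenset
    action: str
    source_nets: tuple = ()        # empty tuple means "any"
    destination_nets: tuple = ()

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        if src_zone not in self.source_zones:
            return False
        if dst_zone not in self.destination_zones:
            return False
        if self.source_nets and not any(src_ip in n for n in self.source_nets):
            return False
        if self.destination_nets and not any(dst_ip in n for n in self.destination_nets):
            return False
        return True


def net(cidr):
    return ipaddress.ip_network(cidr)


# The three rules from the page, in configuration order.
POLICY = (
    Rule("policy_dmz", frozenset({"local", "dmz"}), frozenset({"local", "dmz"}), "permit"),
    Rule("trust_to_untrust", frozenset({"trust"}), frozenset({"untrust"}), "permit",
         source_nets=(net("10.6.0.0/24"),)),
    Rule("untrust_to_trust", frozenset({"untrust"}), frozenset({"trust"}), "permit",
         destination_nets=(net("10.7.0.0/24"),)),
)


def zone_of(interface):
    """Zone an interface was added to; an unassigned interface cannot forward."""
    return INTERFACE_ZONE.get(interface.lower())


def direction(src_zone, dst_zone):
    """Inbound when traffic moves from a lower- to a higher-priority zone."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def evaluate(src_zone, dst_zone, src_ip, dst_ip, policy=POLICY):
    """Return (action, rule name); ('deny', None) when no rule matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.action, rule.name
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: an intranet host browsing out, an Internet client
    # reaching the published server, and an Internet client probing a host
    # that no rule exposes (must be denied).
    for flow in (("trust", "untrust", "10.6.0.25", "203.0.113.10"),
                 ("untrust", "trust", "203.0.113.10", "10.7.0.80"),
                 ("untrust", "trust", "203.0.113.10", "10.6.0.25")):
        print(flow, direction(flow[0], flow[1]), evaluate(*flow))
```

The point the evaluator makes visible is that the address conditions are what keep the rules tight: without the `source-address` on trust_to_untrust every trusted host could reach the Internet, and without the `destination-address` on untrust_to_trust the whole trusted zone, not just the 10.7.0.0/24 server segment, would be reachable from outside.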

Step 2 Configure the filtering functions.

1. Configure URL filtering.
# Configure a URL filtering profile.
HRP_M[FWA] profile type url-filter name profile_url_research
HRP_M[FWA-profile-url-filter-profile_url_research] category user-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 15 action allow //Allow users to access search/portal websites.
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 17 action allow //Allow users to access education/science websites.
HRP_M[FWA-profile-url-filter-profile_url_research] quit
# Configure a security policy.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
HRP_M[FWA-policy-security-rule-policy_sec_research] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
2. Configure file filtering.
# Create profile profile_file_user1 to prevent users from uploading
documents, R&D files, and decompressed files as well as downloading
executable files, audios, and videos from the Internet.
HRP_M[FWA] profile type file-block name profile_file_user1
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule1
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name BZ2 Z 7ZIP JAR C CPP JAVA VBS
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] direction upload
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] quit
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule2
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE SYS MDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] direction download
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] quit
HRP_M[FWA-profile-file-block-profile_file_user1] quit
# Configure security policy policy_sec_user1 for traffic from the trusted zone
to the untrusted zone and reference profile profile_file_user1.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_user1
HRP_M[FWA-policy-security-rule-policy_sec_user1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_user1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_user1] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_user1] profile file-block profile_file_user1
HRP_M[FWA-policy-security-rule-policy_sec_user1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_user1] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.

3. Configure data filtering.
# Configure keyword group keyword1.
HRP_M[FWA] keyword-group name keyword1
HRP_M[FWA-keyword-group-keyword1] pre-defined-keyword name confidentiality weight 1
HRP_M[FWA-keyword-group-keyword1] user-defined-keyword name abc
HRP_M[FWA-keyword-group-keyword1-keyword-abc] expression match-mode text "abcd" //Define keyword abcd.
HRP_M[FWA-keyword-group-keyword1-keyword-abc] weight 1
HRP_M[FWA-keyword-group-keyword1-keyword-abc] quit

# Create profile profile_data_research.
HRP_M[FWA] profile type data-filter name profile_data_research
HRP_M[FWA-profile-data-filter-profile_data_research] rule name rule1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] keyword-group name keyword1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] application all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] file-type all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] direction upload
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] action block
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] quit

# Configure security policy policy_sec_research and reference profile profile_data_research.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] profile data-filter profile_data_research
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] quit

# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.
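The three content-security profiles of Step 2 (URL filtering with profile_url_research, file blocking with profile_file_user1, and data filtering with keyword group keyword1 and profile_data_research), modelled together as one added Python example; this is not Huawei code and not part of this guide. Profile names, the category ids 15 and 17, the file-type lists, the keyword names and weights are taken from the page. The URL category table, the hostnames, the regular expression standing in for the pre-defined keyword "confidentiality" (whose real pattern is not on the page), the treatment of uncategorised hosts as blocked, the keyword-group threshold of 1 (the page sets none) and the precedence of user-defined over pre-defined categories are constructed assumptions.

```python
"""Content-security profile evaluation for the trust->untrust policies above.

Added example, not Huawei code. It models the three profiles configured in
Step 2: profile_url_research (URL filtering), profile_file_user1 (file
blocking) and profile_data_research (data filtering). Names, category ids,
file-type lists, keywords and weights come from this page; the category
table, the stand-in regex for "confidentiality", the blocking of unknown
hosts and the keyword threshold of 1 are constructed assumptions.
"""
import re
from dataclasses import dataclass

# --- URL filtering: deny by default, allow only two pre-defined categories.
URL_ALLOWED_PREDEFINED = {15, 17}   # 15 search/portal, 17 education/science
# Constructed categorisation table: host -> (category source, category id).
# 101 is one of the pre-defined ids the configuration file blocks.
URL_CATEGORY_DB = {
    "search.example": ("pre-defined", 15),
    "university.example": ("pre-defined", 17),
    "streaming.example": ("pre-defined", 101),
    "sharing.example": ("user-defined", 1),   # a locally defined category
}


def url_filter(host):
    """Return 'allow' or 'block' for a host under profile_url_research."""
    source, category = URL_CATEGORY_DB.get(host, ("unknown", None))
    if source == "user-defined":
        return "block"              # category user-defined action block
    if category in URL_ALLOWED_PREDEFINED:
        return "allow"              # per-category allow beats the default
    return "block"                  # category pre-defined action block;
                                    # unknown hosts blocked too (assumption)


# --- File blocking: (direction, identified file types, action) per rule.
FILE_BLOCK_RULES = (
    ("upload", frozenset("DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP "
                         "ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB "
                         "BZ2 Z 7ZIP JAR C CPP JAVA VBS".split()), "block"),
    ("download", frozenset("EXE MSI RPM OCX A ELF DLL PE SYS MDI "
                           "MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI".split()), "block"),
)


def file_block(direction, file_type):
    """Verdict for a transferred file; file_type must come from content
    identification (magic bytes), never from the name the client supplies."""
    for rule_direction, types, action in FILE_BLOCK_RULES:
        if direction == rule_direction and file_type.upper() in types:
            return action
    return "allow"


# --- Data filtering: keyword group keyword1 applied to uploads only.
KEYWORD_GROUP = {
    # pre-defined keyword "confidentiality" (weight 1); its real pattern is
    # not on the page, so a plain word match stands in for it here
    "confidentiality": (re.compile(r"\bconfidential\b", re.IGNORECASE), 1),
    # user-defined keyword abc: expression match-mode text "abcd", weight 1
    "abc": (re.compile(r"abcd"), 1),
}
KEYWORD_THRESHOLD = 1   # assumed: the page sets no explicit threshold


def data_filter(direction, text):
    """Return (verdict, weighted hit count); each hit adds its keyword's weight."""
    if direction != "upload":
        return "allow", 0
    score = sum(weight * len(pattern.findall(text))
                for pattern, weight in KEYWORD_GROUP.values())
    return ("block" if score >= KEYWORD_THRESHOLD else "allow"), score


@dataclass
class Transaction:
    direction: str        # "upload" or "download" relative to the intranet user
    host: str             # destination host of the HTTP request
    file_type: str = ""   # identified file type, "" when no file is transferred
    body: str = ""        # text payload available for keyword matching


def inspect(tx):
    """Apply the three profiles as the trust->untrust rules reference them;
    the first profile that blocks decides the verdict."""
    if url_filter(tx.host) == "block":
        return "block", "url-filter profile_url_research"
    if tx.file_type and file_block(tx.direction, tx.file_type) == "block":
        return "block", "file-block profile_file_user1"
    verdict, score = data_filter(tx.direction, tx.body)
    if verdict == "block":
        return "block", f"data-filter profile_data_research (weight {score})"
    return "allow", None


if __name__ == "__main__":
    # Constructed transactions exercising each profile in turn.
    for tx in (Transaction("download", "university.example", "PDF"),
               Transaction("upload", "search.example", "DOCX"),
               Transaction("upload", "search.example", body="draft abcd v2"),
               Transaction("download", "streaming.example", "MP4")):
        print(tx, "->", inspect(tx))
```

Two practical points follow from the model: the file-block rules are only as good as the file-type identification feeding them (a renamed `.docx` must still be recognised as DOCX), and a keyword group with weight-1 keywords and a low threshold blocks on the first hit, so the keyword list decides the false-positive rate.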

Step 3 Configure antivirus and intrusion prevention.

1. Configure antivirus.
When an internal network user attempts to download virus-infected files
using HTTP, the download connection is blocked. When an internal network
user attempts to download a virus-infected mail using POP3, the attachments
in the mail are deleted.
# Configure an antivirus profile for HTTP and POP3.
HRP_M[FWA] profile type av name av_http_pop3
HRP_M[FWA-profile-av-av_http_pop3] http-detect direction download action block
HRP_M[FWA-profile-av-av_http_pop3] pop3-detect action delete-attachment
HRP_M[FWA-profile-av-av_http_pop3] exception application name Netease_Webmail
HRP_M[FWA-profile-av-av_http_pop3] exception av-signature-id 1000
HRP_M[FWA-profile-av-av_http_pop3] quit

# Configure a security policy for traffic from the internal network to the
external network (from the trusted zone to the untrusted zone).
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_av_1
HRP_M[FWA-policy-security-rule-policy_av_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_av_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_av_1] action permit
HRP_M[FWA-policy-security-rule-policy_av_1] profile av av_http_pop3
HRP_M[FWA-policy-security-rule-policy_av_1] quit

2. Configure intrusion prevention.
# Create intrusion prevention profile profile_ips_pc to protect internal
network users.
HRP_M[FWA] profile type ips name profile_ips_pc
HRP_M[FWA-profile-ips-profile_ips_pc] description profile for intranet users
HRP_M[FWA-profile-ips-profile_ips_pc] capture-packet enable
HRP_M[FWA-profile-ips-profile_ips_pc] signature-set name filter1
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] target client
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] severity high
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] quit
HRP_M[FWA-profile-ips-profile_ips_pc] quit

# Commit the configuration.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.

# Configure a security policy for traffic from the trusted zone to the untrusted
zone and reference intrusion prevention profile profile_ips_pc.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_1
HRP_M[FWA-policy-security-rule-policy_sec_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
HRP_M[FWA-policy-security-rule-policy_sec_1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_1] quit

Step 4 Configure DDoS attack defense.

Servers often suffer from SYN flood, UDP flood, and HTTP flood attacks. To ensure
the normal running of the servers, enable the anti-DDoS function on the firewall
to defend against the three types of DDoS attacks.

# Configure anti-DDoS parameters.
HRP_M[FWA] interface GigabitEthernet1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] ddos-mode detect-clean

# Configure the threshold learning function.
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply

# Enable the anti-DDoS function.
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
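The threshold-learning and flood-detection logic of Step 4, as an added Python example that is not Huawei code and not part of this guide. It shows what the commands above set up: a learning phase that records a baseline per protected destination, tolerance-value 100 applied to that baseline, SYN and UDP flood detection against the learned threshold, and HTTP flood detection against the static alert-rate of 2000; in detect-clean mode an alert is what triggers the cleaning actions (source-detect, fingerprint learning) the page enables. The traffic samples and the server address 10.7.0.80 (inside the page's 10.7.0.0/24 server segment) are constructed. Two points are assumptions rather than the device's documented algorithm: the baseline is the peak per-second rate seen in the learning window, and the threshold is baseline multiplied by (1 + tolerance / 100).

```python
"""Threshold learning and flood detection for the server segment in Step 4.

Added example, not Huawei code. Models the learning phase (baseline per
destination and traffic type), the tolerance of 100 applied to it, and
detection of SYN/UDP floods against the learned threshold and HTTP floods
against the static alert-rate 2000. Samples are constructed; the use of the
learning-window peak as baseline and the formula baseline * (1 + tolerance
/ 100) are assumptions, not the device's documented algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass

TOLERANCE_PERCENT = 100        # anti-ddos baseline-learn tolerance-value 100
HTTP_FLOOD_ALERT_RATE = 2000   # anti-ddos http-flood defend alert-rate 2000


@dataclass(frozen=True)
class Sample:
    second: int    # one-second bucket, counted from the start of the capture
    dst: str       # protected destination address
    kind: str      # "syn", "udp" or "http"
    count: int     # packets (requests for http) seen in that second


def learn_baseline(samples):
    """Peak per-second rate per (destination, kind) during the learning window."""
    peak = defaultdict(int)
    for s in samples:
        key = (s.dst, s.kind)
        peak[key] = max(peak[key], s.count)
    return dict(peak)


def apply_thresholds(baseline, tolerance=TOLERANCE_PERCENT):
    """Alert threshold per key; tolerance is a percentage added on top of the peak."""
    return {key: peak * (1 + tolerance / 100) for key, peak in baseline.items()}


def detect(samples, thresholds):
    """Return alerts (second, dst, kind, rate, threshold) for rates above the limit."""
    alerts = []
    for s in samples:
        if s.kind == "http":
            limit = HTTP_FLOOD_ALERT_RATE
        else:
            limit = thresholds.get((s.dst, s.kind))
            if limit is None:
                continue   # nothing learned for this destination/type: no alert,
                           # which is why learning must cover every protected host
        if s.count > limit:
            alerts.append((s.second, s.dst, s.kind, s.count, limit))
    return alerts


# Constructed learning window for the published HTTP server 10.7.0.80.
LEARNING = [
    Sample(0, "10.7.0.80", "syn", 300), Sample(1, "10.7.0.80", "syn", 450),
    Sample(2, "10.7.0.80", "syn", 500), Sample(3, "10.7.0.80", "syn", 420),
    Sample(0, "10.7.0.80", "udp", 800), Sample(1, "10.7.0.80", "udp", 1200),
    Sample(2, "10.7.0.80", "udp", 1000),
]

# Constructed detection window: normal traffic, then a burst of each type.
LIVE = [
    Sample(10, "10.7.0.80", "syn", 900),   Sample(11, "10.7.0.80", "syn", 6000),
    Sample(10, "10.7.0.80", "udp", 2400),  Sample(11, "10.7.0.80", "udp", 9000),
    Sample(10, "10.7.0.80", "http", 1500), Sample(11, "10.7.0.80", "http", 2500),
    Sample(11, "10.7.0.90", "syn", 7000),  # host with no learned baseline
]


def run():
    thresholds = apply_thresholds(learn_baseline(LEARNING))
    return thresholds, detect(LIVE, thresholds)


if __name__ == "__main__":
    thresholds, alerts = run()
    print("thresholds:", thresholds)
    for alert in alerts:
        print("ALERT second=%d dst=%s %s rate=%d > %.0f" % alert)
```

The last sample illustrates the operational caveat: a host that carried no traffic while `baseline-learn` was running has no learned threshold, so floods against it are invisible to the learned part of the defence. Run the learning phase over a window that covers normal peaks for every server, and re-run it after capacity changes, or the learned thresholds will be either too low (false alerts) or too high (missed floods).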

Step 5 Configure traffic policies.

# Configure a traffic profile for P2P and online video services.
HRP_M[FWA] traffic-policy
HRP_M[FWA-policy-traffic] profile profile_p2p
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole both 30000
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FWA-policy-traffic-profile-profile_p2p] quit

# Configure a traffic policy for P2P and online video services.

The following example describes the bandwidth management configuration for BitTorrent
(BT) and YouTube services. You can specify other P2P services as required.
HRP_M[FWA-policy-traffic] rule name policy_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_p2p] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_p2p] application app BT YouKu
HRP_M[FWA-policy-traffic-rule-policy_p2p] action qos profile profile_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] quit

# Configure a traffic profile for email and ERP applications.
HRP_M[FWA-policy-traffic] profile profile_email
HRP_M[FWA-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole both 60000
HRP_M[FWA-policy-traffic-profile-profile_email] quit

# Configure a traffic policy for email and ERP applications.

The following example describes the bandwidth management configuration for Outlook
Web Access (OWA) and Lotus Notes. You can specify other applications as required.
HRP_M[FWA-policy-traffic] rule name policy_email
HRP_M[FWA-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_email] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FWA-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FWA-policy-traffic-rule-policy_email] quit

Step 6 Configure online behavior audit and management.

# Configure an audit profile to audit HTTP, FTP, and mail behaviors.
HRP_M[FWA] profile type audit name profile_audit_1
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url all
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url recorded-title
HRP_M[FWA-profile-audit-profile_audit_1] http-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] ftp-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] http-audit bbs-content
HRP_M[FWA-profile-audit-profile_audit_1] http-audit micro-blog
HRP_M[FWA-profile-audit-profile_audit_1] quit

# Configure an audit policy and reference the audit profile.
HRP_M[FWA] audit-policy
HRP_M[FWA-policy-audit] rule name policy_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] description Policy of auditing for priuser.
HRP_M[FWA-policy-audit-rule-policy_audit_1] source-zone trust
HRP_M[FWA-policy-audit-rule-policy_audit_1] destination-zone untrust
HRP_M[FWA-policy-audit-rule-policy_audit_1] user user-group /default/priuser
HRP_M[FWA-policy-audit-rule-policy_audit_1] action audit profile profile_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] quit

# Commit the configuration.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: Audit submitted configurations successfully.
Info: Finish committing engine compiling.

# Follow-up procedure
By viewing various reports, audit logs, and user activity logs, you can obtain the
online behavior of employees to implement more refined security policy control.

----End

Verifying the Deployment

● Internal network users can access education/science and search/portal
websites, but cannot access other websites.
● Internal network users cannot upload documents, compressed files, and code
files to the Internet, or download executable files and video files from
the Internet.
● When an internal network user sends confidential information to the Internet,
or browses or searches for content that contains prohibited information, the
content is blocked.
● When an internal network user attempts to download virus-infected files
using HTTP, the download connection is blocked.
● When an internal network user attempts to download a virus-infected mail
using POP3, the attachments in the mail are deleted.
● The system blocks attacks such as worms, Trojan horses, and botnets.
● External network users can access the HTTP server on the internal network.
When the server is targeted by a SYN flood, UDP flood, or HTTP flood attack,
the attack is blocked.

Configuration Files
● FWA configuration file
#
sysname FWA
#
interface GigabitEthernet1/0/0
anti-ddos flow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name untrust
set priority 5
add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.7.0.0 mask 255.255.255.0
action permit
rule name policy_av_1
source-zone trust
destination-zone untrust
profile av av_http_pop3
action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
profile ips profile_ips_pc
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile url-filter profile_url_research
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return

● FWB configuration file
#
sysname FWB
#
interface GigabitEthernet1/0/0
anti-ddos flow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.7.0.0 mask 255.255.255.0
action permit
rule name policy_av_1
source-zone trust
destination-zone untrust
profile av av_http_pop3
action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
profile ips profile_ips_pc
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile url-filter profile_url_research
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return
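The security-policy block above is evaluated top down and the first matching rule wins, so a rule only ever inspects traffic that no earlier rule has already permitted. In the configuration as displayed, policy_av_1 permits all trust-to-untrust traffic with no address or user condition, so the IPS, URL filtering, file blocking and data filtering rules listed after it can never be hit, policy_sec_1 is already fully covered by trust_to_untrust, and the name policy_sec_research appears twice. The following Python script is an added example, not a Huawei tool and not part of the original configuration: it parses a security-policy block in the display format shown above (a constructed copy of the trust-to-untrust rules is embedded inline) and reports duplicate rule names and rules that are fully shadowed by an earlier rule whose zones, address ranges and user condition are a superset. It models only the match fields that occur in this configuration (zones, source/destination address with mask, user) and treats a rule without such a line as matching any value, which is how the USG interprets an omitted condition.

```python
"""Audit a Huawei USG-style security-policy block for duplicate names and shadowed rules."""
import ipaddress

# Constructed sample: the trust-to-untrust rules from the configuration file above, in display order.
SAMPLE_POLICY = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name policy_av_1
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  profile ips profile_ips_pc
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile url-filter profile_url_research
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile data-filter profile_data_research
  action permit
"""

def new_rule(name):
    # Empty zones/addresses/users mean "any": a rule with no such line matches every value.
    return {"name": name, "src_zones": set(), "dst_zones": set(),
            "src": [], "dst": [], "users": set(), "profiles": [], "action": ""}

def parse_security_policy(text):
    """Parse 'rule name ...' blocks into dicts, preserving the device's evaluation order."""
    rules, cur = [], None
    for raw in text.splitlines():
        p = raw.split()
        if p[:2] == ["rule", "name"]:
            cur = new_rule(p[2])
            rules.append(cur)
        elif cur is None or not p:
            continue
        elif p[0] in ("source-zone", "destination-zone"):
            cur["src_zones" if p[0] == "source-zone" else "dst_zones"].add(p[1])
        elif p[0] in ("source-address", "destination-address") and p[2] == "mask":
            net = ipaddress.ip_network(f"{p[1]}/{p[3]}", strict=False)
            cur["src" if p[0] == "source-address" else "dst"].append(net)
        elif p[0] == "user":
            cur["users"].add(" ".join(p[1:]))
        elif p[0] == "profile":
            cur["profiles"].append(p[1])
        elif p[0] == "action":
            cur["action"] = p[1]
    return rules

def _nets_cover(outer, inner):
    """An empty list means 'any': it covers everything and is covered only by 'any'."""
    return not outer or (bool(inner) and all(any(i.subnet_of(o) for o in outer) for i in inner))

def covers(a, b):
    """True if every flow that rule b matches would already have matched earlier rule a."""
    return (b["src_zones"] <= a["src_zones"] and b["dst_zones"] <= a["dst_zones"]
            and _nets_cover(a["src"], b["src"]) and _nets_cover(a["dst"], b["dst"])
            and (not a["users"] or (bool(b["users"]) and b["users"] <= a["users"])))

def find_shadowed(rules):
    """(index, name, shadowing index, shadowing name) for each rule that can never be hit."""
    out = []
    for i, r in enumerate(rules):
        for j in range(i):
            if covers(rules[j], r):
                out.append((i, r["name"], j, rules[j]["name"]))
                break
    return out

def find_duplicate_names(rules):
    names = [r["name"] for r in rules]
    return sorted({n for n in names if names.count(n) > 1})

def audit(text):
    rules = parse_security_policy(text)
    return {"rules": [r["name"] for r in rules],
            "duplicate_names": find_duplicate_names(rules),
            "shadowed": find_shadowed(rules)}

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY)
    for i, name, j, by in report["shadowed"]:
        print(f"rule #{i} {name}: never matched, traffic already permitted by #{j} {by}")
    print("duplicate rule names:", report["duplicate_names"])
```

On a live device, entering `rule name policy_sec_research` a second time modifies the existing rule instead of creating another one, so two entries with that name in a saved configuration point to a transcription problem; the checker flags it so the profiles are not assumed to be in effect. For the content-security profiles to apply, either order the profile-carrying rules before the plain permit rules that cover the same traffic, or attach the profiles to the rule that actually permits it.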

8 QoS Deployment

8.1 Key Points of QoS Deployment
8.2 Aggregation Switch: Increasing the Priority of Special Traffic

8.1 Key Points of QoS Deployment

Quality of Service (QoS) provides end-to-end service quality assurance to meet
differentiated service requirements. It helps improve network resource utilization
and allows different types of traffic to compete for network resources based on
their priorities, so that audio, video, and important data applications are processed
preferentially on network devices. QoS is applicable to scenarios where burst
traffic exists and the quality of important services needs to be guaranteed. If
service quality requirements are not met for a long time (for example, the service
traffic volume exceeds the bandwidth limit for a long time), expand the network
capacity or use dedicated devices to control services based on upper-layer
applications.
QoS is used to identify special traffic (such as VoIP, voice, video, and VIP user
traffic) and increase its priority so that it is preferentially scheduled and reliably
forwarded. Based on the services and scale of the campus network, the key points
of QoS deployment for increasing the priority of special traffic are as follows:
● Identify special traffic.
  Identify the characteristics of the special traffic and match the traffic with
  traffic classifiers.
  Identify the interface through which the special traffic passes and the traffic
  direction, to determine where the traffic policy is applied.
● Determine the priority of special traffic.
  Packets transmitted over different networks carry different QoS precedence
  fields: the EXP field on a Multiprotocol Label Switching (MPLS) network, the
  802.1p field in a virtual local area network (VLAN), and the DSCP field on an IP
  network. When the device connects networks of different types, it maps the
  external precedence field (802.1p, MPLS EXP, or DSCP) of each received packet
  to an internal priority, and maps the internal priority back to an external
  priority when it sends the packet. There are eight CoS values, that is, eight
  per-hop behaviors (PHBs): CS7, CS6, EF, AF4, AF3, AF2, AF1, and BE, listed in
  descending order of priority. Select a priority based on the actual requirements
  for packet delay, jitter, and packet loss ratio.

8.2 Aggregation Switch: Increasing the Priority of Special Traffic

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
Before deploying QoS, ensure that the campus network is connected. For details,
see 3 Campus Network Connectivity Deployment.
In this example, the aggregation switch needs to guarantee the bandwidth and
preferentially forward the traffic of the special user (PC1).

Figure 8-1 Aggregation switches functioning as gateways for wired and wireless users
(Figure not reproduced. Topology shown: a server zone, including the RADIUS and DNS servers, is attached to the core layer, where CORE is a CSS. CORE connects to AGG1 over Eth-Trunk 10 and to AGG2 over Eth-Trunk 20 (core-side interfaces shown: XGE1/1/0/1, XGE1/1/0/2, XGE1/2/0/1, XGE2/1/0/1, and XGE2/1/0/2); the aggregation switches' uplinks are XGE0/0/1 and XGE1/0/1. AGG1 connects to ACC1 over Eth-Trunk 30 (AGG1 GE0/0/3 and GE1/0/3 to ACC1 GE0/0/1 and GE0/0/2), and AGG2 connects to ACC2 over Eth-Trunk 40 (AGG2 GE0/0/3 and GE1/0/3 to ACC2 GE0/0/1 and GE0/0/2). At the access layer, ACC1 connects PC1 on GE0/0/3 and AP1 on GE0/0/4, and ACC2 connects PC2 on GE0/0/3 and AP2 on GE0/0/4.)

Device Requirements and Versions

| Location | Device Requirement | Device Used in This Example | Version Used in This Example |
|---|---|---|---|
| Aggregation layer | - | S5731-H | V200R019C10 |

Deployment Roadmap

| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Create an ACL and configure an ACL rule to allow VIP user traffic to pass through. | Aggregation switch |
| 2 | Configure a traffic classifier and reference the ACL rule to classify VIP user traffic into one type. | Aggregation switch |
| 3 | Configure a traffic behavior to re-mark the 802.1p priority of VLAN packets with 5. | Aggregation switch |
| 4 | Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy. | Aggregation switch |
| 5 | Apply the traffic policy to a downlink interface of the aggregation switch to increase the priority of incoming special user traffic. | Aggregation switch |

Data Plan

Table 8-1 VLAN plan

| Device | Item | VLAN ID | Network Segment |
|---|---|---|---|
| AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24 |

Table 8-2 Interface plan

| Item | Interface Number |
|---|---|
| Interface for connecting AGG1 and ACC1 | Eth-Trunk 30 |

Table 8-3 QoS data plan of the aggregation switch

| Item | Description |
|---|---|
| ACL | ACL number: 3000. Rule: the source IP address is 172.16.50.0/0.0.0.255 and the action is permit. |
| QoS | Traffic classifier: reference ACL 3000 in the traffic classifier. Traffic behavior: re-mark the 802.1p priority of VLAN packets with 5. Interface to which the traffic policy is applied: the aggregation switch's downlink interface (Eth-Trunk 30 of AGG1). |

Deployment Precautions
In this example, the special user traffic consists of VLAN packets, so the remark
8021p command is used to re-mark the 802.1p priority of the VLAN packets.
Packets of different types carry different QoS priority fields: VLAN packets carry
802.1p priorities, IP packets carry DSCP priorities, and MPLS packets carry EXP
priorities. To increase the priority of VoIP traffic, run the remark dscp ef command
instead: VoIP traffic is carried in IP packets, and EF is the PHB for traffic that
requires low delay, low jitter, and a low packet loss ratio. Typical EF traffic in
practice is real-time service traffic such as voice, video, and video conferencing.

Deployment Procedure
Step 1 Configure devices at core, aggregation, and access layers to ensure connectivity of
the basic network.
For details, see 3.6 Native AC Solution: Aggregation Switches Function as
Gateways for Wired and Wireless Users.
Step 2 Configure an ACL. Create an ACL and configure an ACL rule to allow special user
traffic to pass through.
<AGG1> system-view
[AGG1] acl 3000
[AGG1-acl-adv-3000] rule permit ip source 172.16.50.0 0.0.0.255 //Allow packets whose source IP address is on the network segment that PC1 belongs to.
[AGG1-acl-adv-3000] quit

Step 3 Configure a traffic classifier and reference the ACL rule to classify special user
traffic into one type.
[AGG1] traffic classifier c1
[AGG1-classifier-c1] if-match acl 3000
[AGG1-classifier-c1] quit

Step 4 Configure a traffic behavior to re-mark 802.1p priorities of VLAN packets with 5.
[AGG1] traffic behavior b1
[AGG1-behavior-b1] remark 8021p 5
[AGG1-behavior-b1] quit

Step 5 Configure a traffic policy and bind the traffic classifier and traffic behavior to the
traffic policy.
[AGG1] traffic policy p1
[AGG1-trafficpolicy-p1] classifier c1 behavior b1
[AGG1-trafficpolicy-p1] quit

Step 6 Apply the traffic policy to a downlink interface of the aggregation switch to
increase the priority of incoming special user traffic.
[AGG1] interface eth-trunk 30 //Eth-Trunk 30 is the downlink interface of the aggregation switch.
[AGG1-Eth-Trunk30] traffic-policy p1 inbound
[AGG1-Eth-Trunk30] quit

----End
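The following Python script is an added example, not part of the original procedure and not Huawei software. It models what steps 2 to 6 do to a frame: a constructed 802.1Q-tagged IPv4 frame is matched against the ACL 3000 condition (source address in 172.16.50.0/24), its 802.1p value is rewritten to 5 as `remark 8021p 5` does, and the output queue it would take is looked up. The queue mapping is an assumption stated in the code: the switch is taken to use its default mappings, in which 802.1p value n, and DSCP values 8n to 8n+7, map to local priority n and to output queue n, with the eight local priorities corresponding to BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7 in the order listed in 8.1. The MAC addresses, the destination address, and the second sample frame are constructed. Note that the classifier trusts the source IP address, so the priority guarantee is only as strong as the anti-spoofing controls (DHCP snooping and IP source guard) at the access edge.

```python
"""Model the aggregation-switch traffic policy: ACL match on source IP -> remark 802.1p -> queue."""
import ipaddress
import struct

# Eight service classes, lowest priority first. Assumption: the device uses its default mapping,
# where 802.1p value n and DSCP values 8n..8n+7 both map to local priority n and output queue n.
PHB_BY_LOCAL_PRIORITY = ["BE", "AF1", "AF2", "AF3", "AF4", "EF", "CS6", "CS7"]

def build_tagged_frame(src_ip, dst_ip, vlan_id, pcp=0, dscp=0):
    """Constructed 802.1Q frame with a minimal IPv4 header (no payload, checksum left zero)."""
    dst_mac = bytes.fromhex("00005e000101")          # constructed addresses, not from the page
    src_mac = bytes.fromhex("00005e000102")
    tci = (pcp << 13) | vlan_id                      # PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, tci, 0x0800) + ip_hdr

def parse_frame(frame):
    """Return (pcp, vlan_id, dscp, src_ip) from a tagged IPv4 frame; raise if it is not one."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or ethertype != 0x0800:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    tos = frame[19]                                  # IPv4 TOS byte: DSCP in the top 6 bits
    src_ip = str(ipaddress.IPv4Address(frame[30:34]))
    return tci >> 13, tci & 0x0FFF, tos >> 2, src_ip

def remark_8021p(frame, pcp):
    """Traffic behavior 'remark 8021p <pcp>': rewrite the PCP bits, keep DEI and VID."""
    tci = struct.unpack("!H", frame[14:16])[0] & 0x1FFF
    return frame[:14] + struct.pack("!H", (pcp << 13) | tci) + frame[16:]

def apply_policy(frame, acl_net="172.16.50.0/24", new_pcp=5):
    """Classifier c1 (ACL 3000: permit ip source 172.16.50.0 0.0.0.255) -> behavior b1 (remark 8021p 5)."""
    _, _, _, src_ip = parse_frame(frame)
    if ipaddress.IPv4Address(src_ip) in ipaddress.ip_network(acl_net):
        return remark_8021p(frame, new_pcp)
    return frame                                     # no match: frame is forwarded unchanged

def egress_queue(frame):
    """Queue a tagged frame takes on the uplink when 802.1p is trusted (default mapping assumed)."""
    pcp, _, _, _ = parse_frame(frame)
    return pcp, PHB_BY_LOCAL_PRIORITY[pcp]

def dscp_queue(dscp):
    """Queue an IP packet takes when DSCP is trusted (default DSCP-to-local-priority mapping assumed)."""
    lp = dscp >> 3
    return lp, PHB_BY_LOCAL_PRIORITY[lp]

if __name__ == "__main__":
    pc1 = build_tagged_frame("172.16.50.10", "192.168.100.2", 50)     # special user in VLAN 50
    other = build_tagged_frame("172.16.30.10", "192.168.100.2", 30)   # ordinary wired user
    for name, f in (("PC1", pc1), ("other", other)):
        marked = apply_policy(f)
        q, phb = egress_queue(marked)
        print(f"{name}: 802.1p={parse_frame(marked)[0]} -> queue {q} ({phb})")
    print("DSCP 46 (EF) ->", dscp_queue(46))
```

Running the script shows the frame from 172.16.50.10 leaving with 802.1p 5 in queue 5 (EF) and the frame from 172.16.30.10 unchanged in queue 0 (BE), which is the behaviour the verification step below checks with display qos queue statistics. dscp_queue(46) shows why the precautions recommend remark dscp ef for VoIP: EF lands in the same queue 5 on an IP hop.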

Verifying the Deployment


Expected Result
The traffic policy is applied successfully, and packets sent by the special user (PC1)
leave the aggregation switch through queue 5 on the outbound interface (uplink
interface of the aggregation switch).
Verification Method
● Run the display traffic-policy applied-record [ policy-name ] command to
check the use records of a specified traffic policy.
[AGG1] display traffic-policy applied-record p1
-------------------------------------------------
Policy Name: p1
Policy Index: 0
Classifier:c1 Behavior:b1
-------------------------------------------------
*interface Eth-Trunk30
traffic-policy p1 inbound
-------------------------------------------------
Policy total applied times: 1.
● Run the display qos queue statistics command to check queue-based traffic
statistics on uplink interfaces (XGE0/0/1 and XGE1/0/1) of the aggregation
switch. XGE0/0/1 is used as an example. Compared with the rate before the
traffic policy is applied, the rate of the packets in queue 5 (Passed Rate(pps))
increases significantly, and the packets are mapped to the correct priority
queue.
[AGG1] display qos queue statistics interface xgigabitethernet 0/0/1 queue 5
------------------------------------------------------------
Queue ID :5
CIR(kbps) :0
PIR(kbps) : 1,000,000
Used Length(byte) : 0
Passed Packets : 15,683,478
Passed Rate(pps) : 5,552
Passed Bytes : 1,631,081,712
Passed Rate(bps) : 4,619,544
Dropped Packets : 0
Dropped Rate(pps) : 0
Dropped Bytes :0
Dropped Rate(bps) : 0
------------------------------------------------------------

Configuration Files
AGG1
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
acl number 3000
rule 5 permit ip source 172.16.50.0 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 3000
#
traffic behavior b1
remark 8021p 5
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
traffic-policy p1 inbound
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
return

9 Campus Network Deployment Practices

9.1 Network Deployment in Small- and Medium-Sized Stores (AR Router Functioning as an Egress Gateway)
9.2 Higher Education Campus Network Deployment (ME60 Used as the Gateway and Authentication Point + Firewall Used as the Egress)
9.3 Deployment of a Subway Bearer Network Featuring High-Speed Self Recovery
9.4 ISP Network Deployment for Internet Access of Home Users and Enterprise Users
9.5 ISP Network Deployment for Integrated Access in Large Enterprises
9.6 ISP Backbone Network Deployment for Mutual Access of Sites in an Enterprise

9.1 Network Deployment in Small- and Medium-Sized Stores (AR Router Functioning as an Egress Gateway)

9.1.1 Application Scenario and Service Requirements

Application Scenario
This case is applicable to a small- or medium-sized store with multiple APs
deployed to provide wireless access. In the store, a small number of wired
terminals are allowed to access the network and about 200 guests access the
network concurrently in peak hours.

Service Requirements
A small- or medium-sized store intends to build a network and has the following
requirements:

1. Guests access the Internet using wireless terminals. There are approximately
200 guests in peak hours.
2. The store provides Internet access and mobile office services for employees
who use wireless and wired terminals. There are around 20 employees in the
store.
3. Wireless terminals can access the Internet only after successful
authentication.

9.1.2 Solution Design


Figure 9-1 shows a recommended networking based on service requirements.

Figure 9-1 Networking of a small- or medium-sized store
(Figure not reproduced. Topology shown: the AR router's GE0/0/0 is the Internet uplink and its GE0/0/2 connects to the switch's GE0/0/12. The switch's GE0/0/11 connects to the AC's GE0/0/1. Switch interfaces GE0/0/1 to GE0/0/8 connect AP1 to AP8 in the guest area; GE0/0/9 connects AP9 and GE0/0/10 connects the PC in the management area.)

● Wired access
Employees can work and access the Internet using wired terminals in the
management area.
In the networking, the S5731-S functions as both a DHCP server to assign IP
addresses to wired terminals and a wired access gateway.
● Wi-Fi coverage
A WLAN covers the guest area and management area. Using wireless
terminals, guests in the guest area can access the Internet and employees in
the management area can work and access the Internet as well.
In the networking, the AC6605 manages wireless services, and APs register
with the AC across a Layer 3 network and forward service data packets in
direct forwarding mode.
The S5731-S functions as a DHCP server to assign IP addresses to all APs and
wireless terminals.
● Network egress
Network address translation (NAT) is configured on the AR6300 to translate
public and private IP addresses.
The AR6300 connects to the Internet through PPPoE dial-up.
● Security
An ACL is configured on the S5731-S to control guest access so that wireless
users in the guest area can access only the Internet but not terminals in the
management area.
The AC6605 manages wireless services. Wireless terminals in the guest area
and management area use WeChat authentication and WPA-WPA2
authentication, respectively.

In this case, eight APs are deployed in the guest area, and one AP and one wired
terminal (PC) are deployed in the management area. Determine the number of APs
and wired terminals in each area as needed.
To prevent interference between APs and ensure optimal WLAN coverage, determine
the positions where APs are to be installed, channel, bandwidth, and cabling solution
according to WLAN Indoor Settled Network Planning Guide before deploying APs.

9.1.3 Deployment Roadmap and Data Plan

Deployment Roadmap
1. Configure the egress router AR6300.
a. Configure PPPoE dialup for Internet access.
b. Configure the LAN.
c. Configure routes.
2. Configure the S5731-S switch.
a. Create VLANs, create VLANIF interfaces, and configure IP addresses for
the VLANIF interfaces.
b. Add VLANs to interfaces on the switch.
c. Enable the DHCP server function. The switch then can assign IP addresses
to APs, and wired and wireless terminals.
d. Configure an ACL to control user access. Guests in the guest area can
access only the Internet. This ensures data security in the management
area.
e. Configure a default static route with the next hop being the IP address of
a downlink interface on the egress router.
3. Configure the AC6605.
a. Configure network interconnection.
b. Configure APs to go online.
c. Configure WLAN services.

Data Plan

Table 9-1 VLAN plan

| Item | Description |
|---|---|
| VLAN 100 | Wireless access management VLAN of the AC, also used for communication between the switch and AC |
| VLAN 102 | VLAN to which APs belong |
| VLAN 103 | VLAN to which uplink interfaces of the switch belong, used for communication between the switch and AR router |
| VLAN 2000 | Wireless access VLAN in the guest area |
| VLAN 2100 | Wireless access VLAN in the management area |
| VLAN 2200 | Wired access VLAN in the management area |

Table 9-2 Interface plan

| Device | Interface Number | VLAN to Which the Interface Belongs | IP Address | Description |
|---|---|---|---|---|
| AR6300 | GE0/0/2 | - | 10.103.1.2/24 | Downlink interface for communicating with the S5731-S |
| AR6300 | GE0/0/0 | - | Negotiated IP address | Uplink egress connected to an external network |
| S5731-S | GE0/0/1 to GE0/0/8 | VLAN 102 and VLAN 2000 | VLANIF 102: 10.102.1.1/24; VLANIF 2000: 192.168.200.1/24 | Interfaces connected to the AP6050DNs in the guest area |
| S5731-S | GE0/0/9 | VLAN 102 and VLAN 2100 | VLANIF 102: 10.102.1.1/24; VLANIF 2100: 192.168.210.1/24 | Interface connected to the AP6050DN in the management area |
| S5731-S | GE0/0/10 | VLAN 2200 | VLANIF 2200: 192.168.220.1/24 | Interface providing access for a wired terminal in the management area |
| S5731-S | GE0/0/11 | VLAN 100 | VLANIF 100: 10.100.1.1/24 | Interface connected to the AC6605 |
| S5731-S | GE0/0/12 | VLAN 103 | VLANIF 103: 10.103.1.1/24 | Interface connected to the AR6300 |
| AC6605 | GE0/0/1 | VLAN 100 | 10.100.1.2/24 | Interface connected to the S5731-S |
Table 9-3 Route plan

| Device | Destination IP Address/Mask | Next Hop/Outbound Interface | Description |
|---|---|---|---|
| AR6300 | 10.102.1.0/24 | 10.103.1.1 | Route destined for APs |
| AR6300 | 192.168.200.0/24 | 10.103.1.1 | Route destined for wireless terminals in the guest area |
| AR6300 | 192.168.210.0/24 | 10.103.1.1 | Route destined for wireless terminals in the management area |
| AR6300 | 192.168.220.0/24 | 10.103.1.1 | Route destined for wired terminals in the management area |
| S5731-S | 0.0.0.0/0.0.0.0 | 10.103.1.2 | Default route |
| AC6605 | 0.0.0.0/0.0.0.0 | 10.100.1.1 | Default route with the next hop being VLANIF 100 of the switch |

Table 9-4 AR6300 data plan

| Item | Data |
|---|---|
| Source NAT policy | Enabled |
| Internet access mode | PPPoE dial-up |
| User name | admin |
| Password | admin@huawei.com |
| LAN gateway address/mask | 10.103.1.2/255.255.255.0 |

Table 9-5 S5731-S data plan

| Item | Data |
|---|---|
| VLAN | VLAN 100, VLAN 102, VLAN 103, VLAN 2000, VLAN 2100, VLAN 2200 |
| IP address | VLANIF 100: 10.100.1.1/24; VLANIF 102: 10.102.1.1/24; VLANIF 103: 10.103.1.1/24; VLANIF 2000: 192.168.200.1/24; VLANIF 2100: 192.168.210.1/24; VLANIF 2200: 192.168.220.1/24 |
| DHCP | Interface address pools: VLANIF 102: 10.102.1.1/24 (for APs), with DHCP server option 43, sub-option 3, ascii 10.100.1.2; VLANIF 2000: 192.168.200.1/24 (for wireless terminals in the guest area); VLANIF 2100: 192.168.210.1/24 (for wireless terminals in the management area); VLANIF 2200: 192.168.220.1/24 (for wired terminals in the management area) |
| DNS server | IP address: 114.114.114.114 |
| ACL | Type: VLAN ACL; VLAN ID: 2000. Rules: (1) source IP address 192.168.200.0/24, destination IP address 192.168.210.0/24, action deny; (2) source IP address 192.168.200.0/24, destination IP address 192.168.220.0/24, action deny |

Table 9-6 AC6605 data plan

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| AC source interface | VLANIF 100: 10.100.1.2/24 |
| Guest Wi-Fi (covering the guest area) | SSID: guest. Authentication mode: WeChat authentication (IP address of the built-in Portal server of the AC: 10.100.1.3; port number of the built-in Portal server of the AC: 1025; default domain name of the WeChat server: api.weixin.qq.com; default port number of the WeChat server: 443). STA service VLAN: VLAN 2000. APs: AP1 to AP8. AP group: ap-group1. STA rate limiting for guests: upstream 1000 kbit/s, downstream 2000 kbit/s |
| Employee Wi-Fi (covering the guest and management areas) | SSID: employee. Authentication mode: WPA-WPA2; authentication password: huawei@123. STA service VLAN: VLAN 2100. AP: AP9. AP groups: ap-group1 and ap-group2 |
| Authentication-free rule | DNS server address: 114.114.114.114 |
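The guest-isolation ACL in Table 9-5 is the control that keeps guest traffic out of the management area, so it is worth checking exactly what its two deny rules cover before the switch is configured. The following Python script is an added example, not part of the original data plan and not Huawei software. It evaluates the two rules, lowest-numbered match first with unmatched packets forwarded (the behaviour of an ACL applied with traffic-filter on S-series switches), against constructed sample flows from one guest address to a representative host in each destination subnet of Tables 9-2 and 9-3, plus the public DNS server and an Internet address. The ACL as listed does not block guest traffic to the AC and switch management subnet (10.100.1.0/24), the AP subnet (10.102.1.0/24), or the switch-to-router link (10.103.1.0/24). The hardened rule list in the script is a constructed variant, not from the document: it keeps the AC's built-in Portal at 10.100.1.3 reachable, which WeChat authentication requires, and then denies the infrastructure subnets.

```python
"""Evaluate the VLAN 2000 guest ACL from Table 9-5 against sample flows and list what it leaves open."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "number action src dst")   # action is "permit" or "deny"
Flow = namedtuple("Flow", "label src dst")

def acl_rule(number, action, src, dst):
    return Rule(number, action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# The two rules Table 9-5 specifies for VLAN 2000. An ACL applied with traffic-filter forwards
# packets that match no rule, so the implicit default at the end is permit.
GUEST_ACL = [
    acl_rule(5, "deny", "192.168.200.0/24", "192.168.210.0/24"),   # guest -> employee Wi-Fi
    acl_rule(10, "deny", "192.168.200.0/24", "192.168.220.0/24"),  # guest -> wired management
]

# Constructed hardened variant (not from the document): keep the AC's built-in Portal (10.100.1.3,
# needed for WeChat authentication) reachable, then deny every infrastructure subnet in the plan.
HARDENED_ACL = [
    acl_rule(5, "permit", "192.168.200.0/24", "10.100.1.3/32"),
    acl_rule(10, "deny", "192.168.200.0/24", "10.100.1.0/24"),      # AC and switch management
    acl_rule(15, "deny", "192.168.200.0/24", "10.102.1.0/24"),      # AP VLAN
    acl_rule(20, "deny", "192.168.200.0/24", "10.103.1.0/24"),      # switch-to-router link
    acl_rule(25, "deny", "192.168.200.0/24", "192.168.210.0/24"),
    acl_rule(30, "deny", "192.168.200.0/24", "192.168.220.0/24"),
]

# Every planned internal subnet (Tables 9-2 and 9-3); decides what counts as "left open".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.100.1.0/24", "10.102.1.0/24", "10.103.1.0/24",
    "192.168.200.0/24", "192.168.210.0/24", "192.168.220.0/24")]

# Constructed sample flows: one guest address to one representative host per destination.
SAMPLE_FLOWS = [
    Flow("guest -> employee Wi-Fi", "192.168.200.23", "192.168.210.5"),
    Flow("guest -> wired PC", "192.168.200.23", "192.168.220.10"),
    Flow("guest -> AC portal", "192.168.200.23", "10.100.1.3"),
    Flow("guest -> AC management", "192.168.200.23", "10.100.1.2"),
    Flow("guest -> AP", "192.168.200.23", "10.102.1.50"),
    Flow("guest -> router LAN side", "192.168.200.23", "10.103.1.2"),
    Flow("guest -> public DNS", "192.168.200.23", "114.114.114.114"),
    Flow("guest -> Internet", "192.168.200.23", "203.0.113.10"),
]

def evaluate(acl, src_ip, dst_ip):
    """Lowest-numbered matching rule wins (match-order config); no match means permit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(acl, key=lambda r: r.number):
        if s in r.src and d in r.dst:
            return r.action
    return "permit"

def reachability(acl, flows=SAMPLE_FLOWS):
    """Map each flow label to the ACL verdict."""
    return {f.label: evaluate(acl, f.src, f.dst) for f in flows}

def left_open(acl, flows=SAMPLE_FLOWS):
    """Sorted labels of flows to internal destinations that the ACL still permits."""
    return sorted(f.label for f in flows
                  if evaluate(acl, f.src, f.dst) == "permit"
                  and any(ipaddress.ip_address(f.dst) in n for n in INTERNAL_NETS))

if __name__ == "__main__":
    for label, verdict in reachability(GUEST_ACL).items():
        print(f"{verdict:6} {label}")
    print("internal destinations reachable from the guest VLAN:", left_open(GUEST_ACL))
    print("after hardening:", left_open(HARDENED_ACL))
```

In the hardened list the permit for 10.100.1.3 carries a lower rule number than the deny for 10.100.1.0/24 because the lower-numbered rule is matched first; swapping the two would break Portal authentication for guests. A production ACL would narrow that exception further to the Portal's TCP port 1025 from Table 9-6, which an advanced ACL can express with a destination-port condition.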

Device Requirements and Versions

Table 9-7 lists the products and their software versions used in this example.

Table 9-7 Products and their software versions

| Product | Software Version |
|---|---|
| AR6300 | V300R019C10 |
| S5731-S | V200R019C10 |
| AC6605 | V200R019C10 |
| AP6050DN | V200R019C00 |

9.1.4 Deployment Procedure

9.1.4.1 Configuring the AR6300

Preparations
Before the configuration, log in to the web system of the AR router using a PC and
perform the following operations:
1. Change the IP address of the PC to 192.168.1.x, for example, 192.168.1.100.
The IP address cannot be set to 192.168.1.1.
2. Connect the PC to the management interface (marked with the Management
silkscreen) of the AR router using Ethernet cables.
3. Access https://192.168.1.1 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.

Procedure
Step 1 Configure PPPoE dialup for Internet access.
1. Choose Configuration > WAN Configuration > Ethernet Interface. The
Interface Configuration tab page is displayed.
2. In the Ethernet Interface Settings area, select the interface for Internet
access, select Broadband dialup (PPPoE) from the Connection mode drop-
down list box, set other parameters, and click OK, as shown in Figure 9-2.

Figure 9-2 WAN configuration for PPPoE dial-up

Step 2 Configure the LAN.


1. Click the Interface Attribute tab. In the Ethernet Interface List area, click
Convert in the operation column of GigabitEthernet0/0/2, and click OK to
configure the interface as a Layer 2 interface.

Figure 9-3 Changing a Layer 3 Interface to a Layer 2 Interface

2. Choose LAN Configuration from the navigation tree.


3. Click LAN (Local Area Network). On the Default Gateway tab page, set the
IP address and subnet mask of the default gateway for user hosts, as shown
in Figure 9-4.

Figure 9-4 Configuring the default gateway

4. Choose Advanced > IP > DHCP. On the DHCP Address Pool tab page, set
DHCP status to OFF, as shown in Figure 9-5.

Figure 9-5 Setting the DHCP status

Step 3 Configure routes.


1. Choose Advanced > IP > Routing. The static route configuration page is
displayed.
2. Expand Static Route, configure route information according to Table 9-8, and
click Add.

Figure 9-6 Configuring a static route

Repeat the preceding steps to configure all required static routes.

Table 9-8 Route information

| Destination Address | Subnet Mask | Next Hop |
|---|---|---|
| 10.102.1.0 | 255.255.255.0 | 10.103.1.1 |
| 192.168.200.0 | 255.255.255.0 | 10.103.1.1 |
| 192.168.210.0 | 255.255.255.0 | 10.103.1.1 |
| 192.168.220.0 | 255.255.255.0 | 10.103.1.1 |

----End

9.1.4.2 Configuring the S5731-S

Preparations
Before the configuration, you need to log in to the web system of the switch using
a PC and perform the following operations.
In this example, all configurations of the S5731-S are performed in traditional
management mode. If the switch is in cloud-based management mode, log in to
the web system of the switch and change the switch to the traditional
management mode.
1. Connect the PC to the first Ethernet interface on the switch using network
cables.
2. Press and hold down the MODE button for at least 6 seconds. When all
indicators on the switch are steady green, the switch enters the initial
configuration mode. In initial configuration mode, the system sets the default
IP address 192.168.1.253/24 for VLANIF 4094 and sets the default level 15 for
the admin user.
3. Configure the PC with an IP address that is on the same subnet as the default
IP address of the switch so that the PC and switch can communicate with
each other at Layer 3.
4. Visit https://192.168.1.253 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.
5. By default, the switch works in traditional management mode. If the switch
works in cloud-based management mode, log in to the switch's web system,
choose Maintenance > System Maintenance > Device Working Mode, set
Device Working Mode to Traditional management mode, and click Apply.

Procedure
Step 1 Create VLANs, create VLANIF interfaces, and configure IP addresses for the VLANIF
interfaces.
1. Create VLAN 102 to which APs belong and configure an IP address for VLANIF
102.
– Choose Configuration > Basic Services > VLAN from the main menu.
The VLAN configuration page is displayed.


– Click Create. The Create VLAN page is displayed.


– Set VLAN ID to 102.
– Select Create VLANIF, set IPv4 address to 10.102.1.1, and set Mask to
24.
Click OK. VLAN 102 is configured.

Figure 9-7 Configuring VLAN 102

2. Create VLAN 100, VLAN 103, VLAN 2000, VLAN 2100, and VLAN 2200 as well
as VLANIF interfaces, and configure IP addresses for the VLANIF interfaces.
The configuration method is similar to that of VLAN 102. Table 9-9 lists the
involved configuration items.

Table 9-9 VLAN configuration items

VLAN ID   | IPv4 Address  | Mask          | VLANIF Description
VLAN 100  | 10.100.1.1    | 255.255.255.0 | Interface connected to the AC
VLAN 103  | 10.103.1.1    | 255.255.255.0 | Uplink interface connected to the AR
VLAN 2000 | 192.168.200.1 | 255.255.255.0 | Wireless access gateway in the guest area
VLAN 2100 | 192.168.210.1 | 255.255.255.0 | Wireless access gateway in the management area
VLAN 2200 | 192.168.220.1 | 255.255.255.0 | Wired access gateway in the management area

Step 2 Add interfaces on the switch to VLANs.


1. Configure interfaces connected to the APs in the guest area.
– Choose Configuration > Basic Services > Interface Settings from the
main menu. The Interface Settings page is displayed.


– Click Customized under Select Task.

Figure 9-8 Customizing interface configurations

– Select interfaces 1 to 8.
– Set Link Type to Trunk, Default VLAN to 102, and Pass VLAN(Tagged)
to 102,2000.

Figure 9-9 Configuring interfaces connected to the APs in the guest area

– Click Apply. The interfaces are configured.


2. Configure interfaces connected to the APs and wired terminals in the
management area as well as interfaces connected to the AC and AR.
The configuration method is similar to that of the interfaces connected to the
APs in the guest area. Table 9-10 lists the involved configuration items.


Table 9-10 Interface configuration items

Interface Description | Task | Interface Number | Configuration
Interface connected to the AC | Customized | 11 | Link Type: Trunk; Default VLAN: 1; Pass VLAN(Tagged): 100
Interface connected to the AR | Customized | 12 | Link Type: Access; Default VLAN: 103
Interface connected to APs in the management area | Customized | 9 | Link Type: Trunk; Default VLAN: 102; Pass VLAN(Tagged): 102 and 2100
Interfaces connected to wired terminals in the management area | Connect to PC | 10 | Default VLAN: 2200

Step 3 Enable the DHCP server function.


1. Configure an IP address pool from which the DHCP server assigns IP
addresses to APs.
– Choose Configuration > Basic Services > DHCP from the main menu.
The DHCP Address Pool page is displayed.
– Set DHCP status to ON. The DHCP function is enabled globally.
– In the Address Pool List area, click Create. The Create DHCP Address
Pool page is displayed.

Figure 9-10 Address pool list

– Set Address pool type to Interface address pool, and select Vlanif102.


Figure 9-11 Interface address pool

– Set Vendor-defined to sub-option, and set 3, ascii, and 10.100.1.2 in
the three text boxes below. This is DHCP Option 43 sub-option 3, which
carries the AC address (10.100.1.2 on VLANIF 100) in ASCII form so that
the APs can locate the AC.

Figure 9-12 Vendor-defined parameter

– Click Advanced, and set the IP address of the primary DNS server to
114.114.114.114.

Figure 9-13 DNS server

– Click OK. The DHCP server function is configured.


2. Configure IP address pools from which the DHCP server assigns IP addresses
to wireless terminals in the guest and management areas and wired terminals
in the management area.

The configuration method is similar to that of the IP address pool from which
the DHCP server assigns IP addresses to APs. Table 9-11 lists the involved
configuration items.

Table 9-11 IP address pools

Description | Type | Interface | Vendor-Defined | Primary DNS Server
Address pool for wireless terminals in the guest area | Interface address pool | Vlanif2000 | - none - | 114.114.114.114
Address pool for wireless terminals in the management area | Interface address pool | Vlanif2100 | - none - | 114.114.114.114
Address pool for wired terminals in the management area | Interface address pool | Vlanif2200 | - none - | 114.114.114.114
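How the vendor-defined value configured in Step 3 reaches the APs, as an added example that is not Huawei code: it builds and parses the DHCP Option 43 field that corresponds to the switch's "dhcp server option 43 sub-option 3 ascii 10.100.1.2" line. The TLV layout (sub-option code, one-byte length, ASCII AC address), the comma-separated form for several ACs, and all helper names are assumptions.

```python
"""DHCP Option 43 as handed to the APs in VLAN 102 (added example).

Models 'dhcp server option 43 sub-option 3 ascii 10.100.1.2' as a
vendor-specific TLV: code 3, one-byte length, AC address in ASCII.
The TLV layout and the comma-separated multi-AC form are assumptions.
"""
import ipaddress

OPTION_VENDOR_SPECIFIC = 43   # DHCP option that carries vendor sub-options
SUBOPT_AC_ADDR_ASCII = 3      # sub-option code used on the page


def encode_ac_suboption(ac_addresses):
    """Return the sub-option TLV for one or more AC addresses."""
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)            # reject malformed input early
    payload = ",".join(ac_addresses).encode("ascii")
    if not payload or len(payload) > 255:
        raise ValueError("sub-option payload must be 1..255 bytes")
    return bytes([SUBOPT_AC_ADDR_ASCII, len(payload)]) + payload


def encode_option43(ac_addresses):
    """Wrap the sub-option in the Option 43 code/length header."""
    body = encode_ac_suboption(ac_addresses)
    return bytes([OPTION_VENDOR_SPECIFIC, len(body)]) + body


def parse_suboptions(raw):
    """Parse a run of sub-option TLVs into {code: value}; reject truncated data."""
    out, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        out[code] = value
        i += 2 + length
    return out


def ac_addresses_from_option43(option):
    """Decode a full Option 43 field and return the AC addresses an AP would use."""
    if len(option) < 2 or option[0] != OPTION_VENDOR_SPECIFIC:
        raise ValueError("not an Option 43 field")
    if option[1] != len(option) - 2:
        raise ValueError("Option 43 length does not match the data present")
    subs = parse_suboptions(option[2:])
    if SUBOPT_AC_ADDR_ASCII not in subs:
        return []                               # AP must fall back to other discovery
    text = subs[SUBOPT_AC_ADDR_ASCII].decode("ascii")
    return [str(ipaddress.IPv4Address(a)) for a in text.split(",")]


if __name__ == "__main__":
    field = encode_option43(["10.100.1.2"])
    print(field.hex())                          # 2b0c030a31302e3130302e312e32
    print(ac_addresses_from_option43(field))    # ['10.100.1.2']
```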

Step 4 Configure an ACL to limit access of wireless end users in the guest area.
1. Choose Configuration > Security Services > ACL from the main menu. The
ACL configuration page is displayed.
2. Click the VLAN ACL tab, set VLAN ID to 2000, and click Add to add an ACL
rule.

Figure 9-14 Configuring an ACL rule

Table 9-12 describes the involved configuration items.

Table 9-12 ACL rules

Source IP Address | Source IP Address Mask | Destination IP Address | Destination IP Address Mask | Protocol Type | Action
192.168.200.1 | 24 (255.255.255.0) | 192.168.210.1 | 24 (255.255.255.0) | ip | Discard
192.168.200.1 | 24 (255.255.255.0) | 192.168.220.1 | 24 (255.255.255.0) | ip | Discard

3. Click Apply. ACL rules are configured.
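What these two rules do and do not block, as an added example that is not Huawei code: it replays the ACL against sample guest flows, including the checks listed in 9.1.5. The rules are taken in the wildcard-mask form the S5731-S stores them in (acl name vlan2000 3999); that a VLAN traffic filter forwards packets matching no rule, and all helper names, are assumptions.

```python
"""Replay the guest-area ACL from Table 9-12 against sample flows (added example).

Rules are tried in number order, the first match decides, and a packet
matching no rule is forwarded (assumed traffic-filter behaviour).
"""
import ipaddress
import re

# Constructed from the page's S5731-S configuration file, not captured output.
ACL_VLAN2000 = """\
acl name vlan2000 3999
 rule 5 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
 rule 10 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(\S+)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?")

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks: 0 bits must match, 1 bits are ignored."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard %s not supported" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)


def parse_acl(text):
    """Turn the CLI listing into rule dicts sorted by rule number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # 'acl name ...' header or blank line
        num, action, proto, sa, sw, da, dw = m.groups()
        rules.append({
            "id": int(num), "action": action, "proto": proto,
            "src": wildcard_to_network(sa, sw) if sa else ANY,
            "dst": wildcard_to_network(da, dw) if da else ANY,
        })
    return sorted(rules, key=lambda r: r["id"])


def filter_decision(rules, src, dst, proto="ip"):
    """Return (action, rule_id); ('permit', None) when no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if s in r["src"] and d in r["dst"]:
            return r["action"], r["id"]
    return "permit", None


def guest_isolation_report(rules):
    """The 9.1.5 checks plus the page's other subnets, from one guest client."""
    guest = "192.168.200.50"              # constructed guest client address
    probes = {
        "mgmt wireless gateway": "192.168.210.1",
        "mgmt wired host": "192.168.220.10",
        "public DNS": "114.114.114.114",
        "AC / portal subnet": "10.100.1.3",
        "AR uplink subnet": "10.103.1.2",
    }
    return {name: filter_decision(rules, guest, ip)[0]
            for name, ip in probes.items()}


if __name__ == "__main__":
    rules = parse_acl(ACL_VLAN2000)
    for name, verdict in guest_isolation_report(rules).items():
        print("%-22s %s" % (name, verdict))
```

The report also makes visible that only the two management subnets are denied: the AC and AR subnets (10.100.1.0/24, 10.103.1.0/24) are forwarded, which the guest portal at 10.100.1.3 relies on, so any other host there needs its own rule if it should not be reachable from the guest VLAN.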

Step 5 Configure a default route.


1. Choose Configuration > Basic Services > Static Routes from the main menu.
The static route configuration page is displayed.
2. Click the IPv4 Static Routes tab, and click Add.
3. Set Destination IP Address, Destination IP Address Mask, and Next Hop
Address.


– Set Destination IP Address to 0.0.0.0.


– Set Destination IP Address Mask to 0.0.0.0.
– Set Next Hop Address to 10.103.1.2.

Click , as shown in Figure 9-15. The default route is configured.

Figure 9-15 Configuring a default route

----End

9.1.4.3 Configuring the AC6605

Preparations

NOTICE
To prevent interference between APs and ensure optimal WLAN coverage,
determine the positions where APs are to be installed, channel, bandwidth, and
cabling solution according to the WLAN Indoor Settled Network Planning Guide
before deploying APs.

● Activate the license on the Huawei ESDP website by binding the activation
password to the ESN of the WLAN AC, that is, the SN on the label. Then
download the generated license file.
● Configure the social media authentication server. For details, see "Example for
Configuring Guest Access Using Social Media Accounts (GooglePlus,
Facebook, or Twitter Accounts)" in the Agile Controller-Campus Product
Documentation.
● Before the configuration, you need to log in to the web system of the WLAN
AC using a PC and perform the following operations:
a. Change the IP address of the wired network port on the PC to
169.254.1.x, such as 169.254.1.100. The IP address cannot be set to
169.254.1.1.
b. Connect the PC to any idle network port on the AC using a network
cable.
c. Visit https://169.254.1.1 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.


Procedure
Step 1 Configure system parameters of the AC.
1. Configure basic AC parameters.
– Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.
– Set Country/Region. The following uses China as an example. Set
System time to Manual and Date and time to PC Time.

– Expand License Loading, import the license file, and activate it.
– Click Next. The Port Configuration page is displayed.
2. Configure ports on the AC.
– Select GigabitEthernet0/0/1, expand Batch Modify, and set Interface
type to Trunk and VLAN (Tagged) to 100.

– Click Apply. In the dialog box that is displayed, click OK.


– Click Next. The Network Interconnection Configuration page is
displayed.
3. Configure network interconnection.
– Click Create under Interface Configuration. The Create Interface
Configuration window is displayed.
– Set the IP address of VLANIF 100 to 10.100.1.2/24.


– Click OK.
– Expand Static Route Table, and then click Create. The Create Static
Route Table dialog box is displayed.
– Configure a default route with the next hop being GE0/0/11 (using IP
address 10.100.1.1) on the switch.

– Click OK.
– Click Next.
– Skip the AC backup configuration and click Next. The AC Source Address
page is displayed.
4. Configure the AC source address.
– Set AC source address to Vlanif100.

– Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
– Confirm the configuration and click Continue With AP Online.

Step 2 Configure APs to go online.


1. Configure APs to go online.
– Click Batch Import. The Batch Import dialog box is displayed.

– Click to download the AP template.


– Enter the information about each AP in the AP template. The items in the
following table are involved.

Item | Description
MAC address of an AP | The parameter must be set according to the actual value.
SN of an AP | The parameter must be set according to the actual value.
AP name | Set this parameter to AP1 to AP9 for each AP in sequence.
AP group | Add AP1 to AP8 deployed in the guest area to ap-group1. Add AP9 deployed in the management area to ap-group2.

▪ You can check the MAC address and SN on the label attached on each AP.
▪ If AP authentication mode is set to MAC address authentication, AP MAC
must be specified and AP SN is optional. If AP authentication mode is set to
SN authentication, AP SN must be specified and AP MAC is optional.
▪ You are advised to use the WLAN Planner to export the planned settings to
a .csv file, such as the radio ID, AP channel, frequency bandwidth, and power,
and then fill the information into the AP template. Set the longitude and
latitude in the template based on your site requirements.

– Click next to Import AP file, select the AP template filled with
planned settings, and click Import.
– After the template is imported, the import result is displayed. Click OK.
– Click Next. The Confirm Configurations page is displayed.
2. Confirm the configuration.
– Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 3 Configure WLAN services.


1. Configure a Wi-Fi network for employees.
– Click Create. The Basic Information page is displayed.


– Set SSID Name to employee and Service VLAN ID to 2100.

– Click Next. The Security Authentication page is displayed.


– Select Key (applicable to personal networks), select AES-TKIP (AES
and TKIP), and configure a key.

– Click Next. The Access Control page is displayed.


– Bind the SSID to the AP groups ap-group1 and ap-group2.

– Click Finish.
2. Configure a Wi-Fi network for guests.
– Click Create. The Basic Information page is displayed.
– Set SSID Name to guest and Service VLAN ID to 2000.


– Click Next. The Security Authentication page is displayed.


– Select WeChat, set Server IP address to 10.100.1.3, set Port number to
1025, and set App ID and App key.

– Click Next. The Access Control page is displayed.


– Bind the SSID to the AP group ap-group1.
– Click Finish.

3. Configure network resources that unauthenticated guests can access when
connecting to the guest SSID.
– Choose Configuration > AP Config > Profile from the main menu. The
Profile Management page is displayed.
– Choose Wireless Service > VAP Profile > guest > Authentication
Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
– Select the authentication-free rule profile default_free_rule.
– Set Control mode to Authentication-free rule.
– Click Create, set Rule ID to 1, and set Destination IP address to the IP
address of the DNS server.


– Click OK.
– Select the created authentication-free rule and click Apply. In the dialog
box that is displayed, click OK.

----End

9.1.5 Verifying the Deployment


1. Verify whether guests in the guest area can access the WLAN and ensure that
the following requirements can be met:
– The WLAN with the SSID guest is available to wireless end users in the
guest area. After the end users are connected to the WLAN, a WeChat
authentication page is pushed to them. Wireless end users can be
authenticated successfully and access the Internet after performing
operations as prompted.
– Wireless terminals in the guest area can obtain IP addresses on the
subnet 192.168.200.0/24 after associating with the SSID guest.
– Wireless end users in the guest area, such as guests using laptops, cannot
ping the wireless access gateway (192.168.210.1) in the management
area.
2. Verify whether employees in the management area can access the Internet
and ensure that the following requirements are met:
– The WLAN with the SSID employee is available to wireless end users in
the management area. End users have access to the Internet after
entering the password huawei@123.
– Wireless terminals in the management area can obtain IP addresses on
the subnet 192.168.210.0/24 after associating with the SSID employee.
– Wired end users in the management area can access the Internet and
obtain IP addresses on the subnet 192.168.220.0/24.
– Wired end users in the management area can ping the wireless access
gateway (192.168.210.1) in the management area.

9.1.6 Configuration Files


AR6300 configuration file
#
dns resolve
dns proxy enable
#
acl name GigabitEthernet0/0/0 2999
rule 5 permit
#
interface Dialer1
link-protocol ppp
ppp chap user admin
ppp chap password cipher %^%#Tj#S%h%p:+J`b#~!2&lFqh79>gVT0<Br@=(H43UN%^%#
ppp pap local-user admin password cipher %^%#qLq_5;^}n*B#['~ii{+.]U)0U\ra`PB\7:ZXL=\I%^%#
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer number 1 autodial
dialer-group 1
nat outbound 2999
#
interface Vlanif1
ip address 10.103.1.2 255.255.255.0
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/2
portswitch
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 10.102.1.0 255.255.255.0 10.103.1.1
ip route-static 192.168.200.0 255.255.255.0 10.103.1.1
ip route-static 192.168.210.0 255.255.255.0 10.103.1.1
ip route-static 192.168.220.0 255.255.255.0 10.103.1.1
#
return

S5731-S configuration file


#
vlan batch 100 102 to 103 2000 2100 2200
#
dhcp enable
#
acl name vlan2000 3999
rule 5 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 10 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
#
interface Vlanif100
ip address 10.100.1.1 255.255.255.0
#
interface Vlanif102
ip address 10.102.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114
dhcp server option 43 sub-option 3 ascii 10.100.1.2
#
interface Vlanif103
ip address 10.103.1.1 255.255.255.0
#
interface Vlanif2000
ip address 192.168.200.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114
#
interface Vlanif2100
ip address 192.168.210.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114
#
interface Vlanif2200
ip address 192.168.220.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2000
#
interface GigabitEthernet0/0/9
port link-type trunk
port trunk pvid vlan 102
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102 2100
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 2200
loopback-detect enable
port description desktop
undo trust 8021p
#
interface GigabitEthernet0/0/11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 103
#
ip route-static 0.0.0.0 0.0.0.0 10.103.1.2
#
traffic-filter vlan 2000 inbound acl name vlan2000
#
return

AC6605 configuration file


#
portal local-server ip 10.100.1.3
portal local-server url 10.100.1.3
portal local-server http port 1025
#
vlan batch 100 2000 2100 2200
#
authentication-profile name guest
portal-access-profile guest
authentication-scheme guest
#
pki realm wechat_pki
#
ssl policy wechat_ssl_policy type client
pki-realm wechat_pki
version tls1.2
undo server-verify enable
prefer-ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256 ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384
#
free-rule-template name default_free_rule
free-rule 1 destination ip 114.114.114.114 mask 255.255.255.255
#
portal-access-profile name guest
portal local-server enable
portal local-server wechat
#
aaa
authentication-scheme guest
authentication-mode none
local-user admin password irreversible-cipher $1a$D[%AQ7aQQ0$z%oZMBn:`%##J2VG6;R&~1n!JTfvI0t`+uH`<K+)$
#
interface Vlanif100
ip address 10.100.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.100.1.1
#
capwap source interface vlanif100
#
wlan
traffic-profile name guest
rate-limit client up 1000
rate-limit client down 2000
security-profile name guest
security-profile name employee
security wpa-wpa2 psk pass-phrase %^%#F)&d'L_r}$$%`O9)#'>O%I*KC<O^!X%kI+6V'HhK%^%# aes-tkip
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
service-vlan vlan-id 2000
ssid-profile guest
security-profile guest
traffic-profile guest
authentication-profile guest
vap-profile name employee
service-vlan vlan-id 2100
ssid-profile employee
security-profile employee
ap-group name ap-group1
radio 0
vap-profile guest wlan 1
vap-profile employee wlan 2
radio 1
vap-profile guest wlan 1
vap-profile employee wlan 2
radio 2
vap-profile guest wlan 1
vap-profile employee wlan 2
ap-group name ap-group2
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
radio 2
vap-profile employee wlan 1
ap-id 0 type-id 30 ap-mac 0046-4b59-1d00 ap-sn 210235449210CB000010
ap-group ap-group1
ap-id 1 type-id 30 ap-mac 0046-4b59-1d10 ap-sn 210235449210CB000011
ap-group ap-group1
ap-id 2 type-id 30 ap-mac 0046-4b59-1d20 ap-sn 210235449210CB000012
ap-group ap-group1
ap-id 3 type-id 30 ap-mac 0046-4b59-1d30 ap-sn 210235449210CB000013
ap-group ap-group1
ap-id 4 type-id 30 ap-mac 0046-4b59-1d40 ap-sn 210235449210CB000014
ap-group ap-group1
ap-id 5 type-id 30 ap-mac 0046-4b59-1d50 ap-sn 210235449210CB000015
ap-group ap-group1
ap-id 6 type-id 30 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000016
ap-group ap-group1
ap-id 7 type-id 30 ap-mac 0046-4b59-1d70 ap-sn 210235449210CB000017
ap-group ap-group1
ap-id 8 type-id 30 ap-mac 0046-4b59-1d80 ap-sn 210235449210CB000018
ap-group ap-group1
ap-id 9 type-id 56 ap-mac 0046-4b59-1d90 ap-sn 210235449210CB000019
ap-group ap-group2
#
portal local-server wechat-authen
public-account appid wxappid123 appsecret %^%#j*I&%ioj`J"HReTI^"y97Zv\9BNh/Z>J;92x%S#)%^%#
wechat-server-ip ssl-policy wechat_ssl_policy
#
return

9.2 Higher Education Campus Network Deployment (ME60 Used as the Gateway and
Authentication Point + Firewall Used as the Egress)

9.2.1 Application Scenario and Service Requirements

Application Scenario
This example describes the broadband remote access server (BRAS) scenario,
where an ME60 functions as a gateway and an authentication point to implement
user access authentication (IPoE access, PPPoE access, and MAC address
authentication). It is applicable to higher education campus networks with large
numbers of users (more than 20,000).


Service Requirements
A higher education campus network needs to implement integrated
authentication on wired and wireless networks in dormitories and teachers' office
areas. The requirements are as follows:

● Access requirements
Both wired and wireless networks are deployed, allowing for access of both
wired and wireless users.
Internal network users can access external networks ISP1 and ISP2 (such as
the Internet and education network), and external network users can access
server resources on the internal network.
● Authentication requirements
Wired and wireless users need to be authenticated before accessing networks.
Wired users are authenticated using PPPoE, wireless users are authenticated
using IPoE, and dumb terminals are authenticated based on their MAC
addresses.
● Network access rights requirements
Wired and wireless users have different accounts and network access rights
based on roles such as students and teachers, as described in Table 9-13.
Student and teacher accounts are managed by a local authentication,
authorization, and accounting (AAA) server, which is used for
authentication, accounting, and authorization. The local AAA server also
functions as an AAA proxy to forward business accounts to the carrier's AAA
server for authentication.

Table 9-13 Network access rights requirements

Account Type | Network Access Mode | Authentication Mode | Network Access Rights | Bandwidth Control
Student account | Wired | PPPoE | Access the campus internal network. | 10 Mbit/s
Student account | Wireless | IPoE | Access the campus internal network. | 10 Mbit/s
Teacher account | Wired | PPPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through the campus network. | Campus internal network: 20 Mbit/s; External network: 50 Mbit/s
Teacher account | Wireless | IPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through the campus network. | Campus internal network: 20 Mbit/s; External network: 50 Mbit/s
Business account | Wired | PPPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through carriers' broadband networks. | Campus internal network: 10 Mbit/s for students and 20 Mbit/s for teachers; External network: 50 Mbit/s
Business account | Wireless | IPoE | Access the campus internal network, and access external networks ISP1 and ISP2 through carriers' broadband networks. | Campus internal network: 10 Mbit/s for students and 20 Mbit/s for teachers; External network: 50 Mbit/s
Dumb terminals, such as printers and fax machines | Wired | MAC address authentication | Access the campus internal network. | 20 Mbit/s

● Accounting requirements
Students and teachers are not charged when accessing the campus internal
network, and are charged when accessing external networks ISP1 and ISP2.
● Security requirements
For network security purposes, network devices need to identify and filter
traffic entering and leaving the campus network.

9.2.2 Solution Design


Networking Diagram
Figure 9-16 shows the networking in which an ME60 functions as a gateway and
an authentication point.


Figure 9-16 Networking in which an ME60 functions as a gateway and an
authentication point

[Networking diagram: ISP1 links to the egress firewall USG6315E_A, which
connects to the ME60; the ME60 connects to the core switch S12708E, which
connects to the aggregation switch S6730-H_A and, below it, the access switch
S5735-L_A; a PC, a laptop, a mobile phone and a dumb terminal in the student
dormitory area attach to S5735-L_A.]


Service Design
● Access requirements design
An ME60 is deployed as a gateway and an authentication point for wired and
wireless users to dynamically assign IP addresses to users and authenticate
them.
All aggregation switches are connected to a core switch S12708E. The
S12708E has the native AC function enabled to manage network-wide APs
and implement wireless network access. The native AC function removes the
need for a hardware AC, reducing investment in network devices.
S5735-L switches are deployed as access switches and are connected to
S6730-H switches at the aggregation layer. 802.1Q in 802.1Q (QinQ) is
configured on access switches to isolate users. Inner VLAN IDs are assigned to
different interfaces in areas; for example, VLANs 2001 to 3500 are assigned to
downlink interfaces of access switches in the student dormitory area and
teaching and office areas. Outer VLAN IDs are assigned to different floors in
different areas; for example, VLANs 101 to 200 are assigned to downlink
interfaces of aggregation switches in the student dormitory area, and VLANs
201 to 400 are assigned to downlink interfaces of aggregation switches in the
teaching and office areas.
The S12708E transparently transmits QinQ packets to the ME60, and the
ME60 terminates the QinQ packets.
The egress firewalls USG6680 function as the egress gateway of the external
network to isolate external networks from the internal network. They are
enabled with network address translation (NAT) to implement
communication between the internal and external networks. Additionally,
they are enabled with intelligent uplink selection to dynamically select
outbound interfaces based on the egress link bandwidth, improving link
resource utilization and user experience.
● Authentication requirements design
As an authentication device, the ME60 provides wired and wireless users with
various authentication modes, including IPoE authentication, PPPoE
authentication, and MAC address authentication.
Users can access external networks only after passing web authentication.
● Network access rights and accounting requirements design
The ME60 is configured with destination address accounting (DAA) to
implement rate limiting and accounting based on different users and
destination addresses.
● Security requirements
Egress firewalls are configured with security policies to filter users' Internet
access packets to prevent users from accessing unauthorized websites, as well
as to monitor and trace user packets.

Device Requirements and Versions


Table 9-14 lists the products and their software versions used in this example.


Table 9-14 Products and their software versions

Product Software Version

S12700E V200R019C10

S6730-H V200R019C10

S5735-L V200R019C10

ME60 V800R008C10

USG6315E V800R007C00

9.2.3 Deployment Roadmap and Data Plan

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure interfaces and VLANs on access switches to enable Layer 2 connectivity. | S5735-L_A and S5735-L_B
2 | Configure interfaces and VLANs on aggregation switches to enable Layer 2 connectivity. |
3 | Configure interfaces, VLANs, IP addresses, and routing on the core switch to enable network connectivity. | S12708E
4 | Enable the Dynamic Host Configuration Protocol (DHCP) on the core switch to assign IP addresses to APs. | S12708E
5 | Configure the WLAN service on the core switch to implement access of wireless users. | S12708E
6 | Configure interfaces, VLANs, IP addresses, and routing on the ME60 to enable network connectivity. | ME60
7 | Configure IPoE access authentication on the ME60 for wireless student and teacher users. | ME60
8 | Configure PPPoE access authentication on the ME60 for wired student and teacher users. | ME60
9 | Configure MAC address authentication on the ME60 for dumb terminals such as printers and fax machines. | ME60
10 | Configure interfaces, IP addresses, and routing on egress firewalls to enable network connectivity. | USG6315E_A and USG6315E_B
11 | Configure the security zone to which each interface belongs on egress firewalls. | USG6315E_A and USG6315E_B
12 | Configure intelligent uplink selection on firewalls to implement load balancing based on link bandwidth. | USG6315E_A and USG6315E_B
13 | Configure hot standby on firewalls. If the active firewall is faulty, the standby firewall can smoothly take over services from the active firewall, ensuring service continuity. | USG6315E_A and USG6315E_B
14 | Configure security policies on firewalls. | USG6315E_A and USG6315E_B
15 | Configure NAT on firewalls so that users on the campus network can access the Internet. | USG6315E_A and USG6315E_B
16 | Configure NAT Server on firewalls so that users on external networks can access the internal HTTP server. | USG6315E_A and USG6315E_B
17 | Enable the smart domain name service (DNS) function on firewalls so that users from different ISPs can obtain addresses on their own ISP networks. | USG6315E_A and USG6315E_B
18 | Configure attack defense and application behavior control on firewalls. | USG6315E_A and USG6315E_B

Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.

Table 9-15 VLAN plan

Device     Item                Description
S5735-L_A  VLAN 600            VLAN to which dumb terminals in the student dormitory area belong
           VLANs 2001 to 3000  Inner VLANs for wired users in the student dormitory area
           VLANs 3001 to 3500  Inner VLANs for wireless users in the student dormitory area
           VLAN 4004           Management VLAN for APs in the student dormitory area
S5735-L_B  VLAN 600            VLAN to which dumb terminals in the teaching and office areas belong
           VLANs 2001 to 3000  Inner VLANs for wired users in the teaching and office areas
           VLANs 3001 to 3500  Inner VLANs for wireless users in the teaching and office areas
           VLAN 4004           Management VLAN for APs in the teaching and office areas
S6730-H_A  VLAN 600            VLAN to which dumb terminals in the student dormitory area belong
           VLANs 101 to 200    Outer VLANs for wired users in the student dormitory area
           VLANs 1601 to 1800  Outer VLANs for wireless users in the student dormitory area
           VLAN 4004           Management VLAN for APs in the student dormitory area
S6730-H_B  VLAN 600            VLAN to which dumb terminals in the teaching and office areas belong
           VLANs 201 to 400    Outer VLANs for wired users in the teaching and office areas
           VLANs 1801 to 2000  Outer VLANs for wireless users in the teaching and office areas
           VLAN 4004           Management VLAN for APs in the teaching and office areas
S12708E    VLAN 600            VLAN to which dumb terminals belong
           VLANs 101 to 400    Outer VLANs for wired users
           VLANs 1601 to 2000  Outer VLANs for wireless users
           VLAN 4010           VLAN to which the core switch's interface connected to the ME60 belongs
           VLAN 4004           Management VLAN for APs

Table 9-16 Interface and IP address plan

Device      Interface Number  IP Address
USG6315E_A  GE1/0/6           172.16.11.1/30
            GE1/0/7           172.16.11.5/30
            GE1/0/1           202.1.1.1/24
            GE1/0/2           202.2.1.2/24
            Loopback 0        172.16.10.1/32
USG6315E_B  GE1/0/6           172.16.11.2/30
            GE1/0/7           172.16.11.9/30
            GE1/0/1           202.1.1.2/24
            GE1/0/2           202.2.1.1/24
            Loopback 0        172.16.10.2/32
ME60        GE1/0/1           172.16.11.6/30
            GE1/0/2           172.16.11.10/30
            GE1/1/1.4010      172.16.11.14/30
            Loopback 0        172.16.10.3/32
S12708E     Loopback 0        172.16.10.4/32
            VLANIF 4010       172.16.11.13/30

Table 9-17 Static route table

Device      Destination Address  Next-Hop IP Address
USG6315E_A  10.253.0.0/17        172.16.11.6/30
            10.253.128.0/17      172.16.11.6/30
            10.254.0.0/17        172.16.11.6/30
            10.254.128.0/17      172.16.11.6/30
            172.16.10.2/32       172.16.11.6/30
            172.16.10.3/32       172.16.11.6/30
            172.16.10.4/32       172.16.11.6/30
            192.168.10.0/24      172.16.11.6/30
USG6315E_B  10.253.0.0/17        172.16.11.10/30
            10.253.128.0/17      172.16.11.10/30
            10.254.0.0/17        172.16.11.10/30
            10.254.128.0/17      172.16.11.10/30
            172.16.10.1/32       172.16.11.10/30
            172.16.10.3/32       172.16.11.10/30
            172.16.10.4/32       172.16.11.10/30
            192.168.10.0/24      172.16.11.10/30
ME60        172.16.10.1/32       172.16.11.5/30
            172.16.10.2/32       172.16.11.9/30
            172.16.10.4/32       172.16.11.13/30
            0.0.0.0/0            172.16.11.5/30
            0.0.0.0/0            172.16.11.9/30
S12708E     172.16.10.1/32       172.16.11.14/30
            172.16.10.2/32       172.16.11.14/30
            172.16.10.3/32       172.16.11.14/30
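An added example, not part of the Huawei document: the Python script below encodes Tables 9-16 and 9-17 and checks the plan the way a reviewer would before the configuration is typed in. Every static next hop must lie on a directly connected subnet of the device that carries the route and must be an address the plan assigns to some device, and a longest-prefix-match trace shows which devices a packet crosses. The device and interface names are the ones in the tables; the user address pools from Tables 9-18 and 9-19 are entered as connected subnets of the ME60 because they terminate on it; the helper names are this example's own.

```python
import ipaddress

# Interface plan, constructed from Table 9-16. The ME60 entries also carry the
# gateway addresses of the user address pools (Tables 9-18 and 9-19), which the
# BAS terminates and which therefore behave like connected networks on it.
INTERFACES = {
    "USG6315E_A": {"GE1/0/6": "172.16.11.1/30", "GE1/0/7": "172.16.11.5/30",
                   "GE1/0/1": "202.1.1.1/24", "GE1/0/2": "202.2.1.2/24",
                   "Loopback 0": "172.16.10.1/32"},
    "USG6315E_B": {"GE1/0/6": "172.16.11.2/30", "GE1/0/7": "172.16.11.9/30",
                   "GE1/0/1": "202.1.1.2/24", "GE1/0/2": "202.2.1.1/24",
                   "Loopback 0": "172.16.10.2/32"},
    "ME60": {"GE1/0/1": "172.16.11.6/30", "GE1/0/2": "172.16.11.10/30",
             "GE1/1/1.4010": "172.16.11.14/30", "Loopback 0": "172.16.10.3/32",
             "pool xuesheng": "10.254.0.1/17", "pool pre-pool": "10.253.0.1/17",
             "pool jiaoshi": "10.254.128.1/17", "pool pre-ppp": "10.253.128.1/17"},
    "S12708E": {"Loopback 0": "172.16.10.4/32", "VLANIF 4010": "172.16.11.13/30"},
}

# Static routes, constructed from Table 9-17: (destination prefix, next hop).
INTERNAL = ["10.253.0.0/17", "10.253.128.0/17", "10.254.0.0/17", "10.254.128.0/17"]
LOOPBACKS = ["172.16.10.1/32", "172.16.10.2/32", "172.16.10.3/32", "172.16.10.4/32"]
STATIC_ROUTES = {
    "USG6315E_A": [(p, "172.16.11.6") for p in INTERNAL + LOOPBACKS[1:] + ["192.168.10.0/24"]],
    "USG6315E_B": [(p, "172.16.11.10") for p in INTERNAL + LOOPBACKS[:1] + LOOPBACKS[2:] + ["192.168.10.0/24"]],
    "ME60": [("172.16.10.1/32", "172.16.11.5"), ("172.16.10.2/32", "172.16.11.9"),
             ("172.16.10.4/32", "172.16.11.13"),
             ("0.0.0.0/0", "172.16.11.5"), ("0.0.0.0/0", "172.16.11.9")],   # two ECMP defaults
    "S12708E": [(p, "172.16.11.14") for p in LOOPBACKS[:3]],
}


def owner_of(address):
    """Device that owns exactly this address in the interface plan, or None."""
    target = ipaddress.ip_address(address)
    for device, ifaces in INTERFACES.items():
        if any(ipaddress.ip_interface(c).ip == target for c in ifaces.values()):
            return device
    return None


def connected_interface(device, address):
    """Interface of device whose (non-/32) subnet contains address, or None."""
    target = ipaddress.ip_address(address)
    for name, cidr in INTERFACES[device].items():
        net = ipaddress.ip_interface(cidr).network
        if net.prefixlen < 32 and target in net:
            return name
    return None


def audit_routes(device):
    """Problems with a device's static routes: a next hop that is not on one of its
    connected subnets, or a next hop that the plan assigns to no device at all."""
    problems = []
    for dest, nh in STATIC_ROUTES[device]:
        if connected_interface(device, nh) is None:
            problems.append(f"{device}: next hop {nh} for {dest} is not on a connected subnet")
        elif owner_of(nh) is None:
            problems.append(f"{device}: next hop {nh} for {dest} belongs to no device in the plan")
    return problems


def lookup(device, address):
    """Longest-prefix match over static and connected routes.
    Returns (prefix, next_hop); next_hop is None for a connected route."""
    target = ipaddress.ip_address(address)
    candidates = [(ipaddress.ip_network(d), nh) for d, nh in STATIC_ROUTES.get(device, [])]
    candidates += [(ipaddress.ip_interface(c).network, None) for c in INTERFACES[device].values()]
    best = None
    for net, nh in candidates:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(device, address, max_hops=8):
    """Device-by-device path from device to address according to the plan."""
    path = [device]
    for _ in range(max_hops):
        if owner_of(address) == device:
            return path
        match = lookup(device, address)
        if match is None:
            return path + ["<no route>"]
        _, nh = match
        if nh is None:                       # destination is on a connected subnet
            return path + [owner_of(address) or "<on-link host>"]
        device = owner_of(nh)
        if device is None:
            return path + [f"<unknown next hop {nh}>"]
        path.append(device)
    return path + ["<loop>"]
```

Run over the tables as given, `audit_routes` reports nothing for any device, `trace("USG6315E_A", "172.16.10.4")` walks firewall, ME60, core switch, and a trace from the core switch to an Internet address ends in `<no route>`: the S12708E carries only the three loopback routes because user traffic reaches the ME60 at Layer 2 and the ME60 holds the default routes.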


Table 9-18 IPoE access plan

Item                              Data
AAA schemes                       ● Authentication schemes: authen and none
                                  ● Accounting schemes: acc and none
RADIUS server                     ● RADIUS server name: radius
                                  ● IP address and port number of the authentication server: 192.168.10.55, 1812
                                  ● IP address and port number of the accounting server: 192.168.10.55, 1813
                                  ● IP addresses of authorization servers: 192.168.10.55, 192.168.10.241
                                  ● Interface of the ME60 for communicating with the RADIUS server: loopback 0
                                  ● Shared key of the RADIUS server: Root@123
Web server                        ● Interface of the ME60 for communicating with the web server: loopback 0
                                  ● IP address and port number of the web server: 192.168.10.53, 50100
Address pool                      ● Name of the IP address pool: xuesheng
                                    – Gateway address: 10.254.0.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.254.0.2 to 10.254.127.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
                                  ● Name of the IP address pool: pre-pool
                                    – Gateway address: 10.253.0.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.253.0.2 to 10.253.127.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
                                  ● Name of the IP address pool: jiaoshi
                                    – Gateway address: 10.254.128.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.254.128.2 to 10.254.255.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
Pre-authentication domain         ● Pre-authentication domain pre-authen, which allows users to access only the web server
                                  ● The authentication scheme none, accounting scheme none, user group pre-web, and IP
                                    address pool pre-pool are bound to the pre-authentication domain.
User control list (UCL) rules     A UCL rule needs to be configured to redirect users in the pre-authentication domain to
                                  the web authentication page.
                                  ● UCL rule: 6010, allowing users to access the authentication server, authorization
                                    server, accounting server, web server, and DNS server
                                  ● UCL rule: 6011, redirecting online users in the user group pre-web to the web
                                    authentication page
Authentication domain             ● The domain name is xs. The authentication scheme authen, accounting scheme acc, RADIUS
                                    server radius, and IP address pool xuesheng are bound to this authentication domain.
                                  ● The domain name is jg. The authentication scheme authen, accounting scheme acc, RADIUS
                                    server template radius, and IP address pool jiaoshi are bound to this authentication
                                    domain.
Broadband access server (BAS)     ● BAS interface number: GE 1/1/1.1001
interfaces                          – BAS interface type: common Layer 2 user interface; pre-authentication domain:
                                      pre-authen; authentication domain: xs
                                    – Authentication mode of the BAS interface: web authentication
                                  ● BAS interface number: GE 1/1/1.1003
                                    – BAS interface type: common Layer 2 user interface; pre-authentication domain:
                                      pre-authen; authentication domain: jg
                                    – Authentication mode of the BAS interface: web authentication
                                  NOTE
                                  Web authentication users are considered unauthorized users before they are
                                  authenticated. Therefore, they cannot obtain IP addresses or access the web
                                  authentication server. This means web authentication cannot be performed on these
                                  users. To resolve this problem, all unauthenticated web authentication users are
                                  assigned to a default domain configured on an interface. This default domain is
                                  called the default pre-authentication domain. Unauthenticated web authentication
                                  users can obtain IP addresses from the pre-authentication domain pre-authen and
                                  access the web authentication server through the network access rights granted to
                                  the pre-authentication domain. After users pass web authentication, they will be
                                  authenticated by the RADIUS server through the authentication domain xs.

Table 9-19 PPPoE access plan

Item                              Data
AAA schemes                       Same as the AAA schemes for IPoE access
RADIUS server                     Same as the RADIUS server for IPoE access
Address pool                      ● Name of the IP address pool: pre-ppp
                                    – Gateway address: 10.253.128.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.253.128.2 to 10.253.255.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
                                  ● Name of the IP address pool: xuesheng
                                    – Gateway address: 10.254.0.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.254.0.2 to 10.254.127.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
                                  ● Name of the IP address pool: jiaoshi
                                    – Gateway address: 10.254.128.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.254.128.2 to 10.254.255.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
User group                        User group pre-ppp, for which a pre-authentication domain is configured
Pre-authentication domain         ● Pre-authentication domain pre-ppp, which allows users to access only the web server
                                  ● The authentication scheme none, accounting scheme none, user group pre-ppp, and IP
                                    address pool pre-ppp are bound to the pre-authentication domain.
UCL rules                         A UCL rule needs to be configured to redirect users in the pre-authentication domain to
                                  the web authentication page.
                                  ● UCL rule: 6012, allowing users to access the authentication server, authorization
                                    server, accounting server, and DNS server
                                  ● UCL rule: 6013, redirecting online users in the user group pre-ppp to the web
                                    authentication page
Authentication domain             Same as the authentication domain for IPoE access
Virtual template interface        Interface number: 1; user authentication mode: auto
BAS interfaces                    ● BAS interface number: GE 1/1/1.1000
                                    – Bound to the virtual template interface 1
                                    – Configure a user-side VLAN. When an interface receives a packet with dual VLAN
                                      tags, the interface removes the VLAN tags and then forwards the packet at Layer 3.
                                    – BAS interface type: common Layer 2 user interface; pre-authentication domain:
                                      pre-ppp; authentication domain: xs
                                    – Authentication mode of the BAS interface: PPP web authentication
                                  ● BAS interface number: GE 1/1/1.1002
                                    – Bound to the virtual template interface 1
                                    – Configure a user-side VLAN. When an interface receives a packet with dual VLAN
                                      tags, the interface removes the VLAN tags and then forwards the packet at Layer 3.
                                    – BAS interface type: common Layer 2 user interface; pre-authentication domain:
                                      pre-ppp; authentication domain: jg
                                    – Authentication mode of the BAS interface: PPP web authentication

Table 9-20 MAC address authentication plan

Item                              Data
AAA schemes                       ● Authentication schemes: mac, authen, and none
                                  ● Accounting schemes: acc and none
RADIUS server                     ● Name of RADIUS servers: mac and radius
                                  ● IP address and port number of the authentication server: 192.168.10.55, 1812
                                  ● IP address and port number of the accounting server: 192.168.10.55, 1813
                                  ● IP addresses of authorization servers: 192.168.10.55, 192.168.10.241
                                  ● Interface of the ME60 for communicating with the RADIUS server: loopback 0
                                  ● Shared key of the RADIUS server: %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
Web server                        Same as the web server for IPoE access
Address pool                      ● Name of the IP address pool: pre-pool
                                    – Gateway address: 10.253.0.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.253.0.2 to 10.253.127.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
                                  ● Name of the IP address pool: jiaoshi
                                    – Gateway address: 10.254.128.1; subnet mask: 255.255.128.0
                                    – Network segment: 10.254.128.2 to 10.254.255.254
                                    – IP addresses of DNS servers: 192.168.10.2, 10.255.57.5
                                    – Lease period: 12 hours
User group                        User group pre-web, for which a pre-authentication domain is configured
Authentication domain (domain to  ● Pre-authentication domain pre-authen, which allows users to access only the web server
which users are redirected after  ● The authentication scheme none, accounting scheme none, user group pre-web, and IP
they fail authentication)           address pool pre-pool are bound to the pre-authentication domain.
UCL rules                         UCL rules need to be configured to redirect users who fail the authentication to the
                                  domain pre-authen and to the web authentication page.
                                  ● UCL rule: 6010, allowing users to access the authentication server, authorization
                                    server, accounting server, web server, and DNS server
                                  ● UCL rule: 6011, redirecting online users in the user group pre-web to the web
                                    authentication page
Pre-authentication domain         The domain name is mac. The authentication scheme mac, accounting scheme acc, RADIUS
                                  server mac, and IP address pool pre-pool are bound to the pre-authentication domain.
                                  MAC address authentication needs to be enabled.
Authentication domain             The domain name is jg. The authentication scheme authen, accounting scheme acc, RADIUS
                                  server radius, and IP address pool jiaoshi are bound to the authentication domain.
BAS interface                     ● BAS interface number: GE 1/1/1.1101
                                  ● BAS interface type: common Layer 2 user interface; pre-authentication domain: mac;
                                    post-authentication domain: jg
                                  ● Authentication mode of the BAS interface: web authentication


Table 9-21 DAA plan

Item                              Data
DAA enablement                    Globally enabling the value-added service function
AAA schemes                       Same as the AAA schemes for IPoE access
RADIUS server                     Same as the RADIUS server for IPoE access
Web server                        Same as the web server for IPoE access
Address pool                      Same as the IP address pool for IPoE access
User groups                       ● User group pre-web, for which a pre-authentication domain is configured
                                  ● User group xuesheng, representing students
                                  ● User group jiaoshi, representing teachers
                                  ● User group shangye, representing business accounts
                                  NOTE
                                  You can configure a user group using any of the following methods:
                                  ● Configure a user group in a domain.
                                  ● Configure a user group using a DAA service policy template.
                                  ● Deliver a user group by a RADIUS server.
                                  The user group configured using a DAA service policy template has the highest
                                  priority, followed by the one delivered by a RADIUS server, and then the one
                                  configured in a domain. In this example, user groups are delivered by the RADIUS
                                  server.
Pre-authentication domain         Same as the pre-authentication domain for IPoE access
UCL rules                         A UCL rule needs to be configured to redirect users in the pre-authentication domain to
                                  the web authentication page.
                                  ● UCL rule: 6010, allowing users to access the authentication server, authorization
                                    server, accounting server, web server, and DNS server
                                  ● UCL rule: 6011, redirecting online users in the user group pre-web to the web
                                    authentication page
                                  ● UCL rule: 6003, allowing teachers to access the campus internal network, RADIUS
                                    server, web server, and DNS server
                                  ● UCL rule: 6005, allowing students to access the campus internal network, RADIUS
                                    server, web server, and DNS server
                                  ● UCL rule: 6001, allowing teachers and students to use business accounts to access
                                    both the campus internal network and external networks, RADIUS server, web server,
                                    and DNS server
QoS profiles                      Names of QoS profiles: 10M, 20M, and 50M
DAA service policy                ● Names of DAA service policies: 10M, 20M, and 50M
                                  ● Accounting mode: none
                                  ● DAA service separation: enabled
                                  ● Tariff level: 1; bound to QoS profiles 10M, 20M, and 50M
Authentication domains            ● The domain name is xs. The authentication scheme authen, accounting scheme acc, RADIUS
                                    server radius, IP address pool xuesheng, DAA service accounting scheme none, and DAA
                                    service policy 10M are bound to this domain.
                                  ● The domain name is jg. The authentication scheme authen, accounting scheme acc, RADIUS
                                    server radius, IP address pool jiaoshi, DAA service accounting scheme none, and DAA
                                    service policy 20M are bound to this domain.
                                  NOTE
                                  The DAA service policy 50M is delivered by a RADIUS server.
BAS interfaces                    Same as the BAS interfaces for IPoE access
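The pre-authentication NOTE in Table 9-18, the fallback for terminals that fail MAC authentication in Table 9-20, and the user-group UCL rules and group-priority NOTE in Table 9-21 describe one access-control state machine on the ME60. The Python model below is an added example, not Huawei code and not the BAS's actual rule engine: domain, user-group and UCL data are constructed from those tables, the destination classes (web portal, RADIUS, DNS, campus, internet) are this example's own labels standing in for the address groups a UCL rule would reference, and a RADIUS Access-Accept is represented as a plain dict of delivered attributes.

```python
from dataclasses import dataclass
from typing import Optional

# Destination classes named by the UCL rules (labels constructed for this example).
PORTAL, RADIUS, DNS, CAMPUS, INTERNET = "web-portal", "radius", "dns", "campus", "internet"

# UCL rules from Tables 9-18 and 9-21: (rule id, user group, destinations, action).
# 6010 lets a not-yet-authenticated user reach only what is needed to log in;
# 6011 sends every other HTTP request from that group to the portal.
UCL_RULES = [
    (6001, "shangye",  {CAMPUS, INTERNET, RADIUS, PORTAL, DNS}, "permit"),
    (6003, "jiaoshi",  {CAMPUS, RADIUS, PORTAL, DNS},           "permit"),
    (6005, "xuesheng", {CAMPUS, RADIUS, PORTAL, DNS},           "permit"),
    (6010, "pre-web",  {RADIUS, PORTAL, DNS},                   "permit"),
    (6011, "pre-web",  {CAMPUS, INTERNET},                      "redirect"),
]

# Domains from Tables 9-18, 9-20 and 9-21. The user groups of xs and jg are
# delivered by RADIUS in this example (Table 9-21 NOTE), so they carry none here.
DOMAINS = {
    "pre-authen": {"group": "pre-web", "pool": "pre-pool", "daa_policy": None},
    "mac":        {"group": None,      "pool": "pre-pool", "daa_policy": None},
    "xs":         {"group": None,      "pool": "xuesheng", "daa_policy": "10M"},
    "jg":         {"group": None,      "pool": "jiaoshi",  "daa_policy": "20M"},
}

# BAS interfaces from Tables 9-18 and 9-20: (pre-authentication domain, authentication domain).
BAS = {
    "GE1/1/1.1001": ("pre-authen", "xs"),
    "GE1/1/1.1003": ("pre-authen", "jg"),
    "GE1/1/1.1101": ("mac", "jg"),
}


@dataclass
class Session:
    user: str
    domain: str
    group: Optional[str]
    pool: str
    daa_policy: Optional[str]
    authenticated: bool


def effective_user_group(domain_group, radius_group=None, template_group=None):
    """Priority from the Table 9-21 NOTE: DAA policy template, then RADIUS, then domain."""
    for candidate in (template_group, radius_group, domain_group):
        if candidate:
            return candidate
    return None


def place_user(user, bas_interface, radius_reply=None):
    """Put a user in the interface's pre-authentication domain or, once RADIUS has
    accepted it (radius_reply holds the delivered attributes), in the authentication domain."""
    pre_name, auth_name = BAS[bas_interface]
    if radius_reply is None:
        pre = DOMAINS[pre_name]
        return Session(user, pre_name, pre["group"], pre["pool"], None, False)
    auth = DOMAINS[auth_name]
    group = effective_user_group(auth["group"], radius_reply.get("user-group"))
    policy = radius_reply.get("daa-policy") or auth["daa_policy"]
    return Session(user, auth_name, group, auth["pool"], policy, True)


def mac_auth(mac, bas_interface, known_macs):
    """Dumb-terminal flow (Table 9-20): a MAC the RADIUS server knows is authorized straight
    into the authentication domain; an unknown one is moved to pre-authen and hits the portal."""
    if mac in known_macs:
        return place_user(mac, bas_interface, known_macs[mac])
    pre = DOMAINS["pre-authen"]
    return Session(mac, "pre-authen", pre["group"], pre["pool"], None, False)


def evaluate(session, destination, protocol="http"):
    """Walk the UCL rules in numeric order; the first rule for the session's user group
    that covers the destination decides. Anything left unmatched is dropped."""
    for rule_id, group, destinations, action in sorted(UCL_RULES):
        if group != session.group or destination not in destinations:
            continue
        if action == "redirect":
            if protocol == "http":
                return (rule_id, "redirect", PORTAL)
            continue                     # only HTTP can be redirected; keep looking
        return (rule_id, "permit", destination)
    return (None, "deny", destination)
```

The model makes the least-privilege property of the NOTE explicit: before authentication a user holds a pre-pool address and can reach only the portal, RADIUS and DNS; HTTP to anything else is redirected, and non-HTTP traffic is simply dropped. After authentication the group delivered by RADIUS, not the domain, decides which UCL rule applies, so a student account and a business account on the same BAS interface end up with different reach, and the same holds for a printer whose MAC the RADIUS server does not know.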

9.2.4 Deployment Procedure

9.2.4.1 Configuring Access Switches (S5735-L)


Step 1 Configure VLANs on S5735-L_A.
# Create VLANs in a batch for users, dumb terminals, and APs in the student
dormitory area, including inner VLANs 2001 to 3000 for wired users, inner VLANs
3001 to 3500 for wireless users, VLAN 600 for dumb terminals, and management
VLAN 4004 for APs.
<S5735-L_A> system-view
[S5735-L_A] vlan batch 600 2001 to 3500 4004

# Add downlink interfaces connected to wired users to inner VLANs, with each
interface being added to a unique VLAN. The following example describes how to
add GE0/0/3 to VLAN 2001.
[S5735-L_A] interface GigabitEthernet 0/0/3
[S5735-L_A-GigabitEthernet0/0/3] port link-type access
[S5735-L_A-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_A-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/3] quit

# Add GE0/0/4 connected to an AP to management VLAN 4004, and enable the
interface to allow packets from service VLANs and the management VLAN to pass
through.
[S5735-L_A] interface GigabitEthernet 0/0/4
[S5735-L_A-GigabitEthernet0/0/4] port link-type trunk
[S5735-L_A-GigabitEthernet0/0/4] port trunk pvid vlan 4004
[S5735-L_A-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5735-L_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
[S5735-L_A-GigabitEthernet0/0/4] port-isolate enable group 1
[S5735-L_A-GigabitEthernet0/0/4] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/4] quit

# Add GE0/0/5 connected to a dumb terminal to VLAN 600.
[S5735-L_A] interface GigabitEthernet 0/0/5
[S5735-L_A-GigabitEthernet0/0/5] port link-type access
[S5735-L_A-GigabitEthernet0/0/5] port default vlan 600
[S5735-L_A-GigabitEthernet0/0/5] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/5] quit

Step 2 Configure an uplink interface on S5735-L_A to allow packets from all service
VLANs and the management VLAN to pass through.
[S5735-L_A] interface GigabitEthernet 0/0/1
[S5735-L_A-GigabitEthernet0/0/1] port link-type trunk
[S5735-L_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5735-L_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
[S5735-L_A-GigabitEthernet0/0/1] quit

Step 3 Configure VLANs on S5735-L_B.
# Create VLANs in a batch for users, dumb terminals, and APs in the teaching and
office areas, including inner VLANs 2001 to 3000 for wired users, inner VLANs
3001 to 3500 for wireless users, VLAN 600 for dumb terminals, and management
VLAN 4004 for APs.
<S5735-L_B> system-view
[S5735-L_B] vlan batch 600 2001 to 3500 4004

# Add downlink interfaces connected to wired users to inner VLANs, with each
interface being added to a unique VLAN. The following example describes how to
add GE0/0/3 to VLAN 2001.
[S5735-L_B] interface GigabitEthernet 0/0/3
[S5735-L_B-GigabitEthernet0/0/3] port link-type access
[S5735-L_B-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_B-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/3] quit

# Add GE0/0/4 connected to an AP to management VLAN 4004, and enable the
interface to allow packets from service VLANs and the management VLAN to pass
through.
[S5735-L_B] interface GigabitEthernet 0/0/4
[S5735-L_B-GigabitEthernet0/0/4] port link-type trunk
[S5735-L_B-GigabitEthernet0/0/4] port trunk pvid vlan 4004
[S5735-L_B-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5735-L_B-GigabitEthernet0/0/4] port trunk allow-pass vlan 3001 to 3500 4004
[S5735-L_B-GigabitEthernet0/0/4] port-isolate enable group 1
[S5735-L_B-GigabitEthernet0/0/4] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/4] quit

# Add GE0/0/5 connected to a dumb terminal to VLAN 600.
[S5735-L_B] interface GigabitEthernet 0/0/5
[S5735-L_B-GigabitEthernet0/0/5] port link-type access
[S5735-L_B-GigabitEthernet0/0/5] port default vlan 600
[S5735-L_B-GigabitEthernet0/0/5] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/5] quit

Step 4 Configure an uplink interface on S5735-L_B to allow packets from all service
VLANs and the management VLAN to pass through.
[S5735-L_B] interface GigabitEthernet 0/0/1
[S5735-L_B-GigabitEthernet0/0/1] port link-type trunk
[S5735-L_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5735-L_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
[S5735-L_B-GigabitEthernet0/0/1] quit

----End

9.2.4.2 Configuring Aggregation Switches (S6730-H)


Step 1 Configure VLANs on S6730-H_A.
# Create VLANs in a batch for users, dumb terminals, and APs in the student
dormitory area, including outer VLANs 101 to 200 for wired users, outer VLANs
1601 to 1800 for wireless users, VLAN 600 for dumb terminals, and management
VLAN 4004 for APs.
<S6730-H_A> system-view
[S6730-H_A] vlan batch 101 to 200 600 1601 to 1800 4004

# Configure outer VLANs for wired and wireless users on downlink interfaces, with
each interface being added to a unique VLAN. Additionally, enable the interfaces
to allow packets from the management VLAN of APs and the VLAN of dumb
terminals to pass through. The following uses XGE1/0/1 as an example to describe
how to configure outer VLAN 101 for wired users and outer VLAN 1601 for
wireless users.
[S6730-H_A] interface XGigabitEthernet 1/0/1
[S6730-H_A-XGigabitEthernet1/0/1] port link-type hybrid
[S6730-H_A-XGigabitEthernet1/0/1] undo port hybrid vlan 1
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid untagged vlan 101 1601
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 101
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
[S6730-H_A-XGigabitEthernet1/0/1] quit

Step 2 Configure an uplink interface on S6730-H_A to allow packets from all service
VLANs and the management VLAN to pass through.
[S6730-H_A] interface XGigabitEthernet 3/0/0
[S6730-H_A-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_A-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_A-XGigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
[S6730-H_A-XGigabitEthernet3/0/0] quit

Step 3 Configure VLANs on S6730-H_B.
# Create VLANs in a batch for users, dumb terminals, and APs in the teaching and
office areas, including outer VLANs 201 to 400 for wired users, outer VLANs 1801
to 2000 for wireless users, VLAN 600 for dumb terminals, and management VLAN
4004 for APs.
<S6730-H_B> system-view
[S6730-H_B] vlan batch 201 to 400 600 1801 to 2000 4004

# Configure outer VLANs for wired and wireless users on downlink interfaces, with
each interface being added to a unique VLAN. Additionally, enable the interfaces
to allow packets from the management VLAN of APs and the VLAN of dumb
terminals to pass through. The following uses XGE1/0/1 as an example to describe
how to configure outer VLAN 201 for wired users and outer VLAN 1801 for
wireless users.
[S6730-H_B] interface XGigabitEthernet 1/0/1
[S6730-H_B-XGigabitEthernet1/0/1] port link-type hybrid
[S6730-H_B-XGigabitEthernet1/0/1] undo port hybrid vlan 1
[S6730-H_B-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
[S6730-H_B-XGigabitEthernet1/0/1] port hybrid untagged vlan 201 1801
[S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 201
[S6730-H_B-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
[S6730-H_B-XGigabitEthernet1/0/1] quit

Step 4 Configure an uplink interface on S6730-H_B to allow packets from all service
VLANs and the management VLAN to pass through.
[S6730-H_B] interface XGigabitEthernet 3/0/0
[S6730-H_B-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_B-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_B-XGigabitEthernet3/0/0] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
[S6730-H_B-XGigabitEthernet3/0/0] quit

----End
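To see what the VLAN stacking in 9.2.4.1 and 9.2.4.2 does to a frame, here is an added Python model that is not part of the Huawei document: it follows a frame from an S5735-L_A user port through the S6730-H_A hybrid and trunk ports to the core switch downlink, using VLAN lists constructed from Table 9-15 and the configuration steps above. `vlan_set` parses the same `a to b` list syntax the CLI uses, and `trunk_mismatch` is the check a reviewer runs on the two ends of every trunk: the set it returns should be empty, and a stray VLAN ID on one side shows up immediately.

```python
def vlan_set(spec):
    """Parse a Huawei-style VLAN list such as '600 2001 to 3500 4004' into a set of ints."""
    tokens = spec.split()
    vlans = set()
    i = 0
    while i < len(tokens):
        low = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(low, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(low)
            i += 1
    return vlans


# Student dormitory path, constructed from Table 9-15 and the configuration steps.
ACCESS_UPLINK = vlan_set("600 2001 to 3500 4004")             # S5735-L_A GE0/0/1, trunk
STACKING = [("2001 to 3000", 101), ("3001 to 3500", 1601)]    # S6730-H_A XGE1/0/1, vlan-stacking
AGG_DOWNLINK_TAGGED = vlan_set("600 4004")                    # S6730-H_A XGE1/0/1, hybrid tagged
AGG_UPLINK = vlan_set("101 to 200 600 1601 to 1800 4004")     # S6730-H_A XGE3/0/0, trunk
CORE_DOWNLINK = vlan_set("101 to 200 600 1601 to 1800 4004")  # S12708E XGE4/0/1, trunk


def outer_vlan_for(inner_vlan, stacking=STACKING):
    """Outer tag the aggregation port stacks onto a frame with this inner tag, or None."""
    for inner_range, outer in stacking:
        if inner_vlan in vlan_set(inner_range):
            return outer
    return None


def frame_from_access(inner_vlan):
    """Follow a frame tagged inner_vlan from the access uplink to the core downlink.
    Returns the tag stack as it arrives at the core ([outer, inner] when stacked,
    [vlan] when passed through tagged) or a string saying where and why it is dropped."""
    if inner_vlan not in ACCESS_UPLINK:
        return f"dropped at S5735-L_A GE0/0/1: VLAN {inner_vlan} not allowed"
    outer = outer_vlan_for(inner_vlan)
    if outer is not None:
        tags = [outer, inner_vlan]          # QinQ: the core only ever sees the outer tag
    elif inner_vlan in AGG_DOWNLINK_TAGGED:
        tags = [inner_vlan]                 # AP management and dumb-terminal VLANs pass tagged
    else:
        return f"dropped at S6730-H_A XGE1/0/1: VLAN {inner_vlan} neither stacked nor tagged"
    if tags[0] not in AGG_UPLINK:
        return f"dropped at S6730-H_A XGE3/0/0: VLAN {tags[0]} not allowed"
    if tags[0] not in CORE_DOWNLINK:
        return f"dropped at S12708E XGE4/0/1: VLAN {tags[0]} not allowed"
    return tags


def trunk_mismatch(side_a, side_b):
    """VLANs allowed on only one end of a trunk; an empty set means both ends agree."""
    return side_a ^ side_b
```

Every wired user behind this access switch arrives at the core with outer tag 101 and keeps its own inner tag, so the outer VLAN identifies the access switch and the inner VLAN the user port; the ME60 BAS interface terminates the double tags (Table 9-19 describes the removal of dual VLAN tags on the user-side VLAN). Because the core never switches on the inner tag, the allow-lists on the aggregation uplink and the core downlink must be identical, which is exactly what `trunk_mismatch` verifies.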

9.2.4.3 Configuring the Core Switch (S12708E)

Step 1 Set the NAC mode to unified so that users can connect to the network properly.
<S12708E> system-view
[S12708E] authentication unified-mode

By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.

Step 2 Create VLANs in a batch, including outer VLANs 101 to 400 for wired users, outer
VLANs 1601 to 2000 for wireless users, VLANs 3001 to 3500 for wireless services,
VLAN 600 for dumb terminals, management VLAN 4004 for APs, and VLAN 4010
for connecting to the ME60.
[S12708E] vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010

Step 3 Add uplink and downlink interfaces to VLANs.
# Configure downlink interfaces. XGE4/0/1 connects to S6730-H_A and allows only the
outer VLANs planned for the student dormitory area (101 to 200 and 1601 to 1800);
XGE4/0/2 connects to S6730-H_B and allows those planned for the teaching and
office areas (201 to 400 and 1801 to 2000).
[S12708E] interface XGigabitEthernet 4/0/1
[S12708E-XGigabitEthernet4/0/1] port link-type trunk
[S12708E-XGigabitEthernet4/0/1] undo port trunk allow-pass vlan 1
[S12708E-XGigabitEthernet4/0/1] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
[S12708E-XGigabitEthernet4/0/1] port-isolate enable group 1
[S12708E-XGigabitEthernet4/0/1] quit
[S12708E] interface XGigabitEthernet 4/0/2
[S12708E-XGigabitEthernet4/0/2] port link-type trunk
[S12708E-XGigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
[S12708E-XGigabitEthernet4/0/2] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
[S12708E-XGigabitEthernet4/0/2] port-isolate enable group 1
[S12708E-XGigabitEthernet4/0/2] quit

# Configure an uplink interface.
[S12708E] interface XGigabitEthernet 5/0/7
[S12708E-XGigabitEthernet5/0/7] port link-type trunk
[S12708E-XGigabitEthernet5/0/7] undo port trunk allow-pass vlan 1
[S12708E-XGigabitEthernet5/0/7] port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
[S12708E-XGigabitEthernet5/0/7] quit

Step 4 Configure IP addresses for interfaces.
[S12708E] interface Vlanif 4010
[S12708E-Vlanif4010] ip address 172.16.11.13 30
[S12708E-Vlanif4010] quit
[S12708E] interface LoopBack0
[S12708E-LoopBack0] ip address 172.16.10.4 32
[S12708E-LoopBack0] quit

Step 5 Configure static routes to firewalls and the ME60, with the next-hop address being
172.16.11.14.
[S12708E] ip route-static 172.16.10.1 32 172.16.11.14
[S12708E] ip route-static 172.16.10.2 32 172.16.11.14
[S12708E] ip route-static 172.16.10.3 32 172.16.11.14

Step 6 Configure the S12708E as a DHCP server to assign IP addresses to APs.

# Configure the switch as a DHCP server to assign IP addresses to APs from the IP
address pool on VLANIF 4004.
[S12708E] dhcp enable
[S12708E] interface Vlanif4004
[S12708E-Vlanif4004] ip address 10.250.0.1 20
[S12708E-Vlanif4004] arp-proxy enable
[S12708E-Vlanif4004] arp-proxy inner-sub-vlan-proxy enable
[S12708E-Vlanif4004] dhcp select interface
[S12708E-Vlanif4004] quit

# Configure the AC's source interface.
[S12708E] capwap source interface vlanif4004

Step 7 Configure APs to go online.

# Create an AP group to which APs with the same configurations will be added.
[S12708E] wlan
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[S12708E-wlan-view] regulatory-domain-profile name domain1
[S12708E-wlan-regulate-domain-domain1] country-code cn
[S12708E-wlan-regulate-domain-domain1] quit
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[S12708E-wlan-ap-group-ap-group1] quit

# Import an AP offline and add the AP to the AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know
where the AP is deployed from its name. For example, name the AP with MAC
address acf9-703e-ad00 as area_1 if it is deployed in area 1.
[S12708E-wlan-view] ap auth-mode mac-auth
[S12708E-wlan-view] ap-id 0 ap-mac acf9-703e-ad00
[S12708E-wlan-ap-0] ap-name area_1
[S12708E-wlan-ap-0] ap-group ap-group1
[S12708E-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online properly.
[S12708E-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
-----------------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------------------------
0 acf9-703e-ad00 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S -
-----------------------------------------------------------------------------------------------------------------------
Total: 1

Step 8 Configure WLAN service parameters.

# Create security profile wlan-security. The security policy is left at its
default, open, because access control for wireless users is enforced by web
authentication on the ME60 (see 9.2.4.4).
[S12708E-wlan-view] security-profile name wlan-security
[S12708E-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[S12708E-wlan-view] ssid-profile name wlan-ssid
[S12708E-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[S12708E-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile new-vap-traffic-1, and enable user isolation at Layer 2
and communication at Layer 3.
[S12708E-wlan-view] traffic-profile name new-vap-traffic-1
[S12708E-wlan-traffic-prof-new-vap-traffic-1] user-isolate l2
[S12708E-wlan-traffic-prof-new-vap-traffic-1] quit

# Create VAP profile wlan-vap, set the service data forwarding mode and service
VLAN, and bind the security profile and SSID profile to the VAP profile.
[S12708E-wlan-view] vap-profile name wlan-vap
[S12708E-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[S12708E-wlan-vap-prof-wlan-vap] service-vlan vlan-id 3001
[S12708E-wlan-vap-prof-wlan-vap] security-profile wlan-security
[S12708E-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[S12708E-wlan-vap-prof-wlan-vap] traffic-profile name new-vap-traffic-1
[S12708E-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[S12708E-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[S12708E-wlan-ap-group-ap-group1] quit

Step 9 Configure channels and power for the AP radios.

The automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when the two functions are disabled.
The channel and power settings for the AP radios in this example are for reference only. In
practice, configure the channel and power of AP radios based on the actual country code
and network planning.

# Disable automatic channel and power calibration functions, and configure
channel and power for the AP radios.
[S12708E-wlan-view] rrm-profile name default
[S12708E-wlan-rrm-prof-default] calibrate auto-channel-select disable
[S12708E-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[S12708E-wlan-rrm-prof-default] quit
[S12708E-wlan-view] ap-id 0
[S12708E-wlan-ap-0] radio 0
[S12708E-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12708E-wlan-radio-0/0] eirp 127
[S12708E-wlan-radio-0/0] quit
[S12708E-wlan-ap-0] radio 1
[S12708E-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12708E-wlan-radio-0/1] eirp 127
[S12708E-wlan-radio-0/1] quit
[S12708E-wlan-ap-0] quit

----End

9.2.4.4 Configuring the ME60

Step 1 Configure IP addresses for interfaces.
<ME60> system-view
[~ME60] interface gigabitethernet 1/0/1
[~ME60-GigabitEthernet1/0/1] ip address 172.16.11.6 255.255.255.252
[*ME60-GigabitEthernet1/0/1] undo shutdown
[*ME60-GigabitEthernet1/0/1] commit
[~ME60-GigabitEthernet1/0/1] quit
[~ME60] interface gigabitethernet 1/0/2
[~ME60-GigabitEthernet1/0/2] ip address 172.16.11.10 255.255.255.252
[*ME60-GigabitEthernet1/0/2] undo shutdown
[*ME60-GigabitEthernet1/0/2] commit
[~ME60-GigabitEthernet1/0/2] quit
[~ME60] interface gigabitethernet 1/1/1.4010
[*ME60-GigabitEthernet1/1/1.4010] vlan-type dot1q 4010
[*ME60-GigabitEthernet1/1/1.4010] ip address 172.16.11.14 255.255.255.252
[*ME60-GigabitEthernet1/1/1.4010] commit
[~ME60-GigabitEthernet1/1/1.4010] quit
[~ME60] interface LoopBack0
[*ME60-LoopBack0] ip address 172.16.10.3 32
[*ME60-LoopBack0] commit
[~ME60-LoopBack0] quit

Step 2 Configure static routes to firewalls and the S12700.

[~ME60] ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
[*ME60] ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
[*ME60] ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
[*ME60] commit

Step 3 Enable IPoE access to provide IPoE access authentication for wireless student and
teacher users on the campus network. As the gateway and authentication device,
the ME60 assigns private IP addresses to wireless users who are successfully
authenticated and grants them network access rights accordingly. Users can
access external networks only after passing web authentication.
1. Configure AAA schemes.
# Configure authentication scheme authen, which the authentication domains xs and jg reference.
[~ME60] aaa
[~ME60-aaa] http-redirect enable
[*ME60-aaa] authentication-scheme authen
[*ME60-aaa-authen-authen] authentication-mode radius
[*ME60-aaa-authen-authen] commit
[~ME60-aaa-authen-authen] quit

# Configure an accounting scheme.
[~ME60-aaa] accounting-scheme acc
[*ME60-aaa-accounting-acc] accounting-mode none
[*ME60-aaa-accounting-acc] accounting interim interval 15
[*ME60-aaa-accounting-acc] commit
[~ME60-aaa-accounting-acc] quit
[~ME60-aaa] quit

2. Configure a RADIUS server.
[~ME60] radius-server source interface LoopBack0
[~ME60] radius-server group radius
[*ME60-radius-radius] radius-server authentication 192.168.10.55 1812 weight 0
[*ME60-radius-radius] radius-server accounting 192.168.8.249 1813 weight 0
[*ME60-radius-radius] radius-server type standard
[*ME60-radius-radius] radius-server shared-key-cipher %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
[*ME60-radius-radius] commit
[~ME60-radius-radius] quit

3. Configure RADIUS authorization servers.
[~ME60] radius-server authorization 192.168.10.55 shared-key-cipher Root@123
[~ME60] radius-server authorization 192.168.10.241 shared-key-cipher Root@123

4. Configure a web server.
[~ME60] web-auth-server source interface LoopBack0
[~ME60] web-auth-server 192.168.10.53 port 50100 key cipher Root@123

5. Configure IP address pools.
# Configure IP address pool xuesheng.
[~ME60] ip pool xuesheng bas local
[*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
[*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
[*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-xuesheng] lease 0 12 0
[*ME60-ip-pool-xuesheng] commit
[~ME60-ip-pool-xuesheng] quit

# Configure IP address pool pre-pool, which the pre-authentication domains reference.
[~ME60] ip pool pre-pool bas local
[*ME60-ip-pool-pre-pool] gateway 10.253.0.1 255.255.128.0
[*ME60-ip-pool-pre-pool] section 0 10.253.0.2 10.253.127.254
[*ME60-ip-pool-pre-pool] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-pre-pool] lease 0 12 0
[*ME60-ip-pool-pre-pool] commit
[~ME60-ip-pool-pre-pool] quit

# Configure IP address pool jiaoshi.
[~ME60] ip pool jiaoshi bas local
[*ME60-ip-pool-jiaoshi] gateway 10.254.128.1 255.255.128.0
[*ME60-ip-pool-jiaoshi] section 0 10.254.128.2 10.254.255.254
[*ME60-ip-pool-jiaoshi] excluded-ip-address 10.254.128.2 10.254.129.254
[*ME60-ip-pool-jiaoshi] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-jiaoshi] lease 0 12 0
[*ME60-ip-pool-jiaoshi] commit
[~ME60-ip-pool-jiaoshi] quit

6. Configure user group pre-web.
[~ME60] user-group pre-web

7. Configure domains.
# Configure domain pre-authen as the pre-authentication domain for web
authentication.
[~ME60] aaa
[~ME60-aaa] domain pre-authen
[*ME60-aaa-domain-pre-authen] user-group pre-web
[*ME60-aaa-domain-pre-authen] authentication-scheme none
[*ME60-aaa-domain-pre-authen] accounting-scheme none
[*ME60-aaa-domain-pre-authen] ip-pool pre-pool
[*ME60-aaa-domain-pre-authen] web-server 192.168.10.53
[*ME60-aaa-domain-pre-authen] web-server url http://192.168.10.53/help/help.html
[*ME60-aaa-domain-pre-authen] commit
[~ME60-aaa-domain-pre-authen] quit

# Configure domain xs as an authentication domain for web authentication.
[~ME60-aaa] domain xs
[*ME60-aaa-domain-xs] user-group pre-web
[*ME60-aaa-domain-xs] authentication-scheme authen
[*ME60-aaa-domain-xs] accounting-scheme acc
[*ME60-aaa-domain-xs] ip-pool xuesheng
[*ME60-aaa-domain-xs] value-added-service account-type none
[*ME60-aaa-domain-xs] value-added-service policy 10m
[*ME60-aaa-domain-xs] radius-server group radius
[*ME60-aaa-domain-xs] quota-out online
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
# Configure domain jg as an authentication domain for web authentication.
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] user-group pre-web
[*ME60-aaa-domain-jg] authentication-scheme authen
[*ME60-aaa-domain-jg] accounting-scheme acc
[*ME60-aaa-domain-jg] ip-pool jiaoshi
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] radius-server group radius
[*ME60-aaa-domain-jg] quota-out online
[~ME60-aaa-domain-jg] quit
[~ME60-aaa] quit
8. Configure UCLs.
[~ME60] acl 6010
[*ME60-acl-ucl-6010] rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6010] rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6010] rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6010] rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
[*ME60-acl-ucl-6010] rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
[*ME60-acl-ucl-6010] commit
[~ME60-acl-ucl-6010] quit
[~ME60] acl 6011
[*ME60-acl-ucl-6011] rule 5 permit tcp source user-group pre-web destination-port eq www
[*ME60-acl-ucl-6011] rule 10 permit tcp source user-group pre-web destination-port eq 8080
[*ME60-acl-ucl-6011] rule 20 permit ip source user-group pre-web
[*ME60-acl-ucl-6011] commit
[~ME60-acl-ucl-6011] quit
9. Configure a traffic policy.
[~ME60] traffic classifier 6010 operator or
[*ME60-classifier-6010] if-match acl 6010
[*ME60-classifier-6010] commit
[~ME60-classifier-6010] quit
[~ME60] traffic classifier 6011 operator or
[*ME60-classifier-6011] if-match acl 6011
[*ME60-classifier-6011] commit
[~ME60-classifier-6011] quit
[~ME60] traffic behavior 6010
[*ME60-behavior-6010] permit
[*ME60-behavior-6010] commit
[~ME60-behavior-6010] quit
[~ME60] traffic behavior 6011
[*ME60-behavior-6011] http-redirect
[*ME60-behavior-6011] commit
[~ME60-behavior-6011] quit
[~ME60] traffic policy traffic-policy-1
[*ME60-trafficpolicy-traffic-policy-1] share-mode
[*ME60-trafficpolicy-traffic-policy-1] classifier 6010 behavior 6010
[*ME60-trafficpolicy-traffic-policy-1] classifier 6011 behavior 6011
[*ME60-trafficpolicy-traffic-policy-1] commit
[~ME60-trafficpolicy-traffic-policy-1] quit
[~ME60] traffic-policy traffic-policy-1 inbound
[~ME60] traffic-policy traffic-policy-1 outbound
10. Configure BAS interfaces.
[~ME60] interface gigabitethernet1/1/1.1001
[*ME60-GigabitEthernet1/1/1.1001] description xuesheng-web
[*ME60-GigabitEthernet1/1/1.1001] user-vlan 3001 3500 qinq 1601 1800
[*ME60-GigabitEthernet1/1/1.1001-vlan-3001-3500-QinQ-1601-1800] quit
[*ME60-GigabitEthernet1/1/1.1001] bas
[*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
[*ME60-GigabitEthernet1/1/1.1001-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1001-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1001-bas] commit
[~ME60-GigabitEthernet1/1/1.1001-bas] quit
[~ME60-GigabitEthernet1/1/1.1001] quit
[~ME60] interface gigabitethernet1/1/1.1003
[*ME60-GigabitEthernet1/1/1.1003] description jiaoshi-web
[*ME60-GigabitEthernet1/1/1.1003] user-vlan 3001 3500 qinq 1801 2000
[*ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] commit
[~ME60-GigabitEthernet1/1/1.1003-vlan-3001-3500-QinQ-1801-2000] quit
[~ME60-GigabitEthernet1/1/1.1003] bas
[*ME60-GigabitEthernet1/1/1.1003-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
[*ME60-GigabitEthernet1/1/1.1003-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1003-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1003-bas] commit
[~ME60-GigabitEthernet1/1/1.1003-bas] quit
[~ME60-GigabitEthernet1/1/1.1003] quit

Step 4 Enable PPPoE access to provide PPPoE access authentication for wired student and
teacher users on the campus network. As the gateway and authentication device,
the ME60 sends user names and passwords to the RADIUS server for
authentication, and assigns IP addresses to users after they are successfully
authenticated.
The following describes only the PPPoE access configuration for students. For
details about how to configure AAA schemes, a RADIUS server, and authentication
domains, see the IPoE access configuration.
1. Configure IP address pools.
# Configure IP address pool xuesheng.
[~ME60] ip pool xuesheng bas local
[*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
[*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
[*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-xuesheng] lease 0 12 0
[*ME60-ip-pool-xuesheng] commit
[~ME60-ip-pool-xuesheng] quit
# Configure IP address pool pre-ppp.
[~ME60] ip pool pre-ppp bas local
[*ME60-ip-pool-pre-ppp] gateway 10.253.128.1 255.255.128.0
[*ME60-ip-pool-pre-ppp] section 0 10.253.128.2 10.253.255.254
[*ME60-ip-pool-pre-ppp] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-pre-ppp] lease 0 12 0
[*ME60-ip-pool-pre-ppp] commit
[~ME60-ip-pool-pre-ppp] quit
2. Configure user group pre-ppp.
[~ME60] user-group pre-ppp
3. Configure pre-authentication domain pre-ppp.
[~ME60] aaa
[~ME60-aaa] domain pre-ppp
[*ME60-aaa-domain-pre-ppp] user-group pre-ppp
[*ME60-aaa-domain-pre-ppp] authentication-scheme none
[*ME60-aaa-domain-pre-ppp] accounting-scheme none
[*ME60-aaa-domain-pre-ppp] ip-pool pre-ppp
[*ME60-aaa-domain-pre-ppp] web-server 192.168.10.55
[*ME60-aaa-domain-pre-ppp] web-server url http://192.168.10.55/help/help.html
[*ME60-aaa-domain-pre-ppp] commit
[~ME60-aaa-domain-pre-ppp] quit
[~ME60-aaa] quit
4. Configure UCLs.
[~ME60] acl 6012
[*ME60-acl-ucl-6012] rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6012] rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6012] rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6012] commit
[~ME60-acl-ucl-6012] quit
[~ME60] acl 6013
[*ME60-acl-ucl-6013] rule 5 permit tcp source user-group pre-ppp destination-port eq www
[*ME60-acl-ucl-6013] rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
[*ME60-acl-ucl-6013] rule 20 deny ip source user-group pre-ppp
[*ME60-acl-ucl-6013] commit
[~ME60-acl-ucl-6013] quit

5. Configure a traffic policy.
[~ME60] traffic classifier 6012 operator or
[*ME60-classifier-6012] if-match acl 6012
[*ME60-classifier-6012] commit
[~ME60-classifier-6012] quit
[~ME60] traffic classifier 6013 operator or
[*ME60-classifier-6013] if-match acl 6013
[*ME60-classifier-6013] commit
[~ME60-classifier-6013] quit
[~ME60] traffic behavior 6012
[*ME60-behavior-6012] permit
[*ME60-behavior-6012] commit
[~ME60-behavior-6012] quit
[~ME60] traffic behavior 6013
[*ME60-behavior-6013] http-redirect
[*ME60-behavior-6013] commit
[~ME60-behavior-6013] quit
[~ME60] traffic policy traffic-policy-1
[*ME60-trafficpolicy-traffic-policy-1] share-mode
[*ME60-trafficpolicy-traffic-policy-1] classifier 6012 behavior 6012
[*ME60-trafficpolicy-traffic-policy-1] classifier 6013 behavior 6013
[*ME60-trafficpolicy-traffic-policy-1] commit
[~ME60-trafficpolicy-traffic-policy-1] quit
[~ME60] traffic-policy traffic-policy-1 inbound
[~ME60] traffic-policy traffic-policy-1 outbound

6. Configure a virtual template.
[~ME60] interface virtual-template 1
[*ME60-Virtual-Template1] ppp authentication-mode auto
[*ME60-Virtual-Template1] commit
[~ME60-Virtual-Template1] quit

7. Configure a virtual Ethernet interface.
[~ME60] interface GigabitEthernet1/1/1.1000
[*ME60-GigabitEthernet1/1/1.1000] pppoe-server bind virtual-template 1
[*ME60-GigabitEthernet1/1/1.1000] description xuesheng-ppp
[*ME60-GigabitEthernet1/1/1.1000] user-vlan 2001 3000 qinq 101 200
[*ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] commit
[~ME60-GigabitEthernet1/1/1.1000-vlan-2001-3000-QinQ-101-200] quit

8. Configure a BAS interface.
[~ME60-GigabitEthernet1/1/1.1000] bas
[*ME60-GigabitEthernet1/1/1.1000-bas] access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
[*ME60-GigabitEthernet1/1/1.1000-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1000-bas] authentication-method ppp web
[*ME60-GigabitEthernet1/1/1.1000-bas] commit
[~ME60-GigabitEthernet1/1/1.1000-bas] quit
[~ME60-GigabitEthernet1/1/1.1000] quit

Step 5 Configure MAC address authentication for dumb terminals such as printers and
fax machines. MAC address authentication is used to simplify web authentication.
When MAC address authentication is configured, a web authentication user only
needs to enter the user name and password at the first authentication, and the
RADIUS server records the user's MAC address. Upon the next web authentication
of the user, the RADIUS server performs authentication based on the user's MAC
address, removing the need to enter the user name and password again.
The following describes only the configuration of MAC address authentication. For
details about how to configure AAA schemes, a RADIUS server, a web server, IP
address pools, and UCL rules, see the IPoE and PPPoE access configurations.
1. In the AAA view, configure the ME60 to use the MAC address carried in access
request packets as the pure user name.
[~ME60] aaa
[~ME60-aaa] default-user-name include mac-address -
[*ME60-aaa] default-password cipher Root@123
[*ME60-aaa] authentication-scheme mac
[*ME60-aaa-authen-mac] authening authen-fail online authen-domain pre-authen
[*ME60-aaa-authen-mac] commit
[~ME60-aaa-authen-mac] quit
[~ME60-aaa] quit

2. Configure RADIUS server group mac.
[~ME60] radius-server group mac
[*ME60-radius-mac] radius-server authentication 192.168.10.55 1812 weight 0
[*ME60-radius-mac] radius-server accounting 192.168.10.55 1813 weight 0
[*ME60-radius-mac] radius-server shared-key-cipher Root@123
[*ME60-radius-mac] commit
[~ME60-radius-mac] quit

3. Enable MAC address authentication in the MAC address authentication
domain mac, and bind the RADIUS server group mac and authentication
profile mac to this domain.
[~ME60] aaa
[~ME60-aaa] domain mac
[*ME60-aaa-domain-mac] radius-server group mac
[*ME60-aaa-domain-mac] authentication-scheme mac
[*ME60-aaa-domain-mac] accounting-scheme acc
[*ME60-aaa-domain-mac] ip-pool pre-pool
[*ME60-aaa-domain-mac] mac-authentication enable
[*ME60-aaa-domain-mac] commit
[~ME60-aaa-domain-mac] quit
[~ME60-aaa] quit

4. Configure a pre-authentication domain, post-authentication domain, and
authentication method on a BAS interface.
[~ME60] interface GigabitEthernet1/1/1.1101
[*ME60-GigabitEthernet1/1/1.1101] description mac-web
[*ME60-GigabitEthernet1/1/1.1101] user-vlan 600
[*ME60-GigabitEthernet1/1/1.1101-vlan-600-600] commit
[~ME60-GigabitEthernet1/1/1.1101-vlan-600-600] quit
[~ME60-GigabitEthernet1/1/1.1101] bas
[*ME60-GigabitEthernet1/1/1.1101-bas] access-type layer2-subscriber default-domain pre-authentication mac authentication jg
[*ME60-GigabitEthernet1/1/1.1101-bas] dhcp session-mismatch action offline
[*ME60-GigabitEthernet1/1/1.1101-bas] authentication-method web
[*ME60-GigabitEthernet1/1/1.1101-bas] commit
[~ME60-GigabitEthernet1/1/1.1101-bas] quit
[~ME60-GigabitEthernet1/1/1.1101] quit

Step 6 Configure DAA with different tariff levels to control bandwidth based on the
destination addresses of user traffic. You can configure different bandwidths for
students, teachers, business users, and dumb terminals to access the campus internal
network, for example, 10 Mbit/s for students, 20 Mbit/s for teachers, and 20 Mbit/s
for dumb terminals. Bind business accounts to teacher or student accounts on the
campus network, and configure a bandwidth of 50 Mbit/s for students and teachers
to access external networks.

The following describes only the DAA configuration. For details about how to
configure AAA schemes, a RADIUS server, and a web server, see the IPoE access
configuration.

1. Enable the value-added service function.
[~ME60] value-added-service enable

2. Configure user groups.
[~ME60] user-group xuesheng
[~ME60] user-group jiaoshi
[~ME60] user-group shangye

3. Configure value-added service policies.
# Configure UCL 6001.
[~ME60] acl number 6001
[*ME60-acl-ucl-6001] rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6001] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6001] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6001] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
[*ME60-acl-ucl-6001] commit
[~ME60-acl-ucl-6001] quit

# Configure UCL 6003.
[~ME60] acl number 6003
[*ME60-acl-ucl-6003] rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6003] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6003] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6003] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
[*ME60-acl-ucl-6003] commit
[~ME60-acl-ucl-6003] quit

# Configure UCL 6005.
[~ME60] acl number 6005
[*ME60-acl-ucl-6005] rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
[*ME60-acl-ucl-6005] rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
[*ME60-acl-ucl-6005] rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
[*ME60-acl-ucl-6005] rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
[*ME60-acl-ucl-6005] commit
[~ME60-acl-ucl-6005] quit

# Configure traffic classifier 6001.
[~ME60] traffic classifier 6001 operator or
[*ME60-classifier-6001] if-match acl 6001
[*ME60-classifier-6001] commit
[~ME60-classifier-6001] quit
# Configure traffic classifier 6003.
[~ME60] traffic classifier 6003 operator or
[*ME60-classifier-6003] if-match acl 6003
[*ME60-classifier-6003] commit
[~ME60-classifier-6003] quit
# Configure traffic classifier 6005.
[~ME60] traffic classifier 6005 operator or
[*ME60-classifier-6005] if-match acl 6005
[*ME60-classifier-6005] commit
[~ME60-classifier-6005] quit
# Configure DAA traffic behavior 6001.
[~ME60] traffic behavior 6001
[*ME60-behavior-6001] tariff-level 1
[*ME60-behavior-6001] car
[*ME60-behavior-6001] traffic-statistic
[*ME60-behavior-6001] commit
[~ME60-behavior-6001] quit
# Configure DAA traffic behavior 6003.
[~ME60] traffic behavior 6003
[*ME60-behavior-6003] tariff-level 1
[*ME60-behavior-6003] car
[*ME60-behavior-6003] traffic-statistic
[*ME60-behavior-6003] commit
[~ME60-behavior-6003] quit
# Configure DAA traffic behavior 6005.
[~ME60] traffic behavior 6005
[*ME60-behavior-6005] tariff-level 1
[*ME60-behavior-6005] car
[*ME60-behavior-6005] traffic-statistic
[*ME60-behavior-6005] commit
[~ME60-behavior-6005] quit
# Configure DAA traffic policy traffic_policy_daa.
[~ME60] traffic policy traffic_policy_daa
[*ME60-trafficpolicy-traffic_policy_daa] share-mode
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6003 behavior 6003
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6005 behavior 6005
[*ME60-trafficpolicy-traffic_policy_daa] commit
[~ME60-trafficpolicy-traffic_policy_daa] quit
# Apply the DAA traffic policy traffic_policy_daa globally.
[~ME60] accounting-service-policy traffic_policy_daa
4. Configure QoS profiles.
[~ME60] qos-profile 10M
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard inbound
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard outbound
[*ME60-qos-profile-10M] quit
[*ME60] qos-profile 20M
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard inbound
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard outbound
[*ME60-qos-profile-20M] quit
[*ME60] qos-profile 50M
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard inbound
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard outbound
[*ME60-qos-profile-50M] commit
[~ME60-qos-profile-50M] quit
5. Configure DAA service policies.
[~ME60] value-added-service policy 10m daa
[*ME60-vas-policy-10m] accounting-scheme none
[*ME60-vas-policy-10m] traffic-separate enable
[*ME60-vas-policy-10m] tariff-level 1 qos-profile 10M
[*ME60-vas-policy-10m] quit
[*ME60] value-added-service policy 20m daa
[*ME60-vas-policy-20m] accounting-scheme none
[*ME60-vas-policy-20m] traffic-separate enable
[*ME60-vas-policy-20m] tariff-level 1 qos-profile 20M
[*ME60-vas-policy-20m] quit
[*ME60] value-added-service policy 50m daa
[*ME60-vas-policy-50m] accounting-scheme none
[*ME60-vas-policy-50m] traffic-separate enable
[*ME60-vas-policy-50m] tariff-level 1 qos-profile 50M
[*ME60-vas-policy-50m] commit
[~ME60-vas-policy-50m] quit
6. Configure domains.
[~ME60] aaa
[~ME60-aaa] domain xs
[*ME60-aaa-domain-xs] value-added-service account-type none
[*ME60-aaa-domain-xs] value-added-service policy 10m
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] commit
[~ME60-aaa-domain-jg] quit
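
The pre-authentication walled garden of Step 3 (UCL 6010/6011) and Step 4 (UCL 6012/6013) and the DAA classification of Step 6 (UCL 6001/6003/6005) can be checked offline with the following model. It is an added example written for this section, not Huawei code: it re-implements the user-group ACL matching in Python under the first-match semantics stated in its docstring, which are an assumption, and the subscriber and external addresses used as sample traffic (10.253.0.10, 203.0.113.10) are constructed.

```python
"""Offline model of the ME60 UCL / traffic-policy matching used in this section.
Assumed semantics, not verified on a device: UCL rules are tried in ascending
rule-number order, classifiers in the order bound to the policy, the first hit
decides, and a matching deny rule discards the packet whatever the behavior."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

def _ip(s: str) -> int:
    # The CLI writes a host wildcard as a bare "0"; accept that and dotted form.
    return int(IPv4Address(s)) if "." in s else int(s)

def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: 1 bits are 'don't care', 0 bits must match."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return _ip(addr) & care == _ip(base) & care

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_group: Optional[str] = None  # user-group of the sending subscriber, if any
    dst_group: Optional[str] = None  # user-group of the receiving subscriber, if any
    proto: str = "ip"                # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:  # one "rule <n> permit|deny ..." line of a UCL (acl 6000-9999)
    number: int
    action: str
    proto: str = "ip"
    src_group: Optional[str] = None            # source user-group <name>
    src_ip: Optional[Tuple[str, str]] = None   # source ip-address <addr> <wildcard>
    dst_group: Optional[str] = None            # destination user-group <name>
    dst_ip: Optional[Tuple[str, str]] = None   # destination ip-address <addr> <wildcard>
    dst_port: Optional[int] = None             # destination-port eq <port>

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src_group is None or p.src_group == self.src_group)
                and (self.dst_group is None or p.dst_group == self.dst_group)
                and (self.src_ip is None or in_wildcard(p.src_ip, *self.src_ip))
                and (self.dst_ip is None or in_wildcard(p.dst_ip, *self.dst_ip))
                and (self.dst_port is None or p.dst_port == self.dst_port))

def apply_policy(policy, p: Packet) -> str:
    """policy: ordered (ucl_rules, behavior) pairs as bound by 'classifier X behavior X'."""
    for rules, behavior in policy:
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(p):
                return "discard" if rule.action == "deny" else behavior
    return "forward"  # no classifier hit: ordinary forwarding

# Step 3, items 8-9: walled garden for IPoE users that have not yet passed web authentication.
UCL_6010 = [Rule(n, "permit", src_group="pre-web", dst_ip=(ip, "0")) for n, ip in
            [(3, "192.168.10.2"), (6, "192.168.10.53"), (7, "192.168.10.55"),
             (10, "192.168.10.241"), (15, "10.255.57.5")]]
UCL_6011 = [Rule(5, "permit", "tcp", src_group="pre-web", dst_port=80),
            Rule(10, "permit", "tcp", src_group="pre-web", dst_port=8080),
            Rule(20, "permit", src_group="pre-web")]
# Step 4, items 4-5: the PPPoE variant closes the garden with a final deny rule instead.
UCL_6012 = [Rule(n, "permit", src_group="pre-ppp", dst_ip=(ip, "0")) for n, ip in
            [(5, "192.168.10.55"), (6, "192.168.10.53"), (15, "192.168.10.2")]]
UCL_6013 = [Rule(5, "permit", "tcp", src_group="pre-ppp", dst_port=80),
            Rule(10, "permit", "tcp", src_group="pre-ppp", dst_port=8080),
            Rule(20, "deny", src_group="pre-ppp")]
TRAFFIC_POLICY_1 = [(UCL_6010, "permit"), (UCL_6011, "http-redirect"),
                    (UCL_6012, "permit"), (UCL_6013, "http-redirect")]

def pre_auth_action(group, dst_ip, proto="ip", dst_port=None, user_ip="10.253.0.10"):
    """Fate of one upstream packet from a subscriber still in a pre-authentication group."""
    pkt = Packet(user_ip, dst_ip, src_group=group, proto=proto, dst_port=dst_port)
    return apply_policy(TRAFFIC_POLICY_1, pkt)  # user_ip default is a constructed sample

# Step 6, item 3: DAA classifiers with symmetric rules towards the campus address ranges.
CAMPUS = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
          ("192.168.0.0", "0.0.255.255")]

def daa_ucl(group):
    """UCL 6001/6003/6005 pattern: rules 5/15/25 group -> campus, rules 10/20/30 campus -> group."""
    rules, n = [], 5
    for net in CAMPUS:
        rules.append(Rule(n, "permit", src_group=group, dst_ip=net))
        rules.append(Rule(n + 5, "permit", src_ip=net, dst_group=group))
        n += 10
    return rules

# Only 6003 and 6005 are bound in traffic_policy_daa; both map to tariff-level 1, which the
# domain's value-added-service policy then ties to qos-profile 10M (xs) or 20M (jg).
TRAFFIC_POLICY_DAA = [(daa_ucl("jiaoshi"), "tariff-level 1"), (daa_ucl("xuesheng"), "tariff-level 1")]

def daa_tariff(group, user_ip, peer_ip, upstream=True):
    """Tariff level hit by one packet, or None when DAA leaves it to the domain's default rate."""
    pkt = (Packet(user_ip, peer_ip, src_group=group) if upstream
           else Packet(peer_ip, user_ip, dst_group=group))
    hit = apply_policy(TRAFFIC_POLICY_DAA, pkt)
    return None if hit == "forward" else hit
```

Evaluating the same non-HTTP packet for a pre-web and a pre-ppp subscriber makes the difference between the final permit of UCL 6011 and the final deny of UCL 6013 visible before either policy is applied to live subscribers.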

----End

9.2.4.5 Configuring Firewalls (USG6315E)

Step 1 Configure interfaces.
# Configure interfaces on USG6315E_A.
<USG6315E_A> system-view
[USG6315E_A] interface loopback 0
[USG6315E_A-LoopBack0] ip address 172.16.10.1 32
[USG6315E_A-LoopBack0] quit
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] ip address 202.1.1.1 24
[USG6315E_A-GigabitEthernet1/0/1] gateway 202.1.1.254
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] ip address 202.2.1.2 24
[USG6315E_A-GigabitEthernet1/0/2] gateway 202.2.1.254
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_A] interface gigabitethernet 1/0/6
[USG6315E_A-GigabitEthernet1/0/6] ip address 172.16.11.1 30
[USG6315E_A-GigabitEthernet1/0/6] quit
[USG6315E_A] interface gigabitethernet 1/0/7
[USG6315E_A-GigabitEthernet1/0/7] ip address 172.16.11.5 30
[USG6315E_A-GigabitEthernet1/0/7] quit

# Configure interfaces on USG6315E_B.
<USG6315E_B> system-view
[USG6315E_B] interface loopback 0
[USG6315E_B-LoopBack0] ip address 172.16.10.2 32
[USG6315E_B-LoopBack0] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] ip address 202.1.1.2 24
[USG6315E_B-GigabitEthernet1/0/1] gateway 202.1.1.254
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] ip address 202.2.1.1 24
[USG6315E_B-GigabitEthernet1/0/2] gateway 202.2.1.254
[USG6315E_B-GigabitEthernet1/0/2] quit
[USG6315E_B] interface gigabitethernet 1/0/6
[USG6315E_B-GigabitEthernet1/0/6] ip address 172.16.11.2 30
[USG6315E_B-GigabitEthernet1/0/6] quit
[USG6315E_B] interface gigabitethernet 1/0/7
[USG6315E_B-GigabitEthernet1/0/7] ip address 172.16.11.9 30
[USG6315E_B-GigabitEthernet1/0/7] quit

Step 2 Add interfaces to security zones.

# Add each interface to the corresponding security zone. Specifically, add the
interfaces connected to the internal network to security zone trust, add the
interfaces connected to the ISP1 network to security zone isp1, add the interfaces
connected to the ISP2 network to security zone isp2, and add the heartbeat
interfaces between firewalls to the DMZ.
[USG6315E_A] firewall zone trust
[USG6315E_A-zone-trust] set priority 85
[USG6315E_A-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_A-zone-trust] quit
[USG6315E_A] firewall zone name isp1
[USG6315E_A-zone-isp1] set priority 10
[USG6315E_A-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_A-zone-isp1] quit
[USG6315E_A] firewall zone name isp2
[USG6315E_A-zone-isp2] set priority 15
[USG6315E_A-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_A-zone-isp2] quit
[USG6315E_A] firewall zone dmz
[USG6315E_A-zone-dmz] set priority 50
[USG6315E_A-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_A-zone-dmz] quit
[USG6315E_B] firewall zone trust
[USG6315E_B-zone-trust] set priority 85
[USG6315E_B-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_B-zone-trust] quit
[USG6315E_B] firewall zone name isp1
[USG6315E_B-zone-isp1] set priority 10
[USG6315E_B-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_B-zone-isp1] quit
[USG6315E_B] firewall zone name isp2
[USG6315E_B-zone-isp2] set priority 15
[USG6315E_B-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_B-zone-isp2] quit
[USG6315E_B] firewall zone dmz
[USG6315E_B-zone-dmz] set priority 50
[USG6315E_B-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_B-zone-dmz] quit

Step 3 Configure routes and intelligent uplink selection.

# Configure static routes.
[USG6315E_A] ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
[USG6315E_A] ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
[USG6315E_B] ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
[USG6315E_B] ip route-static 192.168.10.0 255.255.255.0 172.16.11.10

# Enable the IP-link function to detect whether ISP links are working properly.

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 691


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

[USG6315E_A] ip-link check enable
[USG6315E_A] ip-link name ip_link_1
[USG6315E_A-iplink-ip_link_1] destination 202.1.1.254 interface gigabitethernet 1/0/1
[USG6315E_A-iplink-ip_link_1] quit
[USG6315E_A] ip-link name ip_link_2
[USG6315E_A-iplink-ip_link_2] destination 202.2.1.254 interface gigabitethernet 1/0/2
[USG6315E_A-iplink-ip_link_2] quit
[USG6315E_B] ip-link check enable
[USG6315E_B] ip-link name ip_link_1
[USG6315E_B-iplink-ip_link_1] destination 202.1.1.254 interface gigabitethernet 1/0/1
[USG6315E_B-iplink-ip_link_1] quit
[USG6315E_B] ip-link name ip_link_2
[USG6315E_B-iplink-ip_link_2] destination 202.2.1.254 interface gigabitethernet 1/0/2
[USG6315E_B-iplink-ip_link_2] quit

# Configure two default routes on each firewall, with the next hops pointing to the access points of the two ISP networks respectively.
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2

# Configure intelligent uplink selection to implement load balancing based on link bandwidth.
[USG6315E_A] multi-interface
[USG6315E_A-multi-inter] mode proportion-of-bandwidth
[USG6315E_A-multi-inter] add interface gigabitethernet1/0/1
[USG6315E_A-multi-inter] add interface gigabitethernet1/0/2
[USG6315E_A-multi-inter] quit
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[USG6315E_A-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[USG6315E_A-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_B] multi-interface
[USG6315E_B-multi-inter] mode proportion-of-bandwidth
[USG6315E_B-multi-inter] add interface gigabitethernet1/0/1
[USG6315E_B-multi-inter] add interface gigabitethernet1/0/2
[USG6315E_B-multi-inter] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[USG6315E_B-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[USG6315E_B-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[USG6315E_B-GigabitEthernet1/0/2] quit
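The way the tracked default routes and the proportion-of-bandwidth mode of Step 3 interact can be illustrated with a small Python model. This is an added example, not code from this document and not the USG6315E's real selection algorithm: the interface names, gateway addresses, bandwidths and thresholds are the ones configured above, while the ip-link probe results and load figures it applies are constructed. A link whose probe fails drops out (its tracked default route is withdrawn), a link above its threshold stops receiving new sessions, and the remaining links share new sessions in proportion to their configured bandwidth.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Uplink:
    name: str              # egress interface
    next_hop: str          # ISP gateway used by the tracked default route
    bandwidth: int         # configured bandwidth in kbit/s (Step 3 'bandwidth egress')
    threshold: int         # percent of bandwidth above which no new sessions are placed
    probe_up: bool = True  # ip-link probe result to next_hop (constructed)
    load: int = 0          # current egress load in kbit/s (constructed)


# Interface, gateway, bandwidth and threshold values come from Step 3.
UPLINKS: List[Uplink] = [
    Uplink("GigabitEthernet1/0/1", "202.1.1.254", 800000, 95),
    Uplink("GigabitEthernet1/0/2", "202.2.1.254", 200000, 90),
]


def usable(link: Uplink) -> bool:
    """A link is a candidate only while its tracked default route is active
    (probe up) and its load is still below the configured threshold."""
    if not link.probe_up:
        return False
    return link.load * 100 < link.bandwidth * link.threshold


def bandwidth_shares(links: List[Uplink]) -> Dict[str, float]:
    """Fraction of new sessions each usable link receives, proportional to
    its configured bandwidth (the proportion-of-bandwidth idea of Step 3)."""
    candidates = [l for l in links if usable(l)]
    total = sum(l.bandwidth for l in candidates)
    return {l.name: l.bandwidth / total for l in candidates} if total else {}


def choose_uplink(links: List[Uplink], session_index: int) -> Optional[str]:
    """Deterministic weighted round robin: session_index walks 0..99 and each
    link owns a contiguous slice of that range sized by its share."""
    shares = bandwidth_shares(links)
    if not shares:
        return None  # both default routes withdrawn: no egress path at all
    point = (session_index % 100 + 0.5) / 100
    cumulative, chosen = 0.0, None
    for name, share in shares.items():
        chosen = name
        cumulative += share
        if point <= cumulative:
            break
    return chosen


def scenario(probe_up=(True, True), loads=(0, 0), session_index=0) -> Optional[str]:
    """Apply constructed probe results and loads to UPLINKS and return the
    link chosen for one new session."""
    links = [replace(l, probe_up=p, load=ld)
             for l, p, ld in zip(UPLINKS, probe_up, loads)]
    return choose_uplink(links, session_index)


if __name__ == "__main__":
    print("both links healthy:", scenario())
    print("ip_link_1 probe failed:", scenario(probe_up=(False, True)))
    print("link 1 above 95% threshold:", scenario(loads=(770000, 0)))
    print("both probes failed:", scenario(probe_up=(False, False)))
```

With the configured 800000/200000 kbit/s values the first link takes 80 of every 100 new sessions; once ip_link_1 fails or GigabitEthernet1/0/1 crosses 95 % of its bandwidth, every new session goes out via GigabitEthernet1/0/2, and with both probes failed there is no default route left at all, which is what the blackhole and tracking checks later in this section are meant to make visible.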

Step 4 Configure the Huawei Redundancy Protocol (HRP) function.

# Configure a VRRP Group Management Protocol (VGMP) group on each firewall to monitor uplink and downlink service interfaces.
[USG6315E_A] hrp track interface gigabitethernet 1/0/7
[USG6315E_B] hrp track interface gigabitethernet 1/0/7

# On USG6315E_A and USG6315E_B, configure quick session backup, specify the heartbeat interface, and enable HRP.
[USG6315E_A] hrp mirror session enable
[USG6315E_A] hrp interface gigabitethernet 1/0/6 remote 172.16.11.2
[USG6315E_A] hrp enable
[USG6315E_B] hrp mirror session enable

[USG6315E_B] hrp interface gigabitethernet 1/0/6 remote 172.16.11.1
[USG6315E_B] hrp enable

Step 5 Configure security policies to allow communication between the local zone and
DMZ, allow internal network users to access external networks, and allow external
network users to access the internal HTTP server.

After a hot standby group is successfully established between the active and standby firewalls, the security policies configured on USG6315E_A are automatically synchronized to USG6315E_B. The following describes only the configuration on USG6315E_A.
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_dmz
[USG6315E_A-policy-security-rule-policy_dmz] source-zone local
[USG6315E_A-policy-security-rule-policy_dmz] source-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone local
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] action permit
[USG6315E_A-policy-security-rule-policy_dmz] quit
[USG6315E_A-policy-security] rule name trust_to_untrust
[USG6315E_A-policy-security-rule-trust_to_untrust] source-zone trust
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp1
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp2
[USG6315E_A-policy-security-rule-trust_to_untrust] action permit
[USG6315E_A-policy-security-rule-trust_to_untrust] quit
[USG6315E_A-policy-security] rule name untrust_to_trust
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp1
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp2
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-zone trust
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-address 192.168.10.0 24
[USG6315E_A-policy-security-rule-untrust_to_trust] action permit
[USG6315E_A-policy-security-rule-untrust_to_trust] quit
[USG6315E_A-policy-security] quit
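A practitioner reviewing the zone and policy configuration of Steps 2 and 5 usually wants to know which permit rules let a less trusted (lower-priority) zone into a more trusted one without an address restriction. The following Python auditor is an added example, not a tool from this document or from Huawei: it parses the zone priorities and security-policy rules in configuration-file form (the sample text is constructed from the commands above, plus one over-broad rule, isp_any_in, that is not on the page and exists only to be caught). The built-in Local zone has no priority on the page, so the value 100 used for it is an assumption of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the zone and security-policy commands of Steps 2 and 5 in
# configuration-file form, plus one deliberately over-broad rule (isp_any_in)
# that is NOT on the page and only exists so the audit has something to flag.
SAMPLE_CONFIG = """\
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/7
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/1
firewall zone name isp2
 set priority 15
 add interface GigabitEthernet1/0/2
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/6
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 192.168.10.0 24
  action permit
 rule name isp_any_in
  source-zone isp1
  destination-zone trust
  action permit
"""

# Priority assumed for the built-in Local zone (not set anywhere on the page).
LOCAL_PRIORITY = 100


def parse_config(text: str) -> Tuple[Dict[str, Optional[int]], List[dict]]:
    """Return {zone: priority} and the list of security-policy rules."""
    zones: Dict[str, Optional[int]] = {"local": LOCAL_PRIORITY}
    rules: List[dict] = []
    zone: Optional[str] = None
    rule: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"firewall zone (?:name )?(\S+)", line)
        if m:                               # enter a zone view
            zone, rule = m.group(1), None
            zones.setdefault(zone, None)    # priority unknown until 'set priority'
            continue
        if line == "security-policy":
            zone = None
            continue
        m = re.fullmatch(r"rule name (\S+)", line)
        if m:                               # enter a rule view
            rule = {"name": m.group(1), "src": [], "dst": [], "dst_addr": [], "action": None}
            rules.append(rule)
            continue
        m = re.fullmatch(r"set priority (\d+)", line)
        if m and zone:
            zones[zone] = int(m.group(1))
            continue
        if rule is not None:                # rule body
            key, _, value = line.partition(" ")
            if key == "source-zone":
                rule["src"].append(value)
            elif key == "destination-zone":
                rule["dst"].append(value)
            elif key == "destination-address":
                rule["dst_addr"].append(value)
            elif key == "action":
                rule["action"] = value
    return zones, rules


def audit(text: str) -> List[Tuple[str, str]]:
    """Flag rules that name an undefined zone, and permit rules that let a
    lower-priority zone reach a higher-priority zone with no destination-address."""
    zones, rules = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for r in rules:
        for z in r["src"] + r["dst"]:
            if zones.get(z) is None:
                findings.append((r["name"], f"references undefined zone {z}"))
        if r["action"] != "permit":
            continue
        inbound = any(
            zones.get(s) is not None and zones.get(d) is not None and zones[s] < zones[d]
            for s in r["src"] for d in r["dst"])
        if inbound and not r["dst_addr"]:
            findings.append((r["name"], "permits a lower- to higher-priority zone with no destination-address"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

On the page's own rules the auditor is quiet about trust_to_untrust (outbound) and untrust_to_trust (restricted to 192.168.10.0/24), flags the constructed isp_any_in, and also reports policy_dmz, because it opens the DMZ towards the Local zone for every service; that rule is needed here for the HRP heartbeat on GigabitEthernet 1/0/6, but it is exactly the kind of rule a reviewer should consciously accept rather than overlook.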

Step 6 Configure NAT policies.

# On USG6315E_A, create address pools addressgroup1 (from 202.1.1.1 to 202.1.1.5) and addressgroup2 (from 202.2.1.1 to 202.2.1.5). The address pools configured on USG6315E_A will be automatically synchronized to USG6315E_B.
[USG6315E_A] nat address-group addressgroup1
[USG6315E_A-address-group-addressgroup1] section 0 202.1.1.1 202.1.1.5
[USG6315E_A-address-group-addressgroup1] mode pat
[USG6315E_A-address-group-addressgroup1] route enable
[USG6315E_A-address-group-addressgroup1] quit
[USG6315E_A] nat address-group addressgroup2
[USG6315E_A-address-group-addressgroup2] section 1 202.2.1.1 202.2.1.5
[USG6315E_A-address-group-addressgroup2] mode pat
[USG6315E_A-address-group-addressgroup2] route enable
[USG6315E_A-address-group-addressgroup2] quit

# Configure source NAT policies to allow internal network users to access the
Internet through post-NAT public IP addresses.
[USG6315E_A] nat-policy
[USG6315E_A-policy-nat] rule name policy_nat_1
[USG6315E_A-policy-nat-rule-policy_nat_1] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_1] destination-zone isp1
[USG6315E_A-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
[USG6315E_A-policy-nat-rule-policy_nat_1] quit
[USG6315E_A-policy-nat] rule name policy_nat_2
[USG6315E_A-policy-nat-rule-policy_nat_2] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_2] destination-zone isp2
[USG6315E_A-policy-nat-rule-policy_nat_2] action nat address-group addressgroup2
[USG6315E_A-policy-nat-rule-policy_nat_2] quit
[USG6315E_A-policy-nat] quit

# Contact ISP network administrators to configure routes with the destination addresses in addressgroup1 and addressgroup2 and with the next hops being the interface addresses of the firewalls.

Step 7 Configure NAT Server.

# Assume that the HTTP server on the internal network applies to ISP1 and ISP2
for public IP addresses (202.1.1.10 and 202.2.1.10) so that the external network
users of ISP1 and ISP2 can access the HTTP server through their respective public
IP addresses.
# Configure static server mapping.
[USG6315E_A] nat server web_for_isp1 zone isp1 protocol tcp global 202.1.1.10 8080 inside 192.168.10.10 80 no-reverse
[USG6315E_A] nat server web_for_isp2 zone isp2 protocol tcp global 202.2.1.10 8080 inside 192.168.10.10 80 no-reverse

# Contact ISP network administrators to configure a route with the destination address being the public IP address of the HTTP server and the next hop being the firewall interface address.

# Configure blackhole routes.
[USG6315E_A] ip route-static 202.1.1.100 32 NULL 0
[USG6315E_A] ip route-static 202.2.1.100 32 NULL 0
[USG6315E_B] ip route-static 202.1.1.100 32 NULL 0
[USG6315E_B] ip route-static 202.2.1.100 32 NULL 0

# Configure the same interface to receive and send packets.
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] redirect-reverse next-hop 202.1.1.254
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] redirect-reverse next-hop 202.2.1.254
[USG6315E_A-GigabitEthernet1/0/2] quit
[USG6315E_B] interface gigabitethernet 1/0/1
[USG6315E_B-GigabitEthernet1/0/1] redirect-reverse next-hop 202.1.1.254
[USG6315E_B-GigabitEthernet1/0/1] quit
[USG6315E_B] interface gigabitethernet 1/0/2
[USG6315E_B-GigabitEthernet1/0/2] redirect-reverse next-hop 202.2.1.254
[USG6315E_B-GigabitEthernet1/0/2] quit

Step 8 Configure smart DNS.

[USG6315E_A] dns-smart enable
[USG6315E_A] dns-smart group 1 type multi
[USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/1 map 202.1.1.10
[USG6315E_A-dns-smart-group-1] out-interface gigabitethernet 1/0/2 map 202.2.1.10
[USG6315E_A-dns-smart-group-1] quit

Step 9 Configure attack defense.

[USG6315E_A] firewall defend land enable
[USG6315E_A] firewall defend smurf enable
[USG6315E_A] firewall defend fraggle enable
[USG6315E_A] firewall defend winnuke enable
[USG6315E_A] firewall defend source-route enable
[USG6315E_A] firewall defend route-record enable
[USG6315E_A] firewall defend time-stamp enable
[USG6315E_A] firewall defend ping-of-death enable
[USG6315E_A] interface gigabitethernet 1/0/1
[USG6315E_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[USG6315E_A-GigabitEthernet1/0/1] quit
[USG6315E_A] interface gigabitethernet 1/0/2
[USG6315E_A-GigabitEthernet1/0/2] anti-ddos flow-statistic enable
[USG6315E_A-GigabitEthernet1/0/2] quit

[USG6315E_A] anti-ddos baseline-learn start
[USG6315E_A] anti-ddos baseline-learn tolerance-value 100
[USG6315E_A] anti-ddos baseline-learn apply
[USG6315E_A] anti-ddos syn-flood source-detect
[USG6315E_A] anti-ddos udp-flood dynamic-fingerprint-learn
[USG6315E_A] anti-ddos udp-frag-flood dynamic-fingerprint-learn
[USG6315E_A] anti-ddos http-flood defend alert-rate 2000
[USG6315E_A] anti-ddos http-flood source-detect mode basic

Step 10 Configure application behavior control.

This function requires a license and dynamic installation of the corresponding component
package.

# Create an application behavior control file to prohibit HTTP and FTP operations
during the class time.
[USG6315E_A] profile type app-control name profile_app_work
[USG6315E_A-profile-app-control-profile_app_work] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control proxy action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control web-browse action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] quit

# Create an application behavior control file to allow only HTTP web browsing,
HTTP proxy surfing, and HTTP file download during the break time.
[USG6315E_A] profile type app-control name profile_app_rest
[USG6315E_A-profile-app-control-profile_app_rest] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_rest] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_rest] quit

# Create time range working_hours, which indicates the class time.
[USG6315E_A] time-range working_hours
[USG6315E_A-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
[USG6315E_A-time-range-working_hours] quit

# Create time range off_hours, which indicates the break time.
[USG6315E_A] time-range off_hours
[USG6315E_A-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
[USG6315E_A-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
[USG6315E_A-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
[USG6315E_A-time-range-off_hours] quit

# Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to control
the application behavior of students during the class time.
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_sec_work
[USG6315E_A-policy-security-rule-policy_sec_work] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_work] user any
[USG6315E_A-policy-security-rule-policy_sec_work] time-range working_hours
[USG6315E_A-policy-security-rule-policy_sec_work] profile app-control profile_app_work
[USG6315E_A-policy-security-rule-policy_sec_work] action permit
[USG6315E_A-policy-security-rule-policy_sec_work] quit

# Configure the security policy policy_sec_rest and reference the time range
off_hours and application behavior control file profile_app_rest to control the
application behavior of students during the break time.
[USG6315E_A-policy-security] rule name policy_sec_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_rest] user any
[USG6315E_A-policy-security-rule-policy_sec_rest] time-range off_hours
[USG6315E_A-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] action permit
[USG6315E_A-policy-security-rule-policy_sec_rest] quit

----End
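The two policies of Step 10 only behave as intended if working_hours and off_hours are complementary: every second of every day must match exactly one of them, otherwise traffic falls through to no app-control profile (or to two). The following Python check is an added example, not part of this document: it copies the period-range values above, walks every second of a working day and of an off day, and reports any second matched by neither or both ranges. It assumes working-day means Monday to Friday and off-day the weekend, and it also carries a constructed variant of off_hours whose evening period starts at 17:31:00 to show how a one-minute gap is detected.

```python
from datetime import datetime, time
from typing import List, Tuple

# period-range entries from Step 10 as (start, end, day class); ends inclusive.
WORKING_HOURS = [(time(9, 0, 0), time(17, 30, 0), "working-day")]
OFF_HOURS = [
    (time(0, 0, 0), time(23, 59, 59), "off-day"),
    (time(0, 0, 0), time(8, 59, 59), "working-day"),
    (time(17, 30, 1), time(23, 59, 59), "working-day"),
]
# Constructed variant of off_hours with a typical mistake: the evening period
# starts at 17:31:00, so 17:30:01-17:30:59 is matched by neither policy.
OFF_HOURS_WITH_GAP = [
    (time(0, 0, 0), time(23, 59, 59), "off-day"),
    (time(0, 0, 0), time(8, 59, 59), "working-day"),
    (time(17, 31, 0), time(23, 59, 59), "working-day"),
]


def _sec(t: time) -> int:
    return t.hour * 3600 + t.minute * 60 + t.second


def compile_periods(periods) -> List[Tuple[int, int, str]]:
    """Convert period ranges to seconds-of-day so the sweep below stays cheap."""
    return [(_sec(s), _sec(e), c) for s, e, c in periods]


def day_class(ts: datetime) -> str:
    # Assumption of this example: working-day = Monday..Friday, off-day = weekend.
    return "working-day" if ts.weekday() < 5 else "off-day"


def matches(compiled, sec_of_day: int, cls: str) -> bool:
    return any(c == cls and s <= sec_of_day <= e for s, e, c in compiled)


def classify(sec_of_day: int, cls: str, work, rest) -> str:
    """Name of the app-control profile selected, or 'overlap' / 'uncovered'."""
    in_work = matches(work, sec_of_day, cls)
    in_rest = matches(rest, sec_of_day, cls)
    if in_work and in_rest:
        return "overlap"
    if in_work:
        return "profile_app_work"   # policy_sec_work applies
    if in_rest:
        return "profile_app_rest"   # policy_sec_rest applies
    return "uncovered"


def applicable_profile(ts: datetime, work=WORKING_HOURS, rest=OFF_HOURS) -> str:
    return classify(_sec(ts.time()), day_class(ts), compile_periods(work), compile_periods(rest))


def profile_at(year, month, day, hour, minute, second) -> str:
    """Convenience wrapper around applicable_profile for a calendar timestamp."""
    return applicable_profile(datetime(year, month, day, hour, minute, second))


def coverage_gaps(work=WORKING_HOURS, rest=OFF_HOURS) -> List[Tuple[str, int, str]]:
    """Sweep every second of a working day and of an off day; return the seconds
    matched by neither or both ranges. An empty list means they are complementary."""
    cw, cr = compile_periods(work), compile_periods(rest)
    gaps = []
    for cls in ("working-day", "off-day"):
        for sec in range(24 * 3600):
            result = classify(sec, cls, cw, cr)
            if result in ("overlap", "uncovered"):
                gaps.append((cls, sec, result))
    return gaps


if __name__ == "__main__":
    print("gaps with the Step 10 ranges:", len(coverage_gaps()))
    print("gaps with the constructed variant:", len(coverage_gaps(rest=OFF_HOURS_WITH_GAP)))
```

The page's ranges pass (the 17:30:00 / 17:30:01 boundary is why off_hours starts its evening period one second after working_hours ends), while the constructed variant reports 59 uncovered seconds on working days.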

9.2.5 Verifying the Deployment

Step 1 Check the AP online status on the core switch S12708E.
[S12708E] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
-----------------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------------------------
0 acf9-703e-ad00 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S -
-----------------------------------------------------------------------------------------------------------------------
Total: 1

Step 2 User 1 and user 2 access the network in the student dormitory through wired
authentication and wireless authentication, respectively. After the authentication
succeeds, you can check the user information on the ME60, including the interface
of the access switch from which the wired user goes online and the AP from which
the wireless user goes online. On the ME60, you can check information about
online users, check whether users have obtained corresponding network access
rights, and check whether user 1 and user 2 can access the post-authentication
domain.
Step 3 User 1 and user 2 access the network in the teaching and office areas through
wired authentication and wireless authentication, respectively. After the
authentication succeeds, you can check the user information on the ME60,
including the interface of the access switch from which the wired user goes online
and the AP from which the wireless user goes online. On the ME60, you can check
information about online users, check whether users have obtained corresponding
network access rights, and check whether user 1 and user 2 can access the post-
authentication domain.

----End
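The display ap all output shown in Step 1 is easy to read by eye for one AP, but a campus with many APs is better checked by a script that parses the table, compares the row count with the Total line, and lists every AP whose State is not nor or that carries extra information such as the insufficient-power flag. The Python parser below is an added example, not a Huawei tool; its sample text is constructed after the Step 1 output, and the second row (a faulty AP with the P flag) is invented to exercise the check.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the Step 1 output of 'display ap all'. The
# first row is the page's AP; the second row is invented to show a problem AP.
SAMPLE_OUTPUT = """\
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
-------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------
0 acf9-703e-ad00 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S -
1 acf9-703e-ad01 area_2 ap-group1 10.250.12.110 AP4050DN fault 0 - P
-------------------------------------------------------------------------------
Total: 2
"""

COLUMNS = ["ID", "MAC", "Name", "Group", "IP", "Type", "State", "STA", "Uptime", "ExtraInfo"]


def parse_display_ap_all(text: str) -> List[Dict[str, str]]:
    """Return one dict per AP row. Rows sit between the second and third
    dashed separator lines; the column header sits between the first two."""
    rows, dashes = [], 0
    for line in text.splitlines():
        if re.fullmatch(r"-{5,}", line.strip()):
            dashes += 1
            continue
        if dashes == 2 and line.strip():
            fields = line.split()
            if len(fields) != len(COLUMNS):
                raise ValueError(f"unexpected column count in row: {line!r}")
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def declared_total(text: str) -> Optional[int]:
    """The AP count the switch itself prints in the 'Total:' line."""
    m = re.search(r"^Total:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def unhealthy_aps(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """APs not in the normal state, or carrying an ExtraInfo flag such as P."""
    return [r for r in rows if r["State"] != "nor" or r["ExtraInfo"] != "-"]


def check(text: str) -> dict:
    """Summary suitable for a monitoring job: row count, the switch's own
    total (a mismatch usually means truncated output), and problem APs."""
    rows = parse_display_ap_all(text)
    total = declared_total(text)
    return {
        "parsed": len(rows),
        "declared": total,
        "consistent": total == len(rows),
        "unhealthy": [r["Name"] for r in unhealthy_aps(rows)],
    }


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))
```

The same parser can be fed the output captured over SSH from the S12708E; the consistency flag guards against acting on a partially captured table.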

9.2.6 Configuration Files

S5735-L_A
#
sysname S5735-L_A
#
vlan batch 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2001
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 4004
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3001 to 3500 4004
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 600
stp edged-port enable
#
return

S5735-L_B
#
sysname S5735-L_B
#
vlan batch 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 600 2001 to 3500 4004
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2001
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 4004
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3001 to 3500 4004
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 600
stp edged-port enable
#
return

S6730-H_A
#
sysname S6730-H_A
#
vlan batch 101 to 200 600 1601 to 1800 4004
#
interface XGigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid tagged vlan 600 4004
port hybrid untagged vlan 101 1601
port vlan-stacking vlan 2001 to 3000 stack-vlan 101
port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
#
interface XGigabitEthernet3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
#
return

S6730-H_B
#
sysname S6730-H_B
#
vlan batch 201 to 400 600 1801 to 2000 4004
#
interface XGigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid tagged vlan 600 4004
port hybrid untagged vlan 201 1801
port vlan-stacking vlan 2001 to 3000 stack-vlan 201
port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
#
interface XGigabitEthernet3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
#
return

S12708E
#
sysname S12708E
#
vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
#
dhcp enable
#
interface Vlanif4004
ip address 10.250.0.1 255.255.240.0
arp-proxy enable
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
interface Vlanif4010
ip address 172.16.11.13 255.255.255.252
#
interface XGigabitEthernet4/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004
port-isolate enable group 1
#
interface XGigabitEthernet4/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
port-isolate enable group 1
#
interface XGigabitEthernet5/0/7
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
#
interface LoopBack0
ip address 172.16.10.4 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.14
ip route-static 172.16.10.2 255.255.255.255 172.16.11.14
ip route-static 172.16.10.3 255.255.255.255 172.16.11.14
#
capwap source interface vlanif4004
#
wlan
traffic-profile name new-vap-traffic-1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 3001
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile new-vap-traffic-1
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 75 ap-mac acf9-703e-ad00 ap-sn 21500831023GJ1006553
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

ME60
#
sysname ME60
#
value-added-service enable
#
user-group pre-web
user-group pre-ppp
user-group xuesheng
user-group jiaoshi
#
radius-server source interface LoopBack0
radius-server authorization 192.168.10.55 shared-key-cipher %^%#&|-oI:&#&%<ZBPF\0s@"-vgF~lVjpAB5w[5XP4=4%^%#
radius-server authorization 192.168.10.241 shared-key-cipher %^%#O1n13EDPo9e7bHWac{b7-FtB(:e}f@pT-p6l=$<*%^%#
#
radius-server group radius
radius-server shared-key-cipher %^%#l$~9,kQZF!:j]$R54Ka~=3]%L8^w7,E+Ft2X*}:@%^%#
radius-server authentication 192.168.10.55 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
undo radius-server user-name domain-included
#
radius-server group mac
radius-server shared-key-cipher %^%#/W@Y%>vX8EzCg<LzjKV$G(0j&;2"}:5Nzy3pc[=+%^%#
radius-server authentication 192.168.10.55 1812 weight 0
radius-server accounting 192.168.10.55 1813 weight 0
#
qos-profile 50M
car cir 50000 cbs 9350000 green pass red discard inbound
car cir 50000 cbs 9350000 green pass red discard outbound
#
qos-profile 20M
car cir 20000 cbs 3740000 green pass red discard inbound
car cir 20000 cbs 3740000 green pass red discard outbound
#
qos-profile 10M
car cir 10000 cbs 1870000 green pass red discard inbound
car cir 10000 cbs 1870000 green pass red discard outbound
#
ip pool jiaoshi bas local
gateway 10.254.128.1 255.255.128.0
section 0 10.254.128.2 10.254.255.254
excluded-ip-address 10.254.128.2 10.254.129.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool pre-pool bas local
gateway 10.253.0.1 255.255.128.0
section 0 10.253.0.2 10.253.127.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool pre-ppp bas local
gateway 10.253.128.1 255.255.128.0
section 0 10.253.128.2 10.253.255.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool xuesheng bas local
gateway 10.254.0.1 255.255.128.0
section 0 10.254.0.2 10.254.127.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
acl number 6001
rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
#
acl number 6003
rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
#
acl number 6005
rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
#
acl number 6010
rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
#
acl number 6011
rule 5 permit tcp source user-group pre-web destination-port eq www
rule 10 permit tcp source user-group pre-web destination-port eq 8080
rule 20 permit ip source user-group pre-web
#
acl number 6012
rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
#
acl number 6013
rule 5 permit tcp source user-group pre-ppp destination-port eq www
rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
rule 20 deny ip source user-group pre-ppp
#
traffic classifier 6001 operator or
if-match acl 6001
#
traffic classifier 6003 operator or
if-match acl 6003
#
traffic classifier 6005 operator or
if-match acl 6005
#
traffic classifier 6010 operator or
if-match acl 6010
#
traffic classifier 6011 operator or
if-match acl 6011
#
traffic classifier 6012 operator or
if-match acl 6012
#
traffic classifier 6013 operator or
if-match acl 6013
#
traffic behavior 6001
car
tariff-level 1
traffic-statistic
#
traffic behavior 6003
car
tariff-level 1
traffic-statistic
#
traffic behavior 6005
car
tariff-level 1
traffic-statistic
#
traffic behavior 6010
#
traffic behavior 6011
http-redirect
#
traffic behavior 6012
#
traffic behavior 6013
http-redirect
#
traffic policy traffic-policy-1
share-mode
classifier 6010 behavior 6010 precedence 1
classifier 6011 behavior 6011 precedence 2
classifier 6012 behavior 6012 precedence 3
classifier 6013 behavior 6013 precedence 4
#
traffic policy traffic_policy_daa
share-mode
classifier 6003 behavior 6003 precedence 1
classifier 6005 behavior 6005 precedence 2
#
aaa
http-redirect enable
default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$
default-user-name include mac-address -
local-user root password irreversible-cipher +Hv$!xKCa#UY6\$GWJ!N4[QH.O/'HIa@AoURN`>;R"Z8PtIa\3AZAy6Sa60(C6GCN
#
authentication-scheme none
#
authentication-scheme authen
#
accounting-scheme none
accounting-mode none
#
accounting-scheme acc
accounting interim interval 15
#
domain pre-authen
authentication-scheme none
accounting-scheme none
ip-pool pre-pool
user-group pre-web
web-server 192.168.10.53
web-server url http://192.168.10.53/help/help.html
#
domain xs
authentication-scheme authen
accounting-scheme acc
radius-server group radius
ip-pool xuesheng
ip-pool jiaoshi
value-added-service account-type none
value-added-service policy 10m
user-group pre-web
web-server 192.168.10.53
web-server url http://192.168.10.53/help/help.html
portal-server 192.168.10.100
portal-server url http://192.168.10.100/portal/
quota-out online
#
domain jg
authentication-scheme authen
accounting-scheme acc
radius-server group radius
ip-pool jiaoshi
value-added-service account-type none
value-added-service policy 20m
user-group pre-web
portal-server 192.168.10.100
portal-server url http://192.168.10.100/portal/
quota-out online
#
domain pre-ppp
authentication-scheme none
accounting-scheme none
ip-pool pre-ppp
user-group pre-ppp
web-server 192.168.10.55
web-server url http://192.168.10.55/help/help.html
#
domain mac
authentication-scheme mac
accounting-scheme acc
radius-server group mac
ip-pool pre-pool
mac-authentication enable
#
value-added-service policy 10m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 10M
#
value-added-service policy 20m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 20M
#
value-added-service policy 50m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 50M
#
interface Virtual-Template1
ppp authentication-mode auto
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.11.6 255.255.255.252
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.11.10 255.255.255.252
#
interface GigabitEthernet 1/1/1.1000
description xuesheng-ppp
user-vlan 2001 3000 qinq 101 200
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
dhcp session-mismatch action offline
authentication-method ppp web
#
#
interface GigabitEthernet 1/1/1.1001
description xuesheng-web
user-vlan 3001 3500 qinq 1601 1800
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.1002
description jiaoshi-ppp
user-vlan 2001 3000 qinq 201 400
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication jg
dhcp session-mismatch action offline
authentication-method ppp web
#
#
interface GigabitEthernet 1/1/1.1003
description jiaoshi-web
user-vlan 3001 3500 qinq 1801 2000
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.1101
description mac-web
user-vlan 600
bas
#
access-type layer2-subscriber default-domain pre-authentication mac authentication jg
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.4010
vlan-type dot1q 4010

ip address 172.16.11.14 255.255.255.252
#
interface LoopBack0
ip address 172.16.10.3 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
#
web-auth-server source interface LoopBack0
web-auth-server 192.168.10.53 port 50100 key cipher %^%#S2#I1~`Kc/>vz1F4u3q+_DHT)ZE^`"n:w>!li(<C%^%#
#
traffic-policy traffic-policy-1 inbound
traffic-policy traffic-policy-1 outbound
#
accounting-service-policy traffic_policy_daa
#
return

USG6315E_A
#
sysname USG6315E_A
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.2
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
ip-link check enable
ip-link name ip_link_1
destination 202.1.1.254 interface GigabitEthernet1/0/1 mode icmp
ip-link name ip_link_2
destination 202.2.1.254 interface GigabitEthernet1/0/2 mode icmp
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
ip address 202.1.1.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.1.1.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 202.1.1.254
#
interface GigabitEthernet1/0/2
ip address 202.2.1.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.2.1.254
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 202.2.1.254
#
interface GigabitEthernet1/0/6
ip address 172.16.11.1 255.255.255.252
#
interface GigabitEthernet1/0/7
ip address 172.16.11.5 255.255.255.252
#
interface LoopBack0
ip address 172.16.10.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 15
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
ip route-static 202.1.1.100 255.255.255.255 NULL 0
ip route-static 202.2.1.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 202.1.1.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 202.2.1.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
http-control web-browse action deny
http-control proxy action deny
http-control post action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.1.1.1 202.1.1.5
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.2.1.1 202.2.1.5
#
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.1.1.10
out-interface GigabitEthernet 1/0/2 map 202.2.1.10
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 192.168.10.0 mask 255.255.255.0
action permit
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
action nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp2
action nat address-group addressgroup2
#
return

USG6315E_B
#
sysname USG6315E_B
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
ip-link check enable
ip-link name ip_link_1
destination 202.1.1.254 interface GigabitEthernet1/0/1 mode icmp
ip-link name ip_link_2
destination 202.2.1.254 interface GigabitEthernet1/0/2 mode icmp
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
interface GigabitEthernet1/0/1
ip address 202.1.1.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.1.1.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 202.1.1.254
#
interface GigabitEthernet1/0/2
ip address 202.2.1.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.2.1.254
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 202.2.1.254
#
interface GigabitEthernet1/0/6
ip address 172.16.11.2 255.255.255.252
#
interface GigabitEthernet1/0/7
ip address 172.16.11.9 255.255.255.252
#
interface LoopBack0
ip address 172.16.10.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 15
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
ip route-static 202.1.1.100 255.255.255.255 NULL 0
ip route-static 202.2.1.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 202.1.1.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 202.2.1.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
http-control web-browse action deny
http-control proxy action deny
http-control post action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.1.1.1 202.1.1.5
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.2.1.1 202.2.1.5
#
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.1.1.10
out-interface GigabitEthernet 1/0/2 map 202.2.1.10
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 192.168.10.0 mask 255.255.255.0
action permit
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
action nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp2
action nat address-group addressgroup2
#
return
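In the security-policy above, the plain permit trust_to_untrust is listed before policy_sec_work and policy_sec_rest, the two time-range rules that carry the app-control profiles. The following Python script is an added example, not part of the Huawei document: it models those five rules exactly as listed, assumes top-down first-match evaluation, reports rules that an earlier rule shadows, and shows which rule a flow hits before and after the profiled rules are moved ahead. The 203.0.113.x destination addresses are constructed test values.

```python
"""Shadowed-rule audit for the USG6315E security policy above.

Added example, not part of the Huawei document. The five rules of USG6315E_A
are modelled as listed (zones, destination addresses, time ranges, profiles)
and the USG is assumed to evaluate them top-down, first match wins. A later
rule is shadowed when an earlier rule matches every flow the later rule could
match, so the later rule and its app-control profile never take effect.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY_NET = IPv4Network("0.0.0.0/0")
DAY_TYPES = ("working-day", "off-day")


def minutes(hhmmss: str) -> int:
    """Minute of day; the page's time ranges are modelled at minute granularity."""
    h, m, _s = (int(x) for x in hhmmss.split(":"))
    return h * 60 + m


def period(start: str, end: str, day_type: str) -> set:
    """The (day-type, minute) slots covered by one period-range line."""
    return {(day_type, t) for t in range(minutes(start), minutes(end) + 1)}


# time-range definitions copied from the page; None (no time-range) matches
# at any time.
TIME_RANGES: Dict[Optional[str], set] = {
    None: {(d, t) for d in DAY_TYPES for t in range(24 * 60)},
    "off_hours": period("00:00:00", "23:59:59", "off-day")
    | period("00:00:00", "08:59:59", "working-day")
    | period("17:30:01", "23:59:59", "working-day"),
    "working_hours": period("09:00:00", "17:30:00", "working-day"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    dst_addrs: Tuple[IPv4Network, ...] = (ANY_NET,)  # no destination-address = any
    time_range: Optional[str] = None
    profile: Optional[str] = None
    action: str = "permit"


# security-policy of USG6315E_A in the order the page lists it.
USG6315E_A_POLICY: List[Rule] = [
    Rule("trust_to_untrust", frozenset({"trust"}), frozenset({"isp1", "isp2"})),
    Rule("untrust_to_trust", frozenset({"isp1", "isp2"}), frozenset({"trust"}),
         (IPv4Network("192.168.10.0/24"),)),
    Rule("policy_dmz", frozenset({"local", "dmz"}), frozenset({"local", "dmz"})),
    Rule("policy_sec_work", frozenset({"trust"}), frozenset({"isp1", "isp2"}),
         time_range="working_hours", profile="profile_app_work"),
    Rule("policy_sec_rest", frozenset({"trust"}), frozenset({"isp1", "isp2"}),
         time_range="off_hours", profile="profile_app_rest"),
]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow that matches `inner` also matches `outer`."""
    return (inner.src_zones <= outer.src_zones
            and inner.dst_zones <= outer.dst_zones
            and all(any(i.subnet_of(o) for o in outer.dst_addrs) for i in inner.dst_addrs)
            and TIME_RANGES[inner.time_range] <= TIME_RANGES[outer.time_range])


def shadowed_rules(rules: List[Rule]) -> Dict[str, str]:
    """Map each shadowed rule name to the earlier rule that shadows it."""
    found: Dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found[later.name] = earlier.name
                break
    return found


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, dst_ip: str,
                day_type: str, hhmmss: str) -> Optional[Rule]:
    """Rule a flow hits under top-down matching; None means no rule matched."""
    ip, slot = IPv4Address(dst_ip), (day_type, minutes(hhmmss))
    for r in rules:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and any(ip in n for n in r.dst_addrs)
                and slot in TIME_RANGES[r.time_range]):
            return r
    return None


def profiled_first(rules: List[Rule]) -> List[Rule]:
    """Order that removes the shadowing: rules carrying an app-control profile
    go ahead of the plain permits (on the device, rule move in the
    security-policy view reorders rules)."""
    return [r for r in rules if r.profile] + [r for r in rules if not r.profile]
```
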

9.3 Deployment of a Subway Bearer Network Featuring High-Speed Self Recovery

9.3.1 Service Requirements and Solution Description

Service Requirements
Economic and social development has made the subway a major way of avoiding
traffic congestion in cities. A more diverse range of IP services and
increasing data traffic require a highly secure and reliable subway public
transportation system. The legacy subway bearer network can no longer meet
these requirements, and a digital subway system requires a more robust and
reliable bearer network. A modernized subway bearer network needs to meet the
following requirements:

● Ensures high reliability and security: Subways belong to the public
transportation system, requiring the subway bearer network to be reliable and
secure.
● Provides sufficient data capacity: The subway system has high passenger
traffic and increasing data terminals, requiring the subway bearer network to
provide sufficient data capacity and data switching capacity.
● Supports a diverse range of service types: The subway system involves
different service types such as the control system, advertising media, and daily
office, requiring the subway bearer network to support a diverse range of
service types.

The IP data communication network is the mainstream data communication
network, supports various access modes, and has a large network scale.
Constructing an IP-based subway bearer network has become a trend in future
development.


Huawei offers the hierarchy of VPN (HoVPN)-based High-Speed Self Recovery
(HSR) solution to implement secure and reliable subway system operation and
support a diverse range of service types for the subway system. The HSR solution
uses Huawei agile switches to construct a hierarchical network based on MPLS
L3VPN technology, provides powerful service supporting capabilities and simple as
well as flexible networking modes, and is suitable for large-scale subway bearer
networks. This solution adopts multiple protection technologies, including
bidirectional forwarding detection (BFD), TE hot standby (HSB), VPN fast reroute
(FRR), and traffic forwarding on the Virtual Router Redundancy Protocol (VRRP)
backup device, and provides protection switchovers within milliseconds, so that
an end-to-end link switchover completes without users noticing.

Solution Overview
The HoVPN-based HSR solution is designed to ensure network reliability,
scalability, maintainability, and multi-service supporting capability, provide a
hierarchical network structure, and reduce networking costs. Figure 9-17 shows
the network topology in the HSR solution.

Figure 9-17 Network topology

[Figure: a core ring of Core_SPE1, Core_SPE2, and Core_SPE3. The data center
site (Site1_UPE1 and Site1_UPE2, with CE1 in vpna), subway site 1 (Site2_UPE3
and Site2_UPE4, with CE2 in vpna), and subway site 2 (Site3_UPE5 and
Site3_UPE6, with CE3 in vpna) attach to the ring. The figure labels BFD for
VRRP between the two UPEs of each site, TE HSB and VPN FRR on the links
between the sites and the core ring, and VPN FRR within the core ring.]

In Figure 9-17:
● Three S12700E switches on the core layer are fully connected to form a core
ring, while the data center site and two subway sites exchange data across
the core ring.
● Two S6730-H switches are deployed as aggregation switches at each subway
site and form a looped square topology with two S12700E switches on the
core ring. Alternatively, S6730-H switches at multiple sites are connected in
serial networking and then form a looped square topology with two S12700E
switches on the core ring. S6730-H switches have VRRP configured to function
as the user gateways of each subway site. The data center site uses two
S12700E switches as aggregation switches and deploys the same services as
S6730-H switches on the two S12700E switches.
● Layer 2 switches are deployed on the access layer at each site to form an
access ring and are dual-homed to two S6730-H switches at subway sites or
two S12700E switches at the data center site.
This network transmits all service traffic of the subway system, including traffic of
routine office, advertising media, and train control management.

Service Deployment

Table 9-22 Service deployment

IGP: Use OSPF as the IGP and run OSPF between aggregation and core switches to
ensure that there are reachable routes between these switches, and establish
Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) and MPLS
Traffic Engineering (TE) tunnels using OSPF routes.

BGP: Deploy Multiprotocol Border Gateway Protocol (MP-BGP) to implement L3VPN.
Establish Internal BGP (IBGP) neighbor relationships between aggregation and
core switches, and between core switches, and advertise VPN routes.

Routing policies: Use routing policies to set the route preferred value and
community attribute to filter, select, and back up routes.

MPLS LDP: Run LDP between aggregation and core switches to transmit L3VPN data
on links for label switching. Configure BFD for label switched paths (LSPs) to
implement fast link switchovers.

MPLS TE: Deploy MPLS TE tunnels to transmit L3VPN traffic. That is, establish
the primary and backup TE tunnels between each S6730-H switch and its directly
connected S12700E, and establish the primary and backup tunnels between each
S12700E switch and its directly connected S6730-H switch. Enable TE HSB and
configure BFD for TE HSB to allow traffic to be switched from the faulty primary
TE tunnel to the backup TE tunnel within 50 ms.

L3VPN: Configure different VPNs for services such as daily office, advertising
media, and train control management to isolate these services. In this
scenario, one VPN is configured as an example.

BFD: Use BFD on each node to detect faults and implement fast traffic
switchovers in case of faults. In this example, you need to deploy multiple
services, including BFD for VRRP, BFD for LSP, and BFD for TE, to complete
end-to-end switchovers within 50 ms.

TE HSB: Establish bidirectional TE tunnels between S6730-H aggregation switches
and S12700E core switches, and deploy HSB for MPLS TE tunnels to provide the
primary and backup constraint-based routed label switched paths (CR-LSPs) for
each TE tunnel. Configure BFD for CR-LSPs to fast detect CR-LSP faults. If a
fault occurs on the primary CR-LSP, L3VPN traffic can be fast switched to the
hot-standby CR-LSP, providing end-to-end (E2E) traffic protection.

Hybrid FRR: Enable IP + VPN hybrid FRR on S6730-H switches. If a fault occurs on
the downlink access link, the connected interface on one S6730-H will detect the
fault and fast switch traffic to the other S6730-H, which then forwards traffic
to access devices.

VRRP: Deploy VRRP between two S6730-H switches to implement gateway backup for
access users. Configure BFD for VRRP to speed up fault detection, VRRP
convergence, and traffic switchovers. To prevent traffic loss caused by
aggregation switch faults and shorten service interruptions, you also need to
configure the VRRP backup device to forward service traffic.

Device Selection and Restrictions

Table 9-23 Device selection and restrictions

Core nodes and data center aggregation nodes: Use S12700E switches as core
nodes and data center aggregation nodes, and install MPUEs and X series LPUs on
these switches. To ensure reliability, ensure that:
● Eth-Trunk member interfaces reside on the same LPU.
● On the same device, any two interfaces connected to other devices reside on
different LPUs.

Aggregation nodes at subway sites: Use S6730-H switches as aggregation
switches.


Version Requirements

Table 9-24 Version requirements

Version | Matching Devices
V200R019C10 and later versions | Use S12700E switches as core devices and
S6730-H switches as aggregation devices.

NOTE
The following uses S series switches running V200R019C10 as an example to
describe the configuration procedure.

9.3.2 Basic Configurations

9.3.2.1 Data Plan

Network Topology
Construct a network based on the topology shown in Figure 9-18, name the network
devices, and configure IP addresses for the service interfaces and user
interfaces of the devices.

Figure 9-18 Network topology

[Figure: the same nodes as in Figure 9-17 (Core_SPE1, Core_SPE2, Core_SPE3;
Site1_UPE1 and Site1_UPE2 with CE1; Site2_UPE3 and Site2_UPE4 with CE2;
Site3_UPE5 and Site3_UPE6 with CE3, all CEs in vpna), labelled with the
Eth-Trunk and XGE interfaces of each link and the CE-facing subinterfaces
XGE1/0/4.200, XGE0/0/2.150, and XGE0/0/2.100. The interface assignments are
listed in Table 9-25 and Table 9-26.]


Interface Data Plan


Table 9-25 and Table 9-26 list interfaces and their IP addresses on devices.

Table 9-25 Eth-Trunk interface plan

NE Role | Interface Number | Member Interfaces
Core_SPE1 | Eth-Trunk 4 | XGigabitEthernet5/0/4, XGigabitEthernet5/0/5, XGigabitEthernet5/0/6, XGigabitEthernet5/0/7
Core_SPE1 | Eth-Trunk 5 | XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Core_SPE1 | Eth-Trunk 17 | XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
Core_SPE2 | Eth-Trunk 4 | XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7
Core_SPE2 | Eth-Trunk 2 | XGigabitEthernet3/0/4, XGigabitEthernet3/0/5, XGigabitEthernet3/0/6, XGigabitEthernet3/0/7
Core_SPE2 | Eth-Trunk 17 | XGigabitEthernet5/0/0, XGigabitEthernet5/0/1, XGigabitEthernet5/0/2, XGigabitEthernet5/0/3
Core_SPE3 | Eth-Trunk 5 | XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Core_SPE3 | Eth-Trunk 2 | XGigabitEthernet2/0/4, XGigabitEthernet2/0/5, XGigabitEthernet2/0/6, XGigabitEthernet2/0/7
Site1_UPE1 | Eth-Trunk 17 | XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Site1_UPE1 | Eth-Trunk 7 | XGigabitEthernet4/0/4, XGigabitEthernet4/0/5, XGigabitEthernet4/0/6, XGigabitEthernet4/0/7
Site1_UPE2 | Eth-Trunk 17 | XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
Site1_UPE2 | Eth-Trunk 7 | XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7

Table 9-26 Interfaces and their IP addresses

NE Role | Local Interface | IP Address | Description
Core_SPE1 | Loopback 1 | 172.16.0.5/32 | -
Core_SPE1 | Eth-Trunk 4 | 172.17.4.8/31 | Core_SPE1 to Core_SPE2
Core_SPE1 | Eth-Trunk 5 | 172.17.4.2/31 | Core_SPE1 to Core_SPE3
Core_SPE1 | Eth-Trunk 17 | 172.17.4.10/31 | Core_SPE1 to Site1_UPE1
Core_SPE1 | XGigabitEthernet6/0/4 | 172.17.10.2/31 | Core_SPE1 to Site3_UPE6
Core_SPE2 | Loopback 1 | 172.16.0.3/32 | -
Core_SPE2 | Eth-Trunk 4 | 172.17.4.9/31 | Core_SPE2 to Core_SPE1
Core_SPE2 | Eth-Trunk 2 | 172.17.4.0/31 | Core_SPE2 to Core_SPE3
Core_SPE2 | Eth-Trunk 17 | 172.17.4.12/31 | Core_SPE2 to Site1_UPE2
Core_SPE2 | XGigabitEthernet5/0/5 | 172.16.8.178/31 | Core_SPE2 to Site2_UPE3
Core_SPE3 | Loopback 1 | 172.16.0.4/32 | -
Core_SPE3 | Eth-Trunk 5 | 172.17.4.3/31 | Core_SPE3 to Core_SPE1
Core_SPE3 | Eth-Trunk 2 | 172.17.4.1/31 | Core_SPE3 to Core_SPE2
Core_SPE3 | XGigabitEthernet6/0/1 | 172.16.8.213/31 | Core_SPE3 to Site3_UPE5
Core_SPE3 | XGigabitEthernet6/0/3 | 172.16.8.183/31 | Core_SPE3 to Site2_UPE4
Site1_UPE1 | Loopback 1 | 172.16.2.51/32 | -
Site1_UPE1 | Eth-Trunk 17 | 172.17.4.11/31 | Site1_UPE1 to Core_SPE1
Site1_UPE1 | Eth-Trunk 7 | 172.17.4.14/31 | Site1_UPE1 to Site1_UPE2
Site1_UPE1 | XGigabitEthernet1/0/4.200 | 172.18.200.66/26 | Site1_UPE1 to CE1
Site1_UPE2 | Loopback 1 | 172.16.2.50/32 | -
Site1_UPE2 | Eth-Trunk 17 | 172.17.4.13/31 | Site1_UPE2 to Core_SPE2
Site1_UPE2 | Eth-Trunk 7 | 172.17.4.15/31 | Site1_UPE2 to Site1_UPE1
Site1_UPE2 | XGigabitEthernet1/0/4.200 | 172.18.200.67/26 | Site1_UPE2 to CE1
Site2_UPE3 | Loopback 1 | 172.16.2.75/32 | -
Site2_UPE3 | XGigabitEthernet0/0/1 | 172.16.8.179/31 | Site2_UPE3 to Core_SPE2
Site2_UPE3 | XGigabitEthernet0/0/4 | 172.16.8.180/31 | Site2_UPE3 to Site2_UPE4
Site2_UPE3 | XGigabitEthernet0/0/2.150 | 172.18.150.2/26 | Site2_UPE3 to CE2
Site2_UPE4 | Loopback 1 | 172.16.2.76/32 | -
Site2_UPE4 | XGigabitEthernet0/0/1 | 172.16.8.182/31 | Site2_UPE4 to Core_SPE3
Site2_UPE4 | XGigabitEthernet0/0/4 | 172.16.8.181/31 | Site2_UPE4 to Site2_UPE3
Site2_UPE4 | XGigabitEthernet0/0/2.150 | 172.18.150.3/26 | Site2_UPE4 to CE2
Site3_UPE5 | Loopback 1 | 172.16.2.87/32 | -
Site3_UPE5 | XGigabitEthernet0/0/4 | 172.16.8.212/31 | Site3_UPE5 to Core_SPE3
Site3_UPE5 | XGigabitEthernet0/0/1 | 172.17.10.0/31 | Site3_UPE5 to Site3_UPE6
Site3_UPE5 | XGigabitEthernet0/0/2.100 | 172.18.100.2/26 | Site3_UPE5 to CE3
Site3_UPE6 | Loopback 1 | 172.16.2.86/32 | -
Site3_UPE6 | XGigabitEthernet0/0/4 | 172.17.10.3/31 | Site3_UPE6 to Core_SPE1
Site3_UPE6 | XGigabitEthernet0/0/1 | 172.17.10.1/31 | Site3_UPE6 to Site3_UPE5
Site3_UPE6 | XGigabitEthernet0/0/2.100 | 172.18.100.3/26 | Site3_UPE6 to CE3

9.3.2.2 Configuring Device Information

Data Plan

Set parameters based on network requirements (such as the network scale and topology).
The following table lists the recommended values and precautions for reference only.

Configure device information on all devices based on the network topology.

Device information includes the site name, device role, and device number. Each
device is named in the format of AA_BBX.

● AA: indicates the site name, such as Core and Site1.
● BB: indicates the device role, such as superstratum provider edge (SPE), user-
end provider edge (UPE), and customer edge (CE).
● X: indicates the device number, starting from 1.

For example, Site1_UPE1 indicates a UPE numbered 1 at site 1. The following table
describes the data plan.

Parameter | Value | Description
sysname | Site1_UPE1 | Device name


Procedure
● Configure the device name.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of other devices are similar to the configuration of Site1_UPE1.
sysname Site1_UPE1

----End

9.3.2.3 Configuring Interfaces

Procedure
Step 1 Add physical interfaces to Eth-Trunk interfaces.
The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to that of Core_SPE1.
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#

Step 2 Configure descriptions and IP addresses for interfaces.

The following uses Core_SPE1 as an example to describe how to configure the
interface description, IP address, and Eth-Trunk interface working mode. The
configurations of other devices are similar to that of Core_SPE1.
#
interface Eth-Trunk4


undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
mode lacp
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
mode lacp
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
mode lacp
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#

Step 3 Configure Eth-Trunk interfaces to function as 40GE interfaces.

Run the least active-linknumber 4 command on Eth-Trunk interfaces of all S9700
switches to configure the Eth-Trunk interfaces to function as 40GE interfaces. If a
member interface of an Eth-Trunk interface goes Down, the Eth-Trunk interface
goes Down. The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to that of Core_SPE1.
#
interface Eth-Trunk4
least active-linknumber 4
#
interface Eth-Trunk5
least active-linknumber 4
#
interface Eth-Trunk17
least active-linknumber 4
#

Step 4 Create Eth-Trunk load balancing profiles and apply the profiles to Eth-Trunk
interfaces.

Configure load balancing based on the source and destination port numbers. The
following uses the configuration of Core_SPE1 as an example. The configurations
of other devices are similar to that of Core_SPE1.
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
load-balance enhanced profile CUSTOM
#


Step 5 Disable STP globally.

All devices on the entire network are connected through Layer 3 interfaces, and
Layer 2 loop prevention protocols are not required. Therefore, disable STP globally.
The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to that of Core_SPE1.
#
stp disable
#

----End

9.3.2.4 Enabling BFD

Context
To implement link switchovers within 50 ms, devices must support the 3.3-ms
interval for sending and receiving BFD packets. Devices need to meet the following
requirements:
● For the S12700E, MPUs must be LST7MPUE0000 or LST7MPUE000K0.
● For the S6730-H, the set service-mode command must be run to configure
the switch to work in enhanced BFD mode.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
#
bfd
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
#
bfd
#

----End

9.3.3 Deploying OSPF


9.3.3.1 Deployment Roadmap

Figure 9-19 OSPF neighbor relationship

[Figure: the topology of Figure 9-17 with OSPF labelled on every link between
the three core SPEs, on every link between a UPE and its directly connected
SPE, and on the link between the two UPEs of each site (Site1_UPE1 and
Site1_UPE2, Site2_UPE3 and Site2_UPE4, Site3_UPE5 and Site3_UPE6). CE1, CE2,
and CE3 in vpna are shown without an OSPF label.]

Deployment Roadmap
Configure OSPF as an IGP to ensure that there are reachable routes between
devices on the entire network, and establish MPLS LDP and MPLS TE tunnels using
OSPF routes. The configuration roadmap is as follows:

1. Add all devices to Area 0 and advertise their directly connected network
segments and loopback 1 addresses.
2. Configure all interfaces that are not running OSPF as silent interfaces to
prohibit these interfaces from receiving and sending OSPF packets. This
configuration enhances OSPF networking adaptability and reduces system
resource consumption.
3. Set the OSPF network type to point-to-point (P2P) on the interconnected
main interfaces using IP addresses with 31-bit subnet masks.
4. Configure synchronization between LDP and OSPF to prevent traffic loss
caused by a primary/backup LSP switchover.

9.3.3.2 Configuring OSPF

Context
Configuring OSPF ensures that there are reachable public network routes between
UPE devices and SPE devices.


Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
router id 172.16.0.5 //Configure a router ID.
#
interface Eth-Trunk4
ospf network-type p2p //Set the OSPF network type to P2P on the interconnected main interface using IP addresses with 31-bit subnet masks.
#
interface Eth-Trunk5
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
interface XGigabitEthernet6/0/4
ospf network-type p2p
#
ospf 1
silent-interface all //Disable all interfaces from sending and receiving OSPF packets.
undo silent-interface Eth-Trunk4 //Enable the interface to send and receive OSPF packets.
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10 //Set the route calculation interval to 10 ms to speed up route convergence.
lsa-originate-interval 0 //Set the interval for updating LSAs to 0.
lsa-arrival-interval 0 //Set the interval for receiving LSAs to 0. Then the changes of the topology or routes can be detected immediately, speeding up route convergence.
graceful-restart period 600 //Enable OSPF GR.
flooding-control //Restrict the flooding of updated LSAs to maintain the stability of OSPF neighbor relationships.
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%# //Set the OSPF area authentication mode and password.
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
#
● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
router id 172.16.2.51
#
interface Eth-Trunk7
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
graceful-restart period 600
bandwidth-reference 100000 //Set the bandwidth reference value for calculating interface costs.
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
#

----End

Verifying the Deployment


● Run the display ospf peer command to check OSPF neighbor information.
The following uses the command output of Core_SPE1 as an example. If the
State field displays Full, the OSPF neighbor relationship has been established.
[Core_SPE1]display ospf peer

OSPF Process 1 with Router ID 172.16.0.5


Neighbors

Area 0.0.0.0 interface 172.17.4.8(Eth-Trunk4)'s neighbors


Router ID: 172.16.0.3 Address: 172.17.4.9 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 4
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.2(Eth-Trunk5)'s neighbors


Router ID: 172.16.0.4 Address: 172.17.4.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 4
Neighbor is up for 00:53:22
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.10(Eth-Trunk17)'s neighbors


Router ID: 172.16.2.51 Address: 172.17.4.11 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 4
Neighbor is up for 00:53:34
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.10.2(XGigabitEthernet6/0/4)'s neighbors


Router ID: 172.16.2.86 Address: 172.17.10.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 32 sec
Retrans timer interval: 5
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

9.3.4 Deploying MPLS LDP


9.3.4.1 Deployment Roadmap

Figure 9-20 MPLS LDP topology
[Figure: LDP LSPs, numbered 1 to 12, between Core_SPE1, Core_SPE2 and Core_SPE3 on the core ring and Site1_UPE1, Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5 and Site3_UPE6; CE1, CE2 and CE3 attach through vpna.]

Deployment Roadmap
The deployment roadmap is as follows:
1. Configure LSR IDs and enable MPLS LDP globally and on each interface.
2. Configure synchronization between LDP and OSPF to prevent traffic loss
caused by a primary/backup LSP switchover.
3. Configure LDP GR to ensure uninterrupted traffic forwarding during a
primary/backup switchover or protocol restart.
4. Configure BFD for LSP to quickly detect LDP LSP faults on the core ring.

9.3.4.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Plan data before configuring MPLS LDP.


Table 9-27 MPLS parameters

Parameter: mpls lsr-id
Value: IP address of Loopback 1 on the LSR, used as the LSR ID
Remarks: LSR IDs must be set before other MPLS commands are run.

Parameter: label advertise
Value: non-null
Remarks: Penultimate hop popping (PHP) cannot be configured. Otherwise, the switchover performance is affected.

Parameter: bfd bind ldp-lsp
Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
Remarks: This command configures static BFD for LDP LSPs. The local discriminator of the local end must be the remote discriminator of the remote end. The local BFD detection multiplier can be adjusted. The minimum interval at which BFD packets are sent and received must be set to 3.3 ms. To speed up a traffic switchover, associate a BFD session with the port state table (PST).

9.3.4.3 Enabling MPLS LDP

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls lsr-id 172.16.0.5 //Set an MPLS LSR ID. Using a loopback interface address is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP and enable the egress node to assign labels to the penultimate hop.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk4
mpls
mpls ldp //Enable MPLS LDP on the interface.
#


interface Eth-Trunk5
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface XGigabitEthernet6/0/4
mpls
mpls ldp //Enable MPLS LDP on the interface.
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
mpls lsr-id 172.16.2.51 //Set an MPLS LSR ID. Using a loopback interface address is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP and enable the egress node to assign labels to the penultimate hop.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk7
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on the interface.
#

----End

Verifying the Deployment


● Run the display mpls ldp session all command to check the MPLS LDP
session status. The following uses the command output of Core_SPE1 as an
example. If the Status field displays Operational, the MPLS LDP session has
been established.
[Core_SPE1]display mpls ldp session all

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
172.16.0.3:0 Operational DU Passive 0000:00:56 226/226
172.16.0.4:0 Operational DU Active 0000:00:56 226/226
172.16.2.51:0 Operational DU Passive 0000:00:55 223/223
172.16.2.86:0 Operational DU Passive 0000:00:55 223/223
------------------------------------------------------------------------------
TOTAL: 4 session(s) Found.
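The two verification steps above (display ospf peer in 9.3.3.2 and display mpls ldp session all here) are normally read by eye. As an added example that is not part of the Huawei document, the following Python parses both outputs and flags neighbors that are not Full, sessions that are not Operational, and OSPF neighbors that have no LDP session at all. The cross-check assumes, as this deployment does, that each device's OSPF router ID equals its MPLS LSR ID (both are the Loopback 1 address), so an OSPF router ID can be matched against the LDP PeerID column. The sample outputs are constructed from the ones shown on this page; the degraded LDP sample is invented to exercise the checks.

```python
import re

# Constructed sample: the "display ospf peer" output for Core_SPE1 shown on this
# page, trimmed to the lines the parser needs.
OSPF_PEER_OUTPUT = """\
OSPF Process 1 with Router ID 172.16.0.5
Neighbors
Area 0.0.0.0 interface 172.17.4.8(Eth-Trunk4)'s neighbors
Router ID: 172.16.0.3 Address: 172.17.4.9 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
Area 0.0.0.0 interface 172.17.4.2(Eth-Trunk5)'s neighbors
Router ID: 172.16.0.4 Address: 172.17.4.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
Area 0.0.0.0 interface 172.17.4.10(Eth-Trunk17)'s neighbors
Router ID: 172.16.2.51 Address: 172.17.4.11 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
Area 0.0.0.0 interface 172.17.10.2(XGigabitEthernet6/0/4)'s neighbors
Router ID: 172.16.2.86 Address: 172.17.10.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
"""

# Constructed sample: the "display mpls ldp session all" output for Core_SPE1.
LDP_SESSION_OUTPUT = """\
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 172.16.0.3:0       Operational DU   Passive  0000:00:56  226/226
 172.16.0.4:0       Operational DU   Active   0000:00:56  226/226
 172.16.2.51:0      Operational DU   Passive  0000:00:55  223/223
 172.16.2.86:0      Operational DU   Passive  0000:00:55  223/223
 ------------------------------------------------------------------------------
 TOTAL: 4 session(s) Found.
"""

# Constructed failure case: the session towards 172.16.2.86 (Site3_UPE6) is not up.
LDP_SESSION_OUTPUT_DEGRADED = re.sub(r"(172\.16\.2\.86:0\s+)Operational",
                                     r"\1NonExistent", LDP_SESSION_OUTPUT)

_IFACE_RE = re.compile(r"Area (\S+) interface (\S+)\((\S+)\)'s neighbors")
_RID_RE = re.compile(r"Router ID: (\S+)\s+Address: (\S+)")
_STATE_RE = re.compile(r"^State: (\S+)")
# star, peer IP, status, LAM, role, age, keepalives sent, keepalives received
_LDP_ROW_RE = re.compile(
    r"^\s*(\*?)(\d+\.\d+\.\d+\.\d+):\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(\d+)\s*$")


def parse_ospf_peers(text):
    """One dict per neighbor block: area, interface, router_id, address, state."""
    peers, area, iface = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = _IFACE_RE.search(line)
        if m:
            area, iface = m.group(1), m.group(3)
            continue
        m = _RID_RE.search(line)
        if m:
            peers.append({"area": area, "interface": iface, "router_id": m.group(1),
                          "address": m.group(2), "state": None})
            continue
        m = _STATE_RE.match(line)          # "GR State:" sits mid-line and is skipped
        if m and peers:
            peers[-1]["state"] = m.group(1)
    return peers


def ospf_neighbors_not_full(text):
    return [(p["interface"], p["router_id"], p["state"])
            for p in parse_ospf_peers(text) if p["state"] != "Full"]


def parse_ldp_sessions(text):
    """One dict per row of the session table; header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = _LDP_ROW_RE.match(line)
        if m:
            sessions.append({"deleting": m.group(1) == "*", "peer": m.group(2),
                             "status": m.group(3), "lam": m.group(4), "role": m.group(5),
                             "age": m.group(6), "ka_sent": int(m.group(7)),
                             "ka_rcvd": int(m.group(8))})
    return sessions


def ldp_sessions_not_operational(text):
    return [(s["peer"], s["status"]) for s in parse_ldp_sessions(text)
            if s["status"] != "Operational" or s["deleting"]]


def ldp_peers_missing(ospf_text, ldp_text):
    """Full OSPF neighbors with no Operational LDP session. Because LDP is enabled on
    every OSPF-speaking interface here, such a neighbor means traffic towards it would
    be IP-forwarded rather than label-switched. Assumes router ID == LSR ID."""
    ospf_ids = {p["router_id"] for p in parse_ospf_peers(ospf_text) if p["state"] == "Full"}
    ldp_ok = {s["peer"] for s in parse_ldp_sessions(ldp_text)
              if s["status"] == "Operational" and not s["deleting"]}
    return sorted(ospf_ids - ldp_ok)
```

Run against the outputs on this page all three checks return empty lists; against the degraded LDP sample, ldp_peers_missing reports 172.16.2.86 even though its OSPF adjacency is Full, which is exactly the condition the LDP/OSPF synchronization in 9.3.4.4 exists to guard against.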

9.3.4.4 Configuring Synchronization Between LDP and OSPF

Context
LDP LSRs set up LSPs along OSPF routes. Configure synchronization between LDP
and OSPF so that, when the LDP session on the primary link fails for a reason
other than a link failure, or when the primary link recovers from a failure,
traffic is not lost during the primary/backup LSP switchover.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
interface Eth-Trunk4
ospf ldp-sync //Enable synchronization between LDP and OSPF on the interface.
ospf timer ldp-sync hold-down 20 //Set the interval during which the interface waits for creating an LDP session before establishing an OSPF neighbor relationship.
#
interface Eth-Trunk5
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface XGigabitEthernet6/0/4
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
interface Eth-Trunk7
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#

----End

9.3.4.5 Configuring LDP GR

Context
LDP graceful restart (GR) ensures uninterrupted traffic forwarding during a
primary/backup switchover or protocol restart.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls ldp
graceful-restart //Enable LDP GR.
#


● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
mpls ldp
graceful-restart
#

----End

9.3.4.6 Configuring BFD for LSPs

Context
To improve the reliability of LDP LSPs between SPE devices on the core ring,
configure static BFD for LDP LSPs to rapidly detect faults of LDP LSPs.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4 //Enable static BFD to monitor the LDP LSP between Core_SPE1 and Core_SPE2.
discriminator local 317 //Specify the local discriminator. The local discriminator of the local end must be the same as the remote discriminator of the remote end.
discriminator remote 137 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Enable the system to modify the port status table (PST) when the BFD session status changes to speed up the switchover.
commit //Commit the BFD session configuration.
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5 //Enable static BFD to monitor the LDP LSP between Core_SPE1 and Core_SPE3.
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End

Verifying the Deployment


● Run the display bfd session all for-lsp command to check the BFD for LSP
session status. The following uses the command output of Core_SPE1 as an
example. If the BFD session status is Up and the type is S_LDP_LSP on
Core_SPE1, the BFD for LSP session has been successfully established.
[Core_SPE1]display bfd session all for-lsp
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName


--------------------------------------------------------------------------------
32 23 172.16.0.4 Up S_LDP_LSP Eth-Trunk4
317 137 172.16.0.3 Up S_LDP_LSP Eth-Trunk5
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
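Two rules run through the BFD sections of this chapter: the 3.3 ms interval requirement from 9.3.2.4 (so that a switchover completes within 50 ms) and the static-BFD rule that the local discriminator of one end must equal the remote discriminator of the other. As an added example that is not from the Huawei document, the Python below checks both for a set of sessions before they are committed: it computes the RFC 5880 detection time from the two ends' intervals and multiplier, and it looks for discriminator mismatches or reuse. The SPE1toSPE2 and SPE1toSPE3 sessions are taken from this page; their counterparts on Core_SPE2 and Core_SPE3 are not shown on the page and are assumed to mirror them. Treating interval codes other than 3 as plain milliseconds is also an assumption (the page only documents 3 as 3.3 ms).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdSession:
    """One static BFD session as entered in the bfd view on this page."""
    name: str
    device: str        # device the session is configured on
    peer: str          # device at the far end of the monitored LSP
    local_disc: int    # discriminator local
    remote_disc: int   # discriminator remote
    detect_mult: int   # detect-multiplier
    min_tx: int        # min-tx-interval as typed (3 means 3.3 ms on this page)
    min_rx: int        # min-rx-interval as typed


def interval_ms(code: int) -> float:
    # Assumption for this example: only code 3 is special (3.3 ms); any other code
    # is taken literally as milliseconds.
    return 3.3 if code == 3 else float(code)


def detection_time_ms(local: BfdSession, remote: BfdSession) -> float:
    """Time after which `local` declares the path down (RFC 5880, section 6.8.4):
    the remote detect multiplier times the negotiated interval, which is the
    larger of the local min-rx-interval and the remote min-tx-interval."""
    negotiated = max(interval_ms(local.min_rx), interval_ms(remote.min_tx))
    return remote.detect_mult * negotiated


def meets_switchover_target(local: BfdSession, remote: BfdSession, target_ms: float = 50.0) -> bool:
    return detection_time_ms(local, remote) <= target_ms


def discriminator_errors(sessions):
    """Static BFD negotiates nothing: each session's local discriminator must equal
    the remote discriminator of its counterpart on the peer device and vice versa,
    and a local discriminator may be used once per device. Returns findings."""
    errors, seen = [], {}
    for s in sessions:
        key = (s.device, s.local_disc)
        if key in seen:
            errors.append(f"{s.device}: discriminator local {s.local_disc} reused by "
                          f"{seen[key]} and {s.name}")
        seen[key] = s.name
    for s in sessions:
        partners = [t for t in sessions if t.device == s.peer and t.remote_disc == s.local_disc]
        if not partners:
            errors.append(f"{s.name}: no session on {s.peer} has discriminator remote {s.local_disc}")
        elif partners[0].local_disc != s.remote_disc:
            errors.append(f"{s.name}: discriminator remote {s.remote_disc} does not match "
                          f"discriminator local {partners[0].local_disc} of {partners[0].name}")
    return errors


# Constructed sample: the two sessions on this page plus assumed mirror sessions.
SPE1_TO_SPE2 = BfdSession("SPE1toSPE2", "Core_SPE1", "Core_SPE2", 317, 137, 8, 3, 3)
SPE2_TO_SPE1 = BfdSession("SPE2toSPE1", "Core_SPE2", "Core_SPE1", 137, 317, 8, 3, 3)
SPE1_TO_SPE3 = BfdSession("SPE1toSPE3", "Core_SPE1", "Core_SPE3", 32, 23, 8, 3, 3)
SPE3_TO_SPE1 = BfdSession("SPE3toSPE1", "Core_SPE3", "Core_SPE1", 23, 32, 8, 3, 3)
CORE_RING = [SPE1_TO_SPE2, SPE2_TO_SPE1, SPE1_TO_SPE3, SPE3_TO_SPE1]

# Constructed mistake: the Core_SPE3 side has its two discriminators swapped.
SPE3_TO_SPE1_SWAPPED = BfdSession("SPE3toSPE1", "Core_SPE3", "Core_SPE1", 32, 23, 8, 3, 3)
CORE_RING_BROKEN = [SPE1_TO_SPE2, SPE2_TO_SPE1, SPE1_TO_SPE3, SPE3_TO_SPE1_SWAPPED]

# Constructed: a peer that can only send BFD packets every 10 ms (no enhanced mode).
SPE2_TO_SPE1_SLOW = BfdSession("SPE2toSPE1", "Core_SPE2", "Core_SPE1", 137, 317, 8, 10, 3)
```

With both ends at 3.3 ms and multiplier 8 the detection time is 26.4 ms, inside the 50 ms budget. If one end can only transmit every 10 ms, the negotiated interval becomes 10 ms and detection takes 80 ms regardless of what the other end is configured for, which is why 9.3.2.4 requires 3.3 ms support on every device rather than on just one.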

9.3.5 Deploying MPLS TE

9.3.5.1 Deployment Roadmap

Figure 9-21 MPLS TE topology
[Figure: TE tunnels between Site2_UPE3, Site2_UPE4, Core_SPE2 and Core_SPE3. Primary tunnels TE1 and TE3 and backup tunnels TE2 and TE4 use paths 1 to 8. Legend: TE tunnel primary path; TE tunnel backup path; dashed lines of the same color indicate the primary and backup paths of one TE tunnel; pipes indicate the primary and backup TE tunnels of the L3VPN service.]

The deployment roadmap is as follows:


1. Enable MPLS TE.
2. Enable MPLS, MPLS TE, and MPLS TE Constrained Shortest Path First (CSPF)
globally on each node along TE tunnels, and deploy MPLS and MPLS TE on
the interfaces along the TE tunnels.
3. Configure tunnel paths, enable each node to use primary and backup TE
tunnels, and configure primary and hot-standby CR-LSPs using the affinity
attribute.
4. Create L3VPN service tunnels.
a. Create primary tunnels.
▪ Establish a primary tunnel TE1 between Site2_UPE3 and Core_SPE2.
Specify path 1 as the primary CR-LSP and path 2 as the hot-standby CR-LSP.
▪ Establish a primary tunnel TE3 between Site2_UPE4 and Core_SPE3.
Specify path 5 as the primary CR-LSP and path 6 as the hot-standby CR-LSP.


b. Create backup tunnels.
▪ Establish a backup tunnel TE2 between Site2_UPE3 and Core_SPE3, which is
the backup tunnel of the primary tunnel TE1. Specify path 3 as the primary
CR-LSP and path 4 as the hot-standby CR-LSP.
▪ Establish a backup tunnel TE4 between Site2_UPE4 and Core_SPE2, which is
the backup tunnel of the primary tunnel TE3. Specify path 7 as the primary
CR-LSP and path 8 as the hot-standby CR-LSP.
c. Configure Resource Reservation Protocol (RSVP) GR.
Enable RSVP GR on all devices to prevent network interruptions caused
by an active/standby switchover of RSVP nodes and restore dynamic CR-
LSPs.
d. Configure BFD for CR-LSPs.
Configure static BFD for CR-LSPs on all devices to speed up the
switchover between the primary and hot-standby CR-LSPs.
5. Create a tunnel policy.
Configure TE tunnels to be preferentially selected.

9.3.5.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Table 9-28 MPLS parameters

Parameter: mpls te
Value: -
Remarks: Enable MPLS TE.

Parameter: mpls rsvp-te
Value: -
Remarks: Enable MPLS RSVP-TE.

Parameter: mpls rsvp-te hello
Value: -
Remarks: Enable the RSVP Hello extension mechanism.

Parameter: mpls rsvp-te hello full-gr
Value: -
Remarks: Enable the RSVP GR capability and RSVP GR Helper capability on a GR node.

Parameter: mpls te cspf
Value: -
Remarks: Enable the MPLS TE CSPF algorithm.


Table 9-29 MPLS TE tunnel parameters

Parameter: interface Tunnel
Value: Number of a tunnel interface
Remarks: To facilitate maintenance, it is recommended that tunnel IDs be associated with device names and that descriptions be added for tunnel interfaces.

Parameter: ip address unnumbered
Value: interface LoopBack1
Remarks: Configure a tunnel interface to borrow the IP address of loopback 1.

Parameter: tunnel-protocol
Value: mpls te
Remarks: Enable the TE tunnel function.

Parameter: destination
Value: Loopback 1 address of the remote device
Remarks: Specify a destination IP address.

Parameter: mpls te tunnel-id
Value: Tunnel ID
Remarks: Set a tunnel ID.

Parameter: mpls te affinity property
Value: Affinity attribute for the primary and hot-standby CR-LSPs, based on the administrative group attributes of links
Remarks: -

Parameter: mpls te backup
Value: hot-standby
Remarks: Set the backup mode of a tunnel to hot-standby.

Parameter: bfd bind mpls-te interface Tunnel te-lsp
Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
Remarks: Configure static BFD to detect the hot-standby CR-LSP of a TE tunnel. Set the local discriminator of the local end to be the same as the remote discriminator of the remote end, and adjust the local detection multiplier of BFD. Set the minimum interval at which BFD packets are sent and received to 3.3 ms. Associate a BFD session with the PST to speed up a traffic switchover.

Parameter: bfd bind mpls-te interface Tunnel
Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
Remarks: Configure static BFD to detect the primary CR-LSP of a TE tunnel. Set the local discriminator of the local end to be the same as the remote discriminator of the remote end, and adjust the local detection multiplier of BFD. Set the minimum interval at which BFD packets are sent and received to 3.3 ms. Associate a BFD session with the PST to speed up a traffic switchover.

Parameter: tunnel-policy
Value: Tunnel policy name TSel, with tunnel select-seq cr-lsp lsp load-balance-number 1. Tunnel policy on a core device: TE, with tunnel select-seq cr-lsp load-balance-number 1.
Remarks: Configure tunnel policies for preferentially selecting CR-LSPs.

Table 9-30 MPLS TE tunnel list

Tunnel (both directions)                             Tunnel Interface   Tunnel ID
Core_SPE1 to Site1_UPE1 / Site1_UPE1 to Core_SPE1    Tunnel611          71
Core_SPE1 to Site1_UPE2 / Site1_UPE2 to Core_SPE1    Tunnel622          82
Core_SPE1 to Site3_UPE5 / Site3_UPE5 to Core_SPE1    Tunnel721          312
Core_SPE1 to Site3_UPE6 / Site3_UPE6 to Core_SPE1    Tunnel711          311
Core_SPE2 to Site2_UPE3 / Site2_UPE3 to Core_SPE2    Tunnel111          111
Core_SPE2 to Site2_UPE4 / Site2_UPE4 to Core_SPE2    Tunnel121          121
Core_SPE2 to Site1_UPE1 / Site1_UPE1 to Core_SPE2    Tunnel612          72
Core_SPE2 to Site1_UPE2 / Site1_UPE2 to Core_SPE2    Tunnel621          81
Core_SPE3 to Site2_UPE3 / Site2_UPE3 to Core_SPE3    Tunnel112          112
Core_SPE3 to Site2_UPE4 / Site2_UPE4 to Core_SPE3    Tunnel122          122
Core_SPE3 to Site3_UPE5 / Site3_UPE5 to Core_SPE3    Tunnel722          322
Core_SPE3 to Site3_UPE6 / Site3_UPE6 to Core_SPE3    Tunnel712          321

9.3.5.3 Configuring MPLS TE Tunnels and Hot Standby

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk4
mpls te //Enable MPLS TE on the interface.
mpls te link administrative group c //Configure an administrative group attribute for selecting the primary and backup paths of a TE tunnel.
mpls rsvp-te //Enable RSVP-TE on the interface.
#
interface Eth-Trunk5
mpls te
mpls te link administrative group 30
mpls rsvp-te
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
interface XGigabitEthernet6/0/4
mpls te
mpls te link administrative group 20
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque LSA capability.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the current OSPF area.
#
interface Tunnel611 //Specify the tunnel from Core_SPE1 to Site1_UPE1.
description Core_SPE1 to Site1_UPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface to borrow the IP address of loopback 1.
tunnel-protocol mpls te //Configure MPLS TE as a tunneling protocol.
destination 172.16.2.51 //Configure the IP address of Site1_UPE1 as the tunnel destination IP address.
mpls te tunnel-id 71 //Set a tunnel ID, which must be valid and unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity attribute of the hot-standby CR-LSP.
mpls te backup hot-standby //Set the backup mode of the tunnel to hot-standby mode.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for the configuration to take effect.
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure CR-LSPs to be preferentially selected.
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk7
mpls te //Enable MPLS TE on the interface.
mpls te link administrative group c //Configure an administrative group attribute for selecting the primary and backup paths of a TE tunnel.
mpls rsvp-te //Enable RSVP-TE on the interface.
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque LSA capability.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the current OSPF area.
#
interface Tunnel611 //Specify the tunnel from Site1_UPE1 to Core_SPE1.
description Site1_UPE1 to Core_SPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface to borrow the IP address of loopback 1.
tunnel-protocol mpls te //Configure MPLS TE as a tunneling protocol.
destination 172.16.0.5 //Configure the IP address of Core_SPE1 as the tunnel destination IP address.
mpls te tunnel-id 71 //Set a tunnel ID, which must be valid and unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity attribute of the hot-standby CR-LSP.
mpls te backup hot-standby //Set the backup mode of the tunnel to hot-standby mode.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for the configuration to take effect.
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure CR-LSPs to be preferentially selected.
#

----End

Verifying the Deployment


● Run the display mpls te tunnel-interface Tunnel command to check tunnel
interface information on a local node.
The following uses Tunnel 611 from Core_SPE1 to Site1_UPE1 as an example.
If both the primary and hot-standby LSPs of Tunnel 611 are in UP state, the
primary and hot-standby LSPs have been established successfully.


[Core_SPE1]display mpls te tunnel-interface Tunnel611


----------------------------------------------------------------
Tunnel611
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 71
Ingress LSR ID : 172.16.0.5 Egress LSR ID: 172.16.2.51
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 1
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32772
● Run the display mpls te hot-standby state all command to check the status
of all hot-standby tunnels.
The following uses Core_SPE1 as an example. If all hot-standby tunnels are in
Primary LSP state, traffic has been switched to primary CR-LSPs.
[Core_SPE1]display mpls te hot-standby state all
---------------------------------------------------------------------
No. tunnel name session id switch result
---------------------------------------------------------------------
1 Tunnel611 71 Primary LSP
2 Tunnel622 82 Primary LSP
3 Tunnel711 311 Primary LSP
4 Tunnel721 312 Primary LSP
● Run the ping lsp te tunnel command to check the bidirectional connectivity
of the primary and backup TE tunnels of each device.
The following uses Tunnel 611 from Core_SPE1 to Site1_UPE1 as an example.
Run the following commands on both ends of the TE tunnel.
[Core_SPE1] ping lsp te Tunnel611
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes, press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=5 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
[Core_SPE1] ping lsp te Tunnel611 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes, press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
● Run the tracert lsp te Tunnel command to detect LSPs.
The following uses Tunnel 611 from Core_SPE1 to Site1_UPE1 as an example.
Ensure that the primary and hot-standby tunnel paths are different.
[Core_SPE1]tracert lsp te Tunnel611
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress


[Core_SPE1]tracert lsp te Tunnel611 hot-standby


LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.9/[1391 ]
1 172.17.4.9 3 ms Transit 172.17.4.13/[1169 ]
2 172.17.4.13 7 ms Transit 172.17.4.14/[1109 ]
3 172.16.2.51 4 ms Egress
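The primary and hot-standby CR-LSPs of Tunnel611 end up on different paths because CSPF only admits links whose administrative group satisfies the tunnel's affinity and mask, and the two CR-LSPs were given complementary affinities (4/4 and 8/8). As an added example that is not from the Huawei document, the Python below applies that admission rule and a constrained shortest-path search to a small topology built from the values on this page, then confirms that the two paths it finds are link-disjoint, which is the check the tracert step above asks for. The affinity rule is my reading of Huawei's documented semantics (for each mask bit set: an affinity bit of 1 requires at least one of those bits in the link's group, an affinity bit of 0 forbids it; unmasked bits are ignored) and is stated as an assumption. Administrative groups for Eth-Trunk17 (4), Eth-Trunk4 (c) and Site1_UPE1's Eth-Trunk7 (c) are from this page; the Core_SPE2 to Site1_UPE2 link, its group of 8, the identification of the 172.17.4.13 transit hop as Site1_UPE2, and the equal TE metrics are assumptions made to reproduce the tracert output shown.

```python
import heapq

# Constructed topology: (node_a, node_b, administrative group, TE metric).
LINKS = [
    ("Core_SPE1", "Site1_UPE1", 0x4, 1),   # Eth-Trunk17, group 4 on this page
    ("Core_SPE1", "Core_SPE2", 0xc, 1),    # Eth-Trunk4, group c on this page
    ("Core_SPE2", "Site1_UPE2", 0x8, 1),   # assumed: link and group not shown on the page
    ("Site1_UPE2", "Site1_UPE1", 0xc, 1),  # Eth-Trunk7 on Site1_UPE1, group c on this page
]


def link_admitted(affinity: int, mask: int, admin_group: int) -> bool:
    """Assumed Huawei affinity semantics: for mask bits that are 1, an affinity bit of 1
    requires at least one such bit in the link group and an affinity bit of 0 forbids
    that bit; mask bits that are 0 are not checked."""
    required = affinity & mask
    forbidden = mask & ~affinity
    if admin_group & forbidden:
        return False
    if required and not (admin_group & required):
        return False
    return True


def cspf(links, src, dst, affinity, mask):
    """Dijkstra restricted to links the affinity admits. Returns the node list of the
    path, or None when no path satisfies the constraint."""
    adj = {}
    for a, b, group, metric in links:
        if not link_admitted(affinity, mask, group):
            continue
        adj.setdefault(a, []).append((b, metric))
        adj.setdefault(b, []).append((a, metric))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def link_disjoint(path_a, path_b) -> bool:
    """True when the two paths share no link (the property hot standby relies on)."""
    def edges(p):
        return {frozenset(e) for e in zip(p, p[1:])}
    return not (edges(path_a) & edges(path_b))


def tunnel611_paths():
    """Primary (affinity 4 mask 4) and hot-standby (affinity 8 mask 8) CR-LSPs of
    Tunnel611 from Core_SPE1 to Site1_UPE1, as configured on this page."""
    primary = cspf(LINKS, "Core_SPE1", "Site1_UPE1", affinity=0x4, mask=0x4)
    backup = cspf(LINKS, "Core_SPE1", "Site1_UPE1", affinity=0x8, mask=0x8)
    return primary, backup
```

tunnel611_paths() returns the direct Core_SPE1 to Site1_UPE1 link for the primary CR-LSP and Core_SPE1, Core_SPE2, Site1_UPE2, Site1_UPE1 for the hot-standby one, matching the one-hop and three-hop tracert results above. Note that Eth-Trunk4 (group c) is admitted by both affinities; the primary avoids it only because the direct link is shorter, so disjointness here depends on the metrics as much as on the affinities, which is why the tracert check is worth keeping.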

9.3.5.4 Configuring RSVP GR

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension function globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR capability and RSVP GR Helper capability.
#
interface Eth-Trunk4
mpls rsvp-te hello //Enable the RSVP Hello extension function on the interface.
#
interface Eth-Trunk5
mpls rsvp-te hello
#
interface Eth-Trunk17
mpls rsvp-te hello
#
interface XGigabitEthernet6/0/4
mpls rsvp-te hello
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension function globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR capability and RSVP GR Helper capability.
#
interface Eth-Trunk7
mpls rsvp-te hello //Enable the RSVP Hello extension function on the interface.
#
interface Eth-Trunk17
mpls rsvp-te hello
#

----End

9.3.5.5 Configuring BFD for CR-LSPs

Procedure
● Configure SPE devices.

The following uses the configuration of Core_SPE1 on the core ring as an


example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 737


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup //Enable static BFD to detect the
hot-standby CR-LSP of Tunnel 611.
discriminator local 6116 //Specify the local discriminator. The local discriminator of the local end
must be the same as the remote discriminator of the remote end.
discriminator remote 6115 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3
ms.
process-pst //Enable the system to modify the PST when the BFD session status changes to speed
up the switchover.
commit //Commit the BFD session configuration.
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 611.
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 622.
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 622.
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 721.
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 721.
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 711.
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 711.
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to that of Site1_UPE1.
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 611.
discriminator local 6115 //Specify the local discriminator. The local discriminator of the local end must be the same as the remote discriminator of the remote end.
discriminator remote 6116 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Enable the system to modify the PST when the BFD session status changes to speed up the switchover.
commit //Commit the BFD session configuration.
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 611.
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 612.
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 612.
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End
Verifying the Deployment


● Run the display bfd session all for-te command to check the BFD session
status.
The following uses the command output of Core_SPE1 as an example. If the
BFD sessions that monitor tunnels of the S_TE_LSP type are in Up state, BFD
sessions have been established successfully.
[Core_SPE1]display bfd session all for-te
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
7112 7111 172.16.2.86 Up S_TE_LSP Tunnel711
7212 7211 172.16.2.87 Up S_TE_LSP Tunnel721
7216 7215 172.16.2.87 Up S_TE_LSP Tunnel721
7116 7115 172.16.2.86 Up S_TE_LSP Tunnel711
6226 6225 172.16.2.50 Up S_TE_LSP Tunnel622
6116 6115 172.16.2.51 Up S_TE_LSP Tunnel611
6112 6111 172.16.2.51 Up S_TE_LSP Tunnel611
6222 6221 172.16.2.50 Up S_TE_LSP Tunnel622
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 8/0
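A static BFD session only comes up when the two ends agree on the discriminator pair, the bound tunnel, and the CR-LSP role, and a session that never comes up leaves the hot-standby CR-LSP without fault detection even though the tunnel itself is Up. The following Python script is an added example, not part of the Huawei document: it parses the Tunnel611 BFD blocks of Core_SPE1 and Site1_UPE1 from the procedure above (trimmed to the header and discriminator lines the check needs), verifies that each session on one end has a mirror on the other end (local and remote discriminators swapped, same tunnel, same primary/backup role), and then confirms against the Core_SPE1 `display bfd session all for-te` output above that every configured session is Up on its tunnel. The mistyped discriminator it also checks is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not part of the Huawei document. The two configuration
# strings are the Tunnel611 static BFD sessions of Core_SPE1 and Site1_UPE1
# from 9.3.5.5, trimmed to the lines this check reads (timers and
# process-pst dropped); the display text is Core_SPE1's output from above.
SPE1_CONFIG = """\
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6116
 discriminator remote 6115
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6112
 discriminator remote 6111
#
"""
UPE1_CONFIG = """\
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6115
 discriminator remote 6116
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6111
 discriminator remote 6112
#
"""
# Constructed fault for the demo: one remote discriminator is mistyped.
UPE1_CONFIG_TYPO = UPE1_CONFIG.replace("remote 6116", "remote 6161")

SPE1_DISPLAY = """\
Local Remote PeerIpAddr State Type InterfaceName
7112 7111 172.16.2.86 Up S_TE_LSP Tunnel711
7212 7211 172.16.2.87 Up S_TE_LSP Tunnel721
7216 7215 172.16.2.87 Up S_TE_LSP Tunnel721
7116 7115 172.16.2.86 Up S_TE_LSP Tunnel711
6226 6225 172.16.2.50 Up S_TE_LSP Tunnel622
6116 6115 172.16.2.51 Up S_TE_LSP Tunnel611
6112 6111 172.16.2.51 Up S_TE_LSP Tunnel611
6222 6221 172.16.2.50 Up S_TE_LSP Tunnel622
Total UP/DOWN Session Number : 8/0
"""

HEADER_RE = re.compile(r"^bfd (\S+) bind mpls-te interface (\S+) te-lsp( backup)?$")

@dataclass
class BfdSession:
    name: str
    tunnel: str
    backup: bool          # True = monitors the hot-standby CR-LSP
    local: int = 0
    remote: int = 0

def parse_bfd_config(text: str) -> List[BfdSession]:
    """Collect name, bound tunnel, CR-LSP role and discriminators per bfd block."""
    sessions: List[BfdSession] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = BfdSession(m.group(1), m.group(2), m.group(3) is not None)
            sessions.append(cur)
        elif cur is not None and line.startswith("discriminator local "):
            cur.local = int(line.split()[-1])
        elif cur is not None and line.startswith("discriminator remote "):
            cur.remote = int(line.split()[-1])
        elif line == "#":
            cur = None
    return sessions

def parse_display(text: str) -> Dict[Tuple[int, int], Tuple[str, str]]:
    """Map (Local, Remote) discriminators to (State, InterfaceName)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = (parts[3], parts[5])
    return table

def check_pairing(side_a: List[BfdSession], side_b: List[BfdSession]) -> List[str]:
    """Every session on A needs a mirror on B: swapped discriminators, same tunnel and role."""
    problems = []
    for s in side_a:
        mirrors = [t for t in side_b if t.local == s.remote and t.remote == s.local]
        if not mirrors:
            problems.append(f"{s.name}: no peer session with local {s.remote}/remote {s.local}")
        elif mirrors[0].tunnel != s.tunnel or mirrors[0].backup != s.backup:
            problems.append(f"{s.name}/{mirrors[0].name}: tunnel or CR-LSP role differs")
    return problems

def check_status(sessions: List[BfdSession], display: Dict) -> List[str]:
    """Every configured session must be Up and bound to its tunnel in the display output."""
    problems = []
    for s in sessions:
        entry = display.get((s.local, s.remote))
        if entry is None:
            problems.append(f"{s.name}: not present in 'display bfd session all for-te'")
        elif entry != ("Up", s.tunnel):
            problems.append(f"{s.name}: got {entry}, expected ('Up', '{s.tunnel}')")
    return problems

if __name__ == "__main__":
    spe1, upe1 = parse_bfd_config(SPE1_CONFIG), parse_bfd_config(UPE1_CONFIG)
    print("pairing:", check_pairing(spe1, upe1) or "OK")
    print("status: ", check_status(spe1, parse_display(SPE1_DISPLAY)) or "OK")
    print("typo:   ", check_pairing(spe1, parse_bfd_config(UPE1_CONFIG_TYPO)))
```

Run the pairing check in both directions (A against B and B against A) so that a session configured on only one end is reported too; the same check applies unchanged to the BFD-for-VRRP sessions in 9.3.6.5 once the header pattern is widened to `bind peer-ip`.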

9.3.6 Deploying L3VPN Services and Protection (HoVPN)

9.3.6.1 Deployment Roadmap


On a subway bearer network, IP tunnels between nodes need to be established to
transmit L3VPN services. For example, establish a hierarchical L3VPN tunnel from
Site1_UPE1 to Site2_UPE3 to transmit IP data services between Site1 and Site2, as
shown in Figure 9-22.


Figure 9-22 Hierarchical L3VPN
[Figure: CE1 (vpna) is dual-homed to Site1_UPE1 and Site1_UPE2, CE2 (vpna) to Site2_UPE3 and Site2_UPE4, and CE3 (vpna) to Site3_UPE5 and Site3_UPE6. The UPE devices connect over L3VPN to Core_SPE1, Core_SPE2 and Core_SPE3. Specific routes are advertised from UPE to SPE devices and default routes from SPE to UPE devices. VPN FRR is marked at the UPE and SPE devices, IP+VPN hybrid FRR between Site2_UPE3 and Site2_UPE4, and the primary path for service traffic of vpna is highlighted.]

The deployment roadmap is as follows:

1. Deploy MP-BGP.
– Establish Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationships between UPE and SPE devices, and between SPE devices.
– Plan the route target (RT) so that traffic from UPE devices to SPE devices follows default routes and traffic from SPE devices to UPE devices follows specific routes.
– Configure a routing policy to ensure that traffic from a specific UPE
device to other sites is preferentially forwarded by the SPE device directly
connected to the UPE device.
– Configure a routing policy to ensure that traffic from a specific SPE device
to other sites is preferentially forwarded by the UPE device directly
connected to the SPE device.
– Configure a route filtering policy to prevent a specific SPE device at a site
from advertising ARP Vlink direct routes to UPE devices at other sites.
– Configure a route filtering policy to prevent a specific SPE device from
receiving routes of sites directly connected to this SPE device from other
SPE devices. If an SPE device receives such routes from other SPE devices,
routing loops may occur. For example, prevent Core_SPE2 from receiving
any routes of Site1 from Core_SPE1 or any routes of Site2 from
Core_SPE3.

2. Deploy VPN services.
– Deploy VPN instances on UPE devices and SPE devices, and bind
interfaces to the VPN instances on UPE devices but not on SPE devices.
– Preferentially use TE tunnels to transmit VPN services on UPE devices. In
hybrid FRR mode, LSPs can be used to transmit VPN services.
– Configure a tunnel selector on an SPE device to enable the SPE device to
select any tunnel policy when the next-hop address prefix of a VPNv4
route is the IP address prefix of another SPE device and to select a TE
tunnel in other scenarios.
– Deploy VRRP on two UPE devices at a site, and configure the UPE devices
to advertise ARP Vlink direct routes to their connected SPE devices so that
the SPE devices select the optimal route to send packets to CE devices.
3. Deploy reliability protection.
– Deploy VRRP on two UPE devices at a site to implement gateway backup
and ensure reliability of uplink traffic on CE devices. Configure backup
devices to forward service traffic, minimizing the impact of VRRP
switchovers on services.
– Deploy VPN FRR on UPE devices. If the TE tunnel between a UPE device
and an SPE device is faulty, traffic is automatically switched to the TE
tunnel between the UPE device and another SPE device at the same site,
minimizing the impact on VPN services.
– Deploy VPN FRR on an SPE device. If the SPE device is faulty, VPN
services are switched to another SPE device, implementing a fast E2E
switchover of VPN services.
– Deploy VPN FRR on an SPE device. If the TE tunnel between an SPE
device and a UPE device is faulty, traffic is automatically switched to the
TE tunnel between the SPE device and another UPE device at the same
site, minimizing the impact on VPN services.
– Deploy IP + VPN hybrid FRR on UPE devices. If the interface of a UPE
device detects a fault on the link between the UPE device and its
connected CE device, the UPE device quickly switches traffic to its remote
UPE device, which then forwards the traffic to the CE device.
– Deploy VPN GR on all UPE devices and SPE devices to ensure
uninterrupted VPN traffic forwarding during an active/standby switchover
on the device that is transmitting VPN services.

9.3.6.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Table 9-31 Service interfaces

NE         | Role      | Value                                       | Remarks
Site1_UPE1 | interface | XGigabitEthernet1/0/4.200: 172.18.200.66/26 | -
Site1_UPE2 | interface | XGigabitEthernet1/0/4.200: 172.18.200.67/26 | -
Site2_UPE3 | interface | XGigabitEthernet0/0/2.150: 172.18.150.2/26  | -
Site2_UPE4 | interface | XGigabitEthernet0/0/2.150: 172.18.150.3/26  | -
Site3_UPE5 | interface | XGigabitEthernet0/0/2.100: 172.18.100.2/26  | -
Site3_UPE6 | interface | XGigabitEthernet0/0/2.100: 172.18.100.3/26  | -

Table 9-32 MPLS VPN parameters

Parameter                | Value                                                    | Remarks
VPN instance name        | vpna                                                     | -
Route distinguisher (RD) | UPE: 1:1; Core_SPE1: 5:1; Core_SPE2: 3:1; Core_SPE3: 4:1 | In this solution, it is recommended that the same RD value be set on UPE and SPE devices. If different RD values are set, to make VPN FRR take effect, run the vpn-route cross multipath command to add multiple VPNv4 routes to a VPN instance with a different RD value from these routes' RD values.
RT                       | 0:1                                                      | Plan the same RT on the entire network.


Table 9-33 BGP parameters

Device     | BGP process ID | Router ID   | Peer group devCore     | Peer group devHost                                 | policy vpn-target | Tunnel selector | Priority of peer routes
Core_SPE1  | 65000          | 172.16.0.5  | 172.16.0.3, 172.16.0.4 | 172.16.2.50, 172.16.2.51, 172.16.2.86, 172.16.2.87 | Enable            | Deploy          | -
Core_SPE2  | 65000          | 172.16.0.3  | 172.16.0.4, 172.16.0.5 | 172.16.2.50, 172.16.2.51, 172.16.2.75, 172.16.2.76 | Enable            | Deploy          | -
Core_SPE3  | 65000          | 172.16.0.4  | 172.16.0.3, 172.16.0.5 | 172.16.2.75, 172.16.2.76, 172.16.2.86, 172.16.2.87 | Enable            | Deploy          | -
Site1_UPE1 | 65000          | 172.16.2.51 | 172.16.0.3, 172.16.0.5 | 172.16.2.50                                        | Enable            | -               | Increase the priority of routes from Core_SPE1 so that the UPE always prefers the routes advertised by Core_SPE1.
Site1_UPE2 | 65000          | 172.16.2.50 | 172.16.0.3, 172.16.0.5 | 172.16.2.51                                        | Enable            | -               | Increase the priority of routes from Core_SPE2 so that the UPE always prefers the routes advertised by Core_SPE2.
Site2_UPE3 | 65000          | 172.16.2.75 | 172.16.0.3, 172.16.0.4 | 172.16.2.76                                        | Enable            | -               | Increase the priority of routes from Core_SPE2 so that the UPE always prefers the routes advertised by Core_SPE2.
Site2_UPE4 | 65000          | 172.16.2.76 | 172.16.0.3, 172.16.0.4 | 172.16.2.75                                        | Enable            | -               | Increase the priority of routes from Core_SPE3 so that the UPE always prefers the routes advertised by Core_SPE3.
Site3_UPE5 | 65000          | 172.16.2.87 | 172.16.0.4, 172.16.0.5 | 172.16.2.86                                        | Enable            | -               | Increase the priority of routes from Core_SPE3 so that the UPE always prefers the routes advertised by Core_SPE3.
Site3_UPE6 | 65000          | 172.16.2.86 | 172.16.0.4, 172.16.0.5 | 172.16.2.87                                        | Enable            | -               | Increase the priority of routes from Core_SPE1 so that the UPE always prefers the routes advertised by Core_SPE1.


9.3.6.3 Configuring MP-BGP

BGP Connections
[Figure: BGP peer relationships between Core_SPE1, Core_SPE2 and Core_SPE3 and the UPE devices of Site1 (CE1, vpna), Site2 (CE2, vpna) and Site3 (CE3, vpna). Legend: BGP peers; route preferred value (200 or 300 per peer); route community attributes (100:100, 200:200, 300:300, 12:12, 13:13, 23:23, 5720:5720).]

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp //Configure a tunnel selector to enable Core_SPE1 to select any tunnel for route recursion when the next-hop address prefix of a VPNv4 route is the IP address prefix of another SPE.
#
tunnel-selector TSel permit node 10 //Configure a tunnel selector to allow the routes received from an IBGP peer to recurse to a TE tunnel if the routes need to be forwarded to another IBGP peer and the next hops of the routes need to be changed to the local IP address.
apply tunnel-policy TE
#
bgp 65000
group devCore internal //Create an IBGP peer group.
peer devCore connect-interface LoopBack1 //Specify loopback 1 and its address as the source interface and address of BGP messages.
peer 172.16.0.3 as-number 65000 //Establish a peer relationship between SPE devices.
peer 172.16.0.3 group devCore //Add Core_SPE2 (172.16.0.3) to the peer group.
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
tunnel-selector TSel //Configure a tunnel selector to allow BGP VPNv4 routes sent to UPE devices to recurse to TE tunnels and BGP VPNv4 routes sent to other SPE devices to recurse to LSPs. This is because an SPE device advertises default routes to UPE devices, forwards routes of UPE devices to other SPE devices and changes the next hops of the UPE devices' routes to itself.
peer devCore enable
peer devCore route-policy core-import import //Configure Core_SPE1 to filter all routes of sites connected to itself when it receives routes from other SPE devices.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import //Configure Core_SPE1 to filter host routes when receiving routes from UPE devices, set the preferred value of the routes received from its directly connected UPE devices to 300, and set the preferred value of the routes received from other UPE devices to 200.
peer devHost advertise-community //Advertise community attributes to the peer group.
peer devHost upe //Configure the peer devHost as a UPE device.
peer devHost default-originate vpn-instance vpna //Configure Core_SPE1 to send the default routes of the VPN instance vpna to the UPE device devHost.
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
#
route-policy p_iBGP_RR_in deny node 5 //Filter host routes of all sites.
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11 //Set the preferred value of the routes received from its directly connected UPE devices to 300.
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12 //Set the preferred value of the routes received from indirectly connected UPE devices to 200.
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13 //Set the preferred value of the routes received from indirectly connected UPE devices to 200.
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20 //Permit all the other routes.
#
route-policy core-import deny node 5 //Deny all routes of sites directly connected to Core_SPE1.
if-match community-filter site12
#
route-policy core-import deny node 6 //Deny all routes of sites directly connected to Core_SPE1.
if-match community-filter site13
#
route-policy core-import permit node 10 //Permit all the other routes.
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32 //Permit all 32-bit host routes and deny all the other routes.
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32 //Permit routes to 172.16.0.3/32 and 172.16.0.4/32 and deny all the other routes.
#
ip community-filter basic site1 permit 100:100 //Create a community attribute filter site1 and set the community attribute to 100:100.
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
bgp 65000
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export //Configure the community attribute of routes advertised by Site1_UPE1 to SPE devices.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200 //Set the preferred value of the routes received from Core_SPE2 to 200.
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300 //Set the preferred value of the routes received from Core_SPE1 to 300 so that Site1_UPE1 always selects routes received from Core_SPE1.
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
#
route-policy p_iBGP_host_ex permit node 0 //Add the community attribute to routes.
apply community 100:100 5720:5720 12:12
#

----End
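The route policies above are what keep the hierarchy loop-free: Core_SPE1 drops /32 host routes it learns from UPE devices, ranks routes from its directly connected site higher than routes from the other sites, and refuses routes of its own sites when another SPE reflects them back. The following Python model is an added example, not part of the Huawei document. It encodes p_iBGP_RR_in, core-import and the six community filters exactly as configured above and applies them to routes tagged the way Site1_UPE1's p_iBGP_host_ex export policy tags them (100:100 5720:5720 12:12). The node semantics it implements are the Huawei route-policy rules: nodes are evaluated in ascending order, all if-match clauses within one node must match, the first matching node decides, and a route that matches no node is denied. The sample prefixes come from Table 9-31 and the static ARP entry in 9.3.6.4; the Site2 community set (200:200 5720:5720 23:23, following the BGP Connections figure) is an assumption, because Site2's export policy is not shown on the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example, not from the Huawei document: a model of the route policies
# configured on Core_SPE1 above. Huawei route-policy semantics modelled here:
# nodes are tried in ascending order, every if-match clause of a node must
# match (AND), the first matching node decides, no matching node = deny.
COMMUNITY_FILTERS = {          # ip community-filter basic <name> permit <value>
    "site1": "100:100", "site2": "200:200", "site3": "300:300",
    "all_site": "5720:5720", "site12": "12:12", "site13": "13:13",
}

@dataclass
class Route:
    prefix: str
    communities: Set[str]
    preferred_value: int = 0

    @property
    def is_host(self) -> bool:   # ip ip-prefix deny_host: 0.0.0.0/0 ge 32 le 32
        return self.prefix.endswith("/32")

@dataclass
class Node:
    action: str                                        # "permit" or "deny"
    filters: List[str] = field(default_factory=list)   # if-match community-filter
    host_only: bool = False                            # if-match ip-prefix deny_host
    preferred_value: Optional[int] = None              # apply preferred-value

    def matches(self, r: Route) -> bool:
        if self.host_only and not r.is_host:
            return False
        return all(COMMUNITY_FILTERS[f] in r.communities for f in self.filters)

def apply_policy(nodes: List[Node], r: Route) -> Optional[Route]:
    """Return the route (with apply clauses applied) if permitted, None if denied."""
    for n in nodes:
        if not n.matches(r):
            continue
        if n.action == "deny":
            return None
        out = Route(r.prefix, set(r.communities), r.preferred_value)
        if n.preferred_value is not None:
            out.preferred_value = n.preferred_value
        return out
    return None                                        # implicit deny

# route-policy p_iBGP_RR_in: import from peer group devHost (UPE devices)
P_IBGP_RR_IN = [
    Node("deny", ["all_site"], host_only=True),        # node 5: drop /32 host routes
    Node("permit", ["site1"], preferred_value=300),    # node 11: directly connected site
    Node("permit", ["site2"], preferred_value=200),    # node 12
    Node("permit", ["site3"], preferred_value=200),    # node 13
    Node("permit"),                                    # node 20: everything else
]
# route-policy core-import: import from peer group devCore (other SPE devices)
CORE_IMPORT = [
    Node("deny", ["site12"]),                          # node 5: Site1, behind SPE1 itself
    Node("deny", ["site13"]),                          # node 6: Site3, behind SPE1 itself
    Node("permit"),                                    # node 10
]

# Communities Site1_UPE1 attaches via p_iBGP_host_ex: apply community 100:100 5720:5720 12:12
SITE1_TAGS = {"100:100", "5720:5720", "12:12"}
# Assumed Site2 tag set (Site2's export policy is not on the page; the figure shows 23:23).
SITE2_TAGS = {"200:200", "5720:5720", "23:23"}

def from_upe(r: Route) -> Optional[Route]:
    """What Core_SPE1 keeps from a route learned from a UPE (devHost)."""
    return apply_policy(P_IBGP_RR_IN, r)

def from_spe(r: Route) -> Optional[Route]:
    """What Core_SPE1 keeps from a route reflected by another SPE (devCore)."""
    return apply_policy(CORE_IMPORT, r)

if __name__ == "__main__":
    subnet = Route("172.18.200.64/26", SITE1_TAGS)     # CE1 segment, Table 9-31
    host = Route("172.18.200.68/32", SITE1_TAGS)       # ARP Vlink direct route of CE1
    print("Site1 /26 from UPE1:", from_upe(subnet))    # kept, preferred_value 300
    print("Site1 /32 from UPE1:", from_upe(host))      # None: node 5 filters host routes
    print("Site1 /26 from SPE2:", from_spe(subnet))    # None: core-import blocks 12:12
    print("Site2 /26 from SPE2:", from_spe(Route("172.18.150.0/26", SITE2_TAGS)))
```

Two details are worth noting. Node 5 of p_iBGP_RR_in only drops a /32 when it also carries 5720:5720, so a host route without the all_site community falls through to the site nodes; the AND across if-match clauses is what the model reproduces. And the core-import filter works only because every UPE stamps its routes with the SPE-pair community (12:12, 13:13, 23:23), so a UPE whose export policy omits that tag would reintroduce the reflected-route loop the roadmap warns about.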

Verifying the Deployment


● Run the display bgp vpnv4 all peer command to check the BGP VPNv4 peer
relationship.
The following uses the command output of Core_SPE1 as an example. If the
State field displays Established, BGP peer relationships have been established
successfully.
[Core_SPE1]display bgp vpnv4 all peer

BGP local router ID : 172.16.0.5
Local AS number : 65000
Total number of peers : 4 Peers in established state : 4

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
172.16.2.51 4 65000 2102 1859 0 20:55:17 Established 550
172.16.2.86 4 65000 3673 2989 0 0026h03m Established 550
172.16.0.3 4 65000 1659 1462 0 20:57:05 Established 200
172.16.0.4 4 65000 3421 2494 0 0026h03m Established 200

9.3.6.4 Configuring L3VPN

Context
VPN instances need to be configured to advertise VPNv4 routes and forward data
to achieve communication over an L3VPN.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 5:1 //Configure an RD.
tnl-policy TSel //Configure a TE tunnel for the VPN instance.
vpn-target 0:1 export-extcommunity //Configure the extended community attribute VPN target.
vpn-target 0:1 import-extcommunity
#
bgp 65000
#
ipv4-family vpnv4
nexthop recursive-lookup delay 10 //Set the delay in responding to next-hop changes to 10s.
route-select delay 120 //Set the route selection delay to 120s to prevent traffic interruptions caused by fast route switchback.
#
ipv4-family vpn-instance vpna
default-route imported //Import default routes to the VPN instance vpna.
nexthop recursive-lookup route-policy delay_policy //Configure BGP next-hop recursion based on the routing policy delay_policy.
nexthop recursive-lookup delay 10
route-select delay 120
#
route-policy delay_policy permit node 0 //Permit routes of all sites.
if-match community-filter all_site
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to that of Site1_UPE1.
arp vlink-direct-route advertise //Configure Site1_UPE1 to advertise IPv4 ARP Vlink direct routes.
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna //Bind the VPN instance vpna to the specific service interface.
arp direct-route enable //Configure the ARP module to report ARP Vlink direct routes to the RM module.
ip address 172.18.200.66 255.255.255.192
arp broadcast enable //Enable ARP broadcast on a VLAN tag termination sub-interface.
#
bgp 65000
#
ipv4-family vpnv4
route-select delay 120
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex //Import direct routes to the VPN instance vpna and add the community attribute.
route-select delay 120
#
#
route-policy p_iBGP_RR_ex permit node 0 //Add the community attribute to routes.
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640 //Set the aging time of dynamic ARP entries.
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200 //Configure a static ARP entry.
#

Since V200R010C00, dynamic ARP is supported to meet reliability requirements in this scenario. Perform the following operations to implement dynamic ARP:
● Run the arp learning passive enable command in the system view to enable passive ARP.
● Run the arp auto-scan enable command in the sub-interface view to enable ARP automatic scanning on the sub-interface.
After the preceding configuration is complete, you do not need to configure the aging time of dynamic ARP entries or configure static ARP entries.

----End
9.3.6.5 Configuring Reliability Protection

Deployment Roadmap
The deployment roadmap is as follows:

1. Deploy VRRP on two UPE devices at a site to ensure reliability for uplink
traffic of CE devices. The following uses Site1 as an example, as shown in
Figure 9-23:
– Configure Site1_UPE1 as the master device and Site1_UPE2 as the backup
device in a VRRP group. If Site1_UPE1 fails, the uplink traffic of CE1 can
be rapidly switched to Site1_UPE2.
– Configure BFD for VRRP so that BFD can quickly detect faults and instruct
the VRRP backup device to become the new master device. In addition,
hardware directly sends gratuitous ARP packets, to instruct access devices
to forward traffic to the new master device.
– Configure backup devices to forward service traffic. A device in the
backup state can forward service traffic as long as it receives service
traffic. This prevents service traffic loss and shortens the service
interruption time if an aggregation device is faulty.

If the number of VRRP groups exceeds the default maximum value, run the set vrrp
max-group-number max-group-number command on a UPE device to set the
maximum number of supported VRRP groups.

Figure 9-23 VRRP between two UPE devices
[Figure: CE1 (vpna) connects to Site1_UPE1 (Master) and Site1_UPE2 (Backup). VRRP tracks a BFD session between the two UPE devices, and the backup device is configured to forward service traffic upstream.]

2. Deploy VPN FRR on a UPE device. If the TE tunnel between the UPE device
and an SPE device is faulty, traffic is automatically switched to the TE tunnel
between the UPE device and another SPE device at the same site. The
following uses Site1_UPE1 as an example, as shown in Figure 9-24.
Site1_UPE1 has two TE tunnels to Core_SPE1 and Core_SPE2 respectively.
Deploying VPN FRR on Site1_UPE1 ensures that traffic is rapidly switched to
Core_SPE2 if Core_SPE1 is faulty.
Figure 9-24 VPN FRR from an aggregation device to a core device
[Figure: Site1_UPE1 runs VPN FRR toward the core: primary path over L3VPN to Core_SPE1, backup path over L3VPN to Core_SPE2. CE1 (vpna) is downstream of Site1_UPE1 and Site1_UPE2; the SPE devices lead upstream.]

3. Deploy VPN FRR on an SPE device. If the SPE device is faulty, VPN services are
switched to another SPE device, implementing a fast E2E switchover of VPN
services. The following uses Core_SPE1 as an example, as shown in Figure
9-25.
Core_SPE1 has two LSPs to Core_SPE2 and Core_SPE3 respectively. Configuring
VPN FRR on Core_SPE1 ensures that traffic is rapidly switched to Core_SPE3 if
Core_SPE2 is faulty.

Figure 9-25 VPN FRR between core devices
[Figure: Core_SPE1 runs VPN FRR between core devices: primary path over L3VPN to Core_SPE2, backup path over L3VPN to Core_SPE3, toward the downstream site.]

4. Deploy VPN FRR on an SPE device. If the TE tunnel between the SPE device and a UPE device is faulty, traffic is automatically switched to the TE tunnel between the SPE device and another UPE device at the same site. The following uses Core_SPE2 as an example, as shown in Figure 9-26:
Core_SPE2 has two TE tunnels to Site2_UPE3 and Site2_UPE4 respectively. Deploying VPN FRR on Core_SPE2 ensures that traffic is rapidly switched to Site2_UPE4 if Site2_UPE3 is faulty.

Figure 9-26 VPN FRR from a core device to an aggregation device
[Figure: Core_SPE2 runs VPN FRR toward the aggregation layer: primary path over L3VPN to Site2_UPE3, backup path over L3VPN to Site2_UPE4; Core_SPE3 is alongside. CE2 (vpna) is downstream of the two UPE devices.]

5. Deploy IP + VPN hybrid FRR on UPE devices. If the interface of a UPE device
detects a fault on the link between the UPE device and its connected CE
device, the UPE device quickly switches traffic to its remote UPE device, which
then forwards the traffic to the CE device. The following uses Site2 as an
example, as shown in Figure 9-27:
If the link from Site2_UPE3 to CE2 is faulty, traffic is forwarded to Site2_UPE4
through an LSP and then to CE2 using a private IP address, improving
network reliability.

Figure 9-27 Deployment of IP + VPN hybrid FRR on UPE devices
[Figure: Site2_UPE3 runs IP+VPN hybrid FRR: primary path directly to CE2 (vpna), backup path over the MPLS LDP LSP to Site2_UPE4, which forwards the traffic downstream to CE2.]
6. Deploy VPN GR on all UPE devices and SPE devices to ensure uninterrupted
VPN traffic forwarding during an active/standby switchover on the device that
is transmitting VPN services.

Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an example. The configurations of Core_SPE2 and Core_SPE3 are similar to that of Core_SPE1.
bgp 65000
graceful-restart //Enable BGP GR.
#
ipv4-family vpnv4
auto-frr //Enable VPNv4 FRR.
bestroute nexthop-resolved tunnel //Configure the system to select a VPNv4 route only when the next hop recurses to a tunnel, preventing packet loss during traffic switchback.
#
ipv4-family vpn-instance vpna
auto-frr //Enable VPN auto FRR.
vpn-route cross multipath //Add multiple VPNv4 routes to a VPN instance with a different RD value from these routes' RD values to make VPN FRR take effect.
#

● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to that of Site1_UPE1.
ip vpn-instance vpna
ipv4-family
ip frr route-policy mixfrr //Enable IP FRR.
#
interface XGigabitEthernet1/0/4.200
vrrp vrid 1 virtual-ip 172.18.200.65 //Configure VRRP.
vrrp vrid 1 preempt-mode timer delay 250 //Set the preemption delay of devices in a VRRP group.
vrrp vrid 1 track bfd-session 2200 peer //Enable BFD for VRRP to implement master/backup switchovers.
vrrp vrid 1 backup-forward //Enable the backup device to forward service traffic.
vrrp track bfd gratuitous-arp send enable //Enable BFD for VRRP to quickly send gratuitous ARP packets during master/backup switchovers.
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66 //Configure static BFD for VRRP.
discriminator local 2200 //Specify the local discriminator. The local discriminator of the local end must be the same as the remote discriminator of the remote end.
discriminator remote 1200 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
commit //Commit the BFD session configuration.
#
bgp 65000
graceful-restart
#
ipv4-family vpn-instance vpna
auto-frr
#
#
route-policy mixfrr permit node 0 //Set the backup next-hop address to the IP address of loopback 1 on another UPE device at the same site.
apply backup-nexthop 172.16.2.50
#

----End
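Static BFD only comes up when the discriminators are crossed correctly between the two ends, as the comment on discriminator local above states. The following Python script is an added example, not part of the Huawei document: it parses the bfd ... bind blocks out of several device configurations and reports every session that has no mirror-image partner. The Core_SPE sessions are copied from the configuration files in 9.3.7 and the Site1_UPE1 session from the step above; the Site1_UPE2 snippet is constructed, with a deliberately wrong remote discriminator.

```python
import re

# Constructed sample: the BFD sessions from the Core_SPE1/2/3 configuration files,
# Site1_UPE1's VRRP session as shown above, and a constructed Site1_UPE2 whose
# remote discriminator is deliberately wrong (2201 instead of 2200).
CONFIGS = {
    "Core_SPE1": """
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4
 discriminator local 317
 discriminator remote 137
 detect-multiplier 8
 commit
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
 discriminator local 32
 discriminator remote 23
#
""",
    "Core_SPE2": """
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
 discriminator local 137
 discriminator remote 317
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
 discriminator local 127
 discriminator remote 217
#
""",
    "Core_SPE3": """
bfd SPE3toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.2 interface Eth-Trunk5
 discriminator local 23
 discriminator remote 32
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
 discriminator local 217
 discriminator remote 127
#
""",
    "Site1_UPE1": """
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
 discriminator local 2200
 discriminator remote 1200
#
""",
    "Site1_UPE2": """
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
 discriminator local 1200
 discriminator remote 2201
#
""",
}

BFD_HEAD = re.compile(r"^bfd\s+(\S+)\s+bind\b")   # the bare 'bfd' line that enables BFD does not match
DISCR = re.compile(r"^\s*discriminator\s+(local|remote)\s+(\d+)\s*$")


def parse_bfd_sessions(config):
    """Return {session_name: {'local': n, 'remote': n}} from one device's configuration;
    a '#' line closes the current bfd block, other lines inside the block are ignored."""
    sessions, name = {}, None
    for line in config.splitlines():
        head = BFD_HEAD.match(line)
        if head:
            name = head.group(1)
            sessions[name] = {}
        elif line.strip() == "#":
            name = None
        elif name is not None:
            m = DISCR.match(line)
            if m:
                sessions[name][m.group(1)] = int(m.group(2))
    return sessions


def check_bfd_pairs(configs):
    """Apply the rule from the UPE step: the local discriminator of one end must equal the
    remote discriminator of the other. Maps (device, session) to the (device, session) on
    another device whose discriminators are the mirror image, or None when no such
    session exists (one missing or mistyped value breaks the pair)."""
    by_pair = {}
    for device, cfg in configs.items():
        for name, d in parse_bfd_sessions(cfg).items():
            if "local" in d and "remote" in d:
                by_pair.setdefault((d["local"], d["remote"]), []).append((device, name))
    result = {}
    for (local, remote), owners in by_pair.items():
        for owner in owners:
            peers = [p for p in by_pair.get((remote, local), []) if p[0] != owner[0]]
            result[owner] = peers[0] if len(peers) == 1 else None
    return result


def unpaired_sessions(configs):
    """Sorted list of (device, session) entries whose peer session could not be found."""
    return sorted(k for k, v in check_bfd_pairs(configs).items() if v is None)
```

Run unpaired_sessions(CONFIGS) after collecting the running configurations; any entry it returns is a session that will never leave the Down state.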

Verifying the Deployment


● Run the display ip routing-table vpn-instance command on SPE devices to
check the VPN FRR status from SPE devices to UPE devices.
The following uses the command output of Core_SPE2 as an example. The
fields in boldface indicate the backup next hop, backup label, and backup
tunnel ID. The command output shows that the VPN FRR entry from
Core_SPE2 to a UPE device has been generated.
[Core_SPE2]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 1

Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd
● Run the display ip routing-table vpn-instance command on UPE devices to
check the hybrid FRR status.
The following uses the command output of Site2_UPE3 as an example. The
fields in boldface indicate the backup next hop, backup label, and backup
tunnel ID. The command output shows that a hybrid FRR entry has been
generated: the master hybrid FRR route points to the local sub-interface, and
the backup route points to the UPE device with the IP address 172.16.2.76 at
the same site.
[Site2_UPE3]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 2

Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Tag: 0 Priority: low
Label: 1024 QoSInfo: 0x0
IndirectID: 0xcd
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
● Run the display vrrp interface command to check the VRRP status.
The following uses the command output of Site2_UPE3 as an example. The
fields in boldface indicate that the VRRP status of Site2_UPE3 is Master, the
backup device has been configured to forward service traffic, and BFD for
VRRP has been configured.
[Site2_UPE3]display vrrp interface XGigabitEthernet0/0/2.150
XGigabitEthernet0/0/2.150 | Virtual Router 1
State : Master
Virtual IP : 172.18.150.1
Master IP : 172.18.150.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 250 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : enabled
Track BFD : 1150 type: peer
BFD-session state : UP
Create time : 2016-05-21 11:02:27
Last change time : 2016-05-21 11:02:55
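Because the boldface that marks the backup fields is lost in plain text, the routing-table check above is easier to automate than to eyeball. The following Python script is an added example, not part of the Huawei document: it parses the verbose routing-table output into per-entry fields and lists active routes that have no backup next hop, using the Core_SPE2 and Site2_UPE3 outputs above as constructed samples. It assumes that an unprotected entry either omits BkNextHop or shows 0.0.0.0.

```python
import re

# Constructed samples: the Core_SPE2 and Site2_UPE3 outputs quoted above, table
# header trimmed. The page lost its boldface, so the Bk* fields are located by name.
SPE2_OUTPUT = """
Summary Count : 1

Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd
"""

UPE3_OUTPUT = """
Summary Count : 2

Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Tag: 0 Priority: low
Label: 1024 QoSInfo: 0x0
IndirectID: 0xcd
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
"""

# Field names of the verbose output on this page; splitting on the exact keys keeps
# multi-word values such as 'Active Adv Relied' intact.
KEYS = ("Destination", "Protocol", "Process ID", "Preference", "Cost", "NextHop",
        "Neighbour", "State", "Age", "Tag", "Priority", "Label", "QoSInfo", "IndirectID",
        "RelayNextHop", "Interface", "TunnelID", "Flags", "BkNextHop", "BkInterface",
        "BkLabel", "SecTunnelID", "BkPETunnelID", "BkPESecTunnelID", "BkIndirectID")
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r"):\s*")


def parse_verbose_routes(output):
    """One dict per route entry; header lines before the first 'Destination:' are skipped."""
    entries, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination:"):
            current = {}
            entries.append(current)
        if current is None or not line:
            continue
        parts = KEY_RE.split(line)  # ['', key1, value1, key2, value2, ...]
        for key, value in zip(parts[1::2], parts[2::2]):
            current[key] = value.strip()
    return entries


def frr_summary(output):
    """Per entry: destination, protocol, whether it is the active route, and the
    backup (BkNextHop, BkInterface, BkLabel) if one is installed. Assumption: an
    unprotected entry either lacks BkNextHop or shows 0.0.0.0."""
    rows = []
    for e in parse_verbose_routes(output):
        bk = e.get("BkNextHop")
        backup = None if bk in (None, "0.0.0.0") else (bk, e.get("BkInterface"), e.get("BkLabel"))
        rows.append({"destination": e["Destination"], "protocol": e.get("Protocol"),
                     "active": e.get("State", "").startswith("Active"), "backup": backup})
    return rows


def unprotected_active(output):
    """Destinations whose active route has no backup path: empty once VPN FRR (SPE)
    or hybrid FRR (UPE) has converged. The Inactive IBGP entry on the UPE is the
    backup itself, so it is not counted."""
    return [r["destination"] for r in frr_summary(output)
            if r["active"] and r["backup"] is None]
```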

9.3.7 Configuration Files

9.3.7.1 Core_SPE1 configuration file


sysname Core_SPE1
#
router id 172.16.0.5
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 5:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.5
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 20
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
interface Tunnel611
description Core_SPE1 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site13
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4
discriminator local 317
discriminator remote 137
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6116
discriminator remote 6115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.2 Core_SPE2 configuration file


sysname Core_SPE2
#
router id 172.16.0.3
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 3:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.3
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE2 to Core_SPE3
ip address 172.17.4.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk4
undo portswitch
description Core_SPE2 to Core_SPE1
ip address 172.17.4.9 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE2 to Site1_UPE2
ip address 172.17.4.12 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet3/0/4
eth-trunk 2
#
interface XGigabitEthernet3/0/5
eth-trunk 2
#
interface XGigabitEthernet3/0/6
eth-trunk 2
#
interface XGigabitEthernet3/0/7
eth-trunk 2
#
interface XGigabitEthernet5/0/0
eth-trunk 17
#
interface XGigabitEthernet5/0/1
eth-trunk 17
#
interface XGigabitEthernet5/0/2
eth-trunk 17
#
interface XGigabitEthernet5/0/3
eth-trunk 17
#
interface XGigabitEthernet5/0/5
undo portswitch
description Core_SPE2 to Site2_UPE3
ip address 172.16.8.178 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/4
eth-trunk 4
#
interface XGigabitEthernet6/0/5
eth-trunk 4
#
interface XGigabitEthernet6/0/6
eth-trunk 4
#
interface XGigabitEthernet6/0/7
eth-trunk 4
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.3 255.255.255.255
#
interface Tunnel111
description Core_SPE2 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel121
description Core_SPE2 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Core_SPE2 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel621
description Core_SPE2 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet5/0/5
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#8|'*QyJCZ<@"H2,\pm@FUK3R3uSfFGaaJr39=1%^%#
network 172.16.0.3 0.0.0.0
network 172.16.8.178 0.0.0.0
network 172.17.4.0 0.0.0.0
network 172.17.4.9 0.0.0.0
network 172.17.4.12 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.4 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic site12 permit 12:12
ip community-filter basic site23 permit 23:23
ip community-filter basic all_site permit 5720:5720
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
discriminator local 137
discriminator remote 317
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
discriminator local 127
discriminator remote 217
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6126
discriminator remote 6125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6122
discriminator remote 6121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6216
discriminator remote 6215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6212
discriminator remote 6211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1116
discriminator remote 1115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1112
discriminator remote 1111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1216
discriminator remote 1215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1212
discriminator remote 1211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.3 Core_SPE3 configuration file


sysname Core_SPE3
#
router id 172.16.0.4
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 4:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.4
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE3 to Core_SPE2
ip address 172.17.4.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE3 to Core_SPE1
ip address 172.17.4.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet2/0/4
eth-trunk 2
#
interface XGigabitEthernet2/0/5
eth-trunk 2
#
interface XGigabitEthernet2/0/6
eth-trunk 2
#
interface XGigabitEthernet2/0/7
eth-trunk 2
#
interface XGigabitEthernet6/0/1
undo portswitch
description Core_SPE3 to Site3_UPE5
ip address 172.16.8.213 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 10
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/3
undo portswitch
description Core_SPE3 to Site2_UPE4
ip address 172.16.8.183 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.4 255.255.255.255
#
interface Tunnel112
description Core_SPE3 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 112
mpls te bfd enable
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Core_SPE3 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Core_SPE3 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Core_SPE3 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk2
undo silent-interface XGigabitEthernet6/0/1
undo silent-interface XGigabitEthernet6/0/3
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#N@WU@i600:_5W!%F!L~9%7ui(!x:VP5<mJ:z>zJX%^%#
network 172.16.0.4 0.0.0.0
network 172.16.8.183 0.0.0.0
network 172.16.8.213 0.0.0.0
network 172.17.4.1 0.0.0.0
network 172.17.4.3 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site13
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site13 permit 13:13
ip community-filter basic site23 permit 23:23
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE3toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.2 interface Eth-Trunk5
discriminator local 23
discriminator remote 32
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
discriminator local 217
discriminator remote 127
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1126
discriminator remote 1125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1122
discriminator remote 1121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1226
discriminator remote 1225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1222
discriminator remote 1221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7226
discriminator remote 7225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7222
discriminator remote 7221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7126
discriminator remote 7125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7122
discriminator remote 7121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
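The inbound policy p_iBGP_RR_in on Core_SPE3 above combines a host-route prefix list with a community filter in its deny node and then ranks routes by site community. The following Python script is an added example, not part of the Huawei document: it parses the route-policy, ip ip-prefix and ip community-filter lines in the format shown above and replays VRP route-policy semantics against constructed routes. The basic community-filter rule it implements (an entry matches when the route carries every community listed in it) and the prefix-list range defaults are stated as assumptions in the code; the SPE3_POLICY constant is a constructed excerpt.

```python
"""Replay of the Core_SPE3 inbound policy p_iBGP_RR_in against sample routes.
Added example, not part of the original Huawei document: it parses route-policy,
ip ip-prefix and ip community-filter lines in the format shown above and applies
VRP node semantics (nodes in ascending order, every if-match clause of a node
must match, the first matching node decides, no match means deny)."""
import re
from ipaddress import IPv4Network, ip_network
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed excerpt of the policy lines from the Core_SPE3 file above.
SPE3_POLICY = """\
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 20
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
"""

Node = Dict[str, Any]

def parse(config: str):
    """Return (policies, prefix_lists, community_filters) parsed from VRP text."""
    policies: Dict[str, List[Tuple[int, Node]]] = {}
    prefixes: Dict[str, List[Tuple[IPv4Network, int, int]]] = {}
    filters: Dict[str, List[Tuple[str, Set[str]]]] = {}
    node: Optional[Node] = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"route-policy (\S+) (permit|deny) node (\d+)$", line)):
            node = {"action": m.group(2), "match": [], "apply": []}
            policies.setdefault(m.group(1), []).append((int(m.group(3)), node))
        elif node is not None and line.startswith(("if-match ", "apply ")):
            node["match" if line.startswith("if-match") else "apply"].append(line.split()[1:])
        elif (p := re.match(r"ip ip-prefix (\S+) index \d+ permit (\S+) (\d+)"
                            r"(?: greater-equal (\d+))?(?: less-equal (\d+))?$", line)):
            # Assumption: only permit entries are modelled (all the page uses), and an
            # entry without greater-equal/less-equal matches that mask length exactly.
            net = ip_network(f"{p.group(2)}/{p.group(3)}")
            ge = int(p.group(4)) if p.group(4) else net.prefixlen
            le = int(p.group(5)) if p.group(5) else (32 if p.group(4) else net.prefixlen)
            prefixes.setdefault(p.group(1), []).append((net, ge, le))
        elif (c := re.match(r"ip community-filter basic (\S+) (permit|deny) (.+)$", line)):
            filters.setdefault(c.group(1), []).append((c.group(2), set(c.group(3).split())))
    for nodes in policies.values():
        nodes.sort(key=lambda n: n[0])
    return policies, prefixes, filters

def _prefix_hit(entries, route: IPv4Network) -> bool:
    return any(route.network_address in net and ge <= route.prefixlen <= le
               for net, ge, le in entries)

def _community_hit(entries, comms: Set[str]) -> bool:
    # Assumption: a basic community-filter entry matches when the route carries
    # every community listed in it; the first matching entry decides permit/deny.
    for action, wanted in entries:
        if wanted <= comms:
            return action == "permit"
    return False

def evaluate(config: str, policy: str, prefix: str, communities) -> Tuple[str, Optional[int], Optional[int]]:
    """(action, matched node, preferred-value) that the policy yields for one route."""
    policies, prefixes, filters = parse(config)
    route, comms = ip_network(prefix), set(communities)
    for seq, node in policies[policy]:
        hit = True
        for clause in node["match"]:
            if clause[0] == "ip-prefix":
                hit = _prefix_hit(prefixes.get(clause[1], []), route)
            elif clause[0] == "community-filter":
                hit = _community_hit(filters.get(clause[1], []), comms)
            else:
                hit = False  # clause types this example does not model never match
            if not hit:
                break
        if hit:
            pref = next((int(a[1]) for a in node["apply"] if a[0] == "preferred-value"), None)
            return node["action"], seq, pref
    return "deny", None, None  # no node matched: VRP denies the route
```

Running evaluate() over a few routes shows the point of node 5: a /32 that carries both the all_site community 5720:5720 and a site community is dropped, but a /32 that carries only a site community sails through to node 13 because both if-match clauses of a node must match. A route with no site community reaches node 20 and is accepted without a preferred-value.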

9.3.7.4 Site1_UPE1 configuration file


sysname Site1_UPE1
#
router id 172.16.2.51
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.51
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE1 TO Site1_UPE2
ip address 172.17.4.14 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE1 to Core_SPE1
ip address 172.17.4.11 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
#
interface XGigabitEthernet1/0/0
eth-trunk 17
#
interface XGigabitEthernet1/0/1
eth-trunk 17
#
interface XGigabitEthernet1/0/2
eth-trunk 17
#
interface XGigabitEthernet1/0/3
eth-trunk 17
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.66 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet4/0/4
eth-trunk 7
#
interface XGigabitEthernet4/0/5
eth-trunk 7
#
interface XGigabitEthernet4/0/6
eth-trunk 7
#
interface XGigabitEthernet4/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.51 255.255.255.255
#
interface Tunnel611
description Site1_UPE1 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
discriminator local 2200
discriminator remote 1200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.50
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6115
discriminator remote 6116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.5 Site1_UPE2 configuration file


sysname Site1_UPE2
#
router id 172.16.2.50
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.50
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE2 to Site1_UPE1
ip address 172.17.4.15 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE2 to Core_SPE2
ip address 172.17.4.13 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
#
interface XGigabitEthernet1/0/4
port link-type trunk
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.67 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
eth-trunk 7
#
interface XGigabitEthernet6/0/5
eth-trunk 7
#
interface XGigabitEthernet6/0/6
eth-trunk 7
#
interface XGigabitEthernet6/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.50 255.255.255.255
#
interface Tunnel621
description Site1_UPE2 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Site1_UPE2 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
discriminator local 1200
discriminator remote 2200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#GUPhWw-[LH2O6#NMxtJAl!Io8W~iF'![mQF[\9GI%^%#
network 172.16.2.50 0.0.0.0
network 172.16.2.92 0.0.0.0
network 172.17.4.13 0.0.0.0
network 172.17.4.15 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.51
#
route-policy p_iBGP_host_ex permit node 0
apply community 200:200 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE2toSPE1_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6225
discriminator remote 6226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE1_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6221
discriminator remote 6222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6215
discriminator remote 6216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6211
discriminator remote 6212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.6 Site2_UPE3 configuration file


sysname Site2_UPE3
#
router id 172.16.2.75
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.75
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE3 to Core_SPE2
ip address 172.16.8.179 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE3 to Site2_UPE4
ip address 172.16.8.180 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.75 255.255.255.255
#
interface Tunnel111
description Site2_UPE3 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel112
description Site2_UPE3 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 112
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.3 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.2
discriminator local 2150
discriminator remote 1150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#zJm-P{(FiMrB0bLa^ST'z[!(UezNNTx\CQ6@N\,K%^%#
network 172.16.2.75 0.0.0.0
network 172.16.8.179 0.0.0.0
network 172.16.8.180 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.76
#
route-policy p_iBGP_host_ex permit node 10
apply community 200:200 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE3toSPE2_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1115
discriminator remote 1116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE2_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1111
discriminator remote 1112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1125
discriminator remote 1126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1121
discriminator remote 1122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.7 Site2_UPE4 configuration file


sysname Site2_UPE4
#
router id 172.16.2.76
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.76
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE4 to Core_SPE3
ip address 172.16.8.182 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE4 to Site2_UPE3
ip address 172.16.8.181 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.76 255.255.255.255
#
interface Tunnel121
description Site2_UPE4 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Site2_UPE4 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.2 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.3
discriminator local 1150
discriminator remote 2150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.75 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#"sZy-UeQ88(kmb#.o"Y8*@/_9D[_<-3ET`+!1no4%^%#
network 172.16.2.76 0.0.0.0
network 172.16.8.181 0.0.0.0
network 172.16.8.182 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.75
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE4toSPE2_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1215
discriminator remote 1216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE2_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1211
discriminator remote 1212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1225
discriminator remote 1226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1221
discriminator remote 1222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.8 Site3_UPE5 configuration file


sysname Site3_UPE5
#
router id 172.16.2.87
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.87
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE5 to Site3_UPE6
ip address 172.17.10.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE5 to Core_SPE3
ip address 172.16.8.212 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.87 255.255.255.255
#
interface Tunnel721
description Site3_UPE5 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Site3_UPE5 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-2000 bind peer-ip 172.18.100.3 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.2 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.86 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#^tB:@vm8r%4Z0),RRem7dU.A3.}(a&*/IhJ70>y9%#%#
network 172.16.2.87 0.0.0.0
network 172.16.8.212 0.0.0.0
network 172.17.10.0 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.86
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE5toSPE1_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7215
discriminator remote 7216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE1_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7211
discriminator remote 7212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7225
discriminator remote 7226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7221
discriminator remote 7222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.3.7.9 Site3_UPE6 configuration file


sysname Site3_UPE6
#
router id 172.16.2.86
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.86
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE6 to Site3_UPE5
ip address 172.17.10.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE6 to Core_SPE1
ip address 172.17.10.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.86 255.255.255.255
#
interface Tunnel711
description Site3_UPE6 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Site3_UPE6 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.100.2 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.3 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#<3.TS63Ml*_Gn]2$}@O/G8llX)VNvDY\kT;4E9-A%#%#
network 172.16.2.86 0.0.0.0
network 172.17.10.1 0.0.0.0
network 172.17.10.3 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.87
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE6toSPE1_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7115
discriminator remote 7116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE1_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7111
discriminator remote 7112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7125
discriminator remote 7126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7121
discriminator remote 7122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

9.4 ISP Network Deployment for Internet Access of Home Users and Enterprise Users

9.4.1 Application Scenario and Service Requirements


Application Scenario
This example applies to small-scale access scenarios where home users and
enterprise users require Internet access in residential buildings and enterprise
office buildings respectively. This deployment solution can be replicated at
multiple sites.

Service Requirements
Residential buildings and office buildings are the places where people live and
work, and have the following characteristics:
● Users are densely distributed, and the required egress bandwidth is increasing.
● Users of various types may have different bandwidth requirements and
consumption levels.
● There are diverse service types and access modes.
● There are a large number of routes.
● The bandwidth usage is subject to user activities. Network congestion may
occur during peak hours.
The following lists the specific network requirements:
● Access requirements
Provide wired access for IPv4/IPv6 dual-stack services.
Provide differentiated multi-GE access, such as 10 Gbit/s and 1 Gbit/s, for
different types of users.
Reuse existing third-party access switches at some sites.
● Refined bandwidth requirements
Provide customized bandwidths for different users based on their payment
levels.
Guarantee the bandwidth of VIP users upon network congestion.
● Route control requirements
Flexibly control route forwarding and reduce the number of routes on devices,
mitigating the pressure on device performance.
● Reliability requirements
Provide device-level, card-level, and link-level reliability.
● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Control user access to ensure network security.

9.4.2 Solution Design


Networking Diagram
Figure 9-28 shows the networking diagram for Internet access of home users and
enterprise users in a project.

Figure 9-28 Networking diagram for Internet access of home users and enterprise
users

[Figure 9-28 (diagram not reproduced). Devices shown: an RR on the ISP backbone network; egress gateways S6730-H-1 and S6730-H-2 (Eth-Trunk 1 between them, Eth-Trunk 2 to the ISP backbone, Eth-Trunk 3 to the aggregation switches, Eth-Trunk 4 to S5731-H-5); aggregation switches S6730-H-3 and S6730-H-4 (Eth-Trunk 2 upstream, XGE0/0/1 downstream); aggregation switch stack S5731-H-5 (Eth-Trunk 101 and Eth-Trunk 102 upstream, Eth-Trunk 1 to a third-party access switch); access switch S5735-L-6 (XGE0/0/47 and XGE0/0/48 upstream, XGE0/0/1 and XGE0/0/2 to home users and enterprise users).]

Network Design Analysis


● Access requirements
The Internet service provider (ISP) backbone network uses S series switches to
provide Internet access services for home users and enterprise users.
On the network, the third-party access switch is retained and connected to a
stack of aggregation switches, that is, S5731-H-5. A VLAN stacking sub-
interface is configured on the interface of S5731-H-5 connected to the third-
party access switch and is bound to a Virtual Switch Instance (VSI) for
connecting to the virtual private LAN service (VPLS) network, so that S5731-
H-5 adds the same outer VLAN tag to the service packets in different VLANs
sent from the third-party access switch. This configuration saves VLAN IDs on
the public network. S5731-H-5 is configured with Martini VPLS and uses the
Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) as
the signaling protocol.
On the new network to be built, S6730-H switches are deployed at the
aggregation layer to reduce the number of egress gateway interfaces, and the
access switch S5735-L-6 is deployed as the user gateway at the access layer to
provide 10GE interfaces for Internet access.
S6730-H switches function as egress gateways and are connected to the ISP
backbone network.
IPv4/IPv6 dual-stack is enabled on the entire network. The Border Gateway
Protocol (BGP) and BGP for IPv6 (BGP4+) are configured to advertise routes,
while Open Shortest Path First version 2 (OSPFv2) and OSPFv3 are configured
to calculate and select routes.
● Refined bandwidth requirements
The access switch S5735-L-6 is configured with traffic policing to provide
different access bandwidths for users of different payment levels.
● Route control requirements
The downstream area of the egress gateways is configured as an OSPF stub
area to reduce the number of routes in the area.
The access switch S5735-L-6 selects routes through OSPF and establishes a
BGP peer relationship with the remote route reflector (RR) to advertise and
receive routes. S5735-L-6 forwards traffic to upstream devices through the
default routes generated in the OSPF stub area and to downstream devices
through direct routes and static routes.
The egress gateways S6730-H establish Internal Border Gateway Protocol
(IBGP) peer relationships with the remote RR to receive and advertise routes,
and establish OSPFv2 and OSPFv3 neighbor relationships with the access
switch S5735-L-6 to exchange routing information. The egress gateways
forward traffic to upstream devices through default routes and OSPF routes
and to downstream devices through BGP routes.
S5731-H-5 imports static routes and direct routes to the BGP routing table
and advertises them to the RR on the ISP backbone network. Routing policies
are configured to flexibly control route import and filter out unwanted routes.
● Reliability requirements
S5731-H switches set up a stack to ensure device-level reliability. The switches
are configured with multi-active detection (MAD) to detect multi-master
conflicts if the stack splits. An inter-card downlink Eth-Trunk is configured
between S5731-H-5 and the downstream third-party access switch to ensure
link-level reliability.
The access switch S5735-L-6 connects to aggregation switches through dual
uplinks and uses active/standby OSPF routes to ensure device-level and link-
level reliability. Bidirectional Forwarding Detection (BFD) for OSPF is
configured on the switch to accelerate convergence of OSPF routes. OSPF
Graceful Restart (GR) is also configured to ensure proper data forwarding
when OSPF restarts.
● Security requirements
Message-digest algorithm 5 (MD5) authentication is enabled on OSPFv2-
enabled interfaces and Internet Protocol Security (IPSec) is enabled in the
OSPFv3 process.
MD5 authentication is performed for TCP connections over which BGP
sessions are established. This improves the security of BGP peer connections.
MD5 authentication is performed for TCP connections over which LDP
sessions are established. This improves the security of LDP session
connections.
IBGP peer relationships are established through loopback interfaces and
password authentication is enabled.

Device Requirements and Versions


Table 9-34 lists the products and their software versions used in this example.

Table 9-34 Products and their software versions

Product | Software Version
S6730-H | V200R019C10SPC500 + latest patch
S5731-H | V200R019C10SPC500 + latest patch
S5735-L | V200R019C10SPC500 + latest patch

9.4.3 Deployment Roadmap and Data Plan

Deployment Roadmap
The configuration roadmap is as follows:

1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. Configure S5731-H aggregation switches to set up a stack (S5731-H-5) to
ensure device-level reliability.
3. Configure OSPFv2 and OSPFv3 on the egress gateways S6730-H-1 and S6730-
H-2, the access switch S5735-L-6, as well as the aggregation switch stack
S5731-H-5 to implement Layer 3 communication. Configure BGP so that all
the preceding devices can establish BGP peer relationships with the RR on the
ISP backbone network.
4. Configure Layer 2 transparent transmission in a VLAN on the aggregation
switches S6730-H-3 and S6730-H-4.
5. Enable MD5 authentication on OSPFv2-enabled interfaces, enable IPSec in the
OSPFv3 process, and configure BGP peers to perform MD5 authentication
when setting up TCP connections.
6. Configure the downstream area of the egress gateways as an OSPF stub area
to reduce the size of the routing table in the area.
7. On S5735-L-6 and S5731-H-5, import direct routes and static routes of
downstream devices to the BGP routing table and advertise them to the RR.
Configure a routing policy to filter out unwanted routes.
8. Enable MPLS LDP on the egress gateways and establish local sessions with
MPLS LDP-enabled neighboring devices.
9. Enable MPLS LDP on S5731-H-5, establish local sessions with MPLS LDP-
enabled neighboring devices, and configure remote peer relationships to
establish remote sessions.
10. Configure VPLS on S5731-H-5 for communication with remote peers.
11. Enable MD5 authentication on each device for TCP connections over which
LDP sessions are established.
12. Enable MD5 authentication on each device for TCP connections over which
BGP sessions are established.
13. Configure traffic policing on the access switch S5735-L-6 to provide different
access bandwidths for users of different payment levels.

Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.

Table 9-35 VLAN plan

Device | Data | Description
Egress gateway S6730-H-1 | VLANs 200 and 201 | VLANs to which S6730-H-1 and S6730-H-2 belong
Egress gateway S6730-H-1 | VLAN 2350 | VLAN for connecting to the ISP backbone network
Egress gateway S6730-H-1 | VLAN 210 | VLAN for connecting to the downstream aggregation switch S6730-H-3
Egress gateway S6730-H-1 | VLAN 280 | VLAN for connecting to S5731-H-5
Egress gateway S6730-H-2 | VLANs 200 and 201 | VLANs to which S6730-H-1 and S6730-H-2 belong
Egress gateway S6730-H-2 | VLAN 2355 | VLAN for connecting to the ISP backbone network
Egress gateway S6730-H-2 | VLAN 250 | VLAN for connecting to the downstream aggregation switch S6730-H-4
Egress gateway S6730-H-2 | VLAN 290 | VLAN for connecting to S5731-H-5
Aggregation switch S6730-H-3 | VLAN 210 | VLAN for connecting to the egress gateways and the access switch S5735-L-6
Aggregation switch S6730-H-4 | VLAN 250 | VLAN for connecting to the egress gateways and the access switch S5735-L-6
Aggregation switch stack S5731-H-5 | VLAN 2401 | VLAN for connecting to the upstream egress gateway S6730-H-1
Aggregation switch stack S5731-H-5 | VLAN 2402 | VLAN for connecting to the upstream egress gateway S6730-H-2
Aggregation switch stack S5731-H-5 | VLANs 2601 to 2605 | VLANs for connecting to the downstream third-party access switch
Access gateway S5735-L-6 | VLAN 210 | VLAN for connecting to the upstream aggregation switch S6730-H-3
Access gateway S5735-L-6 | VLAN 250 | VLAN for connecting to the upstream aggregation switch S6730-H-4
Access gateway S5735-L-6 | VLAN 502 | VLAN for connecting to downstream terminals

Table 9-36 Interface and IP address plan


Device | Interface Number | VLAN to Which the Interface Belongs | IP Address | Description
Egress gateway S6730-H-1 | Eth-Trunk 1 | 200 | VLANIF 200: 1.1.1.193/30, 2001:F60::A39/126, FE80:F60::A39 (link-local address) | Interface connected to the egress gateway S6730-H-2
Egress gateway S6730-H-1 | Eth-Trunk 1 | 201 | VLANIF 201: 1.1.1.197/30, 2001:F60::A3D/126, FE80:F60::A3D (link-local address) | Interface connected to the egress gateway S6730-H-2
Egress gateway S6730-H-1 | Eth-Trunk 2 | 2350 | VLANIF 2350: 1.1.1.186/30, 2001:F60::A32/126, FE80:F60::A32 (link-local address) | Interface connected to the ISP backbone network
Egress gateway S6730-H-1 | Eth-Trunk 3 | 210 | VLANIF 210: 1.1.1.209/30, 2001:F60::A41/126, FE80:F60::A41 (link-local address) | Interface connected to the downstream aggregation switch S6730-H-3
Egress gateway S6730-H-1 | Eth-Trunk 4 | 280 | VLANIF 280: 1.1.1.213/30 | Interface connected to S5731-H-5
Egress gateway S6730-H-1 | Loopback 0 | - | 1.1.1.104/32, 2001:F60::66/128 | -
Egress gateway S6730-H-2 | Eth-Trunk 1 | 200 | VLANIF 200: 1.1.1.194/30, 2001:F60::A3A/126, FE80:F60::A3A (link-local address) | Interface connected to the egress gateway S6730-H-1
Egress gateway S6730-H-2 | Eth-Trunk 1 | 201 | VLANIF 201: 1.1.1.198/30, 2001:F60::A3E/126, FE80:F60::A3E (link-local address) | Interface connected to the egress gateway S6730-H-1
Egress gateway S6730-H-2 | Eth-Trunk 2 | 2355 | VLANIF 2355: 1.1.1.190/30, 2001:F60::A36/126, FE80:F60::A36 (link-local address) | Interface connected to the ISP backbone network
Egress gateway S6730-H-2 | Eth-Trunk 3 | 250 | VLANIF 250: 1.1.1.217/30, 2001:F60::A45/126, FE80:F60::A45 (link-local address) | Interface connected to the downstream aggregation switch S6730-H-4
Egress gateway S6730-H-2 | Eth-Trunk 4 | 290 | VLANIF 290: 1.1.1.221/30 | Interface connected to S5731-H-5
Egress gateway S6730-H-2 | Loopback 0 | - | 1.1.1.105/32, 2001:F60::67/128 | -
Aggregation switch S6730-H-3 | Eth-Trunk 2 | 210 | - | Interface connected to the upstream egress gateways
Aggregation switch S6730-H-3 | XGE0/0/1 | 210 | - | Interface connected to the downstream access gateways
Aggregation switch S6730-H-4 | Eth-Trunk 2 | 250 | - | Interface connected to the upstream egress gateways
Aggregation switch S6730-H-4 | XGE0/0/1 | 250 | - | Interface connected to the downstream access gateways
Aggregation switch stack S5731-H-5 | Eth-Trunk 101 | 2401 | VLANIF 2401: 1.1.1.214/30 | Interface connected to the upstream egress gateways
Aggregation switch stack S5731-H-5 | Eth-Trunk 102 | 2402 | VLANIF 2402: 1.1.1.222/30 | Interface connected to the upstream egress gateways
Aggregation switch stack S5731-H-5 | Eth-Trunk 1 | 2601 | VLANIF 2601: 2.2.1.113/28 | Interface connected to the downstream third-party access switch
Aggregation switch stack S5731-H-5 | Eth-Trunk 1 | 2602 | VLANIF 2602: 2.2.2.113/28 | Interface connected to the downstream third-party access switch
Aggregation switch stack S5731-H-5 | Eth-Trunk 1 | 2603 | VLANIF 2603: 2.2.3.117/30 | Interface connected to the downstream third-party access switch
Aggregation switch stack S5731-H-5 | Eth-Trunk 1 | 2604 | VLANIF 2604: 2.2.4.25/30 | Interface connected to the downstream third-party access switch
Aggregation switch stack S5731-H-5 | Eth-Trunk 1 | 2605 | VLANIF 2605: 2.2.5.109/30 | Interface connected to the downstream third-party access switch
Aggregation switch stack S5731-H-5 | Loopback 0 | - | 1.1.1.107/32 | -
Access gateway S5735-L-6 | XGE0/0/1 and XGE0/0/2 | 502 | VLANIF 502: 3.3.3.173/30, 2002:F60::113/64, FE80:F60::113 (link-local address) | Interfaces connected to downstream terminals or other network devices
Access gateway S5735-L-6 | XGE0/0/47 | 210 | VLANIF 210: 1.1.1.210/30, 2001:F60::A42/126, FE80:F60::A42 (link-local address) | Interface connected to the upstream aggregation switch S6730-H-3
Access gateway S5735-L-6 | XGE0/0/48 | 250 | VLANIF 250: 1.1.1.218/30, 2001:F60::A46/126, FE80:F60::A46 (link-local address) | Interface connected to the upstream aggregation switch S6730-H-4
Access gateway S5735-L-6 | Loopback 0 | - | 1.1.1.106/32, 2001:F60::68/128 | -

9.4.4 Deployment Procedure

9.4.4.1 Configuring Egress Gateways (S6730-H)


The following uses S6730-H-1 as an example. The configuration of S6730-H-2 is
similar to that of S6730-H-1.

Step 1 Configure VLANs and interfaces on S6730-H-1.


# Create Eth-Trunks and add them to corresponding VLANs.
<S6730-H-1> system-view
[S6730-H-1] vlan batch 200 to 201 210 280 2350
[S6730-H-1] stp disable
[S6730-H-1] interface Eth-Trunk 1
[S6730-H-1-Eth-Trunk1] mode lacp
[S6730-H-1-Eth-Trunk1] port link-type trunk
[S6730-H-1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S6730-H-1-Eth-Trunk1] port trunk allow-pass vlan 200 to 201
[S6730-H-1-Eth-Trunk1] quit
[S6730-H-1] interface Eth-Trunk 2
[S6730-H-1-Eth-Trunk2] mode lacp
[S6730-H-1-Eth-Trunk2] port link-type trunk
[S6730-H-1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S6730-H-1-Eth-Trunk2] port trunk allow-pass vlan 2350
[S6730-H-1-Eth-Trunk2] quit
[S6730-H-1] interface Eth-Trunk 3
[S6730-H-1-Eth-Trunk3] mode lacp
[S6730-H-1-Eth-Trunk3] port link-type trunk
[S6730-H-1-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S6730-H-1-Eth-Trunk3] port trunk allow-pass vlan 210
[S6730-H-1-Eth-Trunk3] quit
[S6730-H-1] interface Eth-Trunk 4
[S6730-H-1-Eth-Trunk4] mode lacp
[S6730-H-1-Eth-Trunk4] port link-type trunk
[S6730-H-1-Eth-Trunk4] undo port trunk allow-pass vlan 1
[S6730-H-1-Eth-Trunk4] port trunk allow-pass vlan 280
[S6730-H-1-Eth-Trunk4] quit

# Add member interfaces to the Eth-Trunks.


[S6730-H-1] interface 40GE 0/0/1
[S6730-H-1-40GE0/0/1] eth-trunk 1
[S6730-H-1-40GE0/0/1] quit
[S6730-H-1] interface 40GE 0/0/2
[S6730-H-1-40GE0/0/2] eth-trunk 1
[S6730-H-1-40GE0/0/2] quit
[S6730-H-1] interface XGigabitEthernet 0/0/24
[S6730-H-1-XGigabitEthernet0/0/24] eth-trunk 2
[S6730-H-1-XGigabitEthernet0/0/24] quit
[S6730-H-1] interface XGigabitEthernet 0/0/1
[S6730-H-1-XGigabitEthernet0/0/1] eth-trunk 3
[S6730-H-1-XGigabitEthernet0/0/1] quit
[S6730-H-1] interface XGigabitEthernet 0/0/15
[S6730-H-1-XGigabitEthernet0/0/15] eth-trunk 4
[S6730-H-1-XGigabitEthernet0/0/15] quit

# Assign IP addresses to VLANIF interfaces and loopback 0.


[S6730-H-1] ipv6
[S6730-H-1] interface Vlanif 200
[S6730-H-1-Vlanif200] ipv6 enable
[S6730-H-1-Vlanif200] ip address 1.1.1.193 30
[S6730-H-1-Vlanif200] ipv6 address 2001:F60::A39/126
[S6730-H-1-Vlanif200] ipv6 address FE80:F60::A39 link-local
[S6730-H-1-Vlanif200] quit

[S6730-H-1] interface Vlanif 201
[S6730-H-1-Vlanif201] ipv6 enable
[S6730-H-1-Vlanif201] ip address 1.1.1.197 30
[S6730-H-1-Vlanif201] ipv6 address 2001:F60::A3D/126
[S6730-H-1-Vlanif201] ipv6 address FE80:F60::A3D link-local
[S6730-H-1-Vlanif201] quit
[S6730-H-1] interface Vlanif 210
[S6730-H-1-Vlanif210] ipv6 enable
[S6730-H-1-Vlanif210] ip address 1.1.1.209 30
[S6730-H-1-Vlanif210] ipv6 address 2001:F60::A41/126
[S6730-H-1-Vlanif210] ipv6 address FE80:F60::A41 link-local
[S6730-H-1-Vlanif210] quit
[S6730-H-1] interface Vlanif 280
[S6730-H-1-Vlanif280] ip address 1.1.1.213 30
[S6730-H-1-Vlanif280] quit
[S6730-H-1] interface Vlanif 2350
[S6730-H-1-Vlanif2350] ipv6 enable
[S6730-H-1-Vlanif2350] ip address 1.1.1.186 30
[S6730-H-1-Vlanif2350] ipv6 address 2001:F60::A32/126
[S6730-H-1-Vlanif2350] ipv6 address FE80:F60::A32 link-local
[S6730-H-1-Vlanif2350] quit
[S6730-H-1] interface LoopBack 0
[S6730-H-1-LoopBack0] ipv6 enable
[S6730-H-1-LoopBack0] ip address 1.1.1.104 32
[S6730-H-1-LoopBack0] ipv6 address 2001:F60::66/128
[S6730-H-1-LoopBack0] quit

Step 2 Configure OSPF on S6730-H-1.

# Configure IPSec.
[S6730-H-1] ipsec proposal 1
[S6730-H-1-ipsec-proposal-1] encapsulation-mode transport
[S6730-H-1-ipsec-proposal-1] transform ah
[S6730-H-1-ipsec-proposal-1] ah authentication-algorithm md5
[S6730-H-1-ipsec-proposal-1] quit
[S6730-H-1] ipsec sa area0
[S6730-H-1-ipsec-sa-area0] proposal 1
[S6730-H-1-ipsec-sa-area0] sa spi inbound ah 256
[S6730-H-1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S6730-H-1-ipsec-sa-area0] sa spi outbound ah 256
[S6730-H-1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S6730-H-1-ipsec-sa-area0] quit
[S6730-H-1] ipsec sa stub
[S6730-H-1-ipsec-sa-stub] proposal 1
[S6730-H-1-ipsec-sa-stub] sa spi inbound ah 1256
[S6730-H-1-ipsec-sa-stub] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S6730-H-1-ipsec-sa-stub] sa spi outbound ah 1256
[S6730-H-1-ipsec-sa-stub] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S6730-H-1-ipsec-sa-stub] quit

# Create an OSPFv2 process.


[S6730-H-1] bfd
[S6730-H-1-bfd] quit
[S6730-H-1] ospf 1 router-id 1.1.1.104
[S6730-H-1-ospf-1] bfd all-interfaces enable
[S6730-H-1-ospf-1] opaque-capability enable
[S6730-H-1-ospf-1] graceful-restart
[S6730-H-1-ospf-1] area 0.0.0.0
[S6730-H-1-ospf-1-area-0.0.0.0] quit
[S6730-H-1-ospf-1] area 1.1.1.104
[S6730-H-1-ospf-1-area-1.1.1.104] stub no-summary
[S6730-H-1-ospf-1-area-1.1.1.104] quit
[S6730-H-1-ospf-1] quit
# Create an OSPFv3 process.


[S6730-H-1] ospfv3 1
[S6730-H-1-ospfv3-1] router-id 1.1.1.104
[S6730-H-1-ospfv3-1] graceful-restart
[S6730-H-1-ospfv3-1] bfd all-interfaces enable
[S6730-H-1-ospfv3-1] ipsec sa area0
[S6730-H-1-ospfv3-1] area 1.1.1.104
[S6730-H-1-ospfv3-1-area-1.1.1.104] stub no-summary
[S6730-H-1-ospfv3-1-area-1.1.1.104] ipsec sa stub
[S6730-H-1-ospfv3-1-area-1.1.1.104] quit
[S6730-H-1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on VLANIF 200, VLANIF 201, VLANIF 210, VLANIF
280, VLANIF 2350, and loopback 0. Enable OSPFv2 and OSPFv3 on VLANIF 200,
VLANIF 2350, and loopback 0 in area 0, and on other interfaces in the stub area.
The following example enables OSPFv2 and OSPFv3 on VLANIF 200:
[S6730-H-1] interface Vlanif 200
[S6730-H-1-Vlanif200] ospf authentication-mode md5 1 cipher huawei@123
[S6730-H-1-Vlanif200] ospf network-type p2p
[S6730-H-1-Vlanif200] ospf enable 1 area 0.0.0.0
[S6730-H-1-Vlanif200] ospfv3 1 area 0.0.0.0
[S6730-H-1-Vlanif200] ospfv3 network-type p2p
[S6730-H-1-Vlanif200] quit

Step 3 Configure BGP on S6730-H-1.

# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network, and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4 and their IPv6 addresses are
2001:F60::3 and 2001:F60::4, respectively.
[S6730-H-1] bgp 64700
[S6730-H-1-bgp] router-id 1.1.1.104
[S6730-H-1-bgp] peer 1.1.1.3 as-number 64700
[S6730-H-1-bgp] peer 1.1.1.3 connect-interface LoopBack0
[S6730-H-1-bgp] peer 1.1.1.3 password cipher huawei@123
[S6730-H-1-bgp] peer 1.1.1.4 as-number 64700
[S6730-H-1-bgp] peer 1.1.1.4 connect-interface LoopBack0
[S6730-H-1-bgp] peer 1.1.1.4 password cipher huawei@123
[S6730-H-1-bgp] peer 2001:F60::3 as-number 64700
[S6730-H-1-bgp] peer 2001:F60::3 connect-interface LoopBack0
[S6730-H-1-bgp] peer 2001:F60::3 password cipher huawei@123
[S6730-H-1-bgp] peer 2001:F60::4 as-number 64700
[S6730-H-1-bgp] peer 2001:F60::4 connect-interface LoopBack0
[S6730-H-1-bgp] peer 2001:F60::4 password cipher huawei@123
[S6730-H-1-bgp] ipv4-family unicast
[S6730-H-1-bgp-af-ipv4] peer 1.1.1.3 enable
[S6730-H-1-bgp-af-ipv4] peer 1.1.1.4 enable
[S6730-H-1-bgp-af-ipv4] quit
[S6730-H-1-bgp] ipv6-family unicast
[S6730-H-1-bgp-af-ipv6] peer 2001:F60::3 enable
[S6730-H-1-bgp-af-ipv6] peer 2001:F60::4 enable
[S6730-H-1-bgp-af-ipv6] quit
[S6730-H-1-bgp] quit

Step 4 Configure MPLS LDP on S6730-H-1.


[S6730-H-1] mpls lsr-id 1.1.1.104
[S6730-H-1] mpls
[S6730-H-1-mpls] quit
[S6730-H-1] mpls ldp
[S6730-H-1-mpls-ldp] longest-match
[S6730-H-1-mpls-ldp] md5-password cipher all huawei@123
[S6730-H-1-mpls-ldp] quit
[S6730-H-1] interface Vlanif 200
[S6730-H-1-Vlanif200] mpls
[S6730-H-1-Vlanif200] mpls ldp
[S6730-H-1-Vlanif200] quit
[S6730-H-1] interface Vlanif 201
[S6730-H-1-Vlanif201] mpls
[S6730-H-1-Vlanif201] mpls ldp
[S6730-H-1-Vlanif201] quit
[S6730-H-1] interface Vlanif 210
[S6730-H-1-Vlanif210] mpls
[S6730-H-1-Vlanif210] mpls ldp
[S6730-H-1-Vlanif210] quit
[S6730-H-1] interface Vlanif 280
[S6730-H-1-Vlanif280] mpls
[S6730-H-1-Vlanif280] mpls ldp
[S6730-H-1-Vlanif280] quit
[S6730-H-1] interface Vlanif 2350
[S6730-H-1-Vlanif2350] mpls
[S6730-H-1-Vlanif2350] mpls ldp
[S6730-H-1-Vlanif2350] quit

----End
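The S6730-H-1 procedure above applies all four authentication controls from the solution design: OSPF MD5 on OSPFv2 interfaces, an IPSec SA in the OSPFv3 process, a TCP MD5 password on each BGP peer, and an LDP MD5 password. The following audit script is an added example, not part of this Huawei document or of VRP: it parses a configuration in the "#"-separated block format of the configuration files on this page and reports where any of the four controls is missing, accepting OSPFv2 authentication at either interface or area level. It assumes interfaces are enabled with `ospf enable` (the `network` form is not checked); the sample configuration is constructed, and `Vlanif280` with area 1.1.1.105 is a hypothetical addition.

```python
"""Added illustration (not Huawei tooling): audit a VRP-style configuration for
the authentication controls listed under "Security requirements"."""
from __future__ import annotations

# Constructed sample in this page's '#'-separated file format; Vlanif280 and
# area 1.1.1.105 are hypothetical additions to the S6730-H-1 values.
SAMPLE_CONFIG = """\
#
interface Vlanif200
 ospf authentication-mode md5 1 cipher huawei@123
 ospf enable 1 area 0.0.0.0
#
interface Vlanif210
 ospf enable 1 area 1.1.1.104
#
interface Vlanif280
 ospf enable 1 area 1.1.1.105
#
ospf 1 router-id 1.1.1.104
 area 1.1.1.105
  authentication-mode md5 1 cipher huawei@123
#
ospfv3 1
 area 1.1.1.104
#
bgp 64700
 peer 1.1.1.3 as-number 64700
 peer 1.1.1.3 password cipher huawei@123
 peer 1.1.1.4 as-number 64700
#
mpls ldp
#
return
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split on '#' lines into (header, indentation-stripped body) blocks."""
    blocks: list[tuple[str, list[str]]] = []
    current: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def authenticated_ospf_areas(blocks: list[tuple[str, list[str]]]) -> dict[str, set[str]]:
    """OSPFv2 process id -> areas with area-level authentication-mode (file form)."""
    areas: dict[str, set[str]] = {}
    for header, body in blocks:
        tokens = header.split()
        if len(tokens) < 2 or tokens[0] != "ospf":
            continue
        current_area = None
        for line in body:
            if line.startswith("area "):
                current_area = line.split()[1]
            elif line.startswith("authentication-mode") and current_area:
                areas.setdefault(tokens[1], set()).add(current_area)
    return areas


def has(body: list[str], prefix: str) -> bool:
    return any(line.startswith(prefix) for line in body)


def audit(config: str) -> list[str]:
    """Return one finding per missing control, in configuration order."""
    blocks = parse_blocks(config)
    area_auth = authenticated_ospf_areas(blocks)
    findings: list[str] = []
    for header, body in blocks:
        tokens = header.split()
        if tokens[0] == "interface":
            for line in body:
                parts = line.split()
                if parts[:2] != ["ospf", "enable"] or "area" not in parts:
                    continue
                # 'ospf enable [process-id] area <area-id>'; the process id defaults to 1
                process = "1" if parts[2] == "area" else parts[2]
                area = parts[parts.index("area") + 1]
                if not has(body, "ospf authentication-mode") and area not in area_auth.get(process, set()):
                    findings.append(f"{tokens[1]}: OSPFv2 area {area} enabled without MD5 authentication")
        elif tokens[0] == "ospfv3" and not has(body, "ipsec sa"):
            findings.append(f"{header}: no IPSec SA in the process or its areas")
        elif tokens[0] == "bgp":
            peers = {ln.split()[1] for ln in body if ln.startswith("peer ") and " as-number " in ln}
            protected = {ln.split()[1] for ln in body if ln.startswith("peer ") and " password " in ln}
            for peer in sorted(peers - protected):
                findings.append(f"{header} peer {peer}: no TCP MD5 password")
        elif header == "mpls ldp" and not has(body, "md5-password"):
            findings.append("mpls ldp: no md5-password, LDP sessions unauthenticated")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the sample it reports four gaps (Vlanif210, the OSPFv3 process, BGP peer 1.1.1.4, and LDP) while Vlanif280 passes because its area carries area-level authentication; pointing it at a saved `display current-configuration` gives the same check for a real device.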

9.4.4.2 Configuring a Stack of Aggregation Switches (S5731-H-5)


Step 1 Configure two S5731-H aggregation switches to set up a stack (S5731-H-5).
For details about how to set up a stack, see Stack & SVF Assistant.
Step 2 Configure VLANs and interfaces on S5731-H-5.
# Create Eth-Trunks and add them to corresponding VLANs.
<S5731-H-5> system-view
[S5731-H-5] vlan batch 2401 to 2402 2601 to 2605
[S5731-H-5] stp disable
[S5731-H-5] interface Eth-Trunk 1
[S5731-H-5-Eth-Trunk1] mode lacp
[S5731-H-5-Eth-Trunk1] port link-type trunk
[S5731-H-5-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5731-H-5-Eth-Trunk1] port trunk allow-pass vlan 2601 to 2605
[S5731-H-5-Eth-Trunk1] quit
[S5731-H-5] interface Eth-Trunk 101
[S5731-H-5-Eth-Trunk101] mode lacp
[S5731-H-5-Eth-Trunk101] port link-type trunk
[S5731-H-5-Eth-Trunk101] undo port trunk allow-pass vlan 1
[S5731-H-5-Eth-Trunk101] port trunk allow-pass vlan 2401
[S5731-H-5-Eth-Trunk101] quit
[S5731-H-5] interface Eth-Trunk 102
[S5731-H-5-Eth-Trunk102] mode lacp
[S5731-H-5-Eth-Trunk102] port link-type trunk
[S5731-H-5-Eth-Trunk102] undo port trunk allow-pass vlan 1
[S5731-H-5-Eth-Trunk102] port trunk allow-pass vlan 2402
[S5731-H-5-Eth-Trunk102] quit

# Add member interfaces to the Eth-Trunks.


[S5731-H-5] interface GigabitEthernet 0/0/1
[S5731-H-5-GigabitEthernet0/0/1] eth-trunk 1
[S5731-H-5-GigabitEthernet0/0/1] quit
[S5731-H-5] interface GigabitEthernet 1/0/1
[S5731-H-5-GigabitEthernet1/0/1] eth-trunk 1
[S5731-H-5-GigabitEthernet1/0/1] quit
[S5731-H-5] interface XGigabitEthernet 0/0/4
[S5731-H-5-XGigabitEthernet0/0/4] eth-trunk 101
[S5731-H-5-XGigabitEthernet0/0/4] quit
[S5731-H-5] interface XGigabitEthernet 1/0/4
[S5731-H-5-XGigabitEthernet1/0/4] eth-trunk 102
[S5731-H-5-XGigabitEthernet1/0/4] quit

# Assign IP addresses to VLANIF interfaces and loopback 0.
[S5731-H-5] interface Vlanif 2401
[S5731-H-5-Vlanif2401] ip address 1.1.1.214 30
[S5731-H-5-Vlanif2401] quit
[S5731-H-5] interface Vlanif 2402
[S5731-H-5-Vlanif2402] ip address 1.1.1.222 30
[S5731-H-5-Vlanif2402] quit
[S5731-H-5] interface Vlanif 2601
[S5731-H-5-Vlanif2601] ip address 2.2.1.113 28
[S5731-H-5-Vlanif2601] quit
[S5731-H-5] interface Vlanif 2602
[S5731-H-5-Vlanif2602] ip address 2.2.2.113 28
[S5731-H-5-Vlanif2602] quit
[S5731-H-5] interface Vlanif 2603
[S5731-H-5-Vlanif2603] ip address 2.2.3.117 30
[S5731-H-5-Vlanif2603] quit
[S5731-H-5] interface Vlanif 2604
[S5731-H-5-Vlanif2604] ip address 2.2.4.25 30
[S5731-H-5-Vlanif2604] quit
[S5731-H-5] interface Vlanif 2605
[S5731-H-5-Vlanif2605] ip address 2.2.5.109 30
[S5731-H-5-Vlanif2605] quit
[S5731-H-5] interface LoopBack 0
[S5731-H-5-LoopBack0] ip address 1.1.1.107 32
[S5731-H-5-LoopBack0] quit

Step 3 Configure OSPF on S5731-H-5.


# Create an OSPFv2 process.
[S5731-H-5] bfd
[S5731-H-5-bfd] quit
[S5731-H-5] ospf 1 router-id 1.1.1.107
[S5731-H-5-ospf-1] bfd all-interfaces enable
[S5731-H-5-ospf-1] opaque-capability enable
[S5731-H-5-ospf-1] graceful-restart
[S5731-H-5-ospf-1] area 1.1.1.104
[S5731-H-5-ospf-1-area-1.1.1.104] stub no-summary
[S5731-H-5-ospf-1-area-1.1.1.104] quit
[S5731-H-5-ospf-1] quit

# Enable OSPFv2 on VLANIF 2401, VLANIF 2402, and loopback 0. The following
example enables OSPFv2 on VLANIF 2401.
[S5731-H-5] interface Vlanif 2401
[S5731-H-5-Vlanif2401] ospf authentication-mode md5 1 cipher huawei@123
[S5731-H-5-Vlanif2401] ospf network-type p2p
[S5731-H-5-Vlanif2401] ospf enable 1 area 1.1.1.104
[S5731-H-5-Vlanif2401] quit

Step 4 Configure BGP on S5731-H-5.


# Create a routing policy to import the direct routes and static routes of downstream
devices (matched by tags 647000 and 647001) into the BGP routing table and advertise
them to the RRs; the final deny node of the policy filters out all other routes.
[S5731-H-5] route-policy STATIC-to-BGP permit node 10
[S5731-H-5-route-policy] if-match tag 647000
[S5731-H-5-route-policy] route-policy STATIC-to-BGP permit node 20
[S5731-H-5-route-policy] if-match tag 647001
[S5731-H-5-route-policy] route-policy STATIC-to-BGP deny node 30
[S5731-H-5-route-policy] quit

# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4, respectively.
[S5731-H-5] bgp 64700
[S5731-H-5-bgp] router-id 1.1.1.107
[S5731-H-5-bgp] peer 1.1.1.3 as-number 64700
[S5731-H-5-bgp] peer 1.1.1.3 connect-interface LoopBack0
[S5731-H-5-bgp] peer 1.1.1.3 password cipher huawei@123
[S5731-H-5-bgp] peer 1.1.1.4 as-number 64700
[S5731-H-5-bgp] peer 1.1.1.4 connect-interface LoopBack0
[S5731-H-5-bgp] peer 1.1.1.4 password cipher huawei@123
[S5731-H-5-bgp] ipv4-family unicast
[S5731-H-5-bgp-af-ipv4] import-route static route-policy STATIC-to-BGP
[S5731-H-5-bgp-af-ipv4] peer 1.1.1.3 enable
[S5731-H-5-bgp-af-ipv4] peer 1.1.1.4 enable
[S5731-H-5-bgp-af-ipv4] quit
[S5731-H-5-bgp] quit

Step 5 Configure MPLS LDP on S5731-H-5.


[S5731-H-5] mpls lsr-id 1.1.1.107
[S5731-H-5] mpls
[S5731-H-5-mpls] quit
[S5731-H-5] mpls ldp
[S5731-H-5-mpls-ldp] longest-match
[S5731-H-5-mpls-ldp] md5-password cipher all huawei@123
[S5731-H-5-mpls-ldp] quit
[S5731-H-5] interface Vlanif 2401
[S5731-H-5-Vlanif2401] mpls
[S5731-H-5-Vlanif2401] mpls ldp
[S5731-H-5-Vlanif2401] quit
[S5731-H-5] interface Vlanif 2402
[S5731-H-5-Vlanif2402] mpls
[S5731-H-5-Vlanif2402] mpls ldp
[S5731-H-5-Vlanif2402] quit
[S5731-H-5] mpls ldp remote-peer 1.1.1.9
[S5731-H-5-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[S5731-H-5-mpls-ldp-remote-1.1.1.9] quit
[S5731-H-5] mpls ldp remote-peer 1.1.1.10
[S5731-H-5-mpls-ldp-remote-1.1.1.10] remote-ip 1.1.1.10
[S5731-H-5-mpls-ldp-remote-1.1.1.10] quit

Step 6 Configure VPLS on S5731-H-5.


[S5731-H-5] mpls l2vpn
[S5731-H-5-l2vpn] quit
[S5731-H-5] vsi v2 static
[S5731-H-5-vsi-v2] pwsignal ldp
[S5731-H-5--vsi-v2-ldp] vsi-id 1035
[S5731-H-5--vsi-v2-ldp] peer 1.1.1.9
[S5731-H-5--vsi-v2-ldp] quit
[S5731-H-5-vsi-v2] quit
[S5731-H-5] vcmp role silent
[S5731-H-5] interface Eth-Trunk 1.1035
[S5731-H-5-Eth-Trunk1.1035] qinq stacking vid 3400 to 3999 pe-vid 1035
[S5731-H-5-Eth-Trunk1.1035] l2 binding vsi v2
[S5731-H-5-Eth-Trunk1.1035] quit

VLAN termination sub-interfaces cannot be created on a VLAN Central Management
Protocol (VCMP) client. In this example, S5731-H-5 is configured as a VCMP silent switch.

----End

9.4.4.3 Configuring Aggregation Switches (S6730-H)


The following uses S6730-H-3 as an example. The configuration of S6730-H-4 is
similar to that of S6730-H-3.

Step 1 Configure a VLAN and an interface on S6730-H-3.

# Create an Eth-Trunk, and add the Eth-Trunk and a physical interface to a VLAN.

<S6730-H-3> system-view
[S6730-H-3] vlan batch 210
[S6730-H-3] interface Eth-Trunk 2
[S6730-H-3-Eth-Trunk2] mode lacp
[S6730-H-3-Eth-Trunk2] port link-type trunk
[S6730-H-3-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S6730-H-3-Eth-Trunk2] port trunk allow-pass vlan 210
[S6730-H-3-Eth-Trunk2] quit
[S6730-H-3] interface XGigabitEthernet 0/0/1
[S6730-H-3-XGigabitEthernet0/0/1] port link-type trunk
[S6730-H-3-XGigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S6730-H-3-XGigabitEthernet0/0/1] port trunk allow-pass vlan 210
[S6730-H-3-XGigabitEthernet0/0/1] quit

# Add a member interface to the Eth-Trunk.


[S6730-H-3] interface XGigabitEthernet 0/0/24
[S6730-H-3-XGigabitEthernet0/0/24] eth-trunk 2
[S6730-H-3-XGigabitEthernet0/0/24] quit

----End

9.4.4.4 Configuring the Access Switch S5735-L-6


Step 1 Configure VLANs and interfaces on S5735-L-6.
# Create VLANs and add physical interfaces to the corresponding VLANs.
<S5735-L-6> system-view
[S5735-L-6] vlan batch 210 250 502
[S5735-L-6] stp disable
[S5735-L-6] interface XGigabitEthernet 0/0/1
[S5735-L-6-XGigabitEthernet0/0/1] port link-type access
[S5735-L-6-XGigabitEthernet0/0/1] port default vlan 502
[S5735-L-6-XGigabitEthernet0/0/1] quit
[S5735-L-6] interface XGigabitEthernet 0/0/2
[S5735-L-6-XGigabitEthernet0/0/2] port link-type access
[S5735-L-6-XGigabitEthernet0/0/2] port default vlan 502
[S5735-L-6-XGigabitEthernet0/0/2] quit
[S5735-L-6] interface XGigabitEthernet 0/0/47
[S5735-L-6-XGigabitEthernet0/0/47] port link-type trunk
[S5735-L-6-XGigabitEthernet0/0/47] undo port trunk allow-pass vlan 1
[S5735-L-6-XGigabitEthernet0/0/47] port trunk allow-pass vlan 210
[S5735-L-6-XGigabitEthernet0/0/47] quit
[S5735-L-6] interface XGigabitEthernet 0/0/48
[S5735-L-6-XGigabitEthernet0/0/48] port link-type trunk
[S5735-L-6-XGigabitEthernet0/0/48] undo port trunk allow-pass vlan 1
[S5735-L-6-XGigabitEthernet0/0/48] port trunk allow-pass vlan 250
[S5735-L-6-XGigabitEthernet0/0/48] quit

# Assign IP addresses to VLANIF interfaces and loopback 0.


[S5735-L-6] ipv6
[S5735-L-6] interface Vlanif 210
[S5735-L-6-Vlanif210] ipv6 enable
[S5735-L-6-Vlanif210] ip address 1.1.1.210 30
[S5735-L-6-Vlanif210] ipv6 address 2001:F60::A42/126
[S5735-L-6-Vlanif210] ipv6 address FE80:F60::A42 link-local
[S5735-L-6-Vlanif210] quit
[S5735-L-6] interface Vlanif 250
[S5735-L-6-Vlanif250] ipv6 enable
[S5735-L-6-Vlanif250] ip address 1.1.1.218 30
[S5735-L-6-Vlanif250] ipv6 address 2001:F60::A46/126
[S5735-L-6-Vlanif250] ipv6 address FE80:F60::A46 link-local
[S5735-L-6-Vlanif250] quit
[S5735-L-6] interface Vlanif 502
[S5735-L-6-Vlanif502] ipv6 enable
[S5735-L-6-Vlanif502] ip address 3.3.3.173 30
[S5735-L-6-Vlanif502] ipv6 address 2002:F60::113/64
[S5735-L-6-Vlanif502] ipv6 address FE80:F60::113 link-local
[S5735-L-6-Vlanif502] quit
[S5735-L-6] interface LoopBack 0
[S5735-L-6-LoopBack0] ipv6 enable
[S5735-L-6-LoopBack0] ip address 1.1.1.106 32
[S5735-L-6-LoopBack0] ipv6 address 2001:F60::68/128
[S5735-L-6-LoopBack0] quit

Step 2 Configure OSPF on S5735-L-6.


# Configure IPSec.
[S5735-L-6] ipsec proposal 1
[S5735-L-6-ipsec-proposal-1] encapsulation-mode transport
[S5735-L-6-ipsec-proposal-1] transform ah
[S5735-L-6-ipsec-proposal-1] ah authentication-algorithm md5
[S5735-L-6-ipsec-proposal-1] quit
[S5735-L-6] ipsec sa area0
[S5735-L-6-ipsec-sa-area0] proposal 1
[S5735-L-6-ipsec-sa-area0] sa spi inbound ah 256
[S5735-L-6-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S5735-L-6-ipsec-sa-area0] sa spi outbound ah 256
[S5735-L-6-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S5735-L-6-ipsec-sa-area0] quit
[S5735-L-6] ipsec sa stub
[S5735-L-6-ipsec-sa-stub] proposal 1
[S5735-L-6-ipsec-sa-stub] sa spi inbound ah 1256
[S5735-L-6-ipsec-sa-stub] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S5735-L-6-ipsec-sa-stub] sa spi outbound ah 1256
[S5735-L-6-ipsec-sa-stub] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S5735-L-6-ipsec-sa-stub] quit

# Create an OSPFv2 process.


[S5735-L-6] bfd
[S5735-L-6-bfd] quit
[S5735-L-6] ospf 1 router-id 1.1.1.106
[S5735-L-6-ospf-1] bfd all-interfaces enable
[S5735-L-6-ospf-1] opaque-capability enable
[S5735-L-6-ospf-1] graceful-restart
[S5735-L-6-ospf-1] area 1.1.1.104
[S5735-L-6-ospf-1-area-1.1.1.104] stub no-summary
[S5735-L-6-ospf-1-area-1.1.1.104] quit
[S5735-L-6-ospf-1] quit

# Create an OSPFv3 process.


[S5735-L-6] ospfv3 1
[S5735-L-6-ospfv3-1] router-id 1.1.1.106
[S5735-L-6-ospfv3-1] graceful-restart
[S5735-L-6-ospfv3-1] bfd all-interfaces enable
[S5735-L-6-ospfv3-1] area 1.1.1.104
[S5735-L-6-ospfv3-1-area-1.1.1.104] stub no-summary
[S5735-L-6-ospfv3-1-area-1.1.1.104] ipsec sa stub
[S5735-L-6-ospfv3-1-area-1.1.1.104] quit
[S5735-L-6-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on VLANIF 210, VLANIF 250, and loopback 0. The
following example enables OSPFv2 and OSPFv3 on VLANIF 210:
[S5735-L-6] interface Vlanif 210
[S5735-L-6-Vlanif210] ospf authentication-mode md5 1 cipher huawei@123
[S5735-L-6-Vlanif210] ospf network-type p2p
[S5735-L-6-Vlanif210] ospf enable 1 area 1.1.1.104
[S5735-L-6-Vlanif210] ospfv3 1 area 1.1.1.104
[S5735-L-6-Vlanif210] ospfv3 network-type p2p
[S5735-L-6-Vlanif210] quit

Step 3 Configure BGP on S5735-L-6 to import specified static routes (such as the routes
carrying tags 6000 and 6001) from the user side to the BGP routing table.
# Create routing policies.
[S5735-L-6] route-policy STATIC-to-BGP permit node 10
[S5735-L-6-route-policy] if-match tag 6000
[S5735-L-6-route-policy] route-policy STATIC-to-BGP permit node 20
[S5735-L-6-route-policy] if-match tag 6001
[S5735-L-6-route-policy] route-policy STATIC-to-BGP deny node 30
[S5735-L-6-route-policy] quit

# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network, and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4 and their IPv6 addresses are
2001:F60::3 and 2001:F60::4, respectively.
[S5735-L-6] bgp 64700
[S5735-L-6-bgp] router-id 1.1.1.106
[S5735-L-6-bgp] peer 1.1.1.3 as-number 64700
[S5735-L-6-bgp] peer 1.1.1.3 connect-interface LoopBack0
[S5735-L-6-bgp] peer 1.1.1.3 password cipher huawei@123
[S5735-L-6-bgp] peer 1.1.1.4 as-number 64700
[S5735-L-6-bgp] peer 1.1.1.4 connect-interface LoopBack0
[S5735-L-6-bgp] peer 1.1.1.4 password cipher huawei@123
[S5735-L-6-bgp] peer 2001:F60::3 as-number 64700
[S5735-L-6-bgp] peer 2001:F60::3 connect-interface LoopBack0
[S5735-L-6-bgp] peer 2001:F60::3 password cipher huawei@123
[S5735-L-6-bgp] peer 2001:F60::4 as-number 64700
[S5735-L-6-bgp] peer 2001:F60::4 connect-interface LoopBack0
[S5735-L-6-bgp] peer 2001:F60::4 password cipher huawei@123
[S5735-L-6-bgp] ipv4-family unicast
[S5735-L-6-bgp-af-ipv4] import-route static route-policy STATIC-to-BGP
[S5735-L-6-bgp-af-ipv4] peer 1.1.1.3 enable
[S5735-L-6-bgp-af-ipv4] peer 1.1.1.4 enable
[S5735-L-6-bgp-af-ipv4] quit
[S5735-L-6-bgp] ipv6-family unicast
[S5735-L-6-bgp-af-ipv6] import-route static route-policy STATIC-to-BGP
[S5735-L-6-bgp-af-ipv6] peer 2001:F60::3 enable
[S5735-L-6-bgp-af-ipv6] peer 2001:F60::4 enable
[S5735-L-6-bgp-af-ipv6] quit
[S5735-L-6-bgp] quit

Step 4 Configure QoS on S5735-L-6 to enable different interfaces to provide
differentiated bandwidths for users.
[S5735-L-6] traffic classifier ANYINT operator or
[S5735-L-6-classifier-ANYINT] if-match any
[S5735-L-6-classifier-ANYINT] quit
[S5735-L-6] traffic behavior PREMIUM10
[S5735-L-6-behavior-PREMIUM10] car cir 10000 pir 1000000 cbs 1250000 pbs 125000000 share green pass remark-8021p 4 yellow pass remark-8021p 1 red discard
[S5735-L-6-behavior-PREMIUM10] quit
[S5735-L-6] traffic behavior PREMIUM100
[S5735-L-6-behavior-PREMIUM100] car cir 100000 pir 1000000 cbs 12500000 pbs 125000000 share green pass remark-8021p 4 yellow pass remark-8021p 1 red discard
[S5735-L-6-behavior-PREMIUM100] quit
[S5735-L-6] traffic policy PREMIUM10 match-order config
[S5735-L-6-trafficpolicy-PREMIUM10] classifier ANYINT behavior PREMIUM10
[S5735-L-6-trafficpolicy-PREMIUM10] quit
[S5735-L-6] traffic policy PREMIUM100 match-order config
[S5735-L-6-trafficpolicy-PREMIUM100] classifier ANYINT behavior PREMIUM100
[S5735-L-6-trafficpolicy-PREMIUM100] quit
[S5735-L-6] interface XGigabitEthernet 0/0/1
[S5735-L-6-XGigabitEthernet0/0/1] traffic-policy PREMIUM10 inbound
[S5735-L-6-XGigabitEthernet0/0/1] quit
[S5735-L-6] interface XGigabitEthernet 0/0/2
[S5735-L-6-XGigabitEthernet0/0/2] traffic-policy PREMIUM100 inbound
[S5735-L-6-XGigabitEthernet0/0/2] quit

----End
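To show how the cir, pir, cbs and pbs values of the PREMIUM10 CAR action in Step 4 map onto the green (remark-8021p 4), yellow (remark-8021p 1) and red (discard) outcomes, the following is an added model of a two-rate three-colour marker (RFC 2698, colour-blind mode). It is example code written for this page, not Huawei's implementation, and it assumes that the switch's CAR follows trTCM token-bucket semantics; the packet bursts it feeds in are constructed.

```python
"""Two-rate three-colour marker (RFC 2698, colour-blind) used to model the CAR
action of traffic behavior PREMIUM10. Example code added for this page; it
assumes the switch's CAR follows trTCM token-bucket semantics."""
from typing import Dict, Iterable, List, Tuple

BYTES_PER_KBIT = 125  # 1 kbit/s of rate refills 125 bytes/s of tokens


class TrTcm:
    def __init__(self, cir_kbps: int, pir_kbps: int, cbs: int, pbs: int) -> None:
        self.cir = cir_kbps * BYTES_PER_KBIT        # committed rate, bytes/s
        self.pir = pir_kbps * BYTES_PER_KBIT        # peak rate, bytes/s
        self.cbs, self.pbs = cbs, pbs               # bucket depths, bytes
        self.tc, self.tp = float(cbs), float(pbs)   # both buckets start full
        self.last = 0.0                             # time of the last refill

    def mark(self, t: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time t (seconds)."""
        dt = max(0.0, t - self.last)
        self.last = max(self.last, t)
        # Refill both buckets for the elapsed time, capped at their depth.
        self.tc = min(float(self.cbs), self.tc + self.cir * dt)
        self.tp = min(float(self.pbs), self.tp + self.pir * dt)
        if self.tp < size:      # exceeds the peak burst: red, buckets untouched
            return "red"
        self.tp -= size
        if self.tc < size:      # within peak but above committed burst: yellow
            return "yellow"
        self.tc -= size
        return "green"


# cir/pir in kbit/s and cbs/pbs in bytes, exactly as in the CAR command above.
PREMIUM10 = dict(cir_kbps=10000, pir_kbps=1000000, cbs=1250000, pbs=125000000)
# What the behavior does with each colour.
ACTION = {"green": "remark-8021p 4", "yellow": "remark-8021p 1", "red": "discard"}


def colour_counts(params: Dict[str, int],
                  packets: Iterable[Tuple[float, int]]) -> Dict[str, int]:
    """Run (arrival time, size) packets through a fresh marker; count colours."""
    marker = TrTcm(**params)
    counts = {"green": 0, "yellow": 0, "red": 0}
    for t, size in packets:
        counts[marker.mark(t, size)] += 1
    return counts


def burst(n: int, size: int = 1500, t: float = 0.0) -> List[Tuple[float, int]]:
    """Constructed input: n packets of `size` bytes arriving at the same instant."""
    return [(t, size)] * n
```

With the PREMIUM10 values an instantaneous burst of 2000 full-size frames yields 833 green and 1167 yellow frames, and only a burst beyond the 125,000,000-byte pbs produces red frames; one second of idle time refills the committed bucket completely.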

9.4.5 Verifying the Deployment


Step 1 Verify that a PC connected to the aggregation switch S5731-H-5 can successfully
ping the IP address of a remote server on the ISP backbone network.
Step 2 Verify that a PC connected to the access switch S5735-L-6 can successfully ping
the IP address of a remote server on the ISP backbone network.

----End
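As an added check that is not part of the original procedure, the following script audits a VRP-style configuration file for the settings this deployment relies on: OSPF authentication on every OSPF-enabled interface other than a loopback, a password on every BGP peer, an LDP MD5 password, and VLAN 1 pruned from every trunk. The sample configuration is constructed after the S5731-H-5 file in 9.4.6 with some of those settings deliberately left out, and PLACEHOLDER-CIPHERTEXT stands in for the device's own cipher text.

```python
"""Audit a Huawei VRP-style configuration for the protections this
deployment applies. Example code added for this page, not a Huawei tool."""
import re
from typing import List

# Constructed sample modelled on the S5731-H-5 configuration file, with four
# settings deliberately left out so the audit has findings to report.
# PLACEHOLDER-CIPHERTEXT stands for the device's own %^%#...%^%# cipher text.
SAMPLE_CONFIG = """\
#
sysname S5731-H-5
#
mpls ldp
 longest-match
#
interface Vlanif2401
 ip address 1.1.1.214 255.255.255.252
 ospf authentication-mode md5 1 cipher PLACEHOLDER-CIPHERTEXT
 ospf enable 1 area 1.1.1.104
#
interface Vlanif2402
 ip address 1.1.1.222 255.255.255.252
 ospf enable 1 area 1.1.1.104
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2601 to 2605
#
interface Eth-Trunk101
 port link-type trunk
 port trunk allow-pass vlan 2401
#
interface LoopBack0
 ip address 1.1.1.107 255.255.255.255
 ospf enable 1 area 1.1.1.104
#
bgp 64700
 router-id 1.1.1.107
 peer 1.1.1.3 as-number 64700
 peer 1.1.1.3 connect-interface LoopBack0
 peer 1.1.1.3 password cipher PLACEHOLDER-CIPHERTEXT
 peer 1.1.1.4 as-number 64700
 peer 1.1.1.4 connect-interface LoopBack0
#
return
"""


def parse_blocks(text: str) -> List[List[str]]:
    """Split a VRP config into blocks delimited by '#' lines.
    Each block is a list of stripped lines; the first is the view command."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding per missing protection, in configuration order."""
    findings: List[str] = []
    for block in parse_blocks(text):
        header, body = block[0], block[1:]
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            # A loopback runs OSPF only to advertise its address and has no
            # neighbours, so the authentication check skips it.
            ospf_on = any(l.startswith("ospf enable ") for l in body)
            ospf_auth = any(l.startswith("ospf authentication-mode ") for l in body)
            if ospf_on and not ospf_auth and not name.startswith("LoopBack"):
                findings.append(f"{name}: OSPF enabled without authentication-mode")
            if "port link-type trunk" in body and "undo port trunk allow-pass vlan 1" not in body:
                findings.append(f"{name}: trunk still allows VLAN 1")
        elif header.startswith("bgp "):
            peers = {l.split()[1] for l in body if re.match(r"peer \S+ as-number ", l)}
            secured = {l.split()[1] for l in body if re.match(r"peer \S+ password ", l)}
            for peer in sorted(peers - secured):
                findings.append(f"{header}: peer {peer} has no password")
        elif header == "mpls ldp":
            if not any(l.startswith("md5-password ") for l in body):
                findings.append("mpls ldp: no md5-password for LDP sessions")
    return findings
```

Run against a real `display current-configuration` capture, the same four checks report the interfaces, peers and views that deviate from the settings configured in 9.4.4.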


9.4.6 Configuration Files


Egress gateway S6730-H-1

#
sysname S6730-H-1
#
ipv6
#
vlan batch 200 to 201 210 280 2350
#
stp disable
#
bfd
#
mpls lsr-id 1.1.1.104
mpls
#
mpls ldp
longest-match
md5-password cipher all %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal 1
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa area0
proposal 1
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ipsec sa stub
proposal 1
sa spi inbound ah 1256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 1256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 1.1.1.104
graceful-restart
bfd all-interfaces enable
ipsec sa area0
area 1.1.1.104
stub no-summary
ipsec sa stub
#
interface Vlanif200
ipv6 enable
ip address 1.1.1.193 255.255.255.252
ipv6 address 2001:F60::A39/126
ipv6 address FE80:F60::A39 link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
#
interface Vlanif201
ipv6 enable
ip address 1.1.1.197 255.255.255.252
ipv6 address 2001:F60::A3D/126
ipv6 address FE80:F60::A3D link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif210
ipv6 enable
ip address 1.1.1.209 255.255.255.252
ipv6 address 2001:F60::A41/126
ipv6 address FE80:F60::A41 link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif280
ip address 1.1.1.213 255.255.255.252
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif2350
ipv6 enable
ip address 1.1.1.186 255.255.255.252
ipv6 address 2001:F60::A32/126
ipv6 address FE80:F60::A32 link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200 to 201
mode lacp
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2350
mode lacp
#
interface Eth-Trunk3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 210
mode lacp
#
interface Eth-Trunk4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 280
mode lacp
#
interface XGigabitEthernet0/0/1
eth-trunk 3
#
interface XGigabitEthernet0/0/15
eth-trunk 4
#
interface XGigabitEthernet0/0/24
eth-trunk 2
#
interface 40GE0/0/1
eth-trunk 1
#
interface 40GE0/0/2
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 1.1.1.104 255.255.255.255
ipv6 address 2001:F60::66/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 64700
router-id 1.1.1.104
peer 1.1.1.3 as-number 64700
peer 1.1.1.3 connect-interface LoopBack0
peer 1.1.1.3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 1.1.1.4 as-number 64700
peer 1.1.1.4 connect-interface LoopBack0
peer 1.1.1.4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::3 as-number 64700
peer 2001:F60::3 connect-interface LoopBack0
peer 2001:F60::3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::4 as-number 64700
peer 2001:F60::4 connect-interface LoopBack0
peer 2001:F60::4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
peer 1.1.1.3 enable
peer 1.1.1.4 enable
#
ipv6-family unicast
undo synchronization
peer 2001:F60::3 enable
peer 2001:F60::4 enable
#
ospf 1 router-id 1.1.1.104
bfd all-interfaces enable
opaque-capability enable
graceful-restart
area 0.0.0.0
area 1.1.1.104
stub no-summary
#
return

Egress gateway S6730-H-2

#
sysname S6730-H-2
#
ipv6
#
vlan batch 200 to 201 250 290 2355
#
stp disable
#
bfd
#
mpls lsr-id 1.1.1.105
mpls
#
mpls ldp
longest-match
md5-password cipher all %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal 1
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa area0
proposal 1
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ipsec sa stub
proposal 1
sa spi inbound ah 1256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 1256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 1.1.1.105
graceful-restart
bfd all-interfaces enable
ipsec sa area0
area 1.1.1.104
stub no-summary
ipsec sa stub
#
interface Vlanif200
ipv6 enable
ip address 1.1.1.194 255.255.255.252
ipv6 address 2001:F60::A3A/126
ipv6 address FE80:F60::A3A link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
#
interface Vlanif201
ipv6 enable
ip address 1.1.1.198 255.255.255.252
ipv6 address 2001:F60::A3E/126
ipv6 address FE80:F60::A3E link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif250
ipv6 enable
ip address 1.1.1.217 255.255.255.252
ipv6 address 2001:F60::A45/126
ipv6 address FE80:F60::A45 link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif290
ip address 1.1.1.221 255.255.255.252
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif2355
ipv6 enable
ip address 1.1.1.190 255.255.255.252
ipv6 address 2001:F60::A36/126
ipv6 address FE80:F60::A36 link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200 to 201
mode lacp
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2355
mode lacp
#
interface Eth-Trunk3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 250
mode lacp
#
interface Eth-Trunk4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 290
mode lacp
#
interface XGigabitEthernet0/0/1
eth-trunk 3
#
interface XGigabitEthernet0/0/15
eth-trunk 4
#
interface XGigabitEthernet0/0/24
eth-trunk 2
#
interface 40GE0/0/1
eth-trunk 1
#
interface 40GE0/0/2
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 1.1.1.105 255.255.255.255
ipv6 address 2001:F60::67/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 64700
router-id 1.1.1.105
peer 1.1.1.3 as-number 64700
peer 1.1.1.3 connect-interface LoopBack0
peer 1.1.1.3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 1.1.1.4 as-number 64700
peer 1.1.1.4 connect-interface LoopBack0
peer 1.1.1.4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::3 as-number 64700
peer 2001:F60::3 connect-interface LoopBack0
peer 2001:F60::3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::4 as-number 64700
peer 2001:F60::4 connect-interface LoopBack0
peer 2001:F60::4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
peer 1.1.1.3 enable
peer 1.1.1.4 enable
#
ipv6-family unicast
undo synchronization
peer 2001:F60::3 enable
peer 2001:F60::4 enable
#
ospf 1 router-id 1.1.1.105
bfd all-interfaces enable
opaque-capability enable
graceful-restart
area 0.0.0.0
area 1.1.1.104
stub no-summary
#
return

Aggregation switch S6730-H-3

#
sysname S6730-H-3
#
vlan batch 210
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 210
mode lacp
#
interface XGigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 210
#
interface XGigabitEthernet0/0/24
eth-trunk 2
#
return

Aggregation switch S6730-H-4

#
sysname S6730-H-4
#
vlan batch 250
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 250
mode lacp
#
interface XGigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 250
#
interface XGigabitEthernet0/0/24
eth-trunk 2
#
return


Access gateway S5735-L-6


#
sysname S5735-L-6
#
ipv6
#
vlan batch 210 250 502
#
stp disable
#
bfd
#
ipsec proposal 1
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa stub
proposal 1
sa spi inbound ah 1256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 1256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
traffic classifier ANYINT operator or
if-match any
#
traffic behavior PREMIUM10
car cir 10000 pir 1000000 cbs 1250000 pbs 125000000 share green pass remark-8021p 4 yellow pass remark-8021p 1 red discard
traffic behavior PREMIUM100
car cir 100000 pir 1000000 cbs 12500000 pbs 125000000 share green pass remark-8021p 4 yellow pass remark-8021p 1 red discard
#
traffic policy PREMIUM10 match-order config
classifier ANYINT behavior PREMIUM10
traffic policy PREMIUM100 match-order config
classifier ANYINT behavior PREMIUM100
#
ospfv3 1
router-id 1.1.1.106
graceful-restart
bfd all-interfaces enable
area 1.1.1.104
stub no-summary
ipsec sa stub
#
interface Vlanif210
ipv6 enable
ip address 1.1.1.210 255.255.255.252
ipv6 address 2001:F60::A42/126
ipv6 address FE80:F60::A42 link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
#
interface Vlanif250
ipv6 enable
ip address 1.1.1.218 255.255.255.252
ipv6 address 2001:F60::A46/126
ipv6 address FE80:F60::A46 link-local
ospfv3 1 area 1.1.1.104
ospfv3 network-type p2p
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
#
interface Vlanif502
ipv6 enable
ip address 3.3.3.173 255.255.255.252
ipv6 address 2002:F60::113/64
ipv6 address FE80:F60::113 link-local
#
interface XGigabitEthernet0/0/1
port link-type access
port default vlan 502
traffic-policy PREMIUM10 inbound
#
interface XGigabitEthernet0/0/2
port link-type access
port default vlan 502
traffic-policy PREMIUM100 inbound
#
interface XGigabitEthernet0/0/47
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 210
#
interface XGigabitEthernet0/0/48
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 250
#
interface LoopBack0
ipv6 enable
ip address 1.1.1.106 255.255.255.255
ipv6 address 2001:F60::68/128
ospfv3 1 area 1.1.1.104
ospf enable 1 area 1.1.1.104
#
bgp 64700
router-id 1.1.1.106
peer 1.1.1.3 as-number 64700
peer 1.1.1.3 connect-interface LoopBack0
peer 1.1.1.3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 1.1.1.4 as-number 64700
peer 1.1.1.4 connect-interface LoopBack0
peer 1.1.1.4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::3 as-number 64700
peer 2001:F60::3 connect-interface LoopBack0
peer 2001:F60::3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001:F60::4 as-number 64700
peer 2001:F60::4 connect-interface LoopBack0
peer 2001:F60::4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
import-route static route-policy STATIC-to-BGP
peer 1.1.1.3 enable
peer 1.1.1.4 enable
#
ipv6-family unicast
undo synchronization
import-route static route-policy STATIC-to-BGP
peer 2001:F60::3 enable
peer 2001:F60::4 enable
#
ospf 1 router-id 1.1.1.106
bfd all-interfaces enable
opaque-capability enable
graceful-restart
area 1.1.1.104
stub no-summary
#
route-policy STATIC-to-BGP permit node 10
if-match tag 6000
#
route-policy STATIC-to-BGP permit node 20
if-match tag 6001
#
route-policy STATIC-to-BGP deny node 30
#
return


Aggregation switch stack S5731-H-5


#
sysname S5731-H-5
#
vcmp role silent
#
vlan batch 2401 to 2402 2601 to 2605
#
stp disable
#
bfd
#
mpls lsr-id 1.1.1.107
mpls
#
mpls l2vpn
#
vsi v2 static
pwsignal ldp
vsi-id 1035
peer 1.1.1.9
#
mpls ldp
longest-match
md5-password cipher all %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
mpls ldp remote-peer 1.1.1.10
remote-ip 1.1.1.10
#
interface Vlanif2401
ip address 1.1.1.214 255.255.255.252
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif2402
ip address 1.1.1.222 255.255.255.252
ospf authentication-mode md5 1 cipher %^%#^3hAD4{>*9Tof;&4U1.0Up#B'7=%G6Cfs5YT1iV;%^%#
ospf network-type p2p
ospf enable 1 area 1.1.1.104
mpls
mpls ldp
#
interface Vlanif2601
ip address 2.2.1.113 255.255.255.240
#
interface Vlanif2602
ip address 2.2.2.113 255.255.255.240
#
interface Vlanif2603
ip address 2.2.3.117 255.255.255.252
#
interface Vlanif2604
ip address 2.2.4.25 255.255.255.252
#
interface Vlanif2605
ip address 2.2.5.109 255.255.255.252
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2601 to 2605
mode lacp
#
interface Eth-Trunk1.1035
qinq stacking vid 3400 to 3999 pe-vid 1035
l2 binding vsi v2
#
interface Eth-Trunk101
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2401
mode lacp
#
interface Eth-Trunk102
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2402
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/4
eth-trunk 101
#
interface XGigabitEthernet1/0/4
eth-trunk 102
#
interface LoopBack0
ip address 1.1.1.107 255.255.255.255
ospf enable 1 area 1.1.1.104
#
bgp 64700
router-id 1.1.1.107
peer 1.1.1.3 as-number 64700
peer 1.1.1.3 connect-interface LoopBack0
peer 1.1.1.3 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 1.1.1.4 as-number 64700
peer 1.1.1.4 connect-interface LoopBack0
peer 1.1.1.4 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
import-route static route-policy STATIC-to-BGP
peer 1.1.1.3 enable
peer 1.1.1.4 enable
#
ospf 1 router-id 1.1.1.107
bfd all-interfaces enable
opaque-capability enable
graceful-restart
area 1.1.1.104
stub no-summary
#
route-policy STATIC-to-BGP permit node 10
if-match tag 647000
#
route-policy STATIC-to-BGP permit node 20
if-match tag 647001
#
route-policy STATIC-to-BGP deny node 30
#
return


9.5 ISP Network Deployment for Integrated Access in Large Enterprises

9.5.1 Application Scenario and Service Requirements


Application Scenario
This example is applicable to the integrated Internet Service Provider (ISP)
network access of large enterprises that require high bandwidth and high
reliability.

Service Requirements
Large enterprises are usually connected to the backbone area of an ISP network.
ISPs can provide the following access services for large enterprise customers:
● Private line access for content service providers
● Internet access for data centers of large enterprises
● Internet access for users on enterprise campus networks
This scenario has the following characteristics:
● A large number of routes
● Flexible routing policies
● High access bandwidth
In most cases, enterprises have the following service requirements on the ISP
backbone network:
● Access requirements
Provide wired access for IPv4/IPv6 dual-stack services.
Provide high-bandwidth access and multi-gigabit access, such as 10 Gbit/s
and 1 Gbit/s, for different types of users.
● Route control requirements
Meet flexible route forwarding requirements.
Control route advertisement and import based on routing policies.
Control traffic routes through explicit paths of traffic engineering (TE)
tunnels.
● Reliability requirements
Ensure bandwidth using multiple egress links.
Ensure high reliability and service continuity for important services such as
enterprise private line services.
Provide backup functions for key network nodes to ensure reliable
transmission of data services.
Shorten the service interruption time as much as possible to ensure user
experience upon an intermittent link disconnection or a device fault.


● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Meet security compliance requirements.
Control user access to ensure network security.

9.5.2 Solution Design


Networking Diagram
Figure 9-29 shows the networking diagram for integrated access of large
enterprises in a project.

Figure 9-29 Networking diagram for integrated access of large enterprises

[Figure 9-29 shows the topology from top to bottom: Internet; Router; RR1 and RR2; P1 and P2; PE1 and PE2 (S12700E-8); SW1 and SW2 (S5735-L); Enterprise 1 behind SW1 and Enterprise 2 behind SW2. The devices are interconnected over Eth-Trunk 0 to Eth-Trunk 5; Table 9-39 lists which Eth-Trunk on each device faces which neighbor.]


Network Design Analysis


● Access requirements
S12700E-8 switches equipped with X2H and X1E cards function as PE devices,
and are connected to upstream P devices at the core layer and downstream
Layer 3 switches (SW1 and SW2).
The PE devices can provide two networking modes for enterprises:
– For small-scale enterprises (such as enterprise 2 in Figure 9-29), the PE
devices function as user gateways. S5735-L switches function as Layer 2
aggregation devices and are dual-homed to S12700E-8 switches through
the Virtual Router Redundancy Protocol (VRRP).
– For large-scale enterprises (such as enterprise 1 in Figure 9-29), S5735-L
aggregation switches function as user gateways and establish External
Border Gateway Protocol (EBGP) peer relationships with the PE devices.
S12700E-8 switches learn the routes of downstream devices through
EBGP and advertise routes of upstream devices to downstream devices.
● Route control requirements
The PE devices, P devices, and Router communicate with each other through
the Open Shortest Path First (OSPF) protocol. RR1 and RR2 are route
reflectors (RRs) and work in active/standby mode. The PE devices establish
Internal Border Gateway Protocol (IBGP) peer relationships with the active
and standby RRs to receive and forward routes.
Multiprotocol Label Switching Traffic Engineering (MPLS TE) tunnels are
established between the PE devices, P devices, and Router, and explicit paths
are also deployed to implement traffic control.
● Reliability requirements
– MPLS TE tunnels are established between the PE devices, P devices, and
Router in the core area. MPLS TE tunnels work in active/standby mode
and each tunnel is configured with active and standby paths.
– S12700E-8 switches are dual-homed to the two P devices working in
active/standby mode to ensure device-level reliability.
– Eth-Trunks in Link Aggregation Control Protocol (LACP) mode are
configured on interconnected interfaces of devices to ensure link-level
reliability.
– OSPF graceful restart (GR) and BGP GR are enabled to avoid traffic
interruption and route flapping caused by an active/standby switchover.
● Security requirements
– Message-digest algorithm 5 (MD5) authentication is enabled on OSPFv2-
enabled interfaces and Internet Protocol Security (IPSec) is enabled in the
OSPFv3 process.
– Password authentication is configured for MPLS Resource Reservation
Protocol (RSVP) TE tunnels.
– IBGP peer relationships are established through loopback interfaces and
password authentication is enabled.

Device Requirements and Versions


Table 9-37 lists the products and their software versions used in this example.


Table 9-37 Products and their software versions

Product   | Software Version
S12700E-8 | V200R019C10SPC500 + latest patch
S5735-L   | V200R019C10SPC500 + latest patch

In this example, S12700E series switches are used as P devices, RRs, and Router.

9.5.3 Deployment Roadmap and Data Plan

Deployment Roadmap
The configuration roadmap is as follows:

1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. Configure OSPF between PE devices, P devices, Router, and RRs. Configure
BGP, and configure PE devices, P devices, and Router to establish IBGP peer
relationships with RRs.
3. Enable MD5 authentication on OSPF-enabled interfaces, and configure BGP
peers to perform MD5 authentication when establishing TCP connections.
4. Enable MPLS and MPLS RSVP on PE devices, P devices, and Router, and
establish TE tunnels between PE devices and Router.

Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.

Table 9-38 VLAN plan

Device | Data     | Description
SW1    | VLAN 300 | VLAN to which the interface connected to enterprise 1 belongs
SW2    | VLAN 100 | VLAN to which the interfaces connected to PE devices belong
SW2    | VLAN 200 | VLAN to which the interface connected to enterprise 2 belongs

Table 9-39 Interface and IP address plan

Device | Interface Number | VLAN to Which the Interface Belongs | IP Address | Description
PE1    | Eth-Trunk 0 | -   | 1.1.1.2/30, 2001:0:0:4D9::2/64      | Interface connected to P1
PE1    | Eth-Trunk 1 | -   | 1.1.1.10/30, 2001:0:0:4DB::2/64     | Interface connected to P2
PE1    | Eth-Trunk 2 | -   | 2.2.2.205/30                        | Interface connected to SW1
PE1    | Eth-Trunk 3 | -   | 3.3.3.114/29, virtual-ip: 3.3.3.113 | Interface connected to SW2
PE1    | Loopback 0  | -   | 4.4.4.143/32, 2001::149/128         | -
PE2    | Eth-Trunk 0 | -   | 1.1.1.6/30, 2001:0:0:4DA::2/64      | Interface connected to P1
PE2    | Eth-Trunk 1 | -   | 1.1.1.14/30, 2001:0:0:4DC::2/64     | Interface connected to P2
PE2    | Eth-Trunk 2 | -   | 2.2.2.253/30                        | Interface connected to SW1
PE2    | Eth-Trunk 3 | -   | 3.3.3.115/29, virtual-ip: 3.3.3.113 | Interface connected to SW2
PE2    | Loopback 0  | -   | 4.4.4.144/32, 2001::14A/128         | -
P1     | Eth-Trunk 0 | -   | 1.1.1.1/30, 2001:0:0:4D9::1/64      | Interface connected to PE1
P1     | Eth-Trunk 1 | -   | 1.1.1.5/30, 2001:0:0:4DA::1/64      | Interface connected to PE2
P1     | Eth-Trunk 2 | -   | 1.1.2.9/30, 2001:0:0:4D8::1/64      | Interface connected to P2
P1     | Eth-Trunk 3 | -   | 1.1.2.233/30, 2001:0:0:4D7::1/64    | Interface connected to RR1
P1     | Eth-Trunk 4 | -   | 1.1.2.189/30, 2001:0:0:4E2::1/64    | Interface connected to RR2
P1     | Eth-Trunk 5 | -   | 1.1.2.225/30, 2001:0:0:4D5::1/64    | Interface connected to Router
P1     | Loopback 0  | -   | 4.4.4.1/32, 2001::21/128            | -
P2     | Eth-Trunk 0 | -   | 1.1.1.9/30, 2001:0:0:4DB::1/64      | Interface connected to PE1
P2     | Eth-Trunk 1 | -   | 1.1.1.13/30, 2001:0:0:4DC::1/64     | Interface connected to PE2
P2     | Eth-Trunk 2 | -   | 1.1.2.10/30, 2001:0:0:4D8::2/64     | Interface connected to P1
P2     | Eth-Trunk 3 | -   | 1.1.2.237/30, 2001:0:0:4D6::1/64    | Interface connected to RR1
P2     | Eth-Trunk 4 | -   | 1.1.2.193/30, 2001:0:0:4E1::1/64    | Interface connected to RR2
P2     | Eth-Trunk 5 | -   | 1.1.2.229/30, 2001:0:0:4D4::1/64    | Interface connected to Router
P2     | Loopback 0  | -   | 4.4.4.2/32, 2001::22/128            | -
Router | Eth-Trunk 0 | -   | 1.1.2.226/30, 2001:0:0:4D5::2/64    | Interface connected to P1
Router | Eth-Trunk 1 | -   | 1.1.2.230/30, 2001:0:0:4D4::2/64    | Interface connected to P2
Router | Loopback 0  | -   | 4.4.4.39/32, 2001::31/128           | -
RR1    | Eth-Trunk 0 | -   | 1.1.2.234/30, 2001:0:0:4D7::2/64    | Interface connected to P1
RR1    | Eth-Trunk 1 | -   | 1.1.2.238/30, 2001:0:0:4D6::2/64    | Interface connected to P2
RR1    | Loopback 0  | -   | 4.4.4.27/32, 2001::15/128           | -
RR2    | Eth-Trunk 0 | -   | 1.1.2.190/30, 2001:0:0:4E2::2/64    | Interface connected to P1
RR2    | Eth-Trunk 1 | -   | 1.1.2.194/30, 2001:0:0:4E1::2/64    | Interface connected to P2
RR2    | Loopback 0  | -   | 4.4.4.28/32, 2001::16/128           | -
SW1    | Eth-Trunk 0 | -   | 2.2.2.206/30                        | Interface connected to PE1
SW1    | Eth-Trunk 1 | -   | 2.2.2.254/30                        | Interface connected to PE2
SW1    | Eth-Trunk 2 | 300 | VLANIF 300: 5.5.5.1/24              | Interface connected to enterprise 1
SW2    | Eth-Trunk 0 | 100 | VLANIF 100: 3.3.3.116/29            | Interface connected to PE1
SW2    | Eth-Trunk 1 | 100 | VLANIF 100: 3.3.3.116/29            | Interface connected to PE2
SW2    | Eth-Trunk 2 | 200 | VLANIF 200: 6.6.6.1/24              | Interface connected to enterprise 2

9.5.4 Deployment Procedure

9.5.4.1 Configuring PE1


Step 1 Configure VLANs and IP addresses for interfaces.
# Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<PE1> system-view
[PE1] ipv6
[PE1] interface Eth-Trunk 0
[PE1-Eth-Trunk0] undo portswitch
[PE1-Eth-Trunk0] description To_P1
[PE1-Eth-Trunk0] ip address 1.1.1.2 255.255.255.252
[PE1-Eth-Trunk0] ipv6 enable
[PE1-Eth-Trunk0] ipv6 address 2001:0:0:4D9::2/64
[PE1-Eth-Trunk0] mode lacp
[PE1-Eth-Trunk0] quit
[PE1] interface XGigabitEthernet 1/0/0
[PE1-XGigabitEthernet1/0/0] eth-trunk 0
[PE1-XGigabitEthernet1/0/0] quit
[PE1] interface XGigabitEthernet 2/0/0
[PE1-XGigabitEthernet2/0/0] eth-trunk 0
[PE1-XGigabitEthernet2/0/0] quit

# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[PE1] interface Eth-Trunk 1
[PE1-Eth-Trunk1] undo portswitch
[PE1-Eth-Trunk1] description To_P2
[PE1-Eth-Trunk1] ip address 1.1.1.10 255.255.255.252
[PE1-Eth-Trunk1] ipv6 enable
[PE1-Eth-Trunk1] ipv6 address 2001:0:0:4DB::2/64
[PE1-Eth-Trunk1] mode lacp
[PE1-Eth-Trunk1] quit
[PE1] interface XGigabitEthernet 1/0/1
[PE1-XGigabitEthernet1/0/1] eth-trunk 1
[PE1-XGigabitEthernet1/0/1] quit
[PE1] interface XGigabitEthernet 2/0/1
[PE1-XGigabitEthernet2/0/1] eth-trunk 1
[PE1-XGigabitEthernet2/0/1] quit

# Create Eth-Trunk 2 and configure its IPv4 address. Enable LACP, and add
XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
[PE1] interface Eth-Trunk 2
[PE1-Eth-Trunk2] undo portswitch
[PE1-Eth-Trunk2] description To_SW1
[PE1-Eth-Trunk2] ip address 2.2.2.205 255.255.255.252
[PE1-Eth-Trunk2] mode lacp
[PE1-Eth-Trunk2] quit
[PE1] interface XGigabitEthernet 3/0/0
[PE1-XGigabitEthernet3/0/0] eth-trunk 2
[PE1-XGigabitEthernet3/0/0] quit
[PE1] interface XGigabitEthernet 4/0/0
[PE1-XGigabitEthernet4/0/0] eth-trunk 2
[PE1-XGigabitEthernet4/0/0] quit

# Create Eth-Trunk 3 and configure its IPv4 address. Enable LACP, and add
XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[PE1] interface Eth-Trunk 3
[PE1-Eth-Trunk3] undo portswitch
[PE1-Eth-Trunk3] description To_SW2
[PE1-Eth-Trunk3] ip address 3.3.3.114 255.255.255.248
[PE1-Eth-Trunk3] mode lacp
[PE1-Eth-Trunk3] quit
[PE1] interface XGigabitEthernet 3/0/1
[PE1-XGigabitEthernet3/0/1] eth-trunk 3
[PE1-XGigabitEthernet3/0/1] quit
[PE1] interface XGigabitEthernet 4/0/1
[PE1-XGigabitEthernet4/0/1] eth-trunk 3
[PE1-XGigabitEthernet4/0/1] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[PE1] interface LoopBack 0
[PE1-LoopBack0] ip address 4.4.4.143 255.255.255.255
[PE1-LoopBack0] ipv6 enable
[PE1-LoopBack0] ipv6 address 2001::149/128
[PE1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3.


# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[PE1] ospf 1 router-id 4.4.4.143
[PE1-ospf-1] silent-interface all
[PE1-ospf-1] undo silent-interface Eth-Trunk0
[PE1-ospf-1] undo silent-interface Eth-Trunk1
[PE1-ospf-1] preference 80
[PE1-ospf-1] opaque-capability enable
[PE1-ospf-1] graceful-restart
[PE1-ospf-1] bandwidth-reference 1000000
[PE1-ospf-1] enable traffic-adjustment
[PE1-ospf-1] area 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[PE1-ospf-1-area-0.0.0.0] mpls-te enable
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure an IPSec proposal and a security association (SA).


[PE1] ipsec proposal ah-md5
[PE1-ipsec-proposal-ah-md5] encapsulation-mode transport
[PE1-ipsec-proposal-ah-md5] transform ah
[PE1-ipsec-proposal-ah-md5] ah authentication-algorithm md5
[PE1-ipsec-proposal-ah-md5] quit
[PE1] ipsec sa ospfv3-sa
[PE1-ipsec-sa-ospfv3-sa] proposal ah-md5
[PE1-ipsec-sa-ospfv3-sa] sa spi inbound ah 256
[PE1-ipsec-sa-ospfv3-sa] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[PE1-ipsec-sa-ospfv3-sa] sa spi outbound ah 256
[PE1-ipsec-sa-ospfv3-sa] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[PE1-ipsec-sa-ospfv3-sa] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[PE1] ospfv3 1
[PE1-ospfv3-1] router-id 4.4.4.143
[PE1-ospfv3-1] bandwidth-reference 1000000
[PE1-ospfv3-1] graceful-restart
[PE1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.


[PE1] interface LoopBack 0
[PE1-LoopBack0] ospf enable 1 area 0.0.0.0
[PE1-LoopBack0] ospfv3 1 area 0.0.0.0
[PE1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[PE1] interface Eth-Trunk 0
[PE1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk0] ospf network-type p2p
[PE1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[PE1-Eth-Trunk0] ospfv3 network-type p2p
[PE1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[PE1-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[PE1] interface Eth-Trunk 1
[PE1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk1] ospf network-type p2p
[PE1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[PE1-Eth-Trunk1] ospfv3 network-type p2p
[PE1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[PE1-Eth-Trunk1] quit

# Enable OSPFv2 on Eth-Trunk 2 and set the network type to P2P.


[PE1] interface Eth-Trunk 2
[PE1-Eth-Trunk2] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk2] ospf network-type p2p
[PE1-Eth-Trunk2] quit

# Enable OSPFv2 on Eth-Trunk 3.


[PE1] interface Eth-Trunk 3
[PE1-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk3] quit

Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of PE1.
# Configure MPLS RSVP-TE and enable MPLS globally.
[PE1] mpls lsr-id 4.4.4.143
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls rsvp-te hello
[PE1-mpls] mpls rsvp-te srefresh
[PE1-mpls] quit

# Establish RSVP peer relationships and enable MD5 authentication.


[PE1] mpls rsvp-te peer 1.1.1.1
[PE1-mpls-rsvp-te-peer-1.1.1.1] mpls rsvp-te authentication cipher huawei@123
[PE1-mpls-rsvp-te-peer-1.1.1.1] quit
[PE1] mpls rsvp-te peer 1.1.1.9
[PE1-mpls-rsvp-te-peer-1.1.1.9] mpls rsvp-te authentication cipher huawei@123
[PE1-mpls-rsvp-te-peer-1.1.1.9] quit

# Enable MPLS and RSVP-TE on the Layer 3 interfaces of PE1 connected to the P devices.


[PE1] interface Eth-Trunk 0
[PE1-Eth-Trunk0] mpls
[PE1-Eth-Trunk0] mpls te
[PE1-Eth-Trunk0] mpls rsvp-te
[PE1-Eth-Trunk0] mpls rsvp-te hello
[PE1-Eth-Trunk0] quit
[PE1] interface Eth-Trunk 1
[PE1-Eth-Trunk1] mpls
[PE1-Eth-Trunk1] mpls te
[PE1-Eth-Trunk1] mpls rsvp-te
[PE1-Eth-Trunk1] mpls rsvp-te hello
[PE1-Eth-Trunk1] quit

Step 4 Configure TE tunnels and their explicit paths.


# Configure explicit paths for TE tunnels.
[PE1] explicit-path TO-P1-1
[PE1-explicit-path-TO-P1-1] next hop 1.1.1.1
[PE1-explicit-path-TO-P1-1] quit
[PE1] explicit-path TO-P1-2
[PE1-explicit-path-TO-P1-2] next hop 1.1.1.9
[PE1-explicit-path-TO-P1-2] next hop 1.1.2.9
[PE1-explicit-path-TO-P1-2] quit
[PE1] explicit-path TO-P2-1
[PE1-explicit-path-TO-P2-1] next hop 1.1.1.9
[PE1-explicit-path-TO-P2-1] quit
[PE1] explicit-path TO-P2-2
[PE1-explicit-path-TO-P2-2] next hop 1.1.1.1
[PE1-explicit-path-TO-P2-2] next hop 1.1.2.10
[PE1-explicit-path-TO-P2-2] quit
[PE1] explicit-path TO-PE2-1
[PE1-explicit-path-TO-PE2-1] next hop 1.1.1.1
[PE1-explicit-path-TO-PE2-1] next hop 1.1.1.6
[PE1-explicit-path-TO-PE2-1] quit
[PE1] explicit-path TO-PE2-2
[PE1-explicit-path-TO-PE2-2] next hop 1.1.1.9
[PE1-explicit-path-TO-PE2-2] next hop 1.1.1.14
[PE1-explicit-path-TO-PE2-2] quit
[PE1] explicit-path TO-ROUTER-1
[PE1-explicit-path-TO-ROUTER-1] next hop 1.1.1.1
[PE1-explicit-path-TO-ROUTER-1] next hop 1.1.2.226
[PE1-explicit-path-TO-ROUTER-1] quit
[PE1] explicit-path TO-ROUTER-2
[PE1-explicit-path-TO-ROUTER-2] next hop 1.1.1.9
[PE1-explicit-path-TO-ROUTER-2] next hop 1.1.2.230
[PE1-explicit-path-TO-ROUTER-2] quit

# Configure TE tunnels.
[PE1] interface Tunnel1
[PE1-Tunnel1] ip address unnumbered interface LoopBack0
[PE1-Tunnel1] tunnel-protocol mpls te
[PE1-Tunnel1] destination 4.4.4.1
[PE1-Tunnel1] mpls te tunnel-id 1
[PE1-Tunnel1] mpls te signalled tunnel-name pe1->P1-1
[PE1-Tunnel1] mpls te record-route label
[PE1-Tunnel1] mpls te path explicit-path TO-P1-1
[PE1-Tunnel1] mpls te path explicit-path TO-P1-2 secondary
[PE1-Tunnel1] mpls te backup hot-standby
[PE1-Tunnel1] mpls te igp shortcut ospf
[PE1-Tunnel1] mpls te igp metric absolute 10
[PE1-Tunnel1] mpls te reserved-for-binding
[PE1-Tunnel1] ospf enable 1 area 0.0.0.0
[PE1-Tunnel1] mpls
[PE1-Tunnel1] mpls te commit
[PE1-Tunnel1] quit
[PE1] interface Tunnel2
[PE1-Tunnel2] ip address unnumbered interface LoopBack0
[PE1-Tunnel2] tunnel-protocol mpls te
[PE1-Tunnel2] destination 4.4.4.2
[PE1-Tunnel2] mpls te tunnel-id 2
[PE1-Tunnel2] mpls te signalled tunnel-name pe1->P2-1
[PE1-Tunnel2] mpls te record-route label
[PE1-Tunnel2] mpls te path explicit-path TO-P2-1
[PE1-Tunnel2] mpls te path explicit-path TO-P2-2 secondary
[PE1-Tunnel2] mpls te backup hot-standby
[PE1-Tunnel2] mpls te igp shortcut ospf
[PE1-Tunnel2] mpls te igp metric absolute 10
[PE1-Tunnel2] mpls te reserved-for-binding
[PE1-Tunnel2] ospf enable 1 area 0.0.0.0
[PE1-Tunnel2] mpls
[PE1-Tunnel2] mpls te commit
[PE1-Tunnel2] quit
[PE1] interface Tunnel3
[PE1-Tunnel3] ip address unnumbered interface LoopBack0
[PE1-Tunnel3] tunnel-protocol mpls te
[PE1-Tunnel3] destination 4.4.4.39
[PE1-Tunnel3] mpls te tunnel-id 19
[PE1-Tunnel3] mpls te signalled tunnel-name pe1->router-1
[PE1-Tunnel3] mpls te record-route label
[PE1-Tunnel3] mpls te path explicit-path TO-ROUTER-1
[PE1-Tunnel3] mpls te path explicit-path TO-ROUTER-2 secondary
[PE1-Tunnel3] mpls te backup hot-standby
[PE1-Tunnel3] mpls te igp shortcut ospf
[PE1-Tunnel3] mpls te igp metric absolute 10
[PE1-Tunnel3] mpls te reserved-for-binding
[PE1-Tunnel3] ospf enable 1 area 0.0.0.0
[PE1-Tunnel3] mpls
[PE1-Tunnel3] mpls te commit
[PE1-Tunnel3] quit
[PE1] interface Tunnel4
[PE1-Tunnel4] ip address unnumbered interface LoopBack0
[PE1-Tunnel4] tunnel-protocol mpls te
[PE1-Tunnel4] destination 4.4.4.39
[PE1-Tunnel4] mpls te tunnel-id 20
[PE1-Tunnel4] mpls te signalled tunnel-name pe1->router-2
[PE1-Tunnel4] mpls te record-route label
[PE1-Tunnel4] mpls te path explicit-path TO-ROUTER-2
[PE1-Tunnel4] mpls te path explicit-path TO-ROUTER-1 secondary
[PE1-Tunnel4] mpls te backup hot-standby
[PE1-Tunnel4] mpls te igp shortcut ospf
[PE1-Tunnel4] mpls te igp metric absolute 10
[PE1-Tunnel4] mpls te reserved-for-binding
[PE1-Tunnel4] ospf enable 1 area 0.0.0.0
[PE1-Tunnel4] mpls
[PE1-Tunnel4] mpls te commit
[PE1-Tunnel4] quit
[PE1] interface Tunnel5
[PE1-Tunnel5] ip address unnumbered interface LoopBack0
[PE1-Tunnel5] tunnel-protocol mpls te
[PE1-Tunnel5] destination 4.4.4.144
[PE1-Tunnel5] mpls te tunnel-id 69
[PE1-Tunnel5] mpls te signalled tunnel-name pe1->pe2-1
[PE1-Tunnel5] mpls te record-route label
[PE1-Tunnel5] mpls te path explicit-path TO-PE2-1
[PE1-Tunnel5] mpls te path explicit-path TO-PE2-2 secondary
[PE1-Tunnel5] mpls te backup hot-standby
[PE1-Tunnel5] mpls te igp shortcut ospf
[PE1-Tunnel5] mpls te igp metric absolute 10
[PE1-Tunnel5] mpls te reserved-for-binding
[PE1-Tunnel5] ospf enable 1 area 0.0.0.0
[PE1-Tunnel5] mpls
[PE1-Tunnel5] mpls te commit
[PE1-Tunnel5] quit
[PE1] interface Tunnel6
[PE1-Tunnel6] ip address unnumbered interface LoopBack0
[PE1-Tunnel6] tunnel-protocol mpls te
[PE1-Tunnel6] destination 4.4.4.144
[PE1-Tunnel6] mpls te tunnel-id 70
[PE1-Tunnel6] mpls te signalled tunnel-name pe1->pe2-2
[PE1-Tunnel6] mpls te record-route label
[PE1-Tunnel6] mpls te path explicit-path TO-PE2-2
[PE1-Tunnel6] mpls te path explicit-path TO-PE2-1 secondary
[PE1-Tunnel6] mpls te backup hot-standby
[PE1-Tunnel6] mpls te igp shortcut ospf
[PE1-Tunnel6] mpls te igp metric absolute 10
[PE1-Tunnel6] mpls te reserved-for-binding
[PE1-Tunnel6] ospf enable 1 area 0.0.0.0
[PE1-Tunnel6] mpls
[PE1-Tunnel6] mpls te commit
[PE1-Tunnel6] quit
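Each explicit path above is a strict next-hop list, and each tunnel ends at a loopback address, so both can be cross-checked against Table 9-39: every hop must sit on a /30 that the current device has an interface on, and the device reached by the last hop must own the tunnel destination. The following Python script is an added example, not part of this document; it transcribes the IPv4 column of Table 9-39 into the PLAN constant and, as a first step, verifies that every transit /30 has exactly two ends on two different devices. The names PLAN, build_links, check_links, owner_of and validate_explicit_path are the example's own.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_interface

# IPv4 addresses of the core devices, transcribed from Table 9-39.
PLAN = [
    ("PE1", "Eth-Trunk0", "1.1.1.2/30"), ("PE1", "Eth-Trunk1", "1.1.1.10/30"),
    ("PE1", "LoopBack0", "4.4.4.143/32"),
    ("PE2", "Eth-Trunk0", "1.1.1.6/30"), ("PE2", "Eth-Trunk1", "1.1.1.14/30"),
    ("PE2", "LoopBack0", "4.4.4.144/32"),
    ("P1", "Eth-Trunk0", "1.1.1.1/30"), ("P1", "Eth-Trunk1", "1.1.1.5/30"),
    ("P1", "Eth-Trunk2", "1.1.2.9/30"), ("P1", "Eth-Trunk3", "1.1.2.233/30"),
    ("P1", "Eth-Trunk4", "1.1.2.189/30"), ("P1", "Eth-Trunk5", "1.1.2.225/30"),
    ("P1", "LoopBack0", "4.4.4.1/32"),
    ("P2", "Eth-Trunk0", "1.1.1.9/30"), ("P2", "Eth-Trunk1", "1.1.1.13/30"),
    ("P2", "Eth-Trunk2", "1.1.2.10/30"), ("P2", "Eth-Trunk3", "1.1.2.237/30"),
    ("P2", "Eth-Trunk4", "1.1.2.193/30"), ("P2", "Eth-Trunk5", "1.1.2.229/30"),
    ("P2", "LoopBack0", "4.4.4.2/32"),
    ("Router", "Eth-Trunk0", "1.1.2.226/30"), ("Router", "Eth-Trunk1", "1.1.2.230/30"),
    ("Router", "LoopBack0", "4.4.4.39/32"),
    ("RR1", "Eth-Trunk0", "1.1.2.234/30"), ("RR1", "Eth-Trunk1", "1.1.2.238/30"),
    ("RR1", "LoopBack0", "4.4.4.27/32"),
    ("RR2", "Eth-Trunk0", "1.1.2.190/30"), ("RR2", "Eth-Trunk1", "1.1.2.194/30"),
    ("RR2", "LoopBack0", "4.4.4.28/32"),
]


def build_links(plan):
    """Group non-loopback addresses by subnet: {network: [(device, interface, ip)]}."""
    links = defaultdict(list)
    for dev, ifname, addr in plan:
        iface = ip_interface(addr)
        if iface.network.prefixlen < 32:
            links[iface.network].append((dev, ifname, iface.ip))
    return dict(links)


def check_links(plan):
    """Report every transit subnet that does not have exactly two ends on two devices."""
    problems = []
    for net, ends in build_links(plan).items():
        if len(ends) != 2 or len({dev for dev, _, _ in ends}) != 2:
            problems.append(f"{net}: {[(dev, ifname) for dev, ifname, _ in ends]}")
    return problems


def owner_of(plan, address):
    """Device that owns an interface address, or None."""
    target = ip_address(address)
    return next((dev for dev, _, addr in plan if ip_interface(addr).ip == target), None)


def validate_explicit_path(plan, source, hops, destination):
    """Walk a strict explicit path hop by hop. Each next hop must lie on a subnet
    the current device has an interface on, and the device reached by the last
    hop must own the tunnel destination address. Returns (ok, reason)."""
    links = build_links(plan)
    current = source
    for hop in hops:
        hop_ip = ip_address(hop)
        net = next((n for n in links if hop_ip in n), None)
        if net is None:
            return False, f"{hop} is not on any planned link"
        if current not in {dev for dev, _, _ in links[net]}:
            return False, f"{current} has no interface on {net}, cannot reach {hop}"
        nxt = owner_of(plan, hop)
        if nxt is None or nxt == current:
            return False, f"{hop} is not owned by a neighbour of {current}"
        current = nxt
    dest = owner_of(plan, destination)
    if current != dest:
        return False, f"path ends on {current}, but {destination} belongs to {dest}"
    return True, f"{source} -> {' -> '.join(hops)} reaches {dest}"


if __name__ == "__main__":
    print(check_links(PLAN))
    print(validate_explicit_path(PLAN, "PE1", ["1.1.1.9", "1.1.2.9"], "4.4.4.1"))  # TO-P1-2
    print(validate_explicit_path(PLAN, "PE1", ["1.1.1.6"], "4.4.4.144"))           # first hop missing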

Step 5 Configure BGP and BGP4+, and configure PE1 to establish IBGP peer relationships
with RR1 and RR2 and establish an EBGP peer relationship with SW1.
# Start the BGP process and configure BGP peers.
[PE1] bgp 2519
[PE1-bgp] router-id 4.4.4.143
[PE1-bgp] graceful-restart
[PE1-bgp] group IPv6-PRIVATEAS_CUSTOMER external
[PE1-bgp] group PRIVATEAS_CUSTOMER external
[PE1-bgp] peer 2.2.2.206 as-number 64901
[PE1-bgp] peer 2.2.2.206 group PRIVATEAS_CUSTOMER
[PE1-bgp] peer 2.2.2.206 password cipher huawei@123
[PE1-bgp] group iBGP internal
[PE1-bgp] peer iBGP connect-interface LoopBack0
[PE1-bgp] peer 4.4.4.27 as-number 2519
[PE1-bgp] peer 4.4.4.27 group iBGP
[PE1-bgp] peer 4.4.4.27 password cipher huawei@123
[PE1-bgp] peer 4.4.4.28 as-number 2519
[PE1-bgp] peer 4.4.4.28 group iBGP
[PE1-bgp] peer 4.4.4.28 password cipher huawei@123
[PE1-bgp] peer 2001::15 as-number 2519
[PE1-bgp] peer 2001::15 group iBGP
[PE1-bgp] peer 2001::15 password cipher huawei@123
[PE1-bgp] peer 2001::16 as-number 2519
[PE1-bgp] peer 2001::16 group iBGP
[PE1-bgp] peer 2001::16 password cipher huawei@123
[PE1-bgp] ipv4-family unicast
[PE1-bgp-af-ipv4] undo synchronization
[PE1-bgp-af-ipv4] preference 170 170 130
[PE1-bgp-af-ipv4] peer PRIVATEAS_CUSTOMER advertise-community
[PE1-bgp-af-ipv4] peer iBGP next-hop-local
[PE1-bgp-af-ipv4] peer iBGP advertise-community
[PE1-bgp-af-ipv4] quit

# Configure BGP4+ peers.


[PE1-bgp] ipv6-family unicast
[PE1-bgp-af-ipv6] undo synchronization
[PE1-bgp-af-ipv6] preference 170 170 130
[PE1-bgp-af-ipv6] peer IPv6-PRIVATEAS_CUSTOMER enable
[PE1-bgp-af-ipv6] peer IPv6-PRIVATEAS_CUSTOMER advertise-community
[PE1-bgp-af-ipv6] peer iBGP enable
[PE1-bgp-af-ipv6] peer iBGP next-hop-local
[PE1-bgp-af-ipv6] peer iBGP advertise-community
[PE1-bgp-af-ipv6] peer 2001::15 enable
[PE1-bgp-af-ipv6] peer 2001::15 group iBGP
[PE1-bgp-af-ipv6] peer 2001::16 enable
[PE1-bgp-af-ipv6] peer 2001::16 group iBGP
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit

# Configure BGP routing policies so that only the default route is advertised to
enterprises. Configure a routing policy to import static routes to the BGP routing table.
[PE1] ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
[PE1] route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT permit node 100
[PE1-route-policy] if-match ip-prefix DEFAULT-ROUTE
[PE1-route-policy] apply community no-export
[PE1-route-policy] quit
[PE1] route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT deny node 200
[PE1-route-policy] quit
[PE1] route-policy DENY-ANY_ROUTE-OUT deny node 100
[PE1-route-policy] quit
[PE1] route-policy STATIC-to-BGP permit node 200
[PE1-route-policy] if-match tag 2519
[PE1-route-policy] apply local-preference 10000
[PE1-route-policy] apply origin igp
[PE1-route-policy] apply community 2519:1
[PE1-route-policy] quit
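The effect of these policies follows from how VRP evaluates a route-policy: nodes are tried in ascending order, the first node whose if-match clauses all hold decides (permit applies its apply clauses, deny drops the route), and a route that matches no node is denied. The following Python script is an added example, not part of this document; it transcribes the three policies above and the DEFAULT-ROUTE prefix list into data and evaluates them with those rules. Route, PREFIX_LISTS, prefix_match, clause_holds and apply_policy are the example's own names, and the Route fields are a deliberately small subset of BGP attributes.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_network


@dataclass
class Route:
    prefix: str
    tag: int = 0
    local_pref: int = 100
    origin: str = "incomplete"
    communities: list = field(default_factory=list)


# ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0: without greater-equal /
# less-equal an entry matches only that exact prefix and prefix length.
PREFIX_LISTS = {"DEFAULT-ROUTE": [(ip_network("0.0.0.0/0"), 0, 0)]}

# Route-policies transcribed from the configuration above.
PRIVATEAS_CUSTOMER_DEFAULT_OUT = [
    {"node": 100, "action": "permit", "match": [("ip-prefix", "DEFAULT-ROUTE")],
     "apply": [("community", "no-export")]},
    {"node": 200, "action": "deny"},
]
DENY_ANY_ROUTE_OUT = [{"node": 100, "action": "deny"}]
STATIC_TO_BGP = [
    {"node": 200, "action": "permit", "match": [("tag", 2519)],
     "apply": [("local-preference", 10000), ("origin", "igp"), ("community", "2519:1")]},
]


def prefix_match(list_name, route):
    net = ip_network(route.prefix)
    return any(net.subnet_of(entry) and ge <= net.prefixlen <= le
               for entry, ge, le in PREFIX_LISTS[list_name])


def clause_holds(clause, route):
    kind, value = clause
    if kind == "ip-prefix":
        return prefix_match(value, route)
    if kind == "tag":
        return route.tag == value
    raise ValueError(f"unsupported if-match {kind}")


def apply_policy(policy, route):
    """Return the (possibly modified) route if permitted, None if denied."""
    for node in sorted(policy, key=lambda n: n["node"]):
        if not all(clause_holds(c, route) for c in node.get("match", [])):
            continue                      # no match: fall through to the next node
        if node["action"] == "deny":
            return None
        out = replace(route)
        for kind, value in node.get("apply", []):
            if kind == "community":       # without 'additive' the community is replaced
                out.communities = [value]
            elif kind == "local-preference":
                out.local_pref = value
            elif kind == "origin":
                out.origin = value
        return out
    return None                           # implicit deny at the end of the policy
```

With these rules, STATIC-to-BGP admits only routes tagged 2519 (such as the static route to 6.6.6.0/24 in Step 6) and stamps them with local-preference 10000, origin igp and community 2519:1; PRIVATEAS_CUSTOMER-DEFAULT-OUT lets exactly 0.0.0.0/0 through, marked no-export, and drops everything else, including 0.0.0.0/8, because the prefix list has no length range; DENY-ANY_ROUTE-OUT denies every route.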

# Apply the BGP routing policies.


[PE1] bgp 2519
[PE1-bgp] ipv4-family unicast
[PE1-bgp-af-ipv4] import-route static route-policy STATIC-to-BGP
[PE1-bgp-af-ipv4] peer 2.2.2.206 route-policy DENY-ANY_ROUTE-OUT export
[PE1-bgp-af-ipv4] peer 2.2.2.206 default-route-advertise route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT conditional-route-match-any 0.0.0.0 0.0.0.0
[PE1-bgp-af-ipv4] quit
[PE1-bgp] ipv6-family unicast
[PE1-bgp-af-ipv6] import-route static route-policy STATIC-to-BGP
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit

Step 6 Configure VRRP and static routes for access of SW2.


# Configure VRRP on the interface of PE1 connected to SW2.
[PE1] interface Eth-Trunk3
[PE1-Eth-Trunk3] vrrp vrid 1 virtual-ip 3.3.3.113
[PE1-Eth-Trunk3] vrrp vrid 1 priority 150
[PE1-Eth-Trunk3] vrrp vrid 1 preempt-mode timer delay 120
[PE1-Eth-Trunk3] vrrp vrid 1 track interface Eth-Trunk0 reduced 30
[PE1-Eth-Trunk3] vrrp vrid 1 track interface Eth-Trunk1 reduced 30
[PE1-Eth-Trunk3] vrrp vrid 1 authentication-mode md5 ***
[PE1-Eth-Trunk3] ospf cost 10000
[PE1-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk3] quit

# Configure static routes for communication with SW2.


[PE1] ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk 3 3.3.3.116 tag 2519

----End

9.5.4.2 Configuring PE2


Step 1 Configure interfaces connected to devices.
# Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<PE2> system-view
[PE2] ipv6
[PE2] interface Eth-Trunk 0
[PE2-Eth-Trunk0] undo portswitch
[PE2-Eth-Trunk0] description To_P1
[PE2-Eth-Trunk0] ip address 1.1.1.6 255.255.255.252
[PE2-Eth-Trunk0] ipv6 enable
[PE2-Eth-Trunk0] ipv6 address 2001:0:0:4DA::2/64
[PE2-Eth-Trunk0] mode lacp
[PE2-Eth-Trunk0] quit
[PE2] interface XGigabitEthernet 1/0/0
[PE2-XGigabitEthernet1/0/0] eth-trunk 0
[PE2-XGigabitEthernet1/0/0] quit
[PE2] interface XGigabitEthernet 2/0/0
[PE2-XGigabitEthernet2/0/0] eth-trunk 0
[PE2-XGigabitEthernet2/0/0] quit

# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[PE2] interface Eth-Trunk 1
[PE2-Eth-Trunk1] undo portswitch
[PE2-Eth-Trunk1] description To_P2
[PE2-Eth-Trunk1] ip address 1.1.1.14 255.255.255.252
[PE2-Eth-Trunk1] ipv6 enable
[PE2-Eth-Trunk1] ipv6 address 2001:0:0:4DC::2/64
[PE2-Eth-Trunk1] mode lacp
[PE2-Eth-Trunk1] quit
[PE2] interface XGigabitEthernet 1/0/1
[PE2-XGigabitEthernet1/0/1] eth-trunk 1
[PE2-XGigabitEthernet1/0/1] quit
[PE2] interface XGigabitEthernet 2/0/1
[PE2-XGigabitEthernet2/0/1] eth-trunk 1
[PE2-XGigabitEthernet2/0/1] quit

# Create Eth-Trunk 2 and configure its IPv4 address. Enable LACP, and add
XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
[PE2] interface Eth-Trunk 2
[PE2-Eth-Trunk2] undo portswitch
[PE2-Eth-Trunk2] description To_SW1
[PE2-Eth-Trunk2] ip address 2.2.2.253 255.255.255.252
[PE2-Eth-Trunk2] mode lacp
[PE2-Eth-Trunk2] quit
[PE2] interface XGigabitEthernet 3/0/0
[PE2-XGigabitEthernet3/0/0] eth-trunk 2
[PE2-XGigabitEthernet3/0/0] quit
[PE2] interface XGigabitEthernet 4/0/0
[PE2-XGigabitEthernet4/0/0] eth-trunk 2
[PE2-XGigabitEthernet4/0/0] quit

# Create Eth-Trunk 3 and configure its IPv4 address. Enable LACP, and add
XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[PE2] interface Eth-Trunk 3
[PE2-Eth-Trunk3] undo portswitch
[PE2-Eth-Trunk3] description To_SW2
[PE2-Eth-Trunk3] ip address 3.3.3.115 255.255.255.248
[PE2-Eth-Trunk3] mode lacp
[PE2-Eth-Trunk3] quit
[PE2] interface XGigabitEthernet 3/0/1
[PE2-XGigabitEthernet3/0/1] eth-trunk 3
[PE2-XGigabitEthernet3/0/1] quit
[PE2] interface XGigabitEthernet 4/0/1
[PE2-XGigabitEthernet4/0/1] eth-trunk 3
[PE2-XGigabitEthernet4/0/1] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[PE2] interface LoopBack 0
[PE2-LoopBack0] ip address 4.4.4.144 255.255.255.255
[PE2-LoopBack0] ipv6 enable
[PE2-LoopBack0] ipv6 address 2001::14A/128
[PE2-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3.


# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[PE2] ospf 1 router-id 4.4.4.144
[PE2-ospf-1] silent-interface all
[PE2-ospf-1] undo silent-interface Eth-Trunk0
[PE2-ospf-1] undo silent-interface Eth-Trunk1
[PE2-ospf-1] preference 80
[PE2-ospf-1] opaque-capability enable
[PE2-ospf-1] graceful-restart
[PE2-ospf-1] bandwidth-reference 1000000
[PE2-ospf-1] enable traffic-adjustment
[PE2-ospf-1] area 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[PE2-ospf-1-area-0.0.0.0] mpls-te enable
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure an IPSec proposal and an SA.


[PE2] ipsec proposal ah-md5
[PE2-ipsec-proposal-ah-md5] encapsulation-mode transport
[PE2-ipsec-proposal-ah-md5] transform ah
[PE2-ipsec-proposal-ah-md5] ah authentication-algorithm md5
[PE2-ipsec-proposal-ah-md5] quit
[PE2] ipsec sa ospfv3-sa
[PE2-ipsec-sa-ospfv3-sa] proposal ah-md5
[PE2-ipsec-sa-ospfv3-sa] sa spi inbound ah 256
[PE2-ipsec-sa-ospfv3-sa] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[PE2-ipsec-sa-ospfv3-sa] sa spi outbound ah 256
[PE2-ipsec-sa-ospfv3-sa] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[PE2-ipsec-sa-ospfv3-sa] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[PE2] ospfv3 1
[PE2-ospfv3-1] router-id 4.4.4.144
[PE2-ospfv3-1] bandwidth-reference 1000000
[PE2-ospfv3-1] graceful-restart
[PE2-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[PE2] interface LoopBack 0
[PE2-LoopBack0] ospf enable 1 area 0.0.0.0
[PE2-LoopBack0] ospfv3 1 area 0.0.0.0
[PE2-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[PE2] interface Eth-Trunk 0
[PE2-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk0] ospf network-type p2p
[PE2-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[PE2-Eth-Trunk0] ospfv3 network-type p2p
[PE2-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[PE2-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[PE2] interface Eth-Trunk 1
[PE2-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk1] ospf network-type p2p
[PE2-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[PE2-Eth-Trunk1] ospfv3 network-type p2p
[PE2-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[PE2-Eth-Trunk1] quit

# Enable OSPFv2 on Eth-Trunk 2 and set the network type to P2P.
[PE2] interface Eth-Trunk 2
[PE2-Eth-Trunk2] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk2] ospf network-type p2p
[PE2-Eth-Trunk2] quit

# Enable OSPFv2 on Eth-Trunk 3.
[PE2] interface Eth-Trunk 3
[PE2-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk3] quit

Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of PE2.
# Configure MPLS RSVP-TE and enable MPLS globally.
[PE2] mpls lsr-id 4.4.4.144
[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] mpls rsvp-te
[PE2-mpls] mpls rsvp-te hello
[PE2-mpls] mpls rsvp-te srefresh
[PE2-mpls] quit

# Establish RSVP peer relationships and enable MD5 authentication.
[PE2] mpls rsvp-te peer 1.1.1.5
[PE2-mpls-rsvp-te-peer-1.1.1.5] mpls rsvp-te authentication cipher huawei@123
[PE2-mpls-rsvp-te-peer-1.1.1.5] quit
[PE2] mpls rsvp-te peer 1.1.1.13
[PE2-mpls-rsvp-te-peer-1.1.1.13] mpls rsvp-te authentication cipher huawei@123
[PE2-mpls-rsvp-te-peer-1.1.1.13] quit

# Enable MPLS and RSVP-TE on Layer 3 interfaces of PE2 connected to P devices.
[PE2] interface Eth-Trunk 0
[PE2-Eth-Trunk0] mpls
[PE2-Eth-Trunk0] mpls te
[PE2-Eth-Trunk0] mpls rsvp-te
[PE2-Eth-Trunk0] mpls rsvp-te hello
[PE2-Eth-Trunk0] quit
[PE2] interface Eth-Trunk 1
[PE2-Eth-Trunk1] mpls
[PE2-Eth-Trunk1] mpls te
[PE2-Eth-Trunk1] mpls rsvp-te
[PE2-Eth-Trunk1] mpls rsvp-te hello
[PE2-Eth-Trunk1] quit

Step 4 Configure TE tunnels and their explicit paths.

# Configure explicit paths for TE tunnels.
[PE2] explicit-path TO-P1-1
[PE2-explicit-path-TO-P1-1] next hop 1.1.1.5
[PE2-explicit-path-TO-P1-1] quit
[PE2] explicit-path TO-P1-2
[PE2-explicit-path-TO-P1-2] next hop 1.1.1.13
[PE2-explicit-path-TO-P1-2] next hop 1.1.2.9
[PE2-explicit-path-TO-P1-2] quit
[PE2] explicit-path TO-P2-1
[PE2-explicit-path-TO-P2-1] next hop 1.1.1.13
[PE2-explicit-path-TO-P2-1] quit
[PE2] explicit-path TO-P2-2
[PE2-explicit-path-TO-P2-2] next hop 1.1.1.5
[PE2-explicit-path-TO-P2-2] next hop 1.1.2.10
[PE2-explicit-path-TO-P2-2] quit
[PE2] explicit-path TO-PE1-1
[PE2-explicit-path-TO-PE1-1] next hop 1.1.1.5
[PE2-explicit-path-TO-PE1-1] next hop 1.1.1.2
[PE2-explicit-path-TO-PE1-1] quit
[PE2] explicit-path TO-PE1-2
[PE2-explicit-path-TO-PE1-2] next hop 1.1.1.13
[PE2-explicit-path-TO-PE1-2] next hop 1.1.1.10
[PE2-explicit-path-TO-PE1-2] quit
[PE2] explicit-path TO-ROUTER-1
[PE2-explicit-path-TO-ROUTER-1] next hop 1.1.1.5
[PE2-explicit-path-TO-ROUTER-1] next hop 1.1.2.226
[PE2-explicit-path-TO-ROUTER-1] quit
[PE2] explicit-path TO-ROUTER-2
[PE2-explicit-path-TO-ROUTER-2] next hop 1.1.1.13
[PE2-explicit-path-TO-ROUTER-2] next hop 1.1.2.230
[PE2-explicit-path-TO-ROUTER-2] quit

# Configure TE tunnels.
[PE2] interface Tunnel1
[PE2-Tunnel1] ip address unnumbered interface LoopBack0
[PE2-Tunnel1] tunnel-protocol mpls te
[PE2-Tunnel1] destination 4.4.4.1
[PE2-Tunnel1] mpls te tunnel-id 1
[PE2-Tunnel1] mpls te signalled tunnel-name pe2->P1-1
[PE2-Tunnel1] mpls te record-route label
[PE2-Tunnel1] mpls te path explicit-path TO-P1-1
[PE2-Tunnel1] mpls te path explicit-path TO-P1-2 secondary
[PE2-Tunnel1] mpls te backup hot-standby
[PE2-Tunnel1] mpls te igp shortcut ospf
[PE2-Tunnel1] mpls te igp metric absolute 10
[PE2-Tunnel1] mpls te reserved-for-binding
[PE2-Tunnel1] ospf enable 1 area 0.0.0.0
[PE2-Tunnel1] mpls
[PE2-Tunnel1] mpls te commit
[PE2-Tunnel1] quit
[PE2] interface Tunnel2
[PE2-Tunnel2] ip address unnumbered interface LoopBack0
[PE2-Tunnel2] tunnel-protocol mpls te
[PE2-Tunnel2] destination 4.4.4.2
[PE2-Tunnel2] mpls te tunnel-id 2
[PE2-Tunnel2] mpls te signalled tunnel-name pe2->P2-1
[PE2-Tunnel2] mpls te record-route label
[PE2-Tunnel2] mpls te path explicit-path TO-P2-1
[PE2-Tunnel2] mpls te path explicit-path TO-P2-2 secondary
[PE2-Tunnel2] mpls te backup hot-standby
[PE2-Tunnel2] mpls te igp shortcut ospf
[PE2-Tunnel2] mpls te igp metric absolute 10
[PE2-Tunnel2] mpls te reserved-for-binding
[PE2-Tunnel2] ospf enable 1 area 0.0.0.0
[PE2-Tunnel2] mpls
[PE2-Tunnel2] mpls te commit
[PE2-Tunnel2] quit
[PE2] interface Tunnel3
[PE2-Tunnel3] ip address unnumbered interface LoopBack0
[PE2-Tunnel3] tunnel-protocol mpls te
[PE2-Tunnel3] destination 4.4.4.39
[PE2-Tunnel3] mpls te tunnel-id 3
[PE2-Tunnel3] mpls te signalled tunnel-name pe2->router-1
[PE2-Tunnel3] mpls te record-route label
[PE2-Tunnel3] mpls te path explicit-path TO-ROUTER-1
[PE2-Tunnel3] mpls te path explicit-path TO-ROUTER-2 secondary
[PE2-Tunnel3] mpls te backup hot-standby
[PE2-Tunnel3] mpls te igp shortcut ospf
[PE2-Tunnel3] mpls te igp metric absolute 10
[PE2-Tunnel3] mpls te reserved-for-binding
[PE2-Tunnel3] ospf enable 1 area 0.0.0.0
[PE2-Tunnel3] mpls
[PE2-Tunnel3] mpls te commit
[PE2-Tunnel3] quit
[PE2] interface Tunnel4
[PE2-Tunnel4] ip address unnumbered interface LoopBack0
[PE2-Tunnel4] tunnel-protocol mpls te
[PE2-Tunnel4] destination 4.4.4.39
[PE2-Tunnel4] mpls te tunnel-id 4
[PE2-Tunnel4] mpls te signalled tunnel-name pe2->router-2
[PE2-Tunnel4] mpls te record-route label
[PE2-Tunnel4] mpls te path explicit-path TO-ROUTER-2
[PE2-Tunnel4] mpls te path explicit-path TO-ROUTER-1 secondary
[PE2-Tunnel4] mpls te backup hot-standby
[PE2-Tunnel4] mpls te igp shortcut ospf
[PE2-Tunnel4] mpls te igp metric absolute 10
[PE2-Tunnel4] mpls te reserved-for-binding
[PE2-Tunnel4] ospf enable 1 area 0.0.0.0
[PE2-Tunnel4] mpls
[PE2-Tunnel4] mpls te commit
[PE2-Tunnel4] quit
[PE2] interface Tunnel5
[PE2-Tunnel5] ip address unnumbered interface LoopBack0
[PE2-Tunnel5] tunnel-protocol mpls te
[PE2-Tunnel5] destination 4.4.4.143
[PE2-Tunnel5] mpls te tunnel-id 5
[PE2-Tunnel5] mpls te signalled tunnel-name pe2->pe1-1
[PE2-Tunnel5] mpls te record-route label
[PE2-Tunnel5] mpls te path explicit-path TO-PE1-1
[PE2-Tunnel5] mpls te path explicit-path TO-PE1-2 secondary
[PE2-Tunnel5] mpls te backup hot-standby
[PE2-Tunnel5] mpls te igp shortcut ospf
[PE2-Tunnel5] mpls te igp metric absolute 10
[PE2-Tunnel5] mpls te reserved-for-binding
[PE2-Tunnel5] ospf enable 1 area 0.0.0.0
[PE2-Tunnel5] mpls
[PE2-Tunnel5] mpls te commit
[PE2-Tunnel5] quit
[PE2] interface Tunnel6
[PE2-Tunnel6] ip address unnumbered interface LoopBack0
[PE2-Tunnel6] tunnel-protocol mpls te
[PE2-Tunnel6] destination 4.4.4.143
[PE2-Tunnel6] mpls te tunnel-id 6
[PE2-Tunnel6] mpls te signalled tunnel-name pe2->pe1-2
[PE2-Tunnel6] mpls te record-route label
[PE2-Tunnel6] mpls te path explicit-path TO-PE1-2
[PE2-Tunnel6] mpls te path explicit-path TO-PE1-1 secondary
[PE2-Tunnel6] mpls te backup hot-standby
[PE2-Tunnel6] mpls te igp shortcut ospf
[PE2-Tunnel6] mpls te igp metric absolute 10
[PE2-Tunnel6] mpls te reserved-for-binding
[PE2-Tunnel6] ospf enable 1 area 0.0.0.0
[PE2-Tunnel6] mpls
[PE2-Tunnel6] mpls te commit
[PE2-Tunnel6] quit
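Each tunnel above pairs a primary explicit path with a secondary one and enables a hot-standby backup. That backup only protects the tunnel if the secondary path really avoids the hops of the primary. The following Python script is an added example, not Huawei code: it parses a VRP-style transcript of explicit-path and Tunnel blocks (the same command shapes as Step 4) and reports, for every hot-standby tunnel, whether the two paths are hop-disjoint. The transcript it parses is a constructed excerpt of the PE2 configuration (Tunnel1, TO-P1-1, TO-P1-2) plus a hypothetical Tunnel9 and path TO-BAD, added so that the failure case is exercised; the function names are the example's own.

```python
"""Hop-disjointness check for MPLS TE hot-standby tunnels.
Added example (not Huawei code); parses a VRP-style CLI transcript."""
import re

# Constructed sample input: Tunnel1 and its paths from the PE2 configuration,
# plus a hypothetical Tunnel9 whose backup path TO-BAD reuses the primary's
# first hop 1.1.1.5 (misconfiguration inserted on purpose).
SAMPLE = """\
[PE2] explicit-path TO-P1-1
[PE2-explicit-path-TO-P1-1] next hop 1.1.1.5
[PE2-explicit-path-TO-P1-1] quit
[PE2] explicit-path TO-P1-2
[PE2-explicit-path-TO-P1-2] next hop 1.1.1.13
[PE2-explicit-path-TO-P1-2] next hop 1.1.2.9
[PE2-explicit-path-TO-P1-2] quit
[PE2] explicit-path TO-BAD
[PE2-explicit-path-TO-BAD] next hop 1.1.1.5
[PE2-explicit-path-TO-BAD] next hop 1.1.2.9
[PE2-explicit-path-TO-BAD] quit
[PE2] interface Tunnel1
[PE2-Tunnel1] destination 4.4.4.1
[PE2-Tunnel1] mpls te path explicit-path TO-P1-1
[PE2-Tunnel1] mpls te path explicit-path TO-P1-2 secondary
[PE2-Tunnel1] mpls te backup hot-standby
[PE2-Tunnel1] quit
[PE2] interface Tunnel9
[PE2-Tunnel9] destination 4.4.4.1
[PE2-Tunnel9] mpls te path explicit-path TO-P1-1
[PE2-Tunnel9] mpls te path explicit-path TO-BAD secondary
[PE2-Tunnel9] mpls te backup hot-standby
[PE2-Tunnel9] quit
"""

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")   # strips the "[PE2-...] " prompt


def parse_transcript(text):
    """Return (paths, tunnels): paths maps a name to its ordered next hops,
    tunnels maps an interface name to its primary/secondary path names,
    destination and hot-standby flag.  'quit' leaves the current view."""
    paths, tunnels = {}, {}
    mode, name = None, None
    for raw in text.splitlines():
        cmd = PROMPT_RE.sub("", raw).strip()
        if not cmd:
            continue
        m_path = re.match(r"explicit-path (\S+)$", cmd)
        m_tun = re.match(r"interface (Tunnel\d+)$", cmd)
        if cmd == "quit":
            mode = None
        elif m_path:
            mode, name = "path", m_path.group(1)
            paths.setdefault(name, [])
        elif m_tun:
            mode, name = "tunnel", m_tun.group(1)
            tunnels.setdefault(name, {"primary": None, "secondary": None,
                                      "destination": None, "hot_standby": False})
        elif mode == "path":
            m = re.match(r"next hop (\S+)$", cmd)
            if m:
                paths[name].append(m.group(1))
        elif mode == "tunnel":
            t = tunnels[name]
            m = re.match(r"destination (\S+)$", cmd)
            if m:
                t["destination"] = m.group(1)
            m = re.match(r"mpls te path explicit-path (\S+)( secondary)?$", cmd)
            if m:
                t["secondary" if m.group(2) else "primary"] = m.group(1)
            if cmd == "mpls te backup hot-standby":
                t["hot_standby"] = True
    return paths, tunnels


def check_hot_standby(paths, tunnels):
    """Map each tunnel to (ok, reason).  A hot-standby backup is only useful
    when both explicit paths exist and share no hop address."""
    results = {}
    for name, t in tunnels.items():
        if not t["hot_standby"]:
            results[name] = (True, "no hot-standby backup configured")
            continue
        prim = paths.get(t["primary"]) if t["primary"] else None
        sec = paths.get(t["secondary"]) if t["secondary"] else None
        if not prim or not sec:
            results[name] = (False, "hot-standby needs a primary and a secondary explicit path")
            continue
        shared = sorted(set(prim) & set(sec))
        if shared:
            results[name] = (False, "backup path shares hop(s) %s with the primary" % ", ".join(shared))
        else:
            results[name] = (True, "primary and backup paths are hop-disjoint")
    return results


if __name__ == "__main__":
    p, tn = parse_transcript(SAMPLE)
    for tunnel, (ok, why) in check_hot_standby(p, tn).items():
        print("%-8s %-4s %s" % (tunnel, "ok" if ok else "FAIL", why))
```

Run against a full `display current-configuration` transcript, the same parser covers all six PE2 tunnels; the check is deliberately strict (any shared address, not just the first hop), because a shared intermediate hop is a shared failure point for both LSPs.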

Step 5 Configure BGP and BGP4+, and configure PE2 to establish IBGP peer relationships
with RR1 and RR2 and establish an EBGP peer relationship with SW1.

# Start the BGP process and configure BGP peers.
[PE2] bgp 2519
[PE2-bgp] router-id 4.4.4.144
[PE2-bgp] graceful-restart
[PE2-bgp] group IPv6-PRIVATEAS_CUSTOMER external
[PE2-bgp] group PRIVATEAS_CUSTOMER external
[PE2-bgp] peer 2.2.2.254 as-number 64901
[PE2-bgp] peer 2.2.2.254 group PRIVATEAS_CUSTOMER
[PE2-bgp] peer 2.2.2.254 password cipher ***
[PE2-bgp] group iBGP internal
[PE2-bgp] peer iBGP connect-interface LoopBack0
[PE2-bgp] peer 4.4.4.27 as-number 2519
[PE2-bgp] peer 4.4.4.27 group iBGP
[PE2-bgp] peer 4.4.4.27 password cipher huawei@123
[PE2-bgp] peer 4.4.4.28 as-number 2519
[PE2-bgp] peer 4.4.4.28 group iBGP
[PE2-bgp] peer 4.4.4.28 password cipher huawei@123
[PE2-bgp] peer 2001::15 as-number 2519
[PE2-bgp] peer 2001::15 group iBGP
[PE2-bgp] peer 2001::15 password cipher huawei@123
[PE2-bgp] peer 2001::16 as-number 2519
[PE2-bgp] peer 2001::16 group iBGP
[PE2-bgp] peer 2001::16 password cipher huawei@123
[PE2-bgp] ipv4-family unicast
[PE2-bgp-af-ipv4] undo synchronization
[PE2-bgp-af-ipv4] preference 170 170 130
[PE2-bgp-af-ipv4] peer PRIVATEAS_CUSTOMER advertise-community
[PE2-bgp-af-ipv4] peer iBGP next-hop-local
[PE2-bgp-af-ipv4] peer iBGP advertise-community
[PE2-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[PE2-bgp] ipv6-family unicast
[PE2-bgp-af-ipv6] undo synchronization
[PE2-bgp-af-ipv6] preference 170 170 130
[PE2-bgp-af-ipv6] peer IPv6-PRIVATEAS_CUSTOMER enable
[PE2-bgp-af-ipv6] peer IPv6-PRIVATEAS_CUSTOMER advertise-community
[PE2-bgp-af-ipv6] peer iBGP enable
[PE2-bgp-af-ipv6] peer iBGP next-hop-local
[PE2-bgp-af-ipv6] peer iBGP advertise-community
[PE2-bgp-af-ipv6] peer 2001::15 enable
[PE2-bgp-af-ipv6] peer 2001::15 group iBGP
[PE2-bgp-af-ipv6] peer 2001::16 enable
[PE2-bgp-af-ipv6] peer 2001::16 group iBGP
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit

# Configure BGP routing policies.
[PE2] ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
[PE2] route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT permit node 100
[PE2-route-policy] if-match ip-prefix DEFAULT-ROUTE
[PE2-route-policy] apply community no-export
[PE2-route-policy] quit
[PE2] route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT deny node 200
[PE2-route-policy] quit
[PE2] route-policy DENY-ANY_ROUTE-OUT deny node 100
[PE2-route-policy] quit
[PE2] route-policy STATIC-to-BGP permit node 200
[PE2-route-policy] if-match tag 2519
[PE2-route-policy] apply local-preference 9000
[PE2-route-policy] apply origin igp
[PE2-route-policy] apply community 2519:1
[PE2-route-policy] quit

# Apply the BGP routing policies so that only the default route is advertised to
enterprises, and apply the routing policy that imports static routes into the
BGP routing table.
[PE2] bgp 2519
[PE2-bgp] ipv4-family unicast
[PE2-bgp-af-ipv4] import-route static route-policy STATIC-to-BGP
[PE2-bgp-af-ipv4] peer 2.2.2.254 route-policy DENY-ANY_ROUTE-OUT export
[PE2-bgp-af-ipv4] peer 2.2.2.254 default-route-advertise route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT conditional-route-match-any 0.0.0.0 0.0.0.0
[PE2-bgp-af-ipv4] quit
[PE2-bgp] ipv6-family unicast
[PE2-bgp-af-ipv6] import-route static route-policy STATIC-to-BGP
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit
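The route policies above are evaluated node by node: the first node whose if-match clauses all hold decides the route, a permit node applies its actions, a deny node (or no matching node at all) rejects the route, and a node with no if-match clause matches everything. The following Python model is an added example, not Huawei code, written to make that behaviour concrete for the three policies configured on PE2. It transcribes DEFAULT-ROUTE, PRIVATEAS_CUSTOMER-DEFAULT-OUT, DENY-ANY_ROUTE-OUT and STATIC-to-BGP as data, and models the default route advertised to 2.2.2.254 as subject only to the policy named on the default-route-advertise command and gated by the conditional-route-match-any 0.0.0.0 0.0.0.0 condition, which is what the stated intent (advertise only the default route while DENY-ANY_ROUTE-OUT rejects everything else) requires. Class and function names are the example's own.

```python
"""Model of VRP route-policy evaluation for the PE2 BGP policies.
Added example (not Huawei code)."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Route:
    prefix: str                    # e.g. "6.6.6.0/24"
    tag: int = 0                   # route tag (static routes above carry tag 2519)
    local_pref: int = 100
    origin: str = "incomplete"
    community: frozenset = frozenset()


@dataclass
class Node:
    index: int
    action: str                    # "permit" or "deny"
    matches: dict = field(default_factory=dict)   # if-match clauses
    applies: dict = field(default_factory=dict)   # apply clauses


# ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
# Entries are (action, network, greater_equal, less_equal); without the
# greater-equal/less-equal keywords the mask length must match exactly.
PREFIX_LISTS = {"DEFAULT-ROUTE": [("permit", "0.0.0.0/0", 0, 0)]}

POLICIES = {
    "PRIVATEAS_CUSTOMER-DEFAULT-OUT": [
        Node(100, "permit", {"ip-prefix": "DEFAULT-ROUTE"}, {"community": "no-export"}),
        Node(200, "deny"),
    ],
    "DENY-ANY_ROUTE-OUT": [Node(100, "deny")],
    "STATIC-to-BGP": [
        Node(200, "permit", {"tag": 2519},
             {"local-preference": 9000, "origin": "igp", "community": "2519:1"}),
    ],
}


def prefix_list_match(name, prefix):
    """True if the prefix is permitted by the named ip-prefix list."""
    net = ipaddress.ip_network(prefix)
    for action, entry, ge, le in PREFIX_LISTS[name]:
        if net.subnet_of(ipaddress.ip_network(entry)) and ge <= net.prefixlen <= le:
            return action == "permit"
    return False   # implicit deny at the end of every prefix list


def node_matches(node, route):
    """All if-match clauses must hold; a node without clauses matches all."""
    for kind, value in node.matches.items():
        if kind == "ip-prefix" and not prefix_list_match(value, route.prefix):
            return False
        if kind == "tag" and route.tag != value:
            return False
    return True


def apply_policy(policy_name, route):
    """Return the (possibly modified) route if permitted, else None."""
    for node in sorted(POLICIES[policy_name], key=lambda n: n.index):
        if not node_matches(node, route):
            continue
        if node.action == "deny":
            return None
        out = replace(route)
        for kind, value in node.applies.items():
            if kind == "local-preference":
                out.local_pref = value
            elif kind == "origin":
                out.origin = value
            elif kind == "community":
                out.community = frozenset({value})   # non-additive apply replaces
        return out
    return None   # no node matched: the route is denied


def advertise_default(routing_table, policy_name):
    """peer ... default-route-advertise route-policy P conditional-route-match-any
    0.0.0.0 0.0.0.0: generate the default route only while a 0.0.0.0/0 route
    exists in the routing table, then run it through policy P."""
    if not any(ipaddress.ip_network(p).prefixlen == 0 for p in routing_table):
        return None
    return apply_policy(policy_name, Route("0.0.0.0/0", origin="igp"))
```

Worked through with the routes on this page: the static route 6.6.6.0/24 tag 2519 passes STATIC-to-BGP with local preference 9000, origin igp and community 2519:1; the same prefix is rejected towards 2.2.2.254 by DENY-ANY_ROUTE-OUT; the default route reaches the customer carrying no-export, and only while a default route is present in PE2's routing table.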

Step 6 Configure VRRP and static routes for access of SW2.

# Configure VRRP on the interface of PE2 connected to SW2.
[PE2] interface Eth-Trunk3
[PE2-Eth-Trunk3] vrrp vrid 1 virtual-ip 3.3.3.113
[PE2-Eth-Trunk3] vrrp vrid 1 track interface Eth-Trunk0 reduced 30
[PE2-Eth-Trunk3] vrrp vrid 1 track interface Eth-Trunk1 reduced 30
[PE2-Eth-Trunk3] vrrp vrid 1 authentication-mode md5 huawei@123
[PE2-Eth-Trunk3] ospf cost 20000
[PE2-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk3] quit

# Configure static routes for communication with SW2.
[PE2] ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk 3 3.3.3.116 tag 2519
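Every neighbor relationship configured on PE2 is authenticated, but all of it rests on keyed MD5 (OSPFv2 area authentication, the AH-MD5 proposal applied to OSPFv3, RSVP-TE authentication per RFC 2747, VRRP authentication) and on one shared secret reused across protocols, while the customer-facing BGP password is shown as a placeholder. The following Python script is an added example, not Huawei code: it scans a configuration transcript for those patterns and for BGP peers defined without a password. The input is a constructed excerpt of the PE2 configuration with the prompts removed, and the severity labels and function names are the example's own.

```python
"""Neighbor-authentication hygiene audit for a VRP-style configuration.
Added example (not Huawei code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: an excerpt of the PE2 configuration above with
# the [PE2-...] prompts stripped, as it would appear in a saved config.
SAMPLE_CONFIG = """\
ospf 1 router-id 4.4.4.144
 area 0.0.0.0
  authentication-mode md5 1 cipher huawei@123
ipsec proposal ah-md5
 transform ah
 ah authentication-algorithm md5
mpls rsvp-te peer 1.1.1.5
 mpls rsvp-te authentication cipher huawei@123
bgp 2519
 peer 2.2.2.254 as-number 64901
 peer 2.2.2.254 password cipher ***
 peer 4.4.4.27 as-number 2519
 peer 4.4.4.27 password cipher huawei@123
 peer 4.4.4.28 as-number 2519
interface Eth-Trunk3
 vrrp vrid 1 virtual-ip 3.3.3.113
 vrrp vrid 1 authentication-mode md5 huawei@123
"""


@dataclass(frozen=True)
class Finding:
    severity: str     # "high" or "medium" (labels chosen for this example)
    line: str         # offending configuration line, or a synthetic locator
    reason: str


# Commands whose authentication is keyed MD5: OSPFv2 area/interface auth and
# VRRP auth ("authentication-mode md5"), the AH-MD5 IPsec proposal used for
# OSPFv3, and RSVP-TE authentication (HMAC-MD5 per RFC 2747).
MD5_RE = re.compile(r"authentication-mode md5\b|ah authentication-algorithm md5\b"
                    r"|mpls rsvp-te authentication cipher\b")
# The shared secret is the last token after "cipher", or directly after
# "authentication-mode md5" on VRRP lines, which carry no "cipher" keyword.
KEY_RE = re.compile(r"(?:\bcipher\s+|authentication-mode md5\s+)(\S+)$")


def _protocol(line):
    """Label the protocol a secret belongs to, from the command keywords."""
    if "vrrp" in line:
        return "vrrp"
    if "rsvp" in line:
        return "rsvp"
    if line.startswith("peer "):
        return "bgp"
    return "ospf"


def audit_config(text):
    """Return the list of Findings for one configuration transcript."""
    findings = []
    keys = defaultdict(set)     # secret -> set of protocols using it
    bgp_peers = {}              # peer address -> password configured?
    for raw in text.splitlines():
        line = raw.strip()
        if MD5_RE.search(line):
            findings.append(Finding("medium", line,
                "keyed-MD5 neighbor authentication; use a SHA-2 based mode where the platform offers one"))
        m = KEY_RE.search(line)
        if m:
            key = m.group(1)
            if set(key) == {"*"}:
                findings.append(Finding("high", line, "placeholder secret; a real key must be provisioned"))
            else:
                keys[key].add(_protocol(line))
        m = re.match(r"peer (\S+) as-number \d+$", line)
        if m:
            bgp_peers.setdefault(m.group(1), False)
        m = re.match(r"peer (\S+) password cipher \S+$", line)
        if m:
            bgp_peers[m.group(1)] = True
    for peer, has_pw in bgp_peers.items():
        if not has_pw:
            findings.append(Finding("high", "peer " + peer, "BGP session without a TCP password"))
    for key, protos in keys.items():
        if len(protos) > 1:
            findings.append(Finding("medium", "key %r" % key,
                                    "same secret shared by " + ", ".join(sorted(protos))))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 5}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("[%s] %s: %s" % (f.severity.upper(), f.line, f.reason))
```

On the sample the audit reports the four MD5-keyed lines, the placeholder customer password, the iBGP peer 4.4.4.28 that was defined without a password, and the secret huawei@123 shared by BGP, OSPF, RSVP-TE and VRRP; the same checks apply unchanged to the P1 and RR1 transcripts that follow.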

----End

9.5.4.3 Configuring P Devices

The following uses P1 as an example. The configuration of P2 is similar to that of
P1.
Step 1 Configure interfaces connected to devices.
# Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<P1> system-view
[P1] ipv6
[P1] interface Eth-Trunk 0
[P1-Eth-Trunk0] undo portswitch
[P1-Eth-Trunk0] description To_PE1
[P1-Eth-Trunk0] ip address 1.1.1.1 255.255.255.252
[P1-Eth-Trunk0] ipv6 enable
[P1-Eth-Trunk0] ipv6 address 2001:0:0:4D9::1/64
[P1-Eth-Trunk0] mode lacp
[P1-Eth-Trunk0] quit
[P1] interface XGigabitEthernet 1/0/0
[P1-XGigabitEthernet1/0/0] eth-trunk 0
[P1-XGigabitEthernet1/0/0] quit
[P1] interface XGigabitEthernet 2/0/0
[P1-XGigabitEthernet2/0/0] eth-trunk 0
[P1-XGigabitEthernet2/0/0] quit

# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[P1] interface Eth-Trunk 1
[P1-Eth-Trunk1] undo portswitch
[P1-Eth-Trunk1] description To_PE2
[P1-Eth-Trunk1] ip address 1.1.1.5 255.255.255.252
[P1-Eth-Trunk1] ipv6 enable
[P1-Eth-Trunk1] ipv6 address 2001:0:0:4DA::1/64
[P1-Eth-Trunk1] mode lacp
[P1-Eth-Trunk1] quit
[P1] interface XGigabitEthernet 1/0/1
[P1-XGigabitEthernet1/0/1] eth-trunk 1
[P1-XGigabitEthernet1/0/1] quit
[P1] interface XGigabitEthernet 2/0/1
[P1-XGigabitEthernet2/0/1] eth-trunk 1
[P1-XGigabitEthernet2/0/1] quit

# Create Eth-Trunk 2 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
[P1] interface Eth-Trunk 2
[P1-Eth-Trunk2] undo portswitch
[P1-Eth-Trunk2] description To_P2
[P1-Eth-Trunk2] ip address 1.1.2.9 255.255.255.252
[P1-Eth-Trunk2] ipv6 enable
[P1-Eth-Trunk2] ipv6 address 2001:0:0:4D8::1/64
[P1-Eth-Trunk2] mode lacp
[P1-Eth-Trunk2] quit
[P1] interface XGigabitEthernet 3/0/0
[P1-XGigabitEthernet3/0/0] eth-trunk 2
[P1-XGigabitEthernet3/0/0] quit
[P1] interface XGigabitEthernet 4/0/0
[P1-XGigabitEthernet4/0/0] eth-trunk 2
[P1-XGigabitEthernet4/0/0] quit

# Create Eth-Trunk 3 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[P1] interface Eth-Trunk 3
[P1-Eth-Trunk3] undo portswitch
[P1-Eth-Trunk3] description To_RR1
[P1-Eth-Trunk3] ip address 1.1.2.233 255.255.255.252
[P1-Eth-Trunk3] ipv6 enable
[P1-Eth-Trunk3] ipv6 address 2001:0:0:4D7::1/64
[P1-Eth-Trunk3] mode lacp
[P1-Eth-Trunk3] quit
[P1] interface XGigabitEthernet 3/0/1
[P1-XGigabitEthernet3/0/1] eth-trunk 3
[P1-XGigabitEthernet3/0/1] quit
[P1] interface XGigabitEthernet 4/0/1
[P1-XGigabitEthernet4/0/1] eth-trunk 3
[P1-XGigabitEthernet4/0/1] quit

# Create Eth-Trunk 4 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/2 and XGE4/0/2 to Eth-Trunk 4.
[P1] interface Eth-Trunk 4
[P1-Eth-Trunk4] undo portswitch
[P1-Eth-Trunk4] description To_RR2
[P1-Eth-Trunk4] ip address 1.1.2.189 255.255.255.252
[P1-Eth-Trunk4] ipv6 enable
[P1-Eth-Trunk4] ipv6 address 2001:0:0:4E2::1/64
[P1-Eth-Trunk4] mode lacp
[P1-Eth-Trunk4] quit
[P1] interface XGigabitEthernet 3/0/2
[P1-XGigabitEthernet3/0/2] eth-trunk 4
[P1-XGigabitEthernet3/0/2] quit
[P1] interface XGigabitEthernet 4/0/2
[P1-XGigabitEthernet4/0/2] eth-trunk 4
[P1-XGigabitEthernet4/0/2] quit

# Create Eth-Trunk 5 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/3 and XGE4/0/3 to Eth-Trunk 5.
[P1] interface Eth-Trunk 5
[P1-Eth-Trunk5] undo portswitch
[P1-Eth-Trunk5] description To_Router
[P1-Eth-Trunk5] ip address 1.1.2.225 255.255.255.252
[P1-Eth-Trunk5] ipv6 enable
[P1-Eth-Trunk5] ipv6 address 2001:0:0:4D5::1/64
[P1-Eth-Trunk5] mode lacp
[P1-Eth-Trunk5] quit
[P1] interface XGigabitEthernet 3/0/3
[P1-XGigabitEthernet3/0/3] eth-trunk 5
[P1-XGigabitEthernet3/0/3] quit
[P1] interface XGigabitEthernet 4/0/3
[P1-XGigabitEthernet4/0/3] eth-trunk 5
[P1-XGigabitEthernet4/0/3] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[P1] interface LoopBack 0
[P1-LoopBack0] ip address 4.4.4.1 255.255.255.255
[P1-LoopBack0] ipv6 enable
[P1-LoopBack0] ipv6 address 2001::21/128
[P1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3.

# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[P1] ospf 1 router-id 4.4.4.1
[P1-ospf-1] silent-interface all
[P1-ospf-1] undo silent-interface Eth-Trunk0
[P1-ospf-1] undo silent-interface Eth-Trunk1
[P1-ospf-1] undo silent-interface Eth-Trunk2
[P1-ospf-1] undo silent-interface Eth-Trunk3
[P1-ospf-1] undo silent-interface Eth-Trunk4
[P1-ospf-1] undo silent-interface Eth-Trunk5
[P1-ospf-1] preference 80
[P1-ospf-1] opaque-capability enable
[P1-ospf-1] graceful-restart
[P1-ospf-1] bandwidth-reference 1000000
[P1-ospf-1] enable traffic-adjustment
[P1-ospf-1] area 0.0.0.0
[P1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[P1-ospf-1-area-0.0.0.0] mpls-te enable
[P1-ospf-1-area-0.0.0.0] quit
[P1-ospf-1] quit

# Configure an IPSec proposal and an SA.
[P1] ipsec proposal ah-md5
[P1-ipsec-proposal-ah-md5] encapsulation-mode transport
[P1-ipsec-proposal-ah-md5] transform ah
[P1-ipsec-proposal-ah-md5] ah authentication-algorithm md5
[P1-ipsec-proposal-ah-md5] quit
[P1] ipsec sa ospfv3-sa
[P1-ipsec-sa-ospfv3-sa] proposal ah-md5
[P1-ipsec-sa-ospfv3-sa] sa spi inbound ah 256
[P1-ipsec-sa-ospfv3-sa] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[P1-ipsec-sa-ospfv3-sa] sa spi outbound ah 256
[P1-ipsec-sa-ospfv3-sa] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[P1-ipsec-sa-ospfv3-sa] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[P1] ospfv3 1
[P1-ospfv3-1] router-id 4.4.4.1
[P1-ospfv3-1] bandwidth-reference 1000000
[P1-ospfv3-1] graceful-restart
[P1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[P1] interface LoopBack 0
[P1-LoopBack0] ospf enable 1 area 0.0.0.0
[P1-LoopBack0] ospfv3 1 area 0.0.0.0
[P1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[P1] interface Eth-Trunk 0
[P1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk0] ospf network-type p2p
[P1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk0] ospfv3 network-type p2p
[P1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[P1] interface Eth-Trunk 1
[P1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk1] ospf network-type p2p
[P1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk1] ospfv3 network-type p2p
[P1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk1] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 2 and set the network type to P2P.
[P1] interface Eth-Trunk 2
[P1-Eth-Trunk2] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk2] ospf network-type p2p
[P1-Eth-Trunk2] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk2] ospfv3 network-type p2p
[P1-Eth-Trunk2] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk2] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 3 and set the network type to P2P.
[P1] interface Eth-Trunk 3
[P1-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk3] ospf network-type p2p
[P1-Eth-Trunk3] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk3] ospfv3 network-type p2p
[P1-Eth-Trunk3] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk3] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 4, set the network type to P2P, and set
the OSPF cost value.
[P1] interface Eth-Trunk 4
[P1-Eth-Trunk4] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk4] ospf network-type p2p
[P1-Eth-Trunk4] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk4] ospfv3 network-type p2p
[P1-Eth-Trunk4] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk4] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 5, set the network type to P2P, and set
the OSPF cost value.
[P1] interface Eth-Trunk 5
[P1-Eth-Trunk5] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk5] ospf network-type p2p
[P1-Eth-Trunk5] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk5] ospfv3 network-type p2p
[P1-Eth-Trunk5] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk5] quit

Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of P1.
# Configure MPLS RSVP-TE and enable MPLS globally.
[P1] mpls lsr-id 4.4.4.1
[P1] mpls
[P1-mpls] mpls te
[P1-mpls] mpls rsvp-te
[P1-mpls] mpls rsvp-te hello
[P1-mpls] mpls rsvp-te srefresh
[P1-mpls] quit

# Establish RSVP peer relationships and enable MD5 authentication.
[P1] mpls rsvp-te peer 1.1.1.2
[P1-mpls-rsvp-te-peer-1.1.1.2] mpls rsvp-te authentication cipher huawei@123
[P1-mpls-rsvp-te-peer-1.1.1.2] quit
[P1] mpls rsvp-te peer 1.1.1.6
[P1-mpls-rsvp-te-peer-1.1.1.6] mpls rsvp-te authentication cipher huawei@123
[P1-mpls-rsvp-te-peer-1.1.1.6] quit
[P1] mpls rsvp-te peer 1.1.2.10
[P1-mpls-rsvp-te-peer-1.1.2.10] mpls rsvp-te authentication cipher huawei@123
[P1-mpls-rsvp-te-peer-1.1.2.10] quit
[P1] mpls rsvp-te peer 1.1.2.226
[P1-mpls-rsvp-te-peer-1.1.2.226] mpls rsvp-te authentication cipher huawei@123
[P1-mpls-rsvp-te-peer-1.1.2.226] quit

# Enable MPLS and RSVP-TE on the Layer 3 interfaces of P1 connected to PE1, PE2,
P2, and the router (Eth-Trunk 0, 1, 2, and 5).
[P1] interface Eth-Trunk 0
[P1-Eth-Trunk0] mpls
[P1-Eth-Trunk0] mpls te
[P1-Eth-Trunk0] mpls rsvp-te
[P1-Eth-Trunk0] mpls rsvp-te hello
[P1-Eth-Trunk0] quit
[P1] interface Eth-Trunk 1
[P1-Eth-Trunk1] mpls
[P1-Eth-Trunk1] mpls te
[P1-Eth-Trunk1] mpls rsvp-te
[P1-Eth-Trunk1] mpls rsvp-te hello
[P1-Eth-Trunk1] quit
[P1] interface Eth-Trunk 2
[P1-Eth-Trunk2] mpls
[P1-Eth-Trunk2] mpls te
[P1-Eth-Trunk2] mpls rsvp-te
[P1-Eth-Trunk2] mpls rsvp-te hello
[P1-Eth-Trunk2] quit
[P1] interface Eth-Trunk 5
[P1-Eth-Trunk5] mpls
[P1-Eth-Trunk5] mpls te
[P1-Eth-Trunk5] mpls rsvp-te
[P1-Eth-Trunk5] mpls rsvp-te hello
[P1-Eth-Trunk5] quit

Step 4 Configure TE tunnels and their explicit paths.

# Configure explicit paths for TE tunnels.
[P1] explicit-path TO-PE1-1
[P1-explicit-path-TO-PE1-1] next hop 1.1.1.2
[P1-explicit-path-TO-PE1-1] quit
[P1] explicit-path TO-PE1-2
[P1-explicit-path-TO-PE1-2] next hop 1.1.2.10
[P1-explicit-path-TO-PE1-2] next hop 1.1.1.10
[P1-explicit-path-TO-PE1-2] quit
[P1] explicit-path TO-PE2-1
[P1-explicit-path-TO-PE2-1] next hop 1.1.1.6
[P1-explicit-path-TO-PE2-1] quit
[P1] explicit-path TO-PE2-2
[P1-explicit-path-TO-PE2-2] next hop 1.1.2.10
[P1-explicit-path-TO-PE2-2] next hop 1.1.1.14
[P1-explicit-path-TO-PE2-2] quit

# Configure TE tunnels.
[P1] interface Tunnel1
[P1-Tunnel1] ip address unnumbered interface LoopBack0
[P1-Tunnel1] tunnel-protocol mpls te
[P1-Tunnel1] destination 4.4.4.143
[P1-Tunnel1] mpls te tunnel-id 1
[P1-Tunnel1] mpls te signalled tunnel-name P1->pe1-1
[P1-Tunnel1] mpls te record-route label
[P1-Tunnel1] mpls te path explicit-path TO-PE1-1
[P1-Tunnel1] mpls te path explicit-path TO-PE1-2 secondary
[P1-Tunnel1] mpls te backup hot-standby
[P1-Tunnel1] mpls te igp shortcut ospf
[P1-Tunnel1] mpls te igp metric absolute 10
[P1-Tunnel1] mpls te reserved-for-binding
[P1-Tunnel1] ospf enable 1 area 0.0.0.0
[P1-Tunnel1] mpls
[P1-Tunnel1] mpls te commit
[P1-Tunnel1] quit
[P1] interface Tunnel2
[P1-Tunnel2] ip address unnumbered interface LoopBack0
[P1-Tunnel2] tunnel-protocol mpls te
[P1-Tunnel2] destination 4.4.4.144
[P1-Tunnel2] mpls te tunnel-id 2
[P1-Tunnel2] mpls te signalled tunnel-name P1->pe2-1
[P1-Tunnel2] mpls te record-route label
[P1-Tunnel2] mpls te path explicit-path TO-PE2-1
[P1-Tunnel2] mpls te path explicit-path TO-PE2-2 secondary
[P1-Tunnel2] mpls te backup hot-standby
[P1-Tunnel2] mpls te igp shortcut ospf
[P1-Tunnel2] mpls te igp metric absolute 10
[P1-Tunnel2] mpls te reserved-for-binding
[P1-Tunnel2] ospf enable 1 area 0.0.0.0
[P1-Tunnel2] mpls
[P1-Tunnel2] mpls te commit
[P1-Tunnel2] quit

Step 5 Configure BGP and BGP4+, and configure P1 to establish IBGP peer relationships
with RR1 and RR2.

# Start the BGP process and configure BGP peers.
[P1] bgp 2519
[P1-bgp] router-id 4.4.4.1
[P1-bgp] graceful-restart
[P1-bgp] group iBGP internal
[P1-bgp] peer iBGP connect-interface LoopBack0
[P1-bgp] peer 4.4.4.27 as-number 2519
[P1-bgp] peer 4.4.4.27 group iBGP
[P1-bgp] peer 4.4.4.27 password cipher huawei@123
[P1-bgp] peer 4.4.4.28 as-number 2519
[P1-bgp] peer 4.4.4.28 group iBGP
[P1-bgp] peer 4.4.4.28 password cipher huawei@123
[P1-bgp] peer 2001::15 as-number 2519
[P1-bgp] peer 2001::15 group iBGP
[P1-bgp] peer 2001::15 password cipher huawei@123
[P1-bgp] peer 2001::16 as-number 2519
[P1-bgp] peer 2001::16 group iBGP
[P1-bgp] peer 2001::16 password cipher huawei@123
[P1-bgp] ipv4-family unicast
[P1-bgp-af-ipv4] undo synchronization
[P1-bgp-af-ipv4] preference 170 170 130
[P1-bgp-af-ipv4] peer iBGP next-hop-local
[P1-bgp-af-ipv4] peer iBGP advertise-community
[P1-bgp-af-ipv4] quit

# Configure BGP4+ peers.


[P1-bgp] ipv6-family unicast
[P1-bgp-af-ipv6] undo synchronization
[P1-bgp-af-ipv6] preference 170 170 130
[P1-bgp-af-ipv6] peer iBGP enable
[P1-bgp-af-ipv6] peer iBGP next-hop-local
[P1-bgp-af-ipv6] peer iBGP advertise-community
[P1-bgp-af-ipv6] peer 2001::15 enable
[P1-bgp-af-ipv6] peer 2001::15 group iBGP
[P1-bgp-af-ipv6] peer 2001::16 enable
[P1-bgp-af-ipv6] peer 2001::16 group iBGP
[P1-bgp-af-ipv6] quit
[P1-bgp] quit

----End

9.5.4.4 Configuring RRs

The following uses RR1 as an example. The configuration of RR2 is similar to that
of RR1.

Step 1 Configure interfaces connected to devices.

# Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<RR1> system-view
[RR1] ipv6
[RR1] interface Eth-Trunk 0
[RR1-Eth-Trunk0] undo portswitch
[RR1-Eth-Trunk0] description To_P1
[RR1-Eth-Trunk0] ip address 1.1.2.234 255.255.255.252
[RR1-Eth-Trunk0] ipv6 enable
[RR1-Eth-Trunk0] ipv6 address 2001:0:0:4D7::2/64
[RR1-Eth-Trunk0] mode lacp
[RR1-Eth-Trunk0] quit
[RR1] interface XGigabitEthernet 1/0/0
[RR1-XGigabitEthernet1/0/0] eth-trunk 0
[RR1-XGigabitEthernet1/0/0] quit
[RR1] interface XGigabitEthernet 2/0/0
[RR1-XGigabitEthernet2/0/0] eth-trunk 0
[RR1-XGigabitEthernet2/0/0] quit

# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[RR1] interface Eth-Trunk 1
[RR1-Eth-Trunk1] undo portswitch
[RR1-Eth-Trunk1] description To_P2
[RR1-Eth-Trunk1] ip address 1.1.2.238 255.255.255.252
[RR1-Eth-Trunk1] ipv6 enable
[RR1-Eth-Trunk1] ipv6 address 2001:0:0:4D6::2/64
[RR1-Eth-Trunk1] mode lacp
[RR1-Eth-Trunk1] quit
[RR1] interface XGigabitEthernet 1/0/1
[RR1-XGigabitEthernet1/0/1] eth-trunk 1
[RR1-XGigabitEthernet1/0/1] quit
[RR1] interface XGigabitEthernet 2/0/1
[RR1-XGigabitEthernet2/0/1] eth-trunk 1
[RR1-XGigabitEthernet2/0/1] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[RR1] interface LoopBack 0
[RR1-LoopBack0] ip address 4.4.4.27 255.255.255.255
[RR1-LoopBack0] ipv6 enable
[RR1-LoopBack0] ipv6 address 2001::15/128
[RR1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3.

# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[RR1] ospf 1 router-id 4.4.4.27
[RR1-ospf-1] silent-interface all
[RR1-ospf-1] undo silent-interface Eth-Trunk0
[RR1-ospf-1] undo silent-interface Eth-Trunk1
[RR1-ospf-1] preference 80
[RR1-ospf-1] opaque-capability enable
[RR1-ospf-1] graceful-restart
[RR1-ospf-1] bandwidth-reference 1000000
[RR1-ospf-1] enable traffic-adjustment
[RR1-ospf-1] area 0.0.0.0
[RR1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[RR1-ospf-1-area-0.0.0.0] mpls-te enable
[RR1-ospf-1-area-0.0.0.0] quit
[RR1-ospf-1] quit

# Configure an IPSec proposal and an SA.
[RR1] ipsec proposal ah-md5
[RR1-ipsec-proposal-ah-md5] encapsulation-mode transport
[RR1-ipsec-proposal-ah-md5] transform ah
[RR1-ipsec-proposal-ah-md5] ah authentication-algorithm md5
[RR1-ipsec-proposal-ah-md5] quit
[RR1] ipsec sa ospfv3-sa
[RR1-ipsec-sa-ospfv3-sa] proposal ah-md5
[RR1-ipsec-sa-ospfv3-sa] sa spi inbound ah 256
[RR1-ipsec-sa-ospfv3-sa] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[RR1-ipsec-sa-ospfv3-sa] sa spi outbound ah 256
[RR1-ipsec-sa-ospfv3-sa] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[RR1-ipsec-sa-ospfv3-sa] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[RR1] ospfv3 1
[RR1-ospfv3-1] router-id 4.4.4.27
[RR1-ospfv3-1] bandwidth-reference 1000000
[RR1-ospfv3-1] graceful-restart
[RR1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[RR1] interface LoopBack 0
[RR1-LoopBack0] ospf enable 1 area 0.0.0.0
[RR1-LoopBack0] ospfv3 1 area 0.0.0.0
[RR1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set
the OSPF cost value.
[RR1] interface Eth-Trunk 0
[RR1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[RR1-Eth-Trunk0] ospf network-type p2p
[RR1-Eth-Trunk0] ospf cost 10000
[RR1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[RR1-Eth-Trunk0] ospfv3 network-type p2p
[RR1-Eth-Trunk0] ospfv3 cost 10000
[RR1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[RR1-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set
the OSPF cost value.
[RR1] interface Eth-Trunk 1
[RR1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[RR1-Eth-Trunk1] ospf network-type p2p
[RR1-Eth-Trunk1] ospf cost 1000
[RR1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[RR1-Eth-Trunk1] ospfv3 network-type p2p
[RR1-Eth-Trunk1] ospfv3 cost 1000
[RR1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[RR1-Eth-Trunk1] quit

Step 3 Configure BGP and BGP4+, and configure RR1 to establish IBGP peer relationships
with other network elements (NEs).
# Start the BGP process and configure BGP peers.
[RR1] bgp 2519
[RR1-bgp] router-id 4.4.4.27
[RR1-bgp] graceful-restart
[RR1-bgp] group iBGP internal
[RR1-bgp] peer iBGP connect-interface LoopBack0
[RR1-bgp] peer 4.4.4.1 as-number 2519
[RR1-bgp] peer 4.4.4.1 group iBGP
[RR1-bgp] peer 4.4.4.1 password cipher huawei@123
[RR1-bgp] peer 4.4.4.2 as-number 2519
[RR1-bgp] peer 4.4.4.2 group iBGP
[RR1-bgp] peer 4.4.4.2 password cipher huawei@123
[RR1-bgp] peer 4.4.4.39 as-number 2519
[RR1-bgp] peer 4.4.4.39 group iBGP
[RR1-bgp] peer 4.4.4.39 password cipher huawei@123
[RR1-bgp] peer 4.4.4.143 as-number 2519
[RR1-bgp] peer 4.4.4.143 group iBGP
[RR1-bgp] peer 4.4.4.143 password cipher huawei@123
[RR1-bgp] peer 4.4.4.144 as-number 2519
[RR1-bgp] peer 4.4.4.144 group iBGP
[RR1-bgp] peer 4.4.4.144 password cipher huawei@123
[RR1-bgp] peer 2001::149 as-number 2519
[RR1-bgp] peer 2001::149 group iBGP
[RR1-bgp] peer 2001::149 password cipher huawei@123
[RR1-bgp] peer 2001::14A as-number 2519
[RR1-bgp] peer 2001::14A group iBGP
[RR1-bgp] peer 2001::14A password cipher huawei@123
[RR1-bgp] peer 2001::21 as-number 2519
[RR1-bgp] peer 2001::21 group iBGP
[RR1-bgp] peer 2001::21 password cipher huawei@123
[RR1-bgp] peer 2001::22 as-number 2519
[RR1-bgp] peer 2001::22 group iBGP
[RR1-bgp] peer 2001::22 password cipher huawei@123
[RR1-bgp] peer 2001::31 as-number 2519
[RR1-bgp] peer 2001::31 group iBGP
[RR1-bgp] peer 2001::31 password cipher huawei@123
[RR1-bgp] ipv4-family unicast
[RR1-bgp-af-ipv4] undo synchronization
[RR1-bgp-af-ipv4] reflector cluster-id 2519
[RR1-bgp-af-ipv4] peer iBGP advertise-community
[RR1-bgp-af-ipv4] peer 4.4.4.1 reflect-client
[RR1-bgp-af-ipv4] peer 4.4.4.2 reflect-client
[RR1-bgp-af-ipv4] peer 4.4.4.39 reflect-client
[RR1-bgp-af-ipv4] peer 4.4.4.143 reflect-client
[RR1-bgp-af-ipv4] peer 4.4.4.144 reflect-client
[RR1-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[RR1-bgp] ipv6-family unicast
[RR1-bgp-af-ipv6] undo synchronization
[RR1-bgp-af-ipv6] preference 170 170 130
[RR1-bgp-af-ipv6] reflector cluster-id 2519
[RR1-bgp-af-ipv6] peer iBGP enable
[RR1-bgp-af-ipv6] peer iBGP next-hop-local
[RR1-bgp-af-ipv6] peer iBGP advertise-community
[RR1-bgp-af-ipv6] peer 2001::149 enable
[RR1-bgp-af-ipv6] peer 2001::149 group iBGP
[RR1-bgp-af-ipv6] peer 2001::149 reflect-client
[RR1-bgp-af-ipv6] peer 2001::14A enable
[RR1-bgp-af-ipv6] peer 2001::14A group iBGP
[RR1-bgp-af-ipv6] peer 2001::14A reflect-client
[RR1-bgp-af-ipv6] peer 2001::21 enable
[RR1-bgp-af-ipv6] peer 2001::21 group iBGP
[RR1-bgp-af-ipv6] peer 2001::21 reflect-client
[RR1-bgp-af-ipv6] peer 2001::22 enable
[RR1-bgp-af-ipv6] peer 2001::22 group iBGP
[RR1-bgp-af-ipv6] peer 2001::22 reflect-client
[RR1-bgp-af-ipv6] peer 2001::31 enable
[RR1-bgp-af-ipv6] peer 2001::31 group iBGP
[RR1-bgp-af-ipv6] peer 2001::31 reflect-client
[RR1-bgp-af-ipv6] quit
[RR1-bgp] quit

----End

9.5.4.5 Configuring Router


Step 1 Configure interfaces connected to devices.
# Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses. Enable LACP, and add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<Router> system-view
[Router] ipv6
[Router] interface Eth-Trunk 0
[Router-Eth-Trunk0] undo portswitch
[Router-Eth-Trunk0] description To_P1
[Router-Eth-Trunk0] ip address 1.1.2.226 255.255.255.252
[Router-Eth-Trunk0] ipv6 enable
[Router-Eth-Trunk0] ipv6 address 2001:0:0:4D5::2/64
[Router-Eth-Trunk0] mode lacp
[Router-Eth-Trunk0] quit
[Router] interface XGigabitEthernet 1/0/0
[Router-XGigabitEthernet1/0/0] eth-trunk 0
[Router-XGigabitEthernet1/0/0] quit
[Router] interface XGigabitEthernet 2/0/0
[Router-XGigabitEthernet2/0/0] eth-trunk 0
[Router-XGigabitEthernet2/0/0] quit

# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[Router] interface Eth-Trunk 1
[Router-Eth-Trunk1] undo portswitch
[Router-Eth-Trunk1] description To_P2
[Router-Eth-Trunk1] ip address 1.1.2.230 255.255.255.252
[Router-Eth-Trunk1] ipv6 enable
[Router-Eth-Trunk1] ipv6 address 2001:0:0:4D4::2/64
[Router-Eth-Trunk1] mode lacp
[Router-Eth-Trunk1] quit
[Router] interface XGigabitEthernet 1/0/1
[Router-XGigabitEthernet1/0/1] eth-trunk 1
[Router-XGigabitEthernet1/0/1] quit
[Router] interface XGigabitEthernet 2/0/1
[Router-XGigabitEthernet2/0/1] eth-trunk 1
[Router-XGigabitEthernet2/0/1] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[Router] interface LoopBack 0
[Router-LoopBack0] ip address 4.4.4.39 255.255.255.255
[Router-LoopBack0] ipv6 enable
[Router-LoopBack0] ipv6 address 2001::31/128
[Router-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3.

# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and configure MD5 password authentication for the area.
[Router] ospf 1 router-id 4.4.4.39
[Router-ospf-1] silent-interface all
[Router-ospf-1] undo silent-interface Eth-Trunk0
[Router-ospf-1] undo silent-interface Eth-Trunk1
[Router-ospf-1] default-route-advertise always
[Router-ospf-1] preference 80
[Router-ospf-1] opaque-capability enable
[Router-ospf-1] graceful-restart
[Router-ospf-1] bandwidth-reference 1000000
[Router-ospf-1] enable traffic-adjustment
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[Router-ospf-1-area-0.0.0.0] mpls-te enable
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit

# Configure an IPSec proposal and an SA.
[Router] ipsec proposal ah-md5
[Router-ipsec-proposal-ah-md5] encapsulation-mode transport
[Router-ipsec-proposal-ah-md5] transform ah
[Router-ipsec-proposal-ah-md5] ah authentication-algorithm md5
[Router-ipsec-proposal-ah-md5] quit
[Router] ipsec sa ospfv3-sa
[Router-ipsec-sa-ospfv3-sa] proposal ah-md5
[Router-ipsec-sa-ospfv3-sa] sa spi inbound ah 256
[Router-ipsec-sa-ospfv3-sa] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[Router-ipsec-sa-ospfv3-sa] sa spi outbound ah 256
[Router-ipsec-sa-ospfv3-sa] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[Router-ipsec-sa-ospfv3-sa] quit
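An `ospfv3 ipsec sa` binding only produces an adjacency when the two link ends mirror each other: this device's inbound SPI and key must equal the neighbour's outbound SPI and key, and vice versa, and every interface that runs OSPFv3 towards a neighbour must carry the binding. The Python audit below is an added example (not Huawei code or tooling) that parses the `ipsec proposal`, `ipsec sa` and interface commands in the syntax shown on this page and runs those checks; it also flags the MD5 algorithm this step selects. The SA name, SPIs and keys are the Router's from the step; the peer configurations P1 and P2 are constructed for the example, with P2 deliberately pasting the Router's SA verbatim (keys not mirrored) and leaving one link unprotected.

```python
"""Consistency audit for OSPFv3 IPsec SAs written in Huawei VRP configuration syntax.
Added example, not from the Huawei document: SA name, SPIs and keys come from the Router
step above; P1 and P2 are constructed peers, and P2 carries deliberate mistakes.
"""
import re
from dataclasses import dataclass, field


@dataclass
class IpsecSa:
    name: str
    proposal: str = ""
    spi: dict = field(default_factory=dict)  # "inbound"/"outbound" -> SPI
    key: dict = field(default_factory=dict)  # "inbound"/"outbound" -> hex key


@dataclass
class Device:
    name: str
    proposals: dict = field(default_factory=dict)  # proposal -> authentication algorithm
    sas: dict = field(default_factory=dict)        # SA name -> IpsecSa
    ifaces: dict = field(default_factory=dict)     # OSPFv3 interface -> bound SA name or None


def parse_config(name: str, text: str) -> Device:
    """Line-oriented parse: a '#' line closes the current block, other lines belong to it."""
    dev, kind, cur = Device(name), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            kind = cur = None
        elif m := re.match(r"ipsec proposal (\S+)$", line):
            kind, cur = "proposal", m.group(1)
        elif m := re.match(r"ipsec sa (\S+)$", line):
            kind, cur = "sa", dev.sas.setdefault(m.group(1), IpsecSa(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            kind, cur = "iface", m.group(1)
        elif kind == "proposal" and (m := re.match(r"\S+ authentication-algorithm (\S+)", line)):
            dev.proposals[cur] = m.group(1)
        elif kind == "sa" and (m := re.match(r"proposal (\S+)", line)):
            cur.proposal = m.group(1)
        elif kind == "sa" and (m := re.match(r"sa spi (inbound|outbound) \S+ (\d+)", line)):
            cur.spi[m.group(1)] = int(m.group(2))
        elif kind == "sa" and (m := re.match(r"sa authentication-hex (inbound|outbound) \S+ \S+ (\S+)", line)):
            cur.key[m.group(1)] = m.group(2).lower()
        elif kind == "iface" and re.match(r"ospfv3 \d+ area ", line):
            dev.ifaces.setdefault(cur, None)
        elif kind == "iface" and (m := re.match(r"ospfv3 ipsec sa (\S+)", line)):
            dev.ifaces[cur] = m.group(1)
    return dev


def audit_device(dev: Device) -> list:
    """Every OSPFv3 link interface must bind a defined SA; weak hash algorithms are flagged."""
    out = []
    for iface, sa in dev.ifaces.items():
        if iface.lower().startswith("loopback"):
            continue  # no adjacency forms on a loopback, so there is nothing to authenticate
        if sa is None or sa not in dev.sas:
            out.append(f"{dev.name}: {iface} runs OSPFv3 without a defined IPsec SA")
    for sa in dev.sas.values():
        if dev.proposals.get(sa.proposal) in {"md5", "sha1"}:
            out.append(f"{dev.name}: SA {sa.name} authenticates with {dev.proposals[sa.proposal]}; prefer sha2-256 or stronger")
    return out


def audit_pair(a: Device, b: Device, sa: str = "ospfv3-sa") -> list:
    """Link ends must mirror each other: A's inbound SPI/key equal B's outbound, and vice versa."""
    out, x, y = [], a.sas[sa], b.sas[sa]
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if x.spi.get(mine) != y.spi.get(theirs):
            out.append(f"{a.name} {mine} SPI {x.spi.get(mine)} != {b.name} {theirs} SPI {y.spi.get(theirs)}")
        if x.key.get(mine) != y.key.get(theirs):
            out.append(f"{a.name} {mine} key != {b.name} {theirs} key")
    return out


def sample_cfg(in_key: str, out_key: str, protect_trunk1: bool = True) -> str:
    """Constructed device config in the page's syntax; only the keys and one binding vary."""
    return f"""\
ipsec proposal ah-md5
 transform ah
 ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
 proposal ah-md5
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher {in_key}
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher {out_key}
#
interface Eth-Trunk1
 ospfv3 1 area 0.0.0.0
{' ospfv3 ipsec sa ospfv3-sa' if protect_trunk1 else ' ospfv3 network-type p2p'}
#
interface LoopBack0
 ospfv3 1 area 0.0.0.0
"""


KEY_A = "112233445566778899aabbccddeeff00"  # Router inbound key from the step
KEY_B = "aabbccddeeff001100aabbccddeeff00"  # Router outbound key from the step
ROUTER = parse_config("Router", sample_cfg(KEY_A, KEY_B))
P1 = parse_config("P1", sample_cfg(KEY_B, KEY_A))         # constructed: keys correctly mirrored
P2 = parse_config("P2", sample_cfg(KEY_A, KEY_B, False))  # constructed: Router's SA pasted verbatim
```

Running `audit_pair(ROUTER, P1)` returns no findings, while `audit_pair(ROUTER, P2)` reports a key mismatch in both directions even though every SPI is 256, which is exactly the symptom (adjacency stuck, authentication failures in the OSPFv3 logs) that a verbatim copy of one end's SA produces on the other end.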

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[Router] ospfv3 1
[Router-ospfv3-1] router-id 4.4.4.39
[Router-ospfv3-1] bandwidth-reference 1000000
[Router-ospfv3-1] graceful-restart
[Router-ospfv3-1] default-route-advertise always
[Router-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[Router] interface LoopBack 0
[Router-LoopBack0] ospf enable 1 area 0.0.0.0
[Router-LoopBack0] ospfv3 1 area 0.0.0.0
[Router-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[Router] interface Eth-Trunk 0
[Router-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[Router-Eth-Trunk0] ospf network-type p2p
[Router-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[Router-Eth-Trunk0] ospfv3 network-type p2p
[Router-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[Router-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[Router] interface Eth-Trunk 1
[Router-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[Router-Eth-Trunk1] ospf network-type p2p
[Router-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[Router-Eth-Trunk1] ospfv3 network-type p2p
[Router-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[Router-Eth-Trunk1] quit

Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces of Router.
# Configure MPLS RSVP-TE and enable MPLS globally.
[Router] mpls lsr-id 4.4.4.39
[Router] mpls
[Router-mpls] mpls te
[Router-mpls] mpls rsvp-te
[Router-mpls] mpls rsvp-te hello
[Router-mpls] mpls rsvp-te srefresh
[Router-mpls] quit

# Establish RSVP peer relationships and enable MD5 authentication.
[Router] mpls rsvp-te peer 1.1.2.225
[Router-mpls-rsvp-te-peer-1.1.2.225] mpls rsvp-te authentication cipher huawei@123
[Router-mpls-rsvp-te-peer-1.1.2.225] quit
[Router] mpls rsvp-te peer 1.1.2.229
[Router-mpls-rsvp-te-peer-1.1.2.229] mpls rsvp-te authentication cipher huawei@123
[Router-mpls-rsvp-te-peer-1.1.2.229] quit

# Enable MPLS and RSVP-TE on the Layer 3 interfaces of Router that connect to the P devices.
[Router] interface Eth-Trunk 0
[Router-Eth-Trunk0] mpls
[Router-Eth-Trunk0] mpls te
[Router-Eth-Trunk0] mpls rsvp-te
[Router-Eth-Trunk0] mpls rsvp-te hello
[Router-Eth-Trunk0] quit
[Router] interface Eth-Trunk 1
[Router-Eth-Trunk1] mpls
[Router-Eth-Trunk1] mpls te
[Router-Eth-Trunk1] mpls rsvp-te
[Router-Eth-Trunk1] mpls rsvp-te hello
[Router-Eth-Trunk1] quit

Step 4 Configure TE tunnels and their explicit paths.
# Configure explicit paths for TE tunnels.
[Router] explicit-path TO-PE1-1
[Router-explicit-path-TO-PE1-1] next hop 1.1.2.225
[Router-explicit-path-TO-PE1-1] next hop 1.1.1.2
[Router-explicit-path-TO-PE1-1] quit
[Router] explicit-path TO-PE1-2
[Router-explicit-path-TO-PE1-2] next hop 1.1.2.229
[Router-explicit-path-TO-PE1-2] next hop 1.1.1.10
[Router-explicit-path-TO-PE1-2] quit
[Router] explicit-path TO-PE2-1
[Router-explicit-path-TO-PE2-1] next hop 1.1.2.225
[Router-explicit-path-TO-PE2-1] next hop 1.1.1.6
[Router-explicit-path-TO-PE2-1] quit
[Router] explicit-path TO-PE2-2
[Router-explicit-path-TO-PE2-2] next hop 1.1.2.229
[Router-explicit-path-TO-PE2-2] next hop 1.1.1.14
[Router-explicit-path-TO-PE2-2] quit

# Configure TE tunnels.
[Router] interface Tunnel1
[Router-Tunnel1] ip address unnumbered interface LoopBack0
[Router-Tunnel1] tunnel-protocol mpls te
[Router-Tunnel1] destination 4.4.4.143
[Router-Tunnel1] mpls te tunnel-id 1
[Router-Tunnel1] mpls te signalled tunnel-name router->pe1-1
[Router-Tunnel1] mpls te record-route label
[Router-Tunnel1] mpls te path explicit-path TO-PE1-1
[Router-Tunnel1] mpls te path explicit-path TO-PE1-2 secondary
[Router-Tunnel1] mpls te backup hot-standby
[Router-Tunnel1] mpls te igp shortcut ospf
[Router-Tunnel1] mpls te igp metric absolute 10
[Router-Tunnel1] mpls te reserved-for-binding
[Router-Tunnel1] ospf enable 1 area 0.0.0.0
[Router-Tunnel1] mpls
[Router-Tunnel1] mpls te commit
[Router-Tunnel1] quit
[Router] interface Tunnel2
[Router-Tunnel2] ip address unnumbered interface LoopBack0
[Router-Tunnel2] tunnel-protocol mpls te
[Router-Tunnel2] destination 4.4.4.144
[Router-Tunnel2] mpls te tunnel-id 2
[Router-Tunnel2] mpls te signalled tunnel-name router->pe2-1
[Router-Tunnel2] mpls te record-route label
[Router-Tunnel2] mpls te path explicit-path TO-PE2-1
[Router-Tunnel2] mpls te path explicit-path TO-PE2-2 secondary
[Router-Tunnel2] mpls te backup hot-standby
[Router-Tunnel2] mpls te igp shortcut ospf
[Router-Tunnel2] mpls te igp metric absolute 10
[Router-Tunnel2] mpls te reserved-for-binding
[Router-Tunnel2] ospf enable 1 area 0.0.0.0
[Router-Tunnel2] mpls
[Router-Tunnel2] mpls te commit
[Router-Tunnel2] quit
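A hot-standby backup only adds resilience when its explicit path avoids the links of the primary, and tunnel settings are not applied until `mpls te commit`. The Python check below is an added example, not Huawei code: it parses `explicit-path` blocks and `interface Tunnel` blocks in the syntax used above, then reports tunnels whose primary and secondary paths share a next hop, whose destination is not a known LSR ID, or that were never committed. The explicit paths and Tunnel1 are the Router's from this step; Tunnel3 and its destination 4.4.4.200 are constructed to carry the faults, and the set of known LSR IDs is assumed to be the two PE loopbacks from this deployment.

```python
"""Path-diversity and completeness checks for MPLS TE tunnels in Huawei VRP syntax.
Added example, not from the Huawei document. The explicit paths and Tunnel1 reproduce the
Router step above; Tunnel3 (destination 4.4.4.200) is constructed with deliberate faults.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tunnel:
    name: str
    destination: Optional[str] = None
    primary: Optional[str] = None
    secondary: Optional[str] = None
    hot_standby: bool = False
    committed: bool = False


def parse_te(text: str):
    """Collect explicit paths (name -> hop list) and Tunnel interfaces from config text."""
    paths, tunnels, kind, cur = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            kind = cur = None
        elif m := re.match(r"explicit-path (\S+)$", line):
            kind, cur = "path", paths.setdefault(m.group(1), [])
        elif m := re.match(r"interface (Tunnel\S+)$", line):
            kind, cur = "tunnel", tunnels.setdefault(m.group(1), Tunnel(m.group(1)))
        elif kind == "path" and (m := re.match(r"next hop (\S+)", line)):
            cur.append(m.group(1))
        elif kind == "tunnel" and (m := re.match(r"destination (\S+)", line)):
            cur.destination = m.group(1)
        elif kind == "tunnel" and (m := re.match(r"mpls te path explicit-path (\S+)( secondary)?$", line)):
            if m.group(2):
                cur.secondary = m.group(1)
            else:
                cur.primary = m.group(1)
        elif kind == "tunnel" and line == "mpls te backup hot-standby":
            cur.hot_standby = True
        elif kind == "tunnel" and line == "mpls te commit":
            cur.committed = True
    return paths, tunnels


def audit_te(paths: dict, tunnels: dict, lsr_ids: set) -> list:
    """Flag tunnels that are uncommitted, point nowhere known, or whose backup shares hops."""
    out = []
    for t in tunnels.values():
        if not t.committed:
            out.append(f"{t.name}: missing 'mpls te commit', tunnel parameters are not applied")
        if t.destination not in lsr_ids:
            out.append(f"{t.name}: destination {t.destination} is not a known LSR ID")
        for role, name in (("primary", t.primary), ("secondary", t.secondary)):
            if name is not None and name not in paths:
                out.append(f"{t.name}: {role} explicit path {name} is undefined")
        if t.hot_standby and t.secondary is None:
            out.append(f"{t.name}: hot-standby backup requested but no secondary path")
        if t.primary in paths and t.secondary in paths:
            shared = sorted(set(paths[t.primary]) & set(paths[t.secondary]))
            if shared:
                out.append(f"{t.name}: primary and secondary share next hops {shared}; no link diversity")
    return out


# Constructed sample: Router's explicit paths and Tunnel1 from the step, plus a faulty Tunnel3.
ROUTER_TE_CFG = """\
explicit-path TO-PE1-1
 next hop 1.1.2.225
 next hop 1.1.1.2
#
explicit-path TO-PE1-2
 next hop 1.1.2.229
 next hop 1.1.1.10
#
explicit-path TO-PE2-1
 next hop 1.1.2.225
 next hop 1.1.1.6
#
interface Tunnel1
 tunnel-protocol mpls te
 destination 4.4.4.143
 mpls te path explicit-path TO-PE1-1
 mpls te path explicit-path TO-PE1-2 secondary
 mpls te backup hot-standby
 mpls te commit
#
interface Tunnel3
 tunnel-protocol mpls te
 destination 4.4.4.200
 mpls te path explicit-path TO-PE1-1
 mpls te path explicit-path TO-PE2-1 secondary
 mpls te backup hot-standby
#
"""
KNOWN_LSR_IDS = {"4.4.4.143", "4.4.4.144"}  # PE1 and PE2 loopbacks (assumed complete for this check)
```

The disjointness test is at the level of next-hop addresses: two paths that name the same next hop leave the Router over the same Eth-Trunk, so a failure of that trunk takes down both the primary and its hot-standby backup, which is the case Tunnel3 is built to show.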

Step 5 Configure BGP and BGP4+, and configure Router to establish IBGP peer relationships with RR1 and RR2.
# Start the BGP process and configure BGP peers.
[Router] bgp 2519
[Router-bgp] router-id 4.4.4.39
[Router-bgp] graceful-restart
[Router-bgp] group iBGP internal
[Router-bgp] peer iBGP connect-interface LoopBack0
[Router-bgp] peer 4.4.4.27 as-number 2519
[Router-bgp] peer 4.4.4.27 group iBGP
[Router-bgp] peer 4.4.4.27 password cipher huawei@123
[Router-bgp] peer 4.4.4.28 as-number 2519
[Router-bgp] peer 4.4.4.28 group iBGP
[Router-bgp] peer 4.4.4.28 password cipher huawei@123
[Router-bgp] peer 2001::15 as-number 2519
[Router-bgp] peer 2001::15 group iBGP
[Router-bgp] peer 2001::15 password cipher huawei@123
[Router-bgp] peer 2001::16 as-number 2519
[Router-bgp] peer 2001::16 group iBGP
[Router-bgp] peer 2001::16 password cipher huawei@123
[Router-bgp] ipv4-family unicast
[Router-bgp-af-ipv4] undo synchronization
[Router-bgp-af-ipv4] preference 170 170 130
[Router-bgp-af-ipv4] peer iBGP next-hop-local
[Router-bgp-af-ipv4] peer iBGP advertise-community
[Router-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[Router-bgp] ipv6-family unicast
[Router-bgp-af-ipv6] undo synchronization
[Router-bgp-af-ipv6] preference 170 170 130
[Router-bgp-af-ipv6] peer iBGP enable
[Router-bgp-af-ipv6] peer iBGP next-hop-local
[Router-bgp-af-ipv6] peer iBGP advertise-community
[Router-bgp-af-ipv6] peer 2001::15 enable
[Router-bgp-af-ipv6] peer 2001::15 group iBGP
[Router-bgp-af-ipv6] peer 2001::16 enable
[Router-bgp-af-ipv6] peer 2001::16 group iBGP
[Router-bgp-af-ipv6] quit
[Router-bgp] quit

----End

9.5.4.6 Configuring SW1


Step 1 Configure interfaces connected to devices.
# Create Eth-Trunk 0 and configure its IPv4 address. Enable LACP, and add XGE0/0/1 and XGE0/0/2 to Eth-Trunk 0.
<SW1> system-view
[SW1] interface Eth-Trunk 0
[SW1-Eth-Trunk0] undo portswitch
[SW1-Eth-Trunk0] description To_PE1
[SW1-Eth-Trunk0] ip address 2.2.2.206 255.255.255.252
[SW1-Eth-Trunk0] mode lacp
[SW1-Eth-Trunk0] quit
[SW1] interface XGigabitEthernet 0/0/1
[SW1-XGigabitEthernet0/0/1] eth-trunk 0
[SW1-XGigabitEthernet0/0/1] quit
[SW1] interface XGigabitEthernet 0/0/2
[SW1-XGigabitEthernet0/0/2] eth-trunk 0
[SW1-XGigabitEthernet0/0/2] quit

# Create Eth-Trunk 1 and configure its IPv4 address. Enable LACP, and add XGE0/0/3 and XGE0/0/4 to Eth-Trunk 1.
[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] undo portswitch
[SW1-Eth-Trunk1] description To_PE2
[SW1-Eth-Trunk1] ip address 2.2.2.254 255.255.255.252
[SW1-Eth-Trunk1] mode lacp
[SW1-Eth-Trunk1] quit
[SW1] interface XGigabitEthernet 0/0/3
[SW1-XGigabitEthernet0/0/3] eth-trunk 1
[SW1-XGigabitEthernet0/0/3] quit
[SW1] interface XGigabitEthernet 0/0/4
[SW1-XGigabitEthernet0/0/4] eth-trunk 1
[SW1-XGigabitEthernet0/0/4] quit

# Create VLANIF 300 and configure an IP address for it.
[SW1] vlan batch 300
[SW1] interface Vlanif300
[SW1-Vlanif300] ip address 5.5.5.1 255.255.255.0
[SW1-Vlanif300] quit

# Create Eth-Trunk 2, enable LACP, and add XGE0/0/5 and XGE0/0/6 to Eth-Trunk 2.
[SW1] interface Eth-Trunk 2
[SW1-Eth-Trunk2] port link-type trunk
[SW1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[SW1-Eth-Trunk2] port trunk allow-pass vlan 300
[SW1-Eth-Trunk2] mode lacp
[SW1-Eth-Trunk2] quit
[SW1] interface XGigabitEthernet 0/0/5
[SW1-XGigabitEthernet0/0/5] eth-trunk 2
[SW1-XGigabitEthernet0/0/5] quit
[SW1] interface XGigabitEthernet 0/0/6
[SW1-XGigabitEthernet0/0/6] eth-trunk 2
[SW1-XGigabitEthernet0/0/6] quit

Step 2 Configure BGP and configure SW1 to establish EBGP peer relationships with PE devices.
# Start the BGP process and configure BGP peers.
[SW1] bgp 64901
[SW1-bgp] graceful-restart
[SW1-bgp] group eBGP1 external
[SW1-bgp] peer eBGP1 connect-interface Eth-Trunk0
[SW1-bgp] peer 2.2.2.205 as-number 2519
[SW1-bgp] peer 2.2.2.205 group eBGP1
[SW1-bgp] peer 2.2.2.205 password cipher huawei@123
[SW1-bgp] group eBGP2 external
[SW1-bgp] peer eBGP2 connect-interface Eth-Trunk1
[SW1-bgp] peer 2.2.2.253 as-number 2519
[SW1-bgp] peer 2.2.2.253 group eBGP2
[SW1-bgp] peer 2.2.2.253 password cipher huawei@123
[SW1-bgp] ipv4-family unicast
[SW1-bgp-af-ipv4] undo synchronization
[SW1-bgp-af-ipv4] network 5.5.5.0 255.255.255.0
[SW1-bgp-af-ipv4] quit
[SW1-bgp] quit

----End
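The BGP steps for RR1, Router and SW1 share a few hardening invariants: every peer carries a session password (its own or its group's), a peer's AS agrees with the internal or external nature of its group, an address-family line only enables or marks peers that were actually defined with `as-number`, and on a reflector every iBGP peer active in a reflecting family is a `reflect-client`. The Python audit below is an added example (not Huawei code or tooling) that parses a `bgp` block in the syntax used on this page and checks those invariants; IPv6 peer addresses are canonicalised so that `2001:0::14A` and `2001::14A` count as one peer. RR1_CFG and SW1_CFG are constructed samples modelled on the RR1 and SW1 steps, each seeded with mistakes to detect (a peer without a password, a peer enabled under an address that was never defined, an AS that contradicts its external group).

```python
"""Peer-hardening audit for Huawei VRP 'bgp' blocks: session passwords, AS/group
consistency, reflect-client marking, and address-family lines naming undefined peers.
Added example, not from the Huawei document; RR1_CFG and SW1_CFG are constructed
samples modelled on the RR1 and SW1 steps, each with deliberate mistakes.
"""
import ipaddress, re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    """A peer (keyed by its canonical address) or a peer group (keyed by name)."""
    name: str
    kind: str = "peer"                 # "peer", "internal" or "external"
    as_number: Optional[int] = None
    group: Optional[str] = None
    password: bool = False
    enabled: set = field(default_factory=set)         # address families the peer is active in
    reflect_client: set = field(default_factory=set)  # families where it is a reflect-client


def norm(token: str) -> str:
    """Canonicalise addresses so 2001:0::14A and 2001::14a resolve to one peer."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return token  # a group name


def parse_bgp(text: str):
    """Return (local AS, {name: Entry}, {families in which this device is a reflector})."""
    local_as, entries, rr_families, family = None, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"(ipv4|ipv6)-family unicast", line):
            family = m.group(1)
        elif line.startswith("reflector cluster-id "):
            rr_families.add(family)
        elif m := re.match(r"group (\S+) (internal|external)", line):
            entries[m.group(1)] = Entry(m.group(1), m.group(2))
        elif m := re.match(r"peer (\S+) (\S+)\s*(\S*)", line):
            e = entries.setdefault(norm(m.group(1)), Entry(norm(m.group(1))))
            verb, arg = m.group(2), m.group(3)
            if verb == "as-number":
                e.as_number = int(arg)
                if e.kind == "peer" and ipaddress.ip_address(e.name).version == 4:
                    e.enabled.add("ipv4")  # IPv4 unicast is on by default for IPv4 peers
            elif verb == "group":
                e.group = arg
            elif verb == "password":
                e.password = True
            elif verb == "enable":
                e.enabled.add(family)
            elif verb == "reflect-client":
                e.reflect_client.add(family)
    return local_as, entries, rr_families


def audit_bgp(local_as, entries, rr_families) -> list:
    out = []
    for p in entries.values():
        if p.kind != "peer":
            continue
        g = entries.get(p.group)
        if p.as_number is None:
            out.append(f"peer {p.name} is referenced but never defined with as-number")
            continue
        if not (p.password or (g is not None and g.password)):
            out.append(f"peer {p.name} has no session password")
        if g is not None and (p.as_number == local_as) != (g.kind == "internal"):
            out.append(f"peer {p.name} (AS {p.as_number}) does not belong in {g.kind} group {g.name}")
        clients = p.reflect_client | (g.reflect_client if g is not None else set())
        for fam in sorted(p.enabled & rr_families):
            if p.as_number == local_as and fam not in clients:
                out.append(f"iBGP peer {p.name} is not a reflect-client in the {fam} family")
    return out


RR1_CFG = """\
bgp 2519
 group iBGP internal
 peer 4.4.4.1 as-number 2519
 peer 4.4.4.1 password cipher huawei@123
 peer 4.4.4.2 as-number 2519
 peer 4.4.4.2 group iBGP
 peer 2001::14A as-number 2519
 peer 2001::14A password cipher huawei@123
 ipv4-family unicast
  reflector cluster-id 2519
  peer 4.4.4.1 reflect-client
 ipv6-family unicast
  reflector cluster-id 2519
  peer 2001:0::14A enable
  peer 2001:0::14A reflect-client
  peer 2001:0::150 enable
"""
SW1_CFG = """\
bgp 64901
 group eBGP1 external
 peer 2.2.2.205 as-number 2519
 peer 2.2.2.205 group eBGP1
 peer 2.2.2.205 password cipher huawei@123
 group eBGP2 external
 peer 2.2.2.253 as-number 64901
 peer 2.2.2.253 group eBGP2
"""
```

On RR1_CFG the audit reports 4.4.4.2 twice (no password, and not a reflect-client in the IPv4 family) and `2001::150` once (enabled but never defined), while the differently spelled `2001:0::14A` lines are correctly matched to the defined peer and produce nothing; on SW1_CFG it reports 2.2.2.253 for the missing password and for carrying the local AS inside an external group.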

9.5.4.7 Configuring SW2


Step 1 Configure interfaces connected to devices.
# Create VLANIF 100 and VLANIF 200, and configure IP addresses for them.
<SW2> system-view
[SW2] vlan batch 100 200
[SW2] interface Vlanif100
[SW2-Vlanif100] ip address 3.3.3.116 255.255.255.248
[SW2-Vlanif100] quit
[SW2] interface Vlanif200
[SW2-Vlanif200] ip address 6.6.6.1 255.255.255.0
[SW2-Vlanif200] quit

# Create Eth-Trunk 0, enable LACP, and add XGE0/0/1 and XGE0/0/2 to Eth-Trunk 0.
[SW2] interface Eth-Trunk 0
[SW2-Eth-Trunk0] port link-type trunk
[SW2-Eth-Trunk0] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk0] port trunk allow-pass vlan 100
[SW2-Eth-Trunk0] stp disable
[SW2-Eth-Trunk0] mode lacp
[SW2-Eth-Trunk0] quit
[SW2] interface XGigabitEthernet 0/0/1
[SW2-XGigabitEthernet0/0/1] eth-trunk 0
[SW2-XGigabitEthernet0/0/1] quit
[SW2] interface XGigabitEthernet 0/0/2
[SW2-XGigabitEthernet0/0/2] eth-trunk 0
[SW2-XGigabitEthernet0/0/2] quit

# Create Eth-Trunk 1, enable LACP, and add XGE0/0/3 and XGE0/0/4 to Eth-Trunk 1.
[SW2] interface Eth-Trunk 1
[SW2-Eth-Trunk1] port link-type trunk
[SW2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk1] port trunk allow-pass vlan 100
[SW2-Eth-Trunk1] stp disable
[SW2-Eth-Trunk1] mode lacp
[SW2-Eth-Trunk1] quit
[SW2] interface XGigabitEthernet 0/0/3
[SW2-XGigabitEthernet0/0/3] eth-trunk 1
[SW2-XGigabitEthernet0/0/3] quit
[SW2] interface XGigabitEthernet 0/0/4
[SW2-XGigabitEthernet0/0/4] eth-trunk 1
[SW2-XGigabitEthernet0/0/4] quit

# Create Eth-Trunk 2, enable LACP, and add XGE0/0/5 and XGE0/0/6 to Eth-Trunk 2.
[SW2] interface Eth-Trunk 2
[SW2-Eth-Trunk2] port link-type trunk
[SW2-Eth-Trunk2] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk2] port trunk allow-pass vlan 200
[SW2-Eth-Trunk2] stp disable
[SW2-Eth-Trunk2] mode lacp
[SW2-Eth-Trunk2] quit
[SW2] interface XGigabitEthernet 0/0/5
[SW2-XGigabitEthernet0/0/5] eth-trunk 2
[SW2-XGigabitEthernet0/0/5] quit
[SW2] interface XGigabitEthernet 0/0/6
[SW2-XGigabitEthernet0/0/6] eth-trunk 2
[SW2-XGigabitEthernet0/0/6] quit

# Configure static routes.
[SW2] ip route-static 0.0.0.0 0.0.0.0 Vlanif100 3.3.3.113

----End

9.5.5 Verifying the Deployment


Step 1 Connect testers to enterprise 1 and enterprise 2 respectively to simulate Device A and Device B.
Step 2 Device A can successfully ping Device B, P devices, and Router.
Step 3 Device B can successfully ping Device A, P devices, and Router.

----End

9.5.6 Configuration Files


SW1

#
 sysname SW1
#
vlan batch 300
#
interface Vlanif300
 ip address 5.5.5.1 255.255.255.0
#
interface Eth-Trunk0
 undo portswitch
 description To_PE1
 ip address 2.2.2.206 255.255.255.252
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_PE2
 ip address 2.2.2.254 255.255.255.252
 mode lacp
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 300
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
interface XGigabitEthernet0/0/3
 eth-trunk 1
#
interface XGigabitEthernet0/0/4
 eth-trunk 1
#
interface XGigabitEthernet0/0/5
 eth-trunk 2
#
interface XGigabitEthernet1/0/6
 eth-trunk 2
#
bgp 64901
 graceful-restart
 group eBGP1 external
 peer eBGP1 connect-interface Eth-Trunk1
 peer 2.2.2.205 as-number 2519
 peer 2.2.2.205 group eBGP1
 peer 2.2.2.205 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 group eBGP2 external
 peer eBGP2 connect-interface Eth-Trunk0
 peer 2.2.2.253 as-number 2519
 peer 2.2.2.253 group eBGP2
 peer 2.2.2.253 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 #
 ipv4-family unicast
  undo synchronization
  network 5.5.5.0 255.255.255.0
  peer eBGP1 enable
  peer 2.2.2.205 enable
  peer 2.2.2.205 group eBGP1
  peer eBGP2 enable
  peer 2.2.2.253 enable
  peer 2.2.2.253 group eBGP2
#
return

SW2

#
 sysname SW2
#
vlan batch 100 200
#
interface Vlanif100
 ip address 3.3.3.116 255.255.255.248
#
interface Vlanif200
 ip address 6.6.6.1 255.255.255.0
#
interface Eth-Trunk0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp disable
 mode lacp
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp disable
 mode lacp
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 stp disable
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
interface XGigabitEthernet0/0/3
 eth-trunk 1
#
interface XGigabitEthernet0/0/4
 eth-trunk 1
#
interface XGigabitEthernet0/0/5
 eth-trunk 2
#
interface XGigabitEthernet1/0/6
 eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif100 3.3.3.113
#
return


PE1

#
 sysname PE1
#
 ipv6
#
 mpls lsr-id 4.4.4.143
 mpls
  mpls te
  mpls rsvp-te
  mpls rsvp-te hello
  mpls rsvp-te srefresh
#
explicit-path TO-P1-1
 next hop 1.1.1.1
#
explicit-path TO-P1-2
 next hop 1.1.1.9
 next hop 1.1.2.9
#
explicit-path TO-P2-1
 next hop 1.1.1.9
#
explicit-path TO-P2-2
 next hop 1.1.1.1
 next hop 1.1.2.10
#
explicit-path TO-PE2-1
 next hop 1.1.1.1
 next hop 1.1.1.6
#
explicit-path TO-PE2-2
 next hop 1.1.1.9
 next hop 1.1.1.14
#
explicit-path TO-ROUTER-1
 next hop 1.1.1.1
 next hop 1.1.2.226
#
explicit-path TO-ROUTER-2
 next hop 1.1.1.9
 next hop 1.1.2.230
#
mpls rsvp-te peer 1.1.1.1
 mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.9
 mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
 proposal ah-md5
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 4.4.4.143
 bandwidth-reference 1000000
 graceful-restart
#
interface Eth-Trunk0
 undo portswitch
 description To_P1
 ipv6 enable
 ip address 1.1.1.2 255.255.255.252
 ipv6 address 2001:0:0:4D9::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 network-type p2p
 ospfv3 ipsec sa ospfv3-sa
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mpls
 mpls te
 mpls rsvp-te
 mpls rsvp-te hello
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_P2
 ipv6 enable
 ip address 1.1.1.10 255.255.255.252
 ipv6 address 2001:0:0:4DB::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 network-type p2p
 ospfv3 ipsec sa ospfv3-sa
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mpls
 mpls te
 mpls rsvp-te
 mpls rsvp-te hello
 mode lacp
#
interface Eth-Trunk2
 undo portswitch
 description To_SW1
 ip address 2.2.2.205 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk3
 undo portswitch
 description To_SW2
 ip address 3.3.3.114 255.255.255.248
 vrrp vrid 1 virtual-ip 3.3.3.113
 vrrp vrid 1 priority 150
 vrrp vrid 1 preempt-mode timer delay 120
 vrrp vrid 1 track interface Eth-Trunk0 reduced 30
 vrrp vrid 1 track interface Eth-Trunk1 reduced 30
 vrrp vrid 1 authentication-mode md5 %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 ospf cost 10000
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet2/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/1
 eth-trunk 1
#
interface XGigabitEthernet3/0/0
 eth-trunk 2
#
interface XGigabitEthernet3/0/1
 eth-trunk 3
#
interface XGigabitEthernet4/0/0
 eth-trunk 2
#
interface XGigabitEthernet4/0/1
 eth-trunk 3
#
interface LoopBack0
 ipv6 enable
 ip address 4.4.4.143 255.255.255.255
 ipv6 address 2001::149/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
interface Tunnel1
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.1
 mpls te tunnel-id 1
 mpls te signalled tunnel-name pe1->P1-1
 mpls te record-route label
 mpls te path explicit-path TO-P1-1
 mpls te path explicit-path TO-P1-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel2
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.2
 mpls te tunnel-id 2
 mpls te signalled tunnel-name pe1->P2-1
 mpls te record-route label
 mpls te path explicit-path TO-P2-1
 mpls te path explicit-path TO-P2-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel3
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.39
 mpls te tunnel-id 19
 mpls te signalled tunnel-name pe1->router-1
 mpls te record-route label
 mpls te path explicit-path TO-ROUTER-1
 mpls te path explicit-path TO-ROUTER-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel4
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.39
 mpls te tunnel-id 20
 mpls te signalled tunnel-name pe1->router-2
 mpls te record-route label
 mpls te path explicit-path TO-ROUTER-2
 mpls te path explicit-path TO-ROUTER-1 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel5
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.144
 mpls te tunnel-id 69
 mpls te signalled tunnel-name pe1->pe2-1
 mpls te record-route label
 mpls te path explicit-path TO-PE2-1
 mpls te path explicit-path TO-PE2-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel6
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.144
 mpls te tunnel-id 70
 mpls te signalled tunnel-name pe1->pe2-2
 mpls te record-route label
 mpls te path explicit-path TO-PE2-2
 mpls te path explicit-path TO-PE2-1 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
bgp 2519
 router-id 4.4.4.143
 graceful-restart
 group IPv6-PRIVATEAS_CUSTOMER external
 group PRIVATEAS_CUSTOMER external
 peer 2.2.2.206 as-number 64901
 peer 2.2.2.206 group PRIVATEAS_CUSTOMER
 peer 2.2.2.206 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer 4.4.4.27 as-number 2519
 peer 4.4.4.27 group iBGP
 peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 4.4.4.28 as-number 2519
 peer 4.4.4.28 group iBGP
 peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 2001::15 as-number 2519
 peer 2001::15 group iBGP
 peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 2001::16 as-number 2519
 peer 2001::16 group iBGP
 peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A

PE2

#
 sysname PE2
#
 ipv6
#
 mpls lsr-id 4.4.4.144
 mpls
  mpls te
  mpls rsvp-te
  mpls rsvp-te hello
  mpls rsvp-te srefresh
#
explicit-path TO-P1-1
 next hop 1.1.1.5
#
explicit-path TO-P1-2
 next hop 1.1.1.13
 next hop 1.1.2.9
#
explicit-path TO-P2-1
 next hop 1.1.1.13
#
explicit-path TO-P2-2
 next hop 1.1.1.5
 next hop 1.1.2.10
#
explicit-path TO-PE1-1
 next hop 1.1.1.5
 next hop 1.1.1.2
#
explicit-path TO-PE1-2
 next hop 1.1.1.13
 next hop 1.1.1.10
#
explicit-path TO-ROUTER-1
 next hop 1.1.1.5
 next hop 1.1.2.226
#
explicit-path TO-ROUTER-2
 next hop 1.1.1.13
 next hop 1.1.2.230
#
mpls rsvp-te peer 1.1.1.5
 mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.13
 mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
 proposal ah-md5
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 4.4.4.144
 bandwidth-reference 1000000
 graceful-restart
#
interface Eth-Trunk0
 undo portswitch
 description To_P1
 ipv6 enable
 ip address 1.1.1.6 255.255.255.252
 ipv6 address 2001:0:0:4DA::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 network-type p2p
 ospfv3 ipsec sa ospfv3-sa
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mpls
 mpls te
 mpls rsvp-te
 mpls rsvp-te hello
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_P2
 ipv6 enable
 ip address 1.1.1.14 255.255.255.252
 ipv6 address 2001:0:0:4DC::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 network-type p2p
 ospfv3 ipsec sa ospfv3-sa
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mpls
 mpls te
 mpls rsvp-te
 mpls rsvp-te hello
 mode lacp
#
interface Eth-Trunk2
 undo portswitch
 description To_SW1
 ip address 2.2.2.253 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk3
 undo portswitch
 description To_SW2
 ip address 3.3.3.115 255.255.255.248
 vrrp vrid 1 virtual-ip 3.3.3.113
 vrrp vrid 1 track interface Eth-Trunk0 reduced 30
 vrrp vrid 1 track interface Eth-Trunk1 reduced 30
 vrrp vrid 1 authentication-mode md5 %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 ospf cost 20000
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet2/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/1
 eth-trunk 1
#
interface XGigabitEthernet3/0/0
 eth-trunk 2
#
interface XGigabitEthernet3/0/1
 eth-trunk 3
#
interface XGigabitEthernet4/0/0
 eth-trunk 2
#
interface XGigabitEthernet4/0/1
 eth-trunk 3
#
interface LoopBack0
 ipv6 enable
 ip address 4.4.4.144 255.255.255.255
 ipv6 address 2001::14A/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
interface Tunnel1
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.1
 mpls te tunnel-id 1
 mpls te signalled tunnel-name pe2->P1-1
 mpls te record-route label
 mpls te path explicit-path TO-P1-1
 mpls te path explicit-path TO-P1-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel2
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.2
 mpls te tunnel-id 2
 mpls te signalled tunnel-name pe2->P2-1
 mpls te record-route label
 mpls te path explicit-path TO-P2-1
 mpls te path explicit-path TO-P2-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel3
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.39
 mpls te tunnel-id 3
 mpls te signalled tunnel-name pe2->router-1
 mpls te record-route label
 mpls te path explicit-path TO-ROUTER-1
 mpls te path explicit-path TO-ROUTER-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel4
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.39
 mpls te tunnel-id 4
 mpls te signalled tunnel-name pe2->router-2
 mpls te record-route label
 mpls te path explicit-path TO-ROUTER-2
 mpls te path explicit-path TO-ROUTER-1 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel5
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.143
 mpls te tunnel-id 5
 mpls te signalled tunnel-name pe2->pe1-1
 mpls te record-route label
 mpls te path explicit-path TO-PE1-1
 mpls te path explicit-path TO-PE1-2 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
interface Tunnel6
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 4.4.4.143
 mpls te tunnel-id 6
 mpls te signalled tunnel-name pe2->pe1-2
 mpls te record-route label
 mpls te path explicit-path TO-PE1-2
 mpls te path explicit-path TO-PE1-1 secondary
 mpls te backup hot-standby
 mpls te igp shortcut ospf
 mpls te igp metric absolute 10
 mpls te reserved-for-binding
 mpls te commit
 ospf enable 1 area 0.0.0.0
 mpls
#
bgp 2519
 router-id 4.4.4.144
 graceful-restart
 group IPv6-PRIVATEAS_CUSTOMER external
 group PRIVATEAS_CUSTOMER external
 peer 2.2.2.254 as-number 64901
 peer 2.2.2.254 group PRIVATEAS_CUSTOMER
 peer 2.2.2.254 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer 4.4.4.27 as-number 2519
 peer 4.4.4.27 group iBGP
 peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 4.4.4.28 as-number 2519
 peer 4.4.4.28 group iBGP
 peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 2001::15 as-number 2519
 peer 2001::15 group iBGP
 peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 peer 2001::16 as-number 2519
 peer 2001::16 group iBGP
 peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
 #
 ipv4-family unicast
  undo synchronization
%^%# preference 170 170 130
# import-route static route-policy STATIC-to-BGP
ipv4-family unicast peer IPv6-PRIVATEAS_CUSTOMER enable
undo synchronization peer PRIVATEAS_CUSTOMER enable
preference 170 170 130 peer PRIVATEAS_CUSTOMER advertise-community
import-route static route-policy STATIC-to-BGP peer 2.2.2.254 enable
peer IPv6-PRIVATEAS_CUSTOMER enable peer 2.2.2.254 group PRIVATEAS_CUSTOMER
peer PRIVATEAS_CUSTOMER enable peer 2.2.2.254 route-policy DENY-ANY_ROUTE-
peer PRIVATEAS_CUSTOMER advertise- OUT export
community peer 2.2.2.254 default-route-advertise route-policy
peer 2.2.2.206 enable PRIVATEAS_CUSTOMER-DEFAULT-OUT conditional-
peer 2.2.2.206 group PRIVATEAS_CUSTOMER route-match-any 0.0.0.0 0.0.0.0
peer 2.2.2.206 route-policy DENY-ANY_ROUTE- peer iBGP enable
OUT export peer iBGP next-hop-local
peer 2.2.2.206 default-route-advertise route- peer iBGP advertise-community
policy PRIVATEAS_CUSTOMER-DEFAULT-OUT peer 4.4.4.27 enable
conditional-route-match-any 0.0.0.0 0.0.0.0 peer 4.4.4.27 group iBGP
peer iBGP enable peer 4.4.4.28 enable
peer iBGP next-hop-local peer 4.4.4.28 group iBGP
peer iBGP advertise-community #
peer 4.4.4.27 enable ipv6-family unicast
peer 4.4.4.27 group iBGP undo synchronization
peer 4.4.4.28 enable preference 170 170 130
peer 4.4.4.28 group iBGP import-route static route-policy STATIC-to-BGP
# peer IPv6-PRIVATEAS_CUSTOMER enable
ipv6-family unicast peer IPv6-PRIVATEAS_CUSTOMER advertise-
undo synchronization community
preference 170 170 130 peer iBGP enable
import-route static route-policy STATIC-to-BGP peer iBGP next-hop-local
peer IPv6-PRIVATEAS_CUSTOMER enable peer iBGP advertise-community
peer IPv6-PRIVATEAS_CUSTOMER advertise- peer 2001::15 enable
community peer 2001::15 group iBGP
peer iBGP enable peer 2001::16 enable

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 864


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

PE1 PE2
peer iBGP next-hop-local peer 2001::16 group iBGP
peer iBGP advertise-community #
peer 2001::15 enable ospf 1 router-id 4.4.4.144
peer 2001::15 group iBGP silent-interface all
peer 2001::16 enable undo silent-interface Eth-Trunk0
peer 2001::16 group iBGP undo silent-interface Eth-Trunk1
# preference 80
ospf 1 router-id 4.4.4.143 opaque-capability enable
silent-interface all graceful-restart
undo silent-interface Eth-Trunk0 bandwidth-reference 1000000
undo silent-interface Eth-Trunk1 enable traffic-adjustment
preference 80 area 0.0.0.0
opaque-capability enable authentication-mode md5 1 cipher %^%#r-
graceful-restart cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^
bandwidth-reference 1000000 %#
enable traffic-adjustment mpls-te enable
area 0.0.0.0 #
authentication-mode md5 1 cipher %^%#r- route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT
cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A permit node 100
%^%# if-match ip-prefix DEFAULT-ROUTE
mpls-te enable apply community no-export
# #
route-policy PRIVATEAS_CUSTOMER-DEFAULT- route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT
OUT permit node 100 deny node 200
if-match ip-prefix DEFAULT-ROUTE #
apply community no-export route-policy DENY-ANY_ROUTE-OUT deny node 100
# #
route-policy PRIVATEAS_CUSTOMER-DEFAULT- route-policy STATIC-to-BGP permit node 200
OUT deny node 200 if-match tag 2519
# apply local-preference 9000
route-policy DENY-ANY_ROUTE-OUT deny node apply origin igp
100 apply community 2519:1
# #
route-policy STATIC-to-BGP permit node 200 ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
if-match tag 2519 #
apply local-preference 10000 ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk3
apply origin igp 3.3.3.116 tag 2519
apply community 2519:1 #
# return
ip ip-prefix DEFAULT-ROUTE index 5 permit
0.0.0.0 0
#
ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk3
3.3.3.116 tag 2519
#
return
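The customer-facing policy chain on PE1 and PE2 (DENY-ANY_ROUTE-OUT as the per-peer export filter, PRIVATEAS_CUSTOMER-DEFAULT-OUT on the conditionally generated default route, STATIC-to-BGP on import) is what keeps the enterprise's internal prefixes from leaking to the private-AS customer while still handing it a default route tagged no-export. The following Python model is added here as an illustration; it is not part of the Huawei document or of any Huawei software. It replays the three route-policies over a constructed set of routes. The Route class, the policy tables, and the reading of "conditional-route-match-any 0.0.0.0 0.0.0.0" as "generate the default only while a default route exists in the local routing table" are this example's own assumptions; PE2 differs from the table below only in the local-preference value (9000 instead of 10000).

```python
"""Added example: replay of the PE1 route-policies (not Huawei code)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                       # e.g. "6.6.6.0/24"
    tag: Optional[int] = None         # tag carried by a static route
    local_pref: int = 100
    origin: str = "incomplete"
    communities: frozenset = frozenset()


# ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0 -> exact match on the default route only
PREFIX_LISTS = {"DEFAULT-ROUTE": {"0.0.0.0/0"}}

# Policy nodes as on PE1: (mode, node number, if-match clauses, apply clauses).
# Nodes are evaluated in order; the first node whose clauses all match decides;
# a route matching no node is denied (the usual route-policy semantics).
PE1_POLICIES = {
    "PRIVATEAS_CUSTOMER-DEFAULT-OUT": [
        ("permit", 100, {"ip-prefix": "DEFAULT-ROUTE"}, {"community": "no-export"}),
        ("deny", 200, {}, {}),
    ],
    "DENY-ANY_ROUTE-OUT": [("deny", 100, {}, {})],
    "STATIC-to-BGP": [
        ("permit", 200, {"tag": 2519},
         {"local-preference": 10000, "origin": "igp", "community": "2519:1"}),
    ],
}


def node_matches(match, route):
    """All if-match clauses of a node must hold for the node to apply."""
    if "ip-prefix" in match and route.prefix not in PREFIX_LISTS[match["ip-prefix"]]:
        return False
    if "tag" in match and route.tag != match["tag"]:
        return False
    return True


def apply_policy(nodes, route):
    """Return the (possibly modified) route if permitted, None if denied."""
    for mode, _num, match, actions in nodes:
        if not node_matches(match, route):
            continue
        if mode == "deny":
            return None
        out = route
        if "local-preference" in actions:
            out = replace(out, local_pref=actions["local-preference"])
        if "origin" in actions:
            out = replace(out, origin=actions["origin"])
        if "community" in actions:
            out = replace(out, communities=out.communities | {actions["community"]})
        return out
    return None          # implicit deny at the end of the policy


def import_static(static_routes, policies):
    """import-route static route-policy STATIC-to-BGP: only tag-2519 statics enter BGP."""
    return [r for r in (apply_policy(policies["STATIC-to-BGP"], s) for s in static_routes) if r]


def export_to_customer(bgp_table, routing_table, policies, export_policy="DENY-ANY_ROUTE-OUT"):
    """Routes the PE advertises to the PRIVATEAS_CUSTOMER peer.

    export_policy=None models a PE with the export route-policy missing, to show
    what the filter is protecting against.
    """
    advertised = []
    for r in bgp_table:
        out = apply_policy(policies[export_policy], r) if export_policy else r
        if out is not None:
            advertised.append(out)
    # default-route-advertise ... conditional-route-match-any 0.0.0.0 0.0.0.0
    # Assumption: the default is generated only while a local default route exists.
    if any(r.prefix == "0.0.0.0/0" for r in routing_table):
        out = apply_policy(policies["PRIVATEAS_CUSTOMER-DEFAULT-OUT"],
                           Route("0.0.0.0/0", origin="igp"))
        if out is not None:
            advertised.append(out)
    return advertised


if __name__ == "__main__":
    # Constructed sample tables: 6.6.6.0/24 is the page's static route, the rest is made up.
    statics = [Route("6.6.6.0/24", tag=2519), Route("7.7.7.0/24")]
    bgp_table = import_static(statics, PE1_POLICIES) + [Route("10.0.0.0/8", origin="igp")]
    igp_table = [Route("0.0.0.0/0"), Route("1.1.1.0/30")]
    for r in export_to_customer(bgp_table, igp_table, PE1_POLICIES):
        print("advertised:", r.prefix, sorted(r.communities))
    for r in export_to_customer(bgp_table, igp_table, PE1_POLICIES, export_policy=None):
        print("without export policy:", r.prefix)
```

With the page's policies in place the customer peer receives exactly one route, 0.0.0.0/0 with community no-export, and nothing at all while the backbone has no default route of its own; dropping the export policy leaks every BGP route, which is the failure mode DENY-ANY_ROUTE-OUT exists to prevent.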

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 865


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

P1
#
sysname P1
#
ipv6
#
mpls lsr-id 4.4.4.1
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-PE1-1
next hop 1.1.1.2
#
explicit-path TO-PE1-2
next hop 1.1.2.10
next hop 1.1.1.10
#
explicit-path TO-PE2-1
next hop 1.1.1.6
#
explicit-path TO-PE2-2
next hop 1.1.2.10
next hop 1.1.1.14
#
mpls rsvp-te peer 1.1.1.2
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.6
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.10
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.226
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.1
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_PE1
ipv6 enable
ip address 1.1.1.1 255.255.255.252
ipv6 address 2001:0:0:4D9::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_PE2
ipv6 enable
ip address 1.1.1.5 255.255.255.252
ipv6 address 2001:0:0:4DA::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk2
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.9 255.255.255.252
ipv6 address 2001:0:0:4D8::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk3
undo portswitch
description To_RR1
ipv6 enable
ip address 1.1.2.233 255.255.255.252
ipv6 address 2001:0:0:4D7::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk4
undo portswitch
description To_RR2
ipv6 enable
ip address 1.1.2.189 255.255.255.252
ipv6 address 2001:0:0:4E2::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk5
undo portswitch
description To_Router
ipv6 enable
ip address 1.1.2.225 255.255.255.252
ipv6 address 2001:0:0:4D5::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/0
eth-trunk 2
#
interface XGigabitEthernet3/0/1
eth-trunk 3
#
interface XGigabitEthernet3/0/2
eth-trunk 4
#
interface XGigabitEthernet3/0/3
eth-trunk 5
#
interface XGigabitEthernet4/0/0
eth-trunk 2
#
interface XGigabitEthernet4/0/1
eth-trunk 3
#
interface XGigabitEthernet4/0/2
eth-trunk 4
#
interface XGigabitEthernet4/0/3
eth-trunk 5
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.1 255.255.255.255
ipv6 address 2001::21/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 1
mpls te signalled tunnel-name P1->pe1-1
mpls te record-route label
mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 2
mpls te signalled tunnel-name P1->pe2-1
mpls te record-route label
mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.1
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.1
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk3
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return

P2
#
sysname P2
#
ipv6
#
mpls lsr-id 4.4.4.2
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-PE1-1
next hop 1.1.1.10
#
explicit-path TO-PE1-2
next hop 1.1.2.9
next hop 1.1.1.2
#
explicit-path TO-PE2-1
next hop 1.1.1.14
#
explicit-path TO-PE2-2
next hop 1.1.2.9
next hop 1.1.1.6
#
mpls rsvp-te peer 1.1.1.10
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.14
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.9
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.230
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.2
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_PE1
ipv6 enable
ip address 1.1.1.9 255.255.255.252
ipv6 address 2001:0:0:4DB::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_PE2
ipv6 enable
ip address 1.1.1.13 255.255.255.252
ipv6 address 2001:0:0:4DC::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk2
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.10 255.255.255.252
ipv6 address 2001:0:0:4D8::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk3
undo portswitch
description To_RR1
ipv6 enable
ip address 1.1.2.237 255.255.255.252
ipv6 address 2001:0:0:4D6::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk4
undo portswitch
description To_RR2
ipv6 enable
ip address 1.1.2.193 255.255.255.252
ipv6 address 2001:0:0:4E1::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk5
undo portswitch
description To_Router
ipv6 enable
ip address 1.1.2.229 255.255.255.252
ipv6 address 2001:0:0:4D4::1/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/0
eth-trunk 2
#
interface XGigabitEthernet3/0/1
eth-trunk 3
#
interface XGigabitEthernet3/0/2
eth-trunk 4
#
interface XGigabitEthernet3/0/3
eth-trunk 5
#
interface XGigabitEthernet4/0/0
eth-trunk 2
#
interface XGigabitEthernet4/0/1
eth-trunk 3
#
interface XGigabitEthernet4/0/2
eth-trunk 4
#
interface XGigabitEthernet4/0/3
eth-trunk 5
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.2 255.255.255.255
ipv6 address 2001::22/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 1
mpls te signalled tunnel-name P2->pe1-1
mpls te record-route label
mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 2
mpls te signalled tunnel-name P2->pe2-1
mpls te record-route label
mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.2
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.2
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk3
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 870


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

RR1
#
sysname RR1
#
ipv6
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.27
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.234 255.255.255.252
ipv6 address 2001:0:0:4D7::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 10000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.238 255.255.255.252
ipv6 address 2001:0:0:4D6::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 1000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.27 255.255.255.255
ipv6 address 2001::15/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 2519
router-id 4.4.4.27
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.1 as-number 2519
peer 4.4.4.1 group iBGP
peer 4.4.4.1 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.2 as-number 2519
peer 4.4.4.2 group iBGP
peer 4.4.4.2 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.39 as-number 2519
peer 4.4.4.39 group iBGP
peer 4.4.4.39 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.143 as-number 2519
peer 4.4.4.143 group iBGP
peer 4.4.4.143 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.144 as-number 2519
peer 4.4.4.144 group iBGP
peer 4.4.4.144 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::21 as-number 2519
peer 2001::21 group iBGP
peer 2001::21 password cipher %^%#Df[B&=%EiAdjp',]J'aTYKvRU]aRoBMw)c#ueRO@%^%#
peer 2001::22 as-number 2519
peer 2001::22 group iBGP
peer 2001::22 password cipher %^%#%L73Zh@&+U}9+\%GU<M07v}SO%{f!6WO<j)(rUmI%^%#
peer 2001::31 as-number 2519
peer 2001::31 group iBGP
peer 2001::31 password cipher %^%#]/q`QBny7KG<(T%tM)TLc2V8%cmLN2*o1cUuyt]U%^%#
peer 2001::149 as-number 2519
peer 2001::149 group iBGP
peer 2001::149 password cipher %^%#$_KwO"PsP)Cv2\~rmZ%;":hb$ZTRE@4rnYAtEusX%^%#
peer 2001::14A as-number 2519
peer 2001::14A group iBGP
peer 2001::14A password cipher %^%#N0~G8KObA6aSzL;d,n&YVsT0$!\G{6suKiATq=)G%^%#
#
ipv4-family unicast
undo synchronization
reflector cluster-id 2519
peer iBGP enable
peer iBGP advertise-community
peer 4.4.4.1 enable
peer 4.4.4.1 group iBGP
peer 4.4.4.1 reflect-client
peer 4.4.4.2 enable
peer 4.4.4.2 group iBGP
peer 4.4.4.2 reflect-client
peer 4.4.4.39 enable
peer 4.4.4.39 group iBGP
peer 4.4.4.39 reflect-client
peer 4.4.4.143 enable
peer 4.4.4.143 group iBGP
peer 4.4.4.143 reflect-client
peer 4.4.4.144 enable
peer 4.4.4.144 group iBGP
peer 4.4.4.144 reflect-client
#
ipv6-family unicast
undo synchronization
reflector cluster-id 2519
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::21 enable
peer 2001::21 group iBGP
peer 2001::21 reflect-client
peer 2001::22 enable
peer 2001::22 group iBGP
peer 2001::22 reflect-client
peer 2001::31 enable
peer 2001::31 group iBGP
peer 2001::31 reflect-client
peer 2001::149 enable
peer 2001::149 group iBGP
peer 2001::149 reflect-client
peer 2001::14A enable
peer 2001::14A group iBGP
peer 2001::14A reflect-client
#
ospf 1 router-id 4.4.4.27
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return

RR2
#
sysname RR2
#
ipv6
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.28
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.190 255.255.255.252
ipv6 address 2001:0:0:4E2::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 10000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.194 255.255.255.252
ipv6 address 2001:0:0:4E1::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 1000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.28 255.255.255.255
ipv6 address 2001::16/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 2519
router-id 4.4.4.28
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.1 as-number 2519
peer 4.4.4.1 group iBGP
peer 4.4.4.1 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.2 as-number 2519
peer 4.4.4.2 group iBGP
peer 4.4.4.2 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.39 as-number 2519
peer 4.4.4.39 group iBGP
peer 4.4.4.39 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.143 as-number 2519
peer 4.4.4.143 group iBGP
peer 4.4.4.143 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.144 as-number 2519
peer 4.4.4.144 group iBGP
peer 4.4.4.144 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::21 as-number 2519
peer 2001::21 group iBGP
peer 2001::21 password cipher %^%#Df[B&=%EiAdjp',]J'aTYKvRU]aRoBMw)c#ueRO@%^%#
peer 2001::22 as-number 2519
peer 2001::22 group iBGP
peer 2001::22 password cipher %^%#%L73Zh@&+U}9+\%GU<M07v}SO%{f!6WO<j)(rUmI%^%#
peer 2001::31 as-number 2519
peer 2001::31 group iBGP
peer 2001::31 password cipher %^%#]/q`QBny7KG<(T%tM)TLc2V8%cmLN2*o1cUuyt]U%^%#
peer 2001::149 as-number 2519
peer 2001::149 group iBGP
peer 2001::149 password cipher %^%#$_KwO"PsP)Cv2\~rmZ%;":hb$ZTRE@4rnYAtEusX%^%#
peer 2001::14A as-number 2519
peer 2001::14A group iBGP
peer 2001::14A password cipher %^%#N0~G8KObA6aSzL;d,n&YVsT0$!\G{6suKiATq=)G%^%#
#
ipv4-family unicast
undo synchronization
reflector cluster-id 2519
peer iBGP enable
peer iBGP advertise-community
peer 4.4.4.1 enable
peer 4.4.4.1 group iBGP
peer 4.4.4.1 reflect-client
peer 4.4.4.2 enable
peer 4.4.4.2 group iBGP
peer 4.4.4.2 reflect-client
peer 4.4.4.39 enable
peer 4.4.4.39 group iBGP
peer 4.4.4.39 reflect-client
peer 4.4.4.143 enable
peer 4.4.4.143 group iBGP
peer 4.4.4.143 reflect-client
peer 4.4.4.144 enable
peer 4.4.4.144 group iBGP
peer 4.4.4.144 reflect-client
#
ipv6-family unicast
undo synchronization
reflector cluster-id 2519
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::21 enable
peer 2001::21 group iBGP
peer 2001::21 reflect-client
peer 2001::22 enable
peer 2001::22 group iBGP
peer 2001::22 reflect-client
peer 2001::31 enable
peer 2001::31 group iBGP
peer 2001::31 reflect-client
peer 2001::149 enable
peer 2001::149 group iBGP
peer 2001::149 reflect-client
peer 2001::14A enable
peer 2001::14A group iBGP
peer 2001::14A reflect-client
#
ospf 1 router-id 4.4.4.28
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 873


Campus Networks Typical Configuration Examples 9 Campus Network Deployment Practices

Router
#
sysname Router
#
ipv6
#
mpls lsr-id 4.4.4.39
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-PE1-1
next hop 1.1.2.225
next hop 1.1.1.2
#
explicit-path TO-PE1-2
next hop 1.1.2.229
next hop 1.1.1.10
#
explicit-path TO-PE2-1
next hop 1.1.2.225
next hop 1.1.1.6
#
explicit-path TO-PE2-2
next hop 1.1.2.229
next hop 1.1.1.14
#
mpls rsvp-te peer 1.1.2.225
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.229
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.1
bandwidth-reference 1000000
graceful-restart
default-route-advertise always
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.226 255.255.255.252
ipv6 address 2001:0:0:4D5::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0

mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.230 255.255.255.252
ipv6 address 2001:0:0:4D4::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.39 255.255.255.255
ipv6 address 2001::31/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 1
mpls te signalled tunnel-name router->pe1-1
mpls te record-route label
mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 2
mpls te signalled tunnel-name router->pe2-1

mpls te record-route label
mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.39
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.39
default-route-advertise always
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment advertise
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return


9.6 ISP Backbone Network Deployment for Mutual Access of Sites in an Enterprise

9.6.1 Application Scenario and Service Requirements


Application Scenario
This example applies to scenarios in which the internal networks of a large-scale
enterprise need to communicate with each other through an Internet Service
Provider (ISP) backbone network.

Service Requirements
The ISP backbone network providing mutual access of internal networks of an
enterprise is a core area and has the following characteristics:
● A large number of routes
● IPv4/IPv6 dual stack
● Flexible routing policies
● A large number of users and heavy traffic
The following lists the main service requirements of the ISP backbone network
that provides mutual access of internal networks of an enterprise:
● Route control requirements
Provide flexible route forwarding, and control route advertisement and import
based on routing policies.
● Reliability requirements
Ensure bandwidth using multiple egress links.
Ensure high reliability and service continuity for important services such as
enterprise private line services.
Provide backup functions for key network nodes to ensure reliable
transmission of data services.
Shorten the service interruption time as much as possible to ensure user
experience upon an intermittent link disconnection or a device fault.
● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Meet security compliance requirements.
Control user access to ensure network security.


9.6.2 Solution Design

Networking Diagram
Figure 9-30 shows the networking diagram for mutual access between internal
networks of an enterprise through the backbone network in a project.

Figure 9-30 Networking diagram for mutual access between internal networks of
an enterprise through the backbone network

[Figure: RR_1 and RR_2 at the top; S12700E-4_P1 and S12700E-4_P2 on the site A
side and S12700E-4_P3 and S12700E-4_P4 on the site B side, interconnected by
Eth-Trunk 0 and Eth-Trunk 1, each attached to its RR through Eth-Trunk 2 and to
Router_1 or Router_2 through XGE2/0/3; the internal network of site A is behind
Router_1 and that of site B behind Router_2. Interfaces and addresses are listed
in Table 9-42.]

Network Design Analysis


● Route control requirements
S12700E-4 switches equipped with 10GE X1E cards serve as P devices for
mutual access between site A and site B. The P devices are interconnected
through 10GE interfaces and transmit services of the backbone network. RR_1
and RR_2 function as route reflectors (RRs). Traffic in the core backbone area
is forwarded through Border Gateway Protocol (BGP) and Open Shortest Path
First (OSPF) routes. User gateways at each site (not displayed in the
networking diagram) learn the site routes through the External Border
Gateway Protocol (EBGP) and import the routes to the backbone area. In this
manner, the two sites can communicate with each other.
● Reliability requirements
Two P devices for a site (such as S12700E-4_P1 and S12700E-4_P2 for site A)
are configured to work in active/standby mode to ensure device-level
reliability. Eth-Trunks in Link Aggregation Control Protocol (LACP) mode are
configured on interconnected interfaces of the two P devices to ensure link-
level reliability.
Bidirectional Forwarding Detection (BFD) for OSPF is enabled in the OSPF
process to accelerate convergence of OSPF routes upon link status changes.
When BFD detects a link fault, it notifies the OSPF protocol of the fault and
triggers fast convergence of OSPF routes.
● Security requirements
Message-digest algorithm 5 (MD5) authentication is enabled on OSPFv2-enabled
interfaces, and Internet Protocol Security (IPSec) is enabled in the OSPFv3
process.
BGP peers are configured to perform MD5 authentication when setting up
Transmission Control Protocol (TCP) connections.
IBGP peer relationships are established through loopback interfaces, and
password authentication is enabled.

Device Requirements and Versions


Table 9-40 lists the products and their software versions used in this example.

Table 9-40 Products and their software versions

Product | Software Version
S12700E | V200R019C10SPC500 + latest patch

In this example, S12700E series switches are used as the RRs and as the routers
(Router_1 and Router_2).

9.6.3 Deployment Roadmap and Data Plan

Deployment Roadmap
The configuration roadmap is as follows:

1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. On four P devices (S12700E-4_P1, S12700E-4_P2, S12700E-4_P3, and
S12700E-4_P4), configure OSPFv2 and OSPFv3, configure BGP and BGP4+,
configure them to establish IBGP peer relationships with RRs, and configure
Multiprotocol Extensions for BGP (MP-BGP).
3. Enable MD5 authentication on OSPFv2-enabled interfaces, enable IPSec in the
OSPFv3 process, and configure BGP peers to perform MD5 authentication
when setting up TCP connections.

Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.

Table 9-41 VLAN plan

Device | Data | Description
S12700E-4_P1 | VLAN 3900 | VLAN to which the interface connected to RR_1 belongs
S12700E-4_P2 | VLAN 3940 | VLAN to which the interface connected to RR_1 belongs
S12700E-4_P3 | VLAN 3900 | VLAN to which the interface connected to RR_2 belongs
S12700E-4_P4 | VLAN 3940 | VLAN to which the interface connected to RR_2 belongs
RR_1 | VLAN 3900 | VLAN to which the interface connected to S12700E-4_P1 belongs
RR_1 | VLAN 3940 | VLAN to which the interface connected to S12700E-4_P2 belongs
RR_2 | VLAN 3900 | VLAN to which the interface connected to S12700E-4_P3 belongs
RR_2 | VLAN 3940 | VLAN to which the interface connected to S12700E-4_P4 belongs

Table 9-42 Interface and IP address plan

Device | Interface Number | VLAN to Which the Interface Belongs | IP Address | Description
S12700E-4_P1 | XGE2/0/3 | - | 1.1.1.129/30, 2001:0:0:20E::1/64 | Interface connected to the internal network of site A
S12700E-4_P1 | Eth-Trunk 2 | 3900 | VLANIF 3900: 1.1.2.1/30, 2001:0:0:3B0::1/64 | Interface connected to RR_1
S12700E-4_P1 | Eth-Trunk 1 | - | 1.1.1.2/30, 2001:0:0:209::2/64 | Interface connected to S12700E-4_P3
S12700E-4_P1 | Eth-Trunk 0 | - | 1.1.1.13/30, 2001:0:0:20A::1/64 | Interface connected to S12700E-4_P2
S12700E-4_P1 | Loopback 0 | - | 2.2.2.9/32, 2001::13/128 | -
S12700E-4_P2 | XGE2/0/3 | - | 1.1.1.133/30, 2001:0:0:20F::1/64 | Interface connected to the internal network of site A
S12700E-4_P2 | Eth-Trunk 2 | 3940 | VLANIF 3940: 1.1.2.5/30, 2001:0:0:3D0::1/64 | Interface connected to RR_1
S12700E-4_P2 | Eth-Trunk 1 | - | 1.1.1.6/30, 2001:0:0:20B::1/64 | Interface connected to S12700E-4_P4
S12700E-4_P2 | Eth-Trunk 0 | - | 1.1.1.14/30, 2001:0:0:20A::2/64 | Interface connected to S12700E-4_P1
S12700E-4_P2 | Loopback 0 | - | 2.2.2.10/32, 2001::14/128 | -
S12700E-4_P3 | XGE2/0/3 | - | 1.1.1.121/30, 2001:0:0:20C::1/64 | Interface connected to the internal network of site B
S12700E-4_P3 | Eth-Trunk 2 | 3900 | VLANIF 3900: 1.1.4.1/30, 2001:0:0:330::1/64 | Interface connected to RR_2
S12700E-4_P3 | Eth-Trunk 1 | - | 1.1.1.1/30, 2001:0:0:209::1/64 | Interface connected to S12700E-4_P1
S12700E-4_P3 | Eth-Trunk 0 | - | 1.1.1.9/30, 2001:0:0:208::1/64 | Interface connected to S12700E-4_P4
S12700E-4_P3 | Loopback 0 | - | 2.2.2.3/32, 2001::11/128 | -
S12700E-4_P4 | XGE2/0/3 | - | 1.1.1.125/30, 2001:0:0:20D::1/64 | Interface connected to the internal network of site B
S12700E-4_P4 | Eth-Trunk 2 | 3940 | VLANIF 3940: 1.1.4.5/30, 2001:0:0:430::1/64 | Interface connected to RR_2
S12700E-4_P4 | Eth-Trunk 1 | - | 1.1.1.5/30, 2001:0:0:20B::2/64 | Interface connected to S12700E-4_P2
S12700E-4_P4 | Eth-Trunk 0 | - | 1.1.1.10/30, 2001:0:0:208::2/64 | Interface connected to S12700E-4_P3
S12700E-4_P4 | Loopback 0 | - | 2.2.2.4/32, 2001::12/128 | -
RR_1 | Eth-Trunk 0 | 3900 | VLANIF 3900: 1.1.2.2/30, 2001:0:0:3B0::2/64 | Interface connected to S12700E-4_P1
RR_1 | Eth-Trunk 1 | 3940 | VLANIF 3940: 1.1.2.6/30, 2001:0:0:3D0::2/64 | Interface connected to S12700E-4_P2
RR_1 | Loopback 0 | - | 2.2.2.57/32, 2001::17/128 | -
RR_2 | Eth-Trunk 0 | 3900 | VLANIF 3900: 1.1.4.2/30, 2001:0:0:330::2/64 | Interface connected to S12700E-4_P3
RR_2 | Eth-Trunk 1 | 3940 | VLANIF 3940: 1.1.4.6/30, 2001:0:0:430::2/64 | Interface connected to S12700E-4_P4
RR_2 | Loopback 0 | - | 2.2.2.55/32, 2001::15/128 | -
Router_1 | XGE0/0/1 | - | 1.1.1.130/30, 2001:0:0:20E::2/64 | Interface connected to S12700E-4_P1
Router_1 | XGE0/0/2 | - | 1.1.1.134/30, 2001:0:0:20F::2/64 | Interface connected to S12700E-4_P2
Router_1 | XGE0/0/3 | 1101 | VLANIF 1101: 101.1.1.2/24, 2000:101::1/64 | Interface connected to the user gateway
Router_1 | Loopback 0 | - | 2.2.2.11/32, 2001:F167::1/128 | -
Router_2 | XGE0/0/1 | - | 1.1.1.122/30, 2001:0:0:20C::2/64 | Interface connected to S12700E-4_P3
Router_2 | XGE0/0/2 | - | 1.1.1.126/30, 2001:0:0:20D::2/64 | Interface connected to S12700E-4_P4
Router_2 | XGE0/0/3 | 1101 | VLANIF 1101: 101.1.1.3/24, 2000:102::1/64 | Interface connected to the user gateway
Router_2 | Loopback 0 | - | 2.2.2.1/32, 2001:F168::1/128 | -

9.6.4 Deployment Procedure

This solution uses a symmetric networking mode. The configuration of S12700E-4_P2 is
similar to that of S12700E-4_P1, the configuration of S12700E-4_P4 is similar to that of
S12700E-4_P3, the configuration of RR_2 is similar to that of RR_1, and the configuration of
Router_2 is similar to that of Router_1. S12700E-4_P1, S12700E-4_P3, RR_1, and Router_1
are used as examples in the following sections.

9.6.4.1 Configuring S12700E-4_P1


Step 1 Configure interfaces connected to devices.
# Create Eth-Trunk 0, configure its IPv4 and IPv6 addresses, enable LACP, and add
an interface (XGE1/0/0 is used as an example) to Eth-Trunk 0.
<S12700E-4_P1> system-view
[S12700E-4_P1] ipv6
[S12700E-4_P1] interface Eth-Trunk 0
[S12700E-4_P1-Eth-Trunk0] undo portswitch
[S12700E-4_P1-Eth-Trunk0] description To_S12700E-4_P2
[S12700E-4_P1-Eth-Trunk0] ip address 1.1.1.13 255.255.255.252
[S12700E-4_P1-Eth-Trunk0] ipv6 enable
[S12700E-4_P1-Eth-Trunk0] ipv6 address 2001:0:0:20A::1/64
[S12700E-4_P1-Eth-Trunk0] mode lacp
[S12700E-4_P1-Eth-Trunk0] quit
[S12700E-4_P1] interface XGigabitEthernet 1/0/0
[S12700E-4_P1-XGigabitEthernet1/0/0] eth-trunk 0
[S12700E-4_P1-XGigabitEthernet1/0/0] quit

# Create Eth-Trunk 1, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE2/0/0 to Eth-Trunk 1.
[S12700E-4_P1] interface Eth-Trunk 1
[S12700E-4_P1-Eth-Trunk1] undo portswitch
[S12700E-4_P1-Eth-Trunk1] description To_S12700E-4_P3
[S12700E-4_P1-Eth-Trunk1] ip address 1.1.1.2 255.255.255.252
[S12700E-4_P1-Eth-Trunk1] ipv6 enable
[S12700E-4_P1-Eth-Trunk1] ipv6 address 2001:0:0:209::2/64
[S12700E-4_P1-Eth-Trunk1] mode lacp
[S12700E-4_P1-Eth-Trunk1] quit
[S12700E-4_P1] interface XGigabitEthernet 2/0/0
[S12700E-4_P1-XGigabitEthernet2/0/0] eth-trunk 1
[S12700E-4_P1-XGigabitEthernet2/0/0] quit

# Create VLAN 3900, and configure an IPv4 address and an IPv6 address for
VLANIF 3900. Create Eth-Trunk 2, enable LACP, and add XGE1/0/1 to Eth-Trunk 2.
[S12700E-4_P1] vlan 3900
[S12700E-4_P1-vlan3900] quit
[S12700E-4_P1] interface Vlanif 3900
[S12700E-4_P1-Vlanif3900] ip address 1.1.2.1 255.255.255.252
[S12700E-4_P1-Vlanif3900] ipv6 enable
[S12700E-4_P1-Vlanif3900] ipv6 address 2001:0:0:3B0::1/64
[S12700E-4_P1-Vlanif3900] quit
[S12700E-4_P1] interface Eth-Trunk 2
[S12700E-4_P1-Eth-Trunk2] description To_RR_1
[S12700E-4_P1-Eth-Trunk2] port link-type trunk
[S12700E-4_P1-Eth-Trunk2] port trunk allow-pass vlan 3900
[S12700E-4_P1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S12700E-4_P1-Eth-Trunk2] mode lacp
[S12700E-4_P1-Eth-Trunk2] quit
[S12700E-4_P1] interface XGigabitEthernet 1/0/1
[S12700E-4_P1-XGigabitEthernet1/0/1] eth-trunk 2
[S12700E-4_P1-XGigabitEthernet1/0/1] quit

# Configure an IPv4 address and an IPv6 address for XGE2/0/3 that connects
S12700E-4_P1 to the egress router Router_1 of site A.
[S12700E-4_P1] interface XGigabitEthernet 2/0/3
[S12700E-4_P1-XGigabitEthernet2/0/3] description To_Router_1
[S12700E-4_P1-XGigabitEthernet2/0/3] undo portswitch
[S12700E-4_P1-XGigabitEthernet2/0/3] ip address 1.1.1.129 255.255.255.252
[S12700E-4_P1-XGigabitEthernet2/0/3] ipv6 enable
[S12700E-4_P1-XGigabitEthernet2/0/3] ipv6 address 2001:0:0:20E::1/64
[S12700E-4_P1-XGigabitEthernet2/0/3] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[S12700E-4_P1] interface LoopBack 0
[S12700E-4_P1-LoopBack0] ip address 2.2.2.9 255.255.255.255
[S12700E-4_P1-LoopBack0] ipv6 enable
[S12700E-4_P1-LoopBack0] ipv6 address 2001::13/128
[S12700E-4_P1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3 to allow Layer 3 communication between P
devices. Enable MD5 authentication on OSPFv2-enabled interfaces and enable
IPSec in the OSPFv3 process.
# Create OSPFv2 process 1, specify the router ID, create area 0, enable graceful
restart (GR), and configure password authentication.
[S12700E-4_P1] ospf 1 router-id 2.2.2.9
[S12700E-4_P1-ospf-1] silent-interface all
[S12700E-4_P1-ospf-1] undo silent-interface Eth-Trunk0
[S12700E-4_P1-ospf-1] undo silent-interface Eth-Trunk1
[S12700E-4_P1-ospf-1] undo silent-interface Vlanif3900
[S12700E-4_P1-ospf-1] undo silent-interface XGigabitEthernet2/0/3
[S12700E-4_P1-ospf-1] opaque-capability enable
[S12700E-4_P1-ospf-1] graceful-restart
[S12700E-4_P1-ospf-1] bandwidth-reference 1000000
[S12700E-4_P1-ospf-1] stub-router on-startup
[S12700E-4_P1-ospf-1] area 0.0.0.0
[S12700E-4_P1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[S12700E-4_P1-ospf-1-area-0.0.0.0] quit
[S12700E-4_P1-ospf-1] quit

# Configure IPSec.
[S12700E-4_P1] ipsec proposal 1
[S12700E-4_P1-ipsec-proposal-1] encapsulation-mode transport
[S12700E-4_P1-ipsec-proposal-1] transform ah
[S12700E-4_P1-ipsec-proposal-1] ah authentication-algorithm md5
[S12700E-4_P1-ipsec-proposal-1] quit
[S12700E-4_P1] ipsec sa area0
[S12700E-4_P1-ipsec-sa-area0] proposal 1
[S12700E-4_P1-ipsec-sa-area0] sa spi inbound ah 256
[S12700E-4_P1-ipsec-sa-area0] sa authentication-hex inbound ah cipher
112233445566778899aabbccddeeff00
[S12700E-4_P1-ipsec-sa-area0] sa spi outbound ah 256
[S12700E-4_P1-ipsec-sa-area0] sa authentication-hex outbound ah cipher
aabbccddeeff001100aabbccddeeff00
[S12700E-4_P1-ipsec-sa-area0] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[S12700E-4_P1] ospfv3 1
[S12700E-4_P1-ospfv3-1] router-id 2.2.2.9
[S12700E-4_P1-ospfv3-1] bandwidth-reference 1000000
[S12700E-4_P1-ospfv3-1] ipsec sa area0
[S12700E-4_P1-ospfv3-1] graceful-restart
[S12700E-4_P1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[S12700E-4_P1] interface LoopBack 0
[S12700E-4_P1-LoopBack0] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-LoopBack0] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface Eth-Trunk 0
[S12700E-4_P1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk0] ospf network-type p2p
[S12700E-4_P1-Eth-Trunk0] ospf cost 500
[S12700E-4_P1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk0] ospfv3 network-type p2p
[S12700E-4_P1-Eth-Trunk0] ospfv3 cost 500
[S12700E-4_P1-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface Eth-Trunk 1
[S12700E-4_P1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk1] ospf network-type p2p
[S12700E-4_P1-Eth-Trunk1] ospf cost 1000
[S12700E-4_P1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk1] ospfv3 network-type p2p
[S12700E-4_P1-Eth-Trunk1] ospfv3 cost 1000
[S12700E-4_P1-Eth-Trunk1] quit


# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[S12700E-4_P1] interface Vlanif 3900
[S12700E-4_P1-Vlanif3900] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Vlanif3900] ospf network-type p2p
[S12700E-4_P1-Vlanif3900] ospf cost 2000
[S12700E-4_P1-Vlanif3900] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Vlanif3900] ospfv3 network-type p2p
[S12700E-4_P1-Vlanif3900] ospfv3 cost 2000
[S12700E-4_P1-Vlanif3900] quit

# Enable OSPFv2 and OSPFv3 on XGE2/0/3, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface XGigabitEthernet 2/0/3
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf network-type p2p
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf cost 2000
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 network-type p2p
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 cost 2000
[S12700E-4_P1-XGigabitEthernet2/0/3] quit

Step 3 Configure BGP and BGP4+, and configure S12700E-4_P1 to establish an IBGP peer
relationship with RR_1.

# Start the BGP process and configure BGP peers.
[S12700E-4_P1] bgp 64999
[S12700E-4_P1-bgp] router-id 2.2.2.9
[S12700E-4_P1-bgp] graceful-restart
[S12700E-4_P1-bgp] group iBGP internal
[S12700E-4_P1-bgp] peer iBGP connect-interface LoopBack0
[S12700E-4_P1-bgp] peer iBGP password cipher huawei@123
[S12700E-4_P1-bgp] peer 2.2.2.57 as-number 64999
[S12700E-4_P1-bgp] peer 2.2.2.57 group iBGP
[S12700E-4_P1-bgp] ipv4-family unicast
[S12700E-4_P1-bgp-af-ipv4] peer iBGP enable
[S12700E-4_P1-bgp-af-ipv4] peer iBGP next-hop-local
[S12700E-4_P1-bgp-af-ipv4] peer iBGP advertise-community
[S12700E-4_P1-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[S12700E-4_P1-bgp] peer 2001::17 as-number 64999
[S12700E-4_P1-bgp] peer 2001::17 group iBGP
[S12700E-4_P1-bgp] ipv6-family unicast
[S12700E-4_P1-bgp-af-ipv6] peer iBGP enable
[S12700E-4_P1-bgp-af-ipv6] peer iBGP next-hop-local
[S12700E-4_P1-bgp-af-ipv6] peer iBGP advertise-community
[S12700E-4_P1-bgp-af-ipv6] peer 2001::17 enable
[S12700E-4_P1-bgp-af-ipv6] peer 2001::17 group iBGP
[S12700E-4_P1-bgp-af-ipv6] quit
[S12700E-4_P1-bgp] quit

Step 4 Enable BFD globally, and enable BFD for OSPFv2 and BFD for OSPFv3.
[S12700E-4_P1] bfd
[S12700E-4_P1-bfd] quit
[S12700E-4_P1] ospf 1
[S12700E-4_P1-ospf-1] bfd all-interfaces enable
[S12700E-4_P1-ospf-1] quit
[S12700E-4_P1] ospfv3 1
[S12700E-4_P1-ospfv3-1] bfd all-interfaces enable
[S12700E-4_P1-ospfv3-1] quit

----End
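As an added check (example code, not part of this guide), the following Python script parses a saved VRP configuration and verifies the controls configured on S12700E-4_P1 above: area-level MD5 authentication in every OSPFv2 process, an IPsec SA that is both bound to the OSPFv3 process and actually defined, a password on every BGP peer (set directly or inherited from its peer group), and BFD enabled globally as well as per process. The sample configuration is constructed after the steps above; the cipher placeholder and the hmac-md5/hmac-sha256/keychain modes accepted in STRONG_OSPF_AUTH are assumptions, not values from this example.

```python
"""Audit a VRP configuration for OSPFv2 auth, OSPFv3 IPsec, BGP passwords, BFD."""
import re

# Area authentication modes counted as cryptographic; the guide itself uses md5.
STRONG_OSPF_AUTH = {"md5", "hmac-md5", "hmac-sha256", "keychain"}


def parse_vrp(config):
    """Nest 'display current-configuration' lines into (text, children) tuples."""
    # VRP indents one space per nesting level and separates blocks with '#'.
    root = ("", [])
    stack = [(-1, root)]
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = (text, [])
        stack[-1][1][1].append(node)
        stack.append((depth, node))
    return root


def under(node, prefix):
    """Children of node whose text starts with prefix."""
    return [c for c in node[1] if c[0].startswith(prefix)]


def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    root = parse_vrp(config)
    findings = []
    # 1. OSPFv2: every area needs cryptographic authentication, the process BFD.
    for proc in under(root, "ospf "):
        for area in under(proc, "area "):
            modes = [a[0].split()[1] for a in under(area, "authentication-mode ")]
            if not STRONG_OSPF_AUTH.intersection(modes):
                findings.append(f"{proc[0]}, {area[0]}: no cryptographic authentication")
        if not under(proc, "bfd all-interfaces enable"):
            findings.append(f"{proc[0]}: BFD for OSPF not enabled")
    # 2. OSPFv3: the process must bind an IPsec SA that is actually defined.
    defined = {n[0].split()[2] for n in under(root, "ipsec sa ")}
    for proc in under(root, "ospfv3 "):
        bound = {n[0].split()[2] for n in under(proc, "ipsec sa ")}
        if not bound & defined:
            findings.append(f"{proc[0]}: no defined IPsec SA is bound to the process")
        if not under(proc, "bfd all-interfaces enable"):
            findings.append(f"{proc[0]}: BFD for OSPFv3 not enabled")
    # 3. BGP: each peer with an AS number needs a password, own or from its group.
    for proc in under(root, "bgp "):
        peers, passworded, group_of = set(), set(), {}
        for text, _ in proc[1]:
            m = re.match(r"peer (\S+) (as-number|password|group) (\S+)", text)
            if m and m[2] == "as-number":
                peers.add(m[1])
            elif m and m[2] == "password":
                passworded.add(m[1])
            elif m:
                group_of[m[1]] = m[3]
        for peer in sorted(peers):
            if peer not in passworded and group_of.get(peer) not in passworded:
                findings.append(f"{proc[0]}: peer {peer} has no password")
    # 4. Per-process BFD does nothing unless BFD is also enabled globally.
    if not any(text == "bfd" for text, _ in root[1]):
        findings.append("global 'bfd' is not enabled")
    return findings


# Constructed sample modelled on the S12700E-4_P1 steps above; the cipher text
# is a placeholder, not a key from the guide.
COMPLIANT_CONFIG = """\
bfd
#
ospf 1 router-id 2.2.2.9
 bfd all-interfaces enable
 area 0.0.0.0
  authentication-mode md5 1 cipher <placeholder>
#
ipsec sa area0
#
ospfv3 1
 ipsec sa area0
 bfd all-interfaces enable
#
bgp 64999
 group iBGP internal
 peer iBGP password cipher <placeholder>
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
#
"""
# The same configuration with the OSPF area key and the group password removed.
WEAK_CONFIG = COMPLIANT_CONFIG.replace(
    "  authentication-mode md5 1 cipher <placeholder>\n", "").replace(
    " peer iBGP password cipher <placeholder>\n", "")
```

Running audit() over the output of display current-configuration on each P device and RR flags any device where one of the three security steps of the roadmap was skipped.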


9.6.4.2 Configuring S12700E-4_P3


Step 1 Configure interfaces connected to devices.

# Create Eth-Trunk 0, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE1/0/0 to Eth-Trunk 0.
<S12700E-4_P3> system-view
[S12700E-4_P3] ipv6
[S12700E-4_P3] interface Eth-Trunk 0
[S12700E-4_P3-Eth-Trunk0] undo portswitch
[S12700E-4_P3-Eth-Trunk0] description To_S12700E-4_P4
[S12700E-4_P3-Eth-Trunk0] ip address 1.1.1.9 255.255.255.252
[S12700E-4_P3-Eth-Trunk0] ipv6 enable
[S12700E-4_P3-Eth-Trunk0] ipv6 address 2001:0:0:208::1/64
[S12700E-4_P3-Eth-Trunk0] mode lacp
[S12700E-4_P3-Eth-Trunk0] quit
[S12700E-4_P3] interface XGigabitEthernet 1/0/0
[S12700E-4_P3-XGigabitEthernet1/0/0] eth-trunk 0
[S12700E-4_P3-XGigabitEthernet1/0/0] quit

# Create Eth-Trunk 1, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE2/0/0 to Eth-Trunk 1.
[S12700E-4_P3] interface Eth-Trunk 1
[S12700E-4_P3-Eth-Trunk1] undo portswitch
[S12700E-4_P3-Eth-Trunk1] description To_S12700E-4_P1
[S12700E-4_P3-Eth-Trunk1] ip address 1.1.1.1 255.255.255.252
[S12700E-4_P3-Eth-Trunk1] ipv6 enable
[S12700E-4_P3-Eth-Trunk1] ipv6 address 2001:0:0:209::1/64
[S12700E-4_P3-Eth-Trunk1] mode lacp
[S12700E-4_P3-Eth-Trunk1] quit
[S12700E-4_P3] interface XGigabitEthernet 2/0/0
[S12700E-4_P3-XGigabitEthernet2/0/0] eth-trunk 1
[S12700E-4_P3-XGigabitEthernet2/0/0] quit

# Create VLAN 3900, and configure an IPv4 address and an IPv6 address for
VLANIF 3900. Create Eth-Trunk 2, enable LACP, and add XGE1/0/1 to Eth-Trunk 2.
[S12700E-4_P3] vlan 3900
[S12700E-4_P3-vlan3900] quit
[S12700E-4_P3] interface Vlanif 3900
[S12700E-4_P3-Vlanif3900] ip address 1.1.4.1 255.255.255.252
[S12700E-4_P3-Vlanif3900] ipv6 enable
[S12700E-4_P3-Vlanif3900] ipv6 address 2001:0:0:330::1/64
[S12700E-4_P3-Vlanif3900] quit
[S12700E-4_P3] interface Eth-Trunk 2
[S12700E-4_P3-Eth-Trunk2] description To_RR_2
[S12700E-4_P3-Eth-Trunk2] port link-type trunk
[S12700E-4_P3-Eth-Trunk2] port trunk allow-pass vlan 3900
[S12700E-4_P3-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S12700E-4_P3-Eth-Trunk2] mode lacp
[S12700E-4_P3-Eth-Trunk2] quit
[S12700E-4_P3] interface XGigabitEthernet 1/0/1
[S12700E-4_P3-XGigabitEthernet1/0/1] eth-trunk 2
[S12700E-4_P3-XGigabitEthernet1/0/1] quit

# Configure an IPv4 address and an IPv6 address for XGE2/0/3 that connects
S12700E-4_P3 to the egress router Router_2 of site B.
[S12700E-4_P3] interface XGigabitEthernet 2/0/3
[S12700E-4_P3-XGigabitEthernet2/0/3] description To_Router_2
[S12700E-4_P3-XGigabitEthernet2/0/3] undo portswitch
[S12700E-4_P3-XGigabitEthernet2/0/3] ip address 1.1.1.121 255.255.255.252
[S12700E-4_P3-XGigabitEthernet2/0/3] ipv6 enable
[S12700E-4_P3-XGigabitEthernet2/0/3] ipv6 address 2001:0:0:20C::1/64
[S12700E-4_P3-XGigabitEthernet2/0/3] quit


Step 2 Configure OSPFv2 and OSPFv3 to allow Layer 3 communication between P
devices. Enable MD5 authentication on OSPFv2-enabled interfaces and enable
IPSec in the OSPFv3 process.
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[S12700E-4_P3] interface LoopBack 0
[S12700E-4_P3-LoopBack0] ip address 2.2.2.3 255.255.255.255
[S12700E-4_P3-LoopBack0] ipv6 enable
[S12700E-4_P3-LoopBack0] ipv6 address 2001::11/128
[S12700E-4_P3-LoopBack0] quit

# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[S12700E-4_P3] ospf 1 router-id 2.2.2.3
[S12700E-4_P3-ospf-1] silent-interface all
[S12700E-4_P3-ospf-1] undo silent-interface Eth-Trunk0
[S12700E-4_P3-ospf-1] undo silent-interface Eth-Trunk1
[S12700E-4_P3-ospf-1] undo silent-interface Vlanif3900
[S12700E-4_P3-ospf-1] undo silent-interface XGigabitEthernet2/0/3
[S12700E-4_P3-ospf-1] opaque-capability enable
[S12700E-4_P3-ospf-1] graceful-restart
[S12700E-4_P3-ospf-1] bandwidth-reference 1000000
[S12700E-4_P3-ospf-1] stub-router on-startup
[S12700E-4_P3-ospf-1] area 0.0.0.0
[S12700E-4_P3-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[S12700E-4_P3-ospf-1-area-0.0.0.0] quit
[S12700E-4_P3-ospf-1] quit

# Configure IPSec.
[S12700E-4_P3] ipsec proposal 1
[S12700E-4_P3-ipsec-proposal-1] encapsulation-mode transport
[S12700E-4_P3-ipsec-proposal-1] transform ah
[S12700E-4_P3-ipsec-proposal-1] ah authentication-algorithm md5
[S12700E-4_P3-ipsec-proposal-1] quit
[S12700E-4_P3] ipsec sa area0
[S12700E-4_P3-ipsec-sa-area0] proposal 1
[S12700E-4_P3-ipsec-sa-area0] sa spi inbound ah 256
[S12700E-4_P3-ipsec-sa-area0] sa authentication-hex inbound ah cipher
112233445566778899aabbccddeeff00
[S12700E-4_P3-ipsec-sa-area0] sa spi outbound ah 256
[S12700E-4_P3-ipsec-sa-area0] sa authentication-hex outbound ah cipher
aabbccddeeff001100aabbccddeeff00
[S12700E-4_P3-ipsec-sa-area0] quit

# Create OSPFv3 process 1, specify the router ID, and enable GR.
[S12700E-4_P3] ospfv3 1
[S12700E-4_P3-ospfv3-1] router-id 2.2.2.3
[S12700E-4_P3-ospfv3-1] bandwidth-reference 1000000
[S12700E-4_P3-ospfv3-1] ipsec sa area0
[S12700E-4_P3-ospfv3-1] graceful-restart
[S12700E-4_P3-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[S12700E-4_P3] interface LoopBack 0
[S12700E-4_P3-LoopBack0] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-LoopBack0] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface Eth-Trunk 0
[S12700E-4_P3-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk0] ospf network-type p2p
[S12700E-4_P3-Eth-Trunk0] ospf cost 500
[S12700E-4_P3-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk0] ospfv3 network-type p2p
[S12700E-4_P3-Eth-Trunk0] ospfv3 cost 500
[S12700E-4_P3-Eth-Trunk0] quit

# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface Eth-Trunk 1
[S12700E-4_P3-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk1] ospf network-type p2p
[S12700E-4_P3-Eth-Trunk1] ospf cost 1000
[S12700E-4_P3-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk1] ospfv3 network-type p2p
[S12700E-4_P3-Eth-Trunk1] ospfv3 cost 1000
[S12700E-4_P3-Eth-Trunk1] quit

# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[S12700E-4_P3] interface Vlanif 3900
[S12700E-4_P3-Vlanif3900] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Vlanif3900] ospf network-type p2p
[S12700E-4_P3-Vlanif3900] ospf cost 2000
[S12700E-4_P3-Vlanif3900] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-Vlanif3900] ospfv3 network-type p2p
[S12700E-4_P3-Vlanif3900] ospfv3 cost 2000
[S12700E-4_P3-Vlanif3900] quit

# Enable OSPFv2 and OSPFv3 on XGE2/0/3, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface XGigabitEthernet 2/0/3
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf network-type p2p
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf cost 2000
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 network-type p2p
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 cost 2000
[S12700E-4_P3-XGigabitEthernet2/0/3] quit

Step 3 Configure BGP and BGP4+, and configure S12700E-4_P3 to establish an IBGP peer
relationship with RR_2.
# Start the BGP process and configure BGP peers.
[S12700E-4_P3] bgp 64999
[S12700E-4_P3-bgp] router-id 2.2.2.3
[S12700E-4_P3-bgp] graceful-restart
[S12700E-4_P3-bgp] group iBGP internal
[S12700E-4_P3-bgp] peer iBGP connect-interface LoopBack0
[S12700E-4_P3-bgp] peer iBGP password cipher huawei@123
[S12700E-4_P3-bgp] peer 2.2.2.55 as-number 64999
[S12700E-4_P3-bgp] peer 2.2.2.55 group iBGP
[S12700E-4_P3-bgp] ipv4-family unicast
[S12700E-4_P3-bgp-af-ipv4] peer iBGP enable
[S12700E-4_P3-bgp-af-ipv4] peer iBGP next-hop-local
[S12700E-4_P3-bgp-af-ipv4] peer iBGP advertise-community
[S12700E-4_P3-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[S12700E-4_P3-bgp] peer 2001::15 as-number 64999
[S12700E-4_P3-bgp] peer 2001::15 group iBGP
[S12700E-4_P3-bgp] ipv6-family unicast
[S12700E-4_P3-bgp-af-ipv6] peer iBGP enable
[S12700E-4_P3-bgp-af-ipv6] peer iBGP next-hop-local
[S12700E-4_P3-bgp-af-ipv6] peer iBGP advertise-community
[S12700E-4_P3-bgp-af-ipv6] peer 2001::15 enable
[S12700E-4_P3-bgp-af-ipv6] peer 2001::15 group iBGP
[S12700E-4_P3-bgp-af-ipv6] quit
[S12700E-4_P3-bgp] quit

# Configure MP-BGP.
[S12700E-4_P3] bgp 64999
[S12700E-4_P3-bgp] ipv4-family vpnv4
[S12700E-4_P3-bgp-af-vpnv4] peer 2.2.2.55 enable
[S12700E-4_P3-bgp-af-vpnv4] quit
[S12700E-4_P3-bgp] ipv6-family vpnv6
[S12700E-4_P3-bgp-af-vpnv6] peer 2.2.2.55 enable
[S12700E-4_P3-bgp-af-vpnv6] quit
[S12700E-4_P3-bgp] quit

Step 4 Enable BFD globally, and enable BFD for OSPFv2 and BFD for OSPFv3.
[S12700E-4_P3] bfd
[S12700E-4_P3-bfd] quit
[S12700E-4_P3] ospf 1
[S12700E-4_P3-ospf-1] bfd all-interfaces enable
[S12700E-4_P3-ospf-1] quit
[S12700E-4_P3] ospfv3 1
[S12700E-4_P3-ospfv3-1] bfd all-interfaces enable
[S12700E-4_P3-ospfv3-1] quit

----End

9.6.4.3 Configuring RR_1


Step 1 Configure interfaces connected to devices.
# Create VLAN 3900, and configure an IPv4 address and an IPv6 address for
VLANIF 3900. Create Eth-Trunk 0, enable LACP, and add XGE1/0/0 to Eth-Trunk 0.
<RR_1> system-view
[RR_1] ipv6
[RR_1] vlan 3900
[RR_1-vlan3900] quit
[RR_1] interface Vlanif 3900
[RR_1-Vlanif3900] ip address 1.1.2.2 255.255.255.252
[RR_1-Vlanif3900] ipv6 enable
[RR_1-Vlanif3900] ipv6 address 2001:0:0:3B0::2/64
[RR_1-Vlanif3900] quit
[RR_1] interface Eth-Trunk 0
[RR_1-Eth-Trunk0] description To_S12704_P1
[RR_1-Eth-Trunk0] port link-type trunk
[RR_1-Eth-Trunk0] port trunk allow-pass vlan 3900
[RR_1-Eth-Trunk0] undo port trunk allow-pass vlan 1
[RR_1-Eth-Trunk0] mode lacp
[RR_1-Eth-Trunk0] quit
[RR_1] interface XGigabitEthernet 1/0/0
[RR_1-XGigabitEthernet1/0/0] eth-trunk 0
[RR_1-XGigabitEthernet1/0/0] quit

# Create VLAN 3940, and configure an IPv4 address and an IPv6 address for
VLANIF 3940. Create Eth-Trunk 1, enable LACP, and add XGE1/0/1 to Eth-Trunk 1.
[RR_1] vlan 3940
[RR_1-vlan3940] quit
[RR_1] interface Vlanif 3940
[RR_1-Vlanif3940] ip address 1.1.2.6 255.255.255.252
[RR_1-Vlanif3940] ipv6 enable
[RR_1-Vlanif3940] ipv6 address 2001:0:0:3D0::2/64
[RR_1-Vlanif3940] quit
[RR_1] interface Eth-Trunk 1
[RR_1-Eth-Trunk1] description To_S12704_P2
[RR_1-Eth-Trunk1] port link-type trunk
[RR_1-Eth-Trunk1] port trunk allow-pass vlan 3940
[RR_1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[RR_1-Eth-Trunk1] mode lacp
[RR_1-Eth-Trunk1] quit
[RR_1] interface XGigabitEthernet 1/0/1
[RR_1-XGigabitEthernet1/0/1] eth-trunk 1
[RR_1-XGigabitEthernet1/0/1] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[RR_1] interface LoopBack 0
[RR_1-LoopBack0] ip address 2.2.2.57 255.255.255.255
[RR_1-LoopBack0] ipv6 enable
[RR_1-LoopBack0] ipv6 address 2001::17/128
[RR_1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3 to allow Layer 3 communication between P
devices. Enable MD5 authentication on OSPFv2-enabled interfaces and enable
IPSec in the OSPFv3 process.
# Create OSPFv2 process 1, enable GR, and configure password authentication.
[RR_1] ospf 1 router-id 2.2.2.57
[RR_1-ospf-1] opaque-capability enable
[RR_1-ospf-1] graceful-restart
[RR_1-ospf-1] bandwidth-reference 1000000
[RR_1-ospf-1] area 0.0.0.0
[RR_1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[RR_1-ospf-1-area-0.0.0.0] quit
[RR_1-ospf-1] quit

# Configure IPSec.
[RR_1] ipsec proposal 1
[RR_1-ipsec-proposal-1] encapsulation-mode transport
[RR_1-ipsec-proposal-1] transform ah
[RR_1-ipsec-proposal-1] ah authentication-algorithm md5
[RR_1-ipsec-proposal-1] quit
[RR_1] ipsec sa area0
[RR_1-ipsec-sa-area0] proposal 1
[RR_1-ipsec-sa-area0] sa spi inbound ah 256
[RR_1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[RR_1-ipsec-sa-area0] sa spi outbound ah 256
[RR_1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[RR_1-ipsec-sa-area0] quit

# Create OSPFv3 process 1 and enable GR.
[RR_1] ospfv3 1
[RR_1-ospfv3-1] router-id 2.2.2.57
[RR_1-ospfv3-1] bandwidth-reference 1000000
[RR_1-ospfv3-1] ipsec sa area0
[RR_1-ospfv3-1] graceful-restart
[RR_1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[RR_1] interface LoopBack 0
[RR_1-LoopBack0] ospf enable 1 area 0.0.0.0
[RR_1-LoopBack0] ospfv3 1 area 0.0.0.0
[RR_1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[RR_1] interface Vlanif3900
[RR_1-Vlanif3900] ospf enable 1 area 0.0.0.0
[RR_1-Vlanif3900] ospf network-type p2p
[RR_1-Vlanif3900] ospf cost 2000
[RR_1-Vlanif3900] ospfv3 1 area 0.0.0.0
[RR_1-Vlanif3900] ospfv3 network-type p2p
[RR_1-Vlanif3900] ospfv3 cost 2000
[RR_1-Vlanif3900] quit

# Enable OSPFv2 and OSPFv3 on VLANIF 3940, set the network type to P2P, and
set the OSPF cost value.
[RR_1] interface Vlanif3940
[RR_1-Vlanif3940] ospf enable 1 area 0.0.0.0
[RR_1-Vlanif3940] ospf network-type p2p
[RR_1-Vlanif3940] ospf cost 2000
[RR_1-Vlanif3940] ospfv3 1 area 0.0.0.0
[RR_1-Vlanif3940] ospfv3 network-type p2p
[RR_1-Vlanif3940] ospfv3 cost 2000
[RR_1-Vlanif3940] quit

Step 3 Configure BGP and BGP4+, and configure RR_1 to establish IBGP peer
relationships with S12704_P1, S12704_P2, and RR_2.
# Start the BGP process and configure BGP peers.
[RR_1] bgp 64999
[RR_1-bgp] router-id 2.2.2.57
[RR_1-bgp] graceful-restart
[RR_1-bgp] group iBGP internal
[RR_1-bgp] peer iBGP connect-interface LoopBack0
[RR_1-bgp] peer iBGP password cipher huawei@123
[RR_1-bgp] peer 2.2.2.9 as-number 64999
[RR_1-bgp] peer 2.2.2.9 group iBGP
[RR_1-bgp] peer 2.2.2.10 as-number 64999
[RR_1-bgp] peer 2.2.2.10 group iBGP
[RR_1-bgp] peer 2.2.2.55 as-number 64999
[RR_1-bgp] peer 2.2.2.55 group iBGP
[RR_1-bgp] ipv4-family unicast
[RR_1-bgp-af-ipv4] peer iBGP enable
[RR_1-bgp-af-ipv4] peer iBGP next-hop-local
[RR_1-bgp-af-ipv4] peer iBGP advertise-community
[RR_1-bgp-af-ipv4] peer 2.2.2.9 reflect-client
[RR_1-bgp-af-ipv4] peer 2.2.2.10 reflect-client
[RR_1-bgp-af-ipv4] peer 2.2.2.55 reflect-client
[RR_1-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[RR_1-bgp] peer 2001::13 as-number 64999
[RR_1-bgp] peer 2001::13 group iBGP
[RR_1-bgp] peer 2001::14 as-number 64999
[RR_1-bgp] peer 2001::14 group iBGP
[RR_1-bgp] peer 2001::15 as-number 64999
[RR_1-bgp] peer 2001::15 group iBGP
[RR_1-bgp] ipv6-family unicast
[RR_1-bgp-af-ipv6] peer iBGP enable
[RR_1-bgp-af-ipv6] peer iBGP next-hop-local
[RR_1-bgp-af-ipv6] peer iBGP advertise-community
[RR_1-bgp-af-ipv6] peer 2001::13 enable
[RR_1-bgp-af-ipv6] peer 2001::13 group iBGP
[RR_1-bgp-af-ipv6] peer 2001::13 reflect-client
[RR_1-bgp-af-ipv6] peer 2001::14 enable
[RR_1-bgp-af-ipv6] peer 2001::14 group iBGP
[RR_1-bgp-af-ipv6] peer 2001::14 reflect-client
[RR_1-bgp-af-ipv6] peer 2001::15 enable
[RR_1-bgp-af-ipv6] peer 2001::15 group iBGP
[RR_1-bgp-af-ipv6] peer 2001::15 reflect-client
[RR_1-bgp-af-ipv6] quit
[RR_1-bgp] quit

----End

9.6.4.4 Configuring Router_1


Step 1 Configure interfaces connected to devices.
# Configure an IPv4 address and an IPv6 address for XGE0/0/1.
<Router_1> system-view
[Router_1] ipv6
[Router_1] interface XGigabitEthernet0/0/1
[Router_1-XGigabitEthernet0/0/1] undo portswitch
[Router_1-XGigabitEthernet0/0/1] description To_S12704_P1
[Router_1-XGigabitEthernet0/0/1] ip address 1.1.1.130 255.255.255.252
[Router_1-XGigabitEthernet0/0/1] ipv6 enable
[Router_1-XGigabitEthernet0/0/1] ipv6 address 2001:0:0:20E::2/64
[Router_1-XGigabitEthernet0/0/1] quit

# Configure an IPv4 address and an IPv6 address for XGE0/0/2.
[Router_1] interface XGigabitEthernet0/0/2
[Router_1-XGigabitEthernet0/0/2] undo portswitch
[Router_1-XGigabitEthernet0/0/2] description To_S12704_P2
[Router_1-XGigabitEthernet0/0/2] ip address 1.1.1.134 255.255.255.252
[Router_1-XGigabitEthernet0/0/2] ipv6 enable
[Router_1-XGigabitEthernet0/0/2] ipv6 address 2001:0:0:20F::2/64
[Router_1-XGigabitEthernet0/0/2] quit

# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[Router_1] interface LoopBack 0
[Router_1-LoopBack0] ip address 2.2.2.11 255.255.255.255
[Router_1-LoopBack0] ipv6 enable
[Router_1-LoopBack0] ipv6 address 2001:F167::1/128
[Router_1-LoopBack0] quit

Step 2 Configure OSPFv2 and OSPFv3 to allow Layer 3 communication between P
devices. Enable MD5 authentication on OSPFv2-enabled interfaces and enable
IPSec in the OSPFv3 process.
# Create OSPFv2 process 1, enable GR, and configure password authentication.
[Router_1] ospf 1 router-id 2.2.2.11
[Router_1-ospf-1] opaque-capability enable
[Router_1-ospf-1] graceful-restart
[Router_1-ospf-1] bandwidth-reference 1000000
[Router_1-ospf-1] area 0.0.0.0
[Router_1-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[Router_1-ospf-1-area-0.0.0.0] quit
[Router_1-ospf-1] quit

# Configure IPSec.
[Router_1] ipsec proposal 1
[Router_1-ipsec-proposal-1] encapsulation-mode transport
[Router_1-ipsec-proposal-1] transform ah
[Router_1-ipsec-proposal-1] ah authentication-algorithm md5
[Router_1-ipsec-proposal-1] quit
[Router_1] ipsec sa area0
[Router_1-ipsec-sa-area0] proposal 1
[Router_1-ipsec-sa-area0] sa spi inbound ah 256
[Router_1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[Router_1-ipsec-sa-area0] sa spi outbound ah 256
[Router_1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[Router_1-ipsec-sa-area0] quit

# Create OSPFv3 process 1 and enable GR.
[Router_1] ospfv3 1
[Router_1-ospfv3-1] router-id 2.2.2.11
[Router_1-ospfv3-1] bandwidth-reference 1000000
[Router_1-ospfv3-1] ipsec sa area0
[Router_1-ospfv3-1] graceful-restart
[Router_1-ospfv3-1] quit

# Enable OSPFv2 and OSPFv3 on loopback 0.
[Router_1] interface LoopBack 0
[Router_1-LoopBack0] ospf enable 1 area 0.0.0.0
[Router_1-LoopBack0] ospfv3 1 area 0.0.0.0
[Router_1-LoopBack0] quit

# Enable OSPFv2 and OSPFv3 on XGE0/0/1, set the network type to P2P, and set
the OSPF cost value to implement route backup.
[Router_1] interface XGigabitEthernet0/0/1
[Router_1-XGigabitEthernet0/0/1] ospf enable 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/1] ospf network-type p2p
[Router_1-XGigabitEthernet0/0/1] ospf cost 2000
[Router_1-XGigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/1] ospfv3 network-type p2p
[Router_1-XGigabitEthernet0/0/1] ospfv3 cost 2000
[Router_1-XGigabitEthernet0/0/1] quit

# Enable OSPFv2 and OSPFv3 on XGE0/0/2, set the network type to P2P, and set
the OSPF cost value to implement route backup.
[Router_1] interface XGigabitEthernet0/0/2
[Router_1-XGigabitEthernet0/0/2] ospf enable 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/2] ospf network-type p2p
[Router_1-XGigabitEthernet0/0/2] ospf cost 2050
[Router_1-XGigabitEthernet0/0/2] ospfv3 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/2] ospfv3 network-type p2p
[Router_1-XGigabitEthernet0/0/2] ospfv3 cost 2050
[Router_1-XGigabitEthernet0/0/2] quit
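The cost values in Step 2 (2000 on the link to S12700E-4_P1, 2050 on the link to S12700E-4_P2, together with the 500 and 1000 costs on the Eth-Trunks between the P devices that appear in the configuration files) decide which path OSPF installs and which one only takes over after a failure. The following Python script is an added example, not part of this Huawei document: it builds the cost graph from the values on this page (P1 to P4 abbreviate S12700E-4_P1 to S12700E-4_P4) and runs Dijkstra's shortest-path-first computation, the same algorithm OSPF runs on its link-state database, first on the intact topology and then with the Router_1 to P1 link removed, so the primary path and the backup path can be read off directly.

```python
"""Shortest-path-first over this deployment's OSPF costs. Added example, not
part of the Huawei document; P1..P4 abbreviate S12700E-4_P1..S12700E-4_P4."""
import heapq

# Link costs copied from the interface 'ospf cost' values on this page. Both
# ends of every link carry the same cost, so the graph is undirected.
LINKS = [
    ("Router_1", "P1", 2000), ("Router_1", "P2", 2050),   # Router_1 XGE0/0/1, XGE0/0/2
    ("P1", "P2", 500), ("P3", "P4", 500),                 # Eth-Trunk0 on each P pair
    ("P1", "P3", 1000), ("P2", "P4", 1000),               # Eth-Trunk1
    ("P1", "RR_1", 2000), ("P2", "RR_1", 2000),           # VLANIF 3900 / 3940
    ("P3", "RR_2", 2000), ("P4", "RR_2", 2000),
    ("P3", "Router_2", 2000), ("P4", "Router_2", 2050),   # Router_2 XGE0/0/1, XGE0/0/2
]


def build_graph(links, down=()):
    """Adjacency map; 'down' lists (a, b) links to leave out, in either order."""
    graph = {}
    for a, b, cost in links:
        if (a, b) in down or (b, a) in down:
            continue
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra: returns (total cost, [hops]) or (None, []) if dst is unreachable."""
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                      # stale queue entry, a shorter path was found
        if node == dst:
            break
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def primary_and_backup(src, dst):
    """Shortest path on the intact graph, then again with its first link failed."""
    cost, path = shortest_path(build_graph(LINKS), src, dst)
    failed = (path[0], path[1])
    backup = shortest_path(build_graph(LINKS, down=[failed]), src, dst)
    return (cost, path), backup


if __name__ == "__main__":
    (c1, p1), (c2, p2) = primary_and_backup("Router_1", "Router_2")
    print("primary:", c1, " -> ".join(p1))
    print("backup :", c2, " -> ".join(p2))
```

With the page's values the intact topology carries Router_1 to Router_2 traffic over P1 and P3 at a total cost of 5000; when the Router_1 to P1 link fails the path through P2 and P4 (cost 5100) takes over, which is exactly the primary/backup split the 2000 versus 2050 costs were chosen to produce.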

Step 3 Configure BGP and BGP4+, and configure Router_1 to establish an IBGP peer
relationship with RR_1.
# Start the BGP process and configure BGP peers.
[Router_1] bgp 64999
[Router_1-bgp] router-id 2.2.2.11
[Router_1-bgp] graceful-restart
[Router_1-bgp] group iBGP internal
[Router_1-bgp] peer iBGP connect-interface LoopBack0
[Router_1-bgp] peer iBGP password cipher huawei@123
[Router_1-bgp] peer 2.2.2.57 as-number 64999
[Router_1-bgp] peer 2.2.2.57 group iBGP
[Router_1-bgp] ipv4-family unicast
[Router_1-bgp-af-ipv4] peer iBGP enable
[Router_1-bgp-af-ipv4] peer iBGP next-hop-local
[Router_1-bgp-af-ipv4] peer iBGP advertise-community
[Router_1-bgp-af-ipv4] quit

# Configure BGP4+ peers.
[Router_1-bgp] peer 2001::17 as-number 64999
[Router_1-bgp] peer 2001::17 group iBGP
[Router_1-bgp] ipv6-family unicast
[Router_1-bgp-af-ipv6] peer iBGP enable
[Router_1-bgp-af-ipv6] peer iBGP next-hop-local
[Router_1-bgp-af-ipv6] peer iBGP advertise-community
[Router_1-bgp-af-ipv6] peer 2001::17 group iBGP
[Router_1-bgp-af-ipv6] quit
[Router_1-bgp] quit

Step 4 Configure EBGP on Router_1, and configure Router_1 to establish an EBGP peer
relationship with the user gateway at site A. The user gateway learns routes of site
A and imports the routes to the backbone area. In this manner, the two sites can
communicate with each other. Assume that Router_1 is connected to the user
gateway through XGE0/0/3.
# Create VLAN 1101, configure an IPv4 address and an IPv6 address for VLANIF 1101, and add XGE0/0/3 to VLAN 1101 as a trunk port.
[Router_1] vlan 1101
[Router_1-vlan1101] quit
[Router_1] interface Vlanif 1101
[Router_1-Vlanif1101] ip address 101.1.1.2 255.255.255.0
[Router_1-Vlanif1101] ipv6 enable
[Router_1-Vlanif1101] ipv6 address 2000:101::1/64
[Router_1-Vlanif1101] quit
[Router_1] interface XGigabitEthernet0/0/3
[Router_1-XGigabitEthernet0/0/3] port link-type trunk
[Router_1-XGigabitEthernet0/0/3] port trunk allow-pass vlan 1101
[Router_1-XGigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[Router_1-XGigabitEthernet0/0/3] quit

# Configure EBGP peers. Assume that the IPv4 and IPv6 addresses of the user
gateway are 101.1.1.1 and 2000:101::2, respectively.
[Router_1] bgp 64999
[Router_1-bgp] peer 101.1.1.1 as-number 100
[Router_1-bgp] peer 2000:101::2 as-number 100
[Router_1-bgp] ipv6-family unicast
[Router_1-bgp-af-ipv6] peer 2000:101::2 enable
[Router_1-bgp-af-ipv6] quit
[Router_1-bgp] quit

----End

9.6.5 Verifying the Deployment


● Connect testers to the internal networks of site A and site B respectively to
simulate users at the two sites, and ping each other. Verify that the ping
operations are successful.

9.6.6 Configuration Files


S12700E-4_P1
#
sysname S12700E-4_P1
#
ipv6
#
vlan batch 3900
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.9
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.2.1 255.255.255.252
 ipv6 address 2001:0:0:3B0::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P2
 ipv6 enable
 ip address 1.1.1.13 255.255.255.252
 ipv6 address 2001:0:0:20A::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P3
 ipv6 enable
 ip address 1.1.1.2 255.255.255.252
 ipv6 address 2001:0:0:209::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_1
 ipv6 enable
 ip address 1.1.1.129 255.255.255.252
 ipv6 address 2001:0:0:20E::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.9 255.255.255.255
 ipv6 address 2001::13/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.9
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.9
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3900
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

S12700E-4_P2
#
sysname S12700E-4_P2
#
ipv6
#
vlan batch 3940
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.10
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.2.5 255.255.255.252
 ipv6 address 2001:0:0:3D0::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P1
 ipv6 enable
 ip address 1.1.1.14 255.255.255.252
 ipv6 address 2001:0:0:20A::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P4
 ipv6 enable
 ip address 1.1.1.6 255.255.255.252
 ipv6 address 2001:0:0:20B::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_1
 ipv6 enable
 ip address 1.1.1.133 255.255.255.252
 ipv6 address 2001:0:0:20F::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.10 255.255.255.255
 ipv6 address 2001::14/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.10
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.10
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3940
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

S12700E-4_P3
#
sysname S12700E-4_P3
#
ipv6
#
vlan batch 3900
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.3
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.4.1 255.255.255.252
 ipv6 address 2001:0:0:330::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P4
 ipv6 enable
 ip address 1.1.1.9 255.255.255.252
 ipv6 address 2001:0:0:208::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P1
 ipv6 enable
 ip address 1.1.1.1 255.255.255.252
 ipv6 address 2001:0:0:209::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_2
 ipv6 enable
 ip address 1.1.1.121 255.255.255.252
 ipv6 address 2001:0:0:20C::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.3 255.255.255.255
 ipv6 address 2001::11/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.3
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.3
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3900
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

S12700E-4_P4
#
sysname S12700E-4_P4
#
ipv6
#
vlan batch 3940
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.4
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.4.5 255.255.255.252
 ipv6 address 2001:0:0:430::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P3
 ipv6 enable
 ip address 1.1.1.10 255.255.255.252
 ipv6 address 2001:0:0:208::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P2
 ipv6 enable
 ip address 1.1.1.5 255.255.255.252
 ipv6 address 2001:0:0:20B::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_2
 ipv6 enable
 ip address 1.1.1.125 255.255.255.252
 ipv6 address 2001:0:0:20D::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.4 255.255.255.255
 ipv6 address 2001::12/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.4
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.4
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3940
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

RR_1
#
sysname RR_1
#
ipv6
#
vlan batch 3900 3940
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.57
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.2.2 255.255.255.252
 ipv6 address 2001:0:0:3B0::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.2.6 255.255.255.252
 ipv6 address 2001:0:0:3D0::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 description To_S12700E-4_P1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface Eth-Trunk1
 description To_S12700E-4_P2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.57 255.255.255.255
 ipv6 address 2001::17/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.57
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.9 as-number 64999
 peer 2.2.2.9 group iBGP
 peer 2.2.2.10 as-number 64999
 peer 2.2.2.10 group iBGP
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::13 as-number 64999
 peer 2001::13 group iBGP
 peer 2001::14 as-number 64999
 peer 2001::14 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.9 enable
  peer 2.2.2.9 group iBGP
  peer 2.2.2.9 reflect-client
  peer 2.2.2.10 enable
  peer 2.2.2.10 group iBGP
  peer 2.2.2.10 reflect-client
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
  peer 2.2.2.55 reflect-client
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::13 group iBGP
  peer 2001::13 reflect-client
  peer 2001::14 group iBGP
  peer 2001::14 reflect-client
  peer 2001::15 group iBGP
  peer 2001::15 reflect-client
#
ospf 1 router-id 2.2.2.57
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

RR_2
#
sysname RR_2
#
ipv6
#
vlan batch 3900 3940
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.55
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.4.2 255.255.255.252
 ipv6 address 2001:0:0:330::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.4.6 255.255.255.252
 ipv6 address 2001:0:0:430::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 description To_S12700E-4_P3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface Eth-Trunk1
 description To_S12700E-4_P4
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet4/0/0
 eth-trunk 0
#
interface XGigabitEthernet4/0/1
 eth-trunk 1
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.55 255.255.255.255
 ipv6 address 2001::15/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.55
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.3 as-number 64999
 peer 2.2.2.3 group iBGP
 peer 2.2.2.4 as-number 64999
 peer 2.2.2.4 group iBGP
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::11 as-number 64999
 peer 2001::11 group iBGP
 peer 2001::12 as-number 64999
 peer 2001::12 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.3 enable
  peer 2.2.2.3 group iBGP
  peer 2.2.2.3 reflect-client
  peer 2.2.2.4 enable
  peer 2.2.2.4 group iBGP
  peer 2.2.2.4 reflect-client
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
  peer 2.2.2.57 reflect-client
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::11 group iBGP
  peer 2001::11 reflect-client
  peer 2001::12 group iBGP
  peer 2001::12 reflect-client
  peer 2001::17 group iBGP
  peer 2001::17 reflect-client
#
ospf 1 router-id 2.2.2.55
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

Router_1
#
sysname Router_1
#
ipv6
#
vlan batch 1101
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.11
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif1101
 ipv6 enable
 ip address 101.1.1.2 255.255.255.0
 ipv6 address 2000:101::1/64
#
interface XGigabitEthernet0/0/1
 undo portswitch
 description To_S12700E-4_P1
 ipv6 enable
 ip address 1.1.1.130 255.255.255.252
 ipv6 address 2001:0:0:20E::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/2
 undo portswitch
 description To_S12700E-4_P2
 ipv6 enable
 ip address 1.1.1.134 255.255.255.252
 ipv6 address 2001:0:0:20F::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 1101
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.11 255.255.255.255
 ipv6 address 2001:F167::1/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.11
 graceful-restart
 peer 101.1.1.1 as-number 100
 peer 2000:101::2 as-number 100
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer 101.1.1.1 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer 2000:101::2 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.11
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return

Router_2
#
sysname Router_2
#
ipv6
#
vlan batch 1101
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.1
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif1101
 ipv6 enable
 ip address 100.1.1.2 255.255.255.0
 ipv6 address 1000:101::1/64
#
interface XGigabitEthernet0/0/1
 undo portswitch
 description To_S12700E-4_P3
 ipv6 enable
 ip address 1.1.1.122 255.255.255.252
 ipv6 address 2001:0:0:20C::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/2
 undo portswitch
 description To_S12700E-4_P4
 ipv6 enable
 ip address 1.1.1.126 255.255.255.252
 ipv6 address 2001:0:0:20D::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 1101
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.1 255.255.255.255
 ipv6 address 2001:F168::1/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.1
 graceful-restart
 peer 100.1.1.2 as-number 100
 peer 2000:101::3 as-number 100
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer 101.1.1.2 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer 2000:101::3 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.1
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
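The Router_1 and Router_2 configurations above protect the control plane with AH/MD5 for OSPFv3, MD5 area authentication for OSPF, and a password on the iBGP peer group. As an added audit example (not part of the Huawei document), the script below parses a VRP-style configuration and reports which of those protections rely on MD5 and which BGP peers carry no password; the SAMPLE text, PLACEHOLDER cipher value and function names are constructed for this example.

```python
import re

# Constructed sample in the style of the Router_1 configuration above; the
# cipher blobs are replaced by a placeholder.
SAMPLE = """\
#
ipsec proposal 1
 transform ah
 ah authentication-algorithm md5
#
bgp 64999
 peer 101.1.1.1 as-number 100
 peer 2000:101::2 as-number 100
 group iBGP internal
 peer iBGP password cipher %^%#PLACEHOLDER%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
#
ospf 1 router-id 2.2.2.11
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#PLACEHOLDER%^%#
#
"""

def parse_blocks(text):
    """Split a VRP-style config into (header, child_lines); a '#' line ends a block."""
    blocks = []
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip() not in ("", "return")]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def audit(text):
    """Return findings about control-plane authentication in the config."""
    findings = []
    for header, lines in parse_blocks(text):
        body = "\n".join(lines)
        if header.startswith("ipsec proposal") and {"transform ah", "ah authentication-algorithm md5"} <= set(lines):
            findings.append(f"{header}: AH integrity relies on MD5")
        elif header.startswith("ospf ") and "authentication-mode md5" in body:
            findings.append(f"{header}: area authentication relies on MD5")
        elif header.startswith("bgp "):
            local_as = header.split()[1]
            protected = set(re.findall(r"^peer (\S+) password", body, re.M))  # peers or groups with a password
            group_of = dict(re.findall(r"^peer (\S+) group (\S+)$", body, re.M))
            for peer, asn in re.findall(r"^peer (\S+) as-number (\d+)$", body, re.M):
                if peer not in protected and group_of.get(peer) not in protected:
                    kind = "iBGP" if asn == local_as else "eBGP"
                    findings.append(f"{header}: {kind} peer {peer} has no password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The iBGP peer is covered by the group password and is not reported; the two eBGP peers have no password line in the excerpt and are.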
