Professional Documents
Culture Documents
Configuration Examples
Issue 01
Date 2020-06-04
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://e.huawei.com
Intended Audience
This document is intended for network engineers responsible for switch
configuration and management. You should be familiar with basic Ethernet
knowledge and have extensive experience in network deployment and
management.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as
follows.
Convention Description
Security Conventions
● Password setting
– To ensure device security, use ciphertext when configuring a password
and change the password periodically.
– The switch considers all passwords starting and ending with %^%#, %#%#,
%@%@ or @%@% as ciphertext and attempts to decrypt them. If you configure
a plaintext password that starts and ends with %^%#, %#%#, %@%@ or @%@%,
the switch decrypts it and records it into the configuration file
(plaintext passwords are not recorded for the sake of security). Therefore,
do not set a password starting and ending with %^%#, %#%#, %@%@ or @%@%.
– When you configure passwords in ciphertext, different features must use
different ciphertext passwords. For example, the ciphertext password set
for the AAA feature cannot be used for other features.
● Encryption algorithms
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5 algorithms.
3DES, RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are
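The password conventions above give a rule that is easy to get wrong when passwords are generated or templated: a plaintext value that both starts and ends with one of the marker pairs is taken for ciphertext, and the same value must not be shared across features. The following script, an added example and not part of the Huawei document, vets a planned set of passwords against both points before they are typed into the switch. The marker list comes from the text above; treating any start marker combined with any end marker as a hit is an assumption made here so that the check errs on the side of flagging.

```python
# Added example (not from the Huawei document): pre-deployment check that a
# planned plaintext password would not be mistaken for ciphertext by the switch,
# and that no password value is shared across features.

# Marker pairs the switch treats as ciphertext delimiters, as listed in the
# Security Conventions above.
CIPHERTEXT_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def looks_like_ciphertext(password: str) -> bool:
    """True if the switch would treat the string as ciphertext, i.e. it both
    starts and ends with a marker pair. Deliberately conservative: any marker
    at the start combined with any marker at the end is flagged (assumption;
    the document does not say whether both ends must carry the same marker)."""
    starts = any(password.startswith(m) for m in CIPHERTEXT_MARKERS)
    ends = any(password.endswith(m) for m in CIPHERTEXT_MARKERS)
    return starts and ends


def audit_password_plan(plan: dict) -> list:
    """plan maps a feature name (e.g. 'aaa', 'snmp') to the password planned
    for it. Returns (feature, problem) pairs for values that would be read as
    ciphertext and for values reused by more than one feature."""
    findings = []
    first_use = {}
    for feature, password in plan.items():
        if looks_like_ciphertext(password):
            findings.append((feature, "starts and ends with a ciphertext marker; "
                                      "the switch would try to decrypt it"))
        if password in first_use:
            findings.append((feature, f"reuses the password of feature '{first_use[password]}'"))
        else:
            first_use[password] = feature
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one reused value and one marker-wrapped value.
    sample_plan = {
        "aaa": "Huawei@2020!",
        "snmp": "Huawei@2020!",
        "ssh": "%#%#Secret%#%#",
    }
    for feature, problem in audit_password_plan(sample_plan):
        print(f"{feature}: {problem}")
```

Run it against the password section of a deployment plan before the change window; a hit on the marker rule means the value would be decrypted and written to the configuration file, and a hit on the reuse rule means one leaked ciphertext would expose more than one feature.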
Disclaimer
● This document is designed as a reference for you to configure your devices. Its
contents, including web pages, command line input and output, are based on
laboratory conditions. It provides instructions for general scenarios, but does
not cover all use cases of all product models. The examples given may differ
from your use case due to differences in software versions, models, and
configuration files. When configuring your device, alter the configuration
depending on your use case.
● The specifications provided in this document are tested in a lab environment
(for example, a certain type of card has been installed on the tested device
or only one protocol is run on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values with multiple
functions enabled on the device.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
This document provides typical campus network networking modes and a variety
of function-centered deployment examples, allowing you to quickly find
deployment examples of specific features and flexibly combine different
deployment modes based on your networking requirements. This document also
provides end-to-end scenario-tailored deployment practices for your reference,
facilitating network deployment according to the network design solution.
The following table describes the chapters in this document.
● For typical configuration examples of switch features, such as stacking, cluster switch
system (CSS), super virtual fabric (SVF), device login, upgrade, and access control list
(ACL), see S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical
Configuration Examples.
● For details about configuration examples of features, such as Virtual Extensible LAN
(VXLAN), hierarchical quality of service (HQoS), and cloud-based management, used in
solutions, see CloudCampus Solution Typical Configuration Examples.
and communicate with each other. Network connectivity deployment is the basis
of campus network construction.
Based on the services and scale of the campus network, the network connectivity
deployment on the campus network has the following key points:
Deployment Description
● There are two-layer and three-layer network architectures. Compared with the
three-layer architecture, the two-layer architecture does not have the
aggregation layer. This chapter uses the three-layer architecture as an
example. For differences between the two architectures, see 3.2 Deployment
Differences Between Two-Layer and Three-Layer Network Architectures.
● Multiple switches configured with the CSS or stacking function are virtualized
into one logical switch, simplifying the configuration and networking. For a
deployment example, see 3.4 Typical CSS and Stack Deployment.
● An ACU2 is an AC card that can be deployed in the same way as a standalone
AC. The only difference is that internal interconnection interfaces need to be
configured between an ACU2 and a modular switch. For details about the
deployment differences, see 3.3 Deployment Differences Between a
Standalone AC and an ACU2.
● The wireless network deployment examples described in this chapter apply to
common and high-density WLAN scenarios. For details about wireless
network deployment examples in agile distributed Wi-Fi and WDS backhaul
scenarios, see 5 Wireless Coverage Deployment.
[Figure: two-layer network architecture (core layer: CSS; access layer) and three-layer network architecture (core layer: CSS; aggregation layer: stack; access layer)]
Deployment Differences
The difference between the two network architectures is that the three-layer
network architecture has the aggregation layer, whereas the two-layer network
architecture does not have the layer. The aggregation layer is between the core
and access layers and connects to both layers. Aggregation switches aggregate
traffic from access switches, process the traffic, and provide uplinks to the core
layer.
The selection of the two network architectures depends on the following factors:
1. Network scale: For example, the number of NEs is related to the investment
cost.
2. Network complexity: The network maintenance cost and fault locating
complexity vary depending on the network complexity. The more complex the
network is and the more failure points are, the more difficult fault locating is
and the higher the maintenance cost is.
3. Transmission distance: A network using the three-layer architecture is larger
than a network using the two-layer architecture when the differences
between transmission media are not considered.
In general, the two-layer network architecture is applicable to small-scale
campuses because it is simple and contains a small number of NEs, and a network
constructed using this architecture has fewer failure points. The three-layer
network architecture is applicable to large-scale campuses because it is complex
and contains a large number of NEs, and a network constructed using this
architecture has more failure points.
The two-layer network architecture is usually used in actual deployment. If the
transmission distance is short and access devices can be directly connected to core
devices that provide enough interfaces, the aggregation layer can be omitted,
which is a common practice. This reduces the total cost and maintenance
workload, and facilitates network status monitoring.
The switch is connected to the ACU2 through XGE1/0/1 and XGE1/0/2, in which the first
digit 1 indicates the slot ID of the ACU2 on the switch. XGE1/0/1 indicates that the ACU2 is
installed in slot 1 of the switch. If the ACU2 is installed in slot 2 of the switch, the switch is
connected to the ACU2 through XGE2/0/1 and XGE2/0/2.
Switch interface    ACU2 interface
XGE1/0/1            XGE0/0/1
XGE1/0/2            XGE0/0/2
To increase the link bandwidth and improve the link reliability between the ACU2
and the switch, add the XGE interfaces connecting the ACU2 and the switch to
Eth-Trunk interfaces. Otherwise, only XGE0/0/1 on the ACU2 can be used, and
XGE0/0/2 remains Down.
Procedure
● Configure the ACU2.
● After you run the connect slot command, the command output varies according to
the version. Perform operations as prompted.
● To log in to the ACU2 on the standby switch in a CSS, run the local-telnet
command on the MPU of the master switch to log in to the standby switch, and
then run the connect slot command to log in to the ACU2.
<HUAWEI> connect slot 1
******************************************************
* Slot 1 output to mainboard *
******************************************************
Press Ctrl+D to quit
//Press Enter. The system redirects you to the console interface of the ACU2 to log in to the
ACU2.
<ACU2> system-view
[ACU2] vlan batch 100 101 //In this example, assume that the management VLAN is VLAN 100 and
the service VLAN is VLAN 101.
[ACU2] interface eth-trunk 0
[ACU2-Eth-Trunk0] port link-type trunk
[ACU2-Eth-Trunk0] port trunk allow-pass vlan 100 101
[ACU2-Eth-Trunk0] trunkport xgigabitethernet 0/0/1 0/0/2
[ACU2-Eth-Trunk0] quit
//Press Ctrl+D to log out of the ACU2.
[Figure: CORE (CSS) at the core layer; XGE1/2/0/1 connects to the server zone (including RADIUS and DNS servers); Eth-Trunk 10 uses XGE1/1/0/1 and XGE2/1/0/2; Eth-Trunk 20 uses XGE1/1/0/2 and XGE2/1/0/1]
The stack connection mode, CSS connection mode, and support for the stacking and CSS
functions vary according to device models. You can use the Stack & SVF Assistant or query
Stack Support and Version Requirements and Licensing Requirements and Limitations
for CSS to obtain detailed information about each device model.
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Table 3-1 Software and hardware configuration plan for the CSS
Item                       Data
Number of member switches  2
CSS master                 The switch with the CSS ID 1 is the CSS master.
CSS priority               The CSS priority of the switch with the CSS ID 1 is 150.
                           The switch with the CSS ID 2 uses the default CSS priority 1.
MAD                        The two member switches in the CSS are directly connected
                           using an independent cable for MAD. The cable connects
                           XGE1/1/0/10 and XGE2/1/0/10.

Item                       Data
Number of member switches  2
Stack master               Change the stack IDs of the two member switches to 0 and
                           1 respectively. The switch with the stack ID 0 is the master
                           switch.
Stack priority             The stack priority of the switch with the stack ID 0 is 150.
                           The switch with the stack ID 1 uses the default stack
                           priority 100.

Table 3-3 Plan for the connections between CSS and stack interfaces
Item                       Interface Number
Procedure
Step 1 Set up a CSS.
1. Power off the switches, install service cards, and connect CSS cables and the
MAD cable according to the following figure.
[Switch1] set css priority 150 //Set the CSS priority of Switch1 to 150.
[Switch1] interface css-port 1
[Switch1-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch1-css-port1] quit
[Switch1] interface css-port 2
[Switch1-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch1-css-port2] quit
[Switch1] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off LPU 150 Off
[Switch1] css enable //After confirming that the CSS configuration is correct, enable the CSS
function and restart the switch. To ensure that Switch1 becomes the master switch, restart it first.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] set css id 2 //Set the CSS ID to 2. Retain the default CSS priority of Switch2.
[Switch2] interface css-port 1
[Switch2-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch2-css-port1] quit
[Switch2] interface css-port 2
[Switch2-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch2-css-port2] quit
[Switch2] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off LPU 1 Off
[Switch2] css enable //After confirming that the CSS configuration is correct, enable the CSS
function and restart the switch.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
3. After the switches are restarted, check whether the CSS is set up successfully.
# Check the CSS status by observing CSS indicators on MPUs of the switches.
The ACT indicator on an MPU of Switch1 is steady on, indicating that the
MPU is the CSS master MPU and Switch1 is the master switch.
The ACT indicator on an MPU of Switch2 is blinking green, indicating that the
MPU is the CSS standby MPU and Switch2 is the standby switch.
# Log in to the CSS through the console interface on any MPU and run the
following commands to check whether the CSS is set up successfully.
Switch1 with a higher CSS priority becomes the master switch of the CSS.
When you run the display device command to check the CSS status, the CSS
name is Switch1.
<Switch1> display device
Chassis 1 (Master Switch)
S12700E-8's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - LST7X24BX6E0 Present PowerOn Registered Normal NA
2 - LST7X24BX6E0 Present PowerOn Registered Normal NA
3 - - Present PowerOn Unregistered - NA
9 - LST7MPUE0000 Present PowerOn Registered Normal Master
10 - LST7MPUE0000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12700E-8's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/4/0/1 XGigabitEthernet2/4/0/1 2/1
2 1/1 XGigabitEthernet1/4/0/2 XGigabitEthernet2/4/0/2 2/1
3 1/2 XGigabitEthernet1/5/0/1 XGigabitEthernet2/5/0/1 2/2
4 1/2 XGigabitEthernet1/5/0/2 XGigabitEthernet2/5/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/4/0/1 XGigabitEthernet1/4/0/1 1/1
2 2/1 XGigabitEthernet2/4/0/2 XGigabitEthernet1/4/0/2 1/1
3 2/2 XGigabitEthernet2/5/0/1 XGigabitEthernet1/5/0/1 1/2
4 2/2 XGigabitEthernet2/5/0/2 XGigabitEthernet1/5/0/2 1/2
<Switch1> system-view
[Switch1] sysname CORE //Change the CSS name to make it easy to remember.
2. Power off the switches, and connect stack cables and the MAD cable
according to the following figure.
As shown in Figure 3-6, two S5720-56C-HI-AC switches set up a stack, and
the stack interfaces are the same as the interfaces configured in the preceding
step.
[Figure 3-6: front panels of Switch1 and Switch2 (S5720-56C-HI) with the stack cable connections on the 10G/1G ports]
3. After the switches are restarted, check whether the stack is set up successfully.
<Switch1> display stack //The command output shows that the stack is set up successfully, and
Switch1 is the master switch.
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: 0018-82d2-2e85
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master 0018-82d2-2e85 150 S5720-56C-HI-AC
1 Standby 0018-82c6-1f44 100 S5720-56C-HI-AC
<Switch1> system-view
[Switch1] sysname AGG1 //Change the stack name to one that is easier to remember.
Step 3 Configure Eth-Trunk interfaces between the CSS and stacks and between the
stacks and access switches.
1. Configure Eth-Trunk interfaces in the CSS.
<CORE> system-view
[CORE] interface eth-trunk 10 //Create an Eth-Trunk interface for connecting to AGG1.
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
[CORE] interface eth-trunk 20 //Create an Eth-Trunk interface for connecting to AGG2.
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 1/1/0/2
[CORE-XGigabitEthernet1/1/0/2] eth-trunk 20
[CORE-XGigabitEthernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1
[CORE-XGigabitEthernet2/1/0/1] eth-trunk 20
[CORE-XGigabitEthernet2/1/0/1] quit
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitethernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitethernet 1/0/1
[AGG1-XGigabitEthernet1/0/1] eth-trunk 10
[AGG1-XGigabitEthernet1/0/1] quit
[AGG1] interface eth-trunk 30 //Create an Eth-Trunk interface for connecting to access switch ACC1.
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] quit
[AGG1] interface gigabitethernet 0/0/3
[AGG1-GigabitEthernet0/0/3] eth-trunk 30
[AGG1-GigabitEthernet0/0/3] quit
[AGG1] interface gigabitethernet 1/0/3
[AGG1-GigabitEthernet1/0/3] eth-trunk 30
[AGG1-GigabitEthernet1/0/3] quit
----End
Configuration Scripts
The CSS and stack configurations are not recorded in the configuration file, but are instead
directly written into the flash memory. Therefore, the configuration file does not contain
the CSS and stack configurations, and contains only the MAD and Eth-Trunk interface
configurations.
● CSS configuration file
#
sysname CORE
#
interface Eth-Trunk10
mode lacp
#
interface Eth-Trunk20
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return
Figure 3-7 Core switches functioning as the gateway for wired and wireless users
[Figure 3-7: CORE (CSS) at the core layer; XGE1/2/0/1 connects to the server zone (including RADIUS and DNS servers); Eth-Trunk 10 uses XGE1/1/0/1 and XGE2/1/0/2; Eth-Trunk 20 uses XGE1/1/0/2 and XGE2/1/0/1]
Aggregation layer: S5731-H
Access layer: S5735-L
AP: AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Item Data
AP group ap-group1
Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
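The three precautions above can be checked mechanically against a saved configuration file of the form shown in the Configuration Files section of this chapter. The script below is an added example, not part of the Huawei document or its products: it splits the file into the "#"-delimited blocks used by VRP, flags trunk interfaces that still allow VLAN 1 (the default unless "undo port trunk allow-pass vlan 1" is present) or that allow all VLANs, and reports any tunnel-mode VAP whose service VLAN equals the management VLAN taken from "capwap source interface". The sample configuration is constructed for the example and deliberately contains two problems; the interface name GigabitEthernet0/0/5 is made up.

```python
import re

# Added example (not from the Huawei document): audit a VRP-style configuration
# file against the deployment precautions. The sample is constructed and has
# two deliberate problems: Eth-Trunk20 still carries VLAN 1, and vap2 uses the
# management VLAN (20) as its tunnel-mode service VLAN.
SAMPLE_CONFIG = """\
#
sysname CORE
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
#
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan 20 60
#
interface GigabitEthernet0/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan all
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 20
#
return
"""


def parse_blocks(config: str) -> list:
    """Split the file into '#'-delimited blocks of stripped, non-empty lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_trunks(config: str) -> list:
    """(interface, problem) for trunks that still carry VLAN 1 or allow all VLANs."""
    findings = []
    for block in parse_blocks(config):
        if not block[0].startswith("interface ") or "port link-type trunk" not in block:
            continue
        name = block[0].split(None, 1)[1]
        if "undo port trunk allow-pass vlan 1" not in block:
            findings.append((name, "VLAN 1 is still allowed on the trunk"))
        if "port trunk allow-pass vlan all" in block:
            findings.append((name, "trunk allows all VLANs"))
    return findings


def management_vlan(config: str):
    """VLAN of the CAPWAP source VLANIF (the management VLAN), or None."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", config, re.M | re.I)
    return int(m.group(1)) if m else None


def tunnel_service_vlans(config: str) -> dict:
    """VAP profile name -> service VLAN, for profiles in tunnel forwarding mode."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vap-profile name "):
            current = line.split()[-1]
            profiles[current] = {"tunnel": False, "vlan": None}
        elif current is None:
            continue
        elif line == "forward-mode tunnel":
            profiles[current]["tunnel"] = True
        elif line.startswith("service-vlan vlan-id "):
            profiles[current]["vlan"] = int(line.split()[-1])
    return {n: p["vlan"] for n, p in profiles.items()
            if p["tunnel"] and p["vlan"] is not None}


def audit_management_vs_service(config: str) -> list:
    """(vap profile, problem) where a tunnel-mode service VLAN equals the
    management VLAN, which the precautions say causes MAC address flapping."""
    mgmt = management_vlan(config)
    if mgmt is None:
        return []
    return [(name, f"tunnel-mode service VLAN {vlan} equals management VLAN {mgmt}")
            for name, vlan in tunnel_service_vlans(config).items() if vlan == mgmt]


def audit(config: str) -> list:
    return audit_trunks(config) + audit_management_vs_service(config)


if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG):
        print(f"{where}: {problem}")
```

Feed it the output of display current-configuration saved to a file; the trunk check is only meaningful for interfaces in trunk mode, so access ports (such as the edge ports configured on ACC1 below) are skipped.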
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on core switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 50
Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50
# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type access
[ACC1-GigabitEthernet0/0/4] port default vlan 20
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit
Step 5 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
[CORE-Vlanif40] quit
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif60] quit
# Create an AP group to add APs with the same configurations to the AP group.
[CORE] wlan
[CORE-wlan-view] ap-group name ap-group1
[CORE-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-wlan-view] regulatory-domain-profile name domain1
[CORE-wlan-regulate-domain-domain1] country-code cn
[CORE-wlan-regulate-domain-domain1] quit
[CORE-wlan-view] ap-group name ap-group1
[CORE-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-ap-group1] quit
# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-wlan-ap-1] ap-name area_1
[CORE-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-1] quit
[CORE-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-wlan-ap-2] ap-name area_2
[CORE-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
# After powering on the APs, run the display ap all command on CORE to check
the AP running status. The command output shows that the State field displays
nor, indicating that the APs are in normal state.
[CORE] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.220 AP6050DN nor 0 58S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.163 AP6050DN nor 0 1M:40S -
------------------------------------------------------------------------------------------------------
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-wlan-vap-prof-vap1] security-profile sec1
[CORE-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
----End
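The notes above say that the IP packet check (ip source check user-bind enable) and the ARP check (arp anti-attack check user-bind enable) are driven by binding entries, which is why DHCP users need DHCP snooping and static-IP users need manually configured static entries. The following model, an added example that is not part of the Huawei document and does not reproduce the switch's implementation, walks through exactly that: a dynamic entry is learned from a DHCP lease, the client's own traffic passes, a different MAC claiming the same IP is dropped by the ARP check, a fixed-IP client is dropped until a static entry is added. The STA IP and MAC at 172.16.30.180 are the ones in the display station output of this chapter; the other MAC addresses and the interface label "vap1" are constructed.

```python
from dataclasses import dataclass


# Added example (not from the Huawei document): a model of the binding-entry
# checks behind 'ip source check user-bind enable' (IPSG) and
# 'arp anti-attack check user-bind enable' (DAI).
@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    source: str  # "dhcp-snooping" (dynamic) or "static"


class BindingTable:
    """Binding entries keyed by (IP address, VLAN)."""

    def __init__(self):
        self._entries = {}

    def learn_from_dhcp_ack(self, ip, mac, vlan, interface):
        """Dynamic entry, created when DHCP snooping sees the server's ACK."""
        self._entries[(ip, vlan)] = Binding(ip, mac, vlan, interface, "dhcp-snooping")

    def add_static(self, ip, mac, vlan, interface):
        """Static entry configured by the administrator for a fixed-IP user."""
        self._entries[(ip, vlan)] = Binding(ip, mac, vlan, interface, "static")

    def lookup(self, ip, vlan):
        return self._entries.get((ip, vlan))


def check_packet(table, kind, ip, mac, vlan, interface):
    """Verdict for an IP packet (kind='IPSG', source IP/MAC) or an ARP packet
    (kind='DAI', sender IP/MAC). Returns (permit, reason); the reason is what
    a defender wants to see in the drop log."""
    b = table.lookup(ip, vlan)
    if b is None:
        return False, f"{kind}: no binding for {ip} in VLAN {vlan} (no DHCP lease seen and no static entry)"
    if b.mac != mac:
        return False, f"{kind}: {ip} is bound to {b.mac} but packet came from {mac} (possible spoofing)"
    if b.interface != interface:
        return False, f"{kind}: {ip} is bound to {b.interface} but packet arrived on {interface}"
    return True, f"{kind}: matches {b.source} binding"


def run_scenario():
    """Constructed walk-through; returns the verdicts in order."""
    table = BindingTable()
    # 1. DHCP snooping sees the lease for the wireless STA in service VLAN 30.
    table.learn_from_dhcp_ack("172.16.30.180", "20ab-3720-e34a", 30, "vap1")
    verdicts = [
        # 2. The STA's own traffic matches its dynamic binding: permitted.
        check_packet(table, "IPSG", "172.16.30.180", "20ab-3720-e34a", 30, "vap1"),
        # 3. Another MAC answers ARP for the STA's IP: dropped by the ARP check.
        check_packet(table, "DAI", "172.16.30.180", "0000-0000-0001", 30, "vap1"),
        # 4. A fixed-IP client with no binding entry: dropped by the IP check.
        check_packet(table, "IPSG", "172.16.30.200", "0000-0000-0002", 30, "vap1"),
    ]
    # 5. The administrator adds a static binding for the fixed-IP client.
    table.add_static("172.16.30.200", "0000-0000-0002", 30, "vap1")
    verdicts.append(check_packet(table, "IPSG", "172.16.30.200", "0000-0000-0002", 30, "vap1"))
    return verdicts


if __name__ == "__main__":
    for permit, reason in run_scenario():
        print("permit" if permit else "drop  ", reason)
```

The order of operations in step 4 and 5 is the practical point: with learn-client-address dhcp-strict and the IP check enabled, a client that skips DHCP is silent until someone configures its static entry, so static-IP devices (printers, cameras) must be in the binding plan before the VAP goes live.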
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
166 172.16.50.167 001b-21c4-820f DHCP 85922 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface Vlanif60 used
Pool-name : Vlanif60
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
# After a wireless user connects to AP1, you can view information about the
wireless user on CORE.
[CORE] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
return
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return
Figure 3-8 Aggregation switches functioning as gateways for wired and wireless users (figure not reproduced; labels: server zone including RADIUS and DNS servers off CORE XGE1/2/0/1; core layer: CORE CSS with XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, and XGE2/1/0/2 in Eth-Trunk 10 and Eth-Trunk 20; access layer: S5735-L; AP: AP6050DN V200R019C00)
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
# Create VLANs.
[CORE] vlan batch 70 80 1000
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70
Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50
# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
Step 5 Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF
interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit
Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and
configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.100.2
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable
[AGG1-Vlanif50] quit
Step 8 Configure wireless services on AGG1 so that AP1 can go online. The configuration
on AGG2 is similar.
# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac ac85-3da6-a420
[AGG1-wlan-ap-1] ap-name area_1
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG1 to check the
AP running status. The command output shows that the State field displays nor,
indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
-----------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------
1 ac85-3da6-a420 area_1 ap-group1 192.168.20.43 AP6050DN nor 0 4S -
-----------------------------------------------------------------------------------------------------
Step 9 Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles,
and a traffic profile.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit
# Create VAP profiles, configure the service data forwarding mode and service
VLANs, apply security profiles, SSID profiles, and the traffic profile, and enable
IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
----End
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command outputs show that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
# After a wireless user connects to AP1, you can view information about the
wireless user on AGG1.
[AGG1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
483f-e95a-eee0 1 area_1 1/1 5G 11n 144/133 -47 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
return
#
return
In this example, core switches set up a CSS that functions as the gateway for
wired and wireless users on the entire network and is responsible for routing and
forwarding of user services on the entire network.
Figure 3-9 Native AC + SVF solution: the parent containing core switches functioning as the gateway for wired and wireless users (figure not reproduced; labels: server zone including RADIUS and DNS servers off CORE XGE1/2/0/1; core layer: CORE CSS acting as the parent, with XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, and XGE2/1/0/2 in Eth-Trunk 10 and Eth-Trunk 20; aggregation layer: S5731-H; access layer: S5735-L; AP: AP6050DN V200R019C00)
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Item Data
AP group ap-group
Parent's cards connected to ASs X1E cards of the same type in slot 1 of the two CSS member switches
Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● When an AS goes online, it must be unconfigured (that is, have no startup
configuration file) and there must be no input on its console interface. Before
connecting an AS to an SVF system, you are advised to remove the cable from
the console interface.
● Each AS can be a stack of up to five member devices that are the same model
and provide the same number or different numbers of interfaces. An AS can
be a stack of devices of the same series but different models. In such an AS,
you can run the slot command to change the preconfigured device model.
● Each AS has a unique management MAC address. By default, the device MAC
address is used as the management MAC address. In this case, you can view
the MAC address on the MAC address label attached to the device. To specify
the management MAC address of an AS, run the as access manage-mac
command.
● If an AS is a stack whose name and MAC address have been preconfigured on the
parent of an SVF system, and the AS then goes online and connects to the SVF
system, you are advised to set up the stack for the AS first and use the
preconfigured MAC address as its management MAC address. When preconfiguring
the name and MAC address of the AS, use the MAC address of the stack master
switch. In this case, the management MAC address of the AS is by default the
same as the preconfigured MAC address, so no management MAC address needs to
be configured. If you configure the name and MAC address of the AS after it
goes online and connects to the SVF system, the management MAC address does
not need to be configured either.
● If switches whose downlink service interfaces can be configured as stack
member interfaces set up a stack through these interfaces, the switches
cannot join an SVF system as ASs.
● If downlink service interfaces of an AS are configured as member interfaces of
an uplink fabric port, all the downlink interfaces of the AS cannot be
configured as stack member interfaces.
● When replacing a faulty AS, pay attention to the following points:
– The AS can be replaced with only a device of the same model. If the new
device is of a different model, it joins the SVF system as a new AS and
does not inherit services of the replaced AS.
– Only a standalone AS can be replaced. If an AS is a stack, it cannot be
replaced.
– To ensure that a new AS that replaces the faulty AS can be successfully
authenticated, run the auth-mode none command to set the AS
authentication mode to none authentication, or run the whitelist mac-address
command to add the management MAC address of the new AS to the whitelist.
If the new AS has no management MAC address
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD on the switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000
Step 3 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] quit
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] quit
Step 4 Configure CORE as the parent to set up an SVF system with level-1 and level-2
ASs.
# Activate the license of the SVF system.
<CORE> license active xxxxxx.dat
# (Optional) Preconfigure the names of ASs. The MAC addresses specified in the
following commands are the management MAC addresses of the ASs.
● If you do not perform this step, the system will generate AS information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you perform this step, ensure that the configured model and mac-address are the
same as the actual AS information. The value of mac-address must be the management
or system MAC address of an AS. To view the management MAC address of an AS, run
the display as access configuration command on the AS. If the management MAC
address is displayed as --, set mac-address to the system MAC address when
configuring the AS name. If the parameter settings are different from the actual AS
information, the AS cannot go online.
[CORE] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y
[CORE-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011 //Level-1 AS
[CORE-um-as-as-layer1-1] quit
[CORE-um] as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022 //Level-1 AS
[CORE-um-as-as-layer1-2] quit
[CORE-um] as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033 //Level-2 AS
[CORE-um-as-as-layer2-1] quit
[CORE-um] as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044 //Level-2 AS
[CORE-um-as-as-layer2-2] quit
To view the management MAC address of an AS, run the display as access configuration
command on the AS. If the management MAC address is displayed as --, the MAC address
configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC
address configured in the whitelist is the management MAC address of the AS.
[CORE] as-auth
[CORE-as-auth] undo auth-mode
[CORE-as-auth] whitelist mac-address 0200-0000-0011
[CORE-as-auth] whitelist mac-address 0200-0000-0022
[CORE-as-auth] whitelist mac-address 0200-0000-0033
[CORE-as-auth] whitelist mac-address 0200-0000-0044
[CORE-as-auth] quit
# Clear the configuration of AGG1 and restart AGG1. The SVF system can then be
set up. The configurations of AGG2, ACC1, and ACC2 are similar to the
configuration of AGG1.
Before restarting an AS, check whether the interface that connects the AS to the parent is a
downlink interface. To view all downlink interfaces on the AS, run the display port
connection-type access all command on the AS. If this interface is a downlink interface,
run the uni-mng up-direction fabric-port command in the user view on the AS to
configure this interface as a member interface of an uplink fabric port before restarting the
AS. Otherwise, the AS cannot go online. To check whether the interface has been
configured as a member interface of an uplink fabric port, run the display uni-mng up-direction fabric-port command on the AS.
# After access switches are restarted successfully, you can view that ASs have gone
online on the parent.
[CORE] display as all
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5720-SI 0200-0000-0011 192.168.20.254 normal as-layer1-1
1 S5720-SI 0200-0000-0022 192.168.20.253 normal as-layer1-2
2 S5720-SI 0200-0000-0033 192.168.20.252 normal as-layer2-1
3 S5720-SI 0200-0000-0044 192.168.20.251 normal as-layer2-2
--------------------------------------------------------------------------------
# Create an AP group to add APs with the same configurations to the AP group.
[CORE] wlan
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-wlan-view] regulatory-domain-profile name domain
[CORE-wlan-regulate-domain-domain] country-code cn
[CORE-wlan-regulate-domain-domain] quit
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-ap-group] quit
# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-wlan-ap-1] ap-name area_1
[CORE-wlan-ap-1] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-1] quit
[CORE-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-wlan-ap-2] ap-name area_2
[CORE-wlan-ap-2] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-2] quit
[CORE-wlan-view] quit
# After powering on the APs, run the display ap all command on CORE to check
the AP running status. The command output shows that the State field displays
nor, indicating that the APs have gone online normally.
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-wlan-vap-prof-vap1] security-profile sec1
[CORE-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
----End
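The deployment precautions given for Figure 3-8 and Figure 3-9 (remove VLAN 1 from trunk interfaces and never permit all VLANs; in tunnel forwarding mode keep the management VLAN distinct from every service VLAN) and the note that IPSG only works from DHCP snooping binding entries can all be checked offline against a saved configuration file rather than by reading it by eye. The following Python script is an added example and is not part of this document or of Huawei's software. The configuration it parses is a constructed sample modelled on the CORE configuration file shown above, with three deliberate mistakes; the parsing rules it relies on (a line holding only # closes a section; vlan, interface and vap-profile name lines open the contexts in which the audited commands appear; the CAPWAP source VLANIF identifies the management VLAN) are assumptions drawn from the configuration files on this page.

```python
"""Audit a Huawei VRP configuration against this page's deployment precautions
and IPSG note. Added example, not Huawei code; the sample is constructed."""
import re

# Constructed sample modelled on the CORE configuration file. Deliberate mistakes:
# Eth-Trunk20 keeps VLAN 1; VLAN 40 has no DHCP snooping although vap2 enables
# IPSG; vap3 uses the management VLAN (CAPWAP source Vlanif20) as its service VLAN.
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
#
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan 20 60
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ip source check user-bind enable
 vap-profile name vap3
  forward-mode tunnel
  service-vlan vlan-id 20
#
"""


def allowed_vlans(tokens):
    """Expand a VRP VLAN list ('20 50', '20 to 60', 'all'); 'all' stays a string."""
    out = set()
    for i, tok in enumerate(tokens):
        if tok == "all":
            out.add("all")
        elif tok == "to":  # inclusive range between the neighbouring tokens
            out.update(range(int(tokens[i - 1]), int(tokens[i + 1]) + 1))
        elif tok.isdigit():
            out.add(int(tok))
    return out


def parse_config(text):
    """'#' closes a section; 'vlan', 'interface' and 'vap-profile name' open contexts."""
    cfg = {"mgmt_vlan": None, "global_snooping": False, "snooping_vlans": set(),
           "trunks": {}, "vaps": {}}
    vlan = iface = vap = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            vlan = iface = vap = None
        elif m := re.fullmatch(r"vlan (\d+)", line):
            vlan, iface = int(m.group(1)), None
        elif line.startswith("interface "):
            iface, vlan = line.split(None, 1)[1], None
            cfg["trunks"][iface] = {"trunk": False, "vlan1_removed": False, "allowed": set()}
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif line == "dhcp snooping enable":
            if vlan is not None:
                cfg["snooping_vlans"].add(vlan)
            elif iface is None:
                cfg["global_snooping"] = True
        elif iface is not None:
            t = cfg["trunks"][iface]
            t["trunk"] |= line == "port link-type trunk"
            t["vlan1_removed"] |= line == "undo port trunk allow-pass vlan 1"
            if line.startswith("port trunk allow-pass vlan "):
                t["allowed"] |= allowed_vlans(line.split()[4:])
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            vap = m.group(1)
            cfg["vaps"][vap] = {"tunnel": False, "service_vlan": None, "ipsg": False}
        elif re.match(r"(\S+-profile name|ap-group name|ap-id) ", line):
            vap = None  # another WLAN object starts; leave the VAP context
        elif vap is not None:
            v = cfg["vaps"][vap]
            v["tunnel"] |= line == "forward-mode tunnel"
            v["ipsg"] |= line == "ip source check user-bind enable"
            if line.startswith("service-vlan vlan-id "):
                v["service_vlan"] = int(line.split()[-1])
    return cfg


def audit(cfg):
    """One finding per violated precaution; an empty list means the checks passed."""
    out = []
    for name, t in sorted(cfg["trunks"].items()):
        if t["trunk"] and ("all" in t["allowed"] or 1 in t["allowed"] or not t["vlan1_removed"]):
            out.append(f"{name}: VLAN 1 (or all VLANs) still permitted on trunk")
    for name, v in sorted(cfg["vaps"].items()):
        sv = v["service_vlan"]
        if v["tunnel"] and sv is not None and sv == cfg["mgmt_vlan"]:
            out.append(f"{name}: service VLAN {sv} equals the management VLAN in tunnel mode")
        if v["ipsg"] and not (cfg["global_snooping"] and sv in cfg["snooping_vlans"]):
            out.append(f"{name}: IPSG enabled but DHCP snooping is not enabled for VLAN {sv}")
    return out
```

Running audit(parse_config(SAMPLE_CONFIG)) reports the three planted mistakes and nothing for Eth-Trunk10, which follows the precautions. On a real device, feed the script the output of display current-configuration saved to a file; the VLAN 1 check deliberately treats a trunk without undo port trunk allow-pass vlan 1 as a finding, because VLAN 1 is permitted on a trunk unless it is explicitly removed.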
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 5 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
202 172.16.50.203 0300-0000-0011 DHCP 75074 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
132 172.16.60.133 0300-0000-0022 DHCP 85899 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
# After a wireless user connects to AP1, you can view information about the
wireless user on CORE.
[CORE] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
sysname CORE
#
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
ssid-profile name default
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
return
Figure (network topology; recovered labels only): the server zone (including RADIUS and DNS servers) connects to CORE, a CSS at the core layer, through XGE1/2/0/1; CORE connects to the aggregation layer through Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) and Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1). AP: AP6050DN V200R019C00.
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Traffic profile traff: The user isolation mode is Layer 2 isolation and Layer 3
communication.
Table 3-15 Data plan for the SVF system containing AGG1 and ACC1
Item Data
Parent AGG1
Table 3-16 Data plan for the SVF system containing AGG2 and ACC2
Item Data
Parent AGG2
Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● When an AS goes online, it must be unconfigured (has no startup
configuration file) and has no input on the console interface. Before
connecting an AS to an SVF system, you are advised to remove the cable on
the console interface.
● Each AS can be a stack of up to five member devices that are the same model
and provide the same number or different numbers of interfaces. An AS can
be a stack of devices of the same series but different models. In such an AS,
you can run the slot command to change the preconfigured device model.
● Each AS has a unique management MAC address. By default, the device MAC
address is used as the management MAC address. You can view the MAC
address on the MAC address label attached to the device or run the as access
manage-mac command to specify the management MAC address of the AS.
● If an AS is a stack, its name and MAC address have been preconfigured on the
parent of an SVF system, and the AS goes online and is connected to the SVF
system, you are advised to set up the stack for the AS and configure the
preconfigured MAC address as the management MAC address. When
preconfiguring the name and MAC address of the AS, configure the MAC
address of the stack master switch as the MAC address. In this case, the
management MAC address of the AS is the same as the preconfigured MAC
address by default, and no management MAC address needs to be configured.
If you configure the name and MAC address of the AS after it goes online and
is connected to the SVF system, the management MAC address does not need
to be configured.
● If switches whose downlink service interfaces can be configured as stack
member interfaces set up a stack through these interfaces, the switches
cannot join an SVF system as ASs.
● If downlink service interfaces of an AS are configured as member interfaces of
an uplink fabric port, all the downlink interfaces of the AS cannot be
configured as stack member interfaces.
● When replacing a faulty AS, pay attention to the following points:
– The AS can be replaced with only a device of the same model. If the new
device is of a different model, it joins the SVF system as a new AS and
does not inherit services of the replaced AS.
– Only a standalone AS can be replaced. If an AS is a stack, it cannot be
replaced.
– To ensure that a new AS that replaces the faulty AS can be successfully
authenticated, run the auth-mode none command to set the AS
authentication mode to none authentication, or run the whitelist mac-address
command to add the management MAC address of the new AS
to the whitelist. If the new AS has no management MAC address
configured, the system MAC address is used as the management MAC
address.
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000
# Create Eth-Trunk 10 for connecting to AGG1 and add interfaces to the Eth-Trunk.
The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70
Step 4 Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF
interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit
Step 5 Configure VLANIF interfaces on AGG1 and assign IP addresses to the VLANIF
interfaces. The configuration on AGG2 is similar.
# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit
Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and
configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif31] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif50] quit
Step 8 Configure AGG1 as the parent to set up an SVF system with an AS. The
configuration on AGG2 is similar.
# Activate the license of the SVF system.
<AGG1> license active xxxxxx.dat
# (Optional) Preconfigure the name of the AS. The MAC address specified in the
following command is the management MAC address of the AS.
● If you do not perform this step, the system will generate AS information when the AS
connects to the SVF system. An AS name is in the format of system default name-system MAC address.
● If you perform this step, ensure that the configured model and mac-address are the
same as the actual AS information. The value of mac-address must be the management
or system MAC address of an AS. To view the management MAC address of an AS, run
the display as access configuration command on the AS. If the management MAC
address is displayed as --, set mac-address to the system MAC address when
configuring the AS name. If the parameter settings are different from the actual AS
information, the AS cannot go online.
[AGG1] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y
[AGG1-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
[AGG1-um-as-as-layer1-1] quit
To view the management MAC address of an AS, run the display as access configuration
command on the AS. If the management MAC address is displayed as --, the MAC address
configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC
address configured in the whitelist is the management MAC address of the AS.
[AGG1] as-auth
[AGG1-as-auth] undo auth-mode
[AGG1-as-auth] whitelist mac-address 00e0-0001-0033
[AGG1-as-auth] quit
# Clear the configuration of ACC1 and restart ACC1. The SVF system can then be
set up. The configuration on ACC2 is similar.
Before restarting an AS, check whether the interface that connects the AS to the parent is a
downlink interface. To view all downlink interfaces on the AS, run the display port
connection-type access all command on the AS. If this interface is a downlink interface,
run the uni-mng up-direction fabric-port command in the user view on the AS to
configure this interface as a member interface of an uplink fabric port before restarting the
AS. Otherwise, the AS cannot go online. To check whether the interface has been
configured as a member interface of an uplink fabric port, run the display uni-mng up-direction fabric-port
command on the AS.
<ACC1> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
<ACC1> reboot
# After the access switch is restarted successfully, you can view that the AS has
gone online on the parent.
[AGG1] display as all
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5720-SI 00e0-0001-0033 192.168.20.66 normal as-layer1-1
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as-layer1-1 2019-10-23 05:55:29 Success/Success
--------------------------------------------------------------------------------
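The following Python check is an added example and is not part of this Huawei document. It compares the AS whitelist and the preconfigured AS entries (as-auth and uni-mng views) with the display as all output, in the layouts shown in this step, and reports whitelist entries that correspond to no preconfigured AS, preconfigured ASs that are not online (for example because model or mac-address does not match the actual AS, as the note above explains), and online ASs that have no whitelist entry. The configuration excerpt, the command output, the MAC address 00e0-0001-0099 and all function names are constructed for the example.

```python
"""
Added example (not Huawei code): cross-check the parent's AS whitelist and
preconfigured AS entries against `display as all`.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the layout of the parent's configuration file.
SAMPLE_PARENT_CONFIG = """\
as-auth
 undo auth-mode
 whitelist mac-address 00e0-0001-0033
 whitelist mac-address 00e0-0001-0099
#
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
#
"""

# Constructed output in the layout of `display as all` shown in this step.
SAMPLE_DISPLAY_AS_ALL = """\
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.  Type      MAC             IP              State    Name
--------------------------------------------------------------------------------
0    S5720-SI  00e0-0001-0033  192.168.20.66   normal   as-layer1-1
--------------------------------------------------------------------------------
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"  # Huawei xxxx-xxxx-xxxx notation


def parse_parent_config(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (whitelisted MACs, {AS name: preconfigured MAC})."""
    whitelist: Set[str] = set()
    preconfigured: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(rf"whitelist mac-address ({MAC})$", line, re.I)
        if m:
            whitelist.add(m.group(1).lower())
        m = re.match(rf"as name (\S+) model \S+ mac-address ({MAC})$", line, re.I)
        if m:
            preconfigured[m.group(1)] = m.group(2).lower()
    return whitelist, preconfigured


def parse_display_as_all(output: str) -> Dict[str, dict]:
    """Parse rows 'No. Type MAC IP State Name' into {AS name: attributes}."""
    row = re.compile(rf"^\s*\d+\s+(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
    online = {}
    for line in output.splitlines():
        m = row.match(line)
        if m:
            online[m.group(5)] = {"type": m.group(1), "mac": m.group(2).lower(),
                                  "ip": m.group(3), "state": m.group(4)}
    return online


def audit(config_text: str, display_text: str) -> List[str]:
    """One finding per inconsistency between configuration and live state."""
    whitelist, preconfigured = parse_parent_config(config_text)
    online = parse_display_as_all(display_text)
    findings = []
    # A whitelist entry that authenticates no known AS is an unnecessary allowance.
    for mac in sorted(whitelist - set(preconfigured.values())):
        findings.append(f"whitelist entry {mac} matches no preconfigured AS")
    # A preconfigured AS that never appears online usually means model or
    # mac-address differs from the real device (see the note in this step).
    for name, mac in preconfigured.items():
        if name not in online:
            findings.append(f"AS {name} ({mac}) is preconfigured but not online")
        elif online[name]["mac"] != mac:
            findings.append(f"AS {name}: online MAC {online[name]['mac']} differs from {mac}")
    for name, info in online.items():
        if info["mac"] not in whitelist:
            findings.append(f"online AS {name} ({info['mac']}) has no whitelist entry "
                            "(possible only with authentication mode none)")
        if info["state"] != "normal":
            findings.append(f"AS {name} state is {info['state']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PARENT_CONFIG, SAMPLE_DISPLAY_AS_ALL):
        print(finding)
```

Run against the real configuration file and the saved output of display as all; with the constructed sample it reports the stale whitelist entry 00e0-0001-0099 and that as-layer1-2 has not come online.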
Step 9 Configure wireless services on AGG1 so that AP1 can go online. The configuration
on AGG2 is similar.
# Run the port-group connect-ap name command to create an AP port group
and bind it to the AS so that APs can go online in the SVF system.
[AGG1] uni-mng
[AGG1-um] port-group connect-ap name ap
[AGG1-um-portgroup-ap-ap] as name as-layer1-1 interface GigabitEthernet 0/0/3
[AGG1-um-portgroup-ap-ap] quit
[AGG1-um] commit as all
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
[AGG1-um] quit
# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[AGG1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than
V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG1 to check the
AP running status. The command output shows that the State field displays nor,
indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.243 AP6050DN nor 0 43S -
------------------------------------------------------------------------------------------------------
Step 10 Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles,
and a traffic profile.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles, SSID profiles, and the traffic profile, and
enable IPSG, dynamic ARP inspection, and strict STA IP address learning through
DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG1-wlan-vap-prof-vap2] traffic-profile traff
[AGG1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
----End
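The following Python script is an added example; it is not part of this Huawei document and is not Huawei code. It models the binding-entry lookup that the ip source check user-bind enable and arp anti-attack check user-bind enable commands rely on, as described in the note after the VAP profile configuration in this step and in the same note in the previous scenario: dynamic entries are taken from a constructed display ip pool ... used listing in the layout shown in this document, and a static entry is added by hand, as the note requires for users with static IP addresses. The Binding class, the packet values, the VLAN number and the host 172.16.50.250 with MAC 0011-2233-4455 are assumptions for the example; the real binding table also records the interface.

```python
"""
Added example (not Huawei code): how IPSG and DAI decide on a packet by
looking it up in the binding table, and why entries must exist first.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of `display ip pool interface vlanif50 used`.
SAMPLE_POOL_OUTPUT = """\
-------------------------------------------------------------------------------------
  Index              IP                Client-ID         Type       Left     Status
-------------------------------------------------------------------------------------
   231          172.16.50.232       001b-21c4-820f       DHCP      82799      Used
   202          172.16.50.203       0300-0000-0011       DHCP      75074      Used
-------------------------------------------------------------------------------------
"""

# One lease row: index, IP, Client-ID (xxxx-xxxx-xxxx MAC), type, left, status.
LEASE_ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Binding:
    """Simplified binding entry (assumption: the real table also holds the interface)."""
    vlan: int
    ip: str
    mac: str
    source: str  # "dhcp-snooping" or "static"


def parse_used_leases(output: str, vlan: int) -> List[Binding]:
    """Turn 'Used' DHCP lease rows into the dynamic entries DHCP snooping
    would create after observing the same DHCP exchange on the service VLAN."""
    entries = []
    for line in output.splitlines():
        m = LEASE_ROW.match(line)
        if m and m.group(4).upper() == "DHCP" and m.group(6).lower() == "used":
            entries.append(Binding(vlan, m.group(2), m.group(3).lower(), "dhcp-snooping"))
    return entries


def ipsg_allows(table: List[Binding], vlan: int, src_ip: str, src_mac: str) -> bool:
    """IPSG forwards an IP packet only if VLAN, source IP and source MAC all
    match one entry; a spoofed IP, a spoofed MAC or a host with no entry is dropped."""
    return any(b.vlan == vlan and b.ip == src_ip and b.mac == src_mac.lower()
               for b in table)


def dai_allows(table: List[Binding], vlan: int, sender_ip: str, sender_mac: str) -> bool:
    """DAI applies the same lookup to the sender fields of an ARP packet."""
    return ipsg_allows(table, vlan, sender_ip, sender_mac)


def run_demo() -> dict:
    """Evaluate constructed packets on service VLAN 50 before and after the
    static entry for a fixed-address host is added."""
    table = parse_used_leases(SAMPLE_POOL_OUTPUT, vlan=50)
    results = {
        # DHCP client using its leased address: forwarded.
        "legit": ipsg_allows(table, 50, "172.16.50.232", "001b-21c4-820f"),
        # Same MAC claiming another client's address: dropped by IPSG.
        "spoofed_ip": ipsg_allows(table, 50, "172.16.50.203", "001b-21c4-820f"),
        # ARP packet claiming the gateway 172.16.50.1 from a user MAC: dropped by DAI.
        "arp_gateway_claim": dai_allows(table, 50, "172.16.50.1", "001b-21c4-820f"),
        # Host with a static address and no entry yet: dropped, which is why the
        # note requires a static binding entry for such users.
        "static_before": ipsg_allows(table, 50, "172.16.50.250", "0011-2233-4455"),
    }
    table.append(Binding(50, "172.16.50.250", "0011-2233-4455", "static"))  # constructed
    results["static_after"] = ipsg_allows(table, 50, "172.16.50.250", "0011-2233-4455")
    return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:18s} {'forward' if allowed else 'drop'}")
```

The "static_before" case is the failure mode the note warns about: with learn-client-address dhcp-strict and IPSG enabled, a STA that does not obtain its address through DHCP has no entry and its traffic is dropped until a static binding entry is configured.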
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 252(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
65 192.168.20.66 000b-099d-eb3b DHCP 74620 Used
242 192.168.20.243 ac85-3da6-a420 DHCP 83235 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command outputs show that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
231 172.16.50.232 001b-21c4-820f DHCP 82799 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
● Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=62 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=62 time=1 ms
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.31.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
as-auth
whitelist mac-address 00e0-0001-0033
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
interface fabric-port 1
port member-group interface Eth-Trunk 30
as-admin-profile name admin_profile1
user asuser password %^%#sq5k3X.(.$5$SNQ$c%lMO&+13%>0}:$k#+2rG-06%^%#
network-basic-profile name basic_profile_1
user-vlan 50
as-group name admin_group1
as-admin-profile admin_profile1
as name as-layer1-1
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.21.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.41.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
whitelist mac-address 00e0-0001-0044
#
uni-mng
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 2
port member-group interface Eth-Trunk 40
Figure (network topology; recovered labels only): CORE-AC1 and CORE-AC2 (HSB, GE0/0/2, XGE0/0/21, XGE0/0/22) connect to CORE through Eth-Trunk 1 and Eth-Trunk 2 (CORE ports XGE1/1/0/3, XGE2/1/0/3, XGE1/1/0/4, XGE2/1/0/4); the server zone (including RADIUS and DNS servers) connects to CORE through XGE1/2/0/1; CORE, a CSS at the core layer, connects to the aggregation layer through Eth-Trunk 10 (XGE1/1/0/1, XGE2/1/0/2) and Eth-Trunk 20 (XGE1/1/0/2, XGE2/1/0/1).
Aggregation layer - S5731-H
Access layer - S5735-L
AC - AC6605
AP - AP6050DN V200R019C00
Deployment Roadmap
Step 3: Configure DHCP on the CSS and ACs so that the CSS functions as a DHCP server to assign IP addresses to wired and wireless users and the ACs function as DHCP servers to assign IP addresses to APs. (Devices involved: core switches and ACs.)
Data Plan
Item Data
AP group ap-group1
Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
may occur. If a VLAN is configured as both the management VLAN and
service VLAN, and the interface connecting a switch to an AP has the
management VLAN ID as the PVID, downstream packets in the service VLAN
are terminated when going out from the switch. In this case, services are
interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 40 50
Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 30 40 50
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type trunk
[ACC1-GigabitEthernet0/0/4] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/4] port trunk allow-pass vlan 20 30 40
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit
Step 6 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Port isolation is enabled on the access interfaces, so wired users in the same VLAN cannot reach each other directly; with proxy ARP the gateway answers their ARP requests and forwards the traffic at Layer 3. Configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Port isolation is enabled on the access interfaces, so wired users in the same VLAN cannot reach each other directly; with proxy ARP the gateway answers their ARP requests and forwards the traffic at Layer 3. Configure this command based on actual requirements.
[CORE-Vlanif60] quit
Step 8 Configure routes from CORE-AC1 to the network segments of wired users and the
server area. The configuration on CORE-AC2 is similar.
[CORE-AC1] ip route-static 0.0.0.0 24 192.168.20.20
Step 9 Configure VRRP and HSB on CORE-AC1. The configuration on CORE-AC2 is similar.
# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit
# After the configuration is complete, run the display vrrp command on CORE-
AC1 and CORE-AC2. The command output shows that the State field of CORE-
AC1 displays Master and that of CORE-AC2 displays Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31
[CORE-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23
# Check the HSB service status on CORE-AC1 and CORE-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
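The two checks just described (one AC in Master state and the other in Backup, and Service State Connected on both ends of the HSB channel) are easy to automate when many AC pairs are deployed. The following script is an added example, not part of the Huawei document: it parses the key/value output of display vrrp and display hsb-service, confirms exactly one Master, identical VRID, interface, virtual IP and virtual MAC on both ACs, a higher running priority on the Master, a Connected HSB channel whose local/peer addresses and ports mirror each other, and additionally flags a VRRP group that runs with Auth type NONE (an added caveat: unauthenticated VRRP advertisements can be spoofed by any host on the management VLAN). The embedded sample outputs are copies of the CORE-AC1 and CORE-AC2 output shown above, shortened to the fields the checks use.

```python
"""Verify the master/backup state of an AC pair from 'display vrrp' and
'display hsb-service' output (added example, not Huawei code)."""
import re
from typing import Dict, List

# Sample outputs copied from the page's Step 9 output for CORE-AC1/CORE-AC2.
VRRP_AC1 = """\
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Config type : admin-vrrp
Create time : 2019-11-05 15:30:25
"""
VRRP_AC2 = (VRRP_AC1.replace('State : Master', 'State : Backup')
            .replace('PriorityRun : 120', 'PriorityRun : 100')
            .replace('PriorityConfig : 120', 'PriorityConfig : 100')
            .replace('Delay Time : 1200 s', 'Delay Time : 0 s'))
HSB_AC1 = """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Shared-key :-
----------------------------------------------------------
"""
HSB_AC2 = (HSB_AC1.replace('Local IP Address : 172.16.100.1', 'Local IP Address : 172.16.100.2')
           .replace('Peer IP Address : 172.16.100.2', 'Peer IP Address : 172.16.100.1'))


def parse_kv(output: str) -> Dict[str, str]:
    """Parse VRP 'Key : Value' output into a dict.  Handles the header line
    'Vlanif20 | Virtual Router 1', the packed 'Preempt : YES Delay Time : 1200 s'
    line, values containing colons (timestamps) and 'Keep Alive Times :5'."""
    kv: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r'(\S+)\s*\|\s*Virtual Router\s+(\d+)$', line)
        if m:
            kv['Interface'], kv['VRID'] = m.group(1), m.group(2)
            continue
        m = re.match(r'Preempt\s*:\s*(\S+)\s+Delay Time\s*:\s*(.+)$', line)
        if m:
            kv['Preempt'], kv['Delay Time'] = m.group(1), m.group(2).strip()
            continue
        if ':' not in line or line.startswith('-'):
            continue
        key, _, value = line.partition(':')   # split at the first colon only
        kv[key.strip()] = value.strip()
    return kv


def check_vrrp_pair(out_a: str, out_b: str) -> List[str]:
    """Return findings for a pair of 'display vrrp' outputs (empty = healthy)."""
    a, b = parse_kv(out_a), parse_kv(out_b)
    findings: List[str] = []
    states = sorted([a.get('State', '?'), b.get('State', '?')])
    if states != ['Backup', 'Master']:
        findings.append(f'expected one Master and one Backup, got {states}')
    for key in ('Interface', 'VRID', 'Virtual IP', 'Virtual MAC'):
        if a.get(key) != b.get(key):
            findings.append(f'{key} differs between ACs: {a.get(key)} vs {b.get(key)}')
    for name, kv in (('AC1', a), ('AC2', b)):
        if kv.get('Auth type', 'NONE') == 'NONE':
            findings.append(f'{name}: VRRP advertisements are unauthenticated (Auth type NONE)')
    master, backup = (a, b) if a.get('State') == 'Master' else (b, a)
    if int(master.get('PriorityRun', 0)) <= int(backup.get('PriorityRun', 0)):
        findings.append('Master running priority is not higher than Backup; roles may flap on preemption')
    return findings


def check_hsb_pair(out_a: str, out_b: str) -> List[str]:
    """Return findings for a pair of 'display hsb-service' outputs (empty = healthy)."""
    a, b = parse_kv(out_a), parse_kv(out_b)
    findings: List[str] = []
    for name, kv in (('AC1', a), ('AC2', b)):
        if kv.get('Service State') != 'Connected':
            findings.append(f'{name}: HSB channel not established (Service State {kv.get("Service State")})')
    if (a.get('Local IP Address'), a.get('Peer IP Address')) != (b.get('Peer IP Address'), b.get('Local IP Address')):
        findings.append('HSB local/peer IP addresses are not mirrored between the ACs')
    if (a.get('Source Port'), a.get('Destination Port')) != (b.get('Destination Port'), b.get('Source Port')):
        findings.append('HSB local/peer data ports are not mirrored between the ACs')
    return findings


if __name__ == '__main__':
    for finding in check_vrrp_pair(VRRP_AC1, VRRP_AC2) + check_hsb_pair(HSB_AC1, HSB_AC2):
        print(finding)
```

For the page's own output the only findings are the two Auth type NONE warnings; treat those as a review item rather than a fault, since the example deliberately does not configure VRRP authentication.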
# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code cn
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit
# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit
# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. The command output shows that the State field
displays nor, indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
---------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------
1 ac85-3d95-d801 area_1 ap-group1 192.168.20.41 AP6050DN nor 0 5M:26S -
2 ac85-3d95-d802 area_2 ap-group1 192.168.20.164 AP6050DN nor 0 2M:52S -
---------------------------------------------------------------------------------------------------------
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
Step 12 Configure wireless configuration synchronization in the scenario where VRRP and
HSB are configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.
# Configure the source interface of CORE-AC2.
[CORE-AC2] capwap source interface vlanif 20
# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. The command output shows that
the Status field displays cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC is restarted.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------
Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]:y
----End
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 ac85-3d95-d801 DHCP 72528 Used
163 192.168.20.164 ac85-3d95-d802 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 001b-21c4-820f DHCP 48538 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 2cab-0098-15b1 DHCP 48050 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 173/144 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return
[Figure: network topology for this example. The server zone (including RADIUS and DNS servers) attaches to CORE (a CSS of core switches; XGE1/2/0/1 is the CSS link). Eth-Trunk 10 and Eth-Trunk 20 (XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, XGE2/1/0/2) connect CORE to the aggregation layer, where the ACs AGG-AC1 and AGG-AC3 are deployed.]
Device roles: aggregation layer - S5731-H; access layer - S5735-L; AC - AC6605; AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
may occur. If a VLAN is configured as both the management VLAN and
service VLAN, and the interface connecting a switch to an AP has the
management VLAN ID as the PVID, downstream packets in the service VLAN
are terminated when going out from the switch. In this case, services are
interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Service packets and management packets can be transmitted properly only if
the network between APs and the upper-layer network is added to the service
VLAN and the network between ACs and APs is added to the management
VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
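The precautions above, together with the earlier note that IP packet checking (ip source check user-bind enable) only works when binding entries exist, are all statically checkable in the configuration file. The following script is an added example, not part of the Huawei document and not a Huawei tool: it reads a VRP-style configuration (the format of the configuration files on this page, with or without the indentation that display current-configuration prints) and reports trunks that still carry VLAN 1 or pass all VLANs, VAP profiles that enable IPSG on a service VLAN without DHCP snooping, direct-forwarding VAP profiles whose service VLAN is the CAPWAP management VLAN, and a DHCP server on an HSB-paired AC that has no hsb-service-type dhcp hsb-group binding. The sample configuration is constructed for the example and contains each of those mistakes on purpose; the block headers it recognises (interface, vlan, vap-profile name, hsb-group) are an assumption that covers the commands used on this page, not the full VRP grammar.

```python
"""Audit a Huawei VRP-style configuration against the deployment precautions
(added example, not Huawei code)."""
import re
from typing import List, Optional

# Constructed sample with deliberate mistakes; not the page's configuration file.
SAMPLE_CONFIG = """\
#
vlan batch 20 30 40 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 20 30 40
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan all
#
capwap source interface vlanif20
#
hsb-group 0
 bind-service 0
#
hsb-service-type ap hsb-group 0
#
wlan
 vap-profile name vap1
  forward-mode direct-forward
  service-vlan vlan-id 30
  ip source check user-bind enable
 vap-profile name vap2
  forward-mode direct-forward
  service-vlan vlan-id 40
  ip source check user-bind enable
 vap-profile name vap3
  forward-mode direct-forward
  service-vlan vlan-id 20
#
"""

# Assumed set of block-opening commands; enough for the commands on this page.
BLOCK_HEADER = re.compile(r'^(interface \S+|vlan \d+|vap-profile name \S+|hsb-group \d+)$')


def parse_blocks(config: str) -> List[dict]:
    """Split the config into blocks: a header line plus the lines that follow it
    until the next '#' separator or header.  Lines outside any block (global
    commands such as 'capwap source interface ...') get header ''."""
    blocks: List[dict] = []
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == '#':
            current = None
            continue
        if BLOCK_HEADER.match(line):
            current = {'header': line, 'lines': []}
            blocks.append(current)
        elif current is None:
            blocks.append({'header': '', 'lines': [line]})
        else:
            current['lines'].append(line)
    return blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    global_lines = [l for b in blocks if b['header'] == '' for l in b['lines']]
    findings: List[str] = []

    # Only VLANs with DHCP snooping can hold dynamic binding entries for IPSG/DAI.
    snooped = {int(b['header'].split()[1]) for b in blocks
               if b['header'].startswith('vlan ') and 'dhcp snooping enable' in b['lines']}

    # The CAPWAP source VLANIF identifies the management VLAN used by the APs.
    mgmt_vlan = None
    for line in global_lines:
        m = re.match(r'capwap source interface vlanif\s*(\d+)$', line, re.IGNORECASE)
        if m:
            mgmt_vlan = int(m.group(1))

    for b in blocks:
        header, lines = b['header'], b['lines']
        if header.startswith('interface ') and 'port link-type trunk' in lines:
            if 'port trunk allow-pass vlan all' in lines:
                findings.append(f'{header}: trunk passes all VLANs; allow only the VLANs the port needs')
            if 'undo port trunk allow-pass vlan 1' not in lines:   # trunks carry VLAN 1 by default
                findings.append(f'{header}: VLAN 1 still allowed on trunk; add "undo port trunk allow-pass vlan 1"')
        if header.startswith('vap-profile '):
            svlan = next((int(l.split()[-1]) for l in lines if l.startswith('service-vlan vlan-id ')), None)
            if 'ip source check user-bind enable' in lines and svlan is not None and svlan not in snooped:
                findings.append(f'{header}: IPSG enabled but VLAN {svlan} has no "dhcp snooping enable", '
                                'so no dynamic binding entries will exist')
            if 'forward-mode direct-forward' in lines and svlan is not None and svlan == mgmt_vlan:
                findings.append(f'{header}: service VLAN {svlan} is also the management VLAN in direct forwarding mode')

    dhcp_ifaces = [b['header'] for b in blocks
                   if b['header'].startswith('interface ') and 'dhcp select interface' in b['lines']]
    has_hsb_group = any(b['header'].startswith('hsb-group ') for b in blocks)
    dhcp_bound = any(line.startswith('hsb-service-type dhcp ') for line in global_lines)
    if has_hsb_group and dhcp_ifaces and not dhcp_bound:
        findings.append('DHCP server on ' + ', '.join(dhcp_ifaces) +
                        ' with HSB configured but no "hsb-service-type dhcp hsb-group"; leases will not be backed up')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it over the output of display current-configuration saved to a file on both the master and backup AC; because the address pools on the two ACs must be identical for HSB backup to work, diffing the two audit results (or the two files) is the quickest way to catch a pool that was changed on only one side.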
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 70 80 1000
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70
# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add the
interface to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/21
[AGG-AC1-GigabitEthernet0/0/21] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/21] quit
[AGG-AC1] interface gigabitethernet 0/0/22
[AGG-AC1-GigabitEthernet0/0/22] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/22] quit
Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 20 30 31 50
# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk
[ACC1-GigabitEthernet0/0/3] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 30 31
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif30] quit
# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif31] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit
[AGG1-ospf-1-area-0.0.0.1] quit
[CORE-ospf-1] quit
Step 8 Configure DHCP on AGG-AC1 so that AGG-AC1 can function as a DHCP server to
assign IP addresses to APs. The configuration on AGG-AC3 is similar.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0 //The AP management network is 192.168.20.0/24, matching the excluded addresses below and the VRRP virtual IP 192.168.20.3.
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit
Step 9 Configure VRRP and HSB on AGG-AC1. The configuration on AGG-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60
# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port
10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit
# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit
# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. The command output shows that the State field of AGG-AC1
displays Master and that of AGG-AC2 displays Backup.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17
# Check the HSB service status on AGG-AC1 and AGG-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20
# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code cn
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d800
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than
V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG-AC1 to check
the AP running status. The command output shows that the State field displays
nor, indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
-----------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-----------------------------------------------------------------------------------------------
1 ac85-3d95-d800 area_1 ap-group1 192.168.20.254 AP6010DN-AGN nor 0 2M:44S
-----------------------------------------------------------------------------------------------
# Configure WLAN service parameters, and create security profiles, SSID profiles,
and traffic profiles. No security policy is set in sec1 or sec2 here, so the
profile default applies; configure an explicit security policy in the security
profile before putting the SSIDs into service.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1
[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles, SSID profiles, and enable IPSG, dynamic ARP
inspection, and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-vap1] security-profile sec1
[AGG-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
----End
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :2
# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk10
description con to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31 50
mode lacp
port-isolate enable
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return
Figure 3-13 Core switches and standalone ACs functioning as the gateways for
wired and wireless users respectively
(Topology diagram not reproduced. Core layer: CORE, a CSS of core switches, connected to the server zone (including RADIUS and DNS servers) and, over Eth-Trunk 1 and Eth-Trunk 2, to CORE-AC1 and CORE-AC2, which run HSB; aggregation layer connected over Eth-Trunk 10 and Eth-Trunk 20; access layer below it.)
Aggregation layer - S5731-H
Access layer - S5735-L
AC - AC6605
AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
AP group ap-group1
Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000
[CORE-XGigabitEthernet1/1/0/3] quit
[CORE] interface xgigabitethernet 2/1/0/3
[CORE-XGigabitEthernet2/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet2/1/0/3] quit
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 50
Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50
# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 20
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
Step 6 Configure DHCP on CORE so that CORE functions as the DHCP server to assign IP
addresses to wired users.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif60] quit
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[CORE-AC1] dhcp enable
[CORE-AC1] dhcp snooping enable
[CORE-AC1] vlan 30
[CORE-AC1-vlan30] dhcp snooping enable
[CORE-AC1-vlan30] quit
[CORE-AC1] vlan 40
[CORE-AC1-vlan40] dhcp snooping enable
[CORE-AC1-vlan40] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE-AC1 to assign IP addresses to wireless terminals from the
interface address pools.
[CORE-AC1] interface vlanif 30
[CORE-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-AC1-Vlanif30] dhcp select interface
[CORE-AC1-Vlanif30] dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
[CORE-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif30] quit
[CORE-AC1] interface vlanif 40
[CORE-AC1-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-AC1-Vlanif40] dhcp select interface
[CORE-AC1-Vlanif40] dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
[CORE-AC1-Vlanif40] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif40] quit
Step 9 Configure VRRP and HSB on CORE-AC1. The configuration on CORE-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[CORE-AC1] vrrp recover-delay 60
# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit
# After the configuration is complete, run the display vrrp command on CORE-
AC1 and CORE-AC2. The command output shows that the State field of CORE-
AC1 displays Master and that of CORE-AC2 displays Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31
[CORE-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23
# Check the HSB service status on CORE-AC1 and CORE-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code cn
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit
# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d801
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac ac85-3d95-d802
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit
# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. The command output shows that the State field
displays nor, indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
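The binding-entry logic behind these two notes (this one and the identical note after the AGG-AC1 VAP profile configuration), as an added Python simulation that is not part of this document or of the switch software: IP packets are checked against the binding table as `ip source check user-bind enable` does, ARP packets as `arp anti-attack check user-bind enable` does, dynamic entries come only from DHCP replies seen on a trusted port, and static-IP STAs need a manually added entry. All MAC addresses, IP addresses and VLAN IDs are constructed sample data.

```python
"""Simulation of IPSG and DAI checks driven by a user binding table.
All MAC addresses, IP addresses and VLAN IDs are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    source: str  # "dhcp" (learned by DHCP snooping) or "static" (configured by hand)


class BindingTable:
    """Binding entries keyed by (MAC, VLAN), as the DHCP snooping binding table holds them."""

    def __init__(self):
        self._entries = {}

    def learn_from_dhcp(self, mac, ip, vlan, *, from_trusted_port):
        """DHCP snooping: only a DHCP ACK arriving on a trusted (uplink) port creates
        a dynamic entry. An ACK from an untrusted port is a rogue-server reply and
        is discarded without touching the table. Returns whether an entry was created."""
        if not from_trusted_port:
            return False
        self._entries[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, "dhcp")
        return True

    def add_static(self, mac, ip, vlan):
        """Static binding entry for a STA that uses a fixed IP address instead of DHCP."""
        self._entries[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, "static")

    def match(self, mac, ip, vlan):
        """Return (permitted, reason) for a (MAC, IP, VLAN) tuple taken from a packet."""
        entry = self._entries.get((mac.lower(), vlan))
        if entry is None:
            return False, "no binding entry for this MAC in this VLAN"
        if entry.ip != ip:
            return False, f"IP {ip} does not match bound IP {entry.ip}"
        return True, f"matches {entry.source} binding"


def ipsg_check(table, src_mac, src_ip, vlan):
    """IPSG: the source MAC/IP of an IP packet must match a binding entry."""
    return table.match(src_mac, src_ip, vlan)


def dai_check(table, sender_mac, sender_ip, vlan):
    """DAI: the sender MAC/IP of an ARP request or reply must match a binding entry,
    so a STA cannot answer ARP for the gateway's address."""
    return table.match(sender_mac, sender_ip, vlan)


def run_scenario():
    """Walk through the two cases the note describes: a DHCP STA and a static-IP STA.
    Returns a dict of check name -> permitted (True) / dropped (False)."""
    table = BindingTable()
    gateway_ip = "172.16.30.1"  # gateway of service VLAN 30 in this example
    results = {}

    # A DHCP ACK seen on an untrusted, STA-facing port creates no entry.
    results["rogue_ack_learned"] = table.learn_from_dhcp(
        "00aa-0001-0001", "172.16.30.50", 30, from_trusted_port=False)

    # The genuine ACK forwarded from the uplink creates STA1's dynamic entry.
    table.learn_from_dhcp("00aa-0001-0001", "172.16.30.50", 30, from_trusted_port=True)
    results["sta1_own_ip"] = ipsg_check(table, "00aa-0001-0001", "172.16.30.50", 30)[0]
    # STA1 using the gateway address as its source IP is dropped by IPSG ...
    results["sta1_spoof_ip"] = ipsg_check(table, "00aa-0001-0001", gateway_ip, 30)[0]
    # ... and an ARP reply from STA1 claiming the gateway IP is dropped by DAI.
    results["sta1_spoof_arp"] = dai_check(table, "00aa-0001-0001", gateway_ip, 30)[0]
    # Entries are per VLAN: the same MAC in another service VLAN has no entry.
    results["sta1_other_vlan"] = ipsg_check(table, "00aa-0001-0001", "172.16.30.50", 40)[0]

    # STA2 uses a static IP: nothing is learned, so its packets are dropped until
    # an administrator configures a static binding entry.
    results["sta2_before_static"] = ipsg_check(table, "00aa-0002-0002", "172.16.30.200", 30)[0]
    table.add_static("00aa-0002-0002", "172.16.30.200", 30)
    results["sta2_after_static"] = ipsg_check(table, "00aa-0002-0002", "172.16.30.200", 30)[0]
    return results


if __name__ == "__main__":
    for name, permitted in run_scenario().items():
        print(f"{name:20s} -> {'permit' if permitted else 'drop'}")
```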
Step 12 Configure wireless configuration synchronization in the scenario where VRRP and
HSB are configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.
# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. The command output shows that
the Status field displays cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC is restarted.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AP6050DN V200R007C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------
Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]:y
----End
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 ac85-3d95-d801 DHCP 72528 Used
163 192.168.20.164 ac85-3d95-d802 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 001b-21c4-820f DHCP 84875 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 2cab-0098-15b1 DHCP 84434 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 1 area_1 1/1 5G 11ac 173/115 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
return
(Topology diagram not reproduced. Core layer: CORE, a CSS of core switches, connected to the server zone (including RADIUS and DNS servers); aggregation layer with AGG-AC1 and AGG-AC3 as labelled in the figure, connected over Eth-Trunk 10 and Eth-Trunk 20; access layer below it.)
Aggregation layer - S5731-H
Access layer - S5735-L
AC - AC6605
AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Item Data
Configuration Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
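A pre-switchover audit of the master/backup AC pair against the precautions above (identical WLAN service configuration and address pools, DHCP bound to the HSB group, no VLAN 1 on trunk interfaces, tunnel-mode service VLAN different from the management VLAN), the same class of inconsistency that display sync-configuration status reports as cfg-mismatch in Step 12 of the previous example. This is an added example, not code from this document or from Huawei; it parses the '#'-delimited block layout of the configuration files shown in this document, and the two sample configurations it runs on are constructed.

```python
import re

def parse_blocks(text):
    """Split a configuration file into '#'-delimited blocks of stripped lines; b[0] is the head."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    return blocks + ([current] if current else [])

def dhcp_pools(blocks):
    """VLANIF interfaces acting as interface address pools, mapped to their 'ip address' line."""
    return {b[0]: next((l for l in b if l.startswith("ip address ")), "<none>")
            for b in blocks if b[0].startswith("interface Vlanif") and "dhcp select interface" in b}

def tunnel_vaps(wlan):
    """(VAP profile name, service VLAN) for each VAP profile in tunnel forwarding mode."""
    result, name, tunnel = [], None, False
    for line in wlan:
        if line.startswith("vap-profile name "):
            name, tunnel = line.split()[-1], False
        elif line == "forward-mode tunnel":
            tunnel = True
        elif line.startswith("service-vlan vlan-id ") and tunnel:
            result.append((name, int(line.split()[-1])))
    return result

def audit_single(device, blocks):
    """Per-AC checks: DHCP bound to an HSB group, no VLAN 1 on trunks, no tunnel-mode
    VAP whose service VLAN is the CAPWAP (management) VLAN. Returns finding strings."""
    findings, mgmt = [], None
    dhcp_bound = any(re.match(r"hsb-service-type dhcp hsb-group \d+$", b[0]) for b in blocks)
    if dhcp_pools(blocks) and not dhcp_bound:
        findings.append(f"{device}: DHCP server configured but no 'hsb-service-type dhcp' binding")
    for b in blocks:
        m = re.match(r"capwap source interface vlanif(\d+)$", b[0], re.IGNORECASE)
        if m:
            mgmt = int(m.group(1))
        if (b[0].startswith("interface ") and "port link-type trunk" in b
                and "undo port trunk allow-pass vlan 1" not in b):
            findings.append(f"{device}: {b[0]} is a trunk that still allows VLAN 1")
    for name, vlan in tunnel_vaps(next((b for b in blocks if b[0] == "wlan"), [])):
        if vlan == mgmt:
            findings.append(f"{device}: tunnel-mode VAP {name} uses management VLAN {vlan} as service VLAN")
    return findings

def audit_pair(master_text, backup_text):
    """Audit both ACs, then the consistency conditions between them."""
    master, backup = parse_blocks(master_text), parse_blocks(backup_text)
    findings = audit_single("master", master) + audit_single("backup", backup)
    wlan_m = next((b for b in master if b[0] == "wlan"), [])
    wlan_b = next((b for b in backup if b[0] == "wlan"), [])
    if wlan_m != wlan_b:
        findings.append("pair: WLAN service configuration differs between master and backup")
    pm, pb = dhcp_pools(master), dhcp_pools(backup)
    for vlanif in sorted(set(pm) | set(pb)):
        if pm.get(vlanif) != pb.get(vlanif):
            findings.append(f"pair: address pool on {vlanif} differs ({pm.get(vlanif)} vs {pb.get(vlanif)})")
    return findings

# Constructed sample configuration files (not from the document); the backup AC is
# derived from the master with four deliberate deviations.
MASTER_CFG = """\
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 40
#
capwap source interface vlanif20
#
hsb-service-type dhcp hsb-group 0
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
#
return
"""
BACKUP_CFG = (MASTER_CFG
    .replace("ip address 172.16.30.1", "ip address 172.16.31.1")      # address pool differs
    .replace(" undo port trunk allow-pass vlan 1\n", "")               # VLAN 1 left on the trunk
    .replace("hsb-service-type dhcp hsb-group 0\n#\n", "")            # DHCP not bound to HSB
    .replace("service-vlan vlan-id 40", "service-vlan vlan-id 20"))   # service VLAN = mgmt VLAN

if __name__ == "__main__":
    for finding in audit_pair(MASTER_CFG, BACKUP_CFG):
        print(finding)
```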
Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 3.4 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 70 80 1000
Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70
# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add the
interface to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 31
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/21
[AGG-AC1-GigabitEthernet0/0/21] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/21] quit
[AGG-AC1] interface gigabitethernet 0/0/22
[AGG-AC1-GigabitEthernet0/0/22] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/22] quit
Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<ACC1> system-view
[ACC1] vlan batch 20 50
# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk
[ACC1-GigabitEthernet0/0/3] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 20
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for the service VLAN.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit
# Create Layer 3 interface VLANIF 20 for wireless services and configure AGG-AC1
to assign IP addresses to APs from the interface address pool.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 172.16.20.1 255.255.255.0
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit
# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 30
[AGG-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG-AC1-Vlanif30] dhcp select interface
[AGG-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif30] quit
# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 31
[AGG-AC1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG-AC1-Vlanif31] dhcp select interface
[AGG-AC1-Vlanif31] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif31] quit
Step 9 Configure VRRP and HSB on AGG-AC1. The configuration on AGG-AC2 is similar.
# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit
# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit
# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. The command output shows that the State field of AGG-AC1
displays Master and that of AGG-AC2 displays Backup.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17
# Check the HSB service status on AGG-AC1 and AGG-AC2. The following
command output shows that the Service State field displays Connected,
indicating that the HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code cn
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac ac85-3d95-d800
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG-AC1 to check
the AP running status. The command output shows that the State field displays
nor, indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles, SSID profiles, and enable IPSG, dynamic ARP
inspection, and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name test01
[AGG-AC1-wlan-vap-prof-test01] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test01] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-test01] security-profile sec1
[AGG-AC1-wlan-vap-prof-test01] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-test01] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-test01] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test01] quit
[AGG-AC1-wlan-view] vap-profile name test02
[AGG-AC1-wlan-vap-prof-test02] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test02] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-test02] security-profile sec2
[AGG-AC1-wlan-vap-prof-test02] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-test02] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-test02] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test02] quit
IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command in the VAP profile view.
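The two notes above tie the VAP profile commands to state kept elsewhere in the configuration: ip source check user-bind enable and arp anti-attack check user-bind enable only work when binding entries exist, and for DHCP STAs those entries come from DHCP snooping on the service VLAN. The following Python script is an added example for this page, not Huawei code or command output. It reads a VRP-style configuration excerpt (constructed here from the AGG-AC1 configuration file shown below, including its service-vlan vlan-id 40 line) and reports every VAP profile that enables a binding-based check while DHCP snooping is missing at the system level or on the profile's service VLAN. The function names (blocks, snooping_vlans, check_vap_profiles) are this example's own.

```python
import re

# Constructed excerpt of the AGG-AC1 configuration file shown on this page
# (not the complete file); the "service-vlan vlan-id 40" line is the page's own.
AGG_AC1_CONFIG = """\
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
#
wlan
 vap-profile name test01
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name test02
  forward-mode tunnel
  service-vlan vlan-id 40
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
#
return
"""

BINDING_CHECKS = ("ip source check user-bind enable",
                  "arp anti-attack check user-bind enable")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def blocks(config, header_re):
    """Yield (match, children) for each line whose stripped text fully matches
    header_re. Children are the following lines indented deeper than the
    header, which is how a VRP configuration file nests view commands."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = re.fullmatch(header_re, line.strip())
        if not m:
            continue
        children = []
        for nxt in lines[i + 1:]:
            if nxt.strip() in ("", "#") or _indent(nxt) <= _indent(line):
                break
            children.append(nxt.strip())
        yield m, children

def snooping_vlans(config):
    """VLAN IDs whose VLAN view contains 'dhcp snooping enable'."""
    return {int(m.group(1)) for m, kids in blocks(config, r"vlan (\d+)")
            if "dhcp snooping enable" in kids}

def check_vap_profiles(config):
    """Return (profile, finding) pairs; an empty list means every VAP profile
    that relies on binding entries has DHCP snooping to populate them."""
    findings = []
    # Exact match: the system-level command has no leading space, the VLAN-view copies do.
    global_snoop = any(l == "dhcp snooping enable" for l in config.splitlines())
    snooped = snooping_vlans(config)
    for m, kids in blocks(config, r"vap-profile name (\S+)"):
        name = m.group(1)
        if not any(c in kids for c in BINDING_CHECKS):
            continue                      # profile does not rely on bindings
        if not global_snoop:
            findings.append((name, "binding checks enabled but 'dhcp snooping enable' "
                                   "is missing at the system level"))
        for c in kids:
            sv = re.fullmatch(r"service-vlan vlan-id (\d+)", c)
            if sv and int(sv.group(1)) not in snooped:
                findings.append((name, f"service VLAN {sv.group(1)} has no 'dhcp snooping "
                                       "enable'; IPSG/DAI will have no binding entries "
                                       "for DHCP STAs and will drop their traffic"))
    return findings

if __name__ == "__main__":
    for profile, finding in check_vap_profiles(AGG_AC1_CONFIG):
        print(f"{profile}: {finding}")
```

On this input test01 passes (VLAN 30 has snooping) and test02 is flagged, because its service VLAN 40 has no dhcp snooping enable; changing the line to service-vlan vlan-id 31, as the deployment step above configures, clears the finding. The same check applies to static-IP users only if static binding entries are added by hand, which the script does not model.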
----End
# Address pool statistics for the VLANIF 50 interface address pool on AGG1 (display output, partially recovered):
Netbios-type : -
Position : Interface
Status : Unlocked
Gateway-0 : -
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval : -
Address Statistic: Total : 254 Used : 1
Idle : 254 Expired : 0
Conflict : 0 Disabled : 0
# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name test01
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name test02
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile test01 wlan 1
vap-profile test02 wlan 2
radio 1
vap-profile test01 wlan 1
vap-profile test02 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41 60
mode lacp
port-isolate enable
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 2
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return
● Determine the campus egress solution and egress devices to be deployed.
– Select egress devices based on the egress link type, number and density of
interfaces, routing protocol, and costs. In real-world networking, Ethernet
links are typically used, and the number of egress routes is small (usually
less than 1,000 routes). To reduce network construction costs, firewalls are
recommended as egress devices.
● Determine the routing solution used by egress gateways and user gateways.
– When egress devices are connected to the Internet, static routing or Border
Gateway Protocol (BGP) is used. Static routing can address service
requirements in most campus networks. BGP needs to be deployed only when
multiple links are available between an enterprise and an Internet service
provider (ISP) to provide differentiated routing services.
– The routing solution for the campus internal network must support
communication between devices, between terminals, and between devices and
terminals on the campus network, as well as communication between these
devices and the Internet and between terminals and the Internet. Static
routing or Open Shortest Path First (OSPF) is typically used.
In this example, two aggregation switches set up a stack named AGG and connect
to core switches, which set up a CSS named CORE. For details about the
networking below the core layer, see 3 Campus Network Connectivity
Deployment.
[Figure: physical interface connections at the campus egress. ISPA and ISPB connect to the egress firewalls FWA and FWB on GE1/0/1 and GE1/0/5; GE1/0/2 is the heartbeat link between the firewalls; GE1/0/3 and GE1/0/4 form Eth-Trunk 10 (FWA) and Eth-Trunk 20 (FWB) to CORE. CORE is a CSS at the core layer: GE1/1/0/0 and GE2/1/0/0 face FWA, GE1/1/0/1 and GE2/1/0/1 face FWB, GE1/1/0/10 connects the HTTP server, and GE1/2/0/0 and GE2/2/0/0 form Eth-Trunk 30 to AGG. AGG is the aggregation-layer stack (GE1/0/1, GE2/0/1). Drawing not recovered.]
Deployment Roadmap
(Table with the columns Step, Deployment Roadmap and Devices Involved; its rows are not recoverable here.)
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
FWA | GE1/0/5 | - | - | 202.2.1.2/24
FWA | GE1/0/2 | - | - | 172.16.111.1/24
FWB | GE1/0/5 | - | - | 202.2.1.1/24
FWB | GE1/0/2 | - | - | 172.16.111.2/24
- | GE2/0/1 | (remaining columns not recovered)
Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
# On FWA, create Eth-Trunk 10 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 10.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] mode lacp-static
[FWA-Eth-Trunk10] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] eth-trunk 10
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface gigabitethernet 1/0/4
[FWA-GigabitEthernet1/0/4] eth-trunk 10
[FWA-GigabitEthernet1/0/4] quit
# On CORE, create Eth-Trunk 10, Eth-Trunk 20, and Eth-Trunk 30 to connect CORE
to FWA, FWB, and AGG respectively, and add member interfaces to these
Eth-Trunks.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/0/0
[CORE-GigabitEthernet1/1/0/0] eth-trunk 10
[CORE-GigabitEthernet1/1/0/0] quit
[CORE] interface gigabitethernet 2/1/0/0
[CORE-GigabitEthernet2/1/0/0] eth-trunk 10
[CORE-GigabitEthernet2/1/0/0] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/1/0/1
[CORE-GigabitEthernet1/1/0/1] eth-trunk 20
[CORE-GigabitEthernet1/1/0/1] quit
[CORE] interface gigabitethernet 2/1/0/1
[CORE-GigabitEthernet2/1/0/1] eth-trunk 20
[CORE-GigabitEthernet2/1/0/1] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/2/0/0
[CORE-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-GigabitEthernet1/2/0/0] quit
[CORE] interface gigabitethernet 2/2/0/0
[CORE-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-GigabitEthernet2/2/0/0] quit
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 202.1.1.2 24 //Configure an IP address for the interface connected to the ISPA network.
[FWB-GigabitEthernet1/0/1] gateway 202.1.1.254
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/5
[FWB-GigabitEthernet1/0/5] ip address 202.2.1.1 24 //Configure an IP address for the interface connected to the ISPB network.
[FWB-GigabitEthernet1/0/5] gateway 202.2.1.254
[FWB-GigabitEthernet1/0/5] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] ip address 172.16.111.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/2] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 172.16.10.2 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk20] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 20 //Add Eth-Trunk 20 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1 //Add the interface connected to the ISPA network to the security zone isp1.
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/1
[FWB-zone-isp1] quit
[FWB] firewall zone name isp2 //Add the interface connected to the ISPB network to the security zone isp2.
[FWB-zone-isp2] set priority 15
[FWB-zone-isp2] add interface gigabitethernet 1/0/5
[FWB-zone-isp2] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/2 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 10 40 50
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 10
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 10
[CORE-Eth-Trunk20] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type trunk
[CORE-Eth-Trunk30] port trunk allow-pass vlan 40
[CORE-Eth-Trunk30] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 172.16.10.3 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif10] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 24 //Configure an IP address for the service VLANIF interface connected to AGG.
[CORE-Vlanif40] quit
[CORE] interface gigabitethernet 1/1/0/10
[CORE-GigabitEthernet1/1/0/10] port link-type access
[CORE-GigabitEthernet1/1/0/10] port default vlan 50
[CORE-GigabitEthernet1/1/0/10] quit
[CORE] interface vlanif 50
# Enable the IP-link function on FWB to detect whether ISP links are working
properly.
# Configure two default routes on FWA, with the next hops pointing to the access
points of the two ISP networks respectively.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
# Configure two default routes on FWB, with the next hops pointing to the access
points of the two ISP networks respectively.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
# On FWA, configure quick session backup, specify the heartbeat interface, and
enable HRP.
# On FWB, configure quick session backup, specify the heartbeat interface, and
enable HRP.
[FWB] hrp mirror session enable
[FWB] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
[FWB] hrp enable
# Configure source NAT policies to allow internal network users to access external
networks through post-NAT public IP addresses.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 172.16.40.1 172.16.40.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
This function requires a license and dynamic installation of the corresponding component
package.
Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
Create an application behavior control file to permit only HTTP web browsing,
HTTP proxy surfing, and HTTP file download during break time.
HRP_M[FWA] profile type app-control name profile_app_rest
HRP_M[FWA-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_rest] quit
Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to control
the application behavior of users during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
Configure the security policy policy_sec_rest and reference the time range
off_hours and application behavior control file profile_app_rest to control the
application behavior of users during non-working hours.
HRP_M[FWA-policy-security] rule name policy_sec_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_rest] user any
HRP_M[FWA-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_M[FWA-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] action permit
HRP_M[FWA-policy-security-rule-policy_sec_rest] quit
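Security policies and NAT policies on the firewall are matched from the top down and the first matching rule wins, so the position of policy_sec_work and policy_sec_rest relative to the other rules decides whether the application behavior control profiles are ever applied. In the FWA configuration file below, the rule trust_to_untrust (source-zone trust, destination-zone isp1 and isp2, source 172.16.40.0/24, permit, no time range) is listed before the two app-control rules, and policy_nat_1 and policy_nat_2 both include 172.16.40.127. The following Python script is an added example for this page, not Huawei code: it parses the rule blocks of a constructed excerpt of that configuration file and, for every rule, reports the earlier rules that take part ("partial") or all ("shadowed") of its traffic. The names parse_rules, find_shadowing and audit are this example's own, and rules with different time ranges are treated as never active at the same time, which holds for working_hours and off_hours here.

```python
import ipaddress

# Constructed excerpt of the FWA configuration file shown on this page, in the
# page's own rule order (an excerpt for this example, not the complete file).
FWA_POLICY = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address 172.16.40.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 172.16.50.0 mask 255.255.255.0
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
nat-policy
 rule name policy_nat_1
  source-zone trust
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  source-address range 172.16.40.127 172.16.40.254
  action source-nat address-group addressgroup2
"""
ANY = [ipaddress.ip_network("0.0.0.0/0")]  # no address clause means "any"

def parse_rules(config, policy):
    """Rules of one policy view (security-policy or nat-policy), in match order."""
    rules, cur, inside = [], None, False
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):            # top-level line: view change
            inside, cur = (raw.strip() == policy), None
        elif not inside:
            continue
        elif t[:2] == ["rule", "name"]:
            cur = {"name": t[2], "src_zone": set(), "dst_zone": set(),
                   "src": [], "dst": [], "time": None}
            rules.append(cur)
        elif cur is not None:
            key = "src" if t[0].startswith("source") else "dst"
            if t[0].endswith("-zone"):
                cur[key + "_zone"].add(t[1])
            elif t[0].endswith("-address") and t[1] == "range":
                cur[key] += ipaddress.summarize_address_range(
                    ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3]))
            elif t[0].endswith("-address"):    # "<address> mask <mask>"
                cur[key].append(ipaddress.ip_network(f"{t[1]}/{t[3]}"))
            elif t[0] == "time-range":
                cur["time"] = t[1]
    return rules

def _zone_ok(e, r, full):
    # Empty set means any zone. full: e covers r; otherwise: e and r intersect.
    if not e:
        return True
    return (bool(r) and r <= e) if full else (not r or bool(e & r))

def _net_ok(e, r, full):
    e, r = e or ANY, r or ANY
    if full:
        return all(any(n.subnet_of(m) for m in e) for n in r)
    return any(n.overlaps(m) for n in r for m in e)

FIELDS = (("src_zone", _zone_ok), ("dst_zone", _zone_ok), ("src", _net_ok), ("dst", _net_ok))

def find_shadowing(rules):
    """First match wins: for each rule, list earlier rules that take some
    ('partial') or all ('shadowed') of its traffic."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if e["time"] is not None and e["time"] != r["time"]:
                continue                       # different schedules never overlap here
            if all(f(e[k], r[k], False) for k, f in FIELDS):
                full = all(f(e[k], r[k], True) for k, f in FIELDS)
                out.append((r["name"], e["name"], "shadowed" if full else "partial"))
    return out

def audit(config):
    return {p: find_shadowing(parse_rules(config, p)) for p in ("security-policy", "nat-policy")}

if __name__ == "__main__":
    for policy, hits in audit(FWA_POLICY).items():
        print(policy, hits)
```

On this input the security-policy result is that policy_sec_work and policy_sec_rest are both partially shadowed by trust_to_untrust: a flow from 172.16.40.0/24 to isp1 or isp2 is permitted by trust_to_untrust and never reaches the rules that carry the app-control profiles, so the HTTP and FTP restrictions do not apply to the user subnet unless the two app-control rules are placed above trust_to_untrust (or trust_to_untrust is removed). The nat-policy result shows that 172.16.40.127 is translated by addressgroup1 under policy_nat_1 and never by policy_nat_2.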
----End
Configuration Files
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
hrp track interface Eth-Trunk 10
hrp mirror session enable
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.127 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 202.20.1.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
undo shutdown
ip address 172.16.111.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 20
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 20
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 202.2.1.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 202.2.1.254
bandwidth egress 200000 threshold 90
bandwidth ingress 200000 threshold 90
redirect-reverse next-hop 202.2.1.254
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet1/0/5
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
destination 202.1.1.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
destination 202.2.1.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 202.10.1.100 255.255.255.255 NULL 0
ip route-static 202.20.1.100 255.255.255.255 NULL 0
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.127 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 202.20.1.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 map 202.20.1.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
interface gigabitethernet1/1/0/0
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface gigabitethernet2/1/0/0
eth-trunk 10
#
interface gigabitethernet1/1/0/1
eth-trunk 20
#
interface gigabitethernet2/1/0/1
eth-trunk 20
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface gigabitethernet1/2/0/0
eth-trunk 30
#
interface gigabitethernet2/2/0/0
eth-trunk 30
#
interface gigabitethernet1/1/0/10
port link-type access
port default vlan 50
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.16.10.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 172.16.50.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
#
return
Core layer: CORE (CSS) with FWA and FWB attached; aggregation layer: AGG1 and AGG2 (remainder of the preceding figure)
Figure 4-3 Physical interface connections of the campus egress where firewalls are deployed in off-path mode
Figure 4-3 shows: RouterA and RouterB connect to the Internet side of CORE (a CSS) over Eth-Trunk 1 and Eth-Trunk 2 (CORE ports XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, XGE2/4/0/1). CORE's Internet-side VRF Public connects to FWA over Eth-Trunk 4 and to FWB over Eth-Trunk 6; its internal-network-side VRF-A connects to FWA over Eth-Trunk 5 and to FWB over Eth-Trunk 7. FWA and FWB are linked to each other by Eth-Trunk 1 (GE2/0/0 and GE2/0/1 on each firewall). CORE connects to AGG1 over Eth-Trunk 8 and to AGG2 over Eth-Trunk 9 (CORE ports GE1/3/0/1, GE1/3/0/2, GE2/3/0/1, GE2/3/0/2).
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
VRRP of RouterA and RouterB | - | - | - | 10.10.4.100/24
VRRP 1 of FWA and FWB (uplink direction) | - | - | - | 10.10.2.5/24
VRRP 2 of FWA and FWB (downlink direction) | - | - | - | 10.10.3.5/24
Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches. For details, see 3.4
Typical CSS and Stack Deployment.
Step 2 Configure Eth-Trunk interfaces and configure IP addresses for interfaces.
1. Configure RouterA. The configuration of RouterB is similar to that of RouterA.
# Create Eth-Trunk 1 and add member interfaces to Eth-Trunk 1.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Eth-Trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface XGigabitethernet 1/0/1
[RouterA-XGigabitEthernet1/0/1] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/1] quit
[RouterA] interface XGigabitethernet 1/0/2
[RouterA-XGigabitEthernet1/0/2] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/2] quit
# Configure a sub-interface for dot1q VLAN tag termination, set it to terminate VLAN 10 (the VLAN CORE uses toward the routers), and assign it an IP address.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] dot1q termination vid 10
[RouterA-Eth-Trunk1.100] ip address 10.10.4.2 24
[CORE-Vlanif30] quit
[CORE] interface Eth-Trunk 8 //Add Eth-Trunk 8 to VLAN 100.
[CORE-Eth-Trunk8] port link-type trunk
[CORE-Eth-Trunk8] port trunk allow-pass vlan 100
[CORE-Eth-Trunk8] quit
[CORE] interface Vlanif 100 //Create VLANIF 100 to connect CORE to AGG1.
[CORE-Vlanif100] ip address 10.10.100.1 24
[CORE-Vlanif100] quit
[CORE] interface Eth-Trunk 9 //Add Eth-Trunk 9 to VLAN 200.
[CORE-Eth-Trunk9] port link-type trunk
[CORE-Eth-Trunk9] port trunk allow-pass vlan 200
[CORE-Eth-Trunk9] quit
[CORE] interface Vlanif 200 //Create VLANIF 200 to connect CORE to AGG2.
[CORE-Vlanif200] ip address 10.10.200.1 24
[CORE-Vlanif200] quit
3. Configure the AGGs.
# On AGG1, create Eth-Trunk 1 to connect AGG1 to CORE, and add member
interfaces to Eth-Trunk 1. The configuration of AGG2 is similar to the
configuration of AGG1, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname AGG1
[AGG1] vlan batch 100
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 100
[AGG1-Eth-Trunk1] mode lacp
[AGG1-Eth-Trunk1] quit
[AGG1] interface gigabitethernet 0/0/1
[AGG1-GigabitEthernet0/0/1] eth-trunk 1
[AGG1-GigabitEthernet0/0/1] quit
[AGG1] interface gigabitethernet 1/0/2
[AGG1-GigabitEthernet1/0/2] eth-trunk 1
[AGG1-GigabitEthernet1/0/2] quit
4. Configure the firewalls.
# Configure interfaces and add interfaces to security zones on FWA.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface Eth-Trunk 4 //Configure the interface connected to CORE (VRF Public side) and assign it an IP address.
[FWA-Eth-Trunk4] ip address 10.10.2.2 24
[FWA-Eth-Trunk4] mode lacp-static
[FWA-Eth-Trunk4] quit
[FWA] interface Gigabitethernet 1/0/0 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/0] Eth-Trunk 4
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface Gigabitethernet 1/0/1 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/1] Eth-Trunk 4
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface Eth-Trunk 5 //Configure the interface connected to CORE (VRF-A side) and assign it an IP address.
[FWA-Eth-Trunk5] ip address 10.10.3.2 24
[FWA-Eth-Trunk5] mode lacp-static
[FWA-Eth-Trunk5] quit
[FWA] interface Gigabitethernet 1/1/0 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/0] Eth-Trunk 5
[FWA-GigabitEthernet1/1/0] quit
[FWA] interface Gigabitethernet 1/1/1 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/1] Eth-Trunk 5
[FWA-GigabitEthernet1/1/1] quit
[FWA] interface Eth-Trunk 1 //Configure the interface connecting FWA to FWB.
[FWA-Eth-Trunk1] ip address 10.1.1.1 24
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface Gigabitethernet 2/0/0 //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/0] Eth-Trunk 1
[FWA-GigabitEthernet2/0/0] quit
Step 4 Configure VRRP. Configure RouterA as the VRRP master and RouterB as the VRRP
backup.
# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Raise the priority of RouterA so that it becomes the master router.
[RouterA-Eth-Trunk1.100] quit
# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterB-Eth-Trunk1.100] quit
# Configure a static default route in Public to forward uplink traffic, with the next hop set to the VRRP virtual IP address of the routers.
[CORE] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
# Configure static routes in Public to forward downlink traffic to the service networks, with the next hop set to the virtual IP address of VRRP group 1 (uplink side) of the firewalls.
[CORE] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
[CORE] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
# Create the VPN instance VRF-A on CORE to forward uplink traffic, and bind the interfaces connected to the service networks and the interfaces connected to the firewalls to VRF-A. Then configure a default route in VRF-A with the next hop set to the virtual IP address of VRRP group 2 (downlink side) of the firewalls. Public and VRF-A share no interface and hold no route to each other, so the only path between the service networks and the Internet runs through the firewalls; this separation is what makes the off-path design enforceable rather than a routing preference that a more specific route could bypass.
[CORE] ip vpn-instance VRF-A //Create the VPN instance VRF-A.
[CORE-vpn-instance-VRF-A] ipv4-family
[CORE-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CORE-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CORE-vpn-instance-VRF-A-af-ipv4] quit
[CORE-vpn-instance-VRF-A] quit
[CORE] interface Vlanif 100
[CORE-Vlanif100] ip binding vpn-instance VRF-A //Bind VLANIF 100, which connects CORE to service network 1, to VRF-A.
[CORE-Vlanif100] ip address 10.10.100.1 24 //Reconfigure the IP address of VLANIF 100: binding an interface to a VPN instance deletes its IP address.
[CORE-Vlanif100] quit
[CORE] interface Vlanif 200
[CORE-Vlanif200] ip binding vpn-instance VRF-A //Bind VLANIF 200, which connects CORE to service network 2, to VRF-A.
[CORE-Vlanif200] ip address 10.10.200.1 24 //Reconfigure the IP address of VLANIF 200 for the same reason.
[CORE-Vlanif200] quit
[CORE] interface Vlanif 30
[CORE-Vlanif30] ip binding vpn-instance VRF-A //Bind VLANIF 30, which connects CORE to the firewalls, to VRF-A.
[CORE-Vlanif30] ip address 10.10.3.1 24 //Reconfigure the IP address of VLANIF 30 for the same reason.
[CORE-Vlanif30] quit
# Configure a default route in VRF-A, and set the next hop to the virtual IP
address of the VRRP group with VRID 2 of firewalls.
[CORE] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
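The two-VRF routing above is easier to trust once you walk a packet through it. The following is an added example written for this guide, not Huawei code: it builds per-table routing entries from the static routes and connected networks that this section configures on CORE (VRF Public and VRF-A) and on the firewalls, then repeats a longest-prefix lookup at every hop. The destination 203.0.113.1 and the terminal "ROUTERS" stop (anything handed to 10.10.4.100) are assumptions.

```python
"""Hop-by-hop trace through the off-path (two-VRF) firewall design.

Added example for this guide, not Huawei code. The tables are a constructed
transcript of the page's static routes and connected networks. Running it
shows that a flow from a service network to the Internet, and the reply to
it, both pass the firewall VRRP addresses, and that VRF-A has no exit other
than the firewall: even the routers' VRRP address is reached through it.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[IPv4Network, Optional[IPv4Address]]   # next hop None = directly connected
Table = List[Route]


def route(prefix: str, next_hop: Optional[str] = None) -> Route:
    return ip_network(prefix), (ip_address(next_hop) if next_hop else None)


def lookup(table: Table, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when the table holds no matching route."""
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


# CORE holds two disjoint tables; only the firewall VRRP addresses join them.
CORE_PUBLIC: Table = [
    route("10.10.4.0/24"), route("10.10.2.0/24"),       # VLANIF 10 and VLANIF 20
    route("0.0.0.0/0", "10.10.4.100"),                   # uplink: routers' VRRP address
    route("10.10.100.0/24", "10.10.2.5"),                # downlink: firewall VRRP group 1
    route("10.10.200.0/24", "10.10.2.5"),
]
CORE_VRF_A: Table = [
    route("10.10.3.0/24"), route("10.10.100.0/24"), route("10.10.200.0/24"),
    route("0.0.0.0/0", "10.10.3.5"),                     # everything else: firewall VRRP group 2
]
FIREWALL: Table = [
    route("10.10.2.0/24"), route("10.10.3.0/24"),
    route("0.0.0.0/0", "10.10.2.1"),                     # back to CORE Public
    route("10.10.100.0/24", "10.10.3.1"),                # back to CORE VRF-A
    route("10.10.200.0/24", "10.10.3.1"),
]

# Which table (or terminal device) owns each next-hop address.
OWNERS: Dict[str, str] = {
    "10.10.3.5": "FIREWALL", "10.10.2.5": "FIREWALL",
    "10.10.2.1": "CORE_PUBLIC", "10.10.3.1": "CORE_VRF_A",
    "10.10.4.100": "ROUTERS",                            # assumed terminal hop toward the Internet
}
TABLES: Dict[str, Table] = {
    "CORE_PUBLIC": CORE_PUBLIC, "CORE_VRF_A": CORE_VRF_A, "FIREWALL": FIREWALL,
}


def trace(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Return the tables and devices a packet visits, ending in DELIVERED, ROUTERS or DROP."""
    path, here, d = [start], start, ip_address(dst)
    for _ in range(max_hops):
        table = TABLES.get(here)
        if table is None:                 # terminal device such as ROUTERS
            return path
        hit = lookup(table, d)
        if hit is None:
            return path + ["DROP: no route"]
        _, next_hop = hit
        if next_hop is None:
            return path + ["DELIVERED"]
        here = OWNERS[str(next_hop)]
        path.append(here)
    return path + ["LOOP"]


def crosses_firewall(path: List[str]) -> bool:
    return "FIREWALL" in path


if __name__ == "__main__":
    print("uplink  :", trace("CORE_VRF_A", "203.0.113.1"))
    print("downlink:", trace("CORE_PUBLIC", "10.10.100.50"))
```

The uplink trace visits CORE_VRF_A, FIREWALL, CORE_PUBLIC and ROUTERS in that order; the downlink reply visits CORE_PUBLIC, FIREWALL and CORE_VRF_A before delivery. Adding a route to VRF-A that points at a Public-side address, or binding a service VLANIF to Public instead of VRF-A, is exactly the change that would make a trace skip FIREWALL, which is what to check after any later edit to CORE.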
2. Configure routers.
# Configure OSPF on RouterA.
[RouterA] ospf 100 router-id 2.2.2.2
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment connected to CORE into OSPF.
[RouterA-ospf-100-area-0.0.0.0] quit
[RouterA-ospf-100] quit
[FWA-Eth-Trunk4] quit
[FWA] interface Eth-Trunk 5
[FWA-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 active
[FWA-Eth-Trunk5] quit
[FWA] hrp interface Eth-Trunk 1 remote 10.1.1.2 //Configure the heartbeat interface and enable HRP.
[FWA] hrp enable
After a hot standby group is successfully established between the active and standby
firewalls, the configurations and sessions on the active firewall are automatically
synchronized to the standby firewall. Therefore, you only need to perform the following
configurations on the active firewall FWA.
----End
# Ping VLANIF 100 bound to VRF-A on CORE from RouterA to verify that the
downlink between RouterA and VLANIF 100 is reachable.
<RouterA> ping 10.10.100.1
Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms
Configuration Files
● RouterA configuration file
#
sysname RouterA
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return
● RouterB configuration file
#
sysname RouterB
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 3.3.3.3
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return
● CORE configuration file
#
sysname CORE
#
vlan batch 10 20 30 100 200
#
ip vpn-instance Public
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
ip vpn-instance VRF-A
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif10
ip binding vpn-instance Public
ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance Public
ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance VRF-A
ip address 10.10.3.1 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance VRF-A
ip address 10.10.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip binding vpn-instance VRF-A
ip address 10.10.200.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface Eth-Trunk4
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk5
port link-type access
port default vlan 30
mode lacp
#
interface Eth-Trunk6
port link-type access
port default vlan 20
mode lacp
#
interface Eth-Trunk7
port link-type access
port default vlan 30
mode lacp
#
interface Eth-Trunk8
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk9
port link-type trunk
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk5
#
firewall zone untrust
set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
return
● FWB configuration file
#
sysname FWB
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
interface Eth-Trunk1
ip address 10.1.1.2 255.255.255.0
mode lacp-static
#
interface Eth-Trunk6
ip address 10.10.2.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 standby
mode lacp-static
#
interface Eth-Trunk7
ip address 10.10.3.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 standby
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 6
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 6
#
interface GigabitEthernet1/1/0
undo shutdown
eth-trunk 7
#
interface GigabitEthernet1/1/1
undo shutdown
eth-trunk 7
#
interface GigabitEthernet2/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk7
#
firewall zone untrust
set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
return
Figure 4-4 Campus network where firewalls are directly connected to egress routers
Figure 4-4 shows: egress routers RouterA and RouterB face the Internet on GE0/0/2 and connect to FWA and FWB on GE0/0/1; FWA and FWB connect to the routers on GE1/0/1, share a heartbeat link on GE1/0/7, and connect to CORE over Eth-Trunk 10 (FWA) and Eth-Trunk 20 (FWB) with firewall member ports GE2/0/3 and GE2/0/4; the aggregation switches serve Department A and Department B.
USG6300E V600R007C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
RouterA | GE0/0/2 | - | - | 8.8.8.1/24
RouterB | GE0/0/2 | - | - | 9.9.9.1/24
FWA | GE1/0/7 (heartbeat) | - | - | 10.10.1.1/24
FWB | GE1/0/7 (heartbeat) | - | - | 10.10.1.2/24
Member interfaces in the remaining rows: GE2/0/4 (FWA and FWB), GE2/1/0/3, GE2/1/0/4, GE2/2/0/3 and GE2/2/0/4 (CORE), GE2/0/1 (AGG1 and AGG2)
Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
2. Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member
interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/0/3
[CORE-GigabitEthernet1/1/0/3] eth-trunk 10
[CORE-GigabitEthernet1/1/0/3] quit
[CORE] interface gigabitethernet 2/1/0/3
[CORE-GigabitEthernet2/1/0/3] eth-trunk 10
[CORE-GigabitEthernet2/1/0/3] quit
3. Configure AGGs.
# On AGG1, create Eth-Trunk 100 and Eth-Trunk 115 to connect AGG1 to CORE and to an access switch respectively, and add member interfaces to Eth-Trunk 100 and Eth-Trunk 115.
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] mode lacp
[AGG1-Eth-Trunk100] quit
[AGG1] interface gigabitethernet 1/0/1
[AGG1-GigabitEthernet1/0/1] eth-trunk 100
[AGG1-GigabitEthernet1/0/1] quit
[AGG1] interface gigabitethernet 2/0/1
[AGG1-GigabitEthernet2/0/1] eth-trunk 100
[AGG1-GigabitEthernet2/0/1] quit
[AGG1] interface eth-trunk 115
[AGG1-Eth-Trunk115] mode lacp
[AGG1-Eth-Trunk115] quit
[AGG1] interface gigabitethernet 1/0/5
[AGG1-GigabitEthernet1/0/5] eth-trunk 115
[AGG1-GigabitEthernet1/0/5] quit
[AGG1] interface gigabitethernet 2/0/5
[AGG1-GigabitEthernet2/0/5] eth-trunk 115
[AGG1-GigabitEthernet2/0/5] quit
# Configure RouterB.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as
the router ID of RouterB.
[RouterB-LoopBack0] quit
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address for the interface
connected to FWB.
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 202.10.2.1 24 //Configure an IP address for the interface
connected to the Internet.
[RouterB-GigabitEthernet0/0/2] quit
# Configure FWA.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the
router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for the interface connected
to RouterA.
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/7
[FWA-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/7] quit
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-Trunk interface connected
to CORE.
[FWA-Eth-Trunk10] quit
# Configure FWB.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the
router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for the interface connected
to RouterB.
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/7
[FWB-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/7] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-Trunk interface connected
to CORE.
[FWB-Eth-Trunk20] quit
# Configure CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 5.5.5.5 32 //Configure an IP address for loopback 0, which is also used as
the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk interface works in Layer 2 mode. To use
an Eth-Trunk interface as a Layer 3 interface, run the undo portswitch command to change the Eth-Trunk
interface to Layer 3 mode.
[CORE-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for Eth-Trunk 10 connected to FWA.
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] undo portswitch
[CORE-Eth-Trunk20] ip address 10.4.1.2 24 //Configure an IP address for Eth-Trunk 20 connected to FWB.
[CORE-Eth-Trunk20] quit
[CORE] vlan batch 100 200 300
[CORE] interface eth-trunk 100
[CORE-Eth-Trunk100] port link-type hybrid
[CORE-Eth-Trunk100] port hybrid pvid vlan 100
[CORE-Eth-Trunk100] port hybrid untagged vlan 100
[CORE-Eth-Trunk100] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.5.1.1 24 //Configure an IP address for the interface connected to AGG1.
[CORE-Vlanif100] quit
[CORE] interface eth-trunk 102
[CORE-Eth-Trunk102] port link-type hybrid
[CORE-Eth-Trunk102] port hybrid pvid vlan 200
[CORE-Eth-Trunk102] port hybrid untagged vlan 200
[CORE-Eth-Trunk102] quit
[CORE] interface vlanif 200
[CORE-Vlanif200] ip address 10.6.1.1 24 //Configure an IP address for the interface connected to AGG2.
[CORE-Vlanif200] quit
[CORE] interface gigabitethernet 1/1/0/10
[CORE-GigabitEthernet1/1/0/10] port link-type access
[CORE-GigabitEthernet1/1/0/10] port default vlan 300
[CORE-GigabitEthernet1/1/0/10] quit
[CORE] interface vlanif 300
[CORE-Vlanif300] ip address 10.100.1.1 24
[CORE-Vlanif300] quit
# Configure AGG1.
[AGG1] interface loopback 0
[AGG1-LoopBack0] ip address 6.6.6.6 32 //Configure an IP address for loopback 0, which is also used as
the router ID of AGG1.
[AGG1-LoopBack0] quit
[AGG1] vlan batch 100 500
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] port link-type hybrid
[AGG1-Eth-Trunk100] port hybrid pvid vlan 100
[AGG1-Eth-Trunk100] port hybrid untagged vlan 100
[AGG1-Eth-Trunk100] quit
[AGG1] interface vlanif 100
[AGG1-Vlanif100] ip address 10.5.1.2 24 //Configure an IP address for the interface connected to CORE.
[AGG1-Vlanif100] quit
[AGG1] interface eth-trunk 115
[AGG1-Eth-Trunk115] port link-type hybrid
[AGG1-Eth-Trunk115] port hybrid pvid vlan 500
[AGG1-Eth-Trunk115] port hybrid untagged vlan 500
[AGG1-Eth-Trunk115] quit
[AGG1] interface vlanif 500
[AGG1-Vlanif500] ip address 192.168.1.1 24 //Configure an IP address for the interface connected to an
access switch.
[AGG1-Vlanif500] quit
# Configure AGG2.
[AGG2] interface loopback 0
[AGG2-LoopBack0] ip address 7.7.7.7 32 //Configure an IP address for loopback 0, which is also used as
the router ID of AGG2.
[AGG2-LoopBack0] quit
[AGG2] vlan batch 200 600
[AGG2] interface eth-trunk 102
[AGG2-Eth-Trunk102] port link-type hybrid
[AGG2-Eth-Trunk102] port hybrid pvid vlan 200
[AGG2-Eth-Trunk102] port hybrid untagged vlan 200
[AGG2-Eth-Trunk102] quit
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
2. Configure Area 1 (the downlink interface of CORE and the uplink interface of AGG1) and Area 2 (the downlink interface of CORE and the uplink interface of AGG2) as NSSAs. Every router in an area must agree on the NSSA setting, or adjacencies in that area will not form.
# Configure CORE.
[CORE] ospf 1
[CORE-ospf-1] area 1
[CORE-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Advertise the network segment connected
to AGG1 into OSPF Area 1.
[CORE-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA.
[CORE-ospf-1-area-0.0.0.1] quit
[CORE-ospf-1] area 2
[CORE-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Advertise the network segment connected
to AGG2 into OSPF Area 2.
[CORE-ospf-1-area-0.0.0.2] nssa //Configure Area 2 as an NSSA.
[CORE-ospf-1-area-0.0.0.2] quit
[CORE-ospf-1] quit
# Configure AGG1.
[AGG1] ospf 1
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Advertise the network segment connected
to CORE into OSPF Area 1.
[AGG1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Advertise the network segment
connected to users into OSPF Area 1.
[AGG1-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA.
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit
# Configure AGG2.
[AGG2] ospf 1
[AGG2-ospf-1] area 2
[AGG2-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Advertise the network segment connected
to CORE into OSPF Area 2.
[AGG2-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255 //Advertise the network segment
connected to users into OSPF Area 2.
[AGG2-ospf-1-area-0.0.0.2] nssa //Configure Area 2 as an NSSA.
[AGG2-ospf-1-area-0.0.0.2] quit
[AGG2-ospf-1] quit
3. Configure default routes.
# On CORE, configure default routes with the next hops pointing to firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
# On FWA, configure a default route with the next hop pointing to RouterA.
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# On FWB, configure a default route with the next hop pointing to RouterB.
[FWB] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
# On RouterA, configure a default route with the next hop being the IP
address of the connected carrier network device (public network gateway).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
# On RouterB, configure a default route with the next hop being the IP
address of the connected carrier network device (public network gateway).
[RouterB] ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
Step 5 Configure security zones, add interfaces to security zones, and configure security
policies on firewalls.
# Configure FWA.
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the internal network to the trusted zone.
# Configure FWB.
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the internal network to the
trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the Internet to the
untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface gigabitethernet 1/0/7 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
[FWB] security-policy
[FWB-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
[FWB-policy-security-rule-policy_dmz] source-zone local
[FWB-policy-security-rule-policy_dmz] source-zone dmz
[FWB-policy-security-rule-policy_dmz] destination-zone local
[FWB-policy-security-rule-policy_dmz] destination-zone dmz
[FWB-policy-security-rule-policy_dmz] action permit
[FWB-policy-security-rule-policy_dmz] quit
[FWB-policy-security] rule name trust_to_untrust //Prohibit internal network users from accessing the
Internet.
[FWB-policy-security-rule-trust_to_untrust] source-zone trust
[FWB-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust] source-address 10.4.1.0 24
[FWB-policy-security-rule-trust_to_untrust] source-address 10.6.1.0 24
[FWB-policy-security-rule-trust_to_untrust] source-address 192.168.2.0 24
[FWB-policy-security-rule-trust_to_untrust] action deny
[FWB-policy-security-rule-trust_to_untrust] quit
[FWB-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP
server.
[FWB-policy-security-rule-untrust_to_trust] source-zone untrust
[FWB-policy-security-rule-untrust_to_trust] destination-zone trust
[FWB-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWB-policy-security-rule-untrust_to_trust] action permit
[FWB-policy-security-rule-untrust_to_trust] quit
[FWB-policy-security] quit
After a hot standby group is successfully established between the active and standby
firewalls, the configurations and sessions on the active firewall are automatically
synchronized to the standby firewall.
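The policy above is only as safe as the order it is matched in and the implicit rule that follows it. The following is an added example written for this guide, not Huawei code: it models how the firewall walks security-policy rules (top to bottom, first full match decides, anything unmatched hits the default deny). FWB_RULES is a constructed transcript of the FWB policy; the sample flows and their addresses are constructed.

```python
"""First-match evaluation of a zone-based security policy.

Added example for this guide, not Huawei code. Rules carry no service
condition, exactly as the page's rules do, so they match every protocol.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    source_zones: List[str] = field(default_factory=list)
    destination_zones: List[str] = field(default_factory=list)
    source_addresses: List[IPv4Network] = field(default_factory=list)
    destination_addresses: List[IPv4Network] = field(default_factory=list)

    def matches(self, src_zone: str, dst_zone: str,
                src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        # An empty condition list means "any", as an unset condition does on the firewall.
        return (
            (not self.source_zones or src_zone in self.source_zones)
            and (not self.destination_zones or dst_zone in self.destination_zones)
            and (not self.source_addresses or any(src_ip in n for n in self.source_addresses))
            and (not self.destination_addresses or any(dst_ip in n for n in self.destination_addresses))
        )


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, name of the deciding rule); (deny, None) means the default rule."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, s, d):
            return rule.action, rule.name
    return "deny", None


# Constructed transcript of the FWB security policy in this section.
FWB_RULES = [
    Rule("policy_dmz", "permit", ["local", "dmz"], ["local", "dmz"]),
    Rule("trust_to_untrust", "deny", ["trust"], ["untrust"],
         [ip_network("10.4.1.0/24"), ip_network("10.6.1.0/24"), ip_network("192.168.2.0/24")]),
    Rule("untrust_to_trust", "permit", ["untrust"], ["trust"],
         destination_addresses=[ip_network("10.100.1.0/24")]),
]

# Constructed flows: (source zone, destination zone, source IP, destination IP).
SAMPLE_FLOWS = [
    ("trust", "untrust", "192.168.2.20", "203.0.113.5"),   # department B to the Internet
    ("untrust", "trust", "198.51.100.7", "10.100.1.10"),   # Internet to the HTTP server
    ("untrust", "trust", "198.51.100.7", "192.168.2.20"),  # Internet to a user PC
    ("local", "dmz", "10.10.1.2", "10.10.1.1"),            # HRP heartbeat
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(FWB_RULES, *flow))
```

The third flow is decided by the implicit default rule: nothing permits Internet-to-user traffic, so it is dropped without an explicit deny. Note also that untrust_to_trust admits every protocol and port to the whole 10.100.1.0/24; when only the HTTP server at 10.100.1.10 is published, a practitioner narrows destination-address to that host and adds a service condition for HTTP.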
Step 7 Configure the DHCP server function on CORE and the DHCP relay function on
AGG1 and AGG2.
# Configure CORE as the DHCP server to allocate IP addresses to users.
[CORE] dhcp enable
[CORE] interface vlanif 100 //Configure CORE to allocate IP addresses to users in department A through
VLANIF 100.
[CORE-Vlanif100] dhcp select global
[CORE-Vlanif100] quit
[CORE] interface vlanif 200 //Configure CORE to allocate IP addresses to users in department B through
VLANIF 200.
[CORE-Vlanif200] dhcp select global
[CORE-Vlanif200] quit
[CORE] ip pool poola //Configure the IP address pool poola to allocate IP addresses to users in
department A.
[CORE-ip-pool-poola] network 192.168.1.0 mask 24
[CORE-ip-pool-poola] gateway-list 192.168.1.1
[CORE-ip-pool-poola] quit
[CORE] ip pool poolb //Configure the IP address pool poolb to allocate IP addresses to users in
department B.
[CORE-ip-pool-poolb] network 192.168.2.0 mask 24
[CORE-ip-pool-poolb] gateway-list 192.168.2.1
[CORE-ip-pool-poolb] quit
Assume the following public address assignments, which match the configuration files below: 8.8.8.1 and 9.9.9.1 are configured on the Internet-facing interfaces of RouterA and RouterB, and 8.8.8.2 and 9.9.9.2 are the carrier gateways used as the next hops of their default routes. 8.8.8.10 and 9.9.9.10 are the public IP addresses through which external network users access the HTTP server. The remaining addresses, 8.8.8.3 to 8.8.8.9 and 9.9.9.3 to 9.9.9.9, form the source NAT pools that internal network users use to access the Internet.
# Configure NAT Server on RouterA and RouterB so that external network users can access the HTTP server on the internal network. Because no port is specified in the commands below, every TCP port of 10.100.1.10 becomes reachable through the public addresses; when only the web service is meant to be published, add the global-port and host-port values so that only the HTTP port is mapped.
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
[RouterA-GigabitEthernet0/0/2] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
[RouterB-GigabitEthernet0/0/2] quit
----End
Configuration Files
● RouterA configuration file
#
sysname RouterA
#
router id 1.1.1.1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 8.8.8.3 8.8.8.9
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 8.8.8.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
#
return
● RouterB configuration file
#
sysname RouterB
#
router id 2.2.2.2
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 9.9.9.3 9.9.9.9
#
interface GigabitEthernet0/0/1
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 9.9.9.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
#
return
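Two NAT mistakes on this page are easy to make and hard to spot by eye: a source NAT pool that also contains an address published by nat server (so outbound translations can collide with the published service), and NAT-policy source ranges that overlap (so the first rule silently wins for the shared addresses). The following is an added example written for this guide, not Huawei code: a small auditor for the line formats used here, the USG `nat address-group NAME` block with `section N a b`, the AR one-line `nat address-group N a b`, `nat server ... global IP ...`, and NAT-policy `source-address range a b`. The two configuration samples are constructed; the first deliberately contains both mistakes, the second is clean.

```python
"""Audit VRP-style NAT configuration for pool/nat-server collisions and
overlapping NAT-policy source ranges. Added example, not Huawei code."""
import ipaddress
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive IPv4 range as integers

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_AR_POOL = re.compile(rf"^\s*nat address-group\s+(\S+)\s+{_IP}\s+{_IP}")
_USG_POOL = re.compile(r"^\s*nat address-group\s+(\S+)\s*$")
_SECTION = re.compile(rf"^\s*section\s+\d+\s+{_IP}\s+{_IP}")
_SERVER = re.compile(rf"^\s*nat server\b.*?\bglobal\s+{_IP}")
_SRC_RANGE = re.compile(rf"^\s*source-address range\s+{_IP}\s+{_IP}")


def _rng(a: str, b: str) -> Range:
    return int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))


def parse_nat(config: str) -> Tuple[Dict[str, List[Range]], List[int], List[Range]]:
    """Return (pools by name, nat-server global addresses, NAT-policy source ranges)."""
    pools: Dict[str, List[Range]] = {}
    servers: List[int] = []
    src_ranges: List[Range] = []
    current = None  # name of the USG pool block being read
    for line in config.splitlines():
        if line.strip() == "#":          # VRP block separator ends a pool block
            current = None
            continue
        if (m := _AR_POOL.match(line)):
            pools.setdefault(m.group(1), []).append(_rng(m.group(2), m.group(3)))
        elif (m := _USG_POOL.match(line)):
            current = m.group(1)
            pools.setdefault(current, [])
        elif current and (m := _SECTION.match(line)):
            pools[current].append(_rng(m.group(1), m.group(2)))
        elif (m := _SERVER.match(line)):
            servers.append(int(ipaddress.IPv4Address(m.group(1))))
        elif (m := _SRC_RANGE.match(line)):
            src_ranges.append(_rng(m.group(1), m.group(2)))
    return pools, servers, src_ranges


def audit_nat(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    pools, servers, src_ranges = parse_nat(config)
    findings: List[str] = []
    for name, ranges in pools.items():
        for lo, hi in ranges:
            for ip in servers:
                if lo <= ip <= hi:
                    findings.append(f"pool {name} contains nat server global address "
                                    f"{ipaddress.IPv4Address(ip)}; exclude it from the pool")
    for i, (lo1, hi1) in enumerate(src_ranges):
        for lo2, hi2 in src_ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append("NAT-policy source ranges overlap: "
                                f"{ipaddress.IPv4Address(max(lo1, lo2))}-"
                                f"{ipaddress.IPv4Address(min(hi1, hi2))}; only the first rule matches")
    return findings


# Constructed samples (not the page's files). BAD_CONFIG has both mistakes.
BAD_CONFIG = """\
nat address-group 1 9.9.9.3 9.9.9.10
#
interface GigabitEthernet0/0/2
 nat outbound 2000 address-group 1
 nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
#
nat-policy
 rule name policy_nat_1
  source-address range 172.16.40.1 172.16.40.127
 rule name policy_nat_2
  source-address range 172.16.40.127 172.16.40.254
#
"""
GOOD_CONFIG = """\
nat address-group addressgroup1
 mode pat
 section 0 202.10.1.1 202.10.1.5
#
nat server web_for_isp1 zone isp1 protocol tcp global 202.10.1.10 8080 inside 172.16.50.10 80 no-reverse
#
nat-policy
 rule name policy_nat_1
  source-address range 172.16.40.1 172.16.40.127
 rule name policy_nat_2
  source-address range 172.16.40.128 172.16.40.254
#
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit_nat(cfg) or ["no findings"])
```

Run it against a saved `display current-configuration` dump before committing a NAT change; it reads both the firewall and the AR router syntax on this page, so one pass covers the whole egress.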
interface GigabitEthernet1/1/0/3
eth-trunk 10
#
interface GigabitEthernet1/1/0/4
eth-trunk 20
#
interface GigabitEthernet1/2/0/3
eth-trunk 100
#
interface GigabitEthernet1/2/0/4
eth-trunk 102
#
interface GigabitEthernet2/1/0/3
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 20
#
interface GigabitEthernet2/2/0/3
eth-trunk 100
#
interface GigabitEthernet2/2/0/4
eth-trunk 102
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
area 0.0.0.1
network 10.5.1.0 0.0.0.255
nssa
area 0.0.0.2
network 10.6.1.0 0.0.0.255
nssa
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return
interface GigabitEthernet1/0/1
eth-trunk 100
#
interface GigabitEthernet2/0/1
eth-trunk 100
#
interface GigabitEthernet1/0/5
eth-trunk 115
#
interface GigabitEthernet2/0/5
eth-trunk 115
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
ospf 1 router-id 6.6.6.6
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
nssa
#
return
nssa
#
return
Figure 4-5 Deploying IPSec on firewalls for secure communication with the headquarters
Figure 4-5 shows: a headquarters Router (GE2/0/0 toward the headquarters network, GE1/0/0 toward the Internet) terminates IPSec tunnels from the egress firewalls FWA and FWB (GE1/0/0 toward the Internet on each). FWA and FWB share a heartbeat link on GE1/0/3 and each connects to CORE (core layer, a CSS) over Eth-Trunk 1 with members GE1/0/1 and GE1/0/2; the CORE side uses GE1/1/1/0, GE1/1/1/1, GE2/1/1/0 and GE2/1/1/1. CORE connects to the aggregation switch AGG over Eth-Trunk 30 (CORE ports GE1/2/0/0 and GE2/2/0/0; AGG ports GE1/0/1 and GE2/0/1).
USG6300E V600R007C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
Router (headquarters) | GE2/0/0 | - | - | 10.10.0.1/24
FWA | GE1/0/3 (heartbeat) | - | - | 10.4.0.1/24
FWB | GE1/0/3 (heartbeat) | - | - | 10.4.0.2/24
Member interfaces in the remaining rows: GE1/0/2 (FWA and FWB), GE1/1/1/1, GE2/1/1/0 (listed under Eth-Trunk 20), GE2/1/1/1 and GE2/2/0/0 (CORE), GE2/0/1 (AGG)
Deployment Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
1. Configure the firewalls.
# On FWA, create Eth-Trunk 1 to connect FWA to CORE, and add member
interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit
2. Configure routing.
# Configure a default route on the router and set the next hop to a public IP
address.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254
# Configure a default route on FWA and set the next hop to a public IP
address.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
# Configure a default route on FWB and set the next hop to a public IP
address.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
# On CORE, configure a default route with the next hop being the VRRP
virtual IP address of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
2. Configure HRP.
# On FWA, specify a heartbeat interface and enable HRP.
[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.
# After a hot standby group is successfully established between the active and
standby firewalls, the security policies configured on FWA will be automatically
synchronized to FWB.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and
DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the
Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Prohibit external network users from accessing the internal network.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
# Configure source NAT policies so that internal network users on the network
segment 10.6.0.0/24 can access the Internet through post-NAT public IP addresses. If
both IPSec and NAT are configured on an interface, NAT is performed first.
Therefore, to prevent NAT from being performed on IPSec-protected data flows,
the ACL rule referenced by NAT must deny these data flows.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone untrust
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-address 10.10.0.0 24 //Assume that the private IP
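To see why the no-nat rule has to be matched before the PAT rule, the following added example (not code from the page or the product) models the order the page describes: the nat-policy is applied to the packet first, and only a packet that still matches acl 3001 afterwards is sent into the IPSec tunnel. Rule order, address pool and ACL follow the FWA configuration file of this example; top-down first-match evaluation, the PAT address choice and the Internet host 203.0.113.7 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the egress order the page describes: the source NAT
# policy is applied first, and only a flow that still matches the IPSec ACL
# after NAT enters the tunnel. Rule order and addresses follow the FWA
# configuration file; top-down first-match evaluation is an assumption.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_zone: str = "trust"
    # Zone of the egress interface. The nat-policy names "untrust" while the
    # zone configuration puts GE1/0/0 in "isp1": the names must agree or the
    # NAT rules never match, so this is worth checking on the real device.
    dst_zone: str = "untrust"


def match_addr(addr, spec):
    """spec: None (any), a CIDR string, or an inclusive (low, high) range."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    if isinstance(spec, tuple):
        low, high = (ipaddress.ip_address(x) for x in spec)
        return low <= ip <= high
    return ip in ipaddress.ip_network(spec, strict=False)


# nat address-group addressgroup1, section 0 202.10.1.1 202.10.1.5 (mode pat)
POOLS = {"addressgroup1": [f"202.10.1.{i}" for i in range(1, 6)]}

# nat-policy rules in configuration order (policy_nat_1 before policy_nat_2)
NAT_POLICY = [
    {"name": "policy_nat_1", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.6.0.0/24", "dst": "10.10.0.0/24", "action": "no-nat"},
    {"name": "policy_nat_2", "src_zone": "trust", "dst_zone": "untrust",
     "src": ("10.6.0.1", "10.6.0.127"), "dst": None, "action": "addressgroup1"},
]

# acl 3001 rule 5: the branch-bound traffic that ipsec policy ipsec_vpn protects
IPSEC_ACL_3001 = [("10.6.0.0/24", "10.10.0.0/24")]


def apply_nat(pkt, policy):
    """Return (matched rule name or None, packet after translation)."""
    for rule in policy:
        if (pkt.src_zone == rule["src_zone"] and pkt.dst_zone == rule["dst_zone"]
                and match_addr(pkt.src, rule["src"])
                and match_addr(pkt.dst, rule["dst"])):
            if rule["action"] == "no-nat":
                return rule["name"], pkt
            pool = POOLS[rule["action"]]
            # PAT: pick a pool address deterministically from the private source
            public = pool[int(ipaddress.ip_address(pkt.src)) % len(pool)]
            return rule["name"], replace(pkt, src=public)
    return None, pkt


def ipsec_protected(pkt, acl=IPSEC_ACL_3001):
    """security acl 3001 is checked against the packet as it is after NAT."""
    return any(match_addr(pkt.src, s) and match_addr(pkt.dst, d) for s, d in acl)


def egress(pkt, policy=NAT_POLICY):
    """NAT first, then the IPSec ACL, as the page describes for one interface."""
    rule, out = apply_nat(pkt, policy)
    return {"nat_rule": rule, "src_after_nat": out.src,
            "ipsec": ipsec_protected(out)}


if __name__ == "__main__":
    to_branch = Packet("10.6.0.10", "10.10.0.20")
    to_internet = Packet("10.6.0.10", "203.0.113.7")   # constructed Internet host
    print("with no-nat rule   :", egress(to_branch))
    # Without policy_nat_1 the branch flow is translated, no longer matches
    # acl 3001 and leaves the firewall unencrypted.
    print("no-nat rule removed:", egress(to_branch, NAT_POLICY[1:]))
    print("Internet-bound     :", egress(to_internet))
```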
This function requires a license and dynamic installation of the corresponding component
package.
# Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to prohibit
HTTP and FTP operations during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
----End
Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
# Perform ping tests to verify that devices on the private networks of the
headquarters and branch can ping each other successfully. External network users
cannot access the internal network. Internal network users can access the Internet
but cannot play online games or watch online videos.
Configuration Files
● Router configuration file
#
sysname Router
#
ipsec authentication sha2 compatible enable
#
acl number 3000
rule 5 deny ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
#
ipsec policy-template use1 10
security acl 3001
ike-peer vpn
proposal tran1
#
ipsec policy ipsec_vpn 10 isakmp template use1
#
interface GigabitEthernet1/0/0
ip address 202.2.1.1 255.255.255.0
ipsec policy ipsec_vpn
nat outbound 3000
#
interface GigabitEthernet2/0/0
ip address 10.10.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254
#
return
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
hrp mirror session enable
#
acl number 3001
rule 5 permit ip source 10.6.0.0 0 destination 10.10.0.0 0
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.2.1.1
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
tunnel local 202.1.1.3
#
interface Eth-Trunk1
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 active
anti-ddos flow-statistic enable
gateway 202.1.1.254
ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
#
● FWB configuration file
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
hrp mirror session enable
#
acl number 3001
rule 5 permit ip source 10.6.0.0 0 destination 10.10.0.0 0
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.2.1.1
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
tunnel local 202.1.1.3
#
interface Eth-Trunk1
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 standby
anti-ddos flow-statistic enable
gateway 202.1.1.254
ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
section 0 202.10.1.1 202.10.1.5
route enable
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.6.0.0 mask 255.255.255.0
destination-address 10.10.0.0 mask 255.255.255.0
action nat no-nat
rule name policy_nat_2
source-zone trust
destination-zone untrust
source-address range 10.6.0.1 10.6.0.127
action nat address-group addressgroup1
#
return
ospf 1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.5.0.0 0.0.0.255
network 10.6.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return
Figure 4-6 Deploying IPSec on egress routers for communication between the headquarters and branch
(Figure: branch RouterC with GE2/0/0 toward the branch network and GE1/0/0 toward the Internet; IPSec tunnels from RouterC to the two headquarters egress routers, each on GE1/0/0; the routers connect to the core over Eth-Trunk 1; access switches ACC1 and ACC2 at the access layer, on GE0/0/1 and GE0/0/2, serve Department A and Department B)
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
RouterC | GE2/0/0 | - | - | 10.10.200.1/24
CORE | Eth-Trunk 4 | GE0/0/4, GE1/0/4 | - | -
(other member-interface cells of the table: GE1/0/1, GE1/0/2, GE0/0/2, GE0/0/2)
Deployment Procedure
Step 1 Configure the stacking function on core switches. For details, see 3.4 Typical CSS
and Stack Deployment.
Step 2 Configure Eth-Trunk interfaces.
# Configure RouterA. The configuration of RouterB is similar to that of RouterA.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] eth-trunk 1
[RouterA-GigabitEthernet2/0/1] quit
# Configure CORE.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
# Configure CORE.
[CORE] vlan batch 10 20 30 100
[CORE] interface Eth-Trunk 1
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10
[CORE-Eth-Trunk1] quit
[CORE] interface Eth-Trunk 2
[CORE-Eth-Trunk2] port link-type trunk
[CORE-Eth-Trunk2] port trunk allow-pass vlan 20
[CORE-Eth-Trunk2] quit
[CORE] interface Eth-Trunk 3
[CORE-Eth-Trunk3] port link-type trunk
[CORE-Eth-Trunk3] port trunk allow-pass vlan 100
[CORE-Eth-Trunk3] quit
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] port link-type trunk
[CORE-Eth-Trunk4] port trunk allow-pass vlan 100
[CORE-Eth-Trunk4] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 10.10.10.1 24
[CORE-Vlanif10] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.10.20.1 24
[CORE-Vlanif20] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 10.10.30.1 24
[CORE-Vlanif30] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.10.100.4 24
[CORE-Vlanif100] quit
# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit
2. Configure OSPF.
# Configure RouterA.
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure RouterB.
[RouterB] ospf 1 router-id 10.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
# Configure CORE.
[CORE] ospf 1 router-id 10.3.3.3
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
# Configure RouterC.
[RouterC] acl 3000
[RouterC-acl-adv-3000] rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255 //Deny the IPSec-protected data flows so that NAT is not performed on them.
[RouterC-acl-adv-3000] rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
# Configure RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit
# Configure RouterB.
[RouterB] ike peer vpn
[RouterB-ike-peer-vpn] undo version 2
[RouterB-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterB-ike-peer-vpn] ike-proposal 5
[RouterB-ike-peer-vpn] dpd type periodic
[RouterB-ike-peer-vpn] dpd idle-time 10
[RouterB-ike-peer-vpn] remote-address 3.3.3.2
[RouterB-ike-peer-vpn] quit
# Configure RouterC.
[RouterC] ike peer vpnr1
[RouterC-ike-peer-vpnr1] undo version 2
[RouterC-ike-peer-vpnr1] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr1] ike-proposal 5
[RouterC-ike-peer-vpnr1] dpd type periodic
[RouterC-ike-peer-vpnr1] dpd idle-time 10
[RouterC-ike-peer-vpnr1] remote-address 1.1.1.2
[RouterC-ike-peer-vpnr1] quit
[RouterC] ike peer vpnr2
[RouterC-ike-peer-vpnr2] undo version 2
[RouterC-ike-peer-vpnr2] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr2] ike-proposal 5
[RouterC-ike-peer-vpnr2] dpd type periodic
[RouterC-ike-peer-vpnr2] dpd idle-time 10
[RouterC-ike-peer-vpnr2] remote-address 2.2.2.2
[RouterC-ike-peer-vpnr2] quit
# Configure RouterB.
[RouterB] ipsec policy ipsec_vpn 10 isakmp
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] quit
# Configure RouterC.
[RouterC] ipsec policy ipsec_vpn 10 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpnr1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] quit
[RouterC] ipsec policy ipsec_vpn 20 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] ike-peer vpnr2
----End
Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
# Perform ping tests to verify that devices on the private networks of the
headquarters and branch can ping each other successfully. Users in department A
can access the Internet, whereas users in department B cannot.
Configuration Files
● RouterA configuration file
#
sysname RouterA
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
vrrp vrid 1 priority 120
vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return
#
ike peer vpn
undo version 2
pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 3.3.3.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 2.2.2.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 4.4.4.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
#
return
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 2
#
interface GigabitEthernet0/0/3
eth-trunk 3
#
interface GigabitEthernet0/0/4
eth-trunk 4
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 2
#
interface GigabitEthernet1/0/3
eth-trunk 3
#
interface GigabitEthernet1/0/4
eth-trunk 4
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return
Networking Requirements
Two firewalls in a campus branch set up a hot standby group that functions as the
egress gateway of the campus network and connects to the Internet, filtering the
service traffic that enters and leaves the campus network to ensure network
security. In addition, a router also functions as an egress gateway of the campus
network and connects to the headquarters through a private line. Two core
switches set up a CSS, which functions as the core of the campus network and as
the user gateway that allocates IP addresses to users. The specific service
requirements are as follows:
● Internal network users can access Internet resources but cannot play online
games or watch online videos.
● External network users are prohibited from accessing the internal network.
In this example, two aggregation switches set up a stack named AGG and connect
to the core switches, which set up a CSS named CORE. For details about the
networking below the core layer, see 3 Campus Network Connectivity
Deployment.
(Figure: the campus branch reaches the headquarters over a private line through the router; CORE, a CSS at the core layer, connects to the firewalls on GE1/1/1/0, GE2/1/1/0 and GE2/1/1/1, to the router on XGE2/6/0/1, and to AGG at the aggregation layer over Eth-Trunk 30, whose members GE1/2/0/0 and GE2/2/0/0 connect to GE1/0/1 and GE2/0/1 on AGG)
AR6300 V300R019C10
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
FWA | GE1/0/3 | - | - | 10.4.0.1/24
FWB | GE1/0/3 | - | - | 10.4.0.2/24
CORE | Eth-Trunk 20 | GE2/1/1/0, GE1/1/1/1 | - | -
(other member-interface cells of the table: GE1/0/2, GE1/0/2, GE2/0/0, GE2/1/1/1, GE2/2/0/0, XGE2/6/0/1, GE2/0/1)
Procedure
Step 1 Configure the CSS and MAD functions on core switches, and configure the
stacking function on aggregation switches. For details, see 3.4 Typical CSS and
Stack Deployment.
3. Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member
interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/1/1/0
[CORE-GigabitEthernet1/1/1/0] eth-trunk 10
[CORE-GigabitEthernet1/1/1/0] quit
[CORE] interface gigabitethernet 2/1/1/1
[CORE-GigabitEthernet2/1/1/1] eth-trunk 10
[CORE-GigabitEthernet2/1/1/1] quit
4. Configure AGG.
[FWB-Eth-Trunk1] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on the router.
[Router] interface loopback 0
[Router-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the router ID of the router.
[Router-LoopBack0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.7.0.1 24 //Configure an IP address for the interface connected to the Internet.
[Router-GigabitEthernet3/0/0] quit
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] ip address 10.8.0.254 24 //Configure an IP address for the interface connected to CORE.
[Router-Eth-Trunk40] quit
# Configure IP addresses for interfaces on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 20 40 50
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 20
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 20
[CORE-Eth-Trunk20] quit
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type trunk
[CORE-Eth-Trunk30] port trunk allow-pass vlan 40
[CORE-Eth-Trunk30] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type trunk
[CORE-Eth-Trunk40] port trunk pvid vlan 50
[CORE-Eth-Trunk40] port trunk allow-pass vlan 50
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif20] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 10.6.0.1 24 //Configure an IP address for the VLANIF interface connected to AGG.
[CORE-Vlanif40] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 10.8.0.1 24 //Configure an IP address for the VLANIF interface connected to the router.
[CORE-Vlanif50] quit
# Configure interfaces on AGG.
[AGG] vlan batch 40
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] port link-type trunk
2. Configure routing.
# Configure OSPF on FWA to advertise the network segments where
downlink interfaces belong.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
# Configure a default route on FWA and set the next hop to a public IP
address.
[FWA] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
# Configure a default route on FWB and set the next hop to a public IP
address.
[FWB] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
# On CORE, configure a default route with the next hop being the VRRP
virtual IP address of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
# Configure source NAT policies to allow internal network users using the IP
address 10.6.0.0/24 to access the Internet through post-NAT public IP addresses.
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 10.6.0.1 10.6.0.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone untrust
HRP_M[FWA-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
This function requires a license and dynamic installation of the corresponding component
package.
# Create an application behavior control file to prohibit HTTP and FTP operations
during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to prohibit
HTTP and FTP operations during working hours.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
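In both hot-standby examples, policy_sec_work is created after the general trust_to_untrust permit rule, and the configuration files list it in that order. The following added check (not code from the page or the product) models top-down, first-match evaluation of that rule list to show which rule an internal user's session actually hits during working hours, and what changes once policy_sec_work is evaluated first. The rule list follows the FWA configuration file; the first-match model with default deny, the weekday working-hours window and the timestamps are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed check of the security-policy rule list in the FWA configuration
# file. The firewall is modelled as matching rules top-down with the first
# match winning and a default action of deny; that model, the working-hours
# window and the timestamps are assumptions of this example, not page content.


def in_net(addr, cidr):
    """cidr None means 'any' (the rule has no source-address condition)."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# time-range working_hours: the page's file uses "period-range all"; a weekday
# 09:00-18:00 window is assumed here so the time condition can be exercised.
TIME_RANGES = {"working_hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 18}
WORK = datetime(2020, 6, 4, 10, 30)   # Thursday morning (inside working_hours)
OFF = datetime(2020, 6, 6, 10, 30)    # Saturday (outside working_hours)

# security-policy rules in the order they appear in the configuration file
SECURITY_POLICY = [
    {"name": "policy_dmz", "src_zone": {"local", "dmz"}, "dst_zone": {"local", "dmz"},
     "src": None, "time": None, "profile": None, "action": "permit"},
    {"name": "trust_to_untrust", "src_zone": {"trust"}, "dst_zone": {"isp1"},
     "src": "10.6.0.0/24", "time": None, "profile": None, "action": "permit"},
    {"name": "untrust_to_trust", "src_zone": {"isp1"}, "dst_zone": {"trust"},
     "src": None, "time": None, "profile": None, "action": "deny"},
    {"name": "policy_sec_work", "src_zone": {"trust"}, "dst_zone": {"isp1"},
     "src": None, "time": "working_hours", "profile": "profile_app_work",
     "action": "permit"},
]


def evaluate(policy, src_zone, dst_zone, src, when):
    """Return (rule name, action, app-control profile) of the first matching rule."""
    for rule in policy:
        if src_zone not in rule["src_zone"] or dst_zone not in rule["dst_zone"]:
            continue
        if not in_net(src, rule["src"]):
            continue
        if rule["time"] is not None and not TIME_RANGES[rule["time"]](when):
            continue
        return rule["name"], rule["action"], rule["profile"]
    return None, "deny", None   # no rule matched: default deny


def move_before(policy, name, target):
    """Reorder so that rule `name` is evaluated before rule `target`; this is
    the effect of moving a rule up in the firewall's security-policy view
    (the exact command is not on the page and is not assumed here)."""
    rules = [r for r in policy if r["name"] != name]
    moved = next(r for r in policy if r["name"] == name)
    idx = next(i for i, r in enumerate(rules) if r["name"] == target)
    return rules[:idx] + [moved] + rules[idx:]


if __name__ == "__main__":
    user = ("trust", "isp1", "10.6.0.10")   # internal user toward the Internet
    # As listed, trust_to_untrust permits the session first, so the
    # app-control profile on policy_sec_work is never applied.
    print("as configured, working hours:", evaluate(SECURITY_POLICY, *user, WORK))
    fixed = move_before(SECURITY_POLICY, "policy_sec_work", "trust_to_untrust")
    print("reordered, working hours    :", evaluate(fixed, *user, WORK))
    print("reordered, weekend          :", evaluate(fixed, *user, OFF))
    print("Internet host toward trust  :",
          evaluate(fixed, "isp1", "trust", "203.0.113.7", WORK))
```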
----End
Configuration Files
● FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
hrp mirror session enable
#
interface Eth-Trunk1
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 202.1.1.3 255.255.255.0 active
anti-ddos flow-statistic enable
gateway 202.1.1.254
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address range 10.6.0.1 10.6.0.127
action nat address-group addressgroup1
#
return
set priority 10
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range all
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 202.10.1.1 202.10.1.5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
source-address 10.6.0.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
destination-zone trust
action deny
rule name policy_sec_work
source-zone trust
destination-zone isp1
time-range working_hours
profile app-control profile_app_work
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address range 10.6.0.1 10.6.0.127
action nat address-group addressgroup1
#
return
#
interface Eth-Trunk40
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 50
mode lacp
#
interface GigabitEthernet1/1/1/0
eth-trunk 10
#
interface GigabitEthernet1/1/1/1
eth-trunk 20
#
interface GigabitEthernet1/2/0/0
eth-trunk 30
#
interface GigabitEthernet2/1/1/0
eth-trunk 20
#
interface GigabitEthernet2/1/1/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet2/2/0/0
eth-trunk 30
#
interface XGigabitEthernet1/6/0/1
eth-trunk 40
#
interface XGigabitEthernet2/6/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.0.0 0.0.0.255
network 10.5.0.0 0.0.0.255
network 10.6.0.0 0.0.0.255
network 10.8.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return
AC - AC6605 V200R019C10
AP - AP6050DN V200R019C00
# Enable the IGMP snooping function and the function of discarding unknown
multicast flows in a VLAN. IGMP snooping runs on a Layer 2 device and analyzes
IGMP messages exchanged between a Layer 3 device and hosts to create and
maintain a Layer 2 multicast forwarding table. Based on this table, the Layer 2
device forwards multicast packets at the data link layer.
<AC> system-view
[AC] wlan
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] igmp-snooping enable
[AC-wlan-traffic-prof-traff] quit
[AC-wlan-view] quit
[AC] vlan 10
[AC-vlan10] multicast drop-unknown
# Enable the function of converting ARP, ND, and DHCP packets to unicast
packets. This function is enabled by default. You are advised to retain the default
setting.
<AC> system-view
[AC] wlan
# Enable the function of suppressing ARP, ND, and DHCP packets. Broadcast or
multicast packets that failed to be converted to unicast packets are then discarded
on the air interface. This function is enabled by default. You are advised to retain
the default setting.
<AC> system-view
[AC] wlan
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] traffic-optimize bcmc unicast-send mismatch-action drop
Figure: agile distributed Wi-Fi topology. Switch GE0/0/24 uplinks to the central AP; Switch GE0/0/1 and GE0/0/2 connect to RU ru_1 and RU ru_2; PC1 and PC2 are attached through AP1 and AP2.
RU - R450D V200R019C00
Data Plan
AP group: ap-group1
RU names: ru_1, ru_2
Procedure
Step 1 Configure network connectivity and WLAN services on AP1 and AP2. For details,
see 3.5 Native AC Solution: Core Switches Function as the Gateway for Wired
and Wireless Users.
The following describes how to configure RUs and the access switch.
Step 2 Configure Switch to enable Layer 2 communication between the central AP and
RUs. If a Huawei switch is used, this configuration can be skipped as interfaces on
Huawei switches are added to VLAN 1 by default and can communicate at Layer
2. If a non-Huawei switch is used, perform the configuration to enable Layer 2
communication of uplink and downlink interfaces.
On the network between the central AP and RUs, service packets of STAs must be properly
forwarded. This example uses the tunnel forwarding mode. Therefore, you do not need to
configure packets in service VLANs to pass between the central AP and RUs. If the direct
forwarding mode is used, configure packets in the service VLANs to pass between the
central AP and RUs. The configuration varies depending on the central AP model as follows:
● For a gigabit central AP, such as AD9430DN-24, no configuration is required on Switch.
All packets from RUs are transmitted to the central AP through the MAC-IN-MAC
tunnel. Therefore, you only need to allow packets in the service VLANs to pass on the
central AP in the uplink direction.
● For a 10GE central AP, such as AD9431DN-24X, add the uplink and downlink
interfaces on Switch to the service VLANs. Service packets are forwarded in the
upstream direction of an RU. Therefore, packets in the service VLANs must be allowed
in the uplink direction of RUs.
Step 3 Configure names for the RUs and add them to the AP group.
<CORE> system-view
[CORE] wlan
[CORE-wlan-view] ap-id 3 ap-mac 00e0-fc00-1220
[CORE-wlan-ap-3] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-3] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-3] quit
[CORE-wlan-view] ap-id 4 ap-mac 00e0-fc00-1240
[CORE-wlan-ap-4] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-4] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-4] quit
Step 4 Run the display ap all command to check the RU state. If the State field is
displayed as nor, the RUs go online properly.
[AC-wlan-view] display ap all
Total AP information:
After STAs find and associate with the SSID, wireless users can access the agile
distributed Wi-Fi network.
----End
Configuration Files
# AC configuration file
#
ap-id 3 type-id 84 ap-mac 00e0-fc00-1220 ap-sn 21500826400000000208
ap-name ru_1
ap-group ap-group1
ap-id 4 type-id 84 ap-mac 00e0-fc00-1240 ap-sn 21500826400000000209
ap-name ru_2
ap-group ap-group1
#
return
AC - AC6605 V200R019C10
AP - AP6050DN V200R019C00
<AC> system-view
[AC] wlan
[AC-wlan-view] ssid-profile name ssid1
[AC-wlan-ssid-prof-ssid1] max-sta-number 128 //Set the maximum number of STAs on the SSID profile to
128.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-ssid1] association-timeout 1 //Reduce the association aging time of STAs. The
recommended value is 1 minute.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-ssid1] beacon-2g-rate 11 //Increase the rate at which Beacon frames are sent on the
2.4 GHz radio. The recommended rate is 11 Mbit/s.
[AC-wlan-ssid-prof-ssid1] quit
[AC-wlan-view] vap-profile name vap1
[AC-wlan-vap-prof-vap1] undo band-steer disable //Enable band steering so that APs steer STAs to the 5
GHz radio preferentially, reducing the load and interference on the 2.4 GHz radio.
[AC-wlan-vap-prof-vap1] quit
[AC-wlan-view] traffic-profile name traff
[AC-wlan-traffic-prof-traff] rate-limit client down 4000 //Limit the STA rate. For example, set the rate
limit for downstream packets of STAs to 4000 kbit/s.
[AC-wlan-traffic-prof-traff] rate-limit client up 4000 //Limit the STA rate. For example, set the rate limit
for upstream packets of STAs to 4000 kbit/s.
[AC-wlan-traffic-prof-traff] quit
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0 //Configure radio 0.
[AC-wlan-radio-0/0] calibrate auto-channel-select disable //Disable automatic channel selection.
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable //Disable automatic transmit power selection.
[AC-wlan-radio-0/0] channel 20mhz 1 //Adjust the AP channel to reduce interference between APs. It is
recommended that channels be configured in a staggered manner, such as 1, 9, 5, and 13. This example
configures channel 1 on radio 0 with 20 MHz bandwidth. The specific channel configuration is subject to
the network planning result.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127 //Set the AP transmit power. Lowering the power reduces interference between APs,
but the RSSI at the edge of the AP coverage area must remain greater than -65 dBm. The value is in dBm and 127
is the maximum the command accepts, so this example leaves radio 0 at the maximum power permitted for the
regulatory domain; the actual value is subject to the network planning result.
[AC-wlan-radio-0/0] quit
[AC-wlan-ap-0] radio 1 //Configure radio 1.
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 40mhz-plus 44
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] undo smart-roam disable //Enable smart roaming.
[AC-wlan-rrm-prof-rrm1] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-rrm1] smart-roam roam-threshold snr 15 //Set the SNR threshold to 15 dB.
[AC-wlan-rrm-prof-rrm1] airtime-fair-schedule enable // Enable airtime fair scheduling so that radio
channel resources are allocated to each user more properly.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-rrm1] dynamic-edca enable //Enable dynamic EDCA parameter adjustment. The
default value of the EDCA Best-Effort service threshold is recommended.
[AC-wlan-rrm-prof-rrm1] quit
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rts-cts-mode rts-cts //Set the RTS-CTS operation mode to rts-cts.
[AC-wlan-radio-2g-prof-radio2g] rts-cts-threshold 1400 //Set the RTS threshold to 1400 bytes.
[AC-wlan-radio-2g-prof-radio2g] beacon-interval 160 //Adjust the interval for sending Beacon frames. The
recommended interval is 160 TUs.
[AC-wlan-radio-2g-prof-radio2g] guard-interval-mode short //Set the GI mode to short to reduce extra
overheads and improve the transmission rate of APs.
[AC-wlan-radio-2g-prof-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54 //Modify the basic rate set. It
is recommended that low rates be removed from the basic rate set.
[AC-wlan-radio-2g-prof-radio2g] multicast-rate 11 //Configure the multicast rate. The default value is
recommended.
[AC-wlan-radio-2g-prof-radio2g] undo short-preamble disable //Enable the short preamble. If some STAs
on the network are equipped with outdated network adapters, disable this function.
[AC-wlan-radio-2g-prof-radio2g] quit
[AC-wlan-view] radio-5g-profile name radio5g
Configuration Files
# AC configuration file
#
wlan
traffic-profile name traff
rate-limit client up 4000
rate-limit client down 4000
ssid-profile name ssid1
association-timeout 1
max-sta-number 128
beacon-2g-rate 11
vap-profile name vap1
ssid-profile ssid1
traffic-profile traff
rrm-profile name rrm1
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
dynamic-edca enable
radio-2g-profile name radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
multicast-rate 11
rrm-profile rrm1
radio-5g-profile name radio5g
beacon-interval 160
multicast-rate 6
rrm-profile rrm1
ap-group name ap-group1
radio 0
radio-2g-profile radio2g
radio 1
radio-5g-profile radio5g
ap-id 0 type-id 30 ap-mac 00fc-e0a6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 1
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 44
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Figure: back-to-back WDS topology across Area A, Area B and Area C. AP3 (leaf) and AP4 (root) are wired to Switch_C through GE0/0/2 and GE0/0/1; AP5 (leaf) reaches AP4 over a WDS link.
AP - AP6050DN V200R019C00
Deployment Roadmap
Data Plan
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
Procedure
Step 1 Configure network connectivity and WLAN services on AP1. For details, see 3.5
Native AC Solution: Core Switches Function as the Gateway for Wired and
Wireless Users.
The following focuses on how to configure AP2, AP3, AP4, and AP5.
Step 2 Configure APs to go online on CORE.
# In the back-to-back WDS networking, create AP groups wds-root1 and wds-
root2 for root APs and AP groups wds-leaf1 and wds-leaf2 for leaf APs, and bind
the regulatory domain profile domain1 to the AP groups.
[CORE] wlan
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-root1] quit
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-root2] quit
[CORE-wlan-view] ap-group name wds-leaf1
[CORE-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-leaf1] quit
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-wds-leaf2] quit
# Add AP2 to the AP group wds-root1, AP4 to the AP group wds-root2, AP3 to
the AP group wds-leaf1, and AP5 to the AP group wds-leaf2.
[CORE] wlan
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[CORE-wlan-ap-2] ap-name AP2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-2] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-2] quit
[CORE-wlan-view] ap-id 3 ap-mac dcd2-fc04-b500
[CORE-wlan-ap-3] ap-name AP3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-3] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-3] quit
[CORE-wlan-view] ap-id 4 ap-mac dcd2-fcf6-76a0
[CORE-wlan-ap-4] ap-name AP4
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-4] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-4] quit
[CORE-wlan-view] ap-id 5 ap-mac 60de-4476-e360
[CORE-wlan-ap-5] ap-name AP5
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[CORE-wlan-ap-5] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
[CORE-wlan-ap-5] quit
# Configure radio parameters for WDS nodes. Radio 1 on the 5 GHz frequency
band is used as an example. The coverage distance parameter is 3 by default
(unit: 100 m); this example sets it to 4. Configure it based on the actual
distance between the APs at the site.
[CORE-wlan-view] ap-group name wds-root1
[CORE-wlan-ap-group-wds-root1] radio 1
[CORE-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157 //Configure the channel and bandwidth
for the WDS link, which must be the same on the two ends of the link.
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-root1/1] coverage distance 4 //Configure the radio coverage distance
parameter based on the actual distance between APs, based on which the APs adjust the values of
slottime, acktimeout, and ctstimeout.
[CORE-wlan-group-radio-wds-root1/1] quit
[CORE-wlan-ap-group-wds-root1] quit
[CORE-wlan-view] ap-group name wds-root2
[CORE-wlan-ap-group-wds-root2] radio 1
[CORE-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-root2/1] coverage distance 4
[CORE-wlan-group-radio-wds-root2/1] quit
[CORE-wlan-ap-group-wds-root2] quit
[CORE-wlan-view] ap-group name wds-leaf1
[CORE-wlan-ap-group-wds-leaf1] radio 1
[CORE-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-leaf1/1] coverage distance 4
[CORE-wlan-group-radio-wds-leaf1/1] quit
[CORE-wlan-ap-group-wds-leaf1] quit
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] radio 1
[CORE-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-wlan-group-radio-wds-leaf2/1] coverage distance 4
[CORE-wlan-group-radio-wds-leaf2/1] quit
[CORE-wlan-ap-group-wds-leaf2] quit
# Configure the security profile wds-sec referenced by WDS links. Configure the
security policy of WPA2+PSK+AES for this security profile. The pass-phrase
a1234567 is only a placeholder for this example: the PSK is the sole secret
protecting the backhaul that carries all leaf-AP traffic, so use a long random
pass-phrase in production.
[CORE-wlan-view] security-profile name wds-sec
[CORE-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[CORE-wlan-sec-prof-wds-sec] quit
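The security profile above puts the whole WDS backhaul behind one WPA2 pass-phrase. The following added example (not Huawei code, not part of this document) derives the PMK the way WPA2-PSK does for an ordinary BSS and then runs the offline dictionary check that a captured handshake enables. Assumptions: the salt is the SSID, as IEEE 802.11 specifies for a BSS; which string a WDS link uses as salt is not stated on the page and is irrelevant to the argument because the salt is public. The word list and the "captured" PMK are constructed; a real attack confirms a candidate by recomputing the handshake MIC rather than comparing PMKs directly, which costs the same PBKDF2 work per guess.

```python
"""WPA2-PSK key derivation and the offline guess it enables. Added example,
not Huawei code. Salt = SSID as for a BSS (assumption for a WDS link); the
word list and the target PMK are constructed."""
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_recover(target_pmk, ssid, candidates):
    """Return the first candidate whose PMK matches target_pmk, else None.
    Simplification: a real attacker confirms a guess against the 4-way
    handshake MIC; the per-guess cost (one PBKDF2 run) is the same."""
    for guess in candidates:
        if hmac.compare_digest(derive_pmk(guess, ssid), target_pmk):
            return guess
    return None


# IEEE 802.11 Annex test vector: passphrase "password", SSID "IEEE"
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Constructed stand-in for the first lines of a real word list
CONSTRUCTED_WORDLIST = ["12345678", "password", "huawei123", "a1234567", "admin@123"]

if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK
    # Constructed: the PMK an attacker would be testing candidates against
    weak = derive_pmk("a1234567", "wds-net")
    print("weak pass-phrase recovered:", dictionary_recover(weak, "wds-net", CONSTRUCTED_WORDLIST))
    strong = derive_pmk("7rQv-Lm2x-pN9d-Wk4s-Zb8c", "wds-net")
    print("strong pass-phrase recovered:", dictionary_recover(strong, "wds-net", CONSTRUCTED_WORDLIST))
```

The 4096 PBKDF2 iterations are the only cost per guess, and that cost is fixed by the standard, so pass-phrase length and randomness are the only levers the operator controls.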
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS
mode to root. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net1
[CORE-wlan-wds-prof-wds-net1] wds-name wds-net //Only APs with the same WDS name can set up
WDS links with each other.
[CORE-wlan-wds-prof-wds-net1] wds-mode root
[CORE-wlan-wds-prof-wds-net1] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net1] vlan tagged 40
[CORE-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS
mode to root. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net2
[CORE-wlan-wds-prof-wds-net2] wds-name wds-net
[CORE-wlan-wds-prof-wds-net2] wds-mode root
[CORE-wlan-wds-prof-wds-net2] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net2] vlan tagged 40
[CORE-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS
mode to leaf. Bind the WDS profile to the security profile wds-sec and allow
packets from service VLAN 40 to pass through in tagged mode.
[CORE-wlan-view] wds-profile name wds-net3
[CORE-wlan-wds-prof-wds-net3] wds-name wds-net
[CORE-wlan-wds-prof-wds-net3] wds-mode leaf
[CORE-wlan-wds-prof-wds-net3] security-profile wds-sec
[CORE-wlan-wds-prof-wds-net3] vlan tagged 40
[CORE-wlan-wds-prof-wds-net3] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow
packets from the service VLAN to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 40
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 40
[Switch_C-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/1] stp edged-port enable
[Switch_C-GigabitEthernet0/0/1] port-isolate enable
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[Switch_C-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/2] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection. For user access
authentication modes, see 6 Wired and Wireless User Access Authentication
Deployment.
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode direct
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit
The prerequisites for running the ip source check user-bind enable command are as
follows:
As the IP packet check is based on the binding table:
● For DHCP users, DHCP snooping on the device has been enabled to automatically
generate dynamic binding entries.
● For users using static IP addresses, static binding entries have been manually configured.
The prerequisites for running the learn-client-address dhcp-strict command are as
follows:
● The DHCP trusted interface configured on an AP has been disabled using the undo
dhcp trust port command in the VAP profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command.
# Bind the VAP profile to the AP group wds-leaf2 to use the 2.4 GHz radio for
WLAN coverage.
[CORE-wlan-view] ap-group name wds-leaf2
[CORE-wlan-ap-group-wds-leaf2] vap-profile vap2 wlan 2 radio 0
[CORE-wlan-ap-group-wds-leaf2] quit
[CORE-wlan-view] quit
----End
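The Deployment Precautions above (no VLAN 1 as a service VLAN, no trunk passing all VLANs, management VLAN separate from the service VLAN in tunnel forwarding mode) and the VAP hardening in the last step (IPSG, dynamic ARP inspection, strict DHCP address learning) are all visible in a saved configuration, so they can be checked mechanically. The following added example (not Huawei tooling, not part of this document) parses a VRP-style configuration dump and reports deviations, including a pass-phrase left in plaintext. Assumptions: the management VLAN is the VLANIF named by `capwap source interface vlanif N`; the sample dump is constructed.

```python
"""Audit a Huawei VRP-style configuration dump against the deployment precautions
above (no VLAN 1 as a service VLAN, no trunk passing all VLANs, management VLAN
distinct from the service VLAN in tunnel forwarding mode) and the per-VAP hardening
commands (IPSG, DAI, strict DHCP address learning). Added example, not Huawei tooling;
the sample dump is constructed. Assumption: 'capwap source interface vlanif N' names the management VLAN."""
import re

CIPHERTEXT_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")
VAP_HARDENING = ("ip source check user-bind enable", "arp anti-attack check user-bind enable",
                 "learn-client-address dhcp-strict")

def parse_sections(text):
    """Split the dump at '#'/'return' lines into (header, body_lines); indentation is ignored."""
    sections, current = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "#", "return"):
            if current:
                sections.append((current[0], current[1:]))
            current = []
        else:
            current.append(line)
    if current:
        sections.append((current[0], current[1:]))
    return sections

def wlan_profiles(body):
    """Group the lines of a 'wlan' section by '<kind> name <name>' sub-block."""
    profiles, key = {}, None
    for line in body:
        m = re.match(r"^(\S+-profile|ap-group) name (\S+)$", line)
        if m:
            key = (m.group(1), m.group(2))
            profiles[key] = []
        elif key is not None:
            profiles[key].append(line)
    return profiles

def first_match(pattern, lines):
    return next((m.group(1) for l in lines if (m := re.match(pattern, l))), None)

def is_ciphertext(value):
    # VRP wraps stored secrets in one of these marker pairs
    return any(value.startswith(w) and value.endswith(w) for w in CIPHERTEXT_MARKERS)

def audit(text):
    """Return (subject, finding) tuples; an empty list means nothing to fix."""
    sections = parse_sections(text)
    mgmt_vlan = first_match(r"capwap source interface vlanif (\d+)$", [l for h, b in sections for l in [h] + b])
    findings = []
    for header, body in sections:
        if header.startswith("interface ") and "port link-type trunk" in body:
            if "port trunk allow-pass vlan all" in body:
                findings.append((header, "trunk passes all VLANs; list only the VLANs the link needs"))
            if "undo port trunk allow-pass vlan 1" not in body:
                findings.append((header, "trunk still passes VLAN 1 (VRP default); add 'undo port trunk allow-pass vlan 1'"))
        if header != "wlan":
            continue
        for (kind, name), lines in wlan_profiles(body).items():
            subject = f"{kind} {name}"
            if kind == "vap-profile":
                svlan = first_match(r"service-vlan vlan-id (\d+)$", lines)
                if svlan == "1":
                    findings.append((subject, "VLAN 1 used as service VLAN"))
                if "forward-mode tunnel" in lines and svlan is not None and svlan == mgmt_vlan:
                    findings.append((subject, f"tunnel forwarding with service VLAN {svlan} equal to the management VLAN (MAC address flapping)"))
                for cmd in VAP_HARDENING:
                    if cmd not in lines:
                        findings.append((subject, f"missing '{cmd}'"))
            elif kind == "security-profile":
                pp = first_match(r"security (?:wpa|wpa2|wpa-wpa2) psk pass-phrase (.+) (?:aes|tkip|aes-tkip)$", lines)
                if pp is not None and not is_ciphertext(pp):
                    findings.append((subject, f"plaintext {len(pp)}-character pass-phrase in the dump; keep secrets as ciphertext and use a long random pass-phrase"))
    return findings

# Constructed dump: one bad trunk, one plaintext PSK, one VAP that breaks the tunnel-mode rule
SAMPLE_CONFIG = """\
capwap source interface vlanif 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
#
wlan
 security-profile name sec-weak
  security wpa2 psk pass-phrase a1234567 aes
 vap-profile name vap-bad
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name vap-good
  service-vlan vlan-id 40
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
#
"""

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

Run it against the output of `display current-configuration` pasted into a file; the parser keys on the `#` separators VRP emits, so indentation lost in transit does not matter.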
# Run the display wlan wds link all command to check information about the
WDS links.
[CORE-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP2 AP3 1 3 157 root normal -44 -40 0 3 50 45/49/-
# After a wireless user connects to AP5, you can view information about the
wireless user on the AC.
[CORE-wlan-view] display station ssid test02
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
20ab-3720-e34a 5 AP5 0/2 2.4G 11n 117/115 -71 40 172.16.40.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
Configuration Files
# AC configuration file
#
wlan
traffic-profile name traff2
user-isolate l2
security-profile name sec2
security-profile name wds-sec
security wpa2 psk pass-phrase %^%#"G$t160(|>N&R$"<Z@6:\VY@T(}}]BJpHqK95`T6%^%# aes
ssid-profile name ssid2
ssid test02
vap-profile name vap2
service-vlan vlan-id 40
ssid-profile ssid2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 40
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 40
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 40
wds-name wds-net
regulatory-domain-profile name domain1
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
regulatory-domain-profile domain1
radio 0
vap-profile vap2 wlan 2
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 2 ap-mac 60de-4474-9640
ap-name AP2
ap-group wds-root1
ap-id 3 ap-mac dcd2-fc04-b500
ap-name AP3
ap-group wds-leaf1
ap-id 4 ap-mac dcd2-fcf6-76a0
ap-name AP4
ap-group wds-root2
ap-id 5 ap-mac 60de-4476-e360
ap-name AP5
ap-group wds-leaf2
provision-ap
#
return
● Authentication point location: The devices that function as user gateways are
typically configured as authentication points. As described in 3 Campus
Network Connectivity Deployment, when the native AC solution is used, you
are advised to deploy a switch that supports the native AC function as the
gateway for both wired and wireless users. When the standalone AC or ACU2
solution is used, you can deploy both wired and wireless gateways on a
switch, or deploy the wired gateway on a switch and the wireless gateway on
a standalone AC or an ACU2. In the examples where the standalone AC
solution is used, the gateway and authentication point for wireless users are
both deployed on a standalone AC or an ACU2.
● Policy-based control solutions: include Network Admission Control (NAC), free
mobility, and policy association. In the policy association solution, aggregation
or core switches are typically deployed as authentication points and access
switches as access points. This solution prevents users connected to the same
access device from communicating with each other before they are
authenticated, and allows administrators to easily obtain online user
information such as the interfaces on which users go online and the VLANs to
which users belong. A standalone AC or an ACU2 does not support the free
mobility solution for wireless users.
● In the following examples, Agile Controller-Campus functions as both the
access authentication server and user data source server.
User access authentication aims to implement user authentication and policy-
based control, which involves the following key nodes:
● Authentication point: a device or node responsible for user access
authentication.
● Access point: a device or node that determines whether a terminal is allowed
to access the network.
● Group policy enforcement point: a device or node that executes group policies
used in free mobility.
Figure 6-1 shows the positions of authentication points and access points when
core switches function as the authentication points for wired and wireless users.
Figure 6-1: server zone (including RADIUS and DNS servers) attached to the core layer (CORE, a CSS); aggregation layer AGG1 and AGG2; the figure labels the authentication point and the access point.
● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.
Figure 6-2 Core switches functioning as the authentication point for wired and
wireless users
Figure 6-2: server zone (including RADIUS and DNS servers) attached to CORE, a CSS at the core layer (member interfaces include XGE1/1/0/1, XGE1/2/0/1 and XGE2/1/0/1; Eth-Trunk 10 and Eth-Trunk 20 run to the aggregation layer); the figure labels the authentication point, the access point and the group policy enforcement point.
Aggregation layer - S5731-H
Access layer - S5735-L
AP - AP6050DN V200R019C00
Deployment Roadmap
Data Plan
AP group: ap-group1
Accounts Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123
Deployment Precautions
● Free mobility is supported only in NAC unified mode.
● In this example, Agile Controller-Campus runs V100R003C50.
For details about other precautions, see "Licensing Requirements and Limitations for Free
Mobility" in the Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip
to the IP address of VLANIF 1000.
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
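The commands above are needed because 802.1X EAPOL frames are addressed to 01-80-c2-00-00-03, a reserved address that an 802.1D bridge must not forward: when the authenticator is CORE rather than the access switch the supplicant is plugged into, ACC1 has to carry those frames across. The following added example (not Huawei code, not part of this document) models what Layer 2 protocol tunnelling does to such a frame: the configured group MAC replaces the protocol MAC on the tunnelling port, the frame is then forwarded like ordinary multicast, and the far end of the tunnel restores the protocol MAC. Assumptions: the page's command names only a protocol-mac, so matching here is on that destination MAC alone; the `bpdu enable` step is not modelled; the frames are constructed, with the STA MAC taken from the access-user output further down.

```python
"""Model of the 802.1X Layer 2 protocol tunnel configured on ACC1. Added
example, not Huawei code; frames are constructed. Matching is on the
protocol MAC alone, as the page's command specifies no encapsulation type."""
import struct

PROTOCOL_MAC = bytes.fromhex("0180c2000003")  # protocol-mac from the page
GROUP_MAC = bytes.fromhex("010000000002")     # group-mac from the page
ETH_P_EAPOL = 0x888E
ETH_HDR = struct.Struct("!6s6sH")


def mac_str(mac):
    """Render a MAC in the xxxx-xxxx-xxxx form VRP uses."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_eth(frame):
    dst, src, etype = ETH_HDR.unpack(frame[:14])
    return dst, src, etype, frame[14:]


def build_eapol_start(src_mac):
    """EAPOL-Start: protocol version 2, packet type 1, body length 0."""
    return ETH_HDR.pack(PROTOCOL_MAC, src_mac, ETH_P_EAPOL) + struct.pack("!BBH", 2, 1, 0)


def bridge_would_forward(frame):
    """802.1D bridges never forward 01-80-c2-00-00-00 .. 0f; anything else
    is flooded or switched on the MAC table."""
    dst = frame[:6]
    return not (dst[:5] == PROTOCOL_MAC[:5] and dst[5] <= 0x0F)


def tunnel_ingress(frame):
    """Port with 'l2protocol-tunnel user-defined-protocol 802.1x enable':
    swap the protocol MAC for the group MAC so the frame can be forwarded."""
    dst, src, etype, payload = parse_eth(frame)
    if dst == PROTOCOL_MAC:
        return ETH_HDR.pack(GROUP_MAC, src, etype) + payload
    return frame


def tunnel_egress(frame):
    """Far end of the tunnel: put the protocol MAC back so the
    authenticator's 802.1X code recognises the frame."""
    dst, src, etype, payload = parse_eth(frame)
    if dst == GROUP_MAC:
        return ETH_HDR.pack(PROTOCOL_MAC, src, etype) + payload
    return frame


def trace(frame):
    """Follow one frame: supplicant -> ACC1 downlink -> uplink -> authenticator.
    Returns (stage, destination MAC, would a plain bridge forward it)."""
    inbound = tunnel_ingress(frame)
    restored = tunnel_egress(inbound)
    return [("at supplicant", mac_str(frame[:6]), bridge_would_forward(frame)),
            ("inside tunnel", mac_str(inbound[:6]), bridge_would_forward(inbound)),
            ("at authenticator", mac_str(restored[:6]), bridge_would_forward(restored))]


if __name__ == "__main__":
    sta = bytes.fromhex("dc729b7e70a2")  # STA MAC from the access-user output
    for stage, dst, forwardable in trace(build_eapol_start(sta)):
        print(f"{stage:17s} dst={dst}  {'bridge forwards' if forwardable else 'bridge filters'}")
```

The middle row is the whole point of the configuration: without the rewrite the frame is filtered at ACC1 and the supplicant never reaches CORE; with it the frame crosses Eth-Trunk 30 as ordinary multicast and is restored before the authenticator sees it.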
Name: CORE
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.
c. Click OK, select CORE, and click Synchronize. The communication status
of the switch changes to normal, and the synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 2
Controller protocol version: 2
3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. According to the
following table, bind employees to employee_group and click OK. Then bind
guests to guest_group and click OK.
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
1
2
--------------------------------------------------------------------------------
Total : 2
----End
[CORE] display access-user username user1 detail
Basic:
  User ID                        : 49523
  User name                      : user1
  Domain-name                    : huawei.com
  User MAC                       : dc72-9b7e-70a2
  User IP address                : 172.16.30.133
  User vpn-instance              : -
  User IPv6 address              : -
  User access Interface          : Wlan-Dbss5111
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/30
  User vlan source               : user request
  User access time               : 2019/08/08 08:45:00
  User accounting session ID     : CORE00220000000030aa****0104173
  User access type               : 802.1x
  AP name                        : area_2
  Radio ID                       : 1
  AP MAC                         : 4cfa-cafe-e060
  SSID                           : test01
  Online time                    : 43(s)
  Dynamic group index(Effective) : 1
  Service Scheme Priority        : 0
AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
------------------------------------------------------------------------------
Basic:
  User ID                        : 115814
  User name                      : user1
  Domain-name                    : huawei.com
  User MAC                       : 001b-21c4-820f
  User IP address                : 172.16.60.133
  User vpn-instance              : -
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address   : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk20
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/60
  User vlan source               : user request
  User access time               : 2019/08/08 08:12:29
  User accounting session ID     : CORE002200000000604e****0304466
  User access type               : 802.1x
  Terminal Device Type           : Data Terminal
  Dynamic group index(Effective) : 1
AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
------------------------------------------------------------------------------
Total: 2, printed: 2
[CORE] display access-user username user2 detail
Basic:
  User ID                        : 52993
  User name                      : user2
  Domain-name                    : huawei.com
  User MAC                       : dc72-9b7e-70a2
  User IP address                : 172.16.40.9
  User vpn-instance              : -
  User IPv6 address              : -
  User access Interface          : Wlan-Dbss5112
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/40
  User vlan source               : user request
  User access time               : 2019/08/08 08:57:47
  User accounting session ID     : CORE0022000000004005****0104f01
  User access type               : WEB
  AP name                        : area_2
  Radio ID                       : 1
  AP MAC                         : 4cfa-cafe-e060
  SSID                           : test02
  Online time                    : 23(s)
  Web-server IP address          : 192.168.100.10
  Dynamic group index(Effective) : 2
  Service Scheme Priority        : 0
AAA:
  User authentication type       : WEB authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
● Choose Resource > User > Online User Management on Agile Controller-
Campus to check the user login information and the security groups to which
users belong.
● Verify that you can access the mail and video servers using the employee
account after passing 802.1X authentication, no matter where the terminals
are located.
Verify that you can access only the video server using the guest account after
passing MAC address-prioritized Portal authentication, no matter where the
terminal is located.
Verify that the employee and guest can communicate with each other.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
ucl-group 1
ucl-group 2
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
eth-trunk 10
#
return
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Policy association is deployed between core switches and access switches. The
core switches function as control devices to centrally authenticate users and
manage user access policies, and access devices only need to execute user
access policies. This function not only controls network access rights of users,
but also simplifies the configuration and management of access devices.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
Figure 6-13 Core switches functioning as the authentication point for wired and
wireless users
(Figure not reproduced. Labels recoverable from it: AGG1 and AGG2 uplink on
XGE0/0/1 and XGE1/0/1; AGG1 connects to ACC1 over Eth-Trunk 30 (GE0/0/3 and
GE1/0/3 on AGG1, GE0/0/1 and GE0/0/2 on ACC1) and AGG2 connects to ACC2 over
Eth-Trunk 40 in the same way; ACC1 and ACC2 serve users and APs on GE0/0/3 and
GE0/0/4. Legend: the core switches are the authentication point and the access
switches are the access points. Models: aggregation layer S5731-H, access layer
S5735-L, AP AP6050DN V200R019C00.)
Deployment Roadmap
(Roadmap table not reproduced.)
Data Plan
● AP group: ap-group1
● Accounts:
  Employee: user name user1, password Huawei@123
  Guest: user name user2, password Guest@123
Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R003C50 functions
as the Portal server and RADIUS server.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● For details about the devices that can function as control and access devices
in a policy association scenario and other precautions, see "Licensing
Requirements and Limitations for Policy Association" in S12700 Series Agile
Switches Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server and CAPWAP management network segment to pass through. Note that free-rule 1
is written with mask 24, so it opens the whole 192.168.11.0/24 server segment, not just
the DNS server at 192.168.11.2, to users who have not yet authenticated; if only DNS
needs to be reachable before authentication, use a host mask (255.255.255.255) instead.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 24
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit
Step 4 Configure the policy association function on core and access switches.
# Configure Eth-Trunk 10 and Eth-Trunk 20 on CORE as control points.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication control-point
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication control-point
[CORE-Eth-Trunk20] quit
# Configure ACLs and ACL rules for user authorization on CORE. Specifically,
configure ACL 3001 and ACL 3002 to control the network access rights of
employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
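The ACLs that implement this split are listed in the CORE configuration file further down: ACL 3001 permits 172.16.3.0/24 and the service server 192.168.11.3, ACL 3002 permits only 172.16.3.0/24, and both end in an explicit deny ip. The following Python script is an added example, not part of Huawei's documentation: it parses those two ACLs in the switch's own text form and evaluates a destination address against them the way the switch does (wildcard mask, first matching rule by ascending rule ID), so you can confirm before deployment that a guest authorized with ACL 3002 cannot reach the service server while an employee with ACL 3001 can. The ACL text is copied from the configuration file; the destination addresses in audit() are constructed test values.

```python
import ipaddress
import re

# ACL text copied from the CORE configuration file on this page: 3001 is delivered to
# employees, 3002 to guests. Only "rule N permit|deny ip [destination A WILDCARD]" is handled.
ACL_TEXT = """
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")
ALL_ONES = 0xFFFFFFFF


def _addr(text):
    """Huawei writes a host wildcard as a bare '0'; everything else is a dotted quad."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, dest, wildcard), ...]} with ints for addresses."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule_id, action, dest, wildcard = m.groups()
            if dest is None:  # "deny ip" / "permit ip" with no destination matches everything
                dest_i, wc_i = 0, ALL_ONES
            else:
                dest_i, wc_i = _addr(dest), _addr(wildcard)
            acls[current].append((int(rule_id), action, dest_i, wc_i))
    return acls


def evaluate(rules, dst_ip):
    """First match by ascending rule ID, as the switch applies it. A wildcard bit of 1 means
    'don't care', so the comparison masks with the inverted wildcard. Returns (action, rule_id);
    (None, None) means no rule matched, which the page's ACLs avoid by ending in 'deny ip'."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for rule_id, action, dest_i, wc_i in sorted(rules):
        mask = ~wc_i & ALL_ONES
        if dst & mask == dest_i & mask:
            return action, rule_id
    return None, None


def reachable(acls, acl_number, dst_ip):
    """True if a user authorized with acl_number is permitted to send to dst_ip."""
    action, _ = evaluate(acls[acl_number], dst_ip)
    return action == "permit"


def audit(acls):
    """Check the access split this example intends: employees (3001) reach the Internet
    segment and the service server, guests (3002) reach only the Internet segment.
    The destination hosts are constructed test addresses inside the page's subnets."""
    return {
        "employee->internet": reachable(acls, 3001, "172.16.3.77"),
        "employee->service-server": reachable(acls, 3001, "192.168.11.3"),
        "guest->internet": reachable(acls, 3002, "172.16.3.77"),
        "guest->service-server": reachable(acls, 3002, "192.168.11.3"),
        "guest->employee-subnet": reachable(acls, 3002, "172.16.60.133"),
    }


if __name__ == "__main__":
    for name, ok in audit(parse_acls(ACL_TEXT)).items():
        print(f"{name:26s} {'permit' if ok else 'deny'}")
```

Run it against the ACL block pasted from `display current-configuration` before delivering the ACL numbers to Agile Controller-Campus; a rule added later without a trailing deny, or a typo in a wildcard, shows up here as an unexpected permit.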
# Configure the source interface for establishing a CAPWAP tunnel on each access
switch. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on CORE
# Enable access switches to allow packets destined for the DNS server to pass
through. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.2 mask 24
[ACC1-free-rule-default_free_rule] quit
Step 5 On CORE, configure 802.1X authentication for employees and MAC address-
prioritized Portal authentication for guests.
Configure 802.1X authentication for employees.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
Step 6 Configure 802.1X authentication for employees on access switches. The following
uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
If you log in to Agile Controller-Campus for the first time, use the super
administrator user name admin and password Changeme123. Change the
password immediately after the first login. Otherwise, Agile Controller-
Campus cannot be used.
2. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters.
Name: CORE
3. Create user groups and accounts. The following describes how to configure
the user group employee. The configuration of the user group guest is
similar.
b. Click in the operation area on the left, and create the user group
employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group employee.
----End
Guest authentication:
● A guest can use a mobile terminal to associate with the SSID test02, enter
  http://192.168.11.1:8080/portal in the address box of a browser, and enter the
  user name and password on the redirection page to complete Portal
  authentication and access the Wi-Fi network.
  After disconnecting from the Wi-Fi network, the guest can access the Internet
  again by associating with the SSID test02, without the need to enter the user
  name and password.
● After the guest is authenticated, you can run the display access-user username
  user2 detail command on CORE to check the online, authentication, and
  authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to
  check RADIUS authentication logs of the guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
  User ID                        : 115871
  User name                      : user1                 //User name
  Domain-name                    : huawei.com            //Authentication domain
  User MAC                       : 001b-21c4-820f
  User IP address                : 172.16.50.161
  User vpn-instance              : -
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address   : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk10           //Interface on which the user goes online
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/50
  User vlan source               : user request
  User access time               : 2019/08/13 10:02:31
  User accounting session ID     : CORE00210000000050ab****030449f
  User access type               : 802.1x                //User access type
  AS ID                          : 0                     //ID of the access device
  AS name                        : acc1                  //Name of the access device
  AS IP                          : 192.168.20.56         //IP address of the access device
  AS MAC                         : 000b-099d-eb3b        //MAC address of the access device
  AS Interface                   : GigabitEthernet0/0/2  //Access point
  Terminal Device Type           : Data Terminal
  Dynamic ACL ID(Effective)      : 3001                  //Authorization ACL
  Dynamic service scheme         : test                  //Service scheme
AAA:
  User authentication type       : 802.1x authentication //Authentication mode
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
free-rule 2 source vlan 20
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.11.1:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication control-point
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication control-point
authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
return
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
Figure 6-24 Core switches functioning as the authentication point for wired and
wireless users
(Figure not reproduced. Labels recoverable from it: the server zone, including the
RADIUS and DNS servers, attaches to the CORE CSS on XGE1/2/0/1; CORE connects to
AGG1 over Eth-Trunk 10 (XGE1/1/0/1 and XGE2/1/0/2) and to AGG2 over Eth-Trunk 20
(XGE1/1/0/2 and XGE2/1/0/1). The legend marks the authentication point and the
access points. Models: aggregation layer S5731-H, access layer S5735-L, AP
AP6050DN V200R019C00.)
Deployment Roadmap
(Roadmap table not reproduced.)
Data Plan
● AP group: ap-group1
● Accounts:
  Employee: user name user1, password Huawei@123
  Guest: user name user2, password Guest@123
Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R001 functions as
the Portal server and RADIUS server. In addition to V100R001, Agile
Controller-Campus can also run V100R002 or V100R003.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
For other precautions, see "Licensing Requirements and Limitations for NAC Unified Mode"
in the S12700 Series Agile Switches Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
<CSS> system-view
[CSS] sysname CORE
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty. This is a fail-open
design: while the authentication server is unreachable, users on the interface are
authorized with the service scheme's ACL without being authenticated by the server,
and the authen-server-up action re-authen event in the configuration file
re-authenticates them once the server is reachable again.
[CORE] aaa
[CORE-aaa] service-scheme s1 //Configure service scheme s1 for authorization of employees if Agile Controller-Campus is faulty.
[CORE-aaa-service-s1] acl-id 3001
[CORE-aaa-service-s1] quit
[CORE-aaa] service-scheme s2 //Configure service scheme s2 for authorization of guests if Agile Controller-Campus is faulty.
[CORE-aaa-service-s2] acl-id 3002
[CORE-aaa-service-s2] quit
[CORE-aaa] quit
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
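What these l2protocol-tunnel commands do at the frame level, as an added example that is not Huawei's code: EAPOL frames carry the reserved destination MAC 0180-c200-0003, which 802.1D bridges consume rather than forward, so a Layer 2 switch between the supplicant and the authenticator would swallow them. The protocol-mac/group-mac definition tells the access switch to rewrite that destination to the ordinary multicast address 0100-0000-0002 where the frame enters the tunnel and back to the reserved address where it leaves. The Python below models only that destination-MAC rewrite on raw Ethernet frames, handling an optional single 802.1Q tag; the EAPOL-Start frame it builds is constructed sample data, and the supplicant MAC is user1's MAC from the page.

```python
import struct

PROTOCOL_MAC = bytes.fromhex("0180c2000003")  # reserved EAPOL (802.1X PAE) group address
GROUP_MAC = bytes.fromhex("010000000002")     # group MAC from the page's l2protocol-tunnel command
ETH_P_PAE = 0x888E                            # EAPOL EtherType
ETH_P_8021Q = 0x8100                          # 802.1Q tag EtherType


def split_header(frame):
    """Return (dst, src, ethertype) for an untagged or single-tagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return dst, src, ethertype


def _rewrite_dst(frame, match, replacement):
    """Swap the destination MAC of an EAPOL frame; anything else passes through untouched."""
    dst, _, ethertype = split_header(frame)
    if dst == match and ethertype == ETH_P_PAE:
        return replacement + frame[6:]  # only the first six bytes change; tag and payload stay
    return frame


def tunnel_ingress(frame):
    """Port where the EAPOL frame enters the tunnel: reserved MAC -> group MAC, so
    intermediate switches flood it like ordinary multicast instead of consuming it."""
    return _rewrite_dst(frame, PROTOCOL_MAC, GROUP_MAC)


def tunnel_egress(frame):
    """Port where the frame leaves the tunnel: group MAC -> reserved MAC, so the
    authenticator sees a standard EAPOL frame."""
    return _rewrite_dst(frame, GROUP_MAC, PROTOCOL_MAC)


def build_eapol_start(src_mac, vlan=None):
    """Constructed EAPOL-Start frame: protocol version 2, packet type 1 (Start), body length 0."""
    eapol = struct.pack("!BBH", 2, 1, 0)
    if vlan is None:
        return PROTOCOL_MAC + src_mac + struct.pack("!H", ETH_P_PAE) + eapol
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return PROTOCOL_MAC + src_mac + tag + struct.pack("!H", ETH_P_PAE) + eapol


if __name__ == "__main__":
    supplicant = bytes.fromhex("001b21c4820f")  # user1's MAC from the page
    frame = build_eapol_start(supplicant)
    tunnelled = tunnel_ingress(frame)
    print("in tunnel:", tunnelled[:6].hex(), "restored:", tunnel_egress(tunnelled) == frame)
```

The model makes the failure mode in the Deployment Precautions concrete: if any switch on the path lacks the tunnel configuration, the frame arrives with the reserved MAC, that switch drops it as a bridge-reserved address, and the supplicant never gets an EAP-Request.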
Name: CORE
2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.
b. Click in the operation area on the left, and create the user group
Employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.
----End
Guest authentication:
● A guest can use a mobile terminal to associate with the SSID test02, enter
  http://192.168.11.1:8080/portal in the address box of a browser, and enter the
  user name and password on the redirection page to complete Portal
  authentication and access the Wi-Fi network.
  After disconnecting from the Wi-Fi network, the guest can access the Internet
  again by associating with the SSID test02, without the need to enter the user
  name and password.
● After the guest is authenticated, you can run the display access-user username
  user2 detail command on CORE to check the online, authentication, and
  authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to
  check RADIUS authentication logs of the guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
  User ID                        : 118293
  User name                      : user1                 //User name
  Domain-name                    : huawei.com            //Authentication domain
  User MAC                       : 001b-21c4-820f
  User IP address                : 172.16.60.133
  User vpn-instance              : -
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address   : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk20           //Interface on which the user goes online
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/60
  User vlan source               : user request
  User access time               : 2019/08/05 03:15:16
  User accounting session ID     : CORE00220000000060ad****0304e15
  User access type               : 802.1x                //User access type
  Terminal Device Type           : Data Terminal
  Dynamic ACL ID(Effective)      : 3001                  //Authorization information
AAA:
  User authentication type       : 802.1x authentication //Authentication mode
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
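Checking one user by eye is fine for a lab; for a whole campus you want the same check scripted. The following Python script is an added example, not part of Huawei's documentation, and serves both this display output and the earlier ones on this page: it parses the "Key : value //comment" layout of display access-user ... detail into one record per user and flags users whose effective ACL does not match the one their access type should get. The sample output embeds the page's user1 record and a constructed second record for a Portal guest that wrongly received ACL 3001; the mapping 802.1x -> 3001 and WEB -> 3002 is this example's assumption, taken from the service schemes s1 and s2 on this page.

```python
import re

# First record copied from the page's "display access-user username user1 detail" output;
# the second is a constructed Portal guest that was wrongly authorized with ACL 3001.
SAMPLE_OUTPUT = """\
[CORE] display access-user username user1 detail
Basic:
  User ID                         : 118293
  User name                       : user1 //User name
  Domain-name                     : huawei.com //Authentication domain
  User MAC                        : 001b-21c4-820f
  User IP address                 : 172.16.60.133
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk20 //Interface on which the user goes online
  QinQVlan/UserVlan               : 0/60
  User access type                : 802.1x //User access type
  Dynamic ACL ID(Effective)       : 3001 //Authorization information
AAA:
  User authentication type        : 802.1x authentication //Authentication mode
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
------------------------------------------------------------------------------
Basic:
  User ID                         : 52993
  User name                       : user2
  Domain-name                     : huawei.com
  User IP address                 : 172.16.40.9
  User access type                : WEB
  Dynamic ACL ID(Effective)       : 3001
AAA:
  User authentication type        : WEB authentication
  Current authentication method   : RADIUS
------------------------------------------------------------------------------
Total: 2, printed: 2
"""

# "Key : value //optional comment"; the key never contains a colon, the value may (IPv6).
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*(?://.*)?$")
RECORD_SEP = "------"

# Assumption for this example, from the page's service schemes: employees (802.1X) get
# ACL 3001 via s1, guests (Portal, shown as WEB) get ACL 3002 via s2.
EXPECTED_ACL = {"802.1x": "3001", "WEB": "3002"}


def parse_access_users(text):
    """Split the command output into one dict of fields per online user."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith(RECORD_SEP):
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("[") or line.startswith("Total"):
            continue  # command echo and "Total: N, printed: N" footer
        m = FIELD_RE.match(line)
        if not m or not m.group(2):
            continue  # "Basic:" / "AAA:" section headers carry no value
        current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def find_mismatches(records, expected=EXPECTED_ACL):
    """Return (user, access type, effective ACL, expected ACL) for every user whose
    effective ACL is missing or differs from what the access type should receive."""
    problems = []
    for r in records:
        access_type = r.get("User access type")
        got = r.get("Dynamic ACL ID(Effective)")
        want = expected.get(access_type)
        if got != want:
            problems.append((r.get("User name"), access_type, got, want))
    return problems


if __name__ == "__main__":
    for problem in find_mismatches(parse_access_users(SAMPLE_OUTPUT)):
        print("authorization mismatch:", problem)
```

Feed it the output of display access-user detail for all users (or the per-user output collected over SSH) after a change to the authorization rules on Agile Controller-Campus; a guest record that shows the employee ACL, as the constructed user2 does here, is exactly the kind of result that is easy to miss in a long listing.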
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication-profile p1
#
interface GigabitEthernet1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/0/2
eth-trunk 20
#
interface GigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface GigabitEthernet2/1/0/1
eth-trunk 20
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
#
capwap source interface vlanif20
#
wlan
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return
(Figure for this example not reproduced. Labels recoverable from it: the server
zone (authentication server, DNS server, service server, and special server)
attaches to the CORE CSS on XGE1/2/0/1; Eth-Trunk 30 (XGE1/1/0/3 and XGE2/1/0/3)
is CORE's uplink; CORE connects to AGG1 over Eth-Trunk 10 and to AGG2 over
Eth-Trunk 20; AGG1 and AGG2 uplink on XGE0/0/1 and XGE1/0/1. The legend marks
the authentication point and the access points. Models: access layer S5735-L,
AP AP6050DN V200R019C00.)
Deployment Roadmap
(Roadmap table not reproduced.)
Data Plan
(Data plan table not reproduced.)
Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
# Enable access devices to establish CAPWAP tunnels with the control device
without authentication.
[AGG1] as-auth
[AGG1-as-auth] auth-mode none
Warning: None authentication is configured, which has security risks. Continue? [Y/N]:y
[AGG1-as-auth] quit
# Configure the source interface used by the control device to establish a CAPWAP
tunnel.
[AGG1] capwap source interface vlanif 20
# Configure the source interface used by the access device to establish a CAPWAP
tunnel, and specify the IP address of the control device.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on AGG1
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
[AGG1] acl 3002
[AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 5 deny ip destination any
[AGG1-acl-adv-3002] quit
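The two ACLs above (and the repeat of ACL 3001 in the second configuration example on this page) define the post-authentication domains for employees and guests. The following Python model is an added example, not code from the Huawei document: it evaluates the page's rules with Huawei-style wildcard masks and first-match semantics, so the expected results for employee-to-guest and guest-to-service-server traffic can be checked offline before the ACLs are pushed to a switch. Only the destination field is modelled, because the page's rules match on destination only.

```python
"""Offline model of ACL 3001 (employees) and ACL 3002 (guests) from the page.
Added example; not the switch's own ACL engine."""
import ipaddress
from typing import List, Optional, Tuple

# (rule id, action, (network, wildcard)); None as the destination means "any"
Rule = Tuple[int, str, Optional[Tuple[str, str]]]

# ACL 3001: post-authentication domain for employees (rules copied from the page)
ACL_3001: List[Rule] = [
    (1, "permit", ("172.16.3.0", "0.0.0.255")),    # Internet segment on CORE
    (2, "permit", ("192.168.100.2", "0.0.0.0")),   # DNS server
    (3, "permit", ("192.168.100.3", "0.0.0.0")),   # service server
    (4, "permit", ("172.16.30.0", "0.0.0.255")),   # wireless employees on AGG1
    (5, "permit", ("172.16.40.0", "0.0.0.255")),   # wireless employees on AGG2
    (6, "permit", ("172.16.50.0", "0.0.0.255")),   # wired employees on AGG1
    (7, "permit", ("172.16.60.0", "0.0.0.255")),   # wired employees on AGG2
    (8, "deny", None),
]

# ACL 3002: post-authentication domain for guests (rules copied from the page)
ACL_3002: List[Rule] = [
    (1, "permit", ("172.16.3.0", "0.0.0.255")),
    (2, "permit", ("192.168.100.2", "0.0.0.0")),
    (3, "permit", ("172.16.31.0", "0.0.0.255")),
    (4, "permit", ("172.16.41.0", "0.0.0.255")),
    (5, "deny", None),
]


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard masks are the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def evaluate(acl: List[Rule], destination: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule id) of the first matching rule, or ('no-match', None).

    The page's ACLs end with an explicit 'deny ip destination any', so 'no-match'
    never occurs for them; without that final rule, unmatched traffic would fall
    through to whatever the device's default is, which is why the page adds it."""
    for rule_id, action, dest in acl:
        if dest is None or wildcard_match(destination, *dest):
            return action, rule_id
    return "no-match", None


def expected_results() -> dict:
    """Reproduce expected results 4 and 5 of the page for a wired employee (PC1) and for guests."""
    return {
        "employee_to_internet_gateway": evaluate(ACL_3001, "172.16.3.1"),
        "employee_to_wireless_employee": evaluate(ACL_3001, "172.16.30.81"),  # user2's address on the page
        "employee_to_guest": evaluate(ACL_3001, "172.16.31.153"),             # guest4's address on the page
        "guest_to_dns": evaluate(ACL_3002, "192.168.100.2"),
        "guest_to_service_server": evaluate(ACL_3002, "192.168.100.3"),
        "guest_to_wired_employee": evaluate(ACL_3002, "172.16.50.172"),
    }


if __name__ == "__main__":
    for name, (action, rule_id) in expected_results().items():
        print(f"{name:32s} {action} (rule {rule_id})")
```

Running the block prints one line per flow; the employee-to-guest and guest-to-service-server flows land on the final deny rule, matching expected results 4 and 5. Dropping the last rule from either ACL makes `evaluate` return `no-match`, which is the case the page's explicit `deny ip destination any` exists to avoid.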
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1
Step 8 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-28, and click OK.
Name: AGG1
Enable: Selected
RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Step 9 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 11 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-29, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. Access devices can go online on the control device.
2. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
3. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
4. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
5. The employees can communicate with each other, but cannot communicate
with the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
2. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on AGG1 to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1
C:\Users\*******>
3. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
Total: 3, printed: 3
# Run the display access-user username user1 detail command on AGG1 to
view the authentication, authorization, and access location (GE0/0/3 on
ACC1) information of user1.
[AGG1] display access-user username user1 detail
Basic:
User ID : 49208
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/03 17:16:16
User accounting session ID : LSW5-AG0001800000005061****0300038
User access type : 802.1x
AS ID : 0
AS name : acc1
AS IP : 192.168.20.220
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/3
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
Dynamic service scheme : -
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Basic:
User ID : 49212
User name : user2
Domain-name : huawei.com
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.81
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss2177
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/09/03 17:16:38
User accounting session ID : LSW5-AG000180000000308a****030003e
User access type : 802.1x
AP name : area_1
Radio ID : 0
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 251(s)
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username guest4 detail command on AGG1
to view the authentication, authorization, and access location (AP area_1)
information of guest4.
[AGG1] display access-user username guest4 detail
Basic:
User ID : 49216
User name : guest4
Domain-name : huawei.com
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.153
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss2180
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/09/03 17:37:22
User accounting session ID : LSW5-AG0001800000003172****0300040
User access type : WEB
AP name : area_1
Radio ID : 1
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 1148(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
Dynamic service scheme : -
Service Scheme Priority : 0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
4. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
5. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81
C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153
C:\Users\*******>
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname ACC1
#
vlan batch 20 50
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
free-rule 1 destination any source any
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
ip address dhcp-alloc
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
Figure: Networking diagram. Server zone (Authentication server, DNS server, Service server, Special server) attached to the core switch CORE (CSS) via XGE1/2/0/1; CORE Eth-Trunk 30 (XGE1/1/0/3, XGE2/1/0/3) to the Internet; CORE Eth-Trunk 10 and Eth-Trunk 20 (XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, XGE2/1/0/2) to the aggregation layer AGG1 and AGG2 (XGE0/0/1, XGE1/0/1), which are the authentication points; access layer S5735-L switches are the access points; APs are AP6050DN V200R019C00.
Deployment Roadmap
(Table with columns Step, Deployment Roadmap, Devices Involved)
Data Plan
(Two tables with columns Item, Data)
Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
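The third precaution (here and in the identical list of the previous example) is the reason for the l2protocol-tunnel user-defined-protocol 802.1x lines in the ACC1 and ACC2 configuration files: EAPOL frames are sent to the reserved group address 01-80-C2-00-00-03, which a MAC bridge consumes rather than relays, so an access switch in between would swallow the supplicant's frames before they reach the authentication point on AGG1. The Python model below is an added example, not the switch's implementation; it follows the general Layer 2 protocol tunneling mechanism (rewrite the destination to the configured group-mac on the ingress port, restore it on egress) using the protocol-mac and group-mac values from the ACC1 configuration on this page. The EAPOL-Start frame and the source MAC (user1's, taken from the page's display output) are constructed here.

```python
"""Why EAPOL needs Layer 2 transparent transmission across an intermediate switch.
Added example; the frames are constructed, the MAC addresses come from the page."""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # 802.1X PAE group address (protocol-mac on ACC1)
TUNNEL_GROUP_MAC = bytes.fromhex("010000000002")  # group-mac configured on ACC1
ETHERTYPE_EAPOL = 0x888E
EAPOL_START = 1

# Reserved group addresses that a conformant MAC bridge never relays:
# 01-80-C2-00-00-00 (STP), -01 (PAUSE), -02 (slow protocols such as LACP), -03 (802.1X PAE).
NOT_RELAYED = {bytes.fromhex("0180c2000000" [:10] + f"{i:02x}") for i in range(4)}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def eapol_start_frame(supplicant_mac: bytes) -> bytes:
    """EAPOL-Start as a supplicant sends it: protocol version 2, packet type 1, body length 0."""
    return build_frame(PAE_GROUP_MAC, supplicant_mac, ETHERTYPE_EAPOL, struct.pack("!BBH", 2, EAPOL_START, 0))


def is_eapol(frame: bytes) -> bool:
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def bridge_relays(frame: bytes) -> bool:
    """A plain bridge drops frames to the reserved addresses above; everything else is forwarded."""
    return frame[:6] not in NOT_RELAYED


def tunnel_ingress(frame: bytes) -> bytes:
    """User-side port with l2protocol-tunnel enabled: protocol-mac becomes group-mac,
    so the frame is switched like ordinary multicast on its way to the uplink."""
    if is_eapol(frame) and frame[:6] == PAE_GROUP_MAC:
        return TUNNEL_GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame: bytes) -> bytes:
    """Port facing the 802.1X-enabled switch: restore the PAE address before handing the frame on."""
    if is_eapol(frame) and frame[:6] == TUNNEL_GROUP_MAC:
        return PAE_GROUP_MAC + frame[6:]
    return frame


def path_report(frame: bytes) -> dict:
    """Trace one frame from the access port, through the tunnel, to the authentication point."""
    tunnelled = tunnel_ingress(frame)
    return {
        "relayed_without_tunnel": bridge_relays(frame),
        "relayed_with_tunnel": bridge_relays(tunnelled),
        "restored_at_authenticator": tunnel_egress(tunnelled) == frame,
    }


if __name__ == "__main__":
    pc1 = bytes.fromhex("001b21c4820f")  # user1's MAC from the page's display access-user output
    print(path_report(eapol_start_frame(pc1)))
```

Without the tunnel the report shows `relayed_without_tunnel: False`, which is the "users cannot be successfully authenticated" symptom the precaution warns about; with it, the frame crosses the access switch and arrives at AGG1 with its original destination address, and non-EAPOL traffic such as ARP passes through both functions unchanged.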
Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
including the IP addresses, port numbers, authentication key, and accounting key
of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit
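The shared key in this template is what the first deployment precaution refers to: it must equal the RADIUS key entered on Agile Controller-Campus, because both sides use it to hide User-Password (RFC 2865 section 5.2) and to compute the Response Authenticator that the switch checks on every Access-Accept or Access-Reject (RFC 2865 section 3). The Python below is an added example, not code from the Huawei document or from the controller: the RADIUS server is a constructed in-process stand-in, the user credential is made up, and the key Admin@123, the server address 192.168.100.10:1812, the domain huawei.com and AGG1's VLANIF 20 address 192.168.20.1 are taken from this page. It shows that with mismatched keys the server rejects the user and the switch additionally discards the reply, which presents as an unresponsive server rather than as a clear key error.

```python
"""Why the switch's RADIUS key must equal the controller's. Added example; packets are
built and checked in memory, no server is contacted."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
SERVER = ("192.168.100.10", 1812)  # authentication server from the page; not contacted here


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password. A wrong key does not raise; it yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret): how the server signs a reply."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request: bytes, server_key: bytes, users: dict) -> bytes:
    """Constructed stand-in for the controller: decode the password with the server's copy
    of the key and accept only if it matches the stored credential."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth, pos = request[4:20], 20
    name, hidden = b"", b""
    while pos < length:
        attr_type, attr_len = request[pos], request[pos + 1]
        value = request[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            name = value
        elif attr_type == ATTR_USER_PASSWORD:
            hidden = value
        pos += attr_len
    candidate = decode_user_password(hidden, server_key, request_auth)
    ok = name in users and hmac.compare_digest(candidate, users[name])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, identifier, response_authenticator(code, identifier, b"", request_auth, server_key), b"")


def switch_accepts_reply(reply: bytes, request_auth: bytes, switch_key: bytes) -> bool:
    """What the NAS (AGG1) does with a reply: recompute the authenticator with its own key.
    On mismatch the reply is silently discarded, so the switch sees no answer at all."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request_auth, switch_key)
    return hmac.compare_digest(reply[4:20], expected)


def run_exchange(switch_key: bytes, server_key: bytes) -> tuple:
    """One Access-Request for a constructed user; returns (reply code, reply accepted by switch)."""
    users = {b"user1@huawei.com": b"user1-pass"}  # constructed credential
    request_auth = bytes(range(16))               # constructed; a real NAS uses 16 random bytes
    attrs = (attribute(ATTR_USER_NAME, b"user1@huawei.com")
             + attribute(ATTR_USER_PASSWORD, encode_user_password(b"user1-pass", switch_key, request_auth))
             + attribute(ATTR_NAS_IP, bytes([192, 168, 20, 1])))  # AGG1's VLANIF 20 address
    request = packet(ACCESS_REQUEST, 7, request_auth, attrs)
    reply = radius_server(request, server_key, users)
    return reply[0], switch_accepts_reply(reply, request_auth, switch_key)


if __name__ == "__main__":
    print("matching keys:", run_exchange(b"Admin@123", b"Admin@123"))    # (2, True)
    print("mismatched keys:", run_exchange(b"Admin@123", b"Wrong@123"))  # (3, False)
```

The second line of output is the practical lesson: a key mismatch produces an Access-Reject whose authenticator the switch cannot verify, so users fail authentication and the switch may eventually mark the server down, which is exactly the condition the escape service schemes s1 and s2 later in this example are meant to cover. Note also that this packet protection is MD5-based and fixed by the protocol, so the shared key should be long and random; the example uses the page's value only for illustration.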
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-sec-prof-sec1] quit
Step 7 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-36, and click OK.
Name: AGG1
Enable: Selected
RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Step 8 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 10 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-37, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. The employees can communicate with each other, but cannot communicate
with the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
2. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
Total: 3, printed: 3
Basic:
User ID : 49175
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/02 17:14:30
User accounting session ID : AG00018000000050ce****0300017
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
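The display access-user detail output above (and the user1, user2 and guest4 output in the previous example) is what an operator reads to confirm that the right post-authentication domain was applied. The Python below is an added example, not a Huawei tool: it parses that output format into one record per user and checks each record against the data plan on this page, where employee VLANs 30, 40, 50 and 60 must carry ACL 3001 and guest VLANs 31 and 41 must carry ACL 3002, with the Employee and Guest SSIDs checked the same way. The first three sample records are condensed from the page's output; guest9 is a constructed record with the wrong ACL to show what a finding looks like.

```python
"""Audit effective ACLs in 'display access-user username <name> detail' output.
Added example; sample records are condensed from the page, guest9 is constructed."""
from typing import Dict, List

EXPECTED_ACL_BY_VLAN = {"30": "3001", "40": "3001", "50": "3001", "60": "3001", "31": "3002", "41": "3002"}
EXPECTED_ACL_BY_SSID = {"Employee": "3001", "Guest": "3002"}

SAMPLE_OUTPUT = """\
Basic:
  User ID                        : 49208
  User name                      : user1
  Domain-name                    : huawei.com
  User MAC                       : 001b-21c4-820f
  User IP address                : 172.16.50.172
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk30
  QinQVlan/UserVlan              : 0/50
  User access type               : 802.1x
  AS Interface                   : GigabitEthernet0/0/3
  Dynamic ACL ID(Effective)      : 3001
AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Basic:
  User ID                        : 49212
  User name                      : user2
  User IP address                : 172.16.30.81
  QinQVlan/UserVlan              : 0/30
  User access type               : 802.1x
  SSID                           : Employee
  Dynamic ACL ID(Effective)      : 3001
------------------------------------------------------------------------------
Basic:
  User ID                        : 49216
  User name                      : guest4
  User IP address                : 172.16.31.153
  QinQVlan/UserVlan              : 0/31
  User access type               : WEB
  SSID                           : Guest
  Web-server IP address          : 192.168.100.10
  Dynamic ACL ID(Effective)      : 3002
------------------------------------------------------------------------------
Basic:
  User ID                        : 49299
  User name                      : guest9
  User IP address                : 172.16.31.9
  QinQVlan/UserVlan              : 0/31
  User access type               : WEB
  SSID                           : Guest
  Dynamic ACL ID(Effective)      : 3001
------------------------------------------------------------------------------
"""


def parse_access_users(text: str) -> List[Dict[str, str]]:
    """One dict per 'Basic:' block; each 'key : value' line becomes an entry.
    Splitting on the first colon keeps IPv6 addresses and timestamps intact."""
    users: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Basic:":
            if current:
                users.append(current)
            current = {}
        elif line in ("AAA:", "") or line.startswith("-") or line.startswith("Total:"):
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        users.append(current)
    return users


def audit(users: List[Dict[str, str]]) -> List[str]:
    """Return one finding per disagreement between the effective ACL and the VLAN or SSID plan."""
    findings = []
    for user in users:
        name = user.get("User name", "?")
        vlan = user.get("QinQVlan/UserVlan", "0/0").split("/")[-1]
        acl = user.get("Dynamic ACL ID(Effective)", "-")
        by_vlan = EXPECTED_ACL_BY_VLAN.get(vlan)
        if by_vlan is None:
            findings.append(f"{name}: user VLAN {vlan} is not in the data plan")
        elif acl != by_vlan:
            findings.append(f"{name}: VLAN {vlan} expects ACL {by_vlan}, effective ACL is {acl}")
        ssid = user.get("SSID")
        if ssid is not None and EXPECTED_ACL_BY_SSID.get(ssid) not in (None, acl):
            findings.append(f"{name}: SSID {ssid} expects ACL {EXPECTED_ACL_BY_SSID[ssid]}, effective ACL is {acl}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_access_users(SAMPLE_OUTPUT)):
        print(finding)
```

On the page's three real records the audit is silent; the constructed guest9 record, a guest who somehow received the employee ACL, produces two findings (one from the VLAN check, one from the SSID check). Feeding the script the saved output of the command for all online users turns the manual spot check in this step into a repeatable control.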
3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81
C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153
C:\Users\*******>
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
Figure: network topology. The server zone (including RADIUS and DNS servers) connects to CORE (CSS, Parent, core layer) through XGE1/2/0/1; CORE connects downstream through Eth-Trunk 10 and Eth-Trunk 20 (member ports XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, XGE2/1/0/2). Legend: authentication point, access point, group policy enforcement point. Aggregation layer: S5731-H; access layer: S5735-L; AP: AP6050DN V200R019C00.
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Item Data
AP group: ap-group
Parent's cards connected to ASs: X1E cards of the same type in slot 1 of the two CSS member switches
Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
Step 4 Configure combined 802.1X + MAC + Portal authentication for wired users on
CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for wired users, and bind the 802.1X access
profile, MAC access profile, and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] mac-access-profile mac1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
# Configure an authentication profile for wireless users, and set the authentication
mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip to the IP address of VLANIF 1000.
Name CORE -
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.
c. Click OK. The communication status of the switch becomes , and the
synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1
3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. The following
describes how to add employee user1 to employee_group. The procedure of
adding guest user2 to guest_group is similar.
a. Choose System > Terminal Configuration > Global Parameters > Free
Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-46.
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
name
--------------------------------------------------------------------------------
1
2
--------------------------------------------------------------------------------
Total : 2
----End
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
dhcp select interface
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security wpa2 dot1x aes
Figure: network topology. The server zone (including RADIUS and DNS servers) connects to CORE (CSS, Parent, core layer) through XGE1/2/0/1; CORE connects downstream through Eth-Trunk 10 and Eth-Trunk 20 (member ports XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, XGE2/1/0/2). Legend: authentication point, access point. Aggregation layer: S5731-H; access layer: S5735-L; AP: AP6050DN V200R019C00.
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Item Data
AP group: ap-group
Parent's cards connected to ASs: X1E cards of the same type in slot 1 of the two CSS member switches
Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 4 Configure combined 802.1X + Portal authentication for wired users on CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for wired users, and bind the 802.1X access
profile and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
# Configure an authentication profile for wireless users, and set the authentication
mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule
[CORE-authen-profile-p3] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit
Name CORE -
2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.
b. Click in the operation area on the left, and create the user group
Employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.
----End
Guest authentication:
● A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network.
After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 81564
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 192.168.50.111
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/10/22 02:00:03
User accounting session ID : LSW900210000000050ad****0203e9c
User access type : 802.1x //User access type
AS ID :1
AS name : as-layer2-1 //AS on which the user goes online
AS IP : 192.168.20.212
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/10 //AS interface on which the user goes online
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization information
AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
authentication-profile p3
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
user-access-profile name test01
authentication-profile p1
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired users, and standalone ACs in a hot standby (HSB)
group function as the gateway and authentication point for wireless users. The
wired and wireless users can access the network only after being authenticated.
The specific requirements are as follows:
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Agile Controller-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access and aggregation switches to
control Layer 2 traffic of users.
Figure 6-55 Core switches and standalone ACs functioning as the authentication
points for wired and wireless users respectively
Figure: the server zone (DNS server, authentication server, service server, special server) and the HSB pair CORE-AC1/CORE-AC2 (Eth-Trunk 30, Eth-Trunk 1, Eth-Trunk 2) connect to CORE (CSS, core layer, XGE1/2/0/1); CORE connects to AGG1 and AGG2 at the aggregation layer through Eth-Trunk 10 and Eth-Trunk 20 (XGE1/1/0/1, XGE1/1/0/2, XGE2/1/0/1, XGE2/1/0/2 on CORE; XGE0/0/1 and XGE1/0/1 on each AGG); AGG1 and AGG2 connect to ACC1 and ACC2 at the access layer through Eth-Trunk 30 and Eth-Trunk 40 (GE0/0/3 and GE1/0/3 on the AGG side, GE0/0/1 and GE0/0/2 on the ACC side); ACC1 and ACC2 serve users on GE0/0/3 and GE0/0/4. Legend: authentication point, access point. Aggregation layer: S5731-H; access layer: S5735-L; AC: AC6605; AP: AP6050DN V200R019C00.
Deployment Roadmap
Step Deployment Roadmap
Data Plan
Traffic profile: traff (user isolation mode: Layer 2 isolation and Layer 3 communication)
AP group: ap-group1
Table 6-56 Authentication service data plan for core switches and ACs
Item Data
Network access rights for successfully authenticated users:
● Employees: Internet, DNS server, service server, and network segments of employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.
Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
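To check the first precaution above against a configuration file, here is an added Python audit script (it is not part of the Huawei document). The configuration it scans is constructed for this example and only follows the syntax of the CORE and AGG configuration files on this page; the rule that a VRP trunk port carries VLAN 1 unless "undo port trunk allow-pass vlan 1" is present is the assumption the check relies on.

```python
"""Added example, not part of the Huawei document: audit trunk ports in a
VRP-style configuration against the deployment precaution that VLAN 1 must
not be used as a service VLAN and that no trunk transparently transmits all
VLANs. SAMPLE_CONFIG is constructed for this example."""
from typing import Dict, List

SAMPLE_CONFIG = """\
#
sysname AGG-SAMPLE
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan all
 mode lacp
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 20 50
#
return
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split the configuration into interface blocks.

    In VRP configuration files 'interface <name>' opens a block and a line
    holding only '#' closes it; everything else at top level is ignored."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_trunks(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for trunk ports that violate the precaution.

    Assumption: a VRP trunk port allows VLAN 1 by default, so the absence of
    'undo port trunk allow-pass vlan 1' means VLAN 1 is still carried."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "port link-type trunk" not in lines:
            continue  # access and hybrid ports are out of scope for this check
        issues = []
        if "port trunk allow-pass vlan all" in lines:
            issues.append("transparently transmits all VLANs; list only the "
                          "service VLANs this link needs")
        if "undo port trunk allow-pass vlan 1" not in lines:
            issues.append("VLAN 1 still allowed on the trunk (missing "
                          "'undo port trunk allow-pass vlan 1')")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for intf, issues in audit_trunks(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{intf}: {issue}")
```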
Procedure
Step 1 Enable campus network connectivity. For details, see 3.11 Standalone AC
Solution: Core Switches and ACs Function as the Gateways for Wired and
Wireless Users Respectively.
Step 3 Configure the authentication service on ACs. The following uses CORE-AC1 as an
example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<CORE-AC1> system-view
[CORE-AC1] radius-server template tem_rad
[CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-AC1-radius-tem_rad] quit
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[CORE-AC1] acl 3001
[CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 7 deny ip destination any
[CORE-AC1-acl-adv-3001] quit
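As an added example (not part of the Huawei document), the following Python script evaluates ACL 3001 as configured above against the destinations used later in the verification steps: the DNS server, the wireless employee terminal, the guest terminal, and the special server. The rule text is copied from the page; the evaluator assumes first-match semantics in ascending rule-ID order, which is how the rules above are numbered.

```python
"""Added example, not part of the Huawei document: evaluate a VRP-style
advanced ACL (ACL 3001 from CORE-AC1 above) against destination addresses,
the way the post-authentication domain is applied to an authenticated
employee. Assumption: rules match in ascending rule-ID order, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 3001 rule lines exactly as configured on CORE-AC1 on the page.
ACL_3001 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 192.168.100.3 0.0.0.0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip destination any
"""


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    dst: Optional[int]     # destination network as a 32-bit int; None means any
    wildcard: int          # wildcard mask; 1 bits are "don't care"


def _wildcard_to_int(token: str) -> int:
    """VRP accepts a dotted wildcard (0.0.0.255) or a bare 0 for a host match."""
    if token == "0":
        return 0
    return int(ipaddress.IPv4Address(token))


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip [destination A.B.C.D W.X.Y.Z | destination any]'."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    dst, wildcard = None, 0xFFFFFFFF
    if len(t) > 4:
        if t[4] != "destination":
            raise ValueError(f"only destination matching is supported: {line!r}")
        if t[5] != "any":
            dst = int(ipaddress.IPv4Address(t[5]))
            wildcard = _wildcard_to_int(t[6]) if len(t) > 6 else 0
    return Rule(int(t[1]), t[2], dst, wildcard)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.strip().splitlines() if ln.strip()]


def evaluate(rules: List[Rule], dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id) of the first matching rule, or ("no-match", None).

    ACL 3001 ends with an explicit 'deny ip destination any', so with that ACL
    the no-match case never occurs. An authorization ACL without a final deny
    leaves unmatched traffic to the platform default instead of to the policy."""
    addr = int(ipaddress.IPv4Address(dst_ip))
    for r in sorted(rules, key=lambda r: r.rule_id):
        care = ~r.wildcard & 0xFFFFFFFF  # bits that must be equal to match
        if r.dst is None or (addr & care) == (r.dst & care):
            return r.action, r.rule_id
    return "no-match", None


def employee_access(dst_ip: str) -> Tuple[str, Optional[int]]:
    """Decision for a successfully authenticated employee under ACL 3001."""
    return evaluate(parse_acl(ACL_3001), dst_ip)


if __name__ == "__main__":
    # Destinations from the verification steps: DNS server, wireless employee
    # user2, guest4, and the special server that lies outside the employee domain.
    for ip in ("192.168.100.2", "172.16.30.81", "172.16.31.153", "192.168.100.100"):
        print(ip, employee_access(ip))
```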
Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-58, and click OK.
Table 6-58 Parameter settings for adding core switches and ACs on Agile
Controller-Campus
Name: CORE, AC
Authentication/Accounting key: Admin@123
Real-time accounting interval (minute): 15
Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-59, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. Employees can communicate with each other, but cannot communicate with
the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
------------------------------------------------------------------------------
Total: 1, printed: 1
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
C:\Users\*******>
2. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on CORE and CORE-AC1 to check information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
[CORE] display access-user
------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user
------------------------------------------------------------------------------
Total: 2, printed: 2
Basic:
User ID : 115318
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.110
User vpn-instance : -
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username user2 detail and display access-user username guest4 detail commands on CORE-AC1 to view detailed authentication and authorization information of user2 and guest4.
[CORE-AC1] display access-user username user2 detail
Basic:
User ID : 32788
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17496
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/11/26 21:22:53
User accounting session ID : CORE-AC00000000000030f0****0200014
User accounting mult session ID : AC853DA6A42038CADA5E441A5DDD9****690329A
User access type : 802.1x
AP name : area_1
Radio ID : 0
AP MAC : ac85-3d95-d801
SSID : Employee
Online time : 494(s)
Dynamic ACL ID(Effective) : 3001
User Group Priority : 0
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user username guest4 detail
Basic:
User ID : 16401
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.40.210
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/40
User vlan source : user request
User access time : 2019/11/26 21:25:05
User accounting session ID : CORE-AC000000000000401c****0100011
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : ac85-3d95-d801
SSID : Guest
Online time : 421(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
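The fields that matter in the two outputs above are SSID, User access type and Dynamic ACL ID(Effective): an Employee session must be 802.1x with ACL 3001, a Guest session must be WEB (Portal) with ACL 3002, and a wired employee in VLAN 50 or 60 must also carry ACL 3001. Checking this by eye does not scale, so the following Python script is added here as an example (it is not part of the Huawei document and not an Agile Controller feature) that parses display access-user username ... detail output into fields and reports any session whose access type or effective ACL departs from that plan. The sample outputs are constructed in the CLI's "Name : value" layout with the values shown above; the third sample is deliberately altered to carry the wrong ACL so that a finding is produced. The expected mapping is an assumption derived from this example's data plan (in the next example, where VLAN 31 and VLAN 41 are guest VLANs, the mapping must be adapted), and the same check applies to the AGG-AC1 output there.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples in the 'Name : value' layout the CLI prints; the
# values are the ones shown in the CORE-AC1 output above. The third sample
# is deliberately altered (wrong ACL) so that the check reports a finding.
SAMPLE_USER2 = """\
Basic:
  User ID                        : 32788
  User name                      : user2
  User IP address                : 172.16.30.165
  User IPv6 address              : -
  User access Interface          : Wlan-Dbss17496
  QinQVlan/UserVlan              : 0/30
  User access type               : 802.1x
  SSID                           : Employee
  Dynamic ACL ID(Effective)      : 3001
AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
"""
SAMPLE_GUEST4 = """\
Basic:
  User name                      : guest4
  User IP address                : 172.16.40.210
  QinQVlan/UserVlan              : 0/40
  User access type               : WEB
  SSID                           : Guest
  Web-server IP address          : 192.168.100.10
  Dynamic ACL ID(Effective)      : 3002
"""
SAMPLE_WIRED_ALTERED = """\
Basic:
  User name                      : user1
  User IP address                : 172.16.50.110
  QinQVlan/UserVlan              : 0/50
  User access type               : 802.1x
  Dynamic ACL ID(Effective)      : 3002
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()/-]*?)\s*:\s*(.*?)\s*$")


def parse_access_user_detail(text: str) -> Dict[str, str]:
    """Map each 'Name : value' line to a dict. 'Basic:' and 'AAA:' section
    headers have no value and are skipped. Values may themselves contain
    colons (IPv6 addresses, timestamps): only the first colon after the
    name is treated as the separator."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


# Expected (access type, dynamic ACL) per access group, derived from the
# data plan and configuration files of this example: wireless sessions are
# keyed by SSID, wired ones by user VLAN. Assumption: adapt to your data plan.
EXPECTED_BY_SSID = {"Employee": ("802.1x", "3001"), "Guest": ("WEB", "3002")}
EXPECTED_BY_VLAN = {"50": ("802.1x", "3001"), "60": ("802.1x", "3001")}


def expected_for(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    ssid = fields.get("SSID")
    if ssid in EXPECTED_BY_SSID:
        return EXPECTED_BY_SSID[ssid]
    vlan = fields.get("QinQVlan/UserVlan", "").rpartition("/")[2]
    return EXPECTED_BY_VLAN.get(vlan)


def check_authorization(fields: Dict[str, str]) -> List[str]:
    """Return findings for one session; an empty list means the session
    carries exactly the access type and ACL the data plan calls for."""
    name = fields.get("User name", "?")
    expected = expected_for(fields)
    if expected is None:
        return [f"{name}: no expected profile for this SSID/VLAN"]
    exp_type, exp_acl = expected
    got_type = fields.get("User access type")
    got_acl = fields.get("Dynamic ACL ID(Effective)")
    findings = []
    if got_type != exp_type:
        findings.append(f"{name}: access type {got_type} != expected {exp_type}")
    if got_acl != exp_acl:
        findings.append(f"{name}: effective ACL {got_acl} != expected {exp_acl}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_USER2, SAMPLE_GUEST4, SAMPLE_WIRED_ALTERED):
        print(check_authorization(parse_access_user_detail(sample)) or "ok")
```

A session with no SSID and a VLAN that is not in the plan is reported rather than silently accepted; an unexpected VLAN usually means a user landed outside the post-authentication domain that was designed for it.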
3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3
C:\Users\*******>
C:\Users\*******>
C:\Users\*******>
4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.165
C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.40.210
C:\Users\*******>
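The four expected results are, in the end, a destination policy: before authentication only the free-rule destination (the DNS server) is reachable; afterwards the dynamic ACL decides, and the employee and guest ACLs deliberately do not permit each other's segments, which is what makes the last ping fail. The Python script below is added here as an example (it is not part of the Huawei document) that evaluates ACL 3001 and ACL 3002 exactly as they appear in the CORE-AC1 configuration file, using first-match semantics, and reproduces each of the ping results above. It also implements the AP-side check stated in the note about wireless users in the next example: the ACL pushed to the APs must permit the wireless users' own segment, or their traffic is dropped at the AP after a successful authentication. Assumptions: wildcard masks are contiguous (the only kind used in this document); the authentication-free rule is modelled as a destination permit list, the source-VLAN free rule is not modelled; and because this page does not state what the device does with a packet that matches no rule, the evaluator returns None in that case instead of guessing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str             # "permit" or "deny"
    dst: Optional[IPv4Net]  # None: any destination


def wildcard_to_prefix(wildcard: str) -> int:
    """VRP wildcard mask (0 bits must match) to prefix length. '0' is the
    short form of 0.0.0.0 seen in the configuration files."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(inverted).count("1")
    if inverted != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return prefix


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [destination ADDR WILDCARD | any]'
    lines exactly as they appear in the configuration files."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "rule":
            continue
        dst = None
        if "destination" in parts:
            i = parts.index("destination")
            if parts[i + 1] != "any":
                wildcard = parts[i + 2] if len(parts) > i + 2 else "0"
                dst = IPv4Net(f"{parts[i + 1]}/{wildcard_to_prefix(wildcard)}",
                              strict=False)
        rules.append(Rule(int(parts[1]), parts[2], dst))
    return sorted(rules, key=lambda r: r.rule_id)


def acl_decision(rules: List[Rule], dst_ip: str) -> Optional[bool]:
    """First matching rule decides: True = permit, False = deny, None = no
    rule matched. Both ACLs here end with an explicit 'deny ip', so None
    never occurs for them; the implicit action for unmatched packets is
    platform- and feature-specific, which is why that final rule matters."""
    ip = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.dst is None or ip in r.dst:
            return r.action == "permit"
    return None


# Assumption: the authentication-free rule is modelled as a destination-only
# permit list (free-rule 1 of default_free_rule); 'free-rule 2 source vlan 20'
# is a source-VLAN rule and is not modelled.
FREE_RULE_DESTINATIONS = [IPv4Net("192.168.100.2/32")]


def reachable(dst_ip: str, authenticated: bool, acl: List[Rule]) -> bool:
    """May a user in the given state send IP traffic to dst_ip?"""
    if not authenticated:
        return any(ipaddress.IPv4Address(dst_ip) in n for n in FREE_RULE_DESTINATIONS)
    return acl_decision(acl, dst_ip) is True


def acl_covers_segment(rules: List[Rule], segment: str) -> bool:
    """AP-side check from the note on wireless users: the first rule that
    overlaps the users' own segment must be a permit covering all of it,
    otherwise the AP drops their packets even after authentication."""
    net = IPv4Net(segment)
    for r in rules:
        if r.dst is None or r.dst.overlaps(net):
            return r.action == "permit" and (r.dst is None or net.subnet_of(r.dst))
    return False


# Copied from the CORE-AC1 configuration file: 3001 is the employee ACL,
# 3002 the guest ACL.
ACL_3001 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
"""
ACL_3002 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
"""
EMPLOYEE, GUEST = parse_acl(ACL_3001), parse_acl(ACL_3002)

if __name__ == "__main__":
    targets = ["192.168.100.2", "192.168.100.3", "192.168.100.100",
               "172.16.30.165", "172.16.40.210", "172.16.3.1"]
    for who, acl in (("employee", EMPLOYEE), ("guest", GUEST)):
        for dst in targets:
            state = "permit" if reachable(dst, True, acl) else "deny"
            print(f"{who:8s} -> {dst:15s} {state}")
```

Run stand-alone it prints the decision matrix for both groups. The special server 192.168.100.100 is denied to both because neither ACL permits it, which is the "denied in the post-authentication domain" case; the employee ping to 172.16.40.210 is denied by rule 7 of ACL 3001, not by any rule naming the guest segment, so a later "permit any" rule inserted before it would silently remove the isolation.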
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
authentication-profile p1
mode lacp
#
interface Eth-Trunk30
description con to Internet
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
dot1x-access-profile name d1
#
return
%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return
Figure: networking diagram (image not extracted; only its labels survived). Server zone: DNS server, authentication server, service server and special server, attached to CORE on XGE1/2/0/1. Core layer: CORE (CSS), Eth-Trunk 30 (XGE1/1/0/5, XGE2/1/0/5) to the Internet, Eth-Trunk 10 and Eth-Trunk 20 (XGE1/1/0/1, XGE2/1/0/1, XGE1/1/0/2, XGE2/1/0/2) to the aggregation layer. ACs: AGG-AC1/AGG-AC2 and AGG-AC3/AGG-AC4 (HSB pairs, GE0/0/1 towards the aggregation switches). Aggregation layer: AGG1 and AGG2, XGE1/0/1 uplinks to CORE, Eth-Trunk 1 and Eth-Trunk 2 (GE0/0/4, GE0/0/5) to the ACs, Eth-Trunk 30 and Eth-Trunk 40 (GE0/0/3, GE1/0/3) to the access layer. Access layer: ACC1 and ACC2 (GE0/0/1, GE0/0/2 uplinks; GE0/0/3, GE0/0/4 to terminals). Legend: authentication point, access point.
Device models in this example:
Aggregation layer - S5731-H
Access layer - S5735-L
AC - AC6605
AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap
Data Plan
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
Table 6-64 Authentication service data plan for aggregation switches and ACs
Item                                      Data
Network access rights for successfully    ● Employees: Internet, DNS server, service server,
authenticated users                         and network segments of employees
                                          ● Guests: Internet, DNS server, and network
                                            segments of guests
                                          The IP addresses of the service server, special
                                          server, and campus egress device are
                                          192.168.100.3, 192.168.100.100, and 172.16.3.1,
                                          respectively.
Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
Procedure
Step 1 Enable campus network connectivity. For details, see 3.10 Standalone AC
Solution: Aggregation Switches Function as Gateways for Wired and Wireless
Users.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
Step 2 Configure the authentication service on aggregation switches. The following uses
AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between the aggregation switches and the
RADIUS server, including the IP addresses, port numbers, authentication key,
and accounting key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit
Step 3 Configure the authentication service on ACs. The following uses AGG-AC1 as an
example. The configurations of other ACs are similar to that of AGG-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG-AC1-radius-tem_rad] quit
ACL rules for wireless users are delivered to the APs. The ACL must therefore
permit the network segments of the wireless users themselves as well as every
network segment the wireless users are allowed to access. Otherwise, the APs
discard all packets of the wireless users even after the users have been
successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit
Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-66, and click OK.
Table 6-66 Parameter settings for adding aggregation switches and ACs on Agile Controller-Campus
Item                                      Data
Authentication/Accounting key             Admin@123
Real-time accounting interval (minute)    15
Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-67, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
------------------------------------------------------------------------------
Total: 1, printed: 1
[AGG-AC1] display access-user
------------------------------------------------------------------------------
Total: 2, printed: 2
Basic:
User ID : 32792
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.216
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/12/30 10:01:33
User accounting session ID : AGG00018000000050ef****0200018
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username user2 detail and display access-user username guest4 detail commands on AGG-AC1 to view detailed authentication and authorization information of user2 and guest4.
[AGG-AC1] display access-user username user2 detail
Basic:
User ID : 16434
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.97
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17498
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/12/30 10:02:55
User accounting session ID : AC2000000000000308d****0100032
User accounting mult session ID : AC853DA6A42038CADA5E441A5E09C****B2526E4
User access type : 802.1x
AP name : area_1
Radio ID : 1
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 115(s)
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
[AGG-AC1] display access-user username guest4 detail
Basic:
User ID : 32809
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/12/30 09:52:57
User accounting session ID : AC200000000000031dd****0200029
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 764(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
2. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3
C:\Users\*******>
C:\Users\*******>
C:\Users\*******>
3. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.97
C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.31.165
C:\Users\*******>
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
#
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 2
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return
7 Security Deployment
Local device login through the console port | You need to configure an authentication mode and a user level for the console user interface. | You want to log in to the device through the console port while improving local login security.
If an aggregation device functions as the user gateway, you can deploy security policies by referring to security policy deployment for core devices. | -
Configuring Security for Local Device Login Through the Console Port
Logging in to a switch through the console port (also called serial port) is a basic
login mode and forms the basis of other login modes such as Telnet and STelnet.
Once an attacker accesses the console port on a switch, the switch is exposed to
the attacker, causing security risks. You can configure the authentication mode,
user authentication information, and user level for the console user interface to
ensure security of switch login through the console port.
Deployment Precautions
● If you configure the console user interface after login through the console
port, the configuration takes effect at your next login.
● To ensure device security, you are required to change the default password
upon the first login and change the password periodically.
Procedure
Step 2 Configure authentication information and user level for the console user interface.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create local user admin123 and set the login password to abcd@123.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user admin123 to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type terminal //Set the access type of local user admin123 to terminal user, that is, console user.
Step 3 Connect to the switch through the console port and enter the user name and
password as prompted to log in to the switch. (In this example, the user name is
admin123 and the password is abcd@123.)
Login authentication
Username:admin123
Password:
<HUAWEI>
----End
Step 1 Configure a protocol type, an authentication mode, and a user level for the VTY
user interface.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa //Configure AAA authentication for the VTY user interface.
[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default, SSH is used.
[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.
[HUAWEI-ui-vty0-4] quit
Step 2 Enable the STelnet server function and create an SSH user.
[HUAWEI] stelnet server enable //Enable the STelnet server function on the switch.
[HUAWEI] ssh user admin123 //Create SSH user admin123.
[HUAWEI] ssh user admin123 service-type stelnet //Set the service mode of the SSH user to STelnet.
To use password authentication, create a local user with the same name as the
SSH user in the AAA view.
[HUAWEI] ssh user admin123 authentication-type password //Configure password authentication for the SSH user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with the same user name as the SSH user and set a login password for the local user.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.
[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.
[HUAWEI-aaa] quit
# Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The
following uses ECC authentication as an example. Steps for configuring RSA and
DSA authentication are similar to those for configuring ECC authentication.)
To use RSA, DSA, or ECC authentication, you need to configure the public key of
the SSH client on the SSH server. When the SSH client connects to the SSH server,
the SSH client passes the authentication if the private key of the client matches
the configured public key. For details about the public key on the client, see the
help document of the SSH client software.
[HUAWEI] ssh user admin123 authentication-type ecc //Configure ECC authentication for the SSH user.
[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding format of ECC public key key01 and enter the ECC public key view.
Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.
Enter "ECC key code" view, return last view with "public-key-code end".
[HUAWEI-ecc-key-code] 308188 //Copy the public key of the client, which is a hexadecimal character string.
[HUAWEI-ecc-key-code] 028180
[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-ecc-key-code] 171896FB 1FFC38CD
[HUAWEI-ecc-key-code] 0203
[HUAWEI-ecc-key-code] 010001
[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.
[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.
[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign an existing public key key01 to user admin123.
Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH
protocol.
Click Open. Enter the user name and password as prompted and press Enter to
log in to the SSH server. (The following information is for reference only.)
login as: admin123
Sent username "admin123"
admin123@10.10.10.20's password:
----End
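Added example (not from the Huawei document): a small Python audit that parses a saved VRP-style configuration and checks the login settings the two procedures above harden: STelnet enabled, no Telnet server, AAA authentication and SSH-only inbound on the VTY lines, SSH users with an authentication type, and local users stored with irreversible-cipher. The sample configuration, its placeholder ciphertext values and the finding texts are constructed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the document): the SSH/AAA commands of the
# procedure above as they appear in a saved configuration, plus a deliberately
# weak VTY block, a Telnet server and a weak local user for the audit to flag.
SAMPLE_CONFIG = """\
#
telnet server enable
stelnet server enable
ssh user admin123 authentication-type ecc
ssh user admin123 assign ecc-key key01
ssh user admin123 service-type stelnet
#
aaa
 local-user admin123 password irreversible-cipher $1a$placeholder-hash$
 local-user admin123 privilege level 15
 local-user admin123 service-type ssh terminal
 local-user guest password cipher %^%#placeholder-ciphertext%^%#
 local-user guest privilege level 1
 local-user guest service-type telnet
#
user-interface console 0
 authentication-mode aaa
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
 user privilege level 15
#
return
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split a VRP-style configuration into (view header, [sub-commands]).

    A line without leading whitespace opens a block; lines indented by a
    space belong to the most recent block. '#' separator lines are skipped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(stripped)
        else:
            blocks.append((stripped, []))
    return blocks


def audit_login_hardening(text: str) -> List[str]:
    """Return findings for the login settings this section hardens; [] means clean."""
    findings: List[str] = []
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]

    if "stelnet server enable" not in headers:
        findings.append("stelnet server is not enabled")
    if "telnet server enable" in headers:
        findings.append("telnet server is enabled (plaintext management protocol)")

    ssh_auth: Dict[str, str] = {}                  # ssh user -> authentication-type
    local_users: Dict[str, Dict[str, str]] = {}   # local user -> attribute -> value
    for header, subs in blocks:
        m = re.match(r"ssh user (\S+)(?: authentication-type (\S+))?", header)
        if m:
            ssh_auth.setdefault(m.group(1), "")
            if m.group(2):
                ssh_auth[m.group(1)] = m.group(2)
        elif header == "aaa":
            for cmd in subs:
                u = re.match(r"local-user (\S+) (password|privilege level|service-type) (.+)", cmd)
                if u:
                    local_users.setdefault(u.group(1), {})[u.group(2)] = u.group(3)
        elif header.startswith("user-interface vty"):
            if "authentication-mode aaa" not in subs:
                findings.append(f"{header}: authentication-mode is not aaa")
            inbound = [c for c in subs if c.startswith("protocol inbound")]
            # Absence is acceptable: the text notes SSH is the default inbound protocol.
            if inbound and inbound[-1] != "protocol inbound ssh":
                findings.append(f"{header}: inbound protocol is not restricted to ssh")

    for user, attrs in local_users.items():
        if not attrs.get("password", "").startswith("irreversible-cipher"):
            findings.append(f"local-user {user}: password is not stored as irreversible-cipher")
        if "telnet" in attrs.get("service-type", "").split():
            findings.append(f"local-user {user}: service-type telnet is allowed")
    for user, auth in ssh_auth.items():
        if not auth:
            findings.append(f"ssh user {user}: no authentication-type configured")
        elif auth == "password" and user not in local_users:
            findings.append(f"ssh user {user}: password authentication without a matching local-user")
    return findings


if __name__ == "__main__":
    for finding in audit_login_hardening(SAMPLE_CONFIG):
        print(finding)
```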
● Configure IPSG.
# Configure IPSG against static binding entries.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a static binding entry.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 //Create a static binding entry.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.
# Configure IPSG against dynamic DHCP snooping binding entries. Before the
configuration, you need to configure DHCP snooping and generate dynamic
DHCP snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm threshold for IP packet check.
● Configure ND snooping.
<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable //Enable ND snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly connected to the gateway.
[HUAWEI-GigabitEthernet0/0/2] nd snooping trusted //Configure the interface as a trusted interface.
● Configure DAI.
Before the configuration, you need to configure DHCP snooping and generate
dynamic DHCP snooping binding entries or manually configure static DHCP
snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable //Enable DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address //Configure the device to check only IP addresses in ARP packets based on binding entries.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable //Enable the alarm function for ARP packets discarded by DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 100 //Set the alarm threshold for ARP packets discarded by DAI.
# If access users seldom change locations, you can configure port security to
change dynamic MAC addresses to sticky MAC addresses. This ensures that
bound MAC address entries are not lost after a device resets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky //Enable the sticky MAC function on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
# If there are only a few access users and they seldom change locations, you
can configure secure static MAC addresses.
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect //Enable static MAC address flapping detection.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for port security protection.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Enable port isolation.
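Added example (not Huawei code): a Python model of the binding-table check that IPSG and DAI apply on a user-side interface, built from the two static user-bind entries above, the ip-address-only check item, and the alarm threshold of 100. The packets and the DHCP-learned entry are constructed, and raising a single alarm when the drop count reaches the threshold is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Binding:
    """One user-bind entry: static (from the commands above) or learned by DHCP snooping."""
    ip: str
    mac: str
    interface: str
    vlan: Optional[int] = None   # None: entry carries no VLAN, so the VLAN is not compared


@dataclass(frozen=True)
class Packet:
    kind: str        # "ip" is checked by IPSG, "arp" by DAI
    src_ip: str
    src_mac: str
    interface: str
    vlan: int


class BindingCheck:
    """Binding-table check on one interface, as IPSG ('ip source check user-bind')
    and DAI ('arp anti-attack check user-bind') apply it.

    check_items mirrors 'check-item': the packet fields that must match an entry.
    Packets whose source fields match no entry are discarded and counted; one
    alarm is raised when the drop count reaches alarm_threshold (a simplified
    model of the 'alarm threshold' command, assumed here)."""

    def __init__(self, interface: str, kind: str, bindings: Iterable[Binding],
                 check_items=("ip-address", "mac-address"), alarm_threshold: int = 100):
        self.interface = interface
        self.kind = kind
        self.bindings: List[Binding] = [b for b in bindings if b.interface == interface]
        self.check_items = frozenset(check_items)
        self.alarm_threshold = alarm_threshold
        self.dropped = 0
        self.alarms: List[str] = []

    def learn(self, binding: Binding) -> None:
        """Add a dynamic entry, e.g. one generated by DHCP snooping on this interface."""
        if binding.interface == self.interface:
            self.bindings.append(binding)

    def _matches(self, pkt: Packet) -> bool:
        for b in self.bindings:
            if "ip-address" in self.check_items and b.ip != pkt.src_ip:
                continue
            if "mac-address" in self.check_items and b.mac != pkt.src_mac:
                continue
            if "vlan" in self.check_items and b.vlan is not None and b.vlan != pkt.vlan:
                continue
            return True
        return False

    def inspect(self, pkt: Packet) -> bool:
        """True = forwarded, False = discarded. Other packet types or interfaces pass untouched."""
        if pkt.kind != self.kind or pkt.interface != self.interface:
            return True
        if self._matches(pkt):
            return True
        self.dropped += 1
        if self.dropped == self.alarm_threshold:
            self.alarms.append(f"{self.interface}: {self.dropped} {self.kind} packets "
                               f"discarded by user-bind check")
        return False


# Static entries copied from the 'user-bind static' commands above.
STATIC_BINDINGS = [
    Binding("10.0.0.1", "0001-0001-0001", "GigabitEthernet0/0/1"),
    Binding("10.0.0.11", "0002-0002-0002", "GigabitEthernet0/0/1"),
]


def run_demo() -> dict:
    """Constructed traffic on GigabitEthernet0/0/1; returns the verdict per case."""
    port = "GigabitEthernet0/0/1"
    ipsg = BindingCheck(port, "ip", STATIC_BINDINGS)                           # IP + MAC
    dai_ip_only = BindingCheck(port, "arp", STATIC_BINDINGS, check_items=("ip-address",))
    dai_full = BindingCheck(port, "arp", STATIC_BINDINGS)
    legit = Packet("ip", "10.0.0.1", "0001-0001-0001", port, 10)
    spoofed_ip = Packet("ip", "10.0.0.99", "0001-0001-0001", port, 10)        # IP not bound
    arp_bad_mac = Packet("arp", "10.0.0.11", "0003-0003-0003", port, 10)      # bound IP, other MAC
    results = {
        "legit_ip": ipsg.inspect(legit),
        "spoofed_ip": ipsg.inspect(spoofed_ip),
        "arp_bad_mac_ip_only": dai_ip_only.inspect(arp_bad_mac),   # check-item ip-address: passes
        "arp_bad_mac_full": dai_full.inspect(arp_bad_mac),         # IP + MAC checked: discarded
    }
    # A client learned through DHCP snooping becomes forwardable without a static entry.
    ipsg.learn(Binding("10.0.0.50", "0005-0005-0005", port, vlan=10))
    results["dhcp_learned"] = ipsg.inspect(Packet("ip", "10.0.0.50", "0005-0005-0005", port, 10))
    # Keep spoofing until the drop counter reaches the alarm threshold of 100.
    for _ in range(99):
        ipsg.inspect(spoofed_ip)
    results["ipsg_dropped"] = ipsg.dropped
    results["ipsg_alarms"] = len(ipsg.alarms)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```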
Table 7-4 describes the security policy deployment suggestions for core devices.
You can configure functions based on service requirements.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable //Enable user-level rate limiting.
● Configure the device not to send ARP packets destined for other devices to
the CPU.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp optimized-passby enable //Configure the device not to send ARP packets destined for other devices to the CPU.
<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //Enable the device to send gratuitous ARP packets.
[HUAWEI] arp gratuitous-arp send interval 60 //Set the interval for sending gratuitous ARP packets.
Table 7-5 describes the security policy deployment suggestions for wireless
services. You can configure functions based on service requirements.
● External network users can access the HTTP server on the internal network.
To ensure the proper running of the server, defend against SYN flood, UDP
flood, and HTTP flood attacks.
● To prevent viruses from being introduced by emails, perform antivirus
detection on emails using HTTP and POP3 protocols.
● Defend against attacks such as worms, Trojan horses, and botnets.
● To ensure normal services, restrict P2P and online video traffic within 30
Mbit/s at any time. To better control P2P and online video traffic, restrict
connections of related applications within 10,000. To ensure the proper
running of email and ERP applications, assign a minimum of 60 Mbit/s
bandwidth for such traffic.
● Record employees' online behaviors to implement more refined security policy
control.
[Figure: egress topology showing the firewalls (GE1/0/0, Eth-Trunk 1), the CORE CSS at the core layer (Eth-Trunk 10, Eth-Trunk 20, Eth-Trunk 30, GE1/1/1/0, GE1/1/1/1, GE2/1/1/0, GE2/1/1/1, GE1/1/0/10, GE1/2/0/0, GE2/2/0/0), the AGG at the aggregation layer (GE1/0/1, GE2/0/1) and an HTTP server]
Deployment Roadmap
Data Plan
Device | Interface Number | Member Interface | VLANIF | IP Address
GE1/0/3 - - 10.4.0.1/24
GE1/0/2
GE1/0/3 - - 10.4.0.2/24
GE1/0/2
GE2/1/1/1
Eth-Trunk 20 GE2/1/1/0
GE1/1/1/1
GE2/2/0/0
GE2/0/1
Procedure
This section mainly describes security configurations of firewalls. For details about other
configurations, see 4 Campus Egress Deployment.
To configure URL filtering, you need to activate the license and ensure that the license is
within the validity period.
Ensure that the content security package has been loaded before configuring file and data
filtering.
Assume that the user in this example already exists on the firewall, and the authentication
configuration is complete.
The system has four security zones by default. If the default security zones do
not meet your service requirements, you can create security zones and define
their security levels. After creating a security zone, add interfaces to it. Then
all packets sent and received on the interfaces are considered in the security
zone. By default, an interface does not belong to any security zone and is
unable to communicate with interfaces in other security zones.
# Assign interfaces to security zones.
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name untrust //Add the interface connected to the external network to the untrusted zone.
[FWA-zone-untrust] set priority 5
[FWA-zone-untrust] add interface gigabitethernet 1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name untrust //Add the interface connected to the external network to the untrusted zone.
[FWB-zone-untrust] set priority 5
[FWB-zone-untrust] add interface gigabitethernet 1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
# Configure a security policy for traffic from the internal network to the
external network (from the trusted zone to the untrusted zone).
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_av_1
# Configure a security policy for traffic from the trusted zone to the untrusted
zone and reference intrusion prevention profile profile_ips_pc.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_1
HRP_M[FWA-policy-security-rule-policy_sec_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
HRP_M[FWA-policy-security-rule-policy_sec_1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_1] quit
Servers often suffer from SYN flood, UDP flood, and HTTP flood attacks. To ensure
the normal running of the servers, enable the anti-DDoS function on the firewall
to defend against the three types of DDoS attacks.
HRP_M[FWA] traffic-policy
HRP_M[FWA-policy-traffic] profile profile_p2p
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole both 30000
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FWA-policy-traffic-profile-profile_p2p] quit
The following example describes the bandwidth management configuration for BitTorrent
(BT) and YouTube services. You can specify other P2P services as required.
HRP_M[FWA-policy-traffic] rule name policy_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_p2p] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_p2p] application app BT YouKu
HRP_M[FWA-policy-traffic-rule-policy_p2p] action qos profile profile_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] quit
The following example describes the bandwidth management configuration for Outlook
Web Access (OWA) and Lotus Notes. You can specify other applications as required.
HRP_M[FWA-policy-traffic] rule name policy_email
HRP_M[FWA-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_email] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FWA-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FWA-policy-traffic-rule-policy_email] quit
# Follow-up procedure
By viewing various reports, audit logs, and user activity logs, you can obtain the
online behavior of employees to implement more refined security policy control.
----End
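Added example (not Huawei code): a Python model of how the three zones and rule policy_sec_1 above decide whether a flow is permitted and which profile is attached, plus the connection limit from profile_p2p. The flows are constructed; the implicit deny when no rule matches is an assumption stated in the code.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass
class Zone:
    name: str
    priority: int
    interfaces: List[str]


@dataclass
class SecurityRule:
    """One 'rule name' in security-policy; None means the condition is not configured."""
    name: str
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    source_address: Optional[str] = None                  # CIDR, e.g. "10.6.0.0/24"
    action: str = "deny"
    profiles: Dict[str, str] = field(default_factory=dict)  # {"ips": "profile_ips_pc"}


@dataclass(frozen=True)
class Flow:
    in_interface: str
    out_interface: str
    src_ip: str
    dst_ip: str


class Firewall:
    """Zone lookup plus first-match security-policy evaluation.
    Assumption made here: when no rule matches, the default policy denies."""

    def __init__(self, zones: List[Zone], rules: List[SecurityRule]):
        self.zones = {z.name: z for z in zones}
        self.rules = rules
        self.zone_of_interface = {i: z.name for z in zones for i in z.interfaces}

    def zone_of(self, interface: str) -> Optional[str]:
        return self.zone_of_interface.get(interface)

    def evaluate(self, flow: Flow) -> Dict[str, object]:
        src_zone = self.zone_of(flow.in_interface)
        dst_zone = self.zone_of(flow.out_interface)
        # An interface outside every zone cannot exchange traffic with zoned interfaces.
        if src_zone is None or dst_zone is None:
            return {"action": "deny", "reason": "interface not in any security zone"}
        for rule in self.rules:
            if rule.source_zone and rule.source_zone != src_zone:
                continue
            if rule.destination_zone and rule.destination_zone != dst_zone:
                continue
            if rule.source_address and ip_address(flow.src_ip) not in ip_network(rule.source_address):
                continue
            # High-priority zone to low-priority zone is the outbound direction.
            outbound = self.zones[src_zone].priority > self.zones[dst_zone].priority
            return {"action": rule.action, "rule": rule.name, "profiles": dict(rule.profiles),
                    "direction": "outbound" if outbound else "inbound"}
        return {"action": "deny", "reason": "default policy"}


class ConnectionLimiter:
    """Models 'bandwidth connection-limit whole both N' for the applications matched by
    a traffic-policy rule: once N connections are open, further ones of those
    applications are refused; other applications are unaffected."""

    def __init__(self, applications: Iterable[str], limit: int):
        self.applications = set(applications)
        self.limit = limit
        self.open = 0

    def admit(self, application: str) -> bool:
        if application not in self.applications:
            return True
        if self.open >= self.limit:
            return False
        self.open += 1
        return True

    def release(self, application: str) -> None:
        if application in self.applications and self.open > 0:
            self.open -= 1


def build_fwa() -> Firewall:
    """Zones and policy_sec_1 as configured on FWA in the procedure above."""
    zones = [
        Zone("trust", 85, ["eth-trunk 1"]),
        Zone("untrust", 5, ["gigabitethernet 1/0/0"]),
        Zone("dmz", 50, ["gigabitethernet 1/0/3"]),
    ]
    rules = [
        SecurityRule("policy_sec_1", source_zone="trust", destination_zone="untrust",
                     source_address="10.6.0.0/24", action="permit",
                     profiles={"ips": "profile_ips_pc"}),
    ]
    return Firewall(zones, rules)


if __name__ == "__main__":
    fw = build_fwa()
    print(fw.evaluate(Flow("eth-trunk 1", "gigabitethernet 1/0/0", "10.6.0.25", "203.0.113.9")))
```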
Configuration Files
● FWA configuration file
#
sysname FWA
#
interface GigabitEthernet1/0/0
anti-ddosflow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return
8 QoS Deployment
to external priorities. There are eight CoS values, that is, eight per-hop
behaviors (PHBs): CS7, CS6, EF, AF4, AF3, AF2, AF1, and BE listed in
descending order of priority. Select a proper priority based on the actual
requirements for the packet delay, jitter, or packet loss ratio.
Figure 8-1 Aggregation switches functioning as gateways for wired and wireless
users
[Figure 8-1 residue: server zone (including RADIUS and DNS servers); CORE CSS at the core layer with XGE1/1/0/1, XGE1/1/0/2, XGE1/2/0/1, XGE2/1/0/1, XGE2/1/0/2, Eth-Trunk 10 and Eth-Trunk 20]
Deployment Roadmap
Data Plan
Deployment Precautions
In this example, special user traffic belongs to VLAN packets, so the remark
8021p command is used to re-mark 802.1p priorities of VLAN packets.
Packets of different types use different QoS priorities. VLAN packets use 802.1p
priorities, IP packets use DSCP priorities, and MPLS packets use EXP priorities. To
increase the priority of VoIP traffic, run the remark dscp ef command. This is
because VoIP traffic belongs to IP packets, and EF traffic requires low delay, low
jitter, and low packet loss ratio. Typical examples of EF traffic in practice are real-time services such as video, voice, and video conferencing.
Deployment Procedure
Step 1 Configure devices at core, aggregation, and access layers to ensure connectivity of
the basic network.
For details, see 3.6 Native AC Solution: Aggregation Switches Function as
Gateways for Wired and Wireless Users.
Step 2 Configure an ACL. Create an ACL and configure an ACL rule to allow special user
traffic to pass through.
<AGG1> system-view
[AGG1] acl 3000
[AGG1-acl-adv-3000] rule permit ip source 172.16.50.0 0.0.0.255 //Allow packets with the source IP address on the network segment that PC1 belongs to pass through.
[AGG1-acl-adv-3000] quit
Step 3 Configure a traffic classifier and reference the ACL rule to classify special user
traffic into one type.
[AGG1] traffic classifier c1
[AGG1-classifier-c1] if-match acl 3000
[AGG1-classifier-c1] quit
Step 4 Configure a traffic behavior to re-mark 802.1p priorities of VLAN packets with 5.
[AGG1] traffic behavior b1
[AGG1-behavior-b1] remark 8021p 5
[AGG1-behavior-b1] quit
Step 5 Configure a traffic policy and bind the traffic classifier and traffic behavior to the
traffic policy.
Step 6 Apply the traffic policy to a downlink interface of the aggregation switch to
increase the priority of incoming special user traffic.
[AGG1] interface eth-trunk 30 //Eth-Trunk 30 is the downlink interface of the aggregation switch.
[AGG1-Eth-Trunk30] traffic-policy p1 inbound
[AGG1-Eth-Trunk30] quit
----End
Configuration Files
AGG1
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
acl number 3000
rule 5 permit ip source 172.16.50.0 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 3000
#
traffic behavior b1
remark 8021p 5
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
traffic-policy p1 inbound
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
return
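The configuration file above relies on a handful of settings for its security posture: DHCP snooping on the user VLANs, the inbound traffic policy, port isolation and the removal of VLAN 1 on the downlink Eth-Trunk. The following is an added example, not part of this document or Huawei tooling, that parses a VRP configuration file in this format and reports which of those settings are missing; the excerpt it audits is constructed from the AGG1 file and deliberately omits two of them.

```python
"""Audit a Huawei VRP configuration file for the hardening settings used in this case.

Added example (not Huawei tooling). It assumes the usual VRP file layout:
'#' lines separate sections, a section header is an unindented command
(e.g. 'interface Eth-Trunk30', 'vlan 30') and child commands are indented
by one space.
"""
from typing import Dict, List

# Constructed excerpt modelled on the AGG1 configuration file above.
# VLAN 50 has no DHCP snooping and Eth-Trunk30 still allows VLAN 1 on purpose.
SAMPLE_CONFIG = """\
#
sysname AGG1
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
vlan 50
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan 20 50
 traffic-policy p1 inbound
 mode lacp
 port-isolate enable group 1
#
return
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each unindented command (section header) to its indented child lines.

    Global one-line commands such as 'dhcp snooping enable' become headers
    with an empty body, so membership in the returned dict is the check.
    """
    sections: Dict[str, List[str]] = {}
    header = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("#", "return"):
            header = None          # section boundary
            continue
        if raw.startswith(" "):
            if header is not None:
                sections[header].append(stripped)
        else:
            header = stripped
            sections.setdefault(header, [])
    return sections


def audit(config: str, downlink: str = "Eth-Trunk30",
          user_vlans=(30, 31, 50)) -> Dict[str, bool]:
    """Return one boolean per expected hardening setting (True = present)."""
    s = parse_sections(config)
    dl = s.get(f"interface {downlink}", [])
    checks = {"dhcp_snooping_global": "dhcp snooping enable" in s}
    for vlan in user_vlans:
        checks[f"dhcp_snooping_vlan{vlan}"] = (
            "dhcp snooping enable" in s.get(f"vlan {vlan}", []))
    # Any traffic policy bound inbound on the user-facing downlink.
    checks["downlink_policy_inbound"] = any(
        line.startswith("traffic-policy ") and line.endswith(" inbound")
        for line in dl)
    checks["downlink_port_isolated"] = any(
        line.startswith("port-isolate enable") for line in dl)
    checks["downlink_blocks_vlan1"] = "undo port trunk allow-pass vlan 1" in dl
    return checks


def findings(config: str) -> List[str]:
    """Names of the checks that failed, sorted for stable reporting."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print(f"MISSING: {name}")
```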
Application Scenario
This case is applicable to a small- or medium-sized store with multiple APs
deployed to provide wireless access. In the store, a small number of wired
terminals are allowed to access the network and about 200 guests access the
network concurrently in peak hours.
Service Requirements
A small- or medium-sized store intends to build a network and has the following
requirements:
1. Guests access the Internet using wireless terminals. There are approximately
200 guests in peak hours.
2. The store provides Internet access and mobile office services for employees
who use wireless and wired terminals. There are around 20 employees in the
store.
3. Wireless terminals can access the Internet only after successful
authentication.
[Figure: network topology for this scenario, showing the AR egress router, the AC, the switch, APs AP1 to AP9, and the PC; the interface labels did not survive extraction.]
● Wired access
Employees can work and access the Internet using wired terminals in the
management area.
In the networking, the S5731-S functions as both a DHCP server to assign IP
addresses to wired terminals and a wired access gateway.
● Wi-Fi coverage
A WLAN covers the guest area and management area. Using wireless
terminals, guests in the guest area can access the Internet and employees in
the management area can work and access the Internet as well.
In the networking, the AC6605 manages wireless services, and APs register
with the AC across a Layer 3 network and forward service data packets in
direct forwarding mode.
The S5731-S functions as a DHCP server to assign IP addresses to all APs and
wireless terminals.
● Network egress
Network address translation (NAT) is configured on the AR6300 to translate
public and private IP addresses.
The AR6300 connects to the Internet through PPPoE dial-up.
● Security
An ACL is configured on the S5731-S to control guest access so that wireless
users in the guest area can access only the Internet but not terminals in the
management area.
The AC6605 manages wireless services. Wireless terminals in the guest area
and management area use WeChat authentication and WPA-WPA2
authentication, respectively.
In this case, eight APs are deployed in the guest area, and one AP and one wired
terminal (PC) are deployed in the management area. Determine the number of APs
and wired terminals in each area as needed.
To prevent interference between APs and ensure optimal WLAN coverage, determine
the positions where APs are to be installed, channel, bandwidth, and cabling solution
according to WLAN Indoor Settled Network Planning Guide before deploying APs.
Deployment Roadmap
1. Configure the egress router AR6300.
a. Configure PPPoE dialup for Internet access.
b. Configure the LAN.
c. Configure routes.
2. Configure the S5731-S switch.
a. Create VLANs, create VLANIF interfaces, and configure IP addresses for
the VLANIF interfaces.
b. Add VLANs to interfaces on the switch.
c. Enable the DHCP server function. The switch then can assign IP addresses
to APs, and wired and wireless terminals.
d. Configure an ACL to control user access. Guests in the guest area can
access only the Internet. This ensures data security in the management
area.
e. Configure a default static route with the next hop being the IP address of
a downlink interface on the egress router.
3. Configure the AC6605.
a. Configure network interconnection.
b. Configure APs to go online.
c. Configure WLAN services.
Data Plan
Password admin@huawei.com
Item Data
AR6300 V300R019C10
S5731-S V200R019C10
AC6605 V200R019C10
AP6050DN V200R019C00
Preparations
Before the configuration, log in to the web system of the AR router using a PC and
perform the following operations:
1. Change the IP address of the PC to 192.168.1.x, for example, 192.168.1.100.
The IP address cannot be set to 192.168.1.1.
2. Connect the PC to the management interface (marked with the Management
silkscreen) of the AR router using Ethernet cables.
3. Access https://192.168.1.1 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.
Procedure
Step 1 Configure PPPoE dialup for Internet access.
1. Choose Configuration > WAN Configuration > Ethernet Interface. The
Interface Configuration tab page is displayed.
2. In the Ethernet Interface Settings area, select the interface for Internet
access, select Broadband dialup (PPPoE) from the Connection mode drop-
down list box, set other parameters, and click OK, as shown in Figure 9-2.
4. Choose Advanced > IP > DHCP. On the DHCP Address Pool tab page, set
DHCP status to OFF, as shown in Figure 9-5.
----End
Preparations
Before the configuration, you need to log in to the web system of the switch using
a PC and perform the following operations.
In this example, all configurations of the S5731-S are performed in traditional
management mode. If the switch is in cloud-based management mode, log in to
the web system of the switch and change the switch to the traditional
management mode.
1. Connect the PC to the first Ethernet interface on the switch using network
cables.
2. Press and hold down the MODE button for at least 6 seconds. When all
indicators on the switch are steady green, the switch enters the initial
configuration mode. In initial configuration mode, the system sets the default
IP address 192.168.1.253/24 for VLANIF 4094 and sets the default level 15 for
the admin user.
3. Configure the PC with an IP address that is on the same subnet as the default
IP address of the switch so that the PC and switch can communicate with
each other at Layer 3.
4. Visit https://192.168.1.253 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.
5. By default, the switch works in traditional management mode. If the switch
works in cloud-based management mode, log in to the switch's web system,
choose Maintenance > System Maintenance > Device Working Mode, set
Device Working Mode to Traditional management mode, and click Apply.
Procedure
Step 1 Create VLANs, create VLANIF interfaces, and configure IP addresses for the VLANIF
interfaces.
1. Create VLAN 102 to which APs belong and configure an IP address for VLANIF
102.
– Choose Configuration > Basic Services > VLAN from the main menu.
The VLAN configuration page is displayed.
2. Create VLAN 100, VLAN 103, VLAN 2000, VLAN 2100, and VLAN 2200 as well
as VLANIF interfaces, and configure IP addresses for the VLANIF interfaces.
The configuration method is similar to that of VLAN 102. Table 9-9 lists the
involved configuration items.
– Select interfaces 1 to 8.
– Set Link Type to Trunk, Default VLAN to 102, and Pass VLAN(Tagged)
to 102,2000.
Figure 9-9 Configuring interfaces connected to the APs in the guest area
– Set Address pool type to Interface address pool, and select Vlanif102.
– Click Advanced, and set the IP address of the primary DNS server to
114.114.114.114.
The configuration method is similar to that of the IP address pool from which
the DHCP server assigns IP addresses to APs. Table 9-11 lists the involved
configuration items.
Step 4 Configure an ACL to limit access of wireless end users in the guest area.
1. Choose Configuration > Security Services > ACL from the main menu. The
ACL configuration page is displayed.
2. Click the VLAN ACL tab, set VLAN ID to 2000, and click Add to add an ACL
rule.
----End
Preparations
NOTICE
● Activate the license on the Huawei ESDP website by binding the activation
password to the ESN of the WLAN AC, that is, the SN on the label. Then
download the generated license file.
● Configure the social media authentication server. For details, see "Example for
Configuring Guest Access Using Social Media Accounts (GooglePlus,
Facebook, or Twitter Accounts)" in the Agile Controller-Campus Product
Documentation.
● Before the configuration, you need to log in to the web system of the WLAN
AC using a PC and perform the following operations:
a. Change the IP address of the wired network port on the PC to
169.254.1.x, such as 169.254.1.100. The IP address cannot be set to
169.254.1.1.
b. Connect the PC to any idle network port on the AC using a network
cable.
c. Visit https://169.254.1.1 using a browser on the PC and log in using the
default user name admin and default password admin@huawei.com.
Change the password as prompted upon the first login.
Procedure
Step 1 Configure system parameters of the AC.
1. Configure basic AC parameters.
– Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.
– Set Country/Region. The following uses China as an example. Set
System time to Manual and Date and time to PC Time.
– Expand License Loading, import the license file, and activate it.
– Click Next. The Port Configuration page is displayed.
2. Configure ports on the AC.
– Select GigabitEthernet0/0/1, expand Batch Modify, and set Interface
type to Trunk and VLAN (Tagged) to 100.
– Click OK.
– Expand Static Route Table, and then click Create. The Create Static
Route Table dialog box is displayed.
– Configure a default route with the next hop being GE0/0/11 (using IP
address 10.100.1.1) on the switch.
– Click OK.
– Click Next.
– Skip the AC backup configuration and click Next. The AC Source Address
page is displayed.
4. Configure the AC source address.
– Set AC source address to Vlanif100.
– Enter the information about each AP in the AP template. The items in the
following table are involved.
Item Description
AP group Add AP1 to AP8 deployed in the guest area to ap-group1.
▪ You can check the MAC address and SN on the label attached to each AP.
▪ You are advised to use the WLAN Planner to export the planned settings (such as the radio ID, AP channel, frequency bandwidth, and power) to a .csv file, and then fill the information into the AP template. Set the longitude and latitude in the template based on your site requirements.
– Click Finish.
2. Configure a Wi-Fi network for guests.
– Click Create. The Basic Information page is displayed.
– Set SSID Name to guest and Service VLAN ID to 2000.
– Click OK.
– Select the created authentication-free rule and click Apply. In the dialog
box that is displayed, click OK.
----End
Application Scenario
This example describes the broadband remote access server (BRAS) scenario,
where an ME60 functions as a gateway and an authentication point to implement
user access authentication (IPoE access, PPPoE access, and MAC address
authentication). It is applicable to higher education campus networks with large
numbers of users (more than 20,000).
Service Requirements
A higher education campus network needs to implement integrated
authentication on wired and wireless networks in dormitories and teachers' office
areas. The requirements are as follows:
● Access requirements
Both wired and wireless networks are deployed, allowing for access of both
wired and wireless users.
Internal network users can access external networks ISP1 and ISP2 (such as
the Internet and education network), and external network users can access
server resources on the internal network.
● Authentication requirements
Wired and wireless users need to be authenticated before accessing networks.
Wired users are authenticated using PPPoE, wireless users are authenticated
using IPoE, and dumb terminals are authenticated based on their MAC
addresses.
● Network access rights requirements
Wired and wireless users have different accounts and network access rights
based on roles such as students and teachers, as described in Table 9-13.
Student and teacher accounts are managed by a local authentication,
authorization, and accounting (AAA) server, which are used for
authentication, accounting, and authorization. The local AAA server also
functions as an AAA proxy to forward business accounts to the carrier's AAA
server for authentication.
● Accounting requirements
Students and teachers are not charged when accessing the campus internal
network, and are charged when accessing external networks ISP1 and ISP2.
● Security requirements
For network security purposes, network devices need to identify and filter
traffic entering and leaving the campus network.
[Figure: campus network topology, showing ISP1, the USG6315E_A egress firewall, the ME60, the S12708E core switch, the S6730-H_A aggregation switch, the S5735-L_A access switch, and the student dormitory area terminals (PC, laptop, mobile phone, and dumb terminal); the interface labels did not survive extraction.]
Service Design
● Access requirements design
An ME60 is deployed as a gateway and an authentication point for wired and
wireless users to dynamically assign IP addresses to users and authenticate
them.
All aggregation switches are connected to a core switch S12708E. The
S12708E has the native AC function enabled to manage network-wide APs
and implement wireless network access. The native AC function removes the
need for a hardware AC, reducing investment in network devices.
S5735-L switches are deployed as access switches and are connected to
S6730-H switches at the aggregation layer. 802.1Q in 802.1Q (QinQ) is
configured on access switches to isolate users. Inner VLAN IDs are assigned to
different interfaces in areas; for example, VLANs 2001 to 3500 are assigned to
downlink interfaces of access switches in the student dormitory area and
teaching and office areas. Outer VLAN IDs are assigned to different floors in
different areas; for example, VLANs 101 to 200 are assigned to downlink
interfaces of aggregation switches in the student dormitory area, and VLANs
201 to 400 are assigned to downlink interfaces of aggregation switches in the
teaching and office areas.
The S12708E transparently transmits QinQ packets to the ME60, and the
ME60 terminates the QinQ packets.
The egress firewalls USG6680 function as the egress gateway of the external
network to isolate external networks from the internal network. They are
enabled with network address translation (NAT) to implement
communication between the internal and external networks. Additionally,
they are enabled with intelligent uplink selection to dynamically select
outbound interfaces based on the egress link bandwidth, improving link
resource utilization and user experience.
● Authentication requirements design
As an authentication device, the ME60 provides wired and wireless users with
various authentication modes, including IPoE authentication, PPPoE
authentication, and MAC address authentication.
Users can access external networks only after passing web authentication.
● Network access rights and accounting requirements design
The ME60 is configured with destination address accounting (DAA) to
implement rate limiting and accounting based on different users and
destination addresses.
● Security requirements
Egress firewalls are configured with security policies to filter users' Internet
access packets to prevent users from accessing unauthorized websites, as well
as to monitor and trace user packets.
S12700E V200R019C10
S6730-H V200R019C10
S5735-L V200R019C10
ME60 V800R008C10
USG6315E V800R007C00
Deployment Roadmap
Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.
GE1/0/7 172.16.11.5/30
GE1/0/1 202.1.1.1/24
GE1/0/2 202.2.1.2/24
Loopback 0 172.16.10.1/32
GE1/0/7 172.16.11.9/30
GE1/0/1 202.1.1.2/24
GE1/0/2 202.2.1.1/24
Loopback 0 172.16.10.2/32
GE1/0/2 172.16.11.10/30
GE1/1/1.4010 172.16.11.14/30
Loopback 0 172.16.10.3/32
10.253.128.0/17 172.16.11.6/30
10.254.0.0/17 172.16.11.6/30
10.254.128.0/17 172.16.11.6/30
172.16.10.2/32 172.16.11.6/30
172.16.10.3/32 172.16.11.6/30
172.16.10.4/32 172.16.11.6/30
192.168.10.0/24 172.16.11.6/30
10.253.128.0/17 172.16.11.10/30
10.254.0.0/17 172.16.11.10/30
10.254.128.0/17 172.16.11.10/30
172.16.10.1/32 172.16.11.10/30
172.16.10.3/32 172.16.11.10/30
172.16.10.4/32 172.16.11.10/30
192.168.10.0/24 172.16.11.10/30
172.16.10.2/32 172.16.11.9/30
172.16.10.4/32 172.16.11.13/30
0.0.0.0/0 172.16.11.5/30
0.0.0.0/0 172.16.11.9/30
172.16.10.2/32 172.16.11.14/30
172.16.10.3/32 172.16.11.14/30
# Add downlink interfaces connected to wired users to inner VLANs, with each
interface being added to a unique VLAN. The following example describes how to
add GE0/0/3 to VLAN 2001.
[S5735-L_A] interface GigabitEthernet 0/0/3
[S5735-L_A-GigabitEthernet0/0/3] port link-type access
[S5735-L_A-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_A-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_A-GigabitEthernet0/0/3] quit
Step 2 Configure an uplink interface on S5735-L_A to allow packets from all service
VLANs and the management VLAN to pass through.
[S5735-L_A] interface GigabitEthernet 0/0/1
[S5735-L_A-GigabitEthernet0/0/1] port link-type trunk
[S5735-L_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5735-L_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 600 2001 to 3500 4004
[S5735-L_A-GigabitEthernet0/0/1] quit
# Add downlink interfaces connected to wired users to inner VLANs, with each
interface being added to a unique VLAN. The following example describes how to
add GE0/0/3 to VLAN 2001.
[S5735-L_B] interface GigabitEthernet 0/0/3
[S5735-L_B-GigabitEthernet0/0/3] port link-type access
[S5735-L_B-GigabitEthernet0/0/3] port default vlan 2001
[S5735-L_B-GigabitEthernet0/0/3] stp edged-port enable
[S5735-L_B-GigabitEthernet0/0/3] quit
Step 4 Configure an uplink interface on S5735-L_B to allow packets from all service
VLANs and the management VLAN to pass through.
----End
# Configure outer VLANs for wired and wireless users on downlink interfaces, with
each interface being added to a unique VLAN. Additionally, enable the interfaces
to allow packets from the management VLAN of APs and the VLAN of dumb
terminals to pass through. The following uses XGE1/0/1 as an example to describe
how to configure outer VLAN 101 for wired users and outer VLAN 1601 for
wireless users.
[S6730-H_A] interface XGigabitEthernet 1/0/1
[S6730-H_A-XGigabitEthernet1/0/1] port link-type hybrid
[S6730-H_A-XGigabitEthernet1/0/1] undo port hybrid vlan 1
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid tagged vlan 600 4004
[S6730-H_A-XGigabitEthernet1/0/1] port hybrid untagged vlan 101 1601
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 2001 to 3000 stack-vlan 101
[S6730-H_A-XGigabitEthernet1/0/1] port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
[S6730-H_A-XGigabitEthernet1/0/1] quit
Step 2 Configure an uplink interface on S6730-H_A to allow packets from all service
VLANs and the management VLAN to pass through.
[S6730-H_A] interface XGigabitEthernet 3/0/0
[S6730-H_A-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_A-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_A-XGigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
[S6730-H_A-XGigabitEthernet3/0/0] quit
# Configure outer VLANs for wired and wireless users on downlink interfaces, with
each interface being added to a unique VLAN. Additionally, enable the interfaces
to allow packets from the management VLAN of APs and the VLAN of dumb
terminals to pass through. The following uses XGE1/0/1 as an example to describe
how to configure outer VLAN 201 for wired users and outer VLAN 1801 for
wireless users.
[S6730-H_B] interface XGigabitEthernet 1/0/1
[S6730-H_B-XGigabitEthernet1/0/1] port link-type hybrid
Step 4 Configure an uplink interface on S6730-H_B to allow packets from all service
VLANs and the management VLAN to pass through.
[S6730-H_B] interface XGigabitEthernet 3/0/0
[S6730-H_B-XGigabitEthernet3/0/0] port link-type trunk
[S6730-H_B-XGigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[S6730-H_B-XGigabitEthernet3/0/0] port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
[S6730-H_B-XGigabitEthernet3/0/0] quit
----End
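The access and aggregation configurations above define the QinQ tag stack that the ME60 later terminates. The following added example, not device code from this document, traces one access-port VLAN through the S6730-H_A vlan-stacking rules and uplink allow list to the ME60 BAS sub-interface whose user-vlan range (3001 to 3500, outer 1601 to 1800) appears later in this document; the wired PPPoE BAS ranges are not on the page and are not modelled.

```python
"""Trace an inner VLAN through the QinQ design: access switch -> S6730-H_A
vlan-stacking -> aggregation uplink -> ME60 BAS sub-interface.

Added example, not Huawei code. All VLAN numbers are taken from the
configurations in this document; the single BAS range modelled is the
wireless one (user-vlan 3001 3500 qinq 1601 1800).
"""
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# S6730-H_A XGE1/0/1:
#   port vlan-stacking vlan 2001 to 3000 stack-vlan 101
#   port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
STACKING_A: List[Tuple[Range, int]] = [((2001, 3000), 101), ((3001, 3500), 1601)]
#   port hybrid tagged vlan 600 4004  (dumb terminals, AP management: single tag)
HYBRID_TAGGED_A: List[Range] = [(600, 600), (4004, 4004)]
# S6730-H_A XGE3/0/0: port trunk allow-pass vlan 101 to 200 600 1601 to 1800 4004
UPLINK_A: List[Range] = [(101, 200), (600, 600), (1601, 1800), (4004, 4004)]
# ME60 GigabitEthernet1/1/1.1001: user-vlan 3001 3500 qinq 1601 1800
BAS_WIRELESS: Tuple[Range, Range] = ((3001, 3500), (1601, 1800))


def in_ranges(vlan: int, ranges: List[Range]) -> bool:
    return any(lo <= vlan <= hi for lo, hi in ranges)


def stack_outer(inner: int, rules: List[Tuple[Range, int]]) -> Optional[int]:
    """Outer (stack) VLAN pushed for this inner VLAN, or None if no rule applies."""
    for (lo, hi), outer in rules:
        if lo <= inner <= hi:
            return outer
    return None


def bas_accepts(outer: int, inner: int, bas: Tuple[Range, Range]) -> bool:
    """True if the (outer, inner) pair falls inside the BAS user-vlan/qinq ranges."""
    (ilo, ihi), (olo, ohi) = bas
    return ilo <= inner <= ihi and olo <= outer <= ohi


def trace(inner_vlan: int) -> Dict[str, object]:
    """Follow one access-port VLAN from the aggregation downlink towards the ME60.

    'tags' is the tag stack on the aggregation uplink, outer first; None means
    the frame is not forwarded by the downlink port at all.
    """
    outer = stack_outer(inner_vlan, STACKING_A)
    if outer is not None:                       # double-tagged user traffic
        return {"tags": (outer, inner_vlan),
                "uplink_ok": in_ranges(outer, UPLINK_A),
                "bas_wireless": bas_accepts(outer, inner_vlan, BAS_WIRELESS)}
    if in_ranges(inner_vlan, HYBRID_TAGGED_A):  # single-tagged pass-through
        return {"tags": (inner_vlan,),
                "uplink_ok": in_ranges(inner_vlan, UPLINK_A),
                "bas_wireless": False}
    return {"tags": None, "uplink_ok": False, "bas_wireless": False}


if __name__ == "__main__":
    for vlan in (2001, 3001, 4004, 3600):
        print(vlan, trace(vlan))
```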
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
Step 2 Create VLANs in a batch, including outer VLANs 101 to 400 for wired users, outer
VLANs 1601 to 2000 for wireless users, VLANs 3001 to 3500 for wireless services,
VLAN 600 for dumb terminals, management VLAN 4004 for APs, and VLAN 4010
for connecting to the ME60.
[S12708E] vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
Step 5 Configure static routes to firewalls and the ME60, with the next-hop address being
172.16.11.14.
[S12708E] ip route-static 172.16.10.1 32 172.16.11.14
[S12708E] ip route-static 172.16.10.2 32 172.16.11.14
[S12708E] ip route-static 172.16.10.3 32 172.16.11.14
# Configure the switch as a DHCP server to assign IP addresses to APs from the IP
address pool on VLANIF 4004.
[S12708E] dhcp enable
[S12708E] interface Vlanif4004
[S12708E-Vlanif4004] ip address 10.250.0.1 20
[S12708E-Vlanif4004] arp-proxy enable
[S12708E-Vlanif4004] arp-proxy inner-sub-vlan-proxy enable
[S12708E-Vlanif4004] dhcp select interface
[S12708E-Vlanif4004] quit
# Create an AP group to which APs with the same configurations will be added.
[S12708E] wlan
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and
apply the profile to the AP group.
[S12708E-wlan-view] regulatory-domain-profile name domain1
[S12708E-wlan-regulate-domain-domain1] country-code cn
[S12708E-wlan-regulate-domain-domain1] quit
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12708E-wlan-ap-group-ap-group1] quit
# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online properly.
[S12708E-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
-----------------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------------------------
0 acf9-703e-ad00 area_1 ap-group1 10.250.12.109 AP4050DN nor 0 1D:0H:34M:33S -
-----------------------------------------------------------------------------------------------------------------------
Total: 1
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[S12708E-wlan-view] ssid-profile name wlan-ssid
[S12708E-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[S12708E-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the service data forwarding mode and service
VLAN, and bind the security profile and SSID profile to the VAP profile.
[S12708E-wlan-view] vap-profile name wlan-vap
[S12708E-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[S12708E-wlan-vap-prof-wlan-vap] service-vlan vlan-id 3001
[S12708E-wlan-vap-prof-wlan-vap] security-profile wlan-security
[S12708E-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[S12708E-wlan-vap-prof-wlan-vap] traffic-profile name new-vap-traffic-1
[S12708E-wlan-traffic-prof-new-vap-traffic-1] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[S12708E-wlan-view] ap-group name ap-group1
[S12708E-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[S12708E-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[S12708E-wlan-ap-group-ap-group1] quit
The automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when the two functions are disabled.
The channel and power settings for the AP radios in this example are for reference only. In
practice, configure the channel and power of AP radios based on the actual country code
and network planning.
----End
Step 3 Enable IPoE access to provide IPoE access authentication for wireless student and
teacher users on the campus network. As a gateway and an authentication device,
the ME60 assigns private IP addresses to wireless users who are successfully
authenticated and grants network access rights to these users accordingly. Users
can access external networks only after passing web authentication.
1. Configure AAA schemes.
# Configure an authentication scheme.
[~ME60] aaa
[~ME60-aaa] http-redirect enable
[*ME60-aaa] authentication-scheme none
[*ME60-aaa-authen-none] authentication-mode radius
[*ME60-aaa-authen-none] commit
[~ME60-aaa-authen-none] quit
7. Configure domains.
# Configure domain pre-authen as the pre-authentication domain for web
authentication.
[~ME60] aaa
[~ME60-aaa] domain pre-authen
[*ME60-aaa-domain-pre-authen] user-group pre-web
[*ME60-aaa-domain-pre-authen] authentication-scheme none
[*ME60-aaa-domain-pre-authen] accounting-scheme none
[*ME60-aaa-domain-pre-authen] ip-pool pre-pool
[*ME60-aaa-domain-pre-authen] web-server 192.168.10.53
[*ME60-aaa-domain-pre-authen] web-server url http://192.168.10.53/help/help.html
[*ME60-aaa-domain-pre-authen] commit
[~ME60-aaa-domain-pre-authen] quit
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
# Configure domain jg as an authentication domain for web authentication.
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] user-group pre-web
[*ME60-aaa-domain-jg] authentication-scheme authen
[*ME60-aaa-domain-jg] accounting-scheme acc
[*ME60-aaa-domain-jg] ip-pool jiaoshi
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] radius-server group radius
[*ME60-aaa-domain-jg] quota-out online
[~ME60-aaa-domain-jg] quit
[~ME60-aaa] quit
8. Configure UCLs.
[~ME60] acl 6010
[*ME60-acl-ucl-6010] rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6010] rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6010] rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6010] rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
[*ME60-acl-ucl-6010] rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
[*ME60-acl-ucl-6010] commit
[~ME60-acl-ucl-6010] quit
[~ME60] acl 6011
[*ME60-acl-ucl-6011] rule 5 permit tcp source user-group pre-web destination-port eq www
[*ME60-acl-ucl-6011] rule 10 permit tcp source user-group pre-web destination-port eq 8080
[*ME60-acl-ucl-6011] rule 20 permit ip source user-group pre-web
[*ME60-acl-ucl-6011] commit
[~ME60-acl-ucl-6011] quit
9. Configure a traffic policy.
[~ME60] traffic classifier 6010 operator or
[*ME60-classifier-6010] if-match acl 6010
[*ME60-classifier-6010] commit
[~ME60-classifier-6010] quit
[~ME60] traffic classifier 6011 operator or
[*ME60-classifier-6011] if-match acl 6011
[*ME60-classifier-6011] commit
[~ME60-classifier-6011] quit
[~ME60] traffic behavior 6010
[*ME60-behavior-6010] permit
[*ME60-behavior-6010] commit
[~ME60-behavior-6010] quit
[~ME60] traffic behavior 6011
[*ME60-behavior-6011] http-redirect
[*ME60-behavior-6011] commit
[~ME60-behavior-6011] quit
[~ME60] traffic policy traffic-policy-1
[*ME60-trafficpolicy-traffic-policy-1] share-mode
[*ME60-trafficpolicy-traffic-policy-1] classifier 6010 behavior 6010
[*ME60-trafficpolicy-traffic-policy-1] classifier 6011 behavior 6011
[*ME60-trafficpolicy-traffic-policy-1] commit
[~ME60-trafficpolicy-traffic-policy-1] quit
[~ME60] traffic-policy traffic-policy-1 inbound
[~ME60] traffic-policy traffic-policy-1 outbound
10. Configure BAS interfaces.
[~ME60] interface gigabitethernet1/1/1.1001
[*ME60-GigabitEthernet1/1/1.1001] description xuesheng-web
[*ME60-GigabitEthernet1/1/1.1001] user-vlan 3001 3500 qinq 1601 1800
[*ME60-GigabitEthernet1/1/1.1001-vlan-3001-3500-QinQ-1601-1800] quit
[*ME60-GigabitEthernet1/1/1.1001] bas
[*ME60-GigabitEthernet1/1/1.1001-bas] access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
Step 4 Enable PPPoE access to provide PPPoE access authentication for wired student and
teacher users on the campus network. As a gateway and an authentication device,
the ME60 sends user names and passwords to the RADIUS server for
authentication, and assigns IP address to users after they are successfully
authenticated.
The following describes only the PPPoE access configuration for students. For
details about how to configure AAA schemes, a RADIUS server, and authentication
domains, see the IPoE access configuration.
1. Configure IP address pools.
# Configure IP address pool xuesheng.
[~ME60] ip pool xuesheng bas local
[*ME60-ip-pool-xuesheng] gateway 10.254.0.1 255.255.128.0
[*ME60-ip-pool-xuesheng] section 0 10.254.0.2 10.254.127.254
[*ME60-ip-pool-xuesheng] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-xuesheng] lease 0 12 0
[*ME60-ip-pool-xuesheng] commit
[~ME60-ip-pool-xuesheng] quit
# Configure IP address pool pre-ppp.
[~ME60] ip pool pre-ppp bas local
[*ME60-ip-pool-pre-ppp] gateway 10.253.128.1 255.255.128.0
[*ME60-ip-pool-pre-ppp] section 0 10.253.128.2 10.253.255.254
[*ME60-ip-pool-pre-ppp] dns-server 192.168.10.2 10.255.57.5
[*ME60-ip-pool-pre-ppp] lease 0 12 0
[*ME60-ip-pool-pre-ppp] commit
[~ME60-ip-pool-pre-ppp] quit
2. Configure user group pre-ppp.
[~ME60] user-group pre-ppp
3. Configure pre-authentication domain pre-ppp.
[~ME60] aaa
[~ME60-aaa] domain pre-ppp
[*ME60-aaa-domain-pre-ppp] user-group pre-ppp
[*ME60-aaa-domain-pre-ppp] authentication-scheme none
[*ME60-aaa-domain-pre-ppp] accounting-scheme none
[*ME60-aaa-domain-pre-ppp] ip-pool pre-ppp
[*ME60-aaa-domain-pre-ppp] web-server 192.168.10.55
[*ME60-aaa-domain-pre-ppp] web-server url http://192.168.10.55/help/help.html
[*ME60-aaa-domain-pre-ppp] commit
[~ME60-aaa-domain-pre-ppp] quit
[~ME60-aaa] quit
4. Configure UCLs.
[~ME60] acl 6012
[*ME60-acl-ucl-6012] rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
[*ME60-acl-ucl-6012] rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
[*ME60-acl-ucl-6012] rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
[*ME60-acl-ucl-6012] commit
[~ME60-acl-ucl-6012] quit
[~ME60] acl 6013
[*ME60-acl-ucl-6013] rule 5 permit tcp source user-group pre-ppp destination-port eq www
[*ME60-acl-ucl-6013] rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
[*ME60-acl-ucl-6013] rule 20 deny ip source user-group pre-ppp
[*ME60-acl-ucl-6013] commit
[~ME60-acl-ucl-6013] quit
Step 5 Configure MAC address authentication for dumb terminals such as printers and
fax machines. MAC address authentication is used to simplify web authentication.
When MAC address authentication is configured, a web authentication user only
needs to enter the user name and password at the first authentication, and the
RADIUS server records the user's MAC address. Upon the next web authentication
of the user, the RADIUS server performs authentication based on the user's MAC
address, removing the need to enter the user name and password again.
The following describes only the configuration of MAC address authentication. For
details about how to configure AAA schemes, a RADIUS server, a web server, IP
address pools, and UCL rules, see the IPoE and PPPoE access configurations.
1. In the AAA view, configure the ME60 to use the MAC address carried in access
request packets as the pure user name.
[~ME60] aaa
[~ME60-aaa] default-user-name include mac-address -
[*ME60-aaa] default-password cipher Root@123
[*ME60-aaa] authentication-scheme mac
[*ME60-aaa-authen-mac] authening authen-fail online authen-domain pre-authen
[*ME60-aaa-authen-mac] commit
[~ME60-aaa-authen-mac] quit
[~ME60-aaa] quit
Step 6 Configure DAA at different tariff levels to implement bandwidth control based
on the destination addresses of user access traffic. You can
configure different bandwidths for students, teachers, business users, and dumb
terminals to access the campus internal network, for example, 10 Mbit/s for
students, 20 Mbit/s for teachers, and 20 Mbit/s for dumb terminals. Bind business
accounts to teacher or student accounts on the campus network, and configure a
bandwidth of 50 Mbit/s for students and teachers to access external networks.
The following describes only the DAA configuration. For details about how to
configure AAA schemes, a RADIUS server, and a web server, see the IPoE access
configuration.
[*ME60-classifier-6001] commit
[~ME60-classifier-6001] quit
# Configure traffic classifier 6003.
[~ME60] traffic classifier 6003 operator or
[*ME60-classifier-6003] if-match acl 6003
[*ME60-classifier-6003] commit
[~ME60-classifier-6003] quit
# Configure traffic classifier 6005.
[~ME60] traffic classifier 6005 operator or
[*ME60-classifier-6005] if-match acl 6005
[*ME60-classifier-6005] commit
[~ME60-classifier-6005] quit
# Configure DAA traffic behavior 6001.
[~ME60] traffic behavior 6001
[*ME60-behavior-6001] tariff-level 1
[*ME60-behavior-6001] car
[*ME60-behavior-6001] traffic-statistic
[*ME60-behavior-6001] commit
[~ME60-behavior-6001] quit
# Configure DAA traffic behavior 6003.
[~ME60] traffic behavior 6003
[*ME60-behavior-6003] tariff-level 1
[*ME60-behavior-6003] car
[*ME60-behavior-6003] traffic-statistic
[*ME60-behavior-6003] commit
[~ME60-behavior-6003] quit
# Configure DAA traffic behavior 6005.
[~ME60] traffic behavior 6005
[*ME60-behavior-6005] tariff-level 1
[*ME60-behavior-6005] car
[*ME60-behavior-6005] traffic-statistic
[*ME60-behavior-6005] commit
[~ME60-behavior-6005] quit
# Configure DAA traffic policy traffic_policy_daa.
[~ME60] traffic policy traffic_policy_daa
[*ME60-trafficpolicy-traffic_policy_daa] share-mode
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6003 behavior 6003
[*ME60-trafficpolicy-traffic_policy_daa] classifier 6005 behavior 6005
[*ME60-trafficpolicy-traffic_policy_daa] commit
[~ME60-trafficpolicy-traffic_policy_daa] quit
# Apply the DAA traffic policy traffic_policy_daa globally.
[~ME60] accounting-service-policy traffic_policy_daa
4. Configure QoS profiles.
[~ME60] qos-profile 10M
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard inbound
[*ME60-qos-profile-10M] car cir 10000 cbs 1870000 green pass red discard outbound
[*ME60-qos-profile-10M] quit
[*ME60] qos-profile 20M
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard inbound
[*ME60-qos-profile-20M] car cir 20000 cbs 3740000 green pass red discard outbound
[*ME60-qos-profile-20M] quit
[*ME60] qos-profile 50M
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard inbound
[*ME60-qos-profile-50M] car cir 50000 cbs 9350000 green pass red discard outbound
[*ME60-qos-profile-50M] commit
[*ME60-qos-profile-50M] quit
5. Configure DAA service policies.
[~ME60] value-added-service policy 10m daa
[*ME60-vas-policy-10m] accounting-scheme none
[*ME60-vas-policy-10m] traffic-separate enable
[*ME60-vas-policy-10m] tariff-level 1 qos-profile 10M
[*ME60-vas-policy-10m] quit
[*ME60] value-added-service policy 20m daa
[*ME60-vas-policy-20m] accounting-scheme none
[*ME60-vas-policy-20m] traffic-separate enable
[*ME60-vas-policy-20m] tariff-level 1 qos-profile 20M
[*ME60-vas-policy-20m] quit
[*ME60] value-added-service policy 50m daa
[*ME60-vas-policy-50m] accounting-scheme none
[*ME60-vas-policy-50m] traffic-separate enable
[*ME60-vas-policy-50m] tariff-level 1 qos-profile 50M
[*ME60-vas-policy-50m] commit
[~ME60-vas-policy-50m] quit
6. Configure domains.
[~ME60] aaa
[~ME60-aaa] domain xs
[*ME60-aaa-domain-xs] value-added-service account-type none
[*ME60-aaa-domain-xs] value-added-service policy 10m
[*ME60-aaa-domain-xs] commit
[~ME60-aaa-domain-xs] quit
[~ME60-aaa] domain jg
[*ME60-aaa-domain-jg] value-added-service account-type none
[*ME60-aaa-domain-jg] value-added-service policy 20m
[*ME60-aaa-domain-jg] commit
[~ME60-aaa-domain-jg] quit
----End
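The qos-profile CAR parameters in step 4 of this DAA procedure, modelled as an added Python example that is not Huawei's code: a single-rate token bucket with the page's cir/cbs values, run over constructed packet sequences to show when traffic is marked green (pass) or red (discard). The relation cbs = 187 × cir is read off the three profiles on the page rather than stated by it, and the interval and packet sizes are assumptions.

```python
"""Single-rate token-bucket model of the ME60 qos-profile CAR settings above
(added example, not Huawei code). Assumes: cir in kbit/s and cbs in bytes as
written in the qos-profile commands; a packet is green (pass) when the bucket
holds at least its length in bytes, otherwise red (discard); time is in
microseconds. The 187 factor is derived from the page's own numbers
(cbs = 187 * cir for all three profiles), not a formula the page states.
"""


class Car:
    """Committed access rate: one bucket of cbs bytes, refilled at cir."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.cir_kbps = cir_kbps
        self.cbs_bytes = cbs_bytes
        self.tokens = float(cbs_bytes)  # bucket starts full
        self.last_us = 0

    def offer(self, t_us: int, length: int) -> str:
        # Refill for the elapsed time: kbit/s * us -> bytes is cir * dt / 8000.
        dt = max(0, t_us - self.last_us)
        self.tokens = min(self.cbs_bytes, self.tokens + dt * self.cir_kbps / 8000)
        self.last_us = max(self.last_us, t_us)
        if self.tokens >= length:
            self.tokens -= length
            return "green"
        return "red"  # no tokens consumed; the packet is discarded


def cbs_for(cir_kbps: int) -> int:
    """The cbs the page pairs with each cir (10M: 1870000, 20M: 3740000, 50M: 9350000)."""
    return cir_kbps * 187


def burst_seconds(cir_kbps: int, cbs_bytes: int) -> float:
    """How long a full bucket lets traffic exceed cir before packets turn red."""
    return cbs_bytes / (cir_kbps * 1000 / 8)


# (cir kbit/s, cbs bytes) exactly as in the qos-profile commands on the page.
PROFILES = {"10M": (10000, 1870000), "20M": (20000, 3740000), "50M": (50000, 9350000)}


def police(profile, packets):
    """Run (t_us, length) packets through a fresh Car; return (green, red) counts."""
    car = Car(*profile)
    green = red = 0
    for t_us, length in packets:
        if car.offer(t_us, length) == "green":
            green += 1
        else:
            red += 1
    return green, red


def instantaneous_burst(profile: str, count: int = 2000, length: int = 1500):
    """Constructed input: `count` packets of `length` bytes arriving at the same instant.
    Only the bucket depth (cbs) decides how many pass."""
    return police(PROFILES[profile], [(0, length) for _ in range(count)])


def sustained_overrate(profile: str = "10M", packets: int = 10000,
                       interval_us: int = 1000, length: int = 1500):
    """Constructed input: 1500-byte packets every 1 ms, i.e. 12 Mbit/s offered.
    That exceeds the student profile (10M) but fits the teacher profile (20M)."""
    return police(PROFILES[profile], [(i * interval_us, length) for i in range(packets)])
```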
[USG6315E_B-GigabitEthernet1/0/6] quit
[USG6315E_B] interface gigabitethernet 1/0/7
[USG6315E_B-GigabitEthernet1/0/7] ip address 172.16.11.9 30
[USG6315E_B-GigabitEthernet1/0/7] quit
# Add each interface to the corresponding security zone. Specifically, add the
interfaces connected to the internal network to security zone trust, add the
interfaces connected to the ISP1 network to security zone isp1, add the interfaces
connected to the ISP2 network to security zone isp2, and add the heartbeat
interfaces between firewalls to the DMZ.
[USG6315E_A] firewall zone trust
[USG6315E_A-zone-trust] set priority 85
[USG6315E_A-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_A-zone-trust] quit
[USG6315E_A] firewall zone name isp1
[USG6315E_A-zone-isp1] set priority 10
[USG6315E_A-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_A-zone-isp1] quit
[USG6315E_A] firewall zone name isp2
[USG6315E_A-zone-isp2] set priority 15
[USG6315E_A-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_A-zone-isp2] quit
[USG6315E_A] firewall zone dmz
[USG6315E_A-zone-dmz] set priority 50
[USG6315E_A-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_A-zone-dmz] quit
[USG6315E_B] firewall zone trust
[USG6315E_B-zone-trust] set priority 85
[USG6315E_B-zone-trust] add interface gigabitethernet 1/0/7
[USG6315E_B-zone-trust] quit
[USG6315E_B] firewall zone name isp1
[USG6315E_B-zone-isp1] set priority 10
[USG6315E_B-zone-isp1] add interface gigabitethernet 1/0/1
[USG6315E_B-zone-isp1] quit
[USG6315E_B] firewall zone name isp2
[USG6315E_B-zone-isp2] set priority 15
[USG6315E_B-zone-isp2] add interface gigabitethernet 1/0/2
[USG6315E_B-zone-isp2] quit
[USG6315E_B] firewall zone dmz
[USG6315E_B-zone-dmz] set priority 50
[USG6315E_B-zone-dmz] add interface gigabitethernet 1/0/6
[USG6315E_B-zone-dmz] quit
# Enable the IP-link function to detect whether ISP links are working properly.
# Configure two default routes on each firewall, with the next hops pointing to
the access points of the two ISP networks respectively.
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[USG6315E_A] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
[USG6315E_B] ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
Step 5 Configure security policies to allow communication between the local zone and
DMZ, allow internal network users to access external networks, and allow external
network users to access the internal HTTP server.
After a hot standby group is successfully established between the active and standby
firewalls, the security policies configured on USG6315E_A will be automatically
synchronized to USG6315E_B. The following describes only the configuration on
USG6315E_A.
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_dmz
[USG6315E_A-policy-security-rule-policy_dmz] source-zone local
[USG6315E_A-policy-security-rule-policy_dmz] source-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone local
[USG6315E_A-policy-security-rule-policy_dmz] destination-zone dmz
[USG6315E_A-policy-security-rule-policy_dmz] action permit
[USG6315E_A-policy-security-rule-policy_dmz] quit
[USG6315E_A-policy-security] rule name trust_to_untrust
[USG6315E_A-policy-security-rule-trust_to_untrust] source-zone trust
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp1
[USG6315E_A-policy-security-rule-trust_to_untrust] destination-zone isp2
[USG6315E_A-policy-security-rule-trust_to_untrust] action permit
[USG6315E_A-policy-security-rule-trust_to_untrust] quit
[USG6315E_A-policy-security] rule name untrust_to_trust
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp1
[USG6315E_A-policy-security-rule-untrust_to_trust] source-zone isp2
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-zone trust
[USG6315E_A-policy-security-rule-untrust_to_trust] destination-address 192.168.10.0 24
[USG6315E_A-policy-security-rule-untrust_to_trust] action permit
[USG6315E_A-policy-security-rule-untrust_to_trust] quit
[USG6315E_A-policy-security] quit
# Configure source NAT policies to allow internal network users to access the
Internet through post-NAT public IP addresses.
[USG6315E_A] nat-policy
[USG6315E_A-policy-nat] rule name policy_nat_1
[USG6315E_A-policy-nat-rule-policy_nat_1] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_1] destination-zone isp1
[USG6315E_A-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
[USG6315E_A-policy-nat-rule-policy_nat_1] quit
[USG6315E_A-policy-nat] rule name policy_nat_2
[USG6315E_A-policy-nat-rule-policy_nat_2] source-zone trust
[USG6315E_A-policy-nat-rule-policy_nat_2] destination-zone isp2
[USG6315E_A-policy-nat-rule-policy_nat_2] action nat address-group addressgroup2
[USG6315E_A-policy-nat-rule-policy_nat_2] quit
[USG6315E_A-policy-nat] quit
This function requires a license and dynamic installation of the corresponding component
package.
# Create an application behavior control file to prohibit HTTP and FTP operations
during the class time.
[USG6315E_A] profile type app-control name profile_app_work
[USG6315E_A-profile-app-control-profile_app_work] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control proxy action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control web-browse action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] http-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_work] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_work] quit
# Create an application behavior control file to allow only HTTP web browsing,
HTTP proxy surfing, and HTTP file download during the break time.
[USG6315E_A] profile type app-control name profile_app_rest
[USG6315E_A-profile-app-control-profile_app_rest] http-control post action deny
[USG6315E_A-profile-app-control-profile_app_rest] http-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file delete action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
[USG6315E_A-profile-app-control-profile_app_rest] ftp-control file direction download action deny
[USG6315E_A-profile-app-control-profile_app_rest] quit
# Configure the security policy policy_sec_work and reference the time range
working_hours and application behavior control file profile_app_work to control
the application behavior of students during the class time.
[USG6315E_A] security-policy
[USG6315E_A-policy-security] rule name policy_sec_work
[USG6315E_A-policy-security-rule-policy_sec_work] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_work] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_work] user any
[USG6315E_A-policy-security-rule-policy_sec_work] time-range working_hours
[USG6315E_A-policy-security-rule-policy_sec_work] profile app-control profile_app_work
[USG6315E_A-policy-security-rule-policy_sec_work] action permit
[USG6315E_A-policy-security-rule-policy_sec_work] quit
# Configure the security policy policy_sec_rest and reference the time range
off_hours and application behavior control file profile_app_rest to control the
application behavior of students during the break time.
[USG6315E_A-policy-security] rule name policy_sec_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] source-zone trust
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp1
[USG6315E_A-policy-security-rule-policy_sec_rest] destination-zone isp2
[USG6315E_A-policy-security-rule-policy_sec_rest] user any
[USG6315E_A-policy-security-rule-policy_sec_rest] time-range off_hours
[USG6315E_A-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
[USG6315E_A-policy-security-rule-policy_sec_rest] action permit
[USG6315E_A-policy-security-rule-policy_sec_rest] quit
----End
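The zone-based security policy from Step 5 and the time-based application control rules above, modelled as an added Python example that is not Huawei's code. It assumes the USG behaviour of evaluating rules top-down with the first match winning and deny as the default action; the working_hours and off_hours windows are constructed, since the page names but does not define them, and the reordered rule list is the example's own illustration of why rule order matters.

```python
"""Model of the USG6315E_A security policy configured above (added example, not
Huawei code). Assumes top-down, first-match evaluation with a default action of
deny; the working_hours/off_hours windows are constructed because the page
references the time ranges but does not define them.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    action: str
    dst_nets: list = field(default_factory=list)  # empty means any destination
    time_range: Optional[str] = None             # None means always active
    app_profile: Optional[str] = None            # "profile app-control ..."


# Constructed hour-of-day windows [start, end); the page only names the ranges.
TIME_RANGES = {"working_hours": (8, 18), "off_hours": (18, 24)}


def time_range_active(name: str, hour: int) -> bool:
    start, end = TIME_RANGES[name]
    return start <= hour < end


def rule_matches(rule: Rule, src_zone: str, dst_zone: str, dst_ip: str, hour: int) -> bool:
    if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
        return False
    if rule.dst_nets and not any(ip_address(dst_ip) in net for net in rule.dst_nets):
        return False
    if rule.time_range and not time_range_active(rule.time_range, hour):
        return False
    return True


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             dst_ip: str, hour: int) -> Tuple[str, str, Optional[str]]:
    """First matching rule decides: (rule name, action, app-control profile)."""
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, dst_ip, hour):
            return rule.name, rule.action, rule.app_profile
    return "default", "deny", None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Conservative check: a rule is shadowed when an earlier rule covers its
    zones and carries no destination or time restriction, so no flow reaches it."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src_zones <= earlier.src_zones
                    and later.dst_zones <= earlier.dst_zones
                    and not earlier.dst_nets and earlier.time_range is None):
                shadowed.append(later.name)
                break
    return shadowed


# The rules from the page, in the order they are created on USG6315E_A.
POLICY_AS_CONFIGURED = [
    Rule("policy_dmz", {"local", "dmz"}, {"local", "dmz"}, "permit"),
    Rule("trust_to_untrust", {"trust"}, {"isp1", "isp2"}, "permit"),
    Rule("untrust_to_trust", {"isp1", "isp2"}, {"trust"}, "permit",
         dst_nets=[ip_network("192.168.10.0/24")]),
    Rule("policy_sec_work", {"trust"}, {"isp1", "isp2"}, "permit",
         time_range="working_hours", app_profile="profile_app_work"),
    Rule("policy_sec_rest", {"trust"}, {"isp1", "isp2"}, "permit",
         time_range="off_hours", app_profile="profile_app_rest"),
]

# Same rules with the time-bound app-control rules placed before the blanket
# trust_to_untrust permit, so that under first-match they are actually reached.
POLICY_REORDERED = [POLICY_AS_CONFIGURED[0], POLICY_AS_CONFIGURED[3],
                    POLICY_AS_CONFIGURED[4], POLICY_AS_CONFIGURED[1],
                    POLICY_AS_CONFIGURED[2]]
```

Checking `shadowed_rules` before committing a rule set is the quick way to confirm that a profile-carrying rule is not sitting behind a broader permit.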
Step 2 User 1 and user 2 access the network in the student dormitory through wired
authentication and wireless authentication, respectively. After the authentication
succeeds, you can check the user information on the ME60, including the interface
of the access switch from which the wired user goes online and the AP from which
the wireless user goes online. On the ME60, you can check information about
online users, check whether users have obtained corresponding network access
rights, and check whether user 1 and user 2 can access the post-authentication
domain.
Step 3 User 1 and user 2 access the network in the teaching and office areas through
wired authentication and wireless authentication, respectively. After the
authentication succeeds, you can check the user information on the ME60,
including the interface of the access switch from which the wired user goes online
and the AP from which the wireless user goes online. On the ME60, you can check
information about online users, check whether users have obtained corresponding
network access rights, and check whether user 1 and user 2 can access the post-
authentication domain.
----End
S6730-H_A
#
sysname S6730-H_A
#
vlan batch 101 to 200 600 1601 to 1800 4004
#
interface XGigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid tagged vlan 600 4004
port hybrid untagged vlan 101 1601
port vlan-stacking vlan 2001 to 3000 stack-vlan 101
port vlan-stacking vlan 3001 to 3500 stack-vlan 1601
#
S6730-H_B
#
sysname S6730-H_B
#
vlan batch 201 to 400 600 1801 to 2000 4004
#
interface XGigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid tagged vlan 600 4004
port hybrid untagged vlan 201 1801
port vlan-stacking vlan 2001 to 3000 stack-vlan 201
port vlan-stacking vlan 3001 to 3500 stack-vlan 1801
#
S12708E
#
sysname S12708E
#
vlan batch 101 to 400 600 1601 to 2000 3001 to 3500 4004 4010
#
dhcp enable
#
interface Vlanif4004
ip address 10.250.0.1 255.255.240.0
arp-proxy enable
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
interface Vlanif4010
ip address 172.16.11.13 255.255.255.252
#
interface XGigabitEthernet4/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 200 600 1601 to 1801 4004
port-isolate enable group 1
#
interface XGigabitEthernet4/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 400 600 1801 to 2000 4004
port-isolate enable group 1
#
interface XGigabitEthernet5/0/7
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 400 600 1601 to 2000 4004 4010
#
interface LoopBack0
ip address 172.16.10.4 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.14
ip route-static 172.16.10.2 255.255.255.255 172.16.11.14
ip route-static 172.16.10.3 255.255.255.255 172.16.11.14
#
capwap source interface vlanif4004
#
wlan
traffic-profile name new-vap-traffic-1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 3001
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile new-vap-traffic-1
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 75 ap-mac acf9-703e-ad00 ap-sn 21500831023GJ1006553
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
ME60
#
sysname ME60
#
value-added-service enable
#
user-group pre-web
user-group pre-ppp
user-group xuesheng
user-group jiaoshi
#
radius-server source interface LoopBack0
radius-server authorization 192.168.10.55 shared-key-cipher %^%#&|-oI:&#&%<ZBPF\0s@"-vgF~lVjpAB5w[5XP4=4%^%#
radius-server authorization 192.168.10.241 shared-key-cipher %^%#O1n13EDPo9e7bHWac{b7-FtB(:e}f@pT-p6l=$<*%^%#
#
radius-server group radius
radius-server shared-key-cipher %^%#l$~9,kQZF!:j]$R54Ka~=3]%L8^w7,E+Ft2X*}:@%^%#
radius-server authentication 192.168.10.55 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
undo radius-server user-name domain-included
#
radius-server group mac
radius-server shared-key-cipher %^%#/W@Y%>vX8EzCg<LzjKV$G(0j&;2"}:5Nzy3pc[=+%^%#
radius-server authentication 192.168.10.55 1812 weight 0
radius-server accounting 192.168.10.55 1813 weight 0
#
qos-profile 50M
car cir 50000 cbs 9350000 green pass red discard inbound
car cir 50000 cbs 9350000 green pass red discard outbound
#
qos-profile 20M
car cir 20000 cbs 3740000 green pass red discard inbound
car cir 20000 cbs 3740000 green pass red discard outbound
#
qos-profile 10M
car cir 10000 cbs 1870000 green pass red discard inbound
car cir 10000 cbs 1870000 green pass red discard outbound
#
ip pool jiaoshi bas local
gateway 10.254.128.1 255.255.128.0
section 0 10.254.128.2 10.254.255.254
excluded-ip-address 10.254.128.2 10.254.129.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool pre-pool bas local
gateway 10.253.0.1 255.255.128.0
section 0 10.253.0.2 10.253.127.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool pre-ppp bas local
gateway 10.253.128.1 255.255.128.0
section 0 10.253.128.2 10.253.255.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
ip pool xuesheng bas local
gateway 10.254.0.1 255.255.128.0
section 0 10.254.0.2 10.254.127.254
dns-server 192.168.10.2 10.255.57.5
lease 0 12 0
#
acl number 6001
rule 5 permit ip source user-group shangye destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group shangye
rule 15 permit ip source user-group shangye destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group shangye
rule 25 permit ip source user-group shangye destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group shangye
#
acl number 6003
rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
#
acl number 6005
rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
#
acl number 6010
rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
#
acl number 6011
rule 5 permit tcp source user-group pre-web destination-port eq www
rule 10 permit tcp source user-group pre-web destination-port eq 8080
rule 20 permit ip source user-group pre-web
#
acl number 6012
rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
#
acl number 6013
rule 5 permit tcp source user-group pre-ppp destination-port eq www
rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
rule 20 deny ip source user-group pre-ppp
#
traffic classifier 6001 operator or
if-match acl 6001
#
traffic classifier 6003 operator or
if-match acl 6003
#
traffic classifier 6005 operator or
if-match acl 6005
#
traffic classifier 6010 operator or
if-match acl 6010
#
traffic classifier 6011 operator or
if-match acl 6011
#
traffic classifier 6012 operator or
if-match acl 6012
#
traffic classifier 6013 operator or
if-match acl 6013
#
traffic behavior 6001
car
tariff-level 1
traffic-statistic
#
traffic behavior 6003
car
tariff-level 1
traffic-statistic
#
traffic behavior 6005
car
tariff-level 1
traffic-statistic
#
traffic behavior 6010
#
traffic behavior 6011
http-redirect
#
traffic behavior 6012
#
traffic behavior 6013
http-redirect
#
traffic policy traffic-policy-1
share-mode
classifier 6010 behavior 6010 precedence 1
classifier 6011 behavior 6011 precedence 2
classifier 6012 behavior 6012 precedence 3
classifier 6013 behavior 6013 precedence 4
#
traffic policy traffic_policy_daa
share-mode
classifier 6003 behavior 6003 precedence 1
classifier 6005 behavior 6005 precedence 2
#
aaa
http-redirect enable
default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$
default-user-name include mac-address -
local-user root password irreversible-cipher +Hv$!xKCa#UY6\$GWJ!N4[QH.O/'HIa@AoURN`>;R"Z8PtIa\3AZAy6Sa60(C6GCN
#
authentication-scheme none
#
authentication-scheme authen
#
accounting-scheme none
accounting-mode none
#
accounting-scheme acc
accounting interim interval 15
#
domain pre-authen
authentication-scheme none
accounting-scheme none
ip-pool pre-pool
user-group pre-web
web-server 192.168.10.53
web-server url http://192.168.10.53/help/help.html
#
domain xs
authentication-scheme authen
accounting-scheme acc
radius-server group radius
ip-pool xuesheng
ip-pool jiaoshi
value-added-service account-type none
value-added-service policy 10m
user-group pre-web
web-server 192.168.10.53
web-server url http://192.168.10.53/help/help.html
portal-server 192.168.10.100
portal-server url http://192.168.10.100/portal/
quota-out online
#
domain jg
authentication-scheme authen
accounting-scheme acc
radius-server group radius
ip-pool jiaoshi
value-added-service account-type none
value-added-service policy 20m
user-group pre-web
portal-server 192.168.10.100
portal-server url http://192.168.10.100/portal/
quota-out online
#
domain pre-ppp
authentication-scheme none
accounting-scheme none
ip-pool pre-ppp
user-group pre-ppp
web-server 192.168.10.55
web-server url http://192.168.10.55/help/help.html
#
domain mac
authentication-scheme mac
accounting-scheme acc
radius-server group mac
ip-pool pre-pool
mac-authentication enable
#
value-added-service policy 10m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 10M
#
value-added-service policy 20m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 20M
#
value-added-service policy 50m daa
accounting-scheme none
traffic-separate enable
tariff-level 1 qos-profile 50M
#
interface Virtual-Template1
ppp authentication-mode auto
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.11.6 255.255.255.252
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.11.10 255.255.255.252
#
interface GigabitEthernet 1/1/1.1000
description xuesheng-ppp
user-vlan 2001 3000 qinq 101 200
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
dhcp session-mismatch action offline
authentication-method ppp web
#
#
interface GigabitEthernet 1/1/1.1001
description xuesheng-web
user-vlan 3001 3500 qinq 1601 1800
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.1002
description jiaoshi-ppp
user-vlan 2001 3000 qinq 201 400
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication jg
dhcp session-mismatch action offline
authentication-method ppp web
#
#
interface GigabitEthernet 1/1/1.1003
description jiaoshi-web
user-vlan 3001 3500 qinq 1801 2000
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.1101
description mac-web
user-vlan 600
bas
#
access-type layer2-subscriber default-domain pre-authentication mac authentication jg
dhcp session-mismatch action offline
authentication-method web
#
#
interface GigabitEthernet 1/1/1.4010
vlan-type dot1q 4010
ip address 172.16.11.14 255.255.255.252
#
interface LoopBack0
ip address 172.16.10.3 255.255.255.255
#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.5
ip route-static 172.16.10.2 255.255.255.255 172.16.11.9
ip route-static 172.16.10.4 255.255.255.255 172.16.11.13
#
web-auth-server source interface LoopBack0
web-auth-server 192.168.10.53 port 50100 key cipher %^%#S2#I1~`Kc/>vz1F4u3q+_DHT)ZE^`"n:w>!li(<C%^%#
#
traffic-policy traffic-policy-1 inbound
traffic-policy traffic-policy-1 outbound
#
accounting-service-policy traffic_policy_daa
#
return
USG6315E_A
#
sysname USG6315E_A
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.2
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
add interface GigabitEthernet1/0/7
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 15
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.6
ip route-static 10.253.128.0 255.255.128.0 172.16.11.6
ip route-static 10.254.0.0 255.255.128.0 172.16.11.6
ip route-static 10.254.128.0 255.255.128.0 172.16.11.6
ip route-static 172.16.10.2 255.255.255.255 172.16.11.6
ip route-static 172.16.10.3 255.255.255.255 172.16.11.6
ip route-static 172.16.10.4 255.255.255.255 172.16.11.6
ip route-static 192.168.10.0 255.255.255.0 172.16.11.6
ip route-static 202.1.1.100 255.255.255.255 NULL 0
ip route-static 202.2.1.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 202.1.1.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 202.2.1.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
http-control web-browse action deny
http-control proxy action deny
http-control post action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
USG6315E_B
#
sysname USG6315E_B
#
hrp enable
hrp interface GigabitEthernet 1/0/6 remote 172.16.11.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/7
#
dns-smart enable
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
add interface GigabitEthernet1/0/7
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 15
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 202.2.1.254 track ip-link ip_link_2
ip route-static 10.253.0.0 255.255.128.0 172.16.11.10
ip route-static 10.253.128.0 255.255.128.0 172.16.11.10
ip route-static 10.254.0.0 255.255.128.0 172.16.11.10
ip route-static 10.254.128.0 255.255.128.0 172.16.11.10
ip route-static 172.16.10.1 255.255.255.255 172.16.11.10
ip route-static 172.16.10.3 255.255.255.255 172.16.11.10
ip route-static 172.16.10.4 255.255.255.255 172.16.11.10
ip route-static 192.168.10.0 255.255.255.0 172.16.11.10
ip route-static 202.1.1.100 255.255.255.255 NULL 0
ip route-static 202.2.1.100 255.255.255.255 NULL 0
#
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
anti-ddos baseline-learn start
anti-ddos baseline-learn apply
anti-ddos baseline-learn tolerance-value 100
#
nat server web_for_isp1 0 zone isp1 protocol tcp global 202.1.1.10 8080 inside 192.168.10.10 www no-reverse
nat server web_for_isp2 1 zone isp2 protocol tcp global 202.2.1.10 8080 inside 192.168.10.10 www no-reverse
#
profile type app-control name profile_app_work
http-control web-browse action deny
http-control proxy action deny
http-control post action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file delete action deny ftp-control file direction download action deny
ftp-control file direction upload action deny #
USG6315E_A USG6315E_B
ftp-control file direction download action deny profile type app-control name profile_app_rest
# http-control post action deny
http-control file direction upload action deny
nat address-group addressgroup1 ftp-control file delete action deny
0 ftp-control file direction upload action deny
mode ftp-control file direction download action deny
pat #
route
enable nat address-group addressgroup1
section 0 202.1.1.1 0
202.1.1.5 mode
# pat
USG6315E_A (continued)
destination-zone isp1
action nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp2
action nat address-group addressgroup2
#
return
USG6315E_B (continued)
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
action nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp2
action nat address-group addressgroup2
#
return
Service Requirements
Economic and social development has made subway travel a major way to avoid
traffic congestion in cities. A more diverse range of IP services and
increasing data traffic require a highly secure and reliable subway public
transportation system. The legacy subway bearer network can no longer meet
these requirements, and a digital subway system requires a more robust and
reliable bearer network. A modernized subway bearer network needs to meet the
following requirements:
Solution Overview
The HoVPN-based HSR solution is designed to ensure network reliability,
scalability, maintainability, and multi-service supporting capability, provide a
hierarchical network structure, and reduce networking costs. Figure 9-17 shows
the network topology in the HSR solution.
[Figure 9-17 Network topology of the HSR solution. Visible labels: Site1_UPE1, Site3_UPE6, Core_SPE1, Site2_UPE3, Site2_UPE4, CE1, CE2, CE3 (vpna), Subway site 1; protection mechanisms marked on the links: BFD for VRRP, TE HSB, VPN FRR.]
In Figure 9-17,
● Three S12700E switches on the core layer are fully connected to form a core
ring, while the data center site and two subway sites exchange data across
the core ring.
Service Deployment
Item Description
IGP: Use OSPF as the IGP and run OSPF between aggregation and core switches to ensure that there are reachable routes between these switches, and establish Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) and MPLS Traffic Engineering (TE) tunnels using OSPF routes.
Routing policies: Use routing policies to set the route preferred value and community attribute to filter, select, and back up routes.
MPLS LDP: Run LDP between aggregation and core switches to transmit L3VPN data on links for label switching. Configure BFD for label switched paths (LSPs) to implement fast link switchovers.
MPLS TE: Deploy MPLS TE tunnels to transmit L3VPN traffic. That is, establish the primary and backup TE tunnels between each S6730-H switch and its directly connected S12700E, and establish the primary and backup tunnels between each S12700E switch and its directly connected S6730-H switch. Enable TE HSB and configure BFD for TE HSB to allow traffic to be switched from the faulty primary TE tunnel to the backup TE tunnel within 50 ms.
L3VPN: Configure different VPNs for services such as daily office, advertising media, and train control management to isolate these services. In this scenario, one VPN is configured as an example.
BFD: Use BFD on each node to detect faults and implement fast traffic switchovers in case of faults. In this example, you need to deploy multiple services, including BFD for VRRP, BFD for LSP, and BFD for TE, to complete end-to-end switchovers within 50 ms.
Core nodes and data center aggregation nodes: Use S12700E switches as core nodes and data center aggregation nodes, and install MPUEs and X series LPUs on these switches. To ensure reliability, ensure that:
● Eth-Trunk member interfaces reside on the same LPU.
● On the same device, any two interfaces connected to other devices reside on different LPUs.
Version Requirements
Network Topology
Construct a network based on the topology shown in Figure 9-18, name the network
devices, and configure IP addresses for the devices' service interfaces and user
interfaces.
[Figure 9-18 Network topology. Visible labels: Site2_UPE3 and Site2_UPE4 (XGE0/0/1, XGE0/0/4, XGE0/0/2.150), CE2 (vpna). Eth-Trunk member interfaces shown in the figure:]
Eth-Trunk 5: XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Eth-Trunk 17: XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
Eth-Trunk 2: XGigabitEthernet3/0/4, XGigabitEthernet3/0/5, XGigabitEthernet3/0/6, XGigabitEthernet3/0/7
Eth-Trunk 17: XGigabitEthernet5/0/0, XGigabitEthernet5/0/1, XGigabitEthernet5/0/2, XGigabitEthernet5/0/3
Eth-Trunk 2: XGigabitEthernet2/0/4, XGigabitEthernet2/0/5, XGigabitEthernet2/0/6, XGigabitEthernet2/0/7
Eth-Trunk 7: XGigabitEthernet4/0/4, XGigabitEthernet4/0/5, XGigabitEthernet4/0/6, XGigabitEthernet4/0/7
Eth-Trunk 7: XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7
Data Plan
Set parameters based on network requirements (such as the network scale and topology).
The following table lists the recommended values and precautions for reference only.
Device information includes the site name, device role, and device number. Each
device is named in the format of AA_BBX.
For example, Site1_UPE1 indicates a UPE numbered 1 at site 1. The following table
describes the data plan.
Procedure
● Configure the device name.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of other devices are similar to the configuration of Site1_UPE1.
sysname Site1_UPE1
----End
Procedure
Step 1 Add physical interfaces to Eth-Trunk interfaces.
The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to that of Core_SPE1.
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
mode lacp
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
mode lacp
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
mode lacp
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
Step 4 Create Eth-Trunk load balancing profiles and apply the profiles to Eth-Trunk
interfaces.
Configure load balancing based on the source and destination port numbers. The
following uses the configuration of Core_SPE1 as an example. The configurations
of other devices are similar to that of Core_SPE1.
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
load-balance enhanced profile CUSTOM
#
----End
Context
To implement link switchovers within 50 ms, devices must support the 3.3-ms
interval for sending and receiving BFD packets. Devices need to meet the following
requirements:
● For the S12700E, MPUs must be LST7MPUE0000 or LST7MPUE000K0.
● For the S6730-H, the set service-mode command must be run to configure
the switch to work in enhanced BFD mode.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
#
bfd
#
----End
[Figure: OSPF deployment. Visible labels: Core_SPE1, Site1_UPE2, Site3_UPE5, Site2_UPE3, Site2_UPE4, CE2 (vpna); OSPF runs on the links interconnecting the switches.]
Deployment Roadmap
Configure OSPF as an IGP to ensure that there are reachable routes between
devices on the entire network, and establish MPLS LDP and MPLS TE tunnels using
OSPF routes. The configuration roadmap is as follows:
1. Add all devices to Area 0 and advertise their directly connected network
segments and loopback 1 addresses.
2. Configure all interfaces that are not running OSPF as silent interfaces to
prohibit these interfaces from receiving and sending OSPF packets. This
configuration enhances OSPF networking adaptability and reduces system
resource consumption.
3. Set the OSPF network type to point-to-point (P2P) on the interconnected
main interfaces using IP addresses with 31-bit subnet masks.
4. Configure synchronization between LDP and OSPF to prevent traffic loss
caused by a primary/backup LSP switchover.
Context
Configuring OSPF ensures that there are reachable public network routes between
UPE devices and SPE devices.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
router id 172.16.0.5 //Configure a router ID.
#
interface Eth-Trunk4
ospf network-type p2p //Set the OSPF network type to P2P on the interconnected main interface using IP addresses with 31-bit subnet masks.
#
interface Eth-Trunk5
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
interface XGigabitEthernet6/0/4
ospf network-type p2p
#
ospf 1
silent-interface all //Disable all interfaces from sending and receiving OSPF packets.
undo silent-interface Eth-Trunk4 //Enable the interface to send and receive OSPF packets.
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10 //Set the route calculation interval to 10 ms to speed up route convergence.
lsa-originate-interval 0 //Set the interval for updating LSAs to 0.
lsa-arrival-interval 0 //Set the interval for receiving LSAs to 0. Then the changes of the topology or routes can be detected immediately, speeding up route convergence.
graceful-restart period 600 //Enable OSPF GR.
flooding-control //Restrict the flooding of updated LSAs to maintain the stability of OSPF neighbor relationships.
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%# //Set the OSPF area authentication mode and password.
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
#
● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
router id 172.16.2.51
#
interface Eth-Trunk7
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
graceful-restart period 600
bandwidth-reference 100000 //Set the bandwidth reference value for calculating interface costs.
flooding-control
area 0.0.0.0
----End
[Figure: LDP neighbor relationships. Visible labels: Site1_UPE2, Site3_UPE5, Core_SPE2, Core_SPE3, Site2_UPE3, Site2_UPE4; the LDP neighbor links are numbered 1 to 12.]
Deployment Roadmap
The deployment roadmap is as follows:
1. Configure LSR IDs and enable MPLS LDP globally and on each interface.
2. Configure synchronization between LDP and OSPF to prevent traffic loss
caused by a primary/backup LSP switchover.
3. Configure LDP GR to ensure uninterrupted traffic forwarding during a
primary/backup switchover or protocol restart.
4. Configure BFD for LSP to quickly detect LDP LSP faults on the core ring.
The data provided in this section is used as an example, which may vary depending on the
network scale and topology.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls lsr-id 172.16.0.5 //Set an MPLS LSR ID. Using a loopback interface address is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP and enable the egress node to assign labels to the penultimate hop.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk4
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface Eth-Trunk5
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
interface XGigabitEthernet6/0/4
mpls
mpls ldp //Enable MPLS LDP on the interface.
#
----End
Context
LDP LSRs set up LSPs using OSPF. If the LDP session on the primary link fails (not
caused by a link failure) or the primary link recovers from a failure,
synchronization between LDP and OSPF can be configured to prevent traffic loss
caused by a primary/backup LSP switchover.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
interface Eth-Trunk4
ospf ldp-sync //Enable synchronization between LDP and OSPF on the interface.
ospf timer ldp-sync hold-down 20 //Set the interval during which the interface waits for creating an LDP session before establishing an OSPF neighbor relationship.
#
interface Eth-Trunk5
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface XGigabitEthernet6/0/4
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
● Configure UPE devices.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to that of Site1_UPE1.
interface Eth-Trunk7
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
----End
Context
LDP graceful restart (GR) ensures uninterrupted traffic forwarding during a
primary/backup switchover or protocol restart.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls ldp
graceful-restart //Enable LDP GR.
#
----End
Context
To improve the reliability of LDP LSPs between SPE devices on the core ring,
configure static BFD for LDP LSPs to rapidly detect faults of LDP LSPs.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4 //Enable static BFD to monitor the LDP LSP between Core_SPE1 and Core_SPE2.
discriminator local 317 //Specify the local discriminator. The local discriminator of the local end must be the same as the remote discriminator of the remote end.
discriminator remote 137 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Enable the system to modify the port status table (PST) when the BFD session status changes to speed up the switchover.
commit //Commit the BFD session configuration.
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5 //Enable static BFD to monitor the LDP LSP between Core_SPE1 and Core_SPE3.
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
----End
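The two static BFD sessions above only come up if Core_SPE2 and Core_SPE3 mirror the discriminators exactly, and the 3.3 ms x 8 timers are what keep detection inside the 50 ms target stated in the Context. The following check is an added example, not part of the Huawei guide: the Core_SPE1 sessions are the ones shown above, while the mirror sessions on Core_SPE2/Core_SPE3 and the two misconfigured variants are constructed for illustration.

```python
"""Validate the static BFD-for-LDP-LSP sessions configured in this section.

Added example, not from the Huawei guide. Core_SPE1's two sessions use the
discriminators and timers shown above; the mirror sessions on Core_SPE2 and
Core_SPE3 are constructed here (the guide only says they are "similar").
"""
from dataclasses import dataclass

# Assumption taken from the guide's own comments: the configured interval
# value 3 stands for 3.3 ms on these switches. Other values are read as ms.
INTERVAL_MS = {3: 3.3}
SWITCHOVER_TARGET_MS = 50.0  # end-to-end target stated in the guide


@dataclass(frozen=True)
class BfdSession:
    name: str
    device: str
    local_disc: int
    remote_disc: int
    detect_multiplier: int
    min_tx: int  # configured value, see INTERVAL_MS
    min_rx: int


def interval_ms(configured: int) -> float:
    """Translate a configured min-tx/min-rx value into milliseconds."""
    return INTERVAL_MS.get(configured, float(configured))


def detection_time_ms(local: BfdSession, remote: BfdSession) -> float:
    """Time after which `local` declares `remote` down.

    RFC 5880 section 6.8.4: the interval in use is the larger of the local
    min-rx and the remote min-tx; the detection time is that interval times
    the remote system's detect multiplier.
    """
    negotiated = max(interval_ms(local.min_rx), interval_ms(remote.min_tx))
    return negotiated * remote.detect_multiplier


def discriminators_cross_match(a: BfdSession, b: BfdSession) -> bool:
    """Static BFD: each side's local discriminator must equal the other
    side's remote discriminator, otherwise the session never comes up."""
    return a.local_disc == b.remote_disc and b.local_disc == a.remote_disc


def check_pair(a: BfdSession, b: BfdSession) -> list[str]:
    """Return human-readable problems for one session pair (empty = OK)."""
    problems = []
    if not discriminators_cross_match(a, b):
        problems.append(
            f"{a.device}:{a.name} <-> {b.device}:{b.name}: discriminators do "
            f"not cross-match ({a.local_disc}/{a.remote_disc} vs "
            f"{b.local_disc}/{b.remote_disc})"
        )
    for local, remote in ((a, b), (b, a)):
        dt = detection_time_ms(local, remote)
        if dt > SWITCHOVER_TARGET_MS:
            problems.append(
                f"{local.device}:{local.name}: detection time {dt:.1f} ms "
                f"exceeds the {SWITCHOVER_TARGET_MS:.0f} ms target"
            )
    return problems


# Sessions from the guide (Core_SPE1) and constructed mirrors (SPE2/SPE3).
SPE1_TO_SPE2 = BfdSession("SPE1toSPE2", "Core_SPE1", 317, 137, 8, 3, 3)
SPE2_TO_SPE1 = BfdSession("SPE2toSPE1", "Core_SPE2", 137, 317, 8, 3, 3)
SPE1_TO_SPE3 = BfdSession("SPE1toSPE3", "Core_SPE1", 32, 23, 8, 3, 3)
SPE3_TO_SPE1 = BfdSession("SPE3toSPE1", "Core_SPE3", 23, 32, 8, 3, 3)

# Constructed misconfigurations: Core_SPE3 copied Core_SPE1's discriminators
# verbatim, and one side was left at a 10 ms interval.
SPE3_COPIED = BfdSession("SPE3toSPE1", "Core_SPE3", 32, 23, 8, 3, 3)
SPE3_SLOW = BfdSession("SPE3toSPE1", "Core_SPE3", 23, 32, 8, 10, 10)


def main() -> None:
    pairs = ((SPE1_TO_SPE2, SPE2_TO_SPE1), (SPE1_TO_SPE3, SPE3_TO_SPE1),
             (SPE1_TO_SPE3, SPE3_COPIED), (SPE1_TO_SPE3, SPE3_SLOW))
    for a, b in pairs:
        issues = check_pair(a, b)
        status = "OK" if not issues else "; ".join(issues)
        print(f"{a.name} vs {b.device}: detection "
              f"{detection_time_ms(a, b):.1f} ms -> {status}")


if __name__ == "__main__":
    main()
```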
--------------------------------------------------------------------------------
32 23 172.16.0.4 Up S_LDP_LSP Eth-Trunk4
317 137 172.16.0.3 Up S_LDP_LSP Eth-Trunk5
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
[Figure: Primary and backup TE tunnels. Visible labels: Core_SPE2, Core_SPE3, Site2_UPE3, Site2_UPE4, Primary TE1, Primary TE3, Backup TE, with the links numbered 1 to 8. Legend: primary path of a TE tunnel; backup path of a TE tunnel; dashed lines of the same color indicate the primary and backup paths of one TE tunnel; pipes indicate the primary and backup TE tunnels of L3VPN services.]
The data provided in this section is used as an example, which may vary depending on the
network scale and topology.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk4
mpls te //Enable MPLS TE on the interface.
mpls te link administrative group c //Configure an administrative group attribute for selecting the primary and backup paths of a TE tunnel.
mpls rsvp-te //Enable RSVP-TE on the interface.
#
interface Eth-Trunk5
mpls te
mpls te link administrative group 30
mpls rsvp-te
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
interface XGigabitEthernet6/0/4
mpls te
mpls te link administrative group 20
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque LSA capability.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the current OSPF area.
#
interface Tunnel611 //Specify the tunnel from Core_SPE1 to Site1_UPE1.
description Core_SPE1 to Site1_UPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface to borrow the IP address of loopback 1.
tunnel-protocol mpls te //Configure MPLS TE as a tunneling protocol.
destination 172.16.2.51 //Configure the IP address of Site1_UPE1 as the tunnel destination IP address.
mpls te tunnel-id 71 //Set a tunnel ID, which must be valid and unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity attribute of the hot-standby CR-LSP.
mpls te backup hot-standby //Set the backup mode of the tunnel to hot-standby mode.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for the configuration to take effect.
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure CR-LSPs to be preferentially selected.
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
----End
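The administrative groups on the Core_SPE1 links and the affinity/mask pairs on the four tunnels are what steer each primary CR-LSP and its hot-standby onto different links. The following is an added example, not part of the Huawei guide: it applies the affinity matching rule (stated as an assumption in the docstring) to the values configured above and reports, per tunnel, which Core_SPE1 links the primary and hot-standby CR-LSPs may use; the final case with mask 0x0C is constructed to show the exclude semantics.

```python
"""Which Core_SPE1 links may carry each CR-LSP, given the administrative
groups and affinities configured in this section.

Added example, not from the Huawei guide. Values are the ones shown above;
`mpls te link administrative group c` is hexadecimal 0x0c.
Assumption: the matching rule is the one Huawei documents for
`mpls te affinity property <property> mask <mask>`: for each bit set in
mask, a 1 in property means at least one such bit must be set in the link
group, a 0 means that bit must be clear in the link group; mask bits that
are 0 are not checked.
"""

# Links of Core_SPE1 with their administrative groups (from the section).
CORE_SPE1_LINKS = {
    "Eth-Trunk4": 0x0C,              # to Core_SPE2
    "Eth-Trunk5": 0x30,              # to Core_SPE3
    "Eth-Trunk17": 0x04,             # to Site1_UPE1
    "XGigabitEthernet6/0/4": 0x20,   # to Site3_UPE6
}

# Tunnels of Core_SPE1: ((primary property, mask), (hot-standby property, mask))
CORE_SPE1_TUNNELS = {
    "Tunnel611": ((0x04, 0x04), (0x08, 0x08)),  # to Site1_UPE1
    "Tunnel622": ((0x08, 0x08), (0x04, 0x04)),  # to Site1_UPE2
    "Tunnel711": ((0x20, 0x20), (0x10, 0x10)),  # to Site3_UPE6
    "Tunnel721": ((0x10, 0x10), (0x20, 0x20)),  # to Site3_UPE5
}


def link_allowed(link_group: int, prop: int, mask: int) -> bool:
    """Apply the affinity rule described in the module docstring."""
    include_any = prop & mask   # at least one of these bits must be set
    exclude = mask & ~prop      # none of these bits may be set
    if link_group & exclude:
        return False
    if include_any and not (link_group & include_any):
        return False
    return True


def admissible_links(links: dict, prop: int, mask: int) -> list:
    """Links on which CSPF may place a CR-LSP with this affinity."""
    return [name for name, group in links.items()
            if link_allowed(group, prop, mask)]


def plan_tunnel(links: dict, tunnel: str, spec) -> dict:
    """Admissible first-hop links for the primary and hot-standby CR-LSPs,
    plus whether the two can leave the headend on different links (the
    guide requires the primary and hot-standby paths to differ)."""
    (p_prop, p_mask), (s_prop, s_mask) = spec
    primary = admissible_links(links, p_prop, p_mask)
    standby = admissible_links(links, s_prop, s_mask)
    return {
        "tunnel": tunnel,
        "primary": primary,
        "hot_standby": standby,
        "can_diverge": bool(primary and standby and set(primary) != set(standby)),
    }


def main() -> None:
    for name, spec in CORE_SPE1_TUNNELS.items():
        plan = plan_tunnel(CORE_SPE1_LINKS, name, spec)
        print(f"{name}: primary {plan['primary']}, "
              f"hot-standby {plan['hot_standby']}, "
              f"diverge={'yes' if plan['can_diverge'] else 'NO'}")
    # Constructed case showing the exclude semantics: mask 0x0C with property
    # 0x04 demands bit 2 set and bit 3 clear, so Eth-Trunk4 (0x0C) is rejected.
    print("property 0x04 mask 0x0C ->",
          admissible_links(CORE_SPE1_LINKS, 0x04, 0x0C))


if __name__ == "__main__":
    main()
```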
--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
[Core_SPE1] ping lsp te Tunnel611 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes, press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms
--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
● Run the tracert lsp te Tunnel command to detect LSPs.
The following uses Tunnel 611 from Core_SPE1 to Site1_UPE1 as an example.
Ensure that the primary and hot-standby tunnel paths are different.
[Core_SPE1]tracert lsp te Tunnel611
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress
Procedure
● Configure SPE devices.
----End
Procedure
● Configure SPE devices.
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 611.
discriminator local 6116 //Specify the local discriminator. The local discriminator of the local end must be the same as the remote discriminator of the remote end.
discriminator remote 6115 //Specify a remote discriminator.
detect-multiplier 8 //Specify the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Enable the system to modify the PST when the BFD session status changes to speed up the switchover.
commit //Commit the BFD session configuration.
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 611.
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 622.
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 622.
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 721.
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 721.
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup //Enable static BFD to detect the hot-standby CR-LSP of Tunnel 711.
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp //Enable static BFD to detect the primary CR-LSP of Tunnel 711.
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
----End
[Figure: L3VPN route deployment. Visible labels: Site1_UPE2, Site3_UPE5, Core_SPE2, Core_SPE3, Site2_UPE3, Site2_UPE4, CE2 (vpna); L3VPN specific routes and default routes; VPN FRR on the core ring; IP+VPN hybrid FRR at Site2.]
1. Deploy MP-BGP.
– Establish Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationships between UPE and SPE devices, and between SPE devices.
– Plan a route target (RT) to make traffic from UPE devices to SPE devices
be transmitted by default routes and traffic from SPE devices to UPE
devices be transmitted by specific routes.
– Configure a routing policy to ensure that traffic from a specific UPE
device to other sites is preferentially forwarded by the SPE device directly
connected to the UPE device.
– Configure a routing policy to ensure that traffic from a specific SPE device
to other sites is preferentially forwarded by the UPE device directly
connected to the SPE device.
– Configure a route filtering policy to prevent a specific SPE device at a site
from advertising ARP Vlink direct routes to UPE devices at other sites.
– Configure a route filtering policy to prevent a specific SPE device from
receiving routes of sites directly connected to this SPE device from other
SPE devices. If an SPE device receives such routes from other SPE devices,
routing loops may occur. For example, prevent Core_SPE2 from receiving
any routes of Site1 from Core_SPE1 or any routes of Site2 from
Core_SPE3.
The data provided in this section is used as an example, which may vary depending on the
network scale and topology.
Site1_UPE1 interface XGigabitEthernet1/0/4.200: 172.18.200.66/26
Site1_UPE2 interface XGigabitEthernet1/0/4.200: 172.18.200.67/26
Site2_UPE3 interface XGigabitEthernet0/0/2.150: 172.18.150.2/26
Site2_UPE4 interface XGigabitEthernet0/0/2.150: 172.18.150.3/26
Site3_UPE5 interface XGigabitEthernet0/0/2.100: 172.18.100.2/26
Site3_UPE6 interface XGigabitEthernet0/0/2.100: 172.18.100.3/26
BGP parameters per device (BGP process ID; Router ID; Peer group devCore; Peer group devHost; policy vpn-target):
Core_SPE1: BGP process ID 65000; Router ID 172.16.0.5; devCore: 172.16.0.3, 172.16.0.4; devHost: 172.16.2.50, 172.16.2.51, 172.16.2.86, 172.16.2.87; policy vpn-target: Enable
Core_SPE2: BGP process ID 65000; Router ID 172.16.0.3; devCore: 172.16.0.4, 172.16.0.5; devHost: 172.16.2.50, 172.16.2.51, 172.16.2.75, 172.16.2.76; policy vpn-target: Enable
Core_SPE3: BGP process ID 65000; Router ID 172.16.0.4; devCore: 172.16.0.3, 172.16.0.5; devHost: 172.16.2.75, 172.16.2.76, 172.16.2.86, 172.16.2.87; policy vpn-target: Enable
Site1_UPE1: BGP process ID 65000; Router ID 172.16.2.51; devCore: 172.16.0.3, 172.16.0.5; devHost: 172.16.2.50; policy vpn-target: Enable
Site1_UPE2: BGP process ID 65000; Router ID 172.16.2.50; devCore: 172.16.0.3, 172.16.0.5; devHost: 172.16.2.51; policy vpn-target: Enable
Site2_UPE3: BGP process ID 65000; Router ID 172.16.2.75; devCore: 172.16.0.3, 172.16.0.4; devHost: 172.16.2.76; policy vpn-target: Enable
Site2_UPE4: BGP process ID 65000; Router ID 172.16.2.76; devCore: 172.16.0.3, 172.16.0.4; devHost: 172.16.2.75; policy vpn-target: Enable
Site3_UPE5: BGP process ID 65000; Router ID 172.16.2.87; devCore: 172.16.0.4, 172.16.0.5; devHost: 172.16.2.86; policy vpn-target: Enable
Site3_UPE6: BGP process ID 65000; Router ID 172.16.2.86; devCore: 172.16.0.4, 172.16.0.5; devHost: 172.16.2.87; policy vpn-target: Enable
[Figure: BGP connections. Visible labels: Site1_UPE1, Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, Site3_UPE6, Core_SPE1, Core_SPE2, Core_SPE3, CE1, CE2, CE3 (vpna); route preferred values (200, 300) and community attributes (for example 5720:5720, 200:200, 300:300, 23:23) are marked on the links. Legend: BGP peers; route preferred value; route community attribute.]
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp //Configure a tunnel selector to enable Core_SPE1 to select any tunnel for route recursion when the next-hop address prefix of a VPNv4 route is the IP address prefix of another SPE.
#
tunnel-selector TSel permit node 10 //Configure a tunnel selector to allow the routes received from an IBGP peer to recurse to a TE tunnel if the routes need to be forwarded to another IBGP peer and the next hops of the routes need to be changed to the local IP address.
apply tunnel-policy TE
#
bgp 65000
group devCore internal //Create an IBGP peer group.
peer devCore connect-interface LoopBack1 //Specify loopback 1 and its address as the source interface and address of BGP messages.
peer 172.16.0.3 as-number 65000 //Establish a peer relationship with Core_SPE2 (172.16.0.3).
peer 172.16.0.3 group devCore //Add Core_SPE2 to the peer group.
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
----End
Context
VPN instances need to be configured to advertise VPNv4 routes and forward data
to achieve communication over an L3VPN.
Procedure
● Configure SPE devices.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to that
of Core_SPE1.
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 5:1 //Configure an RD.
tnl-policy TSel //Configure a TE tunnel for the VPN instance.
vpn-target 0:1 export-extcommunity //Configure the extended community attribute VPN target.
vpn-target 0:1 import-extcommunity
#
bgp 65000
#
ipv4-family vpnv4
nexthop recursive-lookup delay 10 //Set the delay in responding to next-hop changes to 10s.
route-select delay 120 //Set the route selection delay to 120s to prevent traffic interruptions caused by fast route switchback.
#
ipv4-family vpn-instance vpna
default-route imported //Import default routes to the VPN instance vpna.
nexthop recursive-lookup route-policy delay_policy //Configure BGP next-hop recursion based on the routing policy delay_policy.
----End
Deployment Roadmap
The deployment roadmap is as follows:
1. Deploy VRRP on two UPE devices at a site to ensure reliability for uplink
traffic of CE devices. The following uses Site1 as an example, as shown in
Figure 9-23:
– Configure Site1_UPE1 as the master device and Site1_UPE2 as the backup
device in a VRRP group. If Site1_UPE1 fails, the uplink traffic of CE1 can
be rapidly switched to Site1_UPE2.
– Configure BFD for VRRP so that BFD can quickly detect faults and instruct
the VRRP backup device to become the new master device. In addition,
hardware directly sends gratuitous ARP packets, to instruct access devices
to forward traffic to the new master device.
– Configure backup devices to forward service traffic. A device in the
backup state can forward service traffic as long as it receives service
traffic. This prevents service traffic loss and shortens the service
interruption time if an aggregation device is faulty.
If the number of VRRP groups exceeds the default maximum value, run the set vrrp
max-group-number max-group-number command on a UPE device to set the
maximum number of supported VRRP groups.
[Figure 9-23 diagram: VRRP group with Site1_UPE1 as master and Site1_UPE2 as backup, tracked by BFD; the backup device is configured to forward service traffic; CE1 in vpna; upstream]
2. Deploy VPN FRR on a UPE device. If the TE tunnel between the UPE device
and an SPE device is faulty, traffic is automatically switched to the TE tunnel
between the UPE device and another SPE device at the same site. The
following uses Site1_UPE1 as an example, as shown in Figure 9-24.
Site1_UPE1 has two TE tunnels to Core_SPE1 and Core_SPE2 respectively.
Deploying VPN FRR on Site1_UPE1 ensures that traffic is rapidly switched to
Core_SPE2 if Core_SPE1 is faulty.
[Figure 9-24 diagram: Core_SPE1 and Core_SPE2 over the L3VPN; backup path; Site1_UPE2; upstream]
3. Deploy VPN FRR on an SPE device. If the SPE device is faulty, VPN services are
switched to another SPE device, implementing a fast E2E switchover of VPN
services. The following uses Core_SPE1 as an example, as shown in Figure
9-25.
Core_SPE1 has two LSPs to Core_SPE2 and Core_SPE3 respectively. Configuring
VPN FRR on Core_SPE1 ensures that traffic is rapidly switched to Core_SPE3 if
Core_SPE2 is faulty.
[Figure 9-25 diagram: VPN FRR on Core_SPE1 over the L3VPN towards Core_SPE2 and Core_SPE3; downstream]
4. Deploy VPN FRR on an SPE device. If the TE tunnel between the SPE device
and a UPE device is faulty, traffic is automatically switched to the TE tunnel
between the SPE device and another UPE device at the same site. The
following uses Core_SPE2 as an example, as shown in Figure 9-26:
Core_SPE2 has two TE tunnels to Site2_UPE3 and Site2_UPE4 respectively.
Deploying VPN FRR on Core_SPE2 ensures that traffic is rapidly switched to
Site2_UPE4 if Site2_UPE3 is faulty.
[Figure 9-26 diagram: VPN FRR on Core_SPE2 and Core_SPE3 over the L3VPN; primary path to Site2_UPE3, backup path to Site2_UPE4; CE2 in vpna; downstream]
5. Deploy IP + VPN hybrid FRR on UPE devices. If the interface of a UPE device
detects a fault on the link between the UPE device and its connected CE
device, the UPE device quickly switches traffic to its remote UPE device, which
then forwards the traffic to the CE device. The following uses Site2 as an
example, as shown in Figure 9-27:
If the link from Site2_UPE3 to CE2 is faulty, traffic is forwarded to Site2_UPE4
through an LSP and then to CE2 using a private IP address, improving
network reliability.
[Figure 9-27 diagram: IP+VPN hybrid FRR between Site2_UPE3 and Site2_UPE4 over MPLS LDP; primary path and backup path to CE2 in vpna; downstream]
6. Deploy VPN GR on all UPE devices and SPE devices to ensure uninterrupted
VPN traffic forwarding during an active/standby switchover on the device that
is transmitting VPN services.
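Step 1 of the roadmap only works if the two UPE devices at a site mirror each other: the BFD session on each UPE must use the peer's address and the swapped discriminators, and the VRRP group must track that session. The following checker is an added example, not configuration or tooling from this document; it parses constructed snippets modelled on the Site1_UPE1 and Site1_UPE2 configurations (the Site1_UPE1 sub-interface block is assumed, since the page shows only its bfd session) and reports any mismatch.

```python
"""Consistency check for the BFD-for-VRRP pairing on a site's two UPE devices.
Added example, not from the Huawei document: parses config snippets in the
document's CLI format and verifies that the two BFD sessions mirror each other
(peer-ip/source-ip and local/remote discriminators swapped) and that each VRRP
group tracks the local discriminator of that session with backup-forward set."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed snippets modelled on Site1_UPE1 / Site1_UPE2 (roadmap step 1); the
# Site1_UPE1 sub-interface block is assumed, the page shows only its bfd session.
SITE1_UPE1 = """\
interface XGigabitEthernet1/0/4.200
 ip address 172.18.200.66 255.255.255.192
 vrrp vrid 1 track bfd-session 2200 peer
 vrrp vrid 1 backup-forward
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
 discriminator local 2200
 discriminator remote 1200
#
"""
SITE1_UPE2 = """\
interface XGigabitEthernet1/0/4.200
 ip address 172.18.200.67 255.255.255.192
 vrrp vrid 1 track bfd-session 1200 peer
 vrrp vrid 1 backup-forward
#
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
 discriminator local 1200
 discriminator remote 2200
#
"""
BFD_RE = re.compile(r"^bfd (\S+) bind peer-ip (\S+)(?: vpn-instance \S+)? interface (\S+) source-ip (\S+)")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) (?:track bfd-session (\d+) peer|(backup-forward))")

@dataclass
class BfdSession:
    name: str
    peer_ip: str
    interface: str
    source_ip: str
    local: Optional[int] = None
    remote: Optional[int] = None

@dataclass
class VrrpGroup:
    vrid: int
    interface: str
    tracked: Optional[int] = None
    backup_forward: bool = False

@dataclass
class Device:
    name: str
    bfd: List[BfdSession] = field(default_factory=list)
    vrrp: Dict[int, VrrpGroup] = field(default_factory=dict)

def parse_device(name: str, text: str) -> Device:
    """Walk the config line by line, remembering which interface/bfd block is open."""
    dev, iface, sess = Device(name), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                                  # block terminator
            iface, sess = None, None
        elif (m := BFD_RE.match(line)):
            sess = BfdSession(*m.groups())
            dev.bfd.append(sess)
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif sess is not None and line.startswith("discriminator "):
            _, side, value = line.split()                # "discriminator local 2200"
            setattr(sess, side, int(value))
        elif iface is not None and (m := VRRP_RE.match(line)):
            vrid, tracked, bkfwd = m.groups()
            grp = dev.vrrp.setdefault(int(vrid), VrrpGroup(int(vrid), iface))
            if tracked:
                grp.tracked = int(tracked)
            if bkfwd:
                grp.backup_forward = True
    return dev

def check_site(a: Device, b: Device) -> List[str]:
    """Return findings; an empty list means the two UPE configs are consistent."""
    findings: List[str] = []
    for dev, peer in ((a, b), (b, a)):
        for s in dev.bfd:
            mirror = [t for t in peer.bfd if (t.peer_ip, t.source_ip) == (s.source_ip, s.peer_ip)]
            if not mirror:
                findings.append(f"{dev.name}/{s.name}: no mirror session on {peer.name}")
            elif (s.local, s.remote) != (mirror[0].remote, mirror[0].local):
                findings.append(f"{dev.name}/{s.name}: discriminators do not mirror {peer.name}/{mirror[0].name}")
        for grp in dev.vrrp.values():
            bound = [s for s in dev.bfd if s.interface == grp.interface]
            if not bound or grp.tracked != bound[0].local:
                findings.append(f"{dev.name}: VRRP group {grp.vrid} does not track the BFD session on {grp.interface}")
            if not grp.backup_forward:
                findings.append(f"{dev.name}: VRRP group {grp.vrid} lacks backup-forward")
    return findings
```

Run `check_site(parse_device("Site1_UPE1", SITE1_UPE1), parse_device("Site1_UPE2", SITE1_UPE2))` against exported configs of a site pair; an empty list means the VRRP and BFD halves agree.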
Procedure
● Configure SPE devices.
----End
Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd
● Run the display ip routing-table vpn-instance command on UPE devices to
check the hybrid FRR status.
The following uses the command output of Site2_UPE3 as an example. The
fields in boldface indicate the backup next hop, backup label, and backup
tunnel ID. The command output shows that a hybrid FRR entry has been
generated: the master hybrid FRR route points to the local sub-interface,
and the backup route points to the UPE device with the IP address
172.16.2.76 at the same site.
[Site2_UPE3]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 2
Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0
Destination: 172.18.150.4/32
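The check above is done by eye on the verbose output; in an automated verification it is more reliable to parse the entry and assert on the backup fields. The following parser is an added example, not a tool from this document; its sample output is constructed after the Site2_UPE3 entry shown above, and the expected peer address is the parameter a practitioner would supply per site.

```python
"""Parse 'display ip routing-table vpn-instance <vpn> <prefix> verbose' output
and confirm that a hybrid FRR backup entry points at the expected peer UPE.
Added example, not from the Huawei document. SAMPLE is constructed after the
Site2_UPE3 output shown above; the field names are those the device prints."""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 1

Destination: 172.18.150.4/32
     Protocol: Direct          Process ID: 0
   Preference: 0                     Cost: 0
      NextHop: 172.18.150.4     Neighbour: 0.0.0.0
        State: Active Adv             Age: 1d02h36m21s
          Tag: 0                 Priority: high
        Label: NULL              QoSInfo: 0x0
   IndirectID: 0x0
 RelayNextHop: 0.0.0.0         Interface: XGigabitEthernet0/0/2.150
     TunnelID: 0x0                 Flags: D
    BkNextHop: 172.16.2.76     BkInterface: XGigabitEthernet0/0/4
      BkLabel: 1024           SecTunnelID: 0x0
 BkPETunnelID: 0x4800001b  BkPESecTunnelID: 0x0
 BkIndirectID: 0x0
"""

# Each line carries one or two "Key: value" pairs; a value may contain single
# spaces ("Active Adv"), so a pair ends at two or more spaces before the next key.
FIELD_RE = re.compile(r"([A-Za-z]+(?: ID)?):\s*(.*?)(?=\s{2,}[A-Za-z]+(?: ID)?:|\s*$)")

def parse_routes(output: str) -> List[Dict[str, str]]:
    """Split the verbose output into one dict of fields per Destination entry."""
    routes: List[Dict[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination:"):
            routes.append({})
        if not routes or not line:
            continue  # header lines before the first entry, blank separators
        for m in FIELD_RE.finditer(line):
            routes[-1][m.group(1)] = m.group(2)
    return routes

def backup_path(route: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the FRR backup fields of an entry, or None if no backup was installed."""
    bk = route.get("BkNextHop")
    if not bk or bk == "0.0.0.0":
        return None
    return {k: route[k] for k in ("BkNextHop", "BkInterface", "BkLabel", "BkPETunnelID") if k in route}

def hybrid_frr_ok(output: str, prefix: str, expected_peer: str) -> bool:
    """True when the primary route for prefix is a Direct route on a local
    interface and its backup carries a label towards the expected peer UPE."""
    for route in parse_routes(output):
        if route.get("Destination") != prefix:
            continue
        bk = backup_path(route)
        return (route.get("Protocol") == "Direct"
                and bk is not None
                and bk["BkNextHop"] == expected_peer
                and bk.get("BkLabel", "NULL") != "NULL")
    return False

if __name__ == "__main__":
    for r in parse_routes(SAMPLE):
        print(r["Destination"], "primary via", r["Interface"], "backup:", backup_path(r))
    print("hybrid FRR ok:", hybrid_frr_ok(SAMPLE, "172.18.150.4/32", "172.16.2.76"))
```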
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 20
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
interface Tunnel611
description Core_SPE1 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE2 to Core_SPE3
ip address 172.17.4.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk4
undo portswitch
description Core_SPE2 to Core_SPE1
ip address 172.17.4.9 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE2 to Site1_UPE2
ip address 172.17.4.12 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet3/0/4
eth-trunk 2
#
interface XGigabitEthernet3/0/5
eth-trunk 2
#
interface XGigabitEthernet3/0/6
eth-trunk 2
#
interface XGigabitEthernet3/0/7
eth-trunk 2
#
interface XGigabitEthernet5/0/0
eth-trunk 17
#
interface XGigabitEthernet5/0/1
eth-trunk 17
#
interface XGigabitEthernet5/0/2
eth-trunk 17
#
interface XGigabitEthernet5/0/3
eth-trunk 17
#
interface XGigabitEthernet5/0/5
undo portswitch
description Core_SPE2 to Site2_UPE3
ip address 172.16.8.178 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/4
eth-trunk 4
#
interface XGigabitEthernet6/0/5
eth-trunk 4
#
interface XGigabitEthernet6/0/6
eth-trunk 4
#
interface XGigabitEthernet6/0/7
eth-trunk 4
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.3 255.255.255.255
#
interface Tunnel111
description Core_SPE2 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel121
description Core_SPE2 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 121
mpls te record-route
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE3 to Core_SPE2
ip address 172.17.4.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE3 to Core_SPE1
ip address 172.17.4.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet2/0/4
eth-trunk 2
#
interface XGigabitEthernet2/0/5
eth-trunk 2
#
interface XGigabitEthernet2/0/6
eth-trunk 2
#
interface XGigabitEthernet2/0/7
eth-trunk 2
#
interface XGigabitEthernet6/0/1
undo portswitch
description Core_SPE3 to Site3_UPE5
ip address 172.16.8.213 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 10
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/3
undo portswitch
description Core_SPE3 to Site2_UPE4
ip address 172.16.8.183 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.4 255.255.255.255
#
interface Tunnel112
description Core_SPE3 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 112
mpls te bfd enable
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Core_SPE3 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Core_SPE3 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 10 mask 10
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7222
discriminator remote 7221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7126
discriminator remote 7125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7122
discriminator remote 7121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.51 255.255.255.255
#
interface Tunnel611
description Site1_UPE1 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
discriminator local 2200
discriminator remote 1200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
mode lacp
least active-linknumber 4
#
interface XGigabitEthernet1/0/4
port link-type trunk
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.67 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
eth-trunk 7
#
interface XGigabitEthernet6/0/5
eth-trunk 7
#
interface XGigabitEthernet6/0/6
eth-trunk 7
#
interface XGigabitEthernet6/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.50 255.255.255.255
#
interface Tunnel621
description Site1_UPE2 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Site1_UPE2 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
discriminator local 1200
discriminator remote 2200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#GUPhWw-[LH2O6#NMxtJAl!Io8W~iF'![mQF[\9GI%^%#
network 172.16.2.50 0.0.0.0
network 172.16.2.92 0.0.0.0
network 172.17.4.13 0.0.0.0
network 172.17.4.15 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.51
#
route-policy p_iBGP_host_ex permit node 0
apply community 200:200 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE2toSPE1_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6225
discriminator remote 6226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE1_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6221
discriminator remote 6222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6215
discriminator remote 6216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6211
discriminator remote 6212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.75
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE3 to Core_SPE2
ip address 172.16.8.179 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE3 to Site2_UPE4
ip address 172.16.8.180 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
process-pst
commit
#
bfd UPE3toSPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1121
discriminator remote 1122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE5 to Site3_UPE6
ip address 172.17.10.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE5 to Core_SPE3
ip address 172.16.8.212 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.87 255.255.255.255
#
interface Tunnel721
description Site3_UPE5 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Site3_UPE5 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 322
mpls te record-route
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.86
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE5toSPE1_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7215
discriminator remote 7216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE1_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7211
discriminator remote 7212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7225
discriminator remote 7226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7221
discriminator remote 7222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
interface Tunnel711
description Site3_UPE6 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Site3_UPE6 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.100.2 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.3 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#<3.TS63Ml*_Gn]2$}@O/G8llX)VNvDY\kT;4E9-A%#%#
network 172.16.2.86 0.0.0.0
network 172.17.10.1 0.0.0.0
network 172.17.10.3 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.87
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE6toSPE1_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7115
discriminator remote 7116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE1_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7111
discriminator remote 7112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7125
discriminator remote 7126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7121
discriminator remote 7122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
Service Requirements
Residential buildings and office buildings are the places where people live and
work, and have the following characteristics:
● Users are densely distributed, and the required egress bandwidth is increasing.
● Users of various types may have different bandwidth requirements and
consumption levels.
● There are diverse service types and access modes.
● There are a large number of routes.
● The bandwidth usage is subject to user activities. Network congestion may
occur during peak hours.
The following lists the specific network requirements:
● Access requirements
Provide wired access for IPv4/IPv6 dual-stack services.
Provide differentiated multi-GE access, such as 10 Gbit/s and 1 Gbit/s, for
different types of users.
Reuse existing third-party access switches at some sites.
● Refined bandwidth requirements
Provide customized bandwidths for different users based on their payment
levels.
Guarantee the bandwidth of VIP users upon network congestion.
● Route control requirements
Flexibly control route forwarding and reduce the number of routes on devices,
mitigating the pressure on device performance.
● Reliability requirements
Provide device-level, card-level, and link-level reliability.
● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Figure 9-28 Networking diagram for Internet access of home users and enterprise
users
[Figure 9-28 diagram: RR on the ISP backbone network; egress gateways S6730-H-1 and S6730-H-2 (Eth-Trunk 1 to Eth-Trunk 4); aggregation switches S6730-H-3, S6730-H-4 and S5731-H-5 (Eth-Trunk 2, Eth-Trunk 101, Eth-Trunk 102); access switch S5735-L-6 and a third-party access switch (XGE0/0/1, XGE0/0/2, XGE0/0/47, XGE0/0/48)]
connecting to the virtual private LAN service (VPLS) network, so that
S5731-H-5 adds the same outer VLAN tag to the service packets in different VLANs
sent from the third-party access switch. This configuration saves VLAN IDs on
the public network. S5731-H-5 is configured with Martini VPLS and uses the
Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) as
the signaling protocol.
On the new network to be built, S6730-H-3 and S6730-H-4 are deployed at the
aggregation layer to reduce the number of egress gateway interfaces, and the
access switch S5735-L-6 is deployed as the user gateway at the access layer to
provide 10GE interfaces for Internet access.
S6730-H-1 and S6730-H-2 function as egress gateways and are connected to the
ISP backbone network.
IPv4/IPv6 dual-stack is enabled on the entire network. The Border Gateway
Protocol (BGP) and BGP for IPv6 (BGP4+) are configured to advertise routes,
while Open Shortest Path First version 2 (OSPFv2) and OSPFv3 are configured
to calculate and select routes.
● Refined bandwidth requirements
The access switch S5735-L-6 is configured with traffic policing to provide
different access bandwidths for users of different payment levels.
● Route control requirements
The downstream area of the egress gateways is configured as an OSPF stub area
to reduce the number of routes in the area.
The access switch S5735-L-6 selects routes through OSPF and establishes a
BGP peer relationship with the remote route reflector (RR) to advertise and
receive routes. S5735-L-6 forwards traffic to upstream devices through the
default routes generated in the OSPF stub area and to downstream devices
through direct routes and static routes.
The egress gateways S6730-H establish Internal Border Gateway Protocol
(IBGP) peer relationships with the remote RR to receive and advertise routes,
and establish OSPFv2 and OSPFv3 neighbor relationships with the access
switch S5735-L-6 to exchange routing information. The egress gateways
forward traffic to upstream devices through default routes and OSPF routes
and to downstream devices through BGP routes.
S5731-H-5 imports static routes and direct routes into the BGP routing table
and advertises them to the RR on the ISP backbone network. Routing policies
are configured to control route import and filter out unwanted routes, so
that only the intended user-side prefixes reach the backbone.
● Reliability requirements
S5731-H switches set up a stack to ensure device-level reliability. The switches
are configured with multi-active detection (MAD) to detect multi-master
conflicts if the stack splits. An inter-card downlink Eth-Trunk is configured
between S5731-H-5 and the downstream third-party access switch to ensure
link-level reliability.
The access switch S5735-L-6 connects to aggregation switches through dual
uplinks and uses active/standby OSPF routes to ensure device-level and link-
level reliability. Bidirectional Forwarding Detection (BFD) for OSPF is
configured on the switch to accelerate convergence of OSPF routes. OSPF
Graceful Restart (GR) is also configured to ensure proper data forwarding
when OSPF restarts.
● Security requirements
Message-digest algorithm 5 (MD5) authentication is enabled on OSPFv2-
enabled interfaces, and Internet Protocol Security (IPSec) is enabled in the
OSPFv3 process (OSPFv3 has no authentication field of its own and relies on
IPSec AH).
MD5 authentication (the TCP MD5 signature option) is performed for the TCP
connections over which BGP sessions are established. Each segment carries a
digest computed with the shared key, so a peer discards segments, including
spoofed RST segments, that a third party injects without the key. This
improves the security of BGP peer connections.
MD5 authentication is likewise performed for the TCP connections over which
LDP sessions are established. This improves the security of LDP session
connections.
IBGP peer relationships are established through loopback interfaces, so that
a session survives the failure of any single physical link, and password
authentication is enabled. MD5 is retained here for interoperability; it
depends entirely on the strength and secrecy of the shared key, so use unique
keys per peering and rotate them periodically.
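The BGP and LDP "MD5 authentication" above is the TCP MD5 signature option defined in RFC 2385 (LDP mandates the same option in RFC 5036). The following is an added example, not part of the vendor document, showing what the option actually covers and why a spoofed segment is rejected: the digest runs over the IP pseudo-header, the fixed TCP header with a zero checksum, the payload, and the raw key. The addresses, AS number and the placeholder key `huawei@123` are taken from the configuration on this page; the BGP OPEN payload, ports and sequence numbers are constructed for the example.

```python
"""RFC 2385 TCP MD5 signature option, the mechanism behind 'peer ... password' for BGP
(TCP/179) and the equivalent LDP session protection. Added example, not vendor code."""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19        # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18    # kind (1) + length (1) + MD5 digest (16)
TCPOPT_NOP = 1
FIXED_HDR_LEN = 20
OPTIONS_LEN = 20          # 18-byte option padded with two NOPs to a 32-bit boundary
TH_RST, TH_ACK = 0x04, 0x10


def _pseudo_header(src_ip, dst_ip, seg_len):
    """Source address, destination address, zero byte, protocol 6, TCP segment length
    (header including options, plus data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, seg_len):
    """MD5 over pseudo-header, the 20-byte TCP header with checksum zeroed (options are
    NOT covered), the segment data, and the raw shared key appended last. This is a plain
    keyed hash, not an HMAC; RFC 2385 predates HMAC-based TCP-AO (RFC 5925)."""
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len) + hdr + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: TCP header + MD5 option + payload. The TCP checksum is left at zero;
    on the wire it is filled in after signing and is excluded from the digest by design."""
    data_offset_words = (FIXED_HDR_LEN + OPTIONS_LEN) // 4
    fixed_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                            (data_offset_words << 12) | flags, 65535, 0, 0)
    seg_len = FIXED_HDR_LEN + OPTIONS_LEN + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, seg_len)
    options = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return fixed_hdr + options + payload


def build_unsigned_segment(sport, dport, seq, flags):
    """A bare 20-byte TCP header with no options, e.g. a spoofed RST from a third party."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 0, 0, 0)


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: find option 19, recompute the digest over the received bytes and the
    local key, compare in constant time. Segments without the option are dropped, which is
    why a signed session cannot be reset by an unsigned spoofed RST."""
    if len(segment) < FIXED_HDR_LEN:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < FIXED_HDR_LEN or hdr_len > len(segment):
        return False
    fixed_hdr, options, payload = segment[:FIXED_HDR_LEN], segment[FIXED_HDR_LEN:hdr_len], segment[hdr_len:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, len(segment))
    return hmac.compare_digest(expected, received)


def bgp_open(my_as, hold_time, bgp_id):
    """Constructed BGP OPEN message (RFC 4271) used as the sample payload."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(bgp_id), 0)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body


# Sample values from the configuration on this page: S6730-H-1 (loopback 1.1.1.104, AS 64700)
# opening a session to the RR at 1.1.1.3. The key is the document's placeholder; it is used
# here only so the example lines up with the page and must not be reused anywhere.
SRC_IP, DST_IP, KEY = "1.1.1.104", "1.1.1.3", b"huawei@123"
SAMPLE_SEGMENT = build_signed_segment(SRC_IP, DST_IP, 50000, 179, 1000, 2000, TH_ACK,
                                      bgp_open(64700, 180, SRC_IP), KEY)

if __name__ == "__main__":
    print("genuine segment:", verify_signed_segment(SRC_IP, DST_IP, SAMPLE_SEGMENT, KEY))
    print("spoofed source :", verify_signed_segment("192.0.2.66", DST_IP, SAMPLE_SEGMENT, KEY))
    print("unsigned RST   :", verify_signed_segment(SRC_IP, DST_IP,
                                                    build_unsigned_segment(50000, 179, 1001, TH_RST), KEY))
```

Because the pseudo-header is part of the digest, the same segment replayed from another source address fails verification, and because TCP options are excluded, middleboxes that rewrite options cannot break the signature. The weakness a practitioner should keep in mind is that the key is simply appended to the hashed data and never changes for the life of the session, which is why RFC 5925 (TCP-AO) replaced this construction; where both ends support it, prefer it.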
Deployment Roadmap
The configuration roadmap is as follows:
1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. Configure S5731-H aggregation switches to set up a stack (S5731-H-5) to
ensure device-level reliability.
3. Configure OSPFv2 and OSPFv3 on the egress gateways S6730-H-1 and S6730-
H-2, the access switch S5735-L-6, as well as the aggregation switch stack
S5731-H-5 to implement Layer 3 communication. Configure BGP so that all
the preceding devices can establish BGP peer relationships with the RR on the
ISP backbone network.
4. Configure Layer 2 transparent transmission in a VLAN on the aggregation
switches S6730-H-3 and S6730-H-4.
5. Enable MD5 authentication on OSPFv2-enabled interfaces, enable IPSec in the
OSPFv3 process, and configure BGP peers to perform MD5 authentication
when setting up TCP connections.
6. Configure the downstream area of the egress gateways as an OSPF stub area
to reduce the size of the routing table in the area.
Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.
Recoverable entries of the data plan (the extracted table lost its row and column structure; devices are matched to loopback addresses by the router IDs used in the configurations below, S6730-H-2 by elimination):
● Egress gateways S6730-H-1 and S6730-H-2: both belong to VLANs 200 and 201.
● S6730-H-1: loopback 0 1.1.1.104/32 and 2001:F60::66/128; link-local addresses FE80:F60::A39, FE80:F60::A3D, and FE80:F60::A32 on its VLANIF interfaces (which VLANIF carries which address is not recoverable from the extracted table).
● S6730-H-2: loopback 0 1.1.1.105/32 and 2001:F60::67/128; link-local addresses FE80:F60::A3A, FE80:F60::A3E, and FE80:F60::A36.
● S5731-H-5: loopback 0 1.1.1.107/32 (no IPv6 loopback address is listed).
● S5735-L-6: loopback 0 1.1.1.106/32 and 2001:F60::68/128.
# Configure IPSec for OSPFv3: manually keyed AH security associations in transport mode. A manual SA never re-keys on its own, so the inbound SPI and key set here must equal the neighbor's outbound SPI and key (and vice versa), the keys must be unique to the deployment (the values below are placeholders), and they should be rotated on a schedule. MD5 is shown as in the original example; use a stronger AH authentication algorithm where both ends support one.
[S6730-H-1] ipsec proposal 1
[S6730-H-1-ipsec-proposal-1] encapsulation-mode transport
[S6730-H-1-ipsec-proposal-1] transform ah
[S6730-H-1-ipsec-proposal-1] ah authentication-algorithm md5
[S6730-H-1-ipsec-proposal-1] quit
[S6730-H-1] ipsec sa area0
[S6730-H-1-ipsec-sa-area0] proposal 1
[S6730-H-1-ipsec-sa-area0] sa spi inbound ah 256
[S6730-H-1-ipsec-sa-area0] sa authentication-hex inbound ah cipher
112233445566778899aabbccddeeff00
[S6730-H-1-ipsec-sa-area0] sa spi outbound ah 256
[S6730-H-1-ipsec-sa-area0] sa authentication-hex outbound ah cipher
aabbccddeeff001100aabbccddeeff00
[S6730-H-1-ipsec-sa-area0] quit
[S6730-H-1] ipsec sa stub
[S6730-H-1-ipsec-sa-stub] proposal 1
[S6730-H-1-ipsec-sa-stub] sa spi inbound ah 1256
[S6730-H-1-ipsec-sa-stub] sa authentication-hex inbound ah cipher
112233445566778899aabbccddeeff00
[S6730-H-1-ipsec-sa-stub] sa spi outbound ah 1256
[S6730-H-1-ipsec-sa-stub] sa authentication-hex outbound ah cipher
aabbccddeeff001100aabbccddeeff00
[S6730-H-1-ipsec-sa-stub] quit
# Enable OSPFv2 and OSPFv3 on VLANIF 200, VLANIF 201, VLANIF 210, VLANIF 280,
VLANIF 2350, and loopback 0: VLANIF 200, VLANIF 2350, and loopback 0 belong to
area 0, the other interfaces to the stub area. The following example enables
OSPFv2 and OSPFv3 on VLANIF 200 (OSPFv2 uses MD5 authentication with key ID 1;
the password is a placeholder):
[S6730-H-1] interface Vlanif 200
[S6730-H-1-Vlanif200] ospf authentication-mode md5 1 cipher huawei@123
[S6730-H-1-Vlanif200] ospf network-type p2p
[S6730-H-1-Vlanif200] ospf enable 1 area 0.0.0.0
[S6730-H-1-Vlanif200] ospfv3 1 area 0.0.0.0
[S6730-H-1-Vlanif200] ospfv3 network-type p2p
[S6730-H-1-Vlanif200] quit
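What `ospf authentication-mode md5 1 ...` puts on the wire is OSPFv2 cryptographic authentication as defined in RFC 2328, Appendix D: a 16-byte keyed-MD5 trailer plus a Key ID and a cryptographic sequence number carried in the OSPF header. The added example below (not vendor code) builds and verifies such packets and shows the replay check that the sequence number provides, which a shared-key digest alone would not. The router ID 1.1.1.106, area 1.1.1.104, key ID 1 and the placeholder key are taken from this page; the Hello body values are constructed.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D), the mechanism behind
'ospf authentication-mode md5 <key-id> ...'. Added example, not vendor code."""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
OSPF_HDR_LEN = 24
MD5_LEN = 16


def _pad_key(key):
    """The key is used as exactly 16 bytes: zero-padded, or truncated if longer."""
    return key[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def ospf_md5_trailer(packet, key):
    """Digest over the whole OSPF packet (header carrying Key ID, auth data length and
    sequence number, plus body) with the padded key appended. Plain keyed MD5, not HMAC."""
    return hashlib.md5(packet + _pad_key(key)).digest()


def build_hello(router_id, area_id, key_id, seq, key, body=None):
    """Sender side. The digest is appended after the packet and is NOT counted in the
    OSPF length field; the OSPF checksum is zero when cryptographic auth is in use."""
    if body is None:
        # Constructed minimal Hello body: mask, hello interval, options, priority,
        # dead interval, DR, BDR (values are illustrative)
        body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.255"),
                           10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)
    length = OSPF_HDR_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO) + auth
    packet = header + body
    return packet + ospf_md5_trailer(packet, key)


class OspfMd5Receiver:
    """Receive-side state of one interface: configured keys by Key ID and the highest
    accepted cryptographic sequence number per neighbor (keyed by router ID)."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = {}

    def verify(self, packet):
        """Returns (accepted, reason). Checks follow RFC 2328 D.4.3: key lookup, auth
        data length, sequence number (must be >= last accepted, so equal is allowed and
        a lower value is treated as a replay), then the digest. State is updated only
        after the digest verifies, so a forged packet cannot advance the counter."""
        if len(packet) < OSPF_HDR_LEN:
            return False, "short packet"
        version, _ptype, length, rid, _area, _cksum, autype = struct.unpack(
            "!BBH4s4sHH", packet[:16])
        _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:OSPF_HDR_LEN])
        if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
            return False, "not cryptographic authentication"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        if auth_len != MD5_LEN or len(packet) != length + MD5_LEN:
            return False, "bad authentication data length"
        neighbor = socket.inet_ntoa(rid)
        if seq < self.last_seq.get(neighbor, 0):
            return False, "replayed sequence number"
        if not hmac.compare_digest(ospf_md5_trailer(packet[:length], key), packet[length:]):
            return False, "digest mismatch"
        self.last_seq[neighbor] = seq
        return True, "ok"


# Sample values from this page: key ID 1 with the document's placeholder key (never reuse
# it), S5735-L-6 (router ID 1.1.1.106) sending into stub area 1.1.1.104.
KEY_ID, KEY = 1, b"huawei@123"
NEIGHBOR, AREA = "1.1.1.106", "1.1.1.104"

if __name__ == "__main__":
    rx = OspfMd5Receiver({KEY_ID: KEY})
    print(rx.verify(build_hello(NEIGHBOR, AREA, KEY_ID, 100, KEY)))
    print(rx.verify(build_hello(NEIGHBOR, AREA, KEY_ID, 99, KEY)))   # replayed
```

Two practical consequences follow from the construction. First, the Key ID lets both sides hold the old and new key at once during a rotation, so the key can be changed without dropping adjacencies. Second, the sequence number is only monotonic within a neighbor's uptime; a router that restarts and resets its counter will have its Hellos rejected as replays until the neighbor's stored value ages out with the adjacency, which is expected behaviour, not a fault.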
# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network, and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4 and their IPv6 addresses are
2001:F60::3 and 2001:F60::4, respectively.
[S6730-H-1] bgp 64700
[S6730-H-1-bgp] router-id 1.1.1.104
[S6730-H-1-bgp] peer 1.1.1.3 as-number 64700
[S6730-H-1-bgp] peer 1.1.1.3 connect-interface LoopBack0
[S6730-H-1-bgp] peer 1.1.1.3 password cipher huawei@123
[S6730-H-1-bgp] peer 1.1.1.4 as-number 64700
[S6730-H-1-bgp] peer 1.1.1.4 connect-interface LoopBack0
[S6730-H-1-bgp] peer 1.1.1.4 password cipher huawei@123
[S6730-H-1-bgp] peer 2001:F60::3 as-number 64700
[S6730-H-1-bgp] peer 2001:F60::3 connect-interface LoopBack0
[S6730-H-1-bgp] peer 2001:F60::3 password cipher huawei@123
[S6730-H-1-bgp] peer 2001:F60::4 as-number 64700
[S6730-H-1-bgp] peer 2001:F60::4 connect-interface LoopBack0
[S6730-H-1-bgp] peer 2001:F60::4 password cipher huawei@123
[S6730-H-1-bgp] ipv4-family unicast
[S6730-H-1-bgp-af-ipv4] peer 1.1.1.3 enable
[S6730-H-1-bgp-af-ipv4] peer 1.1.1.4 enable
[S6730-H-1-bgp-af-ipv4] quit
[S6730-H-1-bgp] ipv6-family unicast
[S6730-H-1-bgp-af-ipv6] peer 2001:F60::3 enable
[S6730-H-1-bgp-af-ipv6] peer 2001:F60::4 enable
[S6730-H-1-bgp-af-ipv6] quit
[S6730-H-1-bgp] quit
----End
# Enable OSPFv2 on VLANIF 2401, VLANIF 2402, and loopback 0. The following
example enables OSPFv2 on VLANIF 2401.
[S5731-H-5] interface Vlanif 2401
[S5731-H-5-Vlanif2401] ospf authentication-mode md5 1 cipher huawei@123
[S5731-H-5-Vlanif2401] ospf network-type p2p
[S5731-H-5-Vlanif2401] ospf enable 1 area 1.1.1.104
[S5731-H-5-Vlanif2401] quit
# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4, respectively.
[S5731-H-5] bgp 64700
[S5731-H-5-bgp] router-id 1.1.1.107
----End
# Create an Eth-Trunk, and add the Eth-Trunk and a physical interface to a VLAN.
<S6730-H-3> system-view
[S6730-H-3] vlan batch 210
[S6730-H-3] interface Eth-Trunk 2
[S6730-H-3-Eth-Trunk2] mode lacp
[S6730-H-3-Eth-Trunk2] port link-type trunk
[S6730-H-3-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S6730-H-3-Eth-Trunk2] port trunk allow-pass vlan 210
[S6730-H-3-Eth-Trunk2] quit
[S6730-H-3] interface XGigabitEthernet 0/0/1
[S6730-H-3-XGigabitEthernet0/0/1] port link-type trunk
[S6730-H-3-XGigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S6730-H-3-XGigabitEthernet0/0/1] port trunk allow-pass vlan 210
[S6730-H-3-XGigabitEthernet0/0/1] quit
----End
# Enable OSPFv2 and OSPFv3 on VLANIF 210, VLANIF 250, and loopback 0. The
following example enables OSPFv2 and OSPFv3 on VLANIF 210:
[S5735-L-6] interface Vlanif 210
[S5735-L-6-Vlanif210] ospf authentication-mode md5 1 cipher huawei@123
[S5735-L-6-Vlanif210] ospf network-type p2p
[S5735-L-6-Vlanif210] ospf enable 1 area 1.1.1.104
[S5735-L-6-Vlanif210] ospfv3 1 area 1.1.1.104
Step 3 Configure BGP on S5735-L-6 to import specified static routes (such as the routes
carrying tags 6000 and 6001) from the user side to the BGP routing table.
# Create routing policies.
[S5735-L-6] route-policy STATIC-to-BGP permit node 10
[S5735-L-6-route-policy] if-match tag 6000
[S5735-L-6-route-policy] route-policy STATIC-to-BGP permit node 20
[S5735-L-6-route-policy] if-match tag 6001
[S5735-L-6-route-policy] route-policy STATIC-to-BGP deny node 30
[S5735-L-6-route-policy] quit
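A route-policy is evaluated node by node in ascending sequence order, the first node whose if-match clauses all hold decides, and a route that matches no node is denied. The added example below (not vendor code) models exactly that for the STATIC-to-BGP policy above and then shows the failure mode a practitioner most needs to recognise: a trailing permit node without an if-match clause, which silently turns a tag filter into "advertise everything". The prefixes are constructed documentation-range values, not from the page.

```python
"""Ordered-node route-policy evaluation, modelled on the STATIC-to-BGP policy.
Added example, not vendor code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: Optional[int] = None       # a static route carries a tag only if one was set


@dataclass(frozen=True)
class Node:
    seq: int
    action: str                     # "permit" or "deny"
    match_tag: Optional[int] = None  # None = no if-match clause, the node matches every route

    def matches(self, route):
        return self.match_tag is None or route.tag == self.match_tag


def evaluate(policy, route):
    """Nodes are tried in ascending sequence order; the first node whose if-match clauses
    all hold decides (permit -> True, deny -> False). A route matching no node is denied:
    the implicit final deny of every route-policy."""
    for node in sorted(policy, key=lambda n: n.seq):
        if node.matches(route):
            return node.action == "permit"
    return False


def import_routes(policy, routes):
    """Routes that 'import-route static route-policy <name>' would hand to BGP."""
    return [r for r in routes if evaluate(policy, r)]


# The policy from the configuration above: permit tag 6000, permit tag 6001, deny the rest
STATIC_TO_BGP = [Node(10, "permit", 6000), Node(20, "permit", 6001), Node(30, "deny")]

# Constructed user-side static routes (documentation prefixes, not from the page)
STATIC_ROUTES = [Route("198.51.100.0/24", 6000), Route("198.51.100.128/25", 6001),
                 Route("203.0.113.0/24", 6002), Route("203.0.113.64/26")]

# The classic mistake: a trailing permit node with no if-match clause allows everything
LEAKY_POLICY = STATIC_TO_BGP[:2] + [Node(30, "permit")]

if __name__ == "__main__":
    for name, policy in (("STATIC-to-BGP", STATIC_TO_BGP), ("leaky variant", LEAKY_POLICY)):
        print(name, [r.prefix for r in import_routes(policy, STATIC_ROUTES)])
```

The explicit `deny node 30` in the page's policy is therefore functionally redundant with the implicit deny, but it is worth keeping: it documents the intent and means a later `permit node 40` added by mistake can never be reached.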
# Create a BGP process and configure peer relationships. Assume that RRs
working in active/standby mode are deployed on the ISP backbone network, and
their IPv4 addresses are 1.1.1.3 and 1.1.1.4 and their IPv6 addresses are
2001:F60::3 and 2001:F60::4, respectively.
[S5735-L-6] bgp 64700
[S5735-L-6-bgp] router-id 1.1.1.106
[S5735-L-6-bgp] peer 1.1.1.3 as-number 64700
[S5735-L-6-bgp] peer 1.1.1.3 connect-interface LoopBack0
[S5735-L-6-bgp] peer 1.1.1.3 password cipher huawei@123
[S5735-L-6-bgp] peer 1.1.1.4 as-number 64700
[S5735-L-6-bgp] peer 1.1.1.4 connect-interface LoopBack0
[S5735-L-6-bgp] peer 1.1.1.4 password cipher huawei@123
[S5735-L-6-bgp] peer 2001:F60::3 as-number 64700
[S5735-L-6-bgp] peer 2001:F60::3 connect-interface LoopBack0
[S5735-L-6-bgp] peer 2001:F60::3 password cipher huawei@123
[S5735-L-6-bgp] peer 2001:F60::4 as-number 64700
[S5735-L-6-bgp] peer 2001:F60::4 connect-interface LoopBack0
[S5735-L-6-bgp] peer 2001:F60::4 password cipher huawei@123
[S5735-L-6-bgp] ipv4-family unicast
[S5735-L-6-bgp-af-ipv4] import-route static route-policy STATIC-to-BGP
[S5735-L-6-bgp-af-ipv4] peer 1.1.1.3 enable
[S5735-L-6-bgp-af-ipv4] peer 1.1.1.4 enable
[S5735-L-6-bgp-af-ipv4] quit
[S5735-L-6-bgp] ipv6-family unicast
[S5735-L-6-bgp-af-ipv6] import-route static route-policy STATIC-to-BGP
[S5735-L-6-bgp-af-ipv6] peer 2001:F60::3 enable
[S5735-L-6-bgp-af-ipv6] peer 2001:F60::4 enable
[S5735-L-6-bgp-af-ipv6] quit
[S5735-L-6-bgp] quit
----End
Service Requirements
Large enterprises are usually connected to the backbone area of an ISP network.
ISPs can provide the following access services for large enterprise customers:
● Private line access for content service providers
● Internet access for data centers of large enterprises
● Internet access for users on enterprise campus networks
This scenario has the following characteristics:
● A large number of routes
● Flexible routing policies
● High access bandwidth
In most cases, enterprises have the following service requirements on the ISP
backbone network:
● Access requirements
Provide wired access for IPv4/IPv6 dual-stack services.
Provide high-bandwidth access and multi-gigabit access, such as 10 Gbit/s
and 1 Gbit/s, for different types of users.
● Route control requirements
Meet flexible route forwarding requirements.
Control route advertisement and import based on routing policies.
Control traffic routes through explicit paths of traffic engineering (TE)
tunnels.
● Reliability requirements
Ensure bandwidth using multiple egress links.
Ensure high reliability and service continuity for important services such as
enterprise private line services.
Provide backup functions for key network nodes to ensure reliable
transmission of data services.
Shorten the service interruption time as much as possible to ensure user
experience upon an intermittent link disconnection or a device fault.
● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Meet security compliance requirements.
Control user access to ensure network security.
[Networking diagram not reproduced. It shows Router connected to the Internet; RR1 and RR2; P1 and P2; the PE devices; and the access switches SW1 and SW2 (S5735-L) connecting Enterprise 1 and Enterprise 2. All devices are interconnected by Eth-Trunk interfaces (Eth-Trunk 0 to Eth-Trunk 5).]
In this example, S12700E series switches are used as P devices, RRs, and Router.
Deployment Roadmap
The configuration roadmap is as follows:
1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. Configure OSPF between PE devices, P devices, Router, and RRs. Configure
BGP, and configure PE devices, P devices, and Router to establish IBGP peer
relationships with RRs.
3. Enable MD5 authentication on OSPF-enabled interfaces, and configure BGP
peers to perform MD5 authentication when establishing TCP connections.
4. Enable MPLS and MPLS RSVP on PE devices, P devices, and Router, and
establish TE tunnels between PE devices and Router.
Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.
Loopback 0 addresses (the extracted table lost its device column; devices are matched by the router IDs, LSR IDs, and tunnel destinations used in the configurations below, RR2 being the remaining entry):
● PE1: 4.4.4.143/32, 2001::149/128
● PE2: 4.4.4.144/32, 2001::14A/128
● P1: 4.4.4.1/32, 2001::21/128
● P2: 4.4.4.2/32, 2001::22/128
● Router: 4.4.4.39/32, 2001::31/128
● RR1: 4.4.4.27/32, 2001::15/128
● RR2: 4.4.4.28/32, 2001::16/128
Also recoverable from the table: an Eth-Trunk 1 entry described as the interface connected to PE2 (matching the To_PE2 description on P1 below).
# Enable IPv6 globally. Create Eth-Trunk 0 and configure its IPv4 and IPv6 addresses.
Enable LACP, and add XGE1/0/0 and XGE2/0/0 to Eth-Trunk 0.
<PE1> system-view
[PE1] ipv6
[PE1] interface Eth-Trunk 0
[PE1-Eth-Trunk0] undo portswitch
[PE1-Eth-Trunk0] description To_P1
[PE1-Eth-Trunk0] ip address 1.1.1.2 255.255.255.252
[PE1-Eth-Trunk0] ipv6 enable
[PE1-Eth-Trunk0] ipv6 address 2001:0:0:4D9::2/64
[PE1-Eth-Trunk0] mode lacp
[PE1-Eth-Trunk0] quit
[PE1] interface XGigabitEthernet 1/0/0
[PE1-XGigabitEthernet1/0/0] eth-trunk 0
[PE1-XGigabitEthernet1/0/0] quit
[PE1] interface XGigabitEthernet 2/0/0
[PE1-XGigabitEthernet2/0/0] eth-trunk 0
[PE1-XGigabitEthernet2/0/0] quit
# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[PE1] interface Eth-Trunk 1
[PE1-Eth-Trunk1] undo portswitch
[PE1-Eth-Trunk1] description To_P2
[PE1-Eth-Trunk1] ip address 1.1.1.10 255.255.255.252
[PE1-Eth-Trunk1] ipv6 enable
[PE1-Eth-Trunk1] ipv6 address 2001:0:0:4DB::2/64
[PE1-Eth-Trunk1] mode lacp
[PE1-Eth-Trunk1] quit
[PE1] interface XGigabitEthernet 1/0/1
[PE1-XGigabitEthernet1/0/1] eth-trunk 1
[PE1-XGigabitEthernet1/0/1] quit
[PE1] interface XGigabitEthernet 2/0/1
[PE1-XGigabitEthernet2/0/1] eth-trunk 1
[PE1-XGigabitEthernet2/0/1] quit
# Create Eth-Trunk 2 and configure its IPv4 address. Enable LACP, and add
XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
[PE1] interface Eth-Trunk 2
[PE1-Eth-Trunk2] undo portswitch
[PE1-Eth-Trunk2] description To_SW1
[PE1-Eth-Trunk2] ip address 2.2.2.205 255.255.255.252
[PE1-Eth-Trunk2] mode lacp
[PE1-Eth-Trunk2] quit
[PE1] interface XGigabitEthernet 3/0/0
[PE1-XGigabitEthernet3/0/0] eth-trunk 2
[PE1-XGigabitEthernet3/0/0] quit
[PE1] interface XGigabitEthernet 4/0/0
[PE1-XGigabitEthernet4/0/0] eth-trunk 2
[PE1-XGigabitEthernet4/0/0] quit
# Create Eth-Trunk 3 and configure its IPv4 address. Enable LACP, and add
XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[PE1] interface Eth-Trunk 3
[PE1-Eth-Trunk3] undo portswitch
[PE1-Eth-Trunk3] description To_SW2
[PE1-Eth-Trunk3] ip address 3.3.3.114 255.255.255.248
[PE1-Eth-Trunk3] mode lacp
[PE1-Eth-Trunk3] quit
[PE1] interface XGigabitEthernet 3/0/1
[PE1-XGigabitEthernet3/0/1] eth-trunk 3
[PE1-XGigabitEthernet3/0/1] quit
[PE1] interface XGigabitEthernet 4/0/1
[PE1-XGigabitEthernet4/0/1] eth-trunk 3
[PE1-XGigabitEthernet4/0/1] quit
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[PE1] interface LoopBack 0
[PE1-LoopBack0] ip address 4.4.4.143 255.255.255.255
[PE1-LoopBack0] ipv6 enable
[PE1-LoopBack0] ipv6 address 2001::149/128
[PE1-LoopBack0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[PE1] ospfv3 1
[PE1-ospfv3-1] router-id 4.4.4.143
[PE1-ospfv3-1] bandwidth-reference 1000000
[PE1-ospfv3-1] graceful-restart
[PE1-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[PE1] interface Eth-Trunk 0
[PE1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk0] ospf network-type p2p
[PE1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[PE1-Eth-Trunk0] ospfv3 network-type p2p
[PE1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[PE1-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[PE1] interface Eth-Trunk 1
[PE1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[PE1-Eth-Trunk1] ospf network-type p2p
[PE1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[PE1-Eth-Trunk1] ospfv3 network-type p2p
[PE1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[PE1-Eth-Trunk1] quit
Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of PE1.
# Configure MPLS RSVP-TE and enable MPLS globally.
[PE1] mpls lsr-id 4.4.4.143
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls rsvp-te hello
[PE1-mpls] mpls rsvp-te srefresh
[PE1-mpls] quit
# Configure TE tunnels.
[PE1] interface Tunnel1
[PE1-Tunnel1] ip address unnumbered interface LoopBack0
[PE1-Tunnel1] tunnel-protocol mpls te
[PE1-Tunnel1] destination 4.4.4.1
[PE1-Tunnel1] mpls te tunnel-id 1
[PE1-Tunnel1] mpls te signalled tunnel-name pe1->P1-1
[PE1-Tunnel1] mpls te record-route label
[PE1-Tunnel1] mpls te path explicit-path TO-P1-1
[PE1-Tunnel1] mpls te path explicit-path TO-P1-2 secondary
[PE1-Tunnel1] mpls te backup hot-standby
[PE1-Tunnel1] mpls te igp shortcut ospf
[PE1-Tunnel1] mpls te igp metric absolute 10
[PE1-Tunnel1] mpls te reserved-for-binding
[PE1-Tunnel1] ospf enable 1 area 0.0.0.0
[PE1-Tunnel1] mpls
[PE1-Tunnel1] mpls te commit
[PE1-Tunnel1] quit
[PE1] interface Tunnel2
[PE1-Tunnel2] ip address unnumbered interface LoopBack0
[PE1-Tunnel2] tunnel-protocol mpls te
[PE1-Tunnel2] destination 4.4.4.2
[PE1-Tunnel2] mpls te tunnel-id 2
[PE1-Tunnel2] mpls te signalled tunnel-name pe1->P2-1
[PE1-Tunnel2] mpls te record-route label
[PE1-Tunnel2] mpls te path explicit-path TO-P2-1
[PE1-Tunnel2] mpls te path explicit-path TO-P2-2 secondary
[PE1-Tunnel2] mpls te backup hot-standby
[PE1-Tunnel2] mpls te igp shortcut ospf
[PE1-Tunnel2] mpls te igp metric absolute 10
[PE1-Tunnel2] mpls te reserved-for-binding
[PE1-Tunnel2] ospf enable 1 area 0.0.0.0
[PE1-Tunnel2] mpls
[PE1-Tunnel2] mpls te commit
[PE1-Tunnel2] quit
[PE1] interface Tunnel3
[PE1-Tunnel3] ip address unnumbered interface LoopBack0
[PE1-Tunnel3] tunnel-protocol mpls te
[PE1-Tunnel3] destination 4.4.4.39
[PE1-Tunnel3] mpls te tunnel-id 19
[PE1-Tunnel3] mpls te signalled tunnel-name pe1->router-1
[PE1-Tunnel3] mpls te record-route label
[PE1-Tunnel3] mpls te path explicit-path TO-ROUTER-1
[PE1-Tunnel3] mpls te path explicit-path TO-ROUTER-2 secondary
[PE1-Tunnel3] mpls te backup hot-standby
[PE1-Tunnel3] mpls te igp shortcut ospf
[PE1-Tunnel3] mpls te igp metric absolute 10
[PE1-Tunnel3] mpls te reserved-for-binding
[PE1-Tunnel3] ospf enable 1 area 0.0.0.0
[PE1-Tunnel3] mpls
[PE1-Tunnel3] mpls te commit
[PE1-Tunnel3] quit
Step 5 Configure BGP and BGP4+, and configure PE1 to establish IBGP peer relationships
with RR1 and RR2 and establish an EBGP peer relationship with SW1.
# Start the BGP process and configure BGP peers.
[PE1] bgp 2519
[PE1-bgp] router-id 4.4.4.143
[PE1-bgp] graceful-restart
[PE1-bgp] group IPv6-PRIVATEAS_CUSTOMER external
[PE1-bgp] group PRIVATEAS_CUSTOMER external
[PE1-bgp] peer 2.2.2.206 as-number 64901
[PE1-bgp] peer 2.2.2.206 group PRIVATEAS_CUSTOMER
[PE1-bgp] peer 2.2.2.206 password cipher huawei@123
[PE1-bgp] group iBGP internal
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit
----End
# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[PE2] interface Eth-Trunk 1
[PE2-Eth-Trunk1] undo portswitch
[PE2-Eth-Trunk1] description To_P2
[PE2-Eth-Trunk1] ip address 1.1.1.14 255.255.255.252
[PE2-Eth-Trunk1] ipv6 enable
[PE2-Eth-Trunk1] ipv6 address 2001:0:0:4DC::2/64
[PE2-Eth-Trunk1] mode lacp
[PE2-Eth-Trunk1] quit
[PE2] interface XGigabitEthernet 1/0/1
[PE2-XGigabitEthernet1/0/1] eth-trunk 1
[PE2-XGigabitEthernet1/0/1] quit
[PE2] interface XGigabitEthernet 2/0/1
[PE2-XGigabitEthernet2/0/1] eth-trunk 1
[PE2-XGigabitEthernet2/0/1] quit
# Create Eth-Trunk 2 and configure its IPv4 address. Enable LACP, and add
XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
# Create Eth-Trunk 3 and configure its IPv4 address. Enable LACP, and add
XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[PE2] interface Eth-Trunk 3
[PE2-Eth-Trunk3] undo portswitch
[PE2-Eth-Trunk3] description To_SW2
[PE2-Eth-Trunk3] ip address 3.3.3.115 255.255.255.248
[PE2-Eth-Trunk3] mode lacp
[PE2-Eth-Trunk3] quit
[PE2] interface XGigabitEthernet 3/0/1
[PE2-XGigabitEthernet3/0/1] eth-trunk 3
[PE2-XGigabitEthernet3/0/1] quit
[PE2] interface XGigabitEthernet 4/0/1
[PE2-XGigabitEthernet4/0/1] eth-trunk 3
[PE2-XGigabitEthernet4/0/1] quit
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[PE2] interface LoopBack 0
[PE2-LoopBack0] ip address 4.4.4.144 255.255.255.255
[PE2-LoopBack0] ipv6 enable
[PE2-LoopBack0] ipv6 address 2001::14A/128
[PE2-LoopBack0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[PE2] ospfv3 1
[PE2-ospfv3-1] router-id 4.4.4.144
[PE2-ospfv3-1] bandwidth-reference 1000000
[PE2-ospfv3-1] graceful-restart
[PE2-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[PE2] interface Eth-Trunk 0
[PE2-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk0] ospf network-type p2p
[PE2-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[PE2-Eth-Trunk0] ospfv3 network-type p2p
[PE2-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[PE2-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[PE2] interface Eth-Trunk 1
[PE2-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[PE2-Eth-Trunk1] ospf network-type p2p
[PE2-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[PE2-Eth-Trunk1] ospfv3 network-type p2p
[PE2-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[PE2-Eth-Trunk1] quit
Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of PE2.
# Configure MPLS RSVP-TE and enable MPLS globally.
[PE2] mpls lsr-id 4.4.4.144
[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] mpls rsvp-te
[PE2-mpls] mpls rsvp-te hello
[PE2-mpls] mpls rsvp-te srefresh
[PE2-mpls] quit
# Configure TE tunnels.
[PE2] interface Tunnel1
[PE2-Tunnel1] ip address unnumbered interface LoopBack0
[PE2-Tunnel1] tunnel-protocol mpls te
[PE2-Tunnel1] destination 4.4.4.1
[PE2-Tunnel1] mpls te tunnel-id 1
[PE2-Tunnel1] mpls te signalled tunnel-name pe2->P1-1
[PE2-Tunnel1] mpls te record-route label
[PE2-Tunnel1] mpls te path explicit-path TO-P1-1
[PE2-Tunnel1] mpls te path explicit-path TO-P1-2 secondary
[PE2-Tunnel1] mpls te backup hot-standby
[PE2-Tunnel1] mpls te igp shortcut ospf
[PE2-Tunnel1] mpls te igp metric absolute 10
[PE2-Tunnel1] mpls te reserved-for-binding
[PE2-Tunnel1] ospf enable 1 area 0.0.0.0
[PE2-Tunnel1] mpls
[PE2-Tunnel1] mpls te commit
[PE2-Tunnel1] quit
[PE2] interface Tunnel2
[PE2-Tunnel2] ip address unnumbered interface LoopBack0
[PE2-Tunnel2] tunnel-protocol mpls te
[PE2-Tunnel2] destination 4.4.4.2
[PE2-Tunnel2] mpls te tunnel-id 2
[PE2-Tunnel2] mpls te signalled tunnel-name pe2->P2-1
[PE2-Tunnel2] mpls te record-route label
[PE2-Tunnel2] mpls te path explicit-path TO-P2-1
[PE2-Tunnel2] mpls te path explicit-path TO-P2-2 secondary
[PE2-Tunnel2] mpls te backup hot-standby
[PE2-Tunnel2] mpls te igp shortcut ospf
[PE2-Tunnel2] mpls te igp metric absolute 10
[PE2-Tunnel2] mpls te reserved-for-binding
[PE2-Tunnel2] ospf enable 1 area 0.0.0.0
[PE2-Tunnel2] mpls
[PE2-Tunnel2] mpls te commit
[PE2-Tunnel2] quit
[PE2] interface Tunnel3
[PE2-Tunnel3] ip address unnumbered interface LoopBack0
[PE2-Tunnel3] tunnel-protocol mpls te
[PE2-Tunnel3] destination 4.4.4.39
[PE2-Tunnel3] mpls te tunnel-id 3
[PE2-Tunnel3] mpls te signalled tunnel-name pe2->router-1
[PE2-Tunnel3] mpls te record-route label
[PE2-Tunnel3] mpls te path explicit-path TO-ROUTER-1
[PE2-Tunnel3] mpls te path explicit-path TO-ROUTER-2 secondary
[PE2-Tunnel3] mpls te backup hot-standby
[PE2-Tunnel3] mpls te igp shortcut ospf
[PE2-Tunnel3] mpls te igp metric absolute 10
[PE2-Tunnel3] mpls te reserved-for-binding
[PE2-Tunnel3] ospf enable 1 area 0.0.0.0
[PE2-Tunnel3] mpls
[PE2-Tunnel3] mpls te commit
[PE2-Tunnel3] quit
[PE2] interface Tunnel4
[PE2-Tunnel4] ip address unnumbered interface LoopBack0
[PE2-Tunnel4] tunnel-protocol mpls te
[PE2-Tunnel4] destination 4.4.4.39
[PE2-Tunnel4] mpls te tunnel-id 4
[PE2-Tunnel4] mpls te signalled tunnel-name pe2->router-2
[PE2-Tunnel4] mpls te record-route label
[PE2-Tunnel4] mpls te path explicit-path TO-ROUTER-2
[PE2-Tunnel4] mpls te path explicit-path TO-ROUTER-1 secondary
[PE2-Tunnel4] mpls te backup hot-standby
[PE2-Tunnel4] mpls te igp shortcut ospf
[PE2-Tunnel4] mpls te igp metric absolute 10
[PE2-Tunnel4] mpls te reserved-for-binding
[PE2-Tunnel4] ospf enable 1 area 0.0.0.0
[PE2-Tunnel4] mpls
[PE2-Tunnel4] mpls te commit
[PE2-Tunnel4] quit
[PE2] interface Tunnel5
[PE2-Tunnel5] ip address unnumbered interface LoopBack0
[PE2-Tunnel5] tunnel-protocol mpls te
[PE2-Tunnel5] destination 4.4.4.143
[PE2-Tunnel5] mpls te tunnel-id 5
[PE2-Tunnel5] mpls te signalled tunnel-name pe2->pe1-1
[PE2-Tunnel5] mpls te record-route label
[PE2-Tunnel5] mpls te path explicit-path TO-PE1-1
[PE2-Tunnel5] mpls te path explicit-path TO-PE1-2 secondary
[PE2-Tunnel5] mpls te backup hot-standby
[PE2-Tunnel5] mpls te igp shortcut ospf
[PE2-Tunnel5] mpls te igp metric absolute 10
[PE2-Tunnel5] mpls te reserved-for-binding
[PE2-Tunnel5] ospf enable 1 area 0.0.0.0
[PE2-Tunnel5] mpls
[PE2-Tunnel5] mpls te commit
[PE2-Tunnel5] quit
Step 5 Configure BGP and BGP4+, and configure PE2 to establish IBGP peer relationships
with RR1 and RR2 and establish an EBGP peer relationship with SW1.
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit
----End
# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[P1] interface Eth-Trunk 1
[P1-Eth-Trunk1] undo portswitch
[P1-Eth-Trunk1] description To_PE2
[P1-Eth-Trunk1] ip address 1.1.1.5 255.255.255.252
[P1-Eth-Trunk1] ipv6 enable
[P1-Eth-Trunk1] ipv6 address 2001:0:0:4DA::1/64
[P1-Eth-Trunk1] mode lacp
[P1-Eth-Trunk1] quit
[P1] interface XGigabitEthernet 1/0/1
[P1-XGigabitEthernet1/0/1] eth-trunk 1
[P1-XGigabitEthernet1/0/1] quit
[P1] interface XGigabitEthernet 2/0/1
[P1-XGigabitEthernet2/0/1] eth-trunk 1
[P1-XGigabitEthernet2/0/1] quit
# Create Eth-Trunk 2 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/0 and XGE4/0/0 to Eth-Trunk 2.
[P1] interface Eth-Trunk 2
[P1-Eth-Trunk2] undo portswitch
[P1-Eth-Trunk2] description To_P2
[P1-Eth-Trunk2] ip address 1.1.2.9 255.255.255.252
[P1-Eth-Trunk2] ipv6 enable
[P1-Eth-Trunk2] ipv6 address 2001:0:0:4D8::1/64
[P1-Eth-Trunk2] mode lacp
[P1-Eth-Trunk2] quit
[P1] interface XGigabitEthernet 3/0/0
[P1-XGigabitEthernet3/0/0] eth-trunk 2
[P1-XGigabitEthernet3/0/0] quit
[P1] interface XGigabitEthernet 4/0/0
[P1-XGigabitEthernet4/0/0] eth-trunk 2
[P1-XGigabitEthernet4/0/0] quit
# Create Eth-Trunk 3 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/1 and XGE4/0/1 to Eth-Trunk 3.
[P1] interface Eth-Trunk 3
[P1-Eth-Trunk3] undo portswitch
[P1-Eth-Trunk3] description To_RR1
[P1-Eth-Trunk3] ip address 1.1.2.233 255.255.255.252
[P1-Eth-Trunk3] ipv6 enable
[P1-Eth-Trunk3] ipv6 address 2001:0:0:4D7::1/64
[P1-Eth-Trunk3] mode lacp
[P1-Eth-Trunk3] quit
[P1] interface XGigabitEthernet 3/0/1
[P1-XGigabitEthernet3/0/1] eth-trunk 3
[P1-XGigabitEthernet3/0/1] quit
[P1] interface XGigabitEthernet 4/0/1
[P1-XGigabitEthernet4/0/1] eth-trunk 3
[P1-XGigabitEthernet4/0/1] quit
# Create Eth-Trunk 4 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/2 and XGE4/0/2 to Eth-Trunk 4.
[P1] interface Eth-Trunk 4
[P1-Eth-Trunk4] undo portswitch
[P1-Eth-Trunk4] description To_RR2
[P1-Eth-Trunk4] ip address 1.1.2.189 255.255.255.252
[P1-Eth-Trunk4] ipv6 enable
[P1-Eth-Trunk4] ipv6 address 2001:0:0:4E2::1/64
[P1-Eth-Trunk4] mode lacp
[P1-Eth-Trunk4] quit
[P1] interface XGigabitEthernet 3/0/2
[P1-XGigabitEthernet3/0/2] eth-trunk 4
[P1-XGigabitEthernet3/0/2] quit
[P1] interface XGigabitEthernet 4/0/2
[P1-XGigabitEthernet4/0/2] eth-trunk 4
[P1-XGigabitEthernet4/0/2] quit
# Create Eth-Trunk 5 and configure its IPv4 and IPv6 addresses. Enable LACP, and
add XGE3/0/3 and XGE4/0/3 to Eth-Trunk 5.
[P1] interface Eth-Trunk 5
[P1-Eth-Trunk5] undo portswitch
[P1-Eth-Trunk5] description To_Router
[P1-Eth-Trunk5] ip address 1.1.2.225 255.255.255.252
[P1-Eth-Trunk5] ipv6 enable
[P1-Eth-Trunk5] ipv6 address 2001:0:0:4D5::1/64
[P1-Eth-Trunk5] mode lacp
[P1-Eth-Trunk5] quit
[P1] interface XGigabitEthernet 3/0/3
[P1-XGigabitEthernet3/0/3] eth-trunk 5
[P1-XGigabitEthernet3/0/3] quit
[P1] interface XGigabitEthernet 4/0/3
[P1-XGigabitEthernet4/0/3] eth-trunk 5
[P1-XGigabitEthernet4/0/3] quit
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[P1] interface LoopBack 0
[P1-LoopBack0] ip address 4.4.4.1 255.255.255.255
[P1-LoopBack0] ipv6 enable
[P1-LoopBack0] ipv6 address 2001::21/128
[P1-LoopBack0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[P1] ospfv3 1
[P1-ospfv3-1] router-id 4.4.4.1
[P1-ospfv3-1] bandwidth-reference 1000000
[P1-ospfv3-1] graceful-restart
[P1-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[P1] interface Eth-Trunk 0
[P1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk0] ospf network-type p2p
[P1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk0] ospfv3 network-type p2p
[P1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[P1] interface Eth-Trunk 1
[P1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk1] ospf network-type p2p
[P1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk1] ospfv3 network-type p2p
[P1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 2 and set the network type to P2P.
[P1] interface Eth-Trunk 2
[P1-Eth-Trunk2] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk2] ospf network-type p2p
[P1-Eth-Trunk2] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk2] ospfv3 network-type p2p
[P1-Eth-Trunk2] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk2] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 3 and set the network type to P2P.
[P1] interface Eth-Trunk 3
[P1-Eth-Trunk3] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk3] ospf network-type p2p
[P1-Eth-Trunk3] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk3] ospfv3 network-type p2p
[P1-Eth-Trunk3] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk3] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 4, set the network type to P2P, and set
the OSPF cost value.
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 5, set the network type to P2P, and set
the OSPF cost value.
[P1] interface Eth-Trunk 5
[P1-Eth-Trunk5] ospf enable 1 area 0.0.0.0
[P1-Eth-Trunk5] ospf network-type p2p
[P1-Eth-Trunk5] ospfv3 1 area 0.0.0.0
[P1-Eth-Trunk5] ospfv3 network-type p2p
[P1-Eth-Trunk5] ospfv3 ipsec sa ospfv3-sa
[P1-Eth-Trunk5] quit
Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces
of P1.
# Configure MPLS RSVP-TE and enable MPLS globally.
[P1] mpls lsr-id 4.4.4.1
[P1] mpls
[P1-mpls] mpls te
[P1-mpls] mpls rsvp-te
[P1-mpls] mpls rsvp-te hello
[P1-mpls] mpls rsvp-te srefresh
[P1-mpls] quit
[P1-Eth-Trunk5] mpls te
[P1-Eth-Trunk5] mpls rsvp-te
[P1-Eth-Trunk5] mpls rsvp-te hello
[P1-Eth-Trunk5] quit
# Configure TE tunnels.
[P1] interface Tunnel1
[P1-Tunnel1] ip address unnumbered interface LoopBack0
[P1-Tunnel1] tunnel-protocol mpls te
[P1-Tunnel1] destination 4.4.4.143
[P1-Tunnel1] mpls te tunnel-id 1
[P1-Tunnel1] mpls te signalled tunnel-name P1->pe1-1
[P1-Tunnel1] mpls te record-route label
[P1-Tunnel1] mpls te path explicit-path TO-PE1-1
[P1-Tunnel1] mpls te path explicit-path TO-PE1-2 secondary
[P1-Tunnel1] mpls te backup hot-standby
[P1-Tunnel1] mpls te igp shortcut ospf
[P1-Tunnel1] mpls te igp metric absolute 10
[P1-Tunnel1] mpls te reserved-for-binding
[P1-Tunnel1] ospf enable 1 area 0.0.0.0
[P1-Tunnel1] mpls
[P1-Tunnel1] mpls te commit
[P1-Tunnel1] quit
[P1] interface Tunnel2
[P1-Tunnel2] ip address unnumbered interface LoopBack0
[P1-Tunnel2] tunnel-protocol mpls te
[P1-Tunnel2] destination 4.4.4.144
[P1-Tunnel2] mpls te tunnel-id 2
[P1-Tunnel2] mpls te signalled tunnel-name P1->pe2-1
[P1-Tunnel2] mpls te record-route label
[P1-Tunnel2] mpls te path explicit-path TO-PE2-1
[P1-Tunnel2] mpls te path explicit-path TO-PE2-2 secondary
[P1-Tunnel2] mpls te backup hot-standby
[P1-Tunnel2] mpls te igp shortcut ospf
[P1-Tunnel2] mpls te igp metric absolute 10
[P1-Tunnel2] mpls te reserved-for-binding
[P1-Tunnel2] ospf enable 1 area 0.0.0.0
[P1-Tunnel2] mpls
[P1-Tunnel2] mpls te commit
[P1-Tunnel2] quit
Step 5 Configure BGP and BGP4+, and configure P1 to establish IBGP peer relationships with RR1 and RR2.
----End
# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[RR1] interface LoopBack 0
[RR1-LoopBack0] ip address 4.4.4.27 255.255.255.255
[RR1-LoopBack0] ipv6 enable
[RR1-LoopBack0] ipv6 address 2001::15/128
[RR1-LoopBack0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[RR1] ospfv3 1
[RR1-ospfv3-1] router-id 4.4.4.27
[RR1-ospfv3-1] bandwidth-reference 1000000
[RR1-ospfv3-1] graceful-restart
[RR1-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set the OSPF cost value.
[RR1] interface Eth-Trunk 0
[RR1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[RR1-Eth-Trunk0] ospf network-type p2p
[RR1-Eth-Trunk0] ospf cost 10000
[RR1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[RR1-Eth-Trunk0] ospfv3 network-type p2p
[RR1-Eth-Trunk0] ospfv3 cost 10000
[RR1-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[RR1-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set the OSPF cost value.
[RR1] interface Eth-Trunk 1
[RR1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[RR1-Eth-Trunk1] ospf network-type p2p
[RR1-Eth-Trunk1] ospf cost 1000
[RR1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[RR1-Eth-Trunk1] ospfv3 network-type p2p
[RR1-Eth-Trunk1] ospfv3 cost 1000
[RR1-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[RR1-Eth-Trunk1] quit
Step 3 Configure BGP and BGP4+, and configure RR1 to establish IBGP peer relationships with other network elements (NEs).
# Start the BGP process and configure BGP peers.
[RR1] bgp 2519
[RR1-bgp] router-id 4.4.4.27
[RR1-bgp] graceful-restart
[RR1-bgp] group iBGP internal
[RR1-bgp] peer iBGP connect-interface LoopBack0
[RR1-bgp] peer 4.4.4.1 as-number 2519
[RR1-bgp] peer 4.4.4.1 group iBGP
[RR1-bgp] peer 4.4.4.1 password cipher huawei@123
[RR1-bgp] peer 4.4.4.2 as-number 2519
[RR1-bgp] peer 4.4.4.2 group iBGP
[RR1-bgp] peer 4.4.4.2 password cipher huawei@123
[RR1-bgp] peer 4.4.4.39 as-number 2519
[RR1-bgp] peer 4.4.4.39 group iBGP
[RR1-bgp] peer 4.4.4.39 password cipher huawei@123
[RR1-bgp] peer 4.4.4.143 as-number 2519
[RR1-bgp] peer 4.4.4.143 group iBGP
[RR1-bgp] peer 4.4.4.143 password cipher huawei@123
[RR1-bgp] peer 4.4.4.144 as-number 2519
[RR1-bgp] peer 4.4.4.144 group iBGP
[RR1-bgp] peer 4.4.4.144 password cipher huawei@123
[RR1-bgp] peer 2001::149 as-number 2519
[RR1-bgp] peer 2001::149 group iBGP
[RR1-bgp] peer 2001::149 password cipher huawei@123
[RR1-bgp] peer 2001::14A as-number 2519
[RR1-bgp] peer 2001::14A group iBGP
[RR1-bgp] peer 2001::14A password cipher huawei@123
[RR1-bgp] peer 2001::21 as-number 2519
[RR1-bgp] peer 2001::21 group iBGP
[RR1-bgp] peer 2001::21 password cipher huawei@123
[RR1-bgp] peer 2001::22 as-number 2519
[RR1-bgp] peer 2001::22 group iBGP
[RR1-bgp] peer 2001::22 password cipher huawei@123
[RR1-bgp] peer 2001::31 as-number 2519
[RR1-bgp] peer 2001::31 group iBGP
[RR1-bgp] peer 2001::31 password cipher huawei@123
----End
# Create Eth-Trunk 1 and configure its IPv4 and IPv6 addresses. Enable LACP, and add XGE1/0/1 and XGE2/0/1 to Eth-Trunk 1.
[Router] interface Eth-Trunk 1
[Router-Eth-Trunk1] undo portswitch
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[Router] interface LoopBack 0
[Router-LoopBack0] ip address 4.4.4.39 255.255.255.255
[Router-LoopBack0] ipv6 enable
[Router-LoopBack0] ipv6 address 2001::31/128
[Router-LoopBack0] quit
# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and configure password authentication.
[Router] ospf 1 router-id 4.4.4.39
[Router-ospf-1] silent-interface all
[Router-ospf-1] undo silent-interface Eth-Trunk0
[Router-ospf-1] undo silent-interface Eth-Trunk1
[Router-ospf-1] default-route-advertise always
[Router-ospf-1] preference 80
[Router-ospf-1] opaque-capability enable
[Router-ospf-1] graceful-restart
[Router-ospf-1] bandwidth-reference 1000000
[Router-ospf-1] enable traffic-adjustment
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[Router-ospf-1-area-0.0.0.0] mpls-te enable
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[Router] ospfv3 1
[Router-ospfv3-1] router-id 4.4.4.39
[Router-ospfv3-1] bandwidth-reference 1000000
[Router-ospfv3-1] graceful-restart
[Router-ospfv3-1] default-route-advertise always
[Router-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0 and set the network type to P2P.
[Router] interface Eth-Trunk 0
[Router-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[Router-Eth-Trunk0] ospf network-type p2p
[Router-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[Router-Eth-Trunk0] ospfv3 network-type p2p
[Router-Eth-Trunk0] ospfv3 ipsec sa ospfv3-sa
[Router-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1 and set the network type to P2P.
[Router] interface Eth-Trunk 1
[Router-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[Router-Eth-Trunk1] ospf network-type p2p
[Router-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[Router-Eth-Trunk1] ospfv3 network-type p2p
[Router-Eth-Trunk1] ospfv3 ipsec sa ospfv3-sa
[Router-Eth-Trunk1] quit
Step 3 Configure MPLS and RSVP-TE globally and enable them on all Layer 3 interfaces of Router.
# Configure MPLS RSVP-TE and enable MPLS globally.
[Router] mpls lsr-id 4.4.4.39
[Router] mpls
[Router-mpls] mpls te
[Router-mpls] mpls rsvp-te
[Router-mpls] mpls rsvp-te hello
[Router-mpls] mpls rsvp-te srefresh
[Router-mpls] quit
# Configure TE tunnels.
[Router] interface Tunnel1
[Router-Tunnel1] ip address unnumbered interface LoopBack0
[Router-Tunnel1] tunnel-protocol mpls te
[Router-Tunnel1] destination 4.4.4.143
[Router-Tunnel1] mpls te tunnel-id 1
[Router-Tunnel1] mpls te signalled tunnel-name router->pe1-1
[Router-Tunnel1] mpls te record-route label
[Router-Tunnel1] mpls te path explicit-path TO-PE1-1
[Router-Tunnel1] mpls te path explicit-path TO-PE1-2 secondary
[Router-Tunnel1] mpls te backup hot-standby
[Router-Tunnel1] mpls te igp shortcut ospf
[Router-Tunnel1] mpls te igp metric absolute 10
[Router-Tunnel1] mpls te reserved-for-binding
[Router-Tunnel1] ospf enable 1 area 0.0.0.0
[Router-Tunnel1] mpls
[Router-Tunnel1] mpls te commit
[Router-Tunnel1] quit
[Router] interface Tunnel2
[Router-Tunnel2] ip address unnumbered interface LoopBack0
[Router-Tunnel2] tunnel-protocol mpls te
[Router-Tunnel2] destination 4.4.4.144
[Router-Tunnel2] mpls te tunnel-id 2
[Router-Tunnel2] mpls te signalled tunnel-name router->pe2-1
[Router-Tunnel2] mpls te record-route label
[Router-Tunnel2] mpls te path explicit-path TO-PE2-1
[Router-Tunnel2] mpls te path explicit-path TO-PE2-2 secondary
[Router-Tunnel2] mpls te backup hot-standby
[Router-Tunnel2] mpls te igp shortcut ospf
[Router-Tunnel2] mpls te igp metric absolute 10
[Router-Tunnel2] mpls te reserved-for-binding
[Router-Tunnel2] ospf enable 1 area 0.0.0.0
[Router-Tunnel2] mpls
[Router-Tunnel2] mpls te commit
[Router-Tunnel2] quit
Step 5 Configure BGP and BGP4+, and configure Router to establish IBGP peer relationships with RR1 and RR2.
# Start the BGP process and configure BGP peers.
[Router] bgp 2519
[Router-bgp] router-id 4.4.4.39
[Router-bgp] graceful-restart
[Router-bgp] group iBGP internal
[Router-bgp] peer iBGP connect-interface LoopBack0
[Router-bgp] peer 4.4.4.27 as-number 2519
[Router-bgp] peer 4.4.4.27 group iBGP
[Router-bgp] peer 4.4.4.27 password cipher huawei@123
[Router-bgp] peer 4.4.4.28 as-number 2519
[Router-bgp] peer 4.4.4.28 group iBGP
[Router-bgp] peer 4.4.4.28 password cipher huawei@123
[Router-bgp] peer 2001::15 as-number 2519
[Router-bgp] peer 2001::15 group iBGP
----End
# Create Eth-Trunk 1 and configure its IPv4 address. Enable LACP, and add XGE0/0/3 and XGE0/0/4 to Eth-Trunk 1.
[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] undo portswitch
[SW1-Eth-Trunk1] description To_PE2
[SW1-Eth-Trunk1] ip address 2.2.2.254 255.255.255.252
[SW1-Eth-Trunk1] mode lacp
[SW1-Eth-Trunk1] quit
[SW1] interface XGigabitEthernet 0/0/3
[SW1-XGigabitEthernet0/0/3] eth-trunk 1
[SW1-XGigabitEthernet0/0/3] quit
[SW1] interface XGigabitEthernet 0/0/4
[SW1-XGigabitEthernet0/0/4] eth-trunk 1
[SW1-XGigabitEthernet0/0/4] quit
# Create Eth-Trunk 2, enable LACP, and add XGE0/0/5 and XGE0/0/6 to Eth-Trunk 2.
[SW1] interface Eth-Trunk 2
[SW1-Eth-Trunk2] port link-type trunk
[SW1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[SW1-Eth-Trunk2] port trunk allow-pass vlan 300
[SW1-Eth-Trunk2] mode lacp
[SW1-Eth-Trunk2] quit
[SW1] interface XGigabitEthernet 0/0/5
[SW1-XGigabitEthernet0/0/5] eth-trunk 2
[SW1-XGigabitEthernet0/0/5] quit
[SW1] interface XGigabitEthernet 0/0/6
[SW1-XGigabitEthernet0/0/6] eth-trunk 2
[SW1-XGigabitEthernet0/0/6] quit
Step 2 Configure BGP and configure SW1 to establish EBGP peer relationships with PE devices.
# Start the BGP process and configure BGP peers.
[SW1] bgp 64901
[SW1-bgp] graceful-restart
[SW1-bgp] group eBGP1 external
[SW1-bgp] peer eBGP1 connect-interface Eth-Trunk0
[SW1-bgp] peer 2.2.2.205 as-number 2519
[SW1-bgp] peer 2.2.2.205 group eBGP1
[SW1-bgp] peer 2.2.2.205 password cipher huawei@123
[SW1-bgp] group eBGP2 external
[SW1-bgp] peer eBGP2 connect-interface Eth-Trunk1
[SW1-bgp] peer 2.2.2.253 as-number 2519
[SW1-bgp] peer 2.2.2.253 group eBGP2
[SW1-bgp] peer 2.2.2.253 password cipher huawei@123
[SW1-bgp] ipv4-family unicast
[SW1-bgp-af-ipv4] undo synchronization
[SW1-bgp-af-ipv4] network 5.5.5.0 255.255.255.0
[SW1-bgp-af-ipv4] quit
[SW1-bgp] quit
----End
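The IBGP steps for RR1 and Router and the EBGP step for SW1 give every peer a "peer ... password cipher" line, the OSPFv3 interfaces carry "ospfv3 ipsec sa", and the RSVP-TE peers carry "mpls rsvp-te authentication". The following added example (not part of the Huawei document) audits a saved configuration written in this syntax for peers and interfaces where such a line is missing; the sample configuration, its addresses and its ciphertext are constructed for the example.

```python
"""Added example (not from the Huawei guide): audit a saved VRP-style configuration
in the "#"-separated syntax shown on this page for BGP peers lacking a per-peer or
group-level "peer ... password", OSPFv3 interfaces without "ospfv3 ipsec sa",
RSVP-TE peers without "mpls rsvp-te authentication", and MD5-based settings.
"""
import re

# Constructed sample in the page's syntax; addresses and ciphertext are invented.
SAMPLE_CONFIG = """\
#
bgp 2519
 group iBGP internal
 peer 4.4.4.1 as-number 2519
 peer 4.4.4.1 group iBGP
 peer 4.4.4.1 password cipher %^%#EXAMPLE-CIPHERTEXT%^%#
 peer 4.4.4.2 as-number 2519
 peer 4.4.4.2 group iBGP
 peer 2001::21 as-number 2519
 peer 2001::21 group iBGP
 group eBGP1 external
 peer eBGP1 password cipher %^%#EXAMPLE-CIPHERTEXT%^%#
 peer 2.2.2.205 as-number 64901
 peer 2.2.2.205 group eBGP1
#
interface Eth-Trunk0
 ospfv3 1 area 0.0.0.0
 ospfv3 ipsec sa ospfv3-sa
#
interface Eth-Trunk1
 ospfv3 1 area 0.0.0.0
 ospfv3 network-type p2p
#
mpls rsvp-te peer 1.1.1.2
 mpls rsvp-te authentication cipher %^%#EXAMPLE-CIPHERTEXT%^%#
#
mpls rsvp-te peer 1.1.1.6
#
ipsec proposal ah-md5
 transform ah
 ah authentication-algorithm md5
#
ospf 1 router-id 4.4.4.27
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#EXAMPLE-CIPHERTEXT%^%#
#
return
"""


def split_blocks(config_text):
    """Return the configuration as a list of blocks (lists of stripped lines)."""
    blocks, current = [], []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line in ("#", "return"):        # block separator / end of saved config
            blocks, current = blocks + ([current] if current else []), []
        elif line:
            current.append(line)
    return blocks + ([current] if current else [])


def audit_bgp(block):
    """Flag BGP peers that have neither a per-peer nor an inherited group password."""
    peers, groups, passworded = set(), {}, set()
    for line in block[1:]:
        m = re.match(r"peer (\S+) (as-number|group|password)(?: (\S+))?", line)
        if not m:
            continue                       # e.g. "peer iBGP connect-interface ..."
        name, keyword, arg = m.groups()
        if keyword == "as-number":
            peers.add(name)                # a real neighbour, not a group name
        elif keyword == "group":
            groups[name] = arg             # peer -> group membership
        else:
            passworded.add(name)           # peer or group carrying a password
    return [("HIGH", f"BGP peer {p} has no TCP authentication password")
            for p in sorted(peers)
            if p not in passworded and groups.get(p) not in passworded]


def audit(config_text):
    """Return sorted (severity, message) findings for the whole configuration."""
    findings = []
    for block in split_blocks(config_text):
        header = block[0]
        if header.startswith("bgp "):
            findings.extend(audit_bgp(block))
        elif header.startswith("interface "):
            if any(re.match(r"ospfv3 \d+ area ", ln) for ln in block) and not any(
                    ln.startswith("ospfv3 ipsec sa ") for ln in block):
                findings.append(("HIGH", f"{header} runs OSPFv3 without an IPsec SA"))
        elif header.startswith("mpls rsvp-te peer "):
            if not any(ln.startswith("mpls rsvp-te authentication") for ln in block):
                findings.append(("HIGH", f"{header} has no message authentication"))
        elif header.startswith(("ipsec proposal ", "ospf ")):
            for ln in block[1:]:
                if re.search(r"\bmd5\b", ln):  # MD5-based integrity or authentication
                    findings.append(("MEDIUM", f"{header}: MD5 in '{ln.split(' cipher')[0]}'"))
    return sorted(findings)
```

audit(SAMPLE_CONFIG) returns the findings as (severity, message) tuples; the same function can be run over the text of a device's display current-configuration output.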
# Create Eth-Trunk 0, enable LACP, and add XGE0/0/1 and XGE0/0/2 to Eth-Trunk 0.
[SW2] interface Eth-Trunk 0
[SW2-Eth-Trunk0] port link-type trunk
[SW2-Eth-Trunk0] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk0] port trunk allow-pass vlan 100
[SW2-Eth-Trunk0] stp disable
# Create Eth-Trunk 1, enable LACP, and add XGE0/0/3 and XGE0/0/4 to Eth-Trunk 1.
[SW2] interface Eth-Trunk 1
[SW2-Eth-Trunk1] port link-type trunk
[SW2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk1] port trunk allow-pass vlan 100
[SW2-Eth-Trunk1] stp disable
[SW2-Eth-Trunk1] mode lacp
[SW2-Eth-Trunk1] quit
[SW2] interface XGigabitEthernet 0/0/3
[SW2-XGigabitEthernet0/0/3] eth-trunk 1
[SW2-XGigabitEthernet0/0/3] quit
[SW2] interface XGigabitEthernet 0/0/4
[SW2-XGigabitEthernet0/0/4] eth-trunk 1
[SW2-XGigabitEthernet0/0/4] quit
# Create Eth-Trunk 2, enable LACP, and add XGE0/0/5 and XGE0/0/6 to Eth-Trunk 2.
[SW2] interface Eth-Trunk 2
[SW2-Eth-Trunk2] port link-type trunk
[SW2-Eth-Trunk2] undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk2] port trunk allow-pass vlan 200
[SW2-Eth-Trunk2] stp disable
[SW2-Eth-Trunk2] mode lacp
[SW2-Eth-Trunk2] quit
[SW2] interface XGigabitEthernet 0/0/5
[SW2-XGigabitEthernet0/0/5] eth-trunk 2
[SW2-XGigabitEthernet0/0/5] quit
[SW2] interface XGigabitEthernet 0/0/6
[SW2-XGigabitEthernet0/0/6] eth-trunk 2
[SW2-XGigabitEthernet0/0/6] quit
----End
SW1 SW2
peer eBGP1 enable
peer 2.2.2.205 enable
peer 2.2.2.205 group eBGP1
peer eBGP2 enable
peer 2.2.2.253 enable
peer 2.2.2.253 group eBGP2
#
return
PE1
#
sysname PE1
#
ipv6
#
mpls lsr-id 4.4.4.143
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-P1-1
next hop 1.1.1.1
#
explicit-path TO-P1-2
next hop 1.1.1.9
next hop 1.1.2.9
#
explicit-path TO-P2-1
next hop 1.1.1.9
#
explicit-path TO-P2-2
next hop 1.1.1.1
next hop 1.1.2.10
#
explicit-path TO-PE2-1
next hop 1.1.1.1
next hop 1.1.1.6
#
explicit-path TO-PE2-2
next hop 1.1.1.9
next hop 1.1.1.14
#
explicit-path TO-ROUTER-1
next hop 1.1.1.1
next hop 1.1.2.226
#
explicit-path TO-ROUTER-2
next hop 1.1.1.9
next hop 1.1.2.230
#
mpls rsvp-te peer 1.1.1.1
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.9
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.143
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.1.2 255.255.255.252
ipv6 address 2001:0:0:4D9::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.1.10 255.255.255.252
ipv6 address 2001:0:0:4DB::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk2
undo portswitch
description To_SW1
ip address 2.2.2.205 255.255.255.252
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk3
undo portswitch
description To_SW2
ip address 3.3.3.114 255.255.255.248
vrrp vrid 1 virtual-ip 3.3.3.113
vrrp vrid 1 priority 150
vrrp vrid 1 preempt-mode timer delay 120
vrrp vrid 1 track interface Eth-Trunk0 reduced 30
vrrp vrid 1 track interface Eth-Trunk1 reduced 30
vrrp vrid 1 authentication-mode md5 %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
ospf cost 10000
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/0
eth-trunk 2
#
interface XGigabitEthernet3/0/1
eth-trunk 3
#
interface XGigabitEthernet4/0/0
eth-trunk 2
#
interface XGigabitEthernet4/0/1
eth-trunk 3
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.143 255.255.255.255
ipv6 address 2001::149/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.1
mpls te tunnel-id 1
mpls te signalled tunnel-name pe1->P1-1
mpls te record-route label
mpls te path explicit-path TO-P1-1
mpls te path explicit-path TO-P1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.2
mpls te tunnel-id 2
mpls te signalled tunnel-name pe1->P2-1
mpls te record-route label
mpls te path explicit-path TO-P2-1
mpls te path explicit-path TO-P2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel3
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.39
mpls te tunnel-id 19
mpls te signalled tunnel-name pe1->router-1
mpls te record-route label
mpls te path explicit-path TO-ROUTER-1
mpls te path explicit-path TO-ROUTER-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel4
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.39
mpls te tunnel-id 20
mpls te signalled tunnel-name pe1->router-2
mpls te record-route label
mpls te path explicit-path TO-ROUTER-2
mpls te path explicit-path TO-ROUTER-1 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel5
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 69
mpls te signalled tunnel-name pe1->pe2-1
mpls te record-route label
mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel6
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 70
mpls te signalled tunnel-name pe1->pe2-2
mpls te record-route label
mpls te path explicit-path TO-PE2-2
mpls te path explicit-path TO-PE2-1 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.143
graceful-restart
group IPv6-PRIVATEAS_CUSTOMER external
group PRIVATEAS_CUSTOMER external
peer 2.2.2.206 as-number 64901
peer 2.2.2.206 group PRIVATEAS_CUSTOMER
peer 2.2.2.206 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
import-route static route-policy STATIC-to-BGP
peer IPv6-PRIVATEAS_CUSTOMER enable
peer PRIVATEAS_CUSTOMER enable
peer PRIVATEAS_CUSTOMER advertise-community
peer 2.2.2.206 enable
peer 2.2.2.206 group PRIVATEAS_CUSTOMER
peer 2.2.2.206 route-policy DENY-ANY_ROUTE-OUT export
peer 2.2.2.206 default-route-advertise route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT conditional-route-match-any 0.0.0.0 0.0.0.0
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
import-route static route-policy STATIC-to-BGP
peer IPv6-PRIVATEAS_CUSTOMER enable
peer IPv6-PRIVATEAS_CUSTOMER advertise-community
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.143
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT permit node 100
if-match ip-prefix DEFAULT-ROUTE
apply community no-export
#
route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT deny node 200
#
route-policy DENY-ANY_ROUTE-OUT deny node 100
#
route-policy STATIC-to-BGP permit node 200
if-match tag 2519
apply local-preference 10000
apply origin igp
apply community 2519:1
#
ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
#
ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk3 3.3.3.116 tag 2519
#
return
PE2
#
sysname PE2
#
ipv6
#
mpls lsr-id 4.4.4.144
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-P1-1
next hop 1.1.1.5
#
explicit-path TO-P1-2
next hop 1.1.1.13
next hop 1.1.2.9
#
explicit-path TO-P2-1
next hop 1.1.1.13
#
explicit-path TO-P2-2
next hop 1.1.1.5
next hop 1.1.2.10
#
explicit-path TO-PE1-1
next hop 1.1.1.5
next hop 1.1.1.2
#
explicit-path TO-PE1-2
next hop 1.1.1.13
next hop 1.1.1.10
#
explicit-path TO-ROUTER-1
next hop 1.1.1.5
next hop 1.1.2.226
#
explicit-path TO-ROUTER-2
next hop 1.1.1.13
next hop 1.1.2.230
#
mpls rsvp-te peer 1.1.1.5
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.1.13
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.144
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.1.6 255.255.255.252
ipv6 address 2001:0:0:4DA::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.1.14 255.255.255.252
ipv6 address 2001:0:0:4DC::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk2
undo portswitch
description To_SW1
ip address 2.2.2.253 255.255.255.252
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk3
undo portswitch
description To_SW2
ip address 3.3.3.115 255.255.255.248
vrrp vrid 1 virtual-ip 3.3.3.113
vrrp vrid 1 track interface Eth-Trunk0 reduced 30
vrrp vrid 1 track interface Eth-Trunk1 reduced 30
vrrp vrid 1 authentication-mode md5 %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
ospf cost 20000
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/0
eth-trunk 2
#
interface XGigabitEthernet3/0/1
eth-trunk 3
#
interface XGigabitEthernet4/0/0
eth-trunk 2
#
interface XGigabitEthernet4/0/1
eth-trunk 3
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.144 255.255.255.255
ipv6 address 2001::14A/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.1
mpls te tunnel-id 1
mpls te signalled tunnel-name pe2->P1-1
mpls te record-route label
mpls te path explicit-path TO-P1-1
mpls te path explicit-path TO-P1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.2
mpls te tunnel-id 2
mpls te signalled tunnel-name pe2->P2-1
mpls te record-route label
mpls te path explicit-path TO-P2-1
mpls te path explicit-path TO-P2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel3
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.39
mpls te tunnel-id 3
mpls te signalled tunnel-name pe2->router-1
mpls te record-route label
mpls te path explicit-path TO-ROUTER-1
mpls te path explicit-path TO-ROUTER-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel4
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.39
mpls te tunnel-id 4
mpls te signalled tunnel-name pe2->router-2
mpls te record-route label
mpls te path explicit-path TO-ROUTER-2
mpls te path explicit-path TO-ROUTER-1 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel5
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 5
mpls te signalled tunnel-name pe2->pe1-1
mpls te record-route label
mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel6
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 6
mpls te signalled tunnel-name pe2->pe1-2
mpls te record-route label
mpls te path explicit-path TO-PE1-2
mpls te path explicit-path TO-PE1-1 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.144
graceful-restart
group IPv6-PRIVATEAS_CUSTOMER external
group PRIVATEAS_CUSTOMER external
peer 2.2.2.254 as-number 64901
peer 2.2.2.254 group PRIVATEAS_CUSTOMER
peer 2.2.2.254 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
import-route static route-policy STATIC-to-BGP
peer IPv6-PRIVATEAS_CUSTOMER enable
peer PRIVATEAS_CUSTOMER enable
peer PRIVATEAS_CUSTOMER advertise-community
peer 2.2.2.254 enable
peer 2.2.2.254 group PRIVATEAS_CUSTOMER
peer 2.2.2.254 route-policy DENY-ANY_ROUTE-OUT export
peer 2.2.2.254 default-route-advertise route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT conditional-route-match-any 0.0.0.0 0.0.0.0
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
import-route static route-policy STATIC-to-BGP
peer IPv6-PRIVATEAS_CUSTOMER enable
peer IPv6-PRIVATEAS_CUSTOMER advertise-community
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.144
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT permit node 100
if-match ip-prefix DEFAULT-ROUTE
apply community no-export
#
route-policy PRIVATEAS_CUSTOMER-DEFAULT-OUT deny node 200
#
route-policy DENY-ANY_ROUTE-OUT deny node 100
#
route-policy STATIC-to-BGP permit node 200
if-match tag 2519
apply local-preference 9000
apply origin igp
apply community 2519:1
#
ip ip-prefix DEFAULT-ROUTE index 5 permit 0.0.0.0 0
#
ip route-static 6.6.6.0 255.255.255.0 Eth-Trunk3 3.3.3.116 tag 2519
#
return
P1 P2
# #
sysname P1 sysname P2
# #
ipv6 ipv6
# #
mpls lsr-id 4.4.4.1 mpls lsr-id 4.4.4.2
mpls mpls
mpls te mpls te
mpls rsvp-te mpls rsvp-te
mpls rsvp-te hello mpls rsvp-te hello
mpls rsvp-te srefresh mpls rsvp-te srefresh
# #
explicit-path TO-PE1-1 explicit-path TO-PE1-1
next hop 1.1.1.2 next hop 1.1.1.10
# #
explicit-path TO-PE1-2 explicit-path TO-PE1-2
next hop 1.1.2.10 next hop 1.1.2.9
next hop 1.1.1.10 next hop 1.1.1.2
# #
explicit-path TO-PE2-1 explicit-path TO-PE2-1
next hop 1.1.1.6 next hop 1.1.1.14
# #
explicit-path TO-PE2-2 explicit-path TO-PE2-2
next hop 1.1.2.10 next hop 1.1.2.9
next hop 1.1.1.14 next hop 1.1.1.6
# #
mpls rsvp-te peer 1.1.1.2 mpls rsvp-te peer 1.1.1.10
mpls rsvp-te authentication cipher %^%#r- mpls rsvp-te authentication cipher %^%#r-
cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^ cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^
%# %#
# #
mpls rsvp-te peer 1.1.1.6 mpls rsvp-te peer 1.1.1.14
mpls rsvp-te authentication cipher %^%#r- mpls rsvp-te authentication cipher %^%#r-
cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^ cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^
%# %#
# #
mpls rsvp-te peer 1.1.2.10 mpls rsvp-te peer 1.1.2.9
mpls rsvp-te authentication cipher %^%#r- mpls rsvp-te authentication cipher %^%#r-
cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^ cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^
%# %#
# #
mpls rsvp-te peer 1.1.2.226 mpls rsvp-te peer 1.1.2.230
mpls rsvp-te authentication cipher %^%#r- mpls rsvp-te authentication cipher %^%#r-
cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^ cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^
%# %#
# #
ipsec proposal ah-md5 ipsec proposal ah-md5
encapsulation-mode transport encapsulation-mode transport
transform ah transform ah
ah authentication-algorithm md5 ah authentication-algorithm md5
# #
ipsec sa ospfv3-sa ipsec sa ospfv3-sa
proposal ah-md5 proposal ah-md5
sa spi inbound ah 256 sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^ sa authentication-hex inbound ah cipher %^
%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q, %#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,
\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%# \&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256 sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^ sa authentication-hex outbound ah cipher %^
%#"sFYHYf[9Mz|GW;ko4d<`%DjK- OBR$^<Dt! %#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!
Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%# Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
# #
ospfv3 1 ospfv3 1
router-id 4.4.4.1 router-id 4.4.4.2
bandwidth-reference 1000000 bandwidth-reference 1000000
graceful-restart graceful-restart
# #
interface Eth-Trunk0 interface Eth-Trunk0
undo portswitch undo portswitch
description To_PE1 description To_PE1
ipv6 enable ipv6 enable
ip address 1.1.1.1 255.255.255.252 ip address 1.1.1.9 255.255.255.252
ipv6 address 2001:0:0:4D9::1/64 ipv6 address 2001:0:0:4DB::1/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
mpls te mpls te
mpls rsvp-te mpls rsvp-te
mpls rsvp-te hello mpls rsvp-te hello
mode lacp mode lacp
# #
interface Eth-Trunk1 interface Eth-Trunk1
undo portswitch undo portswitch
description To_PE2 description To_PE2
ipv6 enable ipv6 enable
ip address 1.1.1.5 255.255.255.252 ip address 1.1.1.13 255.255.255.252
ipv6 address 2001:0:0:4DA::1/64 ipv6 address 2001:0:0:4DC::1/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
mpls te mpls te
mpls rsvp-te mpls rsvp-te
mpls rsvp-te hello mpls rsvp-te hello
mode lacp mode lacp
# #
interface Eth-Trunk2 interface Eth-Trunk2
undo portswitch undo portswitch
description To_P2 description To_P2
ipv6 enable ipv6 enable
ip address 1.1.2.9 255.255.255.252 ip address 1.1.2.10 255.255.255.252
ipv6 address 2001:0:0:4D8::1/64 ipv6 address 2001:0:0:4D8::2/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
mpls te mpls te
mpls rsvp-te mpls rsvp-te
mpls rsvp-te hello mpls rsvp-te hello
mode lacp mode lacp
# #
interface Eth-Trunk3 interface Eth-Trunk3
undo portswitch undo portswitch
description To_RR1 description To_RR1
ipv6 enable ipv6 enable
ip address 1.1.2.233 255.255.255.252 ip address 1.1.2.237 255.255.255.252
ipv6 address 2001:0:0:4D7::1/64 ipv6 address 2001:0:0:4D6::1/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mode lacp mode lacp
# #
interface Eth-Trunk4 interface Eth-Trunk4
undo portswitch undo portswitch
description To_RR2 description To_RR2
ipv6 enable ipv6 enable
ip address 1.1.2.189 255.255.255.252 ip address 1.1.2.193 255.255.255.252
ipv6 address 2001:0:0:4E2::1/64 ipv6 address 2001:0:0:4E1::1/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mode lacp mode lacp
# #
interface Eth-Trunk5 interface Eth-Trunk5
undo portswitch undo portswitch
description To_Router description To_Router
ipv6 enable ipv6 enable
ip address 1.1.2.225 255.255.255.252 ip address 1.1.2.229 255.255.255.252
ipv6 address 2001:0:0:4D5::1/64 ipv6 address 2001:0:0:4D4::1/64
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p ospf network-type p2p
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
mpls te mpls te
mpls rsvp-te mpls rsvp-te
mpls rsvp-te hello mpls rsvp-te hello
mode lacp mode lacp
# #
interface XGigabitEthernet1/0/0 interface XGigabitEthernet1/0/0
eth-trunk 0 eth-trunk 0
# #
interface XGigabitEthernet1/0/1 interface XGigabitEthernet1/0/1
eth-trunk 1 eth-trunk 1
# #
interface XGigabitEthernet2/0/0 interface XGigabitEthernet2/0/0
eth-trunk 0 eth-trunk 0
# #
interface XGigabitEthernet2/0/1 interface XGigabitEthernet2/0/1
eth-trunk 1 eth-trunk 1
# #
interface XGigabitEthernet3/0/0 interface XGigabitEthernet3/0/0
eth-trunk 2 eth-trunk 2
# #
interface XGigabitEthernet3/0/1 interface XGigabitEthernet3/0/1
eth-trunk 3 eth-trunk 3
# #
interface XGigabitEthernet3/0/2 interface XGigabitEthernet3/0/2
eth-trunk 4 eth-trunk 4
# #
interface XGigabitEthernet3/0/3 interface XGigabitEthernet3/0/3
eth-trunk 5 eth-trunk 5
# #
interface XGigabitEthernet4/0/0 interface XGigabitEthernet4/0/0
eth-trunk 2 eth-trunk 2
# #
interface XGigabitEthernet4/0/1 interface XGigabitEthernet4/0/1
eth-trunk 3 eth-trunk 3
# #
interface XGigabitEthernet4/0/2 interface XGigabitEthernet4/0/2
eth-trunk 4 eth-trunk 4
# #
interface XGigabitEthernet4/0/3 interface XGigabitEthernet4/0/3
eth-trunk 5 eth-trunk 5
# #
interface LoopBack0 interface LoopBack0
ipv6 enable ipv6 enable
ip address 4.4.4.1 255.255.255.255 ip address 4.4.4.2 255.255.255.255
ipv6 address 2001::21/128 ipv6 address 2001::22/128
ospfv3 1 area 0.0.0.0 ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
# #
interface Tunnel1 interface Tunnel1
ip address unnumbered interface LoopBack0 ip address unnumbered interface LoopBack0
tunnel-protocol mpls te tunnel-protocol mpls te
destination 4.4.4.143 destination 4.4.4.143
mpls te tunnel-id 1 mpls te tunnel-id 1
mpls te signalled tunnel-name P1->pe1-1 mpls te signalled tunnel-name P2->pe1-1
mpls te record-route label mpls te record-route label
mpls te path explicit-path TO-PE1-1 mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby mpls te backup hot-standby
mpls te igp shortcut ospf mpls te igp shortcut ospf
mpls te igp metric absolute 10 mpls te igp metric absolute 10
mpls te reserved-for-binding mpls te reserved-for-binding
mpls te commit mpls te commit
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
# #
interface Tunnel2 interface Tunnel2
ip address unnumbered interface LoopBack0 ip address unnumbered interface LoopBack0
tunnel-protocol mpls te tunnel-protocol mpls te
destination 4.4.4.144 destination 4.4.4.144
mpls te tunnel-id 2 mpls te tunnel-id 2
mpls te signalled tunnel-name P1->pe2-1 mpls te signalled tunnel-name P2->pe2-1
mpls te record-route label mpls te record-route label
mpls te path explicit-path TO-PE2-1 mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby mpls te backup hot-standby
mpls te igp shortcut ospf mpls te igp shortcut ospf
mpls te igp metric absolute 10 mpls te igp metric absolute 10
mpls te reserved-for-binding mpls te reserved-for-binding
mpls te commit mpls te commit
ospf enable 1 area 0.0.0.0 ospf enable 1 area 0.0.0.0
mpls mpls
# #
bgp 2519 bgp 2519
router-id 4.4.4.1 router-id 4.4.4.2
graceful-restart graceful-restart
group iBGP internal group iBGP internal
peer iBGP connect-interface LoopBack0 peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519 peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%# peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519 peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%# peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519 peer 2001::15 as-number 2519
peer 2001::15 group iBGP peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%# peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519 peer 2001::16 as-number 2519
peer 2001::16 group iBGP peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%# peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
# #
ipv4-family unicast ipv4-family unicast
undo synchronization undo synchronization
preference 170 170 130 preference 170 170 130
peer iBGP enable peer iBGP enable
peer iBGP next-hop-local peer iBGP next-hop-local
peer iBGP advertise-community peer iBGP advertise-community
peer 4.4.4.27 enable peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP peer 4.4.4.28 group iBGP
# #
ipv6-family unicast ipv6-family unicast
undo synchronization undo synchronization
preference 170 170 130 preference 170 170 130
peer iBGP enable peer iBGP enable
peer iBGP next-hop-local peer iBGP next-hop-local
peer iBGP advertise-community peer iBGP advertise-community
peer 2001::15 enable peer 2001::15 enable
peer 2001::15 group iBGP peer 2001::15 group iBGP
peer 2001::16 enable peer 2001::16 enable
peer 2001::16 group iBGP peer 2001::16 group iBGP
# #
ospf 1 router-id 4.4.4.1 ospf 1 router-id 4.4.4.2
silent-interface all silent-interface all
undo silent-interface Eth-Trunk0 undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1 undo silent-interface Eth-Trunk1
undo silent-interface Eth-Trunk2 undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk3 undo silent-interface Eth-Trunk3
undo silent-interface Eth-Trunk4 undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5 undo silent-interface Eth-Trunk5
preference 80 preference 80
opaque-capability enable opaque-capability enable
graceful-restart graceful-restart
bandwidth-reference 1000000 bandwidth-reference 1000000
enable traffic-adjustment enable traffic-adjustment
area 0.0.0.0 area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%# authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable mpls-te enable
# #
return return
RR1
#
sysname RR1
#
ipv6
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.27
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.234 255.255.255.252
ipv6 address 2001:0:0:4D7::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 10000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.238 255.255.255.252
ipv6 address 2001:0:0:4D6::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 1000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.27 255.255.255.255
ipv6 address 2001::15/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 2519
router-id 4.4.4.27
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.1 as-number 2519
peer 4.4.4.1 group iBGP
peer 4.4.4.1 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.2 as-number 2519
peer 4.4.4.2 group iBGP
peer 4.4.4.2 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.39 as-number 2519
peer 4.4.4.39 group iBGP
peer 4.4.4.39 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.143 as-number 2519
peer 4.4.4.143 group iBGP
peer 4.4.4.143 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.144 as-number 2519
peer 4.4.4.144 group iBGP
peer 4.4.4.144 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::21 as-number 2519
peer 2001::21 group iBGP
peer 2001::21 password cipher %^%#Df[B&=%EiAdjp',]J'aTYKvRU]aRoBMw)c#ueRO@%^%#
peer 2001::22 as-number 2519
peer 2001::22 group iBGP
peer 2001::22 password cipher %^%#%L73Zh@&+U}9+\%GU<M07v}SO%{f!6WO<j)(rUmI%^%#
peer 2001::31 as-number 2519
peer 2001::31 group iBGP
peer 2001::31 password cipher %^%#]/q`QBny7KG<(T%tM)TLc2V8%cmLN2*o1cUuyt]U%^%#
peer 2001::149 as-number 2519
peer 2001::149 group iBGP
peer 2001::149 password cipher %^%#$_KwO"PsP)Cv2\~rmZ%;":hb$ZTRE@4rnYAtEusX%^%#
peer 2001::14A as-number 2519
peer 2001::14A group iBGP
peer 2001::14A password cipher %^%#N0~G8KObA6aSzL;d,n&YVsT0$!\G{6suKiATq=)G%^%#
#
ipv4-family unicast
undo synchronization
reflector cluster-id 2519
peer iBGP enable
peer iBGP advertise-community
peer 4.4.4.1 enable
peer 4.4.4.1 group iBGP
peer 4.4.4.1 reflect-client
peer 4.4.4.2 enable
peer 4.4.4.2 group iBGP
peer 4.4.4.2 reflect-client
peer 4.4.4.39 enable
peer 4.4.4.39 group iBGP
peer 4.4.4.39 reflect-client
peer 4.4.4.143 enable
peer 4.4.4.143 group iBGP
peer 4.4.4.143 reflect-client
peer 4.4.4.144 enable
peer 4.4.4.144 group iBGP
peer 4.4.4.144 reflect-client
#
ipv6-family unicast
undo synchronization
reflector cluster-id 2519
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::21 enable
peer 2001::21 group iBGP
peer 2001::21 reflect-client
peer 2001::22 enable
peer 2001::22 group iBGP
peer 2001::22 reflect-client
peer 2001::31 enable
peer 2001::31 group iBGP
peer 2001::31 reflect-client
peer 2001::149 enable
peer 2001::149 group iBGP
peer 2001::149 reflect-client
peer 2001::14A enable
peer 2001::14A group iBGP
peer 2001::14A reflect-client
#
ospf 1 router-id 4.4.4.27
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return
RR2
#
sysname RR2
#
ipv6
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.28
bandwidth-reference 1000000
graceful-restart
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.190 255.255.255.252
ipv6 address 2001:0:0:4E2::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 10000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.194 255.255.255.252
ipv6 address 2001:0:0:4E1::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 1000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.28 255.255.255.255
ipv6 address 2001::16/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
bgp 2519
router-id 4.4.4.28
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.1 as-number 2519
peer 4.4.4.1 group iBGP
peer 4.4.4.1 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.2 as-number 2519
peer 4.4.4.2 group iBGP
peer 4.4.4.2 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.39 as-number 2519
peer 4.4.4.39 group iBGP
peer 4.4.4.39 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.143 as-number 2519
peer 4.4.4.143 group iBGP
peer 4.4.4.143 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.144 as-number 2519
peer 4.4.4.144 group iBGP
peer 4.4.4.144 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::21 as-number 2519
peer 2001::21 group iBGP
peer 2001::21 password cipher %^%#Df[B&=%EiAdjp',]J'aTYKvRU]aRoBMw)c#ueRO@%^%#
peer 2001::22 as-number 2519
peer 2001::22 group iBGP
peer 2001::22 password cipher %^%#%L73Zh@&+U}9+\%GU<M07v}SO%{f!6WO<j)(rUmI%^%#
peer 2001::31 as-number 2519
peer 2001::31 group iBGP
peer 2001::31 password cipher %^%#]/q`QBny7KG<(T%tM)TLc2V8%cmLN2*o1cUuyt]U%^%#
peer 2001::149 as-number 2519
peer 2001::149 group iBGP
peer 2001::149 password cipher %^%#$_KwO"PsP)Cv2\~rmZ%;":hb$ZTRE@4rnYAtEusX%^%#
peer 2001::14A as-number 2519
peer 2001::14A group iBGP
peer 2001::14A password cipher %^%#N0~G8KObA6aSzL;d,n&YVsT0$!\G{6suKiATq=)G%^%#
#
ipv4-family unicast
undo synchronization
reflector cluster-id 2519
peer iBGP enable
peer iBGP advertise-community
peer 4.4.4.1 enable
peer 4.4.4.1 group iBGP
peer 4.4.4.1 reflect-client
peer 4.4.4.2 enable
peer 4.4.4.2 group iBGP
peer 4.4.4.2 reflect-client
peer 4.4.4.39 enable
peer 4.4.4.39 group iBGP
peer 4.4.4.39 reflect-client
peer 4.4.4.143 enable
peer 4.4.4.143 group iBGP
peer 4.4.4.143 reflect-client
peer 4.4.4.144 enable
peer 4.4.4.144 group iBGP
peer 4.4.4.144 reflect-client
#
ipv6-family unicast
undo synchronization
reflector cluster-id 2519
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::21 enable
peer 2001::21 group iBGP
peer 2001::21 reflect-client
peer 2001::22 enable
peer 2001::22 group iBGP
peer 2001::22 reflect-client
peer 2001::31 enable
peer 2001::31 group iBGP
peer 2001::31 reflect-client
peer 2001::149 enable
peer 2001::149 group iBGP
peer 2001::149 reflect-client
peer 2001::14A enable
peer 2001::14A group iBGP
peer 2001::14A reflect-client
#
ospf 1 router-id 4.4.4.28
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return
Router
#
sysname Router
#
ipv6
#
mpls lsr-id 4.4.4.39
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te srefresh
#
explicit-path TO-PE1-1
next hop 1.1.2.225
next hop 1.1.1.2
#
explicit-path TO-PE1-2
next hop 1.1.2.229
next hop 1.1.1.10
#
explicit-path TO-PE2-1
next hop 1.1.2.225
next hop 1.1.1.6
#
explicit-path TO-PE2-2
next hop 1.1.2.229
next hop 1.1.1.14
#
mpls rsvp-te peer 1.1.2.225
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
mpls rsvp-te peer 1.1.2.229
mpls rsvp-te authentication cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipsec proposal ah-md5
encapsulation-mode transport
transform ah
ah authentication-algorithm md5
#
ipsec sa ospfv3-sa
proposal ah-md5
sa spi inbound ah 256
sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
sa spi outbound ah 256
sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
router-id 4.4.4.1
bandwidth-reference 1000000
graceful-restart
default-route-advertise always
#
interface Eth-Trunk0
undo portswitch
description To_P1
ipv6 enable
ip address 1.1.2.226 255.255.255.252
ipv6 address 2001:0:0:4D5::2/64
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf cost 10000
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface Eth-Trunk1
undo portswitch
description To_P2
ipv6 enable
ip address 1.1.2.230 255.255.255.252
ipv6 address 2001:0:0:4D4::2/64
ospfv3 1 area 0.0.0.0
ospfv3 cost 1000
ospfv3 network-type p2p
ospfv3 ipsec sa ospfv3-sa
ospf network-type p2p
ospf enable 1 area 0.0.0.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te hello
mode lacp
#
interface XGigabitEthernet1/0/0
eth-trunk 0
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface LoopBack0
ipv6 enable
ip address 4.4.4.39 255.255.255.255
ipv6 address 2001::31/128
ospfv3 1 area 0.0.0.0
ospf enable 1 area 0.0.0.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.143
mpls te tunnel-id 1
mpls te signalled tunnel-name router->pe1-1
mpls te record-route label
mpls te path explicit-path TO-PE1-1
mpls te path explicit-path TO-PE1-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
interface Tunnel2
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 4.4.4.144
mpls te tunnel-id 2
mpls te signalled tunnel-name router->pe2-1
mpls te record-route label
mpls te path explicit-path TO-PE2-1
mpls te path explicit-path TO-PE2-2 secondary
mpls te backup hot-standby
mpls te igp shortcut ospf
mpls te igp metric absolute 10
mpls te reserved-for-binding
mpls te commit
ospf enable 1 area 0.0.0.0
mpls
#
bgp 2519
router-id 4.4.4.39
graceful-restart
group iBGP internal
peer iBGP connect-interface LoopBack0
peer 4.4.4.27 as-number 2519
peer 4.4.4.27 group iBGP
peer 4.4.4.27 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 4.4.4.28 as-number 2519
peer 4.4.4.28 group iBGP
peer 4.4.4.28 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::15 as-number 2519
peer 2001::15 group iBGP
peer 2001::15 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
peer 2001::16 as-number 2519
peer 2001::16 group iBGP
peer 2001::16 password cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
#
ipv4-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 4.4.4.27 enable
peer 4.4.4.27 group iBGP
peer 4.4.4.28 enable
peer 4.4.4.28 group iBGP
#
ipv6-family unicast
undo synchronization
preference 170 170 130
peer iBGP enable
peer iBGP next-hop-local
peer iBGP advertise-community
peer 2001::15 enable
peer 2001::15 group iBGP
peer 2001::16 enable
peer 2001::16 group iBGP
#
ospf 1 router-id 4.4.4.39
default-route-advertise always
silent-interface all
undo silent-interface Eth-Trunk0
undo silent-interface Eth-Trunk1
preference 80
opaque-capability enable
graceful-restart
bandwidth-reference 1000000
enable traffic-adjustment advertise
area 0.0.0.0
authentication-mode md5 1 cipher %^%#r-cY&8yb<(u#B}3bmEoRd6qkX.GNMPEiY2D^bV*A%^%#
mpls-te enable
#
return
Service Requirements
The ISP backbone network that provides mutual access between the internal
networks of an enterprise is a core area and has the following characteristics:
● A large number of routes
● IPv4/IPv6 dual stack
● Flexible routing policies
● A large number of users and heavy traffic
The main service requirements of an ISP backbone network that provides mutual
access between the internal networks of an enterprise are as follows:
● Route control requirements
Provide flexible route forwarding, and control route advertisement and import
based on routing policies.
● Reliability requirements
Ensure bandwidth using multiple egress links.
Ensure high reliability and service continuity for important services such as
enterprise private line services.
Provide backup functions for key network nodes to ensure reliable
transmission of data services.
Shorten the service interruption time as much as possible to ensure user
experience upon an intermittent link disconnection or a device fault.
● Security requirements
Prevent access from unauthorized devices, as well as malicious attacks.
Meet security compliance requirements.
Control user access to ensure network security.
Networking Diagram
Figure 9-30 shows the networking diagram for mutual access between internal
networks of an enterprise through the backbone network in a project.
Figure 9-30 Networking diagram for mutual access between internal networks of
an enterprise through the backbone network
In this example, S12700E series switches are used as the RRs and the Router.
Deployment Roadmap
The configuration roadmap is as follows:
1. Configure interfaces, add them to corresponding VLANs, and assign IPv4 and
IPv6 addresses to interfaces.
2. On four P devices (S12700E-4_P1, S12700E-4_P2, S12700E-4_P3, and
S12700E-4_P4), configure OSPFv2 and OSPFv3, configure BGP and BGP4+,
configure them to establish IBGP peer relationships with RRs, and configure
Multiprotocol Extensions for BGP (MP-BGP).
3. Enable MD5 authentication on OSPFv2-enabled interfaces, enable IPSec in the
OSPFv3 process, and configure BGP peers to perform MD5 authentication
when setting up TCP connections.
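Step 3 is where the roadmap's authentication settings are applied. The following script, added here as an example and not part of the Huawei document, audits a VRP-style configuration for the three settings Step 3 calls for: an authentication-mode on every OSPFv2 area, an IPsec SA bound to every OSPFv3 process, and a ciphertext password on every BGP peer. The configuration it checks is constructed for the example, the cipher strings in it are placeholders, and the `password simple` keyword is included only to show how a plaintext password is reported.

```python
"""Audit a Huawei VRP configuration for the settings Step 3 of the roadmap
requires: authentication-mode on every OSPFv2 area, an IPsec SA bound to every
OSPFv3 process, and a ciphertext password on every BGP peer. Added example."""
from typing import List

# Constructed sample in the page's VRP layout; one gap of each kind is left on
# purpose so the audit has something to report, and ciphers are placeholders.
SAMPLE_CONFIG = """\
#
ospfv3 1
 router-id 4.4.4.1
#
ospfv3 2
 router-id 4.4.4.1
 ipsec sa ospfv3-sa
#
bgp 2519
 peer iBGP connect-interface LoopBack0
 peer 4.4.4.27 as-number 2519
 peer 4.4.4.27 password cipher %^%#CIPHER-PLACEHOLDER%^%#
 peer 4.4.4.28 as-number 2519
 peer 2001::15 as-number 2519
 peer 2001::15 password simple PlainPlaceholder1
#
ospf 1 router-id 4.4.4.1
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#CIPHER-PLACEHOLDER%^%#
 area 0.0.0.1
#
return
"""

def parse_blocks(config: str) -> List[List[str]]:
    """Split a VRP file into top-level blocks (views separated by a bare '#',
    file closed by 'return'); indentation is dropped, only command order matters."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks

def check_ospfv2(block: List[str]) -> List[str]:
    """Each 'area' of an OSPFv2 process must be followed by an authentication-mode."""
    process = block[0].split(" router-id")[0]          # e.g. 'ospf 1'
    findings, area, authenticated = [], None, False
    for line in block[1:] + ["area <end>"]:            # sentinel flushes the last area
        if line.startswith("area "):
            if area is not None and not authenticated:
                findings.append(f"{process}: {area} has no authentication-mode")
            area, authenticated = line, False
        elif line.startswith("authentication-mode "):
            authenticated = True
    return findings

def check_ospfv3(block: List[str]) -> List[str]:
    """OSPFv3 relies on IPsec for authentication, so the process must bind an SA."""
    if any(line.startswith("ipsec sa ") for line in block[1:]):
        return []
    return [f"{block[0]}: no IPsec SA bound to the process"]

def check_bgp(block: List[str]) -> List[str]:
    """Every peer declared with as-number needs a password, and it must be cipher."""
    peers = {}                                          # address -> cipher|simple|None
    for line in block[1:]:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "peer":
            continue
        if parts[2] == "as-number":
            peers.setdefault(parts[1], None)
        elif parts[2] == "password":                    # 'password cipher ...' / 'password simple ...'
            peers[parts[1]] = parts[3] if len(parts) > 3 else None
    findings = []
    for addr, kind in peers.items():
        if kind is None:
            findings.append(f"{block[0]}: peer {addr} has no password")
        elif kind == "simple":
            findings.append(f"{block[0]}: peer {addr} uses a plaintext (simple) password")
    return findings

def audit_vrp_config(config: str) -> List[str]:
    """Run the three Step 3 checks over one configuration and return the findings."""
    findings: List[str] = []
    for block in parse_blocks(config):
        if block[0].startswith("ospfv3 "):
            findings.extend(check_ospfv3(block))
        elif block[0].startswith("ospf "):
            findings.extend(check_ospfv2(block))
        elif block[0].startswith("bgp "):
            findings.extend(check_bgp(block))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vrp_config(SAMPLE_CONFIG)) or "no findings")
```

Run against the saved configuration of each device after Step 3; an empty result means every OSPFv2 area, OSPFv3 process and BGP peer carries the authentication the roadmap requires.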
Data Plan
The following tables describe the data plans for VLANs, interfaces, IP addresses,
routes, and services.
Loopback 0 - 2.2.2.9/32, 2001::13/128 -
Loopback 0 - 2.2.2.10/32, 2001::14/128 -
Loopback 0 - 2.2.2.3/32, 2001::11/128 -
Loopback 0 - 2.2.2.4/32, 2001::12/128 -
Loopback 0 - 2.2.2.57/32, 2001::17/128 -
Loopback 0 - 2.2.2.55/32, 2001::15/128 -
Loopback 0 - 2.2.2.11/32, 2001:F167::1/128 -
Loopback 0 - 2.2.2.1/32, 2001:F168::1/128 -
# Create Eth-Trunk 1, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE2/0/0 to Eth-Trunk 1.
[S12700E-4_P1] interface Eth-Trunk 1
[S12700E-4_P1-Eth-Trunk1] undo portswitch
[S12700E-4_P1-Eth-Trunk1] description To_S12700E-4_P3
[S12700E-4_P1-Eth-Trunk1] ip address 1.1.1.2 255.255.255.252
[S12700E-4_P1-Eth-Trunk1] ipv6 enable
[S12700E-4_P1-Eth-Trunk1] ipv6 address 2001:0:0:209::2/64
[S12700E-4_P1-Eth-Trunk1] mode lacp
[S12700E-4_P1-Eth-Trunk1] quit
[S12700E-4_P1] interface XGigabitEthernet 2/0/0
[S12700E-4_P1-XGigabitEthernet2/0/0] eth-trunk 1
[S12700E-4_P1-XGigabitEthernet2/0/0] quit
# Create VLAN 3900, and configure an IPv4 address and an IPv6 address for
VLANIF 3900. Create Eth-Trunk 2, enable LACP, and add XGE1/0/1 to Eth-Trunk 2.
[S12700E-4_P1] vlan 3900
[S12700E-4_P1-vlan3900] quit
[S12700E-4_P1] interface Vlanif 3900
[S12700E-4_P1-Vlanif3900] ip address 1.1.2.1 255.255.255.252
[S12700E-4_P1-Vlanif3900] ipv6 enable
[S12700E-4_P1-Vlanif3900] ipv6 address 2001:0:0:3B0::1/64
[S12700E-4_P1-Vlanif3900] quit
[S12700E-4_P1] interface Eth-Trunk 2
[S12700E-4_P1-Eth-Trunk2] description To_RR_1
[S12700E-4_P1-Eth-Trunk2] port link-type trunk
[S12700E-4_P1-Eth-Trunk2] port trunk allow-pass vlan 3900
[S12700E-4_P1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S12700E-4_P1-Eth-Trunk2] mode lacp
[S12700E-4_P1-Eth-Trunk2] quit
[S12700E-4_P1] interface XGigabitEthernet 1/0/1
[S12700E-4_P1-XGigabitEthernet1/0/1] eth-trunk 2
[S12700E-4_P1-XGigabitEthernet1/0/1] quit
# Configure an IPv4 address and an IPv6 address for XGE2/0/3 that connects
S12700E-4_P1 to the egress router Router_1 of site A.
[S12700E-4_P1] interface XGigabitEthernet 2/0/3
[S12700E-4_P1-XGigabitEthernet2/0/3] description To_Router_1
[S12700E-4_P1-XGigabitEthernet2/0/3] undo portswitch
[S12700E-4_P1-XGigabitEthernet2/0/3] ip address 1.1.1.129 255.255.255.252
[S12700E-4_P1-XGigabitEthernet2/0/3] ipv6 enable
[S12700E-4_P1-XGigabitEthernet2/0/3] ipv6 address 2001:0:0:20E::1/64
[S12700E-4_P1-XGigabitEthernet2/0/3] quit
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[S12700E-4_P1] interface LoopBack 0
[S12700E-4_P1-LoopBack0] ip address 2.2.2.9 255.255.255.255
[S12700E-4_P1-LoopBack0] ipv6 enable
[S12700E-4_P1-LoopBack0] ipv6 address 2001::13/128
[S12700E-4_P1-LoopBack0] quit
# Configure IPSec.
[S12700E-4_P1] ipsec proposal 1
[S12700E-4_P1-ipsec-proposal-1] encapsulation-mode transport
[S12700E-4_P1-ipsec-proposal-1] transform ah
[S12700E-4_P1-ipsec-proposal-1] ah authentication-algorithm md5
[S12700E-4_P1-ipsec-proposal-1] quit
[S12700E-4_P1] ipsec sa area0
[S12700E-4_P1-ipsec-sa-area0] proposal 1
[S12700E-4_P1-ipsec-sa-area0] sa spi inbound ah 256
[S12700E-4_P1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S12700E-4_P1-ipsec-sa-area0] sa spi outbound ah 256
[S12700E-4_P1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S12700E-4_P1-ipsec-sa-area0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[S12700E-4_P1] ospfv3 1
[S12700E-4_P1-ospfv3-1] router-id 2.2.2.9
[S12700E-4_P1-ospfv3-1] bandwidth-reference 1000000
[S12700E-4_P1-ospfv3-1] ipsec sa area0
[S12700E-4_P1-ospfv3-1] graceful-restart
[S12700E-4_P1-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface Eth-Trunk 0
[S12700E-4_P1-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk0] ospf network-type p2p
[S12700E-4_P1-Eth-Trunk0] ospf cost 500
[S12700E-4_P1-Eth-Trunk0] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk0] ospfv3 network-type p2p
[S12700E-4_P1-Eth-Trunk0] ospfv3 cost 500
[S12700E-4_P1-Eth-Trunk0] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface Eth-Trunk 1
[S12700E-4_P1-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk1] ospf network-type p2p
[S12700E-4_P1-Eth-Trunk1] ospf cost 1000
[S12700E-4_P1-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Eth-Trunk1] ospfv3 network-type p2p
[S12700E-4_P1-Eth-Trunk1] ospfv3 cost 1000
[S12700E-4_P1-Eth-Trunk1] quit
# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[S12700E-4_P1] interface Vlanif 3900
[S12700E-4_P1-Vlanif3900] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-Vlanif3900] ospf network-type p2p
[S12700E-4_P1-Vlanif3900] ospf cost 2000
[S12700E-4_P1-Vlanif3900] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-Vlanif3900] ospfv3 network-type p2p
[S12700E-4_P1-Vlanif3900] ospfv3 cost 2000
[S12700E-4_P1-Vlanif3900] quit
# Enable OSPFv2 and OSPFv3 on XGE2/0/3, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P1] interface XGigabitEthernet 2/0/3
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf enable 1 area 0.0.0.0
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf network-type p2p
[S12700E-4_P1-XGigabitEthernet2/0/3] ospf cost 2000
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 1 area 0.0.0.0
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 network-type p2p
[S12700E-4_P1-XGigabitEthernet2/0/3] ospfv3 cost 2000
[S12700E-4_P1-XGigabitEthernet2/0/3] quit
Step 3 Configure BGP and BGP4+, and configure S12700E-4_P1 to establish an IBGP peer
relationship with RR_1.
Step 4 Enable BFD globally, and enable BFD for OSPFv2 and BFD for OSPFv3.
[S12700E-4_P1] bfd
[S12700E-4_P1-bfd] quit
[S12700E-4_P1] ospf 1
[S12700E-4_P1-ospf-1] bfd all-interfaces enable
[S12700E-4_P1-ospf-1] quit
[S12700E-4_P1] ospfv3 1
[S12700E-4_P1-ospfv3-1] bfd all-interfaces enable
[S12700E-4_P1-ospfv3-1] quit
----End
# Create Eth-Trunk 0, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE1/0/0 to Eth-Trunk 0.
<S12700E-4_P3> system-view
[S12700E-4_P3] ipv6
[S12700E-4_P3] interface Eth-Trunk 0
[S12700E-4_P3-Eth-Trunk0] undo portswitch
[S12700E-4_P3-Eth-Trunk0] description To_S12700E-4_P4
[S12700E-4_P3-Eth-Trunk0] ip address 1.1.1.9 255.255.255.252
[S12700E-4_P3-Eth-Trunk0] ipv6 enable
[S12700E-4_P3-Eth-Trunk0] ipv6 address 2001:0:0:208::1/64
[S12700E-4_P3-Eth-Trunk0] mode lacp
[S12700E-4_P3-Eth-Trunk0] quit
[S12700E-4_P3] interface XGigabitEthernet 1/0/0
[S12700E-4_P3-XGigabitEthernet1/0/0] eth-trunk 0
[S12700E-4_P3-XGigabitEthernet1/0/0] quit
# Create Eth-Trunk 1, configure its IPv4 and IPv6 addresses, enable LACP, and add
XGE2/0/0 to Eth-Trunk 1.
[S12700E-4_P3] interface Eth-Trunk 1
[S12700E-4_P3-Eth-Trunk1] undo portswitch
[S12700E-4_P3-Eth-Trunk1] description To_S12700E-4_P1
[S12700E-4_P3-Eth-Trunk1] ip address 1.1.1.1 255.255.255.252
[S12700E-4_P3-Eth-Trunk1] ipv6 enable
[S12700E-4_P3-Eth-Trunk1] ipv6 address 2001:0:0:209::1/64
[S12700E-4_P3-Eth-Trunk1] mode lacp
[S12700E-4_P3-Eth-Trunk1] quit
[S12700E-4_P3] interface XGigabitEthernet 2/0/0
[S12700E-4_P3-XGigabitEthernet2/0/0] eth-trunk 1
[S12700E-4_P3-XGigabitEthernet2/0/0] quit
# Create VLAN 3900, and configure an IPv4 address and an IPv6 address for
VLANIF 3900. Create Eth-Trunk 2, enable LACP, and add XGE1/0/1 to Eth-Trunk 2.
[S12700E-4_P3] vlan 3900
[S12700E-4_P3-vlan3900] quit
[S12700E-4_P3] interface Vlanif 3900
[S12700E-4_P3-Vlanif3900] ip address 1.1.4.1 255.255.255.252
[S12700E-4_P3-Vlanif3900] ipv6 enable
[S12700E-4_P3-Vlanif3900] ipv6 address 2001:0:0:330::1/64
[S12700E-4_P3-Vlanif3900] quit
[S12700E-4_P3] interface Eth-Trunk 2
[S12700E-4_P3-Eth-Trunk2] description To_RR_2
[S12700E-4_P3-Eth-Trunk2] port link-type trunk
[S12700E-4_P3-Eth-Trunk2] port trunk allow-pass vlan 3900
[S12700E-4_P3-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S12700E-4_P3-Eth-Trunk2] mode lacp
[S12700E-4_P3-Eth-Trunk2] quit
[S12700E-4_P3] interface XGigabitEthernet 1/0/1
[S12700E-4_P3-XGigabitEthernet1/0/1] eth-trunk 2
[S12700E-4_P3-XGigabitEthernet1/0/1] quit
# Configure an IPv4 address and an IPv6 address for XGE2/0/3 that connects
S12700E-4_P3 to the egress router Router_2 of site B.
[S12700E-4_P3] interface XGigabitEthernet 2/0/3
[S12700E-4_P3-XGigabitEthernet2/0/3] description To_Router_2
[S12700E-4_P3-XGigabitEthernet2/0/3] undo portswitch
[S12700E-4_P3-XGigabitEthernet2/0/3] ip address 1.1.1.121 255.255.255.252
[S12700E-4_P3-XGigabitEthernet2/0/3] ipv6 enable
[S12700E-4_P3-XGigabitEthernet2/0/3] ipv6 address 2001:0:0:20C::1/64
[S12700E-4_P3-XGigabitEthernet2/0/3] quit
# Create OSPFv2 process 1, specify the router ID, create area 0, enable GR, and
configure password authentication.
[S12700E-4_P3] ospf 1 router-id 2.2.2.3
[S12700E-4_P3-ospf-1] silent-interface all
[S12700E-4_P3-ospf-1] undo silent-interface Eth-Trunk0
[S12700E-4_P3-ospf-1] undo silent-interface Eth-Trunk1
[S12700E-4_P3-ospf-1] undo silent-interface Vlanif3900
[S12700E-4_P3-ospf-1] undo silent-interface XGigabitEthernet2/0/3
[S12700E-4_P3-ospf-1] opaque-capability enable
[S12700E-4_P3-ospf-1] graceful-restart
[S12700E-4_P3-ospf-1] bandwidth-reference 1000000
[S12700E-4_P3-ospf-1] stub-router on-startup
[S12700E-4_P3-ospf-1] area 0.0.0.0
[S12700E-4_P3-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[S12700E-4_P3-ospf-1-area-0.0.0.0] quit
[S12700E-4_P3-ospf-1] quit
# Configure IPSec.
[S12700E-4_P3] ipsec proposal 1
[S12700E-4_P3-ipsec-proposal-1] encapsulation-mode transport
[S12700E-4_P3-ipsec-proposal-1] transform ah
[S12700E-4_P3-ipsec-proposal-1] ah authentication-algorithm md5
[S12700E-4_P3-ipsec-proposal-1] quit
[S12700E-4_P3] ipsec sa area0
[S12700E-4_P3-ipsec-sa-area0] proposal 1
[S12700E-4_P3-ipsec-sa-area0] sa spi inbound ah 256
[S12700E-4_P3-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S12700E-4_P3-ipsec-sa-area0] sa spi outbound ah 256
[S12700E-4_P3-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[S12700E-4_P3-ipsec-sa-area0] quit
# Create OSPFv3 process 1, specify the router ID, and enable GR.
[S12700E-4_P3] ospfv3 1
[S12700E-4_P3-ospfv3-1] router-id 2.2.2.3
[S12700E-4_P3-ospfv3-1] bandwidth-reference 1000000
[S12700E-4_P3-ospfv3-1] ipsec sa area0
[S12700E-4_P3-ospfv3-1] graceful-restart
[S12700E-4_P3-ospfv3-1] quit
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 0, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface Eth-Trunk 0
[S12700E-4_P3-Eth-Trunk0] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk0] ospf network-type p2p
# Enable OSPFv2 and OSPFv3 on Eth-Trunk 1, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface Eth-Trunk 1
[S12700E-4_P3-Eth-Trunk1] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk1] ospf network-type p2p
[S12700E-4_P3-Eth-Trunk1] ospf cost 1000
[S12700E-4_P3-Eth-Trunk1] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-Eth-Trunk1] ospfv3 network-type p2p
[S12700E-4_P3-Eth-Trunk1] ospfv3 cost 1000
[S12700E-4_P3-Eth-Trunk1] quit
# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[S12700E-4_P3] interface Vlanif 3900
[S12700E-4_P3-Vlanif3900] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-Vlanif3900] ospf network-type p2p
[S12700E-4_P3-Vlanif3900] ospf cost 2000
[S12700E-4_P3-Vlanif3900] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-Vlanif3900] ospfv3 network-type p2p
[S12700E-4_P3-Vlanif3900] ospfv3 cost 2000
[S12700E-4_P3-Vlanif3900] quit
# Enable OSPFv2 and OSPFv3 on XGE2/0/3, set the network type to P2P, and set
the OSPF cost value.
[S12700E-4_P3] interface XGigabitEthernet 2/0/3
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf enable 1 area 0.0.0.0
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf network-type p2p
[S12700E-4_P3-XGigabitEthernet2/0/3] ospf cost 2000
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 1 area 0.0.0.0
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 network-type p2p
[S12700E-4_P3-XGigabitEthernet2/0/3] ospfv3 cost 2000
[S12700E-4_P3-XGigabitEthernet2/0/3] quit
Step 3 Configure BGP and BGP4+, and configure S12700E-4_P3 to establish an IBGP peer
relationship with RR_2.
# Start the BGP process and configure BGP peers.
[S12700E-4_P3] bgp 64999
[S12700E-4_P3-bgp] router-id 2.2.2.3
[S12700E-4_P3-bgp] graceful-restart
[S12700E-4_P3-bgp] group iBGP internal
[S12700E-4_P3-bgp] peer iBGP connect-interface LoopBack0
[S12700E-4_P3-bgp] peer iBGP password cipher huawei@123
[S12700E-4_P3-bgp] peer 2.2.2.55 as-number 64999
[S12700E-4_P3-bgp] peer 2.2.2.55 group iBGP
[S12700E-4_P3-bgp] ipv4-family unicast
[S12700E-4_P3-bgp-af-ipv4] peer iBGP enable
[S12700E-4_P3-bgp-af-ipv4] peer iBGP next-hop-local
[S12700E-4_P3-bgp-af-ipv4] peer iBGP advertise-community
[S12700E-4_P3-bgp-af-ipv4] quit
# Configure MP-BGP.
[S12700E-4_P3] bgp 64999
[S12700E-4_P3-bgp] ipv4-family vpnv4
[S12700E-4_P3-bgp-af-vpnv4] peer 2.2.2.55 enable
[S12700E-4_P3-bgp-af-vpnv4] quit
[S12700E-4_P3-bgp] ipv6-family vpnv6
[S12700E-4_P3-bgp-af-vpnv6] peer 2.2.2.55 enable
[S12700E-4_P3-bgp-af-vpnv6] quit
[S12700E-4_P3-bgp] quit
Step 4 Enable BFD globally, and enable BFD for OSPFv2 and BFD for OSPFv3.
[S12700E-4_P3] bfd
[S12700E-4_P3-bfd] quit
[S12700E-4_P3] ospf 1
[S12700E-4_P3-ospf-1] bfd all-interfaces enable
[S12700E-4_P3-ospf-1] quit
[S12700E-4_P3] ospfv3 1
[S12700E-4_P3-ospfv3-1] bfd all-interfaces enable
[S12700E-4_P3-ospfv3-1] quit
----End
# Create VLAN 3940, and configure an IPv4 address and an IPv6 address for
VLANIF 3940. Create Eth-Trunk 1, enable LACP, and add XGE1/0/1 to Eth-Trunk 1.
[RR_1] vlan 3940
[RR_1-vlan3940] quit
[RR_1] interface Vlanif 3940
[RR_1-Vlanif3940] ip address 1.1.2.6 255.255.255.252
[RR_1-Vlanif3940] ipv6 enable
[RR_1-Vlanif3940] ipv6 address 2001:0:0:3D0::2/64
[RR_1-Vlanif3940] quit
[RR_1] interface Eth-Trunk 1
[RR_1-Eth-Trunk1] description To_S12704_P2
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[RR_1] interface LoopBack 0
[RR_1-LoopBack0] ip address 2.2.2.57 255.255.255.255
[RR_1-LoopBack0] ipv6 enable
[RR_1-LoopBack0] ipv6 address 2001::17/128
[RR_1-LoopBack0] quit
# Configure IPSec.
[RR_1] ipsec proposal 1
[RR_1-ipsec-proposal-1] encapsulation-mode transport
[RR_1-ipsec-proposal-1] transform ah
[RR_1-ipsec-proposal-1] ah authentication-algorithm md5
[RR_1-ipsec-proposal-1] quit
[RR_1] ipsec sa area0
[RR_1-ipsec-sa-area0] proposal 1
[RR_1-ipsec-sa-area0] sa spi inbound ah 256
[RR_1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[RR_1-ipsec-sa-area0] sa spi outbound ah 256
[RR_1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[RR_1-ipsec-sa-area0] quit
# Enable OSPFv2 and OSPFv3 on VLANIF 3900, set the network type to P2P, and
set the OSPF cost value.
[RR_1] interface Vlanif3900
[RR_1-Vlanif3900] ospf enable 1 area 0.0.0.0
[RR_1-Vlanif3900] ospf network-type p2p
# Enable OSPFv2 and OSPFv3 on VLANIF 3940, set the network type to P2P, and
set the OSPF cost value.
[RR_1] interface Vlanif3940
[RR_1-Vlanif3940] ospf enable 1 area 0.0.0.0
[RR_1-Vlanif3940] ospf network-type p2p
[RR_1-Vlanif3940] ospf cost 2000
[RR_1-Vlanif3940] ospfv3 1 area 0.0.0.0
[RR_1-Vlanif3940] ospfv3 network-type p2p
[RR_1-Vlanif3940] ospfv3 cost 2000
[RR_1-Vlanif3940] quit
Step 3 Configure BGP and BGP4+, and configure RR_1 to establish IBGP peer
relationships with S12704_P1, S12704_P2, and RR_2.
# Start the BGP process and configure BGP peers.
[RR_1] bgp 64999
[RR_1-bgp] router-id 2.2.2.57
[RR_1-bgp] graceful-restart
[RR_1-bgp] group iBGP internal
[RR_1-bgp] peer iBGP connect-interface LoopBack0
[RR_1-bgp] peer iBGP password cipher huawei@123
[RR_1-bgp] peer 2.2.2.9 as-number 64999
[RR_1-bgp] peer 2.2.2.9 group iBGP
[RR_1-bgp] peer 2.2.2.10 as-number 64999
[RR_1-bgp] peer 2.2.2.10 group iBGP
[RR_1-bgp] peer 2.2.2.55 as-number 64999
[RR_1-bgp] peer 2.2.2.55 group iBGP
[RR_1-bgp] ipv4-family unicast
[RR_1-bgp-af-ipv4] peer iBGP enable
[RR_1-bgp-af-ipv4] peer iBGP next-hop-local
[RR_1-bgp-af-ipv4] peer iBGP advertise-community
[RR_1-bgp-af-ipv4] peer 2.2.2.9 reflect-client
[RR_1-bgp-af-ipv4] peer 2.2.2.10 reflect-client
[RR_1-bgp-af-ipv4] peer 2.2.2.55 reflect-client
[RR_1-bgp-af-ipv4] quit
----End
# Create loopback 0 and configure an IPv4 address and an IPv6 address for it.
[Router_1] interface LoopBack 0
[Router_1-LoopBack0] ip address 2.2.2.11 255.255.255.255
[Router_1-LoopBack0] ipv6 enable
[Router_1-LoopBack0] ipv6 address 2001:F167::1/128
[Router_1-LoopBack0] quit
# Configure IPSec.
[Router_1] ipsec proposal 1
[Router_1-ipsec-proposal-1] encapsulation-mode transport
[Router_1-ipsec-proposal-1] transform ah
[Router_1-ipsec-proposal-1] ah authentication-algorithm md5
[Router_1-ipsec-proposal-1] quit
[Router_1] ipsec sa area0
[Router_1-ipsec-sa-area0] proposal 1
[Router_1-ipsec-sa-area0] sa spi inbound ah 256
[Router_1-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[Router_1-ipsec-sa-area0] sa spi outbound ah 256
[Router_1-ipsec-sa-area0] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
[Router_1-ipsec-sa-area0] quit
# Enable OSPFv2 and OSPFv3 on XGE0/0/1, set the network type to P2P, and set
the OSPF cost value to implement route backup.
[Router_1] interface XGigabitEthernet0/0/1
[Router_1-XGigabitEthernet0/0/1] ospf enable 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/1] ospf network-type p2p
[Router_1-XGigabitEthernet0/0/1] ospf cost 2000
[Router_1-XGigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/1] ospfv3 network-type p2p
[Router_1-XGigabitEthernet0/0/1] ospfv3 cost 2000
[Router_1-XGigabitEthernet0/0/1] quit
# Enable OSPFv2 and OSPFv3 on XGE0/0/2, set the network type to P2P, and set
the OSPF cost value to implement route backup.
[Router_1] interface XGigabitEthernet0/0/2
[Router_1-XGigabitEthernet0/0/2] ospf enable 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/2] ospf network-type p2p
[Router_1-XGigabitEthernet0/0/2] ospf cost 2050
[Router_1-XGigabitEthernet0/0/2] ospfv3 1 area 0.0.0.0
[Router_1-XGigabitEthernet0/0/2] ospfv3 network-type p2p
[Router_1-XGigabitEthernet0/0/2] ospfv3 cost 2050
[Router_1-XGigabitEthernet0/0/2] quit
Step 3 Configure BGP and BGP4+, and configure Router_1 to establish an IBGP peer
relationship with RR_1.
# Start the BGP process and configure BGP peers.
[Router_1] bgp 64999
[Router_1-bgp] router-id 2.2.2.11
[Router_1-bgp] graceful-restart
[Router_1-bgp] group iBGP internal
[Router_1-bgp] peer iBGP connect-interface LoopBack0
[Router_1-bgp] peer iBGP password cipher huawei@123
[Router_1-bgp] peer 2.2.2.57 as-number 64999
[Router_1-bgp] peer 2.2.2.57 group iBGP
[Router_1-bgp] ipv4-family unicast
[Router_1-bgp-af-ipv4] peer iBGP enable
[Router_1-bgp-af-ipv4] peer iBGP next-hop-local
[Router_1-bgp-af-ipv4] peer iBGP advertise-community
[Router_1-bgp-af-ipv4] quit
Step 4 Configure EBGP on Router_1, and configure Router_1 to establish an EBGP peer
relationship with the user gateway at site A. The user gateway learns routes of site
A and imports the routes to the backbone area. In this manner, the two sites can
communicate with each other. Assume that Router_1 is connected to the user
gateway through XGE0/0/3.
# Configure an IP address for XGE0/0/3 and add XGE0/0/3 to a VLAN.
[Router_1] vlan 1101
[Router_1-vlan1101] quit
[Router_1] interface Vlanif 1101
[Router_1-Vlanif1101] ip address 101.1.1.2 255.255.255.0
[Router_1-Vlanif1101] ipv6 enable
[Router_1-Vlanif1101] ipv6 address 2000:101::1/64
[Router_1-Vlanif1101] quit
[Router_1] interface XGigabitEthernet0/0/3
[Router_1-XGigabitEthernet0/0/3] port link-type trunk
[Router_1-XGigabitEthernet0/0/3] port trunk allow-pass vlan 1101
[Router_1-XGigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[Router_1-XGigabitEthernet0/0/3] quit
# Configure EBGP peers. Assume that the IPv4 and IPv6 addresses of the user
gateway are 101.1.1.1 and 2000:101::2, respectively.
[Router_1] bgp 64999
[Router_1-bgp] peer 101.1.1.1 as-number 100
[Router_1-bgp] peer 2000:101::2 as-number 100
[Router_1-bgp] ipv6-family unicast
[Router_1-bgp-af-ipv6] peer 2000:101::2 enable
[Router_1-bgp-af-ipv6] quit
[Router_1-bgp] quit
----End
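The procedures above type secrets in plaintext (cipher huawei@123, the AH hex keys) that the switch stores in %^%# ciphertext form, and they rely on MD5 for OSPF area authentication, MD5 for the OSPFv3 AH proposal, and a password on the iBGP peer group but none on the EBGP peers. The following audit script is an added example, not part of this configuration guide: it reads either a CLI transcript or a saved configuration file and reports those points. Its two sample inputs are constructed from commands in this example, with a placeholder in place of a device-generated ciphertext blob.

```python
"""Audit Huawei VRP configuration text for the security settings this example relies
on.  Added example, not from the guide; sample inputs are constructed from its commands."""
import re

# VRP stores a secret as ciphertext wrapped in one of these marker pairs.
CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")
# Commands opening a top-level view; later lines belong to it until the next one.
_VIEW_RE = re.compile(r"^(bgp \d+|ospf \d+|ospfv3 \d+|ipsec proposal|ipsec sa|interface |vlan |sysname |bfd$)")
_PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")   # '[S12700E-4_P3-bgp] ' transcript prompt
_CIPHER_RE = re.compile(r"\bcipher\s+(\S+)")


def is_ciphertext(value: str) -> bool:
    """True when a stored secret carries VRP ciphertext markers at both ends."""
    return any(value.startswith(m) and value.endswith(m) and len(value) > 2 * len(m)
               for m in CIPHER_MARKERS)


def normalise(text: str) -> list[str]:
    """Reduce a CLI transcript or a saved configuration file to bare commands."""
    commands = []
    for raw in text.splitlines():
        line = _PROMPT_RE.sub("", raw).strip()
        if line and line not in ("#", "quit", "return") and not line.startswith("<"):
            commands.append(line)
    return commands


def audit_config(text: str) -> list[str]:
    """Return one message per security-relevant finding, in configuration order."""
    findings, view = [], ""
    with_password = set()   # BGP peers or peer groups that carry a password
    peer_group = {}         # BGP peer address -> peer group
    peers = []              # BGP peers configured with an AS number
    for line in normalise(text):
        if _VIEW_RE.match(line):
            view = line.split()[0]
        # 1. A secret after 'cipher' must be in ciphertext form before the configuration
        #    is stored or shared; report the command, never the value.
        m = _CIPHER_RE.search(line)
        if m and not is_ciphertext(m.group(1)):
            findings.append(f"plaintext secret in '{line[:m.start(1)].rstrip()}'")
        # 2. Legacy algorithms in OSPF area authentication and the OSPFv3 AH proposal.
        if line == "ah authentication-algorithm md5":
            findings.append("OSPFv3 IPsec AH proposal uses MD5 integrity; review")
        if view == "ospf" and line.startswith("authentication-mode md5"):
            findings.append("OSPF area authentication uses MD5; review")
        # 3. Collect BGP peer, peer-group and password relationships for the check below.
        if view == "bgp":
            parts = line.split()
            if parts[0] == "peer" and len(parts) >= 3:
                if parts[2] == "as-number":
                    peers.append(parts[1])
                elif parts[2] == "password":
                    with_password.add(parts[1])
                elif parts[2] == "group" and len(parts) == 4:
                    peer_group[parts[1]] = parts[3]
    for peer in peers:   # protected by its own password or by its peer group's
        if peer not in with_password and peer_group.get(peer) not in with_password:
            findings.append(f"BGP peer {peer} has no password configured")
    return findings


# Constructed sample 1: CLI transcript lines from the S12700E-4_P3 procedure above.
SAMPLE_TRANSCRIPT = """\
[S12700E-4_P3] ospf 1 router-id 2.2.2.3
[S12700E-4_P3-ospf-1-area-0.0.0.0] authentication-mode md5 1 cipher huawei@123
[S12700E-4_P3-ospf-1-area-0.0.0.0] quit
[S12700E-4_P3] ipsec proposal 1
[S12700E-4_P3-ipsec-proposal-1] ah authentication-algorithm md5
[S12700E-4_P3-ipsec-proposal-1] quit
[S12700E-4_P3] ipsec sa area0
[S12700E-4_P3-ipsec-sa-area0] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[S12700E-4_P3-ipsec-sa-area0] quit
[S12700E-4_P3] bgp 64999
[S12700E-4_P3-bgp] group iBGP internal
[S12700E-4_P3-bgp] peer iBGP password cipher huawei@123
[S12700E-4_P3-bgp] peer 2.2.2.55 as-number 64999
[S12700E-4_P3-bgp] peer 2.2.2.55 group iBGP
"""
# Constructed sample 2: saved-configuration form of the Router_1 BGP block, with a
# placeholder ciphertext blob in place of the device-generated one.
SAMPLE_SAVED = """\
bgp 64999
 peer 101.1.1.1 as-number 100
 peer 2000:101::2 as-number 100
 group iBGP internal
 peer iBGP password cipher %^%#PLACEHOLDER-CIPHERTEXT%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 #
 ipv4-family unicast
  peer 101.1.1.1 enable
#
return
"""

if __name__ == "__main__":
    for name, cfg in (("S12700E-4_P3", SAMPLE_TRANSCRIPT), ("Router_1", SAMPLE_SAVED)):
        for msg in audit_config(cfg):
            print(f"{name}: {msg}")
```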
S12700E-4_P1
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_1
 ipv6 enable
 ip address 1.1.1.129 255.255.255.252
 ipv6 address 2001:0:0:20E::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.9 255.255.255.255
 ipv6 address 2001::13/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.9
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.9
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3900
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
S12700E-4_P2
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_1
 ipv6 enable
 ip address 1.1.1.133 255.255.255.252
 ipv6 address 2001:0:0:20F::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.10 255.255.255.255
 ipv6 address 2001::14/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.10
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.10
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3940
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
S12700E-4_P3
#
sysname S12700E-4_P3
#
ipv6
#
vlan batch 3900
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.3
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.4.1 255.255.255.252
 ipv6 address 2001:0:0:330::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P4
 ipv6 enable
 ip address 1.1.1.9 255.255.255.252
 ipv6 address 2001:0:0:208::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P1
 ipv6 enable
 ip address 1.1.1.1 255.255.255.252
 ipv6 address 2001:0:0:209::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_2
 ipv6 enable
 ip address 1.1.1.121 255.255.255.252
 ipv6 address 2001:0:0:20C::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.3 255.255.255.255
 ipv6 address 2001::11/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.3
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.3
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3900
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
S12700E-4_P4
#
sysname S12700E-4_P4
#
ipv6
#
vlan batch 3940
#
bfd
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.4
 bandwidth-reference 1000000
 graceful-restart
 bfd all-interfaces enable
 ipsec sa area0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.4.5 255.255.255.252
 ipv6 address 2001:0:0:430::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 undo portswitch
 description To_S12700E-4_P3
 ipv6 enable
 ip address 1.1.1.10 255.255.255.252
 ipv6 address 2001:0:0:208::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 500
 ospfv3 network-type p2p
 ospf cost 500
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk1
 undo portswitch
 description To_S12700E-4_P2
 ipv6 enable
 ip address 1.1.1.5 255.255.255.252
 ipv6 address 2001:0:0:20B::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 1000
 ospfv3 network-type p2p
 ospf cost 1000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
 mode lacp
#
interface Eth-Trunk2
 description To_RR_2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet2/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/0/1
 eth-trunk 2
#
interface XGigabitEthernet2/0/3
 undo portswitch
 description To_Router_2
 ipv6 enable
 ip address 1.1.1.125 255.255.255.252
 ipv6 address 2001:0:0:20D::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.4 255.255.255.255
 ipv6 address 2001::12/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.4
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.4
 bfd all-interfaces enable
 silent-interface all
 undo silent-interface Eth-Trunk0
 undo silent-interface Eth-Trunk1
 undo silent-interface Vlanif3940
 undo silent-interface XGigabitEthernet2/0/3
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 stub-router on-startup
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
RR_1
#
sysname RR_1
#
ipv6
#
vlan batch 3900 3940
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.57
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.2.2 255.255.255.252
 ipv6 address 2001:0:0:3B0::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.2.6 255.255.255.252
 ipv6 address 2001:0:0:3D0::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 description To_S12700E-4_P1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface Eth-Trunk1
 description To_S12700E-4_P2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet1/0/0
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.57 255.255.255.255
 ipv6 address 2001::17/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.57
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.9 as-number 64999
 peer 2.2.2.9 group iBGP
 peer 2.2.2.10 as-number 64999
 peer 2.2.2.10 group iBGP
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::13 as-number 64999
 peer 2001::13 group iBGP
 peer 2001::14 as-number 64999
 peer 2001::14 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.9 enable
  peer 2.2.2.9 group iBGP
  peer 2.2.2.9 reflect-client
  peer 2.2.2.10 enable
  peer 2.2.2.10 group iBGP
  peer 2.2.2.10 reflect-client
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
  peer 2.2.2.55 reflect-client
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::13 group iBGP
  peer 2001::13 reflect-client
  peer 2001::14 group iBGP
  peer 2001::14 reflect-client
  peer 2001::15 group iBGP
  peer 2001::15 reflect-client
#
ospf 1 router-id 2.2.2.57
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
RR_2
#
sysname RR_2
#
ipv6
#
vlan batch 3900 3940
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.55
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif3900
 ipv6 enable
 ip address 1.1.4.2 255.255.255.252
 ipv6 address 2001:0:0:330::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Vlanif3940
 ipv6 enable
 ip address 1.1.4.6 255.255.255.252
 ipv6 address 2001:0:0:430::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk0
 description To_S12700E-4_P3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3900
 mode lacp
#
interface Eth-Trunk1
 description To_S12700E-4_P4
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3940
 mode lacp
#
interface XGigabitEthernet4/0/0
 eth-trunk 0
#
interface XGigabitEthernet4/0/1
 eth-trunk 1
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.55 255.255.255.255
 ipv6 address 2001::15/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.55
 graceful-restart
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.3 as-number 64999
 peer 2.2.2.3 group iBGP
 peer 2.2.2.4 as-number 64999
 peer 2.2.2.4 group iBGP
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::11 as-number 64999
 peer 2001::11 group iBGP
 peer 2001::12 as-number 64999
 peer 2001::12 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.3 enable
  peer 2.2.2.3 group iBGP
  peer 2.2.2.3 reflect-client
  peer 2.2.2.4 enable
  peer 2.2.2.4 group iBGP
  peer 2.2.2.4 reflect-client
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
  peer 2.2.2.57 reflect-client
 #
 ipv6-family unicast
  undo synchronization
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::11 group iBGP
  peer 2001::11 reflect-client
  peer 2001::12 group iBGP
  peer 2001::12 reflect-client
  peer 2001::17 group iBGP
  peer 2001::17 reflect-client
#
ospf 1 router-id 2.2.2.55
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
Router_1
#
sysname Router_1
#
ipv6
#
vlan batch 1101
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.11
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif1101
 ipv6 enable
 ip address 101.1.1.2 255.255.255.0
 ipv6 address 2000:101::1/64
#
interface XGigabitEthernet0/0/1
 undo portswitch
 description To_S12700E-4_P1
 ipv6 enable
 ip address 1.1.1.130 255.255.255.252
 ipv6 address 2001:0:0:20E::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/2
 undo portswitch
 description To_S12700E-4_P2
 ipv6 enable
 ip address 1.1.1.134 255.255.255.252
 ipv6 address 2001:0:0:20F::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 1101
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.11 255.255.255.255
 ipv6 address 2001:F167::1/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.11
 graceful-restart
 peer 101.1.1.1 as-number 100
 peer 2000:101::2 as-number 100
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.57 as-number 64999
 peer 2.2.2.57 group iBGP
 peer 2001::17 as-number 64999
 peer 2001::17 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer 101.1.1.1 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.57 enable
  peer 2.2.2.57 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer 2000:101::2 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::17 enable
  peer 2001::17 group iBGP
#
ospf 1 router-id 2.2.2.11
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return
Router_2
#
sysname Router_2
#
ipv6
#
vlan batch 1101
#
ipsec proposal 1
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa area0
 proposal 1
 sa spi inbound ah 256
 sa authentication-hex inbound ah cipher %^%#Hs`fE9Kd_92D<#M^CGDSwqjQFrgB~@q,\&NzzsD,xF>0UP%>5+H&q6Vj8ilG%^%#
 sa spi outbound ah 256
 sa authentication-hex outbound ah cipher %^%#"sFYHYf[9Mz|GW;ko4d<`%DjK-OBR$^<Dt!Hx#FYZ:oDR:\BEGkIsK$LtsnQ%^%#
#
ospfv3 1
 router-id 2.2.2.1
 bandwidth-reference 1000000
 graceful-restart
 ipsec sa area0
#
interface Vlanif1101
 ipv6 enable
 ip address 100.1.1.2 255.255.255.0
 ipv6 address 1000:101::1/64
#
interface XGigabitEthernet0/0/1
 undo portswitch
 description To_S12700E-4_P3
 ipv6 enable
 ip address 1.1.1.122 255.255.255.252
 ipv6 address 2001:0:0:20C::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2000
 ospfv3 network-type p2p
 ospf cost 2000
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/2
 undo portswitch
 description To_S12700E-4_P4
 ipv6 enable
 ip address 1.1.1.126 255.255.255.252
 ipv6 address 2001:0:0:20D::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 cost 2050
 ospfv3 network-type p2p
 ospf cost 2050
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface XGigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 1101
#
interface LoopBack0
 ipv6 enable
 ip address 2.2.2.1 255.255.255.255
 ipv6 address 2001:F168::1/128
 ospfv3 1 area 0.0.0.0
 ospf enable 1 area 0.0.0.0
#
bgp 64999
 router-id 2.2.2.1
 graceful-restart
 peer 100.1.1.2 as-number 100
 peer 2000:101::3 as-number 100
 group iBGP internal
 peer iBGP connect-interface LoopBack0
 peer iBGP password cipher %^%#eamS:6P:FG1Jkg5p=Ak<YL#qV1u(DG*amm6,^@gN%^%#
 peer 2.2.2.55 as-number 64999
 peer 2.2.2.55 group iBGP
 peer 2001::15 as-number 64999
 peer 2001::15 group iBGP
 #
 ipv4-family unicast
  undo synchronization
  peer 101.1.1.2 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2.2.2.55 enable
  peer 2.2.2.55 group iBGP
 #
 ipv6-family unicast
  undo synchronization
  peer 2000:101::3 enable
  peer iBGP enable
  peer iBGP next-hop-local
  peer iBGP advertise-community
  peer 2001::15 enable
  peer 2001::15 group iBGP
#
ospf 1 router-id 2.2.2.1
 opaque-capability enable
 graceful-restart
 bandwidth-reference 1000000
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#}dVz9bd0`BHT+QJv0y.8~2{JTr1&/@T.l`5k+Y%T%^%#
#
return