S2700-SI V100R006C05
S2700-EI V100R006C05
S2710-SI V100R006C05
S2752EI V100R006C05
S3700-SI V100R006C05
S3700-EI V100R006C05
S3700-HI V200R001C00
S5710-C-LI V200R001C00
NOTE
This section uses the S2750 as an access switch (ACC1), S5700 as a core switch (CORE), and
an AR series router as an egress router (Router) as examples to demonstrate the
configuration procedure for small-sized campus networks.
NOTE
If the switch has a Mini USB port, you can connect your PC to the switch using a Mini
USB cable. For this configuration procedure, see the corresponding Configuration
Guide - Basic Configuration based on the version of the device.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.
Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 3-2 lists the communication parameters on the switch.
Stop bits: 1
Data bits: 8
3. Press Connect until the following information is displayed. Enter your new
password, and then re-enter it to confirm.
Login authentication
Username:
Password:
NOTE
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained
the access permission of the document, see Help on the website to find out how to
obtain it.
You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.
3. Configure Telnet.
[HUAWEI] telnet server enable //By default, the Telnet function is disabled.
[HUAWEI] telnet server-source -i vlanif 5 //In V200R020 and later versions, you must run this
command to configure the port for connecting to the server. Otherwise, Telnet is unavailable.
[HUAWEI] user-interface vty 0 4 //An administrator generally logs in to the switch through Telnet.
AAA authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //V200R006 and earlier versions support Telnet.
V200R007 and later versions support SSH by default. If the switch runs V200R007 or a later version,
run this command before logging in to the switch using Telnet.
NOTE
Use of STelnet V2 to log in to the switch is recommended because the Telnet protocol
has security risks. For this configuration procedure, see the corresponding
Configuration Guide - Basic Configuration based on the version of the device.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and
press Enter.
Login authentication
3. Configure the interfaces on ACC1 that connect user devices so that user
devices can be added to the VLAN. Configure the interfaces as edge ports.
[ACC1] interface Ethernet 0/0/2 //Configure the interface connecting to PC1.
[ACC1-Ethernet0/0/2] port link-type access
[ACC1-Ethernet0/0/2] port default vlan 10
[ACC1-Ethernet0/0/2] stp edged-port enable
[ACC1-Ethernet0/0/2] quit
[ACC1] interface Ethernet 0/0/3 //Configure the interface connecting to PC2.
[ACC1-Ethernet0/0/3] port link-type access
[ACC1-Ethernet0/0/3] port default vlan 10
NOTE
To add all users connected to ACC1 to VLAN 10, you can add Eth-Trunk1 on CORE to
VLAN 10 as an Access interface and do not add interfaces on ACC1 to VLAN 10,
simplifying the configuration. This configuration ensures that all users connected to
Eth-Trunk1 belong to VLAN 10.
4. Configure the BPDU protection function to improve network stability.
[ACC1] stp bpdu-protection
4. After configuring the interfaces and VLANs, run the following commands to
view the configuration results. For details about the command output, see the
corresponding Command Reference based on the version of the device.
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2212 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2212 32768 3 289 10111100
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2211 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2211 32768 3 289 10111100
NOTE
In this section, a global address pool is configured. You can also configure an interface-
based address pool. For details on this process, see the corresponding Configuration Guide
- IP Service based on the version of the device.
1. Create a global address pool, configure the egress gateway and lease (the
default lease, one day, is used, so no command is executed), and allocate
fixed IP address 10.10.10.254 to the printer with MAC address a-b-c.
<CORE> system-view
[CORE] dhcp enable
[CORE] ip pool 10
[CORE-ip-pool-10] network 10.10.10.0 mask 24 //Specify the address pool range that is used to
allocate IP addresses to users in department A.
[CORE-ip-pool-10] gateway-list 10.10.10.1 //Configure the gateway address for users in
department A.
[CORE-ip-pool-10] static-bind ip-address 10.10.10.254 mac-address a-b-c //Allocate fixed IP
address to the printer.
[CORE-ip-pool-10] quit
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.1
Network : 10.10.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
NOTE
After either of the preceding operations is performed, terminal PCs can rapidly
obtain IP addresses after they start.
2. Select one PC from each department to perform ping tests and verify whether
the two departments can communicate at Layer 3 through VLANIF interfaces.
Users in department A and department B communicate at Layer 3 through
VLANIF interfaces on CORE. If PC1 and PC3 can ping each other successfully,
users in the two departments can normally communicate at Layer 3 through
VLANIF interfaces. The ping command is similar to that in step 1.
3. Select one PC from each department to ping a public network address and
verify whether intranet users of the company can access the Internet
normally.
The following example uses department A. Generally, you can ping a public
network gateway address from PC1 to verify whether PC1 can access the
Internet. The public network gateway address is the IP address of the carrier
device to which the egress router connects. If the ping test succeeds, intranet
users can access the Internet normally. The ping command is similar to that in
step 1.
This section uses the S2750 as an access switch (ACC1), S5700 as a core switch (CORE), and
an AR series router as an egress router (Router) as examples to demonstrate the
configuration procedure for small- and mid-sized campus networks.
Configure interfaces and VLANs (port type): The Trunk port connects to a switch, and
the Access port connects to a PC. This configuration is for Trunk and Access port setup.
If a Hybrid port setup is available on a switch, this port can connect to either a host
or another switch.
NOTE
If the switch has a Mini USB port, you can connect your PC to the switch using a Mini
USB cable. For this configuration procedure, see the corresponding Configuration
Guide - Basic Configuration based on the version of the device.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.
Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 3-3 lists the communication parameters on the switch.
Stop bits: 1
Data bits: 8
3. Press Connect until the following information is displayed. Enter your new
password, and then re-enter it to confirm.
Login authentication
Username:
Password:
NOTE
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained
the access permission of the document, see Help on the website to find out how to
obtain it.
You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.
[HUAWEI] user-interface vty 0 4 //An administrator generally logs in to the switch through Telnet.
AAA authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //V200R006 and earlier versions support Telnet.
V200R007 and later versions support SSH by default. If the switch runs V200R007 or a later version,
run this command before logging in to the switch using Telnet.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Configure the
user name and password for Telnet login. The user name is case-insensitive, whereas the password is
case-sensitive.
[HUAWEI-aaa] local-user admin privilege level 15 //Set the administrator account level to 15
(highest).
[HUAWEI-aaa] local-user admin service-type telnet
[HUAWEI-aaa] quit
NOTE
Use of STelnet V2 to log in to the switch is recommended because the Telnet protocol
has security risks. For this configuration procedure, see the corresponding
Configuration Guide - Basic Configuration based on the version of the device.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and
press Enter.
Login authentication
NOTE
To add all users connected to ACC1 to VLAN 10, you can add interfaces on CORE1 and
CORE2 that directly connect to ACC1 as Access interfaces and do not add interfaces on
ACC1 to VLAN 10, simplifying the configuration. This configuration ensures that all
users connected to Eth-Trunk1 belong to VLAN 10.
connecting to CORE2.
[Router-GigabitEthernet0/0/2] quit
1. Configure a default static route to the egress router and a backup static route
on CORE1 and CORE2, respectively.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.1.2 //Configure a default static route to the egress
router on CORE1.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.3.2 preference 70 //Configure a backup static route
to CORE2 on CORE1.
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.3.1 preference 70
2. On the egress router, configure a default static route to the carrier device.
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
3. On the egress router, configure primary and backup routes. The next hop of
the primary route is CORE1 and that of the backup route is CORE2.
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to department A with the next hop pointing to CORE2.
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to department B with the next hop pointing to CORE2.
1. Create VRRP groups 1 and 2 on CORE1 and CORE2. Set the priority of CORE1
to 120 and set the preemption delay to 20s so that CORE1 functions as the
master in VLANs 10 and 20.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3 //Configure a virtual IP address for VRRP
group 1.
[CORE1-Vlanif10] vrrp vrid 1 priority 120 //Set the priority of CORE1 to 120.
[CORE1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3 //Configure a virtual IP address for VRRP
group 2.
[CORE1-Vlanif20] vrrp vrid 2 priority 120
[CORE1-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20
[CORE1-Vlanif20] quit
2. CORE2 uses the default priority and functions as the backup in VLANs 10 and
20.
[CORE2] interface Vlanif 10
[CORE2-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3
[CORE2-Vlanif10] quit
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3
[CORE2-Vlanif20] quit
NOTE
A physical loop exists between CORE1, CORE2, and ACC1. The actual links do not form
a loop, but STP is enabled on the switches (Sx7 series) by default. To prevent the loop
from affecting the VRRP master and backup status on CORE1 and CORE2, disable STP
on the upstream interfaces of ACC1. The example below shows the configuration on ACC1.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] stp disable //Disable STP on the upstream interface GE0/0/3.
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface GigabitEthernet 0/0/4
[ACC1-GigabitEthernet0/0/4] stp disable
[ACC1-GigabitEthernet0/0/4] quit
If no loop exists on the network, you can also run the stp disable command
to disable STP on the access switch.
[ACC1] stp disable
Warning:The global STP state will be changed. Continue? [Y/N] y
Configure the egress router to allow intranet users to access the Internet.
1. Configure an ACL to allow users to access the Internet. The example below
allows users in VLANs 10 and 20 to access the Internet.
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255 //Allow users in VLAN 10 to
access the Internet.
[Router-acl-basic-2000] rule permit source 192.168.20.0 0.0.0.255 //Allow users in VLAN 20 to
access the Internet.
[Router-acl-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-basic-2000] quit
3. Configure DNS resolution. The carrier provides the DNS server address.
[Router] dns resolve
[Router] dns server 8.8.8.8
[Router] dns proxy enable
NOTE
● In this section, a global address pool is configured. You can also configure an interface-
based address pool. For details on this process, see the corresponding Configuration
Guide - IP Service based on the version of the device.
● To prevent IP address conflicts caused by an active/standby switchover in VRRP
networking, configure the active DHCP server to allocate the first half of all IP addresses
in the address pool and the standby DHCP server to allocate the second half.
1. Configure CORE1 as the active DHCP server to allocate IP addresses ranging
from 192.168.10.1 to 192.168.10.127.
<CORE1> system-view
[CORE1] dhcp enable
[CORE1] ip pool 10
[CORE1-ip-pool-10] gateway-list 192.168.10.3 //Configure the gateway address.
[CORE1-ip-pool-10] network 192.168.10.0 mask 24 //Configure the range of allocable IP
addresses.
[CORE1-ip-pool-10] excluded-ip-address 192.168.10.128 192.168.10.254 // Exclude IP addresses
ranging from 192.168.10.128 to 192.168.10.254.
[CORE1-ip-pool-10] lease day 0 hour 20 minute 0 //Configure the IP address lease.
[CORE1-ip-pool-10] dns-list 8.8.8.8 //Configure the DNS server address.
[CORE1-ip-pool-10] quit
2. Configure CORE2 as the standby DHCP server to allocate the second half of
all IP addresses in the address pool.
<CORE2> system-view
[CORE2] dhcp enable
[CORE2] ip pool 10
[CORE2-ip-pool-10] gateway-list 192.168.10.3
[CORE2-ip-pool-10] network 192.168.10.0 mask 24
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.1 192.168.10.2
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.4 192.168.10.127
[CORE2-ip-pool-10] lease day 0 hour 20 minute 0
[CORE2-ip-pool-10] dns-list 8.8.8.8
[CORE2-ip-pool-10] quit
The procedure of configuring dynamic IP address allocation in VLAN 20 is
similar to the preceding configuration procedure.
3. Configure users in department A to obtain IP addresses from the global
address pool.
[CORE1] interface vlanif 10
[CORE1-Vlanif10] dhcp select global //Configure users in department A to obtain IP addresses
from the global address pool.
[CORE1-Vlanif10] quit
[CORE2] interface vlanif 10
[CORE2-Vlanif10] dhcp select global
[CORE2-Vlanif10] quit
4. Run the display ip pool command to view the configuration and IP address
allocation in the global address pool 10.
[CORE1] display ip pool name 10
Pool-name : 10
Pool-No :0
Lease : 0 Days 20 Hours 0 Minutes
Domain-name : -
DNS-server0 : 8.8.8.8
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.10.3
Network : 192.168.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.10.1 192.168.10.254 253 1 125(0) 0 127
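The active/standby split in steps 1 and 2 is only safe if the two excluded-ip-address sets are exact complements; an overlap means both cores can lease the same address after a switchover. The following added example (not Huawei code) parses the two pool configurations above, reproduces the Total/Used/Idle/Disable counters of the display ip pool output, and checks the split. The configuration text is taken from this page; the Used count is supplied by the caller.

```python
import ipaddress
import re

# Constructed sample: the two "ip pool 10" configurations from this page, typed with their prompts.
CORE1_POOL = """
[CORE1-ip-pool-10] gateway-list 192.168.10.3 //Configure the gateway address.
[CORE1-ip-pool-10] network 192.168.10.0 mask 24
[CORE1-ip-pool-10] excluded-ip-address 192.168.10.128 192.168.10.254
[CORE1-ip-pool-10] lease day 0 hour 20 minute 0
[CORE1-ip-pool-10] dns-list 8.8.8.8
"""
CORE2_POOL = """
[CORE2-ip-pool-10] gateway-list 192.168.10.3
[CORE2-ip-pool-10] network 192.168.10.0 mask 24
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.1 192.168.10.2
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.4 192.168.10.127
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")


def parse_pool(text):
    """Read network, gateway-list and excluded-ip-address lines; other pool commands are ignored."""
    pool = {"network": None, "gateways": set(), "excluded": []}
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.split("//", 1)[0]).split()
        if not words:
            continue
        if words[0] == "network":
            # Accepts "mask 24" as on this page and dotted masks such as "mask 255.255.255.0".
            if len(words) < 4 or words[2] != "mask":
                raise ValueError(f"network line without mask: {raw!r}")
            pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
        elif words[0] == "gateway-list":
            pool["gateways"].update(int(ipaddress.ip_address(w)) for w in words[1:])
        elif words[0] == "excluded-ip-address":
            start = int(ipaddress.ip_address(words[1]))
            end = int(ipaddress.ip_address(words[2])) if len(words) > 2 else start
            pool["excluded"].append((start, end))
    return pool


def assignable(pool):
    """Host addresses minus the gateway(s): what display ip pool reports as Total."""
    return {int(h) for h in pool["network"].hosts()} - pool["gateways"]


def allocatable(pool):
    """Addresses the server can actually lease: assignable minus every excluded range."""
    addrs = assignable(pool)
    for start, end in pool["excluded"]:
        addrs -= set(range(start, end + 1))
    return addrs


def counters(pool, used=0):
    """Total/Used/Idle/Disable as display ip pool shows them (Disable = excluded addresses)."""
    total = len(assignable(pool))
    disable = total - len(allocatable(pool))
    return {"Total": total, "Used": used, "Idle": total - disable - used, "Disable": disable}


def check_split(active, standby):
    """Active/standby split check: no address leasable by both servers, none leasable by neither."""
    a, s = allocatable(active), allocatable(standby)

    def as_text(addrs):
        return [str(ipaddress.ip_address(x)) for x in sorted(addrs)]

    return {"overlap": as_text(a & s), "uncovered": as_text(assignable(active) - (a | s))}


if __name__ == "__main__":
    core1, core2 = parse_pool(CORE1_POOL), parse_pool(CORE2_POOL)
    print("CORE1:", counters(core1, used=1))  # matches the display ip pool line on this page
    print("CORE2:", counters(core2))
    print("split:", check_split(core1, core2))
```

Dropping one excluded-ip-address line on the standby makes the overlap list non-empty, which is the misconfiguration the NOTE above warns about.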
NOTE
After either of the preceding operations is performed, terminal PCs can rapidly
obtain IP addresses after they start.
ACC1 matches packets received from VLAN 10 with dynamic binding entries
in the DHCP snooping binding table. If a packet matches an entry, ACC1
forwards the packet; otherwise, ACC1 discards the packet. To check packets
received from a specified user device instead of all user devices in the VLAN,
enable IPSG on the interface connecting to the device.
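The matching rule described above, as an added example that is not Huawei code: a packet is checked only where IPSG is enabled (per VLAN or per interface), and a checked packet is forwarded only when source MAC, source IP, VLAN and inbound interface all match one binding entry. The binding table, MAC addresses and traffic are constructed; the reason strings are the example's own, meant to separate a spoofed address from a host that moved ports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (MAC, IP, VLAN, inbound interface)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    in_interface: str


# Constructed binding table for ACC1: PC1 and PC2 in VLAN 10 on the ports the page assigns them.
BINDINGS = (
    Binding("0011-2233-4455", "192.168.10.10", 10, "Ethernet0/0/2"),
    Binding("0011-2233-6677", "192.168.10.11", 10, "Ethernet0/0/3"),
)


def ipsg_check(pkt, bindings, ipsg_vlans=frozenset(), ipsg_interfaces=frozenset()):
    """Return (action, reason). A packet is checked when IPSG is enabled for its VLAN or its
    inbound interface; a checked packet is forwarded only if all four fields match one entry."""
    if pkt.vlan not in ipsg_vlans and pkt.in_interface not in ipsg_interfaces:
        return "forward", "not checked: IPSG is not enabled for this VLAN or interface"
    for b in bindings:
        if (b.mac, b.ip, b.vlan, b.interface) == (pkt.src_mac, pkt.src_ip, pkt.vlan, pkt.in_interface):
            return "forward", "matches binding entry"
    # Explain the mismatch so an operator can tell a spoofed address from a moved host.
    same_mac = [b for b in bindings if b.mac == pkt.src_mac and b.vlan == pkt.vlan]
    if not same_mac:
        return "discard", f"no binding entry for {pkt.src_mac} in VLAN {pkt.vlan}"
    b = same_mac[0]
    if b.ip != pkt.src_ip:
        return "discard", f"{pkt.src_mac} is bound to {b.ip}, not {pkt.src_ip}"
    return "discard", f"{pkt.src_mac} is bound to {b.interface}, not {pkt.in_interface}"


def audit(packets, bindings, **scope):
    """Run the check over a batch of packets and count what would be dropped."""
    results = [ipsg_check(p, bindings, **scope) for p in packets]
    return results, sum(1 for action, _ in results if action == "discard")


# Constructed traffic: a legitimate PC1 packet, PC1's MAC with a different IP, an unknown host,
# and a VLAN 20 packet that IPSG enabled on VLAN 10 does not examine.
SAMPLE = (
    Packet("0011-2233-4455", "192.168.10.10", 10, "Ethernet0/0/2"),
    Packet("0011-2233-4455", "192.168.10.99", 10, "Ethernet0/0/2"),
    Packet("00aa-bbcc-ddee", "192.168.10.77", 10, "Ethernet0/0/3"),
    Packet("0011-2233-9999", "192.168.20.5", 20, "Ethernet0/0/4"),
)

if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, audit(SAMPLE, BINDINGS, ipsg_vlans={10})[0]):
        print(pkt.src_ip, action, reason)
```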
NOTE
Devices on the intranet use static routes. If a link fails, the administrator needs to manually
configure a new static route, interrupting network services for a long time. Configuring a
dynamic routing protocol prevents this problem. If a link fails, the dynamic routing protocol
switches traffic forwarded through the faulty link to a normal link based on an algorithm.
After the faulty link recovers, the routing protocol switches traffic back to the link. OSPF
configuration is used in the example below.
2. On the egress router, delete the static route to the intranet and retain the
static route to the Internet.
[Router] undo ip route-static 192.168.10.0 24
[Router] undo ip route-static 192.168.20.0 24
If the link from CORE1 to the egress router fails, traffic is forwarded over the
interconnection link between CORE1 and CORE2 to CORE2, increasing traffic load and
imposing high stability and bandwidth requirements on the link. You can configure
association between VRRP and the interface status to implement fast active/standby
switchover upon an uplink or downlink failure. If you configure this function on the
upstream interface of the master in the VRRP group, the master lowers its priority to
implement an active/standby switchover when it detects that the upstream interface goes
Down.
# Configure association between VRRP and the status of the upstream interface
on CORE1 to monitor the uplink.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 track interface GigabitEthernet 0/0/7 reduced 100 //
Configure association between VRRP and the upstream interface status.
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 track interface GigabitEthernet 0/0/7 reduced 100
[CORE1-Vlanif20] quit
As service traffic increases, the link between CORE1 and the egress router has high
bandwidth utilization, whereas the link between CORE2 and the egress router is idle,
wasting resources and lowering reliability. To effectively use the two links, you can
configure load balancing on CORE1 and CORE2 so that CORE1 functions as the master in
some VLANs while CORE2 functions as the master in the other VLANs. The two links then
load balance traffic from all VLANs, effectively using network resources. Configure CORE1
to still function as the master in VLAN 10, and change the priority of CORE2 so that CORE2
functions as the master in VLAN 20.
2. Configure CORE2 as the master in VLAN 20 and set the preemption delay to
20s.
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 priority 120
[CORE2-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20
3. Configure association between VRRP and the status of the upstream interface
on CORE2 to monitor the uplink.
[CORE2-Vlanif20] vrrp vrid 2 track interface GigabitEthernet 0/0/7 reduced 100
[CORE2-Vlanif20] quit
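To see how the track and load-balancing settings above interact under an uplink failure, the following added model (not Huawei code) replays the VRRP election: configured priority minus "reduced" for each tracked interface that is Down, highest effective priority wins, and the winner's preempt delay applies when it takes the role from a running master. Assumptions not on the page: the physical VLANIF addresses, a floor of 1 on the reduced priority, the higher-address tiebreak, and CORE1's VLAN 20 priority having been returned to the default 100 in the step the page omits.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpMember:
    device: str
    vlanif_ip: str            # constructed: the page does not show the physical VLANIF addresses
    priority: int = 100       # Huawei default VRRP priority
    preempt_delay: int = 0    # seconds, from "vrrp vrid N preempt-mode timer delay 20"
    tracked: dict = field(default_factory=dict)  # "<device>:<interface>" -> "reduced" value


def effective_priority(member, link_state):
    """Configured priority minus 'reduced' for every tracked interface reported Down.
    Assumption: the result never drops below 1 (the VRRP priority range is 1..254)."""
    penalty = sum(red for ifname, red in member.tracked.items()
                  if link_state.get(ifname, "up") == "down")
    return max(1, member.priority - penalty)


def elect(members, link_state):
    """Device holding the master role: highest effective priority, higher VLANIF address on a tie
    (assumption modelled on the RFC 3768 tiebreak; the page does not discuss ties)."""
    winner = max(members, key=lambda m: (effective_priority(m, link_state),
                                         int(ipaddress.ip_address(m.vlanif_ip))))
    return winner.device


def switchover(members, link_state, current_master):
    """(new_master, delay_seconds). The winner's preempt delay applies when it takes the role
    from a master that is still running; keeping the role costs no delay."""
    winner = elect(members, link_state)
    if winner == current_master:
        return winner, 0
    return winner, next(m.preempt_delay for m in members if m.device == winner)


def campus_groups():
    """VRRP groups 1 (VLAN 10) and 2 (VLAN 20) as configured on this page after the
    load-balancing change: CORE1 masters VLAN 10, CORE2 masters VLAN 20, each tracking
    its own uplink GE0/0/7 with 'reduced 100'."""
    core1_uplink = {"CORE1:GigabitEthernet0/0/7": 100}
    core2_uplink = {"CORE2:GigabitEthernet0/0/7": 100}
    return {
        10: [VrrpMember("CORE1", "192.168.10.1", 120, 20, dict(core1_uplink)),
             VrrpMember("CORE2", "192.168.10.2")],
        20: [VrrpMember("CORE1", "192.168.20.1", 100, 20, dict(core1_uplink)),
             VrrpMember("CORE2", "192.168.20.2", 120, 20, dict(core2_uplink))],
    }


def masters(link_state):
    """Master per VLAN for a given set of interface states (interfaces not listed count as up)."""
    return {vlan: elect(members, link_state) for vlan, members in campus_groups().items()}


if __name__ == "__main__":
    print("all links up:", masters({}))
    print("CORE1 uplink down:", masters({"CORE1:GigabitEthernet0/0/7": "down"}))
    print("CORE2 uplink down:", masters({"CORE2:GigabitEthernet0/0/7": "down"}))
    # When CORE1's uplink recovers it takes VLAN 10 back only after its 20 s preempt delay.
    print("VLAN 10 after recovery:", switchover(campus_groups()[10], {}, "CORE2"))
```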
2. In V200R005 and later versions, you can run the clear configuration this
command to restore the default configuration on an interface. The interface
will be shut down after the default configuration is restored. Run the undo
shutdown command to enable the interface.
# Set the system priority of CORE1 to 100 so that CORE1 becomes the Actor.
[CORE1] lacp priority 100
2. Configure rate limiting on LAN-side interfaces of the egress router to limit the
Internet access rate and download rate.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] qos car inbound acl 2222 cir 2048
[Router-GigabitEthernet0/0/1] qos car outbound acl 2222 cir 4096
[Router-GigabitEthernet0/0/1] quit
192.168.50.10 ftp
[Router-GigabitEthernet0/0/0] quit
Verify services
1. Select two PCs from two departments to perform ping tests and verify
whether the two departments can communicate at Layer 3 through VLANIF
interfaces. The following example uses two PCs (PC1 and PC2) in departments
A and B. The two PCs communicate at Layer 3 through CORE1 (or CORE2). If
they can ping each other successfully, Layer 3 interworking is normal.
<PC1> ping 192.168.20.254 // Assume that PC2 automatically obtains an IP address
192.168.20.254 through DHCP.
PING 192.168.20.254 data bytes, press CTRL_C to break
Reply from 192.168.20.254 : bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 192.168.20.254 : bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 192.168.20.254 : bytes=56 Sequence=5 ttl=253 time=63 ms
5 packet(s) received //PC1 can ping PC2 successfully, indicating that Layer 3 interworking
between PC1 and PC2 is normal.
2. Select two PCs within a department to perform ping tests and verify whether
Layer 2 interworking within the department is normal.
Users in department A communicate at Layer 2 through ACC1. If the two PCs
can ping each other successfully, users in department A can normally
communicate at Layer 2. The ping command is similar to that in step 1.
3. Select two PCs from two departments to ping a public IP address and verify
whether intranet users of the company can access the Internet normally. The
following example uses department A. Generally, you can ping a public
network gateway address from PC1 to verify whether PC1 can access the
Internet. The public network gateway address is the IP address of the carrier
device to which the egress router connects. If the ping test succeeds, intranet
users can access the Internet normally. The ping command is similar to that in
step 1.
This section uses an S series switch running V200R012 and an AR series router running
V200R010 as examples to demonstrate how to configure a medium-sized campus WLAN.
● A WLAN with SSID wlan-net is required so that users can access the Internet
from anywhere at any time.
● The S5720-LI that supports the PoE function can be deployed at the access
layer and connects to APs to provide wireless network access for STAs.
● The S5720-HI can be deployed as an AC at the aggregation layer to control
and manage STAs. The AC functions as a DHCP server to assign IP addresses
to APs.
● An AR series router can be deployed as the egress of the campus network.
The router functions as a DHCP server to assign IP addresses to STAs.
● VLANs in a VLAN pool can be configured as service VLANs. IP addresses are
assigned to STAs from the interface address pools corresponding to the VLANs
in the VLAN pool.
Various profiles are designed based on different functions and features of WLANs to help
users configure and maintain functions of WLANs. These profiles are called WLAN profiles.
The following figure shows the referencing relationships between WLAN profiles. By getting
to know the referencing relationships, you can easily grasp the configuration roadmap of
WLAN profiles and complete configurations.
NOTE
The S5720-HI supports both the NAC unified mode and common mode. Compared with the
NAC common mode, the NAC unified mode can be configured based on templates, making
the configuration clearer and the configuration model easier to understand. Based on the
preceding advantages, you are advised to set the NAC mode to unified.
NOTE
In versions earlier than V200R007C00, after the NAC mode is switched, you need to
manually save the configuration file and restart the AC to make the new NAC mode
take effect. In V200R007C00 and later versions, after the NAC mode is switched, the
AC automatically saves the configuration file and restarts.
3.2.4.4.2 Configuring the AC So That the AC and APs Can Transmit CAPWAP
Packets
1. Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_A to VLAN 100 (management
VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit
NOTE
In tunnel forwarding mode, APs encapsulate data packets over CAPWAP data tunnels
and send them to the AC, which then forwards these packets to the upper-layer
network. In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. The network between the AC and APs can permit packets only with
management VLAN tags to pass through, and does not permit packets with service
VLAN tags to pass through.
NOTE
Configure an IP address for the DNS server as needed using either of the following
methods:
● In the interface address pool scenario, run the dhcp server dns-list ip-address
&<1-8> command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command
in the IP address pool view.
NOTE
In this example, the VLAN assignment algorithm is set to hash (default value). If the
default setting is retained, you do not need to run the assignment hash command.
Only VLAN 101 and VLAN 102 are added to the VLAN pool in this example. You can
add multiple VLANs to the VLAN pool using the same method. You also need to create
corresponding VLANIF interfaces, and configure IP addresses and interface address
pools.
4. Import APs offline on the AC and add the APs to the AP group ap-group1.
Assume that APs' MAC addresses are 00e0-fc76-e360 and 00e0-fc74-9640.
Configure names for the APs based on the APs' deployment locations, so that
you can know where the APs are deployed from their names. For example,
name the AP with MAC address 00e0-fc76-e360 as area_1 if it is deployed in
area 1.
NOTE
5. After the APs are powered on, run the display ap all command to check the
AP states. If the State field shows nor, the APs have gone online
successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 5M:2S -
1 00e0-fc74-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor 0 5M:4S -
------------------------------------------------------------------------------------
Total: 2
NOTE
2. Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
3. Create VAP profile wlan-vap, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to this VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
4. Bind VAP profile wlan-vap to the AP group, and apply the profile to radio 0
and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan1 radio all
[AC-wlan-ap-group-ap-group1] quit
The automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these functions are disabled. The
channel and power configuration for the AP's radio 0 in this example is for reference only.
In actual scenarios, configure channels and power for AP radios based on country codes of
the APs and network planning results.
1. Disable the automatic channel and power calibration functions of the AP's
radio 0, and set a channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
2. Disable the automatic channel and power calibration functions of the AP's
radio 1 and set a channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
2. Connect STAs to the WLAN with SSID wlan-net and enter password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC.
The command output shows that the STAs are connected to the WLAN wlan-
net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 38/64 -68 102 10.23.102.254
14cf-9202-13dc 1 area_2 0/1 2.4G 11n 3/34 -68 101 10.23.101.254
------------------------------------------------------------------------------
Total: 2 2.4G: 1 5G: 1
[AC-wlan-view] quit
[AC] quit
3.2.5 FAQs
Back up the configuration file before restoring factory settings; otherwise, all configuration
data will be deleted.
NOTE
The interface shuts down after interface configurations are cleared. To enable the interface
again, run the undo shutdown command.
If you forget your user name, see Configuring the Management IP Address and
Telnet to create a user name and reset the password.
recommended. In situations where users are primarily working from one location,
long-term leases are recommended.
Configuration method:
Run this command in the interface or interface address pool view: dhcp server
lease { day day [ hour hour [ minute minute ] ] | unlimited }
Run this command in the global address pool view: lease { day day [ hour hour
[ minute minute ] ] | unlimited }
Overview
After a PC is connected to a switch through a dedicated console cable, you can
perform login configurations and use the PC to manage the switch.
Logging in through a console port is a basic login mode and forms the basis of
other login modes such as Telnet and STelnet. When you log in to a switch for the
first time or if you cannot remotely log in to a switch, you can log in to the switch
through a console port.
Configuration Notes
● Prepare a console cable. If you use a laptop or a PC without a serial port,
prepare a USB to serial cable and install the driver stored on the CD-ROM
(delivered with the cable) according to instructions.
● Install the terminal emulation software on the PC. You can use the built-in
HyperTerminal of Windows 2000 on the PC. If no built-in terminal emulation
software is available, prepare the terminal emulation software. For details on
how to use terminal emulation software, see the related usage guide or
online help.
The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.
Networking Requirements
The IT maintenance department of a company purchases S series switches, which
are configured by network administrators. A network administrator usually logs in
to a new switch through a console port and then performs initial configurations.
As shown in Figure 3-1, the serial port of a PC is connected to the console port of
the Switch through a console cable. The user wants to log in to the Switch
through the console port and requires local authentication upon the next login. To
facilitate remote maintenance on the Switch, the user wants to configure the
Telnet function.
Figure 3-1 Networking diagram for configuring switch login through a console
port
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure terminal emulation software, set the connected port and
communication parameters, and log in to the Switch.
2. Configure basic information for the Switch, including the date, time, time
zone, and name, to facilitate management.
3. Configure an authentication mode for the console user interface so that the
user is authenticated upon the next login through the console port.
4. Configure the management IP address and Telnet to facilitate remote
maintenance on the Switch.
Procedure
Step 1 Connect the DB9 female connector of the console cable to the serial port (COM)
on the PC, and connect the RJ45 connector to the console port on the switch, as
shown in Figure 3-2.
NOTE
● If you use a laptop or a PC without a serial port, prepare a USB to serial cable. Install
the driver stored on the CD-ROM (delivered with the cable) according to instructions,
connect the USB-DB9 female connector of the cable to the USB port on the PC, and
connect the RJ-45 connector to the console port on the switch.
● If the switch has two MPUs, you can log in to the switch through the console port on
either of the two MPUs.
Stop bits: 1
Data bits: 8
NOTE
The time zone varies depending on the location of a switch. Set the time zone based on the site
requirements. The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00 //BJ is the name of the time zone, and 08:00:00 indicates
that the local time is 8 plus the system default UTC time zone.
<HUAWEI> clock datetime 10:10:00 2014-07-26 //Set the current date and time. Before setting the
current time, check the time zone and set a correct time zone offset to ensure the correct local time.
<HUAWEI> system-view
[HUAWEI] sysname Switch //Set the switch name to Switch.
Step 4 Configure an authentication mode for the console user interface. (From V200R010
to V200R019, the default authentication mode for the console user interface is
AAA authentication. In V200R020 and later versions, the default authentication
mode for the console user interface is password authentication. The method of
changing the authentication mode is similar and is not provided here.)
# Set the authentication mode of the console interface to AAA, and create a local
user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa //Set the authentication mode of the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Create a local
user named admin1234 and set its password to Helloworld@6789. Versions earlier than V200R003
support only the cipher keyword but do not support irreversible-cipher.
[Switch-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[Switch-aaa] local-user admin1234 service-type terminal //Set the access type to terminal, that is,
console user.
[Switch-aaa] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
telnet server enable
telnet server-source -i Vlanif 10
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin123 privilege level 15
local-user admin123 service-type telnet
local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return
3.3.1.2 Example for Configuring Telnet Login (Based on ACL Rules and
RADIUS Authentication)
Overview
Telnet login to a switch facilitates remote management and maintenance on the
switch so that you do not need to connect a terminal to each switch. By default,
you cannot log in to a switch using Telnet. You need to log in to a switch through
a console port and configure the Telnet function first. For details, see 3.3.1.1
Example for Configuring Switch Login Through a Console Port.
An Access Control List (ACL) is a packet filter that filters packets based on rules.
One or more rules describe the packet matching conditions, such as the source
address, destination address, and port number of packets. For packets that match
the ACL rules configured on a device, the device forwards or discards these
packets according to the policies used by the service module to which the ACL is
applied.
RADIUS uses the client/server model in distributed mode and protects a network
against unauthorized access. It is often used on networks that require high
security and remote user access control. After Telnet login based on RADIUS
authentication is configured, a switch sends the user name and password of a
login user to the RADIUS server. The RADIUS server then authenticates the user
and records the user operations, ensuring network security.
If ACLs and RADIUS authentication are both configured, packets matching ACL
rules reach an upper-layer module and then are authenticated in RADIUS mode
based on the user name and password. The Telnet login mode based on ACL rules
and RADIUS authentication therefore ensures network security.
Configuration Notes
● Telnet is an insecure protocol. Using STelnet V2 is recommended.
● Ensure that the user terminal has reachable routes to the switch and RADIUS
server.
● Ensure that the IP address, port number, and shared key of the RADIUS server
are configured correctly on the switch and are the same as those on the
RADIUS server.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user admin123@huawei.com (in the format of user name@domain
name) and password Example@123 have been configured.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.
Networking Requirements
The network administrator requires remote management and maintenance on a
switch and high network security for protecting the network against unauthorized
access. To meet the requirements, configure Telnet login based on ACL rules and
RADIUS authentication.
As shown in Figure 3-3, the Switch has reachable routes to the administrator and
the RADIUS server. The IP address and port number of the RADIUS server are
10.2.1.1/24 and 1812 respectively.
Figure 3-3 Networking diagram for configuring Telnet login based on ACL rules
and RADIUS authentication
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet protocol so that users can log in to the Switch using
Telnet.
2. Configure an ACL rule to ensure that only users matching the ACL rule can
log in to the Switch.
3. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, you can use the user name and password
configured on the RADIUS server to log in to the Switch using Telnet, ensuring
user login security.
Procedure
Step 1 Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable //Enable Telnet.
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14
to AAA.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] quit
NOTE
If the RADIUS server does not support a user name containing the domain name, run the
undo radius-server user-name domain-included command to configure the Switch to
send packets carrying a user name without the domain name to the RADIUS server.
# Create a domain, and apply the AAA authentication scheme and RADIUS server
template in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme
sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
In the login interface, type the user name admin123 and password Example@123
as prompted and press Enter. Authentication succeeds, and you successfully log in
to the Switch using Telnet. (The following information is only for reference.)
Login authentication
Username:admin123
Password:
Info: The max number of VTY users is 8, and the number
of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
telnet server-source -i Vlanif 10
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
rule 5 permit source 10.137.217.177 0
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
acl 2008 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return
Overview
The Secure Shell (SSH) protocol implements secure remote login on insecure
networks, which ensures data integrity and reliability and guarantees secure data
transmission. STelnet, based on the SSH protocol, ensures information security and
provides powerful authentication functions. STelnet protects a switch against
attacks such as IP spoofing. By default, you cannot log in to a switch using
STelnet. You need to log in to a switch using a console port or Telnet, and
configure the STelnet function and user interface parameters first.
RADIUS uses the client/server model in distributed mode and protects a network
against unauthorized access. It is often used on networks that require high
security and remote user access control. After STelnet login based on RADIUS
authentication is configured, a switch sends the user name and password of a
login user to the RADIUS server. The RADIUS server then authenticates the user
and records the user operations, ensuring network security.
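The RADIUS exchange described in this overview and in the Telnet overview above, as an added example modelled on RFC 2865 (not Huawei code): the switch hides the password with the shared key and a random Request Authenticator, the server recovers it with its own copy of the key, and the switch checks the Response Authenticator before trusting the verdict, which is why a mismatched shared key fails even for a correct password. The user name, password, shared key and addresses are the ones used in this example; the packet layout and the minimal server are assumptions.

```python
"""RADIUS Access-Request / Access-Accept exchange for a Telnet or STelnet login.
Added example, not Huawei code. Page values: user admin123@huawei.com, password
Example@123, shared key Huawei@6789, RADIUS server 10.2.1.1:1812, switch 10.1.1.1."""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute layout: Type (1 byte), Length (1 byte, includes this header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. Confidentiality rests entirely on the secret."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server side of hide_password: regenerate the same MD5 stream and XOR it back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """What the switch sends to the RADIUS server for one login attempt."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def server_handle(packet: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Minimal RADIUS server: recover the password with its own copy of the shared
    key, check the user database, and sign the reply with a Response Authenticator."""
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    name = attrs[USER_NAME].decode("utf-8", errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, 20)  # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verdict(response: bytes, request: bytes, secret: bytes) -> str:
    """The switch recomputes the Response Authenticator before trusting the reply."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[4:20] != expected:
        return "invalid-authenticator"  # reply was not produced with our shared key
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


def radius_login(username: str, password: str, switch_key: bytes, server_key: bytes,
                 users: Dict[str, str], domain_included: bool = True) -> str:
    """One login attempt end to end. domain_included=False models the effect of
    'undo radius-server user-name domain-included' (user name sent without @domain)."""
    sent_name = username if domain_included else username.split("@", 1)[0]
    request = build_access_request(1, sent_name, password, switch_key, "10.1.1.1")
    return client_verdict(server_handle(request, server_key, users), request, switch_key)


if __name__ == "__main__":
    db = {"admin123@huawei.com": "Example@123"}  # user configured on the RADIUS server
    print(radius_login("admin123@huawei.com", "Example@123", b"Huawei@6789", b"Huawei@6789", db))
    print(radius_login("admin123@huawei.com", "Example@123", b"Huawei@6789", b"Other@6789", db))
```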
Configuration Notes
● STelnet V1 is an insecure protocol. Using STelnet V2 is recommended.
● Ensure that the user terminal has SSH server login software installed before
configuring STelnet login. In this example, the third-party software PuTTY is
used as the SSH server login software.
● Ensure that the user terminal has reachable routes to the switch and RADIUS
server.
● Ensure that the IP address, port number, and shared key of the RADIUS server
are configured correctly on the switch and are the same as those on the
RADIUS server.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user admin123@huawei.com (in the format of user name@domain
name) and password Example@123 have been configured.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.
Networking Requirements
The network administrator requires remote login to a switch and high network
security for protecting the network against unauthorized access. To meet the
requirements, configure STelnet login based on RADIUS authentication.
As shown in Figure 3-4, the Switch functions as the SSH server and has a
reachable route to the RADIUS server. The IP address and port number of the
RADIUS server are 10.2.1.1/24 and 1812 respectively.
Figure 3-4 Networking diagram for configuring STelnet login based on RADIUS
authentication
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data
exchange between the server and client.
2. Configure the STelnet protocol so that users can log in to the Switch using
STelnet.
3. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, you can use the user name and password
configured on the RADIUS server to log in to the Switch using STelnet,
ensuring user login security.
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[HUAWEI] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
NOTE
To configure password authentication for multiple SSH users, run the ssh authentication-
type default password command to specify password authentication as the default
authentication mode of SSH users. After this configuration is complete, you do not need to
configure the authentication mode and service type for each SSH user, simplifying
configuration and improving efficiency.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS
server to Huawei@6789.
[Switch-radius-1] quit
NOTE
If the RADIUS server does not support a user name containing the domain name, run the
undo radius-server user-name domain-included command to configure the Switch to
send packets carrying a user name without the domain name to the RADIUS server.
# Create a domain, and apply the AAA authentication scheme and RADIUS server
template in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme
sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Click Open. In the login interface, type the user name admin123 and password
Example@123 as prompted and press Enter. Authentication succeeds, and you
successfully log in to the Switch using STelnet. (The following information is only
for reference.)
login as: admin123
password:
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
3.3.1.4 Example for Configuring the Device as the Telnet Client to Log In to
Another Device
Networking Requirements
As shown in Figure 3-6, the PC and Client have reachable routes to each other;
Client and Server have reachable routes to each other. The user needs to manage
and maintain Server remotely. However, the PC cannot directly log in to Server
through Telnet because it has no reachable route to Server. The user can log in to
Client through Telnet, and then log in to Server from Client. To prevent
unauthorized devices from logging in to Server through Telnet, an ACL needs to be
configured to allow only the Telnet connection from Client to Server.
Figure 3-6 Networking diagram of configuring the device as the Telnet client to
log in to another device
NOTICE
The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is
recommended.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode on Server.
2. Configure the login user information on Server.
3. Configure an ACL on Server to allow Client access.
4. Log in to Server from Client through Telnet.
Procedure
Step 1 Configure the Telnet authentication mode and password on Server.
<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] telnet server enable //Enable Telnet.
[Server] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.2.1.1. Assume that the interface is Vlanif 10.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] protocol inbound telnet
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
Login authentication
Username:admin1234
Password:
<Server>
----End
Configuration File
Server configuration file
#
sysname Server
#
telnet server enable
telnet server-source -i Vlanif 10
#
acl number 2000
rule 5 permit source 10.1.1.1 0
#
aaa
local-user admin1234 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
local-user admin1234 privilege level 3
local-user admin1234 service-type telnet
#
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return
3.3.1.5 Example for Configuring the Device as the STelnet Client to Log In to
Another Device
Networking Requirements
The enterprise requires that secure data exchange should be performed between
the server and client. As shown in Figure 3-7, two login users client001 and
client002 are configured and they use the password and DSA authentication
modes respectively to log in to the SSH server.
NOTICE
The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is
recommended.
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data
exchange between the server and client.
2. Configure different authentication modes for the SSH users client001 and
client002 on the SSH server.
3. Enable the STelnet service on the SSH server.
4. Configure the STelnet server type for the SSH users client001 and client002
on the SSH server.
5. Log in to the SSH server as the client001 and client002 users through
STelnet.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
# Generate a local key pair for Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Check the public key in the DSA key pair generated on the client.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 2014-03-03 16:51:28-05:13
Key name: client002_Host
Key modulus : 2048
Key type: DSA encryption Key
Key fingerprint: c0:52:b0:37:4c:b2:64:d1:8f:ff:a1:42:87:09:8c:6f
=====================================================
Key code:
30820109 02820100 CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C
5698C582 69A9F4D0 45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E
92F3A5E7 FB0E73E7 F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144
16748D1E 4847A814 3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D
6867F930 DF992692 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3
ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F
F354FAF9 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB
431FB60D 60ABC20B 0203 010001
The public key must be a hexadecimal string. If it is not a hexadecimal string, convert
it into a hexadecimal string in advance.
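A hexadecimal string is necessary but not sufficient: the key code also has to be well-formed DER, or the paste into the public-key-code view yields an unusable peer key. The following checker is an added example (not Huawei code) that walks the DER Tag-Length-Value structure of the key code displayed on client002 above, verifying that every length is consistent and that the blob is one SEQUENCE of INTEGERs before it is copied to the server; the function names are my own.

```python
"""DER structure check for a public key code entered with 'encoding-type der'.
Added example, not code from the guide. KEY_CODE_HEX is the key code shown by
'display dsa local-key-pair public' on client002 in this example."""
import binascii
from typing import List, Tuple

KEY_CODE_HEX = """
30820109 02820100 CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C
5698C582 69A9F4D0 45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E
92F3A5E7 FB0E73E7 F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144
16748D1E 4847A814 3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D
6867F930 DF992692 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3
ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F
F354FAF9 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB
431FB60D 60ABC20B 0203 010001
"""


def key_code_bytes(text: str) -> bytes:
    """Drop the whitespace the CLI prints between groups; reject anything that is not hex."""
    compact = "".join(text.split())
    if len(compact) % 2 or compact.strip("0123456789abcdefABCDEF"):
        raise ValueError("key code must be an even-length hexadecimal string")
    return binascii.unhexlify(compact)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER Tag-Length-Value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the key code")
    return tag, buf[pos:pos + length], pos + length


def sequence_of_integers(data: bytes) -> List[int]:
    """Require one outer SEQUENCE (0x30) holding only INTEGERs (0x02) and no trailing bytes."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE, got tag 0x{tag:02x}")
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing byte(s) after the SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError(f"expected INTEGER, got tag 0x{tag:02x}")
        values.append(int.from_bytes(value, "big"))
    return values


def integer_bit_lengths(text: str) -> List[int]:
    """Bit length of each INTEGER in the key code, in order of appearance."""
    return [v.bit_length() for v in sequence_of_integers(key_code_bytes(text))]


def is_well_formed(text: str) -> bool:
    """True when the key code is hex and a self-consistent SEQUENCE of INTEGERs."""
    try:
        sequence_of_integers(key_code_bytes(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(integer_bit_lengths(KEY_CODE_HEX))
```

Run against the key code on this page, the walker accepts it and reports two INTEGERs of 2048 and 17 bits, so the 0x0109 outer length and the 0x0100 inner length agree with the 269 bytes actually present.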
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 30820109
# Bind the DSA public key of the STelnet client to the SSH user client002 on
the SSH server.
[SSH Server] ssh user client002 assign dsa-key dsakey001
Step 4 Configure the STelnet service type for the client001 and client002 users.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:d
Enter password:
Enter the password. The following information indicates that you have logged in
successfully:
<SSH Server>
If the user view is displayed, you have logged in successfully. If the message
"Session is disconnected" is displayed, the login fails.
Step 6 Verify the configuration.
Run the display ssh server status command. You can see that the STelnet service
has been enabled. Run the display ssh user-information command. Information
about the configured SSH users is displayed.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version :2.0
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0
----End
Configuration File
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820109
02820100
CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C 5698C582 69A9F4D0
45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7 FB0E73E7
F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144 16748D1E 4847A814
3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074 B839305A 7F7BCE2C
606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3 ADDAE853 DB86B9FA
DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F F354FAF9 0F9CD2C2
F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB 431FB60D 60ABC20B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
#
return
3.3.1.6 Example for Configuring Switch Login Through the Web System
● For factory settings of web page files in versions earlier than V200R006, see
the following tables.
● In V200R006 and later versions (except V200R020C00 and later versions used
on SRUA and SRUB, such as S7700-V200R020C00SPC300-SRUA&B.cc), the
web page file has been integrated in the system software and loaded.
● In V200R020C00 and later versions, the system software used on SRUA and
SRUB does not integrate the web page file. To use the web function, obtain
the web page file, upload it to the root directory of the device storage, and
run the http server load filename command to load it.
Table 3-5 Factory settings of web page files for fixed switches
Product Model | V100R006C05 | V200R001 | V200R002 | V200R003 | V200R005
S2700-SI/S2700-EI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | -
S2710-SI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | -
S3700-SI/S3700-EI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | -
S3700-HI | - | The storage medium does not contain a web page file. | - | - | -
S5710-C-LI | - | The storage medium does not contain a web page file. | - | - | -
Table 3-6 Factory settings of web page files for modular switches
Product Model | V200R001 | V200R002 | V200R003 | V200R005
NOTE
A hyphen (-) indicates that the version is not available for the model.
3.3.1.6.2 Example for Configuring Switch Login Through the Web System
(V200R001)
Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.
Configuration Notes
This example applies to V200R001 of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700-EI running V200R001C00
as an example.
Networking Requirements
As shown in Figure 3-8, a switch functions as the HTTPS server. The user wants to
log in to the web system using HTTPS to manage and maintain the switch. The
user has obtained the server digital certificate 1_servercert_pem_dsa.pem and
private key file 1_serverkey_pem_dsa.pem from the CA.
Figure 3-8 Networking diagram for configuring switch login through the web
system
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a management IP address for remotely transferring files and
logging in to the switch through the web system.
2. Upload the required files to the HTTPS server through FTP, including the web
page file, server digital certificate, and private key file.
3. Load the web page file and digital certificate.
4. Bind an SSL policy and enable the HTTPS service.
5. Configure a web user and enter the web system login page.
Procedure
Step 1 Obtain the web page file.
The following methods are available:
● Obtain the web page file from a Huawei agent.
● Download the web page file from the Huawei enterprise technical support
website (http://support.huawei.com/enterprise). In V200R001, the web
page file is named in the format of product name-software version.web page
file version.web.zip.
NOTE
Check whether the size of the obtained web page file is the same as the file size displayed
on the website. If not, an exception may occur during file download. Download the file
again.
[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface
used for logging in to the switch through the web system on a PC. Select an interface based on actual
networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit
Step 3 Upload the web page file and digital certificate to the HTTPS server through FTP.
# Configure the FTP function for the switch and information about an FTP user,
including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password cipher Helloworld@6789 //Set the login password to
Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to
flash:/.
[HTTPS_Server-aaa] quit
[HTTPS_Server] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page
file and digital certificate to the HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file and digital certificate to the HTTPS server from the PC.
ftp> put web.zip //Upload the web page file. The web.zip file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
ftp> put 1_servercert_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_servercert_pem_dsa.pem
226 Transfer complete.
ftp: 1302 bytes sent in 2 Seconds 4.6Kbytes/sec.
ftp> put 1_serverkey_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_serverkey_pem_dsa.pem
226 Transfer complete.
ftp: 951 bytes sent in 1 Second 4.6Kbytes/sec.
# Run the dir command on the Switch to check whether the web page file and
digital certificate exist in the current storage directory.
NOTE
If the sizes of the web page file and digital certificate in the current storage directory on
the switch differ from those on the PC, an exception may have occurred during file transfer.
Upload the files again.
# Create the subdirectory security on the HTTPS server and copy the digital
certificate and private key file to the subdirectory.
<HTTPS_Server> mkdir security
<HTTPS_Server> copy 1_servercert_pem_dsa.pem security
Copy flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem...Done.
<HTTPS_Server> copy 1_serverkey_pem_dsa.pem security
Copy flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem...Done.
# Run the dir command in the security subdirectory to check the digital
certificate.
<HTTPS_Server> cd security
<HTTPS_Server> dir
Directory of flash:/security/
# After the preceding configurations are complete, run the display ssl policy
command on the HTTPS server to check detailed information about the loaded
digital certificate.
[HTTPS_Server] display ssl policy
Step 6 Configure a web user and enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-9.
You can log in to the web system using the Internet Explorer (6.0 or 8.0) or Firefox
(3.5) browsers. If the browser version or browser patch version is not within the
preceding ranges, the web page may be displayed incorrectly. Additionally, the
web browser used to log in to the web system must support JavaScript.
Enter the user name, password, and verification code, and click Login. The web system
home page is displayed, which confirms that the login through the web system succeeded.
Run the display http server command to view the SSL policy name and the
HTTPS server status.
[HTTPS_Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
aaa
local-user admin password cipher %$%$_h,hW_!nJ!2gXkH9v$X)+,#w%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password cipher %$%$jD,QKAhe{Yd9kD9Fqi#I+QH~%$%$
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
#
return
3.3.1.6.3 Example for Configuring Switch Login Through the Web System
(V100R006C05&V200R002&V200R003)
Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.
Configuration Notes
This example applies to V100R006C05, V200R002, and V200R003 of all S series
switches.
NOTE
The following uses the command lines and outputs of the S5700-EI running V200R002C00
as an example.
Networking Requirements
As shown in Figure 3-10, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.
Figure 3-10 Networking diagram for configuring switch login through the web
system
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
The web page file is delivered with a switch. For all switches in V100R006C05&V200R002
and S5700-10P-LI switches in V200R003C00, you need to load the web page file. Fixed
switches excluding S5700-10P-LI in V200R003 have loaded the web page file before
delivery. Step 2 can be skipped.
A switch provides a default SSL policy and carries a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed certificate meet
your security requirements, you do not need to upload a digital certificate or manually
configure an SSL policy, which simplifies configuration. Note that a browser cannot validate a
self-signed certificate: it warns on every connection, and the user has no way to tell the
switch's certificate from one presented by a man-in-the-middle. On a production management
network, load a certificate issued by your own CA, as in the preceding example. The following
configuration uses the default SSL policy provided by the switch as an example.
Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route
based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface
used for logging in to the switch through the web system on a PC. Select an interface based on actual
networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
● Run the dir command to view the name of the web page file carried by the switch.
● In V100R006C05, the web page file is named in the format of product name-software
version.web page file version.web.zip. In V200R002 and V200R003, the web page file is
named in the format of product name-software version.web page file version.web.7z.
[HTTPS_Server] http server load web.7z //Load the web page file. The web.7z file is used as an
example here.
Step 4 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a local user named
admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to http, that is, web user.
[HTTPS_Server-aaa] quit
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password cipher %$%$+8;_RIkI680;]{;b/Vo&T/l>%$%$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return
3.3.1.6.4 Example for Configuring Switch Login Through the Web System
(V200R005)
Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.
Configuration Notes
This example applies to V200R005 of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700-HI running V200R005 as
an example.
Networking Requirements
As shown in Figure 3-12, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.
Figure 3-12 Networking diagram for configuring switch login through the web
system
Configuration Roadmap
NOTE
A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital certificate
can meet security requirements, you do not need to upload a digital certificate or manually
configure an SSL policy, simplifying configuration. The following configuration uses the
default SSL policy provided by the switch as an example.
The system software of the following switch models in V200R005 has integrated
and loaded the web page file (including the EasyOperation and Classics editions).
You only need to configure a web user and enter the web system login page.
● Modular switch: all models
● Fixed switch: S2750, S5700-LI, S5700S-LI
The Classics web page file has been loaded on the S5700-SI, S5700-EI, S5710-EI,
S5700-HI, S5710-HI, and S6700-EI in V200R005. To use the Classics web system, you
only need to configure a web user and enter the web system login page. To use the
EasyOperation web system, perform the configuration based on the following roadmap:
1. Configure a management IP address for remotely transferring files and
logging in to the switch through the web system.
2. Upload the web page file to the HTTPS server through FTP.
3. Load the web page file.
4. Configure a web user and enter the web system login page.
Procedure
Step 1 Obtain the web page file.
The following methods are available:
● Obtain the web page file from a Huawei agent.
● Download the web page file from the Huawei enterprise technical support
website (http://support.huawei.com/enterprise).
– For a fixed switch, download the system software containing the web
page file.
– For a modular switch, download the web page file.
– In V200R005, the web page file is named in the format of product name-
software version.web page file version.web.7z.
NOTE
Check whether the size of the obtained web page file is the same as the file size displayed
on the website. If not, an exception may occur during file download. Download the file
again.
used for logging in to the switch through the web system on a PC. Select an interface based on actual
networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit
Step 3 Upload the web page file to the HTTPS server through FTP.
# Configure the FTP function for the switch and information about an FTP user,
including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to
flash:/.
[HTTPS_Server-aaa] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page
file to the HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and
password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.7z
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
NOTE
If the size of the web page file in the current directory on the switch is different from that
on the PC, an exception may occur during file transfer. Upload the web page file again.
Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
return
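The configuration files in these examples leave several plaintext management services in place once the one-off upload is done: the FTP server stays enabled, port 80 remains open beside HTTPS (the display http server output above shows HTTP Server Status : enabled), and the VTY lines accept connections from any source. The following script is an added example, not part of the Huawei guide, that audits a VRP-style configuration file for such settings. Its rule set is this example's own checklist. The sample configuration is constructed from the V200R005 HTTPS_Server configuration file above, with the FTP user's password changed to the reversible cipher form used in the V100R006C05 example; the hardened variant is also constructed. The assumption that plaintext HTTP stays enabled unless explicitly disabled follows the display output above; the remediation commands it suggests (undo ftp server enable, undo telnet server enable, undo http server enable, password irreversible-cipher, and acl ... inbound under user-interface vty) are assumptions to verify against the command reference for your software version.

```python
"""Audit a VRP-style switch configuration for weak management-plane settings.

Added example for this guide, not Huawei code. The rule set is this example's own
checklist; the remediation commands in the findings are assumptions to verify
against the command reference for your software version.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the guide's V200R005 HTTPS_Server configuration file, with the
# FTP user's password changed to the reversible 'cipher' form used in the
# V100R006C05 example (cipher text copied from that example).
SAMPLE_CONFIG = """\
#
sysname HTTPS_Server
#
FTP server enable
#
http server load web.7z
#
aaa
 local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
 local-user admin privilege level 15
 local-user admin service-type http
 local-user client001 password cipher %$%$jD,QKAhe{Yd9kD9Fqi#I+QH~%$%$
 local-user client001 privilege level 15
 local-user client001 ftp-directory flash:/
 local-user client001 service-type ftp
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

# Constructed hardened variant: FTP removed after the upload, port 80 closed, only
# irreversible password storage, and VTY access limited to the management subnet.
HARDENED_CONFIG = """\
#
sysname HTTPS_Server
#
undo http server enable
http secure-server enable
#
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.0.255
#
aaa
 local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
 local-user admin privilege level 15
 local-user admin service-type http
#
user-interface vty 0 14
 authentication-mode aaa
 acl 2000 inbound
#
return
"""


@dataclass(frozen=True)
class Finding:
    rule: str  # short rule identifier
    line: str  # offending config line, or '' when the problem is a missing line
    fix: str   # suggested command (assumption: check your version's command reference)


def _lines(config: str) -> List[str]:
    """Strip indentation and drop empty lines and '#' section separators."""
    return [l.strip() for l in config.splitlines() if l.strip() and l.strip() != "#"]


def audit(config: str) -> List[Finding]:
    lines = _lines(config)

    def first(pattern: str) -> Optional[str]:
        """Return the first line matching pattern (case-insensitive, whole line)."""
        for line in lines:
            if re.fullmatch(pattern, line, re.IGNORECASE):
                return line
        return None

    findings: List[Finding] = []
    hit = first(r"ftp server enable")  # plaintext FTP left on after a one-off upload
    if hit:
        findings.append(Finding("ftp-server-enabled", hit,
                                "undo ftp server enable (transfer files with SFTP instead)"))
    hit = first(r"telnet server enable")  # plaintext CLI access
    if hit:
        findings.append(Finding("telnet-server-enabled", hit,
                                "undo telnet server enable (use STelnet instead)"))
    # Web system in use but port 80 not closed. Assumption, consistent with the
    # display http server output in the guide: HTTP is on unless explicitly disabled.
    if first(r"http (secure-server enable|server load \S+)") and not first(r"undo http server enable"):
        findings.append(Finding("http-plaintext-enabled", "",
                                "undo http server enable (keep only http secure-server enable)"))
    for line in lines:  # reversible password storage
        if re.fullmatch(r"local-user \S+ password cipher \S+", line, re.IGNORECASE):
            findings.append(Finding("reversible-password", line,
                                    "local-user %s password irreversible-cipher <new-password>" % line.split()[1]))
    if first(r"user-interface vty .*") and not first(r"acl \d+ inbound"):  # VTY open to any source
        findings.append(Finding("vty-no-acl", "",
                                "acl <number> inbound under user-interface vty, permitting only the management subnet"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-24s %-60s fix: %s" % (f.rule, f.line or "(absent)", f.fix))
```

Run it against a configuration saved with display current-configuration; the sample above yields four findings, the hardened variant none. The checks are deliberately whole-line, so an indented sub-command such as acl 2000 inbound is only credited when it appears somewhere in the file; extend the rules with the ssh server-source and ftp server-source binding if your version requires it.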
Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.
3.3.1.6.5 Example for Configuring Switch Login Through the Web System
(V200R006 and later versions)
Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.
The web system is available in EasyOperation and Classics versions.
● The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations.
● The Classics version inherits the web page style of Huawei switches and
provides comprehensive configuration and management functions.
Configuration Notes
This example applies to V200R006 and later versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00
as an example.
Networking Requirements
As shown in Figure 3-14, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.
Figure 3-14 Networking diagram for configuring switch login through the web
system
Configuration Roadmap
The configuration roadmap is as follows:
● The system software of the switch has integrated and loaded the web page
file. No manual configuration is required.
● A switch provides a default SSL policy and has a randomly generated self-
signed digital certificate in the web page file. If the default SSL policy and
self-signed digital certificate can meet security requirements, you do not need
to upload a digital certificate or manually configure an SSL policy, simplifying
configuration. The following configuration uses the default SSL policy
provided by the switch as an example.
● Configure a management IP address for logging in to the switch through the
web system.
● Configure a web user and enter the web system login page.
Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route
based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface
used for logging in to the switch through the web system on a PC. Select an interface based on actual
networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
Step 3 Configure a web user and enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-15.
Table 3-7 lists the browser versions required for login to a switch through the web
system. If the browser version or browser patch version is not within the listed
ranges, the web page may not be properly displayed. Upgrade the browser and
browser patch. In addition, the browser must support JavaScript.
Enter the web user name admin and password Helloworld@6789, and click GO
or press Enter. The web system home page is displayed. The EasyOperation web
system is logged in by default.
Table 3-7 Mapping between the product version and browser version
Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0 //This field displays the HTTP server source interface in V200R020 and later versions.
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return
Overview
You can log in to the switch using the console port, Telnet, or STelnet to manage
storage, directories, and local files. Only logged in users can manage the storage.
To transfer files, you can use FTP, TFTP, Secure Copy Protocol (SCP), or FTPS.
Configuration Notes
● Before logging in to the switch to manage files, complete the following task:
– Log in to the switch from a terminal.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
A user logs in to the Switch using the console port, Telnet, or STelnet from the PC,
and needs to perform the following operations on the files on the Switch:
● View the files and subdirectories in the current directory.
● Create the directory test. Copy the file vrpcfg.zip to test and rename the file
as backup.zip.
● View files in test.
Figure 3-16 Networking diagram for logging in to the switch to manage files
Procedure
Step 1 View the files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/
Step 2 Create the directory test. Copy the file vrpcfg.zip to test and rename the file as
backup.zip.
# Create the directory test.
<Switch> mkdir test
Info: Create directory flash:/test......Done.
# Copy the file vrpcfg.zip to test and rename the file as backup.zip.
<Switch> copy vrpcfg.zip flash:/test/backup.zip //Set the target file name to backup.zip. If not
specified, the target file name is the same as the source file name.
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
# Access test.
<Switch> cd test
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
return
Overview
After a switch is configured as an FTP server, users can access the switch using the
FTP client software on the local terminals. Users can then manage files between
the switch and local terminals. The configuration for managing files using FTP is
simple, and FTP supports file transfer and file directory management.
FTP provides the authorization and authentication functions for managing files.
However, data is transferred in plaintext, which brings security risks.
FTP is applicable to file management when high network security is not required,
and is often used in version upgrades.
Configuration Notes
● Before managing files using FTP, complete the following tasks:
– Ensure that routes are reachable between the terminal and the switch.
– Ensure that FTP client software is installed on the terminal.
● FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or
FTPS is recommended.
● If the number of FTP users on the switch reaches the maximum value (5),
new authorized users cannot log in. To ensure that new FTP users successfully
log in to the switch, FTP users who have completed file operations need to
get offline.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
As shown in Figure 3-17, the PC connects to the switch, and the IP address of the
management network interface on the switch is 10.136.23.5. The switch needs to
be upgraded. The switch is required to function as the FTP server so that you can
upload the system software from the PC to the switch and back up the
configuration file to the PC.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP function for the switch and information about an FTP user,
including the user name and password, user level, service type, and
authorized directory.
2. Save the current configuration file on the switch.
3. Establish an FTP connection between the PC and the switch.
4. Upload the system software to the switch and back up the configuration file
of the switch to the PC.
Procedure
Step 1 Configure the FTP function for the switch and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server enable //Enable the FTP server function.
[FTP_Server] ftp server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.136.23.5. Assume that the interface is Vlanif 10.
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[FTP_Server-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[FTP_Server-aaa] local-user admin1234 service-type ftp //Set the user service type to FTP.
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/ //Set the FTP service authorized directory to
flash:/.
[FTP_Server-aaa] quit
[FTP_Server] quit
Step 3 Establish an FTP connection between the PC and the switch. Enter the user name
admin1234 and password Helloworld@6789 and set the file transfer mode to
binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. The default mode is ASCII.
200 Type set to I.
ftp>
The ASCII mode is used to transfer text files, and the binary mode is used to
transfer programs including the system software (with the file name extension
of .cc, .bin, or .pat), images, voices, videos, compressed packages, and database
files.
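The paragraph above explains which mode to use but not what goes wrong otherwise, and the NOTE after each upload in this guide asks you to compare file sizes without saying why. The following script is an added example, not part of the Huawei guide: ascii_mode_transfer models the line-ending rewrite that an ASCII-mode FTP transfer applies (every bare LF becomes CR LF), so a system software image or .7z/.zip archive sent that way grows by one byte per 0x0A byte and no longer hashes the same; transfer_ok is the size comparison the NOTEs recommend. The sample image is constructed, not a real devicesoft.cc.

```python
"""Why FTP binary mode matters, and what the size check in the guide's NOTEs catches.

Added example for this guide, not Huawei code. The sample image is constructed.
"""
import hashlib
import re


def constructed_image() -> bytes:
    """Stand-in for a binary file such as devicesoft.cc or web.7z (constructed)."""
    return b"\x7fELF" + bytes(range(256)) * 4


def ascii_mode_transfer(data: bytes) -> bytes:
    """Model of an ASCII-mode transfer: every bare LF is rewritten as CR LF."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def binary_mode_transfer(data: bytes) -> bytes:
    """Binary (image) mode: bytes pass through unchanged."""
    return data


def sha256_hex(data: bytes) -> str:
    """Hash to compare when the far side can report one; stronger than a size check."""
    return hashlib.sha256(data).hexdigest()


def transfer_ok(local: bytes, remote_size: int) -> bool:
    """The check the guide recommends: the size shown by 'dir' on the switch must equal
    the local size. Necessary but not sufficient: a flipped byte keeps the size."""
    return len(local) == remote_size


if __name__ == "__main__":
    img = constructed_image()
    mangled = ascii_mode_transfer(img)
    print("local %d bytes, ASCII-mode copy %d bytes, same hash: %s"
          % (len(img), len(mangled), sha256_hex(img) == sha256_hex(mangled)))
    print("size check on ASCII-mode copy:", transfer_ok(img, len(mangled)))
```

A size mismatch after an upload therefore usually means the transfer mode was wrong or the transfer was cut short; retransfer in binary mode, as the NOTEs say, rather than trusting a file of the wrong size.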
Step 4 Upload the system software to the switch and back up the configuration file of
the switch to the PC.
# Upload the system software to the switch.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05 Seconds 560.79Kbytes/sec.
NOTE
Before uploading and downloading files to the FTP server, determine the FTP working
directory on the FTP client. For example, the default FTP working directory on the Windows
XP operating system is the login user working directory (such as C:\Documents and
Settings\Administrator). This directory also stores the system software to be uploaded and
backup configuration file.
# Check whether the file vrpcfg.zip is stored in the FTP working directory on the
PC.
----End
Configuration Files
FTP_Server configuration file
#
sysname FTP_Server
#
FTP server enable
#
aaa
local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user admin1234 privilege level 15
local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
return
Overview
After a switch is configured as an SFTP server, users can communicate with the
switch using SFTP. The SSH protocol can be used to ensure connection security.
SFTP encrypts data and protects its integrity, providing high security. Both SFTP and
FTP can be configured on the switch.
SFTP is applicable to file management when high network security is required, and
is often used for downloading logs and backing up the configuration file.
Configuration Notes
● Before managing files using SFTP, complete the following tasks:
– Ensure that routes are reachable between the terminal and the switch.
– Ensure that SSH client software is installed on the terminal.
● SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
As shown in Figure 3-18, the PC connects to the switch, and the IP address of the
management network interface on the switch is 10.136.23.4. Files need to be
securely transferred between the PC and switch to prevent man-in-the-middle
attacks and some network attacks (such as DNS spoofing and IP spoofing).
Configure the switch as the SSH server to provide the SFTP service so that the SSH
server can authenticate the client and encrypt data in bidirectional mode to
ensure secure file transfer.
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server
function to implement secure data exchange between the server and client.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
4. Use the third-party software OpenSSH to access the SSH server.
Procedure
Step 1 Generate a local key pair on the SSH server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] sftp server enable //Enable the SFTP server function.
[SSH_Server] ssh server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.136.23.4. Assume that the interface is Vlanif 10.
Step 3 Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password //Set the authentication mode to
password authentication.
[SSH_Server] ssh user client001 service-type sftp //Set the user service type to SFTP.
[SSH_Server] ssh user client001 sftp-directory flash: //Set the SFTP service authorized directory to flash:.
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[SSH_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[SSH_Server-aaa] local-user client001 service-type SSH //Set the user service type to SSH.
[SSH_Server-aaa] quit
NOTE
Ensure that the OpenSSH version matches the operating system of the PC. Otherwise, you
may fail to access the switch using SFTP.
After the PC connects to the switch using the third-party software, enter the SFTP
view to perform file operations.
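SFTP only prevents the man-in-the-middle attacks mentioned under Networking Requirements if the client checks the switch's host key the first time it connects; after that, OpenSSH pins it in known_hosts. The following script is an added example, not Huawei or OpenSSH code. It computes the same SHA256 fingerprint that OpenSSH prints, so the value read from the switch console over a path you already trust can be compared with what the client shows on first connect and, later, with the known_hosts entry. The key and the known_hosts line are constructed; on the switch the fingerprint would be derived from the public key shown by the local key pair display command for your version. Two caveats a practitioner should know: Step 1 generates only a DSA host key, and OpenSSH clients from 7.0 onward disable ssh-dss host keys by default, so an up-to-date PC refuses to connect unless that algorithm is re-enabled on the client; generating an RSA host key on the switch with rsa local-key-pair create (not shown in this example) avoids that.

```python
"""Pin the switch's SSH host key before the first SFTP connection.

Added example for this guide, not Huawei or OpenSSH code. The key material is
constructed; nothing here is the key of a real switch.
"""
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_host_key() -> str:
    """A syntactically valid ssh-ed25519 public key line (constructed for this example)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():  # the blob must start with the declared type
        raise ValueError("key blob does not match declared key type %s" % keytype)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> Tuple[list, str]:
    """Split a plain (unhashed) known_hosts line into its host list and key."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype + " " + b64


def host_key_matches(known_hosts_line: str, host: str, expected_fp: str) -> bool:
    """True only if the line is for `host` and its key has the pinned fingerprint."""
    hosts, key = parse_known_hosts_line(known_hosts_line)
    if host not in hosts:
        return False
    # constant-time comparison; both sides are ASCII fingerprint strings
    return hmac.compare_digest(fingerprint_sha256(key), expected_fp)


if __name__ == "__main__":
    # Fingerprint an administrator would read off the switch console (constructed here).
    pinned = fingerprint_sha256(constructed_host_key())
    entry = "10.136.23.4 " + constructed_host_key()  # constructed known_hosts line
    print(pinned, host_key_matches(entry, "10.136.23.4", pinned))
```

Compare the pinned value with the fingerprint the OpenSSH client prints in its "The authenticity of host ... can't be established" prompt before answering yes; a mismatch on a host you have connected to before means the switch's key was regenerated or the connection is being intercepted, and should be treated as an incident until explained.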
----End
Configuration Files
SSH_Server configuration file
#
sysname SSH_Server
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
authentication-mode aaa
#
return
Overview
After a switch is configured as a TFTP client, it can access the remote TFTP server
to upload and download files on the TFTP server. When you access other devices
using TFTP, you do not need to enter the user name or password, simplifying
information exchange. TFTP has no authorization or authentication mechanism
and transfers data in plaintext, which brings security risks and is vulnerable to
network viruses and attacks. Exercise caution when using TFTP.
On a high-performance, isolated lab LAN, TFTP can be used to load and upgrade the
system software.
Configuration Notes
● Before accessing files on the TFTP server, ensure that routes are reachable
between the switch and TFTP server.
● The switch can only function as a TFTP client.
● The TFTP mode supports only file transfer, but does not support interaction.
● TFTP has no authorization or authentication mechanism and transfers data in
plaintext, which brings security risks and is vulnerable to network viruses and
attacks.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
As shown in Figure 3-20, the remote server at IP address 10.1.1.1/24 functions as
the TFTP server. The switch at IP address 10.2.1.1/24 functions as the TFTP client
and has reachable routes to the TFTP server.
The switch needs to be upgraded. You need to download the system software
from the TFTP server to the switch and back up the current configuration file of
the switch to the TFTP server.
Figure 3-20 Networking diagram for accessing files on another device using TFTP
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload and download files on the switch using TFTP commands.
Procedure
Step 1 Run the TFTP software on the TFTP server and set the TFTP working directory. For
the detailed operations, see the help document of the third-party TFTP software.
Step 2 Upload and download files on the switch using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc //Download devicesoft.cc.
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please
wait...
|
TFTP: Downloading the file successfully.
106616955 byte(s) received in 722 second(s).
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip //Upload vrpcfg.zip.
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
100%
TFTP: Uploading the file successfully.
7717 byte(s) sent in 1 second(s).
# Check whether the file vrpcfg.zip is stored in the working directory on the TFTP
server.
----End
Configuration Files
None
Overview
After a switch is configured as an FTP client, it can log in to the FTP server to
transfer files and manage files and directories on the FTP server. The
configuration for accessing other devices using FTP is simple, and FTP supports file
transfer and file directory management. FTP provides user authentication and
authorization for file management, but the user name, password, and file data are all
transferred in plaintext, so anyone on the path can read them and nothing protects
the transferred file against modification.
FTP is applicable to file transfer when high network security is not required, and is
often used for downloading the system software from the FTP server and backing
up the configuration file.
Configuration Notes
● Before accessing files on the FTP server, ensure that routes are reachable
between the switch and FTP server.
● FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or
FTPS is recommended.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
As shown in Figure 3-21, the remote server at IP address 10.1.1.1/24 functions as
the FTP server. The switch at IP address 10.2.1.1/24 functions as the FTP client and
has reachable routes to the FTP server.
The switch needs to be upgraded. You need to download the system software
from the FTP server to the switch and back up the current configuration file of the
switch to the FTP server.
Figure 3-21 Networking diagram for accessing files on another device using FTP
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure an FTP user.
2. Establish an FTP connection between the switch and the FTP server.
3. Upload and download files on the switch using FTP commands.
Procedure
Step 1 Run the FTP software on the FTP server and configure an FTP user. For the
detailed operations, see the help document of the third-party FTP software.
Step 2 Establish an FTP connection between the switch and the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
Step 3 Upload and download files on the switch using FTP commands.
[ftp] binary //Set the file transfer mode to binary. The default mode is ASCII.
[ftp] get devicesoft.cc //Download the system software on the FTP server to the switch.
[ftp] put vrpcfg.zip //Upload the backup configuration file on the switch to the FTP server.
[ftp] quit
The ASCII mode is used to transfer text files. The binary mode is used to transfer
programs, including the system software (files with the extension .cc, .bin, or .pat),
image, audio, and video files, compressed packages, and database files. Transferring
a system software file in ASCII mode corrupts it.
# Check whether the file vrpcfg.zip is stored in the working directory on the FTP
server.
----End
Configuration Files
None
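The TFTP and FTP procedures above move the system software and the configuration backup with no integrity protection (TFTP has no authentication at all, and FTP protects neither credentials nor data), and the check recommended later in this guide, comparing the size of the loaded file with the file on the PC, catches a truncated transfer but not a modified one. The following Python script is an added example, not part of the guide, that you would run on the PC or file server holding the image: it checks size and SHA-256 against values obtained out of band (the vendor's download page, or the hash recorded before the file left the PC) and demonstrates, on a constructed stand-in for devicesoft.cc, that a one-bit change passes the size check and fails the hash check. The function names and the sample content are the example's own.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a 100 MB .cc image never has to fit in memory


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_size: int, expected_sha256: str) -> dict:
    """Check a transferred file against a size and SHA-256 obtained out of band
    (vendor release page, or the hash computed before the file left the PC).
    Both results are returned so a size mismatch and a hash mismatch are reported separately."""
    actual_size = os.path.getsize(path)
    actual_sha256 = sha256_of_file(path)
    return {
        "size_ok": actual_size == expected_size,
        # constant-time compare: irrelevant for a local file, but the habit matters wherever
        # the comparison result can be observed by a remote party
        "hash_ok": hmac.compare_digest(actual_sha256, expected_sha256.lower()),
        "actual_size": actual_size,
        "actual_sha256": actual_sha256,
    }


def demo() -> tuple:
    """Constructed demonstration (not a real VRP image): write a fake devicesoft.cc, then a copy
    with a single bit flipped, as a corrupting or malicious relay on the TFTP path could do.
    Both files have the same size, so a 'dir flash:' size comparison passes for both."""
    original = bytes(range(256)) * 4096                 # 1 MiB of deterministic filler
    tampered = bytearray(original)
    tampered[500_000] ^= 0x01                           # same length, one bit different
    expected_size = len(original)
    expected_sha256 = hashlib.sha256(original).hexdigest()  # stands in for the vendor's published hash
    with tempfile.TemporaryDirectory() as workdir:
        good_path = os.path.join(workdir, "devicesoft.cc")
        bad_path = os.path.join(workdir, "devicesoft_tampered.cc")
        with open(good_path, "wb") as f:
            f.write(original)
        with open(bad_path, "wb") as f:
            f.write(bytes(tampered))
        return (verify_image(good_path, expected_size, expected_sha256),
                verify_image(bad_path, expected_size, expected_sha256))


if __name__ == "__main__":
    untouched, flipped = demo()
    print("untouched image: size_ok=%s hash_ok=%s" % (untouched["size_ok"], untouched["hash_ok"]))
    print("tampered image : size_ok=%s hash_ok=%s" % (flipped["size_ok"], flipped["hash_ok"]))
```

Verify the image on the PC before it is pushed to the switch, and after an upload from the switch hash the copy that arrived on the TFTP or FTP server; the size shown by dir flash: on the switch is then only a sanity check on top of a hash you already trust.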
Overview
SFTP is an SSH-based secure file transfer protocol that runs over an SSH connection.
After a switch is configured as an SFTP client, the remote SFTP server authenticates
the client, and the data is encrypted in both directions, which secures file transfer
and directory management.
SFTP is applicable to accessing files on other devices when high network security
is required, and is often used for uploading and downloading logs.
Configuration Notes
● Before accessing files on the SSH server using SFTP, ensure that routes are
reachable between the switch and SSH server.
● SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
● This example uses DSA keys because that is what the referenced version prints. DSA signatures in SSH (ssh-dss) are SHA-1 based and are disabled by default in OpenSSH 7.0 and later, so use RSA (2048 bits or longer) or ECC keys where the switch version and the clients support them.
● This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.
Networking Requirements
As shown in Figure 3-22, the routes between the SSH server and clients client001
and client002 are reachable. A Huawei switch is used as the SSH server in this
example.
The clients client001 and client002 are required to connect to the SSH server in
password and DSA authentication modes respectively to ensure secure access to
files on the SSH server.
Figure 3-22 Networking diagram for accessing files on another device using SFTP
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server
function to implement secure data exchange between the server and client.
2. Configure the clients client001 and client002 on the SSH server to log in to
the SSH server in password and DSA authentication modes, respectively.
3. Generate a local key pair on client002 and configure the generated DSA
public key on the SSH server, which implements authentication for the client
when a user logs in to the server from the client.
4. On the SSH server, enable client001 and client002 to log in to the SSH server
using SFTP and access the files.
Procedure
Step 1 On the SSH server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024,
2048.
Info: If the key modulus is greater than 512, it may take a few
minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable //Enable the SFTP server function.
Info: Succeeded in starting the SFTP server.
[SSH Server] ssh server-source -i Vlanif 10 //In V200R020 and later versions, you must run this command to set
the source interface of the SSH server to the interface that uses the IP address 10.1.1.1 (Vlanif 10 is assumed
here). Otherwise, clients cannot connect to the server through 10.1.1.1.
Step 2 On the SSH server, create the SSH users and set their authentication modes.
# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002 //Create an SSH user.
[SSH Server] ssh user client002 authentication-type dsa //Set the authentication mode to DSA
authentication.
[SSH Server] ssh user client002 service-type sftp //Set the user service type to SFTP.
[SSH Server] ssh user client002 sftp-directory flash: //Set the SFTP service authorized directory to flash:.
Step 3 Generate a local key pair on client002 and configure the generated DSA public
key on the SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024,
2048.
Info: If the key modulus is greater than 512, it may take a few
minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Display the public key of the local DSA key pair on client002. The key code in the output is what you copy to the SSH server.
[client002] display dsa local-key-pair public
=====================================================
Key code:
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U4
2SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNt
AEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMf
LZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCo
otdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/
AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN
+A==
---- END SSH2 PUBLIC KEY ----
# Configure the generated DSA public key on the SSH server. The key code in the
display command output on client002 is the DSA public key. Copy it to the SSH
server.
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code]30820322
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
[SSH Server-dsa-key-code]8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
[SSH Server-dsa-key-code]EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
[SSH Server-dsa-key-code]60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
[SSH Server-dsa-key-code]A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
[SSH Server-dsa-key-code]AAB59973 9AB02185 856A881F 9197368B 92DBF684
[SSH Server-dsa-key-code]9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
[SSH Server-dsa-key-code]5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
[SSH Server-dsa-key-code]9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
[SSH Server-dsa-key-code]326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
[SSH Server-dsa-key-code]BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
[SSH Server-dsa-key-code]8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
[SSH Server-dsa-key-code]4EA0EE50 1FC6695D 03D68D51 9324E493
[SSH Server-dsa-key-code]0214
[SSH Server-dsa-key-code]C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
[SSH Server-dsa-key-code]96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
[SSH Server-dsa-key-code]21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
[SSH Server-dsa-key-code]5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
[SSH Server-dsa-key-code]2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
[SSH Server-dsa-key-code]4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
[SSH Server-dsa-key-code]9A56E32E C15A0659 3D17C407 29F587C7 74959017
[SSH Server-dsa-key-code]62B08070 24564B2E E79C6E1D 86793548 76CC662A
[SSH Server-dsa-key-code]1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
[SSH Server-dsa-key-code]26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
[SSH Server-dsa-key-code]4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
[SSH Server-dsa-key-code]A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
[SSH Server-dsa-key-code]C15B6DBA 65C9EFAB 247DB13D 4942E2FF
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
[SSH Server-dsa-key-code]98559075 98039259 0C54818C 650A95C7 0A5250EB
[SSH Server-dsa-key-code]12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
[SSH Server-dsa-key-code]6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
[SSH Server-dsa-key-code]4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
[SSH Server-dsa-key-code]3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
[SSH Server-dsa-key-code]B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
[SSH Server-dsa-key-code]0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
[SSH Server-dsa-key-code]14552C1F 76A401AE E06E482D 6582052E 5B11A678
[SSH Server-dsa-key-code]A467B38A B77C1C55 D367E253 FFA44841 FC38A462
[SSH Server-dsa-key-code]B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
[SSH Server-dsa-key-code]634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
[SSH Server-dsa-key-code]C02FF228 A90D7593 AE46C5D0 4B224FEE
[SSH Server-dsa-key-code]public-key-code end //Finish entering the key code and return to the public key view.
[SSH Server-dsa-public-key]peer-public-key end //Return to the system view.
[SSH Server] ssh user client002 assign dsa-key dsakey001 //Bind the public key dsakey001 to the SSH user client002 so
that the server authenticates client002 with this key.
# Enable the first authentication function on the SSH clients upon the first login.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable //Enable the first authentication function on client001. With first
authentication enabled, the client accepts and saves the server's public key on the first connection without
checking it, so confirm the server's key fingerprint out of band before the first login, and disable the function
(undo ssh client first-time enable) once the key has been saved.
[client002] ssh client first-time enable //Enable the first authentication function on client002.
Step 4 Log in to the SSH server (10.1.1.1) using SFTP from client001 in password
authentication mode and from client002 in DSA authentication mode.
# Log in from client001.
[client001] sftp 10.1.1.1
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey
authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
Enter password:
sftp-client>
# Log in from client002.
[client002] sftp 10.1.1.1
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey
authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
sftp-client>
Run the display ssh server status command on the SSH server to check whether
the SFTP service is enabled. Run the display ssh user-information command to
check information about SSH users on the server.
----End
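The key code pasted on the server in Step 3 and the SSH2 PUBLIC KEY block printed by client002 are two encodings of the same DSA public key, and neither the paste nor first-time authentication in Step 4 gives you a check that what you copied is what the client will actually present. The following Python script is an added example, not part of the guide: it loads the DER key code of dsakey001 exactly as printed above, splits it into the DSA values p, q, g and y, re-encodes them as the ssh-dss blob that the SSH2 PUBLIC KEY block carries, produces the OpenSSH-style SHA256 fingerprint you would compare out of band before a first login, and runs the group checks (q divides p-1, g and y have order q) that the CLI does not perform on a pasted key. The hex is copied from the page; all function names are the example's own.

```python
import base64
import hashlib
import struct

# DER "Key code" for dsakey001 as printed by the switch and pasted on the server above:
# SEQUENCE { INTEGER p, INTEGER q, INTEGER g, INTEGER y }. Whitespace is ignored when loading.
DSAKEY001_DER_HEX = """
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE 8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E 60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750 5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6 326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB 8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6 5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62 A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD 98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F 6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5 3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48 0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678 A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0 634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE
"""

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_der_dsa_public_key(der: bytes):
    """Return (p, q, g, y) from a DER SEQUENCE of exactly four INTEGERs; reject anything else."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected DER INTEGER")
        values.append(int.from_bytes(value, "big"))
    if len(values) != 4:
        raise ValueError("a DSA public key needs p, q, g, y")
    return tuple(values)

def load_dsakey001():
    return parse_der_dsa_public_key(bytes.fromhex("".join(DSAKEY001_DER_HEX.split())))

def mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): length-prefixed big-endian, with a leading 0x00 when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def ssh_dss_blob(p, q, g, y) -> bytes:
    """The 'ssh-dss' public key wire format: the algorithm name followed by four mpints."""
    return struct.pack(">I", 7) + b"ssh-dss" + mpint(p) + mpint(q) + mpint(g) + mpint(y)

def ssh2_base64(p, q, g, y) -> str:
    """Base64 body of the SSH2 PUBLIC KEY block (RFC 4716) that the switch prints after the key code."""
    return base64.b64encode(ssh_dss_blob(p, q, g, y)).decode("ascii")

def ssh2_public_key_text(p, q, g, y) -> str:
    b64 = ssh2_base64(p, q, g, y)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "---- BEGIN SSH2 PUBLIC KEY ----\n" + "\n".join(lines) + "\n---- END SSH2 PUBLIC KEY ----"

def fingerprint_sha256(p, q, g, y) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the blob's SHA-256.
    This is the value to compare out of band before accepting a key under first-time authentication."""
    digest = hashlib.sha256(ssh_dss_blob(p, q, g, y)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def check_dsa_group(p, q, g, y) -> dict:
    """Structural checks on a pasted key that the CLI does not perform."""
    return {
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "q_divides_p_minus_1": (p - 1) % q == 0,
        "g_has_order_q": 1 < g < p and pow(g, q, p) == 1,
        "y_in_subgroup": 1 < y < p and pow(y, q, p) == 1,
    }

if __name__ == "__main__":
    key = load_dsakey001()
    print(check_dsa_group(*key))
    print(fingerprint_sha256(*key))
    print(ssh2_public_key_text(*key))
```

Run against the page's values, the base64 this produces for p, q and g reproduces the corresponding lines of the SSH2 PUBLIC KEY block shown for client002, which is how you confirm that a key code pasted on the server is the key a client actually presents. A single wrong hex digit in the paste changes the fingerprint, so compare the fingerprint computed on the server with the one computed on the client instead of checking 800 hex digits by eye.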
Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
NOTE
● Most laptops do not provide COM ports and can only be connected to devices
through USB ports. In this case, purchase a USB-serial cable, connect its COM
female connector to the COM male connector of the console cable delivered with
the device, and connect its USB connector to a USB port on the PC. Then install
the driver delivered with the USB-serial cable on the PC or download a USB-to-RS232
driver from the Internet.
2. Start the terminal emulation software on your PC, create a connection, select
the connected COM port, and set communication parameters. Communication
parameter settings on the terminal emulation software must be the same as
the default settings on the switch, which are: 9600 bit/s baud rate, 8 data bits,
1 stop bit, no parity check, and no flow control.
3. Enter the user name and password.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to
find out how to obtain it.
4. Configure a management IP address for the switch to make the switch and PC
reside on the same network segment, so that the switch and PC can ping
each other.
<HUAWEI> system-view
[HUAWEI] interface vlanif 1
[HUAWEI-vlanif1] ip address 10.10.1.1 24 //10.10.1.1/24 is the IP address configured for the
VLANIF interface. You can configure the interface IP address based on the actual situation. Ensure
that the interface IP address is on the same network segment as the PC.
[HUAWEI-vlanif1] quit
2. Check whether the system software and patch file are successfully loaded.
<HUAWEI> dir flash: //Check whether the size of the loaded file is the same as that of the file on
the PC. If not, delete the file and load it again.
Directory of flash:/
3. Specify the system software and patch for next startup of the switch.
<HUAWEI> startup system-software S5720-HI-V200R010C00SPC600.cc //Set the system software
for next startup.
<HUAWEI> startup patch S5720-HI-V200R010SPH013.pat //Set the patch for next startup.
NOTE
If the switch is a modular switch with two MPUs, run the following commands in the user
view to copy the files to the standby MPU and set the system software and patch to be used
by the standby MPU.
● copy S5720-HI-V200R010C00SPC600.cc slave#flash:
● startup system-software S5720-HI-V200R010C00SPC600.cc slave-board
● startup patch S5720-HI-V200R010SPH013.pat slave-board
4. Check the configuration for next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/defaultdevicesoft.cc
Startup system software: flash:/defaultdevicesoft.cc
Next startup system software: flash:/S5720-HI-V200R010C00SPC600.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: flash:/patch.pat
Next startup patch package: flash:/S5720-HI-V200R010SPH013.pat
NOTE
If the system software of the switch is damaged and you cannot restart the switch, you can use
the BootLoad program to modify the system software, configuration files, and patch files, and
configure the switch to start with the specified files. This implements the system software
restoration and rollback of the switch. For detailed operations, see Configuration Guide - Basic
Configuration Guide - BootLoad Menu Operation.
Recommendations
NOTE
The following recommendations are provided based on the positioning of fixed switch models. If
customers have special requirements, it is recommended to deploy high-end devices at a lower
network layer; it is not recommended to deploy low-end devices at a higher network layer. For
example, it is recommended to deploy aggregation switches at the access layer rather than to
deploy access switches at the aggregation layer.
To ensure stack reliability and bandwidth, you are advised to do as follows:
● Ensure that each member device connects to the core device through an uplink port. This
connection prevents upstream traffic forwarding from being affected when any member
device fails.
● When using multiple devices to set up a stack, ensure the same stack bandwidth between
any two devices. Otherwise, the bandwidth of the stack system is the minimum stack
bandwidth.
Ring topology
Advantages:
● High reliability: If a stack link fails, the topology changes from ring to chain, and the stack can still function normally.
● High link bandwidth efficiency: Data can be forwarded along the shortest path.
Disadvantages: The first and last member switches need to be connected by a physical link, so this topology is not applicable to long-distance stacking.
Application scenario: Member switches are located near one another.
Figure 3-28 Only one logical stack port between two member devices
Figure 3-29 Two logical stack ports between two member devices
When using two devices to set up a stack, you are advised to do as follows:
● If the devices provide no more than 28 ports, use the networking with only
one logical stack port. Otherwise, use the back-to-back networking.
● If more member devices need to be added to the stack in the future, use the
back-to-back networking, which will require minimum modification to the
existing system.
● Connect at least two stack cables between the two devices to ensure
reliability.
Feature Limitations
Version restrictions:
● When multiple switches set up a stack, member switches will synchronize the
running version of the master switch. If a member switch does not support
this running version, it will restart repeatedly.
● In V200R009C00, if MPLS-incapable S5720-EIs exist in a stack, this stack
cannot have MPLS enabled. If member devices in a stack are running MPLS
services, adding MPLS-incapable S5720-EIs to the stack is not allowed.
● An S5720-HI supports the stacking function since V200R009C00. When a
member device in a stack is faulty and fails to restart for three consecutive
times, the device attempts to roll back to a version earlier than V200R009C00
for restart. When the device restarts successfully after rolling back to a version
earlier than V200R009C00, a multi-active situation may occur because the
version earlier than V200R009C00 does not support the stacking function. To
prevent this situation, you are advised to delete the system software earlier
than V200R009C00 from member devices when using S5720-HIs to set up a
stack.
● When two stack member devices use ports on S7Q02001 and ES5D21Q02Q00
cards, respectively, to set up a stack, ensure that the device versions are the
same. Otherwise, the stack ports cannot go Up.
MAD specifications:
● You can configure a maximum of eight direct detection links for each member
switch in a stack.
● You can configure the relay mode on a maximum of four Eth-Trunks in a
stack.
● In V200R008C00 and earlier versions, you can configure a maximum of 64
Eth-Trunks on a relay agent to provide the relay function for multiple stacks.
This restriction does not apply to versions later than V200R008C00.
After multiple switches form a stack, the following features cannot be
configured in the stack:
● Y.1731 one- and two-way frame delay measurement
● N:1 VLAN Mapping
● IPv6 over IPv4 tunnel
● IPv4 over IPv6 tunnel
● E-Trunk
When you establish a stack on the switches that support both stack card
connection and service port connection, such as S5720-C-EI, note the
following:
● All member switches must use the same stack connection mode.
● When a member switch has stack cards installed and the service port stack
configuration, the switch uses the service port connection mode to establish a
stack. It does not use the stack card connection mode even though a stack
fails to be established in service port connection mode and stack cards are
connected correctly.
● A switch uses the stack card connection mode to establish a stack only when
it has no service port stack configuration.
● If a switch is currently using the stack card connection mode, perform the
service port stack configuration on the switch before changing the stack
connection mode to service port connection. After the service port stack
configuration is complete, the switch uses the service port connection mode
when restarting.
● If a switch using the stack card connection mode has service port
configuration, a smooth upgrade cannot be performed on the switch.
● If a switch is currently using the service port connection mode, correctly
connect stack cards and stack cables and clear the existing service port stack
configuration before changing the stack connection mode to stack card
connection. You can use the reset stack-port configuration command to
clear the existing service port stack configuration.
● When changing service port connection to stack card connection, you are
advised to remove the cables connected to service ports to prevent loops.
Deployment Recommendations
● Connect a stack to other network devices using an Eth-Trunk and add one
port of each member switch to the Eth-Trunk.
● When a stack connects to access devices, configure ports directly connected to
terminals as STP edge ports to prevent STP re-calculation when the ports
alternate between Up and Down states. This configuration ensures normal
traffic forwarding.
3.4.1.3 Example for Setting Up a Stack Using Stack Cards (V200R001 and
Later Versions)
Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-30, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-EIs set up a stack.
Configuration Roadmap
1. Power off SwitchA, SwitchB, and SwitchC, install an ES5D00ETPC00 stack card
on each switch, and then power on the three switches.
NOTE
● The ES5D00ETPC00 stack card does not support hot swap. You need to power off a
switch before installing the stack card on the switch.
● You can perform software configurations only after installing a stack card on the
switch.
2. Enable the stacking function.
3. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
4. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using PCIe cables, and then power on the three switches.
5. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
6. Configure multi-active detection (MAD) in relay mode to ensure network
availability when the stack splits. The stack split detection mechanism is
called dual-active detection (DAD) in V200R002 and earlier versions and MAD
in later versions.
Procedure
Step 1 Turn off power supplies of SwitchA, SwitchB, and SwitchC, install an
ES5D00ETPC00 stack card on each switch, and then power on the three switches.
Step 3 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger
than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.
Step 4 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using PCIe cables as shown in Figure 3-31, and then power on the
three switches.
NOTE
● Run the save command to save the configurations before you power off the switches.
● STACK 1 port of one switch must be connected to STACK 2 port of another switch.
Otherwise, the stack cannot be set up.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. First, power on the switch that you want to specify as the
master switch. In this example, SwitchA becomes the master switch after you complete
the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step
5.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details,
see step 5.
Press the MODE button on any member switch to change the mode status
indicator to the stack mode.
● If the mode status indicators on all the member switches change to the stack
mode, the stack is set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, the stack is not set up.
NOTE
● The S5700-EI, S5700-SI, and S5710-C-LI use the same mode status indicator to show the
stack and speed modes. After you press the MODE button, the indicator turns steady red and
goes off after 45 seconds, indicating that the switch has entered the stack mode.
● The S5720-EI has an independent stack mode indicator (STCK indicator). After you press the
MODE button, the indicator turns steady green or blinks and goes off after 45 seconds,
indicating that the switch has entered the stack mode.
Log in to the stack to check whether the number of member switches in the stack
is the same as the actual value and whether the stack topology is the same as the
actual hardware connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack mode: Card
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx5
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: 0
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master xxxx-xxxx-xxx5 200 S5728C-EI
1 Standby xxxx-xxxx-xxx1 100 S5728C-EI
2 Slave xxxx-xxxx-xxx2 100 S5728C-EI
# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-
Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport gigabitethernet 0/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 1/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 2/0/5
[Stack-Eth-Trunk10] quit
# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit
Step 8 Configure MAD in relay mode and configure SwitchD as the relay agent.
# In the stack, configure MAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay //This command is used in versions later than V200R002.
The command used in V200R002 and earlier versions is dual-active detect mode relay.
[Stack-Eth-Trunk10] return
----End
Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
mad detect mode relay
#
interface GigabitEthernet0/0/5
eth-trunk 10
#
interface GigabitEthernet1/0/5
eth-trunk 10
#
interface GigabitEthernet2/0/5
eth-trunk 10
#
return
Overview
When S2710-SI, S2700-EI, S3700-SI, and S3700-EI switches set up stacks using
service ports, you do not need to manually configure stack ports. After the
switches are correctly connected using stack cables, a stack can be set up
automatically.
Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-32, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S3700-EIs set up a stack.
Configuration Roadmap
1. The stacking function is enabled by default on the S3700-EI. Therefore, these
switches can set up a stack immediately after they are connected using stack
cables, without additional configuration. To facilitate device management and
identification, configure device names, stack IDs, and stack priorities for stack
member switches.
2. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using SFP stack cables, and then power on the three switches.
3. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
Procedure
Step 1 Configure device names to differentiate devices.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger
than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.
Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP stack cables as shown in Figure 3-33, and then power on
the three switches.
NOTE
● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step
4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx8
MAC switch delay time: never
Stack reserved vlanid : 4093
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
0     Master   xxxx-xxxx-xxx8  200       S3728TP-EI
1     Standby  xxxx-xxxx-xxx1  100       S3728TP-EI
2     Slave    xxxx-xxxx-xxx5  100       S3728TP-EI
# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/3
[SwitchD-Eth-Trunk10] return
----End
Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
#
interface Ethernet0/0/5
 eth-trunk 10
#
interface Ethernet1/0/5
 eth-trunk 10
#
interface Ethernet2/0/5
 eth-trunk 10
#
return
Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.
Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-34, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-LIs set up a stack.
Configuration Roadmap
1. Configure logical stack ports and add physical member ports to the
corresponding logical stack ports to enable packet forwarding between
member switches.
2. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
3. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using SFP+ stack cables, and then power on the three switches.
4. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
5. Configure dual-active detection (DAD) in relay mode to ensure network
availability when the stack splits.
Procedure
Step 1 Configure logical stack ports and add physical member ports to them.
NOTE
Interface stack-port 0/1 of one switch must be connected to interface stack-port 0/2 of
another switch. Otherwise, the stack cannot be set up.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stack port interface gigabitethernet 0/0/27 enable
[SwitchA] stack port interface gigabitethernet 0/0/28 enable
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port member-group interface gigabitethernet 0/0/27
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port member-group interface gigabitethernet 0/0/28
[SwitchA-stack-port0/2] quit
Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger
than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.
Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables as shown in Figure 3-35, and then power
on the three switches.
NOTE
● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.
● The S6700-EI uses the mode status indicator to show the stack and speed modes. After you
press the MODE button, the indicator is steady red and off after 45 seconds, indicating that
the switch enters the stack mode.
● The S5700-LI and S5710-EI have an independent stack mode indicator (STCK indicator).
After you press the MODE button, the indicator is steady green or blinking and off after 45
seconds, indicating that the switch enters the stack mode.
# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit
Step 7 Configure DAD in relay mode on SwitchD and configure SwitchD as the relay
agent.
# In the stack, configure DAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] dual-active detect mode relay
[Stack-Eth-Trunk10] return
----End
Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
 dual-active detect mode relay
#
interface GigabitEthernet0/0/5
 eth-trunk 10
#
interface GigabitEthernet1/0/5
 eth-trunk 10
#
interface GigabitEthernet2/0/5
 eth-trunk 10
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk10
 dual-active relay
#
interface GigabitEthernet0/0/1
 eth-trunk 10
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return
3.4.1.6 Example for Setting Up a Stack Using Service Ports (V200R003 and Later Versions)
Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.
Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-36, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-28X-LI-AC switches set up a stack.
Configuration Roadmap
1. Configure logical stack ports and add physical member ports to the
corresponding logical stack ports to enable packet forwarding between
member switches.
2. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
3. Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables, and then power on the three switches.
4. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
5. Configure multi-active detection (MAD) in relay mode to ensure network
availability when the stack splits.
Procedure
Step 1 Configure logical stack ports and add physical member ports to them.
NOTE
Interface stack-port 0/1 of one switch must be connected to interface stack-port 0/2 of
another switch. Otherwise, the stack cannot be set up.
Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger
than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.
Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables as shown in Figure 3-37, and then power
on the three switches.
NOTE
● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.
NOTE
● The S5700-SI, S5700-EI, S5700-HI, S6700-EI, S5710-C-LI use the same mode status indicator
to show the stack and speed modes. After you press the MODE button, the indicator is
steady red and off after 45 seconds, indicating that the switch enters the stack mode.
● The S5732-H, S6730-S, S6730S-S, S6720-HI, S6730-H, and S6730S-H have an independent
stack master/slave indicator to show the MST. If the indicator is off, the switch is not a stack
master. If the indicator is steady green, the switch is a stack master or standalone switch.
● Other models have an independent stack mode indicator (STCK indicator). After you press
the MODE button, the indicator is steady green or blinking and off after 45 seconds,
indicating that the switch enters the stack mode.
# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit
Step 7 Configure MAD in relay mode on SwitchD and configure SwitchD as the relay
agent.
# In the stack, configure MAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay
[Stack-Eth-Trunk10] return
----End
Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
 mad detect mode relay
#
interface GigabitEthernet0/0/5
 eth-trunk 10
#
interface GigabitEthernet1/0/5
 eth-trunk 10
#
interface GigabitEthernet2/0/5
 eth-trunk 10
#
return
Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.
Precautions
● Connect member switches using dedicated stack cables based on the
following rules:
– Connect the switches in sequence from top to bottom.
– Ensure that all logical stack ports of the top switch are connected to the
master ends of cables, all logical stack ports of the bottom switch are
connected to the slave ends of cables, and two logical stack ports of the
intermediate switch are connected to the master and slave ends
respectively.
– After the switches have been connected using dedicated stack cables,
they automatically set up a stack and their stack IDs as well as stack
roles are automatically assigned.
– If the switches are not connected in a ring topology, you only need to
ensure that logical stack port 1 of the local switch is connected to logical
stack port 2 of the remote switch. In this situation, these switches can set
up a stack, but their master and standby roles and stack IDs are
randomly generated.
● Ensure that there are no service configurations on the ports that have
dedicated stack cables connected. Otherwise, these ports cannot
automatically become stack ports and the switches cannot set up a stack.
– On ASs in an SVF system, ensure that there are no other configurations
except the shutdown and stp root-protection command configurations
on ports.
– On other switches, ensure that there are no other configurations except
the shutdown command configuration on ports.
● If logical stack port numbers have been manually configured before dedicated
stack cables are connected, the configured port numbers still take effect after
the cables are connected. You need to connect these ports based on the
configured port numbers. If logical stack port numbers are not manually
configured, corresponding logical stack port numbers will be automatically
generated after dedicated stack cables are connected. To view logical stack
ports of ports supporting dedicated stack cables and master as well as slave
ends of the cables connected to these ports, run the display stack port auto-
cable-info command.
Networking Requirements
An enterprise network needs to provide sufficient ports for access devices, and the
network structure should be simple to facilitate configuration and management.
As shown in Figure 3-38, SwitchA, SwitchB, and SwitchC set up a stack in a ring
topology and connect to SwitchD through an inter-chassis Eth-Trunk. To reduce
the configuration effort, the three switches set up the stack using dedicated stack
cables. In the stack, SwitchA needs to function as the master switch, SwitchB as
the standby switch, and SwitchC as the slave switch.
This example describes how to use S5720-28P-PWR-LI-AC switches to set up a
stack.
Configuration Roadmap
1. Power off SwitchA, SwitchB, and SwitchC to ensure security.
2. Connect the switches using dedicated stack cables based on dedicated stack
cable connection rules.
3. Power on these switches in the following sequence to ensure that SwitchA,
SwitchB, and SwitchC become the master switch, standby switch, and slave
switch respectively.
4. Save the stack configuration automatically generated for dedicated cable
stacking to the flash memory. This ensures that the stack configuration still
takes effect when these cables are removed or other cables are connected.
5. Configure an inter-chassis Eth-Trunk to increase reliability and uplink
bandwidth.
6. Configure multi-active detection in relay mode to ensure network availability
when the stack splits.
Procedure
Step 1 Power off SwitchA, SwitchB, and SwitchC.
Step 2 Power off SwitchA, SwitchB, and SwitchC and then connect them using dedicated
stack cables as shown in Figure 3-39.
NOTE
● Logical stack port 1 of the local switch must be connected to logical stack port 2 of the
adjacent switch. Otherwise, these switches cannot set up a stack.
● All logical stack ports of SwitchA must be connected to the master ends of dedicated stack
cables, and all logical stack ports of SwitchC must be connected to the slave ends of these
cables.
The preceding power-on sequence can guarantee only roles of these switches but
not their slot IDs. The following assumes that SwitchA, SwitchB, and SwitchC use
automatically generated slot IDs 0, 1, and 2 respectively.
Press the mode switching (MODE) button on any member switch to change the
mode status indicator to the stack mode.
● If the mode status indicators on all member switches change to the stack
mode, a stack has been set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, a stack has not been set up.
NOTE
● The S5700-SI, S5700-EI, S5700-HI, S6700-EI, S5710-C-LI use the same mode status indicator
to show the stack and speed modes. After you press the MODE button, the indicator is
steady red and off after 45 seconds, indicating that the switch enters the stack mode.
● The S5732-H, S6730-S, S6730S-S, S6720-HI, S6730-H, and S6730S-H have an independent
stack master/slave indicator to show the MST. If the indicator is off, the switch is not a stack
master. If the indicator is steady green, the switch is a stack master or standalone switch.
● Other models have an independent stack mode indicator (STCK indicator). After you press
the MODE button, the indicator is steady green or blinking and off after 45 seconds,
indicating that the switch enters the stack mode.
Step 5 Save the stack configuration that is automatically generated for dedicated cable
stacking to the flash memory.
# After verifying that a stack has been set up, save the stack configuration that is
automatically generated for dedicated cable stacking to the flash memory.
[Stack] save stack configuration
Warning: This operation will save all stack configurations to flash. Are you sure you want to continue? [Y/N]:y
# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit
Step 8 Configure MAD in relay mode on SwitchD and configure SwitchD as the relay
agent.
# In the stack, configure MAD in relay mode on the inter-chassis Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay
[Stack-Eth-Trunk10] return
----End
Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
d. After the configuration is complete, check whether SwitchC has the same
stack configuration as SwitchA. If so, power off SwitchC.
e. (Optional) To prevent OSPF, BGP, or LDP flapping during a master/backup
switchover in a stack, configure graceful restart (GR) for the corresponding
protocol. For details, see the configuration guide of the corresponding
protocol.
f. Run the display stack command to check whether SwitchA is the master
switch. If so, run the slave switchover command to perform an active/
standby switchover in the stack. If not, go to the next step.
<HUAWEI> display switchover state //Check whether the active/standby switchover
conditions are met.
Slot 0 HA FSM State(master): realtime or routine backup. //The switchover can be performed
only in this state.
Slot 1 HA FSM State(slave): receiving realtime or routine data.
<HUAWEI> system-view
[HUAWEI] slave switchover enable //Enable the active/standby switchover.
[HUAWEI] slave switchover //Perform an active/standby switchover.
Warning: This operation will switch the slave board to the master board. Continue? [Y/N]:y
After an active/standby switchover is performed, the master switch will
restart. After the switch restarts and joins the stack again, go to the next
step. To check whether the switch has joined the stack again, run the
display stack command.
g. Power off and remove SwitchA.
h. Install SwitchC and connect cables to its service ports, stack ports, and
ports that have dual-active detection (DAD) configured.
i. Power on SwitchC so that SwitchC joins the stack as a new member. Run
the display stack command to check whether SwitchC can set up a stack
with SwitchB.
j. After SwitchC and SwitchB set up a stack, run the display stack
configuration and display stack port commands to check the stack
configuration and interface status. Ensure that the stack configuration is
the same as that used before the device replacement and that interfaces
become Up normally.
k. After confirming all services are normal, run the save command to save
the stack configuration.
l. If the current master and standby switches are different from those
before the device replacement, perform an active/standby switchover.
● Replace one member switch in a stack of three or more member switches
(in a ring topology).
In a stack set up by three or more member switches in a ring topology, the
device replacement procedure is similar to that in a stack of two member
switches. For details, see Replace one member switch in a stack of two
member switches.
● Replace one member switch in a stack of three or more member switches
(in a chain topology).
In a stack set up by three or more member switches in a chain topology, the
replacement procedure of edge switches on both ends is similar to that in a
stack of two member switches. For details, see Replace one member switch
in a stack of two member switches. To replace an intermediate switch,
change the stack connection topology to the ring topology and then replace
the switch according to Replace one member switch in a stack of two
member switches. The procedure is as follows:
a. On edge switches on both ends, create a logical stack port and add
member ports into the logical stack port, and then connect these ports
using cables.
<HUAWEI> system-view
[HUAWEI] interface stack-port 1/1 //Create a logical stack port.
[HUAWEI-stack-port1/1] port interface gigabitethernet 1/0/46 enable //Add a member
port to the logical stack port.
After cables are connected, run the display stack command to check
whether the stack connection topology is changed to the ring topology.
b. After the stack connection topology changes to ring topology, replace the
switch according to Replace one member switch in a stack of two
member switches.
c. To restore the stack connection topology to chain topology after the
replacement, remove the stack cables connected in step 1.
Networking Requirements
In Figure 3-40, the stack IDs of stack members are 3, 1, and 2 from top to bottom.
These stack IDs need to be planned again based on the location to facilitate
device management.
Check the information about the stack members and their current stack IDs.
Change the stack IDs according to the following rules. After the change, verify
that the result is correct by checking the MAC addresses of the devices in each
slot.
● Slot 3 → Slot 1
● Slot 1 → Slot 2
● Slot 2 → Slot 3
NOTE
To change the stack IDs, you need to restart the devices, which interrupts services. Therefore,
perform this operation during a planned maintenance window.
Procedure
Step 1 Shut down the uplink and downlink ports of the stack to isolate the stack from
the network.
<Stack> system-view
[Stack] interface gigabitethernet 3/0/8
[Stack-GigabitEthernet3/0/8] shutdown
[Stack-GigabitEthernet3/0/8] quit
[Stack] interface gigabitethernet 1/0/9
[Stack-GigabitEthernet1/0/9] shutdown
[Stack-GigabitEthernet1/0/9] quit
[Stack] interface gigabitethernet 2/0/5
[Stack-GigabitEthernet2/0/5] shutdown
[Stack-GigabitEthernet2/0/5] quit
[Stack] interface gigabitethernet 3/0/6
[Stack-GigabitEthernet3/0/6] shutdown
[Stack-GigabitEthernet3/0/6] quit
Step 2 After the stack IDs are changed, the configurations of the interfaces with the
original stack IDs will be lost. Therefore, you need to perform the same
configurations on the new interfaces before changing the stack IDs.
For example, the interfaces with the original stack IDs have the following
configurations:
#
interface GigabitEthernet3/0/6
 description ToPC
 port link-type access
 port default vlan 10
#
interface GigabitEthernet3/0/8
 eth-trunk 10
#
interface GigabitEthernet1/0/9
 eth-trunk 10
#
interface GigabitEthernet2/0/5
 description ToIPPhone-01
Step 3 Change the stack IDs, save the configurations, and restart the switches.
[Stack] stack slot 3 renumber 1
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.
[Stack] stack slot 1 renumber 2
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.
[Stack] stack slot 2 renumber 3
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.
[Stack] quit
<Stack> save
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 3.........
Save the configuration successfully.
Now saving the current configuration to the slot 1.
Save the configuration successfully.
Now saving the current configuration to the slot 2.
Save the configuration successfully.
<Stack> reboot
Info: The system is now comparing the configuration, please wait...................
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
Step 4 After the restart is complete, check whether the stack status, stack IDs, and
interface configurations are correct. If the configurations on the interfaces are
incorrect, reconfigure the interfaces.
Step 5 If the configurations are correct, enable the uplink and downlink ports of the
stack.
<Stack> system-view
[Stack] interface gigabitethernet 1/0/8
[Stack-GigabitEthernet1/0/8] undo shutdown
[Stack-GigabitEthernet1/0/8] quit
[Stack] interface gigabitethernet 2/0/9
[Stack-GigabitEthernet2/0/9] undo shutdown
[Stack-GigabitEthernet2/0/9] quit
[Stack] interface gigabitethernet 3/0/5
[Stack-GigabitEthernet3/0/5] undo shutdown
[Stack-GigabitEthernet3/0/5] quit
[Stack] interface gigabitethernet 1/0/6
[Stack-GigabitEthernet1/0/6] undo shutdown
[Stack-GigabitEthernet1/0/6] quit
----End
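The stack ID change above has two points where a slip is easy to miss: in Step 2 the port configuration bound to the old slot IDs is lost unless it has been re-created under the new interface names first, and in Step 4 the only reliable way to confirm that each member landed in its planned slot is to compare MAC addresses. The Python helpers below are an added example, not code from the Huawei guide: they rewrite the interface blocks under the new slot IDs in a single pass (so the circular plan 3 → 1 → 2 → 3 does not chain) and compare `display stack` output before and after the reboot; the configuration, the `display stack` text and the MAC addresses are constructed for the example, with the `display stack` layout taken from the output shown in the stack setup examples earlier on this page.

```python
import re

# Planned renumbering from the example: Slot 3 -> 1, Slot 1 -> 2, Slot 2 -> 3.
RENUMBER = {3: 1, 1: 2, 2: 3}

# Constructed sample: interface blocks from Step 2, with the one-space
# indentation VRP uses for sub-commands.
OLD_CONFIG = """\
#
interface GigabitEthernet3/0/6
 description ToPC
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/9
 eth-trunk 10
#
interface Eth-Trunk10
#
"""

# Constructed `display stack` output before and after the reboot, in the
# layout shown on this page. The MAC addresses are made up for the example.
STACK_BEFORE = """\
Stack topology type: Ring
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
1     Standby  0001-0002-0001  100       S3728TP-EI
2     Slave    0001-0002-0002  100       S3728TP-EI
3     Master   0001-0002-0003  200       S3728TP-EI
"""
STACK_AFTER = """\
Stack topology type: Ring
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
1     Master   0001-0002-0003  200       S3728TP-EI
2     Standby  0001-0002-0001  100       S3728TP-EI
3     Slave    0001-0002-0002  100       S3728TP-EI
"""

# "interface GigabitEthernet3/0/6" -> prefix, slot "3", rest "/0/6";
# "interface Eth-Trunk10" has no slot/card/port triple and is left unchanged.
_IFACE_RE = re.compile(r"^(interface\s+[A-Za-z-]+?)(\d+)(/\d+/\d+)$")
_ROW_RE = re.compile(r"^(\d+)\s+(Master|Standby|Slave)\s+"
                     r"([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+(\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Split a VRP-style configuration into {interface line: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None              # '#' separates configuration blocks
        elif line.startswith("interface "):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def remap_slot_ids(config, mapping):
    """Rewrite interface names under the new slot IDs, so the same port
    configuration can be applied to the new interfaces before renumbering.
    The mapping is applied in one pass, so the circular plan 3->1->2->3 does
    not chain: GigabitEthernet3/0/6 becomes 1/0/6, not 2/0/6 or 3/0/6.
    """
    out = []
    for name, cmds in parse_interfaces(config).items():
        m = _IFACE_RE.match(name)
        if m:
            slot = int(m.group(2))
            name = f"{m.group(1)}{mapping.get(slot, slot)}{m.group(3)}"
        out += ["#", name] + [" " + c for c in cmds]
    return "\n".join(out + ["#"]) + "\n"


def parse_display_stack(output):
    """Parse the member table of `display stack` into {slot: member info}."""
    members = {}
    for line in output.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            members[int(m.group(1))] = {"role": m.group(2), "mac": m.group(3).lower(),
                                        "priority": int(m.group(4)), "model": m.group(5)}
    return members


def verify_renumber(before, after, mapping):
    """Check by MAC address that every member landed in its planned slot.
    Returns mismatch descriptions; an empty list means the plan was applied."""
    old, new = parse_display_stack(before), parse_display_stack(after)
    problems = []
    for old_slot, info in old.items():
        want = mapping.get(old_slot, old_slot)
        got = new.get(want)
        if got is None or got["mac"] != info["mac"]:
            problems.append(f"MAC {info['mac']} should be in slot {want}, found "
                            f"{got['mac'] if got else 'no member'}")
    return problems
```

Paste the output of `remap_slot_ids` onto the stack before running `stack slot ... renumber`, and run `verify_renumber` on the `display stack` output captured before the change and after the reboot.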
3.4.2.1.2 Software and Hardware Support for S7700 CSS Card Clustering
Table 3-12 Software and Hardware Support for S7706&S7706 PoE&S7712 CSS Card Clustering
Device Model: S7706, S7706 PoE, S7712
Number of CSS Cards Supported by Each Chassis: 2
License Required: No
3.4.2.1.3 Software and Hardware Support for S9700 CSS Card Clustering
CSS Card and Installation Slot:
● CSS card: EH1D2VS08000 (Eight ports on a CSS card are divided into two groups, each of which must have at least one cable connected.)
● Installation slot: subcard slot of EH1D2SRUC000
● CSS card and MPU models are abbreviated to VS08 and SRUC respectively.
Number of CSS Cards Supported by Each Chassis: 2
Hardware Configuration:
● Two S9706s, one S9706 and one S9712, or two S9712s can set up a CSS.
● Switches to set up a CSS must have both active and standby MPUs installed, and the two MPUs must have stack cards installed.
License Required: No
3.4.2.1.4 Software and Hardware Support for S7700 Service Port Clustering
NOTE
● Only two S7706 switches, two S7706 PoE switches, two S7712 switches, one S7706 and
one S7706 PoE, one S7706 and one S7712, or one S7706 PoE and one S7712 can set up
a CSS.
● SRUs in the same chassis must be the same model. To set up a stack, the local and
remote chassis must use SRUs of the same model, or one of the following combinations:
SRUA and SRUB, SRUH and SRUE, SRUH1 and SRUE, SRUH1 and SRUE1, SRUH and SRUE1,
SRUE and SRUE1, or SRUH and SRUH1 (for the last combination, both chassis must run
V200R010C00 or a later version).
● Each chassis can have at most two LPUs for CSS connection. It is recommended that you
use the same type of LPUs in a chassis for CSS connection. The two chassis must use the
same type of ports for CSS connection, for example, 10GE SFP+ optical ports.
● Each LPU allows only one logical CSS port. Each logical CSS port supports a maximum
of 32 physical member ports.
● Some ports on an LPU can function as CSS ports, while other ports on the LPU function
as service ports.
● A CSS can be set up as long as a logical CSS port has one CSS member port in Up state.
● Ports do not support the CSS function after being split.
● S7700 service port clustering is not under license control.
● LSS7C06HX6S0, LSS7C06HX6E0, and LSS7C02BX6E0 (100GE fiber ports): 1 m and 3 m
QSFP28 high-speed cable; QSFP28 optical module and fiber; 10 m QSFP28 AOC cable
3.4.2.1.5 Software and Hardware Support for S9700 Service Port Clustering
Device Model: S9706, S9712
Hardware Configuration:
● Only two S9706 switches, two S9712 switches, or one S9706 and one S9712 can set up a CSS.
● MPUs in one chassis must be the same model. MPUs in the local and peer chassis can be different models but are recommended to be the same model.
● Each chassis can have at most two LPUs for CSS connection. It is recommended that you use the same type of LPUs in a chassis for CSS connection. The two chassis must use the same type of ports for CSS connection, for example, 10GE SFP+ optical ports.
● Each LPU allows only one logical CSS port. Each logical CSS port supports a maximum of 32 physical member ports.
● Some ports on an LPU can function as CSS ports, while other ports on the LPU function as service ports.
● A CSS can be set up as long as a logical CSS port has one CSS member port in Up state.
License Required: No
3.4.2.2 Example for Setting Up a CSS of Two Member Switches Using CSS
Cards
Overview of CSS
A Cluster Switch System (CSS), also called a cluster, is a logical switch consisting
of two clustering-capable switches. It provides high forwarding performance and
high network reliability and scalability, while simplifying network management.
● High reliability: Member switches in a CSS work in redundancy mode. Link
redundancy can also be implemented between member switches through link
aggregation.
● High scalability: Switches can set up a CSS to increase the number of ports,
bandwidth, and packet processing capabilities.
● Simplified configuration and management: After two switches set up a CSS,
they are virtualized into one device. You can log in to the CSS from either
member switch to configure and manage the entire CSS.
In CSS card connection mode, member switches are connected using CSS cards on
MPUs and cluster cables. Compared with the service port connection mode, the
CSS card connection mode does not occupy common service ports, is easy to
configure, ensures high stability and low latency, but has higher hardware
requirements.
After a CSS is set up, you are advised to perform the following configurations:
● To simplify network configuration, increase uplink bandwidth, and improve
reliability, configure inter-device Eth-Trunks in the CSS, connect downstream
devices to the CSS in dual-homing mode, and add uplink and downlink ports
of the CSS to the Eth-Trunks.
● Configure the multi-active detection (MAD) function in the CSS. Two member
switches in a CSS use the same IP address and MAC address (CSS system MAC
address). Therefore, after the CSS splits, two CSSs using the same IP address
and MAC address exist. To prevent this situation, a mechanism is required to
check for IP address and MAC address conflicts after a split. MAD is a CSS
split detection protocol that provides split detection, multi-active handling,
and fault recovery mechanisms when a CSS splits due to a link failure. This
minimizes the impact of a CSS split on services.
MAD can be implemented in direct or relay mode, but these modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for
a CSS when an inter-device Eth-Trunk is configured in the CSS. The direct
mode occupies additional ports, and these ports can only be used for MAD
after being connected using common cables. In contrast to the direct mode,
the relay mode does not occupy additional ports.
Guidelines
● After two switches set up a CSS, the following features cannot be configured
in the CSS:
Networking Requirements
An enterprise needs to build a network that has a reliable core layer and simple
structure to facilitate configuration and management.
To meet requirements of the enterprise, core switches SwitchA and SwitchB set up
a CSS in CSS card connection mode. SwitchA is the master switch, and SwitchB is
the standby switch. Figure 3-41 shows the network topology. Aggregation
switches connect to the CSS through Eth-Trunks, and the CSS connects to the
upstream network through an Eth-Trunk. In this example, the core switches are
the S9706 switches.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Install hardware modules.
The following describes only the rule for connecting cluster cables between two
member switches. If you also need to install MPUs and CSS cards and learn about
installation details, see the Switch Cluster Setup Guide.
Select the required connection diagram based on the device model and CSS card
model to connect cluster cables.
NOTE
Follow these rules when connecting VSTSA CSS cards: Each VSTSA CSS card has four ports.
All ports with the same port number and color must be connected, as shown in the
preceding figure. For example, port 1 in blue on the left chassis must be connected to port
1 in blue on the right chassis.
The CSS set up using VSTSA CSS cards allows at most one faulty cluster cable.
Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.
# Configure the CSS function on SwitchA. Retain the default CSS connection mode
(CSS card connection) and the default CSS ID 1, and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css priority 100
# Configure the CSS function on SwitchB. Retain the default CSS connection mode
(CSS card connection), and set the CSS ID to 2 and CSS priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css id 2
[SwitchB] set css priority 10
NOTE
After the configuration is complete, run the display css status saved command to check
the CSS configuration.
The MASTER indicator on a CSS card of SwitchA is steady on, indicating that the
MPU with the CSS card installed is the active MPU of the CSS and SwitchA is the
master switch.
The MASTER indicators on the CSS cards of SwitchB are off, indicating that
SwitchB is the standby switch.
# Log in to the CSS through the console port on any MPU to check whether the
CSS has been set up successfully. In versions earlier than V200R005C00, you must
log in to the CSS through the console port on the active MPU.
<SwitchA> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
The command output shows the card status of both member switches, indicating
that the CSS has been set up successfully.
# Check whether CSS links are normal.
<SwitchA> display css channel
Chassis 1 || Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(UP 10G) ---||--- 2/7/0/3(UP 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
5 1/7 0/14 -- 1/7/0/5(UP 10G) ---||--- 2/8/0/5(UP 10G) -- 2/8 0/14
6 1/7 0/18 -- 1/7/0/6(UP 10G) ---||--- 2/8/0/6(UP 10G) -- 2/8 0/18
7 1/7 0/15 -- 1/7/0/7(UP 10G) ---||--- 2/8/0/7(UP 10G) -- 2/8 0/15
8 1/7 0/19 -- 1/7/0/8(UP 10G) ---||--- 2/8/0/8(UP 10G) -- 2/8 0/19
9 1/8 0/12 -- 1/8/0/1(UP 10G) ---||--- 2/8/0/1(UP 10G) -- 2/8 0/12
10 1/8 0/16 -- 1/8/0/2(UP 10G) ---||--- 2/8/0/2(UP 10G) -- 2/8 0/16
11 1/8 0/13 -- 1/8/0/3(UP 10G) ---||--- 2/8/0/3(UP 10G) -- 2/8 0/13
12 1/8 0/17 -- 1/8/0/4(UP 10G) ---||--- 2/8/0/4(UP 10G) -- 2/8 0/17
13 1/8 0/14 -- 1/8/0/5(UP 10G) ---||--- 2/7/0/5(UP 10G) -- 2/7 0/14
14 1/8 0/18 -- 1/8/0/6(UP 10G) ---||--- 2/7/0/6(UP 10G) -- 2/7 0/18
15 1/8 0/15 -- 1/8/0/7(UP 10G) ---||--- 2/7/0/7(UP 10G) -- 2/7 0/15
16 1/8 0/19 -- 1/8/0/8(UP 10G) ---||--- 2/7/0/8(UP 10G) -- 2/7 0/19
The command output shows that all the CSS links are Up, indicating that the CSS
has been set up successfully.
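The two checks the text performs by eye on the outputs above (every card Registered and Normal, every CSS link UP on both ends) are easy to script when a CSS is verified repeatedly or from an automation host. The following is an added example, not code from the Huawei guide: it parses the text of display device and display css channel as printed above. The sample outputs are constructed after those printouts, with an unregistered power module, an abnormal fan and one DOWN link injected so that the checks have something to report; the function names are this example's own.

```python
"""Parse 'display device' and 'display css channel' text to verify a CSS.
Added example, not part of the Huawei guide; sample outputs are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample of 'display device'. Chassis 1 has an unregistered power
# module and an abnormal fan on purpose.
DISPLAY_DEVICE = """\
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
PWR2 - - Present - Unregistered - NA
FAN1 - - Present PowerOn Registered Abnormal NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
FAN1 - - Present PowerOn Registered Normal NA
"""

# Constructed sample of 'display css channel' with link 3 deliberately DOWN.
DISPLAY_CSS_CHANNEL = """\
Chassis 1 || Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(DOWN 10G) ---||--- 2/7/0/3(DOWN 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
"""

Card = Tuple[str, str, str, str, str]  # slot, type, register, status, role
ROLES = {"Master", "Slave", "NA"}


def parse_display_device(text: str) -> Dict[int, List[Card]]:
    """Map chassis ID -> cards. Rows are read from the right because a
    sub-card row ('1 EH1D2VS08000 ...') has no Slot column of its own."""
    chassis: Dict[int, List[Card]] = {}
    current = None
    parent_slot = ""
    for line in text.splitlines():
        m = re.match(r"Chassis (\d+)", line)
        if m:
            current = int(m.group(1))
            chassis[current] = []
            continue
        tokens = line.split()
        # Skip the column header, the separator and the 'Device status' line.
        if current is None or len(tokens) < 7 or tokens[-1] not in ROLES:
            continue
        _online, _power, register, status, role = tokens[-5:]
        card_type = tokens[-6]
        if len(tokens) == 8:           # full row: Slot Sub Type ...
            slot = parent_slot = tokens[0]
        else:                          # sub-card row: Sub Type ...
            slot = f"{parent_slot}/{tokens[0]}"
        chassis[current].append((slot, card_type, register, status, role))
    return chassis


def css_formed(text: str) -> bool:
    """True when two chassis are listed and each has a Master MPU in a numbered slot."""
    devices = parse_display_device(text)
    return len(devices) == 2 and all(
        any(slot.isdigit() and role == "Master" for slot, _t, _r, _s, role in cards)
        for cards in devices.values())


def card_problems(text: str) -> List[str]:
    """Cards that are not both Registered and Normal, e.g. a failed fan."""
    return [f"chassis {c} slot {slot} ({ctype}): {reg}/{status}"
            for c, cards in parse_display_device(text).items()
            for slot, ctype, reg, status, _role in cards
            if reg != "Registered" or status != "Normal"]


LINK_RE = re.compile(r"(\d+/\d+/\d+/\d+)\((\w+) \S+\)")


def css_links_down(text: str) -> List[Tuple[int, str, str]]:
    """(link number, local port, peer port) for every link not UP on both ends."""
    down = []
    for line in text.splitlines():
        ends = LINK_RE.findall(line)
        if len(ends) != 2:
            continue
        num = int(line.split()[0])
        (local, lstate), (peer, pstate) = ends
        if lstate != "UP" or pstate != "UP":
            down.append((num, local, peer))
    return down


if __name__ == "__main__":
    print("CSS formed:", css_formed(DISPLAY_DEVICE))
    for problem in card_problems(DISPLAY_DEVICE):
        print("card problem:", problem)
    for num, local, peer in css_links_down(DISPLAY_CSS_CHANNEL):
        print(f"CSS link {num} down: {local} <-> {peer}")
```

Note that a CSS can report as formed while a card is still faulty: css_formed only looks at the chassis count and the Master MPUs, so card_problems is the check that catches the fan or power-module state a quick read of the output can miss.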
Step 5 Configure Eth-Trunks between the CSS and its upstream and downstream devices.
# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
[CSS-GigabitEthernet2/1/0/4] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchC to the Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 20
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/5
[CSS-GigabitEthernet2/1/0/5] eth-trunk 20
[CSS-GigabitEthernet2/1/0/5] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchD to the Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/1/0/5
[CSS-GigabitEthernet1/1/0/5] eth-trunk 30
[CSS-GigabitEthernet1/1/0/5] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 30
[CSS-GigabitEthernet2/1/0/3] return
Step 6 Configure the MAD function. The following procedure configures MAD in relay
mode and configures SwitchC as the relay agent using the commands applicable
to V200R003C00 and later versions.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay //In V200R002C00 and earlier versions, the command is dual-active detect mode relay.
[CSS-Eth-Trunk20] quit
[CSS] quit
----End
Configuration Files
● CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet1/1/0/5
eth-trunk 30
#
interface GigabitEthernet2/1/0/3
eth-trunk 30
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/5
eth-trunk 20
#
return
● SwitchC configuration file
#
sysname SwitchC
#
interface Eth-Trunk20
mad relay
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk30
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet1/0/2
eth-trunk 30
#
return
● SwitchE configuration file
#
sysname SwitchE
#
interface Eth-Trunk10
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return
Related Information
Tool
CSS Assistant
Overview of CSS
A Cluster Switch System (CSS), also called a cluster, is a logical switch consisting
of two clustering-capable switches. It provides high forwarding performance and
high network reliability and scalability, while simplifying network management.
● High reliability: Member switches in a CSS work in redundancy mode. Link
redundancy can also be implemented between member switches through link
aggregation.
● High scalability: Switches can set up a CSS to increase the number of ports,
bandwidth, and packet processing capabilities.
● Simplified configuration and management: After two switches set up a CSS,
they are virtualized into one device. You can log in to the CSS from either
member switch to configure and manage the entire CSS.
In service port connection mode, member switches are connected using service
ports, without a need for CSS cards. The service ports must be configured as
physical member ports of logical CSS ports. Figure 3-44 shows physical member
ports and logical CSS ports in a CSS.
Compared with the CSS card connection mode, the service port connection mode
is more flexible but is complex to configure and needs to occupy service ports on
LPUs.
After a CSS is set up, you are advised to perform the following configurations:
● To simplify network configuration, increase uplink bandwidth, and improve
reliability, configure inter-device Eth-Trunks in the CSS, connect downstream
devices to the CSS in dual-homing mode, and add uplink and downlink ports
of the CSS to the Eth-Trunks.
● Configure the multi-active detection (MAD) function in the CSS. Two member
switches in a CSS use the same IP address and MAC address (CSS system MAC
address). Therefore, after the CSS splits, two CSSs using the same IP address
and MAC address exist. To prevent this situation, a mechanism is required to
check for IP address and MAC address conflicts after a split. MAD is a CSS
split detection protocol that provides split detection, multi-active handling,
and fault recovery mechanisms when a CSS splits due to a link failure. This
minimizes the impact of a CSS split on services.
MAD can be implemented in direct or relay mode, but these modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for
a CSS when an inter-device Eth-Trunk is configured in the CSS. The direct
mode occupies additional ports, and these ports can only be used for MAD
after being connected using common cables. In contrast to the direct mode,
the relay mode does not occupy additional ports.
Guidelines
● When switches using SRUAs, SRUBs, SRUCs, and SRUDs set up a CSS in
service port clustering mode, the system software file (system startup
package) must be saved in the CF card. If it is saved in the flash memory, the
CSS cannot be set up in service port clustering mode.
● After two switches set up a CSS, the following features cannot be configured
in the CSS:
– Synchronous Ethernet clock
– Precision Time Protocol (PTP) (IEEE 1588)
● When configuring MAD, focus on the differences in the command syntax
between V200R002C00 and V200R003C00 (and later versions). In
V200R002C00, the split detection function is called dual-active detection
(DAD).
● Regardless of how many MAD links exist, ports of the standby switch will be
shut down and no longer forward service packets as long as the CSS splits.
Networking Requirements
An enterprise needs to build a network that has a reliable core layer and simple
structure to facilitate configuration and management and reduce deployment
costs.
To meet requirements of the enterprise, core switches SwitchA and SwitchB set up
a CSS in service port connection mode. SwitchA is the master switch, and SwitchB
is the standby switch. Figure 3-45 shows the network topology. Aggregation
switches connect to the CSS through Eth-Trunks, and the CSS connects to the
upstream network through an Eth-Trunk. In this example, the core switches are
the S9706 switches.
Configuration Roadmap
The configuration roadmap is as follows:
1. Install LPUs on SwitchA and SwitchB, and connect cluster cables. Connect four
service ports on two LPUs of each switch to improve bandwidth and reliability.
2. Set the CSS connection mode on SwitchA and SwitchB and set their CSS IDs to
1 and 2 and CSS priorities to 100 and 10 respectively. These configurations
ensure that SwitchA has a higher probability to become the master switch.
3. Configure two logical CSS ports on each of SwitchA and SwitchB and add two
physical member ports to each logical CSS port.
4. Enable the CSS function on SwitchA and then on SwitchB to ensure that
SwitchA becomes the master switch.
5. Check whether a CSS is set up successfully.
6. Configure uplink and downlink Eth-Trunks for the CSS to improve forwarding
bandwidth and reliability.
7. Configure MAD to minimize the impact of a CSS split on the network.
Procedure
Step 1 Install hardware modules.
The following describes only the rule for connecting cluster cables between two
member switches. If you also need to install LPUs and learn about installation
details, see the Switch Cluster Setup Guide.
Connect cluster cables according to the connection rule shown in Figure 3-46.
Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.
# Configure the CSS function on SwitchA. Configure the service port connection
mode, set the CSS priority to 100, and retain the default CSS ID 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode lpu
[SwitchA] set css priority 100
# Configure the CSS function on SwitchB. Configure the service port connection
mode, and set the CSS ID to 2 and CSS priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode lpu
[SwitchB] set css id 2
[SwitchB] set css priority 10
NOTE
After the configuration is complete, run the display css status saved command to check
the CSS configuration.
NOTE
After the configuration is complete, run the display css css-port saved command to check
whether the ports are Up.
---------------------------------------
1 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
2 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
The command output shows the card status of both member switches, indicating
that the CSS has been set up successfully.
# Check whether the CSS link topology is the same as the actual hardware
connection.
<SwitchA> display css channel all
CSS link-down-delay: 500ms
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/1/0/1 XGigabitEthernet2/1/0/1 2/1
2 1/1 XGigabitEthernet1/1/0/2 XGigabitEthernet2/1/0/2 2/1
3 1/2 XGigabitEthernet1/2/0/1 XGigabitEthernet2/2/0/1 2/2
4 1/2 XGigabitEthernet1/2/0/2 XGigabitEthernet2/2/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/1/0/1 XGigabitEthernet1/1/0/1 1/1
2 2/1 XGigabitEthernet2/1/0/2 XGigabitEthernet1/1/0/2 1/1
3 2/2 XGigabitEthernet2/2/0/1 XGigabitEthernet1/2/0/1 1/2
4 2/2 XGigabitEthernet2/2/0/2 XGigabitEthernet1/2/0/2 1/2
The command output shows that the CSS link topology is the same as the actual
hardware connection, indicating that the CSS has been set up successfully.
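The comparison the text asks for here, that the view printed by chassis 1 and the view printed by chassis 2 describe the same cabling, can be automated. The following is an added example, not code from the Huawei guide: it parses the two halves of display css channel all, reports every link that one chassis lists but the other does not report back, and also checks that all member ports of one logical CSS port reach a single logical CSS port of the peer (the pattern the output above shows; this example treats it as an assumption, not as a rule the page states). The sample is constructed after the output above, with chassis 2's last line altered so that both checks fire; function names are this example's own.

```python
"""Check that the two views of 'display css channel all' mirror each other.
Added example, not part of the Huawei guide; the sample output is constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: chassis 2's fourth line is wrong on purpose (it reports
# XGigabitEthernet2/2/0/2 cabled to 1/1/0/2 on CSS port 1/1).
DISPLAY_CSS_CHANNEL_ALL = """\
CSS link-down-delay: 500ms
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/1/0/1 XGigabitEthernet2/1/0/1 2/1
2 1/1 XGigabitEthernet1/1/0/2 XGigabitEthernet2/1/0/2 2/1
3 1/2 XGigabitEthernet1/2/0/1 XGigabitEthernet2/2/0/1 2/2
4 1/2 XGigabitEthernet1/2/0/2 XGigabitEthernet2/2/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/1/0/1 XGigabitEthernet1/1/0/1 1/1
2 2/1 XGigabitEthernet2/1/0/2 XGigabitEthernet1/1/0/2 1/1
3 2/2 XGigabitEthernet2/2/0/1 XGigabitEthernet1/2/0/1 1/2
4 2/2 XGigabitEthernet2/2/0/2 XGigabitEthernet1/1/0/2 1/1
"""

VIEW_RE = re.compile(r"^\s*Chassis (\d+) \|\| Chassis (\d+)")
ROW_RE = re.compile(r"^\s*\d+\s+(\d+/\d+)\s+(\S+)\s+(\S+)\s+(\d+/\d+)\s*$")
Link = Tuple[str, str, str, str]  # local CSS port, local LPU port, peer LPU port, peer CSS port


def parse_css_channel_all(text: str) -> Dict[int, List[Link]]:
    """Map the reporting chassis ID to the links it lists."""
    views: Dict[int, List[Link]] = {}
    current = None
    for line in text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = int(m.group(1))
            views[current] = []
            continue
        r = ROW_RE.match(line)
        if r and current is not None:
            views[current].append(r.groups())
    return views


def unmirrored_links(text: str) -> Dict[int, Set[Tuple[str, str]]]:
    """Per chassis view: (local port, peer port) pairs the other chassis does not report back."""
    views = parse_css_channel_all(text)
    pairs = {c: {(link[1], link[2]) for link in links} for c, links in views.items()}
    (c1, p1), (c2, p2) = pairs.items()        # exactly two member switches in a CSS
    return {c1: p1 - {(b, a) for a, b in p2},
            c2: p2 - {(b, a) for a, b in p1}}


def inconsistent_css_ports(text: str) -> List[str]:
    """Logical CSS ports whose member links do not all reach one peer logical CSS port."""
    problems = []
    for chassis, links in parse_css_channel_all(text).items():
        peers: Dict[str, Set[str]] = {}
        for local_css, _lp, _pp, peer_css in links:
            peers.setdefault(local_css, set()).add(peer_css)
        for local_css, peer_set in peers.items():
            if len(peer_set) > 1:
                problems.append(f"CSS port {local_css} reaches {sorted(peer_set)}")
    return problems


if __name__ == "__main__":
    for chassis, missing in unmirrored_links(DISPLAY_CSS_CHANNEL_ALL).items():
        for local, peer in sorted(missing):
            print(f"chassis {chassis} lists {local} <-> {peer}, peer does not report it")
    for problem in inconsistent_css_ports(DISPLAY_CSS_CHANNEL_ALL):
        print("inconsistent:", problem)
```

Empty results from both functions mean the printed topology is self-consistent, which is what the text takes as the sign that the cluster cables were connected as planned.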
Step 6 Configure Eth-Trunks between the CSS and its upstream and downstream devices.
# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface xgigabitethernet 1/3/0/4
[CSS-XGigabitEthernet1/3/0/4] eth-trunk 10
[CSS-XGigabitEthernet1/3/0/4] quit
[CSS] interface xgigabitethernet 2/3/0/4
[CSS-XGigabitEthernet2/3/0/4] eth-trunk 10
[CSS-XGigabitEthernet2/3/0/4] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchC to the Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/4/0/3
[CSS-GigabitEthernet1/4/0/3] eth-trunk 20
[CSS-GigabitEthernet1/4/0/3] quit
[CSS] interface gigabitethernet 2/4/0/5
[CSS-GigabitEthernet2/4/0/5] eth-trunk 20
[CSS-GigabitEthernet2/4/0/5] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchD to the Eth-Trunk.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
The command output shows information about member ports in Eth-Trunk 10.
Step 7 Configure the MAD function. The following procedure configures MAD in relay
mode and configures SwitchC as the relay agent using the commands applicable
to V200R003C00 and later versions.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay //In V200R002C00, the command is dual-active detect mode relay.
[CSS-Eth-Trunk20] quit
[CSS] quit
----End
Configuration Files
● CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/4/0/3
eth-trunk 20
#
interface XGigabitEthernet1/3/0/4
eth-trunk 10
#
interface GigabitEthernet1/4/0/5
eth-trunk 30
#
interface GigabitEthernet2/4/0/3
eth-trunk 30
#
interface XGigabitEthernet2/3/0/4
eth-trunk 10
#
interface GigabitEthernet2/4/0/5
eth-trunk 20
#
return
Related Information
Tool
CSS Assistant
Networking Requirements
Two modular switches at the aggregation layer use VRRP and STP to implement
gateway backup. To simplify the configuration, the two modular switches need to
be combined into a logical CSS.
In Figure 3-47, S1 and S2 at the aggregation layer are two standalone switches
and need to be combined into a CSS to simplify configuration and facilitate
maintenance and management.
When two standalone devices are combined into a CSS, major configuration
changes include:
● The VRRP gateway backup protocol deployed at the aggregation layer is not
required and its configuration needs to be deleted.
● The STP loop prevention protocol deployed at the access layer is not required
and its configuration needs to be deleted.
● The links at the access, aggregation, and core layers are changed to Eth-Trunks,
and related interface configurations need to be changed, including basic VLAN
configuration, QoS configuration, and ACL configuration.
Guidelines
● This operation applies to CSS card clustering and service port clustering.
Before combining two standalone switches into a CSS, ensure that the
hardware and software of the two switches meet CSS requirements. For CSS
card clustering, CSS cards and cluster cables have been prepared. For service
port clustering, service cards that support service port clustering and cluster
cables have been prepared.
● After the CSS function is enabled on a standalone switch, configurations on
the interfaces of the switch will be lost. Therefore, back up the configuration
file before enabling the CSS function.
● The following procedure provides only the related configurations. Whether
other configurations need to be changed depends on the actual networking.
Procedure
Step 1 In the original networking, traffic at the access layer is load-balanced among
multiple links through STP and VRRP. In Figure 3-48, some traffic is forwarded
through S1 and some traffic is forwarded through S2.
Step 2 Manually shut down the uplink and downlink ports of S2 to change the STP and
VRRP status so that S2 is isolated from the network and all traffic is forwarded
through S1, as shown in Figure 3-49.
Figure 3-49 Traffic forwarding after an STP and VRRP status switchover
Step 3 Back up the configuration file of S2. After the CSS function is enabled on a
standalone switch, the interface number format on the switch is changed from
slot ID/subcard ID/port number to stack member ID/slot ID/subcard ID/port
number, and the configurations on the interfaces of the switch are lost.
Step 4 Change S2 to the CSS state.
● Procedure for configuring service port clustering
a. Power off S2, install service cards, and power on S2.
b. Configure the CSS connection mode and CSS priority on S2.
<S2> system-view
[S2] set css mode lpu
[S2] set css priority 200 // Set the CSS priority to 200 to make S2 become the CSS master. The default CSS priority is 1.
[S2] display css status saved // Check whether the configuration is correct.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
c. Configure service ports as CSS ports. For example, configure service ports
XGE1/0/1, XGE1/0/2, XGE2/0/1, and XGE2/0/2 as CSS ports.
[S2] interface css-port 1
[S2-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[S2-css-port1] quit
[S2] interface css-port 2
[S2-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[S2-css-port2] quit
Step 5 Change the configuration of S2, which has been changed to a single-chassis
cluster CSS-1. Alternatively, change the configuration after S1 and S2 are
combined into a CSS. Changing the configuration of S2 before S1 and S2 are
combined into a CSS can reduce the traffic loss.
Step 8 Change S1 to the CSS state. After S1 is added to CSS-1, S1 uses the configuration
file of CSS-1.
● Procedure for configuring service port clustering
a. Power off S1, install service cards, connect the cluster cables between S1
and CSS-1, and power on S1.
b. Configure the cluster connection mode and CSS ID and retain the default
CSS priority 1 on S1.
<S1> system-view
[S1] set css mode lpu
[S1] set css id 2
[S1] display css status saved // Check whether the configuration is correct.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off LPU 1 On
c. Configure service ports as CSS ports. For example, configure service ports
XGE1/0/1, XGE1/0/2, XGE2/0/1, and XGE2/0/2 as CSS ports.
[S1] interface css-port 1
[S1-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[S1-css-port1] quit
[S1] interface css-port 2
[S1-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[S1-css-port2] quit
Step 10 Change the configurations of CSS-2 and add interfaces of CSS-2 to Eth-Trunks.
1. Add uplink ports XGE2/4/0/1 and XGE2/4/0/2 of CSS-2 to Eth-Trunks.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] trunkport xgigabitethernet2/4/0/1
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] trunkport xgigabitethernet2/4/0/2
[CSS-Eth-Trunk10] quit
2. Change the configurations of devices at the core layer and access layer and
bind physical ports to Eth-Trunks. The procedure is similar to the preceding
procedure.
Step 11 Run the undo shutdown command to enable the interfaces of CSS-2 and check
whether Layer 2 and Layer 3 forwarding between CSS-2 and devices at the core
layer and access layer is normal. In this case, S1 and S2 have been combined into
a CSS, as shown in Figure 3-53.
----End
NOTE
● When the parent version is earlier than V200R011C10, the AS version must be the same
as the parent version. Otherwise, this AS cannot go online. For example, if the parent
version is V200R010C00, the AS version must also be V200R010C00. When the parent
version is V200R011C10 or later, the parent version and AS version can be different, but
the parent version must be higher than or the same as the AS version and the AS
version must also be V200R011C10 or later. Table 1 describes the version mapping
between parent and AS. Table 2 describes supported parent and AS switch models in
different software versions.
● APs must use the software version matching that of the parent. For details, see "WLAN
Service Configuration - Licensing Requirements and Limitations for WLAN" in the
Configuration Guide - WLAN-AC.
● To check AP device types supported by the parent by default, run the display ap-type
all command on the parent.
Parent Version AS Version
V200R007C00 V200R007C00
V200R008C00 V200R008C00
V200R009C00 V200R009C00
V200R010C00 V200R010C00
V200R011C10 V200R011C10
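The version rule in the note above is the kind of check worth running before an AS is cabled to a parent, because a mismatch only shows up as the AS failing to go online. The following is an added example, not code from the Huawei guide: it encodes that rule (exact match below V200R011C10; from V200R011C10 on, the AS must be V200R011C10 or later and not newer than the parent) over version strings in the VxxxRyyyCzz form used on this page. Tolerating an optional SPCnnn suffix and the function names are this example's own assumptions.

```python
"""Decide whether an AS version can go online under a parent version.
Added example, not part of the Huawei guide."""
import re
from typing import Tuple

# Assumption of this example: an optional SPCnnn suffix is accepted and ordered.
VERSION_RE = re.compile(r"^V(\d+)R(\d+)C(\d+)(?:SPC(\d+))?$")
MIN_MIXED_VERSION = "V200R011C10"   # from the note: mixed versions allowed from here on


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'V200R011C10' -> (200, 11, 10, 0); the tuples compare in version order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v, r, c, spc = m.groups()
    return int(v), int(r), int(c), int(spc or 0)


def as_can_go_online(parent: str, as_version: str) -> bool:
    """Rule from the note: before V200R011C10 parent and AS must match exactly;
    from V200R011C10 on, the AS must be >= V200R011C10 and not newer than the parent."""
    p = parse_version(parent)
    a = parse_version(as_version)
    threshold = parse_version(MIN_MIXED_VERSION)
    if p < threshold:
        return p == a
    return threshold <= a <= p


def explain(parent: str, as_version: str) -> str:
    """One-line verdict for a parent/AS pair, for a pre-deployment report."""
    verdict = "can go online" if as_can_go_online(parent, as_version) else "CANNOT go online"
    return f"parent {parent} / AS {as_version}: {verdict}"


if __name__ == "__main__":
    # Constructed pairs covering each branch of the rule.
    for pair in [("V200R010C00", "V200R010C00"), ("V200R010C00", "V200R009C00"),
                 ("V200R012C00", "V200R011C10"), ("V200R011C10", "V200R012C00"),
                 ("V200R012C00", "V200R010C00")]:
        print(explain(*pair))
```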
Figure 3-55 Networking in which the parent and ASs are directly connected
on a wired campus network
Figure 3-56 Networking in which the parent and ASs are connected across an
intermediate network on a wired campus network
Figure 3-57 Networking in which the parent and ASs&APs are directly
connected on a wired and wireless converged campus network
Figure 3-58 Networking in which the parent and ASs&APs are connected
across an intermediate network on a wired and wireless converged campus
network
Configure the SVF forwarding mode. An SVF system supports two forwarding modes: centralized
forwarding and distributed forwarding.
● In centralized forwarding mode, traffic forwarded by the
local AS and forwarded between ASs is sent to the
parent for forwarding.
● In distributed forwarding mode, an AS directly forwards
local traffic and the parent forwards traffic between
ASs.
NOTE
● In centralized forwarding mode, ports of the ASs connected to
the same fabric port of the parent are isolated and so cannot
communicate at Layer 2, and need to have proxy ARP in the
corresponding VLAN configured using the arp-proxy inner-sub-vlan-proxy enable
command to communicate at Layer 3.
● In centralized forwarding mode, after an AS goes offline, traffic
of its attached network cannot be forwarded by the parent and
will be interrupted.
● In distributed forwarding mode, after an AS goes offline, in
versions earlier than V200R012C00, downlink ports of the AS
are automatically shut down. As a result, traffic of the AS
attached network will be interrupted. In V200R012C00 and
later versions, downlink ports of the AS will not be shut down,
and traffic of the AS attached network will be forwarded as
usual.
By default, the forwarding mode of an SVF system is
distributed forwarding.
Function Description
fabric port. , delete the existing configuration before reconfiguring them.
● In V200R019 and later versions, multiple configurations of this command can be
generated regardless of whether the VLAN, IP address, and MAC address are the same.
You do not need to delete the existing configuration. If the newly configured VLAN is
the same as the existing one, the IP address and MAC address in the original
configuration are replaced with the newly configured IP address and MAC address. If
the newly configured VLAN is different from the existing one, a new configuration is
generated.
Table 3-15 Commands not supported in the user view and diagnostic view of
ASs
Command View
● Commands that are supported in other views are used for service diagnosis
and fault location. In V200R009 and earlier versions, the uni-mng diag-mode
enable command must be executed first to enable the diagnostic mode.
acl 4000-4997
undo acl 4000-4997
● These commands vary depending on the AS device type. For details, see the
command reference of these devices.
● In independent mode, configuring some commands may cause an AS's failure
to go online. To prevent this problem, some commands listed in the following
table are not supported. If an unsupported command is executed on an AS, an
error message is displayed.
Function Command
S5720-HI 32 600
S6720-EI, S6720S-EI, S6730-S, S6730S-S 32 0
5. Select the required networking scenario. Table 3-18 lists the recommended
scenarios.
Figure 3-60 shows an ideal SVF networking. It has the following characteristics:
1. The parent is a CSS of two member devices.
2. Each Level-1 AS is dual-homed to two member devices of the parent through
uplink ports.
3. When an AS is a stack of multiple member devices, each member device is
connected to its upstream device through at least one link.
4. ASs are connected to upstream devices through uplink optical ports or uplink
combo ports.
5. APs are single-homed to ASs.
This SVF networking has the following advantages:
1. A failure of a single link between two devices affects only the bandwidth but
not services.
2. An AS performs multi-active detection (MAD), and its upstream device
functions as the MAD relay agent. When the AS splits as a stack, it can work
with the upstream device to perform MAD without affecting the system
stability.
Implementing the ideal SVF networking may fail because of restrictions such as
the distance between devices and cabling difficulties. You need to identify these
networking restrictions in advance and take appropriate measures. The following
provides suggestions on SVF deployment in different situations:
1. If the parent is a standalone device:
a. Deploy two MPUs on the parent to ensure reliability.
b. Connect each AS to the parent using at least two links and ensure that
the links are connected to at least two different LPUs of the parent.
2. If a level-1 AS cannot be dual-homed to the parent:
– Use a standalone device as a level-1 AS. If the AS needs to be a stack,
deploy member devices in the same physical location and ensure stack
Determining ASs
Select level-1 and level-2 ASs according to the following requirements:
1. ASs can connect to the parent only through uplink ports, and uplink ports of
most ASs are optical ports. Therefore, when an SVF system has two levels of
ASs, use ASs with downlink optical ports as level-1 ASs. Otherwise, you need
to use copper modules to ensure the connectivity between level-1 and level-2
ASs.
2. When services in an SVF system are similar, use ASs of the same type so that
faulty ASs can be replaced.
Select ASs according to hardware characteristics and the following table to meet
different networking requirements.
Determining APs
You need to select APs that are supported by the parent. First, use the following
methods to check whether the AP types are supported by the parent:
● (Recommended) Run the display ap-type all command on the parent to
check the AP types currently supported.
● Check the version mapping of the device model for the parent to check the
AP types supported by the parent.
Configuration Method
In an SVF system, two AS service configuration modes are available: centralized
mode and independent mode. The two modes cannot be used on the same AS.
In centralized mode, all service configurations for ASs are performed on the
parent. Therefore, the services that can be configured on ASs depend on the
services that can be configured on the parent, not on the services supported by
a standalone access switch.
Profile-based configuration: Create service profiles and specify device and port
groups on the parent, bind the service profiles to the device and port groups,
and then run the commit as { name as-name | all } command to deliver AS service
configurations. If multiple ASs or ports in an SVF system need the same
configurations, you can add these ASs or ports to the same group for batch
configuration. In this manner, the configuration efficiency is improved.
Configuration Roadmap
1. Determine the services to be configured for an AS.
2. Determine the configuration method based on 3.4.3.1.3 SVF Service
Deployment Limitations. For example, you need to configure SNMP on an
AS. According to "Service Configuration Supported on an AS", you determine
that SNMP can be configured only in independent mode.
3. Configure services based on the configuration method. Figure 3-61 illustrates
the process of delivering configurations from the parent to AS ports using
service profiles.
When configuring services for ASs through port groups, you only need to
focus on user ports on ASs. Whether services of fabric ports need to be
manually configured depends on networking scenarios:
– When the parent is directly connected to ASs, service configurations of
fabric ports on the parent and ASs will be automatically generated
according to service configurations of user ports.
– When the parent is connected to ASs across an intermediate network,
you need to configure services for the fabric port of the parent.
● In V200R009 and earlier versions, user ports on each AS can have a maximum
of 1 default VLAN, 1 voice VLAN, and 16 allowed VLANs. In V200R010 and
later versions, user ports on each AS can have a maximum of 1 default VLAN,
1 voice VLAN, and 32 allowed VLANs.
In an SVF system shown in Figure 3-62, the parent functions as the access control
authentication point of all users, and so services of the authentication server only
need to be configured on the parent once, simplifying deployment. The access
control enforcement points of all users are deployed on ASs. To ensure security,
users who fail authentication cannot access ASs.
An SVF system supports three access user authentication modes: MAC, 802.1X,
and Portal. Table 3-22 lists the characteristics and application scenarios of the
three authentication modes.
Attack on the control plane: ARP attack with fixed source MAC address; ARP
attack with fixed source IP address. Symptom: the CPU usage of the parent
becomes high, and traffic of some users is interrupted.
Attack on the forwarding plane: ARP Miss attack with fixed source IP address.
Symptom: the parent has a high CPU usage and cannot learn ARP entries.
Attack on the forwarding plane: ARP Miss attack with fixed source IP address.
Countermeasure: configure rate limiting for ARP Miss packets on the parent to
limit the packets based on the source IP address.
Precautions
● The Super Virtual Fabric (SVF) function on a parent is license controlled. The
license only enables the SVF function but does not control SVF service
specifications and only needs to be loaded on the parent.
● After the SVF function is enabled, switches do not support the In-Service
Software Upgrade (ISSU) function.
● When the parent version is earlier than V200R011C10, the AS version must be
the same as the parent version. Otherwise, this AS cannot go online. For
example, if the parent version is V200R010C00, the AS version must also be
V200R010C00.
● When the parent version is V200R011C10 or later, the parent version and AS
version can be different, but the parent version must be higher than or the
same as the AS version and the AS version must also be V200R011C10 or
later.
● When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these
interfaces must use GE instead of XGE optical modules.
● All member ports of the Eth-Trunk bound to the fabric port that connects the
parent to an AS must be located either all on X series cards or all on non-X
series cards. Otherwise, an access point (AP) cannot connect to the SVF system.
● If an AS is a stack set up using service ports, the AS must join an SVF system
after having the stacking function configured. This limitation does not apply
to an AS that is a stack set up using stack cards.
● When a cluster switch system (CSS) functioning as the parent is faulty:
– If one member switch in the CSS is faulty, the SVF function is not
affected.
– If the CSS splits but two member switches are working normally, the SVF
function becomes unavailable because ASs do not know which switch is
the parent. In this situation, you are advised to configure the dual-active
detection (DAD) function.
Networking Requirements
A new campus network has a large number of wired and wireless access devices.
The widely distributed access devices complicate management and configuration
of the access layer. Unified management and configuration of wired and wireless
access devices is required to reduce the management cost.
In this example, complete the following operations on access devices:
● Configure the administrator user name and password for access devices.
● Assign VLANs to ports of access devices.
● Set the user access authentication mode to 802.1X authentication.
As shown in Figure 3-63, two aggregation switches (SwitchA and SwitchB) set up
a Cluster Switching System (CSS) to improve reliability and function as the parent
to connect to multiple ASs and APs. Multiple active detection (MAD) in direct
mode must be configured on the parent to avoid conflicts when the CSS splits.
In this example, two S7700s function as the parent, an S5700-28P-PWR-LI
functions as a level-1 AS, an S2750-28TP-EI functions as a level-2 AS, and an
AP5010DN-AGN functions as an AP.
Data Plan
Item | Data | Description
Ports that connect the parent to AS1 | GE1/1/0/1 and GE2/1/0/1 | Add the two ports to Eth-Trunk1 and bind them to Fabric-port 1.
Ports that connect the parent to AS2 | GE1/1/0/2 and GE2/1/0/2 | Add the two ports to Eth-Trunk2 and bind them to Fabric-port 2.
Ports that connect the parent to AS3 | GE1/1/0/3 and GE2/1/0/3 | Add the two ports to Eth-Trunk3 and bind them to Fabric-port 3.
Ports that connect AS1 to AS4 | GE0/0/23 and GE0/0/24 | Add the two ports to Eth-Trunk4 and bind them to Fabric-port 4.
Ports that connect AS3 to AS5 | GE0/0/23 and GE0/0/24 | Add the two ports to Eth-Trunk5 and bind them to Fabric-port 5.
Configuration Roadmap
1. Configure SwitchA and SwitchB in the parent to set up a CSS using CSS cards
and configure MAD in direct mode to ensure high reliability of the SVF
system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including AS names (optional),
authentication mode, and fabric ports that connect the parent to level-1 ASs
and level-1 ASs to level-2 ASs.
4. Connect level-1 ASs to the parent and level-2 ASs using cables.
5. Configure service profiles and bind them to ASs.
6. Configure the downlink port (GE0/0/24) that connects AS2 to the AP,
configure AP access parameters, power on the AP, and connect the AP and
AS2 using cables to ensure that the AP can connect to the SVF system.
7. Log in to ASs to check the service configurations of the ASs.
Procedure
Step 1 Configure SwitchA and SwitchB in the parent to set up a CSS.
# Set the CSS connection mode, CSS ID, and CSS priority to CSS card connection,
1, and 100 for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode css-card
[SwitchA] set css id 1
[SwitchA] set css priority 100
# Set the CSS connection mode, CSS ID, and CSS priority to CSS card connection,
2, and 10 for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
Step 2 Configure the management VLAN in the SVF system and enable the SVF function
on the parent.
[SwitchA] vlan batch 11
[SwitchA] dhcp enable
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 192.168.11.1 24
[SwitchA-Vlanif11] dhcp select interface
[SwitchA-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[SwitchA-Vlanif11] quit
[SwitchA] capwap source interface vlanif 11
[SwitchA] stp mode rstp
[SwitchA] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y
NOTE
● If you do not perform this step, the system will generate AS device information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you need to perform this step, ensure that the configured model and mac-address
parameters are consistent with the actual AS information. The value of mac-address must
be the AS management MAC address or system MAC address. To view the AS management
MAC address, run the display as access configuration command on the AS. If the
management MAC displays --, the value of mac-address is the system MAC address. If the
configured parameters are inconsistent with the actual AS information, the AS cannot go
online.
[SwitchA-um] as name as1 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0011
[SwitchA-um-as-as1] quit
[SwitchA-um] as name as2 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0022
[SwitchA-um-as-as2] quit
[SwitchA-um] as name as3 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0033
[SwitchA-um-as-as3] quit
[SwitchA-um] as name as4 model S2750-28TP-EI-AC mac-address 00e0-fc00-0044
[SwitchA-um-as-as4] quit
[SwitchA-um] as name as5 model S2750-28TP-EI-AC mac-address 00e0-fc00-0055
[SwitchA-um-as-as5] quit
# Configure the fabric ports that connect AS1 to AS4 and AS3 to AS5.
[SwitchA] uni-mng
[SwitchA-um] as name as1
Step 4 Run the reset saved-configuration command to clear the configurations of ASs,
restart the ASs, and then connect level-1 ASs to the parent and level-2 ASs using
cables. Subsequently, an SVF system is set up.
NOTE
● Before restarting an AS, check whether the port that connects this AS to the parent is a
downlink port. You can run the display port connection-type access all command on this
AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-
direction fabric-port command on this AS to configure this port as an uplink port before
restarting this AS. Otherwise, this AS cannot go online.
● Before connecting an AS to the parent, ensure that the AS has no configuration file and no
input on the console port.
# After connecting cables, run the display as all command to check whether ASs
have connected to the SVF system.
[SwitchA] display as all
Total: 5, Normal: 5, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
4 S2750-EI 00e0-fc00-0055 192.168.11.250 normal as5
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS
has connected to the SVF system.
# Run the display uni-mng topology information command to view SVF
topology information.
[SwitchA] display uni-mng topology information
The topology information of uni-mng network:
<-->: direct link <??>: indirect link
T: Trunk ID *: independent AS
------------------------------------------------------------------------------
Local MAC Hop Local Port T || T Peer Port Peer MAC
------------------------------------------------------------------------------
00e0-fc00-1100 0 GE1/1/0/1 1 <-->0 GE0/0/27 00e0-fc00-0011
00e0-fc00-1100 0 GE2/1/0/1 1 <-->0 GE0/0/28 00e0-fc00-0011
00e0-fc00-1100 0 GE1/1/0/2 2 <-->0 GE0/0/27 00e0-fc00-0022
00e0-fc00-1100 0 GE2/1/0/2 2 <-->0 GE0/0/28 00e0-fc00-0022
00e0-fc00-1100 0 GE1/1/0/3 3 <-->0 GE0/0/27 00e0-fc00-0033
00e0-fc00-1100 0 GE2/1/0/3 3 <-->0 GE0/0/28 00e0-fc00-0033
00e0-fc00-0011 1 GE0/0/23 4 <-->0 GE0/0/1 00e0-fc00-0044
00e0-fc00-0011 1 GE0/0/24 4 <-->0 GE0/0/2 00e0-fc00-0044
00e0-fc00-0033 1 GE0/0/23 5 <-->0 GE0/0/1 00e0-fc00-0055
00e0-fc00-0033 1 GE0/0/24 5 <-->0 GE0/0/2 00e0-fc00-0055
------------------------------------------------------------------------------
Total items displayed : 10
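As an added example that is not part of the guide, the following Python script parses the two command outputs shown above and flags what an operator should want to catch when verifying an SVF system: an AS whose State is not normal, an AS whose MAC is not on the parent's as-auth whitelist, and a level-1 AS that is not dual-homed to both parent members (the ideal SVF networking described earlier). The sample output is constructed from the guide's example with an extra AS and one link removed to exercise the checks; treating the first number of the parent-side port name as the parent member (chassis ID on a CSS, stack member ID on a stacked parent) is an assumption that holds for both examples in this section.

```python
import re
from collections import defaultdict

# Constructed sample of `display as all`: the guide's five ASs plus an
# unexpected sixth one (as6) that is faulty and not on the as-auth whitelist.
AS_ALL_OUTPUT = """\
Total: 6, Normal: 5, Fault: 1, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
4 S2750-EI 00e0-fc00-0055 192.168.11.250 normal as5
5 S2750-EI 00e0-fc00-0066 192.168.11.249 fault as6
--------------------------------------------------------------------------------
"""

# Constructed sample of `display uni-mng topology information`: the link from
# chassis 2 to as3 (GE2/1/0/3) is missing, so as3 is single-homed.
TOPOLOGY_OUTPUT = """\
The topology information of uni-mng network:
<-->: direct link <??>: indirect link
T: Trunk ID *: independent AS
------------------------------------------------------------------------------
Local MAC Hop Local Port T || T Peer Port Peer MAC
------------------------------------------------------------------------------
00e0-fc00-1100 0 GE1/1/0/1 1 <-->0 GE0/0/27 00e0-fc00-0011
00e0-fc00-1100 0 GE2/1/0/1 1 <-->0 GE0/0/28 00e0-fc00-0011
00e0-fc00-1100 0 GE1/1/0/2 2 <-->0 GE0/0/27 00e0-fc00-0022
00e0-fc00-1100 0 GE2/1/0/2 2 <-->0 GE0/0/28 00e0-fc00-0022
00e0-fc00-1100 0 GE1/1/0/3 3 <-->0 GE0/0/27 00e0-fc00-0033
00e0-fc00-0011 1 GE0/0/23 4 <-->0 GE0/0/1 00e0-fc00-0044
00e0-fc00-0011 1 GE0/0/24 4 <-->0 GE0/0/2 00e0-fc00-0044
00e0-fc00-0033 1 GE0/0/23 5 <-->0 GE0/0/1 00e0-fc00-0055
00e0-fc00-0033 1 GE0/0/24 5 <-->0 GE0/0/2 00e0-fc00-0055
------------------------------------------------------------------------------
Total items displayed : 9
"""

# The as-auth whitelist from the guide's parent configuration.
WHITELIST = {"00e0-fc00-0011", "00e0-fc00-0022", "00e0-fc00-0033",
             "00e0-fc00-0044", "00e0-fc00-0055"}

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
AS_ROW = re.compile(rf"^(\d+)\s+(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)$")
TOPO_ROW = re.compile(rf"^({MAC})\s+(\d+)\s+(\S+)\s+(\d+)\s+<(?:--|\?\?)>(\d+)"
                      rf"\s+(\S+)\s+({MAC})$")


def parse_as_all(text):
    """Map AS MAC -> (name, state) from `display as all` output."""
    table = {}
    for line in text.splitlines():
        m = AS_ROW.match(line.strip())
        if m:
            _, _, mac, _, state, name = m.groups()
            table[mac] = (name, state)
    return table


def parse_topology(text):
    """List (local_mac, hop, local_port, peer_mac) for every topology row."""
    links = []
    for line in text.splitlines():
        m = TOPO_ROW.match(line.strip())
        if m:
            local_mac, hop, local_port, _, _, _, peer_mac = m.groups()
            links.append((local_mac, int(hop), local_port, peer_mac))
    return links


def member_index(port):
    """First index of a port name: chassis ID on a CSS parent (GE2/1/0/1 -> 2),
    stack member ID on a stacked parent (XGE1/0/1 -> 1). Assumed to identify
    the parent member in both of the guide's examples."""
    return int(re.search(r"(\d+)/", port).group(1))


def audit(as_all_text, topo_text, whitelist):
    """Return sorted findings; an empty list means the system looks as planned."""
    findings = []
    as_table = parse_as_all(as_all_text)
    for mac, (name, state) in as_table.items():
        if state != "normal":
            findings.append(f"{name}: state is {state}")
        if mac not in whitelist:
            findings.append(f"{name}: MAC {mac} is not on the as-auth whitelist")
    # Hop-0 rows are the parent's own links; a level-1 AS should be reached
    # from both parent members (dual-homing, as in the ideal SVF networking).
    members = defaultdict(set)
    for _, hop, local_port, peer_mac in parse_topology(topo_text):
        if hop == 0:
            members[peer_mac].add(member_index(local_port))
    for mac, idx in members.items():
        if len(idx) < 2:
            name = as_table.get(mac, (mac, None))[0]
            findings.append(f"{name}: level-1 AS single-homed to parent member {min(idx)} only")
    return sorted(findings)
```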
When the Commit/Execute Result field in the command output displays Success/
Success for an AS, the configurations in service profiles have been delivered to the
AS.
# Configure an AP ID.
[SwitchA] wlan
[SwitchA-wlan-view] ap id 1 ap-type ap5010dn-agn mac 00e0-fc00-0005
[SwitchA-wlan-ap-1] quit
# Power on the AP and connect the AP to AS2 using cables. Then run the display
ap all command to check whether the AP has connected to the SVF system.
Step 7 Log in to ASs to check the service configurations of the ASs. The following uses
the login to AS1 as an example.
# Run the attach as name as-name command on the parent to log in to AS1 and
check whether the configured login user name and password are correct.
[SwitchA] uni-mng
[SwitchA-um] attach as name as1
Info: Connecting to the remote AS now. Use the quit command to return to the user view.
Trying 192.168.11.254 ...
Press CTRL+K to abort
Connected to 192.168.11.254 ...
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
----End
Configuration Summary
1. When setting up a CSS for a parent, use the CSS card or service port
connection mode according to networking requirements. This example uses
the CSS card connection.
2. You can configure service profiles and bind them to ASs before or after the
ASs connect to the SVF system. The AS service configuration mode includes
the pre-configured and non-pre-configured modes depending on the time
services are configured. Whatever configuration mode you use, you must run
the commit as { name as-name | all } command to commit the configuration
after completing it.
– Pre-configured mode: Before ASs connect to the SVF system, pre-
configure service profiles, bind them to the ASs, save the configuration on
the parent, and then run the commit as { name as-name | all }
command to commit the configuration. When the ASs connect to the SVF
system, configurations in the service profiles are automatically delivered
to the ASs.
– Non-pre-configured mode: After ASs connect to the SVF system,
configure service profiles, bind them to the ASs, and then run the
commit as { name as-name | all } command to commit the
configuration so that configurations in the service profiles can be
delivered to the ASs.
3. After the SVF function is enabled, the Spanning Tree Protocol (STP) and Link
Layer Discovery Protocol (LLDP) functions are enabled globally on the parent.
Pay attention to the following points when using the STP and LLDP functions
in an SVF system:
– You can disable the STP and LLDP functions only on ports, not globally.
– Do not disable the LLDP function on member ports of a fabric port, ports
connected to APs, and AP uplink ports. Otherwise, the SVF topology will
become abnormal.
4. After the SVF function is enabled, the parent will change STP to Rapid
Spanning Tree Protocol (RSTP) and set the priority of instance 0 to 28672
using the stp instance 0 priority 28672 command. Note that the priority of
instance 0 cannot be set to a value greater than 28672. After the SVF function
is disabled, the default priority of instance 0 is restored. When the SVF
function is enabled or disabled, STP recalculates the port roles and changes
the port status. Traffic on the ports will be interrupted temporarily.
5. The MAD relay function is automatically enabled on the Eth-Trunk to which a
downlink fabric port is bound, and the MAD function is automatically enabled
on the Eth-Trunk to which an uplink fabric port is bound to perform MAD in
an AS that is a stack. When the standby switch in the AS is removed, MAD
cannot be performed because the standby switch restarts automatically
without saving the configuration.
6. To prevent the SVF function from being affected, do not perform MIB
operations to modify the configuration automatically generated in an SVF
system, for example, the configuration of STP, LLDP, and Eth-Trunk to which a
fabric port is bound.
7. If an AP has connected to the parent before the SVF function is enabled, the
parent cannot collect topology information about the AP after the uni-mng
command is used to enable the SVF function. You need to run the commit
{ all | ap ap-id } command in the WLAN view to commit the AP configuration.
Subsequently, the parent can collect topology information about the AP. From
V200R011C10, WLAN configurations are automatically delivered, without the
need of running the commit all command.
8. On the parent, there may be a delay in displaying the output of some
commands executed on ASs, including the patch delete all and patch load
filename all [ active | run ] commands.
9. In an SVF system, the maximum frame length allowed by ports cannot be
configured on an AS. Therefore, the maximum frame length (including the
CRC field) is the default value. The default value varies with the AS; for
details, see the jumboframe enable command.
10. Internal attacks of a management VLAN will cause ASs to disconnect from
the SVF system. You need to error down the attacked ports or remove the
ports from the management VLAN after identifying the attack source.
11. After an AS disconnects from the SVF system, in versions earlier than
V200R012C00, all downlink ports of the AS will be error down. In
V200R012C00 and later versions, to ensure that downlink networks of the AS
can communicate with each other, downlink ports of the AS will not be error
down.
12. Configured Control and Provisioning of Wireless Access Points (CAPWAP)
tunnel parameters apply to the SVF system. To ensure that the CAPWAP
tunnel of the SVF system works normally, you are advised to retain the
default CAPWAP tunnel parameters.
13. When an AS is an S5700-10P-LI, S5700-10P-PWR-LI-AC, S2720-EI
(V200R009C00 and V200R010C00) or S2750-EI, and the assign forward-
mode ipv4-hardware command has been executed in the system view to
enable Layer 3 hardware forwarding for IPv4 packets before the AS connects
to the SVF system:
– The AS cannot negotiate to connect to the SVF system if the AS directly
connects to the parent.
– Configuring a management VLAN is not allowed if the AS connects to the
parent across a network.
You need to start the AS in standalone mode and then run the undo assign
forward-mode command in the system view to disable Layer 3 hardware
forwarding for IPv4 packets.
14. In the SVF system, network access rights available before users pass network
admission control (NAC) authentication can be authorized through
authentication-free rules instead of a user control list (UCL) group.
15. SVF does not support built-in Portal servers.
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
loop-detection disable
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
mad detect mode direct
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/2/0/1
mad detect mode direct
#
capwap source interface vlanif11
#
wlan
wlan ap lldp enable
ap-auth-mode no-auth
ap id 1 type-id 30 mac 00e0-fc00-0005 sn 2102355547W0E3000316
wlan work-group default
#
as-auth
whitelist mac-address 00e0-fc00-0011
whitelist mac-address 00e0-fc00-0022
whitelist mac-address 00e0-fc00-0033
whitelist mac-address 00e0-fc00-0044
whitelist mac-address 00e0-fc00-0055
#
uni-mng
as name as1 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0011 //Check whether the configurations of ASs and ports connected to ASs are correct.
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/24
as name as2 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0022
as name as3 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0033
down-direction fabric-port 5 member-group interface Eth-Trunk 5
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/24
as name as4 model S2750-28TP-EI-AC mac-address 00e0-fc00-0044
as name as5 model S2750-28TP-EI-AC mac-address 00e0-fc00-0055
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as-admin-profile name admin_profile //Check the administrator profile configuration.
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile_1 //Check the network basic profile configuration.
user-vlan 10
Precautions
● The Super Virtual Fabric (SVF) function on a parent is license controlled. The
license only enables the SVF function but does not control SVF service
specifications and only needs to be loaded on the parent.
● The SVF function is mutually exclusive with the web initial login mode,
EasyDeploy, USB-based deployment, and NETCONF functions.
● When the parent version is earlier than V200R011C10, the AS version must be
the same as the parent version. Otherwise, this AS cannot go online. For
example, if the parent version is V200R010C00, the AS version must also be
V200R010C00.
● When the parent version is V200R011C10 or later, the parent version and AS
version can be different, but the parent version must be higher than or the
same as the AS version and the AS version must also be V200R011C10 or
later.
● When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these
interfaces must use GE instead of XGE optical modules.
● If an AS is a stack set up using service ports, the AS must join an SVF system
after having the stacking function configured. This limitation does not apply
to an AS that is a stack set up using stack cards.
● When a cluster switch system (CSS) functioning as the parent is faulty:
– If one member switch in the CSS is faulty, the SVF function is not
affected.
– If the CSS splits but two member switches are working normally, the SVF
function becomes unavailable because ASs do not know which switch is
the parent. In this situation, you are advised to configure the dual-active
detection (DAD) function.
Networking Requirements
A new campus network has a large number of wired access devices. The widely
distributed access devices complicate management and configuration of the
access layer. Unified management and configuration of wired access devices is
required to reduce the management cost.
In this example, complete the following operations on access devices:
● Configure the administrator user name and password for access devices.
● Assign VLANs to ports of access devices.
● Set the user access authentication mode to 802.1X authentication.
As shown in Figure 3-64, two aggregation switches (SwitchA and SwitchB) set up
a stack to improve reliability and function as the parent to connect to multiple
ASs. Multiple active detection (MAD) in direct mode must be configured on the
parent to avoid conflicts when the stack splits.
In this example, the parent is S6720S-26Q-EI-24S, and ASs are S5700S-28P-LI.
Data plan
Item | Data | Description
Ports that connect the parent to AS1 | XGE0/0/1 and XGE1/0/1 | Add the two ports to Eth-Trunk1 and bind them to Fabric-port 1.
Ports that connect the parent to AS2 | XGE0/0/2 and XGE1/0/2 | Add the two ports to Eth-Trunk2 and bind them to Fabric-port 2.
Ports that connect the parent to AS3 | XGE0/0/3 and XGE1/0/3 | Add the two ports to Eth-Trunk3 and bind them to Fabric-port 3.
Configuration Roadmap
1. Set up a stack between the parent switches using the service port connection
mode. Then set the stack working mode to parent and configure MAD in
direct mode to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including AS names (optional),
authentication mode, and fabric ports that connect the parent to ASs.
4. Connect ASs to the parent using cables.
5. Configure service profiles and bind them to ASs.
6. Log in to ASs to check the service configurations of the ASs.
Procedure
Step 1 Set up a stack between the two switches used as the parent. Set the stack working
mode to parent and configure MAD in direct mode.
# Configure service ports 40GE0/0/1 and 40GE0/0/2 of SwitchA as physical
member ports and add them to the logical stack ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port interface 40ge 0/0/1 enable
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port interface 40ge 0/0/2 enable
[SwitchA-stack-port0/2] quit
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port interface 40ge 0/0/2 enable
[SwitchB-stack-port0/2] quit
# Power off SwitchA and SwitchB, connect the physical member ports with QSFP+
copper ports, and then power on the switches. Connect the member port of logical
stack port 1 on one switch to the member port of logical stack port 2 on the other
switch.
# Log in to the stack and configure it to work in parent mode.
<SwitchA> system-view
[SwitchA] as-mode disable
Warning: Switching the AS mode will clear current configuration and reboot the system. Continue? [Y/N]:y
Step 2 Configure the management VLAN in the SVF system and enable the SVF function
on the parent.
[SwitchA] vlan batch 11
[SwitchA] dhcp enable
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 192.168.11.1 24
[SwitchA-Vlanif11] dhcp select interface
[SwitchA-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[SwitchA-Vlanif11] quit
[SwitchA] capwap source interface vlanif 11
[SwitchA] stp mode rstp
[SwitchA] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y
NOTE
● If you do not perform this step, the system will generate AS device information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you need to perform this step, ensure that the configured model and mac-address
parameters are consistent with the actual AS information. The value of mac-address must
be the AS management MAC address or system MAC address. To view the AS management
MAC address, run the display as access configuration command on the AS. If the
management MAC displays --, the value of mac-address is the system MAC address. If the
configured parameters are inconsistent with the actual AS information, the AS cannot go
online.
[SwitchA-um] as name as1 model S5700S-28P-LI-AC mac-address 00e0-fc00-0011
[SwitchA-um-as-as1] quit
[SwitchA-um] as name as2 model S5700S-28P-LI-AC mac-address 00e0-fc00-0022
[SwitchA-um-as-as2] quit
[SwitchA-um] as name as3 model S5700S-28P-LI-AC mac-address 00e0-fc00-0033
[SwitchA-um-as-as3] quit
[SwitchA] as-auth
[SwitchA-as-auth] undo auth-mode
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0011
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0022
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0033
[SwitchA-as-auth] quit
Step 4 Run the reset saved-configuration command to clear the configurations of ASs,
restart the ASs, and then connect ASs to the parent using cables. Subsequently, an
SVF system is set up.
NOTE
● Before restarting an AS, check whether the port that connects this AS to the parent is a
downlink port. You can run the display port connection-type access all command on this
AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-
direction fabric-port command on this AS to configure this port as an uplink port before
restarting this AS. Otherwise, this AS cannot go online.
● Before connecting an AS to the parent, ensure that the AS has no configuration file and no
input on the console port.
# After connecting cables, run the display as all command to check whether ASs
have connected to the SVF system.
[SwitchA] display as all
Total: 3, Normal: 3, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700S-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700S-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700S-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS
has connected to the SVF system.
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as2
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as3
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
When the Commit/Execute Result field in the command output displays Success/
Success for an AS, the configurations in service profiles have been delivered to the
AS.
Step 6 Log in to ASs to check the service configurations of the ASs. The following uses
the login to AS1 as an example.
# Run the attach as name as-name command on the parent to log in to AS1 and
check whether the configured login user name and password are correct.
[SwitchA-um] attach as name as1
Info: Connecting to the remote AS now. Use the quit command to return to the user view.
Trying 192.168.11.254 ...
Press CTRL+K to abort
Connected to 192.168.11.254 ...
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2016-03-25 22:31:18+00:00.
<HUAWEI>
----End
Configuration Summary
1. You can configure service profiles and bind them to ASs before or after the
ASs connect to the SVF system. The AS service configuration mode includes
the pre-configured and non-pre-configured modes depending on the time
services are configured. Whatever configuration mode you use, you must run
the commit as { name as-name | all } command to commit the configuration
after completing it.
– Pre-configured mode: Before ASs connect to the SVF system, pre-
configure service profiles, bind them to the ASs, save the configuration on
the parent, and then run the commit as { name as-name | all }
command to commit the configuration. When the ASs connect to the SVF
system, configurations in the service profiles are automatically delivered
to the ASs.
– Non-pre-configured mode: After ASs connect to the SVF system,
configure service profiles, bind them to the ASs, and then run the
commit as { name as-name | all } command to commit the
configuration so that configurations in the service profiles can be
delivered to the ASs.
2. After the SVF function is enabled, the Spanning Tree Protocol (STP) and Link
Layer Discovery Protocol (LLDP) functions are enabled globally on the parent.
Pay attention to the following points when using the STP and LLDP functions
in an SVF system:
– You can disable the STP and LLDP functions only on ports, not globally.
– Do not disable the LLDP function on member ports of a fabric port.
Otherwise, the SVF topology will become abnormal.
3. After the SVF function is enabled, the parent will change STP to Rapid
Spanning Tree Protocol (RSTP) and set the priority of instance 0 to 28672
using the stp instance 0 priority 28672 command. Note that the priority of
instance 0 cannot be set to a value greater than 28672. After the SVF function
is disabled, the default priority of instance 0 is restored. When the SVF
function is enabled or disabled, STP recalculates the port roles and changes
the port status. Traffic on the ports will be interrupted temporarily.
4. The MAD relay function is automatically enabled on the Eth-Trunk to which a
downlink fabric port is bound, and the MAD function is automatically enabled
on the Eth-Trunk to which an uplink fabric port is bound to perform MAD in
an AS that is a stack. When the standby switch in the AS is removed, MAD
cannot be performed because the standby switch restarts automatically
without saving the configuration.
5. To prevent the SVF function from being affected, do not perform MIB
operations to modify the configuration automatically generated in an SVF
system, for example, the configuration of STP, LLDP, and Eth-Trunk to which a
fabric port is bound.
6. On the parent, there may be a delay in displaying the output of some
commands executed on ASs, including the patch delete all and patch load
filename all [ active | run ] commands.
7. In an SVF system, the maximum frame length allowed by ports cannot be
configured on an AS. Therefore, the maximum frame length is the default
value 9216 (including the CRC field).
8. Attacks originating inside the management VLAN can cause ASs to disconnect
from the SVF system. After identifying the attack source, set the attacked ports
to error-down or remove them from the management VLAN.
9. After an AS disconnects from the SVF system, in versions earlier than
V200R012C00, all downlink ports of the AS will be error down. In
V200R012C00 and later versions, to ensure that downlink networks of the AS
can communicate with each other, downlink ports of the AS will not be error
down.
10. Configured Control and Provisioning of Wireless Access Points (CAPWAP)
tunnel parameters apply to the SVF system. To ensure that the CAPWAP
tunnel of the SVF system works normally, you are advised to retain the
default CAPWAP tunnel parameters.
11. In the SVF system, network access rights available before users pass network
admission control (NAC) authentication can be authorized through
authentication-free rules instead of a user control list (UCL) group.
12. SVF does not support built-in Portal servers.
port-group name port_group //Check whether the port group has been bound to service profiles
and whether ports connected to ASs have been added to the port group.
network-basic-profile basic_profile
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
as name as2 interface GigabitEthernet 0/0/1 to 0/0/24
as name as3 interface GigabitEthernet 0/0/1 to 0/0/24
#
dot1x-access-profile name 1
#
return
In centralized mode, all service configurations for ASs are performed on the
parent. Therefore, the services that can be configured on ASs depend on the
services that can be configured on the parent, not on the services supported by
a standalone access switch.
Method: Profile-based configuration
Description: Create service profiles and specified device and port groups on the
parent, bind the service profiles to the device and port groups, and then run the
commit as { name as-name | all } command to deliver AS service configurations.
If multiple ASs or ports in an SVF system need the same configurations, you can
add these ASs or ports to the same group for batch configuration. In this manner,
configuration efficiency is improved.
Precautions
● Not all services can be configured on an AS. For the services that can be
configured on an AS, see 3.4.3.1.3 SVF Service Deployment Limitations.
● In versions earlier than V200R020C00, you do not need to configure an AS
administrator before configuring services for an AS in centralized mode. In
V200R020C00 and later versions, before configuring services for an AS in
centralized mode, configure an AS administrator and deliver the configuration
to the AS.
● Before configuring services for an AS, ensure that the AS has gone online.
● In this example, services for ASs are configured in centralized mode.
Networking Requirements
As shown in Figure 3-65, to facilitate management and configuration of a new
campus network, devices at the access, aggregation, and core layers have set up
an SVF system. In this system, two core switches set up a CSS and function as the
parent, aggregation switches function as level-1 ASs, and access switches function
as level-2 ASs. The gateway is deployed on the parent. You need to perform the
following operations on the parent to configure services for ASs:
● Configure the administrator user name and password for each AS.
● Add interfaces on each AS to VLANs.
● Connect an access switch to a server using an Eth-Trunk.
● Set the authentication mode for PCs and printers to MAC address
authentication.
● Configure traffic suppression, traffic rate limiting, and port security for ASs to
improve security.
● Configure descriptions for AS interfaces to identify the interface usage.
In this example, the S7700 functions as the parent, the S5700-28P-PWR-LI
functions as a level-1 AS, and the S2750-28TP-EI functions as a level-2 AS.
Data Plan
Configuration Roadmap
1. Configure the user name and password of the AS administrator in an AS
administrator profile.
2. Create an Eth-Trunk interface for a level-2 AS to connect to a server and add
physical interfaces to this Eth-Trunk interface.
3. Configure a description for each interface to identify the interface usage.
4. Configure VLANs on ASs in batches.
5. Add interfaces to VLANs using network basic profiles.
6. Configure traffic suppression and traffic rate limiting in a network enhanced
profile.
7. Configure port security in a network enhanced profile and set the maximum
number of secure MAC addresses that can be learned on an interface.
8. Configure the user authentication mode in a user access profile.
Procedure
NOTE
After the configuration is complete, run the commit as { name as-name | all } command in
the uni-mng view to commit the configuration so that the configuration can be delivered to
ASs and take effect.
1. Run the display as all command to check whether each AS has gone online.
If the value of State of an AS is normal, the AS goes online normally.
<HUAWEI> display as all
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
4 S2750-EI 00e0-fc00-0055 192.168.11.250 normal as5
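The display as all check above, and the same check in Step 5 of the earlier SVF procedure, is one an operator repeats after every cabling or upgrade change. The following Python is an added example (not Huawei tooling) that parses the table format shown in this guide and reports every AS whose State is not normal, as well as mismatches between the summary line and the table. SAMPLE_OUTPUT is constructed in that format and deliberately contains one AS in the fault state.

```python
"""Check the output of 'display as all' on an SVF parent.

Added example (not Huawei code). Parses the AS table shown in the guide and
reports every AS whose State is not 'normal', plus inconsistencies between the
summary line and the table. SAMPLE_OUTPUT is constructed in the guide's format
and deliberately contains one AS in the fault state.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Total: 4, Normal: 3, Fault: 1, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 fault as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
--------------------------------------------------------------------------------
"""


@dataclass(frozen=True)
class AsEntry:
    index: int
    model: str
    mac: str
    ip: str
    state: str
    name: str


# One table row: No. Type MAC IP State Name (whitespace separated).
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s*$"
)
SUMMARY_RE = re.compile(r"Total:\s*(\d+),\s*Normal:\s*(\d+),\s*Fault:\s*(\d+)")


def parse_as_table(text):
    """Return the AS rows in the order displayed."""
    return [
        AsEntry(int(m[1]), m[2], m[3], m[4], m[5].lower(), m[6])
        for m in (ROW_RE.match(line) for line in text.splitlines())
        if m
    ]


def parse_summary(text):
    """Return the counters from the 'Total: ...' line."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("summary line not found")
    return {"total": int(m[1]), "normal": int(m[2]), "fault": int(m[3])}


def check_svf(text):
    """Return (ok, problems). ok is True only when every AS is normal and the
    summary line agrees with the table."""
    entries = parse_as_table(text)
    summary = parse_summary(text)
    problems = []
    if summary["total"] != len(entries):
        problems.append(
            f"summary reports {summary['total']} ASs but the table has {len(entries)} rows")
    if summary["normal"] != sum(1 for e in entries if e.state == "normal"):
        problems.append("summary Normal count does not match the table")
    for e in entries:
        if e.state != "normal":
            problems.append(f"{e.name} ({e.model}, {e.mac}, {e.ip}) state={e.state}")
    # The same MAC in two rows means two rows claim one AS identity; worth a look.
    macs = [e.mac for e in entries]
    for mac in sorted({m for m in macs if macs.count(m) > 1}):
        problems.append(f"MAC {mac} appears in more than one row")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_svf(SAMPLE_OUTPUT)
    print("SVF OK" if ok else "SVF problems:\n  " + "\n  ".join(problems))
```

Feed it the captured output of display as all (for example from a scheduled Telnet/SSH collection) and alert on a False result; the parse is deliberately strict about the MAC and IP columns so that a truncated or partially captured table is reported rather than silently accepted.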
# Configure port groups and bind a network basic profile to each port group.
[Parent-um] port-group name port_group_1 // Create a port group.
[Parent-um-portgroup-port_group_1] as name as4 interface gigabitethernet 0/0/2 // Add the port
on AS 4 to the port group.
[Parent-um-portgroup-port_group_1] network-basic-profile basic_profile_1 // Bind the network
basic profile basic_profile_1 to this port group.
[Parent-um-portgroup-port_group_1] quit
[Parent-um] port-group name port_group_2
[Parent-um-portgroup-port_group_2] as name as4 interface gigabitethernet 0/0/3
[Parent-um-portgroup-port_group_2] network-basic-profile basic_profile_2
[Parent-um-portgroup-port_group_2] quit
[Parent-um] port-group name port_group_3
[Parent-um-portgroup-port_group_3] as name as5 interface eth-trunk 10
[Parent-um-portgroup-port_group_3] network-basic-profile basic_profile_3
[Parent-um-portgroup-port_group_3] quit
[Parent-um] port-group name port_group_4
[Parent-um-portgroup-port_group_4] as name as5 interface gigabitethernet 0/0/4
[Parent-um-portgroup-port_group_4] network-basic-profile basic_profile_4
[Parent-um-portgroup-port_group_4] quit
10. Log in to ASs to check their service configurations. The following uses AS 4 as
an example.
# On the parent, run the attach as name as-name command to log in to AS
4. After a successful login, you can run the quit command to log out of the AS.
[Parent-um] attach as name as4
Info: Connecting to the remote AS now. Use the quit command to return to the user
view.
Trying 192.168.11.72 ...
Press CTRL+K to abort
Connected to 192.168.11.72 ...
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 11 20 30 40 50
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
mad detect mode direct
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/2/0/1
mad detect mode direct
#
capwap source interface vlanif11
#
as-auth
whitelist mac-address 00e0-fc00-0011
whitelist mac-address 00e0-fc00-0022
whitelist mac-address 00e0-fc00-0033
whitelist mac-address 00e0-fc00-0044
whitelist mac-address 00e0-fc00-0055
#
uni-mng
as name as1 model S5700-28P-PWR-LI mac-address 00e0-fc00-0011
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/24
as name as2 model S5700-28P-PWR-LI mac-address 00e0-fc00-0022
as name as3 model S5700-28P-PWR-LI mac-address 00e0-fc00-0033
down-direction fabric-port 5 member-group interface Eth-Trunk 5
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/24
as name as4 model S2750-28TP-EI mac-address 00e0-fc00-0044
as name as5 model S2750-28TP-EI mac-address 00e0-fc00-0055
uni eth-trunk 10
port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/2
port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/3
direct-command view GigabitEthernet 0/0/2 command description connect-to-pc1
direct-command view GigabitEthernet 0/0/3 command description connect-to-pc2
direct-command view Eth-Trunk 10 command description connect-to-server
direct-command view GigabitEthernet 0/0/4 command description connect-to-printer
direct-command view GigabitEthernet 0/0/4 command port-security max-mac-num 5
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as service-vlan authorization 20 30 40 50
as-admin-profile name admin_profile
Configuration Notes
● Usage restrictions:
– The electrical and optical interfaces of a combo interface are multiplexed.
The optical interface cannot have a copper module installed.
– When a combo interface works in auto mode and the combo optical
interface has an optical module installed, the combo interface works as
an optical interface after the device restarts.
– You can configure the working mode of the combo interface based on
the remote interface type. If the local combo electrical interface is
connected to a remote electrical interface, configure the combo interface
to work in copper mode. If the local combo optical interface is connected
to a remote optical interface, configure the combo interface to work in
fiber mode. If the local combo interface is configured to work in a
different mode from the remote interface, the two interfaces cannot
communicate.
● This example applies to switches that support the combo interface.
Networking Requirements
As shown in Figure 3-66, PC1, PC2, and PC3 connect to GE1/0/1, GE1/0/2 and
GE1/0/3 of the Switch respectively. The Switch connects to the Internet through
the combo interface GE1/0/4. You can configure the working mode of the combo
interface based on the remote interface type. In this example, the remote interface
at the Internet side is an electrical interface.
Figure 3-66 Networking diagram for configuring the working mode of a combo
interface
Configuration Roadmap
The configuration roadmap is as follows:
● Configure the combo interface to work as an electrical interface. This
configuration ensures that the combo interface's working mode does not
change when the transmission medium changes, for example, a GE optical
module is installed.
Procedure
Step 1 Configure the combo interface GE1/0/4 to work as an electrical interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] combo-port copper //Configure the combo interface to work as an
electrical interface. By default, the combo interface's working mode is auto.
[Switch-GigabitEthernet1/0/4] quit
Configuration File
Switch configuration file
#
sysname Switch
#
interface GigabitEthernet1/0/4
combo-port copper
#
return
● Full-duplex mode: An interface in this mode can send and receive data
simultaneously. The maximum throughput in full-duplex mode is theoretically
double that in half-duplex mode. There is no limit on the transmission
distance in this mode.
You can configure the rate and duplex mode of an Ethernet interface working in
either auto-negotiation or non-auto-negotiation mode.
● In auto-negotiation mode, interfaces at both ends of a link negotiate the rate
and duplex mode. If the negotiation succeeds, the two interfaces use the
same duplex mode and rate. The auto-negotiation function takes effect only
when both the connected devices support it. If the remote device does not
support auto-negotiation or uses a different auto-negotiation mode, the
connected interfaces may be Down.
● You can configure the local interface to work in non-auto-negotiation mode
and manually configure the interface rate and duplex mode in the following
situations:
– The remote device does not support auto-negotiation.
– After auto-negotiation is configured, the local and remote devices cannot
communicate.
– After auto-negotiation is configured, the physical link between the local and
remote devices is connected, but many error packets are generated or packet
loss occurs.
Configuration Notes
● Usage restrictions
– Ethernet interfaces at both ends of a link must work in the same auto-
negotiation mode. Otherwise, the interfaces may be Down.
– When the working rate of a GE electrical interface is 1000 Mbit/s, the
interface supports only the full-duplex mode and does not need to
negotiate the duplex mode with the remote interface.
– Interfaces at both ends of a link must use the same rate and duplex
mode.
Networking Requirements
As shown in Figure 3-67, Server1, Server2, and Server3 form a server cluster and
connect to GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch respectively. The Switch
connects to the Internet through GE1/0/4.
Due to limitations of network adapters on the servers, GE1/0/1, GE1/0/2, and
GE1/0/3 can only work in half-duplex mode after negotiating with connected
server interfaces. As a result, packet loss occurs when the service traffic volume is
high. In addition, the rate is negotiated to 1000 Mbit/s for GE1/0/1, GE1/0/2, and
GE1/0/3. When the three servers concurrently send data at the rate of 1000
Mbit/s, the outbound interface GE1/0/4 will be congested. Users require that
packet loss and congestion do not occur.
Figure 3-67 Networking diagram for configuring the rate and duplex mode in
non-auto-negotiation mode
Configuration Roadmap
The configuration roadmap is as follows:
● Configure the switch interfaces to work in non-auto-negotiation mode to
prevent the interface rate from being affected by the network adapter rate on
the servers.
● Set the duplex mode to full-duplex for the interfaces working in non-auto-
negotiation mode to avoid packet loss.
● Set the rate to 100 Mbit/s for the interfaces working in non-auto-negotiation
mode to avoid congestion on the outbound interface.
Procedure
Step 1 Create a port group and add GE1/0/1, GE1/0/2, and GE1/0/3 to the port group.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] port-group portgroup1 //Create a permanent port group portgroup1.
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 //Add GE1/0/1,GE1/0/2, and
GE1/0/3 to portgroup1.
NOTE
After a configuration command is executed in the port group view, the device will deliver
the configuration to each port in the port group and display the configuration of each port.
The command output shows that the interface works in non-negotiation mode,
the rate is 100 Mbit/s, and the duplex mode is full-duplex.
Similarly, run the display interface gigabitethernet 1/0/2 and display interface
gigabitethernet 1/0/3 commands on GE1/0/2 and GE1/0/3 respectively to check
interface working information.
----End
Configuration File
Switch configuration file
#
sysname Switch
#
interface GigabitEthernet1/0/1
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/2
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/3
undo negotiation auto
speed 100
#
port-group portgroup1
group-member GigabitEthernet1/0/1
group-member GigabitEthernet1/0/2
group-member GigabitEthernet1/0/3
#
return
Overview
Due to hardware restrictions of interface cards, some Ethernet interfaces work in
only Layer 2 or Layer 3 mode, whereas other Ethernet interfaces can work in both
Layer 2 and Layer 3 modes.
Configuration Notes
● By default, an Ethernet interface works in Layer 2 mode and belongs to VLAN
1. An interface is not removed from VLAN 1 immediately after being switched
to Layer 3 mode. It is removed from VLAN 1 only when Layer 3 protocols are
Up.
● You can configure Layer 2 and Layer 3 modes of an Ethernet interface in the
Ethernet interface view or system view. If the configurations in the two views
differ, the latest configuration takes effect.
● The minimum interval between running the portswitch and undo portswitch
commands is 30 seconds. That is, after changing the mode of an Ethernet
interface, wait at least 30 seconds before changing the mode again.
● If service configurations (such as the port link-type trunk configuration) exist
on an interface, clear all service configurations before switching the interface
between Layer 2 and Layer 3 modes. The mode switching configuration takes
effect on an interface when only attribute configurations (such as shutdown
and description configurations) exist on the interface.
● On switches running V200R003 and earlier versions, IP addresses cannot be
assigned to Ethernet interfaces in Layer 3 mode.
● This example applies to the following products and versions:
– S5700-EI: V200R005C00&C01
– S5700-HI: V200R001C00, V200R002C00, V200R003C00,
V200R005C00&C01
– S5710-EI: V200R002C00, V200R003C00, V200R005C00
– S6700-EI: V200R005C00&C01
– S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H,
S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
As shown in Figure 3-68, PC1, PC2, PC3, and PC4 are on four network segments,
and SwitchB, SwitchC, SwitchD, and SwitchE are access switches for these four
network segments, respectively. It is required that four physical Ethernet interfaces
on SwitchA be configured as gateway interfaces for these four network segments.
Figure 3-68 Networking diagram for configuring the rate and duplex mode in
non-auto-negotiation mode
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Change interfaces to Layer 3 mode.
Step 3 Run the display interface gigabitethernet 1/0/1 command in any view to check
the interface working mode.
[SwitchA] display interface gigabitethernet 1/0/1
...
Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24
...
If Switch Port is displayed, the interface works in Layer 2 mode. If Route Port is
displayed, the interface works in Layer 3 mode. The preceding command output
shows that the interface works in Layer 3 mode.
----End
Configuration File
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.10.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.10.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
undo portswitch
ip address 10.10.4.1 255.255.255.0
#
return
Follow-up Procedure
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Configuration Notes
● This example applies to all versions of all S series switches.
● Do not add both the uplink and downlink interfaces to the same port
isolation group unless required. Otherwise, the uplink and downlink interfaces
cannot communicate.
● S series switches support Layer 2 isolation and Layer 3 interworking.
● All S series chassis switches support Layer 2 and Layer 3 isolation. S series box
switches support Layer 2 and Layer 3 isolation excluding the S2700-SI and
S2700-EI running V100R006C05 and the S2720-EI, S5720-LI, S6720-LI,
S6720S-LI, S5710-C-LI, and S5720S-LI running V200R001 and later versions.
Networking Requirements
An R&D office of a company contains employees from the company, partner
company A, and partner company B. As shown in Figure 3-69, PC1 and PC2 are
used by two employees from partner companies A and B respectively, and PC3 is
used by an R&D employee from the company. The requirements are as follows:
● VLAN resources need to be saved.
● Employees from partner companies A and B cannot communicate with each
other.
● Employees from partner companies A and B can communicate with the
company's employees.
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to a VLAN.
2. Add the interfaces to a port isolation group to implement Layer 2 isolation
between these interfaces. The default port isolation mode is Layer 2 isolation
and Layer 3 interworking.
Procedure
Step 1 Configure port isolation.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the interface type of GE1/0/1 to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add GE1/0/1 to VLAN 10.
[Switch-GigabitEthernet1/0/1] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/1] quit
# Configure port isolation on GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the interface type of GE1/0/2 to access.
[Switch-GigabitEthernet1/0/2] port default vlan 10 //Add GE1/0/2 to VLAN 10.
[Switch-GigabitEthernet1/0/2] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/2] quit
----End
Configuration File
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
#
return
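The configuration file above is the artefact an auditor actually gets to see, so the isolation rules are best checked against it rather than against the CLI transcript. The following Python is an added example (not Huawei code) that parses the '#'-delimited stanza format of this configuration file, derives which access ports can still reach each other at Layer 2, models the difference between the default mode and port-isolate mode all, and enforces the Configuration Note that the uplink (GE1/0/3 here) must not share an isolation group with its downlinks. SAMPLE_CONFIG is the guide's file re-typed with the usual one-space indentation; the helper names are this example's own.

```python
"""Parse a Huawei-style configuration file (stanzas separated by '#') and check
the port-isolation example.

Added example (not Huawei code). SAMPLE_CONFIG is the guide's configuration
file re-typed with one-space indentation; GE1/0/3 is assumed to be the uplink.
"""
import re

SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return
"""


def parse_config(config):
    """Return (interfaces, isolate_mode).
    interfaces: {name: {"vlan": int|None, "isolate_group": int|None}}
    isolate_mode: 'l2' (default: Layer 2 isolation, Layer 3 interworking) or 'all'."""
    interfaces, current, mode = {}, None, "l2"
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):          # end of a stanza
            current = None
            continue
        if line == "port-isolate mode all":  # Layer 2 and Layer 3 isolation
            mode = "all"
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m[1], {"vlan": None, "isolate_group": None})
            continue
        if current is None:
            continue
        m = re.match(r"port default vlan (\d+)$", line)
        if m:
            current["vlan"] = int(m[1])
        m = re.match(r"port-isolate enable(?: group (\d+))?$", line)
        if m:
            current["isolate_group"] = int(m[1]) if m[1] else 1  # group 1 is the default
    return interfaces, mode


def same_isolation_group(interfaces, a, b):
    ga, gb = interfaces[a]["isolate_group"], interfaces[b]["isolate_group"]
    return ga is not None and ga == gb


def can_reach_l2(interfaces, a, b):
    """Layer 2 reachability between two access ports."""
    if interfaces[a]["vlan"] != interfaces[b]["vlan"]:
        return False
    return not same_isolation_group(interfaces, a, b)


def can_reach_l3(interfaces, mode, a, b):
    """In the default mode, isolated ports still interwork through the gateway;
    'port-isolate mode all' blocks that as well."""
    if mode == "all":
        return not same_isolation_group(interfaces, a, b)
    return True


def uplink_outside_group(interfaces, uplink):
    """The guide's note: the uplink must not share an isolation group with downlinks."""
    g = interfaces[uplink]["isolate_group"]
    return g is None or all(
        v["isolate_group"] != g for n, v in interfaces.items() if n != uplink)


if __name__ == "__main__":
    ifs, mode = parse_config(SAMPLE_CONFIG)
    names = sorted(ifs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            print(f"{a} <-> {b}: L2={'yes' if can_reach_l2(ifs, a, b) else 'no'}")
    print("uplink outside group:", uplink_outside_group(ifs, "GigabitEthernet1/0/3"))
```

Run against the sample, the matrix shows GE1/0/1 and GE1/0/2 (the two partner PCs) isolated from each other while both still reach GE1/0/3 (the company PC), which is exactly the requirement; adding port-isolate enable to GE1/0/3 flips uplink_outside_group to False, the misconfiguration the Configuration Notes warn against.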
Overview
MAC address entries are automatically generated when the switch learns the
source MAC addresses of packets. Static MAC address entries are manually
configured.
If a large number of static MAC address entries are manually configured, network
maintenance can be difficult. You can enable port security to dynamically bind
MAC addresses to interfaces.
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-70, the server connects to the switch through GE1/0/2. To prevent the
switch from broadcasting packets destined for the server, the static MAC address
entry of the server needs to be configured on the switch. This ensures that the
switch unicasts packets destined for the server through GE1/0/2. The MAC address
of the PC is statically bound to GE1/0/1 to ensure secure communication between
the PC and server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN on the switch and add an interface to the VLAN to implement
Layer 2 forwarding.
2. Configure the static MAC address entry of the server on the switch.
3. Configure the static MAC address entry of the PC on the switch.
Procedure
Step 1 Create VLAN 2 on the switch and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 //Create VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The interface connected to the PC must be an
access interface. The default link type of an interface is not access, so the access link type must be
configured manually.
[Switch-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to that of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2
[Switch-GigabitEthernet1/0/2] quit
Step 2 Configure the static MAC address entry of the server on the switch.
[Switch] mac-address static xxxx-xxxx-xxx4 gigabitethernet 1/0/2 vlan 2
Step 3 Configure the static MAC address entry of the PC on the switch.
[Switch] mac-address static xxxx-xxxx-xxx2 gigabitethernet 1/0/1 vlan 2
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
mac-address static xxxx-xxxx-xxx2 GigabitEthernet1/0/1 vlan 2
mac-address static xxxx-xxxx-xxx4 GigabitEthernet1/0/2 vlan 2
#
return
Overview
Blackhole MAC address entries can be used to prevent attacks from unauthorized
users. The switch discards packets from or destined to blackhole MAC addresses.
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-71, the switch receives a packet from an unauthorized PC
whose MAC address is 0005-0005-0005 and belongs to VLAN 3. This MAC address
can be configured as a blackhole MAC address to filter packets from the
unauthorized user.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address to block packets from this MAC address.
Procedure
Step 1 Configure a blackhole MAC address entry.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 3 //Create VLAN 3.
[Switch] mac-address blackhole xxxx-xxxx-xxx5 vlan 3 //Configure the MAC address of the unauthorized
PC as a blackhole MAC address in VLAN 3.
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole xxxx-xxxx-xxx5 vlan 3
#
return
Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.
MAC address limiting in a VLAN can limit the number of MAC address entries on
multiple interfaces in a VLAN.
Configuration Notes
● After the port-security enable command is configured on an interface, MAC
address limiting cannot take effect on the interface. Do not configure port
security and MAC address limiting on the same interface simultaneously.
● This example applies to all versions of all S series switches.
● After the number of learned MAC address entries reaches the limit, SA cards
of S series and F series cards of chassis devices and box devices (excluding the
S5720-EI) cannot discard packets with nonexistent source MAC addresses.
Networking Requirements
In Figure 3-72, user network 1 is connected to GE1/0/1 of the switch through
LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and
GE1/0/1 and GE1/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address limiting in a VLAN to prevent MAC address attacks
and control the number of access users.
Procedure
Step 1 Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to the configuration of
GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch-GigabitEthernet1/0/2] quit
Step 2 Configure the following MAC address limiting rule in VLAN 2: A maximum of 100
MAC addresses can be learned. When the number of learned MAC address entries
reaches the limit, the device forwards the packets with new source MAC address
entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action taken for packets in
different versions is different. You are advised to manually configure the action. For fixed switches, the
action parameter can be set in the VLAN view only on the S5720-EI. On other fixed switches, the forward
action is used in the VLAN view by default, and the action parameter does not need to be set. The alarm
function is enabled by default, so you do not need to configure the alarm function manually.
[Switch-vlan2] quit
# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.
Configuration Notes
● After port-security enable is configured on an interface, MAC address
limiting cannot be configured on the interface.
● This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-73, user network 1 and user network 2 connect to the switch through
the LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user
network 2 belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC
address limiting can be configured on GE1/0/1 to control the number of access
users.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
Step 2 Configure the switch to learn a maximum of 100 MAC address entries on GE1/0/1.
When the number of learned MAC address entries reaches the limit, the switch
discards the packets with new source MAC address entries and generates an
alarm.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The default action taken for
packets in different versions is different. You are advised to manually specify the action. The alarm function
is enabled by default, so you do not need to specify it manually.
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
mac-limit maximum 100
#
return
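The VLAN rule (mac-limit maximum 100 action forward in VLAN 2) and the interface rule (mac-limit maximum 100 action discard on GE1/0/1) above apply the same mechanism. The following model is an added example, not code from the Huawei guide: it replays a burst of forged source MACs against a finite MAC table with no rule, with the VLAN rule and with the interface rule, and shows what happens to a legitimate host afterwards. The table capacity, port names and MAC addresses are constructed for the demonstration.

```python
"""Model of MAC address learning with and without a mac-limit rule.

Added example, not taken from the Huawei guide: it reproduces the behaviour
the guide describes for both the VLAN-based rule (action forward) and the
interface-based rule (action discard). Table capacity, port names and MAC
addresses below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    vlan: int
    src_mac: str
    dst_mac: str
    in_port: str


@dataclass
class MacLimitRule:
    maximum: int
    action: str = "forward"   # "forward": pass the frame unlearned; "discard": drop it
    alarm: bool = True        # the guide notes the alarm is enabled by default


@dataclass
class Switch:
    table_capacity: int                                   # finite MAC table of the whole device
    vlan_limits: Dict[int, MacLimitRule] = field(default_factory=dict)
    port_limits: Dict[str, MacLimitRule] = field(default_factory=dict)
    table: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> port
    alarms: List[str] = field(default_factory=list)

    def count(self, vlan: Optional[int] = None, port: Optional[str] = None) -> int:
        return sum(1 for (v, _), p in self.table.items()
                   if (vlan is None or v == vlan) and (port is None or p == port))

    def _rule_hit(self, frame: Frame) -> Optional[Tuple[str, MacLimitRule]]:
        """Return the (scope, rule) whose limit learning this new source MAC would exceed."""
        rule = self.vlan_limits.get(frame.vlan)
        if rule and self.count(vlan=frame.vlan) >= rule.maximum:
            return (f"vlan {frame.vlan}", rule)
        rule = self.port_limits.get(frame.in_port)
        if rule and self.count(port=frame.in_port) >= rule.maximum:
            return (f"interface {frame.in_port}", rule)
        return None

    def receive(self, frame: Frame) -> str:
        """Process one frame; returns 'forward', 'flood' or 'discard'."""
        key = (frame.vlan, frame.src_mac)
        if key not in self.table:
            hit = self._rule_hit(frame)
            if hit is not None:
                scope, rule = hit
                if rule.alarm and scope not in self.alarms:
                    self.alarms.append(scope)          # one alarm per scope
                if rule.action == "discard":
                    return "discard"
                # action forward: the frame goes through but the MAC is not learned
            elif len(self.table) < self.table_capacity:
                self.table[key] = frame.in_port
            # a full table silently fails to learn, even for legitimate hosts
        out_port = self.table.get((frame.vlan, frame.dst_mac))
        return "forward" if out_port else "flood"


def run_scenario(rule: Optional[MacLimitRule], scope: str = "vlan") -> Dict[str, object]:
    """Burst of forged source MACs in VLAN 2, then a legitimate exchange in VLAN 10."""
    limits = {}
    if rule is not None:
        limits = {"vlan_limits": {2: rule}} if scope == "vlan" else {"port_limits": {"GE1/0/2": rule}}
    sw = Switch(table_capacity=128, **limits)
    server, host = "00e0-fc00-0002", "00e0-fc00-0003"           # constructed MACs
    sw.receive(Frame(10, server, "ffff-ffff-ffff", "GE1/0/3"))   # server learned before the burst
    # Constructed burst: 300 frames, each with a different forged source MAC, on GE1/0/2.
    burst = [sw.receive(Frame(2, f"02aa-0000-{i:04x}", "ffff-ffff-ffff", "GE1/0/2"))
             for i in range(300)]
    sw.receive(Frame(10, host, server, "GE1/0/1"))               # host should now be learned
    reply = sw.receive(Frame(10, server, host, "GE1/0/3"))        # unicast only if host was learned
    return {
        "vlan2_entries": sw.count(vlan=2),
        "total_entries": len(sw.table),
        "burst_discarded": burst.count("discard"),
        "reply_to_host": reply,
        "alarms": list(sw.alarms),
    }


if __name__ == "__main__":
    print("no rule     :", run_scenario(None))
    print("vlan forward:", run_scenario(MacLimitRule(100, "forward"), "vlan"))
    print("port discard:", run_scenario(MacLimitRule(100, "discard"), "port"))
```

Without a rule the burst fills the whole table, the later host in VLAN 10 is never learned and the server's reply to it is flooded; with either rule the damage stays inside VLAN 2 or GE1/0/2, an alarm is raised once, and the reply is unicast.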
Cards are classified into cards with and without Eth-Trunk specification extension,
as described in Table 3-28.
Extensible: EE series, FC series, SC series, X series, and the ET1D2X48SEC0 and
EH1D2X48SEC0 in the EC series
Non-extensible: BC series, EA series, ED series, FA series, SA series, EC1 series,
EA1 series, and EC series (excluding the ET1D2X48SEC0 and EH1D2X48SEC0)
Table 3-29 Hash modes of cards in a slot before and after card replacement
Replaced Card | Hash Mode of the Replaced Card | New Card | Hash Mode of the New Card
● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– When interfaces on the FC series, SC series, EE series, ET1D2X48SEC0, or
EH1D2X48SEC0 card, card without Eth-Trunk specification extension, and
X series card working in normal mode form an inter-card Eth-Trunk, first
run the unknown-unicast load-balance command to set the load
balancing mode of unknown unicast packets to lbid. After the inter-card
Eth-Trunk is created, the load balancing mode of unknown unicast
packets cannot be changed.
– If interfaces on the card with Eth-Trunk specification extension in normal
mode or card without Eth-Trunk specification extension are added to the
same Eth-Trunk with interfaces on the card with Eth-Trunk specification
extension in advanced mode, load balancing of the Eth-Trunk is uneven,
packet loss or excess packets may occur for non-known unicast traffic,
and the alarm IFPDT_1.3.6.1.4.1.2011.5.25.157.2.211
hwNotSameBoardInTrunk is triggered.
The index is the internal number that the switch allocates to each Eth-Trunk, and
is different from the Eth-Trunk ID. If the number of Eth-Trunks supported by the
switch is configured to be larger than 128 and many Eth-Trunks are created on
the switch, indexes larger than 127 may be occupied. A card without Eth-Trunk
specification extension can only use an index of 127 or smaller; the system
checks the index and restricts the registration of such a card. If a card without
Eth-Trunk specification extension that has failed to register is left in place,
it cannot be registered even if the switch restarts.
– You can run the display reset-reason command to check the registration
failure cause. The system displays the message "This LPU only supports
the trunks with index 127 or smaller than 127.". If the card without
Eth-Trunk specification extension must be used, you must delete the
Eth-Trunk with the index larger than 127.
● Card replacement
Table 3-30 lists the hash modes of cards in a slot before and after card
replacement.
Table 3-30 Hash modes of cards in a slot before and after card replacement
● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– If a switch functions as a WLAN AC, X series cards are used and APs are
connected to the switch through an inter-card Eth-Trunk on the user side,
and non-X series cards are used on the network side, the actual Eth-Trunk
specifications cannot reach those configured using this command and
may be as low as half of the configured specifications.
– The card without Eth-Trunk specification extension and the card with
Eth-Trunk specification extension working in normal mode do not support
Eth-Trunk specification extensions. If the switch that is configured with
Eth-Trunk specification extensions is equipped with these cards, a
maximum of eight Eth-Trunk member interfaces are allowed on these
cards.
Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.
In manual mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. In this mode, LACP is not required. If a high link
bandwidth between two directly connected devices is required but the remote
device does not support LACP, you can use the manual mode. The manual mode
can increase bandwidth, enhance reliability, and implement load balancing.
In manual mode, all active links forward data and load balance traffic.
Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
● This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-74, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Data transmission and link reliability need to be ensured.
Configuration Roadmap
The configuration roadmap is as follows:
3. Set the load balancing mode to ensure that traffic is load balanced between
member interfaces of the Eth-Trunk and enhance reliability.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the
Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchB-Eth-Trunk1] quit
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac //Configure load balancing based on the source and
destination MAC addresses on Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.
If a high link bandwidth between two directly connected devices is required and
devices support LACP, the LACP mode is recommended. The LACP mode increases
bandwidth, improves reliability, implements load balancing, enhances Eth-Trunk
fault tolerance, and provides backup.
In LACP mode, some links are active links and other links are backup links. All the
active links participate in data forwarding. If an active link becomes faulty, a
backup link is selected to replace the faulty link. That is, the number of links
participating in data forwarding remains unchanged.
Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
● This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-75, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB. The link between SwitchA and SwitchB is required to provide high
bandwidth to implement inter-VLAN communication. Link aggregation in LACP
mode is configured on SwitchA and SwitchB to improve the bandwidth and
reliability. The following requirements must be met:
Figure 3-75 Networking diagram for configuring link aggregation in LACP mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to
implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor so that the Partner
selects active interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve
reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces
with higher priorities are selected as active interfaces.
6. Create VLANs and add interfaces to the VLANs.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode.
The configuration of SwitchB is similar to that of SwitchA, and is not mentioned
here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] mode lacp //Configure link aggregation in LACP mode.
[SwitchA-Eth-Trunk1] quit
Step 3 Set the LACP system priority of SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100 //The default LACP system priority is 32768. Change the LACP priority of
SwitchA to be higher than that of SwitchB so that SwitchA functions as the Actor.
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2 //The default upper threshold for the number of active
interfaces in the LAG is 8. Change the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] quit
Step 5 Set the LACP interface priorities and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/1 to 100 so that GE1/0/1 serves as the active interface.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/2 to 100 so that GE1/0/2 serves as the active interface.
[SwitchA-GigabitEthernet1/0/2] quit
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 32768 6145 2609 11111100 1
GigabitEthernet1/0/2 Selected 1GE 32768 6146 2609 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609 11110000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
GigabitEthernet1/0/2 100 00e0-fca8-0417 100 6146 2865 11111100
GigabitEthernet1/0/3 100 00e0-fca8-0417 32768 6147 2865 11100000
The preceding information shows that the LACP system priority of SwitchA is 100
and is higher than the LACP system priority of SwitchB. GigabitEthernet1/0/1 and
GigabitEthernet1/0/2 are active interfaces and are in Selected state.
GigabitEthernet1/0/3 is in Unselect state. In addition, load balancing and
redundancy are implemented.
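The selection shown in the display output follows from a few rules: the end with the lower LACP system priority value is the Actor, the Partner follows the Actor's interface priorities, and at most max active-linknumber links are Selected. The model below is an added example, not code from the Huawei guide or the switch software; it applies those rules to the values in the output above and also shows a backup link taking over when an active link fails. Pairing links by equal interface names on both ends is an assumption of the model.

```python
"""Model of LACP Actor election and active-link selection for the SwitchA/SwitchB example.

Added example, not code from the Huawei guide or the switch software. It applies
the rules the guide states to the values in the display eth-trunk 1 output: the
end with the lower LACP system priority value is the Actor, both ends select
active links by the Actor's interface priorities (then port number), and at most
max active-linknumber links are Selected. Pairing links by equal interface names
on both ends is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class LacpPort:
    name: str
    port_pri: int   # lacp priority on the interface (PortPri); lower value wins
    port_no: int    # PortNo; tie-breaker when interface priorities are equal


@dataclass
class LacpSystem:
    name: str
    sys_pri: int    # lacp priority in the system view (SysPri); lower value wins
    sys_id: str     # System ID (bridge MAC); tie-breaker for equal system priorities
    ports: List[LacpPort]
    max_active: int = 8   # max active-linknumber; the guide notes the default is 8


def elect_actor(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """The Actor is the system with the lower (priority, system ID) pair."""
    return min((a, b), key=lambda s: (s.sys_pri, s.sys_id.lower()))


def select_links(local: LacpSystem, remote: LacpSystem,
                 down: Iterable[str] = ()) -> Dict[str, Dict[str, str]]:
    """Return {system: {interface: 'Selected' | 'Unselect'}} for both ends.

    `down` lists links that are currently faulty; they can never be Selected,
    which is how a backup link takes over when an active link fails."""
    down = set(down)
    actor = elect_actor(local, remote)
    partner = remote if actor is local else local
    # Candidates ranked by the Actor's interface priority, then port number.
    ranked = sorted((p for p in actor.ports if p.name not in down),
                    key=lambda p: (p.port_pri, p.port_no))
    chosen = {p.name for p in ranked[: actor.max_active]}
    return {
        system.name: {p.name: "Selected" if p.name in chosen else "Unselect"
                      for p in system.ports}
        for system in (actor, partner)
    }


# Values taken from the display eth-trunk 1 output on the page.
SWITCH_A = LacpSystem("SwitchA", sys_pri=100, sys_id="00e0-fca8-0417", ports=[
    LacpPort("GigabitEthernet1/0/1", 100, 6145),
    LacpPort("GigabitEthernet1/0/2", 100, 6146),
    LacpPort("GigabitEthernet1/0/3", 32768, 6147),
], max_active=2)
SWITCH_B = LacpSystem("SwitchB", sys_pri=32768, sys_id="00e0-fca6-7f85", ports=[
    LacpPort("GigabitEthernet1/0/1", 32768, 6145),
    LacpPort("GigabitEthernet1/0/2", 32768, 6146),
    LacpPort("GigabitEthernet1/0/3", 32768, 6147),
])


if __name__ == "__main__":
    print("Actor:", elect_actor(SWITCH_A, SWITCH_B).name)
    print("normal:", select_links(SWITCH_A, SWITCH_B))
    print("GE1/0/1 down:", select_links(SWITCH_A, SWITCH_B, down={"GigabitEthernet1/0/1"}))
```

Note that SwitchB's own Max Active-linknumber is 8, yet only two of its links are Selected, because the Actor's threshold governs the selection.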
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
max active-linknumber 2
#
interface GigabitEthernet1/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
Overview
Enhanced Trunk (E-Trunk) is an extension to LACP (a link aggregation protocol for
a single device) and implements link aggregation among multiple devices. E-Trunk
achieves device-level link reliability but not card-level link reliability.
When a CE is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be
configured to protect the links between the CE and PEs and implement backup
between PEs. If no E-Trunk is configured, a CE can be connected to only one PE
using an Eth-Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate
with the PE. After the E-Trunk is used, the CE can be dual-homed to two PEs to
implement backup.
Configuration Notes
● Devices must use link aggregation in LACP mode.
● In Figure 3-76, the E-Trunk configuration on PE1 and PE2 must be the same.
The Eth-Trunks between PE1 and CE1 and between PE2 and CE1 must use the
same rate and duplex mode (key values must be the same) and join the same
E-Trunk. After the Eth-Trunks are added to the E-Trunk, ensure that the LACP
priorities and system IDs of PE1 and PE2 are the same. On CE1, interfaces
directly connected to PE1 and PE2 must be added to the same Eth-Trunk. The
Eth-Trunk can have a different Eth-Trunk ID from that on the PEs. For
example, the CE is configured with Eth-Trunk 20, while both PEs are
configured with Eth-Trunk 10.
● You must specify an IP address (loopback address recommended) for each PE
to ensure Layer 3 connectivity. Ensure that the peer IP address of a PE is the
local IP address of the other PE.
● The E-Trunk must be bound to a BFD session.
● You must set the same protocol packet password for PE1 and PE2.
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731S-H, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
If no E-Trunk is configured, a CE can be connected to only one PE using an
Eth-Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate with the PE.
After an E-Trunk is configured, the CE can be dual-homed to PEs. E-Trunk achieves
device-level link reliability but not card-level link reliability.
In Figure 3-76, CE1 is connected to PE1 and PE2 using two Eth-Trunks in LACP
mode and is dual-homed to a VPLS network.
Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or
the Eth-Trunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To
prevent service interruption, configure an E-Trunk on PE1 and PE2. When
communication between CE1 and PE1 fails, traffic is switched to PE2 so that CE1
can communicate with CE2 through PE2. When PE1 or the Eth-Trunk between CE1
and PE1 recovers, traffic is switched back to PE1.
The E-Trunk implements backup of link aggregation groups (LAGs) between PE1
and PE2 and therefore improves network reliability.
Device  Interface             Sub-interface           IP Address
PE1     GigabitEthernet1/0/1  -                       -
-       GigabitEthernet1/0/2  -                       -
-       Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/1  -                       -
-       GigabitEthernet1/0/2  -                       -
-       Loopback1             -                       2.2.2.9/32
PE3     GigabitEthernet1/0/3  GigabitEthernet1/0/3.1  -
-       Loopback1             -                       3.3.3.9/32
CE1     GigabitEthernet1/0/1  -                       -
-       GigabitEthernet1/0/2  -                       -
-       GigabitEthernet1/0/3  -                       -
-       GigabitEthernet1/0/4  -                       -
CE2     GigabitEthernet1/0/3  -                       -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an E-Trunk.
– Create Eth-Trunks in LACP mode between CE1 and PE1 and between CE1
and PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks in LACP
mode to the E-Trunk.
– Set E-Trunk parameters:
▪ E-Trunk priority
Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure
3-76. Configure a routing protocol on the backbone network to implement the
interworking between devices. OSPF is used in this example.
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP
routes to each other's Loopback1 interface, and can ping one another. Run the
display ip routing-table command on PE1, PE2, and PE3 to determine whether
the PEs have learned the routes to one another.
NOTE
● The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
● When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback
addresses.
Step 2 Configure Eth-Trunks in LACP mode on user-side switch CE1, PE1, and PE2, and
add member interfaces to the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20 //Create Eth-Trunk 20 and enter the view of Eth-Trunk 20.
[CE1-Eth-Trunk20] port link-type trunk //Set the link type of the interface to trunk.
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10 //Add Eth-Trunk 20 to VLAN 10.
[CE1-Eth-Trunk20] mode lacp //Configure Eth-Trunk 20 to work in LACP mode.
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 //Add GE1/0/1 to GE1/0/4 to Eth-Trunk20.
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE1-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE2-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE2-Eth-Trunk10] quit
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, time
multiplier for detecting hello packets, interval at which hello packets are sent, and
local and remote IP addresses.
# Configure PE1.
[PE1] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE1] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] priority 10 //Set the priority of E-Trunk 1 to 10.
[PE1-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3.
[PE1-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 ms.
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 //Set the remote IP address to 2.2.2.9 and
local IP address to 1.1.1.9.
[PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE2] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] priority 20 //Set the priority of E-Trunk 1 to 20.
[PE2-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3.
[PE2-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 ms.
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 //Set the remote IP address to 1.1.1.9 and
local IP address to 2.2.2.9.
[PE2-e-trunk-1] quit
# Configure PE2.
[PE2] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE2-Eth-Trunk10] quit
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 //Set the LSR ID to 1.1.1.9.
[PE1] mpls //Enable global MPLS.
[PE1-mpls] quit
[PE1] mpls ldp //Enable global LDP.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls //Enable MPLS on an interface.
[PE1-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9 //Set the LSR ID to 2.2.2.9.
[PE2] mpls //Enable global MPLS.
[PE2-mpls] quit
[PE2] mpls ldp //Enable global LDP.
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls //Enable MPLS on an interface.
[PE2-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.9 //Set the LSR ID to 3.3.3.9.
[PE3] mpls //Enable global MPLS.
[PE3-mpls] quit
[PE3] mpls ldp //Enable global LDP.
[PE3-mpls-ldp] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] mpls //Enable MPLS on an interface.
[PE3-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls //Enable MPLS on an interface.
[PE3-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif200] quit
After the configuration is complete, run the display mpls ldp session
command on PEs to determine whether the status of the remote LDP peer
relationship is Operational. This indicates that remote LDP sessions are set
up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn //Enable global MPLS L2VPN.
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn //Enable global MPLS L2VPN.
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn //Enable global MPLS L2VPN.
[PE3-l2vpn] quit
3. Create a VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling
protocol in the VSI.
# Configure PE1.
[PE1] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE1-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE1-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE1-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE2-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE2-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE2-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE2-vsi-ldp1-ldp] quit
[PE2-vsi-ldp1] quit
# Configure PE3.
[PE3] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE3-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE3-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE3-vsi-ldp1-ldp] peer 1.1.1.9 //Set the peer address of the VSI to 1.1.1.9.
[PE3-vsi-ldp1-ldp] peer 2.2.2.9 //Set the peer address of the VSI to 2.2.2.9.
[PE3-vsi-ldp1-ldp] quit
[PE3-vsi-ldp1] quit
4. Configure Eth-Trunk sub-interfaces on PE1 and PE2, and bind the VSI to the
Eth-Trunk sub-interfaces.
# Configure PE1.
[PE1] vcmp role silent
[PE1] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE1-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE2-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE2-Eth-Trunk10.1] quit
The preceding information shows that the E-Trunk priority on PE1 is 10, and
the E-Trunk status is Master; the E-Trunk priority on PE2 is 20, and the
E-Trunk status is Backup. Device backup is implemented.
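The Master/Backup outcome, the pairing rules in the Configuration Notes and the hello timers from Step 3 can be checked together before the change is applied. The model below is an added example, not code from the Huawei guide or the switch software: it validates the PE1/PE2 pairing, elects Master from the E-Trunk priority (lower value wins) and declares the peer failed after hold-on-failure multiplier consecutive missed hellos, reverting when hellos resume. The E-Trunk system ID tie-breaker with its constructed value, the hello interval treated as an abstract tick, and the password placeholder are assumptions of the model.

```python
"""Model of E-Trunk peer checks, Master/Backup election and peer failure detection.

Added example, not code from the Huawei guide or the switch software. It checks
the pairing rules from the guide's Configuration Notes (mirrored peer/source
addresses, identical lacp e-trunk system-id and priority, same protocol packet
password), elects Master/Backup from the E-Trunk priority (lower value wins, so
PE1 with 10 beats PE2 with 20) and declares the peer failed after
hold-on-failure multiplier consecutive missed hello intervals. The E-Trunk
system ID tie-breaker, its constructed value and the password placeholder are
assumptions of this model.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ETrunkPE:
    name: str
    priority: int            # priority in the E-Trunk view; lower value wins
    source_address: str      # source-address (Loopback1)
    peer_address: str        # peer-address; must be the other PE's source-address
    lacp_system_id: str      # lacp e-trunk system-id; must match on both PEs
    lacp_priority: int       # lacp e-trunk priority; must match on both PEs
    hello: int = 10          # timer hello (in the device's timer unit)
    multiplier: int = 3      # timer hold-on-failure multiplier
    etrunk_system_id: str = "0000-0000-0000"   # assumed tie-breaker for equal priorities
    password: str = "PASSWORD-PLACEHOLDER"      # protocol packet password (placeholder)


def validate_pair(a: ETrunkPE, b: ETrunkPE) -> List[str]:
    """Return the misconfigurations that would keep the two PEs from forming one E-Trunk."""
    problems = []
    if a.peer_address != b.source_address or b.peer_address != a.source_address:
        problems.append("peer-address of each PE must equal the source-address of the other")
    if a.lacp_system_id.lower() != b.lacp_system_id.lower():
        problems.append("lacp e-trunk system-id differs; CE1 would see two LACP partners")
    if a.lacp_priority != b.lacp_priority:
        problems.append("lacp e-trunk priority differs")
    if a.password != b.password:
        problems.append("protocol packet password differs")
    return problems


def elect_master(a: ETrunkPE, b: ETrunkPE) -> str:
    """Lower E-Trunk priority wins; equal priorities fall back to the lower system ID."""
    return min((a, b), key=lambda p: (p.priority, p.etrunk_system_id.lower())).name


def failure_detect_time(pe: ETrunkPE) -> int:
    """Time after the last received hello at which the peer is declared failed."""
    return pe.hello * pe.multiplier


def state_timeline(local: ETrunkPE, peer: ETrunkPE, peer_hello_seen: List[bool]) -> List[str]:
    """Local E-Trunk state per hello interval, given whether the peer's hello arrived.

    The local PE is Master either because it wins the election or because the
    peer has missed `multiplier` consecutive hellos; it reverts to Backup as soon
    as the peer's hellos resume, which is the switch-back the guide describes."""
    wins = elect_master(local, peer) == local.name
    states, missed = [], 0
    for seen in peer_hello_seen:
        missed = 0 if seen else missed + 1
        peer_failed = missed >= local.multiplier
        states.append("Master" if wins or peer_failed else "Backup")
    return states


# PE1 and PE2 as configured in Step 3 of the page.
PE1 = ETrunkPE("PE1", priority=10, source_address="1.1.1.9", peer_address="2.2.2.9",
               lacp_system_id="00E0-FC00-0000", lacp_priority=1, hello=9, multiplier=3)
PE2 = ETrunkPE("PE2", priority=20, source_address="2.2.2.9", peer_address="1.1.1.9",
               lacp_system_id="00E0-FC00-0000", lacp_priority=1, hello=9, multiplier=3)


if __name__ == "__main__":
    print("problems:", validate_pair(PE1, PE2))
    print("master:", elect_master(PE1, PE2), "peer declared failed after", failure_detect_time(PE1))
    # Constructed timeline seen from PE2: PE1's hellos stop for four intervals, then resume.
    print("PE2 states:", state_timeline(PE2, PE1, [True, True, False, False, False, False, True]))
```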
----End
Configuration Files
● CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 20
#
interface GigabitEthernet1/0/4
eth-trunk 20
#
return
● PE1 configuration file
#
sysname PE1
#
vcmp role silent
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
Overview
In a CSS or stack, an Eth-Trunk is configured as the outbound interface of traffic to
ensure reliable transmission. Member interfaces of the Eth-Trunk are located on
different chassis. When devices in the CSS or stack forward traffic, the Eth-Trunk
may select an inter-chassis member interface based on a hash algorithm. The
cable bandwidth between devices in the CSS or stack is limited, so inter-chassis
traffic forwarding occupies bandwidth resources between devices, lowering traffic
forwarding efficiency. To address this issue, you can enable an Eth-Trunk to
preferentially forward local traffic.
Configuration Notes
● If active interfaces of an Eth-Trunk on the local device have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk to preferentially
forward local traffic. This improves traffic forwarding efficiency and increases
bandwidth capacity between devices in the CSS.
● If active interfaces of an Eth-Trunk on the local device do not have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk not to
preferentially forward local traffic. In this case, some traffic on the local
device is forwarded through member interfaces of an Eth-Trunk on another
device, preventing packet loss.
● This example applies to the following products and versions:
– S2720-EI, S2750-EI: For the applicable versions, see Table 3-1.
– S2730S-S: For the applicable versions, see Table 3-1.
– S5710-X-LI, S5720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H: For the applicable versions, see Table 3-1.
– S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-HI,
S6730-H, S6730S-H, S6730-S, S6730S-S: For the applicable versions, see
Table 3-1.
– S5700-LI, S5700-HI, S5710-EI, S6700-EI: running V200R003C00 and later
versions.
– S5700S-LI: running V200R008C00 and later versions.
NOTE
Networking Requirements
On the network shown in Figure 3-77, CSS technology is used to increase the
total capacity of switches. Switch3 and Switch4 are connected through stack
cables to form a logical switch. To implement backup between switches and
improve reliability, physical interfaces on the two switches are added to an
Eth-Trunk. In normal situations, traffic from VLAN 2 and VLAN 3 is forwarded
through GE1/0/1 and GE1/0/2 respectively. This occupies bandwidth between the
switches in the CSS and reduces traffic forwarding efficiency.
To ensure that traffic from VLAN 2 is forwarded through GE1/0/1 and traffic from
VLAN 3 is forwarded through GE1/0/2, you can configure the Eth-Trunk to
preferentially forward local traffic.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic.
4. Add interfaces to VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Create an Eth-Trunk and configure the ID of a VLAN from which packets can pass
through the Eth-Trunk.
# Configure the CSS.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[CSS-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[CSS-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[CSS-Eth-Trunk10] quit
Step 3 Configure the Eth-Trunk on devices in the CSS to preferentially forward local
traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable //Enable Eth-Trunk 10 to preferentially forward local traffic.
[CSS-Eth-Trunk10] quit
NOTE
By default, an Eth-Trunk is enabled to preferentially forward local traffic. If you run the
local-preference enable command, the system displays the message "Error: The local
preferential forwarding mode has been configured."
----End
Configuration Files
● CSS configuration file
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
return
● PE configuration file
#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return
When the master detects that the uplink interface fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
packets. After the backup receives the VRRP packets, it detects that the priority in
the VRRP packets is lower than its priority and switches to the master. This ensures
correct traffic forwarding.
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● A VRRP group can be associated with a maximum of eight interfaces.
Association between a VRRP group and the interface status cannot be
configured on the device as the IP address owner.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I,
S5735S-H, S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
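A check for the VRID, virtual IP and interface-tracking rules listed in the Configuration Notes above, written here as an added Python example (not a Huawei tool). It parses device configuration text in the format of this example's configuration files; the two snippets are constructed and deliberately contain a VRID mismatch and an off-segment virtual IP.

```python
"""Checks the VRRP rules from the Configuration Notes against configuration
text in the format of the configuration files in this guide. Added example,
not Huawei code; both configurations below are constructed and contain a
deliberate VRID mismatch (10.1.2.1) and an off-segment virtual IP (10.1.9.1)."""
import ipaddress
import re
from collections import defaultdict

MAX_TRACKED_INTERFACES = 8   # "A VRRP group can be associated with a maximum of eight interfaces"

CONFIG_SWITCHA = """\
#
interface Vlanif11
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
 vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
#
interface Vlanif12
 ip address 10.1.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.2.1
#
interface Vlanif13
 ip address 10.1.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.9.1
#
return
"""

CONFIG_SWITCHB = """\
#
interface Vlanif11
 ip address 10.1.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1
#
interface Vlanif12
 ip address 10.1.2.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.2.1
#
return
"""


def parse_vrrp(config: str) -> dict:
    """Return {vlanif: {"ip": IPv4Interface or None, "groups": {vrid: {"vip": ..., "track": [...]}}}}."""
    result, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes the current view
            cur = None
            continue
        m = re.fullmatch(r"interface (Vlanif\d+)", line)
        if m:
            cur = result.setdefault(m.group(1), {"ip": None, "groups": {}})
            continue
        if cur is None:
            continue
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            group = cur["groups"].setdefault(int(m.group(1)), {"vip": None, "track": []})
            group["vip"] = ipaddress.IPv4Address(m.group(2))
        elif m := re.fullmatch(r"vrrp vrid (\d+) track interface (\S+) reduced \d+", line):
            group = cur["groups"].setdefault(int(m.group(1)), {"vip": None, "track": []})
            group["track"].append(m.group(2))
    return result


def lint_vrrp(configs: dict) -> list:
    """configs: device name -> parse_vrrp() output. Returns human-readable findings."""
    findings = []
    by_vip = defaultdict(set)   # virtual IP -> {(device, vlanif, vrid)}
    for dev, cfg in configs.items():
        for vlanif, data in cfg.items():
            for vrid, grp in data["groups"].items():
                where = f"{dev} {vlanif} vrid {vrid}"
                if grp["vip"] is None or data["ip"] is None:
                    findings.append(f"{where}: missing virtual-ip or interface address")
                    continue
                # Virtual IP must be on the same network segment as the interface address.
                if grp["vip"] not in data["ip"].network:
                    findings.append(f"{where}: virtual IP {grp['vip']} is not on the interface's network segment")
                if len(grp["track"]) > MAX_TRACKED_INTERFACES:
                    findings.append(f"{where}: more than {MAX_TRACKED_INTERFACES} tracked interfaces")
                # The IP address owner (interface IP == virtual IP) cannot track interfaces.
                if grp["vip"] == data["ip"].ip and grp["track"]:
                    findings.append(f"{where}: the IP address owner must not track interfaces")
                by_vip[grp["vip"]].add((dev, vlanif, vrid))
    for vip, members in by_vip.items():
        devices = [m[0] for m in members]
        if len(devices) != len(set(devices)):       # distinct groups must not share a virtual IP
            findings.append(f"virtual IP {vip}: shared by several VRRP groups on one device")
        vrids = {m[2] for m in members}
        if len(vrids) > 1:                          # one group, same VRID on every device
            findings.append(f"virtual IP {vip}: VRID differs between devices {sorted(vrids)}")
        if len(set(devices)) < len(configs):
            findings.append(f"virtual IP {vip}: group configured only on {sorted(set(devices))}")
    return findings


def run() -> list:
    return lint_vrrp({"SwitchA": parse_vrrp(CONFIG_SWITCHA),
                      "SwitchB": parse_vrrp(CONFIG_SWITCHB)})
```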
NOTE
Networking Requirements
As shown in Figure 3-78, the user hosts are dual-homed to SwitchA and SwitchB
through the switch. The requirements are as follows:
● The hosts use SwitchA as the default gateway to connect to the Internet.
When SwitchA or the downlink/uplink fails, SwitchB functions as the gateway
to implement gateway backup.
● The bandwidth of the link between SwitchA and SwitchB is increased to
implement link backup and improve link reliability.
● After SwitchA recovers, it becomes the gateway within 20s.
Figure 3-78 Networking of association between VRRP and the interface status
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2
isolation and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to
the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority
for SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group
can detect the fault of the master and perform an active/standby switchover
immediately.
NOTE
SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of the device
in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //The device in a VRRP
group uses the immediate preemption mode by default. Set a preemption delay on the master to
prevent traffic interruptions caused by frequent master/backup switchovers on an
unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP
group with the uplink interface. Set the decreased priority to ensure that the priority of the backup is higher
than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP
group with the downlink interface. Set the decreased priority to ensure that the priority of the backup is
higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Specify VLAN 301 where
VRRP packets are transmitted to save the network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit
# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
# Run the display vrrp command on SwitchB. You can see that SwitchB is the
backup. VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master and SwitchB is restored as the backup, and
the associated interface is in Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
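The failover and preemption behaviour of this procedure as a small Python model, added here and not Huawei code or output from the page: SwitchA runs priority 120 with two tracked interfaces reduced by 100 each and a 20 s preemption delay, SwitchB keeps the default priority 100. The model assumes that a reduced priority never drops below 1 and that the backup, whose delay is 0, preempts as soon as it sees a lower priority advertised.

```python
"""Model of the VRRP group above: PriorityRun is the configured priority minus
the 'reduced' value of every tracked interface that is down, and a router that
recovers only preempts after its preempt-mode timer delay. Added example, not
Huawei code; clamping the run priority to a minimum of 1 is an assumption."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # interface address; higher IP wins priority ties
    priority_config: int = 100     # 'vrrp vrid N priority' (default 100)
    preempt_delay: int = 0         # 'vrrp vrid N preempt-mode timer delay', seconds
    track: dict = field(default_factory=dict)     # interface -> 'reduced' value
    iface_up: dict = field(default_factory=dict)  # interface -> link state
    ready_since: int = 0           # time the router last became eligible to preempt

    def priority_run(self) -> int:
        """PriorityRun as shown by 'display vrrp'."""
        reduced = sum(r for i, r in self.track.items() if not self.iface_up.get(i, True))
        return max(1, self.priority_config - reduced)   # assumption: floor at 1

    def set_interface(self, iface: str, up: bool, now: int) -> None:
        self.iface_up[iface] = up
        if up:
            self.ready_since = now   # the preempt delay counts from the recovery


class VrrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.master = None

    def _best(self) -> VrrpRouter:
        return max(self.routers,
                   key=lambda r: (r.priority_run(), int(ipaddress.ip_address(r.ip))))

    def advertise(self, now: int) -> str:
        """One advertisement round: the master advertises its run priority; a
        router with a higher priority takes over once its preempt delay has expired."""
        best = self._best()
        if self.master is None:
            self.master = best                      # initial election
        elif best is not self.master and now - best.ready_since >= best.preempt_delay:
            self.master = best
        return self.master.name


def simulate() -> list:
    """Timeline of (time, master): uplink GE1/0/1 of SwitchA fails at t=5 and
    recovers at t=10; SwitchA is expected back as master 20 s later."""
    a = VrrpRouter("SwitchA", "10.1.1.2", priority_config=120, preempt_delay=20,
                   track={"GE1/0/1": 100, "GE1/0/2": 100})
    b = VrrpRouter("SwitchB", "10.1.1.3")
    group = VrrpGroup([a, b])
    timeline = [(0, group.advertise(0))]
    a.set_interface("GE1/0/1", False, 5)           # master priority drops to 20
    timeline.append((5, group.advertise(5)))        # SwitchB (100) takes over at once
    a.set_interface("GE1/0/1", True, 10)            # priority back to 120, delay starts
    for t in (10, 25, 30):
        timeline.append((t, group.advertise(t)))
    return timeline
```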
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
#
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
return
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 3-31 compares
different VLAN assignment modes.
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-79, the switch of an enterprise connects to many users, and users
accessing the same service connect to the enterprise network through different
devices. To ensure communication security and prevent broadcast storms, the
enterprise requires that users using the same service communicate with each
other and users accessing different services be isolated. You can configure
interface-based VLAN assignment on the switch so that the switch adds interfaces
connected to users using the same service to the same VLAN. Users in different
VLANs cannot communicate with each other at Layer 2, and users in the same
VLAN can communicate with each other.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces that connect users to VLANs to isolate Layer
2 traffic of different services.
2. Configure link types of interfaces between SwitchA and SwitchB and VLANs
allowed by interfaces so that users accessing the same service can
communicate with each other through SwitchA and SwitchB.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA and add interfaces that are connected to
users to VLANs. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //The interface connected to the access device must
be the access interface. The default link type of an interface is not access, so you need to manually
configure the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3 //Add GE1/0/2 to VLAN 3.
[SwitchA-GigabitEthernet1/0/2] quit
Step 2 Configure the link type of the interface on SwitchA that is connected to SwitchB
and VLAN allowed by the interface. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.
User1 and User2 are on the same network segment, for example,
192.168.100.0/24; User3 and User4 are on the same network segment, for
example, 192.168.200.0/24.
User1 and User2 can ping each other, but cannot ping User3 or User4. User3 and
User4 can ping each other, but cannot ping User1 or User2.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and commonly used.
Interface-based VLAN assignment indicates that VLANs are assigned based on
interfaces. A network administrator preconfigures a PVID for each interface on a
switch. When an untagged frame arrives at an interface, the switch adds the PVID
of the interface to the frame. Then the frame is transmitted in a specified VLAN.
In typical hierarchical networking, when the access switch is a Layer 3 switch, the
access switch can be used as the gateway of PCs to simplify the configuration of
the aggregation switch.
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-80, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. SW2 functions as the
gateway of PC1 and PC2, and SW3 is used as the gateway of PC3. Static routes are
configured on switches so that PCs can communicate with each other and can be
connected to the router.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW3 //Change the device name to SW3.
[SW3] vlan batch 4 //Create VLAN 4.
[SW1] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 //Configure a static route. Packets with the
destination IP address of 192.168.2.0/24 are forwarded to the next hop address of 192.168.5.2. The next hop
address is the IP address of the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2 //Configure a static route. Packets with the
destination IP address of 192.168.3.0/24 are forwarded to the next hop address of 192.168.5.2. The next hop
address is the IP address of the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.4.0 255.255.255.0 192.168.5.3 //Configure a static route. Packets with the
destination IP address of 192.168.4.0/24 are forwarded to the next hop address of 192.168.5.3. The next hop
address is the IP address of the VLANIF interface connected to SW3.
# Configure a default route so that PCs can communicate with the router.
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4 //Configure a default route. The next hop address is the IP
address of the router interface connected to SW1.
----End
Configuration Files
SW1 configuration file
#
sysname SW1
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and commonly used.
In typical hierarchical networking, when the access switch is a Layer 2 switch, the
aggregation switch can be used as the gateway of PCs. The configuration of the
access switch is simplified, and PCs access the external network through one
outbound interface, thereby facilitating maintenance and management.
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-81, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. No configuration is
performed on SW3, and SW3 functions as the hub and is plug-and-play. SW1
functions as the gateway of PC1, PC2, and PC3 so that PCs can communicate with
each other and can be connected to the router.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
PC1, PC2, and PC3 can access each other, and they can communicate with the
router.
----End
Configuration Files
SW1 configuration file
#
sysname SW1
#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 4
#
return
Overview
MAC address-based VLAN assignment applies to small-scale networks where user
terminals often change physical locations but their NICs seldom change, for
example, mobile computers.
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 3-32 compares
different VLAN assignment modes.
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-82, GE1/0/1 interfaces on SwitchA and SwitchB connect to two
conference rooms, respectively. Laptop1 and Laptop2 are portable computers used in
the two conference rooms. Laptop1 and Laptop2 belong to two departments,
which belong to VLAN 100 and VLAN 200, respectively. Regardless of which
conference room Laptop1 and Laptop2 are used in, they must be able to access the
servers of their respective departments (Server1 and Server2, respectively). The
MAC addresses of Laptop1 and Laptop2 are 00e0-fcef-00c0 and 00e0-fcef-00c1,
respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB and add interfaces to VLANs to
implement Layer 2 connectivity.
2. Configure MAC address-based VLAN assignment on SwitchA and SwitchB.
3. Configure transparent transmission of VLAN tagged-packets on the switch so
that Laptop1 and Laptop2 can access Server1 and Server2 of their respective
departments.
Procedure
Step 1 Configure SwitchA. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk //The link type of interfaces connecting switches
must be trunk. The default link type of an interface is not trunk, so you need to manually configure the
trunk interface.
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 //Add GE1/0/2 to VLAN 100 and
VLAN 200.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 00e0-fcef-00c0 //Packets with the MAC address of 00e0-
fcef-00c0 are transmitted in VLAN 100.
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 00e0-fcef-00c1 //Packets with the MAC address of 00e0-
fcef-00c1 are transmitted in VLAN 200.
[SwitchA-vlan200] quit
Step 2 Configure the switch. The configurations of GE1/0/2, GE1/0/3, and GE1/0/4 are
similar to the configuration of GE1/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200 //Add GE1/0/1 to VLAN 100 and VLAN
200.
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 00e0-fcef-00c0 priority 0
vlan 200
mac-vlan mac-address 00e0-fcef-00c1 priority 0
#
return
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-83, an enterprise has multiple services, including IPTV, VoIP, and
Internet access. Each service uses a different IP subnet. To facilitate management,
the company requires that packets of the same service be transmitted in the same
VLAN and packets of different services in different VLANs. The switch receives
packets of multiple services such as data, IPTV, and voice services, and user devices
of these services use IP addresses on different IP subnets. The switch needs to
assign VLANs to packets of different services so that the router can transmit
packets with different VLAN IDs to different servers.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP
subnet-based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with
VLANs so that the switch determines VLANs based on source IP addresses or
network segments of packets.
Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300 //Create VLAN 100, VLAN 200, and VLAN 300 in a batch.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
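How a switch decides the VLAN of a frame arriving on a port, covering the interface-based (PVID), MAC address-based and IP subnet-based assignment modes of the three examples above, as an added Python model that is not Huawei code. It replays the values of the SwitchA and Switch configuration files (mac-vlan entries for 00e0-fcef-00c0 and 00e0-fcef-00c1, ip-subnet-vlan entries for 192.168.1.0/24 to 192.168.3.0/24); the assumed matching order is MAC table first, then IP-subnet table, then the port PVID, and a frame whose VLAN the port is not a member of is assumed to be dropped.

```python
"""Models interface-based (PVID), MAC address-based and IP subnet-based VLAN
assignment on a hybrid port. Added example, not Huawei code. Assumptions: an
untagged frame is matched against the MAC-VLAN table first, then the IP-subnet
table, and otherwise gets the PVID; a frame whose VLAN the port does not belong
to is dropped."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int = 1                                            # every port starts in VLAN 1
    member_vlans: set = field(default_factory=lambda: {1})   # 'port hybrid untagged vlan ...'
    mac_vlan: bool = False                                   # 'mac-vlan enable'
    ip_subnet_vlan: bool = False                             # 'ip-subnet-vlan enable'


@dataclass
class Frame:
    src_mac: str
    src_ip: Optional[str] = None
    vlan_tag: Optional[int] = None   # None for an untagged frame


def norm_mac(mac: str) -> str:
    """Accept Huawei 00e0-fcef-00c0 as well as colon- or dot-separated notation."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


class VlanClassifier:
    def __init__(self):
        self.mac_table = {}      # MAC -> (vlan, 802.1p priority)
        self.subnet_table = []   # (IPv4Network, vlan, priority) in configuration order

    def mac_vlan(self, vlan: int, mac: str, priority: int = 0) -> None:
        """'mac-vlan mac-address <mac> priority <p>' in the VLAN view."""
        self.mac_table[norm_mac(mac)] = (vlan, priority)

    def ip_subnet_vlan(self, vlan: int, ip: str, mask: str, priority: int = 0) -> None:
        """'ip-subnet-vlan <index> ip <ip> <mask> priority <p>' in the VLAN view; the
        configured host address is reduced to its network (192.168.1.2/24 -> 192.168.1.0/24)."""
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        self.subnet_table.append((net, vlan, priority))

    def classify(self, port: Port, frame: Frame):
        """Return (vlan, priority) for the frame, or None if the port drops it."""
        if frame.vlan_tag is not None:
            # Tagged frame: kept in its own VLAN if the port is a member, else dropped.
            return (frame.vlan_tag, None) if frame.vlan_tag in port.member_vlans else None
        vlan, prio = port.pvid, 0                # interface-based assignment is the fallback
        mac = norm_mac(frame.src_mac)
        if port.mac_vlan and mac in self.mac_table:
            vlan, prio = self.mac_table[mac]
        elif port.ip_subnet_vlan and frame.src_ip is not None:
            ip = ipaddress.IPv4Address(frame.src_ip)
            for net, v, p in self.subnet_table:
                if ip in net:
                    vlan, prio = v, p
                    break
        return (vlan, prio) if vlan in port.member_vlans else None


def demo() -> dict:
    """Replays the values of the configuration files above and returns the decisions."""
    # SwitchA GE1/0/1: hybrid, untagged VLAN 100 200, mac-vlan enable
    a = VlanClassifier()
    a.mac_vlan(100, "00e0-fcef-00c0")
    a.mac_vlan(200, "00e0-fcef-00c1")
    ge1_a = Port(member_vlans={1, 100, 200}, mac_vlan=True)
    # Switch GE1/0/1: hybrid, untagged VLAN 100 200 300, ip-subnet-vlan enable
    s = VlanClassifier()
    s.ip_subnet_vlan(100, "192.168.1.2", "255.255.255.0", priority=2)
    s.ip_subnet_vlan(200, "192.168.2.2", "255.255.255.0", priority=3)
    s.ip_subnet_vlan(300, "192.168.3.2", "255.255.255.0", priority=4)
    ge1_s = Port(member_vlans={1, 100, 200, 300}, ip_subnet_vlan=True)
    return {
        "laptop1": a.classify(ge1_a, Frame("00e0-fcef-00c0")),                   # (100, 0)
        "laptop2": a.classify(ge1_a, Frame("00:E0:FC:EF:00:C1")),                # (200, 0)
        "unknown_mac": a.classify(ge1_a, Frame("00e0-fcef-0099")),               # PVID: (1, 0)
        "tagged_300": a.classify(ge1_a, Frame("00e0-fcef-00c0", vlan_tag=300)),  # None, not a member
        "host_192_168_2": s.classify(ge1_s, Frame("0011-2233-4455", "192.168.2.77")),  # (200, 3)
        "other_subnet": s.classify(ge1_s, Frame("0011-2233-4455", "10.0.0.5")),        # (1, 0)
    }
```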
Overview
After VLANs are assigned, broadcast packets are forwarded only within the same
VLAN. That is, hosts in different VLANs cannot communicate at Layer 2 because
VLAN technology isolates broadcast domains. In real-world applications, hosts in
different VLANs often need to communicate, so inter-VLAN communication must be
implemented. Layer 3 routing or VLAN technology is required to implement
inter-VLAN communication.
VLANIF interfaces are the most commonly used for inter-VLAN communication
due to their simple configurations. However, a VLANIF interface needs to be
configured for each VLAN and each VLANIF interface requires an IP address, which
wastes IP addresses.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.
Configuration Notes
● The default gateway address of hosts in a VLAN must be the IP address of the
VLANIF interface that corresponds to the VLAN.
● This example applies to all versions of all switches.
Networking Requirements
Different user hosts of an enterprise transmit the same service, and are located on
different network segments. User hosts transmitting the same service belong to
different VLANs and need to communicate.
In Figure 3-84, User1 and User2 access the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which users belong.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces
to implement Layer 3 connectivity.
Procedure
Step 1 Configure the switch.
# Create VLANs, and configure interfaces on the switch connected to user hosts as
access interfaces and add them to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
Overview
After VLANs are assigned, broadcast packets are forwarded only within the same
VLAN, so hosts in different VLANs cannot communicate at Layer 2: VLAN technology
isolates broadcast domains. In real-world applications, hosts in different VLANs
often need to communicate, so inter-VLAN communication must be implemented.
Layer 3 routing or a VLAN technology designed for this purpose is required to
implement inter-VLAN communication.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.
Configuration Notes
● Among the cards of the S7700 and S9700, only E series, X series, F series, and
SC cards support termination sub-interfaces. For details, see the card
classification in Hardware Description.
X1E cards in the X series support termination sub-interfaces in V200R007C00
and later versions.
● For Layer 2 interfaces, only hybrid and trunk interfaces support termination
sub-interfaces.
● The VLAN IDs terminated by a sub-interface cannot be created in the system
view or be displayed.
● When IP packets need to be sent out from a termination sub-interface and the
device has no corresponding ARP entry, ARP broadcast must have been enabled on
the sub-interface using the arp broadcast enable command. Otherwise, the
system does not send or forward broadcast ARP packets to learn ARP entries,
and the IP packets are discarded directly.
● This example applies to all versions of the modular switches.
Networking Requirements
In Figure 3-85, Host A and Host B belong to the R&D department, and Host C and
Host D belong to the quality department. The two departments are connected
through a Layer 2 switch, and require Layer 2 isolation and Layer 3 connectivity.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure Layer 2 switch SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA //Change the device name to SwitchA for easy identification.
[SwitchA] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Overview
In addition to configuring an IP address for a VLANIF interface, you need to
configure a static route or a dynamic routing protocol when PCs on different
network segments across several switches need to communicate. This is because
a switch generates only a direct route for each VLANIF interface's IP address, so
a VLANIF interface can only implement interworking between PCs on different
network segments through one switch.
Static routes can be easily configured and have low requirements on the system.
They are applicable to simple, stable, and small-scale networks. However, static
routes cannot automatically adapt to changes in the network topology, and
manual intervention is required.
Using routing algorithms, dynamic routing protocols automatically adapt to
changes in the network topology. They are applicable to networks where some
Layer 3 devices are deployed. Dynamic routes are more complex to configure,
have higher requirements on the system than static routes, and consume more
network and system resources.
Configuration Notes
This example applies to all versions of all switches.
Networking Requirements
In Figure 3-86, to ensure security and facilitate management, an enterprise
assigns a VLAN for a server. The user device belongs to VLAN 10, and the server
belongs to VLAN 20. Access, aggregation, and core switches are deployed between
the user and server. Access switches are Layer 2 switches, and aggregation and
core switches are Layer 3 switches. The user and server need to communicate with
each other due to service requirements.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment to implement Layer 2
communication.
2. Configure VLANIF 10 on the aggregation switch AGG and configure an IP
address for VLANIF 10 as the gateway address of the user; configure VLANIF
20 on the core switch CORE and configure an IP address for VLANIF 20 as the
gateway address of the server.
3. On the aggregation switch AGG, configure a static route from AGG to the
network segment of VLANIF 20; on the core switch CORE, configure a static
route from CORE to the network segment of VLANIF 10. The communication
across network segments is therefore implemented.
Procedure
Step 1 Configure the access switch ACC1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Change the device name to ACC1 for easy identification.
[ACC1] vlan batch 10 //Create VLAN 10 in a batch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC2 //Change the device name to ACC2.
[ACC2] vlan batch 20 //Create VLAN 20 in a batch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname AGG //Change the device name to AGG.
[AGG] vlan batch 10 30 //Create VLAN 10 and VLAN 30 in a batch.
[AGG] ip route-static 192.168.1.0 255.255.255.0 10.10.30.2 //Configure a static route. The packets with the destination IP address of 192.168.1.0/24 are forwarded to the IP address 10.10.30.2 of VLANIF 30 on the core switch.
# Configure a static route so that the server and PC can access each other.
[CORE] ip route-static 10.1.1.0 255.255.255.0 10.10.30.1 //Configure a static route. The packets with the destination IP address of 10.1.1.0/24 are forwarded to the IP address 10.10.30.1 of VLANIF 30 on the aggregation switch.
----End
Configuration Files
ACC1 configuration file
#
sysname ACC1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
#
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
#
return
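The following is an added example, not part of this configuration guide and not Huawei code. It models the AGG and CORE routing tables from the procedure above (direct routes for each VLANIF plus the two static routes) and traces a packet from the user subnet 10.1.1.0/24 to the server subnet 192.168.1.0/24 and back. The VLANIF 30 addresses 10.10.30.1 and 10.10.30.2 and both static routes are taken from the procedure; the gateway addresses on VLANIF 10 and VLANIF 20 are assumed (.1 in each subnet) because the page does not show them. The point the model makes is that the two static routes are a pair: remove the route on CORE and the forward direction still works while the return direction is dropped on CORE.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None: directly connected
    iface: str


def static_route(args: str) -> Route:
    """Parse the arguments of 'ip route-static <network> <mask> <next-hop>'."""
    net, mask, nh = args.split()
    return Route(ipaddress.IPv4Network((net, mask)), ipaddress.IPv4Address(nh), "static")


@dataclass
class L3Switch:
    name: str
    vlanifs: dict[str, ipaddress.IPv4Interface]    # e.g. "Vlanif30": 10.10.30.1/24
    statics: list[Route] = field(default_factory=list)

    def rib(self) -> list[Route]:
        """Direct routes for every VLANIF plus the configured static routes."""
        direct = [Route(i.network, None, n) for n, i in self.vlanifs.items()]
        return direct + self.statics

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the RIB."""
        matches = [r for r in self.rib() if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def has_subnet(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in i.network for i in self.vlanifs.values())


def trace(src: str, dst: str, switches: list[L3Switch], max_hops: int = 8) -> tuple[list[str], bool]:
    """Follow a packet from the source host's gateway switch hop by hop.
    Returns (names of switches traversed, delivered?)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    by_addr = {i.ip: sw for sw in switches for i in sw.vlanifs.values()}
    cur = next((sw for sw in switches if sw.has_subnet(src_ip)), None)   # host's gateway
    path: list[str] = []
    while cur is not None and len(path) < max_hops:
        path.append(cur.name)
        route = cur.lookup(dst_ip)
        if route is None:
            return path, False                  # no route: dropped on this switch
        if route.next_hop is None:
            return path, True                   # destination subnet is local: delivered
        cur = by_addr.get(route.next_hop)       # next hop must be a known VLANIF address
    return path, False


def check_bidirectional(a: str, b: str, switches: list[L3Switch]) -> dict:
    """Both directions must succeed; a missing return route breaks every session."""
    fwd_path, fwd_ok = trace(a, b, switches)
    ret_path, ret_ok = trace(b, a, switches)
    return {"forward": fwd_path, "forward_ok": fwd_ok,
            "return": ret_path, "return_ok": ret_ok, "ok": fwd_ok and ret_ok}


def build_topology(with_core_return_route: bool = True) -> list[L3Switch]:
    """AGG and CORE from the example. VLANIF 30 addresses and the static routes come
    from the procedure; the VLANIF 10/20 gateway addresses are assumed (.1 per subnet)."""
    agg = L3Switch("AGG", {"Vlanif10": ipaddress.IPv4Interface("10.1.1.1/24"),
                           "Vlanif30": ipaddress.IPv4Interface("10.10.30.1/24")},
                   [static_route("192.168.1.0 255.255.255.0 10.10.30.2")])
    core = L3Switch("CORE", {"Vlanif20": ipaddress.IPv4Interface("192.168.1.1/24"),
                             "Vlanif30": ipaddress.IPv4Interface("10.10.30.2/24")})
    if with_core_return_route:
        core.statics.append(static_route("10.1.1.0 255.255.255.0 10.10.30.1"))
    return [agg, core]


if __name__ == "__main__":
    print(check_bidirectional("10.1.1.10", "192.168.1.10", build_topology()))
    print(check_bidirectional("10.1.1.10", "192.168.1.10", build_topology(False)))
```

The second call in the usage block reproduces the common misconfiguration: only AGG has its static route, so a ping from the user reaches the server but the reply has no route back.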
Super-VLAN Overview
Super-VLAN, also called VLAN aggregation, reduces the number of required IP
addresses, isolates broadcast storms, and controls Layer 2 access on interfaces. A
super-VLAN can be associated with multiple sub-VLANs, which are isolated at
Layer 2. All sub-VLANs use the IP address of the corresponding VLANIF interface
for the super-VLAN to implement Layer 3 connectivity with an external network,
thereby reducing the number of IP addresses required.
The super-VLAN applies to scenarios where many users and VLANs exist, IP
addresses of devices in many VLANs are on the same network segment, and
inter-VLAN Layer 2 isolation needs to be implemented. Inter-VLAN proxy ARP can
be enabled to implement inter-VLAN communication. For example, this can be used
in hotels and residential buildings requiring broadband access. Each room or
household is assigned its own VLAN and isolated. An IP network segment cannot be
allocated to each VLAN because IP addresses are finite and there are many VLANs,
so the VLANs can only share an IP network segment. Assume that the IP network
segment of VLAN 10 is 10.10.10.0/24. A household may use only one or two IP
addresses, yet the whole segment of over 200 IP addresses is consumed by that
one VLAN. Super-VLAN technology allows users in VLANs 11 to 100 to share the IP
network segment 10.10.10.0/24, thereby reducing the number of IP addresses
required.
Configuration Notes
● VLAN 1 cannot be configured as a super-VLAN.
● No physical interface can be added to a VLAN configured as a super-VLAN.
● This example applies to the following products:
– S2752EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-EI, S5700-SI, S5700-HI, S5710-EI, S5720-EI, S5720-SI, S5720S-SI,
S5720I-SI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I
– S6700-EI, S6720-EI, S6720S-EI, S6720-SI, S6720S-SI, S6720-HI, S6730-H,
S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
In Figure 3-87, a company has many departments on the same network segment.
To improve service security, the company assigns different departments to
different VLANs. VLAN 2 and VLAN 3 belong to different departments. Each
department wants to access the Internet, and PCs in different departments need
to communicate.
Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments
to a super-VLAN so that PCs in different departments can access the Internet
using the super-VLAN. Deploy proxy ARP in the super-VLAN so that PCs in
different departments can communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces on SwitchA and
SwitchB to transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so
that PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure SwitchA.
# Add GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 3
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add the interface to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add the interface to VLAN 3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3
[SwitchA-GigabitEthernet1/0/4] quit
# Create and configure VLANIF 4 so that PCs in different departments can access
the Internet using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 24
[SwitchB-Vlanif4] quit
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the
IP address for connecting SwitchB and the router.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 24
[SwitchB-Vlanif10] quit
# Configure a static route to the router on SwitchB so that users can access the
Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2
to the router interface. See the router configuration manual.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
3.6.3.10 Example for Configuring MUX VLAN to Isolate Users in the Same VLAN
Configuration Notes
● The VLAN ID assigned to a principal VLAN cannot be used to configure the
super-VLAN or sub-VLAN. Additionally, it is not recommended that this VLAN
ID be used to configure VLAN mapping and VLAN stacking.
● The VLAN ID assigned to a group or separate VLAN cannot be used to
configure a VLANIF interface, super-VLAN, or sub-VLAN. Additionally, it is not
Networking Requirements
All employees of an enterprise can access servers on the enterprise network. The
enterprise allows some employees to communicate but isolates other employees.
In Figure 3-88, Switch1 is deployed at the aggregation layer and used as the
gateway for downstream hosts. Switch2, Switch3, Switch4, Switch5, and Switch6
are access switches. Their GE1/0/1 interfaces connect to downstream hosts, and
their GE1/0/2 interfaces connect to Switch1. You can configure MUX VLAN on
Switch1. This reduces the number of VLAN IDs on the enterprise network and
facilitates network management.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN and a VLANIF interface. The IP address of the
VLANIF interface is used as the gateway IP address for downstream hosts and
servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to VLANs and enable the MUX VLAN function on the
interfaces.
5. Add interfaces of access switches to VLANs.
Procedure
Step 1 Enable the MUX VLAN function on Switch1.
# On Switch1, create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for
VLAN 2. The IP address of the VLANIF interface is used as the gateway IP address
for downstream hosts and servers.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit
# Configure the group VLAN and separate VLAN of the MUX VLAN on Switch1.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3 //Configure VLAN 3 as the group VLAN.
[Switch1-vlan2] subordinate separate 4 //Configure VLAN 4 as the separate VLAN.
[Switch1-vlan2] quit
# Add interfaces to the VLANs on Switch1 and enable the MUX VLAN function on
interfaces.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2 //In V200R003C00 and earlier versions, you do not need to specify the VLAN. An interface can join only one of the MUX VLAN, the separate VLAN, or a group VLAN.
[Switch1-GigabitEthernet1/0/2] quit
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] port link-type trunk
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/3] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] port link-type trunk
[Switch1-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/4] quit
[Switch1] interface gigabitethernet 1/0/5
[Switch1-GigabitEthernet1/0/5] port link-type trunk
[Switch1-GigabitEthernet1/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/5] quit
[Switch1] interface gigabitethernet 1/0/6
[Switch1-GigabitEthernet1/0/6] port link-type trunk
Step 2 Configure interfaces of access switches and add them to VLANs. The
configurations of Switch3, Switch4, Switch5, and Switch6 are similar to the
configuration of Switch2, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 2
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch2-GigabitEthernet1/0/1] port default vlan 2
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk //Configure the link type of the interface as trunk.
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 //Allow VLAN 2 to pass through the trunk interface.
[Switch2-GigabitEthernet1/0/2] quit
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
#
sysname Switch2
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
#
sysname Switch3
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
#
sysname Switch4
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
#
sysname Switch5
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return
#
sysname Switch6
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return
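The following is an added example, not part of this configuration guide and not Huawei code. It parses the MUX VLAN section of the Switch1 configuration file above (principal VLAN 2, group VLAN 3, separate VLAN 4) and the host-port VLAN of each access switch from the Switch2 to Switch6 configuration files, then computes which pairs of access switches can exchange Layer 2 traffic through Switch1. The forwarding rules encoded in can_communicate are the MUX VLAN semantics the example relies on: principal VLAN ports reach every subordinate VLAN, group VLAN ports reach the principal VLAN and other ports of the same group VLAN, and separate VLAN ports reach only the principal VLAN. Use the resulting matrix to confirm that the isolation you intended (here, Switch5 and Switch6 cannot reach each other) actually follows from the configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the MUX VLAN section of the Switch1 configuration file above.
SWITCH1_CONFIG = """\
#
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
"""

# Constructed sample: the 'port default vlan' line of GE1/0/1 on each access switch,
# taken from the Switch2 to Switch6 configuration files above.
ACCESS_PORTS = {
    "Switch2": "port default vlan 2",
    "Switch3": "port default vlan 3",
    "Switch4": "port default vlan 3",
    "Switch5": "port default vlan 4",
    "Switch6": "port default vlan 4",
}


@dataclass
class MuxVlan:
    principal: int
    groups: set[int] = field(default_factory=set)
    separates: set[int] = field(default_factory=set)

    def role(self, vlan: int) -> str | None:
        if vlan == self.principal:
            return "principal"
        if vlan in self.groups:
            return "group"
        if vlan in self.separates:
            return "separate"
        return None                       # VLAN is not part of this MUX VLAN


def parse_mux_vlan(config: str) -> MuxVlan:
    """Read 'mux-vlan' and 'subordinate group|separate' lines under a 'vlan N' block."""
    current: int | None = None
    mux: MuxVlan | None = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        if line == "mux-vlan" and current is not None:
            mux = MuxVlan(current)
            continue
        m = re.match(r"^subordinate (group|separate) (\d+)$", line)
        if m and mux is not None and current == mux.principal:
            target = mux.groups if m.group(1) == "group" else mux.separates
            target.add(int(m.group(2)))
    if mux is None:
        raise ValueError("no mux-vlan found in configuration")
    return mux


def can_communicate(mux: MuxVlan, vlan_a: int, vlan_b: int) -> bool:
    """Layer 2 reachability between two ports according to their MUX VLAN roles."""
    ra, rb = mux.role(vlan_a), mux.role(vlan_b)
    if ra is None or rb is None:
        return False
    if "principal" in (ra, rb):
        return True                        # principal reaches everything
    if ra == rb == "group":
        return vlan_a == vlan_b            # only within the same group VLAN
    return False                           # separate ports are isolated from everyone else


def access_vlan(config_line: str) -> int:
    m = re.search(r"port default vlan (\d+)", config_line)
    if m is None:
        raise ValueError(f"no access VLAN in {config_line!r}")
    return int(m.group(1))


def reachability(mux: MuxVlan, ports: dict[str, str]) -> dict[tuple[str, str], bool]:
    """Pairwise reachability matrix between access switches (unordered pairs)."""
    names = sorted(ports)
    vlans = {n: access_vlan(ports[n]) for n in names}
    return {(a, b): can_communicate(mux, vlans[a], vlans[b])
            for a in names for b in names if a < b}


if __name__ == "__main__":
    mux = parse_mux_vlan(SWITCH1_CONFIG)
    for pair, ok in reachability(mux, ACCESS_PORTS).items():
        print(pair, "reachable" if ok else "isolated")
```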
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.
Basic QinQ, also called QinQ tunneling, is performed on interfaces. When an
interface enabled with basic QinQ receives a packet, the device adds the default
VLAN tag of that interface to the packet. If the received packet is tagged, it
then carries double VLAN tags; if the received packet is untagged, it carries
only the default VLAN tag of the interface.
When too many VLANs are required, you can configure basic QinQ. Basic QinQ, by
adding an outer tag, expands VLAN space and solves the VLAN shortage problem.
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-89, a network has two enterprises: enterprise 1 and
enterprise 2. Both enterprises have two branches. Enterprise 1 and enterprise 2
networks connect to SwitchA and SwitchB, respectively, of the ISP network. In
addition, there are non-Huawei devices on the public network and the TPID in the
outer VLAN tag is 0x9100.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure
connected interfaces as QinQ interfaces, and add the interfaces to VLANs so
that different VLAN tags are added to packets of different services.
2. Add interfaces of SwitchA and SwitchB that are connected to the public
network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed
to pass through.
3. Configure the TPID in the outer VLAN tag on interfaces of SwitchA and
SwitchB that are connected to the public network so that SwitchA and
SwitchB can communicate with non-Huawei devices.
Procedure
Step 1 Create VLANs.
# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the
default VLAN of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN
200. VLAN 100 and VLAN 200 are added to outer tags. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/1] port default vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/2] port default vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet1/0/3] quit
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:
● Before configuring selective QinQ on a fixed switch, you must run the qinq
vlan-translation enable command to enable VLAN translation.
● You are advised to configure selective QinQ on a hybrid interface. Selective
QinQ can take effect on the interface only in the inbound direction.
● The outer VLAN must be created before Selective QinQ is performed.
● When an interface configured with VLAN stacking needs to remove the outer
tag from outgoing frames, the interface must join the VLAN specified by
stack-vlan in untagged mode. If the outer VLAN does not need to be
removed, the interface must join the VLAN specified by stack-vlan in tagged
mode.
● The device configured with selective QinQ can add only one outer VLAN tag
to a frame with an inner VLAN tag on an interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
● VLAN mapping (for example, port vlan-mapping vlan 20 map-vlan 20)
must be configured to map the VLAN to itself from which single-tagged
packets need to be transparently transmitted after selective QinQ is
configured on the following cards and devices:
– ES0D0G24SA00, ES0D0G24CA00, EH1D2G24SSA0, and EH1D2S24CSA0
cards
– S5700-EI, S3700-EI, and S3700-SI
● This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-90, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.
In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP
phones.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces and add interfaces to VLANs on SwitchA
and SwitchB.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
When a fixed switch is used, you must run the qinq vlan-translation enable command in the
interface view to enable VLAN translation.
untagged mode.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] quit
If the configurations on SwitchA and SwitchB are correct, you can obtain the
following information:
● PCs can communicate with each other through the ISP network.
● VoIP phones can communicate with each other through the ISP network.
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.
Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can
provide differentiated services based on service types.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:
Networking Requirements
As shown in Figure 3-91, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network. Flow-
based selective QinQ can be configured to meet the requirement.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and
SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchB-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name1 //Configure a traffic policy named name1.
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[SwitchB-trafficpolicy-name1] quit
Step 3 Apply the traffic policies to interfaces on SwitchA and SwitchB to implement
selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-34 compares STP, RSTP, and MSTP.
Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in STP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable.
After a network designer deploys a network, STP can be deployed on the network
to prevent loops. When loops exist on a network, STP blocks a port to eliminate
the loops. In Figure 3-92, SwitchA, SwitchB, SwitchC, and SwitchD running STP
exchange STP BPDUs to discover loops on the network and block ports to prune
the network into a loop-free tree network. STP stops packets from looping endlessly
and so preserves the packet processing capability of the switches.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switching devices on the ring network to work in STP mode.
2. Configure the root bridge and secondary root bridge.
3. Configure the path cost of a port so that the port can be blocked.
4. Enable STP to eliminate loops.
Procedure
Step 1 Configure basic STP functions.
1. Configure the switching devices on the ring network to work in STP mode.
# Configure SwitchA to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp
3. Configure the path cost of a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
– Enable STP globally on devices.
# Enable STP globally on SwitchA.
[SwitchA] stp enable
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
● SwitchB configuration file
#
sysname SwitchB
#
stp mode stp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
stp mode stp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return
Related Content
Videos
Configuring STP to Prevent Loops
Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-35 compares STP, RSTP, and MSTP.
Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in RSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable.
After a network designer deploys a network, RSTP can be deployed on the
network to prevent loops. When loops exist on a network, RSTP blocks a port to
eliminate the loops. In Figure 3-93, SwitchA, SwitchB, SwitchC, and SwitchD
running RSTP exchange RSTP BPDUs to discover loops on the network and block
ports to prune the network into a loop-free tree network. RSTP stops packets from
looping endlessly and so preserves the packet processing capability of the switches.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions on switching devices of the ring network.
a. Configure the switching devices on the ring network to work in RSTP
mode.
b. Configure the root bridge and secondary root bridge.
c. Configure the path cost of a port so that the port can be blocked.
d. Enable RSTP to eliminate loops.
2. Enable protection functions to protect devices or links. For example, enable
root protection on the designated port of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the switching devices on the ring network to work in RSTP mode.
# Configure SwitchA to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp
# Configure SwitchB to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode rstp
# Configure SwitchC to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode rstp
# Configure SwitchD to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode rstp
2. Configure the root bridge and secondary root bridge.
# Configure SwitchA as the root bridge.
[SwitchA] stp root primary
# Configure SwitchD as the secondary root bridge.
[SwitchD] stp root secondary
3. Configure the path cost of a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchC] stp pathcost-standard legacy
# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
# Configure SwitchD to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchD] stp pathcost-standard legacy
4. Enable RSTP to eliminate loops.
– Configure the ports connected to PCs as edge ports.
# Configure GigabitEthernet1/0/2 on SwitchB as an edge port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
[SwitchB-GigabitEthernet1/0/2] quit
# (Optional) Configure BPDU protection on SwitchB.
[SwitchB] stp bpdu-protection
# Configure GigabitEthernet1/0/2 on SwitchC as an edge port.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] quit
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
– Enable RSTP globally on devices.
# Enable RSTP on SwitchA.
[SwitchA] stp enable
Step 2 Enable protection functions. The following uses root protection on the designated
port of the root bridge as an example.
# Configure root protection on GigabitEthernet1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp root-protection
#
interface GigabitEthernet1/0/2
stp root-protection
#
return
● SwitchB configuration file
#
sysname SwitchB
#
stp mode rstp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
stp mode rstp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
stp mode rstp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return
Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-36 compares STP, RSTP, and MSTP.
Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in MSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable. MSTP can be used to prevent loops.
MSTP blocks redundant links and prunes a network into a tree topology free from
loops.
In Figure 3-94, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. MSTP uses
multiple instances to implement load balancing of traffic in VLANs 2 to 10 and
VLANs 11 to 20. The VLAN mapping table that defines the mapping between
VLANs and MSTIs can be used.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on switching devices of the ring network.
2. Enable protection functions to protect devices or links. For example, enable
root protection on the designated port of the root bridge in each MSTI.
NOTE
When the link between the root bridge and secondary root bridge goes Down, the port
enabled with root protection becomes Discarding because root protection takes effect.
To improve reliability, you are advised to bind the link between the root bridge and
secondary root bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding on devices.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD (access switches) in the
MST region RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region of root bridge SwitchA in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
# Configure an MST region of root bridge SwitchB in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit
# Configure an MST region of SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit
# Configure an MST region of SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchD-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchD-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchD-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchD-mst-region] quit
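The NOTE above lists the three values that put switches in the same MST region. The following added Python example (not Huawei's code) checks them across several VRP configuration files: it parses the stp region-configuration block, expands the VLAN lists, and computes the IEEE 802.1s configuration digest that switches actually compare in their BPDUs. The SwitchA/SwitchB snippets mirror the RG1 configuration on this page, SwitchX is a constructed mis-typed copy, and a revision level of 0 is assumed wherever none is configured.

```python
"""Check MST region identity (name, revision level, VLAN-to-MSTI mapping) across
VRP configuration files, as the NOTE above requires for one region.

Added example, not Huawei's code. The RG1 blocks are constructed to mirror the
SwitchA/SwitchB configuration files on this page; SwitchX is a constructed
mis-typed copy. A revision level of 0 is assumed when none is configured."""
import hashlib
import hmac
import re

# HMAC-MD5 key defined by IEEE 802.1s/802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

SWITCH_A_CONFIG = """\
#
sysname SwitchA
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
return
"""
SWITCH_B_CONFIG = SWITCH_A_CONFIG.replace("SwitchA", "SwitchB")
# Constructed error: '2 to 9' leaves VLAN 10 in the CIST instead of MSTI 1.
SWITCH_X_CONFIG = SWITCH_A_CONFIG.replace("SwitchA", "SwitchX").replace("2 to 10", "2 to 9")
CONFIGS = [SWITCH_A_CONFIG, SWITCH_B_CONFIG, SWITCH_X_CONFIG]

VLAN_RANGE = re.compile(r"(\d+)(?:\s+to\s+(\d+))?")


def parse_vlan_list(spec):
    """Expand a VRP VLAN list such as '2 to 10 15 20 to 22' into a set of VIDs."""
    vids = set()
    for start, end in VLAN_RANGE.findall(spec):
        lo = int(start)
        vids.update(range(lo, (int(end) if end else lo) + 1))
    return vids


def parse_region_config(config_text):
    """Return (sysname, region_name, revision, table) where table[vid] is the MSTID,
    read from the 'stp region-configuration' block of a configuration file."""
    sysname = region_name = None
    revision = 0            # VRP default when 'revision-level' is not configured
    table = [0] * 4096      # VID -> MSTID; unmapped VLANs stay in MSTI 0 (CIST)
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            sysname = line.split(None, 1)[1]
        elif line == "stp region-configuration":
            in_block = True
        elif in_block and line == "#":              # '#' closes the block
            in_block = False
        elif in_block and line.startswith("region-name "):
            region_name = line.split(None, 1)[1]
        elif in_block and line.startswith("revision-level "):
            revision = int(line.split()[1])
        elif in_block and line.startswith("instance "):
            _, mstid, _, vlan_spec = line.split(None, 3)
            for vid in parse_vlan_list(vlan_spec):
                table[vid] = int(mstid)
    return sysname, region_name, revision, table


def configuration_digest(table):
    """IEEE 802.1s MST Configuration Digest: HMAC-MD5 over the 4096-entry table of
    2-octet MSTIDs (VID 0..4095, network byte order), as carried in MST BPDUs."""
    payload = b"".join(mstid.to_bytes(2, "big") for mstid in table)
    return hmac.new(MST_DIGEST_KEY, payload, hashlib.md5).hexdigest().upper()


def region_identity(config_text):
    """The three values peer switches compare: region name, revision level, digest."""
    _, name, revision, table = parse_region_config(config_text)
    return name, revision, configuration_digest(table)


def region_mismatches(config_texts):
    """Sysnames of switches whose region identity differs from the first switch's."""
    reference = region_identity(config_texts[0])
    return [parse_region_config(text)[0] for text in config_texts[1:]
            if region_identity(text) != reference]


if __name__ == "__main__":
    for text in CONFIGS:
        sysname, name, revision, table = parse_region_config(text)
        print(f"{sysname}: region {name} revision {revision} digest {configuration_digest(table)}")
    print("not in the same region as SwitchA:", region_mismatches(CONFIGS))
```

A switch whose name, revision level or digest differs forms a region of its own, so the MSTI-based load balancing configured in the following steps does not extend to it.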
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE
– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
Step 2 Enable protection functions. For example, enable root protection on the designated
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.
# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is
blocked in MSTI 2 and is the designated port in MSTI 1.
# Run the display stp interface brief command on SwitchD. The following
information is displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is
blocked in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
Related Content
Videos
Configuring MSTP to Prevent Loops
Overview
When VRRP is deployed on a network, multiple devices transmit services
simultaneously. Each virtual device consists of one master and several backups. If
Configuration Notes
● The ports connected to terminals do not participate in MSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S2730S-S
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I, S5735S-H,
S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
In Figure 3-95, hosts connect to the network through SwitchC. SwitchC is dual-homed
to SwitchA and SwitchB and connects to the Internet. Redundant links are
deployed for access backup. The use of redundant links, however, may produce
loops, causing broadcast storms and rendering the MAC address table unstable.
It is required that network loops be prevented when redundant links are deployed,
traffic be switched to another link when one link is disconnected, and network
bandwidth be effectively used.
MSTP can be configured on the network. MSTP blocks redundant links and prunes
a network into a tree topology free from loops. VRRP can be configured on
SwitchA and SwitchB. HostA connects to the Internet with SwitchA as the default
gateway and SwitchB as the backup gateway; HostB connects to the Internet with
SwitchB as the default gateway and SwitchA as the backup gateway. This setting
implements reliability and traffic load balancing.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on switching devices of the ring network.
a. Configure an MST region, create multiple instances, and map VLAN 2 to
MSTI 1 and VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and secondary root bridge in each MST region.
c. Configure the path cost of a port in each MSTI so that the port can be
blocked.
d. Enable MSTP to prevent loops.
In this example, SwitchA and SwitchB need to support VRRP and OSPF. For details
about the models supporting VRRP and OSPF, see the documentation.
5. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create
MSTI 1 and MSTI 2.
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration //Enter the MST region view.
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration //Enter the MST region view.
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE
– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
Step 2 Enable protection functions. For example, enable root protection on the designated
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.
# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
In MSTI 1, GE1/0/2 and GE1/0/1 on SwitchA are designated ports because SwitchA is
the root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and GE1/0/2 is
the root port.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
In MSTI 2, GE1/0/1 and GE1/0/2 on SwitchB are designated ports because SwitchB is
the root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and GE1/0/2 is
the root port.
# Run the display stp interface brief command on SwitchC. The displayed
information is as follows:
[SwitchC] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/4 ALTE DISCARDING NONE
1 GigabitEthernet1/0/4 ALTE DISCARDING NONE
2 GigabitEthernet1/0/4 ROOT FORWARDING NONE
GE1/0/1 on SwitchC is the root port in MSTI 1 and is blocked in MSTI 2. GE1/0/4
on SwitchC is blocked in MSTI 1 and is the designated port in MSTI 2.
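The checks made by hand on the display stp brief output above can be automated. The following added Python example (not Huawei's code) parses that output for SwitchA, SwitchB and SwitchC as constructed from the rows shown on this page, takes the root bridge of each MSTI from the stp instance N root primary configuration, and reports deviations: a root port on a root bridge or a missing one elsewhere, a root bridge with no root-protected designated port, a root-protected port forced into Discarding (the symptom of a superior BPDU or of the root link failure described in the earlier NOTE), and the same port blocked in every MSTI, which would defeat the load balancing. The two *_DEGRADED outputs are constructed failure cases.

```python
"""Audit 'display stp brief' output against the MSTP design described above.

Added example, not Huawei's code. The outputs are constructed from the SwitchA,
SwitchB and SwitchC rows on this page; the *_DEGRADED ones are constructed failures."""
import re
from collections import defaultdict

HEADER = "MSTID  Port                        Role  STP State     Protection\n"
DISPLAY_STP_BRIEF = {
    "SwitchA": HEADER + """\
  0    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  0    GigabitEthernet1/0/2        DESI  FORWARDING    NONE
  1    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  1    GigabitEthernet1/0/2        DESI  FORWARDING    NONE
  2    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  2    GigabitEthernet1/0/2        ROOT  FORWARDING    NONE
""",
    "SwitchB": HEADER + """\
  0    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  0    GigabitEthernet1/0/2        ROOT  FORWARDING    NONE
  1    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  1    GigabitEthernet1/0/2        ROOT  FORWARDING    NONE
  2    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  2    GigabitEthernet1/0/2        DESI  FORWARDING    NONE
""",
    "SwitchC": HEADER + """\
  0    GigabitEthernet1/0/1        ROOT  FORWARDING    NONE
  1    GigabitEthernet1/0/1        ROOT  FORWARDING    NONE
  2    GigabitEthernet1/0/1        ALTE  DISCARDING    NONE
  0    GigabitEthernet1/0/4        ALTE  DISCARDING    NONE
  1    GigabitEthernet1/0/4        ALTE  DISCARDING    NONE
  2    GigabitEthernet1/0/4        ROOT  FORWARDING    NONE
""",
}
# Root bridge of each MSTI, from 'stp instance N root primary' in the configuration files.
ROOT_BRIDGES = {1: "SwitchA", 2: "SwitchB"}

# Constructed: SwitchC blocks GE1/0/4 in both MSTIs, so VLAN 2 and VLAN 3 share one uplink.
SWITCH_C_DEGRADED = HEADER + """\
  1    GigabitEthernet1/0/1        ROOT  FORWARDING    NONE
  1    GigabitEthernet1/0/4        ALTE  DISCARDING    NONE
  2    GigabitEthernet1/0/1        ROOT  FORWARDING    NONE
  2    GigabitEthernet1/0/4        ALTE  DISCARDING    NONE
"""
# Constructed: SwitchA's root-protected port was forced into Discarding, the symptom of
# a superior BPDU arriving on it or of the root/secondary-root link failing (see NOTE).
SWITCH_A_DEGRADED = HEADER + """\
  1    GigabitEthernet1/0/1        DESI  DISCARDING    ROOT
  1    GigabitEthernet1/0/2        DESI  FORWARDING    NONE
  2    GigabitEthernet1/0/1        DESI  FORWARDING    ROOT
  2    GigabitEthernet1/0/2        ROOT  FORWARDING    NONE
"""
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_stp_brief(output):
    """Rows of 'display stp brief' as (mstid, port, role, state, protection); header skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            mstid, port, role, state, prot = m.groups()
            rows.append((int(mstid), port, role, state, prot))
    return rows


def audit(outputs, root_bridges):
    """Return findings (empty list = clean): no root port on a root bridge, exactly one
    elsewhere, root protection on a designated port of each root bridge, no root-protected
    port stuck in Discarding, and different blocked ports per MSTI (load sharing)."""
    findings = []
    for switch, text in outputs.items():
        by_mstid = defaultdict(list)
        for mstid, port, role, state, prot in parse_stp_brief(text):
            if mstid != 0:  # the CIST (MSTI 0) is not examined, as the NOTE above says
                by_mstid[mstid].append((port, role, state, prot))
        blocked = []
        for mstid, ports in sorted(by_mstid.items()):
            is_root = root_bridges.get(mstid) == switch
            root_ports = [p for p, role, _, _ in ports if role == "ROOT"]
            if is_root and root_ports:
                findings.append(f"{switch} MSTI {mstid}: root bridge has root port(s) {root_ports}")
            elif not is_root and len(root_ports) != 1:
                findings.append(f"{switch} MSTI {mstid}: expected one root port, saw {root_ports}")
            if is_root and not any(r == "DESI" and pr == "ROOT" for _, r, _, pr in ports):
                findings.append(f"{switch} MSTI {mstid}: no designated port has root protection")
            for port, role, state, prot in ports:
                if prot == "ROOT" and state == "DISCARDING":
                    findings.append(f"{switch} MSTI {mstid}: {port} forced Discarding by root "
                                    "protection (superior BPDU received or root link down)")
            blocked.append(frozenset(p for p, _, s, _ in ports if s == "DISCARDING"))
        blocked = [b for b in blocked if b]
        if len(blocked) > 1 and len(set(blocked)) == 1:
            findings.append(f"{switch}: {sorted(blocked[0])} blocked in every MSTI, no load sharing")
    return findings


if __name__ == "__main__":
    print("page topology:", audit(DISPLAY_STP_BRIEF, ROOT_BRIDGES) or "clean")
    print("degraded SwitchC:", audit({"SwitchC": SWITCH_C_DEGRADED}, ROOT_BRIDGES))
    print("degraded SwitchA:", audit({"SwitchA": SWITCH_A_DEGRADED}, ROOT_BRIDGES))
```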
Step 5 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
For details, see the configuration files.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120 //Set the priority of VRRP group 2 to 120.
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 2
to 20s.
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
[SwitchA-Vlanif3] quit
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
# After the configuration is complete, run the display vrrp command on SwitchB.
The following output shows that SwitchB is the backup in VRRP group 1 and the
master in VRRP group 2.
[SwitchB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return
3.6.5.5 Example for Configuring a Single RRPP Ring with a Single Instance
Overview
In most situations, the ring network topology is applied to MANs and enterprise
networks to improve network reliability. When a fault occurs on a node or on a
link between nodes, data services are switched to the standby link to ensure
service continuity. However, broadcast storms may occur on a ring network.
Many protocols can prevent broadcast storms on ring networks. However, if a fault
occurs on a ring network, it takes time for the devices to switch data services to
the standby link. If the convergence time is too long, services are interrupted.
To shorten the convergence time and eliminate the impact of network scale on
convergence time, Huawei developed the Rapid Ring Protection Protocol (RRPP).
Compared with other Ethernet ring technologies, RRPP has the following
advantages:
● RRPP is suitable for networks composed of many network nodes because the
number of nodes does not affect convergence time.
● RRPP prevents broadcast storms caused by data loops when an Ethernet ring
is complete.
● When a link on an Ethernet ring network fails, the standby link can rapidly
restore the communication among the Ethernet ring network nodes.
Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
● This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-96, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and to implement
fast convergence to rapidly restore communication between nodes in the ring
when the ring fails. You can enable RRPP on SwitchA, SwitchB, and SwitchC to
meet this requirement.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an RRPP domain and its control VLAN.
2. Map VLANs from which data needs to pass through in the RRPP ring to
instance 1, including data VLANs 100 to 300 and control VLANs 20 and 21
(VLAN 21 is the sub-control VLAN generated by the device).
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and
configure SwitchA, SwitchB, and SwitchC as nodes in ring 1 in domain 1.
Configure SwitchA as the master node in ring 1 and configure SwitchB and
SwitchC as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit
Step 2 Map instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300 //Add the major control VLAN, sub-control VLAN, and data VLANs to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces,
configure the interfaces to allow VLANs 100 to 300 to pass through, and disable
STP on the interfaces.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] rrpp enable
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration. The display on
SwitchA is used as an example.
# Run the display rrpp brief command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
Relevant Information
Video
Configure RRPP
Overview
Generally, a metro Ethernet network uses two-layer rings:
● One layer is the aggregation layer between aggregation devices PE-AGGs, for
example, RRPP domain 1 in Figure 3-97.
● The other layer is the access layer between PE-AGGs and UPEs, for example,
RRPP domain 2 and RRPP domain 3 in Figure 3-97.
In Figure 3-97, intersecting RRPP rings can be used. RRPP rings are configured at
aggregation and access layers, and the two layers are connected through tangent
RRPP rings.
Two tangent rings cannot belong to the same RRPP domain. The tangent node, which
the two rings share, belongs to both RRPP domains, and a master node may be
located at the tangent point.
When there are multiple tangent RRPP rings, a fault on one ring does not affect
the other domains, and the RRPP rings in a domain converge in the same way as a
single ring.
Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
● This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-97, the network is required to prevent loops when the ring is complete
and to implement fast convergence to rapidly restore communication between
nodes in the ring when the ring fails. RRPP can meet this requirement. RRPP
supports multiple rings. You can configure RRPP rings at the aggregation and
access layers. The two rings are tangent, simplifying the network configuration.
SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE in Figure 3-98 correspond to
UPE1, UPE2, PE-AGG3, PE-AGG2, and PE-AGG1 in Figure 3-97, respectively. Figure
3-98 is used as an example to describe how to configure tangent RRPP rings with
a single instance.
Configuration Roadmap
The configuration roadmap is as follows:
1. Map the VLANs that must pass through ring 1 (its data VLANs and control
VLANs) to instance 1, and the VLANs that must pass through ring 2 (its data
VLANs and control VLANs) to instance 2. These instances are referenced when
the protected VLANs are configured.
2. Create the RRPP domains and their control VLANs, and configure the protected
VLANs that the RRPP rings will use.
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. Create RRPP rings in RRPP domains.
a. Configure SwitchA, SwitchB, and SwitchC to be in ring 2 of RRPP domain
2.
b. Configure SwitchC, SwitchD, and SwitchE to be in ring 1 of RRPP domain
1.
c. Configure SwitchA as the master node in ring 2, and configure SwitchB
and SwitchC as transit nodes in ring 2.
d. Configure SwitchE as the master node in ring 1, and configure SwitchC
and SwitchD as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.
Procedure
Step 1 Configure instance 2 and map it to the data VLANs and control VLANs allowed by
the RRPP interface.
Step 2 Create RRPP domains and configure control VLANs and protected VLANs of the
RRPP domains.
# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and
SwitchD are similar to the configuration of SwitchE, and are not mentioned here.
For details, see the configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchE-rrpp-domain-region1] quit
Step 3 Configure the interfaces to be added to RRPP rings as trunk interfaces and disable
STP on the interfaces.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and
SwitchE are similar to the configuration of SwitchA, and are not mentioned here.
For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
# Configure SwitchC as a transit node in ring 1 and specify the primary and
secondary interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
# Configure SwitchD as a transit node in ring 1 and specify the primary and
secondary interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring  Ring   Node  Primary/Common        Secondary/Edge        Is
ID    Level  Mode  Port                  Port                  Enabled
----------------------------------------------------------------------------
1     0      T     GigabitEthernet1/0/1  GigabitEthernet1/0/2  Yes
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring  Ring   Node  Primary/Common        Secondary/Edge        Is
ID    Level  Mode  Port                  Port                  Enabled
----------------------------------------------------------------------------
2     0      T     GigabitEthernet2/0/1  GigabitEthernet2/0/2  Yes
RRPP Ring :1
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: UP
RRPP Ring :2
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP
----End
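The single-ring and tangent-ring examples above rely on the same rules: STP disabled on every ring port, the control VLAN and its sub-control VLAN (ID + 1) mapped into the protected instance, and each ring port's trunk carrying all VLANs of that instance. As an added check that is not Huawei's code and not part of this guide, the following Python script reads a configuration file in the format shown above and reports where those rules are broken; it handles several rrpp domains in one file, as on the tangent node SwitchC. The parser is a simplified model of the configuration-file format and the sample configuration is constructed.

```python
"""Check a Huawei VRP-style configuration against the RRPP rules stated in this
guide: STP disabled on every ring port, the control VLAN and its implicit
sub-control VLAN (ID + 1) mapped into the protected instance, and each ring
port's trunk carrying all VLANs of that instance. Added example, not Huawei
code: the parser is a simplified model of the configuration-file format and
the sample configuration (a transit node with two deliberate errors) is constructed."""
import re

def parse_vlans(text):
    """Expand a VRP VLAN list such as '20 to 21 100 to 300' into a set of ints."""
    vlans = set()
    for m in re.finditer(r"(\d+)(?: to (\d+))?", text):
        vlans.update(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1))
    return vlans

def parse_config(text):
    """Collect the stanzas the RRPP rules refer to; '#' separates VRP blocks."""
    cfg = {"instances": {}, "domains": {}, "interfaces": {}}
    ctx = None  # the stanza the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            ctx = None
        elif line.startswith("rrpp domain "):
            ctx = cfg["domains"].setdefault(
                int(line.split()[2]), {"control": None, "instance": None, "ports": []})
        elif line.startswith("interface "):
            ctx = cfg["interfaces"].setdefault(
                line.split()[1], {"trunk": False, "allow": set(), "stp_off": False})
        elif line == "stp region-configuration":
            ctx = cfg["instances"]
        elif ctx is cfg["instances"]:
            m = re.match(r"instance (\d+) vlan (.+)", line)
            if m:
                ctx[int(m.group(1))] = parse_vlans(m.group(2))
        elif isinstance(ctx, dict) and "control" in ctx:  # inside an rrpp domain
            if line.startswith("control-vlan "):
                ctx["control"] = int(line.split()[1])
            elif line.startswith("protected-vlan reference-instance "):
                ctx["instance"] = int(line.split()[2])
            elif line.startswith("ring ") and "node-mode" in line:
                ctx["ports"] += re.findall(r"(?:primary|secondary)-port (\S+)", line)
        elif isinstance(ctx, dict) and "trunk" in ctx:  # inside an interface
            if line == "port link-type trunk":
                ctx["trunk"] = True
            elif line.startswith("port trunk allow-pass vlan "):
                ctx["allow"] |= parse_vlans(line.split("vlan ", 1)[1])
            elif line == "stp disable":
                ctx["stp_off"] = True
    return cfg

def lint_rrpp(text):
    """Return human-readable findings; an empty list means every rule holds."""
    cfg, findings = parse_config(text), []
    for dom, d in sorted(cfg["domains"].items()):
        if d["control"] is None:
            findings.append(f"domain {dom}: no control-vlan configured")
            continue
        control = {d["control"], d["control"] + 1}  # major + sub-control VLAN
        inst = cfg["instances"].get(d["instance"], set())
        if control - inst:
            findings.append(f"domain {dom}: instance {d['instance']} lacks control VLAN(s) {sorted(control - inst)}")
        for port in d["ports"]:
            i = cfg["interfaces"].get(port)
            if i is None:
                findings.append(f"domain {dom}: ring port {port} is not configured")
                continue
            if not i["trunk"]:
                findings.append(f"{port}: RRPP ring port is not a trunk")
            if not i["stp_off"]:
                findings.append(f"{port}: STP must be disabled on an RRPP ring port")
            missing = (control | inst) - i["allow"]
            if missing:
                findings.append(f"{port}: trunk does not carry VLAN(s) {sorted(missing)}")
    return findings

# Constructed sample: instance 2 omits sub-control VLAN 21 and GE2/0/2 keeps STP on.
SAMPLE_CONFIG = """\
stp region-configuration
instance 2 vlan 20 100 to 300
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
port trunk allow-pass vlan 20 to 21 100 to 300
"""

if __name__ == "__main__":
    print("\n".join(lint_rrpp(SAMPLE_CONFIG)) or "no findings")
```

Running it on the SwitchA to SwitchE configuration files above produces no findings; the constructed sample reports the missing VLAN 21 and the ring port that still runs STP.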
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 to 11 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
Relevant Information
Video
Configure RRPP
Overview
RRPP snooping notifies a VPLS network of changes in an RRPP ring. After RRPP
snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can
transparently transmit RRPP packets, detect changes in the RRPP ring, and update
forwarding entries. This ensures that traffic can be rapidly switched to a non-
blocking path.
In Figure 3-99, UPEs constitute an RRPP ring and connect to the VPLS network
where NPEs are located. NPEs are connected through a PW, so they cannot serve
as RRPP nodes to respond to RRPP packets. As a result, the VPLS network cannot
detect changes to the RRPP ring status. When the RRPP ring topology changes,
each node on the VPLS network keeps forwarding downstream data according to the
MAC address table learned before the topology change. Consequently, the
downstream traffic cannot be forwarded.
You can enable RRPP snooping on the sub-interface or VLANIF interface of NPED
and associate the interface with VSIs on the local device. When the RRPP ring is
faulty, NPED on the VPLS network deletes forwarding entries of VSIs (including
the associated VSIs) on the local node and forwarding entries of NPEB to re-learn
forwarding entries. This ensures that traffic can be switched to a normal path and
downstream traffic can be properly forwarded.
Configuration Notes
● RRPP and RRPP snooping cannot be configured on the same interface.
● SA series cards, and XGE interfaces connected to ET1D2IPS0S00,
ET1D2FW00S00, ET1D2FW00S01, ET1D2FW00S02, and ACU2 cards, do not
support RRPP snooping. In versions earlier than V200R007C00, X1E series cards
do not support RRPP snooping.
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731S-H, S5731-S, S5731S-S, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730S-S, S6730-H, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
Relevant Information
Video
Configure RRPP
Networking Requirements
In Figure 3-100, SwitchA, SwitchB, SwitchC, and SwitchD constitute an RRPP ring.
The network is required to prevent loops when the ring is complete and to
implement fast convergence to rapidly restore communication between nodes in
the ring when the ring fails. The VPLS network can transparently transmit RRPP
packets, detect RRPP ring status changes, and update forwarding entries so that
traffic can be rapidly switched to a normal path according to the ring status.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPLS network.
2. Configure an RRPP ring to prevent loops and implement fast convergence
when a device fails.
3. Enable RRPP snooping so that the VPLS network can transparently transmit
RRPP packets and detect RRPP ring status change.
4. Associate interfaces with VSIs so that SwitchC and SwitchD on the VPLS
network can delete the MAC address tables of their VSIs when a fault occurs
on the RRPP ring network.
NOTE
Procedure
Step 1 Configure VPLS. SwitchC is used as an example. The configuration of SwitchD is
similar to the configuration of SwitchC, and is not mentioned here. For details, see
the configuration files.
NOTE
# Configure SwitchB as a transit node in ring 1 (major ring) and specify the
primary and secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active : Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED
The preceding information shows that VSI 20 and VLAN 20 are associated
with GE2/0/0.20.
# Check information about other VSIs associated with GE2/0/0.20 on SwitchC.
[SwitchC] display rrpp snooping vsi interface gigabitethernet 2/0/0.20
Port VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI10
GigabitEthernet2/0/0.20 VSI20
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
rrpp snooping enable
rrpp snooping vsi VSI10
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
rrpp snooping enable
rrpp snooping vsi VSI10
#
return
Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
communication services may be interrupted. To block redundant links and ensure
that they can be restored immediately to resume communication when a link fault
occurs on a ring network, you can deploy SEP and MSTP on the ring network.
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
Company A needs to deploy multiple Layer 2 access devices. In Figure 3-101,
Layer 2 switching devices form a ring at the access layer, and Layer 3 devices form
a ring at the aggregation layer. The aggregation layer uses MSTP to eliminate
redundant links. Company A requires that services be rapidly switched to prevent
traffic interruption when a link at the access layer fails.
You can deploy multiple Layer 2 devices in a ring and configure SEP to meet the
following requirements of company A:
● When there is no faulty link on the ring network, SEP can eliminate loops.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network. After receiving a
topology change notification from a lower-layer network, a device on an
upper-layer network sends a TC packet to instruct other devices to delete
original MAC addresses and learn new MAC addresses. This ensures nonstop
traffic forwarding.
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on
edge devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1
and LSW2 connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located,
specify the interface in the middle of the SEP segment as the interface to
block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-
layer network running MSTP can be notified of topology changes in the
SEP segment.
2. Configure basic MSTP functions.
a. Add PE1 to PE4, LSW1, and LSW2 to the MST region RG1.
b. Create VLANs on PE1 to PE4, LSW1, and LSW2 and add interfaces on the
STP ring to the VLANs.
c. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 in the view of GE 1/0/1 interface of NPE2, and allow
NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE and LSW1 to LSW3.
NOTE
PE1 and PE2 are aggregation switches, PE3 is the root bridge, PE4 is the secondary root bridge,
LSWs are access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
# Configure access switch LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
NOTE
– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add access switch LSW1 to LSW3 to SEP segment 1 and configure interface
roles.
NOTE
# Set the priority of aggregation switch PE4 to 4096 in MSTI 0 to ensure that
aggregation switch PE4 functions as the secondary root bridge.
[PE4] stp root secondary
Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.
# Enable BFD on NPE2 and configure a BFD session between NPE1 and NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD session to monitor the link of the VRRP group.
[NPE2-bfd-session-npe1] discriminator local 2
[NPE2-bfd-session-npe1] discriminator remote 1
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit
# After completing the configuration, run the display bfd session all command
on NPE1 and NPE2. The command output shows that the BFD session between NPE1
and NPE2 is set up and its status is Up.
Use the display on NPE1 as an example.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr   State  Type     InterfaceName
--------------------------------------------------------------------------------
1      2       224.0.0.184  Up     S_IP_IF  GigabitEthernet1/0/1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
[NPE2-bfd-session-npe1] process-interface-status sub-if
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit
After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
Use the display on NPE1 as an example.
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0
Step 6 Configure the Layer 2 forwarding function on the user-side switch CE and access
switch LSW1 to LSW3.
The configuration details are not mentioned here. For details, see configuration
files in this example.
Step 7 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
● Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and then
run the display sep interface command on LSW3 to check whether GE1/0/2 on
LSW3 changes from the discarding state to the forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface  Port Role  Neighbor Status  Port Status
----------------------------------------------------------------
GE1/0/2    common     up               forwarding
● Run the shutdown command on GE 1/0/1.1 on NPE1 to simulate an interface
fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from backup to master.
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0
----End
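The display vrrp outputs above (NPE1 as Master before the fault, NPE2 as Master after it) are checked by eye in this procedure. As an added example that is not Huawei's code and not part of this guide, the following Python script parses that output from both nodes and flags the inconsistencies an operator would want to catch: two Masters at once, a Backup with a higher priority and preemption enabled that has not taken over, nodes that disagree on the Master IP, and a virtual MAC that is not the one VRRP derives from the VRID (00-00-5E-00-01-VRID for IPv4, which is why VRID 1 shows 0000-5e00-0101). The two outputs it runs on are constructed and abbreviated to the fields it reads.

```python
"""Check the 'display vrrp' output collected on NPE1 and NPE2 in this example:
exactly one node is Master, no Backup with a higher running priority and
preemption enabled is left waiting, every node reports the same Master IP, and
the virtual MAC is the one VRRP derives from the VRID (0000-5e00-01xx, xx = VRID
in hex). Added example, not Huawei code; the parser covers only the fields shown
above and the two outputs below are constructed (NPE1 Master, NPE2 Backup)."""
import re

FIELDS = ("State", "Virtual IP", "Master IP", "PriorityRun", "Preempt",
          "Delay Time", "Virtual Mac")


def parse_display_vrrp(text):
    """Return the interface, VRID and FIELDS of one group in 'display vrrp' output."""
    head = re.search(r"^(\S+) \| Virtual Router (\d+)", text, re.M)
    if head is None:
        raise ValueError("no VRRP group found in output")
    info = {"interface": head.group(1), "vrid": int(head.group(2))}
    for key in FIELDS:
        m = re.search(rf"{re.escape(key)} : (\S+)", text)
        info[key] = m.group(1) if m else None
    return info


def expected_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-<VRID>, in the form VRP prints it."""
    return f"0000-5e00-01{vrid:02x}"


def check_vrrp_group(outputs):
    """outputs maps node name -> 'display vrrp' text; returns a list of findings."""
    groups = {node: parse_display_vrrp(txt) for node, txt in outputs.items()}
    findings = []
    masters = [n for n, g in groups.items() if g["State"] == "Master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one Master, found {masters or 'none'}")
    if len({(g["vrid"], g["Virtual IP"]) for g in groups.values()}) != 1:
        findings.append("nodes disagree on VRID or virtual IP")
    if len({g["Master IP"] for g in groups.values()}) != 1:
        findings.append("nodes disagree on which IP address is the Master")
    for node in masters:
        mp = int(groups[node]["PriorityRun"])
        for other, g in groups.items():
            # A higher-priority node with preemption on should have taken over.
            if other != node and int(g["PriorityRun"]) > mp and g["Preempt"] == "YES":
                findings.append(f"{other} (priority {g['PriorityRun']}, preempt on) "
                                f"should have preempted {node} (priority {mp})")
    for node, g in groups.items():
        want = expected_virtual_mac(g["vrid"])
        if g["Virtual Mac"] != want:
            findings.append(f"{node}: virtual MAC {g['Virtual Mac']} is not {want}")
    return findings


# Constructed outputs, abbreviated to the fields used: NPE1 (priority 120) is
# Master and NPE2 (default priority 100) is Backup, as the guide expects.
NPE1_OUT = """\
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
Preempt : YES Delay Time : 10
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
"""
NPE2_OUT = """\
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 100
Preempt : YES Delay Time : 0
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
"""

if __name__ == "__main__":
    print(check_vrrp_group({"NPE1": NPE1_OUT, "NPE2": NPE2_OUT}) or "group is consistent")
```

After the simulated fault only NPE2's output is available; passing that single output reports nothing, since NPE2 is then the sole Master.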
Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
● LSW2 configuration file
#
sysname LSW2
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor secondary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
● LSW3 configuration file
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE3 configuration file
#
sysname PE3
#
vlan batch 100
#
stp instance 0 root primary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
● PE4 configuration file
#
sysname PE4
#
vlan batch 100
#
stp instance 0 root secondary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
● NPE1 configuration file
#
sysname NPE1
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0
● CE configuration file
#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
Configuration Notes
This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-102, Layer 2 switching devices at access and aggregation layers
constitute a ring network and connect to the core layer. The aggregation layer
uses RRPP to eliminate redundant links, and the access layer uses SEP.
● When there is no faulty link on the ring network, SEP can eliminate loops on
the Ethernet network.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network.
After receiving a topology change notification from a lower-layer network, a
device on an upper-layer network sends a TC packet to instruct other devices
to delete original MAC addresses and learn new MAC addresses. This ensures
nonstop traffic forwarding.
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure
VLAN 10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. On the device where the primary edge interface is located, specify the
mode in which an interface is blocked.
d. Configure a SEP preemption mode to ensure that the specified blocked
interface takes effect when the fault is rectified.
e. Configure the topology change notification function so that the upper-
layer network running RRPP can be notified of topology changes in the
SEP segment.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN
on PE1 to PE4, and configure the protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on
the major ring, and configure primary and secondary interfaces of the
master node.
c. Create VLANs on PE1 to PE4 and add interfaces on the RRPP ring to the
VLANs.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 in the view of GE 1/0/1 interface of NPE2, and allow
NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.
NOTE
PEs are aggregation switches, LSWs are access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 and configure VLAN 10 as the control VLAN of SEP
segment 1.
# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1 //Create SEP segment 1.
[PE1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
NOTE
– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add aggregation switch PE1, aggregation switch PE2, and access switch LSW1
to LSW3 to SEP segment 1 and configure interface roles.
NOTE
After the configuration is complete, run the display sep topology command
on aggregation switch PE1 to check the topology of the SEP segment. The
command output shows that the blocked interface is one of the two
interfaces on the link that last completes neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8
After the configuration is complete, perform the following operations to verify the
configuration. Aggregation switch PE1 is used as an example.
● Run the display sep topology command on aggregation switch PE1 to check
the topology of the SEP segment.
The command output shows that GE1/0/2 of access switch LSW3 is in
discarding state and other interfaces are in forwarding state.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary forwarding 8
● Run the display sep interface verbose command on aggregation switch PE1
to check detailed information about interfaces in the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
[PE1-mst-region] quit
[PE1] rrpp domain 1 //Create RRPP domain 1.
[PE1-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE2.
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE2-mst-region] active region-configuration //Activate MST region configuration.
[PE2-mst-region] quit
[PE2] rrpp domain 1 //Create RRPP domain 1.
[PE2-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE3.
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE3-mst-region] active region-configuration //Activate MST region configuration.
[PE3-mst-region] quit
[PE3] rrpp domain 1 //Create RRPP domain 1.
[PE3-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE4.
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE4-mst-region] active region-configuration //Activate MST region configuration.
[PE4-mst-region] quit
[PE4] rrpp domain 1 //Create RRPP domain 1.
[PE4-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE4-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
NOTE
The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration file
after the control VLAN is created.
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On aggregation switch PE1, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
# On aggregation switch PE2, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.
After the configuration is complete, run the display rrpp brief or display rrpp
verbose domain command. Aggregation switch PE1 is used as an example.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in RRPP
domain 1. VLANs mapping Instance1 are protected VLANs. Aggregation switch
PE1 is the master node in Complete state. The primary interface is GE1/0/2 and
the secondary interface is GE1/0/3.
Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.
# Configure aggregation switch PE3.
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/3] port link-type trunk
[PE3-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[PE3-GigabitEthernet1/0/3] quit
# Enable BFD on NPE2 and configure a BFD session between NPE1 and NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD session to monitor the link of the VRRP group.
[NPE2-bfd-session-npe1] discriminator local 2
[NPE2-bfd-session-npe1] discriminator remote 1
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit
# After completing the configuration, run the display bfd session all command on
NPE1 and NPE2. The command output shows that the BFD session is set up
between NPE1 and NPE2 and its status is Up.
Use the display on NPE1 as an example.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 224.0.0.184 Up S_IP_IF GigabitEthernet1/0/1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
[NPE2-bfd-session-npe1] process-interface-status sub-if
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit
After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
Use the display on NPE1 as an example.
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Step 6 Configure Layer 2 forwarding on the user-side switch CE, access switch LSW1 to
LSW3, and aggregation switch PE1 to PE4.
The configuration details are not mentioned here. For details, see configuration
files in this example.
Step 7 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
● # Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and
then run the display sep interface command on LSW3 to check whether
GE1/0/2 on LSW3 changes from the discarding state to the forwarding state.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
● Run the shutdown command on GE 1/0/1.1 on NPE1 to simulate an interface
fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from backup to master.
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
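The checks in Step 7, together with the SEP topology check in Step 1 (a healthy segment blocks exactly one port), can be run against captured command output instead of being read by eye. The following Python script is an added example and is not part of this guide or of the switch software. It parses display sep topology and display vrrp output shaped like the output in this example (the sample text below is constructed), reports whether a closed segment has exactly one discarding port and contiguous hop numbers, whether the VRRP state matches the role the device should hold, and whether the running priority still matches the configured one (a tracked BFD session going down changes it). It also reports, as an informational finding, that the authentication type is NONE.

```python
import re

# Constructed samples, shaped like the display output in this example: the topology of a
# healthy (closed) SEP segment and the VRRP state of NPE1.
SEP_TOPOLOGY = """\
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary forwarding 8
"""

VRRP_NPE1 = """\
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
"""

# One topology row: system name, port, role, status, hop count.
SEP_ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(primary|secondary|common)\s+(forwarding|discarding)\s+(\d+)\s*$",
    re.M)


def parse_sep_topology(text):
    """Return the topology rows as dicts, ordered by hop."""
    rows = [dict(system=s, port=p, role=r, status=st, hop=int(h))
            for s, p, r, st, h in SEP_ROW.findall(text)]
    return sorted(rows, key=lambda r: r["hop"])


def check_sep_topology(text, ring_closed=True):
    """Return (rows, issues). A closed ring must block exactly one port; an open ring
    (a link has failed) must block none, because SEP unblocks it to restore traffic."""
    rows = parse_sep_topology(text)
    issues = []
    if not rows:
        return rows, ["no topology rows found in the output"]
    if [r["hop"] for r in rows] != list(range(1, len(rows) + 1)):
        issues.append("hop numbers are not contiguous; the segment is incomplete")
    roles = [r["role"] for r in rows]
    if roles.count("primary") != 1 or roles.count("secondary") != 1:
        issues.append("expected exactly one primary and one secondary edge port")
    blocked = [f"{r['system']} {r['port']}" for r in rows if r["status"] == "discarding"]
    if ring_closed and len(blocked) != 1:
        issues.append(f"closed ring must have exactly one discarding port, found {blocked}")
    if not ring_closed and blocked:
        issues.append(f"ring is open but ports are still discarding: {blocked}")
    return rows, issues


def parse_vrrp(text):
    """Parse the 'Field : value' pairs of display vrrp, including the two on the Preempt line."""
    fields = {}
    m = re.search(r"^(\S+)\s*\|\s*Virtual Router (\d+)", text, re.M)
    if m:
        fields["Interface"], fields["VRID"] = m.group(1), int(m.group(2))
    for key, val in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", text):
        fields[key.strip()] = val
    return fields


def check_vrrp(text, expect_state):
    """Return (fields, issues) for one VRRP group against the role it should hold."""
    f = parse_vrrp(text)
    issues = []
    if f.get("State") != expect_state:
        issues.append(f"state is {f.get('State')}, expected {expect_state}")
    if f.get("PriorityRun") != f.get("PriorityConfig"):
        # A tracked BFD session or interface going down lowers the running priority.
        issues.append(f"running priority {f.get('PriorityRun')} differs from "
                      f"configured {f.get('PriorityConfig')}")
    if f.get("Auth Type", "NONE").upper() == "NONE":
        issues.append("informational: VRRP authentication type is NONE")
    return f, issues


if __name__ == "__main__":
    open_ring = SEP_TOPOLOGY.replace("discarding", "forwarding")  # constructed post-fault view
    print("closed ring:", check_sep_topology(SEP_TOPOLOGY, True)[1] or "OK")
    print("open ring:", check_sep_topology(open_ring, False)[1] or "OK")
    print("NPE1 as Master:", check_vrrp(VRRP_NPE1, "Master")[1])
```

For the fault test in Step 7, run check_vrrp on the NPE2 output with "Master" as the expected state and on the NPE1 output with "Backup" (or, when GE1/0/1.1 is shut down, expect no group on NPE1 at all); check_sep_topology with ring_closed=False confirms that the formerly blocked port has opened.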
----End
Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge secondary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
#
return
● PE4 configuration file
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
stp disable
#
return
● NPE1 configuration file
#
sysname NPE1
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10
vrrp vrid 1 track bfd-session 1 peer
#
bfd npe2 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 1
discriminator remote 2
process-interface-status sub-if
commit
#
return
● NPE2 configuration file
#
sysname NPE2
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 track bfd-session 2 peer
#
bfd npe1 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 2
discriminator remote 1
process-interface-status sub-if
commit
#
return
● CE configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return
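The notes in Step 1 and Step 2 (a control VLAN must not be used for anything else, and an interface is added to the control VLAN automatically when it joins the SEP segment or RRPP domain) and the stp disable command on every ring port can be checked offline against a saved configuration file. The following Python script is an added example and is not part of this guide or of the switch software. It splits a configuration file in the format shown above (the PE1 file from this example is reproduced inline as sample input) into its #-separated blocks and reports ring ports without stp disable and control VLANs allowed on ports that are not ring members. The sub-control VLAN is taken as the major control VLAN plus one, as the display rrpp brief output in Step 2 shows (major 5, sub 6). SEP edge ports are exempt from the stp disable check because they may keep STP running to pass topology changes to an upstream STP network, as LSW1 and LSW2 do in the preceding SEP example.

```python
import re

# The PE1 configuration file from this example, reproduced inline as sample input.
PE1_CONFIG = """\
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
"""


def split_blocks(config):
    """Split a VRP-style configuration file into its '#'-separated command blocks."""
    blocks, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def parse_vlan_list(tokens):
    """Expand a VLAN list such as ['5', 'to', '6', '100'] into {5, 6, 100}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(config):
    """Extract SEP/RRPP control VLANs, RRPP ring ports and per-interface settings."""
    model = {"interfaces": {}, "sep_control": {}, "rrpp_control": {}, "rrpp_ports": set()}
    for block in split_blocks(config):
        head, body = block[0], block[1:]
        if head.startswith("sep segment"):
            seg = int(head.split()[2])
            for line in body:
                if line.startswith("control-vlan"):
                    model["sep_control"][seg] = int(line.split()[1])
        elif head.startswith("rrpp domain"):
            dom = int(head.split()[2])
            for line in body:
                if line.startswith("control-vlan"):
                    major = int(line.split()[1])
                    # Sub-control VLAN is major + 1 (display rrpp brief: major 5 sub 6).
                    model["rrpp_control"][dom] = {major, major + 1}
                m = re.search(r"primary-port (\S+ \S+) secondary-port (\S+ \S+)", line)
                if m:
                    model["rrpp_ports"].update(p.replace(" ", "") for p in m.groups())
        elif head.startswith("interface "):
            name = head.split(None, 1)[1]
            iface = {"vlans": set(), "stp_disabled": False, "sep_segment": None, "sep_edge": False}
            for line in body:
                t = line.split()
                if t[:4] in (["port", "trunk", "allow-pass", "vlan"], ["port", "hybrid", "tagged", "vlan"]):
                    iface["vlans"] |= parse_vlan_list(t[4:])
                elif line == "stp disable":
                    iface["stp_disabled"] = True
                elif t[:2] == ["sep", "segment"]:
                    iface["sep_segment"], iface["sep_edge"] = int(t[2]), "edge" in t
            model["interfaces"][name] = iface
    return model


def audit(config):
    """Return findings: ring ports without 'stp disable', control VLANs on non-ring ports."""
    m = parse_config(config)
    sep_cvs = set(m["sep_control"].values())
    rrpp_cvs = set()
    for vlans in m["rrpp_control"].values():
        rrpp_cvs |= vlans
    findings = []
    for name, i in m["interfaces"].items():
        is_sep, is_rrpp = i["sep_segment"] is not None, name in m["rrpp_ports"]
        # SEP edge ports are exempt: they may keep STP to pass topology changes upstream.
        if ((is_sep and not i["sep_edge"]) or is_rrpp) and not i["stp_disabled"]:
            findings.append(f"{name}: ring port without 'stp disable'")
        if not is_sep and i["vlans"] & sep_cvs:
            findings.append(f"{name}: SEP control VLAN {sorted(i['vlans'] & sep_cvs)} allowed on a non-SEP port")
        if not is_rrpp and i["vlans"] & rrpp_cvs:
            findings.append(f"{name}: RRPP control VLAN {sorted(i['vlans'] & rrpp_cvs)} allowed on a non-ring port")
    return findings


# Constructed faulty variant: GE1/0/2 loses 'stp disable' and also carries SEP control VLAN 10.
BAD_CONFIG = PE1_CONFIG.replace(
    "port trunk allow-pass vlan 5 to 6 100\nstp disable\n#\ninterface GigabitEthernet1/0/3",
    "port trunk allow-pass vlan 5 to 6 10 100\n#\ninterface GigabitEthernet1/0/3")

if __name__ == "__main__":
    print("PE1:", audit(PE1_CONFIG) or "no findings")
    print("bad:", audit(BAD_CONFIG))
```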
Overview
VLAN-based Spanning Tree (VBST) constructs a spanning tree in each VLAN so
that traffic from different VLANs can be forwarded through different spanning
trees. VBST is a Huawei proprietary protocol that is equivalent to the Spanning Tree
Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) running in each VLAN.
Spanning trees in different VLANs are independent of each other.
Currently, the three standard spanning tree protocols are STP, RSTP, and Multiple
Spanning Tree Protocol (MSTP). STP and RSTP cannot implement VLAN-based
load balancing, because all the VLANs on a LAN share a spanning tree and
packets in all VLANs are forwarded along this spanning tree. In addition, the
blocked link does not carry any traffic, which wastes bandwidth and may prevent
some VLANs from forwarding packets. MSTP is generally preferred because it is
compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and
maintain, whereas the configuration of MSTP multi-instance and multi-process is
complex and requires in-depth knowledge.
To address this issue, Huawei developed VBST. VBST constructs a spanning tree in
each VLAN so that traffic from different VLANs is load balanced along different
spanning trees. In addition, VBST is easy to configure and maintain.
Configuration Notes
This example applies to all models of V200R005C00 and later versions.
When configuring VBST on the switch, pay attention to the following points:
● When HVRP is enabled on a modular switch, do not change the STP mode to
VBST.
● When VBST is enabled on a ring network, VBST immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect
spanning tree calculation, and changes of these parameters may cause
network flapping. To ensure fast and stable spanning tree calculation, perform
basic configurations on the switch and interfaces before enabling VBST.
● If the protected instance has been configured in a SEP segment or ERPS ring
but the mapping between protected instances and VLANs is not configured,
VBST cannot be enabled.
● VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS,
RRPP, SEP, or Smart Link.
● If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the
switch, you must delete the mapping before changing the STP working mode
to VBST.
● If stp vpls-subinterface enable has been configured on the switch, you must
run the undo stp vpls-subinterface enable command on the interface before
changing the STP working mode to VBST.
● If the device has been configured as the root bridge or secondary root bridge,
run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to
disable the root bridge or secondary root bridge function and run the stp vlan
{ vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority command to change the
device priority.
● When the number of MSTIs that are dynamically specified exceeds the
number of protected VLANs, STP is disabled in a created VLAN in the
configuration file, for example, stp vlan 100 disable.
● To prevent frequent network flapping, ensure that the values of Hello time,
Forward Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) >= Max Age
– Max Age >= 2 x (Hello Time + 1.0 second)
● It is recommended that fast convergence in normal mode be used. If the fast
mode is used, frequently deleting ARP entries may result in 100% CPU usage
of the MPU and LPU. As a result, packet processing times out and network
flapping occurs.
● After all ports are configured as edge ports and BPDU filter ports in the
system view, none of ports on the switch send BPDUs or negotiate the VBST
status with directly connected ports on the peer device. All ports are in
forwarding state. This may cause loops on the network, leading to broadcast
storms. Exercise caution when you configure a port as an edge port and BPDU
filter port.
● After a port is configured as an edge port and BPDU filter port in the
interface view, the port does not process or send BPDUs. The port cannot
negotiate the VBST status with the directly connected port on the peer device.
Exercise caution when you configure a port as an edge port and BPDU filter
port.
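The two timer formulas in the notes above can be checked before a timer is changed. The following Python functions are an added example and not part of this guide or of the switch software: the first reports which formula a given Hello Time, Forward Delay and Max Age violate, and the second computes the smallest whole-second Max Age and Forward Delay that satisfy both formulas for a given Hello Time (the IEEE default values of 2 s, 15 s and 20 s satisfy both).

```python
import math


def vbst_timer_violations(hello, forward_delay, max_age):
    """Return the list of violated constraints (empty when the timers are consistent).
    All values are in seconds, as in the two formulas of the configuration notes."""
    violations = []
    # Constraint 1: 2 x (Forward Delay - 1.0 second) >= Max Age
    if 2 * (forward_delay - 1.0) < max_age:
        violations.append(f"2 x (Forward Delay {forward_delay} - 1) = "
                          f"{2 * (forward_delay - 1.0):g} < Max Age {max_age}")
    # Constraint 2: Max Age >= 2 x (Hello Time + 1.0 second)
    if max_age < 2 * (hello + 1.0):
        violations.append(f"Max Age {max_age} < 2 x (Hello Time {hello} + 1) = "
                          f"{2 * (hello + 1.0):g}")
    return violations


def minimum_timers(hello):
    """Smallest whole-second (Max Age, Forward Delay) satisfying both formulas for a Hello Time.
    Max Age follows from constraint 2; Forward Delay then follows from constraint 1."""
    max_age = math.ceil(2 * (hello + 1.0))
    forward_delay = math.ceil(max_age / 2 + 1.0)
    assert not vbst_timer_violations(hello, forward_delay, max_age)
    return max_age, forward_delay


if __name__ == "__main__":
    for hello, fwd, age in [(2, 15, 20), (2, 10, 20), (10, 15, 20)]:
        print((hello, fwd, age), vbst_timer_violations(hello, fwd, age) or "OK")
    print("minimum timers for Hello 2 s:", minimum_timers(2))
```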
Networking Requirements
In Figure 3-103, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches). SwitchC transmits traffic from VLAN
10 and VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A ring
network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic
from different VLANs be load balanced to improve link use efficiency.
Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation
layer and ensures that service traffic in each VLAN is correctly forwarded. In
addition, traffic from different VLANs can be load balanced. The configuration
roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD.
Perform the following operations so that a spanning tree shown in Figure
3-103 is formed through calculation:
– Configure SwitchA and SwitchB as the root bridge and secondary root
bridge of VLAN 10 respectively, configure SwitchA and SwitchB as the
root bridge and secondary root bridge of VLAN 20 respectively, and
configure SwitchB and SwitchA as the root bridge and secondary root
bridge of VLAN 30 respectively.
– Set a larger path cost for GE1/0/2 on SwitchC in VLAN 10 and VLAN 20
so that GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20.
Set a larger path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30
so that GE1/0/2 is blocked in the spanning tree of VLAN 20 and VLAN 30.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports
to reduce VBST topology calculation and improve topology convergence.
Procedure
Step 1 Configure Layer 2 forwarding on switches of the ring network.
● Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 20 30
# Create VLAN 10 and VLAN 20 on access switch SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
# Create VLAN 20 and VLAN 30 on access switch SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 20 30
● Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchA-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchA to VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an
example. Set the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation
method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN
20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet1/0/2] quit
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN
30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet1/0/2] quit
By default, all ports join VLAN 1 and VBST is enabled in VLAN 1. To reduce
spanning tree calculation, disable VBST in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete ports from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA.
[SwitchA] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchB.
[SwitchB] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchC.
[SwitchC] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchD.
[SwitchD] stp vlan 1 disable
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchA from VLAN 1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/3] quit
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchB from VLAN 1.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/3] quit
# Delete GE1/0/2 and GE1/0/3 on SwitchC from VLAN 1.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/3] quit
# Delete GE1/0/2, and GE1/0/3 on SwitchD from VLAN 1.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] quit
– Enable VBST globally.
# Enable VBST on SwitchA globally.
[SwitchA] stp enable
# Enable VBST on SwitchB globally.
[SwitchB] stp enable
# Enable VBST on SwitchC globally.
[SwitchC] stp enable
The preceding information shows that SwitchA is selected as the root bridge in
VLAN 10 and GE1/0/1 and GE1/0/3 are selected as designated ports in
FORWARDING state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to check
the port status.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and
traffic in VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning
trees to implement load balancing.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 20
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 30
stp edged-port enable
#
return
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● This example applies to all versions of the modular switches.
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs.
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface of an LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● When a loop occurs on the network-side interface where the Block or
Shutdown action is configured, all services on the device are interrupted. Do
not deploy LDT on the network-side interface.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LDT.
Networking Requirements
In Figure 3-104, a new branch network of an enterprise connects to the
aggregation switch Switch, and VLANs 10 to 20 are deployed on the branch
network. Loops occur due to incorrect connections or configurations. As a result,
communication on the Switch and uplink network is affected.
It is required that the Switch should immediately detect loops on the new branch
network to prevent the impact of loops on the Switch and uplink network.
Figure 3-104 Networking for configuring LDT to detect loops on the downstream
network
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable LDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so
that loops on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can
immediately shut down the interface where a loop is detected. This prevents
the impact of the loop on the Switch and uplink network.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.
The command output shows that LDT is enabled in VLANs 10 to 20 and the
Shutdown action is taken on GE1/0/1 in VLAN 10, indicating that loops are
detected in VLAN 10.
NOTE
After loops are detected in one or more VLANs, the system shuts down the involved
interface and loops are removed. In this case, LDT may be unable to detect all VLANs where
loops occur.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent trap enable feature-name LDTTRAP
#
return
3.6.6.2 Example for Configuring LDT to Detect Loops on the Local Network
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● This example applies to all versions of the modular switches.
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs.
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface of an LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● When a loop occurs on the network-side interface where the Block or
Shutdown action is configured, all services on the device are interrupted. Do
not deploy LDT on the network-side interface.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LDT.
Networking Requirements
In Figure 3-105, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass
through. Because employees often move, the network topology changes
frequently. Connections or configurations may be incorrect due to misoperations.
As a result, loops may occur in VLANs 10 to 20.
Loops cause broadcast storms and affect device and network communication. It is
required that loops be detected and eliminated in VLANs in a timely manner to
prevent broadcast storms.
Figure 3-105 Networking for configuring LDT to detect loops on the local network
Configuration Roadmap
Loops need to be detected in VLANs 10 to 20. Because there are more than eight
VLANs, you can configure LDT to detect loops and configure an action after loops
are detected to prevent broadcast storms. All VLANs share a link. To prevent loop
removal in a VLAN from affecting data forwarding in other VLANs, configure the
Quitvlan action. The configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs
10 to 20.
2. Configure an action to be taken after a loop is detected on GE1/0/0 and
GE2/0/0, and set the recovery time so that the Switch can immediately take
the preconfigured action on the interface to prevent broadcast storms after a
loop is detected. In addition, the Switch can restore the interface after the
loop is eliminated.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.
Quitvlan Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Quitvlan Quitvlan 30 13
Quitvlan Quitvlan 30 14
Quitvlan Quitvlan 30 15
Normal Quitvlan 30 16
Quitvlan Quitvlan 30 17
Quitvlan Quitvlan 30 18
Normal Quitvlan 30 19
Quitvlan Quitvlan 30 20
The VLANs that an interface is removed from are uncertain, but the interface will be
removed from all VLANs where loops occur.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and
connections between devices are corrected), check whether GE1/0/0 and
GE2/0/0 are restored.
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
The command output shows that GE1/0/0 and GE2/0/0 are restored.
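As an added example (not code from the Huawei guide), the following Python parses a transcript of display loop-detection interface output in the format shown above and reports, per interface, which VLANs are still in a non-Normal state, so the "are GE1/0/0 and GE2/0/0 restored" check becomes a mechanical comparison. The sample transcripts are constructed for this example.

```python
"""Parser for `display loop-detection interface` output (added example, not
Huawei code). Reports the VLANs on each interface whose Status is anything
other than Normal (for example Quitvlan while a loop persists). The sample
transcripts below are constructed in the same layout as the page's output.
"""
import re
from typing import Dict, List, NamedTuple

# The command line that starts each interface's block in the transcript.
CMD = re.compile(r"display loop-detection interface\s+(\S+\s+\S+)")
# One table row: Status WorkMode Recovery-time EnabledVLAN, e.g. "Quitvlan Quitvlan 30 13".
# The header line does not match because Recovery-time is not numeric.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


class VlanStatus(NamedTuple):
    status: str        # Normal, Quitvlan, Block, ...
    work_mode: str     # configured loop-detection mode on the interface
    recovery_time: int # seconds
    vlan: int


def parse_loop_detection(transcript: str) -> Dict[str, List[VlanStatus]]:
    """Split a CLI transcript into {interface: [VlanStatus, ...]}."""
    result: Dict[str, List[VlanStatus]] = {}
    current = None
    for line in transcript.splitlines():
        m = CMD.search(line)
        if m:
            current = m.group(1).lower()
            result[current] = []
            continue
        m = ROW.match(line.strip())
        if m and current is not None:
            status, mode, recovery, vlan = m.groups()
            result[current].append(VlanStatus(status, mode, int(recovery), int(vlan)))
    return result


def affected_vlans(parsed: Dict[str, List[VlanStatus]]) -> Dict[str, List[int]]:
    """Only the interfaces that still have at least one VLAN in a non-Normal state."""
    out: Dict[str, List[int]] = {}
    for iface, rows in parsed.items():
        vlans = [r.vlan for r in rows if r.status != "Normal"]
        if vlans:
            out[iface] = vlans
    return out


def all_restored(parsed: Dict[str, List[VlanStatus]]) -> bool:
    """True when every enabled VLAN on every interface reports Normal."""
    return not affected_vlans(parsed)


# Constructed sample: two interfaces while loops still exist in some VLANs.
SAMPLE_DURING_LOOP = """\
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Quitvlan Quitvlan 30 11
Normal Quitvlan 30 12
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
"""

# Constructed sample: the same interfaces after the loop has been eliminated.
SAMPLE_RESTORED = SAMPLE_DURING_LOOP.replace("Quitvlan Quitvlan", "Normal Quitvlan")

if __name__ == "__main__":
    print(affected_vlans(parse_loop_detection(SAMPLE_DURING_LOOP)))
    print(all_restored(parse_loop_detection(SAMPLE_RESTORED)))
```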
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent trap enable feature-name LDTTRAP
#
return
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to
check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.
● LBDT needs to send a large number of LBDT packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● In versions earlier than V200R019C00, LBDT cannot be configured on an Eth-Trunk
or its member interfaces. In V200R019C00 and later versions, LBDT can be
configured on an Eth-Trunk but cannot be configured on its member interfaces.
● Manual LBDT can be configured on a maximum of 128 Eth-Trunks.
● An interface can send LBDT packets with the specified VLAN tag only when
the specified VLAN has been created.
● LBDT can detect loops in a maximum of 32 VLANs.
● When the PVID of the interface in the loop is the detected VLAN ID or the
interface joins the detected VLAN in untagged mode, VLAN tags of LBDT
packets are removed. As a result, the packet priority changes and the system
may fail to detect loops.
● When the Quitvlan action is used, the configuration file remains unchanged.
● The LBDT action and MAC address flapping action affect each other, and
cannot be configured simultaneously.
● The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for
example, GVRP and HVRP), and cannot be configured simultaneously.
● The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LBDT.
● On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.
Networking Requirements
In Figure 3-106, aggregation switch SwitchA on an enterprise network connects to
access switch SwitchB. To prevent loopbacks on a TX-RX interface (GE1/0/0)
because optical fibers are connected incorrectly or the interface is damaged by
high voltage, SwitchA is required to detect loopbacks on GE1/0/0. Furthermore, it
is required that the interface be blocked to reduce the impact of the loopback on
the network when a loopback is detected, and the interface be restored after the
loopback is removed.
Configuration Roadmap
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on
GE1/0/0 of SwitchA. The configuration roadmap is as follows:
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable //Enable LBDT on the interface.
[SwitchA-GigabitEthernet1/0/0] quit
Step 2 Configure an action to be taken after a loop is detected and set the recovery time.
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30 //Set the recovery delay to 30s.
[SwitchA-GigabitEthernet1/0/0] quit
----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block NORMAL
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block NORMAL
----------------------------------------------------------------------------------
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/0
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.
Networking Requirements
In Figure 3-107, a new department of an enterprise connects to the aggregation
switch Switch. This department belongs to VLAN 100. Loops occur due to incorrect
connections or configurations. As a result, communication on the Switch and
uplink network is affected.
It is required that the Switch should detect loops on the new network to prevent
the impact of loops on the Switch and connected network.
Figure 3-107 Networking for configuring LBDT to detect loops on the downstream
network
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 shutdown NORMAL
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable
#
return
3.6.6.5 Example for Configuring LBDT to Detect Loops on the Local Network
Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to
check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.
Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.
Networking Requirements
In Figure 3-108, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes
frequently. Loops occur due to incorrect connections or configurations during the
change. As a result, broadcast storms occur and affect communication of the
Switch and entire network.
The requirements are as follows:
● The Switch detects loops.
● When a loop exists, the interface is blocked to reduce the impact of the loop
on the Switch and network.
● When the loop is eliminated, the interface can be restored.
Figure 3-108 Networking for configuring LBDT to detect loops on the local
network
Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on
GE1/0/1 and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent
by the Switch will be discarded by other switches on the network. As a result, the
packets cannot be sent back to the Switch, and LBDT fails. Therefore, LBDT is
configured in a specified VLAN. The configuration roadmap is as follows:
1. Enable LBDT on interfaces and configure the Switch to detect loops in VLAN
100 to implement LBDT on the network where the Switch is located.
2. Configure an action to be taken after a loop is detected and set the recovery
time. After a loop is detected, the Switch blocks the interface to reduce the
impact of the loop on the network. After a loop is eliminated, the interface
can be restored.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.
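As an added example (not code from the Huawei guide), the following Python simulates the LBDT behaviour described in the overview and roadmap above for one switch: probes sent every packet-interval, classification of a returned probe as a loopback on the interface or a loop on the attached network, the configured action, and restoration after the recovery window passes with no probe returning. It also shows why the roadmap sets a probe VLAN: in the constructed topology, untagged probes are discarded downstream and no loop is ever seen. Topology, port names, timings and the two-window recovery reading are assumptions of this example.

```python
"""Simulated LBDT state machine (added example, not Huawei code).
Topology, port names and timings are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Simulated downstream network: given the sending port and the probe's VLAN tag
# (None = untagged), return the local ports on which the probe comes back.
Topology = Callable[[str, Optional[int]], Set[str]]


@dataclass
class LbdtPort:
    name: str
    action: str = "shutdown"          # trap | block | nolearn | shutdown
    probe_vlan: Optional[int] = None  # loopback-detect packet vlan <id>
    recovery_time: int = 30           # loopback-detect recovery-time (seconds)
    status: str = "NORMAL"
    detected_at: Optional[int] = None
    last_seen: Optional[int] = None
    events: List[str] = field(default_factory=list)


class LbdtSwitch:
    def __init__(self, topology: Topology, packet_interval: int = 5) -> None:
        self.topology = topology
        self.packet_interval = packet_interval  # loopback-detect packet-interval
        self.ports: Dict[str, LbdtPort] = {}

    def add_port(self, port: LbdtPort) -> None:
        self.ports[port.name] = port

    @staticmethod
    def classify(sent_on: str, received_on: str) -> str:
        # The two cases listed in the overview.
        return "loopback on interface" if sent_on == received_on else "loop on network"

    def tick(self, now: int) -> None:
        """Advance the simulation to time `now` (whole seconds)."""
        if now % self.packet_interval == 0:
            for port in self.ports.values():
                # A problematic interface keeps sending probes while blocked.
                for back in self.topology(port.name, port.probe_vlan):
                    self._loop_seen(port, back, now)
        for port in self.ports.values():
            self._maybe_recover(port, now)

    def _loop_seen(self, port: LbdtPort, back: str, now: int) -> None:
        port.last_seen = now
        if port.detected_at is None:
            port.detected_at = now
            # Trap only reports to the NMS; the other actions change the port state.
            if port.action != "trap":
                port.status = port.action.upper()
            port.events.append(
                f"{now}s {port.name}: {self.classify(port.name, back)} via {back} -> {port.status}")

    def _maybe_recover(self, port: LbdtPort, now: int) -> None:
        if port.detected_at is None or port.last_seen is None:
            return
        # Restore attempts start one recovery window after detection; the port is
        # restored once a further full window passes with no probe returning
        # (this example's reading of the two-window rule in the overview).
        quiet_since = max(port.detected_at + port.recovery_time, port.last_seen)
        if now - quiet_since >= port.recovery_time:
            port.events.append(f"{now}s {port.name}: restored")
            port.status = "NORMAL"
            port.detected_at = port.last_seen = None


def run_scenario(probe_vlan: Optional[int]) -> LbdtPort:
    """Constructed case: a mis-cabled downstream switch returns VLAN 100 frames
    sent on GE1/0/2 via GE1/0/1; the operator corrects the cabling at 45s."""
    loop_present = [True]

    def topology(sent_on: str, vlan: Optional[int]) -> Set[str]:
        if vlan != 100 or not loop_present[0]:
            return set()  # untagged probes are dropped by the other switches
        return {"GE1/0/1"} if sent_on == "GE1/0/2" else set()

    sw = LbdtSwitch(topology, packet_interval=5)
    for name in ("GE1/0/1", "GE1/0/2"):
        sw.add_port(LbdtPort(name, action="block", probe_vlan=probe_vlan, recovery_time=30))
    for now in range(0, 101, 5):
        if now == 45:
            loop_present[0] = False
        sw.tick(now)
    return sw.ports["GE1/0/2"]


if __name__ == "__main__":
    print(run_scenario(100).events)   # detected at 0s, restored at 70s
    print(run_scenario(None).events)  # untagged probes: nothing detected
```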
Procedure
Step 1 Enable LBDT on interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/2] quit
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/2] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/2] quit
Step 3 Configure an action to be taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/2] quit
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return
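The roadmap above lists three things each LBDT interface needs: a probe VLAN that the interface actually carries, the block action, and a recovery time. The following script is an added example (not Huawei's code or output) that parses the `#`-delimited configuration file format shown above and reports interfaces on which `loopback-detect enable` is present but one of those pieces is missing. The sample configuration is the Switch configuration file from this example plus a hypothetical GigabitEthernet1/0/3 whose LBDT setup is incomplete.

```python
"""Audit LBDT completeness in a VRP-style switch configuration file (added example)."""
from typing import Dict, List, Set

# Constructed sample: the Switch configuration file from the example above,
# plus a hypothetical GigabitEthernet1/0/3 whose LBDT setup is incomplete.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 100
 loopback-detect recovery-time 30
 loopback-detect packet vlan 100
 loopback-detect enable
 loopback-detect action block
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid tagged vlan 100
 loopback-detect recovery-time 30
 loopback-detect packet vlan 100
 loopback-detect enable
 loopback-detect action block
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid tagged vlan 200
 loopback-detect packet vlan 100
 loopback-detect enable
#
return
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its command lines.

    Stanzas are separated by lines containing only '#'; 'return' ends the file.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def vlan_ids(tokens: List[str]) -> Set[int]:
    """Expand a VLAN list such as ['10', '20', 'to', '30'] (or ['all']) into IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    ids: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def check_lbdt(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every interface with LBDT enabled.

    An empty list means the interface matches the roadmap.
    """
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "loopback-detect enable" not in cmds:
            continue
        probe: Set[int] = set()
        carried: Set[int] = set()
        action = recovery = None
        for cmd in cmds:
            t = cmd.split()
            if cmd.startswith("loopback-detect packet vlan "):
                probe |= vlan_ids(t[3:])
            elif cmd.startswith("loopback-detect action "):
                action = t[2]
            elif cmd.startswith("loopback-detect recovery-time "):
                recovery = int(t[2])
            elif cmd.startswith("port hybrid tagged vlan ") or cmd.startswith("port trunk allow-pass vlan "):
                carried |= vlan_ids(t[4:])
        findings = []
        if not probe:
            findings.append("no 'loopback-detect packet vlan': untagged probes may be dropped by neighbouring switches")
        if action != "block":
            findings.append("no 'loopback-detect action block': a detected loop will not be blocked on this interface")
        if recovery is None:
            findings.append("no 'loopback-detect recovery-time': the default recovery time applies")
        if probe - carried:
            findings.append("probe VLAN(s) %s are not tagged/allowed on the interface, so probes cannot be sent"
                            % sorted(probe - carried))
        report[name] = findings
    return report


if __name__ == "__main__":
    for iface, findings in check_lbdt(SAMPLE_CONFIG).items():
        print(iface, "OK" if not findings else findings)
```

Run it against a saved `display current-configuration` dump; the two interfaces from the example come back clean, while the hypothetical GE1/0/3 is flagged for the missing action, the missing recovery time, and a probe VLAN (100) that the port does not carry, which is exactly the failure mode the roadmap warns about for untagged probes.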
Overview
Static ARP allows a network administrator to create fixed mappings between IP
and MAC addresses.
Dynamic ARP can leave networks vulnerable to ARP spoofs or attacks (when
malicious devices send falsified ARP messages to link an attacker's MAC address
with the IP address of a legitimate device). As a result, ARP entries may be
incorrectly learned. However, if a static ARP entry is configured on a device, the
device can communicate with the peer device using only the specified MAC
address. Network attackers cannot modify the mapping between the IP and MAC
addresses using ARP packets, ensuring communication between the two devices.
Configuration Notes
● The number of static ARP entries configured on the device cannot exceed the
maximum number of static ARP entries on the device. You can run the
display arp statistics all command to check the number of existing ARP
entries on the device.
● This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-109, the Switch connects different departments of an
enterprise. The departments are added to different VLANs. Fixed IP addresses have
been manually assigned to the file backup server and hosts in the president's
office, and dynamic IP addresses have been assigned to hosts in other
departments using DHCP. Hosts in the marketing department can access the
Internet and are often attacked by ARP packets. Attackers attack the Switch and
modify dynamic ARP entries on the Switch. As a result, communication between
hosts in the president's office and external devices is interrupted and hosts in
departments fail to access the file backup server. The company requires that static
ARP entries be configured on the Switch so that hosts in the president's office can
communicate with external devices and hosts in departments can access the file
backup server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static ARP entries for hosts in the president's office on the Switch to
prevent ARP entries of the hosts in the president's office from being modified
by ARP attack packets.
2. Configure a static ARP entry for the file backup server on the Switch to
prevent the ARP entry of the file backup server from being modified by ARP
attack packets.
Procedure
Step 1 Create VLANs on the Switch and configure an IP address for each interface.
# Create VLAN 10, add the interfaces to VLAN 10, and configure an IP address for
VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
# Configure GE1/0/2 as the primary interface and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] undo portswitch
[Switch-GigabitEthernet1/0/2] ip address 10.164.10.10 24
[Switch-GigabitEthernet1/0/2] quit
# Configure GE1/0/3 as the primary interface and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] undo portswitch
[Switch-GigabitEthernet1/0/3] ip address 10.164.20.1 24
[Switch-GigabitEthernet1/0/3] quit
NOTE
If the Switch does not support the configuration that uses the undo portswitch command
to configure an interface as the primary interface and then configures an IP address for it,
configure the interface as a VLANIF interface and then configure an IP address for it.
# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for
example, using the IP address 10.164.2.100/24 and Windows 7 operating system)
in the marketing department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1
Pinging 10.164.10.1 with 32 bytes of data:
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for
example, using the IP address 10.164.3.100/24 and Windows 7 operating system)
in the R&D department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1
Pinging 10.164.10.1 with 32 bytes of data:
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.164.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.164.20.1 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface GigabitEthernet1/0/1
arp static 10.164.10.1 00e0-fc02-1234 interface GigabitEthernet1/0/2
#
return
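The point of the static entries above is that an attacker's ARP packets can no longer change the IP-to-MAC mapping for the president's office hosts and the file backup server. A defender still wants to verify that the intended bindings are actually in force on the switch. The following script is an added example (not Huawei's code): its baseline is the two `arp static` lines from the configuration file above, and the observed table is a constructed `display arp` output (column layout following the sample shown later in this chapter) in which 10.164.10.1 has been learned dynamically with a different MAC, as it would look if the static entry had never been applied.

```python
"""Audit that intended static ARP bindings are in force (added example)."""
import re
from typing import Dict, List, Tuple

# Baseline: the 'arp static' lines from the Switch configuration file above.
BASELINE_CONFIG = """\
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface GigabitEthernet1/0/1
arp static 10.164.10.1 00e0-fc02-1234 interface GigabitEthernet1/0/2
"""

# Constructed 'display arp' output: 10.164.10.1 appears as a dynamic entry
# with an unexpected MAC, which is what a successful spoof leaves behind
# on a switch that lacks the static entry.
OBSERVED_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.20     00e0-fc12-3456            I-          Vlanif10
10.164.1.1      00e0-fc01-0001            S--         GE1/0/1                  10
10.164.10.1     00e0-fc99-9999  20        D-0         GE1/0/2
10.164.2.100    00e0-fc33-4444  18        D-0         Vlanif10                 10
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:1     Interface:1
"""

# ip, mac, optional EXPIRE(M) (blank for static/interface entries), TYPE
ROW_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?:(\d+)\s+)?(\S+)"
)


def parse_baseline(config: str) -> Dict[str, str]:
    """{ip: mac} from 'arp static <ip> <mac> ...' lines."""
    out: Dict[str, str] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "arp" and t[1] == "static":
            out[t[2]] = t[3].lower()
    return out


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """{ip: (mac, type_flag)}; type_flag is the first letter of TYPE:
    I = interface address, S = static, D = dynamic."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out[m.group(1)] = (m.group(2).lower(), m.group(4)[0])
    return out


def audit(baseline: Dict[str, str], observed: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """List (ip, finding) for every protected IP that is missing, not static,
    or resolved to a different MAC than the baseline says."""
    findings: List[Tuple[str, str]] = []
    for ip, mac in sorted(baseline.items()):
        if ip not in observed:
            findings.append((ip, "missing from ARP table"))
            continue
        seen_mac, flag = observed[ip]
        if flag != "S":
            findings.append((ip, "not static (type %s)" % flag))
        if seen_mac != mac:
            findings.append((ip, "mac mismatch: expected %s, saw %s" % (mac, seen_mac)))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    return audit(parse_baseline(BASELINE_CONFIG), parse_arp_table(OBSERVED_ARP))


if __name__ == "__main__":
    for ip, finding in run_audit():
        print(ip, finding)
```

Feed it the real configuration file and a fresh `display arp` capture and a clean run prints nothing; any line it prints is either a static entry that was never committed or a protected address that an attacker has already re-mapped.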
Overview
When an enterprise network is divided into subnets, two subnets may belong to
the same network segment but different physical networks. These two subnets are
isolated by the switch. You can modify the routing information about the hosts on
the network, so that the data packets destined for other subnets are sent to the
gateway connected to different subnets and then forwarded by the gateway to the
destination. However, to implement this solution, you must configure routes for all
hosts on the subnets. This complicates management and maintenance.
Deploying routed proxy ARP on the gateway can effectively solve the
management and maintenance problems in subnet division. Routed proxy ARP
allows the communication between the hosts whose IP addresses belong to the
same network segment but different physical networks. In addition, the default
gateway does not need to be configured on the hosts, facilitating management
and maintenance.
Configuration Notes
After routed proxy ARP is enabled on the device, reduce the aging time of ARP
entries on hosts so that invalid ARP entries expire as soon as possible. This
reduces the number of packets that are sent to the switch but cannot be
forwarded by it.
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2700-EI, S2710-SI, S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI,
S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI,
S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H,
S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-110, branch A and branch B of the enterprise are located in
different cities and their host IP addresses belong to the same network segment
172.16.0.0/16. There are reachable routes between Switch_1 connected to branch
A and Switch_2 connected to branch B. Branch A and branch B belong to different
broadcast domains; therefore, they cannot communicate on a LAN. Hosts in the
branches are not configured with default gateway addresses, so they cannot
communicate across network segments. The enterprise requires that branch A and
branch B communicate without changing the host configurations.
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting Switch_1 and branch A to VLAN 10 and add the
interface connecting Switch_2 and branch B to VLAN 20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to
allow the two branches to communicate.
Procedure
Step 1 Create VLANs, add interfaces to VLANs, and configure IP addresses for the
interfaces.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type access
[Switch_1-GigabitEthernet1/0/1] port default vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 172.16.1.1 24
# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 20
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type access
[Switch_2-GigabitEthernet1/0/1] port default vlan 20
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 172.16.2.1 24
# Configure Switch_2.
[Switch_2-Vlanif20] arp-proxy enable //Configure routed proxy ARP
[Switch_2-Vlanif20] quit
# Check ARP entries of VLANIF 10 on Switch_1. The command output shows the
MAC address mapping the IP address of VLANIF 10.
[Switch_1] display arp interface vlanif 10
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.1.1 00e0-fc12-3456 I- Vlanif10
------------------------------------------------------------------------------
Total:1 Dynamic:0 Static:0 Interface:1
# Check the ARP table on Host_1. The command output shows that the MAC
address mapping the IP address of Host_2 is the MAC address of VLANIF 10 on
Switch_1, indicating that Host_1 and Host_2 can communicate with each other
through ARP proxy.
C:\Documents and Settings\Administrator> arp -a
Interface: 172.16.1.2 --- 0xd
Internet Address Physical Address Type
172.16.2.2 00e0-fc12-3456 dynamic
...
----End
Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
return
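The ARP table on Host_1 above shows why the scheme works: Host_1 (a /16 address) believes 172.16.2.2 is on its own segment, so it sends an ARP request, and Switch_1 answers with the MAC of VLANIF 10. The following script is an added example (not Huawei's code) that models that decision on the gateway in a simplified form: answer for the interface's own address, stay silent for an on-link target, and proxy only when `arp-proxy enable` is set on the receiving VLANIF and the routing table points to the target through a different interface. The uplink interface name (Vlanif30) and the route to branch B are assumptions; the example only states that a route is reachable.

```python
"""Simplified model of the routed proxy ARP decision (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Gateway:
    """VLANIF interfaces and routing table of one switch."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.interfaces: Dict[str, dict] = {}
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_interface(self, name: str, cidr: str, mac: str, arp_proxy: bool = False) -> None:
        addr = ipaddress.ip_interface(cidr)
        self.interfaces[name] = {"addr": addr, "mac": mac, "proxy": arp_proxy}
        self.routes.append((addr.network, name))  # connected route

    def add_route(self, prefix: str, out_iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), out_iface))

    def lookup(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match; returns the outgoing interface or None."""
        best = None
        for net, out in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None

    def arp_reply_mac(self, in_iface: str, target_ip: str) -> Optional[str]:
        """MAC the gateway answers with for an ARP request received on
        in_iface, or None if it stays silent."""
        iface = self.interfaces[in_iface]
        target = ipaddress.ip_address(target_ip)
        if target == iface["addr"].ip:
            return iface["mac"]            # request for our own address
        if target in iface["addr"].network:
            return None                    # on-link host answers for itself
        if not iface["proxy"]:
            return None                    # routed proxy ARP not enabled here
        out = self.lookup(target)
        if out is None or out == in_iface:
            return None                    # no route, or route points back
        return iface["mac"]                # proxy: answer with our own MAC


def build_switch_1() -> Gateway:
    """Switch_1 from the example. Vlanif30 and the route to 172.16.2.0/24
    are assumptions standing in for the unspecified uplink."""
    sw = Gateway("Switch_1")
    sw.add_interface("Vlanif10", "172.16.1.1/24", "00e0-fc12-3456", arp_proxy=True)
    sw.add_interface("Vlanif30", "10.0.0.1/30", "00e0-fc12-3457")  # assumed uplink
    sw.add_route("172.16.2.0/24", "Vlanif30")
    return sw


def host_thinks_on_link(host_cidr: str, dst_ip: str) -> bool:
    """Why Host_1 ARPs at all: with a /16 it sees 172.16.2.2 as local."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host_cidr).network


if __name__ == "__main__":
    sw = build_switch_1()
    print("Host_1 sees 172.16.2.2 on-link:", host_thinks_on_link("172.16.1.2/16", "172.16.2.2"))
    print("reply for 172.16.2.2 on Vlanif10:", sw.arp_reply_mac("Vlanif10", "172.16.2.2"))
```

The last rule in `arp_reply_mac` (no reply when the route exits through the receiving interface) is what keeps the gateway from answering for hosts it would only forward back into the same segment; the configuration note about shorter host-side ARP aging matters because, once the switch has answered, the host caches the gateway MAC for the remote address and keeps using it until that entry ages out.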
3.7.2.1 Example for Configuring the Device as a DHCP Server (Based on the
Interface Address Pool)
The Dynamic Host Configuration Protocol (DHCP) uses the client/server mode to
dynamically configure and uniformly manage network parameters for users. The
DHCP server uses an address pool to assign network parameters such as IP
addresses to the users. The global address pool or an interface address pool can
be used.
An interface address pool is simple to configure, but it can be used only
when the users and the DHCP server are on the same network segment, and the
server can assign network parameters only to the users on that interface. It is
applicable to small networks with a limited number of devices and a controllable
configuration and maintenance workload. After the DHCP server function based
on the interface address pool is configured on the user gateway, the hosts and
mobile terminals on the interface can automatically obtain network parameters
such as IP addresses, without manual configuration and modification.
Compared with an interface address pool, the global address pool can be applied
to large networks. The DHCP server function based on the global address pool
should be configured on a core device, or an exclusive DHCP server be used to
assign network parameters such as IP addresses. The user gateway only needs to
be enabled with the DHCP relay function. For details, see 3.7.2.4 Example for
Configuring the Device as a DHCP Relay (on the Same Network).
Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-111, an enterprise divides two network segments for office
terminals: 10.1.1.0/24 for employees with fixed office terminals and 10.1.2.0/24 for
employees on business trips to temporarily access the network. The enterprise
requires that DHCP be used to assign IP addresses to employees with fixed office
terminals and employees on business trips. A PC (DHCP Client_1) requires fixed IP
address 10.1.1.100/24 to meet service requirements.
Figure 3-111 Networking diagram for configuring the device as a DHCP server
Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the Switch to dynamically assign IP
addresses to the terminals on the two network segments. Configure the IP address
lease to 30 days for the employees with fixed office terminals on 10.1.1.0/24 and
one day for the employees on business trips on 10.1.2.0/24 to temporarily access
the network.
NOTE
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.
Procedure
Step 1 Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable
Step 5 Enable the device to save DHCP data to the storage device. If a fault occurs on the
device, you can run the dhcp server database recover command after the system
restarts to restore DHCP data from files on the storage device.
[Switch] dhcp server database enable
Run the display ip pool command on the Switch to check the configuration of
VLANIF 10 and VLANIF 11. For example, the enterprise has 100 employees with
fixed office terminals and 3 employees on business trips.
[Switch] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No :0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :100
Idle :153 Expired :0
Conflict :0 Disable :0
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
dhcp server database enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
dhcp server lease day 30 hour 0 minute 0
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
#
return
3.7.2.2 Example for Configuring a Device as the DHCP Server (Based on the
Global Address Pool)
Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-112, an enterprise has two offices. To save network
resources, the switch functions as the DHCP server to allocate IP addresses to
hosts in the two offices. Hosts in office 1 are on the network segment 10.1.1.0/25
and are added to VLAN 10; the lease of IP addresses for these hosts is ten days.
Hosts in office 2 are on the network segment 10.1.1.128/25 and are added to
VLAN 11; the lease of IP addresses for these hosts is two days.
Figure 3-112 Networking diagram for configuring a device as the DHCP server
Configuration Roadmap
The configuration roadmap is as follows:
Configure the switch as the DHCP server to dynamically allocate IP addresses and
the DNS server address to hosts in the two offices. PCs on the network segment
10.1.1.0/25 are for employees in office 1 and obtain IP addresses with a lease of
ten days. PCs on the network segment 10.1.1.128/25 are for employees in office 2
and obtain IP addresses with a lease of two days.
Procedure
Step 1 Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.126 125 2 123(0) 0 0
-------------------------------------------------------------------------------
# Run the display ip pool name pool2 command on the switch to view IP address
allocation in the global address pool pool2. The Used field displays the number of
allocated IP addresses. The following uses the command output in V200R011C10
as an example.
[Switch] display ip pool name pool2
Pool-name : pool2
Pool-No :1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.1.2.3
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.129
Network : 10.1.1.128
Mask : 255.255.255.128
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :125 Used :2
Idle :123 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.129 10.1.1.254 125 2 123(0) 0 0
-------------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
lease day 10 hour 0 minute 0
dns-list 10.1.2.3
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.2.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif11
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
#
return
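Both the interface address pool example and the global address pool example rely on reading `display ip pool` output and confirming that the Total, Used and Idle counters make sense: Total is the subnet's host count minus the gateway, and Used + Idle + Conflict + Disabled must equal Total. The following script is an added example (not Huawei's code) that parses that output and performs those checks, plus a lease-length policy check; the sample input is the pool2 listing shown above, and the 30-day policy maximum is an assumption.

```python
"""Parse 'display ip pool' output and check address accounting (added example)."""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Sample input: the pool2 listing from the global address pool example above.
POOL2_OUTPUT = """\
Pool-name : pool2
Pool-No :1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.1.2.3
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.129
Network : 10.1.1.128
Mask : 255.255.255.128
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :125 Used :2
Idle :123 Expired :0
Conflict :0 Disabled :0
"""

FIELD_RE = re.compile(r"^(Pool-name|Gateway-0|Network|Mask|Lease)\s*:\s*(.+?)\s*$")
# 'Disabled?' because some versions print 'Disable' and others 'Disabled'.
PAIR_RE = re.compile(r"(Total|Used|Idle|Expired|Conflict|Disabled?)\s*:\s*(\d+)")


def parse_pool(text: str) -> Dict[str, Any]:
    """Return the fields needed for the accounting check."""
    info: Dict[str, Any] = {}
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        for key, value in PAIR_RE.findall(line):
            info["Disabled" if key.startswith("Disable") else key] = int(value)
    return info


def lease_hours(lease: str) -> float:
    """Convert 'N Days N Hours N Minutes' to hours; infinity for 'unlimited'."""
    if lease.strip().lower() == "unlimited":
        return float("inf")
    m = re.match(r"(\d+) Days (\d+) Hours (\d+) Minutes", lease)
    if not m:
        raise ValueError("unrecognised lease: %r" % lease)
    days, hours, minutes = (int(x) for x in m.groups())
    return days * 24 + hours + minutes / 60


def expected_total(network: str, mask: str, gateways: List[str]) -> int:
    """Assignable addresses: subnet hosts minus any gateway inside the subnet."""
    net = ipaddress.ip_network("%s/%s" % (network, mask))
    hosts = net.num_addresses - 2  # network and broadcast addresses
    return hosts - sum(1 for g in gateways if ipaddress.ip_address(g) in net)


def check_pool(text: str, max_lease_hours: float = 24 * 30) -> Tuple[Dict[str, Any], List[str]]:
    """Return (parsed fields, list of problems). max_lease_hours is a policy
    assumption for this example."""
    info = parse_pool(text)
    problems: List[str] = []
    exp = expected_total(info["Network"], info["Mask"], [info["Gateway-0"]])
    if exp != info["Total"]:
        problems.append("Total %s does not match subnet size %d" % (info["Total"], exp))
    parts = info["Used"] + info["Idle"] + info["Conflict"] + info["Disabled"]
    if parts != info["Total"]:
        problems.append("Used+Idle+Conflict+Disabled=%d, Total=%s" % (parts, info["Total"]))
    if lease_hours(info["Lease"]) > max_lease_hours:
        problems.append("lease %s exceeds policy maximum" % info["Lease"])
    return info, problems


if __name__ == "__main__":
    fields, issues = check_pool(POOL2_OUTPUT)
    print(fields["Pool-name"], "OK" if not issues else issues)
```

For the interface pool example the same arithmetic gives 253 for 10.1.1.0/24 with gateway 10.1.1.1, matching the `Total :253` shown there. A Total that does not match the subnet, or counters that do not add up, is worth a closer look at `excluded-ip-address` settings and address conflicts before trusting the pool's utilisation figures.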
Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-113, the IP phone and PCs are devices in an office area. To
uniformly manage devices and reduce manual configuration costs, the
administrator needs to configure hosts to dynamically obtain IP addresses through
DHCP. PCs are fixed terminals in the duty room. They need to always be online
and use domain names to access network devices. In addition to obtaining an IP
address dynamically, the PCs require an unlimited IP address lease and need to
obtain information about the DNS server. The IP phone uses a fixed IP address
10.1.1.4/24 and its MAC address is 00e0-fc12-3456. In addition to obtaining an IP
address, the IP phone needs to dynamically obtain the startup configuration file.
The startup configuration file configuration.ini is stored on the FTP server. The
routes between the FTP server and IP phone must be reachable. The gateway
address of the PCs and IP phone is 10.1.1.1/24.
Figure 3-113 Networking diagram for configuring a device as the DHCP server
Configuration Roadmap
1. Create a DHCP Option template on SwitchA. In the DHCP Option template
view, configure the startup configuration file for the static client IP phone, and
specify the IP address of the FTP server for the IP phone.
2. Create a global address pool on SwitchA. In the global address pool view,
configure the IP address lease and information about the DNS server for the
dynamic client PCs. Bind an IP address and the DHCP Option template to the
MAC address of the static client IP phone. In this way, the DHCP server can
allocate different network parameters to dynamic and static clients.
Procedure
Step 1 Create a VLAN and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlanif10] quit
Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the
startup configuration file for the static client IP phone, and specify the IP address
of the file server for the IP phone.
[SwitchA] dhcp option template template1
[SwitchA-dhcp-option-template-template1] gateway-list 10.1.1.1
[SwitchA-dhcp-option-template-template1] bootfile configuration.ini
[SwitchA-dhcp-option-template-template1] next-server 10.1.1.3
[SwitchA-dhcp-option-template-template1] quit
Step 4 Create an IP address pool. In the IP address pool view, configure the gateway
address, IP address lease, and IP address of the DNS server for the PCs. Allocate a
fixed IP address to the IP phone and configure the startup configuration file.
[SwitchA] ip pool pool1
[SwitchA-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-pool1] dns-list 10.1.1.2
[SwitchA-ip-pool-pool1] gateway-list 10.1.1.1
[SwitchA-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[SwitchA-ip-pool-pool1] lease unlimited
[SwitchA-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address 00e0-fc12-3456 option-template template1
[SwitchA-ip-pool-pool1] quit
Step 6 Enable the device to save DHCP data to the storage device. If a fault occurs on the
device, you can run the dhcp server database recover command after the system
restarts to restore DHCP data from files on the storage device.
[SwitchA] dhcp server database enable
Lease : unlimited
Domain-name :-
DNS-server0 : 10.1.1.2
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :250 Expired :0
Conflict :0 Disabled :2
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 249(0) 0 2
-------------------------------------------------------------------------------
# Run the display dhcp option template name template1 command on SwitchA
to view the DHCP Option template configuration.
[SwitchA] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp server database enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address 00e0-fc12-3456 option-template template1
lease unlimited
dns-list 10.1.1.2
#
interface Vlanif10
3.7.2.4 Example for Configuring the Device as a DHCP Relay (on the Same
Network)
Configuration Notes
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI,
S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI,
S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-114, an enterprise deploys the DHCP server on the core
switch. The DHCP server and terminals in the enterprise belong to different
network segments. The enterprise requires that the DHCP server should
dynamically assign IP addresses to the terminals.
Figure 3-114 Networking diagram for configuring the device as a DHCP relay
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay on SwitchA (user gateway) to forward DHCP
packets between the terminals and DHCP server.
2. On SwitchB, configure the DHCP server based on the global address pool so
that the DHCP server can assign IP addresses from the global address pool to
the terminals.
NOTE
Use a Huawei S series switch as an example for the DHCP server (SwitchB).
On the LSW, configure the interface link type and VLAN to implement Layer 2 communication.
Procedure
Step 1 Configure the DHCP relay on SwitchA.
# Add the interface to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.20.1 24
[SwitchA-Vlanif200] quit
Step 2 Configure the DHCP server function based on the global address pool on SwitchB.
# Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] dhcp enable
# Create an address pool and configure the attributes. The default lease (one day)
is used and does not need to be configured.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 10.10.20.0 mask 24 //Configure the network segment and mask of the global address pool.
[SwitchB-ip-pool-pool1] gateway-list 10.10.20.1 //Configure the gateway address assigned to the terminals.
[SwitchB-ip-pool-pool1] quit
# Run the display ip pool command on SwitchB to check the IP address allocation
of pool1. For example, the enterprise has 100 terminals. The following uses the
command output in V200R011C10 as an example.
[SwitchB] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.10.20.1
Network : 10.10.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :252 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.10.20.1 10.10.20.254 253 1 252(0) 0 0
-------------------------------------------------------------------------------
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.10.20.1 255.255.255.0
3.7.2.5 Example for Configuring the Device as a DHCP Relay (Across a GRE Tunnel)
The DHCP relay function applies to large networks with many sparsely-distributed
user gateways. To reduce the maintenance workload, the network administrator
does not want to configure the DHCP server function on each aggregation switch
(user gateway) and requires that the DHCP server function be configured on a
core device or an exclusive DHCP server be deployed in the server area. In this
case, the aggregation switches functioning as the user gateways need to be
configured with the DHCP relay function to implement exchange of DHCP packets
between the DHCP server and clients.
The DHCP relay and DHCP server can be deployed across a VPN (such as GRE or
MPLS L3VPN) network. A GRE tunnel is used as an example to describe how to
configure a DHCP relay.
Configuration Notes
This example applies to the following products:
● S5710-EI, S5720-EI, S5700-HI, S5710-HI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H
● S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-115, an enterprise deploys its headquarters and branch in
different areas. A GRE tunnel is deployed between the headquarters and branch to
enable them to communicate. To facilitate unified management, the enterprise
administrator deploys the DHCP server on Switch_1 in the headquarters to assign
IP addresses to the terminals in the headquarters and branch. The network
segments 10.1.1.0/24 and 10.2.1.0/24 are planned for the headquarters and
branch respectively.
Figure 3-115 Networking diagram for configuring the device as a DHCP relay
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Use a Huawei S series switch as an example for the DHCP server (Switch_1).
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.
Procedure
Step 1 Configure IP addresses for the interconnecting VLANIF interfaces on Switch_1 through Switch_3.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
[Switch_1] interface gigabitethernet 1/0/0
[Switch_1-GigabitEthernet1/0/0] port link-type trunk
[Switch_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/0] quit
[Switch_1] interface gigabitethernet 2/0/0
[Switch_1-GigabitEthernet2/0/0] port link-type trunk
[Switch_1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_1-GigabitEthernet2/0/0] quit
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 10.20.1.1 24
[Switch_1-Vlanif10] quit
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] ip address 10.1.1.1 24
[Switch_1-Vlanif30] quit
# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 10 20
[Switch_2] interface gigabitethernet 1/0/0
[Switch_2-GigabitEthernet1/0/0] port link-type trunk
[Switch_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/0] quit
[Switch_2] interface gigabitethernet 2/0/0
[Switch_2-GigabitEthernet2/0/0] port link-type trunk
[Switch_2-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[Switch_2-GigabitEthernet2/0/0] quit
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 10.20.1.2 24
[Switch_2-Vlanif10] quit
[Switch_2] interface vlanif 20
# Configure Switch_3.
<HUAWEI> system-view
[HUAWEI] sysname Switch_3
[Switch_3] vlan batch 20 30
[Switch_3] interface gigabitethernet 1/0/0
[Switch_3-GigabitEthernet1/0/0] port link-type trunk
[Switch_3-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[Switch_3-GigabitEthernet1/0/0] quit
[Switch_3] interface gigabitethernet 2/0/0
[Switch_3-GigabitEthernet2/0/0] port link-type trunk
[Switch_3-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_3-GigabitEthernet2/0/0] quit
[Switch_3] interface vlanif 20
[Switch_3-Vlanif20] ip address 10.30.1.2 24
[Switch_3-Vlanif20] quit
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] ip address 10.2.1.1 24
[Switch_3-Vlanif30] quit
# Configure Switch_2.
[Switch_2] ospf 1
[Switch_2-ospf-1] area 0
[Switch_2-ospf-1-area-0.0.0.0] network 10.20.1.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] network 10.30.1.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] quit
[Switch_2-ospf-1] quit
# Configure Switch_3.
[Switch_3] ospf 1
[Switch_3-ospf-1] area 0
[Switch_3-ospf-1-area-0.0.0.0] network 10.30.1.0 0.0.0.255
[Switch_3-ospf-1-area-0.0.0.0] quit
[Switch_3-ospf-1] quit
# Configure Switch_3: enable the DHCP relay function on VLANIF 30 and specify the DHCP server address for the relay.
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] dhcp select relay //Enable the DHCP relay function. By default, the function is disabled.
[Switch_3-Vlanif30] dhcp relay server-ip 10.1.1.1 //Configure the DHCP server IP address for the DHCP relay agent.
[Switch_3-Vlanif30] quit
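The relay behaviour configured above, and in the SwitchA/SwitchB relay example before it, comes down to one header field: the relay writes its client-facing interface address into giaddr, and the server chooses the address pool from giaddr rather than from the interface the request arrived on. The following Python model is an added example written for this page, not Huawei's implementation; it builds RFC 2131 messages as bytes and walks a DISCOVER/OFFER round trip through a relay and a server. The addresses are the ones used in this example (Switch_3's VLANIF 30 at 10.2.1.1, Switch_1 at 10.1.1.1 with pool1 and pool2); the client MAC, the transaction ID and the 16-hop limit (RFC 2131's figure, not a stated VRP setting) are assumptions.

```python
"""Added example: how a DHCP relay's giaddr drives pool selection on the server.

Models the exchange Switch_3 (relay, VLANIF 30 = 10.2.1.1) and Switch_1
(server, 10.1.1.1, pools pool1/pool2) perform in this section, at the level
of the RFC 2131 header. Pure Python, no sockets: the "wire" is a bytes value.
"""
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed RFC 2131 header
HDR_LEN = struct.calcsize(HDR)        # 236 bytes, options follow the magic cookie
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAX_HOPS = 16                         # RFC 2131 section 4.1: discard requests with hops > 16

# Switch_1's global address pools as configured on the page (only the fields the model needs).
POOLS = {
    "pool1": {"network": ipaddress.IPv4Network("10.2.1.0/24"), "gateway": "10.2.1.1"},
    "pool2": {"network": ipaddress.IPv4Network("10.1.1.0/24"), "gateway": "10.1.1.1"},
}

def ip_bytes(s): return ipaddress.IPv4Address(s).packed
def ip_str(b): return str(ipaddress.IPv4Address(b))

def build(op, hops, xid, flags, yiaddr, giaddr, chaddr, msg_type):
    """Assemble a minimal DHCP message: fixed header, magic cookie, option 53, end option."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip_bytes("0.0.0.0"), ip_bytes(yiaddr),
                      ip_bytes("0.0.0.0"), ip_bytes(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse(pkt):
    f = struct.unpack(HDR, pkt[:HDR_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "yiaddr": ip_str(f[8]), "giaddr": ip_str(f[10]), "chaddr": f[11][:6]}

def relay_to_server(pkt, relay_if_ip, server_ip):
    """Relay agent (dhcp select relay / dhcp relay server-ip): fill giaddr on the first hop,
    bump hops, unicast to the configured server. Returns (destination, packet) or None if dropped."""
    p = parse(pkt)
    if p["op"] != BOOTREQUEST or p["hops"] >= MAX_HOPS:
        return None                                   # not a client request, or a relay loop
    out = bytearray(pkt)
    out[3] = p["hops"] + 1
    if p["giaddr"] == "0.0.0.0":                      # only the first relay sets giaddr
        out[24:28] = ip_bytes(relay_if_ip)
    return server_ip, bytes(out)

def select_pool(pkt, receiving_if_ip):
    """Server side: a relayed request is matched on giaddr, a local one on the receiving interface."""
    p = parse(pkt)
    key = ipaddress.IPv4Address(p["giaddr"] if p["giaddr"] != "0.0.0.0" else receiving_if_ip)
    return next((n for n, pool in POOLS.items() if key in pool["network"]), None)

def server_offer(pkt, receiving_if_ip, leases):
    """Pick a pool, take the first free non-gateway address, answer via giaddr when relayed."""
    name = select_pool(pkt, receiving_if_ip)
    if name is None:
        return None
    pool, p = POOLS[name], parse(pkt)
    yiaddr = next(str(h) for h in pool["network"].hosts()
                  if str(h) != pool["gateway"] and str(h) not in leases)
    leases.add(yiaddr)
    offer = build(BOOTREPLY, 0, p["xid"], p["flags"], yiaddr, p["giaddr"], p["chaddr"], DHCPOFFER)
    reply_to = p["giaddr"] if p["giaddr"] != "0.0.0.0" else "255.255.255.255"
    return name, reply_to, offer

def relay_to_client(pkt, relay_if_ip):
    """Relay agent, server-facing side: forward only replies carrying our own giaddr."""
    p = parse(pkt)
    if p["op"] != BOOTREPLY or p["giaddr"] != relay_if_ip:
        return None
    return "255.255.255.255", pkt                     # client has no address yet: broadcast on VLANIF 30

def exchange(relay_if_ip, server_if_ip, leases=None):
    """One DISCOVER/OFFER round trip. relay_if_ip=None means the client sits on the server's own segment."""
    leases = set() if leases is None else leases
    mac = bytes.fromhex("001122334455")               # constructed client MAC
    pkt = build(BOOTREQUEST, 0, 0x3903F326, 0x8000, "0.0.0.0", "0.0.0.0", mac, DHCPDISCOVER)
    if relay_if_ip:
        _, pkt = relay_to_server(pkt, relay_if_ip, server_if_ip)
    name, reply_to, offer = server_offer(pkt, server_if_ip, leases)
    if relay_if_ip:
        _, offer = relay_to_client(offer, relay_if_ip)
    return {"giaddr": parse(pkt)["giaddr"], "pool": name,
            "offered": parse(offer)["yiaddr"], "reply_to": reply_to}

if __name__ == "__main__":
    print(exchange("10.2.1.1", "10.1.1.1"))   # branch client via Switch_3 -> pool1
    print(exchange(None, "10.1.1.1"))         # headquarters client on Switch_1's VLANIF 30 -> pool2
```

Two details matter for security review. The relay leaves a non-zero giaddr untouched, so the server's pool choice rests on whatever the first relay (or a host that forged an already-relayed request) placed there; that is why the relay only forwards replies whose giaddr is its own address, and why leases appearing in an unexpected pool in the display ip pool output deserve a look. The hop counter is the only loop protection the header offers, so a relay chain that exceeds it drops the request rather than forwarding forever.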
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.2.1.1 10.2.1.254 253 50 203(0) 0 0
-------------------------------------------------------------------------------
[Switch_1] display ip pool name pool2
Pool-name : pool2
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :50
Idle :203 Expired :0
Conflict :0 Disable :0
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-------------------------------------------------------------------------------
----End
Configuration Files
● Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 10 30
#
dhcp enable
#
ip pool pool1
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
ip pool pool2
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.20.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 10.40.1.1 255.255.255.0
tunnel-protocol gre
source 10.20.1.1
destination 10.30.1.2
#
ospf 1
area 0.0.0.0
network 10.20.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1
#
return
● Configuration file of Switch_3
#
sysname Switch_3
#
vlan batch 20 30
#
dhcp enable
#
interface Vlanif20
ip address 10.30.1.2 255.255.255.0
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.1.1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 10.40.1.2 255.255.255.0
tunnel-protocol gre
source 10.30.1.2
destination 10.20.1.1
#
ospf 1
area 0.0.0.0
network 10.30.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1
#
return
Configuration Notes
This example applies to:
● Chassis switches: V200R005 and later versions
● Fixed switches: V100R006 and later versions
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-116, Switch_1 functions as the DHCP client to dynamically
obtain information including the IP address, DNS server address, and gateway
address from the DHCP server (Switch_2).
Figure 3-116 Networking diagram for configuring a device as the DHCP server
Configuration Roadmap
1. Configure Switch_1 as the DHCP client to dynamically obtain the IP address
from a DHCP server.
2. Configure Switch_2 as the DHCP server to dynamically allocate network
parameters including IP addresses to Switch_1.
Procedure
Step 1 Configure Switch_1 as the DHCP client.
# Create VLAN 10, and add GE1/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan 10
[Switch_1-vlan10] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type trunk
[Switch_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
Step 2 Create a global address pool on Switch_2 and set corresponding attributes.
1. Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] dhcp enable
[Switch_2] vlan 10
[Switch_2-vlan10] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type trunk
[Switch_2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/1] quit
# After VLANIF 10 obtains an IP address, run the display dhcp client command
on Switch_1 to view the status of the DHCP client on VLANIF 10. The following
uses the command output in V200R011C10 as an example.
[Switch_1] display dhcp client
DHCP client lease information on interface Vlanif10 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : xxxx-xxxx-xxxx
IP address : 192.168.1.162
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
Lease obtained at : 2017-06-23 14:52:40
Lease expires at : 2017-06-24 14:52:40
Lease renews at : 2017-06-24 02:52:40
Lease rebinds at : 2017-06-24 11:52:40
DNS : 192.168.1.2
# On Switch_2, run the display ip pool name pool1 command to view IP address
allocation in the address pool. The Used field displays the number of used IP
addresses in the address pool. The following uses the command output in
V200R011C10 as an example.
[Switch_2] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.1.2
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 192.168.1.126
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :1
-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 251(0) 0 1
-------------------------------------------------------------------------------
----End
Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
3.7.2.7 Example for Configuring DHCP Servers Based on the Global Address Pool on the Same Network Segment in VRRP Networking
Configuration Notes
This example applies to the following products:
● V200R011C10 and later versions: S2720-EI
● S3700-EI, S3700-HI
● S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-117, a host in an enterprise is dual-homed to SwitchA and
SwitchB through Switch. SwitchA functions as the master DHCP server to allocate
IP addresses to the host. If the master DHCP server fails, a backup DHCP server
must allocate an IP address to the host.
Figure 3-117 Networking diagram for configuring a device as the DHCP server
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure network-layer connectivity among devices.
NOTE
Information about the address pool on the master DHCP server cannot be backed up to a
backup DHCP server in real time. To prevent IP address conflicts after a master/backup
switchover, ensure that the address pool ranges on the master and backup DHCP servers
are exclusive to one another.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-1] gateway-list 10.1.1.111
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.129 10.1.1.254
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit
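The NOTE above is the one configuration rule that keeps a VRRP master/backup DHCP pair from handing the same address to two hosts: the pool is not synchronised, so the two servers must carve the segment into disjoint ranges with excluded-ip-address. The following Python checker is an added example written for this page, not Huawei's tooling. It parses ip pool stanzas out of saved configuration text, reproduces the Total and Disabled figures that display ip pool reports for this pool (hosts minus the gateway address, and excluded addresses that were allocatable at all), and checks that the two servers' allocatable sets do not overlap. SwitchA's stanza is the one shown in this example; SwitchB's stanza is not on the page and is an assumption chosen to match its displayed statistics (Disable 128, Idle 125, interface address 10.1.1.129).

```python
"""Added example: verify that master and backup DHCP pools cannot hand out the same address.

Parses 'ip pool' stanzas from Huawei configuration text, reproduces the
Total / Disabled / allocatable figures that 'display ip pool' reports, and
checks that the allocatable sets of the two servers are disjoint.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

Addr = ipaddress.IPv4Address

@dataclass
class Pool:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    gateways: Set[Addr] = field(default_factory=set)
    excluded: Set[Addr] = field(default_factory=set)

    def hosts(self) -> Set[Addr]:
        return set(self.network.hosts())

    def total(self) -> int:        # 'Total' in display ip pool: usable hosts minus gateway addresses
        return len(self.hosts() - self.gateways)

    def disabled(self) -> int:     # 'Disabled': excluded addresses that would otherwise be allocatable
        return len((self.excluded & self.hosts()) - self.gateways)

    def allocatable(self) -> Set[Addr]:
        return self.hosts() - self.gateways - self.excluded

def parse_pools(config: str) -> Dict[str, Pool]:
    """Minimal parser for the ip pool view; a '#' line closes the stanza as in a saved config."""
    pools: Dict[str, Pool] = {}
    cur: Optional[Pool] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            cur = None
            continue
        m = re.fullmatch(r"ip pool (\S+)", line)
        if m:
            cur = pools.setdefault(m.group(1), Pool(m.group(1)))
            continue
        if cur is None:
            continue
        if m := re.fullmatch(r"network (\S+) mask (\S+)", line):      # mask as dotted quad or prefix length
            cur.network = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.fullmatch(r"gateway-list (.+)", line):
            cur.gateways |= {Addr(g) for g in m.group(1).split()}
        elif m := re.fullmatch(r"excluded-ip-address (\S+)(?: (\S+))?", line):
            lo, hi = Addr(m.group(1)), Addr(m.group(2) or m.group(1))  # single address or a range
            cur.excluded |= {Addr(i) for i in range(int(lo), int(hi) + 1)}
    return pools

# SwitchA's pool exactly as configured in this example.
SWITCHA_CONFIG = """\
#
ip pool 1
 gateway-list 10.1.1.111
 network 10.1.1.0 mask 255.255.255.0
 excluded-ip-address 10.1.1.1
 excluded-ip-address 10.1.1.129 10.1.1.254
 lease day 10 hour 0 minute 0
#
"""

# Assumed (not shown on the page): SwitchB keeps the lower half and its own address 10.1.1.129 out of its pool.
SWITCHB_CONFIG = """\
#
ip pool 1
 gateway-list 10.1.1.111
 network 10.1.1.0 mask 255.255.255.0
 excluded-ip-address 10.1.1.1 10.1.1.128
 excluded-ip-address 10.1.1.129
 lease day 10 hour 0 minute 0
#
"""

def check_pair(master_cfg: str, backup_cfg: str, name: str) -> dict:
    """Compare the same-named pool on both servers; 'exclusive' is the property the NOTE requires."""
    a, b = parse_pools(master_cfg)[name], parse_pools(backup_cfg)[name]
    overlap = a.allocatable() & b.allocatable()
    return {
        "master": {"total": a.total(), "disabled": a.disabled(), "allocatable": len(a.allocatable())},
        "backup": {"total": b.total(), "disabled": b.disabled(), "allocatable": len(b.allocatable())},
        "overlap": sorted(str(x) for x in overlap),
        "exclusive": not overlap,
    }

if __name__ == "__main__":
    print(check_pair(SWITCHA_CONFIG, SWITCHB_CONFIG, "1"))
```

For SwitchA the checker reproduces the figures in the display ip pool output that follows (Total 253, Disable 127, 126 allocatable), and with the assumed SwitchB stanza the two allocatable sets are 10.1.1.2 through 10.1.1.128 (less the gateway) and 10.1.1.130 through 10.1.1.254, so the pair is exclusive. Dropping one excluded-ip-address line on either side is enough for the overlap list to become non-empty, which is the condition to gate a change on before a master/backup switchover can occur.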
# Create VRRP group 1 on SwitchB, set the priority of SwitchB in the VRRP group
to 100 (default), and configure clients to obtain IP addresses from a global
address pool.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] dhcp select global
[SwitchB-Vlanif100] quit
# Disable STP on GE1/0/3 of Switch, and set the path cost of GE1/0/1 to 20000.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] stp cost 20000
[Switch-GigabitEthernet1/0/1] quit
# Run the display ip pool command on SwitchA and SwitchB. The command
output shows that SwitchA, but not SwitchB, successfully allocated an IP address
to the client. The following uses the command output in V200R011C10 as an
example.
[SwitchA] display ip pool
-------------------------------------------------------------------------------
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :125 Expired :0
Conflict :0 Disable :127
IP address Statistic
Total :253
Used :1 Idle :125
Expired :0 Conflict :0 Disable :127
[SwitchB] display ip pool
-------------------------------------------------------------------------------
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :0
Idle :125 Expired :0
Conflict :0 Disable :128
IP address Statistic
Total :253
Used :0 Idle :125
Expired :0 Conflict :0 Disable :128
# Run the display vrrp command on SwitchA and SwitchB. The command output
shows that SwitchA is in the Initialize state and SwitchB is the Master in the VRRP group.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Initialize
Virtual IP : 10.1.1.111
Master IP : 0.0.0.0
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.129
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46
# Run the display ip pool command on SwitchB to view the address pool
configuration.
[SwitchB] display ip pool
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
IP address Statistic
Total :253
Used :1 Idle :124
Expired :0 Conflict :0 Disabled :128
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1
excluded-ip-address 10.1.1.129 10.1.1.254
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
Solution Overview
With the rapid development of IPTV services, the IPTV platform needs to provide
services to a growing number of users, who in turn raise increasingly high
requirements on the reliability of the IPTV live broadcast service. IPTV is a type of
video service, which means that end users have extremely high requirements on
service continuity. Therefore, service continuity must be ensured during routine
maintenance as well as in key event assurance and major version upgrade
assurance.
Figure 3-118 shows the networking diagram of the broadcast and television
network in a region. To ensure the quality of live TV, the live streams sent by the
broadcast and television multicast source server must be first forwarded to the
MRF transcoding server for transcoding and then forwarded by the transcoding
server to receivers. The transcoding server is connected to the IPTV network
through two switches that form a dual-node cluster on the ring network, thereby
improving network reliability.
● Normal forwarding path for multicast streams sent by the multicast source
server: Core -> PE1 -> LSW1 -> CDN -> Transcoding server
● Normal forwarding path for multicast streams transcoded by the transcoding
server: Transcoding server -> CDN -> LSW1 -> PE1 -> AGG -> ACC1 and ACC2
● Normal forwarding path for unicast streams sent from the recording server to
a receiver: Recording server -> CDN -> LSW1 -> PE1 -> AGG -> ACC1 or ACC2
Figure 3-118 Video traffic forwarding path in the scenario when the CDN server is
connected to two switches that form a dual-node cluster on a ring network
Configuration Notes
In this example, Core, PE1, and PE2 are modular switches, and the other devices
are fixed switches. All S series switch models can be used in this example.
Networking Requirements
Figure 3-119 shows the IPTV network diagram in a region. A receiver can watch
live TV programs and catch-up TV programs. The network requirements are as
follows:
● Multicast live streams sent by the multicast source server are first forwarded
to the CDN server for transcoding and recording and then forwarded to
receivers.
● Receivers can also order catch-up TV programs in unicast mode.
● Layer 3 multicast, L2/L3 mixed multicast, and IGMP snooping are deployed to
forward multicast traffic.
● OSPF is used to implement traffic forwarding at Layer 3. LSW1 and LSW2
establish neighbor relationships with PE1 and PE2 respectively in area 1 of
OSPF process 1. Core establishes neighbor relationships with PE1 and PE2 in
area 0 of OSPF process 1.
● MSTP is deployed between CDN, LSW1, and LSW2 to prevent loops; VRRP is
deployed on LSW1 and LSW2 to improve network reliability.
● To ensure access security, traffic policies are configured on LSW1 and LSW2 to
restrict the access of multicast source servers.
Figure 3-119 Basic IPTV networking in the scenario when the CDN server is
connected to two switches that form a dual-node cluster on a ring network
Data Plan
Item Description
LoopBack0: 1.1.1.3 -
LoopBack0: 1.1.1.1 -
LoopBack0: 1.1.1.2 -
LoopBack0: 1.1.1.4 -
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure MSTP to prevent loops.
3. Configure an IP address for each VLANIF interface.
4. Configure VRRP to implement gateway redundancy.
5. Configure OSPF to implement Layer 3 interworking.
6. Configure Layer 3 multicast.
7. Configure IGMP snooping to enable Layer 2 multicast.
8. Configure traffic policies to control the access of multicast sources.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create a VLAN on ACC1 and add related interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 33
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] description ACC1***to***AGG
[ACC1-GigabitEthernet0/0/1] port link-type trunk
[ACC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 33
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 33
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 33
[ACC1-GigabitEthernet0/0/3] quit
Step 2 Configure MSTP. LSW1, LSW2, and CDN form a Layer 2 loop, so MSTP is used to
break the loop.
# Configure an MSTP region on LSW1 and enable MSTP.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name IPTV
[LSW1-mst-region] instance 1 vlan 530
[LSW1-mst-region] instance 2 vlan 88 301 400
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
[Core] ospf 1
[Core-ospf-1] area 0
[Core-ospf-1-area-0.0.0.0] quit
[Core-ospf-1] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ospf enable 1 area 0.0.0.0
[Core-LoopBack0] quit
# Configure OSPF on AGG, and change the cost of the related interface for route
backup.
[AGG] ospf 1
[AGG-ospf-1] area 0
[AGG-ospf-1-area-0.0.0.0] quit
[AGG-ospf-1] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] ospf enable 1 area 0.0.0.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] ospf cost 10000
[AGG-Vlanif22] ospf enable 1 area 0.0.0.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] ospf enable 1 area 0.0.0.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] ospf enable 1 area 0.0.0.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ospf enable 1 area 0.0.0.0
[AGG-LoopBack0] quit
[Core-pim] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] pim sm
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] pim sm
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] pim sm
[Core-GigabitEthernet1/0/3] quit
[LSW1-vlan301] quit
[LSW1] vlan 530
[LSW1-vlan530] igmp-snooping enable
[LSW1-vlan530] quit
[LSW2-behavior-IPTV_Service_IN] quit
[LSW2] traffic behavior IPTV_Multicast_Remark
[LSW2-behavior-IPTV_Multicast_Remark] permit
[LSW2-behavior-IPTV_Multicast_Remark] remark dscp af41
[LSW2-behavior-IPTV_Multicast_Remark] quit
[LSW2] traffic policy IPTV_Service_IN
[LSW2-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[LSW2-trafficpolicy-IPTV_Service_IN] quit
[LSW2] traffic policy IPTV_Multicast_Remark
[LSW2-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[LSW2-trafficpolicy-IPTV_Multicast_Remark] quit
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] traffic-policy IPTV_Service_IN inbound
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] traffic-policy IPTV_Multicast_Remark inbound
[LSW2-GigabitEthernet0/0/2] quit
# After users send IGMP Report messages, ACC1 and ACC2 can generate
information about multicast group member ports correctly.
[ACC1] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 33, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
[ACC2] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 34, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
# After the multicast source sends a multicast packet and the decoding server
sends a join message, LSW1 and PE1 can generate the multicast routing entry
correctly.
[LSW1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.0.0.1)
RP: 1.1.1.1
Protocol: pim-sm, Flag: WC
UpTime: 00:06:50
Upstream interface: Vlanif10
Upstream neighbor: 10.1.1.1
RPF prime neighbor: 10.1.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif530
Protocol: igmp, UpTime: 00:01:42, Expires: -
[PE1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.0.0.1)
RP: 1.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:12:46
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif10
Protocol: pim-sm, UpTime: 00:08:59, Expires: 00:02:31
----End
Configuration Files
● Core configuration file
#
sysname Core
#
multicast routing-enable
#
interface GigabitEthernet1/0/1
undo portswitch
description Core***to***Sever
ip address 66.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo portswitch
description Core***to***PE2
#
interface Vlanif22
description to***PE2
ip address 22.1.1.8 255.255.255.0
pim sm
ospf cost 10000
ospf enable 1 area 0.0.0.0
#
interface Vlanif33
description to***ACC1
ip address 33.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface Vlanif34
description to***ACC2
ip address 34.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/1
description AGG***to***ACC1
port link-type trunk
port trunk allow-pass vlan 33
#
interface GigabitEthernet0/0/2
description AGG***to***ACC2
port link-type trunk
port trunk allow-pass vlan 34
#
interface GigabitEthernet0/0/4
description AGG***to***PE1
port link-type trunk
port trunk allow-pass vlan 11
#
interface GigabitEthernet0/0/5
description AGG***to***PE2
port link-type trunk
port trunk allow-pass vlan 22
#
interface LoopBack0
ip address 1.1.1.4 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return
Figure 3-120 shows the networking diagram of the broadcast and television
network in a region. To ensure the quality of live TV, the live streams sent by the
broadcast and television multicast source server must be first forwarded to the
MRF transcoding server for transcoding and then forwarded by the transcoding
server to receivers. The transcoding server is connected to a switch stack system,
which connects to PE devices of the IPTV network through Eth-Trunk. This
improves network reliability.
● Normal forwarding path for multicast streams sent by the multicast source
server: Core -> PE1 -> Stack -> CDN -> Transcoding server
● Normal forwarding path for multicast streams transcoded by the transcoding
server: Transcoding server -> CDN -> Stack -> PE1 -> AGG -> ACC1 and ACC2
● Normal forwarding path for unicast streams sent from the recording server to
a receiver: Recording server -> CDN -> Stack -> PE1 -> AGG -> ACC1 or ACC2
Figure 3-120 Video traffic forwarding path in the scenario when the transcoding
server is connected to a switch stack system that connects to PE devices of the
IPTV network through Eth-Trunk
Configuration Notes
In this example, Core, PE1, and PE2 are modular switches, and the other devices
are fixed switches. All S series switch models can be used in this example.
Networking Requirements
Figure 3-121 shows the IPTV network diagram in a region. A receiver can watch
live TV programs and catch-up TV programs. The network requirements are as
follows:
● Multicast live streams sent by the multicast source server are first forwarded
to the CDN server for transcoding and recording and then forwarded to
receivers.
● Receivers can also order catch-up TV programs in unicast mode.
● Layer 3 multicast, L2/L3 mixed multicast, and IGMP snooping are deployed to
forward multicast traffic.
● OSPF is used to implement traffic forwarding at Layer 3. The switch stack
system (named Stack) establishes neighbor relationships with PE1 and PE2 in
area 1 of OSPF process 1. Core establishes neighbor relationships with PE1
and PE2 in area 0 of OSPF process 1.
● To ensure access security, traffic policies are configured on Stack to restrict
the access of multicast source servers.
Figure 3-121 Basic IPTV networking in the scenario when the transcoding server is
connected to a switch stack system that connects to PE devices of the IPTV
network through Eth-Trunk
Data Plan
LoopBack0: 1.1.1.3 -
LoopBack0: 1.1.1.1 -
LoopBack0: 1.1.1.2 -
LoopBack0: 1.1.1.4 -
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure an IP address for each VLANIF interface.
3. Configure OSPF to implement Layer 3 interworking.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure OSPF on AGG, and change the cost of the related interface for route
backup.
[AGG] ospf 1
[AGG-ospf-1] area 0
[AGG-ospf-1-area-0.0.0.0] quit
[AGG-ospf-1] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] ospf enable 1 area 0.0.0.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] ospf cost 10000
[AGG-Vlanif22] ospf enable 1 area 0.0.0.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] ospf enable 1 area 0.0.0.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] ospf enable 1 area 0.0.0.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ospf enable 1 area 0.0.0.0
[AGG-LoopBack0] quit
[Stack-Vlanif10] quit
[Stack] interface vlanif 301
[Stack-Vlanif301] pim sm
[Stack-Vlanif301] quit
[Stack] interface vlanif 400
[Stack-Vlanif400] pim sm
[Stack-Vlanif400] igmp enable
[Stack-Vlanif400] quit
[Stack] interface vlanif 530
[Stack-Vlanif530] pim sm
[Stack-Vlanif530] igmp enable //The interface is connected to the decoding server, so IGMP needs to be enabled on the interface.
[Stack-Vlanif530] quit
[Stack-trafficpolicy-IPTV_Multicast_Remark] quit
[Stack] interface eth-trunk2
[Stack-Eth-Trunk2] traffic-policy IPTV_Service_IN inbound
[Stack-Eth-Trunk2] quit
[Stack] interface eth-trunk3
[Stack-Eth-Trunk3] traffic-policy IPTV_Service_IN inbound
[Stack-Eth-Trunk3] quit
[Stack] interface eth-trunk1
[Stack-Eth-Trunk1] traffic-policy IPTV_Multicast_Remark inbound
[Stack-Eth-Trunk1] quit
# After users send IGMP Report messages, ACC1 and ACC2 can generate
information about multicast group member ports correctly.
[ACC1] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 33, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
[ACC2] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 34, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
# After the multicast source sends a multicast packet and the decoding server
sends a join message, Stack and PE1 can generate the multicast routing entry
correctly.
[Stack] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.0.0.1)
RP: 1.1.1.1
Protocol: pim-sm, Flag: WC
UpTime: 02:41:03
Upstream interface: Vlanif10
Upstream neighbor: 10.1.1.1
RPF prime neighbor: 10.1.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif530
Protocol: igmp, UpTime: 02:41:03, Expires: -
[PE1] display pim routing-table
(*, 225.0.0.1)
RP: 1.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 02:39:32
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif10
Protocol: pim-sm, UpTime: 02:39:32, Expires: 00:02:58
----End
Configuration Files
● Core configuration file
#
sysname Core
#
multicast routing-enable
#
interface GigabitEthernet1/0/1
undo portswitch
description Core***to***Sever
ip address 66.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo portswitch
description Core***to***PE2
ip address 20.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description Core***to***PE1
ip address 12.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 1.1.1.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return
interface Vlanif301
description LSW1***to***LSW2
ip address 31.1.1.1 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 4.1.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 4.1.1.10
vrrp vrid 40 priority 120
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 5.1.1.2 255.255.255.0
vrrp vrid 53 virtual-ip 5.1.1.10
vrrp vrid 53 priority 120
pim sm
igmp enable
#
interface Eth-Trunk1
description Stack***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface Eth-Trunk2
description Stack***to***PE1
port link-type access
port default vlan 10
traffic-policy IPTV_Service_IN inbound
#
interface Eth-Trunk3
description Stack***to***PE2
port link-type access
port default vlan 21
traffic-policy IPTV_Service_IN inbound
#
interface GigabitEthernet0/0/1
eth-trunk1
#
interface GigabitEthernet0/0/6
eth-trunk2
#
interface GigabitEthernet0/0/8
eth-trunk3
#
interface GigabitEthernet1/0/1
eth-trunk1
#
interface GigabitEthernet1/0/6
eth-trunk2
#
interface GigabitEthernet1/0/8
eth-trunk3
#
ospf 1 router-id 192.168.1.1
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 31.1.1.0 0.0.0.255
network 88.1.1.0 0.0.0.255
network 5.1.1.0 0.0.0.255
nssa
#
pim
static-rp 1.1.1.1
#
return
Static routes are generally suitable for simple networks. However, they can be
used on complex networks to improve network performance and ensure
bandwidth for important applications.
Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup. When the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-122, hosts on different network segments are connected
using several switches. Every two hosts on different network segments can
communicate with each other without using dynamic routing protocols.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to
VLANIF interfaces so that neighboring devices can communicate with each
other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static
routes or default static routes on each Switch so that hosts on different
network segments can communicate with each other.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.2
#
return
Static routes are generally suitable for simple networks. However, they can be
used on complex networks to improve network performance and ensure
bandwidth for important applications.
Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup. When the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to the following products:
– S3700-SI, S3700-EI, S3700-HI
– S5700-SI, S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI,
S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I,
S5735S-H, S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
On the network shown in Figure 3-123, PC1 and PC2 are connected through four
switches. Data traffic can be transmitted from PC1 to PC2 through two links:
PC1->SwitchA->SwitchB->SwitchC->PC2 and PC1->SwitchA->SwitchD->SwitchC->PC2.
To improve link efficiency, users want to implement load balancing between the
two links. That is, traffic from PC1 to PC2 is evenly balanced between the two
links. When faults occur on one of the two links, traffic is automatically switched
to the other link.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure IP addresses and default gateways for hosts.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2
# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1
# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1
# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2
#
return
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return
Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup. When the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to all versions of all S series switches.
Networking Requirements
On the network shown in Figure 3-124, PC1 and PC2 are connected through four
switches. Data traffic of PC1 can reach PC2 through two links:
PC1->SwitchA->SwitchB->SwitchC->PC2 and PC1->SwitchA->SwitchD->SwitchC->PC2. To improve
reliability, users want to implement backup between the two links. That is, traffic
from PC1 to PC2 is first transmitted through the link that passes through SwitchB.
When faults occur on this link, traffic is automatically switched to the link that
passes through SwitchD.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure IP addresses and default gateways for hosts.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2
# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1
Step 4 Configure static routes from PC2 to PC1 and ensure that the active and standby
links in two directions are the same.
# On SwitchC, configure two static routes with different priorities. The next hop of
one route points to SwitchB, and that of the other route points to SwitchD.
Subsequently, data traffic is first forwarded to SwitchB. When faults occur on the
link that passes through SwitchB, traffic is automatically switched to SwitchD.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2 preference 70
# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1
# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1
Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD
Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R
The IP routing table on SwitchA contains only one active route to network
segment 10.1.2.0/24. Normally, data traffic from PC1 to PC2 is transmitted
through the link that passes through SwitchB. Detailed information about the IP
routing table on SwitchA shows two routes to network segment 10.1.2.0/24: one
Active route that passes through SwitchB and the other Inactive route that passes
through SwitchD. When faults occur on the active link, the Inactive route will
become active to take over the traffic. This implements link backup.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2 preference 70
#
return
BFD for IPv4 static routes is adaptable to link changes but both ends of the link
must support BFD. If either end of a link does not support BFD, NQA for IPv4
static routes can be configured. When an NQA test instance detects a link fault, it
instructs the routing management module to delete the associated static route
from the IP routing table. Then service traffic switches to a route without any link
fault to prevent lengthy service interruptions.
Configuration Notes
● The NQA function of the switch is license controlled. If the license is
unavailable, NQA commands can be run, but the NQA function does not take
effect.
● Applicable products and versions: V200R003C00 and later versions
Networking Requirements
As shown in Figure 3-125, SwitchA on a company network is connected to two
egress routers (RouterA and RouterB) through two default static routes to
implement load balancing. The company wants to deploy a link failure detection
mechanism for the default static routes, so that traffic can be switched from a
faulty link to the other functioning link promptly to prevent services from being
interrupted.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Configuration Roadmap
1. Create VLANs, add interfaces to the VLANs, and configure IP addresses for
VLANIF interfaces, so that neighboring devices can communicate with each
other.
Procedure
Step 1 On SwitchA, create VLANs and add interfaces to them.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[SwitchA-GigabitEthernet1/0/3] quit
Step 4 Configure default static routes and bind them to the NQA test instances.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 track nqa user test1
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.20.1 track nqa user test2
Completion:failed and Lost packet ratio: 100 % in the command output show
that the link between SwitchA and RouterB is faulty.
# Check the routing table. Only the default static route to RouterA is available.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route
Static routes are easy to configure and therefore widely used on networks with
simple structures. Unlike dynamic routing protocols, static routes do not have a
dedicated detection mechanism. If a fault occurs, static routes cannot detect the
fault, and the network administrator must delete the corresponding static route.
This delays the link switchover and may cause lengthy service interruptions. IP
networks are being used more often to carry multiple services such as voice and
video services. These services pose high requirements on network reliability, and
fast fault detection and processing. EFM for IPv4 static routes can be configured to
provide the detection mechanism for static routes so that they can detect the link
quality changes in real time and switch services immediately.
Configuration Notes
● By default, EFM is disabled globally and on interfaces.
● After EFM OAM is enabled on an interface, the interface starts to send OAM
PDUs to perform the point-to-point EFM link detection. EFM link detection
can be implemented between two interfaces only after EFM OAM is enabled
on the peer interface.
● Applicable products and versions: switches of all models.
Networking Requirements
As shown in Figure 3-126, SwitchA connects to the NMS across a network
segment through SwitchB. SwitchA and SwitchB need to detect the link quality in
real time. When the link between them becomes faulty, the corresponding static
route is deleted from the IP routing table. Then traffic switches from the faulty
link to a normal route to improve network reliability.
Figure 3-126 Networking for configuring EFM for a static IPv4 route
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM globally and on interfaces of SwitchA and SwitchB to
implement real-time link quality detection.
2. Configure a static route from SwitchA to the NMS and bind it to the EFM
state to associate the static route with EFM. When a link where the static
route resides becomes faulty, traffic switches to a route without link faults.
Procedure
Step 1 Specify the VLAN to which the interfaces belong.
# Configure SwitchA. The configuration of SwitchB is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
# Check the IP routing table on SwitchA. The IP routing table contains the static
route.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
# Run the display efm session all command on SwitchA. The command output
shows that the EFM OAM protocol state is discovery, indicating that the interface
is in OAM discovery state.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 discovery --
# Check the IP routing table on SwitchA. The IP routing table does not contain the
static route 192.168.2.0/24. This is because the static route is bound to the EFM
state. After EFM OAM detects a link fault, it rapidly notifies SwitchA that the static
route is unavailable.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4
# Run the display efm session all command on SwitchA. The command output
shows that the EFM OAM protocol state is detect, indicating that the interface is
in handshake state again.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --
# Check the IP routing table on SwitchA. The IP routing table contains the static
route 192.168.2.0/24 again. After EFM OAM detects that the link recovers from a
fault, it rapidly notifies that the bound static route is valid again.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
----End
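The route selection that the preceding static-route examples verify (two equal-cost routes both Active for load balancing, the preference 70 route staying Inactive until the active link fails, and a `track nqa` or `track efm-state` binding withdrawing a route when its detector reports a failure) can be modelled in a few lines. The Python below is an added illustration, not Huawei code; the outbound interface names and the track labels `nqa:test1`, `nqa:test2` and `efm:GigabitEthernet1/0/1` are constructed where the page does not give them.

```python
"""Model of static-route selection in these examples (added illustration, not Huawei code):
lowest preference (default 60) is Active, equal-preference routes are all Active and share
traffic, a preference 70 route floats in when the active link fails, and a route bound to an
NQA/EFM detector is withdrawn when the detector fails."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

DEFAULT_STATIC_PREFERENCE = 60  # "Preference: 60" in display ip routing-table verbose


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network
    next_hop: IPv4Address
    interface: str                # outbound VLANIF, e.g. "Vlanif100"
    preference: int = DEFAULT_STATIC_PREFERENCE
    track: Optional[str] = None   # bound detector, e.g. "nqa:test1" (constructed label)


@dataclass
class Switch:
    routes: List[StaticRoute] = field(default_factory=list)
    link_up: Dict[str, bool] = field(default_factory=dict)   # interface -> link state
    track_ok: Dict[str, bool] = field(default_factory=dict)  # track label -> detector result

    def add(self, dest, nh, iface, preference=DEFAULT_STATIC_PREFERENCE, track=None):
        """Equivalent of one 'ip route-static ... [preference N] [track ...]' line."""
        self.routes.append(StaticRoute(IPv4Network(dest), IPv4Address(nh), iface, preference, track))
        self.link_up.setdefault(iface, True)
        if track:
            self.track_ok.setdefault(track, True)

    def _usable(self, r: StaticRoute) -> bool:
        # A static route stays in the routing table only while its outbound link is up
        # and the bound NQA/EFM detector, if any, still reports the link healthy.
        return self.link_up.get(r.interface, True) and self.track_ok.get(r.track, True)

    def active_routes(self, dest) -> List[StaticRoute]:
        """Active routes for one prefix: the lowest preference among usable candidates.
        Every route at that preference is Active (equal-cost load balancing); the rest
        stay Inactive until the active ones disappear (floating static route)."""
        dest = IPv4Network(dest)
        cands = [r for r in self.routes if r.destination == dest and self._usable(r)]
        if not cands:
            return []
        best = min(r.preference for r in cands)
        return [r for r in cands if r.preference == best]

    def next_hops(self, dest) -> List[str]:
        return sorted(str(r.next_hop) for r in self.active_routes(dest))

    def lookup(self, ip) -> List[StaticRoute]:
        """Longest-prefix match over active routes; 0.0.0.0/0 is tried last."""
        ip = IPv4Address(ip)
        for prefix in sorted({r.destination for r in self.routes},
                             key=lambda n: n.prefixlen, reverse=True):
            if ip in prefix:
                active = self.active_routes(prefix)
                if active:
                    return active
        return []

    def pick_next_hop(self, src, dst) -> Optional[str]:
        """Per-flow choice among equal-cost next hops: hash (src, dst) so that one flow
        always follows the same link, as per-flow load balancing does."""
        active = sorted(self.lookup(dst), key=lambda r: int(r.next_hop))
        if not active:
            return None
        idx = (int(IPv4Address(src)) * 31 + int(IPv4Address(dst))) % len(active)
        return str(active[idx].next_hop)


# Scenario builders mirroring the configuration files above (interface names constructed
# where the page does not give them).
def switch_a_load_balancing() -> Switch:
    sw = Switch()
    sw.add("10.1.2.0/24", "192.168.12.2", "Vlanif100")   # via SwitchB
    sw.add("10.1.2.0/24", "192.168.14.2", "Vlanif400")   # via SwitchD, same preference
    return sw

def switch_a_floating() -> Switch:
    sw = Switch()
    sw.add("10.1.2.0/24", "192.168.12.2", "Vlanif100")                  # preference 60
    sw.add("10.1.2.0/24", "192.168.14.2", "Vlanif400", preference=70)   # backup
    return sw

def switch_a_nqa() -> Switch:
    sw = Switch()
    sw.add("0.0.0.0/0", "10.1.10.1", "Vlanif100", track="nqa:test1")   # to RouterA
    sw.add("0.0.0.0/0", "10.1.20.1", "Vlanif200", track="nqa:test2")   # to RouterB
    return sw

def switch_a_efm() -> Switch:
    sw = Switch()
    sw.add("192.168.2.0/24", "192.168.1.2", "Vlanif10", track="efm:GigabitEthernet1/0/1")
    return sw
```

Flip `link_up` or `track_ok` entries on a builder's result to replay the link-failure steps of each procedure and compare `next_hops()` with the routing tables shown.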
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
efm enable
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 track efm-state GigabitEthernet1/0/1
#
return
Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route
OSPF Overview
The Open Shortest Path First (OSPF) protocol is a link-state Interior Gateway
Protocol (IGP) developed by the Internet Engineering Task Force (IETF). OSPF
Version 2 defined in RFC 2328 is used in IPv4.
OSPF is loop-free, provides fast route convergence, and supports area partitioning,
equal-cost routes, authentication, and multicast transmission. Therefore, OSPF is
widely used as the mainstream IGP in various industries, including the enterprise,
carrier, government, finance, education, and health care industries.
OSPF uses a hierarchical design, provides various routing policies, and applies to
networks of different sizes and topologies. OSPF is often the first choice for
deploying an IGP.
Configuration Notes
● Each router ID in an OSPF process must be unique on an OSPF network.
Otherwise, the OSPF neighbor relationship cannot be established and routing
information is incorrect. You are advised to configure a unique router ID for
each OSPF process on an OSPF device.
● OSPF partitions an AS into different areas, in which Area 0 is the backbone
area. OSPF requires that all non-backbone areas maintain the connectivity
with the backbone area and devices in the backbone area maintain the
connectivity with each other.
● Network types of interfaces on both ends of a link must be the same;
otherwise, the two interfaces cannot establish an OSPF neighbor relationship.
On a link, if the network type of one OSPF interface is broadcast and the
other is P2P, the two OSPF interfaces can still establish an OSPF neighbor
relationship but cannot learn routing information from each other.
● The IP address masks of OSPF interfaces on both ends of a link must be the
same; otherwise, the two OSPF interfaces cannot establish an OSPF neighbor
relationship. On a P2MP network, however, you can run the ospf p2mp-mask-ignore
command to disable a device from checking the network mask so that an OSPF
neighbor relationship can be established.
● On a broadcast or NBMA network, there must be at least one OSPF interface
of which the DR priority is not 0 to ensure that the DR can be elected.
Otherwise, the neighbor status of devices on both ends can only be 2-Way.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-127, SwitchA, SwitchB, and SwitchC reside on the OSPF
network. The three switches need to communicate with each other, and SwitchA
and SwitchB function as core switches to support network expansion.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each VLANIF interface on each switch and specify
the VLAN to which the interfaces belong to implement interworking.
2. Configure basic OSPF functions on each switch and partition the OSPF
network into Area 0 and Area 1 with SwitchA as the area border router (ABR).
Consequently, the area where SwitchA and SwitchB reside becomes the
backbone area and can be used to expand the OSPF network.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] return
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] return
Neighbors
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
The preceding command output shows that SwitchC has a route to 192.168.0.0/24
and the route is an inter-area route.
# Check the routing table on SwitchB and perform the ping operation to test the
connectivity between SwitchB and SwitchC.
<SwitchB> display ospf routing
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
The preceding command output shows that SwitchB has a route to 192.168.1.0/24
and the route is an inter-area route.
# On SwitchB, perform a ping operation to test the connectivity between SwitchB
and SwitchC.
<SwitchB> ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=254 time=16 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=254 time=94 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=254 time=63 ms
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
where the device resides needs to access other areas or network segments outside
the OSPF area, and the next-hop address of routes of the device is the IP address
of the next-hop core device of the link. Therefore, the area where the device
resides does not need to learn a large number of OSPF external routes and can be
configured as a stub area. This configuration can reduce the routing table size of
the area and resource consumption of the device.
Configuration Notes
● The backbone area cannot be configured as a stub area.
● An ASBR cannot exist in a stub area. That is, external routes are not
advertised in a stub area.
● A virtual link cannot pass through a stub area.
● To configure an area as a stub area, configure stub area attributes on all the
routers in this area using the stub command.
● To configure an area as a totally stub area, run the stub command on all the
routers in this area, and run the stub no-summary command on the ABR in
this area.
● The stub no-summary command can only be configured on an ABR to
prevent the ABR from advertising Type 3 LSAs within a stub area. After this
command is configured on the ABR, the area becomes a totally stub area, the
number of routing entries on routers in the area is reduced, and there are
only intra-area routes and a default route advertised by the ABR.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-128, SwitchA, SwitchB, and SwitchC run OSPF, and the OSPF
network is divided into Area 0 and Area 1. SwitchB functions as an ASBR to
communicate with external networks. The OSPF routing table size on SwitchC
needs to be reduced without affecting communication.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in
the OSPF network.
2. Configure a static route on SwitchB and import the route to the OSPF routing
table to ensure that there is a reachable route from the OSPF network to
external networks.
3. Configure Area 1 as a stub area to reduce the OSPF routing table size on
SwitchC.
4. Prohibit the ABR (SwitchA) in Area 1 from advertising Type 3 LSAs within the
stub area to configure Area 1 as a totally stub area. This configuration
minimizes the OSPF routing table size on SwitchC.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit
# Check the OSPF routing table on SwitchC. The command output shows that the
OSPF routing table contains an AS external route.
[SwitchC] display ospf routing
Total Nets: 3
Intra Area: 1 Inter Area: 1 ASE: 1 NSSA: 0
# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have
# Check the OSPF routing table on SwitchC. The command output shows that the
OSPF routing table does not contain the AS external route 10.0.0.0/8 but contains
a default route to external networks.
[SwitchC] display ospf routing
Total Nets: 3
Intra Area: 1 Inter Area: 2 ASE: 0 NSSA: 0
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
NSSA Overview
An NSSA is a special type of OSPF area. It is similar to a stub area in that neither
of them floods AS external routes learned from other areas of the AS in which it
resides. The difference is that an NSSA allows AS external routes to be imported
and advertised in the entire AS, whereas a stub area does not. To ensure the
An NSSA allows Type 7 LSAs (NSSA External LSAs) to be advertised. Type 7 LSAs
are generated by the ASBR of the NSSA. When reaching the ABR of the NSSA,
these LSAs can be translated into Type 5 LSAs (AS External LSAs) and advertised
to other areas.
Configuration Notes
● The backbone area cannot be configured as an NSSA.
● To configure an area as an NSSA, configure NSSA attributes on all the routers
in this area.
● A virtual link cannot pass through an NSSA.
● To reduce the number of LSAs that are transmitted to the NSSA, configure
no-summary on an ABR. This prevents the ABR from transmitting Type 3
LSAs to the NSSA, making the area a totally NSSA.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-129, SwitchA, SwitchB, SwitchC, and SwitchD run OSPF, and
the OSPF network is divided into Area 0 and Area 1. Devices in Area 1 need to be
prohibited from receiving external routes imported from other areas and to
communicate with external networks using the external routes imported by the
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in
the OSPF network.
2. Configure Area 1 as an NSSA, configure a static route on SwitchD, and
configure SwitchD to import the static route into the OSPF routing table so
that switches in Area 1 can communicate with external networks only through
SwitchD.
3. Configure SwitchA as an LSA translator to translate Type 7 LSAs into Type 5
LSAs and send the LSAs to other OSPF areas.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.4.4.4
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit
# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the
nssa command configured.
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the
nssa command configured.
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit
Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0
The command output shows that the AS external routes imported into the NSSA
are advertised by SwitchB to other areas. That is, SwitchB translates Type 7 LSAs
into Type 5 LSAs. This is because OSPF selects the ABR with a larger router ID as
an LSA translator.
Step 6 Configure SwitchA as an LSA translator.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa translator-always
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0
The command output shows that the AS external routes imported into the NSSA
are advertised by SwitchA to other areas. That is, SwitchA translates Type 7 LSAs
into Type 5 LSAs.
NOTE
By default, the new LSA translator works with the previous LSA translator to translate LSAs
for 40 seconds. After 40 seconds, only the new LSA translator translates LSAs.
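The two examples above (stub, totally stub and NSSA areas) turn on which LSA types an area admits and which ABR translates Type 7 LSAs. The following model, added here as an illustration and not Huawei code, reproduces the Intra Area / Inter Area / ASE counts shown for SwitchC and the translator election between SwitchA and SwitchB; the class and function names are this example's own.

```python
"""Model of how OSPF area types filter LSAs, how that changes the routing
table of an internal router (the Intra Area / Inter Area / ASE counts of
display ospf routing), and how the NSSA translator is elected.
Added example for the stub-area and NSSA sections; not Huawei code.
"""
from dataclasses import dataclass

# LSA types named on the page.
ROUTER_LSA, NETWORK_LSA, SUMMARY_LSA, ASBR_SUMMARY_LSA = 1, 2, 3, 4
AS_EXTERNAL_LSA, NSSA_EXTERNAL_LSA = 5, 7


@dataclass(frozen=True)
class Area:
    area_id: str
    kind: str = "normal"       # "normal", "stub" or "nssa"
    no_summary: bool = False   # "totally" variant: ABR withholds Type 3 LSAs


@dataclass(frozen=True)
class Abr:
    router_id: str
    translator_always: bool = False   # nssa translator-always configured


def admits(area: Area, lsa_type: int) -> bool:
    """True if an LSA of this type may be flooded into `area`."""
    if area.area_id == "0.0.0.0" and area.kind != "normal":
        raise ValueError("the backbone area cannot be a stub area or an NSSA")
    if lsa_type in (ROUTER_LSA, NETWORK_LSA):
        return True                       # always present in every area
    if area.kind == "normal":
        return lsa_type in (SUMMARY_LSA, ASBR_SUMMARY_LSA, AS_EXTERNAL_LSA)
    if area.kind == "stub":
        # Type 5 never enters; Type 3 enters unless the area is totally stub.
        return lsa_type == SUMMARY_LSA and not area.no_summary
    if area.kind == "nssa":
        if lsa_type == NSSA_EXTERNAL_LSA:
            return True                   # Type 7 from the NSSA's own ASBR
        return lsa_type == SUMMARY_LSA and not area.no_summary
    raise ValueError(f"unknown area kind {area.kind!r}")


def abr_injects_default(area: Area) -> bool:
    """The ABR of a stub area (and of a totally NSSA) originates a Type 3
    default route so the area still reaches external networks."""
    return area.kind == "stub" or (area.kind == "nssa" and area.no_summary)


def route_counts(area: Area, intra: int = 1, inter: int = 1,
                 external: int = 1, nssa_external: int = 0) -> dict:
    """Routes an internal router of `area` installs, grouped as in the
    display ospf routing summary line, given how many routes of each kind
    exist elsewhere in the AS."""
    inter_installed = inter if admits(area, SUMMARY_LSA) else 0
    if abr_injects_default(area):
        inter_installed += 1              # the default route is a Type 3 route
    ase = external if admits(area, AS_EXTERNAL_LSA) else 0
    nssa = nssa_external if admits(area, NSSA_EXTERNAL_LSA) else 0
    return {"Intra Area": intra, "Inter Area": inter_installed,
            "ASE": ase, "NSSA": nssa,
            "Total Nets": intra + inter_installed + ase + nssa}


def elect_translators(abrs) -> set:
    """ABRs of an NSSA that translate Type 7 LSAs into Type 5 LSAs: every
    ABR configured with translator-always; otherwise the ABR with the
    largest router ID, as the SwitchA/SwitchB example shows."""
    forced = {a.router_id for a in abrs if a.translator_always}
    if forced:
        return forced

    def key(a):
        return tuple(int(octet) for octet in a.router_id.split("."))
    return {max(abrs, key=key).router_id}


if __name__ == "__main__":
    # Area 1 of the stub example as seen from SwitchC: the AS holds one
    # intra-area, one inter-area and one external (10.0.0.0/8) route.
    for area in (Area("0.0.0.1"), Area("0.0.0.1", "stub"),
                 Area("0.0.0.1", "stub", no_summary=True)):
        label = area.kind + (" no-summary" if area.no_summary else "")
        print(label, route_counts(area))
    # NSSA example: SwitchB (10.2.2.2) wins by router ID until SwitchA
    # (10.1.1.1) is configured with translator-always.
    print(elect_translators([Abr("10.1.1.1"), Abr("10.2.2.2")]))
    print(elect_translators([Abr("10.1.1.1", True), Abr("10.2.2.2")]))
```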
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
area 0.0.0.1
network 192.168.3.0 0.0.0.255
nssa translator-always
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
port link-type trunk
Configuration Notes
● The maximum number of equal-cost routes for load balancing can be
configured using the maximum load-balancing command.
● To cancel load balancing, you can set the maximum number of equal-cost
routes to 1.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-130, four switches all belong to Area 0 on the OSPF network.
Load balancing needs to be configured so that the traffic from SwitchA is sent to
SwitchD through both SwitchB and SwitchC.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Figure 3-130 Networking diagram for configuring load balancing among OSPF
routes
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement basic
connections on the OSPF network.
2. Configure load balancing on SwitchA.
Procedure
Step 1 Configure VLANs to which each interface belongs.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 50
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 50
[SwitchA-GigabitEthernet1/0/3] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.10.10.4
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
As shown in the routing table, the two routes from SwitchA with next hops 10.1.1.2
(SwitchB) and 10.1.2.2 (SwitchC) are both valid, so traffic is load balanced over them.
If you do not want to implement load balancing between SwitchB and SwitchC,
set the weight of the equal-cost routes to specify the preferred next hop.
[SwitchA] ospf 1
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1 //Specify the weight parameter to set the priority of equal-
cost routes. The default weight value is 255. A larger weight value indicates a lower priority.
[SwitchA-ospf-1] quit
As shown in the routing table, after the weight is set for the equal-cost routes, the
next hop 10.1.2.2 (SwitchC) with weight 1 has a higher priority than 10.1.1.2
(SwitchB). OSPF therefore selects the route with the next hop 10.1.2.2 as the
optimal route.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 50
#
ospf 1 router-id 10.10.10.1
nexthop 10.1.2.2 weight 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.3
area 0.0.0.0
Any link fault or topology change on the network will cause the device to
recalculate routes. If the OSPF detection mechanism is used, the route
recalculation time is the OSPF protocol convergence time. In this case, OSPF
detects faults in seconds. In high-speed data transmission, for example, at gigabit
rates, a detection time longer than one second results in the loss of a large
amount of data. In delay-sensitive services such as voice, a delay longer than one
second is unacceptable. When an OSPF network requires high reliability or the
services running on the network are delay-sensitive, BFD for OSPF can be
configured. BFD detects a fault on the link between neighbors within milliseconds
and notifies OSPF, which speeds up OSPF network convergence.
Configuration Notes
● BFD needs to be configured on the two ends between which the OSPF
neighbor relationship is established.
● The two ends that establish BFD sessions must be located in the same
network segment and in the same OSPF area.
● The ospf bfd enable and ospf bfd block commands are mutually exclusive
and cannot be enabled at the same time.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-131, OSPF runs among SwitchA, SwitchB, and SwitchC, and
the switch between SwitchA and SwitchB only provides the transparent
transmission function. SwitchA and SwitchB need to quickly detect the status of
the link between them. When the link SwitchA->SwitchB is faulty, services can be
quickly switched to the backup link SwitchA->SwitchC->SwitchB.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on SwitchA, SwitchB, and SwitchC to
implement basic connections on the OSPF network.
2. Configure BFD for OSPF on SwitchA, SwitchB, and SwitchC so that services
can be quickly switched to the backup link when the link between SwitchA
and SwitchB is faulty.
Procedure
Step 1 Configure VLANs to which each interface belongs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are the same as
the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# After the preceding configurations, run the display ospf peer command. The
neighbor relationships are set up among SwitchA, SwitchB, and SwitchC. The
command output of SwitchA is used as an example.
[SwitchA] display ospf peer
Neighbors
# Check the OSPF routing table on SwitchA. You can see the routing entries to
SwitchB and SwitchC. However, the next-hop address of the route to the
destination network segment 172.16.1.0/24 is 10.3.3.2, which indicates that the
traffic is transmitted on the link SwitchA→SwitchB.
[SwitchA] display ospf routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
# After the preceding configurations, run the display ospf bfd session all
command on SwitchA, SwitchB, or SwitchC. The peer BFD session is Up. The
command output of SwitchA is used as an example.
[SwitchA] display ospf bfd session all
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.1
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.3.0 0.0.0.255
#
return
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.2
bfd all-interfaces enable
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
Configuration Notes
● If a device does not have the ARP entry that matches the specified next-hop
IP address, the device triggers ARP learning. If the device cannot learn the
ARP entry, packets are forwarded along the previous forwarding path without
being redirected.
● If multiple next-hop IP addresses are configured using the redirect ip-nexthop
or redirect ipv6-nexthop command, the device redirects packets in
active/standby link mode. That is, the device determines active and standby
links according to the sequence in which next-hop IP addresses were
configured. The first configured next-hop IP address has the highest priority
and its link functions as the active link, while links of other next-hop IP
addresses function as standby links. When the active link is Down, the
standby link of the second-highest-priority next-hop IP address is selected as
the new active link.
● If multiple next-hop IP addresses are configured using the redirect ip-multihop
or redirect ipv6-multihop command, the device redirects packets
in equal-cost route load balancing mode.
● This example applies to the following products:
– S2752EI: V100R005 and V100R006
– S2720-EI: V200R011C10 and later versions
– S3700-SI, S3700-EI, S3700-HI
– S5700-SI, S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI,
S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI,
S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S,
S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M,
S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-132, an enterprise network is dual-homed to two external
network devices through the Switch. One uplink is a high-speed link with the
gateway at 10.1.20.1/24, and the other is a low-speed link with the gateway at
10.1.30.1/24.
The enterprise intranet has two network segments: 192.168.1.0/24 and
192.168.2.0/24. Network segment 192.168.1.0/24 belongs to the server zone and
requires high link bandwidth. Therefore, traffic of this network segment needs to
be transmitted on the high-speed link. Network segment 192.168.2.0/24 is used
for Internet access and traffic of this network segment is transmitted on the low-
speed link.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, configure interfaces, and configure routes to connect enterprise
users to the external network.
2. Configure ACLs to match data flows of network segments 192.168.1.0 and
192.168.2.0.
3. Create traffic classifiers and reference the ACLs to differentiate packets.
4. Configure traffic behaviors to transmit data traffic matching different ACLs on
different links and allow traffic transmitted between the intranet users to pass
through first.
5. Configure a traffic policy, bind the traffic classifiers and traffic behaviors to it,
and apply it to the inbound direction of GE1/0/3 on the Switch to implement
PBR.
Procedure
Step 1 Create VLANs, configure interfaces, and configure routes for interworking.
# Create VLANs 10 and 20 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
# On SwitchA, set the link type of the interfaces connected to the PCs to access and
the link type of the interface connected to the Switch to trunk, and add the interfaces to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit
# On the Switch, set the link type of the interface connected to SwitchA to trunk
and the link type of the interfaces connected to the external network devices to
access, and add the interfaces to VLANs.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet1/0/3] quit
# On the Switch, configure VLANIF10 and VLANIF20 as user gateways and assign
IP addresses 192.168.1.1/24 and 192.168.2.1/24 to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit
# On the Switch, configure VLANIF 100 and VLANIF 200 to connect to the external
network devices and assign IP addresses 10.1.20.2/24 and 10.1.30.2/24 to them,
respectively.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit
# On the Switch, configure two default routes and set their next-hop IP addresses
to IP addresses of the two external network devices.
[Switch] ip route-static 0.0.0.0 0 10.1.20.1
[Switch] ip route-static 0.0.0.0 0 10.1.30.1
After the preceding configuration is complete, intranet users can access the
external network. To ensure that data flows of network segments 192.168.1.0/24
and 192.168.2.0/24 are transmitted on the high-speed link and low-speed link
respectively, perform the following configurations.
[Switch] acl 3000 //This ACL is used to match data traffic between two network segments of the intranet.
The data traffic does not need to be redirected. If this configuration is not performed, traffic between the
network segments will be redirected. As a result, communication between the network segments will fail.
[Switch-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl 3001 //Match data traffic of the intranet network segment 192.168.1.0/24.
[Switch-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] acl 3002 //Match data traffic of the intranet network segment 192.168.2.0/24.
[Switch-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3002] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# On the Switch, create a traffic policy p1 and bind the traffic classifiers and
traffic behaviors to this traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c0 behavior b0
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
# Apply the traffic policy p1 to the inbound direction of GE1/0/3 on the Switch.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/3] return
Classifier: c0
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3000
Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3001
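The order of the classifiers in policy p1 is what keeps traffic between the two intranet segments from being redirected out of the high-speed uplink. The following simulation, added here as an illustration and not Huawei code, walks sample packets through ACLs 3000 to 3002 and behaviors b0 to b2 in configuration order; the ACL, FIB and policy structures are this example's own simplification, and POLICY_WITHOUT_C0 is a constructed misconfiguration that shows the failure the ACL 3000 comment warns about.

```python
"""Simulation of the PBR traffic policy configured above: ACLs 3000-3002,
classifiers c0-c2 with behaviors b0-b2, applied with match-order config so
the first matching classifier wins. Added example, not Huawei code; the
ACL, FIB and policy structures are this example's own simplification.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    source: str                      # network in CIDR form
    destination: str = "0.0.0.0/0"   # omitted destination matches anything


@dataclass(frozen=True)
class Behavior:
    redirect_ip_nexthop: Optional[str] = None   # None means plain permit


# ACLs from the page, with wildcard masks written as CIDR prefixes.
ACL_3000 = [AclRule("192.168.1.0/24", "192.168.2.0/24"),
            AclRule("192.168.2.0/24", "192.168.1.0/24")]
ACL_3001 = [AclRule("192.168.1.0/24")]
ACL_3002 = [AclRule("192.168.2.0/24")]

B0 = Behavior()                  # permit: keep the routed path
B1 = Behavior("10.1.20.1")       # redirect to the high-speed link
B2 = Behavior("10.1.30.1")       # redirect to the low-speed link

# Policy p1 in configuration order (precedence 5, 10, 15).
POLICY_P1 = [("c0", ACL_3000, B0), ("c1", ACL_3001, B1), ("c2", ACL_3002, B2)]
# Constructed misconfiguration: c0 omitted, so intranet-to-intranet traffic
# also matches c1 or c2 and is redirected to an external gateway.
POLICY_WITHOUT_C0 = POLICY_P1[1:]

# Constructed FIB of the Switch: (prefix, next hop). The two default static
# routes form an ECMP pair, reported here as a single entry.
FIB = [("192.168.1.0/24", "Vlanif10"),
       ("192.168.2.0/24", "Vlanif20"),
       ("0.0.0.0/0", "ECMP(10.1.20.1, 10.1.30.1)")]


def acl_matches(rules: List[AclRule], src: str, dst: str) -> bool:
    """True if any rule of the ACL permits this source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(r.source)
               and d in ipaddress.ip_network(r.destination) for r in rules)


def fib_lookup(dst: str) -> str:
    """Longest-prefix match over the constructed FIB."""
    d = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(prefix), nexthop)
                  for prefix, nexthop in FIB if d in ipaddress.ip_network(prefix)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def forward(policy, src: str, dst: str) -> str:
    """Next hop chosen for a packet entering GE1/0/3 with the policy applied
    inbound. The first classifier whose ACL matches decides: a behavior with
    redirect ip-nexthop overrides the routing table, a plain permit does not."""
    for _name, rules, behavior in policy:
        if acl_matches(rules, src, dst):
            return behavior.redirect_ip_nexthop or fib_lookup(dst)
    return fib_lookup(dst)   # no classifier matched: normal forwarding


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation address.
    flows = [("192.168.1.10", "192.168.2.10"),   # server zone to user zone
             ("192.168.1.10", "203.0.113.5"),    # server zone to Internet
             ("192.168.2.10", "203.0.113.5")]    # user zone to Internet
    for src, dst in flows:
        print(f"p1:        {src} -> {dst}: via {forward(POLICY_P1, src, dst)}")
        print(f"without c0: {src} -> {dst}: via {forward(POLICY_WITHOUT_C0, src, dst)}")
```

With c0 in place the intranet flow stays on Vlanif20; without it the same flow is sent to 10.1.20.1, which is the breakage the ACL 3000 comment describes.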
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 100 200
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c0 operator or precedence 5
if-match acl 3000
traffic classifier c1 operator or precedence 10
if-match acl 3001
traffic classifier c2 operator or precedence 15
if-match acl 3002
#
traffic behavior b0
permit
traffic behavior b1
permit
redirect ip-nexthop 10.1.20.1
traffic behavior b2
permit
redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
classifier c0 behavior b0
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
ip route-static 0.0.0.0 0.0.0.0 10.1.30.1
#
return
Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-133:
● CE1 connects to the headquarters R&D area of a company, and CE3 connects
to the branch R&D area. CE1 and CE3 belong to vpna.
● CE2 connects to the headquarters non-R&D area, and CE4 connects to the
branch non-R&D area. CE2 and CE4 belong to vpnb.
Configuration Roadmap
The configuration roadmap is as follows:
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to
establish MPLS LSP tunnels for VPN data transmission on the backbone
network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target
of vpna to 111:1 and the VPN target of vpnb to 222:2. This configuration
allows users in the same VPN to communicate with each other and isolates
users on different VPNs. Bind the PE interfaces connected to CEs to the
corresponding VPN instances to provide access for VPN users.
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and P can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 50
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command.
The command output shows that the Status field is Operational. Run the display
mpls ldp lsp command. Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
Step 3 Configure VPN instances on PEs and bind the interfaces connected to CEs to the
VPN instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit
NOTE
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address
with -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command when pinging a remote CE. If no source IP address is specified, the
ping fails.
Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes
into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configurations on
CE2, CE3, and CE4 are similar to the configuration on CE1 and are not mentioned
here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration on PE2 is similar and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on the PEs. The command output shows that the BGP peer relationships
between the PEs and CEs are in Established state.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
Step 5 Establish an MP-IBGP peer relationship between the PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that the BGP peer
relationship between the PEs is in Established state.
[PE1] display bgp peer
Run the display ip routing-table vpn-instance command on the PEs to view the
routes to the remote CEs.
CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
For example, CE1 connecting to the headquarters R&D area can ping CE3
connecting to the branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to
the branch non-R&D area at 10.4.1.1.
----End
Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
● Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● Configuration file of CE2 connecting to the headquarters non-R&D area
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
● Configuration file of CE3 connecting to the branch R&D area
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
MCE Overview
A multi-VPN-instance customer edge (MCE) device can function as a CE device for
multiple VPN instances in BGP/MPLS IP VPN networking. This differs from the
traditional BGP/MPLS IP VPN architecture, which requires each VPN instance to
use a CE device to connect to a PE device.
MCE is suitable when users on a private network need to be divided into multiple
VPNs or when services of users in different VPNs must be completely isolated.
Deploying a CE device for each VPN increases the cost of device procurement and
maintenance. On the other hand, if multiple VPNs share one CE device, data
security cannot be ensured because all the VPNs use the same routing table.
An MCE device creates and maintains an independent VRF for each VPN, which
ensures data security between different VPNs while reducing network construction
and maintenance costs. The multi-VRF application isolates the forwarding paths of
different VPNs on the private network and advertises the routes of each VPN to the
peer PE device, ensuring that VPN packets are correctly transmitted over the public
network.
Configuration Notes
● In V100R006C05, only the S3700-EI supports the MCE function.
In other versions, all the switch models except the S5700-SI, S5710-C-LI,
S5710-X-LI, S5700S-LI, S5700-LI, and S2750-EI support the MCE function.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
The headquarters and branches of a company need to communicate through
MPLS VPN, and two services of the company must be isolated. To reduce
hardware costs, the company wants the branch to connect to the PE through just
one CE.
As shown in Figure 3-134, the networking requirements are as follows:
● CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2
belongs to vpnb.
● The MCE connects to vpna and vpnb of the branch through SwitchA and
SwitchB.
Users in the same VPN need to communicate with each other, whereas users in
different VPNs must be isolated.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between PEs so that they can communicate and configure
MP-IBGP to exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP
LSPs.
3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and
import BGP routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and
PE2.
Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces
and loopback interfaces according to Figure 3-134.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 172.1.1.2 24
[PE2-Vlanif30] quit
# Configure CE1. The configurations on CE2, SwitchA, and SwitchB are similar to the
configuration on CE1 and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
Step 2 Configure OSPF on the PEs so that they can learn each other's Loopback1 address.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, the PEs have learned each other's Loopback1
address through OSPF.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command
on the PEs. The command output shows that the MPLS LDP session between the
PEs is in Operational state.
The information displayed on PE2 is used as an example.
[PE2] display mpls ldp session
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1
and CE2 to the VPN instances respectively. On PE2, bind the interface connected to
the MCE to the VPN instances.
# Configure PE1.
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both //Add the RT 111:1 to routes exported from
the VPN instance vpna to MP-BGP, and import into vpna only the routes that carry the RT 111:1.
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna //Bind the interface to vpna.
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] vlan batch 100 200
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet2/0/0] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.5.1.1 24
[PE2-Vlanif100] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip binding vpn-instance vpnb
[PE2-Vlanif200] ip address 10.6.1.1 24
[PE2-Vlanif200] quit
Step 5 Configure VPN instances on the MCE and bind the interfaces connected to
SwitchA and SwitchB to the VPN instances respectively.
# Configure MCE.
<HUAWEI> system-view
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70 100 200
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 200
[MCE-GigabitEthernet1/0/0] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] port link-type trunk
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] port link-type trunk
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE-GigabitEthernet4/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
[MCE] interface vlanif 100
[MCE-Vlanif100] ip binding vpn-instance vpna
[MCE-Vlanif100] ip address 10.5.1.2 24
[MCE-Vlanif100] quit
[MCE] interface vlanif 200
[MCE-Vlanif200] ip binding vpn-instance vpnb
[MCE-Vlanif200] ip address 10.6.1.2 24
[MCE-Vlanif200] quit
Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer
relationship between PE1 and CE1, and between PE1 and CE2.
# Configure PE1. The MP-IBGP configuration on PE2 is similar to that on PE1 and is not
mentioned here. PE2 has no EBGP peers; it exchanges routes with the MCE through OSPF
multi-instance (Step 8).
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command
on PE1. The command output shows that PE1 has established an IBGP peer
relationship with PE2 and EBGP peer relationships with CE1 and CE2. The peer
relationships are in Established state.
[PE1] display bgp vpnv4 all peer
Step 7 Configure routing between the MCE and the VPN sites: a static route for the vpna
site (SwitchA) and RIP for the vpnb site (SwitchB).
● Configure SwitchA and the MCE for vpna.
Assign IP address 192.168.1.1/24 to the SwitchA interface connected to vpna. The
configuration is not provided here.
[SwitchA] vlan batch 60
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 60
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.3.1.1 24
[SwitchA-Vlanif60] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
# On the MCE, configure a static route to the vpna site. The route is installed in the
routing table of vpna only.
[MCE] ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
● Configure SwitchB and the MCE for vpnb.
Assign IP address 192.168.2.1/24 to the SwitchB interface connected to vpnb. The
configuration is not provided here.
[SwitchB] vlan batch 70
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit
# On the MCE, run RIP in vpnb. The RIP process is bound to the VPN instance, so the
routes it learns stay in the routing table of vpnb.
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] quit
After the configuration is complete, run the display ip routing-table vpn-instance vpnb
command on the MCE. The command output shows that the MCE has learned the route to
192.168.2.0/24 through RIP. This route and the static route to vpna (192.168.1.0/24) are
maintained in different VPN routing tables, so users in the two VPNs are isolated from
each other.
Step 8 Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.
NOTE
To configure OSPF multi-instance between the MCE and PE2, complete the following tasks
on PE2:
● In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
● In the BGP view, import routes of the OSPF processes and advertise the VPN routes of
the MCE to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between the PE and MCE, so
that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between the PE and MCE, so
that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds the VPNv4 prefix to
routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds the VPNv4 prefix to
routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit
[PE2-bgp] quit
# Configure the MCE. Each OSPF process runs in its own VPN instance and redistributes only
the site routes of that instance.
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] import-route static //Advertise the static route to the vpna site (192.168.1.0/24) to PE2.
[MCE-ospf-100] vpn-instance-capability simple //Disable OSPF routing-loop detection. PE2 sets the DN bit in
the routes it redistributes from BGP, and a CE-side OSPF process would otherwise discard them.
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] import-route rip 200 //Advertise the RIP routes of the vpnb site to PE2.
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] import-route ospf 200 //Advertise the vpnb routes learned from PE2 to SwitchB.
[MCE-rip-200] quit
Run the display ip routing-table vpn-instance command on the PEs to view the
routes to the remote CEs. The VPN instance vpna on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5
CE1 and SwitchA can communicate with each other. CE2 and SwitchB can
communicate with each other. The information displayed on CE1 is used as an
example.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=11 ms
CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB. The ping
from CE1 to SwitchB is used as an example.
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
----End
Configuration Files
● CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 30 100 200
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.5.1.1 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.6.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.6.1.0 0.0.0.255
#
return
● MCE configuration file
#
sysname MCE
#
vlan batch 60 70 100 200
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.5.1.2 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.6.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet4/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 10.4.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 60
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return
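Both examples above depend on the PE and MCE configuration files drawing the VPN boundary correctly: on a PE, vpna and vpnb stay separate only as long as neither instance imports a vpn-target the other exports, and on the MCE each OSPF or RIP process must redistribute only from processes bound to the same VPN instance. As an added example that is not part of the Huawei guide, the following Python script reviews configuration files in the format shown in this section for exactly those two mistakes. The embedded configurations are constructed to mirror PE1 and the MCE above and then altered with one deliberate error each; the function names are mine.

```python
"""Static VRF-isolation checks for Huawei VRP-style BGP/MPLS IP VPN configuration files.

Added example, not part of the Huawei guide. It flags a vpn-target exported by one VPN
instance and imported by another on the same PE, and an IGP process that redistributes
from a process bound to a different VPN instance (the per-VRF boundary an MCE must keep).
"""
import re
from itertools import permutations

_VPN_HDR = re.compile(r"^ip vpn-instance (\S+)$")
_RT = re.compile(r"^vpn-target (\S+)(?: (export-extcommunity|import-extcommunity|both))?$")
_PROC_HDR = re.compile(r"^(ospf|rip|isis) (\d+)(?: router-id \S+)?(?: vpn-instance (\S+))?$")
_IMPORT = re.compile(r"^import-route (ospf|rip|isis) (\d+)")


def parse_blocks(config):
    """Split a VRP config into (header, [body lines]) sections delimited by '#' lines."""
    blocks, body = [], None
    for raw in config.splitlines():
        line = raw.strip()  # nested '#' separators inside e.g. 'bgp 100' are indented
        if not line or line in ("#", "return"):
            body = None
        elif body is None:
            body = []
            blocks.append((line, body))
        else:
            body.append(line)
    return blocks


def rt_leaks(config):
    """(src_vpn, dst_vpn, rt) for each RT that dst imports and src exports: MP-BGP then
    installs src's routes into dst's VRF and the two VPNs are no longer isolated."""
    exp, imp = {}, {}
    for header, body in parse_blocks(config):
        m = _VPN_HDR.match(header)
        if not m:
            continue
        name = m.group(1)
        exp.setdefault(name, set())
        imp.setdefault(name, set())
        for rt in filter(None, map(_RT.match, body)):
            value, mode = rt.group(1), rt.group(2) or "both"  # bare vpn-target means both
            if mode != "import-extcommunity":
                exp[name].add(value)
            if mode != "export-extcommunity":
                imp[name].add(value)
    return [(s, d, rt) for s, d in permutations(sorted(exp), 2)
            for rt in sorted(exp[s] & imp[d])]


def redistribution_leaks(config):
    """(importing process, its VPN, source process, source VPN) for each IGP process that
    imports from a process in another VPN instance (None = public table) or from none."""
    blocks = parse_blocks(config)
    proc_vpn = {(m.group(1), m.group(2)): m.group(3)
                for m in filter(None, (_PROC_HDR.match(h) for h, _ in blocks))}
    findings = []
    for header, body in blocks:
        m = _PROC_HDR.match(header)
        if not m:
            continue
        me, my_vpn = (m.group(1), m.group(2)), m.group(3)
        for i in filter(None, map(_IMPORT.match, body)):
            src = (i.group(1), i.group(2))
            if src not in proc_vpn or proc_vpn[src] != my_vpn:
                findings.append((" ".join(me), my_vpn, " ".join(src), proc_vpn.get(src)))
    return findings


# Constructed samples modelled on PE1 and the MCE in this section (not captured output).
PE1_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
# One stray import RT on vpnb: every route vpna exports now lands in vpnb as well.
PE1_LEAKY = PE1_CONFIG.replace(
    "vpn-target 222:2 import-extcommunity",
    "vpn-target 222:2 import-extcommunity\n  vpn-target 111:1 import-extcommunity")

MCE_CONFIG = """\
#
ospf 100 vpn-instance vpna
 import-route static
#
ospf 200 vpn-instance vpnb
 import-route rip 200
#
rip 200 vpn-instance vpnb
 import-route ospf 200
#
"""
# RIP 200 created in the wrong VPN instance: vpnb's OSPF would now pull in vpna's routes.
MCE_LEAKY = MCE_CONFIG.replace("rip 200 vpn-instance vpnb", "rip 200 vpn-instance vpna")
```

Feed it the output of display current-configuration from each PE and the MCE; empty results from both checks mean the RT and redistribution boundaries match the roadmap. It does not look inside the bgp view, so an import-route or a route-policy under ipv4-family vpn-instance still needs a manual review, and on the MCE the vpn-instance-capability simple command disables OSPF loop detection, which makes that review the only safeguard against a redistribution mistake.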
Configuration Notes
● If multicast VPN in multicast domain (MD) mode is used on switches, the
PIM-SM SSM model cannot be used on the public network.
● Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
● Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
● Interfaces on the following interface cards cannot be configured as member
interfaces of Eth-Trunk multicast loopback interfaces:
– V200R001 to V200R003: ES0D0G24SA00, ES0D0G24CA00,
ES0D0X12SA00, ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for
the S7700; EH1D2G24SSA0, EH1D2S24CSA0, EH1D2X12SSA0,
EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
– V200R005 to V200R009: X1E series, ES0D0G24SA00, ES0D0G24CA00,
ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700; X1E
series, EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
● This example applies to the following products and versions:
– S5700-HI: V200R005(C01&C02)
– S5710-HI: V200R005C02
– S5720-HI, S5720-EI, S6720-EI, S6720S-EI: V200R010C00 and later versions
– S6720S-EI: V200R010C00 and later versions
– S6720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S6730-H, S6730S-H, S6730-S, S6730S-S: For the applicable versions, see
Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
NOTE
Networking Requirements
As shown in Figure 3-135, a company deploys two services whose data is
transmitted in multicast mode. VPN site blue uses service A and VPN site white
uses service B; both connect to the backbone network through the MCE devices.
Multicast VPN in MD mode can be deployed to meet the company's multicast service
requirements. This configuration isolates the data of the two services from each
other and reduces the multicast traffic load on the public network.
Configuration Roadmap
The configuration roadmap is as follows:
3. Enable multicast routing and PIM on all the devices. Configure the multicast
function in the public network between the PE and P devices. Configure the
multicast function in the VPN instances between PE and MCE devices, and
between the MCE and CE devices.
Procedure
Step 1 Configure BGP/MPLS IP VPN.
1. Configure the Open Shortest Path First (OSPF) protocol on the backbone
network to allow communication between the provider edge devices (PE1 and
PE2) and intermediate device P.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 0 //Create a loopback interface.
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] router id 1.1.1.1 //Set the router ID of PE1 to 1.1.1.1 for route management.
[PE1] vlan batch 30
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 30 //Create a VLANIF interface.
[PE1-Vlanif30] ip address 10.1.3.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.3.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
The configurations on P and PE2 are similar to that of PE1 and are not
described here.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1 //Set the LSR ID of PE1 to 1.1.1.1.
[PE1] mpls //Enable MPLS globally.
[PE1-mpls] quit
[PE1] mpls ldp //Enable MPLS LDP globally.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls //Enable MPLS on the VLANIF interface.
[PE1-Vlanif30] mpls ldp //Enable MPLS LDP on the VLANIF interface.
[PE1-Vlanif30] quit
The configurations on P and PE2 are similar to that of PE1 and are not
described here.
After the configuration is complete, LDP sessions can be set up between PE1
and P and between P and PE2. Run the display mpls ldp session command
on the PE and P devices to confirm that each LDP session is in the
Operational state.
3. Establish a Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationship between the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100 //Create BGP peer 3.3.3.3 and set its AS number to 100.
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0 //Specify LoopBack0 as the source interface
to send BGP packets to BGP peer 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable //Enable the local switch to exchange BGP-VPNv4 routes
with BGP peer 3.3.3.3.
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100 //Create BGP peer 1.1.1.1 and set its AS number to 100.
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 0 //Specify LoopBack0 as the source interface
to send BGP packets to 1.1.1.1.
[PE2-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable //Enable the local switch to exchange BGP-VPNv4 routes
with BGP peer 1.1.1.1.
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer
command on the PE devices. You can see that a BGP peer relationship has
been set up between PE1 and PE2 and is in Established state.
4. Create VPN instances blue and white on the provider edge devices PE1 and
PE2 and on the branch aggregation egress devices MCE1 and MCE2, so that
each service site's egress CE connects to the PE devices through the MCE devices.
# Configure PE1.
[PE1] ip vpn-instance blue //Create VPN instance blue.
[PE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white //Create VPN instance white.
[PE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target list
and import VPN target list of VPN instance white.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF10 so that
VLANIF10 becomes a private network interface of VPN instance blue.
[PE1-Vlanif10] ip address 10.1.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to VLANIF20 so that
VLANIF20 becomes a private network interface of VPN instance white.
[PE1-Vlanif20] ip address 10.1.2.1 24
[PE1-Vlanif20] quit
# Configure MCE1.
[MCE1] ip vpn-instance blue //Create VPN instance blue.
[MCE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[MCE1-vpn-instance-blue-af-ipv4] quit
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white //Create VPN instance white.
[MCE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target
list and import VPN target list of VPN instance white.
[MCE1-vpn-instance-white-af-ipv4] quit
[MCE1-vpn-instance-white] quit
[MCE1] vlan batch 10 20 100 200
[MCE1] interface gigabitethernet 1/0/0
[MCE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[MCE1-GigabitEthernet1/0/0] quit
[MCE1] interface gigabitethernet 1/0/1
[MCE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[MCE1-GigabitEthernet1/0/1] quit
[MCE1] interface gigabitethernet 1/0/2
[MCE1-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[MCE1-GigabitEthernet1/0/2] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF10 so that
VLANIF10 becomes a private network interface of VPN instance blue.
[MCE1-Vlanif10] ip address 10.1.1.2 24
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to VLANIF20 so that
VLANIF20 becomes a private network interface of VPN instance white.
[MCE1-Vlanif20] ip address 10.1.2.2 24
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF100 so that
VLANIF100 becomes a private network interface of VPN instance blue.
[MCE1-Vlanif100] ip address 192.168.1.1 24
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] ip binding vpn-instance white //Bind VPN instance white to VLANIF200 so that
VLANIF200 becomes a private network interface of VPN instance white.
[MCE1-Vlanif200] ip address 192.168.2.1 24
[MCE1-Vlanif200] quit
# Configure PE2.
[PE2] ip vpn-instance blue //Create VPN instance blue.
[PE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[PE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white //Create VPN instance white.
[PE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[PE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target list
and import VPN target list of VPN instance white.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
[PE2] vlan batch 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF50 so that
VLANIF50 becomes a private network interface of VPN instance blue.
[PE2-Vlanif50] ip address 10.1.5.1 24
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to VLANIF60 so that
VLANIF60 becomes a private network interface of VPN instance white.
[PE2-Vlanif60] ip address 10.1.6.1 24
[PE2-Vlanif60] quit
# Configure MCE2.
[MCE2] ip vpn-instance blue //Create VPN instance blue.
[MCE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[MCE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[MCE2-vpn-instance-blue-af-ipv4] quit
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white //Create VPN instance white.
[MCE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[MCE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target
list and import VPN target list of VPN instance white.
[MCE2-vpn-instance-white-af-ipv4] quit
[MCE2-vpn-instance-white] quit
[MCE2] vlan batch 50 60 300 400
[MCE2] interface gigabitethernet 1/0/0
[MCE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[MCE2-GigabitEthernet1/0/0] quit
[MCE2] interface gigabitethernet 1/0/1
[MCE2-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[MCE2-GigabitEthernet1/0/1] quit
[MCE2] interface gigabitethernet 1/0/2
[MCE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[MCE2-GigabitEthernet1/0/2] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF50 so that
VLANIF50 becomes a private network interface of VPN instance blue.
[MCE2-Vlanif50] ip address 10.1.5.2 24
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to VLANIF60 so that
VLANIF60 becomes a private network interface of VPN instance white.
[MCE2-Vlanif60] ip address 10.1.6.2 24
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF300 so that
VLANIF300 becomes a private network interface of VPN instance blue.
[MCE2-Vlanif300] ip address 192.168.3.1 24
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] ip binding vpn-instance white //Bind VPN instance white to VLANIF400 so that
VLANIF400 becomes a private network interface of VPN instance white.
[MCE2-Vlanif400] ip address 192.168.4.1 24
[MCE2-Vlanif400] quit
5. Configure OSPF on the provider edge devices PE1 and PE2, branches'
aggregate egress devices MCE1 and MCE2, and each service site's egress CE.
Import VPN routes to the OSPF routing table.
# Configure PE1.
[PE1] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[PE1-ospf-2] import-route bgp //Import BGP routes.
[PE1-ospf-2] area 0
[PE1-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-2-area-0.0.0.0] quit
[PE1-ospf-2] quit
[PE1] ospf 3 vpn-instance white //Create an OSPF process to serve VPN instance white.
[PE1-ospf-3] import-route bgp //Import BGP routes.
[PE1-ospf-3] area 0
[PE1-ospf-3-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-3-area-0.0.0.0] quit
[PE1-ospf-3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family view of BGP-VPN
instance blue.
[PE1-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE1-bgp-blue] quit
[PE1-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family view of BGP-VPN
instance white.
[PE1-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE1-bgp-white] quit
[PE1-bgp] quit
# Configure MCE1.
[MCE1] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[MCE1-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE1-ospf-1] area 0
[MCE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.1.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] quit
[MCE1-ospf-1] quit
[MCE1] ospf 2 vpn-instance white //Create an OSPF process to serve VPN instance white.
[MCE1-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE1-ospf-2] area 0
[MCE1-ospf-2-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.2.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-2-area-0.0.0.0] quit
[MCE1-ospf-2] quit
# Configure PE2.
[PE2] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[PE2-ospf-2] import-route bgp //Import BGP routes.
[PE2-ospf-2] area 0
[PE2-ospf-2-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.5.0 network segment and that the interface belongs to Area 0.
[PE2-ospf-2-area-0.0.0.0] quit
[PE2-ospf-2] quit
[PE2] ospf 3 vpn-instance white //Create an OSPF process to serve VPN instance white.
[PE2-ospf-3] import-route bgp //Import BGP routes.
[PE2-ospf-3] area 0
[PE2-ospf-3-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.6.0 network segment and that the interface belongs to Area 0.
[PE2-ospf-3-area-0.0.0.0] quit
[PE2-ospf-3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family view of BGP-VPN
instance blue.
[PE2-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE2-bgp-blue] quit
[PE2-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family view of BGP-VPN
instance white.
[PE2-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE2-bgp-white] quit
[PE2-bgp] quit
# Configure MCE2.
[MCE2] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[MCE2-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE2-ospf-1] area 0
[MCE2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.5.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.3.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] quit
[MCE2-ospf-1] quit
[MCE2] ospf 2 vpn-instance white //Create an OSPF process to serve VPN instance white.
[MCE2-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE2-ospf-2] area 0
[MCE2-ospf-2-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.6.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.4.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] quit
[MCE2-ospf-2] quit
[CE4-ospf-1] area 0
[CE4-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.4.0 network segment and that the interface belongs to Area 0.
[CE4-ospf-1-area-0.0.0.0] network 192.168.14.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 192.168.14.0 network segment and that the interface belongs to Area 0.
[CE4-ospf-1-area-0.0.0.0] quit
[CE4-ospf-1] quit
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a multicast loopback
interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0 //Specify
239.1.1.1 as the Share-Group for VPN instance blue and bind it to multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to
use the address of Loopback0 as the default address.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10 //Specify
239.1.2.1 as the Share-Group for VPN instance white and bind it to multicast tunnel interface MTI10.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI
to use the address of Loopback0 as the default address.
Step 3 Configure the multicast function on the public and private networks.
1. Configure the multicast function on the public network.
Enable PIM-SM on the public network. Configure Loopback0 of the provider's
intermediate device P as a candidate bootstrap router (C-BSR) and candidate
rendezvous point (C-RP) on the public network.
# Configure PE1.
[PE1] multicast routing-enable //Enable multicast routing globally.
[PE1] interface vlanif 30
[PE1-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[PE1-Vlanif30] quit
[PE1] interface loopback 0
[PE1-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE1-LoopBack0] quit
# Configure PE2.
[PE2] multicast routing-enable //Enable multicast routing globally.
[PE2] interface vlanif 40
[PE2-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[PE2-Vlanif40] quit
[PE2] interface loopback 0
[PE2-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE2-LoopBack0] quit
# Configure P.
[P] multicast routing-enable //Enable multicast routing globally.
[P] interface vlanif 30
[P-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[P-Vlanif30] quit
[P] interface vlanif 40
[P-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[P-Vlanif40] quit
[P] interface loopback 0
[P-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[P-LoopBack0] quit
[P] pim
[P-pim] c-bsr loopback 0 //Configure Loopback0 as a C-BSR interface.
[P-pim] c-rp loopback 0 //Configure Loopback0 as a C-RP interface.
[PE1-pim-blue] quit
[PE1] pim vpn-instance white
[PE1-pim-white] c-bsr vlanif 20 //Configure VLANIF20 as a C-BSR interface for VPN instance white.
[PE1-pim-white] c-rp vlanif 20 //Configure VLANIF20 as a C-RP interface for VPN instance white.
[PE1-pim-white] quit
# Configure MCE1.
[MCE1] multicast routing-enable //Enable multicast routing globally.
[MCE1] ip vpn-instance blue
[MCE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance
blue.
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white
[MCE1-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance
white.
[MCE1-vpn-instance-white] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] pim sm //Enable PIM-SM on VLANIF20.
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] pim sm //Enable PIM-SM on VLANIF200.
[MCE1-Vlanif200] quit
# Configure PE2.
[PE2] interface vlanif 50
[PE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[PE2-Vlanif60] quit
# Configure MCE2.
[MCE2] multicast routing-enable //Enable multicast routing globally.
[MCE2] ip vpn-instance blue
[MCE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance
blue.
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white
[MCE2-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance
white.
[MCE2-vpn-instance-white] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[MCE2-Vlanif400] quit
----End
Configuration Files
● Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Eth-Trunk10
stp disable
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.3.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
pim vpn-instance blue
c-bsr Vlanif10
c-rp Vlanif10
#
pim vpn-instance white
c-bsr Vlanif20
c-rp Vlanif20
#
return
● Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
#
multicast routing-enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
return
● Configuration file of branches' aggregate egress MCE1
#
sysname MCE1
#
vlan batch 10 20 100 200
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif100
ip binding vpn-instance blue
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif200
ip binding vpn-instance white
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of branches' aggregate egress MCE2
#
sysname MCE2
#
vlan batch 50 60 300 400
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.2 255.255.255.0
pim sm
#
interface Vlanif60
multicast routing-enable
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif401
ip address 192.168.14.1 255.255.255.0
pim sm
igmp enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 401
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255
network 192.168.14.0 0.0.0.255
#
return
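The RD/RT, share-group and MTunnel settings in the configuration files above must agree on every device, and a slip on one device is easy to miss while the rest of the network looks healthy. As an added example that is not part of the Huawei guide, the following Python script parses the "#"-delimited configuration-file format shown above and checks VPN isolation: it flags an RT that one VPN instance imports while another exports it on the same device, an MTunnel bound to a different VPN instance than its share-group names, and RD/RT values that differ between devices. The PE1 and PE2 samples inside it are constructed from the guide's PE1 file, with two defects deliberately planted in PE2.

```python
from collections import defaultdict

def parse_vrp(text):
    """Split a VRP-style configuration file into its '#'-delimited blocks."""
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "return"):
            continue
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        else:
            cur.append(line)
    return blocks + ([cur] if cur else [])

def extract(text):
    """Collect sysname, VPN instances (RD, RTs, MTI binding) and interface VPN bindings."""
    dev = {"sysname": None, "vpn": {}, "intf": {}}
    for block in parse_vrp(text):
        head, body = block[0], block[1:]
        if head.startswith("sysname "):
            dev["sysname"] = head.split()[1]
        elif head.startswith("ip vpn-instance "):
            v = {"rd": None, "export": set(), "import": set(), "mti": None}
            for line in body:
                p = line.split()
                if p[0] == "route-distinguisher":
                    v["rd"] = p[1]
                elif p[0] == "vpn-target":  # e.g. "vpn-target 111:1 export-extcommunity"
                    v[p[2].split("-")[0]].add(p[1])
                elif p[0] == "multicast-domain" and "mtunnel" in p:
                    v["mti"] = p[p.index("mtunnel") + 1]
            dev["vpn"][head.split()[2]] = v
        elif head.startswith("interface "):
            bound = [l.split()[3] for l in body if l.startswith("ip binding vpn-instance ")]
            dev["intf"][head.split()[1]] = bound[0] if bound else None
    return dev

def check_devices(configs):
    """Return sorted isolation findings across a set of device configuration files."""
    devs, out, per_vpn = [extract(c) for c in configs], [], defaultdict(dict)
    for d in devs:
        for name, v in d["vpn"].items():
            per_vpn[name][d["sysname"]] = (v["rd"], frozenset(v["export"]), frozenset(v["import"]))
            # (1) the MTunnel named by the share-group must exist and be bound to this VPN instance
            if v["mti"] is not None and d["intf"].get(f"MTunnel{v['mti']}") != name:
                out.append(f"{d['sysname']}: MTunnel{v['mti']} is not bound to {name}")
        # (2) an RT that one instance imports and another exports merges the two VPNs
        names = sorted(d["vpn"])
        for k, a in enumerate(names):
            for b in names[k + 1:]:
                leak = (d["vpn"][a]["import"] & d["vpn"][b]["export"]) | (d["vpn"][b]["import"] & d["vpn"][a]["export"])
                if leak:
                    out.append(f"{d['sysname']}: {a} and {b} share RT {sorted(leak)} (VPNs not isolated)")
    # (3) RD and RTs of one VPN instance must agree on every device, or routes are silently dropped
    for name, by_dev in per_vpn.items():
        if len(set(by_dev.values())) > 1:
            out.append(f"{name}: RD/RT differ across {sorted(by_dev)}")
    return sorted(out)

# Constructed sample modelled on the guide's PE1 file (interfaces and addresses trimmed).
PE1_CFG = """\
#
sysname PE1
#
ip vpn-instance blue
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
  multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
 ipv4-family
  route-distinguisher 200:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
  multicast routing-enable
  multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
interface MTunnel0
 ip binding vpn-instance blue
#
interface MTunnel10
 ip binding vpn-instance white
#
return
"""
# Constructed PE2 with two deliberate defects: white imports blue's RT 111:1 and
# MTunnel10 is bound to the wrong VPN instance.
PE2_CFG = (PE1_CFG.replace("sysname PE1", "sysname PE2")
           .replace("vpn-target 222:1 import-extcommunity", "vpn-target 111:1 import-extcommunity")
           .replace("MTunnel10\n ip binding vpn-instance white", "MTunnel10\n ip binding vpn-instance blue"))

if __name__ == "__main__":
    for finding in check_devices([PE1_CFG, PE2_CFG]):
        print(finding)
```

Running the script on the two samples reports the planted RT overlap and MTunnel binding on PE2 and the resulting RD/RT mismatch for VPN instance white between PE1 and PE2; a clean set of files produces no output.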
Configuration Notes
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-136, CE1 and CE2 belong to vpna, and CE1 is dual-homed to PE1 and
PE2 through the switch. The requirements are as follows:
● Normally, CE1 uses PE1 as the default gateway to communicate with CE2.
When PE1 becomes faulty, PE2 takes over from PE1, implementing gateway
redundancy.
● After PE1 recovers, it preempts the master role and resumes forwarding data
after a preemption delay of 20s.
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
VRRP is configured to implement gateway redundancy on the L3VPN. The
configuration roadmap is as follows:
1. Configure OSPF between PEs to implement IP connectivity on the backbone
network.
2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can
be established to transmit VPN data.
3. Configure VPN instances on PEs to implement connectivity between VPNs.
Bind VPN instances to PE interfaces connected to CEs so that VPN users can
be connected.
4. Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to
exchange VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Configure a loop prevention protocol on PE1, PE2, and the switch to prevent
loops. Here, MSTP is used.
7. Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that
PE1 functions as the master to forward traffic, and set the preemption delay
to 20s on PE1. Set a lower priority for PE2 so that PE2 functions as the
backup.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PEs can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type hybrid
[PE3-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE3-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[PE3-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit
Step 3 Configure VPN instances on the PEs and bind them to the PE interfaces connected to
the CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] port link-type hybrid
[PE1-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/5
[PE2-GigabitEthernet1/0/5] port link-type hybrid
[PE2-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/5] quit
# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[PE3-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[PE3-GigabitEthernet1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type hybrid
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[CE2-GigabitEthernet1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit
Step 4 Set up EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit
Step 5 Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to exchange
VPN routing information.
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit
Step 6 Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.
[PE1] stp mode mstp
# Set the path cost of the port connecting PE2 and the switch to 400000 to block
the link between PE2 and the switch.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp cost 400000
[PE2-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] quit
# After the configuration is complete, run the display stp brief command on the
switch. You can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
MSTID  Port                         Role  STP State    Protection
    0  GigabitEthernet1/0/1         ROOT  FORWARDING   NONE
    0  GigabitEthernet1/0/2         ALTE  DISCARDING   NONE
# After the configuration is complete, run the display vrrp command on PE1 and
PE2. You can see that PE1 is in Master state and PE2 is in Backup state.
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link
fault.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] shutdown
[PE1-GigabitEthernet1/0/5] quit
# Run the display vrrp command on PE2 to check the VRRP status. The command
output shows that PE2 is in Master state.
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s,
run the display vrrp command on PE1 to check the VRRP status. PE1 returns to
the Master state.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1-GigabitEthernet1/0/5] quit
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
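A small parser for the display vrrp output shown above, added here as an example; it is not part of the configuration guide. It checks the two peers against the design of this section (PE1 master at priority 120 with a 20 s preemption delay, PE2 backup at priority 100, VRID 1 with virtual IP 10.1.1.111), derives the virtual MAC the VRID must map to (00-00-5E-00-01-VRID for IPv4 VRRP), and reports Auth type NONE as a finding to review because the example leaves VRRP authentication at its default. The two sample outputs are constructed from the values printed on the page; field names follow the format printed above.

```python
import re

# Constructed sample, mirroring the `display vrrp` output shown above for PE1
# (master, priority 120, 20 s preemption delay).
PE1_OUTPUT = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
"""

# Constructed sample for PE2 (backup, priority 100, no preemption delay), as on the page.
PE2_OUTPUT = (PE1_OUTPUT.replace("State : Master", "State : Backup")
              .replace("PriorityRun : 120", "PriorityRun : 100")
              .replace("PriorityConfig : 120", "PriorityConfig : 100")
              .replace("Delay Time : 20 s", "Delay Time : 0 s"))

# "Name : value" pairs; names may contain spaces or hyphens ("Delay Time", "Backup-forward").
FIELD = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+)")


def parse_vrrp(text: str) -> dict:
    """Turn one `display vrrp` block into a dict keyed by the field names printed."""
    lines = text.strip().splitlines()
    iface, vrid = re.match(r"(\S+)\s*\|\s*Virtual Router\s+(\d+)", lines[0]).groups()
    info = {"interface": iface, "vrid": int(vrid)}
    for line in lines[1:]:
        # "Preempt : YES Delay Time : 20 s" carries two fields on one line,
        # so every pair on the line is collected rather than splitting once on ":".
        for key, value in FIELD.findall(line):
            info[key.strip()] = value
    return info


def expected_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC is 00-00-5E-00-01-{VRID}; Huawei prints it as 0000-5e00-01xx."""
    return f"0000-5e00-01{vrid:02x}"


def check_redundancy(master: dict, backup: dict, delay_s: int = 20) -> list:
    """Compare two parsed peers with the design on this page; an empty list means as designed."""
    findings = []
    if (master["State"], backup["State"]) != ("Master", "Backup"):
        findings.append("roles are not Master/Backup")
    if master["vrid"] != backup["vrid"] or master["Virtual IP"] != backup["Virtual IP"]:
        findings.append("peers describe different virtual routers")
    if int(master["PriorityRun"]) <= int(backup["PriorityRun"]):
        findings.append("master priority must be higher than backup priority")
    if master["Preempt"] != "YES" or int(master["Delay Time"]) != delay_s:
        findings.append(f"master should preempt after a {delay_s} s delay")
    for role, peer in (("master", master), ("backup", backup)):
        if peer["Virtual MAC"] != expected_virtual_mac(peer["vrid"]):
            findings.append(f"{role}: virtual MAC does not match VRID {peer['vrid']}")
        if peer["Auth type"] == "NONE":
            findings.append(f"{role}: VRRP advertisements are not authenticated")
    return findings


if __name__ == "__main__":
    for finding in check_redundancy(parse_vrrp(PE1_OUTPUT), parse_vrrp(PE2_OUTPUT)):
        print("finding:", finding)
```

Run against the two outputs on the page, the only findings are the two unauthenticated-advertisement notes; feeding the peers in the wrong order (PE2 as the intended master) makes the role, priority and preemption-delay checks fire, which is the shape of output to expect when the priorities were mistyped on the wrong PE.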
----End
Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
#
return
Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and
easily extended, and is suitable for deployment on a large scale. BGP/MPLS IP VPN
technology can be used to implement secure communication or isolation between
branches in different locations.
Routing policies are used to filter routes and set route attributes. You can change
route attributes to change a route over which network traffic is transmitted.
BGP/MPLS IP VPN can be combined with routing policies to control the receiving
and advertisement of VPN routes, implementing mutual access between specific
branch users.
Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-137, CE1 is connected to the branch Site 1, and CE2 is
connected to the branch Site 2. Site 1 and Site 2 communicate with each other
over the ISP backbone network. The enterprise requires that L3VPN users on some
network segments can securely communicate with each other to meet service
requirements.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the PE devices to ensure IP connectivity on the
backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Create VPN instances on the PE devices, bind CE interfaces to the VPN
instances, and assign different VPN targets to the VPN instances to isolate
users from different branches.
4. Configure routing policies on the PE devices and change the VPN targets of
routes filtered out based on specified routing policies to implement
communication between branch users on a specified network segment.
5. Set up EBGP peer relationships between the CE and PE devices so that they
can exchange VPN routing information.
6. Configure MP-IBGP between the PE devices to enable them to exchange VPN
routing information.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE devices
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ospf peer command. The
command output shows that an OSPF neighbor relationship has been set up between
PE1 and PE2 and that the neighbor status is Full. Run the display ip routing-table
command on PE1 and PE2; the output shows that PE1 and PE2 have learned the
routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP
LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit
After the configuration is complete, PE1 and PE2 have established LDP sessions.
Run the display mpls ldp session command, and you can view that the LDP
session status is Operational.
Step 3 Configure a VPN instance on each PE device and connect the CE devices to the PE
devices.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify
a source IP address when pinging the CE device connected to the remote PE device. To
specify the source IP address, set the -a source-ip-address parameter in the ping -vpn-
instance vpn-instance-name -a source-ip-address dest-ip-address command. If no source IP
address is specified, the ping operation fails.
Step 4 Configure routing policies on the PE devices to change the VPN targets of the
routes they filter.
# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit
# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit
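A model of the route-target and export-policy mechanism configured in this step, added as an example and not code from the configuration guide. The two VPN instances carry the values on the page (PE1: RD 100:1, RT 111:1, export policy rewriting matching routes to 222:1; PE2: RD 200:1, RT 222:1, policy rewriting to 111:1) and the prefix rule 192.168.1.0 24 greater-equal 24 less-equal 32. It shows why the sites are isolated without the policies and which prefixes cross once they are applied. Two assumptions are built in and labelled in the code: a route that matches no node of the export route-policy is not advertised, and apply extcommunity rt without the additive keyword replaces the existing route targets. The host route 192.168.1.10/32 and the prefix 10.20.0.0/16 are constructed to show a route inside and a route outside the policy's prefix range.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    prefix: str        # e.g. "192.168.1.0/24"
    rd: str            # route distinguisher of the exporting instance
    rts: frozenset     # route-target extended communities, e.g. {"111:1"}


@dataclass
class IpPrefix:
    """One `ip ip-prefix ... permit <net> <len> greater-equal <ge> less-equal <le>` entry."""
    network: str
    ge: int
    le: int

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(self.network)
        route = ipaddress.ip_network(prefix)
        # The route must sit inside the listed network and its mask length
        # must fall within [greater-equal, less-equal].
        return (route.network_address in net
                and net.prefixlen <= route.prefixlen
                and self.ge <= route.prefixlen <= self.le)


@dataclass
class PolicyNode:
    """A `route-policy ... permit node N` with one if-match ip-prefix and one apply extcommunity rt."""
    match: IpPrefix
    apply_rt: str


@dataclass
class VpnInstance:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    export_policy: list = field(default_factory=list)   # ordered PolicyNodes; [] = no policy
    local_routes: list = field(default_factory=list)    # prefixes from import-route direct
    vpnv4_table: list = field(default_factory=list)

    def export(self) -> list:
        """Routes this instance advertises to MP-IBGP peers, with their final RTs."""
        exported = []
        for prefix in self.local_routes:
            rts = self.export_rts
            if self.export_policy:
                node = next((n for n in self.export_policy if n.match.matches(prefix)), None)
                if node is None:
                    continue   # assumption: no matching node -> the route is not advertised
                rts = frozenset({node.apply_rt})   # assumption: without `additive` the RT list is replaced
            exported.append(VpnRoute(prefix, self.rd, rts))
        return exported

    def receive(self, routes) -> list:
        """Accept a route when it carries at least one of this instance's import RTs."""
        for route in routes:
            if route.rts & self.import_rts:
                self.vpnv4_table.append(route)
        return sorted(r.prefix for r in self.vpnv4_table)


def build_pes(with_policy: bool):
    pe1 = VpnInstance("vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1"}),
                      local_routes=["192.168.1.0/24", "192.168.1.10/32", "10.20.0.0/16"])
    pe2 = VpnInstance("vpna", "200:1", frozenset({"222:1"}), frozenset({"222:1"}),
                      local_routes=["192.168.2.0/24"])
    if with_policy:
        pe1.export_policy = [PolicyNode(IpPrefix("192.168.1.0/24", 24, 32), "222:1")]
        pe2.export_policy = [PolicyNode(IpPrefix("192.168.2.0/24", 24, 32), "111:1")]
    return pe1, pe2


def routes_learned(with_policy: bool) -> dict:
    """Prefixes each PE's vpna table holds after the exchange."""
    pe1, pe2 = build_pes(with_policy)
    return {"PE1": pe1.receive(pe2.export()), "PE2": pe2.receive(pe1.export())}


if __name__ == "__main__":
    print("without route-policy:", routes_learned(False))
    print("with route-policy:   ", routes_learned(True))
```

Without the policies each PE exports with its own RT and imports only the other's RT, so neither learns anything; with them, only the prefixes inside 192.168.1.0/24 (and, symmetrically, 192.168.2.0/24) are rewritten to the peer's RT and cross, while the constructed 10.20.0.0/16 stays local. That is the isolation-by-default property the section relies on: the policy is the only door between the two VPN targets, so it should be reviewed whenever its prefix list changes.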
Step 5 Set up EBGP peer relationships between the PE and CE devices and import VPN
routes.
# Configure CE1. The configuration of CE2 is similar to that of CE1, and is not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpna peer command on PE1 and PE2. You can view that BGP peer relationships
between PE and CE devices have been established and are in the Established state.
Step 6 Configure MP-IBGP between the PE devices to enable them to exchange VPN
routing information.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on PE1 and PE2. You can view that the BGP peer
relationships have been established between the PE devices and are in the
Established state.
Step 7 Verify the configuration.
# Run the ping -vpn-instance command on PE1 and PE2. You can successfully
ping the CE site that is attached to the peer PE device.
The display on PE1 is used as an example:
[PE1] ping -vpn-instance vpna 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=7 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=5 ms
----End
Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
export route-policy vpnroute
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
#
return
● Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.1.1 enable
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65420
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.2.1 enable
#
return
Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S:
For the applicable versions, see Table 3-1 in the section "Applicable
Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the VLL function. The X1E series cards of
V200R007 and later versions support the VLL function.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-138, CE1 and CE2 are connected to PE1 and PE2 respectively
through VLANs.
You are required to configure selective QinQ on the interfaces connected to CEs so
that the Switch adds the VLAN tags specified by the carrier to the packets sent
from CEs.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN
tag to the packets from different CEs, thereby saving VLAN IDs on the public
network.
Figure 3-138 address table (partial): Loopback1 1.1.1.1/32; GigabitEthernet2/0/0 and
GigabitEthernet2/0/0.1; Loopback1 3.3.3.3/32; Loopback1 2.2.2.2/32.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network
to implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ termination sub-interfaces on PE interfaces connected to the
switches to implement VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP
addresses to VLANIF interfaces according to Figure 3-138.
# Configure CE1 to ensure that packets sent from CE1 to Switch1 carry a single
VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to Switch2 carry a single
VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs
allowed by the interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch2-GigabitEthernet1/0/0] quit
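A byte-level model of what the selective QinQ configuration in this step does to a frame, added as an example; it is not code from the configuration guide. It builds a single-tagged frame as CE2 sends it, applies the port vlan-stacking vlan 10 stack-vlan 100 rule from Switch2 by pushing a carrier tag in front of the customer tag, and then applies the qinq termination pe-vid 100 ce-vid 10 match that the PE sub-interfaces in the configuration files use. Assumptions: both tags use TPID 0x8100 (the page shows no TPID), frames matching no stacking rule are passed through unchanged, and termination is modelled as stripping both tags; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100   # assumption: the same tag type is used for the customer and carrier tag


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_frame(dst: str, src: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build an Ethernet frame; vids are listed outermost first (PCP and DEI are zero)."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame: bytes):
    """Return (VIDs outermost first, offset of the payload EtherType)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def vlan_stacking(frame: bytes, rules: dict) -> bytes:
    """Model `port vlan-stacking vlan <cvid> stack-vlan <svid>` on the CE-facing switch port.

    rules maps customer VID -> carrier VID.  A single-tagged frame whose VID has a rule
    gets the carrier tag pushed in front of its own tag.  Frames with no rule are returned
    unchanged here (assumption; the real port's handling of them is outside this model).
    """
    vids, _ = vlan_tags(frame)
    if len(vids) != 1 or vids[0] not in rules:
        return frame
    outer = struct.pack("!HH", TPID_8021Q, rules[vids[0]] & 0x0FFF)
    return frame[:12] + outer + frame[12:]


def qinq_termination(frame: bytes, pe_vid: int, ce_vid: int):
    """Model `qinq termination pe-vid <pe_vid> ce-vid <ce_vid>` on a PE sub-interface.

    Only a frame carrying exactly that outer/inner pair is accepted; the model returns it
    with both tags removed, and None when the pair does not match.
    """
    vids, off = vlan_tags(frame)
    if vids != [pe_vid, ce_vid]:
        return None
    return frame[:12] + frame[off:]


# Constructed addresses for the demonstration (Huawei OUI, locally chosen suffixes).
CE2_MAC, CE1_MAC = "00-e0-fc-00-00-02", "00-e0-fc-00-00-01"


def demo() -> dict:
    """Walk one frame from CE2 through Switch2 to PE2's termination sub-interface."""
    from_ce = build_frame(CE1_MAC, CE2_MAC, [10])
    stacked = vlan_stacking(from_ce, {10: 100})
    return {
        "tags_from_ce": vlan_tags(from_ce)[0],
        "tags_after_switch": vlan_tags(stacked)[0],
        "accepted_by_pe": qinq_termination(stacked, 100, 10) is not None,
        "wrong_ce_vid_accepted": qinq_termination(stacked, 100, 20) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The frame grows by exactly four bytes per pushed tag, so any MTU budget on the carrier links must allow for the second tag; and because the termination sub-interface keys on the outer/inner pair, a customer VLAN the stacking rule does not list never reaches the VC even though it shares the carrier VLAN, which is what keeps the CEs behind one S-VLAN separated.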
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the
LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF
neighbor relationship status is Full. Run the display ip routing-table command.
You can see that the PEs learn the route to the Loopback1 interface of each other.
The display on PE1 is used as an example:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command
on PE1 to view the LDP session setup. You can see that an LDP session is set up
between PE1 and PE2.
----End
Configuration Files
● Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
● Configuration file of Switch2
#
sysname Switch2
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and
easily extended, and is suitable for deployment on a large scale. To add a new site,
the network administrator only needs to modify the configuration of the edge
nodes serving the new site.
As enterprises set up more and more branches in different regions and office
flexibility increases, applications such as instant messaging and teleconferencing
are increasingly widely used. This imposes high requirements for end-to-end (E2E)
datacom technologies. Multiple enterprise branches distributed in different regions
need to communicate over the metropolitan area network (MAN) provided by the
ISP. Layer 2 service packets between enterprise branches need to be transmitted
over the MAN using the VPLS technology, so that the enterprise branches in
different regions can communicate with each other.
The ISP can use the same PE device to provide VPLS and L3VPN services for
enterprises to reduce the network construction costs.
Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards cannot be used in this example. The X1E series cards of
V200R007 and later versions can be used in this example.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-139:
● An ISP provides both VPLS and L3VPN services.
● CE1 connected to the headquarters of enterprise A and CE3 connected to a
branch belong to the same VPLS to provide Layer 2 services. CE1 and CE3 are
bound to vpna to implement secure transmission of Layer 3 data.
● CE2 connected to the headquarters of enterprise B and CE4 connected to a
branch belong to the same VPLS to provide Layer 2 services. CE2 and CE3 are
bound to vpna to implement secure transmission of Layer 3 data.
● Selective QinQ needs to be configured on CE-side interfaces on switches to
add outer VLAN tags specified by the ISP to the packets sent from CE devices.
If a switch connects to multiple CE devices, it can add the same VLAN tag to
packets from different CE devices. This saves VLAN IDs on the ISP network.
Figure 3-139 Networking for deploying BGP/MPLS IP VPN and VPLS on one ISP
network
Data Plan
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PE devices to ensure IP connectivity on
the backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the P and PE devices to set
up MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure BGP/MPLS IP VPN. Configure L3VPN instances vpna and vpnb on
PE1 and PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb
to 222:2. This configuration allows users in the same VPN to communicate
with each other and isolates users of different VPNs. Configure dot1q
termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent
from CE2 and CE4.
5. Configure the VPLS service. Create VPLS VSI instances on PE1 and PE2. In each
VSI instance, specify BGP as the signaling protocol, and set the RD, VPN target
and site. Bind sub-interfaces to VSI instances so that the sub-interfaces
function as AC interfaces to provide access for VPLS users. Configure dot1q
termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent
from CE2 and CE4.
6. Configure selective QinQ on CE-side interfaces of the switches and specify the
VLANs allowed by the interfaces.
7. Set up EBGP peer relationships between the CE and PE devices so that they
can exchange VPN routing information.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE and P
devices can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.16.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.17.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.17.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
and you can view that the neighbor status is Full. Run the display ip routing-
table command on PE1 and PE2, and you can view that PE1 and PE2 have learned
the routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP
LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
After the configuration is complete, LDP sessions are established between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command on
PE1, P, and PE2, and you can view that the LDP session status is Operational. Run
the display mpls ldp lsp command, and you can view information about the
established LDP LSPs.
The display on PE1 is used as an example:
[PE1] display mpls ldp session
Step 3 Configure L3VPN instances on the PE devices. Configure dot1q termination sub-
interfaces for single-tagged packets from vpna. Configure QinQ termination sub-
interfaces for double-tagged packets from vpnb. (Layer 3 service users are
identified by VLAN 10 and VLAN 20, and the PE devices use VLAN 10 and VLAN
100 to identify Layer 3 services.)
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
Step 4 Configure selective QinQ on CE-side interfaces of the switches and specify the
VLANs allowed by the interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 100 200
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 100 200
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify
a source IP address when pinging the CE device connected to the remote PE device. To
specify the source IP address, set the -a source-ip-address parameter in the
ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command.
If no source IP address is specified, the ping operation fails.
Step 5 Create VPLS VSI instances on PE1 and PE2. In each VSI instance, specify BGP as the
signaling protocol, and set the RD, VPN target and site. Bind sub-interfaces to VSI
instances so that the sub-interfaces function as AC interfaces to provide access for
VPLS users. Configure dot1q termination sub-interfaces for single-tagged packets
sent from CE1 and CE3. Configure QinQ termination sub-interfaces for double-
tagged packets sent from CE2 and CE4. (The CE devices use VLAN 11 and VLAN
21 to identify Layer 2 service users, and the PE devices use VLAN 11 and VLAN
200 to identify Layer 2 services.)
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vsi vsi1 auto
[PE1-vsi-vsi1] pwsignal bgp
[PE1-vsi-vsi1-bgp] route-distinguisher 101:1
[PE1-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE1-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE1-vsi-vsi1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi1-bgp] quit
[PE1-vsi-vsi1] quit
[PE1] vsi vsi2 auto
[PE1-vsi-vsi2] pwsignal bgp
[PE1-vsi-vsi2-bgp] route-distinguisher 101:2
[PE1-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE1-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE1-vsi-vsi2-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi2-bgp] quit
[PE1-vsi-vsi2] quit
[PE1] interface gigabitethernet 1/0/0.2
[PE1-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE1-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE1-GigabitEthernet1/0/0.2] quit
[PE1] interface gigabitethernet 2/0/0.2
[PE1-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE1-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE1-GigabitEthernet2/0/0.2] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
Step 6 Set up EBGP peer relationships between the PE and CE devices and import L3VPN
routes to BGP.
# Configure CE1 connecting to the headquarters of enterprise A. The
configurations of CE2, CE3, and CE4 are similar to that of CE1, and are not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpn-instance-name peer command on the PE devices. You can view that BGP peer
relationships between PE and CE devices have been established and are in the
Established state.
The BGP peer relationship between PE1 and CE1 is used as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] vpls-family
[PE2-bgp-af-vpls] peer 1.1.1.9 enable
[PE2-bgp-af-vpls] quit
[PE2-bgp] quit
CE devices in the same VPN instance can successfully ping each other, whereas CE
devices in different VPN instances cannot.
For example, CE1 connecting to the headquarters of enterprise A can successfully
ping CE3 connecting to a branch at 10.3.1.1 but cannot ping CE4 connecting to the
headquarters of enterprise B at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
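The isolation demonstrated by the ping test rests on two things in the configuration above: the VPN targets of vpna, vpnb, vsi1 and vsi2 must match between PE1 and PE2 and must not be shared between VPNs of the same kind, and every VLAN the access switches stack (for example CE VLAN 20 into ISP VLAN 100) must be terminated by a PE sub-interface that is bound to the intended VPN instance or VSI. The following Python script is an added example, not Huawei code: it parses the "#"-separated configuration-file format shown on this page (accepting both the `vpn-target ... both` form of the procedure and the separate import/export lines of the configuration files) and reports violations of either rule. The sample PE1 and Switch1 fragments are constructed from the values on this page; PE2 is given the same targets, since its RDs and site IDs play no part in these checks.

```python
"""Added example, not Huawei's code: audits for the L3VPN + VPLS design above.
1. VPN targets: each L3VPN instance / VSI must import what its peer PE exports,
   and two VPNs of the same kind on one PE must not share a target (a shared
   target merges them and defeats the isolation the text relies on).
2. QinQ: every 'port vlan-stacking vlan C stack-vlan P' on the access switch
   needs a PE sub-interface 'qinq termination pe-vid P ce-vid C' bound to a
   VPN instance or VSI. Sample configs are constructed from this page's values.
"""
import re

def parse_blocks(text):
    """Split a VRP-style configuration into blocks; '#' lines separate them."""
    blocks, cur = [], []
    for line in text.splitlines():
        line = line.strip()
        if line in ("#", "return"):
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks + ([cur] if cur else [])

def vpn_targets(cfg):
    """Map 'l3vpn:<name>' or 'vsi:<name>' -> {'import': set, 'export': set}."""
    out = {}
    for blk in parse_blocks(cfg):
        head = blk[0].split()
        if head[:2] == ["ip", "vpn-instance"]:
            name = "l3vpn:" + head[2]
        elif head[0] == "vsi":
            name = "vsi:" + head[1]
        else:
            continue
        t = out.setdefault(name, {"import": set(), "export": set()})
        for line in blk[1:]:
            m = re.match(r"vpn-target (\S+) (both|import|export)", line)
            if m:  # 'both' (the procedure's form) means import and export
                for d in (("import", "export") if m[2] == "both" else (m[2],)):
                    t[d].add(m[1])
    return out

def check_targets(pe_a, pe_b):
    """Findings on target symmetry between two PEs and overlap on each (empty = OK)."""
    findings, ta, tb = [], vpn_targets(pe_a), vpn_targets(pe_b)
    for name in sorted(set(ta) | set(tb)):
        if name not in ta or name not in tb:
            findings.append(f"{name}: defined on only one PE")
        elif ta[name]["import"] != tb[name]["export"] or tb[name]["import"] != ta[name]["export"]:
            findings.append(f"{name}: import/export targets differ between the PEs")
    for label, t in (("PE-A", ta), ("PE-B", tb)):
        names = sorted(t)
        for i, x in enumerate(names):
            for y in names[i + 1:]:  # compare only l3vpn with l3vpn, vsi with vsi
                if x.split(":")[0] == y.split(":")[0] and (
                        t[x]["import"] & t[y]["export"] or t[y]["import"] & t[x]["export"]):
                    findings.append(f"{label}: {x} and {y} share a VPN target and are not isolated")
    return findings

def check_qinq(switch_cfg, pe_cfg):
    """Findings on switch VLAN stacking vs. PE QinQ termination (empty = OK)."""
    term = {}  # (ce_vid, pe_vid) -> VPN instance / VSI bound on the PE sub-interface
    for blk in parse_blocks(pe_cfg):
        key = binding = None
        for line in blk:
            m = re.match(r"qinq termination pe-vid (\d+) ce-vid (\d+)", line)
            key = (int(m[2]), int(m[1])) if m else key
            m = re.match(r"(?:ip binding vpn-instance|l2 binding vsi) (\S+)", line)
            binding = m[1] if m else binding
        if key:
            term[key] = binding
    findings = []
    for ce, pe in re.findall(r"port vlan-stacking vlan (\d+) stack-vlan (\d+)", switch_cfg):
        if (int(ce), int(pe)) not in term:
            findings.append(f"CE VLAN {ce} stacked into {pe}: no matching PE qinq termination")
        elif term[(int(ce), int(pe))] is None:
            findings.append(f"PE sub-interface for pe-vid {pe} ce-vid {ce} is bound to nothing")
    return findings

# Constructed from the page's PE1 and Switch1 values; PE2 carries the same targets.
PE1_CFG = """\
#
ip vpn-instance vpna
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
vpn-target 222:2 both
#
vsi vsi2 auto
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
#
"""
PE2_CFG = PE1_CFG
SWITCH1_CFG = """\
interface GigabitEthernet1/0/0
port vlan-stacking vlan 20 stack-vlan 100
"""
```

Run `check_targets(PE1_CFG, PE2_CFG)` and `check_qinq(SWITCH1_CFG, PE1_CFG)` against the page's values and both return an empty list. Reusing vpna's target 111:1 for vpnb on one PE (`PE2_CFG.replace("222:2", "111:1")`) produces two findings, one for the PE-to-PE mismatch and one for the shared target that would let the two enterprises' routes merge; stacking a CE VLAN that no PE sub-interface terminates is reported by `check_qinq`.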
Run the display vsi name vsi2 verbose command on PE1, and you can view that
vsi2 has a PW to PE2 and is in Up state.
[PE1] display vsi name vsi2 verbose
BGP RD : 101:2
SiteID/Range/Offset : 1/5/0
Import vpn target : 200:1
Export vpn target : 200:1
Remote Label Block : 35845/5/0
Local Label Block : 0/35845/5/0
**PW Information:
----End
Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vcmp role silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 101:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 1 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 101:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 1 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
● Configuration file of PE2
#
sysname PE2
#
vcmp role silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 201:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 2 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 201:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 2 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif60
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
qinq termination pe-vid 200 ce-vid 21
l2 binding vsi vsi2
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
vpls-family
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
● Configuration file of CE1
#
sysname CE1
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● Configuration file of CE4
#
sysname CE4
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
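The notes above are rules that can be checked mechanically before a WLAN configuration is committed. The following Python script is an added example, not Huawei code: given the AC configuration and the switch port facing the APs, it reports a management VLAN that equals the service VLAN (an error in tunnel forwarding, not advised in direct forwarding), an AP-facing port whose PVID is not the management VLAN, and, in direct forwarding, an AP-facing port that does not carry the service VLAN, lacks port isolation, or lacks multicast suppression. The sample configurations are constructed from the values used in the procedure below (management VLAN 100, service VLAN 101, SSID test, tunnel forwarding); the `capwap source interface vlanif 100` line, the assumption that direct forwarding is the default when no forward-mode is configured, and the `port-isolate enable` and `multicast-suppression` command strings it looks for are assumptions, not values from this page.

```python
"""Added example, not Huawei's code: the WLAN configuration notes above as checks.

Given the AC configuration and the switch port facing the APs, report when the
management VLAN equals the service VLAN (an error in tunnel forwarding, not
advised in direct forwarding), when the AP-facing port's PVID is not the
management VLAN, and, in direct forwarding, when that port does not carry the
service VLAN, lacks port isolation or lacks multicast suppression.
Sample configurations are constructed from the values in the procedure; the
'capwap source interface' line and the default forwarding mode are assumed.
"""
import re

def vlan_list(spec):
    """Expand a VRP VLAN list such as '100 to 101 200' into a set of VLAN IDs."""
    ids, toks, i = set(), spec.split(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            ids.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(toks[i]))
            i += 1
    return ids

def wlan_checks(ac_cfg, ap_port_cfg):
    """Return findings (empty list = the notes above are satisfied)."""
    findings = []
    m = re.search(r"forward-mode (\w+)", ac_cfg)
    mode = m[1] if m else "direct"  # assumed default when no forward-mode is configured
    svc = int(re.search(r"service-vlan (\d+)", ac_cfg)[1])
    # Management VLAN: the VLANIF the AC uses as its CAPWAP source ('capwap source
    # interface' in V200R007 and later, 'wlan ac source interface' in earlier versions).
    mgmt = int(re.search(r"(?:capwap|wlan ac) source interface vlanif (\d+)", ac_cfg)[1])
    if mgmt == svc:
        sev = "ERROR" if mode == "tunnel" else "WARN"
        findings.append(f"{sev}: management VLAN {mgmt} equals service VLAN {svc} ({mode} forwarding)")
    pvid = re.search(r"port trunk pvid vlan (\d+)", ap_port_cfg)
    if not pvid or int(pvid[1]) != mgmt:
        findings.append(f"ERROR: AP-facing port PVID is not the management VLAN {mgmt}")
    if mode == "direct":
        allowed = re.search(r"port trunk allow-pass vlan (.+)", ap_port_cfg)
        if not allowed or svc not in vlan_list(allowed[1]):
            findings.append(f"ERROR: AP-facing port does not carry service VLAN {svc}")
        if "port-isolate enable" not in ap_port_cfg:  # assumed command string
            findings.append("WARN: no port isolation on the AP-facing port (STAs on different APs can talk at Layer 2)")
        if "multicast-suppression" not in ap_port_cfg:  # assumed command string
            findings.append("WARN: no multicast suppression on the AP-facing port")
    return findings

# Constructed from the page's values; the CAPWAP source line is assumed.
AC_CFG = """\
capwap source interface vlanif 100
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
service-set name test id 1
 ssid test
 service-vlan 101
 forward-mode tunnel
"""
AP_PORT_CFG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
"""
```

With the page's tunnel-forwarding values `wlan_checks(AC_CFG, AP_PORT_CFG)` returns no findings. Switching the same configuration to direct forwarding exposes three problems at once: the AP-facing port allows only VLAN 100, so service VLAN 101 would never reach the upstream network, and it has neither port isolation nor multicast suppression. Setting the service VLAN to 100 in tunnel mode yields the single error the first note describes.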
Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy
WLAN services for mobile office so that its employees can access the enterprise
internal network anywhere and anytime.
As shown in Figure 3-140, the AC connects to APs through a PoE switch, and the
PoE switch provides power for APs. The WLAN service is configured on the AC, and
delivered to APs.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, SwitchA, and upstream device to implement Layer 2
interoperation.
2. Configure the AC as a DHCP server to assign IP addresses to STAs and the AP
from an IP address pool of an interface.
3. Configure AC system parameters, including the country code, AC ID, carrier ID,
and source interface used by the AC to communicate with the AP.
4. Set the AP authentication mode and add the AP to an AP region.
5. Configure a VAP and deliver VAP parameters to the AP so that STAs can
access the WLAN.
a. Configure a WMM profile and radio profile on the AP, retain the default
settings of the WMM profile and radio profile, bind the WMM profile to
the radio profile to enable STAs to communicate with the AP.
b. Configure a WLAN-ESS interface so that radio packets can be sent to the
WLAN service module after reaching the AC.
c. Configure a security profile and traffic profile on the AP, retain the
default settings of the security profile and traffic profile, configure a
service set, bind the WLAN-ESS interface, security profile, and traffic
profile to the service set to apply security policies and QoS policies to
STAs.
d. Configure a VAP and deliver VAP parameters to the AP so that STAs can
access the Internet through the WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP     AP              AP                Profile     AP        AP
ID     Type            MAC               ID/Region   State     Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN    00e0-fc11-1111    0/10        normal    ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
When a STA detects the wireless network test and associates with it, the wireless
PC is allocated an IP address. You need to enter the pre-shared key to access the
wireless network. You can run the display station assoc-info command on the
AC. The command output shows that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC           AP ID    RADIO ID    SS ID    SSID
------------------------------------------------------------------------------
00e0-fc11-1113    0        0           1        test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-141, an enterprise's AC connects to the egress gateway
Router of the campus network and connects to APs through a PoE switch. The PoE
switch provides power to APs.
The enterprise requires a WLAN with SSID test so that users can access the
enterprise internal network from anywhere and anytime. The Router needs to
function as a DHCP server to assign IP addresses on 10.10.10.0/24 to users and
manage users on the AC.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network
interoperation.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an
interface IP address pool, configure the AC as a DHCP relay agent, and
configure the Router connected to the AC to assign IP addresses to STAs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to
10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit
After the configuration is complete, run the display vap ap 0 radio 0 command.
The command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 00E0-FC11-1111 service
----------------------------------------------------------------------
Total: 1
When a STA detects the wireless network test and associates with it, the wireless
PC is allocated an IP address. You need to enter the pre-shared key to access the
wireless network. You can run the display station assoc-info command on the
AC. The command output shows that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc11-1113 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.11.10.1
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
Configuration Notes
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
A hospital needs to deploy both a wired and a wireless network. To simplify
management and maintenance, the administrator requires that wired and wireless
users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and
wireless users roam under the same AC.
As shown in Figure 3-142, the AC connects to the egress gateway Router in the
uplink direction. In the downlink direction, the AC connects to and manages APs
through S5700-1 and S5700-2 access switches. The S5700-1 and S5700-2 are
deployed in the first and second floors, respectively. An AP2010DN is deployed in
each room to provide both wired and wireless access. The AP5030DN is deployed
in the corridor to provide wireless network coverage. The S5700-1 and S5700-2 are
PoE switches directly providing power to connected APs.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2, and all gateways are configured on
the AC.
The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and
PCs.
Data Planning
(Recovered fragments of the data planning table; the remaining rows were lost in extraction.)
AP103: an AP5030DN deployed in the corridor on the first floor to provide wireless access.
AP203: an AP5030DN deployed in the corridor on the second floor to provide wireless access.
Country code: CN
VLANIF 102: 10.23.102.1/24, address range 10.23.102.2-10.23.102.254/24
VLANIF 202: 10.23.202.1/24, address range 10.23.202.2-10.23.202.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users,
and wireless users.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and
VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the
S5700-2 to VLAN 100 and VLAN 202 (VLAN for wireless service packets). Set
PVIDs for interfaces directly connected to APs. You are advised to configure port
isolation on these interfaces to reduce unnecessary broadcast traffic. The S5700-1
is used as an example here. The configuration on the S5700-2 is similar. For
details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN
201, GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4
(connected to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to
the controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface
address pool.
# Bind the Portal server template to the WLAN-ESS interface, enable Portal
authentication for wireless users, and configure non-authentication for wired
users.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess1] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess1] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify
Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess2] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess2] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess2] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify
Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess2] quit
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on the APs and run the display ap all command to check the AP state. If
the AP State field is normal, the APs have gone online.
# Create the radio profile radio and bind the WMM profile wmm to the radio
profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create service sets floor1 and floor2, and bind the service VLANs, WLAN-ESS
interfaces, security profile, and traffic profile to the service sets. Set the forwarding
mode to tunnel forwarding.
[AC-wlan-view] service-set name floor1 id 1 //Create the service set floor1.
[AC-wlan-service-set-floor1] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-service-set-floor1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-floor1] security-profile name security //Bind the security profile security.
[AC-wlan-service-set-floor1] traffic-profile name traffic //Bind the traffic profile traffic.
[AC-wlan-service-set-floor1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-floor1] forward-mode tunnel //Set the forwarding mode to tunnel forwarding. The
default forwarding mode is direct forwarding.
[AC-wlan-service-set-floor1] user-isolate //Configure Layer 2 isolation for users connected to the same
VAP.
[AC-wlan-service-set-floor1] quit
[AC-wlan-view] service-set name floor2 id 2
[AC-wlan-service-set-floor2] ssid hospital-wlan //Set the SSID to hospital-wlan. All service sets must be
configured with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] wlan-ess 2
[AC-wlan-service-set-floor2] security-profile name security //Bind the security profile security. All service
sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] traffic-profile name traffic
[AC-wlan-service-set-floor2] service-vlan 102
[AC-wlan-service-set-floor2] forward-mode tunnel
[AC-wlan-service-set-floor2] user-isolate
[AC-wlan-service-set-floor2] quit
# After the configuration is complete, run the display vap all command. The
command output shows that VAPs have been created.
[AC-wlan-view] display vap all
All VAP Information(Total-8):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
101 0 1 - - 1 00e0-fc76-e320 service
102 0 1 - - 1 00e0-fc76-e340 service
103 0 1 - - 1 00e0-fc04-b520 service
103 1 1 - - 1 00e0-fc04-b530 service
201 0 2 - - 1 00e0-fc76-e360 service
202 0 2 - - 1 00e0-fc76-e380 service
203 0 2 - - 1 00e0-fc04-b540 service
203 1 2 - - 1 00e0-fc04-b550 service
----------------------------------------------------------------------
Total: 8
# STAs discover the WLAN with the SSID hospital-wlan and associate with the
WLAN. The STAs are allocated IP addresses. After you enter the key, the STAs can
access the wireless network. Run the display station assoc-info command on the
AC. The command output shows that the STAs are connected to the WLAN
hospital-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address
SSID
------------------------------------------------------------------------------
00e0-fcc7-1e08 101/0/1 6/11 11n -89 10.23.101.254
hospital-wlan
------------------------------------------------------------------------------
Total stations: 1
# STAs and PCs obtain IP addresses and connect to the network properly.
----End
Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name floor1
ap-region id 2
ap-region-name floor2
ap id 101 type-id 38 mac 00e0-fc76-e320
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
lineate-port ethernet 1 pvid vlan 201
lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 102 type-id 38 mac 00e0-fc76-e340
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
lineate-port ethernet 1 pvid vlan 201
lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 103 type-id 35 mac 00e0-fc04-b520
region-id 1
ap id 201 type-id 38 mac 00e0-fc76-e360
region-id 2
lineate-port ethernet 0 pvid vlan 202
lineate-port ethernet 0 vlan untagged 202
lineate-port ethernet 1 pvid vlan 202
lineate-port ethernet 1 vlan untagged 202
lineate-port gigabitethernet 0 vlan tagged 202
service-set id 2 wlan 1
#
return
Configuration Notes
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce the impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
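The notes above can be checked mechanically against configuration files in the plain-text form this page prints. The following linter is an added example, not Huawei code: it parses an AC configuration file (the `wlan ac source interface` or `capwap source interface` line, security profiles and service sets) and an access-switch configuration file, and reports the conditions the notes describe: a service VLAN equal to the management VLAN (an error under tunnel forwarding, a warning under direct forwarding), an AP-facing port (PVID set to the management VLAN) without port isolation, and a service set whose bound security profile is not WPA2 with CCMP, the policy this page's examples use. The embedded sample configurations are constructed from the AC and SwitchA files shown earlier, with a placeholder pass-phrase.

```python
"""Check Huawei VRP WLAN configuration files against the Configuration Notes
above. Added example, not Huawei code; the sample configs are constructed."""
import re

# Constructed from the AC configuration file above; the pass-phrase cipher
# text is a placeholder, not a real value.
AC_CONFIG = """\
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@PLACEHOLDER%@%@
  encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  ssid test
  security-profile id 1
  service-vlan 101
 ap 0 radio 0
  service-set id 1 wlan 1
#
return
"""

# Constructed from the SwitchA configuration file above (GE0/0/1 faces the AP).
SWITCH_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
return
"""

ATTRS = {  # attribute lines collected under a security profile or service set
    "policy": r"security-policy (\S+)$",
    "encryption": r"encryption-method (\S+)$",
    "forward": r"forward-mode (\S+)$",
    "vlan": r"service-vlan (\d+)$",
    "profile": r"security-profile id (\d+)$",
}


def parse_ac(config):
    """Return (management VLAN, {profile id: attrs}, {service-set name: attrs})."""
    mgmt_vlan, profiles, sets, ctx = None, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(?:wlan ac|capwap) source interface vlanif\s*(\d+)$", line):
            mgmt_vlan = m.group(1)  # V200R005/6 (wlan view) or V200R007/8 (system view)
        elif m := re.match(r"security-profile name (\S+) id (\d+)$", line):
            ctx = profiles.setdefault(m.group(2), {"name": m.group(1)})
        elif m := re.match(r"service-set name (\S+) id (\d+)$", line):
            ctx = sets.setdefault(m.group(1), {"id": m.group(2)})
        elif re.match(r"\S+-profile name|ap-region id|ap id|ap \d+ radio|#$", line):
            ctx = None  # another object starts; stop attributing lines to ctx
        elif ctx is not None:
            for key, pattern in ATTRS.items():
                if m := re.match(pattern, line):
                    ctx[key] = m.group(1)
    return mgmt_vlan, profiles, sets


def parse_switch(config):
    """Return {interface name: list of its configuration lines}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = ports.setdefault(m.group(1), [])
        elif line == "#":
            current = None
        elif current is not None:
            current.append(line)
    return ports


def lint(ac_config, switch_config):
    """Return findings as strings; an empty list means the notes are satisfied."""
    findings = []
    mgmt, profiles, sets = parse_ac(ac_config)
    if mgmt is None:
        return ["ERROR: no CAPWAP/WLAN AC source interface configured"]
    direct = False
    for name, ss in sets.items():
        mode = ss.get("forward", "direct-forward")  # direct forwarding is the default
        direct |= mode != "tunnel"
        if ss.get("vlan") == mgmt:  # forbidden under tunnel, not advised under direct
            sev = "ERROR" if mode == "tunnel" else "WARN"
            findings.append(f"{sev}: service-set {name} service VLAN = management VLAN {mgmt} ({mode})")
        prof = profiles.get(ss.get("profile"))
        if prof is None:
            findings.append(f"ERROR: service-set {name} has no security profile bound")
        elif (prof.get("policy"), prof.get("encryption")) != ("wpa2", "ccmp"):
            findings.append(f"WARN: service-set {name} profile {prof['name']} is not WPA2/CCMP")
    for port, lines in parse_switch(switch_config).items():
        ap_facing = f"port trunk pvid vlan {mgmt}" in lines  # PVID is set on AP ports
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if ap_facing and not isolated:  # required under direct, advised under tunnel
            findings.append(f"{'ERROR' if direct else 'WARN'}: AP-facing {port} lacks port isolation")
    return findings
```

Running `lint(AC_CONFIG, SWITCH_CONFIG)` on the constructed samples reports only the advisory about port isolation on GE0/0/1, which is exactly the state of SwitchA in the tunnel-forwarding example above.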
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal
authentication be used for wireless users. Due to the large number of wireless
users, high wireless service performance and Portal authentication performance
are required.
As shown in Figure 3-143, the S9700 core switch functions as the gateway for
STAs and APs and as a DHCP server to assign IP addresses to STAs and APs. The
S9700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC
and APs are located on a Layer 3 network. The AC is the X series card on the
S9700 and connected to the S9700 through Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2.
Figure 3-143 Networking diagram for configuring WLAN services for a wireless
city project
Data Planning
(Recovered fragments of the data planning table; the remaining rows were lost in extraction.)
Country code: CN
VLANIF 102: 10.23.102.1/24, address range 10.23.102.2-10.23.102.254/24
Portal server:
● Active IP address: 10.23.30.1
● Active IP address: 10.23.30.2
● Standby IP address: 10.23.30.3
● Port number that the AC uses to listen on Portal protocol packets: 2000
● Destination port number in the packets that the AC sends to the Portal server: 50100
● Portal shared key: YsHsjx_202206
● Encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700,
and AC to communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management
VLAN) and VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected
to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected
to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN
101, GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3
connected to the Controller to VLAN 300, GE1/0/4 connected to the upper-layer
network to VLAN 101 and VLAN 102, and GE1/0/5 and GE1/0/6 connected to the
AC to Eth-Trunk 1. Add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit
# On the S9700, configure VLANIF 100 for communication with the AC and
VLANIF 300 for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for communication between the
S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for communication between the
S9700 and Controller.
[S9700-Vlanif300] quit
# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1
and add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S9700 to assign IP addresses to the STAs and APs from the global
address pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
[S9700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0
[S9700-ip-pool-manage_area2_sta] quit
# Bind the Portal server templates to service VLANIF interfaces to enable Portal
authentication.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Vlanif101] domain name portal1 //Configure the default user domain portal1.
[AC-Vlanif101] authentication portal //Configure Portal authentication.
[AC-Vlanif101] web-auth-server portal1 portal3 layer3 //Bind the Portal server templates portal1 and
portal3.
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] domain name portal1 force
[AC-Vlanif102] domain name portal1
[AC-Vlanif102] authentication portal
[AC-Vlanif102] web-auth-server portal2 portal3 layer3
[AC-Vlanif102] quit
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on the APs and run the display ap all command to check the AP state. If
the AP State field displays normal, the APs have gone online.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
101 AP6010DN-AGN 00e0-fc76-e320 0/1 normal ap-101
102 AP6010DN-AGN 00e0-fc76-e340 0/1 normal ap-102
201 AP6010DN-AGN 00e0-fc76-e360 0/2 normal ap-201
202 AP6010DN-AGN 00e0-fc76-e380 0/2 normal ap-202
------------------------------------------------------------------------------
Total number: 4,printed: 4
# Create the radio profile radio and bind the WMM profile wmm to the radio
profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create service sets area1 and area2, and bind the service VLANs, WLAN-ESS
interfaces, security profile, and traffic profile to the service sets. Set the forwarding
mode to direct forwarding.
[AC-wlan-view] service-set name area1 id 1 //Create the service set area1.
[AC-wlan-service-set-area1] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-service-set-area1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-area1] security-profile name security //Bind the security profile security.
[AC-wlan-service-set-area1] traffic-profile name traffic //Bind the traffic profile traffic.
[AC-wlan-service-set-area1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-area1] forward-mode direct-forward //Set the forwarding mode to direct forwarding (default setting).
[AC-wlan-service-set-area1] user-isolate //Configure Layer 2 isolation for users connected to the same VAP.
[AC-wlan-service-set-area1] quit
[AC-wlan-view] service-set name area2 id 2
[AC-wlan-service-set-area2] ssid city-wlan //Set the SSID to city-wlan. All service sets must be configured with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] wlan-ess 2
[AC-wlan-service-set-area2] security-profile name security //Bind the security profile security. All service sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] traffic-profile name traffic
[AC-wlan-service-set-area2] service-vlan 102
[AC-wlan-service-set-area2] forward-mode direct-forward
[AC-wlan-service-set-area2] user-isolate
[AC-wlan-service-set-area2] quit
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] power-level 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 101 radio 1 //Configure radio1 of the AP6010DN-AGN.
[AC-wlan-radio-101/1] radio-profile name radio
[AC-wlan-radio-101/1] service-set name area1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] power-level 10
[AC-wlan-radio-101/1] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name area1
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 102 radio 1
[AC-wlan-radio-102/1] radio-profile name radio
[AC-wlan-radio-102/1] service-set name area1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] power-level 10
[AC-wlan-radio-102/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name area2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 201 radio 1
[AC-wlan-radio-201/1] radio-profile name radio
[AC-wlan-radio-201/1] service-set name area2
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] power-level 10
[AC-wlan-radio-201/1] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name area2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 202 radio 1
[AC-wlan-radio-202/1] radio-profile name radio
[AC-wlan-radio-202/1] service-set name area2
[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] power-level 10
[AC-wlan-radio-202/1] quit
# STAs discover the WLAN with the SSID city-wlan and associate with the WLAN.
The STAs are allocated IP addresses. After you enter the key, the STAs can access
the wireless network. Run the display station assoc-info command on the AC.
The command output shows that the STAs are connected to the WLAN city-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC          AP/Rf/WLAN   Rx/Tx   Mode   RSSI   IP address       SSID
------------------------------------------------------------------------------
00e0-fcc7-1e08   101/0/1      6/11    11n    -89    10.23.101.254    city-wlan
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius1
radius-server shared-key cipher %#%#8M.(7SIkd!~zHjCXjHv%}13$Y#:t3:m]N$G^9yn3%#%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %#%#a^9$8KWl#+C4xc2}#BEQ4!ZIOciEV7$%dT'S/3JX%#%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %#%#3'uk~,dhv>_!~;W!v6A3YiqL2UU|*4Q>{UH%Tw'A%#%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %#%#un.DDNfj[X\.u3&zIya<P,3wBg'cEQFedz,DoIO"%#%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
web-auth-server portal1 portal3 layer3
domain name portal1 force
domain name portal1
authentication portal
#
interface Vlanif102
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 102 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 201 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 202 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 2 wlan 1
#
return
Configuration Notes
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. Without port isolation, large numbers of broadcast packets
are transmitted in the VLANs, and WLAN users on different APs can
communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-144, the enterprise's AC connects to the egress gateway
(Router) and RADIUS server, and connects to the AP through SwitchA. The WLAN
with the SSID of test is available for wireless users and terminals to access
network resources. The gateway also functions as a DHCP server to provide IP
addresses on the 10.10.10.0/24 network segment for STAs, which are managed by
the AC.
The WLAN authentication client cannot be installed on wireless devices providing
public services, such as wireless printers and phones. For these devices, use MAC
address authentication. The RADIUS server authenticates wireless devices using
their MAC addresses. No authentication is required when STAs access the WLAN,
facilitating the use of WLAN services.
Data Planning
AP region ID 10
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WLAN basic services so that STAs can access the WLAN. This
example uses default configurations.
2. Configure a RADIUS server template and apply it to an AAA domain
3. Configure MAC address authentication on the WLAN-ESS interface to
authenticate STAs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
Because the STA sends its MAC address as the user name to the RADIUS server for
authentication, the AC must not append a domain name to the user name (default
setting).
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
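As an added illustration that is not part of the Huawei guide, the following Python models the RADIUS exchange behind this step: the Access-Request a NAS such as the AC sends with the MAC address as the User-Name (no domain appended), and the Response Authenticator check the NAS performs with the shared key before it trusts an Access-Accept. Assumptions made here: the User-Password attribute also carries the MAC, the NAS reports NAS-IP-Address 10.12.10.2 (the AC's VLANIF 103 address in this example), and the shared key is the one entered in the procedure above.

```python
"""Added example, not from the Huawei guide: RADIUS (RFC 2865) Access-Request for
MAC address authentication and the NAS-side Response Authenticator check.
Constructed assumptions: the password attribute also carries the MAC, and the
NAS identifies itself by NAS-IP-Address 10.12.10.2 (the AC's VLANIF 103 address).
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_KEY = b"YsHsjx_202206"  # radius-server shared-key typed in the procedure above


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password: same key stream, then strip the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_auth_request(mac: str, secret: bytes, nas_ip: str, ident: int,
                     req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Access-Request whose User-Name is the MAC with no '@domain' appended."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: fresh random per request
    user = mac.encode()  # constructed: MAC written as the AC prints it, e.g. 00e0-fc11-1111
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(user, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """What a RADIUS server replies; used here to produce a genuine and a mis-keyed Accept."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, req_auth, secret) + attrs


def verify_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: ID must match the outstanding request and the authenticator must verify."""
    if len(packet) < 20:
        return False
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length != len(packet):
        return False
    expected = response_authenticator(code, pkt_id, packet[20:], req_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

A reply computed with any other key, or carrying a different identifier, fails verify_response, which is the property the shared key in the template provides.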
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP             AP              Profile     AP       AP
ID    Type           MAC             ID/Region   State    Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server shared-key cipher %@%@hH67%f}f8X"AE&Pw`wS~{:;0%@%@
undo radius-server user-name domain-included
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface WLAN-ESS1
port trunk allow-pass vlan 101
authentication mac-authen
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security open
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
A user can access a known Portal authentication website and enter a user name
and password for authentication. This mode is called active authentication. If a
user attempts to access other external networks through HTTP, the device forcibly
redirects the user to the Portal authentication website. This mode is called forcible
authentication.
Configuration Notes
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. Without port isolation, large numbers of broadcast packets
are transmitted in the VLANs, and WLAN users on different APs can
communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
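As an added example that is not part of the Huawei guide, the following Python audits AC and switch configuration files in the format shown on this page against the notes above: the management and service VLAN rule for each forwarding mode, port isolation on AP-facing switch ports in direct forwarding mode, and an open security profile with no authentication on the WLAN-ESS interface. The sample configuration texts are constructed (modelled on the Portal example's AC and SwitchA files), and the parser recognises only the keywords the checks need.

```python
import re
from typing import Dict, List

# Constructed sample files, modelled on the Portal example's AC and SwitchA
# configuration files on this page (indentation stripped, as on the page).
AC_PORTAL = """\
#
interface Wlan-Ess1
authentication portal
#
wlan
wlan ac source interface vlanif100
security-profile name security id 1
security open
service-set name test id 1
forward-mode tunnel
wlan-ess 1
security-profile id 1
service-vlan 101
#
return
"""
SWITCH_A = """\
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 100
#
return
"""
# Constructed variant: direct forwarding, service VLAN == management VLAN, no NAC.
AC_DIRECT = (AC_PORTAL.replace("forward-mode tunnel", "forward-mode direct-forward")
             .replace("service-vlan 101", "service-vlan 100")
             .replace("authentication portal\n", ""))


def parse_config(text: str) -> Dict:
    """Extract only what the audit needs; a bare '#' ends a config block."""
    cfg = {"mgmt_vlan": None, "sets": {}, "open_profiles": set(),
           "ess_auth": {}, "isolated_ports": set()}
    ctx = None  # (kind, key) of the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            ctx = None
            continue
        w = line.split()
        if not w or w[0] == "return":
            continue
        # 'wlan ac source interface' (V200R005/R006) or 'capwap source interface' (R007/R008)
        if m := re.match(r"(?:wlan ac|capwap) source interface vlanif\s*(\d+)$", line, re.I):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.match(r"service-set name (\S+) id \d+$", line):
            ctx = ("set", m.group(1))  # defaults per the page: direct forwarding, VLAN 1
            cfg["sets"][m.group(1)] = {"mode": "direct-forward", "vlan": 1, "ess": None, "sec": None}
        elif m := re.match(r"security-profile name \S+ id (\d+)$", line):
            ctx = ("sec", int(m.group(1)))
        elif m := re.match(r"interface wlan-ess\s*(\d+)$", line, re.I):
            ctx = ("ess", int(m.group(1)))
            cfg["ess_auth"].setdefault(int(m.group(1)), [])
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("port", m.group(1))
        elif ctx is None:
            continue
        elif ctx[0] == "set":
            ss = cfg["sets"][ctx[1]]
            if w[0] == "forward-mode":
                ss["mode"] = w[1]
            elif w[0] == "service-vlan":
                ss["vlan"] = int(w[1])
            elif w[0] == "wlan-ess":
                ss["ess"] = int(w[1])
            elif w[:2] == ["security-profile", "id"]:
                ss["sec"] = int(w[2])
        elif ctx[0] == "sec" and line == "security open":
            cfg["open_profiles"].add(ctx[1])
        elif ctx[0] == "ess" and w[0] == "authentication":
            cfg["ess_auth"][ctx[1]].append(line)
        elif ctx[0] == "port" and line.startswith("port-isolate enable"):
            cfg["isolated_ports"].add(ctx[1])
    return cfg


def audit(ac: Dict, switch: Dict, ap_facing_ports: List[str]) -> List[str]:
    """Findings against the Configuration Notes; an empty list means compliant."""
    findings, uses_direct = [], False
    for name, ss in ac["sets"].items():
        same_vlan = ac["mgmt_vlan"] is not None and ss["vlan"] == ac["mgmt_vlan"]
        if ss["mode"] == "tunnel":
            if same_vlan:  # forbidden in tunnel forwarding mode
                findings.append(f"ERROR {name}: tunnel forwarding, service VLAN == management VLAN")
        else:
            uses_direct = True
            if same_vlan:  # allowed but not advised in direct forwarding mode
                findings.append(f"WARN {name}: direct forwarding, service VLAN == management VLAN")
        # 'security open' and no NAC on the WLAN-ESS: STAs neither authenticated nor encrypted
        if ss["sec"] in ac["open_profiles"] and not ac["ess_auth"].get(ss["ess"]):
            findings.append(f"WARN {name}: security open and no authentication on WLAN-ESS {ss['ess']}")
    if uses_direct:  # direct forwarding: AP-facing switch ports need port isolation
        findings += [f"WARN {p}: AP-facing port without port-isolate"
                     for p in ap_facing_ports if p not in switch["isolated_ports"]]
    return findings
```

Which switch ports face APs is not derivable from the configuration alone, so audit takes that list as input (GE0/0/1 on SwitchA in this example).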
Networking Requirements
As shown in Figure 3-145, the AC deployed in a public area connects to the egress
gateway (Router), RADIUS server, and Portal server, and connects to the AP
through SwitchA. Users can access network resources through the WLAN with the
SSID of test. The gateway also functions as a DHCP server to assign IP addresses
on the 10.10.10.0/24 network segment to STAs, which are managed by the AC.
Because the WLAN is open to any user, there are potential security risks. To
facilitate access to the WLAN, the default security policy on the AC is used, in
which STAs are not authenticated and data is not encrypted. To centrally manage
STAs and allow only paid users to access the Internet, configure Portal
authentication on the AC. Any user who attempts to access the Internet is
redirected to the Portal authentication web page. A paying user connects to the
Internet after entering the user name and password, and the RADIUS server starts
accounting. A non-paying user must pay for the WLAN service and use the
obtained user name and password to complete Portal authentication. Generally,
the Portal authentication web page provides the paying function.
Data Planning
AP region ID 10
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This
example uses default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and use a
RADIUS server to authenticate STAs' identities and perform accounting.
3. Configure Portal authentication so that Hypertext Transfer Protocol (HTTP)
request packets from a user are redirected to the web page of the Portal
server. After the user enters identity information, the STA sends the user
identity information to the RADIUS server.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit
# Add GE1/0/4 that connects the AC to the Portal server to VLAN 104.
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 104
[AC-GigabitEthernet1/0/4] quit
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP             AP              Profile     AP       AP
ID    Type           MAC             ID/Region   State    Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 104
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server accounting 10.12.10.1 1813 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
#
web-auth-server test
server-ip 10.13.10.1
port 50100
shared-key cipher %#%#Q"r\<Ei]o@"%dKN@Y(i,:nj2IY$e>=mXxg8Cdb]0%#%#
url http://10.13.10.1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme radius_huawei
accounting-mode radius
domain huawei.com
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface Vlanif104
ip address 10.13.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 104
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
permit-domain name huawei.com
domain name huawei.com force
web-auth-server test direct
authentication portal
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security open
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. Without port isolation, large numbers of broadcast packets
are transmitted in the VLANs, and WLAN users on different APs can
communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● When configuring radio calibration, set the channel mode and power mode of
an AP that needs radio calibration to auto.
● The following example uses scheduled radio calibration. Configure the APs to
perform radio calibration in off-peak hours, for example, between 00:00 am and
06:00 am.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-146, a WLAN containing three APs (AP1, AP2, and AP3) is
deployed on the campus network. The three APs join AP region 10.
Users expect the three APs to automatically adjust their channels and power to
reduce interference and perform optimally.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
2. Set the radio calibration mode to schedule mode for APs to enable the APs to
dynamically adjust channels and power so that the APs perform optimally.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4
to VLAN 100 (management VLAN).
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure the AC as a DHCP server to assign IP addresses to the APs from the IP
address pool on VLANIF 100 and assign IP addresses to STAs from the IP address
pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 10
[AC-wlan-ap-3] quit
# Power on the three APs and run the display ap all command on the AC to
check the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
3 AP6010DN-AGN 00e0-fc96-e4c0 0/10 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode and power mode to auto in the radio profile
(default settings).
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
# Set the radio calibration mode to schedule and configure the device to start
radio calibration at 3:00 a.m. every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00
------------------------------------------------------------------------------
00e0-fc08-9abf 1 0 1 test
------------------------------------------------------------------------------
Total stations: 1
You can run the display statistics calibrate ap 1 radio 0 command on AC to
check radio calibration statistics on AP1.
[AC-wlan-view] display statistics calibrate ap 1 radio 0
-----------------------------------------------------------------------
Signal environment deterioration :1
Power calibration :1
Channel calibration :0
-----------------------------------------------------------------------
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface gigabitethernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface gigabitethernet1/0/4
Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● Each load balancing group supports a maximum of three APs.
● APs on which load balancing needs to be configured must be configured
within the same AP region.
● A load balancing group is a set of radios, and each radio can join only one
load balancing group. If dual-band APs are used, traffic is load balanced
among APs working on the same frequency band. That is, a dual-band AP can
join two load balancing groups.
● All APs in a load balancing group work on the same frequency band (2.4 GHz
or 5 GHz). AP radios in a load balancing group must have different channels
configured and work on different channels.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-147, AP1 and AP2 connect to the AC through SwitchA and
join AP region 10.
When a large number of STAs access the Internet through the same AP, the AP
becomes heavily loaded and WLAN service quality deteriorates. Therefore, the
STAs need to be balanced on the two APs.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through
the WLAN.
2. Configure session-based static load balancing to prevent new STAs from
associating with heavily-loaded APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit
Step 8 Configure a load balancing group, add AP1 and AP2 to the load balancing group,
and set the load balancing mode of the group to session-based load balancing.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
Static load balancing supports a limited number of group members, and all
members must be manually added to the group and work on the same frequency
band. Dynamic load balancing overcomes these limitations and better ensures
bandwidth for each STA.
Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● Radio traffic statistics packets are sent and received together with Echo
packets. In this example, traffic-based dynamic load balancing is used. You are
advised to set the CAPWAP heartbeat detection interval to between 30s and
60s so that the radio traffic statistics can be updated in a timely manner.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-148, AP1 and AP2 connecting to the AC through SwitchA
are dual-band APs and join AP region 10. STAs in AP region 10 support 2.4 GHz
and 5 GHz frequency bands. Both 2.4 GHz and 5 GHz WLANs need to be deployed
in AP region 10.
When a large number of STAs access the Internet through the same AP, the AP
becomes heavily loaded and WLAN service quality deteriorates. Therefore, the
STAs need to be balanced on the two APs.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through
the WLAN.
2. Configure traffic-based dynamic load balancing to prevent new STAs from
associating with heavily-loaded APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit
● If a new STA requests to connect to one of the four VAPs in AP region 10, the
AC uses a dynamic load balancing algorithm to determine whether to allow
access from the STA. If the requested VAP has more than 25% greater load
than the other VAPs, the AC rejects the association request of the STA. If the
STA continues to send more than 10 association requests to the VAP, the AC
allows the STA to associate with the AP.
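The admission rule in the bullet above, as an added example that is not Huawei code: a small model of traffic-based dynamic load balancing with the guide's values (gap 25, associate-threshold 10). It makes visible a point a security reviewer should keep in mind, namely that a STA which keeps retrying is admitted once the threshold is exceeded, so load balancing steers clients but does not act as an access control. Assumptions not stated in the guide: "load" is a percentage of radio capacity, the gap is measured against the least-loaded VAP of the same load-balancing group (one group per frequency band), and the per-STA request counter resets once the STA is admitted.

```python
# Added example, not Huawei code: a model of the admission rule the bullet
# above describes, with the guide's values (gap 25, associate-threshold 10).
# Assumptions not stated in the guide: "load" is a percentage of radio
# capacity, the gap is compared against the least-loaded VAP of the same
# load-balancing group (one group per frequency band), and the per-STA
# request counter resets once the STA is admitted.
from dataclasses import dataclass, field


@dataclass
class LoadBalanceGroup:
    loads: dict                                   # VAP name -> load in % of capacity
    gap: int = 25                                 # sta-load-balance traffic gap 25
    associate_threshold: int = 10                 # sta-load-balance associate-threshold 10
    refusals: dict = field(default_factory=dict)  # STA MAC -> requests refused so far

    def overloaded(self, vap):
        """True if `vap` is more than `gap` points above the lightest other VAP."""
        others = [load for name, load in self.loads.items() if name != vap]
        return bool(others) and self.loads[vap] - min(others) > self.gap

    def admit(self, sta_mac, vap):
        """Decide one association request; returns (admitted, reason)."""
        if vap not in self.loads:
            raise KeyError(f"{vap} is not in this load-balancing group")
        if not self.overloaded(vap):
            self.refusals.pop(sta_mac, None)
            return True, "balanced"
        n = self.refusals.get(sta_mac, 0) + 1
        if n > self.associate_threshold:
            # A STA that keeps asking is let in: the rule steers clients
            # towards lighter APs, it is not an access-control barrier.
            self.refusals.pop(sta_mac, None)
            return True, "associate-threshold exceeded"
        self.refusals[sta_mac] = n
        return False, f"VAP overloaded, refusal {n} of {self.associate_threshold}"


def requests_until_admitted(group, sta_mac, vap, limit=100):
    """How many association requests a persistent STA needs before it is admitted."""
    for attempt in range(1, limit + 1):
        if group.admit(sta_mac, vap)[0]:
            return attempt
    return None


if __name__ == "__main__":
    # Constructed loads for the two 2.4 GHz radios of AP1 and AP2.
    band_2g = LoadBalanceGroup({"ap1-radio0": 70, "ap2-radio0": 30})
    print(band_2g.admit("00e0-fc12-3457", "ap2-radio0"))  # lightly loaded: admitted
    print(band_2g.admit("00e0-fc12-3457", "ap1-radio0"))  # 40 points heavier: refused
    print(requests_until_admitted(band_2g, "00e0-fc12-3457", "ap1-radio0"))
```

With dual-band APs, model the 5 GHz radios as a second `LoadBalanceGroup`; the guide's statement that a dual-band AP joins two groups maps to one object per band.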
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc76-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac 00e0-fc04-b500 sn 210235555310CC000094
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
sta-load-balance enable
sta-load-balance mode traffic
sta-load-balance traffic gap 25
sta-load-balance associate-threshold 10
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 11
service-set id 1 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 149
service-set id 1 wlan 1
#
return
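The Configuration Notes for this example state two rules that a saved configuration can be checked against: in tunnel forwarding mode the service VLAN must not be the management VLAN, and the security policy should be chosen deliberately rather than left at the default. The following is an added example, not Huawei tooling, that audits an AC configuration file for both. The configuration text is constructed from the AC configuration file above with the cipher pass-phrase omitted. Assumptions: the management VLAN is the VLANIF named in `wlan ac source interface`, a service set without `forward-mode` uses direct forwarding and one without `service-vlan` uses VLAN 1, and a security profile without a `security-policy` line uses the default (WEP open system), as the non-fast roaming example later in this chapter states.

```python
# Added example, not Huawei tooling: audit a saved AC configuration against
# two of the Configuration Notes above, (1) tunnel forwarding must not put
# the service VLAN on the management VLAN, and (2) the security policy
# should be reviewed rather than left at the default. The configuration text
# is constructed from the guide's AC configuration file with the cipher
# pass-phrase omitted. Assumptions: the management VLAN is the VLANIF named
# in 'wlan ac source interface', a service set without 'forward-mode' uses
# direct forwarding and one without 'service-vlan' uses VLAN 1, and a
# security profile without 'security-policy' uses the default (WEP open
# system), as the roaming example later in this chapter states.
import re

AC_CONFIG = """\
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher <omitted>
  encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  security-profile id 1
  service-vlan 101
#
return
"""


def parse_wlan(config):
    """Return (management VLAN, {profile id: profile}, [service sets])."""
    mgmt_vlan, profiles, sets, current = None, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"wlan ac source interface vlanif(\d+)$", line):
            mgmt_vlan = int(m.group(1))
        elif m := re.match(r"security-profile name (\S+) id (\d+)$", line):
            current = profiles[int(m.group(2))] = {"name": m.group(1), "policy": None, "cipher": None}
        elif m := re.match(r"service-set name (\S+) id (\d+)$", line):
            current = {"name": m.group(1), "forward": "direct-forward", "vlan": 1, "profile": None}
            sets.append(current)
        elif current is None:
            continue  # lines outside any profile or service set
        elif line.startswith("security-policy "):
            current["policy"] = line.split()[1]
        elif line.startswith("encryption-method "):
            current["cipher"] = line.split()[1]
        elif line.startswith("forward-mode "):
            current["forward"] = line.split()[1]
        elif line.startswith("service-vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("security-profile id "):
            current["profile"] = int(line.split()[2])
    return mgmt_vlan, profiles, sets


def audit(config):
    """Return a list of findings; an empty list means both notes are satisfied."""
    mgmt_vlan, profiles, sets = parse_wlan(config)
    findings = []
    for ss in sets:
        tag = f"service-set {ss['name']}"
        if ss["forward"] == "tunnel" and ss["vlan"] == mgmt_vlan:
            findings.append(f"{tag}: tunnel forwarding with service VLAN {ss['vlan']} "
                            f"equal to the management VLAN (not allowed)")
        prof = profiles.get(ss["profile"], {"name": "<default>", "policy": None, "cipher": None})
        policy, cipher = prof["policy"] or "wep", prof["cipher"]
        if policy == "wep":
            findings.append(f"{tag}: profile {prof['name']} uses WEP/open system, "
                            f"no usable confidentiality or client authentication")
        elif policy == "wpa" or cipher == "tkip":
            findings.append(f"{tag}: profile {prof['name']} uses {policy}/{cipher}, "
                            f"deprecated; use wpa2 with ccmp")
    return findings


if __name__ == "__main__":
    for finding in audit(AC_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `display current-configuration` saved to a file; the example configuration above produces no findings, while moving `service-vlan` to 100 or dropping the `security-policy wpa2` line produces one finding each.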
Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming is used when a STA uses a security policy other
than WPA2-802.1X. A STA that uses WPA2-802.1X but does not support fast roaming
must also complete 802.1X authentication again before it can roam between two APs.
When a STA uses WPA2-802.1X and supports fast roaming, it does not repeat 802.1X
authentication during roaming and only performs key negotiation with the new AP.
Fast roaming reduces roaming delay and improves the service experience.
Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-149, a department on a campus network deploys two APs
that are managed and controlled by an AC, which dynamically assigns IP
addresses to the APs and STAs. All users in the department belong to the same
VLAN, that is, AP1 and AP2 use the same service VLAN. The default security policy
(WEP open system authentication) is used. User data is forwarded through
tunnels.
The department requires services to be uninterrupted when a STA moves from AP1
to AP2.
Figure 3-149 Networking diagram for configuring non-fast roaming between APs
in the same service VLAN
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required,
which shortens the roaming switchover time. Note that open system authentication
neither authenticates STAs nor encrypts user traffic; it is used here only so that
roaming can be shown without an authentication step, and the fast roaming example
that follows covers the WPA2-802.1X case. Configure non-fast roaming between APs in
the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and
the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure the SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit
After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1.
Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1
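Each example in this chapter ends with two manual checks: that `display ap all` shows every AP in the normal state, and (here) that `display station assoc-info` shows the STA re-associated with a different AP after it moves. The following is an added example, not from the Huawei guide, that parses the dash-delimited tables both commands print so these checks can be scripted, for example from a monitoring job that captures the command output over the management session. The sample outputs are constructed from the guide's examples; the exact wording of non-normal AP states in real output is an assumption.

```python
# Added example (not from the Huawei guide): parse the dash-delimited tables
# that 'display ap all' and 'display station assoc-info' print, so that the
# "all APs are normal" and "the STA moved from AP1 to AP2" checks above can
# be scripted instead of eyeballed. The sample outputs are constructed from
# the guide's examples; the wording of non-normal AP states is an assumption.
import re

AP_COLUMNS = ("ap_id", "type", "mac", "profile_region", "state", "sysname")
STA_COLUMNS = ("sta_mac", "ap_id", "radio_id", "ss_id", "ssid")

AP_ALL_OK = """\
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile/Region  AP      AP
ID   Type           MAC             ID              State   Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN   00e0-fc76-e360  0/10            normal  ap-1
2    AP6010DN-AGN   00e0-fc04-b500  0/10            normal  ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
"""
# Same table with AP 2 in a fault state (constructed).
AP_ALL_BAD = (AP_ALL_OK.replace("Normal[2],Fault[0]", "Normal[1],Fault[1]")
                       .replace("normal  ap-2", "fault   ap-2"))

STA_TABLE = """\
------------------------------------------------------------------------------
STA MAC         AP ID  RADIO ID  SS ID  SSID
------------------------------------------------------------------------------
{row}
------------------------------------------------------------------------------
Total stations: 1
"""
STA_ON_AP1 = STA_TABLE.format(row="00e0-fc12-3457  1      0         0      test")
STA_ON_AP2 = STA_TABLE.format(row="00e0-fc12-3457  2      0         1      test")


def parse_table(output, columns):
    """Return the rows between the 2nd and 3rd dashed rule as dicts.

    The header sits between the 1st and 2nd rule; data rows are split on
    whitespace and kept only if they have exactly len(columns) fields.
    """
    rows, rules = [], 0
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            rules += 1
            continue
        if rules == 2:
            fields = line.split()
            if len(fields) == len(columns):
                rows.append(dict(zip(columns, fields)))
    return rows


def state_counters(output):
    """Return the 'Normal[n],Fault[n],...' counters as a dict."""
    return {name: int(n) for name, n in re.findall(r"([A-Za-z-]+)\[(\d+)\]", output)}


def ap_problems(output):
    """List every non-zero counter other than Normal, plus each AP not in state 'normal'."""
    problems = [f"{n} AP(s) counted as {name}"
                for name, n in state_counters(output).items()
                if name != "Normal" and n]
    problems += [f"AP {ap['ap_id']} ({ap['mac']}, {ap['sysname']}) is {ap['state']}"
                 for ap in parse_table(output, AP_COLUMNS) if ap["state"] != "normal"]
    return problems


def roamed(before, after, sta_mac):
    """Return (old_ap_id, new_ap_id) if the STA appears in both snapshots on a
    different AP with the same SSID, else None."""
    def find(output):
        return next((s for s in parse_table(output, STA_COLUMNS)
                     if s["sta_mac"].lower() == sta_mac.lower()), None)
    old, new = find(before), find(after)
    if old and new and old["ap_id"] != new["ap_id"] and old["ssid"] == new["ssid"]:
        return old["ap_id"], new["ap_id"]
    return None


if __name__ == "__main__":
    print("healthy:", ap_problems(AP_ALL_OK))
    print("faulty:", ap_problems(AP_ALL_BAD))
    print("roamed:", roamed(STA_ON_AP1, STA_ON_AP2, "00e0-fc12-3457"))
```

The `Ver-mismatch` and `Type-not-match` counters are worth alerting on separately from `Fault`: an AP stuck in either state never reaches the normal state, and the `display ap-type all` list earlier in this chapter is what the `ap id ... type-id` lines in the configuration must agree with.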
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
3.11.8.2 Example for Configuring Fast Roaming Between APs in the Same
Service VLAN
Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-150, a department on a campus network deploys two APs
that are managed and controlled by an AC, which dynamically assigns IP
addresses to the APs and STAs. All users in the department belong to the same
VLAN, that is, AP1 and AP2 use the same service VLAN. The security policy
WPA2-802.1X is used. User data is forwarded through tunnels.
The department requires services to be uninterrupted when a STA moves from AP1
to AP2.
Figure 3-150 Networking diagram for configuring fast roaming between APs in
the same service VLAN
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming
between APs in the same service VLAN to ensure nonstop service transmission
during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming
switchover time.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA
and the AC so that the APs and the AC can exchange CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs, and
configure VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address
and the port number of the RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the
RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to
radius.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Configure an
authentication scheme in the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Configure a RADIUS server template
for the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID   AP Type        AP MAC           Profile ID/Region ID   AP State   AP Sysname
------------------------------------------------------------------------------
1       AP6010DN-AGN   00e0-fc11-1111   0/10                   normal     ap-1
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure
WPA2 802.1X authentication and encryption.
[AC-wlan-sec-prof-security] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1. Use 802.1X authentication on the STA and
enter the user name and password. If the authentication succeeds, the STA can
connect to the Internet. Configure the STA according to the configured
authentication mode PEAP.
● Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select
Manually create a network profile. Add SSID test. Set the
authentication mode to WPA2-Enterprise, the encryption mode to CCMP,
and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP
type to PEAP and click Settings. In the displayed dialog box, deselect
Validate server certificate and click Configure. In the displayed dialog
box, deselect Automatically use my Windows logon name and
password and click OK.
Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC           AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc12-3457    1       0          0       test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC           AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc12-3457    2       0          1       test
------------------------------------------------------------------------------
Total stations: 1
----End
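The two checks above (both APs in the normal state, then the STA MAC listed under AP 2 and no longer under AP 1 after the STA moves) can be automated from the command output. The following Python script is an added example and is not part of the Huawei guide: it parses display ap all and display station assoc-info ap output in the shape shown in this procedure. The sample outputs are constructed here; the STA MAC 00e0-fc12-3457, the AP IDs and the SSID test are the values used in the procedure.

```python
"""Verify AP state and STA roaming from AC command output (added example)."""
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# Data row of 'display ap all': ID  Type  MAC  Profile/Region  State  Sysname
AP_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(" + MAC + r")\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Data row of 'display station assoc-info ap N': MAC  AP ID  RADIO ID  SS ID  SSID
STA_ROW = re.compile(r"^\s*(" + MAC + r")\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# Summary counters such as Normal[2],Fault[0],...
COUNTER = re.compile(r"([A-Za-z-]+)\[(\d+)\]")

# Constructed sample in the shape of the guide's 'display ap all' output.
DISPLAY_AP_ALL = """\
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP            AP               Profile    AP      AP
                                    /Region
ID   Type          MAC              ID         State   Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN  00e0-fc11-1111   0/10       normal  ap-1
2    AP6010DN-AGN  00e0-fc12-3456   0/10       normal  ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
"""


def assoc_output(*rows):
    """Constructed 'display station assoc-info ap N' output holding the given rows."""
    sep = "-" * 78
    header = "STA MAC           AP ID   RADIO ID   SS ID   SSID"
    return "\n".join([sep, header, sep, "\n".join(rows), sep,
                      f"Total stations: {len(rows)}"]) + "\n"


STA_MAC = "00e0-fc12-3457"
# Outputs keyed by the AP ID given to the command, before and after the move.
BEFORE = {1: assoc_output("00e0-fc12-3457    1       0          0       test"),
          2: assoc_output()}
AFTER = {1: assoc_output(),
         2: assoc_output("00e0-fc12-3457    2       0          1       test")}


def parse_ap_counters(output):
    """Return the summary counters, e.g. {'Normal': 2, 'Fault': 0, ...}."""
    counters = {}
    for line in output.splitlines():
        for name, value in COUNTER.findall(line):
            counters[name] = int(value)
    return counters


def parse_ap_table(output):
    """Return one dict per AP data row of 'display ap all'."""
    aps = []
    for line in output.splitlines():
        m = AP_ROW.match(line)
        if m:
            ap_id, ap_type, mac, profile_region, state, sysname = m.groups()
            aps.append({"id": int(ap_id), "type": ap_type, "mac": mac,
                        "profile_region": profile_region, "state": state,
                        "sysname": sysname})
    return aps


def all_aps_normal(output, expected_ids):
    """True when exactly the expected APs are listed, all in state 'normal',
    and the Normal[] counter agrees with the rows (catches a truncated table)."""
    aps = parse_ap_table(output)
    normal_ids = {ap["id"] for ap in aps if ap["state"] == "normal"}
    return (normal_ids == set(expected_ids)
            and len(normal_ids) == len(aps)
            and parse_ap_counters(output).get("Normal") == len(aps))


def parse_station_table(output):
    """Return one dict per STA row of 'display station assoc-info ap N'."""
    stas = []
    for line in output.splitlines():
        m = STA_ROW.match(line)
        if m:
            mac, ap_id, radio_id, ss_id, ssid = m.groups()
            stas.append({"mac": mac, "ap_id": int(ap_id), "radio_id": int(radio_id),
                         "ss_id": int(ss_id), "ssid": ssid})
    return stas


def locate_station(mac, outputs_by_ap):
    """Sorted [(ap_id, ssid)] for every AP whose association table lists mac."""
    hits = [(ap_id, sta["ssid"])
            for ap_id, output in outputs_by_ap.items()
            for sta in parse_station_table(output) if sta["mac"] == mac]
    return sorted(hits)


def verify_roam(mac, before, after, src_ap, dst_ap):
    """True when mac was associated only with src_ap before the move and only
    with dst_ap after it, on the same SSID (a precondition for roaming)."""
    b, a = locate_station(mac, before), locate_station(mac, after)
    return (len(b) == 1 and len(a) == 1
            and b[0][0] == src_ap and a[0][0] == dst_ap and b[0][1] == a[0][1])


if __name__ == "__main__":
    print("APs 1 and 2 normal:", all_aps_normal(DISPLAY_AP_ALL, [1, 2]))
    print("STA roamed AP1 -> AP2:", verify_roam(STA_MAC, BEFORE, AFTER, 1, 2))
```

The counter cross-check in all_aps_normal is there because a paged or truncated display ap all output can list fewer rows than the summary line reports; the two must agree before the AP state is trusted.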
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %@%@xI&d>!p~&X_GJ0~yU/z!,x,J%@%@
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return
Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interfaces directly
connected to APs. Without port isolation, a large number of broadcast packets
are flooded within the VLANs, and WLAN users on different APs can communicate
directly with each other at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
Networking Requirements
As shown in Figure 3-151, two APs are deployed in a campus network to provide
WLAN services for employees of two departments, and are managed and
controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs.
The employees of the two departments belong to different VLANs, that is, AP1
belongs to VLAN101 and AP2 belongs to VLAN102. The default security policy
(WEP open system authentication) is used. User data is forwarded through
tunnels.
The department requires that services should not be interrupted when a STA
moves from AP1 to AP2.
Figure 3-151 Networking diagram for configuring non-fast roaming between APs
in different service VLANs
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required,
which shortens the roaming switchover time. Configure non-fast roaming
between APs in different service VLANs to ensure nonstop service
transmission during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA
and the AC so that the APs and the AC can exchange CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs
and APs.
# Configure the DHCP server based on the interface address pool. VLANIF 100
provides IP addresses for AP1 and AP2, VLANIF 101 provides IP addresses for STAs
connected to AP1, and VLANIF 102 provides IP addresses for STAs connected to
AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID   AP Type        AP MAC           Profile ID/Region ID   AP State   AP Sysname
------------------------------------------------------------------------------
1       AP6010DN-AGN   00e0-fc11-1111   0/10                   normal     ap-1
2       AP6010DN-AGN   00e0-fc12-3456   0/10                   normal     ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Configure service sets for AP1 and AP2, and set the data forwarding mode to
tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit
Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC           AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc12-3457    1       0          0       test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC           AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc12-3457    2       0          1       test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return
Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming technology is used when a STA uses a non-
WPA2-802.1X security policy. If a STA uses WPA2-802.1X but does not support fast
roaming, the STA still needs to complete 802.1X authentication before roaming
between two APs. When the user uses the WPA2-802.1X security policy and
supports fast roaming, the user does not need to perform 802.1X authentication
again during roaming and only needs to perform key negotiation. In this case, fast
roaming reduces the roaming delay and improves the WLAN service experience.
Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interfaces directly
connected to APs. Without port isolation, a large number of broadcast packets
are flooded within the VLANs, and WLAN users on different APs can communicate
directly with each other at Layer 2.
● How to configure the source interface:
NOTE
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
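The first configuration note above, which is also stated before the two preceding examples, requires that the APs a STA roams between use the same SSID and identically configured security profiles. The following Python script is an added example, not part of the Huawei guide, that audits an AC configuration file for those preconditions before roaming is relied upon. Its sample input is constructed from the fast-roaming example that follows (service sets huawei-1 and huawei-2, security profile security, WLAN-ESS 0 and 1 with 802.1X enabled), with the wpa2 line of the security profile taken from that example's procedure, the one-space-per-level indentation of a VRP configuration file restored because the extracted text lost it, and unrelated sections omitted. The forward-mode and WLAN-ESS 802.1X consistency checks are this script's own additions, not requirements stated in the guide.

```python
"""Audit an AC configuration for the roaming preconditions (added example)."""
import re

# Constructed sample, assembled from the guide's example configuration.
CONFIG = """\
#
sysname AC
#
interface Wlan-Ess0
 port trunk allow-pass vlan 101 to 102
 authentication dot1x
 dot1x authentication-method eap
 permit-domain name huawei.com
 domain name huawei.com force
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101 to 102
 authentication dot1x
 dot1x authentication-method eap
 permit-domain name huawei.com
 domain name huawei.com force
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method dot1x encryption-method ccmp
 service-set name huawei-1 id 0
  forward-mode tunnel
  wlan-ess 0
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 service-set name huawei-2 id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 102
 ap 1 radio 0
  radio-profile id 1
  service-set id 0 wlan 1
 ap 2 radio 0
  radio-profile id 1
  channel 20MHz 6
  service-set id 1 wlan 2
#
return
"""


def parse_tree(config_text):
    """Build a command tree: nesting depth is the leading-space count of a
    line, '#' lines separate top-level sections, blank lines are ignored."""
    root = {"cmd": "", "children": []}
    stack = [(-1, root)]
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = {"cmd": raw.strip(), "children": []}
        while stack[-1][0] >= depth:
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((depth, node))
    return root


def child_value(node, prefix):
    """Argument of the first child command that starts with prefix, or None."""
    for child in node["children"]:
        if child["cmd"].startswith(prefix):
            return child["cmd"][len(prefix):].strip()
    return None


def audit_roaming(config_text, ap_ids):
    """Return findings (empty list means OK) for roaming between ap_ids: every
    service set bound to their radios must carry the same SSID, an identically
    configured security profile and the same forwarding mode; when the profile
    uses 802.1X, the bound WLAN-ESS interface must have 802.1X enabled."""
    tree = parse_tree(config_text)
    wlan = next((c for c in tree["children"] if c["cmd"] == "wlan"), None)
    if wlan is None:
        return ["no wlan view found"]
    sec_profiles, service_sets, bound = {}, {}, []
    for node in wlan["children"]:
        cmd = node["cmd"]
        sec = re.match(r"security-profile name \S+ id (\d+)$", cmd)
        sset = re.match(r"service-set name (\S+) id (\d+)$", cmd)
        radio = re.match(r"ap (\d+) radio \d+$", cmd)
        if sec:   # profile identity is its full command set, not its id
            sec_profiles[sec.group(1)] = tuple(sorted(c["cmd"] for c in node["children"]))
        elif sset:
            service_sets[sset.group(2)] = {
                "name": sset.group(1), "ssid": child_value(node, "ssid "),
                "sec": child_value(node, "security-profile id "),
                "forward": child_value(node, "forward-mode "),
                "ess": child_value(node, "wlan-ess ")}
        elif radio and int(radio.group(1)) in ap_ids:
            for c in node["children"]:
                b = re.match(r"service-set id (\d+) wlan \d+$", c["cmd"])
                if b:
                    bound.append((int(radio.group(1)), b.group(1)))
    ess_cmds = {}
    for node in tree["children"]:
        m = re.match(r"interface Wlan-Ess(\d+)$", node["cmd"])
        if m:
            ess_cmds[m.group(1)] = {c["cmd"] for c in node["children"]}
    findings, used = [], []
    for ap_id, ss_id in bound:
        if ss_id in service_sets:
            used.append(service_sets[ss_id])
        else:
            findings.append(f"unknown service-set id {ss_id} on AP {ap_id}")
    if not used:
        return findings + ["no service set bound to the given APs"]
    names = ", ".join(s["name"] for s in used)
    if len({s["ssid"] for s in used}) > 1:
        findings.append(f"ssid mismatch across {names}")
    if len({sec_profiles.get(s["sec"]) for s in used}) > 1:
        findings.append(f"security profile mismatch across {names}")
    if len({s["forward"] for s in used}) > 1:
        findings.append(f"forward-mode mismatch across {names}")
    for s in used:
        profile = sec_profiles.get(s["sec"], ())
        if (any("authentication-method dot1x" in c for c in profile)
                and "authentication dot1x" not in ess_cmds.get(s["ess"], set())):
            findings.append(f"802.1X missing on Wlan-Ess{s['ess']} used by {s['name']}")
    return findings


if __name__ == "__main__":
    for line in audit_roaming(CONFIG, [1, 2]) or ["OK: roaming preconditions satisfied"]:
        print(line)
```

Security profiles are compared by their full command set rather than by id, so two profiles with different ids but identical settings pass, while two service sets that reference the same id trivially agree. The audit reads the saved configuration file, so run it against display current-configuration output rather than an edited copy.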
Networking Requirements
As shown in Figure 3-152, two APs are deployed in a campus network to provide
WLAN services for employees of two departments, and are managed and
controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs.
The employees of the two departments belong to different VLANs, that is, AP1
belongs to VLAN101 and AP2 belongs to VLAN102. The security policy
WPA2-802.1X is used. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA
moves from AP1 to AP2.
Figure 3-152 Networking diagram for configuring fast roaming between APs in
different service VLANs
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming
between APs in the same service VLAN to ensure nonstop service transmission
during roaming.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA
and the AC so that the APs and the AC can exchange CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs
and APs, and configure VLANIF 103 to allow the AC to communicate with the
RADIUS server.
# Configure the DHCP server based on the interface address pool. VLANIF100
provides IP addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs
connected to AP1, and VLANIF102 provides IP addresses for STAs connected to
AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address
and the port number of the RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the
RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to
radius.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Configure an
authentication scheme in the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Configure a RADIUS server template
for the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID   AP Type        AP MAC           Profile ID/Region ID   AP State   AP Sysname
------------------------------------------------------------------------------
1       AP6010DN-AGN   00e0-fc11-1111   0/10                   normal     ap-1
2       AP6010DN-AGN   00e0-fc12-3456   0/10                   normal     ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure
WPA2 802.1X authentication and encryption.
[AC-wlan-sec-prof-security] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Configure service sets for AP1 and AP2, and set the data forwarding mode to
tunnel forwarding.
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC           AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc12-3457    2       0          1       test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 103
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return
WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs
using wireless links to establish a large network.
Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.
Configuration Notes
● The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the WDS function.
Among all WDS- and mesh-capable APs, only the AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE,
AP7050DN-E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single
WDS network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node.
Middle nodes do not set up WDS links between each other.
– A WDS link should have no more than three hops (a 3-hop WDS link
includes a root node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
NOTE
APs supporting WDS can be interconnected. APs with 802.11ac and 802.11n chips are
not subject to interoperation constraints.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.
Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A
can connect to SwitchA through cables, but AP2 in Area B and AP3 in Area C
cannot. The enterprise needs to provide Internet access for WLAN users in the
three areas and wired users in Area C, as shown in Figure 3-153.
Data Planning
Before configuring the WDS service, determine the types and MAC addresses of
the APs used as WDS bridges. The following table provides the data plan for this
example.
NOTE
AP Type MAC
Item: Service VLANs
Data: 101, 102, 103, 104, 105, 106
● Area A: VLAN 101 for WLAN services
● Area B: VLAN 102 for WLAN services
● Area C: VLAN 103 for WLAN services
● Area C: VLANs 104, 105, and 106 on AP3 wired interfaces
Description: The WDS bridges must allow packets of the service VLANs to which Area A,
Area B, and Area C belong to pass through.
Item: Radio profile
Data: Name: rp01 and rp02
Description: Use radio profile rp02 for the WDS service and radio profile rp01 for the
basic WLAN service.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the
AC, SwitchA, and AP1.
2. Configure the WDS function to allow AP2 and AP3 to connect to the AC using
wireless links.
3. Configure the basic WLAN service to provide Internet access service for WLAN
users in Area A, Area B, and Area C.
Procedure
Step 1 Connect AC and AP1.
# Configure the access switch SwitchA. Add GE0/0/1 on SwitchA to VLAN 100
(management VLAN), and set the PVID of GE0/0/1 to VLAN 100. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLANs 100 to 106 to pass through.
NOTE
Configure port isolation on GE0/0/1 that connects SwitchA and AP. Otherwise, unnecessary
packets are broadcast in the VLAN or WLAN users of different APs can communicate with each
other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If the port isolation group is not specified, the
interface is added to port isolation group 1 by default.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/2] quit
# Set the NAC mode to unified mode on the AC (default setting). Configure
GE1/0/0 to allow packets from VLANs 100 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 to 106
[AC] interface gigabitEthernet 1/0/0
[AC-GigabitEthernet1/0/0] port link-type trunk
[AC-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 106
[AC-GigabitEthernet1/0/0] quit
# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID
0. AP regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit
# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By
default, an AP is added to region 0. This example adds the three APs to regions
101, 102, and 103 respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit
# Create a radio profile rp02 for the WDS bridges, set the channel mode to fixed
and retain the default settings for other parameters, and bind the WMM profile
wp01 to the radio profile. The default channel mode is auto, but the fixed mode
must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed // The APs along the WDS link must use the same
channel, so the fixed mode must be used.
[AC-wlan-radio-prof-rp02] quit
# Create the bridge whitelists bw01 and bw02. By default, no bridge whitelist is
created, so any AP configured with the same bridge name and pre-shared key can attach
to a root or middle node. This example uses whitelist bw01 on the root node and
whitelist bw02 on the middle node so that each node accepts only its intended neighbor.
[AC-wlan-view] bridge-whitelist name bw01
[AC-wlan-br-whitelist-bw01] peer ap mac 00e0-fc59-1d20 // The middle AP (AP2) connects to the
root AP, so AP2's MAC address is added to bw01.
[AC-wlan-br-whitelist-bw01] quit
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 00e0-fc59-1d40 // The leaf AP (AP3) connects to the
middle AP, so AP3's MAC address is added to bw02.
[AC-wlan-br-whitelist-bw02] quit
# Bind the radio profile rp02 to radio 1 of AP1, set the bridge mode of radio 1 to
root, and bind the bridge whitelist bw01 to radio 1. By default, no bridge whitelist
is bound to a radio. This example binds bridge whitelist bw01 to the root AP's
radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] bridge enable mode root
[AC-wlan-radio-1/1] bridge-whitelist name bw01
[AC-wlan-radio-1/1] bridge whitelist enable
[AC-wlan-radio-1/1] quit
# Bind the radio profile rp02 to radio 1 of AP2, set the bridge mode of radio 1 to
middle, and bind the bridge whitelist bw02 to radio 1. By default, no bridge
whitelist is bound to a radio. This example binds bridge whitelist bw02 to the
middle AP's radio.
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] bridge enable mode middle
[AC-wlan-radio-2/1] bridge-whitelist name bw02
[AC-wlan-radio-2/1] bridge whitelist enable
[AC-wlan-radio-2/1] quit
# Bind AP3 radio 1 to the radio profile rp02 and set the wireless bridge working
mode to leaf.
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] bridge enable mode leaf
[AC-wlan-radio-3/1] quit
# After the preceding configurations are complete, power on the APs. If the APs
are already powered on, restart the root AP to make the configuration take effect.
Run the display ap all and display bridge-link all commands on the AC to check
whether the APs work properly and whether the WDS links (wireless virtual links,
WVLs) are successfully established. If the WVLs are displayed and all APs are in the
normal state, the management bridge is successfully established.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 00e0-fc59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 00e0-fc59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
NOTE
The AP that establishes the bridge on a WDS network supports only WPA2+PSK+CCMP.
# Create a security profile sp01, set the security policy to WPA2-PSK with CCMP
encryption, and set the pre-shared key to Example@123.
[AC] wlan
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher Example@123
encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit
# Create a bridge profile with the name bp01 and identifier ChinaNet01, and
bind the bridge profile to the security profile sp01.
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name ChinaNet01
[AC-wlan-bridge-prof-bp01] vlan tagged 101 to 106 // Allow packets of service VLANs to pass.
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC-wlan-bridge-prof-bp01] quit
# Create a bridge VAP on AP1 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP1 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] service-set name ss01
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 // Radios that establish a WDS link must use the same
channel and bandwidth. Here, the radios use 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit
# Create a bridge VAP on AP2 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP2 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit
# Create a bridge VAP on AP3 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP3 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit
NOTE
After changing the working mode of AP wired interfaces, reset the APs to make the
configurations take effect.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 00e0-fc59-1ee0 sn 210235555310CC003587
region-id 101
ap id 2 type-id 19 mac 00e0-fc59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 00e0-fc59-1d40 sn 210235555310CC00AC69
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 0
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb
%@%@ encryption-method ccmp
service-set name ss01 id 0
wlan-ess 1
ssid ChinaSer01
traffic-profile id 0
security-profile id 0
service-vlan 101
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
vlan tagged 101 to 106
radio-profile name rp01 id 0
wmm-profile id 0
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 0
bridge-whitelist name bw01 id 0
peer ap mac 00e0-fc59-1d20
bridge-whitelist name bw02 id 1
peer ap mac 00e0-fc59-1d40
ap 1 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 1
bridge-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode leaf
bridge-profile id 0
#
return
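The bridge whitelist, the WPA2-PSK-CCMP requirement for bridging radios, and the AP registration table in the configuration file above are three places where a one-character slip silently breaks or weakens a WDS link. The following Python script is an added example, not part of the Huawei documentation: it audits those three rules over an AC configuration in the format the AC prints (mesh-profile and mesh-whitelist objects are parsed by the same rules). The embedded configuration is constructed for the example and its three defects are deliberate.

```python
"""Audit the WDS/mesh bridging part of a Huawei AC configuration (V200R005/R006 syntax)."""
import re

# Constructed sample modelled on the AC configuration file above, with the one-space
# indentation the AC prints. Three defects are embedded on purpose: bridge-profile bp01
# points at an 802.1X security profile, whitelist bw02 lists a MAC that belongs to no
# registered AP, and middle node AP2 binds a whitelist without enabling it.
SAMPLE_AC_CONFIG = """\
wlan
 wlan ac source interface vlanif100
 ap id 1 type-id 19 mac 00e0-fc59-1ee0
 ap id 2 type-id 19 mac 00e0-fc59-1d20
 ap id 3 type-id 19 mac 00e0-fc59-1d40
 security-profile name sp01 id 0
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@Ab12%@%@ encryption-method ccmp
 security-profile name sp02 id 1
  security-policy wpa2
  wpa2 authentication-method dot1x encryption-method ccmp
 bridge-profile name bp01 id 0
  bridge-name ChinaNet01
  security-profile id 1
  vlan tagged 101 to 106
 bridge-whitelist name bw01 id 0
  peer ap mac 00e0-fc59-1d20
 bridge-whitelist name bw02 id 1
  peer ap mac 0046-4b59-1d40
 ap 1 radio 1
  bridge enable mode root
  bridge whitelist enable
  bridge-whitelist id 0
  bridge-profile id 0
 ap 2 radio 1
  bridge enable mode middle
  bridge-whitelist id 1
  bridge-profile id 0
 ap 3 radio 1
  bridge enable mode leaf
  bridge-profile id 0
#
return
"""


def wlan_blocks(config):
    """Split the 'wlan' view into (header, [sub-lines]) pairs using the indentation
    depth the AC emits: depth 1 opens an object, depth 2 and deeper belongs to it."""
    blocks, in_wlan = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:
            in_wlan = line == "wlan"
        elif in_wlan and depth == 1:
            blocks.append((line, []))
        elif in_wlan and blocks:
            blocks[-1][1].append(line)
    return blocks


def is_wpa2_psk_ccmp(body):
    """The text states that bridge and mesh radios support only WPA2+PSK+CCMP."""
    return "security-policy wpa2" in body and any(
        "authentication-method psk" in l and "encryption-method ccmp" in l for l in body)


def audit_bridging(config):
    """Return a list of findings; an empty list means the bridging config is consistent."""
    blocks = wlan_blocks(config)
    ap_macs, sec_profiles, findings = set(), {}, []
    for head, body in blocks:
        if m := re.match(r"ap id \d+ .*\bmac (\S+)", head):
            ap_macs.add(m[1].lower())
        elif m := re.match(r"security-profile name (\S+) id (\d+)", head):
            sec_profiles[int(m[2])] = (m[1], body)
    for head, body in blocks:
        # Rule 1: every bridge/mesh profile must reference a WPA2-PSK-CCMP security profile.
        if m := re.match(r"(bridge|mesh)-profile name (\S+)", head):
            ids = [int(l.split()[-1]) for l in body if l.startswith("security-profile id")]
            name, sp_body = sec_profiles.get(ids[0], ("<none>", [])) if ids else ("<none>", [])
            if not is_wpa2_psk_ccmp(sp_body):
                findings.append(f"{m[2]}: security profile {name} is not WPA2-PSK-CCMP")
        # Rule 2: whitelist entries must be MACs of APs registered on this AC; a typo
        # here silently stops the intended peer from ever bridging.
        elif m := re.match(r"(bridge|mesh)-whitelist name (\S+)", head):
            for mac in (l.split()[-1].lower() for l in body if l.startswith("peer ap mac")):
                if mac not in ap_macs:
                    findings.append(f"{m[2]}: peer {mac} is not a registered AP MAC")
        # Rule 3: a root or middle radio must bind a whitelist AND enable it; otherwise any
        # AP configured with the same bridge name and PSK can attach as a subnode.
        elif m := re.match(r"ap (\d+) radio (\d+)", head):
            mode = next((l.split()[-1] for l in body if l.startswith("bridge enable mode")), None)
            bound = any(l.startswith("bridge-whitelist id") for l in body)
            if mode in ("root", "middle") and not (bound and "bridge whitelist enable" in body):
                findings.append(f"ap {m[1]} radio {m[2]} ({mode}): bridge whitelist not bound and enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_bridging(SAMPLE_AC_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of display current-configuration saved to a file; the indentation-based splitter is what makes the per-object checks possible, so keep the AC's own formatting rather than a copy pasted through a tool that strips leading spaces.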
Configuration Notes
● The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the mesh function.
● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE
Among all WDS- and mesh-capable APs, only the AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE,
AP7050DN-E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● It is recommended that you deploy no more than 40 mesh nodes on a mesh
network.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.
Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A
can connect to the access switch (SwitchA) through a wired link, but AP2 in Area
B and AP3 in Area C cannot. A WMN needs to be deployed in the three areas to
connect AP2 and AP3 to the enterprise network, as shown in Figure 3-154.
Data Plan
Before configuring the mesh service, determine the types and MAC addresses of
the APs used as mesh nodes. The following table provides the data plan for this
example.
NOTE
AP Type MAC
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the
AC, SwitchA, and AP1.
2. Configure the mesh function to enable AP2 and AP3 to connect to the AC
through mesh links.
3. Configure the basic WLAN service to provide Internet access service for WLAN
users in Area A, Area B, and Area C.
Procedure
Step 1 Connect AP1 to the AC.
# Configure SwitchA. Add GE0/0/1 of SwitchA to management VLAN 100, set the
PVID to VLAN 100, and configure GE0/0/1 and GE0/0/2 to allow packets from
VLAN 100 and VLANs 102 to 106 to pass through.
NOTE
You are advised to configure port isolation on GE0/0/1 that connects SwitchA to AP1. If port
isolation is not configured, unnecessary packets are broadcast in the VLANs or WLAN users
connected to different APs can communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
# Set the NAC mode to unified mode on the AC (default setting). Configure
GE1/0/1 to allow packets from VLAN 100 and VLANs 102 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 102 to 106
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 102 to 106
[AC-GigabitEthernet1/0/1] quit
# Configure the Ethernet interfaces that connect APs to SwitchA to allow packets
from VLAN 102 to VLAN 106 to pass through.
NOTE
If MPP Ethernet interfaces are not configured to allow packets carrying service VLAN tags to
pass through, communication fails.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] lineate-port gigabitethernet 0 vlan tagged 102 to 106
[AC-wlan-ap-1] quit
# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID
0. AP regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit
# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By
default, an AP is added to region 0. This example adds the three APs to regions
101, 102, and 103 respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit
# Create a radio profile rp02, set the channel mode to fixed and retain the default
settings for other parameters, and bind the WMM profile wp01 to the radio
profile. The default channel mode is auto, but the fixed mode must be used in
this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed //The APs along the mesh link must use the same
channel, so the fixed mode is used here.
[AC-wlan-radio-prof-rp02] quit
# Create security profile sp01, set the security and authentication policy to WPA2-
PSK, set the authentication key to YsHsjx_202206, and set the encryption mode to
CCMP.
NOTE
On a WMN, the APs that connect to each other wirelessly support only security policy
WPA2+PSK+CCMP.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher YsHsjx_202206
encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit
# Create a mesh profile mesh01. Set the mesh network ID to ChinaNet01, bind
the security profile sp01 to the mesh profile, and retain the default settings of
other parameters.
[AC-wlan-view] mesh-profile name mesh01
[AC-wlan-mesh-prof-mesh01] mesh-id ChinaNet01
[AC-wlan-mesh-prof-mesh01] security-profile name sp01
[AC-wlan-mesh-prof-mesh01] quit
# Create a mesh VAP on radio 1 of AP1 and set the role of radio 1 to MPP, and
bind the mesh whitelist mesh01 and mesh profile mesh01 to the radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] mesh-role mesh-portal
[AC-wlan-radio-1/1] mesh-whitelist name mesh01
[AC-wlan-radio-1/1] mesh-profile name mesh01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Radios setting up a mesh link must use the same
channel and bandwidth. This example uses 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit
# Create a mesh VAP on radio 1 of AP2 and set the role of radio 1 to MP, and bind
the mesh whitelist mesh01 and mesh profile mesh01 to the radio. Create a
service VAP on radio 0 of AP2 and bind radio profile rp01 and service set ss02 to
radio 0.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] mesh-role mesh-node
[AC-wlan-radio-2/1] mesh-whitelist name mesh01
[AC-wlan-radio-2/1] mesh-profile name mesh01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit
# Create a mesh VAP on radio 1 of AP3 and set the role of radio 1 to MP, and bind
the mesh whitelist mesh01 and mesh profile mesh01 to the radio. Create a
service VAP on radio 0 of AP3 and bind radio profile rp01 and service set ss03 to
radio 0.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] mesh-role mesh-node
[AC-wlan-radio-3/1] mesh-whitelist name mesh01
[AC-wlan-radio-3/1] mesh-profile name mesh01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit
NOTE
After changing the working mode of AP wired interfaces, reset the APs to make the
configurations take effect.
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
# Run the display ap all command on the AC to check whether the status of APs
is normal and run the display mesh-link all command on the AC to check
whether mesh links have been established. If the command output shows that APs
are in normal state and displays mesh link information, APs have established
mesh links.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 00e0-fc59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 00e0-fc59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3
[AC-wlan-view] display mesh-link all
----------------------------------------------------------------------
AP ID Radio ID Mesh-link ID WLAN ID Peer AP ID Mesh Role
----------------------------------------------------------------------
1 1 0 16 3 mesh-portal
1 1 1 16 2 mesh-portal
2 1 0 16 3 mesh-node
2 1 1 16 1 mesh-node
3 1 0 16 1 mesh-node
3 1 1 16 2 mesh-node
----------------------------------------------------------------------
Total: 6
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 102 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 102 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 00e0-fc59-1ee0 sn 210235555310CC003587
region-id 101
lineate-port gigabitethernet 0 vlan tagged 102 to 106
ap id 2 type-id 19 mac 00e0-fc59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 00e0-fc59-1d40 sn 210235555310CC00AC69
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 1
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb
%@%@ encryption-method ccmp
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
mesh-profile name mesh01 id 0
mesh-id ChinaNet01
security-profile id 0
radio-profile name rp01 id 0
wmm-profile id 1
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 1
mesh-whitelist name mesh01 id 0
peer ap mac 00e0-fc59-1ee0
peer ap mac 00e0-fc59-1d20
peer ap mac 00e0-fc59-1d40
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-role mesh-portal
mesh-whitelist id 0
mesh-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
#
return
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large amount of abnormal
multicast traffic is received on the network side, the air interfaces may be
congested, and STAs may suffer from slow network access. You are advised to
configure multicast packet suppression to reduce impact of a large number of
low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet
suppression on WLAN-ESS interfaces of the AC.
Procedure
● Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of IPv4 multicast packets (01-00-5e-xx-xx-xx).
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.
c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
● Configure multicast packet suppression in tunnel forwarding mode.
b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.
[AC] traffic behavior test
[AC-behavior-test] statistic enable
[AC-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are
available, you are advised to set the rate limit according to the service traffic.
[AC-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[AC] traffic policy test
[AC-trafficpolicy-test] classifier test behavior test
[AC-trafficpolicy-test] quit
----End
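The classifier in the procedure keys on a destination MAC prefix, so it is worth seeing what that prefix actually selects. The following Python script is an added example, not part of the original documentation: it derives the IPv4 multicast MAC for a group address (the RFC 1112 mapping), applies the VRP match/mask test to a constructed set of destination MACs, and shows that a match on a unicast OUI such as 00e0-fc rate-limits unicast to devices with that OUI rather than multicast. The sample frame list is constructed for the example.

```python
"""Show which destination MACs the multicast-suppression classifier selects."""
import ipaddress


def ipv4_multicast_mac(group):
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address.
    The top 5 bits of the host part are dropped, so 32 groups share each MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "0100-5e%02x-%04x" % (low23 >> 16, low23 & 0xFFFF)


def mac_to_int(mac):
    """Accept VRP 'xxxx-xxxx-xxxx' as well as colon notation."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def classifier_matches(dst_mac, match_mac, mask):
    """VRP 'if-match destination-mac X mac-address-mask M' tests (dst & M) == (X & M)."""
    m = mac_to_int(mask)
    return (mac_to_int(dst_mac) & m) == (mac_to_int(match_mac) & m)


# IPv4 multicast prefix with the mask used in the procedure. The strict IPv4 multicast
# range is 01-00-5e-00-00-00/25, i.e. mask ffff-ff80-0000; ffff-ff00-0000 is wider.
MATCH_MAC, MASK = "0100-5e00-0000", "ffff-ff00-0000"

# Constructed sample of destination MACs as they might be seen on an AP-facing port.
SAMPLE_FRAMES = {
    ipv4_multicast_mac("224.0.0.251"): "mDNS (224.0.0.251)",
    ipv4_multicast_mac("239.255.255.250"): "SSDP (239.255.255.250)",
    "3333-0000-0001": "IPv6 all-nodes (ff02::1)",
    "ffff-ffff-ffff": "broadcast (ARP request)",
    "00e0-fc12-3456": "unicast to a STA",
}


def suppressed(frames=SAMPLE_FRAMES, match_mac=MATCH_MAC, mask=MASK):
    """Return the descriptions of the frames the classifier hands to the CAR action."""
    return [desc for mac, desc in frames.items() if classifier_matches(mac, match_mac, mask)]


if __name__ == "__main__":
    print("rate-limited:", suppressed())
    print("caught by a 00e0-fc match instead:", suppressed(match_mac="00e0-fc00-0000"))
```

Two practical consequences follow from the output: IPv6 multicast (33-33-xx) and broadcast are outside the 01-00-5e match and need their own classifier if they are part of the problem, and because 32 groups share each MAC a rate limit on one busy group also throttles every other group that maps to the same address.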
Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for
management packets and service data packets.
● Management VLAN: transmits packets that are forwarded through CAPWAP
tunnels, including management packets and service data packets forwarded
through CAPWAP tunnels.
● Service VLAN: transmits service data packets.
NOTE
● It is recommended that you use different VLANs for the management VLAN and service
VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different. The
network between the AC and AP can only permit packets with management VLAN tags to
pass through, and cannot permit packets with service VLAN tags to pass through.
● When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface
allows packets from all VLANs but no VLAN is created by default. VLANs are automatically
created or deleted based on the VLAN list on the connected RU.
The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.
In Figure 3-155:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving
downstream management packets, the AC encapsulates the packets in
CAPWAP packets and tags them with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets.
● Figure 3-156 shows the process of directly forwarding service data packets.
When the STP topology changes, the device sends Topology Change (TC) packets
to instruct other devices to update their forwarding tables. If network flapping
occurs, the devices will receive a large number of TC packets in a short period of
time, and update MAC address or ARP entries frequently. As a result, the devices
are heavily burdened, threatening network stability.
The STP TC protection function is enabled by default. After enabling the TC
protection function, you can set the number of times a switching device processes
TC packets within a given time. If the number of TC packets received by the
switching device within the given time exceeds the specified threshold, the
switching device processes TC packets only for the specified number of times. For
the TC packets exceeding the threshold, the switching device processes them
together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, which reduces the
resulting processing load.
# If you need to understand how the switching device processes TC packets,
enable the TC protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection
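To make the mechanism concrete, here is an added simulation (not Huawei code) of a TC protection timer: it records when a switch would flush its MAC/ARP entries for a burst of TC packets, processing at most a threshold number per interval and handling the excess together when the timer expires. The threshold, interval and arrival times are constructed values, not device defaults.

```python
"""Simulate the STP TC protection behaviour described above.

Added example, not Huawei code: a switch without protection flushes its
MAC/ARP entries on every TC packet; with TC protection it processes at
most `threshold` TC packets per `interval` seconds and handles the excess
once, together, when the timer expires. The threshold, interval and
arrival times used here are constructed values, not device defaults."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcProtection:
    threshold: int = 3            # TC packets processed per interval (constructed)
    interval: float = 2.0         # protection timer in seconds (constructed)
    window_start: Optional[float] = None
    processed: int = 0            # TC packets handled in the current window
    deferred: int = 0             # TC packets held back in the current window
    flushes: List[float] = field(default_factory=list)  # when tables were flushed

    def expire_timer(self, now: float) -> None:
        """If the timer has run out, do one batched flush for the held-back
        packets and close the window."""
        if self.window_start is None or now < self.window_start + self.interval:
            return
        if self.deferred:
            self.flushes.append(self.window_start + self.interval)
        self.window_start, self.processed, self.deferred = None, 0, 0

    def receive_tc(self, now: float) -> None:
        """Handle a TC packet arriving at time `now` (seconds)."""
        self.expire_timer(now)
        if self.window_start is None:
            self.window_start = now       # first packet starts the timer
        if self.processed < self.threshold:
            self.processed += 1
            self.flushes.append(now)      # flush MAC/ARP entries right away
        else:
            self.deferred += 1            # wait for the timer to expire


def flush_times(arrivals: List[float], threshold: int = 3,
                interval: float = 2.0) -> List[float]:
    """Timestamps at which a protected switch flushes its tables for the
    given TC arrival times; without protection each arrival is a flush."""
    tp = TcProtection(threshold, interval)
    for t in arrivals:
        tp.receive_tc(t)
    if arrivals:
        tp.expire_timer(arrivals[-1] + interval)  # let the last timer run out
    return tp.flushes


if __name__ == "__main__":
    # Constructed flapping burst: 12 TC packets within 1.1 s, one more at 5 s.
    burst = [i * 0.1 for i in range(12)] + [5.0]
    print(f"{len(burst)} TC packets -> {len(flush_times(burst))} flushes at",
          flush_times(burst))
```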
Optimized ARP reply enabled globally or on a specified VLANIF does not take
effect if any of the following commands is executed:
● arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-
collision function.
● arp ip-conflict-detect enable: enables IP address conflict detection.
● arp anti-attack check user-bind enable: enables dynamic ARP inspection.
● dhcp snooping arp security enable: enables egress ARP inspection.
● arp over-vpls enable: enables ARP proxy on the device located on a VPLS
network.
● arp-proxy enable: configures the routed ARP proxy function.
After the optimized ARP reply function is enabled, the following functions become
invalid:
● ARP rate limiting based on source MAC addresses (configured using the arp
speed-limit source-mac command)
● ARP rate limiting based on source IP addresses (configured using the arp
speed-limit source-ip command)
● Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate
limiting on interfaces (configured using the arp anti-attack rate-limit
enable command)
Reliability Configuration
ACs use cluster switch system (CSS) technology for networking, and access
switches are connected to different members in the CSS through Eth-Trunks. If one
AC is faulty, the network can be restored rapidly.
proxy function be disabled when the AC serves as the gateway, unless otherwise
required.
If STAs of multiple types exist, you can configure different authentication and
encryption modes. Hybrid encryption is recommended.
# Configure WPA-WPA2 authentication (802.1X authentication and hybrid
encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
In wireless city scenarios, you are advised to reduce the association aging time of
STAs. One minute is recommended.
# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
The STA blacklist and whitelist increase the burden on the AC and degrade AC
performance. Therefore, the blacklist and whitelist are not recommended, unless
otherwise required.
Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r
cannot associate with 802.11r-enabled WLANs. It is recommended that 802.11r be
disabled when multiple types of STAs exist on a WLAN.
Reporting Information about STA Traffic and Online Duration on APs Is Not
Recommended
You can enable an AC to report information about STA traffic and online duration
on APs to eSight. After this function is enabled, the AC collects and reports the
information to eSight through Syslog when STAs get offline or roam within the
AC, which facilitates data query on eSight.
# Disable the AC from reporting information about STA traffic and online duration
on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable
● Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled
on an AP by default. The rate thresholds for ARP, ND, and IGMP flood attack
detection are 5 pps, 16 pps, and 4 pps, respectively. You are not advised to
change the default values. When service traffic is heavy on a network, the
values can be increased properly. However, it is recommended that the values
be increased by no more than 100%.
# Set the rate threshold for ARP flood attack detection to 10 pps. (This
function is supported only by V200R010.)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10
● Data traffic limiting: The rate limit of upstream and downstream packets for
each STA or all STAs associated with a VAP is configured in a traffic profile on
an AP.
# Set the rate limit of upstream packets to 1 Mbit/s for each STA associated
with the VAP that has the traffic profile p1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name p1
[HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024
Different suggestions are provided for X series cards and non-X series cards of ACs.
● The user-level rate limiting function is recommended for X series cards and is
enabled by default. Supported packet types include ARP Request, ARP Reply,
ND, DHCP Request, DHCPv6 Request, and 802.1X. By default, the user-level
rate limit is 10 pps. You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c
to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20
● The attack source tracing function is recommended for non-X series cards and
is enabled by default. If the number of protocol packets of normal services
exceeds the specified checking threshold and an attack source punishment
action is configured, the attack source tracing function may affect these
normal services. You can attempt to disable the attack source tracing function
or disable this function for corresponding protocols to restore the services.
# Configure the device to discard packets from the identified source every 10
seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired
# Set the radio calibration mode to schedule and set the time for scheduled radio
calibration to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00
Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and usually
associate with the 2.4 GHz frequency band by default when connecting to the
Internet through APs. To associate STAs with the 5 GHz frequency band, you need
to manually select the 5 GHz frequency band. The band steering function
addresses this issue.
After the band steering function is enabled for a specified SSID on the AC, the AP
preferentially associates the STAs connected to the SSID with the 5 GHz frequency
band. After the 5 GHz frequency band is fully loaded, the AP steers the STAs to
the 2.4 GHz frequency band.
If both radios of an AP use the same VAP profile, the band steering function takes
effect on both the radios as long as the function is enabled for an SSID on one
radio of the AP. For example, if the band steering function is enabled for the SSID
huawei on the 2.4 GHz radio but not on the 5 GHz radio, the AP preferentially
steers STAs associated with the SSID to the 5 GHz radio.
The band steering function is enabled by default. Single-radio APs do not support
the band steering function.
This function applies to high-density static scenarios, for example, lecture halls.
This function is not recommended in scenarios where STAs move frequently, such
as wireless cities. If this function is enabled, you are advised to retain the default
roaming threshold.
The dynamic EDCA parameter adjustment function allows APs to adjust EDCA
parameters flexibly by detecting the number of STAs to reduce the possibility of
collision, improve the throughput, and enhance user experience.
# Enable dynamic EDCA parameter adjustment.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name myprofile
[HUAWEI-wlan-rrm-prof-myprofile] dynamic-edca enable
If a large signal strength threshold is set, STAs may go offline easily. Set a proper threshold
based on the actual situation.
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy
WLAN services for mobile office so that its employees can access the enterprise
internal network anywhere and anytime.
As shown in Figure 3-161, the AC is connected to the AP through a PoE switch,
and the PoE switch supplies power to the AP. The WLAN service is configured on
the AC, and delivered to APs.
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, SwitchA, and upstream device to implement Layer 2
interoperation.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and AP.
3. Configure the AP to go online.
a. Create an AP group to allow for the unified configuration of multiple APs.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that
the AP can go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc11-1111
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security
policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
After the service configuration is complete, run the display vap ssid wlan-net
command. In the command output, if Status is ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 00E0-FC11-1111 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC11-1112 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
00e0-fc11-1115 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc11-1111 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
Networking Requirements
As shown in Figure 3-162, an enterprise's AC connects to the egress gateway
Router of the campus network and connects to the AP through a PoE switch. The
PoE switch provides power to the AP.
The enterprise requires a WLAN with SSID wlan-net so that users can access the
enterprise internal network from anywhere and anytime. The Router needs to
function as a DHCP server to assign IP addresses on 10.23.101.0/24 to users and
manage users on the AC.
Data Planning
Item                        Data
IP address pool for the APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an
interface IP address pool, configure the AC as a DHCP relay agent, and
configure the Router connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service for users to connect to the Internet.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to
10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the
network segment 10.23.101.0/24.
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
After the service configuration is complete, run the display vap ssid wlan-net
command. In the command output, if Status is ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 00E0-FC11-1111 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC11-1112 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
00e0-fc11-1115 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
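The rules in the notes above (VLAN 1 removed from trunks, port isolation on ports wired to APs, management and service VLANs kept distinct in tunnel forwarding mode, an OPEN security policy only on VAPs that carry an authentication profile) can be checked mechanically against a saved configuration file in the layout of the configuration files listed above. The following Python script is an added example, not Huawei code or a tool from this guide; the parser, the rule names and the sample configuration are my own constructions, and the script assumes the configuration was saved in the block layout shown above (blocks separated by `#`, profiles nested under `wlan`).

```python
import re

# Lines that open a configuration block in a VRP-style configuration file
# (assumed helper; the header keywords themselves are the ones used above).
HEADER_RE = re.compile(
    r"^(interface \S+|vap-profile name \S+|security-profile name \S+|"
    r"ssid-profile name \S+|traffic-profile name \S+|ap-group name \S+|ap-id \d+.*)$"
)


def parse_config(text):
    """Map each block header to the stripped lines of its body. Lines outside any
    block (sysname, vlan batch, capwap source interface ...) are kept under ''."""
    blocks = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":  # block separator
            current = ""
            continue
        if HEADER_RE.match(line):
            current = line
            blocks.setdefault(current, [])
        else:
            blocks[current].append(line)
    return blocks


def management_vlan(blocks):
    """The management VLAN is the VLANIF that CAPWAP is sourced from."""
    for line in blocks[""]:
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def audit(text):
    """Return (rule, object) findings for the configuration notes above."""
    blocks = parse_config(text)
    mgmt = management_vlan(blocks)
    findings = []
    for header, body in blocks.items():
        if header.startswith("interface GigabitEthernet"):
            port = header.split(" ", 1)[1]
            if "port link-type trunk" in body and "undo port trunk allow-pass vlan 1" not in body:
                findings.append(("vlan1-on-trunk", port))
            # In these examples a PVID on a trunk marks a port wired directly to an AP.
            if any(l.startswith("port trunk pvid vlan") for l in body) and not any(
                l.startswith("port-isolate enable") for l in body
            ):
                findings.append(("no-port-isolate", port))
        elif header.startswith("vap-profile name "):
            vap = header.split()[-1]
            svc = next((int(l.split()[-1]) for l in body if l.startswith("service-vlan vlan-id")), 1)
            tunnel = "forward-mode tunnel" in body  # direct forwarding is the default
            if mgmt is not None and svc == mgmt:
                findings.append(("tunnel-svc-eq-mgmt" if tunnel else "direct-svc-eq-mgmt", vap))
            sec = next((l.split()[-1] for l in body if l.startswith("security-profile ")), None)
            sec_body = blocks.get(f"security-profile name {sec}", [])
            if "security open" in sec_body and not any(l.startswith("authentication-profile ") for l in body):
                findings.append(("open-without-auth", vap))
    return findings


# Constructed sample in the style of the AC configuration file above, with four
# of the rules deliberately violated (not a configuration from the guide).
SAMPLE_BAD = """\
#
capwap source interface vlanif100
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 101
 stp edged-port enable
#
wlan
 security-profile name wlan-security
  security open
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-security
#
return
"""

# The same configuration with the notes applied.
SAMPLE_GOOD = SAMPLE_BAD.replace(
    " port trunk pvid vlan 100\n",
    " port trunk pvid vlan 100\n undo port trunk allow-pass vlan 1\n port-isolate enable group 1\n",
).replace("service-vlan vlan-id 100", "service-vlan vlan-id 101").replace(
    "  security-profile wlan-security\n",
    "  security-profile wlan-security\n  authentication-profile portal1\n",
)

if __name__ == "__main__":
    for rule, obj in audit(SAMPLE_BAD):
        print(f"{rule}: {obj}")
    print("clean config findings:", audit(SAMPLE_GOOD))
```

Run it against the output of `display current-configuration` saved to a file; the `direct-svc-eq-mgmt` rule is reported as a finding because the notes only advise against that combination, so treat it as a warning rather than a hard failure.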
Networking Requirements
A hospital needs to deploy both a wired and a wireless network. To simplify
management and maintenance, the administrator requires that wired and wireless
users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and
intra-AC roaming be enabled for wireless users.
As shown in Figure 3-163, the AC connects to the egress gateway Router in the
uplink direction. In the downstream direction, the AC connects to and manages
APs through access switches S5700-1 and S5700-2. S5700-1 is deployed on the
first floor, and S5700-2 is deployed on the second floor. An AP2030DN is deployed
in each room to provide both wired and wireless access. AP5030DNs are deployed
in corridors to provide wireless network coverage. Both S5700-1 and S5700-2 are
PoE switches and supply power to connected APs.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2, and all gateways are configured on
the AC.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.
Data Planning
AP103: AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide wireless access.
AP203: AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide wireless access.
AP group:
● Name: ap-group2
● Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
VLANIF 102: 10.23.102.1/24, address range 10.23.102.2-10.23.102.254/24
VLANIF 202: 10.23.202.1/24, address range 10.23.202.2-10.23.202.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other
network devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users,
and wireless users.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of S5700-1 to VLAN 100 (management VLAN) and
VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of
S5700-2 to VLAN 100 and VLAN 202 (VLAN for wireless service packets). Set
PVIDs for interfaces directly connected to APs. You are advised to configure port
isolation on these interfaces to reduce unnecessary broadcast traffic. S5700-1 is
used as an example here. The configuration on S5700-2 is similar. For details, see
the configuration file of S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
# On the AC, add GE1/0/1 (connected to S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected
to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the
controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/4] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface
address pool.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first
floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the
second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first
floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the
second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the controller functions as the RADIUS server,
the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate
account status information maintenance on the RADIUS server, including the login and logout information,
and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of
APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
ExtraInfo : Extra information
P : insufficient power supply
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------
101 00e0-fc76-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor 0 10S -
102 00e0-fc76-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor 0 15S -
103 00e0-fc76-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor 0 23S -
201 00e0-fc76-e360 ap-201 ap-group2 10.23.102.254 AP2030DN nor 0 45S -
202 00e0-fc76-e380 ap-202 ap-group2 10.23.102.253 AP2030DN nor 0 49S -
203 00e0-fc76-b540 ap-203 ap-group2 10.23.102.252 AP5030DN nor 0 55S -
-------------------------------------------------------------------------------------------------
Total: 6
# Create RRM profile rrm1. By default, the automatic channel and transmit power
selection functions are enabled. When you need to manually specify the channel
and power for a radio, set the channel and transmit power selection modes to
fixed.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel selection mode of the
radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the transmit power selection mode of
the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit
NOTE
In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
# Create radio profiles radio-2g and radio-5g, and bind the RRM profile rrm1 to
the radio profiles.
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the
interface. Set the security policy to OPEN, that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding
mode and service VLANs, and apply the security profile, SSID profile, and
authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 //Set the VLAN ID to 102. By default, the VLAN
ID is 1.
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the
password, the STAs can access the wireless network. Run the display station all
command on the AC. The command output shows that the STAs are connected to
the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
00e0-fc12-3456 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network properly.
----End
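The verification steps above read the tables printed by display ap all and display station all by eye. When the same check has to be repeated after every change, it helps to parse those tables and compare them with the data plan: every AP that is online should be in the planned AP list with its planned group and in state nor, and every STA should land in the service VLAN and subnet that its VAP profile delivers. The following Python script is an added example, not Huawei code or part of this guide; the parsing functions, rule names, inventory format and the sample command output are my own constructions, written for the column layout of the outputs shown above (the "fault" state value and the extra rows in the sample are constructed).

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def parse_ap_table(output):
    """Rows of 'display ap all': ID MAC Name Group IP Type State STA Uptime ExtraInfo."""
    aps = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 10 and f[0].isdigit() and MAC_RE.match(f[1]):
            aps.append({"id": int(f[0]), "mac": f[1], "name": f[2], "group": f[3],
                        "ip": f[4], "type": f[5], "state": f[6]})
    return aps


def parse_station_table(output):
    """Rows of 'display station all': STA MAC, AP ID, AP name, Rf/WLAN, Band, Type,
    Rx/Tx, RSSI, VLAN, IP address, SSID."""
    stas = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 11 and MAC_RE.match(f[0]):
            stas.append({"mac": f[0], "ap": f[2], "rssi": int(f[7]), "vlan": int(f[8]),
                         "ip": f[9], "ssid": f[10]})
    return stas


def check_aps(output, inventory):
    """inventory: {ap-mac: (ap-name, ap-group)} taken from the data plan.
    Flags APs that are not in state nor, are not planned, or joined the wrong group."""
    findings = []
    for ap in parse_ap_table(output):
        if ap["state"] != "nor":
            findings.append(("ap-not-normal", ap["name"], ap["state"]))
        planned = inventory.get(ap["mac"])
        if planned is None:
            findings.append(("ap-not-in-plan", ap["name"], ap["mac"]))
        elif planned != (ap["name"], ap["group"]):
            findings.append(("ap-plan-mismatch", ap["name"], ap["group"]))
    return findings


def check_stations(output, vlan_plan):
    """vlan_plan: {ssid: (service VLAN, subnet)}. Flags STAs whose VLAN or IP address
    does not match what the VAP profile for that SSID should deliver."""
    findings = []
    for sta in parse_station_table(output):
        plan = vlan_plan.get(sta["ssid"])
        if plan is None:
            findings.append(("unknown-ssid", sta["mac"], sta["ssid"]))
            continue
        vlan, subnet = plan
        if sta["vlan"] != vlan:
            findings.append(("sta-vlan-mismatch", sta["mac"], sta["vlan"]))
        if ipaddress.ip_address(sta["ip"]) not in ipaddress.ip_network(subnet):
            findings.append(("sta-ip-outside-subnet", sta["mac"], sta["ip"]))
    return findings


# Constructed sample outputs in the layout shown above (not captured from a device).
AP_OUTPUT = """\
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type      State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------
101  00e0-fc76-e320 ap-101  ap-group1  10.23.101.254  AP2030DN  nor   0   10S    -
103  00e0-fc76-b520 ap-103  ap-group2  10.23.101.252  AP5030DN  nor   0   23S    -
999  00e0-fc00-0001 ap-999  ap-group1  10.23.101.250  AP2030DN  fault 0   5S     -
-------------------------------------------------------------------------------------------------
Total: 3
"""
STA_OUTPUT = """\
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
00e0-fc12-3456 101   ap-101  0/1     2.4G 11n  3/8   -70  101  10.23.101.254 hospital-wlan
00e0-fc12-3457 103   ap-103  1/1     5G   11n  46/59 -68  10   10.23.101.200 hospital-wlan
Total: 2  2.4G: 1  5G: 1
"""
# Constructed data plan: ap-103 is planned for ap-group1, ap-999 is not planned at all.
INVENTORY = {"00e0-fc76-e320": ("ap-101", "ap-group1"), "00e0-fc76-b520": ("ap-103", "ap-group1")}
VLAN_PLAN = {"hospital-wlan": (101, "10.23.101.0/24")}

if __name__ == "__main__":
    for finding in check_aps(AP_OUTPUT, INVENTORY) + check_stations(STA_OUTPUT, VLAN_PLAN):
        print(*finding)
```

A STA reported in a VLAN other than the VAP's service VLAN usually means the user was assigned a VLAN by the RADIUS server or landed on a VAP other than the intended one, which is worth confirming before assuming the forwarding path is correct.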
Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
return
● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]
$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 type-id 35 ap-mac 00e0-fc76-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 35 ap-mac 00e0-fc76-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 35 ap-mac 00e0-fc76-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 35 ap-mac 00e0-fc76-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 35 ap-mac 00e0-fc76-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return
Relevant Information
Support Community
NA
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal
authentication be used for wireless users. Due to the large number of wireless
users, high wireless service performance and Portal authentication performance
are required.
As shown in Figure 3-164, the core switch S7700 functions as the gateway for
STAs and APs and as a DHCP server to assign IP addresses to STAs and APs. The
S7700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC
and APs are located on a Layer 3 network. The AC is the X series card on the
S7700 and connected to the S7700 through Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2.
The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.
Figure 3-164 Networking for configuring WLAN services for a wireless city project
Data Planning
AP group:
● Name: ap-group2
● Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
Portal access profile:
● Name: portal2
● Referenced templates: Portal server templates portal2 and portal3
Authentication profile:
● Name: portal2
● Referenced profile: Portal access profile portal2
VLANIF 102: 10.23.102.1/24, address range 10.23.102.2-10.23.102.254/24
Portal server:
● Active IP address: 10.23.30.1
● Active IP address: 10.23.30.2
● Standby IP address: 10.23.30.3
● Port number that the AC uses to listen on Portal protocol packets: 2000
● Destination port number in the packets that the AC sends to the Portal server: 50100
● Portal shared key: YsHsjx_202206
● Encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, S7700, and
other network devices.
2. Configure the S7700 as a DHCP server to assign IP addresses to APs and STAs.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/3 of S5700-1 to VLAN 10 (management VLAN) and
VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected to APs. You
are advised to configure port isolation on these interfaces to reduce unnecessary
broadcast traffic.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected
to the AP.
[S5700-1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/2] stp edged-port enable
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/3] stp edged-port enable
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
# On the S7700, add GE1/0/1 (connected to S5700-1) to VLAN 10 and VLAN 101,
GE1/0/2 (connected to S5700-2) to VLAN 20 and VLAN 102, GE1/0/3 (connected
to the controller) to VLAN 300, GE1/0/4 (connected to the upper-layer network)
to VLAN 101 and VLAN 102, and GE1/0/5 and GE1/0/6 (connected to the AC) to
Eth-Trunk 1. Add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname S7700
[S7700] vlan batch 10 20 100 101 102 300
[S7700] interface gigabitethernet 1/0/1
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S7700-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface gigabitethernet 1/0/2
[S7700-GigabitEthernet1/0/2] port link-type trunk
[S7700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S7700-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface gigabitethernet 1/0/3
[S7700-GigabitEthernet1/0/3] port link-type trunk
[S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/3] quit
[S7700] interface gigabitethernet 1/0/4
[S7700-GigabitEthernet1/0/4] port link-type trunk
[S7700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S7700-GigabitEthernet1/0/4] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/4] quit
[S7700] interface eth-trunk 1
[S7700-Eth-Trunk1] port link-type trunk
[S7700-Eth-Trunk1] port trunk allow-pass vlan 100
[S7700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1.
You are advised to select inter-card or inter-chassis interfaces as member interfaces of the Eth-Trunk to
improve interface reliability.
[S7700-Eth-Trunk1] quit
# On the S7700, configure VLANIF 100 for communication with the AC and
VLANIF 300 for communication with the controller.
# On the AC, add GE2/0/1 and GE2/0/2 connected to the S7700 to Eth-Trunk 1
and add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1. You
are advised to select inter-card or inter-chassis interfaces as member interfaces of the Eth-Trunk to improve
interface reliability.
[AC-Eth-Trunk1] quit
Step 2 Configure the S7700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S7700 to assign IP addresses to the STAs and APs from the global
address pool.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[S7700] dhcp enable
[S7700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S7700-Vlanif10] description manage_ap1
[S7700-Vlanif10] ip address 10.23.10.1 24
[S7700-Vlanif10] dhcp select global
[S7700-Vlanif10] quit
[S7700] ip pool manage_ap1
[S7700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S7700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S7700-ip-pool-manage_ap1] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to the APs.
[S7700-ip-pool-manage_ap1] quit
[S7700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S7700-Vlanif20] description manage_ap2
[S7700-Vlanif20] ip address 10.23.20.1 24
[S7700-Vlanif20] dhcp select global
[S7700-Vlanif20] quit
[S7700] ip pool manage_ap2
[S7700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S7700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S7700-ip-pool-manage_ap2] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S7700-ip-pool-manage_ap2] quit
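Because the APs and the AC are on different Layer 3 networks here, the APs learn the AC address only from DHCP Option 43, so an AP that receives an Option 43 pointing somewhere else will try to join that address instead. A defender validating a captured DHCP offer, or a lab reproduction of this pool, can decode the option and compare it with the planned AC address 10.23.100.1. The following Python code is an added example, not Huawei code or part of this guide: the outer Option 43 sub-option TLV layout follows RFC 2132, while the assumption that `option 43 sub-option 2 ip-address` is carried as consecutive 4-byte binary IPv4 addresses inside sub-option 2 is mine and should be confirmed against a packet capture from your own device; the helper names are constructed.

```python
import ipaddress


def encode_option43(sub_options):
    """Build the body of DHCP Option 43 from (code, payload) sub-options
    (RFC 2132 vendor-specific information: code, length, payload per sub-option)."""
    body = b""
    for code, payload in sub_options:
        if not 0 < code < 255 or len(payload) > 255:
            raise ValueError("invalid sub-option")
        body += bytes([code, len(payload)]) + payload
    return body


def ac_suboption(ips):
    """Assumption (not from the guide): the AC addresses configured with
    'option 43 sub-option 2 ip-address' travel as packed IPv4 addresses in sub-option 2."""
    return (2, b"".join(ipaddress.IPv4Address(ip).packed for ip in ips))


def build_dhcp_option(body):
    """Wrap the body in the outer option TLV: code 43, length, body."""
    if len(body) > 255:
        raise ValueError("option body too long")
    return bytes([43, len(body)]) + body


def decode_option43(body):
    """Parse the sub-options of an Option 43 body, rejecting truncated encodings."""
    subs = {}
    i = 0
    while i < len(body):
        if body[i] == 255:  # end-of-options marker inside the encapsulation
            break
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated sub-option payload")
        subs[code] = payload
        i += 2 + length
    return subs


def advertised_ac_addresses(body):
    """Return the AC addresses found in sub-option 2 as dotted strings."""
    payload = decode_option43(body).get(2, b"")
    if len(payload) % 4:
        raise ValueError("sub-option 2 is not a list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[k:k + 4])) for k in range(0, len(payload), 4)]


def option43_matches_plan(body, planned):
    """True when the offer advertises exactly the planned AC addresses."""
    return set(advertised_ac_addresses(body)) == set(planned)


if __name__ == "__main__":
    # The pool above advertises 10.23.100.1; the second body is a constructed
    # offer advertising a different address, which the check rejects.
    good = encode_option43([ac_suboption(["10.23.100.1"])])
    other = encode_option43([ac_suboption(["10.23.100.9"])])
    print(build_dhcp_option(good).hex(), advertised_ac_addresses(good))
    print(option43_matches_plan(good, ["10.23.100.1"]), option43_matches_plan(other, ["10.23.100.1"]))
```

Only the DHCP server configured on the S7700 should answer in the management VLANs; checking the decoded AC address in offers seen on the AP-facing VLANs is a cheap way to notice an unauthorized DHCP server before APs try to register elsewhere.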
[S7700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP101 and AP102.
# Configure a Portal server template for each of the three controller nodes.
[AC] web-auth-server portal1 //Create the Portal server template portal1 for controller node 1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send
packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206 //Configure the shared key for message
exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal //Configure the URL of the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log //Set the RADIUS automatic detection
interval to 30s. The default value is 60s.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2 //Create the Portal server template portal2 for controller node 2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100
[AC-web-auth-server-portal2] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3 //Create the Portal server template portal3 for controller node 3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of
APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
101 00e0-fc76-e320 ap-101 ap-group1 10.23.101.254 AP5030DN nor 0 10S
102 00e0-fc76-e340 ap-102 ap-group1 10.23.101.253 AP5030DN nor 0 15S
201 00e0-fc76-e360 ap-201 ap-group2 10.23.102.254 AP5030DN nor 0 45S
202 00e0-fc76-e380 ap-202 ap-group2 10.23.102.253 AP5030DN nor 0 49S
-------------------------------------------------------------------------------------------------
Total: 4
NOTE
In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
# Create radio profiles radio-2g and radio-5g, and bind the RRM profile rrm1 to
the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the
interface. Set the security policy to OPEN, that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to city-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding
mode and service VLANs, and apply the security profile, SSID profile, and
authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode direct-forward //Set the service forwarding mode to direct.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
# Connect STAs to the WLAN with SSID city-wlan. After you enter the password,
the STAs can access the wireless network. Run the display station all command
on the AC. The command output shows that the STAs are connected to the WLAN
city-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
00e0-fc08-9abf 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 city-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network properly.
----End
Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
authentication-profile name portal2
portal-access-profile portal2
access-domain portal1
access-domain portal1 force
#
radius-server template radius1
radius-server shared-key cipher %^%#~!W(.rpP$Psx"U>yy2uGMbJf-c.>vIWU[@V85Qe*%^%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %^%#T)1I)52A-*iIrZ>='1l:P[[TYo!BX7_Z/AJkCGxC%^%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %^%#"xJ,SrfdB4>n]ZAJ@|0IG`g@JAT"m81Jv8R3I{CM%^%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %^%#dS6|(!NeF>qv;O7bJ[5D^QF"5#Na<,AG4b~y@3[(%^%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
portal-access-profile name portal1
web-auth-server portal1 portal3 layer3
#
portal-access-profile name portal2
web-auth-server portal2 portal3 layer3
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
accounting realtime 15
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
authentication-profile portal1
#
interface Vlanif102
authentication-profile portal2
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
security open
ssid-profile name default
vap-profile name wlan-vap1
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
vap-profile name wlan-vap2
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 ap-mac 00e0-fc76-e320 ap-sn 210235419610CB002000
ap-name ap-101
ap-group ap-group1
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 102 ap-mac 00e0-fc76-e340 ap-sn 210235419610CB003333
ap-name ap-102
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
ap-id 201 ap-mac 00e0-fc76-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 202 ap-mac 00e0-fc76-e380 ap-sn 210235419610CB002299
ap-name ap-202
ap-group ap-group2
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
#
return
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need to run the commit all command.
Networking Requirements
As shown in Figure 3-165, an AC in an enterprise is connected to the AP through
access switch SwitchA. The enterprise deploys the WLAN wlan-net to provide
wireless network access. The AC functions as a DHCP server to assign IP addresses
on the network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, access control is required for the WLAN to
ensure information security. Configure MAC address authentication to
authenticate dumb terminals such as wireless network printers and wireless
phones that do not support an authentication client. MAC addresses of terminals
are used as user information and sent to the RADIUS server for authentication.
When users connect to the WLAN, authentication is not required.
Data Planning
Item                     Data
MAC access profile       ● Name: m1
                         ● User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile   ● Name: p1
                         ● Bound profile: MAC access profile m1
                         ● Forcible authentication domain: huawei.com
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that the AC can communicate with upper-
layer and lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 4 Configure a route from the AC to the RADIUS server. (Assume that the IP address
of the upper-layer device connected to the AC is 10.23.101.2.)
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc11-1111
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured
correctly and are the same as those on the RADIUS server.
# Create an AAA domain and configure the RADIUS server template and
authentication scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
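The MAC address authentication described in Networking Requirements and in the note above (the MAC address without hyphens serves as both user name and password and is sent to the RADIUS server) as an added Python example; this is not code from the Huawei guide. It builds the Access-Request the AC would send for a STA, hides the password as RFC 2865 section 5.2 requires, and runs the consistency check a RADIUS administrator can apply on the server side. Assumed, not stated on the page: a PAP-style Access-Request carrying User-Name, User-Password and Calling-Station-Id, and a constructed shared key (the real key appears only as cipher text in the configuration file).

```python
import hashlib
import os
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def mac_auth_username(mac):
    """Normalise any MAC notation (Huawei 00e0-fc08-9abf, 00:e0:fc:08:9a:bf, ...)
    to the credential the MAC access profile uses: 12 hex digits, no hyphens."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, then XOR
    each block with MD5(secret + previous block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_mac_auth_request(mac, secret, identifier=1, authenticator=None):
    """Access-Request as the AC would send it for a STA with MAC `mac`
    (assumed PAP form): User-Name and User-Password are both the hyphen-less MAC."""
    authenticator = authenticator or os.urandom(16)
    cred = mac_auth_username(mac).encode()
    attrs = (_attr(ATTR_USER_NAME, cred)
             + _attr(ATTR_USER_PASSWORD, hide_password(cred, secret, authenticator))
             + _attr(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def check_mac_auth_request(packet, secret):
    """Server-side sanity check for a MAC-auth Access-Request: User-Name, the
    revealed User-Password and the normalised Calling-Station-Id must all agree.
    Returns (ok, reason). A password mismatch also surfaces a wrong shared key,
    because the revealed bytes are then garbage."""
    code, _, authenticator, attrs = parse_request(packet)
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    try:
        user = attrs[ATTR_USER_NAME].decode()
        hidden = attrs[ATTR_USER_PASSWORD]
        station = attrs[ATTR_CALLING_STATION_ID].decode()
    except KeyError as missing:
        return False, "missing attribute %s" % missing
    if user != mac_auth_username(station):
        return False, "User-Name does not match Calling-Station-Id"
    if reveal_password(hidden, secret, authenticator) != user.encode():
        return False, "User-Password mismatch (wrong shared key or not MAC-auth)"
    return True, "MAC-auth credentials consistent for %s" % user


if __name__ == "__main__":
    # Constructed sample: the STA MAC from the display station all output in the
    # previous example and a made-up shared key (not the page's cipher text).
    key = b"constructed-shared-key"
    pkt = build_mac_auth_request("00e0-fc08-9abf", key)
    print(check_mac_auth_request(pkt, key))
    print(check_mac_auth_request(pkt, b"wrong-key"))
```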
# Create security profile wlan-security and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
mac-access-profile m1
access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 00e0-fc11-1111
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need to run the commit all command.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.
Data Plan
Item                     Data
Authentication profile   ● Name: p1
                         ● Referenced profiles: Portal access profile web1
                         ● Forcible authentication domain for users: huawei.com
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with
upstream and downstream network devices, and the AP can go online.
2. Configure AAA on the AC to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC
to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
Configure the AC's upstream interfaces to transparently transmit service VLAN packets and
communicate with upstream network devices.
Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. In this
example, the AP's MAC address is 00e0-fc12-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is
located. For example, if the AP with MAC address 00e0-fc12-e360 is deployed in
area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# Power on the AP and run the display ap all command to check the AP state. If
the State field is nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.1.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
[AC] test-aaa test Example@123 radius-template rd1
Info: Account test succeed.
# Configure the authentication profile p1, bind the Portal access profile web1, and
authentication-free rule profile default_free_rule to the authentication profile,
specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the
maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
dhcp enable
#
radius-server template rd1
radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
radius-server authentication 10.23.2.30 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.3.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 10.23.2.30
port 50200
shared-key cipher %^%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%^%#
url http://10.23.2.30:8080/webagent
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 10.23.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.
Data Plan
Item Data
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with
upstream and downstream network devices, and the AP can go online.
2. Configure AAA on the AC to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure Portal authentication. The configuration includes configuring a
Portal server template, a Portal access profile, an authentication-free rule
profile, and an authentication profile, and binding the authentication profile
to an interface.
4. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default
VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Add GE1/0/1 on the AC to VLAN 100, and GE1/0/2 to VLAN 101 and VLAN 102.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.1/24.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF
100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs,
and specify the default gateway.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server gateway-list 10.23.101.2
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] dhcp server gateway-list 10.23.102.2
[AC-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default
setting has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use
the same method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1
(5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
# Configure the authentication profile p1, bind the Portal access profile web1, and
authentication-free rule profile default_free_rule to the authentication profile,
specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the
maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
return
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.10.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 0 ap-mac 00e0-fc12-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are delivered automatically; you do
not need to run the commit all command.
● In this example, MAC address authentication is used. To ensure network
security, configure an appropriate security policy according to your network
requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.
To facilitate network access, the company decides to configure MAC address-prioritized
Portal authentication. If a user goes offline after passing Portal authentication,
the user can go online again within a certain period (1 hour for example) without
re-entering their user name and password.
Data Plan
Item Data
MAC access profile ● Name: m1
● User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile ● Name: p1
● Referenced profiles: Portal access profile web1 and MAC access profile m1
● Forcible authentication domain for users: huawei.com
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
Configure the AC's upstream interfaces to transparently transmit service VLAN packets and
communicate with upstream network devices.
Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. In this
example, the AP's MAC address is 00e0-fc12-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is
located. For example, if the AP with MAC address 00e0-fc12-e360 is deployed in
area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# Power on the AP and run the display ap all command to check the AP state. If
the State field is nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.1.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
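The AP-state check above (the same check appears in the other examples on this page) is done by eye. As an added example that is not part of the Huawei guide, the following Python script parses the display ap all table, flags APs that are not in the nor state or whose MAC was never imported offline with ap-id ... ap-mac, and cross-checks the summary count against the table. The second AP row and the MAC allow-list are constructed for illustration.

```python
"""Parse 'display ap all' output from a Huawei AC and audit the AP list.

Added example, not from the Huawei guide. SAMPLE_OUTPUT is constructed to
match the table layout shown in the guide; the second AP is invented.
"""
import re

# Constructed sample, laid out like the guide's 'display ap all' output.
SAMPLE_OUTPUT = """\
Total AP information:
nor : normal [1]
idle : idle [1]
-------------------------------------------------------------------------------------
ID   MAC            Name     Group       IP            Type           State  STA  Uptime
-------------------------------------------------------------------------------------
0    00e0-fc12-e360 area_1   ap-group1   10.23.1.254   AP6010DN-AGN   nor    0    10S
1    00e0-fc99-0001 area_9   ap-group1   -             AP6010DN-AGN   idle   0    -
-------------------------------------------------------------------------------------
Total: 2
"""

# MACs imported offline with 'ap-id ... ap-mac' (the guide imports only area_1).
EXPECTED_MACS = {"00e0-fc12-e360"}

COLUMNS = ["ID", "MAC", "Name", "Group", "IP", "Type", "State", "STA", "Uptime"]
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
SUMMARY_RE = re.compile(r"^\s*(\w+)\s*:\s*\w+\s*\[(\d+)\]")


def parse_display_ap_all(text):
    """Return (summary, rows): summary maps state -> count from the
    'nor : normal [1]' lines, rows is a list of dicts keyed by COLUMNS."""
    summary, rows, in_table = {}, [], False
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m and not in_table:
            summary[m.group(1)] = int(m.group(2))
            continue
        if line.split()[:2] == ["ID", "MAC"]:
            in_table = True          # header row reached; data rows follow
            continue
        if line.startswith("Total:"):
            break
        if in_table and line.strip() and not line.startswith("-"):
            fields = line.split()
            if len(fields) != len(COLUMNS) or not MAC_RE.match(fields[1]):
                raise ValueError(f"unexpected row: {line!r}")
            rows.append(dict(zip(COLUMNS, fields)))
    return summary, rows


def audit_aps(text, expected_macs):
    """Return findings: APs not in state nor, APs whose MAC was not imported,
    and a 'nor' summary count that disagrees with the table."""
    summary, rows = parse_display_ap_all(text)
    findings = []
    for r in rows:
        if r["State"] != "nor":
            findings.append(f"AP {r['ID']} ({r['Name']}) is in state {r['State']}")
        if r["MAC"] not in expected_macs:
            findings.append(f"AP {r['ID']} MAC {r['MAC']} was not imported offline")
    online = sum(1 for r in rows if r["State"] == "nor")
    if summary.get("nor", 0) != online:
        findings.append(f"summary reports {summary.get('nor', 0)} normal APs, table has {online}")
    return findings


if __name__ == "__main__":
    for finding in audit_aps(SAMPLE_OUTPUT, EXPECTED_MACS):
        print(finding)
```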
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
[AC] test-aaa test Example@123 radius-template rd1
Info: Account test succeed.
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
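As an added example that is not part of the Huawei guide, the following Python code builds the RADIUS Access-Request that a check like test-aaa sends, shows how the User-Password attribute is hidden with the shared key (RFC 2865), and derives the MAC-authentication credentials described above. The user name test, password Example@123 and server 10.23.2.30:1812 come from the guide; the shared secret, the Request Authenticator and the NAS IP address 10.23.2.1 are constructed placeholders.

```python
"""RFC 2865 Access-Request construction and User-Password hiding.

Added example, not from the Huawei guide. The shared secret used here is a
constructed placeholder; the guide stores the real key as cipher text.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining uses the ciphertext block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def mac_auth_credentials(sta_mac: str):
    """MAC access profile convention from the guide: user name and password
    are the STA MAC address without hyphens."""
    mac = sta_mac.replace("-", "").lower()
    if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
        raise ValueError(f"not a Huawei-format MAC address: {sta_mac!r}")
    return mac, mac


if __name__ == "__main__":
    secret = b"constructed-shared-key"          # placeholder, not the guide's key
    authenticator = os.urandom(16)              # fresh random Request Authenticator
    packet = build_access_request(1, "test", "Example@123", secret, "10.23.2.1", authenticator)
    print(f"Access-Request to 10.23.2.30:1812, {len(packet)} bytes: {packet.hex()}")
    print("MAC-auth credentials:", mac_auth_credentials("00e0-fc12-e360"))
```

Because the hiding is only an MD5 keystream derived from the shared key, the strength of the radius-server shared-key is what protects user passwords on the path between the AC and the RADIUS server.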
# Configure the authentication profile p1, bind the Portal access profile web1,
MAC access profile m1, and authentication-free rule profile default_free_rule to
the authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] mac-access-profile m1
# Create security profile wlan-security and set the security policy in the profile.
By default, the security policy is set to open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
For details on how to log in to the Agile Controller, add user accounts and
switches to the Agile Controller, and configure authorization results and
authorization rules on the Agile Controller, see 3.14.2.1 Configuring Portal
Authentication for Access Users on Huawei Agile Controller-Campus
(Authentication Point on Core Switch). The configurations are not described
here.
3. Click OK.
Step 10 Verify the configuration.
Item Expected Result
A user disconnects from the wireless network and reconnects to the network 65 minutes later.
When the user attempts to visit a website, the user authentication page is pushed to them. After the user enters the correct user name and password, the requested web page is displayed.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 101
#
authentication-profile name p1
mac-access-profile m1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
radius-server authentication 10.23.2.30 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.3.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 10.23.2.30
port 50200
shared-key cipher %^%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%^%#
url http://10.23.2.30:8080/webagent
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 10.23.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● For details about radio configuration notes, see 3.12.1.4 Radio Configuration
Suggestion.
● From V200R011C10, WLAN configurations are delivered automatically; you do
not need to run the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● When configuring radio calibration, set the channel mode and power mode of
an AP that needs radio calibration to auto.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
Networking Requirements
As shown in Figure 3-169, a large number of APs are deployed in an office
building. The APs connect to the AC through Switch_A to provide wireless services
for users.
Manually configuring radio parameters (such as the channel) for the APs one by
one would be time-consuming. To simplify network deployment, the IT
department requires that the AC automatically allocate channels to the APs based
on radio environments.
Data Planning
Item Data
IP address pool for the APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group to allow for the unified configuration of multiple APs.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the
optimal working channels to the APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100 (management
VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] stp edged-port enable
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.101.253 AP5030DN nor 0 5M:2S
1 00e0-fc74-9640 area_2 ap-group1 10.23.101.254 AP5030DN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the RRM profile wlan-net and enable automatic channel selection and
automatic transmit power selection in the RRM profile. By default, automatic
channel selection and automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
NOTE
In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to automatic:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
In V200R019C00 and later versions, the format of commands for configuring the channel
and transmit power selection modes is changed as follows:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select enable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select enable
[AC-wlan-group-radio-ap-group1/0] quit
# Create the air scan profile wlan-airscan and configure the scan channel set,
scan interval, and scan duration. By default, an air scan channel set contains all
channels supported by the corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air
scan profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air
scan profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g //In V200R010C00 and later versions, you need to
specify the radio ID using the radio-5g-profile radio5g radio 1 command.
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g //In V200R010C00 and later versions, you need to
specify the radio ID using the radio-2g-profile radio2g radio 0 command.
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to schedule and configure the AC to start radio
calibration at 3:00 a.m. every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00
# Run the display radio all command on the AC to check radio calibration
results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
NOTE
In V200R012 and later versions, the commands for configuring the channel
selection and transmit power selection modes are executed in the AP group radio
view or AP radio view instead of in the RRM profile view. For example, run the
following commands to set the channel and transmit power selection modes of
radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● AP load balancing is not recommended.
After AP load balancing is configured, APs in the load balancing group
forward received Probe packets to the AC. The AC then determines the APs
from which STAs can access the WLAN. Too many Probe packets may degrade
AC performance. Therefore, it is recommended that the AP load balancing
function be disabled, unless otherwise required.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need to run the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
Networking Requirements
As shown in Figure 3-170, the AC connects to the upper layer network and
manages the APs through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. Traffic must
be balanced on AP radios to prevent one AP radio from being heavily loaded.
Data Planning
Item                          Data
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels. This example configures the radio calibration function.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] stp edged-port enable
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
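As an added check (example code, not Huawei's tooling), the following Python script audits the AP-facing trunk ports in a SwitchA configuration file of the format shown in this section against the settings configured in Step 1: management VLAN as PVID and allowed VLAN, VLAN 1 pruned, STP edge port and port isolation. The configuration text and the list of AP-facing interfaces are constructed samples.

```python
"""Audit the AP-facing trunk ports of a SwitchA-style configuration file.

Added example, not Huawei's code or tooling. It parses interface blocks from
a configuration file in the format shown in this section and reports which
of the Step 1 hardening settings are missing on each AP-facing interface.
"""

# Constructed sample: GE0/0/1 matches Step 1; GE0/0/3 deliberately lacks
# port isolation and VLAN 1 pruning so that the audit has something to flag.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 stp edged-port enable
#
return
"""


def parse_interfaces(config_text):
    """Return {interface_name_lowercase: [command, ...]} per interface block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].lower()
            blocks[current] = []
        elif line in ("#", "return", ""):
            current = None          # '#' closes a block in this file format
        elif current is not None:
            blocks[current].append(line)
    return blocks


def allowed_vlans(commands):
    """VLAN IDs from 'port trunk allow-pass vlan ...' lines (IDs, 'X to Y', 'all')."""
    vlans = set()
    for cmd in commands:
        if not cmd.startswith("port trunk allow-pass vlan "):
            continue                # 'undo ...' lines do not start this way
        tokens = cmd.split()[4:]
        i = 0
        while i < len(tokens):
            if tokens[i] == "all":
                vlans.update(range(1, 4095))
                i += 1
            elif i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def check_ap_port(commands, mgmt_vlan):
    """List the Step 1 settings missing on one AP-facing port (empty = clean)."""
    findings = []
    if "port link-type trunk" not in commands:
        findings.append("not a trunk port")
    if f"port trunk pvid vlan {mgmt_vlan}" not in commands:
        findings.append(f"PVID is not management VLAN {mgmt_vlan}")
    if mgmt_vlan not in allowed_vlans(commands):
        findings.append(f"management VLAN {mgmt_vlan} not allowed on trunk")
    if "undo port trunk allow-pass vlan 1" not in commands:
        findings.append("VLAN 1 still allowed on trunk")
    if "stp edged-port enable" not in commands:
        findings.append("STP edge port not enabled")
    # Both 'port-isolate enable' and 'port-isolate enable group N' count.
    if not any(c.startswith("port-isolate enable") for c in commands):
        findings.append("port isolation not enabled")
    return findings


def audit(config_text, ap_ports, mgmt_vlan=100):
    """Audit every AP-facing port; returns {port: [findings]}."""
    blocks = parse_interfaces(config_text)
    report = {}
    for port in ap_ports:
        commands = blocks.get(port.lower())
        if commands is None:
            report[port] = ["interface not found in configuration"]
        else:
            report[port] = check_ap_port(commands, mgmt_vlan)
    return report


if __name__ == "__main__":
    ap_facing = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3"]  # constructed
    for port, findings in audit(SAMPLE_CONFIG, ap_facing).items():
        print(port, "OK" if not findings else "; ".join(findings))
```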
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to
10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the
network segment 10.23.101.0/24.
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.101.253 AP5030DN nor 0 5M:2S
1 00e0-fc74-9640 area_2 ap-group1 10.23.101.254 AP5030DN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2
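The display ap all checks in this section (here and after the earlier import step) are easy to verify by hand for two APs; the following added Python example, not Huawei's code, parses output in the table format shown on this page and reports APs that are not in the nor state, APs that came online although their MAC was never imported offline, and imported APs that are absent. The sample output, including a third AP and its MAC, is constructed.

```python
"""Parse 'display ap all' output and verify which APs went online.

Added example, not Huawei's code. It reads the table format shown in this
section (ID MAC Name Group IP Type State STA Uptime) and compares it with
the MAC addresses imported offline with the ap-id / ap-mac commands.
"""

# Constructed sample in the page's format: area_1 online, area_2 still idle,
# plus a third AP whose MAC was never imported but which is online anyway.
SAMPLE_OUTPUT = """\
Total AP information:
nor  : normal          [2]
idle : idle            [1]
---------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type      State  STA  Uptime
---------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1  ap-group1  10.23.101.253  AP5030DN  nor    0    5M:2S
1    00e0-fc74-9640 area_2  ap-group1  -              AP5030DN  idle   0    -
2    00e0-fc11-2233 -       ap-group1  10.23.101.252  AP5030DN  nor    0    1M:9S
---------------------------------------------------------------------------------------
Total: 3
"""

# MAC -> name of the APs imported offline in this example.
IMPORTED_APS = {"00e0-fc76-e360": "area_1", "00e0-fc74-9640": "area_2"}

COLUMNS = ["id", "mac", "name", "group", "ip", "type", "state", "sta", "uptime"]


def parse_display_ap_all(text):
    """Return one dict per AP row; rows start after the 'ID MAC ...' header."""
    rows, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["ID", "MAC"]:
            in_table = True
            continue
        if not in_table or not fields or fields[0].startswith("-"):
            continue                       # summary lines and separators
        if fields[0].startswith("Total"):
            break                          # 'Total: N' ends the table
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected row format: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def verify_aps(rows, imported):
    """Compare the live table with the imported MAC list.

    Returns three lists: APs whose State is not 'nor', APs present in the
    table whose MAC was never imported (with MAC authentication configured,
    such an AP should not have come online, so this points at the auth mode
    or the import list), and imported APs that do not appear at all.
    """
    seen = {r["mac"].lower() for r in rows}
    return {
        "not_online": [r["mac"] for r in rows if r["state"] != "nor"],
        "unexpected": [r["mac"] for r in rows if r["mac"].lower() not in imported],
        "missing": sorted(mac for mac in imported if mac not in seen),
    }


if __name__ == "__main__":
    result = verify_aps(parse_display_ap_all(SAMPLE_OUTPUT), IMPORTED_APS)
    for key, macs in result.items():
        print(f"{key}: {', '.join(macs) if macs else 'none'}")
```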
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security
policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the static load balancing group and set the start threshold for static load
balancing to 15 and the load difference threshold to 25%.
[AC-wlan-view] sta-load-balance static-group name wlan-static //Create load balancing group wlan-static.
[AC-wlan-sta-lb-static-wlan-static] start-threshold 15 //Set the start threshold for load balancing (based
on the number of users) to 15. The default value is 10.
[AC-wlan-sta-lb-static-wlan-static] gap-threshold 25 //Set the load difference threshold for load balancing
(based on the number of users) to 25%. The default value is 20%.
NOTE
From V200R011C00 to V200R019C00, the device supports static load balancing based on
channel usage. Configure static load balancing based on the number of users as follows:
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] mode sta-number //Configure static load balancing based on the
number of users. By default, static load balancing based on the number of users is used.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold 25 //In V200R011C10 and later
versions, the format is changed to sta-number gap-threshold percentage 25.
In V200R019C10 and later versions, the device does not support static load balancing based
on channel usage. Configure static load balancing based on the number of users as follows:
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold percentage 25
● When a new STA requests to connect to AP area_1, the AC uses a static load
balancing algorithm to redirect the STA to a lightly loaded AP in the same
load balancing group.
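To make the two thresholds concrete, the following added Python example (not Huawei's algorithm or code) models the admission decision for a static load balancing group with start-threshold 15 and gap-threshold 25%. It assumes the load difference is computed as (STAs on the requested radio minus STAs on the lightest radio) divided by STAs on the requested radio, and that a rejected STA retries on the lightest radio; neither assumption is stated on this page, and the radio loads are constructed.

```python
"""Model the static load balancing admission decision configured above.

Added example, not Huawei's algorithm or code. It applies the thresholds
from this section (start-threshold 15, gap-threshold 25%) to the STA counts
of the radios in one static load balancing group.
Assumption (not stated on this page): the load gap is
(requested_load - lightest_load) / requested_load * 100.
"""

START_THRESHOLD = 15      # start-threshold 15 in the example
GAP_THRESHOLD_PCT = 25    # gap-threshold 25 (percent) in the example


def load_gap_percent(requested_load, lightest_load):
    """Percentage by which the requested radio is heavier than the lightest one."""
    if requested_load == 0:
        return 0.0
    return (requested_load - lightest_load) / requested_load * 100.0


def admission_decision(group_loads, requested_radio,
                       start_threshold=START_THRESHOLD,
                       gap_threshold_pct=GAP_THRESHOLD_PCT):
    """Decide whether a new STA is admitted on requested_radio.

    group_loads maps radio name -> current STA count for every radio in the
    load balancing group. Returns (admitted, reason, lightest_radio).
    """
    if requested_radio not in group_loads:
        raise KeyError(f"{requested_radio} is not in the load balancing group")
    load = group_loads[requested_radio]
    lightest_radio = min(group_loads, key=group_loads.get)
    lightest = group_loads[lightest_radio]
    # Below the start threshold the gap is not evaluated at all.
    if load < start_threshold:
        return True, f"load {load} below start threshold {start_threshold}", lightest_radio
    gap = load_gap_percent(load, lightest)
    if gap < gap_threshold_pct:
        return True, f"gap {gap:.1f}% below {gap_threshold_pct}%", lightest_radio
    return (False, f"gap {gap:.1f}% reaches {gap_threshold_pct}%, use {lightest_radio}",
            lightest_radio)


def simulate_arrivals(group_loads, requests):
    """Apply a sequence of association requests, updating loads as STAs join.

    Simulation assumption: a rejected STA retries on the lightest radio.
    Returns the final loads and a log of (requested, joined, admitted).
    """
    loads = dict(group_loads)
    log = []
    for radio in requests:
        admitted, _reason, lightest = admission_decision(loads, radio)
        target = radio if admitted else lightest
        loads[target] += 1
        log.append((radio, target, admitted))
    return loads, log


if __name__ == "__main__":
    # Constructed loads: area_1 already carries 20 STAs, area_2 carries 12.
    loads = {"area_1/radio1": 20, "area_2/radio1": 12}
    for radio in loads:
        print(radio, admission_decision(loads, radio)[:2])
    final, log = simulate_arrivals(loads, ["area_1/radio1"] * 3)
    print(final, log)
```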
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface gigabitethernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● AP load balancing is not recommended.
After AP load balancing is configured, APs in the load balancing group
forward received Probe packets to the AC. The AC then determines the APs
from which STAs can access the WLAN. Too many Probe packets may degrade
AC performance. Therefore, it is recommended that the AP load balancing
function be disabled, unless otherwise required.
Networking Requirements
As shown in Figure 3-171, the AC connects to the upper-layer network and
manages the APs through the access and aggregation switches.
When a large number of STAs access the Internet through the same AP, the AP is
heavily loaded, degrading user experience. The enterprise requires that data traffic
be balanced on AP radios to prevent one AP radio from being heavily loaded.
Data Planning
Item                          Data
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs      10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels. This example configures the radio calibration function.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to
10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security
policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
NOTE
From V200R011C00 to V200R019C00, the device supports dynamic load balancing based on
channel utilization. Configure dynamic load balancing based on the number of STAs as
follows:
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic enable //In V200R013C00 and
later versions, the format is changed to undo sta-load-balance dynamic disable.
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance mode sta-number //Configure dynamic
load balancing based on the number of STAs.
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number gap-threshold
25 //The command changes to sta-load-balance dynamic sta-number gap-threshold percentage 25
in V200R011C10 and later versions.
[AC-wlan-rrm-prof-loadbalance-dynamic] quit
In V200R019C10 and later versions, the device does not support dynamic load balancing
based on channel utilization. Configure dynamic load balancing based on the number of
STAs as follows:
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] undo sta-load-balance dynamic disable
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number gap-threshold
percentage 25
[AC-wlan-rrm-prof-loadbalance-dynamic] quit
# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-dynamic
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-dynamic
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit
-------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface gigabitethernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming is used when a STA uses a security policy other
than WPA2-802.1X. If a STA uses WPA2-802.1X or WPA3-802.1X but does not support
fast roaming, it still needs to complete 802.1X authentication before roaming
between two APs. If a STA uses WPA2-802.1X or WPA3-802.1X and supports fast
roaming, it does not need to perform 802.1X authentication again during roaming
and only needs to perform key negotiation. Fast roaming reduces roaming delay and
improves service experience.
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Enable smart roaming based on the scenario.
On a traditional WLAN, when a STA is moving away from an AP, the STA's
access rate becomes lower, but the STA still associates with the AP instead of
re-initiating a connection with the AP or roaming to another AP. This
degrades user experience. The smart roaming function can address this issue.
When detecting that the signal-to-noise ratio (SNR) or access rate of a STA is
lower than the specified threshold, the AP sends a Disassociation packet to
the STA so that the STA can reconnect to the AP or roam to another AP.
This function applies to high-density static scenarios, for example, lecture
halls. This function is not recommended in scenarios where STAs move
frequently, such as wireless cities. If this function is enabled, you are advised
to retain the default roaming threshold.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, a large number of
broadcast packets will be transmitted in the VLANs, and WLAN users on different
APs can communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
Networking Requirements
A small enterprise needs to provide WLAN services for employees. One AC is
deployed to manage APs. To differentiate department management, employees
are assigned different subnets by department. The enterprise wants to allow
employees to roam with nonstop service transmission.
As shown in Figure 3-172, an AC provides services for the employees. It connects
to AP_1 and AP_2 through Switch_1 and Switch_2 respectively.
Data planning
Item Data
IP address pool for the APs 10.23.100.2-10.23.100.254/24
IP address pool for the STAs 10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and APs.
3. Configure basic WLAN services so that users can connect to the wireless
network.
Procedure
Step 1 Configure the switches and the AC so that the AC can communicate with the APs.
# On Switch_1, create VLAN 100 (management VLAN). Add GE0/0/1 connected to
AP_1 and GE0/0/2 connected to the AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_1-GigabitEthernet0/0/1] stp edged-port enable
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_1-GigabitEthernet0/0/2] quit
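The AP-facing port settings in Step 1 (PVID set to the management VLAN, VLAN 1 removed, edge port, port isolation) can be checked automatically before a configuration file is loaded. The following Python checker is an added example, not from the Huawei guide; it assumes the '#'-delimited configuration-file format shown in the Configuration Files sections, and the sample configuration is constructed from Switch_1's commands.

```python
"""Lint an access-switch configuration file for the AP-facing port settings
used in Step 1. Added example, not from the Huawei guide; it reads the
'#'-delimited configuration-file format shown in the Configuration Files
sections, and the sample below is constructed from Switch_1's configuration."""
from __future__ import annotations

MGMT_VLAN = 100   # management VLAN in this example

# Constructed sample: Switch_1 as configured in Step 1.
SWITCH_1_CFG = """\
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
return
"""


def parse_interfaces(cfg: str) -> dict[str, list[str]]:
    """Return {interface name: [commands]}; a '#' line closes the current view."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def allowed_vlans(cmds: list[str]) -> set[int]:
    """Expand 'port trunk allow-pass vlan 100 to 101 200' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for cmd in cmds:
        if not cmd.startswith("port trunk allow-pass vlan "):
            continue
        tokens = cmd.split()[4:]
        i = 0
        while i < len(tokens):
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def lint_ap_ports(cfg: str, mgmt_vlan: int = MGMT_VLAN) -> dict[str, list[str]]:
    """Treat every trunk port whose PVID is the management VLAN as an AP-facing
    port (APs send untagged CAPWAP traffic) and list the settings it lacks."""
    findings: dict[str, list[str]] = {}
    for name, cmds in parse_interfaces(cfg).items():
        if f"port trunk pvid vlan {mgmt_vlan}" not in cmds:
            continue   # uplink or other port, not AP-facing
        missing = []
        if "port link-type trunk" not in cmds:
            missing.append("port link-type trunk")
        if mgmt_vlan not in allowed_vlans(cmds):
            missing.append(f"port trunk allow-pass vlan {mgmt_vlan}")
        if "undo port trunk allow-pass vlan 1" not in cmds:
            missing.append("undo port trunk allow-pass vlan 1")
        if "stp edged-port enable" not in cmds:
            missing.append("stp edged-port enable")
        if not any(c.startswith("port-isolate enable") for c in cmds):
            missing.append("port-isolate enable (Layer 2 isolation between APs)")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in lint_ap_ports(SWITCH_1_CFG).items():
        print(port, "OK" if not missing else "missing: " + "; ".join(missing))
```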
Step 2 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure the AC as a DHCP server based on interface address pools. Configure
VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses
to STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
# Import APs offline on the AC and add APs to AP group ap-group1. Assume that
the type of AP_1 and AP_2 is AP6010DN-AGN, and their MAC addresses are
00e0-fc76-e360 and 00e0-fc04-b500, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name ap1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc04-b500
[AC-wlan-ap-1] ap-name ap2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------------
0 00e0-fc76-e360 ap1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 15S
1 00e0-fc04-b500 ap2 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 10S
--------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap1, set the data forwarding mode and service
VLAN, and apply the security profile wlan-security and SSID profile wlan-ssid to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
# Bind VAP profile wlan-vap1 to AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
--------------------------------------------------------------------------------------
0 ap1 0 1 00E0-FC76-E360 ON WPA2-PSK 0 wlan-net
0 ap1 1 1 00E0-FC76-E370 ON WPA2-PSK 0 wlan-net
0 ap2 0 1 00E0-FC04-B500 ON WPA2-PSK 0 wlan-net
0 ap2 1 1 00E0-FC04-B510 ON WPA2-PSK 0 wlan-net
---------------------------------------------------------------------------------------
Total: 2
In the coverage area of AP_1, connect the STA to the wireless network with SSID
wlan-net and enter the password YsHsjx_202206. After the STA successfully
associates with the network, run the display station ssid wlan-net command on
the AC. The command output shows that the STA with MAC address
00e0-fcc7-1e08 has associated with AP_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 0 ap1 1/1 5G 11n 46/59 -57 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
After the STA moves from the coverage area of AP_1 to that of AP_2, run the
display station ssid wlan-net command on the AC. The command output shows that
the STA has associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 1 ap2 1/1 5G 11n 46/59 -58 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
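Comparing the two display station ssid outputs by hand works for one STA; the following Python script is an added example (not from the Huawei guide) that parses that output and reports whether the STA moved to another AP while keeping its service VLAN and IP address. The two snapshots are constructed from the outputs shown above.

```python
"""Verify that a STA roamed between APs without losing its address.

Added example, not part of the Huawei guide: it parses the table printed by
the AC's 'display station ssid <ssid>' command and compares one STA's
association before and after the move. Both snapshots below are constructed
from the values shown in the roaming verification step."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: output before the STA moves (associated with ap1).
BEFORE_ROAM = """\
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 0 ap1 1/1 5G 11n 46/59 -57 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
"""

# Constructed sample: output after the STA moves (associated with ap2).
AFTER_ROAM = """\
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 1 ap2 1/1 5G 11n 46/59 -58 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class Station:
    mac: str
    ap_id: int
    ap_name: str
    radio: int
    wlan: int
    band: str
    rssi: int
    vlan: int
    ip: str


def parse_stations(output: str) -> dict[str, Station]:
    """Return the STAs in 'display station ssid' output, keyed by MAC address."""
    stations: dict[str, Station] = {}
    for line in output.splitlines():
        fields = line.split()
        # A data row has exactly 10 columns and starts with a MAC address;
        # header, separator and 'Total:' lines do not.
        if len(fields) != 10 or not MAC_RE.match(fields[0]):
            continue
        radio, wlan = fields[3].split("/")
        stations[fields[0]] = Station(
            mac=fields[0], ap_id=int(fields[1]), ap_name=fields[2],
            radio=int(radio), wlan=int(wlan), band=fields[4],
            rssi=int(fields[7]), vlan=int(fields[8]), ip=fields[9])
    return stations


def check_roaming(before: str, after: str, mac: str) -> dict[str, object]:
    """Compare one STA's association in two snapshots. 'roamed' is True only
    when the STA is now on a different AP and kept its service VLAN and IP,
    which is what nonstop service in the same subnet requires."""
    old = parse_stations(before).get(mac)
    new = parse_stations(after).get(mac)
    if old is None or new is None:
        return {"roamed": False, "reason": "STA not associated in both snapshots"}
    moved = old.ap_id != new.ap_id
    same_l3 = old.vlan == new.vlan and old.ip == new.ip
    return {"roamed": moved and same_l3,
            "from_ap": old.ap_name, "to_ap": new.ap_name,
            "ip_kept": same_l3, "rssi_delta": new.rssi - old.rssi}


if __name__ == "__main__":
    print(check_roaming(BEFORE_ROAM, AFTER_ROAM, "00e0-fcc7-1e08"))
```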
----End
Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs
using wireless links to establish a large network.
Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
Among all WDS- and mesh-capable APs, only the AP1050DN-S, AP4050DN, AP4051DN,
AP4151DN, AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP8130DN-W, AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN,
AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN,
AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are
802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single
WDS network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node.
Middle nodes do not set up WDS links between each other.
– Three hops are recommended for each WDS link (a 3-hop WDS link
includes a root node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
NOTE
APs supporting WDS can be interconnected. APs with 802.11ac and 802.11n chips are
not subject to interoperation constraints.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
WDS is not supported by the Central AP (including the mapping RUs),
AP7060DN, AP6310SN-GN, AP2010DN, AP2030DN, AP2050DN, AP2050DN-E,
AP2050DN-S, AP1010SN, AP7030DE, AP9330DN, AP2030DN-S, AP2051DN,
AP2051DN-S, AP2051DN-L-S, AP5510-W-GP, AirEngine 5760-10, and
WA375DD-CE.
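The WDS planning rules above (one root node, no middle-to-middle links, at most three hops and six subnodes per node, tree topology, matching WDS names) can be checked on a planned topology before APs are deployed. The following Python validator is an added example, not from the Huawei guide; the AP names, roles and sample plans are constructed.

```python
"""Check a planned WDS topology against the WDS planning rules listed in the
Configuration Notes. Added example, not from the Huawei guide; the AP names,
roles and sample plans are constructed (modelled on the back-to-back WDS
example, where each of the two WDS networks is validated on its own)."""
from __future__ import annotations

from collections import Counter

MAX_SUBNODES = 6   # each node on a WDS link supports at most six subnodes
MAX_HOPS = 3       # a 3-hop WDS link: root node, middle node, leaf node
ROLES = {"root", "middle", "leaf"}   # the wds-mode values


def validate_wds(nodes: dict[str, dict], links: list[tuple[str, str]]) -> list[str]:
    """nodes: {ap_name: {"role": wds-mode, "wds_name": WDS name}}
    links: (parent, child) pairs pointing from the root toward the leaves.
    Returns the rule violations found; an empty list means the plan is valid."""
    errors: list[str] = []
    for name, node in nodes.items():
        if node["role"] not in ROLES:
            errors.append(f"{name}: unknown wds-mode {node['role']!r}")
    roots = [n for n, d in nodes.items() if d["role"] == "root"]
    if len(roots) != 1:
        errors.append(f"expected exactly one root node, found {len(roots)}")

    children: dict[str, list[str]] = {}
    uplinks: Counter[str] = Counter()
    for parent, child in links:
        if parent not in nodes or child not in nodes:
            errors.append(f"{parent}-{child}: link references an unknown AP")
            continue
        p_role, c_role = nodes[parent]["role"], nodes[child]["role"]
        if nodes[parent]["wds_name"] != nodes[child]["wds_name"]:
            errors.append(f"{parent}-{child}: WDS names differ, no link can be set up")
        if p_role == "leaf":
            errors.append(f"{parent}: a leaf node cannot have subnodes")
        if c_role == "root":
            errors.append(f"{child}: the root node cannot be a subnode")
        if p_role == "middle" and c_role == "middle":
            errors.append(f"{parent}-{child}: middle nodes do not set up WDS links with each other")
        children.setdefault(parent, []).append(child)
        uplinks[child] += 1

    for name, subs in children.items():
        if len(subs) > MAX_SUBNODES:
            errors.append(f"{name}: {len(subs)} subnodes exceeds the maximum of {MAX_SUBNODES}")
    for name, count in uplinks.items():
        if count > 1:
            errors.append(f"{name}: {count} uplinks; a WDS network is a tree without link redundancy")

    if len(roots) == 1:   # hop counting only makes sense with a single root
        hops = {roots[0]: 1}
        stack = [roots[0]]
        while stack:
            current = stack.pop()
            for child in children.get(current, []):
                if child in hops:
                    continue   # already reached: loop or redundant link
                hops[child] = hops[current] + 1
                stack.append(child)
        for name, count in hops.items():
            if count > MAX_HOPS:
                errors.append(f"{name}: {count} hops exceeds the maximum of {MAX_HOPS}")
        for name in sorted(set(nodes) - set(hops)):
            errors.append(f"{name}: not reachable from the root node")
    return errors


if __name__ == "__main__":
    # Constructed plan for Area A/B of the back-to-back example: AP_1 (root) to AP_2 (leaf).
    area_ab = {"AP_1": {"role": "root", "wds_name": "wds-net"},
               "AP_2": {"role": "leaf", "wds_name": "wds-net"}}
    print(validate_wds(area_ab, [("AP_1", "AP_2")]) or "plan is valid")
```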
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office
environment, AP_1 in Area A can be connected to the AC through a network cable;
AP_2 and AP_3 in Area B can be connected through a cable but cannot be
connected to the AC in wired mode; Area C is near Area B but AP_4 in Area C
cannot be connected to the AC through a network cable either. The enterprise
requires that APs be connected to each other in back-to-back WDS mode and go
online on the AC to provide network services for PCs in VLAN 101, as shown in
Figure 3-173:
Data Planning
Before configuring the WDS service, determine the types and MAC addresses of
the APs used as WDS bridges. The following table provides the data plan for this
example.
Item Data
WDS name wds-net
AP Type MAC
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go
online on the AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the
wired network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the
AC.
Procedure
Step 1 Configure the AC to communicate with AP_1, and AP_2 to communicate with AP_3.
# Configure access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100
(management VLAN) and set the PVID of the interface to VLAN 100. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 and VLAN 101 to pass
through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/1] stp edged-port enable
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/3] quit
# Configure GE1/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group
wds-leaf1 and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
# Configure the security profile wds-sec used by WDS links. The wds-sec uses the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-wds-sec] quit
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS
mode to root. Apply the security profile wds-sec and allow packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net //Only WDS VAPs with the same WDS name can set up WDS links.
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS
mode to root. Apply the security profile wds-sec and allow packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS
mode to leaf. Bind the security profile wds-sec to the WDS profile, allowing
packets from service VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit
Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the
wired interface mode to endpoint. In this example, the PVID of the wired interface
is set to VLAN 101 and the wired interface is added to VLAN 101 in untagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the
group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
[AC-wlan-ap-group-wds-root1] quit
# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the
group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
[AC-wlan-ap-group-wds-root2] quit
# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the
group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf1] quit
# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and
wired port profile wired-port to the group.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
Run the display wlan wds link all command to check information about the WDS
links.
----End
Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
return
● Mesh portal point (MPP): a mesh point that provides the portal function to
connect the mesh network to other types of networks for communication.
● Mesh point (MP): a mesh-capable node that uses IEEE 802.11 MAC and
physical layer protocols for wireless communication. This node supports
automatic topology discovery, automatic route discovery, and data packet
forwarding. MPs can provide both mesh service and user access service.
Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.
Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE
Among all WDS- and mesh-capable APs, only the AP1050DN-S, AP4050DN, AP4051DN,
AP4151DN, AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP8130DN-W, AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN,
AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN,
AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are
802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● It is recommended that you deploy no more than 40 mesh nodes on a mesh
network.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Restricted by
geographical locations, the AP in Area A can be deployed in wired mode, but
wired deployment of APs is costly in Area B and Area C. The enterprise requires
that APs be deployed in Area B and Area C at low cost.
As shown in Figure 3-174, a mesh network is deployed to connect AP_2 and AP_3
to AP_1 through mesh links, which can reduce network construction cost.
Data Plan
Before configuring the mesh service, determine the types and MAC addresses of
the APs used as mesh nodes. The following table provides the data plan for this
example.
Item Data
Radio used by mesh services Radio 1:
● Bandwidth: 40mhz-plus
● Channel: 157
● Radio coverage distance parameter: 4 (unit: 100 m)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity and enable the AP (MPP) in Area A to go
online on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go
online on the AC through Mesh links.
Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management
VLAN) and set the PVID of the interface to VLAN 100. Configure GE0/0/1 and
GE0/0/2 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/1] stp edged-port enable
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/2] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp //Configure an AP group for MPPs.
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp //Configure an AP group for MPs.
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group
mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 00e0-fc76-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 00e0-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
bandwidth.
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4 //After the radio coverage distance parameter
is configured based on distances between APs, the APs will automatically adjust the values of slottime,
acktimeout, and ctstimeout based on the configured distance parameter.
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit
# Set parameters for the APs' wired interfaces. This example assumes that the
service VLAN is VLAN 101. Wired interfaces of all mesh nodes are therefore added
to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Configure the security profile mesh-sec used by mesh links. The mesh network
supports only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure mesh roles. Set the mesh role of AP_1 to mesh-portal. AP_2 and AP_3
use the default mesh role mesh-node. Mesh roles are configured through the AP
system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a mesh profile. Set the mesh network ID to mesh-net, aging time of
mesh links to 30s, and bind the security profile and mesh whitelist to the mesh
profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net //Only mesh VAPs with the same mesh network
ID can set up mesh links.
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 5 Bind required profiles to the AP groups to make mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-
mp to make AP wired port parameters take effect on mesh nodes. This example
assumes that all APs connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the
MPP role take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# After mesh services take effect, run the display wlan mesh link all command
to check mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
----End
Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 00e0-fc74-9640
peer-ap mac 00e0-fc76-e360
peer-ap mac 00e0-fcf6-76a0
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group mesh-mpp
ap-id 2 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235557610DB000046
ap-name AP_2
ap-group mesh-mp
ap-id 3 type-id 19 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group mesh-mp
#
return
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces,
and wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. Heavy multicast traffic received on the network
side may congest air interfaces, causing STAs' network access to slow down. You
are advised to configure multicast packet suppression to reduce this impact.
Exercise caution when configuring the rate limit; otherwise, the multicast services
may be affected.
● In direct forwarding mode, configure multicast packet suppression on switch
interfaces connected to APs.
● In tunnel forwarding mode, configure multicast packet suppression on the
traffic profile of the AC.
Procedure
● Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are
available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
d. Apply the traffic policy to inbound and outbound directions of interfaces.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit
● Configure multicast packet suppression in tunnel forwarding mode.
a. Create the traffic profile test and set the maximum traffic volume of
multicast packets in the profile.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name test
[AC-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the
maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you
are advised to set the rate limit according to the service traffic.
[AC-wlan-traffic-prof-test] quit
----End
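To make the two settings above concrete, the following added Python example (not Huawei code) applies the classifier's masked MAC match from step a to a few constructed frames and models the CAR from step b as a token bucket. The match rule and the CIR of 100 kbit/s are the ones in the procedure; the burst size (CBS) of 12,500 bytes, the frame list and the arrival times are assumptions. Note that the rule only compares the first three bytes (01-00-5e), i.e. IPv4 multicast MAC addresses; IPv6 multicast (33-33 prefix) and broadcast frames are not selected and would need a rule of their own if they are to be limited.

```python
"""Which frames does the multicast-suppression classifier select, and what does
the CAR do with them? Added example, not Huawei code. The frame list and the
CBS (burst size) value are constructed; the match rule and the CIR of
100 kbit/s are the ones used in the procedure above."""

RULE_VALUE = "0100-5e00-0000"   # if-match destination-mac value
RULE_MASK = "ffff-ff00-0000"    # mac-address-mask: only the first three bytes are compared


def parse_mac(mac: str) -> int:
    """Accept Huawei hhhh-hhhh-hhhh notation as well as aa:bb:cc:dd:ee:ff."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def mac_matches(dst: str, value: str = RULE_VALUE, mask: str = RULE_MASK) -> bool:
    """Masked compare, as the classifier does: bits cleared in the mask are ignored."""
    m = parse_mac(mask)
    return (parse_mac(dst) & m) == (parse_mac(value) & m)


# Constructed sample frames: (destination MAC, size in bytes).
SAMPLE_FRAMES = [
    ("0100-5e01-0101", 1000),  # IPv4 multicast, e.g. 224.1.1.1
    ("0100-5e7f-fffa", 1000),  # IPv4 multicast 239.255.255.250 (SSDP)
    ("3333-0000-0001", 1000),  # IPv6 all-nodes multicast: prefix 33-33, NOT matched
    ("ffff-ffff-ffff", 60),    # broadcast: not matched by this rule
    ("00e0-fc74-9640", 1500),  # unicast to an AP
]


def classify(frames):
    """Split frames into those the classifier selects (rate limited) and the rest."""
    selected, others = [], []
    for dst, size in frames:
        (selected if mac_matches(dst) else others).append((dst, size))
    return selected, others


def car_pass(frames, cir_kbps, cbs_bytes):
    """Single-rate token bucket, the model behind 'car cir': tokens refill at the
    CIR and accumulate up to CBS; a frame passes only if enough tokens are left.
    frames: [(arrival time in s, size in bytes)] in time order. Returns (passed, dropped)."""
    tokens = float(cbs_bytes)
    last_t = frames[0][0] if frames else 0.0
    passed = dropped = 0
    for t, size in frames:
        tokens = min(float(cbs_bytes), tokens + (t - last_t) * cir_kbps * 1000 / 8)
        last_t = t
        if size <= tokens:
            tokens -= size
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    selected, others = classify(SAMPLE_FRAMES)
    print("rate limited:", [d for d, _ in selected])
    print("not matched :", [d for d, _ in others])
    burst = [(0.0, 1000)] * 20                    # 20 KB arriving at once
    paced = [(i * 0.1, 1000) for i in range(20)]  # the same bytes spread over 2 s
    print("burst passed/dropped:", car_pass(burst, 100, 12500))
    print("paced passed/dropped:", car_pass(paced, 100, 12500))
```

Running it shows that a 20 KB burst at 100 kbit/s loses 8 of 20 frames while the same bytes paced over two seconds all pass, which is why the procedure advises sizing the limit from the actual multicast service traffic rather than leaving the 100 kbit/s figure in place.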
3.13.1.1 Example for Associating the BFD Session Status with the Interface Status
BFD Overview
A network device must detect a communication fault between adjacent devices
quickly so that measures can be taken immediately and service interruptions can
be prevented. In practice, hardware detection is used to detect link faults; for
example, Synchronous Digital Hierarchy (SDH) alarms report link faults. However,
not all media provide a hardware detection mechanism. Applications then use the
Hello mechanism of the upper-layer routing protocol to detect faults. Detection
using this mechanism takes more than 1 second, which is too long for some
applications. On a Layer 3 network, the Hello packet detection mechanism also
cannot detect faults for all routes, such as static routes. This means that a
fault between interconnected systems is difficult to locate.
BFD provides fast fault detection independent of media and routing protocols.
With millisecond-level fault detection and switching, BFD is suitable for
scenarios that are sensitive to packet loss and delay.
Configuration Notes
● The local discriminator of the local system and the remote discriminator of
the remote system must be the same. If the local discriminator of the local
system and the remote discriminator of the remote system are different, a
static BFD session cannot be set up. After the local discriminator and the
remote discriminator are configured, you cannot modify them.
● If a BFD session is bound to the default multicast address, the local
discriminator and the remote discriminator must be different.
● If the WTR time is set, set the same WTR time on both devices. Otherwise,
when the BFD session status changes on one device, applications on both
devices detect different BFD session statuses.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S5735S-S
Networking Requirements
In Figure 3-175, SwitchA is directly connected to SwitchB at the network layer,
and Layer 2 transmission devices, SwitchC and SwitchD, are deployed between them.
SwitchA and SwitchB must quickly detect link faults on the Layer 2 transmission
devices to trigger fast route convergence.
Figure 3-175 Associating the BFD session status with the interface status
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BFD session on SwitchA and SwitchB to detect faults on the link
between SwitchA and SwitchB.
2. Configure association between the BFD session status and interface status on
SwitchA and SwitchB after the BFD session becomes Up.
Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid; you need to configure it manually.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid; you need to configure it manually.
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.2 24
[SwitchB-Vlanif10] quit
# Enable BFD on SwitchB and establish a BFD session named btoa between
SwitchB and SwitchA.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session
named btoa.
[SwitchB-bfd-session-btoa] discriminator local 20
[SwitchB-bfd-session-btoa] discriminator remote 10
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit
# After the configuration is complete, run the display bfd session all verbose
command on SwitchA and SwitchB. You can see that a single-hop BFD session is
set up and its status is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id :3 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc interface status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Step 3 Configure association between the BFD session status and the interface status.
# Configure association between the BFD session status and the interface status
on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
[SwitchA-bfd-session-atob] quit
# Configure association between the BFD session status and the interface status
on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status
[SwitchB-bfd-session-btoa] quit
Run the shutdown command on GE1/0/1 of SwitchB to make the BFD session go
Down.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown
[SwitchB-GigabitEthernet1/0/1] quit
Run the display bfd session all verbose and display interface gigabitethernet
1/0/1 commands on SwitchA. You can see that the BFD session status is Down,
and the status of GE1/0/1 is UP (BFD status down).
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id :3 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi :3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc interface status : Enable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3
Last Local Diagnostic : Control Detection Time Expired
Bind Application : IFNET
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
NOTE
Only important information is listed under the display interface gigabitethernet 1/0/1
command, and "..." indicates that information is omitted.
----End
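The two display bfd session all verbose outputs above (the Up session in Step 2 and the Down session after the shutdown in Step 3) pack several fields on one line, which makes them awkward to check by eye. The following added Python example (not Huawei code) parses that layout and checks the session against the Configuration Notes: the local discriminator of one end must equal the remote discriminator of the other, and the detection time must be the peer's detect multiplier times the agreed interval (3 x 1000 ms here, as RFC 5880 defines it). SWITCHA_UP is an abridged copy of SwitchA's output from the page; the SwitchB view and the post-shutdown view are constructed from the values the page shows for them.

```python
"""Parse 'display bfd session all verbose' output and check it against the
configuration notes above. Added example, not Huawei code. SWITCHA_UP is an
abridged copy of the page's SwitchA output; the SwitchB view and the
post-shutdown view are constructed from the values the page shows for them."""
import re

# Fields the checker reads; longest names first so e.g. "Local Discriminator"
# is tried before shorter alternatives at the same position.
KEYS = sorted([
    "Session MIndex", "State", "Name",
    "Local Discriminator", "Remote Discriminator",
    "Min Tx Interval (ms)", "Min Rx Interval (ms)",
    "Local Detect Multi", "Detect Interval (ms)",
    "Proc interface status", "Process PST",
    "Last Local Diagnostic", "Bind Application",
], key=len, reverse=True)
KEY_RE = re.compile("(" + "|".join(re.escape(k) for k in KEYS) + r")\s*:\s*")

SWITCHA_UP = """\
Session MIndex : 16384 (One Hop) State : Up Name : atob
Local Discriminator : 10 Remote Discriminator : 20
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Proc interface status : Disable Process PST : Disable
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
"""
# Constructed: the same session as SwitchB sees it (discriminators swapped).
SWITCHB_UP = SWITCHA_UP.replace("Name : atob", "Name : btoa").replace(
    "Local Discriminator : 10 Remote Discriminator : 20",
    "Local Discriminator : 20 Remote Discriminator : 10")
# Constructed: SwitchA's view after process-interface-status and SwitchB's shutdown.
SWITCHA_DOWN = SWITCHA_UP.replace("State : Up", "State : Down").replace(
    "Proc interface status : Disable", "Proc interface status : Enable").replace(
    "No Diagnostic", "Control Detection Time Expired").replace(
    "No Application Bind", "IFNET")


def parse_verbose(text):
    """Flatten the multi-column output into {field: value}; several 'Key : Value'
    pairs may share one line, so a value runs until the next known key."""
    session = {}
    for line in text.splitlines():
        hits = list(KEY_RE.finditer(line))
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            session[hit.group(1)] = line[hit.end():end].strip()
    return session


def discriminators_paired(local, remote):
    """Static BFD: each side's local discriminator must equal the peer's remote one."""
    return (local["Local Discriminator"] == remote["Remote Discriminator"]
            and remote["Local Discriminator"] == local["Remote Discriminator"])


def expected_detect_interval_ms(local, remote):
    """RFC 5880 detection time at 'local': the peer's Detect Mult times the larger
    of our Min Rx interval and the peer's Min Tx interval (3 x 1000 ms here)."""
    return int(remote["Local Detect Multi"]) * max(
        int(local["Min Rx Interval (ms)"]), int(remote["Min Tx Interval (ms)"]))


def assess(local, remote):
    """Findings an operator would act on; an empty list means the session is healthy."""
    findings = []
    if not discriminators_paired(local, remote):
        findings.append("discriminator mismatch: a static session cannot come up")
    want = expected_detect_interval_ms(local, remote)
    if int(local["Detect Interval (ms)"]) != want:
        findings.append(f"detect interval {local['Detect Interval (ms)']} ms, expected {want} ms")
    if local["State"] != "Up":
        findings.append(f"session {local['Name']} is {local['State']}: "
                        f"{local['Last Local Diagnostic']}")
        if local["Proc interface status"] == "Enable":
            findings.append("interface association enabled: bound interface "
                            "reports 'BFD status down'")
    return findings


if __name__ == "__main__":
    a, b = parse_verbose(SWITCHA_UP), parse_verbose(SWITCHB_UP)
    print("healthy:", assess(a, b))
    print("after shutdown:", assess(parse_verbose(SWITCHA_DOWN), b))
```

The detection-time check is the one worth keeping in a monitoring script: the Detect Interval the device prints is what the peer's failure must exceed before the session goes Down, so a value that does not match the configured multiplier and intervals points at a negotiation problem rather than at the link.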
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 10
discriminator remote 20
process-interface-status
commit
#
return
VRRP solves this problem. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking, and uses the virtual router IP address as
the default gateway address to implement gateway backup. When the gateway
becomes faulty, VRRP selects a new gateway to transmit service traffic to ensure
reliable communication.
It is recommended that you set the preemption delay of the backup in a VRRP
group to 0, configure the master in preemption mode, and set the preemption
delay to be longer than 15s. These settings allow a period of time for status
synchronization between the uplink and downlink on an unstable network. If the
preceding settings are not used, two masters may coexist and user devices may
learn an incorrect address of the master. As a result, traffic is interrupted.
● Preemption mode: A backup preempts to be the master when its priority is
higher than that of the master.
● Non-preemption mode: As long as the master is working properly, the backup
with a higher priority cannot become the master.
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S2730S-S
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I, S5735S-H,
S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
In Figure 3-176, HostA is dual-homed to SwitchA and SwitchB through the switch.
To ensure nonstop service transmission, a VRRP group in active/standby mode
needs to be configured on SwitchA and SwitchB.
● The host uses SwitchA as the default gateway to connect to the Internet.
When SwitchA becomes faulty, SwitchB functions as the gateway. This
implements gateway backup.
● After SwitchA recovers, it preempts to be the master to transmit data after a
preemption delay of 20s.
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. Set a higher priority for
SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA,
and are not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# Run the display vrrp command on SwitchB to view the VRRP status. The
command output shows that SwitchB is in Master state.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40
# After 20s, run the display vrrp command on SwitchA to view the VRRP status.
The command output shows that SwitchA is in Master state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
● Multiple VRRP groups need to be created, and the master in each VRRP group
can be different.
● A VRRP device can join multiple VRRP groups and has different priorities in
different VRRP groups.
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I,
S5735S-H, S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
Networking Requirements
In Figure 3-177, HostA and HostC are dual-homed to SwitchA and SwitchB
through the switch. To reduce the load of data traffic on SwitchA, HostA uses
SwitchA as the default gateway to connect to the Internet, and SwitchB functions
as the backup gateway. HostC uses SwitchB as the default gateway to connect to
the Internet, and SwitchA functions as the backup gateway. This implements load
balancing.
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 3-177 Networking diagram for configuring a VRRP group in load balancing
mode
Configuration Roadmap
A VRRP group in load balancing mode is used to implement load balancing. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA,
and are not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300 500
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 500
[SwitchB-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchB-Vlanif500] vrrp vrid 2 priority 120 //The default priority of a device in a VRRP group is
100. Change the priority of the master to be higher than that of the backup.
[SwitchB-Vlanif500] vrrp vrid 2 preempt-mode timer delay 20 //A device in a VRRP group uses
immediate preemption by default. Change the preemption delay of the master to prevent service
interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchB-Vlanif500] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchA-Vlanif500] quit
# After the configuration is complete, run the display vrrp command on SwitchB.
You can see that SwitchB is the backup in VRRP group 1 and the master in VRRP
group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300 500
#
interface Vlanif100
ip address 10.1.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif500
ip address 10.1.50.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
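The Configuration Notes of the active/standby and load-balancing examples above (same VRID on every member of a group, a virtual IP inside the interface subnet, distinct virtual IPs per group, and the preemption-delay recommendation of 0 on the backup and more than 15s on the master) can be checked mechanically from the configuration files. The following added Python example (not Huawei code) does that for both examples. ACTIVE_STANDBY holds the Vlanif100 sections of the SwitchA and SwitchB configuration files on the page; in LOAD_BALANCING, SwitchA is taken from the page and SwitchB is constructed from the procedure, with its interface addresses 10.1.10.2 and 10.1.50.2 assumed. The master election rule (highest priority, then highest interface IP on a tie) is the standard VRRP rule and goes a little beyond what the page states.

```python
"""Check VRRP configuration files against the configuration notes above (same VRID
on both members, virtual IP inside the interface subnet, no virtual IP shared by
two groups, preemption-delay recommendation). Added example, not Huawei code;
ACTIVE_STANDBY is taken from the page, LOAD_BALANCING's SwitchB is constructed."""
import ipaddress
import re

DEFAULT_PRIORITY = 100    # VRRP default priority
MIN_MASTER_DELAY_S = 15   # the master's preemption delay should exceed this

def parse_config(text):
    """{interface: {"ip": IPv4Interface or None, "groups": {vrid: settings}}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": None, "groups": {}})
        elif line == "#":
            cur = None              # '#' closes every block in a Huawei config file
        elif cur is None:
            continue
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["ip"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif (m := re.match(r"vrrp vrid (\d+) (\S+)(.*)", line)):
            g = cur["groups"].setdefault(
                int(m.group(1)), {"vip": None, "priority": DEFAULT_PRIORITY, "delay": 0})
            kw, rest = m.group(2), m.group(3).split()
            if kw == "virtual-ip":
                g["vip"] = ipaddress.IPv4Address(rest[0])
            elif kw == "priority":
                g["priority"] = int(rest[0])
            elif kw == "preempt-mode" and "delay" in rest:
                g["delay"] = int(rest[rest.index("delay") + 1])
    return ifaces

def members_by_vrid(devices):
    """{vrid: [(device, interface, interface IP, group settings), ...]}."""
    members = {}
    for dev, ifaces in devices.items():
        for ifname, data in ifaces.items():
            for vrid, g in data["groups"].items():
                members.setdefault(vrid, []).append((dev, ifname, data["ip"], g))
    return members

def elect_master(members):
    """Highest priority wins; on a tie the higher interface IP address wins."""
    return max(members, key=lambda m: (m[3]["priority"], int(m[2].ip) if m[2] else -1))[0]

def masters(devices):
    return {vrid: elect_master(ms) for vrid, ms in members_by_vrid(devices).items()}

def check(devices):
    """Findings against the configuration notes; an empty list means all pass."""
    findings, vip_owner = [], {}
    for vrid, ms in members_by_vrid(devices).items():
        for dev, ifname, ip, g in ms:
            if g["vip"] is None:
                findings.append(f"{dev} {ifname} vrid {vrid}: no virtual-ip configured")
                continue
            if ip is None or g["vip"] not in ip.network:
                findings.append(f"{dev} {ifname} vrid {vrid}: virtual IP {g['vip']} "
                                "is not in the interface subnet")
            if vip_owner.setdefault(g["vip"], vrid) != vrid:
                findings.append(f"virtual IP {g['vip']} is used by vrid {vrid} "
                                f"and vrid {vip_owner[g['vip']]}: VRIDs must match")
        if len(ms) < 2:
            findings.append(f"vrid {vrid} exists on one device only: no backup")
        master = elect_master(ms)
        for dev, _, _, g in ms:
            if dev == master and g["delay"] <= MIN_MASTER_DELAY_S:
                findings.append(f"vrid {vrid}: master {dev} preemption delay {g['delay']} s, "
                                f"recommended longer than {MIN_MASTER_DELAY_S} s")
            elif dev != master and g["delay"] != 0:
                findings.append(f"vrid {vrid}: backup {dev} preemption delay should be 0")
    return findings

ACTIVE_STANDBY = {  # Vlanif100 of the two configuration files on the page
    "SwitchA": "interface Vlanif100\n ip address 10.1.1.1 255.255.255.0\n"
               " vrrp vrid 1 virtual-ip 10.1.1.111\n vrrp vrid 1 priority 120\n"
               " vrrp vrid 1 preempt-mode timer delay 20\n#\n",
    "SwitchB": "interface Vlanif100\n ip address 10.1.1.2 255.255.255.0\n"
               " vrrp vrid 1 virtual-ip 10.1.1.111\n#\n",
}
LOAD_BALANCING = {  # SwitchA from the page; SwitchB constructed (addresses assumed)
    "SwitchA": "interface Vlanif100\n ip address 10.1.10.1 255.255.255.0\n"
               " vrrp vrid 1 virtual-ip 10.1.10.111\n vrrp vrid 1 priority 120\n"
               " vrrp vrid 1 preempt-mode timer delay 20\n#\n"
               "interface Vlanif500\n ip address 10.1.50.1 255.255.255.0\n"
               " vrrp vrid 2 virtual-ip 10.1.50.111\n#\n",
    "SwitchB": "interface Vlanif100\n ip address 10.1.10.2 255.255.255.0\n"
               " vrrp vrid 1 virtual-ip 10.1.10.111\n#\n"
               "interface Vlanif500\n ip address 10.1.50.2 255.255.255.0\n"
               " vrrp vrid 2 virtual-ip 10.1.50.111\n vrrp vrid 2 priority 120\n"
               " vrrp vrid 2 preempt-mode timer delay 20\n#\n",
}

if __name__ == "__main__":
    for label, files in (("active/standby", ACTIVE_STANDBY), ("load balancing", LOAD_BALANCING)):
        devices = {name: parse_config(text) for name, text in files.items()}
        print(label, masters(devices), check(devices))
```

Both page examples come back with no findings and the expected masters (SwitchA for group 1, SwitchB for group 2). Feeding it a file where one member uses a different VRID for the same virtual IP, or a virtual IP outside the interface subnet, produces the corresponding finding, which is the mistake the notes are warning about: a VRID mismatch leaves each switch believing it is the only member of its group.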
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● Multiple VRRP groups can monitor a BFD session, and a VRRP group can
monitor a maximum of eight BFD sessions simultaneously.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S5735S-S
Networking Requirements
In Figure 3-178, hosts on a LAN are dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is
the master.
When SwitchA or the link between SwitchA and SwitchB fails, a switchover occurs
only after VRRP negotiation is complete. To speed up the switchover, deploy a
BFD session on the link and associate the VRRP group with the BFD session. When
the interface on the master or the link fails, the BFD session rapidly detects
the fault and notifies the VRRP group. The VRRP group then performs a rapid
active/standby switchover: the backup becomes the master and takes over traffic.
This reduces the impact of the fault on service transmission.
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 3-178 Association between VRRP and BFD to implement a rapid active/standby switchover
Configuration Roadmap
Association between VRRP and BFD is used to implement a rapid active/standby
switchover. The configuration roadmap is as follows:
Procedure
Step 1 Configure devices to ensure network connectivity.
# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.3
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is
100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses
immediate preemption by default. Change the preemption delay of the master to prevent service
interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchA-Vlanif100] quit
Run the display bfd session command on SwitchA and SwitchB. You can see that
the BFD session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr       State  Type     InterfaceName
--------------------------------------------------------------------------------
1      2       10.1.1.2         Up     S_IP_IF  Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
# Configure association between VRRP and BFD on SwitchB. When the BFD
session becomes Down, the priority of SwitchB increases by 40.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40 //The value 2 indicates the local
discriminator.
[SwitchB-Vlanif100] quit
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.2
PriorityRun : 140
PriorityConfig : 100
MasterPriority : 140
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master, SwitchB is restored as the backup, and the
associated BFD session is in Up state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
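The verification steps above compare display vrrp output by eye. As an added check (example code, not from this guide or the switch software), the script below parses that output into groups and tracked objects and flags a state that differs from the expected one, a running priority that differs from the configured one, a tracked BFD session or interface that is down, and a group whose Auth type is NONE, which is how every group in this section is shown. The sample text is the display vrrp output of SwitchB during the fault and of SwitchA after recovery, copied (the second abridged) from the outputs above; the field names are the ones that output uses.

```python
import re

# Sample input: "display vrrp" on SwitchB while the BFD session is down,
# copied from this section's verification step.
SWITCHB_DURING_FAULT = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.2
PriorityRun : 140
PriorityConfig : 100
MasterPriority : 140
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
"""

# Sample input: SwitchA after recovery, abridged from the same step.
SWITCHA_RESTORED = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
Preempt : YES Delay Time : 20 s
Auth type : NONE
Create time : 2012-01-12 20:15:46
"""

HEADER_RE = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)")
TIME_RE = re.compile(r"^(Create time|Last change time)\s*:\s*(.+)$")
# "Key : Value" pairs; one line may carry two (e.g. "Preempt : YES Delay Time : 20 s")
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z \-]*?)\s*:\s*(\S+(?:\s+s\b)?)")


def parse_display_vrrp(text):
    """Return one dict per VRRP group: interface, vrid, fields, and tracked objects."""
    groups, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"interface": m.group(1), "vrid": int(m.group(2)), "fields": {}, "tracks": []}
            groups.append(cur)
            continue
        if not line or cur is None:
            continue
        m = TIME_RE.match(line)
        if m:  # timestamps contain ':' themselves, so take the rest of the line
            cur["fields"][m.group(1)] = m.group(2)
            continue
        for key, value in FIELD_RE.findall(line):
            key = key.strip()
            if key in ("Track BFD", "Track IF"):
                cur["tracks"].append({"kind": key[6:], "object": value, "adjust": 0, "state": None})
            elif key == "Priority increased":
                cur["tracks"][-1]["adjust"] = int(value)
            elif key == "Priority reduced":
                cur["tracks"][-1]["adjust"] = -int(value)
            elif key in ("BFD-session state", "IF state"):
                cur["tracks"][-1]["state"] = value
            else:
                cur["fields"][key] = value
    return groups


def check_group(group, expected_state=None):
    """Return findings for one parsed group; an empty list means it looks healthy."""
    f = group["fields"]
    where = f"{group['interface']} VRID {group['vrid']}"
    findings = []
    if expected_state and f.get("State") != expected_state:
        findings.append(f"{where}: state is {f.get('State')}, expected {expected_state}")
    run, conf = int(f.get("PriorityRun", 0)), int(f.get("PriorityConfig", 0))
    if run != conf:
        findings.append(f"{where}: running priority {run} differs from configured {conf} (a tracked object changed it)")
    for t in group["tracks"]:
        if t["state"] == "DOWN":
            findings.append(f"{where}: tracked {t['kind']} {t['object']} is DOWN (priority adjustment {t['adjust']:+d})")
    if f.get("Auth type") == "NONE":
        findings.append(f"{where}: VRRP authentication is NONE; review whether every host on this segment is trusted")
    return findings


if __name__ == "__main__":
    for text, expected in ((SWITCHB_DURING_FAULT, "Backup"), (SWITCHA_RESTORED, "Master")):
        for g in parse_display_vrrp(text):
            print(g["interface"], g["vrid"], check_group(g, expected) or "OK")
```

Pass the state you expect for the device (Master for SwitchA, Backup for SwitchB in steady state): during the fault the SwitchB sample reports the state mismatch, the raised running priority and the DOWN session together, which is exactly the picture the procedure describes.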
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
return
When the master detects that the uplink interface fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
packets. After the backup receives the VRRP packets, it detects that the priority in
the VRRP packets is lower than its priority and switches to the master. This ensures
correct traffic forwarding.
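Both mechanisms in this section change the running priority of a VRRP group while a tracked object is down: the BFD-associated example above raises the backup's priority (track bfd-session 2 increased 40), and the interface-associated example described here lowers the master's priority (track interface ... reduced 100). The simulation below is an added example, not part of this guide, that models both together with the preemption delay, using the priorities, addresses and delays from these two examples. The event times and tracked-object names are constructed; the model ignores the VRRP master-down interval and clamps priorities to 1..254, which is an assumption of the model rather than something the guide states.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # interface IP address; the higher one wins a priority tie
    priority: int = 100      # PriorityConfig (default 100, as in this guide)
    preempt_delay: int = 0   # seconds a higher-priority backup waits before preempting
    # tracked object -> signed priority change applied while that object is DOWN:
    # +40 for "track bfd-session 2 increased 40", -100 for "track interface ... reduced 100"
    tracks: dict = field(default_factory=dict)

    def running_priority(self, down):
        """PriorityRun for a given set of DOWN tracked objects. Clamping the result to
        1..254 is a modelling assumption; this guide does not say what the device does."""
        p = self.priority + sum(adj for obj, adj in self.tracks.items() if obj in down)
        return max(1, min(254, p))


def elect(routers, down):
    """Highest running priority wins; a tie goes to the higher interface IP (RFC 5798)."""
    return max(routers, key=lambda r: (r.running_priority(down), int(ipaddress.IPv4Address(r.ip))))


def simulate(routers, events):
    """events: list of (time_s, set of DOWN tracked objects), one per change on the network.
    Returns [(time_s, master_name), ...] for every switchover. Simplifications: the
    master-down interval is ignored, and a candidate that outranks the master takes over
    only once its own preempt delay has elapsed without the election changing again."""
    master, pending, timeline = None, None, []
    for t, down in sorted(events, key=lambda e: e[0]):
        if pending and pending[1] <= t:  # an earlier candidate's delay has expired
            master = pending[0]
            timeline.append((pending[1], master))
            pending = None
        best = elect(routers, down)
        if master is None:  # first election: no delay modelled
            master = best.name
            timeline.append((t, master))
        elif best.name == master:  # current master still wins; drop any pending takeover
            pending = None
        elif pending is None or pending[0] != best.name:
            pending = (best.name, t + best.preempt_delay)
    if pending:
        timeline.append((pending[1], pending[0]))
    return timeline


def scenario_bfd():
    """Association with BFD: SwitchB gains 40 while BFD session 2 is down."""
    a = VrrpRouter("SwitchA", "10.1.1.1", priority=120, preempt_delay=20)
    b = VrrpRouter("SwitchB", "10.1.1.2", tracks={"bfd-2": 40})
    # constructed timeline: BFD session down at 10 s, link restored at 30 s
    return simulate([a, b], [(0, set()), (10, {"bfd-2"}), (30, set())])


def scenario_interface():
    """Association with the interface status: SwitchA loses 100 per uplink that is down."""
    a = VrrpRouter("SwitchA", "10.1.1.2", priority=120, preempt_delay=20,
                   tracks={"GE1/0/1": -100, "GE1/0/2": -100})
    b = VrrpRouter("SwitchB", "10.1.1.3")
    # constructed timeline: GE1/0/1 down at 5 s, up again at 40 s
    return simulate([a, b], [(0, set()), (5, {"GE1/0/1"}), (40, set())])


if __name__ == "__main__":
    print("VRRP+BFD:", scenario_bfd())              # [(0, 'SwitchA'), (10, 'SwitchB'), (50, 'SwitchA')]
    print("VRRP+interface:", scenario_interface())  # [(0, 'SwitchA'), (5, 'SwitchB'), (60, 'SwitchA')]
```

In both scenarios the backup takes over at the moment of the fault (its preempt delay is 0), while SwitchA only returns to master 20 s after recovery, matching the "After 20s" verification steps; a fault that recurs before those 20 s have elapsed cancels the pending takeover, which is the purpose of the delay on an unstable link.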
Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-interface,
and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
Networking Requirements
As shown in Figure 3-179, the user hosts are dual-homed to SwitchA and SwitchB
through the switch. The requirements are as follows:
● The hosts use SwitchA as the default gateway to connect to the Internet.
When SwitchA or the downlink/uplink fails, SwitchB functions as the gateway
to implement gateway backup.
● The bandwidth of the link between SwitchA and SwitchB is increased to
implement link backup and improve link reliability.
● After SwitchA recovers, it becomes the gateway within 20s.
Figure 3-179 Networking of association between VRRP and the interface status
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2
isolation and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to
the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority
for SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group
can detect the fault of the master and perform an active/standby switchover
immediately.
NOTE
SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an
example. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit
# Run the display vrrp command on SwitchB. You can see that SwitchB is the
backup. VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master and SwitchB is restored as the backup, and
the associated interface is in Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
VRRP Overview
Generally, all hosts on the same network segment have the same default route
with the gateway address as the next hop address. The hosts use the default route
to send packets to the gateway and the gateway forwards the packets to other
network segments. When the gateway fails, the hosts with the same default route
cannot communicate with external networks. Configuring multiple egress
Configuration Notes
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● In V200R003C00 and earlier versions, only the VLANIF interface supports
VRRP. In V200R005C00 and later versions, VLANIF and Layer 3 Ethernet
interfaces support VRRP.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S500, S5735S-S
– S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
Networking Requirements
As shown in Figure 3-180, SwitchA and SwitchB are egress gateways of the
campus network; SwitchC and SwitchD are core switches. The multicast source
connects to the campus network through a router. Key nodes on the network work
in redundancy mode to improve network reliability, and the egress gateways and
core switches are fully meshed to implement link redundancy. The egress
gateways and core switches must be configured to enable multicast data to be
reliably transmitted to the downstream network.
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
To ensure reliable multicast data transmission, configure the Virtual Router
Redundancy Protocol (VRRP) and Bidirectional Forwarding Detection (BFD) on the
egress gateways and core switches. To ensure normal multicast forwarding,
configure a multicast protocol on the egress gateways and core switches.
1. Configure link aggregation groups between SwitchA and SwitchB, and
between SwitchC and SwitchD to ensure fast and reliable exchange of VRRP
packets.
2. Create VLANs on the switches and add their interfaces to respective VLANs.
Configure IP addresses for the corresponding VLANIF interfaces to make local
network segments reachable.
3. Configure the Open Shortest Path First (OSPF) protocol on the switches to
ensure reachable routes between them. OSPF routes load balance unicast
traffic between the egress gateways and core switches to reduce loads of links
that transmit multicast and unicast data simultaneously.
4. Configure a VRRP group between SwitchA and SwitchB and a VRRP group
between SwitchC and SwitchD to ensure reliable multicast forwarding. The
VRRP groups implement load balancing for unicast traffic to reduce loads of
links that transmit multicast and unicast data simultaneously.
5. Configure a multicast protocol on the switches to ensure normal multicast
data forwarding.
6. Configure BFD for OSPF and BFD for PIM on the switches to enable the
switches to quickly detect link failures, realizing fast convergence of unicast
and multicast routes.
Procedure
1. Configure link aggregation groups on the switches.
# Create Eth-Trunks and add member interfaces to the Eth-Trunks on the
campus egress gateway and core devices.
<SwitchA> system-view
[SwitchA] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchA-Eth-Trunk1] quit
<SwitchB> system-view
[SwitchB] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchB-Eth-Trunk1] quit
<SwitchC> system-view
[SwitchC] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchC-Eth-Trunk1] quit
<SwitchD> system-view
[SwitchD] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchD-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchD-Eth-Trunk1] quit
By default, an Eth-Trunk works in manual load balancing mode, and all active
interfaces load balance traffic.
2. Create VLANs, add interfaces to respective VLANs, and configure IP addresses
for corresponding VLANIF interfaces.
a. Create VLANs and add interfaces to the VLANs on the campus egress
gateway and core devices. The configurations on SwitchB, SwitchC, and
SwitchD are similar to the configuration on SwitchA, and are not
mentioned here.
NOTE
3. Configure OSPF.
# Enable OSPF on the campus egress gateway and core devices, add the
devices to area 0, and advertise local network segments in area 0. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.3.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0 //Specify that the interface running OSPF
is the one connected to the 10.10.1.1 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
4. Configure VRRP groups.
a. Create VRRP group 1 on campus egress gateway devices SwitchA and
SwitchB. Set the priority of SwitchA to 120 and the preemption delay to
20 seconds. Retain the default priority of SwitchB. Therefore, SwitchA
becomes the master device and SwitchB becomes the backup device of
VRRP group 1.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of VLANIF100 in VRRP group 1
to 120.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay
of VLANIF100 in VRRP group 1 to 20 seconds.
[SwitchA-Vlanif100] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchB-Vlanif100] quit
b. Create VRRP group 2 on campus egress gateway devices SwitchA and
SwitchB. Set the priority of SwitchB to 120 and the preemption delay to
20 seconds. Retain the default priority of SwitchA. Therefore, SwitchB
becomes the master device and SwitchA becomes the backup device of
VRRP group 2.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchA-Vlanif100] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120 //Set the priority of VLANIF100 in VRRP group 2
to 120.
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay
of VLANIF100 in VRRP group 2 to 20 seconds.
[SwitchB-Vlanif100] quit
# Configure SwitchB.
[SwitchB] multicast routing-enable //Enable multicast routing globally.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 303
[SwitchB-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchB-Vlanif303] quit
[SwitchB] interface vlanif 304
[SwitchB-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchB-Vlanif304] quit
[SwitchB] interface loopback 1
[SwitchB-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchB-LoopBack1] quit
# Configure SwitchC.
[SwitchC] multicast routing-enable //Enable multicast routing globally.
[SwitchC] interface vlanif 400
[SwitchC-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchC-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchC-Vlanif400] quit
[SwitchC] interface vlanif 301
[SwitchC-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[SwitchC-Vlanif301] quit
[SwitchC] interface vlanif 304
[SwitchC-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchC-Vlanif304] quit
[SwitchC] interface loopback 1
[SwitchC-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchC-LoopBack1] quit
# Configure SwitchD.
[SwitchD] multicast routing-enable //Enable multicast routing globally.
[SwitchD] interface vlanif 400
[SwitchD-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchD-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchD-Vlanif400] quit
[SwitchD] interface vlanif 302
[SwitchD-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchD-Vlanif302] quit
[SwitchD] interface vlanif 303
[SwitchD-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchD-Vlanif303] quit
[SwitchD] interface loopback 1
[SwitchD-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchD-LoopBack1] quit
6. Configure BFD.
a. Enable global BFD on the campus egress gateway and core devices.
Global BFD must be enabled before you configure BFD for OSPF and BFD
for PIM. The configurations on SwitchB, SwitchC, and SwitchD are similar
to the configuration on SwitchA, and are not mentioned here.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
b. Enable BFD for OSPF on the campus egress gateway and core devices.
The configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ospf bfd enable //Enable BFD for OSPF on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] ospf bfd enable //Enable BFD for OSPF on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] ospf bfd enable //Enable BFD for OSPF on VLANIF302.
[SwitchA-Vlanif302] quit
c. Enable BFD for PIM on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim bfd enable //Enable BFD for PIM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim bfd enable //Enable BFD for PIM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim bfd enable //Enable BFD for PIM on VLANIF302.
[SwitchA-Vlanif302] quit
7. Verify the configuration.
– Verify the configuration of link aggregation.
# Run the display eth-trunk 1 command on SwitchA. The command
output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet2/0/1, GigabitEthernet2/0/2, and GigabitEthernet2/0/3. All
the member interfaces are Up.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet2/0/1          Up          1
GigabitEthernet2/0/2          Up          1
GigabitEthernet2/0/3          Up          1
The display eth-trunk 1 command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.
– Verify the VRRP configuration.
# Run the display vrrp command on SwitchA. The command output
shows that SwitchA is the master device in VRRP group 1 and the backup
device in VRRP group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00
(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif100
Upstream neighbor: 10.1.1.3
RPF prime neighbor: 10.1.1.3
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif303
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif303
Upstream neighbor: 10.1.4.1
RPF prime neighbor: 10.1.4.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif400
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
The display ospf bfd session all command outputs on SwitchB, SwitchC,
and SwitchD are similar to the command output on SwitchA.
# Run the display pim bfd session command on SwitchA. The command
output shows that PIM BFD sessions have been successfully set up.
[SwitchA] display pim bfd session
VPN-Instance: public net
Configuration Files
● Configuration file of campus egress gateway SwitchA
#
sysname SwitchA
#
vlan batch 100 200 301 to 302
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.1.254
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif301
ip address 10.1.2.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif302
ip address 10.1.3.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
return
● Configuration file of campus egress gateway SwitchB
#
sysname SwitchB
#
vlan batch 100 200 303 to 304
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 2 virtual-ip 10.1.1.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.2.2.2 0.0.0.0
#
return
● Configuration file of core device SwitchC
#
sysname SwitchC
#
vlan batch 301 304 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif301
ip address 10.1.2.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.6.254
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.3.3.3 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
● Configuration file of core device SwitchD
#
sysname SwitchD
#
vlan batch 302 to 303 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif302
ip address 10.1.3.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 2 virtual-ip 10.1.6.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.4.4.4 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
Notice to Be Taken When the Device Connects to an H3C iMC RADIUS Server
When the device connects to an H3C iMC RADIUS server to perform
authentication, authorization, or accounting for 802.1X users, configure security
check policies (for example, check whether the 802.1X client has two network
cards and whether the 802.1X client version is correct) on the RADIUS server to
improve security. In addition, perform the following operations on the device:
1. Configure RADIUS accounting.
2. Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1X users.
3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to
configure the device to return the EAP packets with type value of 10 and data
type of 25 to the RADIUS server.
4. Run the radius-attribute translate HW-Up-Priority HW-User-Information
receive command to convert the HW-Up-Priority attribute in the received
RADIUS packets into HW-User-Information.
5. If the RADIUS server needs to dynamically authorize AAA users, the attributes
delivered by security check policy may be different from the attributes
delivered by dynamic authorization. Therefore, run the authorization-modify
mode modify command to set the update mode for user authorization
information delivered by the RADIUS server to Modify. After the command is
If the active server fails, the switch sends the authentication request packets to the
standby server. The timeout interval of the security check session on iNode is
short. Therefore, you are advised to run the following command to ensure non-
stop service:
3.14.1.2 Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication)
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-181, the administrator needs to manage the device remotely in a simple and secure way. The specific requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the device through Telnet.
2. After logging in through Telnet, the administrator can run commands at levels 0-15 (the local user is created with privilege level 15).
Figure 3-181 Configuring authentication for Telnet login users (AAA local
authentication)
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the
user access type to Telnet, and setting the user level to 15.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value range varies by product version and model). By default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user interfaces to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interfaces to accept Telnet. By default, switches running V200R006 and earlier accept Telnet, and switches running V200R007 and later accept SSH. Telnet carries the login credentials and the whole session in cleartext, so on any management network that is not fully trusted, enable the SSH server (stelnet server enable) and use protocol inbound ssh instead.
[Switch-ui-vty0-14] quit
NOTE
When the entered user name does not contain a domain name, the device authenticates the
user using the default administrative domain default_admin. By default, the default
administrative domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: local authentication
● Accounting scheme default: non-accounting
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
telnet server-source -i Vlanif 10
#
aaa
local-user user1 password irreversible-cipher %^%#.)P`(ahmeXKljES$}IC%OdjjC$m)cA#}T(8z4*ZK!_Z
+GSo<7C*O8WO,!rt;%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-182, a RADIUS server is deployed on a network. The
administrator is authenticated through RADIUS and Telnet to the device to
remotely manage it. The specific requirements are as follows:
1. The administrator must enter correct user name and password to log in to the
device through Telnet.
2. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure RADIUS authentication, including creating a RADIUS server
template, an AAA authentication scheme, and a service scheme, and applying
the schemes to a domain.
4. Configure the domain to which the administrator belongs as the default
administrative domain so that the administrator does not need to enter the
domain name when logging in.
NOTE
This example only provides the configurations on the device. Ensure that the required
parameters have been set on the RADIUS server, for example, device's IP address, shared key,
and the creating user.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value range varies by product version and model). By default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit
NOTE
If the RADIUS server does not accept the user names containing domain names, run the undo
radius-server user-name domain-included command on the device so that the packets sent
from the device to the RADIUS server do not contain domain names.
# Apply the AAA authentication scheme, RADIUS server template, and service
scheme to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
Step 5 Configure the domain to which the administrator belongs as the default
administrative domain so that the administrator does not need to enter the
domain name when logging in to the device through Telnet.
[Switch] domain huawei.com admin
# On a PC running Windows, choose Start > Run, enter cmd to open a command window, run the telnet command, and enter the user name user1 and password YsHsjx_202207 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain huawei.com admin
#
telnet server enable
telnet server-source -i Vlanif 10
#
radius-server template 1
radius-server shared-key cipher %^%#Zh-H!i<+2RUI,E4_q<''+[14Fmj4@>Aa0pM0H}@D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
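The RADIUS server template above binds the switch to the server at 10.1.6.6, port 1812, with a shared key that must match the key configured on the server. What that key actually protects is easier to see on the wire. The following Python is an added example, not Huawei code and not from the original page: it builds the Access-Request the switch (the NAS, 10.1.6.10 in the example) sends for user1, hides the PAP password under the shared key as RFC 2865 section 5.2 describes, and verifies the server's Response Authenticator before trusting an Access-Accept. The secret, the toy user database and the toy_server function that stands in for the real server are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865, PAP) and what the shared key does.
Added example, not Huawei code. Server 10.1.6.6:1812 and NAS 10.1.6.10 are the addresses from
the example above; the secret, request authenticator and user database are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to 16n, XOR each block with MD5(secret + previous cipher block),
    seeded with the Request Authenticator. Obfuscation keyed by the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + cipher, cipher
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(cipher, hashlib.md5(secret + prev).digest()))
        prev = cipher
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """What the switch sends to 'radius-server authentication 10.1.6.6 1812'."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable and fresh per request
    attrs = (tlv(ATTR_USER_NAME, username.encode())
             + tlv(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Header and attribute parsing with the length checks every NAS and server must make."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def build_response(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(secret, request, response):
    """NAS side: trust an Access-Accept only if its authenticator verifies under the shared
    key and its Identifier matches the outstanding request."""
    _, req_ident, request_auth, _ = parse_packet(request)
    _, ident, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, response_auth)


def toy_server(secret, request, users):
    """Constructed PAP server: reveal the password with its own copy of the secret and compare
    against a dict. A mismatched secret on either side yields garbage, so login fails closed."""
    _, _, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(secret, request_auth, fields.get(ATTR_USER_PASSWORD, b""))
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), supplied)
    return build_response(secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)


if __name__ == "__main__":
    secret = b"Example-Shared-Key"  # constructed; the real value is the radius-server shared-key
    req = build_access_request(secret, 1, "user1", "YsHsjx_202207", "10.1.6.10")
    resp = toy_server(secret, req, {"user1": "YsHsjx_202207"})
    print(parse_packet(resp)[0] == ACCESS_ACCEPT, response_is_authentic(secret, req, resp))
```

Two consequences follow directly from the code. A shared-key mismatch means the server cannot recover the password (it rejects) and the switch cannot verify the reply (it discards it), which is the failure mode behind the note that the keys on the switch and the server must be identical. And every attribute other than User-Password, including User-Name and the accept or reject verdict, crosses the network in the clear, so the RADIUS server belongs on a management segment such as the dedicated VLAN 20 of the example rather than on a user-reachable one.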
Configuration Notes
This configuration example applies to all switches running all versions.
In this example, the RADIUS authentication server is the secure ACS running
version 5.2.0.26.
Networking Requirements
As shown in Figure 3-183, on an enterprise network, an administrator connects to
the switch through a management network and an 802.1X user connects to the
switch through an access network. The enterprise uses ACS to create and maintain
user information. The administrator can log in to the ACS through web.
The administrator and 802.1X user are allocated different accounts and rights to
improve security. The requirements are as follows:
1. The administrator can Telnet to the switch only after entering the user name
and password, and can use the commands from level 0 to level 15 after login.
2. To access the switch, the 802.1X user needs to start the 802.1X client, enter
the user name and password, and be authenticated.
After the 802.1X user accesses the switch:
– The user can use the commands at level 0 to level 2.
– The ACS delivers VLAN 100 and ACL 3000 to the user.
3. The administrator is authenticated in the default domain, and the 802.1X user
is authenticated in the huawei.com domain.
Figure 3-183 Networking of Telnet login user authentication (Using the Secure
ACS as a RADIUS Authentication Server)
Preparations
Configuration Roadmap
1. Configure the switch.
a. Configure interfaces and allocate IP addresses to them, so that the switch
can communicate with the ACS.
b. Create a VLAN and an ACL that the ACS will deliver.
c. Enable the Telnet service.
d. Configure AAA authentication for the administrator to Telnet to the
switch.
e. Configure RADIUS authentication, including creating the RADIUS server
template and AAA authentication scheme and applying them to the
default_admin and huawei.com domains.
f. Enable 802.1X authentication on the interface that the 802.1X user
accesses.
2. Configure the ACS, add access devices and users, and configure an
authentication and authorization profile. Add access policies and bind users to
the authentication and authorization profile.
NOTE
Ensure that the Switch and ACS can communicate with each other.
Procedure
Step 1 Configure the switch.
1. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24 //Configure the IP address used to communicate with the
ACS.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
NOTE
If the user name stored on the AAA server does not contain a domain name, run the undo
radius-server user-name domain-included command. After this command is executed,
the user names in the packets sent from the switch to RADIUS server do not contain
domain names.
# Apply the AAA authentication scheme and RADIUS server template to the
default administrative domain.
NOTE
Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are
authenticated in the default administrative domain.
By default, the administrative domain is default_admin.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit
# Apply the AAA authentication scheme and RADIUS server template to the
huawei.com domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
NOTE
After a switching between common mode and unified mode, the device automatically
restarts.
Enter the uniform resource locator (URL) address of the ACS and press Enter
to open the ACS login page. Enter the user name and password, and click
Login.
NOTE
The ACS's URL address is in the format http://IP/ or https://IP/, for example, http://
10.13.1.1/ or https://10.13.1.1/.
b. Enter the switch name and IP address, set the authentication mode
between the switch and ACS to RADIUS, enter the shared secret and CoA
port number, and click Submit, as shown in Figure 3-185.
3. Add a user.
a. Choose Users and Identity Stores > Internal Identity Stores > Users >
Create, as shown in Figure 3-186.
b. Enter the user name, password, and confirm password, and click Submit,
as shown in Figure 3-187.
Figure 3-187 shows the page for adding an 802.1X user. After adding the
access user, add an administrator according to the administrator
parameters.
When you use the RADIUS protocol, it is recommended that you choose Policy
Elements > Authorization and Permissions > Network Access.
When you use the TACACS+ protocol, it is recommended that you choose Policy
Elements > Authorization and Permissions > Authorization Profiles.
The settings on the RADIUS Attributes tab page are shown in Figure
3-190. Click Submit to commit the profile configuration.
Figure 3-192 Setting common task parameters for the 802.1X user's
authentication and authorization profile
Figure 3-193 Setting RADIUS attribute parameters for the 802.1X user's
authentication and authorization profile
NOTE
The S series switches support the first five user access protocols.
c. Choose Access Policies > Access Services > Service Selection Rules to
create a rule, as shown in Figure 3-196.
d. Configure the rule. Set the authentication mode to RADIUS and add
attributes according to Figure 3-197.
You can choose Access Policies > Access Services > Service Selection
Rules to prepare the attributes that you want to add.
# The 802.1X user starts the 802.1X client on the PC, and enters the user
name user1@huawei.com and password YsHsjx_2022063. If the user name
and password are correct, the client displays a successful authentication
message. The user can access the network.
# After the 802.1X user goes online, run the display access-user access-type
dot1x command on the switch to view the user information. The Dynamic
VLAN and Dynamic ACL number(Effective) fields indicate the VLAN and
ACL delivered by the RADIUS server.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
telnet server enable
telnet server-source -i Vlanif 20
#
acl number 3000
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain default_admin
authentication-scheme sch1
radius-server 1
domain huawei.com
authentication-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.6.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 30
authentication dot1x
dot1x authentication-method eap
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-202, an HWTACACS server is deployed on a network, and
the administrator Telnets to the device to remotely manage it. The specific
requirements are as follows:
1. The administrator must enter correct user name and password to log in to the
device through Telnet.
2. The device performs HWTACACS authentication for the administrator first. If the HWTACACS server does not respond, the device falls back to local authentication. (The fallback applies only when the server is unreachable, not when the server rejects the login.)
3. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.
Figure 3-202 Configuring authentication for Telnet login users (HWTACACS and
local authentication)
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the
user access type to Telnet, and setting the user level to 15.
4. Configure HWTACACS authentication, including creating an HWTACACS server
template, an AAA authentication scheme, and a service scheme, and applying
the schemes to a domain.
NOTE
This example only provides the configurations on the device. Ensure that the required
parameters have been set on the HWTACACS server, for example, device's IP address, shared key,
and user information.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value range varies by product version and model). By default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit
# Apply the AAA authentication scheme, HWTACACS server template, and service
scheme to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] hwtacacs-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
telnet server enable
telnet server-source -i Vlanif 10
#
hwtacacs-server template 1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server shared-key cipher %^%#q(P3<qAXm=Pq).G8bgq@"sbFOf%0k%umgQJ3#MF3%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
hwtacacs-server 1
local-user user1@huawei.com password irreversible-cipher %^%#+bxGT|w}~J-FHdDG"R8"($BX%XF/
R1uba0UwL0).&r"Z#zbz*2G1$%6)Rd/V%^%#
local-user user1@huawei.com privilege level 15
local-user user1@huawei.com service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
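The examples on this page differ only in how the VTY lines authenticate (local, RADIUS, HWTACACS with local fallback), and every one of those differences is visible in the configuration file. The following Python is an added example, not Huawei tooling and not from the original page: it parses a configuration dump in the '#'-separated format shown above and reports the management-plane settings a reviewer checks first, namely Telnet enabled on the VTY lines, a VTY line without AAA authentication, the fallback semantics of a multi-method authentication scheme, and which local accounts hold privilege level 15. SAMPLE_CONFIG is constructed from the HWTACACS example directly above with the cipher blobs replaced by a placeholder, and the severity labels are this example's own, not a Huawei classification.

```python
"""Audit management-plane settings in a VRP-style 'display current-configuration' dump.
Added example, not Huawei tooling: it knows only the commands used by the Telnet/AAA examples on
this page. SAMPLE_CONFIG is constructed from the HWTACACS-plus-local example, blobs replaced."""

SAMPLE_CONFIG = """\
#
telnet server enable
#
hwtacacs-server template 1
 hwtacacs-server authentication 10.1.6.6
 hwtacacs-server shared-key cipher %^%#placeholder%^%#
#
aaa
 authentication-scheme sch1
  authentication-mode hwtacacs local
 domain huawei.com
  authentication-scheme sch1
  hwtacacs-server 1
 local-user user1@huawei.com privilege level 15
 local-user user1@huawei.com service-type telnet
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""


def split_blocks(config_text):
    """'#'-separated blocks as lists of stripped lines (indentation is not relied on)."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    return blocks + ([current] if current else [])


def audit(config_text):
    """Return (severity, message) findings; severity is critical, high, medium or info."""
    telnet_on, vty_auth, vty_protocols = False, None, set()
    schemes, users = {}, {}
    for block in split_blocks(config_text):
        head, words = block[0], block[0].split()
        if head == "telnet server enable":
            telnet_on = True
        elif words[0] == "user-interface":
            for line in block:
                if line.startswith("authentication-mode "):
                    vty_auth = line.split()[1]
                elif line.startswith("protocol inbound "):
                    vty_protocols.update(line.split()[2:])
        elif head == "aaa":
            scheme = None  # authentication-scheme whose sub-commands are being read
            for w in (line.split() for line in block[1:]):
                if w[0] == "authentication-scheme":
                    scheme = w[1]
                    schemes.setdefault(scheme, [])
                elif w[0] == "authentication-mode" and scheme:
                    schemes[scheme] = w[1:]  # method order, e.g. ['hwtacacs', 'local']
                elif w[0] == "local-user" and len(w) > 2:
                    u = users.setdefault(w[1], {"level": None, "services": set()})
                    if w[2] == "privilege":
                        u["level"] = int(w[4])
                    elif w[2] == "service-type":
                        u["services"].update(w[3:])
                else:
                    scheme = None  # domain, service-scheme or server-binding lines
    findings = []
    if telnet_on:
        proto = ", ".join(sorted(vty_protocols)) or "version default"
        findings.append(("high", f"telnet server enabled (VTY protocol inbound: {proto}): "
                         "credentials and sessions cross the network in cleartext; prefer SSH"))
    if vty_auth is None:
        findings.append(("high", "VTY lines have no authentication-mode; set authentication-mode aaa"))
    elif vty_auth == "none":
        findings.append(("critical", "VTY authentication-mode none: login without credentials"))
    elif vty_auth == "password":
        findings.append(("medium", "VTY uses a shared line password: no per-user accountability"))
    for name, methods in schemes.items():
        if "none" in methods:
            findings.append(("critical", f"authentication-scheme {name} permits 'none'"))
        elif len(methods) > 1 and methods[-1] == "local":
            findings.append(("info", f"authentication-scheme {name}: local fallback is used only when "
                             f"{methods[0]} does not respond, not when it rejects; keep local accounts strong"))
        elif methods and "local" not in methods:
            findings.append(("info", f"authentication-scheme {name}: no local fallback; admin login fails "
                             f"if the {methods[0]} server is unreachable"))
    for name, u in users.items():
        if u["level"] == 15:
            services = ", ".join(sorted(u["services"])) or "unspecified service-type"
            findings.append(("info", f"local-user {name}: privilege level 15 for {services}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a copy of the output of display current-configuration. The parser deliberately keys on block boundaries and first words rather than indentation, because configurations pasted into tickets or documents, like the ones on this page, usually arrive with the indentation stripped.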
entered user names do not contain domain names. If a user name contains a
domain name, the user belongs to this domain; otherwise, the user belongs to the
default domain. If most users on a network belong to the same domain, you can
configure this domain as the default domain so that these users do not need to
enter the domain name when logging in to the device.
Default domains fall into default administrative domain and default common
domain.
● The administrator (logging in through Telnet, SSH, FTP, HTTP, or Terminal) is
authenticated in the default administrative domain.
By default, the default administrative domain is default_admin.
● The common users (logging in through MAC, Portal, or 802.1X authentication,
or PPP authentication in V200R005) are authenticated in the default common
domain.
By default, the default common domain is default.
NOTE
You can modify the configuration of the default domains, but you cannot delete them.
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-204, the administrator Telnets to the device and remotely
manages the device after passing AAA local authentication, and 802.1X users log
in to the device through 802.1X clients after passing RADIUS authentication.
Therefore, both AAA local authentication and RADIUS authentication need to be
configured on the device.
1. The administrator must enter correct user name and password to Telnet to
the device. After logging in to the device, the administrator can run all the
commands at levels 0-15.
2. 802.1X users must enter correct user names and passwords to log in to the
device.
3. The administrator and 802.1X users do not need to enter domain names when
logging in.
Configuration Roadmap
1. Allow the administrator to Telnet to the device.
a. Enable the Telnet service.
b. Set the authentication method for Telnet login users to AAA.
c. Configure AAA local authentication, including creating a local user,
setting the user access type to Telnet, and setting the user level to 15.
2. Allow 802.1X users to log in to the device through RADIUS authentication.
a. Enable 802.1X authentication on the interface.
b. Configure RADIUS authentication, including creating a RADIUS server
template, an AAA authentication scheme, and a service scheme, and
applying the schemes to the default common domain.
NOTE
This example provides only the configuration on the device. Ensure that the required parameters have been set on the RADIUS server, for example, the device's IP address, the shared key, and the user accounts.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.3.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
Step 2 Configure AAA local authentication for the administrator to Telnet to the device.
# Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 20 //Configure the source interface of the server as the interface
corresponding to 10.1.2.10. Assume that the interface is Vlanif 20.
# Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value range varies by product version and model). By default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit
NOTE
When the entered user name does not contain a domain name, the device authenticates the
user using the default administrative domain default_admin. By default, the default
administrative domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: local authentication
● Accounting scheme default: non-accounting
Step 3 Configure RADIUS authentication for 802.1X users to log in to the device.
# Configure the RADIUS server template to implement communication between
the device and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP address and port number of
NOTE
If the RADIUS server does not accept the user names containing domain names, run the undo
radius-server user-name domain-included command on the device so that the packets sent
from the device to the RADIUS server do not contain domain names.
# Apply the AAA authentication scheme, RADIUS server template, and service
scheme to the default common domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme sch1
[Switch-aaa-domain-default] service-scheme sch1
[Switch-aaa-domain-default] radius-server 1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit
# Set the NAC mode to unified (this step is required in V200R005 and later
versions).
[Switch] authentication unified-mode
NOTE
After the common mode is changed to unified mode, the device automatically restarts. By
default, the unified mode is used.
# On a PC running Windows, choose Start > Run, enter cmd to open a command window, run the telnet command, and enter the user name user1 and password YsHsjx_2022064 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.
# Run the test-aaa command to test whether an 802.1X user can pass the
authentication.
[Switch] test-aaa liming YsHsjx_202206 radius-template 1
# A user starts the 802.1X client on a terminal, and enters the user name liming
and password YsHsjx_202206 for authentication. If the user name and password
are correct, an authentication success message is displayed on the client page. The
user can access the network.
# After the user goes online, you can run the display access-user access-type
dot1x command to check online 802.1X user information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
telnet server enable
telnet server-source -i Vlanif 20
#
authentication-profile name p1 //Available only in V200R009 and later versions
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain default
authentication-scheme sch1
service-scheme sch1
radius-server 1
local-user user1 password irreversible-cipher $1a$BKfS8Ml4qP$1\a5RWc)oTIuB0'wN;p090;>{APtaL8/x/T.$
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.3.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
authentication dot1x //Available only in the versions earlier than V200R009
authentication-profile p1 //Available only in V200R009 and later versions
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1 //Available only in V200R009 and later versions
#
return
● Ease of use: In most cases, Portal authentication does not require the client to
have additional software installed and allows the client to be directly
authenticated on a web page.
● Convenient operations: Portal authentication supports service extension through the Portal page, such as advertisement push, responsibility announcements, and enterprise publicity.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.
● To facilitate network reconstruction and reduce investments, the enterprise
requires the authentication point be deployed on the core switch.
● A unified identity authentication mechanism is used to authenticate all
terminals accessing the campus network and deny access from unauthorized
terminals.
● R&D employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect to both
the intranet (code library and issue tracking system) and Internet after being
authenticated.
● Marketing employees can connect only to public servers (such as the web and
DNS servers) of the enterprise before the authentication, and can connect
only to the Internet after being authenticated.
Configuration Logic
Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a later version.
● Huawei's Agile Controller-Campus functions as the Portal server and RADIUS server in this example. The supported Agile Controller-Campus versions are V100R001, V100R002, and V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.
Data Plan
Core switch:
● Number of the ACL for R&D employees' post-authentication domain: 3001. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
● Device IP address: 172.16.1.254
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2 //Interface connected to the server area
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for
the server area.
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the R&D department.
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the marketing department.
2. Configure network access rights for users after successful authentication.
[SwitchD] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees
from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees
from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchD-acl-adv-3002] quit
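The two ACLs above, together with the authentication-free rules configured later for the DNS and web servers, define what each role can reach before and after Portal authentication. The following is an added example (not part of the Huawei guide) that parses those exact configuration lines and evaluates them the way the switch does: rules are tried in ascending rule-number order and the first match decides, a wildcard 0 bit must match (the bare 0 shorthand means an exact host), and a free-rule mask is a subnet mask. The "internet" host 203.0.113.10 is a constructed documentation address, and the assumption that an ACL with no matching rule permits the packet is never exercised here because every ACL on this page ends with a catch-all rule.

```python
import ipaddress
import re

# Constructed input: the ACL and authentication-free rule lines from the
# SwitchD configuration, pasted as they appear in the configuration file.
ACL_CONFIG = """
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
"""
FREE_RULE_CONFIG = """
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
"""

ACL_RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")
FREE_RULE_RE = re.compile(r"free-rule (\d+) destination ip (\S+) mask (\S+)")


def _to_int(dotted):
    """'172.16.1.4' -> int; the bare '0' shorthand for an exact-host wildcard -> 0."""
    return int(ipaddress.IPv4Address(dotted)) if "." in dotted else int(dotted)


def wildcard_match(ip, base, wildcard):
    """ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return _to_int(ip) & care == _to_int(base) & care


def mask_match(ip, base, mask):
    """free-rule uses a subnet mask: a 1 bit must match."""
    m = _to_int(mask)
    return _to_int(ip) & m == _to_int(base) & m


def parse_acls(text):
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("acl number"):
            current = int(line.split()[-1])
            acls[current] = []
            continue
        m = ACL_RULE_RE.match(line)
        if m and current is not None:
            rule_id, action, dst, wc = m.groups()
            acls[current].append((int(rule_id), action, dst, wc))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])  # rules are tried in ascending rule-number order
    return acls


def parse_free_rules(text):
    return [(dst, mask) for _, dst, mask in FREE_RULE_RE.findall(text)]


def acl_permits(rules, dst_ip):
    """First matching rule decides. Assumption: with no match the ACL permits; every
    ACL on this page ends with a catch-all rule, so this default is never reached here."""
    for _, action, dst, wc in rules:
        if dst is None or wildcard_match(dst_ip, dst, wc):
            return action == "permit"
    return True


def can_reach(dst_ip, authenticated, post_auth_acl, acls, free_rules):
    """Before authentication only free-rule destinations are open (pre-authentication
    domain); after authentication the ACL authorized by the RADIUS server applies."""
    if not authenticated:
        return any(mask_match(dst_ip, base, mask) for base, mask in free_rules)
    return acl_permits(acls[post_auth_acl], dst_ip)


def access_matrix(acls, free_rules):
    """Role x state x destination table for the hosts named in the requirements."""
    hosts = {"dns": "172.16.1.2", "web": "172.16.1.3", "code-library": "172.16.1.4",
             "issue-tracker": "172.16.1.5", "internet": "203.0.113.10"}  # internet host is constructed
    roles = {"rnd": 3001, "marketing": 3002}
    return {(role, state, name): can_reach(ip, state == "after", acl, acls, free_rules)
            for role, acl in roles.items() for state in ("before", "after")
            for name, ip in hosts.items()}


if __name__ == "__main__":
    matrix = access_matrix(parse_acls(ACL_CONFIG), parse_free_rules(FREE_RULE_CONFIG))
    for (role, state, name), allowed in sorted(matrix.items()):
        print(f"{role:10} {state:7} {name:14} {'allow' if allowed else 'deny'}")
```

Running the script prints the matrix; it confirms that both roles reach only DNS and the web server before authentication, that R&D reaches everything afterwards, and that marketing is cut off from 172.16.1.4 and 172.16.1.5 while still reaching the Internet. Because the evaluator takes the ACL text itself, it can be rerun against the 802.1X ACL later on this page, which ends with a deny rule instead of a permit.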
3. Configure parameters for connecting to the RADIUS server.
[SwitchD] radius-server template policy //Create the RADIUS server template policy.
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812 //Configure the IP address
and port number of the RADIUS authentication server.
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813 //Configure the IP address and
port number of the RADIUS accounting server.
[SwitchD-radius-policy] radius-server shared-key cipher YsHsjx_202206 //Set the authentication
key and accounting key to YsHsjx_202206.
[SwitchD-radius-policy] quit
[SwitchD] aaa //Enter the AAA view.
[SwitchD-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchD-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth
to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the
domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the
domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.
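The configuration notes on this page repeat that the RADIUS shared key on the switch must equal the one on the Agile Controller-Campus. The reason is the Response Authenticator of RFC 2865: the server computes MD5 over the reply header, the Request Authenticator from the switch's Access-Request, the attributes and the shared secret, and the switch recomputes the same value with its own copy of the key before it trusts the reply. The following is an added example (not code from the Huawei guide or from the Agile Controller-Campus) that builds one Access-Request / Access-Accept round trip with the two keys held separately, verifies the reply as the NAS would, and extracts the Filter-Id attribute (11) that the later ACL-authorization section describes. The user name userA, the identifier 7 and the Filter-Id value 3001 are constructed; the key YsHsjx_202206 is the one from the configuration above. The optional Message-Authenticator attribute is not covered.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FILTER_ID = 1, 11  # Filter-Id (attribute 11) carries the ACL reference


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: type, length (including the 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, attrs):
    """The NAS sends a fresh random Request Authenticator with every Access-Request."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)


def server_reply(request, code, attrs, secret):
    """Server side (RFC 2865, section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident = request[1]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_reply(request, response, secret):
    """NAS side: recompute the Response Authenticator with the locally configured
    shared key and compare in constant time. If the switch and the server hold
    different keys, every reply fails here and no user is ever authenticated."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authorized_acl(request, response, secret):
    """Return the ACL number from Filter-Id if the reply authenticates, else None."""
    if not verify_reply(request, response, secret):
        return None
    attrs = dict(parse_attrs(response[20:]))
    if response[0] != ACCESS_ACCEPT or FILTER_ID not in attrs:
        return None
    return attrs[FILTER_ID].decode()


def exchange(switch_key, server_key, acl="3001"):
    """One Access-Request / Access-Accept round trip with each side's key given separately."""
    request = build_access_request(7, [(USER_NAME, b"userA")])  # constructed request
    accept = server_reply(request, ACCESS_ACCEPT, [(FILTER_ID, acl.encode())], server_key)
    return authorized_acl(request, accept, switch_key)


if __name__ == "__main__":
    key = b"YsHsjx_202206"  # the example key from the configuration above
    print("matching keys   ->", exchange(key, key))
    print("mismatched keys ->", exchange(key, b"some_other_key"))
```

With matching keys the switch accepts the reply and reads ACL 3001 from Filter-Id; with a mismatch the reply is discarded even though it carries the same attributes, which is the symptom seen in practice when the key is mistyped on one side.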
4. Configure parameters for connecting to the Portal server.
[SwitchD] web-auth-server portal_huawei //In V200R020C10SPC100 and later versions, you must
also run the web-auth-server server-source or server-source command to configure the local
gateway address used to receive and respond to the packets sent by the Portal server, so as to
implement Portal authentication.
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the
switch uses to communicate with the Portal server.
[SwitchD-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the
packets that the switch sends to the Portal server to 50200, which is the same as the port number
that the Portal server uses to receive packets. The default destination port number on the switch is
50100, and you must change it to 50200 manually, so that it matches the port number on the Portal
server.
[SwitchD-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the
shared key for communication with the Portal server, which must be the same as that configured on
NOTE
In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by
DNS and the DNS server is on the upstream network of the NAS device, you also need to
create authentication-free rules and ensure that the DNS server is included in the
authentication-free rules. In V200R012C00 and later versions, the NAS device automatically
allows DNS packets to pass through and no authentication-free rule is required in Portal
authentication.
[SwitchD] free-rule-template name default_free_rule
[SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the DNS server before the authentication.
[SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the web server before the authentication.
[SwitchD-free-rule-default_free_rule] quit
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
Parameter              Value                              Description
Name                   SW                                 -
Device series          Huawei Quidway Series              -
Allowed IP Addresses   192.168.0.1/24; 192.168.1.1/24     -
d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter Value Description
Department R&D -
----End
Configuration Files
# Configuration file of the access switch for the R&D department (The
configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei layer3
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
authentication-profile p1
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
● Ease of use: In most cases, Portal authentication does not require the client to
have additional software installed and allows the client to be directly
authenticated on a web page.
● Convenient operations: Portal authentication achieves service expansion on
the Portal page, including advertisement push, responsibility announcement,
and enterprise publicity.
● Mature technology: Portal authentication has been widely used in networks of
carriers, fast food chains, hotels, and schools.
● Flexible deployment: Portal authentication implements access control at the
access layer or at the ingress of key data.
● Flexible user management: Portal authentication can be performed on users
based on the combination of user names and any one of VLANs, IP addresses,
and MAC addresses.
Enterprises often choose Portal authentication for guests because they move
frequently.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.
● Moderate security control is required. To facilitate maintenance, a moderate
number of authentication points need to be deployed on the aggregation
switch.
Configuration Logic
Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a
later version.
● Huawei's Agile Controller-Campus functions as the Portal server and RADIUS
server in this example. The Agile Controller-Campus must run V100R001,
V100R002, or V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.
● When you run the access-user arp-detect command to configure the IP
address and MAC address of the user gateway as the source IP address and
source MAC address of user offline detection packets, ensure that the MAC
address of the gateway remains unchanged, especially in active/standby
switchover scenarios. If the gateway MAC address is changed, ARP entries of
terminals will be incorrect on the device, and the terminals cannot
communicate with the device.
Data Plan
Item                 Data                                              Description
Aggregation switch   Number of the ACL for R&D employees'              You need to enter this ACL number when
                     post-authentication domain: 3001                  configuring authorization rules and results
                                                                       on the Agile Controller-Campus.
                     Device IP address: 172.16.1.254                   -
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
5. Enable Portal authentication and configure network access rights for users in
the pre-authentication domain and post-authentication domain.
# Set the NAC mode to unified.
[SwitchC] authentication unified-mode //Set the NAC mode to unified. By default, the switch
works in unified mode. After changing the NAC mode from common to unified, save the
configuration and restart the switch to make the configuration take effect.
NOTE
In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by
DNS and the DNS server is on the upstream network of the NAS device, you also need to
create authentication-free rules and ensure that the DNS server is included in the
authentication-free rules. In V200R012C00 and later versions, the NAS device automatically
allows DNS packets to pass through and no authentication-free rule is required in Portal
authentication.
[SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the DNS server before the authentication.
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the web server before the authentication.
[SwitchC-free-rule-default_free_rule] quit
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
Parameter              Value                              Description
Name                   SW                                 -
Device series          Huawei Quidway Series              -
Allowed IP Addresses   192.168.0.1/24; 192.168.1.1/24     -
d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter Value Description
Department R&D -
----End
Configuration Files
# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
Overview
On a NAC network, the 802.1X, MAC address, and Portal authentication modes
are configured on the user access interfaces of a device to meet various
authentication requirements. Users can access the network using any
authentication mode.
If multiple authentication modes are enabled, the authentication modes take
effect in the sequence they are configured. In addition, after multiple
authentication modes are deployed, users can be authenticated in different modes
by default and assigned different network rights accordingly by the device.
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized
access and protect information security, an enterprise requests users to pass
identity authentication and security check before they access the enterprise
network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the
enterprise network only after passing authentication.
The enterprise network has the following characteristics:
● The access switches on the network do not support 802.1X authentication.
● The enterprise network has a small size and does not have branch networks.
● The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
● Dumb terminals, such as IP phones and printers, are connected to the
enterprise network.
To reduce network reconstruction investment, you are advised to configure the
802.1X authentication function on the aggregation switch and connect a single
centralized authentication server to the aggregation switch in bypass mode. MAC
address authentication needs to be configured for dumb terminals.
Configuration Logic
Configuration Notes
This configuration example applies to all switches running V200R009C00 or a later
version. Huawei Agile Controller-Campus functions as the RADIUS server; the Agile
Controller-Campus must run V100R001, V100R002, or V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS server to pass. You do not
need to configure authentication-free rules for the server on the switch.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Data Plan
Procedure
Step 1 Configure the access switches.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded. This example uses SwitchC to describe the configuration.
The configuration on SwitchD is the same as that on SwitchC.
# Create VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200
In this example, SwitchC and SwitchD are deployed between the authentication switch
SwitchA and users. 802.1X packet transparent transmission needs to be configured on
SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003
group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
– Method 2: This method is recommended when a large number of users
exist or high network performance is required. Only the S5720-EI, S5720-
HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-
HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S
support this method.
[SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
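Both methods solve the same problem: an intermediate switch that does not run 802.1X would otherwise trap frames sent to the reserved PAE address 0180-c200-0003 as BPDUs instead of forwarding them to SwitchA. Method 1 rewrites the destination MAC of EAPOL frames to the configured group MAC at the ingress port and restores it at egress; method 2 replaces the single default BPDU rule (0180-c200-0000 with mask ffff-ffff-fff0, covering 0180-c200-0000 to 0180-c200-000F) with four rules that together cover the same block minus 0180-c200-0003. The following is an added example (not code from the Huawei guide) that checks both claims: it enumerates which addresses each bpdu mac-address line claims, confirms that only the EAPOL address is left out, and performs the method 1 rewrite on a constructed EAPOL-Start frame. The mask semantics (a 1 bit in the mask means the address bit must match) and the supplicant MAC 0011-2233-4455 are assumptions; the group MAC 0100-0000-0002 is the one from the command above.

```python
import struct

EAPOL_DST = "0180-c200-0003"      # IEEE 802.1X PAE group address
EAPOL_ETHERTYPE = 0x888E
GROUP_MAC = "0100-0000-0002"      # group-mac from the l2protocol-tunnel command above
DEFAULT_BPDU_RULE = ("0180-c200-0000", "ffff-ffff-fff0")  # the line removed with undo
METHOD2_RULES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value):
    h = f"{value:012x}"
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def matches(mac, base, mask):
    """Assumed semantics of 'bpdu mac-address <mac> <mask>': a 1 bit in the mask
    means that address bit must equal the base; 0 bits are don't-care."""
    m = mac_to_int(mask)
    return mac_to_int(mac) & m == mac_to_int(base) & m


def addresses_in(base, mask):
    """Enumerate every address covered by base/mask (small blocks only)."""
    b, m = mac_to_int(base), mac_to_int(mask)
    free = [i for i in range(48) if not (m >> i) & 1]
    if len(free) > 16:
        raise ValueError("block too large to enumerate")
    for combo in range(1 << len(free)):
        v = b & m
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                v |= 1 << bit
        yield int_to_mac(v)


def unclaimed(rules, block):
    """Addresses in block that none of the rules traps as a BPDU."""
    return [a for a in addresses_in(*block)
            if not any(matches(a, base, mask) for base, mask in rules)]


def l2protocol_tunnel(frame, inbound=True):
    """Method 1 in miniature: on the user-facing port, rewrite the EAPOL destination
    MAC to the group MAC so intermediate switches flood the frame like ordinary
    multicast; on the way back out, restore the original address. Non-EAPOL frames
    and frames with another destination pass through untouched."""
    if len(frame) < 14:
        return frame
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        return frame
    old, new = (EAPOL_DST, GROUP_MAC) if inbound else (GROUP_MAC, EAPOL_DST)
    if dst != mac_bytes(old):
        return frame
    return mac_bytes(new) + frame[6:]


def eapol_start_frame(src="0011-2233-4455"):
    """Constructed EAPOL-Start (version 1, type 1, length 0) from a supplicant."""
    return (mac_bytes(EAPOL_DST) + mac_bytes(src)
            + struct.pack("!H", EAPOL_ETHERTYPE) + bytes([1, 1, 0, 0]))


if __name__ == "__main__":
    print("default rule traps EAPOL:", matches(EAPOL_DST, *DEFAULT_BPDU_RULE))
    print("left unclaimed by method 2:", unclaimed(METHOD2_RULES, DEFAULT_BPDU_RULE))
    f = eapol_start_frame()
    t = l2protocol_tunnel(f)
    back = l2protocol_tunnel(t, inbound=False)
    print("method 1 rewrite:", int_to_mac(int.from_bytes(t[:6], "big")),
          "-> restored:", int_to_mac(int.from_bytes(back[:6], "big")))
```

The enumeration shows why the four masks are chosen as they are: FFFE covers 00 and 01, FFFF covers 02 alone, FFFC covers 04 to 07 and FFF8 covers 08 to 0F, so the only address in the original block that is no longer trapped is 0180-c200-0003. If a future change adds a rule with mask ffff-ffff-fff0 back, the unclaimed list becomes empty and 802.1X authentication through SwitchC silently stops working.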
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connected to SwitchC.
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connected to SwitchD.
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6 //Configure the interface connected to the server.
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management IP address for
SwitchA. This IP address is used when SwitchA is added to Agile Controller-Campus.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway address for terminal
users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.100.100 //Configure a route to the
network segment where the pre-authentication domain resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.102.100 //Configure a route to the
network segment where the post-authentication domain resides.
# Create an AAA authentication scheme abc and set the authentication mode
to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, the device
automatically restarts.
By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the
RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication
request packets.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] dot1x authentication-method eap
[SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30
[SwitchA-dot1x-access-profile-d1] quit
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
c. Click the device group in the navigation tree and select ALL Device. Click
Add to add network access devices.
d. Set connection parameters on the Add Device page.
Parameter       Value                           Description
Name            SwitchA                         -
Device Series   Huawei Quidway series switch    -

Parameter                            Value                             Description
Name                                 Access authentication rule        -
Please select the allowed            PAP, CHAP, EAP-MD5,               -
authentication protocol              EAP-PEAP-MSCHAPv2, EAP-TLS,
                                     EAP-PEAP-GTC, EAP-TTLS-PAP

Parameter   Value                        Description
Name        Post-authentication domain   -
After a user passes the authentication, authorization phase starts. The Agile
Controller-Campus grants the user access rights based on the authorization
rule.
Parameter              Value                        Description
Authorization Result   Post-authentication domain   -
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile m1
#
domain isp
#
access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%#%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
dot1x-access-profile name d1
#
mac-access-profile name m1
mac-authen username fixed A-123 password cipher %#%#'Fxw8E,G-81(A3U<^HH9Sj
\:&hTdd>R>HILQYLtW%#%#
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return
#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return
Overview
After an 802.1X user is successfully authenticated on a RADIUS server, the server
sends authorization information to the access device of the user. When the Agile
Controller-Campus functions as the RADIUS server, it can deliver multiple
authorization parameters.
● ACL-based authorization is classified into:
– ACL description-based authorization: If ACL description-based
authorization is configured on the server, authorization information
includes the ACL description. The device matches ACL rules based on the
ACL description authorized by the server to control user rights. The ACL
number, corresponding description, and ACL rule must be configured on
the device.
The standard RADIUS attribute (011) Filter-Id is used.
– Dynamic ACL-based authorization: The server authorizes rules in an ACL
to the device. Users can access network resources controlled using this
ACL. The ACL and ACL rules must be configured on the server. The ACL
does not need to be configured on the device.
The following uses ACL number and dynamic VLAN delivery as an example. The configuration
differences between ACL number delivery and dynamic ACL delivery are described in notes.
Networking Requirements
As shown in Figure 3-211, a large number of employees' terminals in a company
connect to the intranet through GE0/0/1 on SwitchA. To ensure network security,
the administrator needs to control network access rights of terminals. The
requirements are as follows:
● Before passing authentication, terminals can access the public server (with IP
address 192.168.40.1), and download the 802.1X client or update the antivirus
database.
● After passing authentication, terminals can access the service server (with IP
address 192.168.50.1) and devices in the laboratory (with VLAN ID 20 and IP
address segment 192.168.20.10-192.168.20.100).
Configuration Logic
Configuration Notes
This configuration example applies to all switches running V200R009C00 or a later
version. Huawei Agile Controller-Campus functions as the RADIUS server; the Agile
Controller-Campus must run V100R001, V100R002, or V100R003.
When the device supports UCL groups, using UCL groups to configure
authorization rules is recommended. For details, see section "AAA Configuration"
> "Configuring Authorization Rules" in the Configuration Guide - User Access and
Authentication.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Data Plan
Item                                                  Data
Resources accessible to users before authentication   Access rights to the public server are configured using an
                                                      authentication-free rule. The name of the authentication-free
                                                      rule profile is default_free_rule.
Resources accessible to users after authentication    Access rights to the laboratory are granted using a dynamic
                                                      VLAN. The VLAN ID is 20.
                                                      Access rights to the service server are granted using an ACL
                                                      number. The ACL number is 3002.
Procedure
Step 1 Configure access switch SwitchA.
1. Create VLANs and configure the allowed VLANs on interfaces to ensure
network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
In dynamic ACL mode, this step does not need to be configured on the device.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit
# Create the AAA authentication scheme abc and set the authentication
mode to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
# Configure the accounting scheme acco1 and set the accounting mode to
RADIUS.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15
[SwitchA-aaa-accounting-acco1] quit
NOTE
By default, the unified mode is enabled. Before changing the NAC mode, you must save
the configuration. After the mode is changed and the device is restarted, functions of the
newly configured mode take effect.
# Configure the authentication profile p1, bind the 802.1X access profile d1
and authentication-free rule profile default_free_rule to the authentication
profile, specify the domain huawei as the forcible authentication domain in
the authentication profile, and set the user access mode to multi-authen.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] free-rule-template default_free_rule
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] authentication mode multi-authen
[SwitchA-authen-profile-p1] quit
c. Click the User tab in the operation area on the right, and then click Add
under the User tab to add a user A.
e. In the User tab, select user A. Click Transfer to add user A to the
department R&D.
Parameter     Value   Description
Dynamic ACL   3002    -
----End
Configuration File
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
Context
As an increasing number of smart terminals are used, Bring Your Own Device
(BYOD), a new working style for enterprises, has become a trend. When an
enterprise uses the BYOD solution, the administrator must determine the users
and terminals that can connect to the enterprise network, where users can
connect to the enterprise network, and access rights of different terminals. All
these require terminal type identification.
● Local identification
A switch identifies terminal types by analyzing MAC addresses, DHCP option
information, and user agent (UA) information of terminals and then controls
terminal access and grants access rights to terminals accordingly. The switch
can also send identified terminal type information to a server, which then
controls terminal access and grants access rights to terminals accordingly.
● Remote identification
A switch obtains MAC addresses, DHCP option information, and UA
information of terminals and sends the information to a server, which then
controls terminal access and grants access rights to terminals accordingly.
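The following Python is an added example, not code from the Huawei documentation or from any Huawei product. It shows what the switch's raw material for local identification looks like: it parses the three DHCP options that the procedure below collects with device-sensor dhcp option 12 55 60 (host name, parameter request list, vendor class identifier), extracts the User-Agent header that http parse user-agent enable collects, and applies a small fingerprint table to classify the terminal. The DHCP packets, HTTP request, host names and fingerprint rules are constructed assumptions for illustration; the vendor's signature database on the Agile Controller-Campus is not reproduced here.

```python
"""Terminal type identification from DHCP options 12/55/60 and the HTTP User-Agent.
Added example (not Huawei code). Fingerprint rules, packets and names are
constructed assumptions for illustration only.
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS, OPT_END = 12, 55, 60, 255


def parse_dhcp_options(message: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP message (236-byte BOOTP header + options)."""
    if len(message) < 240 or message[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    pos, options = 240, {}
    while pos < len(message):
        code = message[pos]
        if code == 0:                      # pad option: single byte, no length
            pos += 1
            continue
        if code == OPT_END:
            return options
        if pos + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[pos + 1]
        value = message[pos + 2:pos + 2 + length]
        if len(value) != length:           # reject truncated input instead of mis-attributing bytes
            raise ValueError("truncated option value")
        options[code] = value
        pos += 2 + length
    raise ValueError("option list not terminated by option 255")


def sensor_fields(options: dict) -> dict:
    """The three fields the switch forwards (or uses locally) as raw identification data."""
    return {
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "param_request_list": list(options.get(OPT_PARAM_REQUEST_LIST, b"")),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
    }


def extract_user_agent(http_request: bytes) -> str:
    """Pull the User-Agent header out of a raw HTTP/1.x request head ('' if absent)."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("ascii", "replace")
    return ""


def classify(fields: dict, user_agent: str = "") -> str:
    """Constructed fingerprint table (illustrative assumption, not the vendor's rules)."""
    vendor = fields["vendor_class"]
    if vendor.startswith("MSFT"):
        return "windows-pc"
    if vendor.startswith("android-dhcp") or "Android" in user_agent:
        return "android-device"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "ios-device"
    # No vendor class and no browser traffic is typical of a dumb terminal (printer,
    # IP phone): a candidate for MAC address authentication rather than 802.1X.
    if not vendor and not user_agent:
        return "dumb-terminal-candidate"
    return "unknown"


def build_dhcp_discover(mac: bytes, options: list) -> bytes:
    """Construct a DHCPDISCOVER as sample input (constructed, not captured traffic)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x3903F326, 0, 0x8000,            # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC_COOKIE + bytes([53, 1, 1]) + tlvs + bytes([OPT_END])


# Constructed samples: a Windows laptop and a printer on the access VLAN.
LAPTOP_DISCOVER = build_dhcp_discover(
    b"\x00\xe0\xfc\x12\x34\x56",
    [(OPT_HOSTNAME, b"RD-LAPTOP-07"),
     (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, 15, 31, 33, 43])),
     (OPT_VENDOR_CLASS, b"MSFT 5.0")],
)
LAPTOP_HTTP = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n")
PRINTER_DISCOVER = build_dhcp_discover(
    b"\x00\xe0\xfc\xaa\xbb\xcc",
    [(OPT_HOSTNAME, b"PRINTER-2F"), (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6]))],
)


def identify(discover: bytes, http_request: bytes = b"") -> str:
    """End to end: DHCP options plus User-Agent -> terminal type label."""
    return classify(sensor_fields(parse_dhcp_options(discover)),
                    extract_user_agent(http_request))


if __name__ == "__main__":
    print(identify(LAPTOP_DISCOVER, LAPTOP_HTTP))   # windows-pc
    print(identify(PRINTER_DISCOVER))               # dumb-terminal-candidate
```

The parser refuses truncated options rather than guessing, because a terminal type derived from a half-read option would be attributed to the wrong device; the same three fields are what the switch sends to the server in the remote identification model, so the classification step is the only part that moves.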
Networking Requirements
In Figure 3-213, to meet service requirements, an enterprise needs to deploy an
identity authentication system to implement access control on users who attempt
to access the enterprise network. Only authorized users can access the enterprise
network.
Configuration Logic
1. Perform Portal authentication configuration. For details, see 3.14.2.1
Configuring Portal Authentication for Access Users on Huawei Agile
Controller-Campus (Authentication Point on Core Switch).
2. Configure the terminal type awareness function so that the switch can
identify terminal types based on the packets sent by terminals.
3. Enable the UA function so that the switch can obtain UA information from
the packets sent by terminals.
Configuration Notes
The authentication control point in this example must be deployed on the S5720-
HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-
H, S6730S-H, S6730-S, or S6730S-S fixed switch or X series card of modular switch
running V200R009C00 or a later version.
The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS and Portal servers to pass.
You do not need to configure authentication-free rules for the two servers on the
switch.
Data Plan
This example provides only the configuration of terminal type identification. For
details about VLAN planning, network data planning, and service data planning,
see 3.14.2.1 Configuring Portal Authentication for Access Users on Huawei
Agile Controller-Campus (Authentication Point on Core Switch).
In this example, the administrator user name and password are admin and
Admin_123, and the user name and password of Portal users are Jason and
Admin_1234.
Procedure
Step 1 Configure the core switch.
# Configure the core switch to send DHCP option and UA information to the Agile
Controller-Campus, which then uses the information as original information to
identify terminals.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] dhcp enable
[SwitchD] dhcp snooping enable
[SwitchD] device-sensor dhcp option 12 55 60
[SwitchD] http parse user-agent enable
NOTE
For wireless users, you can configure attributes for APs when the switch works as an AC. In
versions earlier than V200R011C10, the configurations are not delivered to APs in real time,
and are delivered to APs only after you run the commit command in the WLAN view. In
V200R011C10 and later versions, the commit command is deleted and the switch delivers the
configurations to APs every 5 seconds.
----End
Configuration Files
# Core switch configuration file
#
sysname SwitchD
#
device-sensor dhcp option 12 55 60
#
dhcp enable
#
dhcp snooping enable
#
http parse user-agent enable
#
return
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-216, terminals in a company's offices are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control users' network access rights to ensure internal network security.
To meet the company's high security requirements, 802.1X authentication is configured and
a RADIUS server is used to authenticate user identities.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interoperation.
2. Configure AAA on the Switch to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure 802.1X authentication to control network access rights of the
employees in the offices. The configuration includes:
a. Configure an 802.1X access profile.
b. Configure an authentication profile.
c. Enable 802.1X authentication on an interface.
● Before performing operations in this example, ensure that user access
terminals and the server can communicate.
● This example only provides the configuration of the Switch. The
configurations of the LAN Switch and server are not provided here.
● In this example, the LAN switch exists between the access switch Switch and
users. To ensure that users can pass 802.1X authentication, you must
configure the EAP packet transparent transmission function on the LAN
switch.
– Method 1: The S5700-LI is used as an example of the LAN switch.
Perform the following operations:
i. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
ii. Run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on the interface connecting to users and the interface
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.
NOTE
By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the
RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication
request packets.
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] dot1x timer client-timeout 30
[Switch-dot1x-access-profile-d1] quit
# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
dot1x-access-profile name d1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-217, terminals in a company's physical access control
department are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control users' network access rights to ensure
internal network security.
Because dumb terminals (such as printers) in the physical access control
department cannot have the authentication client installed, MAC address
authentication needs to be configured on the Switch. MAC addresses of terminals
are used as user information and sent to the RADIUS server for authentication.
Users do not need to perform any authentication operation when their terminals
connect to the network.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
● Before performing operations in this example, ensure that user access terminals and the
server can communicate.
● This example only provides the configuration of the Switch. The configurations of the
LAN Switch and server are not provided here.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.
NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication. Ensure that the formats of the user name and
password for MAC address authentication configured on the RADIUS server are the same as
those configured on the access device.
[Switch] mac-access-profile name m1
[Switch-mac-access-profile-m1] quit
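The exchange behind the MAC access profile and the test-aaa check above, as an added example that is not Huawei or Agile Controller-Campus code: a minimal RFC 2865 Access-Request/Access-Accept pair in Python with both sides shown. The access device sends the MAC address without hyphens as User-Name and User-Password (hidden with the shared key, as the protocol requires), the server compares it with its user database and signs the verdict with the shared key, and the access device verifies that Response Authenticator before trusting the reply. It illustrates the two notes on this page: a RADIUS shared key that differs between switch and server makes every reply unverifiable, and a MAC user name stored on the server in hyphenated form never matches. The user database, packet identifier and request authenticator are constructed test values; the shared key is the one shown in this section's configuration.

```python
"""MAC address authentication over RADIUS with a shared key (RFC 2865 framing).
Added example, not Huawei or Agile Controller-Campus code. User database,
identifier and request authenticator are constructed test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def mac_auth_credential(mac: str) -> str:
    """xxxx-xxxx-xxxx (Huawei form) or colon form -> 12 lowercase hex digits, no separators."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def _parse_attrs(blob: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        kind, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(mac: str, secret: bytes, ident: int = 1, request_auth: bytes = None) -> bytes:
    """Access device side: for MAC authentication the MAC is both user name and password."""
    cred = mac_auth_credential(mac).encode()
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, cred) + _attr(ATTR_USER_PASSWORD, hide_password(cred, secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: compare the credential and sign the verdict with the shared key."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(user_db.get(user, "").encode(), password) else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + request_auth + secret).digest()
    return _packet(code, ident, resp_auth, b"")


def verify_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Access device side: a reply whose authenticator does not verify with our key is discarded."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "id-mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid-authenticator"      # shared-key mismatch, or a reply not from the server
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


SHARED_KEY = b"YsHsjx_202206"               # the same key must be configured on both sides
USER_DB = {"00e0fc123456": "00e0fc123456"}  # constructed: MAC stored without hyphens


def demo(server_key: bytes = SHARED_KEY, user_db: dict = USER_DB) -> str:
    req = build_access_request("00e0-fc12-3456", SHARED_KEY, request_auth=bytes(range(16)))
    return verify_response(req, radius_server_respond(req, server_key, user_db), SHARED_KEY)


if __name__ == "__main__":
    print(demo())                                                # accept
    print(demo(server_key=b"another-key"))                       # invalid-authenticator
    print(demo(user_db={"00e0-fc12-3456": "00e0-fc12-3456"}))    # reject: format mismatch
```

The three demo calls correspond to the three outcomes an operator sees: a working deployment, a shared-key mismatch (the server still answers, but the access device cannot verify the reply and the user stays unauthenticated), and a user-name format mismatch (a clean reject). The MD5-based password hiding is what RFC 2865 specifies, so the strength of the shared key and the isolation of the RADIUS path carry the protection.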
# Configure the authentication profile p1, bind the MAC access profile m1 to the
authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] mac-access-profile m1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
mac-access-profile m1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-218, terminals in a company's visitor area are connected to
the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
● Before performing operations in this example, ensure that user access terminals and the
server can communicate.
● This example only provides the configuration of the Switch. The configurations of the LAN
Switch and server are not provided here.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.
NOTE
Ensure that the port number configured on the device is the same as the port number used by
the Portal server.
# Configure the authentication profile p1, bind the Portal access profile web1 to
the authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] portal-access-profile web1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
NOTE
In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is on the upstream network of the NAS device, use the free-rule
command to create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS
and the DNS server is on the upstream network of the NAS device, you also need to create
authentication-free rules and ensure that the DNS server is included in the authentication-free
rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to
pass through and no authentication-free rule is required in Portal authentication.
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
portal-access-profile web1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.30
port 50200
shared-key cipher %#%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%#%#
url http://192.168.2.30:8080/portal
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
Portal authentication applies to the users who are sparsely distributed and move
frequently, for example, guests of a company.
Configuration Notes
This configuration example applies to all switches running all versions.
The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS and Portal servers to pass.
You do not need to configure authentication-free rules for the two servers on the
switch.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
Data Plan
VLAN ID Function
Item | Data | Description
Core switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Core switch | Device IP address: 172.16.1.254 | -
Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure
network connectivity.
2. Configure Portal authentication on the core switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those
for connecting to the Portal server, enable Portal authentication, and
configure network access rights for the pre-authentication domain and post-
authentication domain.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add user accounts to the Agile Controller-Campus.
c. Add a switch to the Agile Controller-Campus and configure related
parameters to ensure normal communication between the Agile
Controller-Campus and switch.
d. Add authorization results and authorization rules to the Agile Controller-
Campus to grant different access rights to R&D employees and marketing
employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
Parameter | Value | Description
Name | SW | -
Device series | Huawei Quidway Series | -
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter Value Description
Department R&D -
----End
Configuration Files
# Configuration file of the access switch for the employee department (The
configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a
later version.
● Huawei's Agile Controller-Campus in V100R001 functions as the Portal server
and RADIUS server in this example. For the Agile Controller-Campus, the
version required is V100R001, V100R002, V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.
● When you run the access-user arp-detect command to configure the IP
address and MAC address of the user gateway as the source IP address and
source MAC address of user offline detection packets, ensure that the MAC
address of the gateway remains unchanged, especially in active/standby
switchover scenarios. If the gateway MAC address is changed, ARP entries of
terminals will be incorrect on the device, and the terminals cannot
communicate with the device.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple: the authentication system
only performs access authorization, and minimal client software is installed on
user terminals.
Data Plan
VLAN ID Function
Item | Data | Description
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Aggregation switch | Device IP address: 172.16.1.254 | -
Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network
connectivity.
2. Configure Portal authentication on the aggregation switch to implement user
access control. Configure parameters for connecting to the RADIUS server and
those for connecting to the Portal server, enable Portal authentication, and
configure network access rights for the pre-authentication domain and post-
authentication domain.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add user accounts to the Agile Controller-Campus.
c. Add a switch to the Agile Controller-Campus and configure related
parameters to ensure normal communication between the Agile
Controller-Campus and switch.
d. Add authorization results and authorization rules to the Agile Controller-
Campus to grant different access rights to R&D employees and marketing
employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
5. Configure network access rights for the pre-authentication domain and post-
authentication domain.
[SwitchC] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
DNS server before the authentication.
[SwitchC] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
web server before the authentication.
[SwitchC] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees
from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees
from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchC-acl-adv-3002] quit
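To show what the post-authentication domain ACLs above actually grant, the following Python is an added example (not Huawei code) that parses ACL 3001 and ACL 3002 from this section, accepting both the CLI form "acl 3002" and the configuration-file form "acl number 3002", and evaluates packets against them with first-match semantics in ascending rule order. It also implements the wildcard-mask matching behind "destination 172.16.1.4 0" (a 0 bit in the wildcard must match, a 1 bit is ignored, and the bare 0 on the page is a host match), and goes one step beyond the page with a constructed ACL 3003 that uses a subnet wildcard. The sample source addresses, the server names and the default action for packets that match no rule are assumptions, labelled as such in the code.

```python
"""First-match evaluation of Huawei-style advanced ACLs used as post-authentication domains.
Added example, not Huawei code. ACL 3003, the server names, the source addresses and
the default action for unmatched packets are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

ACL_RE = re.compile(r"^acl(?:\s+number)?\s+(\d+)\s*$")
RULE_RE = re.compile(
    r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<snet>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dnet>\S+)\s+(?P<dwc>\S+))?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    source: Optional[Tuple[str, str]]        # (network, wildcard) or None = any
    destination: Optional[Tuple[str, str]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits are compared, 1 bits are ignored; a bare '0' means 0.0.0.0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def parse_acls(config_text: str) -> dict:
    """Return {acl_number: [Rule, ...]} from configuration-file or CLI-style lines."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            g = m.groupdict()
            acls[current].append(Rule(
                int(g["num"]), g["action"], g["proto"],
                (g["snet"], g["swc"]) if g["snet"] else None,
                (g["dnet"], g["dwc"]) if g["dnet"] else None,
            ))
    return acls


def evaluate(rules, src: str, dst: str, proto: str = "ip", default: str = "permit") -> str:
    """The first matching rule in ascending rule number decides. `default` is applied
    when no rule matches; that platform behaviour is an assumption here, so it is a parameter."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "ip" and r.proto != proto:     # 'ip' covers every IP protocol
            continue
        if r.source and not wildcard_match(src, *r.source):
            continue
        if r.destination and not wildcard_match(dst, *r.destination):
            continue
        return r.action
    return default


# ACL 3001 and 3002 as on this page, plus a constructed ACL 3003 with a subnet wildcard.
CONFIG = """
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
acl number 3003
 rule 5 deny ip destination 172.16.1.0 0.0.0.255
 rule 10 permit ip
"""
# Constructed names for the servers this section's rules protect.
SERVERS = {"code-library": "172.16.1.4", "issue-tracker": "172.16.1.5", "intranet-web": "172.16.1.3"}


def reachability(acl_number: int, src: str, config: str = CONFIG) -> dict:
    """Server name -> permit/deny for a user authorized with the given ACL number."""
    rules = parse_acls(config)[acl_number]
    return {name: evaluate(rules, src, ip) for name, ip in SERVERS.items()}


if __name__ == "__main__":
    print("R&D (ACL 3001):      ", reachability(3001, "192.168.0.20"))
    print("Marketing (ACL 3002):", reachability(3002, "192.168.1.20"))
    print("Constructed ACL 3003:", reachability(3003, "192.168.1.20"))
```

Reading the output for ACL 3002 confirms the intent stated in the command comments: marketing employees reach the intranet web server but neither the code library nor the issue tracking system. Because the decision is first-match, the order of rule numbers matters; placing "permit ip" as rule 1 would silently shadow the two deny rules, which is the kind of mistake this evaluator makes visible before the ACL number is entered as an authorization result on the Agile Controller-Campus.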
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
Parameter | Value | Description
Name | SW | -
Device series | Huawei Quidway Series | -
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter Value Description
Department R&D -
----End
Overview
802.1X authentication and MAC address authentication are two methods used for
Network Access Control (NAC). 802.1X authentication is implemented based on
interfaces, and MAC address authentication is implemented based on interfaces
and MAC addresses. Both methods can protect enterprise network security.
802.1X authentication is more secure than MAC address authentication; however,
it requires that 802.1X client software be installed on all user terminals, allowing
Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus in V100R001 functions as the RADIUS server in
this example. For the Agile Controller-Campus, the version required is V100R001,
V100R002, V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS server to pass. You do not
need to configure authentication-free rules for the server on the switch.
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized
access and protect information security, an enterprise requests users to pass
identity authentication and security check before they access the enterprise
network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the
enterprise network only after passing authentication.
The enterprise network has the following characteristics:
● All access switches support 802.1X authentication.
● The enterprise network has a small size and does not have branch networks.
● The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
● Dumb terminals, such as IP phones and printers, are connected to the
enterprise network.
To provide high security for the network, you are advised to configure the 802.1X
authentication function on access switches and connect a single centralized
authentication server to the aggregation switch in bypass mode. MAC address
authentication needs to be configured for dumb terminals.
Data Plan
Item Data
Item Data
Configuration Roadmap
1. Configure the access switches, including the VLANs that interfaces belong to,
parameters for connecting to the RADIUS server, enabling of NAC
authentication, and access rights for the post-authentication domain.
NOTE
Ensure that routes are reachable between the access switches (SwitchC and SwitchD),
the aggregation switch (SwitchA), and the Agile Controller-Campus server.
2. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
Procedure
Step 1 Configure the access switches. This example uses SwitchC to describe the
configuration. The domain configuration on SwitchD is the same as that on
SwitchC.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1 //Configure the interface connected to fixed terminals.
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2 //Configure the interface connected to dumb terminals.
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3 //Configure the interface connected to SwitchA.
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24 //Configure the IP address used to communicate
with the Controller.
2. Create and configure a RADIUS server template, an AAA authentication
scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchC] radius-server template rd1
[SwitchC-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchC-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchC-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[SwitchC-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode
to RADIUS.
[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit
# Configure the accounting scheme acco1 and set the accounting mode to
RADIUS.
[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchC-aaa-accounting-acco1] quit
# Create the authentication domain isp and bind the authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to it.
[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1
[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, the device
automatically restarts.
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
c. Click the device group in the navigation tree and select ALL Device. Click
Add to add network access devices.
d. Set connection parameters on the Add Device page.
This example uses SwitchC to describe the configuration procedure. The
configuration on SwitchD is the same as that on SwitchC except that the
IP addresses are different.
Item           Data
Name           SwitchC
Device Series  Huawei Quidway series switch
Item                                               Data
Name                                               Access authentication rule
Please select the allowed authentication protocol  PAP, CHAP, EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-PEAP-GTC, EAP-TTLS-PAP
Item  Data
Name  Post-authentication domain
After a user passes the authentication, authorization phase starts. The Agile
Controller-Campus grants the user access rights based on the authorization
rule.
Item                  Data
Authorization Result  Post-authentication domain
----End
Overview
On a NAC network, the 802.1X, MAC address, and Portal authentication modes
are configured on the user access interfaces of a device to meet various
authentication requirements. Users can access the network using any
authentication mode.
If multiple authentication modes are enabled, the authentication modes take
effect in the sequence they are configured. In addition, after multiple
authentication modes are deployed, users can be authenticated in different modes
by default and assigned different network rights accordingly by the device.
Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus functions as the RADIUS server in this example.
The required Agile Controller-Campus version is V100R001, V100R002, or V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS server to pass. You do not
need to configure authentication-free rules for the server on the switch.
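The note above requires the RADIUS shared keys on the switch and on the Agile Controller-Campus to match. The following added example (Python; it is not part of this page and not Huawei code) shows what that key actually protects: the switch, acting as the NAS, validates an Access-Accept by recomputing the Response Authenticator, an MD5 digest over the packet and the shared secret (RFC 2865), and the server validates the Message-Authenticator HMAC-MD5 on the Access-Request (RFC 3579). The secret YsHsjx_202206 and the NAS address 192.168.30.30 are the values used in the procedures above; the user name, packet identifier and the exchange itself are constructed for the example.

```python
"""RADIUS authenticator checks (RFC 2865 / RFC 3579) in pure Python.

Added example, not part of the page: it builds a constructed Access-Request /
Access-Accept exchange and shows that verification fails when the NAS and
server use different shared secrets.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (length covers type+len+value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, request_auth, attrs, secret):
    """NAS side: Access-Request with a trailing Message-Authenticator, which is
    HMAC-MD5(secret, packet) computed with the attribute's 16 value bytes zeroed."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator with the NAS's own copy of
    the secret and compare in constant time. A mismatched key makes this fail."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_message_authenticator(packet, secret):
    """Server side: locate attribute 80 in an Access-Request and check its HMAC."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed TLV; never loop on it
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute absent: treat the request as unverified


def demo(secret=b"YsHsjx_202206"):
    """Constructed exchange: the NAS at 192.168.30.30 authenticates user A.
    Returns (accept_ok_with_right_key, accept_ok_with_wrong_key, request_mac_ok)."""
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    req = build_access_request(
        7, request_auth,
        [(ATTR_USER_NAME, b"A"), (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 30, 30]))],
        secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [], secret)
    return (
        verify_response(accept, request_auth, secret),
        verify_response(accept, request_auth, b"wrong-key"),
        verify_message_authenticator(req, secret),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

With the wrong secret the recomputed digest differs, the Accept is discarded and the user stays unauthorized, which is why a key mismatch between switch and controller shows up as every authentication failing rather than as an error about the key.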
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized
access and protect information security, an enterprise requests users to pass
identity authentication and security check before they access the enterprise
network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the
enterprise network only after passing authentication.
The enterprise network has the following characteristics:
● The access switches on the network do not support 802.1X authentication.
● The enterprise network has a small size and does not have branch networks.
● The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
● Dumb terminals, such as IP phones and printers, are connected to the
enterprise network.
To reduce network reconstruction investment, you are advised to configure the
802.1X authentication function on the aggregation switch and connect a single
centralized authentication server to the aggregation switch in bypass mode. MAC
address authentication needs to be configured for dumb terminals.
Data Plan
Item Data
Configuration Roadmap
1. Configure the aggregation switch, including the VLANs interfaces belong to,
parameters for connecting to the RADIUS server, enabling NAC
authentication, and access right to the post-authentication domain.
NOTE
Ensure the reachable routes between the access switches (SwitchC and SwitchD),
aggregation switch (SwitchA), and Agile Controller-Campus server.
2. Configure the access switches, including the VLANs and 802.1X transparent
transmission.
3. Configure the Agile Controller-Campus:
Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connected to SwitchC.
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connected to SwitchD.
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6 //Configure the interface connected to the server.
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management IP address for
SwitchA. This IP address is used when SwitchA is added to Agile Controller-Campus.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway address for terminal
users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.100.100 //Configure a route to the
network segment where the pre-authentication domain resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.102.100 //Configure a route to the
network segment where the post-authentication domain resides.
# Create an AAA authentication scheme abc and set the authentication mode
to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchA-aaa-accounting-acco1] quit
# Create the authentication domain isp and bind the authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to it, as shown in the SwitchA configuration file.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, the device
automatically restarts.
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit
In this example, SwitchC and SwitchD are deployed between the authentication switch
SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC
and SwitchD so that SwitchA can perform 802.1X authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.
c. Click the device group in the navigation tree and select ALL Device. Click
Add to add network access devices.
d. Set connection parameters on the Add Device page.
Item           Data
Name           SwitchA
Device Series  Huawei Quidway series switch
Item                                               Data
Name                                               Access authentication rule
Please select the allowed authentication protocol  PAP, CHAP, EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-PEAP-GTC, EAP-TTLS-PAP
Item  Data
Name  Post-authentication domain
After a user passes the authentication, authorization phase starts. The Agile
Controller-Campus grants the user access rights based on the authorization
rule.
Item                  Data
Authorization Result  Post-authentication domain
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.100.100
ip route-static 192.168.102.0 255.255.255.0 192.168.102.100
#
return
802.1X authentication provides high security, but it requires 802.1X client
software on user terminals, which makes deployment less flexible. The other two
NAC authentication methods have their own trade-offs: MAC address authentication
needs no client software, but every MAC address must be registered on the
authentication server; Portal authentication also needs no client software and
is flexible to deploy, but offers lower security.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-223, the terminals in an office are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable 802.1X authentication to control network access rights of the
employees in the office.
3. Configure the user access mode to multi-authen and set the maximum
number of access users to 100, so the device can control the network access
rights of each user independently.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the
network.
In this example, the LAN switch exists between the access switch Switch and users. To ensure
that users can pass 802.1x authentication, you must configure the EAP packet transparent
transmission function on the LAN switch. Method 1: The S5700-LI is used as an example of the
LAN switch. Perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure
the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol tunneling function.
Method 2: This method is recommended when a large number of users exist or high network
performance is required. Only the S5720-EI, S5720-HI, and S6720-EI support this method.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
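The l2protocol-tunnel configuration on SwitchC in the previous example and Method 1 and Method 2 here rely on one fact: a switch consumes frames addressed to the reserved range 0180-c200-0000 to 0180-c200-000f as protocol PDUs unless told otherwise, and EAPOL uses 0180-c200-0003. The added example below (Python; not part of this page and not Huawei code) applies the default bpdu mac-address rule and the four Method 2 rules to all sixteen reserved addresses, showing that Method 2 carves out exactly ...0003 so the LAN switch forwards EAPOL towards the authenticator while still trapping STP BPDUs (...0000) and the rest of the range, and it models the Method 1 rewrite of the destination to the group MAC 0100-0000-0002. The masked comparison (address AND mask against rule AND mask) and the rewrite-on-ingress, restore-on-egress behaviour of the tunnel are the usual semantics and are assumed here rather than taken from the page.

```python
"""Reserved-MAC trapping vs. forwarding on an intermediate LAN switch.

Added example, not part of the page. Rule tuples mirror the bpdu mac-address
commands in Method 2; the matching semantics are assumed to be the usual
(dst AND mask) == (address AND mask).
"""

EAPOL_PAE_GROUP = "0180-c200-0003"   # destination MAC of 802.1X EAPOL frames
TUNNEL_GROUP_MAC = "0100-0000-0002"  # group-mac from the l2protocol-tunnel command (Method 1)

# Factory default: a single rule trapping 0180-c200-0000 .. 0180-c200-000f.
DEFAULT_BPDU_RULES = [("0180-c200-0000", "ffff-ffff-fff0")]

# Method 2: the four rules configured after removing the default one.
METHOD2_BPDU_RULES = [
    ("0180-c200-0000", "ffff-ffff-fffe"),  # ...0000, ...0001
    ("0180-c200-0002", "ffff-ffff-ffff"),  # ...0002
    ("0180-c200-0004", "ffff-ffff-fffc"),  # ...0004 .. ...0007
    ("0180-c200-0008", "ffff-ffff-fff8"),  # ...0008 .. ...000f
]


def mac_to_int(mac):
    """'0180-c200-0003' or '01:80:c2:00:00:03' -> 0x0180c2000003."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value):
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_trapped(dst_mac, rules):
    """True if dst_mac matches any (address, mask) rule: the switch then consumes
    the frame as a protocol PDU instead of forwarding it."""
    dst = mac_to_int(dst_mac)
    for address, mask in rules:
        m = mac_to_int(mask)
        if dst & m == mac_to_int(address) & m:
            return True
    return False


def trapped_suffixes(rules):
    """Which of the sixteen 0180-c200-000x addresses the rule set traps."""
    return [x for x in range(16) if is_trapped(int_to_mac(0x0180C2000000 | x), rules)]


def tunnel_ingress(dst_mac):
    """Method 1, port where the frame enters with l2protocol-tunnel enabled: the
    EAPOL destination is rewritten to the group MAC, which no reserved-range rule
    matches, so every switch in between floods it like ordinary multicast."""
    return TUNNEL_GROUP_MAC if mac_to_int(dst_mac) == mac_to_int(EAPOL_PAE_GROUP) else dst_mac


def tunnel_egress(dst_mac):
    """Method 1, port where the frame leaves with l2protocol-tunnel enabled: the
    original EAPOL address is restored so the authenticator recognises the frame."""
    return EAPOL_PAE_GROUP if mac_to_int(dst_mac) == mac_to_int(TUNNEL_GROUP_MAC) else dst_mac


if __name__ == "__main__":
    print("default rule traps  :", trapped_suffixes(DEFAULT_BPDU_RULES))
    print("method 2 rules trap :", trapped_suffixes(METHOD2_BPDU_RULES))
    print("EAPOL forwarded under method 2:", not is_trapped(EAPOL_PAE_GROUP, METHOD2_BPDU_RULES))
    print("method 1 on the wire:", tunnel_ingress(EAPOL_PAE_GROUP))
```

Running it shows the default rule trapping all sixteen addresses and Method 2 trapping every address except ...0003, which is the whole point of the four masks: they reproduce the default behaviour for STP and the other reserved protocols while letting EAPOL through without per-frame rewriting, which is why Method 2 is the higher-performance option.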
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
NOTE
Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
NOTE
After the common mode and unified mode are switched, the device automatically restarts.
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
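The configuration file above is what an auditor actually gets to review, and the same few mistakes recur: a shared key kept in simple (plaintext) form, a user-facing access port in the user VLAN with no authentication command, an authenticated port with no per-user access mode and max-user limit, and a user VLAN without the recommended access-user arp-detect source. The following added example (Python; not part of this page and not Huawei code) parses a file in this format and reports those four conditions. The embedded configuration is constructed from the Switch file above with two deliberate defects, a plaintext RADIUS key and an unauthenticated port GigabitEthernet1/0/3; which VLANs count as user VLANs is passed in by the caller, since the file itself does not say.

```python
"""NAC hygiene checks over a Huawei-style switch configuration file.

Added example, not part of the page. SAMPLE_CONFIG is constructed from the
configuration file above with two deliberate defects.
"""
import re

SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10 20
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
 radius-server shared-key simple YsHsjx_202206
 radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 authentication dot1x
 authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return
"""

NAC_ENABLE = re.compile(r"^authentication (dot1x|mac-authen|portal)\b")
ACCESS_MODE = re.compile(r"^authentication mode multi-authen max-user (\d+)$")
ARP_DETECT = re.compile(r"^access-user arp-detect vlan (\d+) ")
DEFAULT_VLAN = re.compile(r"^port default vlan (\d+)$")


def split_interfaces(config):
    """Map interface name -> its stripped configuration lines (a stanza ends at '#')."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit(config, user_vlans):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [raw.strip() for raw in config.splitlines()]

    # 1. Shared keys must be stored in cipher form, never with the 'simple' keyword.
    for line in lines:
        if line.startswith("radius-server shared-key simple") or line.startswith("shared-key simple"):
            findings.append("shared key stored in plaintext (use 'shared-key cipher')")

    # 2. Every user VLAN should carry an offline-detection source (recommended above).
    detected = set()
    for line in lines:
        m = ARP_DETECT.match(line)
        if m:
            detected.add(int(m.group(1)))
    for vlan in sorted(set(user_vlans) - detected):
        findings.append(f"VLAN {vlan}: no access-user arp-detect source configured")

    # 3. Every physical port in a user VLAN must run NAC with a per-user limit.
    for name, body in split_interfaces(config).items():
        if name.startswith("Vlanif"):
            continue
        vlan = None
        for line in body:
            m = DEFAULT_VLAN.match(line)
            if m:
                vlan = int(m.group(1))
        if vlan not in user_vlans:
            continue
        if not any(NAC_ENABLE.match(line) for line in body):
            findings.append(f"{name}: in user VLAN {vlan} but no 802.1X/MAC/Portal authentication")
        elif not any(ACCESS_MODE.match(line) for line in body):
            findings.append(f"{name}: NAC enabled but no 'authentication mode multi-authen max-user' limit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {10}):
        print("FINDING:", finding)
```

The checker is deliberately conservative: it only flags a port when its default VLAN is one the caller declared as a user VLAN, so server and uplink ports in other VLANs (GigabitEthernet1/0/2 in VLAN 20 here) are not reported unless that VLAN is declared too.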
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-224, the terminals in the physical access control department
are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control the users' network access rights to ensure
internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
3. Configure the user access mode to multi-authen and set the maximum
number of access users to 100, so the device can control the network access
rights of each user independently.
NOTE
Before configuring this example, ensure that devices can communicate with each other on the
network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
NOTE
Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
NOTE
After the common mode and unified mode are switched, the device automatically restarts.
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
Portal authentication does not provide high security, but it requires no client
software installation and is flexible to deploy. The other two NAC
authentication methods have their own trade-offs: 802.1X authentication provides
high security, but it requires 802.1X client software on user terminals, which
makes deployment less flexible; MAC address authentication needs no client
software, but every MAC address must be registered on an authentication server,
which complicates management.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-225, the terminals in the visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable Portal authentication so that the Switch can control network access
rights of the visitors in the visitor areas.
3. Configure a Portal server template so that the device can communicate with
the Portal server.
NOTE
Before configuring this example, ensure that devices can communicate with each other on the
network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
NOTE
Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
NOTE
After the common mode and unified mode are switched, the device automatically restarts.
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
NOTE
In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is upstream connected to Switch, use the authentication free-rule
command to create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
In addition, if the URL of Portal server needs to be analyzed by DNS and the DNS server is
upstream connected to Switch, you also need to create authentication-free rules and ensure that
the DNS server is included in the authentication-free rules.
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-226, the terminals in a company are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Before configuring this example, ensure that devices can communicate with each other on the
network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
NOTE
Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
NOTE
After the common mode and unified mode are switched, the device automatically restarts.
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x mac-authen portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Networking Requirements
The user accounts and organization structure of an enterprise are maintained on
the AD server. A wired network access solution is required on the campus network
to meet the non-mobile office requirements. For security purposes, users access
the network using wired 802.1X authentication.
Users can access the Internet only after they are authenticated.
Data Plan
Item                        Data
Post-authentication domain  Internet
Configuration Roadmap
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation
switch, and core switch to ensure network connectivity.
2. Set RADIUS interconnection parameters and wired access service parameters
on the aggregation switch to implement wired 802.1X access.
3. Add an authentication device on iMaster NCE-Campus, and configure
authentication and authorization to assign specified rights to authenticated
users.
Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network
connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit
NOTE
The real-time accounting interval is chosen according to the number of access users:
Number of users  Real-time accounting interval
1 to 99          3 minutes
≥ 1000           ≥ 15 minutes
NOTE
The global default domain is default. If the domain needs to be changed, create the
required domain in the AAA view and set it as the global default domain.
Step 4 [Device] Configure the bypass function so that services are not affected when
iMaster NCE-Campus is faulty.
1. Configure a service scheme and define resources that users can access when
the bypass path is enabled.
# Run the ucl-group { group-index | name group-name } command to bind a
service scheme to the UCL group.
[AGG] ucl-group 10 name ucl_server_down
[AGG] aaa
[AGG-aaa] service-scheme server_down
[AGG-aaa-service-server_down] ucl-group name ucl_server_down
[AGG-aaa-service-server_down] quit
[AGG-aaa] quit
# Create a user ACL (numbered 6000 to 9999) in the system view and, in the
ACL view, specify the service resources that users in the UCL group can access.
When the authentication server is down, users are placed in the UCL group that
is bound to the service scheme.
[AGG] acl 6001
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
[AGG-acl-ucl-6001] quit
# Run the traffic-filter inbound acl acl-number command in the system view
to configure ACL-based packet filtering. The UCL group-based rules take
effect only after this command is executed.
[AGG] traffic-filter inbound acl 6001
----End
Verification
Users use the built-in 802.1X client of the OS for authentication.
1. Fixed terminal users can ping resources in the server zone before successful
authentication.
2. Fixed terminal users can automatically obtain IP addresses on network
segment 172.16.11.0/24 and ping Internet resources after successful
authentication.
3. An administrator can view detailed online user information by running the
display access-user and display access-user user-id user-id commands on
the aggregation switch.
4. RADIUS logs in RADIUS Login and Logout logs under Monitoring > Event
Logs > Terminal Authentication Logs of iMaster NCE-Campus contain
detailed information about fixed terminal users.
Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 101
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
l2protocol-tunnel user-defined-protocol dot1x enable
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
l2protocol-tunnel user-defined-protocol dot1x enable
bpdu enable
#
return
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
ucl-group 10 name ucl_server_down
#
interface vlanif 101
ip address 172.16.11.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface vlanif 102
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101
authentication-profile dot1x_authen_profile1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return
Networking Requirements
The user accounts and organization structure of an enterprise are maintained on
the AD server. A wireless network access solution is required on the campus
network to meet the mobile office requirements. For security purposes, users
access the network using wireless 802.1X authentication.
Users can access the Internet only after they are authenticated.
Data Plan (table fragment; only one row survived extraction)
Post-authentication domain: Internet | -
Configuration Roadmap
To ensure unified user traffic control on the WAC, it is recommended that the
tunnel forwarding mode be used to forward packets between the WAC and APs.
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation
switch, and WAC to ensure network connectivity.
2. Configure RADIUS interconnection parameters and wireless access service
parameters on the WAC to implement wireless 802.1X access.
3. Add the WAC on iMaster NCE-Campus and configure the authentication and
authorization rules to assign specified rights to authenticated users.
NOTE
In this example, the core router functions as the user gateway. If the AC6605 needs to
function as the user gateway, you only need to configure dhcp select interface in the
service VLAN on the AC6605.
This example describes only the configurations of the WAC, aggregation switch, and access
switch.
Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network
connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
# Configure a default route with the next hop pointing to the core router.
[AC6605] ip route-static 0.0.0.0 0 172.16.21.254
Step 2 [Device] Set related parameters to enable the AP to go online automatically after
the AP connects to the network.
NOTE
If a Layer 3 network is deployed between the AP and WAC, you need to configure the
DHCP Option 43 field on the DHCP server to carry the WAC's IP address in advertisement
packets, allowing the AP to discover the WAC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool
view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify
an IP address for the WAC.
3. Run the following command to enable VLANIF 10 to use the global address pool.
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select global
[AC6605-Vlanif10] quit
# Create an AP group, to which APs with the same configuration are added.
[AC6605] wlan
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the WAC country code in the
profile, and apply the profile to the corresponding AP group.
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit
# Import an AP to the WAC in offline mode and add it to the AP group ap-group1.
Assume that the AP's MAC address is 00e0-fc76-a320. Name the AP after its
deployment location so that the location is evident from the name; for example,
name the AP area_1 if it is deployed in area 1.
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name area_1
[AC6605-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP
status. If the State field is displayed as nor, the AP goes online normally.
[AC6605] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc76-a320 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
NOTE (table fragment; column headers missing)
1 to 99: 3 minutes
≥ 1000: ≥ 15 minutes
The access profile defines the 802.1X authentication protocol and packet processing
parameters. By default, the 802.1X access profile uses EAP authentication.
[AC6605] dot1x-access-profile name acc_dot1x
[AC6605-dot1x-access-profile-acc_dot1x] quit
The authentication profile specifies the user access mode through the access
profile. Specify RADIUS authentication by binding the RADIUS authentication
scheme, accounting scheme, and RADIUS server template.
[AC6605] authentication-profile name auth_dot1x
[AC6605-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC6605-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_dot1x] radius-server radius_template
[AC6605-authentication-profile-auth_dot1x] quit
# Create an SSID profile wlan-ssid and set the SSID name to dot1x_access.
[AC6605-wlan-view] ssid-profile name wlan-ssid
[AC6605-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]
[AC6605-wlan-ssid-prof-wlan-ssid] quit
# Create a VAP profile wlan-vap, configure the data forwarding mode and
service VLAN, and apply the security profile, SSID profile, and authentication
profile to the VAP profile.
[AC6605-wlan-view] vap-profile name wlan-vap
[AC6605-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]
[AC6605-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC6605-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC6605-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC6605-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply it to radio 0 and
radio 1 of the AP.
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit
Step 4 [Device] Configure resources that terminal users can access after passing
authentication.
For other modes, see Example for Configuring Authorization by VLAN and
Example for Configuring Authorization by Dynamic ACL.
[AC6605] acl 3001
[AC6605-acl-adv-3001] rule 1 permit ip
[AC6605-acl-adv-3001] quit
Choose Admission > Admission Resources > Admission Device, click Create, and
add the AC6605.
----End
Verification
1. Use a mobile phone to associate with the dot1x_access SSID and enter an AD
domain account and password.
2. After successful authentication, you can automatically obtain an IP address in
the 172.16.21.0/24 network segment and access Internet resources.
3. An administrator can view detailed information about online users by running
the display access-user and display access-user user-id user-id commands
on the AC6605.
4. RADIUS logs in RADIUS Login and Logout logs under Monitoring > Event
Logs > Terminal Authentication Logs of iMaster NCE-Campus can be
viewed.
Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return
Networking Requirements
An enterprise needs to deploy an authentication system to implement access
control for employees who attempt to connect to the enterprise network. Only
authenticated users can connect to the enterprise network. All employees'
accounts are maintained on the AD server.
The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization, and as little client software as possible
is installed on user terminals.
● Moderate security control is required. To facilitate maintenance, a moderate
number of authentication points need to be deployed on the aggregation
switch.
● The authentication system performs unified identity authentication on all
terminals attempting to access the campus network and denies the access
from unauthorized terminals.
● Terminals can access only public servers (such as the AD and DNS servers) of
the enterprise before authentication, and can access all network resources
after they are successfully authenticated.
● A bypass path needs to be configured so that terminals can access the service
system even when the Portal server is unavailable.
Requirement Analysis
● The enterprise does not want to install extra software on terminals. Given
the networking, the Portal access control solution is therefore recommended,
so that terminals gain network access through web pages.
● Different ACL rules need to be configured on the aggregation switch to
control access rights of employees.
VLAN Plan (table fragment; only one row survived extraction)
VLAN ID | Function
Post-authentication domain: Internet | -
Configuration Roadmap
1. Configure the access, aggregation, and core switches to ensure network
connectivity.
Prerequisites
All employees' accounts are maintained on the AD server. Therefore, AD/LDAP
synchronization must have been configured so that users can use their AD
accounts to complete authentication on iMaster NCE-Campus. For details about
the configuration, see AD/LDAP Synchronization.
Procedure
1. [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit
NOTE
NAC supports the common configuration mode and unified configuration mode.
Compared with the common configuration mode, the unified configuration mode
has the following advantages:
● The command lines are easy to understand, and their format meets user
requirements.
● Overlapping concepts are removed from the function design, so the
configuration logic is simpler.
Considering advantages of the unified configuration mode, you are advised to
deploy NAC in unified configuration mode.
NOTE (table fragment; column headers missing)
1 to 99: 3 minutes
≥ 1000: ≥ 15 minutes
NOTE
The global default domain is default. If the domain needs to be changed, create
the required domain in the AAA view and set it as the global default domain.
d. Configure parameters for connecting to the Portal server.
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] server-source ip-address 192.168.100.100 //Configure
the local gateway address for receiving and responding to the packets sent by the Portal server.
[AGG-web-auth-server-portal_huawei] protocol portal //Set the protocol used in Portal
authentication to Portal.
[AGG-web-auth-server-portal_huawei] server-ip 192.168.11.10 //Configure the IP address of
the Portal server.
[AGG-web-auth-server-portal_huawei] source-ip 192.168.100.100 //Configure the IP address
used by the device to communicate with the Portal server.
[AGG-web-auth-server-portal_huawei] port 50100 //The port number is fixed at 50100 when
iMaster NCE-Campus functions as the Portal server.
[AGG-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log
//Enable the Portal server detection function. After the Portal server detection function is
enabled in the Portal server template, the device detects all Portal servers configured in the
Portal server template.
//If the number of times that the device fails to detect a Portal server exceeds the upper limit,
the status of the Portal server is changed from Up to Down. If the number of Portal servers in
Up state is less than or equal to the minimum number (specified by the critical-num
parameter), the device performs the corresponding operation to allow the administrator to
obtain the real-time Portal server status or ensure that the users have certain network access
rights.
//The recommended detection interval is 100s.
[AGG-web-auth-server-portal_huawei] quit
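The detection behaviour the comments above describe, as an added Python model (not Huawei code and not the device's implementation): each probe round resets or increments a server's failure counter, a server flips to Down once its failures exceed max-times, and the configured action fires when the number of Up servers drops to critical-num or below. The initial Up state, recovery on the first successful probe, and logging only on the transition are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class ServerDetect:
    """State tracker for the servers of one Portal server template (constructed model)."""
    interval: int = 100      # server-detect interval 100 (seconds between probe rounds)
    max_times: int = 5       # server-detect max-times 5
    critical_num: int = 0    # server-detect critical-num 0
    servers: dict = field(default_factory=dict)  # name -> {"state", "failures"}
    logs: list = field(default_factory=list)     # what "action log" would write
    in_critical: bool = False

    def add_server(self, name):
        # A freshly configured server is treated as Up until probes say otherwise (assumption).
        self.servers[name] = {"state": "Up", "failures": 0}

    def up_count(self):
        return sum(1 for s in self.servers.values() if s["state"] == "Up")

    def probe_round(self, results, t):
        """Apply one round of probe results ({server: reachable}) taken at time t (seconds).

        Returns the number of servers still Up after the round.
        """
        for name, ok in results.items():
            s = self.servers[name]
            if ok:
                if s["state"] == "Down":
                    s["state"] = "Up"          # recovery on first success (assumption)
                    self.logs.append(f"{t}s {name}: Down -> Up")
                s["failures"] = 0
                continue
            s["failures"] += 1
            # The page says the server goes Down when the failure count *exceeds*
            # max-times, so the (max_times + 1)th consecutive failure flips the state.
            if s["state"] == "Up" and s["failures"] > self.max_times:
                s["state"] = "Down"
                self.logs.append(f"{t}s {name}: Up -> Down after {s['failures']} failed probes")
        # 'action log' fires when the Up count drops to <= critical-num; with critical-num 0
        # and a single server, the first Down therefore triggers it. Logging only on the
        # transition rather than every round is a choice of this model.
        critical = self.up_count() <= self.critical_num
        if critical and not self.in_critical:
            self.logs.append(f"{t}s action log: only {self.up_count()} Portal server(s) Up")
        self.in_critical = critical
        return self.up_count()


def simulate(outcomes, **cfg):
    """outcomes: per-round {server: reachable} dicts; returns the populated ServerDetect."""
    det = ServerDetect(**cfg)
    for name in outcomes[0]:
        det.add_server(name)
    for i, results in enumerate(outcomes):
        det.probe_round(results, t=i * det.interval)
    return det


if __name__ == "__main__":
    # Constructed trace: the single server 192.168.11.10 from the template above is
    # unreachable for seven probe rounds, then answers again.
    trace = [{"192.168.11.10": False}] * 7 + [{"192.168.11.10": True}]
    for line in simulate(trace).logs:
        print(line)
```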
[AGG] url-template name url_huawei //Configure a URL template.
[AGG-url-template-url_huawei] url https://access.example.com:19008/portal
//access.example.com is the host name of the Portal server. You are advised to push Portal
pages by domain name. In this case, you need to configure the mapping between the domain
name and the iMaster NCE-Campus IP address on the DNS server.
[AGG-url-template-url_huawei] url-parameter device-ip ac-ip device-mac lsw-mac redirect-url redirect-url user-ipaddress uaddress user-mac umac
//device-mac lsw-mac specifies the MAC address of the device in the URL and sets the
parameter name displayed in the URL.
//redirect-url redirect-url specifies the original URL that a user accesses in the URL and sets
the parameter name displayed in the URL.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the
parameter name. For example, after ssid ssid is configured, the URL redirected to the user
contains ssid=guest, where ssid indicates the parameter name and guest indicates the SSID
with which the user associates.
//The second ssid represents the transmitted parameter name and cannot be replaced with the
actual user SSID.
[AGG-url-template-url_huawei] url-parameter set device-ip 192.168.100.100 //Bind the device
IP address.
[AGG-url-template-url_huawei] quit
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] url-template url_huawei //Bind the URL template.
[AGG-web-auth-server-portal_huawei] quit
[AGG] portal quiet-period //Enable the quiet function for Portal authentication. With this
function enabled, the device discards packets of an authentication user during the quiet period
if the user fails Portal authentication for the specified number of times in 60 seconds. This
function protects the device from being overloaded due to frequent authentications.
[AGG] portal quiet-times 5 //Set the number of authentication failures within 60 seconds
which, when exceeded, causes Portal authentication users to enter the quiet state.
[AGG] portal timer quiet-period 240 //Set the quiet period for Portal authentication users to
240 seconds.
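The quiet function configured by the three commands above, as an added Python model (not Huawei code and not the device's implementation): per client, failures inside a 60-second sliding window are counted, and once quiet-times is exceeded the client's authentication packets are discarded for the quiet period. Keying clients by MAC address and allowing a clean retry when the quiet period expires are assumptions of this model.

```python
from collections import defaultdict, deque


class PortalQuiet:
    """Per-client quiet-state tracker (constructed model of the commands above)."""

    def __init__(self, quiet_times=5, quiet_period=240, window=60):
        self.quiet_times = quiet_times      # portal quiet-times 5
        self.quiet_period = quiet_period    # portal timer quiet-period 240 (seconds)
        self.window = window                # failures are counted within 60 seconds
        self.failures = defaultdict(deque)  # client -> timestamps of recent failures
        self.quiet_until = {}               # client -> time the quiet period ends

    def attempt(self, client, t, success):
        """Handle one Portal authentication attempt at time t (seconds).

        Returns 'dropped' (client is quiet, packet discarded), 'accepted',
        'failed', or 'quieted' (this failure pushed the client into quiet state).
        """
        until = self.quiet_until.get(client)
        if until is not None:
            if t < until:
                return "dropped"
            # Quiet period elapsed: the client may try again with a clean slate (assumption).
            del self.quiet_until[client]
            self.failures[client].clear()
        if success:
            self.failures[client].clear()
            return "accepted"
        recent = self.failures[client]
        recent.append(t)
        while recent and t - recent[0] >= self.window:
            recent.popleft()        # forget failures older than the 60 s window
        if len(recent) > self.quiet_times:   # quiet-times *exceeded*, per the command text
            self.quiet_until[client] = t + self.quiet_period
            recent.clear()
            return "quieted"
        return "failed"


def run_trace(events, **cfg):
    """events: (client, t, success) tuples in time order; returns the outcome per event."""
    tracker = PortalQuiet(**cfg)
    return [tracker.attempt(client, t, ok) for client, t, ok in events]


if __name__ == "__main__":
    # Constructed trace for one client (a placeholder MAC address): six failures
    # inside 60 s, a retry while quiet, then a success once the 240 s have elapsed.
    mac = "0000-0000-0001"
    events = [(mac, t, False) for t in (0, 10, 20, 30, 40, 50)]
    events += [(mac, 100, True), (mac, 290, True)]
    for (client, t, ok), outcome in zip(events, run_trace(events)):
        print(f"t={t:>3}s {client} success={ok!s:5} -> {outcome}")
```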
[AGG] web-auth-server listening-port 2000 //The default port number is 2000. If you run this
command to change the port number, set the same port number when adding the Portal device
to iMaster NCE-Campus.
[AGG] portal-access-profile name portal_access_profile1
[AGG-portal-acces-profile-portal_access_profile1] web-auth-server portal_huawei direct
//Configure the Portal server template used by the Portal access profile. If the network between
end users and the WAC is a Layer 2 network, configure the direct mode.
//If the network is a Layer 3 network, configure the layer3 mode.
[AGG-portal-acces-profile-portal_access_profile1] quit
[AGG] free-rule-template name default_free_rule
[AGG-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
[AGG-free-rule-default_free_rule] quit
[AGG] authentication-profile name portal_authen_profile1
[AGG-authen-profile-portal_authen_profile1] portal-access-profile portal_access_profile1
[AGG-authen-profile-portal_authen_profile1] free-rule-template default_free_rule
[AGG-authen-profile-portal_authen_profile1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] authentication-profile portal_authen_profile1 //Apply the Portal
authentication profile to the interface.
[AGG-Vlanif101] quit
[AGG] acl 3001
[AGG-acl-adv-3001] rule 1 permit ip
[AGG-acl-adv-3001] quit
NOTE
b. Configure the bypass path used when the authentication server or the
Portal server is Down.
Parameter table (fragment recovered from extraction):
Device name: SW | -
Terminal IP address list: 172.16.11.254/24 | -
Verification
1. Verify that the terminal user can access only the iMaster NCE-Campus, DNS,
and AD servers before authentication.
2. Verify that the Portal authentication page is pushed to the terminal user
when the terminal user attempts to access the Internet. After the terminal
user enters the correct user name and password, the requested web page is
displayed.
3. Verify that the terminal user can access the Internet only after the
authentication succeeds.
4. After the terminal user is successfully authenticated, run the display
access-user command on the switch. The command output shows information about
the online user.
5. Choose Admission > Admission Policy > Online User Control from the main
menu and click Online User. Information about terminal users is displayed.
6. Choose Monitoring > Event Logs > Terminal Authentication Logs from the
main menu and click Portal Login and Logout logs. The Portal
authentication logs of the terminal user can be viewed.
7. Choose Monitoring > Event Logs > Terminal Authentication Logs from the
main menu and click RADIUS Login and Logout logs. The RADIUS
authentication logs of the terminal user can be viewed.
Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
service-scheme server_down
acl-id 3001
domain default
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_huawei
#
domain default
#
acl 3001
rule 1 permit ip
#
web-auth-server portal_huawei
server-source ip-address 192.168.100.100
protocol portal
server-ip 192.168.11.10
source-ip 192.168.100.100
port 50100
server-detect interval 100 max-times 5 critical-num 0 action log
#
url-template name url_huawei
url https://access.example.com:19008/portal
url-parameter device-ip ac-ip device-mac lsw-mac redirect-url redirect-url user-ipaddress uaddress user-mac umac
url-parameter set device-ip 192.168.100.100
#
web-auth-server portal_huawei
url-template url_huawei
#
portal-access-profile name portal_access_profile1
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize service-scheme server_down
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
web-auth-server listening-port 2000
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
interface vlanif 101
ip address 172.16.11.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.11.1
authentication-profile portal_authen_profile1
#
interface vlanif 102
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return
#
sysname Core
#
vlan batch 102 200
#
interface vlanif 102
ip address 192.168.100.200 255.255.255.0
#
interface vlanif 200
ip address 192.168.11.254 255.255.255.0
#
interface gigabitethernet 1/0/1
port link-type trunk
port trunk allow-pass vlan 102
#
interface gigabitethernet 1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
return
Networking Requirements
An enterprise has about 1000 employees and needs to deploy an identity
authentication system to implement access control for all the wireless users who
attempt to access the enterprise network. Only authorized users can access the
enterprise network.
The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization and does not require any client software
on user terminals.
● The authentication system performs unified identity authentication on all
terminals attempting to access the campus network and denies the access
from unauthorized terminals.
● Employees can only access public servers (such as the DHCP and DNS servers)
of the enterprise before authentication, and can access both the enterprise's
service systems and Internet after being authenticated.
● If authenticated employees move out of the wireless signal coverage area and
move in again within a certain period (60 minutes for example), they can
connect to the wireless network directly without entering their user names
and passwords again. This ensures a good network access experience of
employees.
● Guests can only access public servers (such as the DHCP and DNS servers) of
the enterprise before authentication, and can only access the Internet after
being authenticated.
● Different authentication pages are pushed to employees and guests.
Requirement Analysis
● The enterprise has no specific requirement for terminal security checks and
requires simple operations, with no authentication client on wireless
terminals. Considering the enterprise's networking and requirements, Portal
authentication can be used on the campus network.
● To ensure unified user traffic control on the WAC, it is recommended that the
tunnel forwarding mode be used to forward packets between the WAC and
APs.
● To ensure network connectivity, plan VLANs as follows:
– Add employees to VLAN 100 and guests to VLAN 101 to isolate
employees from guests.
– Use VLAN 10 as the management VLAN of the APs.
– Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch to VLAN 10 so
that these interfaces can transparently transmit packets from
management VLAN 10 of the APs.
– On the aggregation switch, add GE0/0/1 to management VLAN 10,
GE0/0/3 to management VLAN 10 and service VLANs 100 and 101, and
GE0/0/2 to service VLANs 100 and 101. In this way, these interfaces can
transparently transmit data of the corresponding VLANs.
– Add GE0/0/1 of the WAC to management VLAN 10 and service VLANs
100 and 101 so that the WAC can transparently transmit packets of these
VLANs.
● Employees and guests are all authenticated on the web pages pushed by the
Portal server. You need to configure different ACL rules on the WAC to control
access rights of employees and guests.
● Different SSIDs need to be configured for employees and guests so that
different authentication pages can be pushed to them based on their SSIDs.
● Enable MAC address-prioritized Portal authentication to allow employees to
connect to the wireless network without entering user names and passwords
when they move in and out of the wireless coverage area repeatedly within a
period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by a
WAC. When the Portal server needs to authenticate a user, the WAC first
sends the user terminal's MAC address to the Portal server for identity
authentication. If the authentication fails, the Portal server pushes the Portal
authentication page to the terminal. The user then enters the account and
password for authentication. The RADIUS server caches a terminal's MAC
address and associated SSID during the first authentication for the terminal. If
the terminal is disconnected and then connected to the network within the
MAC address validity period, the RADIUS server searches for the SSID and
MAC address of the terminal in the cache to authenticate the terminal.
VLAN Plan (table fragment; only one row survived extraction)
VLAN ID | Function
Post-authentication domain for guests: Internet | -
Configuration Roadmap
1. Configure the access switch, aggregation switch, and WAC to ensure network
connectivity.
2. On the WAC, configure a RADIUS server template, configure authentication,
accounting, and authorization schemes in the template, and specify the IP
address of the Portal server. In this way, the WAC can communicate with the
RADIUS server and Portal server to perform MAC address-prioritized Portal
authentication for employees.
3. Add the WAC on iMaster NCE-Campus and configure parameters for the WAC
to ensure that iMaster NCE-Campus interacts properly with the WAC.
4. Configure authentication and authorization rules to grant different network
access rights to the authenticated employees and guests.
5. Customize different authentication pages for employees and guests, and
configure Portal page push rules to ensure that different web pages are
pushed to employees and guests.
Prerequisites
● You have configured a sub-interface, assigned an IP address to the
sub-interface, and enabled DHCP relay on the core router to enable terminals to
automatically obtain IP addresses from the DHCP server on a different
network segment.
● The SMS server has been interconnected.
Procedure
1. [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type trunk
[ACC-GigabitEthernet0/0/1] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/2] quit
If a Layer 3 network is deployed between the AP and WAC, you need to configure the
DHCP Option 43 field on the DHCP server to carry the WAC's IP address in
advertisement packets, allowing the AP to discover the WAC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address
pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to
specify an IP address for the WAC.
# Create an AP group, to which APs with the same configuration are added.
[AC6605] wlan
[AC6605-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC6605-wlan-ap-group-guest] quit
# Create a regulatory domain profile, configure the WAC country code in the
profile, and apply the profile to the corresponding AP group.
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-guest] quit
[AC6605-wlan-view] quit
# Import the AP offline on the WAC and add the AP to the AP group. This
example assumes that the AP model is AP6010DN-AGN, the MAC address of
AP_0 serving employees is 00e0-fc76-a320, and the MAC address of AP_1
serving guests is 00e0-fc76-a330.
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name ap_0
[AC6605-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] ap-id 1 ap-mac 00e0-fc76-a330
[AC6605-wlan-ap-1] ap-name ap_1
[AC6605-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-1] quit
[AC6605-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the
AP status. If the State field is displayed as nor, the AP goes online normally.
NOTE (table fragment; column headers missing)
1 to 99: 3 minutes
≥ 1000: ≥ 15 minutes
NOTE
By default, iMaster NCE-Campus supports only HTTPS, because HTTP may pose
security risks. If HTTP needs to be used to push Portal pages, you need to
enable the HTTP port on the iMaster NCE-Campus management plane. For details,
see (Optional) Enabling the HTTP Port. Then, run the following command:
[AC6605-url-template-huawei] url http://access.example.com:8445/portal //
access.example.com is the host name of the Portal server.
c. Specify the port number used to process Portal protocol packets. The
default port number is 2000. If you change the port number on the WAC,
set the same port number when you add this WAC to iMaster NCE-
Campus.
[AC6605] web-auth-server listening-port 2000
e. Configure the shared key used to communicate with the Portal server,
which must be the same as that on the Portal server.
[AC6605-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the shared key used to communicate with the Portal server.
[AC6605-web-auth-server-portal_huawei] url-template huawei //Bind the URL template to the Portal server template.
# Enable the Portal authentication quiet period function. With this function
enabled, the WAC drops packets of an authentication user during the quiet
period if the user fails Portal authentication for the specified number of times
in 60 seconds. This function protects the WAC from being overloaded due to
frequent authentication.
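The quiet-period behaviour described above, modelled as an added example (not Huawei code): failures are counted per user in a sliding 60-second window, and the values of this example's configuration file (portal quiet-times 5, portal timer quiet-period 240) are assumed as defaults.

```python
"""Model of the Portal authentication quiet-period function.

Added illustration, not Huawei code. Assumed values are those in this
example's configuration file: five failures within the fixed 60 s
window put the user into a 240 s quiet period during which the WAC
drops that user's packets instead of processing further attempts."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # detection window stated in the text
QUIET_TIMES = 5               # portal quiet-times 5
QUIET_PERIOD_SECONDS = 240    # portal timer quiet-period 240


class PortalQuietPeriod:
    def __init__(self, quiet_times=QUIET_TIMES,
                 quiet_period=QUIET_PERIOD_SECONDS, window=WINDOW_SECONDS):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.window = window
        self._failures = defaultdict(deque)   # user -> recent failure times
        self._quiet_until = {}                # user -> end of quiet period

    def is_quiet(self, user, now):
        """True while the user is inside a quiet period; expires lazily."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[user]
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed Portal authentication at time `now` (seconds).

        Returns True when the user is (or has just entered) the quiet period."""
        if self.is_quiet(user, now):
            return True
        recent = self._failures[user]
        recent.append(now)
        # Drop failures that fell out of the 60 s window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            recent.clear()
            return True
        return False

    def should_drop(self, user, now):
        """Packet-path decision: drop the user's packets while quiet."""
        return self.is_quiet(user, now)


if __name__ == "__main__":
    qp = PortalQuietPeriod()
    mac = "00e0-fc12-3456"   # constructed sample user
    for t in (0, 10, 20, 30, 40):
        print(t, "quiet" if qp.record_failure(mac, t) else "counting")
    print("drop at 100s:", qp.should_drop(mac, 100))
```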
# Create a Portal access profile, and bind the Portal server template to it.
In this example, different Portal bypass solutions need to be configured for
employees and guests. Therefore, configure two Portal access profiles.
[AC6605] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC6605-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between terminal users and the WAC is a Layer 2 network, configure the direct mode. If the network is a Layer 3 network, configure the layer3 mode.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC6605-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC6605-portal-access-profile-acc_portal_guest] quit
# Enable terminal type awareness to allow the WAC to send the option fields
containing the terminal type in DHCP packets to the authentication server. In
this way, the authentication server can push correct Portal authentication
pages to users based on terminal types.
[AC6605] dhcp snooping enable
[AC6605] device-sensor dhcp option 12 55 60
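The options that device-sensor dhcp option 12 55 60 forwards are the hostname, parameter request list and vendor class identifier from the client's DHCP message. As an added example (not Huawei code), the parser below extracts them from a constructed DHCP options field; the terminal classification rules are an illustrative assumption, not the authentication server's actual logic.

```python
"""Parse the DHCP options used for terminal type awareness.

Added example, not Huawei code. The sample options field is constructed
for illustration; classify_terminal() is a stand-in heuristic."""

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
SENSOR_OPTIONS = (12, 55, 60)   # hostname, parameter request list, vendor class


def parse_dhcp_options(payload):
    """Return {option_code: raw_bytes} from a DHCP options field
    (the bytes after the 236-byte fixed header). Raises ValueError on
    malformed or truncated input rather than guessing."""
    if not payload.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:             # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:           # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def terminal_fingerprint(payload):
    """Pick out only the options the device-sensor command collects."""
    opts = parse_dhcp_options(payload)
    fp = {}
    if 12 in opts:
        fp["hostname"] = opts[12].decode("ascii", "replace")
    if 55 in opts:
        fp["param_request_list"] = list(opts[55])
    if 60 in opts:
        fp["vendor_class"] = opts[60].decode("ascii", "replace")
    return fp


def classify_terminal(fp):
    """Assumed heuristic: vendor class prefixes commonly seen on phones and
    PCs. A real server would use a maintained fingerprint database."""
    vendor = fp.get("vendor_class", "")
    if vendor.startswith("android-dhcp"):
        return "mobile phone"
    if vendor.startswith("MSFT"):
        return "PC"
    return "unknown"


def build_option(code, value):
    return bytes([code, len(value)]) + value


# Constructed DHCPDISCOVER options field (not a real capture).
SAMPLE_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + build_option(53, b"\x01")                      # message type: DISCOVER
    + build_option(12, b"android-phone")             # option 12 hostname
    + build_option(60, b"android-dhcp-13")           # option 60 vendor class
    + build_option(55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43]))
    + b"\x00"                                        # pad
    + b"\xff"                                        # end
)

if __name__ == "__main__":
    fp = terminal_fingerprint(SAMPLE_OPTIONS)
    print(fp, "->", classify_terminal(fp))
```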
# Configure Portal bypass. Configure the device to grant network access
rights of a user group to users when the Portal server is Down so that the
users can access the post-authentication domain. In addition, configure the
device to re-authenticate users when the Portal server changes from Down to
Up.
[AC6605] user-group group1
[AC6605-user-group-group1] acl 3001
[AC6605-user-group-group1] quit
[AC6605] portal-access-profile name acc_portal_employee
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure the network access permission to be granted to employees when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] user-group group2
[AC6605-user-group-group2] acl 3002
[AC6605-user-group-group2] quit
[AC6605] portal-access-profile name acc_portal_guest
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure the network access permission to be granted to guests when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
[AC6605-portal-access-profile-acc_portal_guest] quit
6. [Device] Set WLAN service parameters.
# Create the security profile security_portal and set the security policy in the
profile.
[AC6605] wlan
[AC6605-wlan-view] security-profile name security_portal
[AC6605-wlan-sec-prof-security_portal] security open
[AC6605-wlan-sec-prof-security_portal] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the
SSID names to employee and guest, respectively.
[AC6605-wlan-view] ssid-profile name wlan-ssid-employee
[AC6605-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-employee] quit
[AC6605-wlan-view] ssid-profile name wlan-ssid-guest
[AC6605-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure
the service data forwarding mode and service VLANs, and apply the security,
SSID, and authentication profiles to the VAP profiles.
[AC6605-wlan-view] vap-profile name wlan-vap-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC6605-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC6605-wlan-vap-prof-wlan-vap-employee] quit
# Bind the VAP profile to the AP groups, and apply the VAP profile to radio 0
and radio 1 of APs.
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC6605-wlan-ap-group-guest] quit
Device name: WAC (command: -)
Accounting interval (min): 15 (command: [AC6605-aaa-accounting-acco_scheme] accounting realtime 15)
b. Set Page name, set System template to SMS Template, set the guest
account policy, and click Create.
11. [iMaster NCE-Campus] Configure Portal page push rules to ensure that
different authentication pages are pushed to employees and guests.
a. Choose Admission > Admission Resources > Page Management and
click Portal Page Push Policy. Click Create and set the push policy for
employees.
b. Configure push rules for guests in a similar manner and click OK.
Verification
Item Expected Result
Guest authentication:
● Guests can access only the iMaster NCE-Campus server, DNS server, and DHCP
server before authentication.
● When the guest connects to the Wi-Fi hotspot guest using a mobile phone and
attempts to visit the Internet, the guest authentication page is pushed to the
mobile phone. After the guest enters the correct user name and password, the
authentication succeeds and the requested web page is displayed automatically.
● When a guest connects to the Wi-Fi hotspot guest using a PC or tablet and
attempts to visit the Internet, the guest authentication page is pushed to the
PC or tablet. After the guest enters the correct user name and password, the
authentication succeeds and the requested web page is displayed automatically.
● After guests are successfully authenticated using the accounts registered by
their mobile numbers, they can access the Internet but not the service system.
● After the authentication succeeds, run the display access-user command on the
WAC. Information about online guests is displayed.
● Choose Admission > Admission Policy > Online User Control from the main menu
and click Online User. Information about online users is displayed.
● Choose Monitoring > Event Logs > Terminal Authentication Logs from the main
menu. You can see the Portal authentication logs for guest accounts on the
Portal Login and Logout Logs tab page.
Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 10
#
interface gigabitethernet 0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return
portal quiet-times 5
portal timer quiet-period 240
#
portal-access-profile name acc_portal_employee
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize user-group group1
authentication event portal-server-up action re-authen
portal-access-profile name acc_portal_guest
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize user-group group2
authentication event portal-server-up action re-authen
#
mac-access-profile name acc_mac
#
authentication-profile name auth_portal_employee
mac-access-profile acc_mac
portal-access-profile acc_portal_employee
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_template
free-rule-template default_free_rule
authentication-profile name auth_portal_guest
portal-access-profile acc_portal_guest
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_template
free-rule-template default_free_rule
#
user-group group1
acl 3001
user-group group2
acl 3002
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255
#
acl 3001
rule 5 permit ip
acl 3002
rule 5 deny ip destination 192.168.11.200 255.255.255.255
rule 10 permit ip
#
interface vlanif 10
ip address 10.10.10.254 24
dhcp select interface
#
interface gigabitethernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 101
#
wlan
security-profile name security_portal
security open
ssid-profile name wlan-ssid-employee
ssid employee
ssid-profile name wlan-ssid-guest
ssid guest
regulatory-domain-profile name domain1
country-code cn
vap-profile name wlan-vap-employee
forward-mode tunnel
service-vlan vlan-id 100
security-profile security_portal
ssid-profile wlan-ssid-employee
authentication-profile auth_portal_employee
vap-profile name wlan-vap-guest
forward-mode tunnel
802.1X authentication ensures high security; however, it requires that 802.1X client
software be installed on user terminals, resulting in inflexible network
deployment. Another two NAC authentication methods have their advantages and
disadvantages: MAC address authentication does not require client software
installation, but MAC addresses must be registered on an authentication server.
Portal authentication also does not require client software installation and
provides flexible deployment, but it has low security.
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-232, the terminals in an office are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Configure 802.1X authentication on the Switch.
a. Enable 802.1X authentication to control network access rights of the
employees in the office.
b. Enable MAC address bypass authentication to authenticate terminals
(such as printers) that cannot install 802.1X authentication client
software.
NOTE
● Before configuring this example, ensure that devices can communicate with each other
in the network.
● In this example, the LAN switch exists between the access switch Switch and users. To
ensure that users can pass 802.1X authentication, you must configure the EAP packet
transparent transmission function on the LAN switch.
● Method 1: The S5700-LI is used as an example of the LAN switch. Perform the
following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command
on the interface connecting to users and the interface connecting to the access
switch to enable the Layer 2 protocol tunneling function.
● Method 2: This method is recommended when a large number of users exist or
high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI,
S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run
the undo l2protocol-tunnel user-defined-protocol 802.1x enable command
in the interface view to delete the configuration of transparent transmission of
802.1x protocol packets.
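What the four bpdu mac-address entries in method 2 achieve can be checked mechanically: a frame is trapped as a BPDU when (destination MAC AND mask) equals (entry MAC AND mask), and the replacement entries cover every address in 0180-c200-0000 through 0180-c200-000f except 0180-c200-0003, the EAPOL destination MAC, so EAP frames are forwarded instead of being consumed by the LAN switch. This is an added example, not Huawei code; the matching rule is the usual MAC-with-mask comparison and is assumed here.

```python
"""Coverage check for the bpdu mac-address entries of method 2.

Added illustration, not Huawei code. Assumes the standard MAC-and-mask
match: a frame hits an entry when (dst & mask) == (entry & mask)."""

EAPOL_PAE_MAC = "0180-c200-0003"   # destination MAC of EAPOL frames

# Default entry that the first command removes: traps 0180-c200-0000..000f.
DEFAULT_BPDU_ENTRIES = [("0180-c200-0000", "ffff-ffff-fff0")]

# The four entries added by method 2 (values as given in the text above).
METHOD2_BPDU_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),   # 0000, 0001
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),   # 0002 only
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),   # 0004..0007
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),   # 0008..000f
]


def mac_to_int(text):
    """Accept both 0180-c200-0003 and 01:80:c2:00:00:03 forms, any case."""
    return int(text.replace("-", "").replace(":", ""), 16)


def int_to_mac(value):
    hexstr = "%012x" % value
    return "-".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def bpdu_entry_matches(dst_mac, entry_mac, mask):
    m = mac_to_int(mask)
    return (mac_to_int(dst_mac) & m) == (mac_to_int(entry_mac) & m)


def is_trapped_as_bpdu(dst_mac, entries):
    """True if any configured entry would make the switch trap the frame."""
    return any(bpdu_entry_matches(dst_mac, mac, mask) for mac, mask in entries)


def reserved_range_coverage(entries):
    """Map each of the 16 reserved addresses 0180-c200-0000..000f to whether
    the given entry set traps it."""
    base = mac_to_int("0180-c200-0000")
    return {int_to_mac(base + i): is_trapped_as_bpdu(int_to_mac(base + i), entries)
            for i in range(16)}


if __name__ == "__main__":
    for mac, trapped in reserved_range_coverage(METHOD2_BPDU_ENTRIES).items():
        print(mac, "trapped" if trapped else "forwarded transparently")
```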
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
dot1x enable
dot1x authentication-method eap
dot1x mac-bypass
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
user does not need to install any client software. MAC address authentication
ensures security of enterprise intranets.
In MAC address authentication, client software does not need to be installed on
user terminals, but MAC addresses must be registered on servers, resulting in
complex management. Another two NAC authentication methods have their
advantages and disadvantages: 802.1X authentication ensures high security, but it
requires that 802.1X client software be installed on user terminals, causing
inflexible network deployment. Portal authentication also does not require client
software installation and provides flexible deployment, but it has low security.
MAC address authentication is applied to access authentication scenarios of dumb
terminals such as printers and fax machines.
Configuration Notes
This configuration example applies to all switches running all versions.
Networking Requirements
As shown in Figure 3-233, the terminals in the physical access control department
are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control the users' network access rights to ensure
internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network
access rights of the dumb terminals in the physical access control department.
NOTE
Before configuring this example, ensure that devices can communicate with each other on the
network.
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
mac-authen
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Configuration Notes
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5710-C-LI, S5710-X-LI, S5700-SI, S5700-EI, S5710-EI, S5720-EI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S5700-HI,
S5710-HI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H,
S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.
Networking Requirements
As shown in Figure 3-234, the terminals in the visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Before configuring this example, ensure that devices can communicate with each other in the
network.
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
NOTE
In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is upstream connected to Switch, use the portal free-rule command
to create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS
and the DNS server is on the upstream network of the NAS device, you also need to create
authentication-free rules and ensure that the DNS server is included in the authentication-free
rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to
pass through and no authentication-free rule is required in Portal authentication.
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
web-auth-server abc direct
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the
specified clients to access the FTP server, improving FTP server security.
Configuration Notes
● In this example, the local user password is in irreversible-cipher mode,
indicating that the password is encrypted using the irreversible algorithm.
Unauthorized users cannot obtain the password through decryption.
Therefore, this algorithm is secure. This password mode only applies to
V200R003C00 and later versions. In versions earlier than V200R003C00, the
local user passwords can only be in cipher mode, indicating that the
passwords are encrypted using the reversible algorithm. Unauthorized users
can obtain the passwords through decryption. This algorithm is less secure.
● This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-235, the Switch functions as an FTP server. The
requirements are as follows:
● All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP
server anytime.
● All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP
server only during the specified period of time.
● Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the
Switch to limit user access to the FTP server.
Procedure
Step 1 Configure a time range.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an absolute time range for an ACL.
[Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time range for an ACL. The time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time ranges.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP server-source -i Vlanif 10
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
3.15.1.2 Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/
destination port numbers, UDP source/destination port numbers, fragment
information, and time ranges. Compared with a basic ACL, an advanced ACL is
more accurate, flexible, and provides more functions. For example, if you want to
filter packets based on source and destination IP addresses, configure an advanced
ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the
device can filter the packets sent from users to the specified server and thus
restrict access to the specified server during a time range.
Configuration Notes
This example applies to all versions of all S series switches.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-236, the departments of an enterprise are connected
through the Switch. The R&D and marketing departments cannot access the salary
query server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president
office can access the server at anytime.
Figure 3-236 Using ACLs to control access to the specified server in the specified time range
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure the time range, advanced ACL, and ACL-based traffic classifier to
filter packets from users to the server in the specified time range. In this way,
you can restrict the access of different users to the server in the specified time
range.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add
GE2/0/1 to VLAN 100, and assign IP addresses to VLANIF interfaces. The
configurations on GE1/0/1 and VLANIF 10 are used as an example here. The
configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configurations
on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100
are similar to the configurations on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
# Configure an ACL for the R&D department accessing the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3003] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_rd] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the
traffic behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the traffic classifier c_rd with the traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit
# Packets from the R&D department to the server are received by GE1/0/3;
therefore, apply the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic policy to the inbound
direction of an interface.
[Switch-GigabitEthernet1/0/3] quit
# Verify the configuration. Excerpt of the traffic classifier and traffic policy display output:
Classifier: c_rd
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3003
Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny
# The R&D and marketing departments cannot access the salary query server during
work hours (08:00 to 17:30 on working days, Monday to Friday, as defined by the time range satime).
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market match-order config
classifier c_market behavior b_market
3.15.1.3 Example for Using an ACL to Block Network Access of the Specified
Users
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based
on Ethernet frame information, such as source MAC addresses, destination MAC
addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter
packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter
packets based on Layer 2 information. For example, if you want to filter packets
based on MAC addresses and VLANs, configure a Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the
device can filter the packets sent from users with certain MAC addresses to the
Internet and thus prevent these users from accessing the Internet.
Configuration Notes
This example applies to all versions of all S series switches.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-237, the Switch that functions as the gateway is connected
to PCs, and there are reachable routes to all subnets on Switch. The administrator
wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101)
is an unauthorized user.
Figure 3-237 Using Layer 2 ACLs to block network access of the specified users
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets
from MAC address 00e0-f201-0101 (preventing the user with this MAC
address from accessing the network).
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure an ACL.
# Excerpt of the traffic policy display output once the configuration is complete:
Classifier: tc1
Operator: OR
Behavior: tb1
Deny
# The user with MAC address 00e0-f201-0101 cannot access the Internet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or precedence 5
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return
Configuration Notes
This example applies to all versions of modular switches, but does not apply to
fixed switches.
Networking Requirements
As shown in Figure 3-238, Switch functions as the gateway to connect PCs to the
Internet. There are reachable routes among the devices. To ensure internal
network security, the administrator allows servers on the Internet to establish UDP
connections with internal PCs only after the internal PCs have established UDP
connections with the external servers.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure an advanced ACL based on which the device will generate a
reflective ACL.
2. Configure the reflective ACL function to allow internal PC1 to establish a UDP
connection with a server on the Internet and prevent the external server from
actively establishing a UDP connection with internal hosts.
Procedure
Step 1 Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass.
[Switch-acl-adv-3000] quit
# GE2/0/1 connects the Switch to the Internet: UDP packets that internal PCs send to
external servers leave through it, and the servers' replies arrive on it. Configure the
reflective ACL function in the outbound direction of GE2/0/1 so that the Switch generates
a reflective ACL entry for each outgoing UDP flow and admits only the matching return traffic.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 //Apply the reflective ACL to the
outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
This output appears only after an internal host has established a UDP session with an
external server. It shows that the Switch has generated a reflective ACL entry on
GE2/0/1 for the UDP packets exchanged between PC1 and the server (192.168.1.2), and
gives the packet statistics for that entry.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 3000
rule 5 permit udp
#
interface GigabitEthernet2/0/1
traffic-reflect outbound acl 3000
#
return
3.15.1.5 Example for Allowing Certain Users to Access the Internet in the
Specified Time Range
You can configure a time range and associate the time range with an ACL rule to
filter packets based on time. This specifies different policies for users in different
time ranges.
In this example, a basic ACL associated with a time range is applied to the traffic
policy module so that the device can filter packets sent from internal users to the
Internet in the specified time range. As a result, users can access the Internet only
in the specified time range.
Configuration Notes
This example applies to all versions of all S series switches.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-239, the departments of an enterprise are connected
through the Switch. The enterprise allows all employees to access the Internet on
work days (Monday to Friday), and only the managers to access the Internet on
weekends (Saturday and Sunday).
Figure 3-239 Allowing certain users to access the Internet in the specified time
range
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure the time range, basic ACL, and ACL-based traffic classifier to filter
packets sent from internal users to the Internet and thus allow only certain
users to access the Internet in the specified time range.
2. Configure a traffic behavior to permit the packets that match the ACL permit
rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk
interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
# Create basic ACL 2001 and configure rules to allow the R&D and marketing
managers (10.1.1.11 and 10.1.2.12) to access the Internet anytime and prevent
other employees from accessing the Internet on Saturday and Sunday. That is,
only the managers of R&D and marketing departments can access the Internet on
Saturday and Sunday.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.11 0 //Allow the manager of the R&D department to
access the Internet anytime.
[Switch-acl-basic-2001] rule permit source 10.1.2.12 0 //Allow the manager of the marketing department
to access the Internet anytime.
[Switch-acl-basic-2001] rule deny time-range rest-time //Prevent other users from accessing the Internet
on Saturday and Sunday.
[Switch-acl-basic-2001] quit
NOTE
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic
behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] quit
# Excerpt of the traffic policy display output:
Operator: OR
Behavior: tb1
Permit
Total policy number is 1
# All employees can access the Internet on work days. Only the managers
(10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access the
Internet on weekends.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
time-range rest-time 00:00 to 23:59 off-day
#
acl number 2001
rule 5 permit source 10.1.1.11 0
rule 10 permit source 10.1.2.12 0
rule 15 deny time-range rest-time
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
permit
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return
3.15.1.6 Example for Using ACLs to Restrict Mutual Access Between Network
Segments
ACL Overview
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/
destination port numbers, UDP source/destination port numbers, fragment
information, and time ranges. Compared with a basic ACL, an advanced ACL is
more accurate, flexible, and provides more functions. For example, if you want to
filter packets based on source and destination IP addresses, configure an advanced
ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the
device can filter the packets between different network segments and thus restrict
mutual access between network segments.
Configuration Notes
This example applies to all versions and models.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-240, the departments of an enterprise are connected
through the Switch. To facilitate network management, the administrator
allocates the IP addresses on two network segments to the R&D and marketing
departments respectively. The two departments belong to different VLANs. The
mutual access between two network segments must be controlled to ensure
information security.
Figure 3-240 Using advanced ACLs to restrict mutual access between network
segments
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Configure GE 1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
# Excerpt of the traffic classifier display output:
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3001
# The network segments where the R&D and marketing departments reside
cannot access each other, but they can access the network segments of other
departments.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 3001
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 5
if-match acl 3001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy tp1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
3.15.1.7 Example for Using an ACL to Prevent Internal Hosts from Accessing
the Internet
ACL Overview
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the
device can filter the packets from internal hosts to the Internet and thus prevent
internal hosts from accessing the Internet.
Configuration Notes
This example applies to all versions and models.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-241, the departments of an enterprise are connected
through the Switch. The Switch needs to prevent some hosts of the R&D and
marketing departments from accessing the Internet to protect information security
of the enterprise.
Figure 3-241 Using an ACL to prevent internal hosts from accessing the Internet
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a basic ACL and ACL-based traffic classifier to filter packets from
the specified hosts of the R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk
interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
# The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts
can access the Internet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 2001
rule 5 deny source 10.1.1.11 0
rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return
3.15.1.8 Example for Using an ACL to Prevent External Hosts from Accessing
Internal Servers
ACL Overview
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/
destination port numbers, UDP source/destination port numbers, fragment
information, and time ranges. Compared with a basic ACL, an advanced ACL is
more accurate, flexible, and provides more functions. For example, if you want to
filter packets based on source and destination IP addresses, configure an advanced
ACL.
In this example, an advanced ACL is applied to the traffic policy module so that
the device can filter the packets sent from external hosts to internal servers and
thus restrict access of external hosts to internal servers.
Configuration Notes
This example applies to all versions of all S series switches.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-242, the departments of an enterprise are connected
through the Switch. The enterprise allows only internal hosts to access the finance
server, preventing external hosts from accessing the server.
Figure 3-242 Using an ACL to prevent external hosts from accessing internal
servers
Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the
packets from external hosts to the finance server and thus prevent external
hosts from accessing this server.
2. Configure a traffic behavior to permit the packets that match the ACL permit
rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.
Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add
GE2/0/1 to VLAN 100, and assign IP addresses to VLANIF interfaces. The
configurations on GE 1/0/1 and VLANIF 10 are used as an example here. The
configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configurations
on GE 1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100
are similar to the configurations on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
# Create advanced ACL 3002 and configure rules to allow the packets from the
president's office, R&D department, and marketing department to reach the
finance server and block the packets sent from external hosts to the finance
server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow
the president's office to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow
the marketing department to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow
the R&D department to access the finance server.
[Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent other users from accessing
the finance server.
[Switch-acl-adv-3002] quit
# Configure the traffic classifier c_network to classify the packets that match ACL
3002.
[Switch] traffic classifier c_network //Create a traffic classifier.
[Switch-classifier-c_network] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_network] quit
# Configure the traffic behavior b_network and keep the action set to permit
(default value).
NOTE
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic
behavior.
[Switch] traffic behavior b_network //Create a traffic behavior.
[Switch-behavior-b_network] quit
# Configure the traffic policy p_network and associate the traffic classifier
c_network and the traffic behavior b_network with the traffic policy.
[Switch] traffic policy p_network //Create a traffic policy.
[Switch-trafficpolicy-p_network] classifier c_network behavior b_network //Associate the traffic classifier
c_network with the traffic behavior b_network.
[Switch-trafficpolicy-p_network] quit
# Packets from internal and external hosts are forwarded to the finance server
through GE2/0/1; therefore, apply the traffic policy p_network to the outbound
direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound //Apply the traffic policy to the
outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
# The president's office, marketing department, and R&D department can access
the finance server, but external hosts cannot.
----End
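The two traffic-policy examples above (the weekend Internet restriction with ACL 2001 and time range rest-time in 3.15.1.5, and the finance-server restriction with ACL 3002 here) rely on the same evaluation rules: rules are tried in configuration order, the wildcard mask decides which address bits must match, a deny rule discards the packet regardless of the traffic behavior, and a packet that no rule matches is simply not classified. The following Python model is added here and is not code from the page or from the switch; it encodes both ACLs so the intended result can be checked on constructed packets before the policy is pushed. The match-order config and first-match behavior are assumptions about the switch, and the dates are chosen so that 2024-06-08 is a Saturday and 2024-06-10 a Monday.

```python
"""Offline model of an IPv4 ACL applied through a Huawei-style traffic policy.

Added example, not switch code. Rules are evaluated in configuration order
(match-order config), first match wins; this is an assumption about the switch.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: 0 bits of the wildcard must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0


@dataclass
class TimeRange:
    start: str   # "HH:MM"
    end: str     # "HH:MM", inclusive
    days: str    # "working-day" (Mon-Fri) or "off-day" (Sat-Sun)

    def active(self, when: datetime) -> bool:
        weekend = when.weekday() >= 5          # Monday is 0
        if self.days == "working-day" and weekend:
            return False
        if self.days == "off-day" and not weekend:
            return False
        return self.start <= when.strftime("%H:%M") <= self.end


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: Optional[tuple] = None       # (address, wildcard); None matches any source
    dst: Optional[tuple] = None       # same for the destination
    time_range: Optional[str] = None  # rule is only active while the range is


@dataclass
class Policy:
    rules: list
    behavior: str                     # traffic behavior action: "permit" or "deny"
    time_ranges: dict = field(default_factory=dict)


def acl_lookup(policy: Policy, src: str, dst: str, when: datetime) -> Optional[str]:
    """Action of the first rule that matches, or None when no rule matches."""
    for r in policy.rules:
        if r.src and not wildcard_match(src, *r.src):
            continue
        if r.dst and not wildcard_match(dst, *r.dst):
            continue
        if r.time_range and not policy.time_ranges[r.time_range].active(when):
            continue
        return r.action
    return None


def decide(policy: Policy, src: str, dst: str, when: datetime) -> str:
    """Forwarding decision under traffic-policy semantics: a deny rule discards
    the packet whatever the behavior says; a permit rule hands the packet to the
    behavior; a packet no rule matches is not classified and is forwarded."""
    hit = acl_lookup(policy, src, dst, when)
    if hit == "deny":
        return "discard"
    if hit == "permit":
        return "discard" if policy.behavior == "deny" else "forward"
    return "forward"


def decide_at(policy: Policy, src: str, dst: str, iso_time: str) -> str:
    """Same as decide(), taking the time as an ISO string such as 2024-06-08T10:00."""
    return decide(policy, src, dst, datetime.fromisoformat(iso_time))


# ACL 3002 and behavior b_network (permit) from the finance-server example.
# The CLI wildcard shorthand "0" is written out as 0.0.0.0 here.
FINANCE = ("10.164.4.4", "0.0.0.0")
FINANCE_POLICY = Policy(
    rules=[
        Rule("permit", src=("10.164.1.0", "0.0.0.255"), dst=FINANCE),  # president's office
        Rule("permit", src=("10.164.2.0", "0.0.0.255"), dst=FINANCE),  # marketing
        Rule("permit", src=("10.164.3.0", "0.0.0.255"), dst=FINANCE),  # R&D
        Rule("deny", dst=FINANCE),                                    # everyone else
    ],
    behavior="permit",
)

# ACL 2001, time range rest-time and behavior tb1 (permit) from the weekend example.
INTERNET_POLICY = Policy(
    rules=[
        Rule("permit", src=("10.1.1.11", "0.0.0.0")),   # R&D manager, any time
        Rule("permit", src=("10.1.2.12", "0.0.0.0")),   # marketing manager, any time
        Rule("deny", time_range="rest-time"),           # everyone else on Sat/Sun
    ],
    behavior="permit",
    time_ranges={"rest-time": TimeRange("00:00", "23:59", "off-day")},
)

if __name__ == "__main__":
    # Constructed packets; 2024-06-08 is a Saturday, 2024-06-10 a Monday.
    checks = [
        (FINANCE_POLICY, "10.164.3.20", "10.164.4.4", "2024-06-10T10:00"),
        (FINANCE_POLICY, "198.51.100.7", "10.164.4.4", "2024-06-10T10:00"),
        (FINANCE_POLICY, "198.51.100.7", "10.164.1.5", "2024-06-10T10:00"),
        (INTERNET_POLICY, "10.1.1.11", "203.0.113.1", "2024-06-08T10:00"),
        (INTERNET_POLICY, "10.1.1.50", "203.0.113.1", "2024-06-08T10:00"),
        (INTERNET_POLICY, "10.1.1.50", "203.0.113.1", "2024-06-10T10:00"),
    ]
    for pol, s, d, t in checks:
        print(f"{s:>14} -> {d:<12} at {t}: {decide_at(pol, s, d, t)}")
```

The third finance check is the one worth running before deployment: a packet from an external host to any destination other than 10.164.4.4 falls through ACL 3002 unmatched and is forwarded, so the policy protects only the finance server itself; anything else reachable through GE2/0/1 stays open to external hosts unless a further rule covers it.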
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
ACL Overview
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the
specified NMS can access the switch. This improves switch security.
Configuration Notes
This example applies to all versions of all S series switches.
NOTE
The following commands and output information are obtained from S7712 running
V200R007C00.
Networking Requirements
As shown in Figure 3-243, a new switch on the same network segment as the
NMS is added to an enterprise's network, and uses SNMPv3 to communicate with
the NMS. To improve switch security, the switch can only be managed by the
existing NMS on the network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv3 on the switch so that the NMS running SNMPv3 can
manage the switch.
2. Configure access control so that only the NMS with the specified IP address
can perform read/write operations on the specified MIB objects of the switch.
3. Configure a user group and user based on which the switch permits access of
the NMS.
4. Configure a trap host and enable the switch to automatically send traps to
the NMS.
5. Add the switch to the NMS. The user group and user configured on the switch
must be the same as those used by the NMS; otherwise, the NMS cannot
manage the switch.
Procedure
Step 1 Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage
the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v3 //By default, SNMPv3 is supported. If SNMPv3 is not disabled,
skip this command.
Step 2 Configure the interface on the switch to receive and respond to NMS request
packets. This step must be performed in V200R020 and later versions. Otherwise,
the switch cannot connect to the NMS.
[Switch] snmp-agent protocol source-interface vlanif 10
Step 3 Configure access control so that only the NMS with the specified IP address can
perform read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the
NMS.
[Switch] snmp-agent mib-view included isoview iso //Configure the MIB view isoview to access the iso
subtree.
The iso subtree is the root of the MIB tree, so a group that uses isoview as both its read view
and its write view can read and modify every object the switch exposes. If the NMS only monitors
the switch, narrow the view to the subtrees it needs.
Step 4 Configure a user group and user based on which the switch permits access of the
NMS.
# Configure the user group group001, set the security level to privacy, and
configure access control to restrict the access of NMS to the switch.
[Switch] snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view
isoview acl 2001
# Configure an SNMPv3 user named user001 and add the user to group001.
[Switch] snmp-agent usm-user v3 user001 group group001
NOTE
In versions earlier than V200R003C00, the user name is configured using snmp-agent usm-user
v3 user001 group001 authentication-mode sha Authe@1234 privacy-mode des56
Priva@1234.
In V200R019C00, the system software does not support the sha parameter. To use the sha
parameter, you need to install the V200R019SPH007 patch or the SHA1 plug-in. For higher
security purposes, you are advised to specify the sha2-256 parameter, which indicates the more
secure HMAC-SHA2-256-192 algorithm.
You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise
Network or Carrier), and choose the desired plug-in usage guide based on the switch model
and software version. If you do not have permission to access the website, contact technical
support personnel.
Step 5 Configure a trap host and enable the switch to automatically send traps to the
NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions
on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap
all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3
privacy //Configure a trap host. By default, traps are sent by UDP port 162. The security name must be the
same as the user name; otherwise, the NMS cannot manage the device.
# Parameters used on the NMS when adding the switch: IP address 10.1.1.2, SNMP
version V3, port 161.
NOTE
The parameter settings on the NMS and switch must be the same; otherwise, the switch
cannot be added to the NMS.
If authentication is required for remote logins to the switch, Telnet parameters need to be
set so that the NMS can manage the switch. In this example, administrators can remotely
log in to the switch using Telnet, password authentication is used, and the password is
YsHsjx_202206.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#*2C
%=4LZn1L>ni9xaybHdbXFW&[c_Wv0m!0MpTj!%^%#
snmp-agent usm-user v3 user001 privacy-mode aes128 cipher %^%#i\Fv-cC(u)+x26S2'rEX<.;V+e~nP)*.J
$Ulr($/%^%#
snmp-agent trap enable
snmp-agent protocol source-interface Vlanif10
#
return
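The NOTE above says the parameters on the NMS and the switch must match, and the configuration file shows why the engine ID belongs to that set: SNMPv3 USM never uses the password directly. It hashes the password into a key and then localizes that key with the agent's engine ID, so the same user001 password produces a different HMAC key on every agent, and changing the local-engineid silently invalidates the keys the NMS has derived. The following Python, added here and not code from the page or the switch, implements that derivation from RFC 3414 (Appendix A.2 and section 2.6) with the same construction for SHA-2 per RFC 7860, and shows how "sha" (HMAC-SHA-96) and "sha2-256" (HMAC-SHA2-256-192) differ only in the hash and the truncation. The engine ID is the one in the page's configuration file; the passwords are the ones in the page's NOTE. The RFC test vectors in the usage check are for engine ID 000000000000000000000002 and password "maplesyrup".

```python
"""SNMPv3 USM key derivation: password -> Ku -> Kul localized to an engine ID.

Added example, not switch code. Construction from RFC 3414 (MD5/SHA-1) and
RFC 7860 (SHA-2); the engine ID and passwords below are taken from the page.
"""
import hashlib
import hmac

# Truncated HMAC length in bytes per authentication protocol:
# "sha" on the switch is HMAC-SHA-96, "sha2-256" is HMAC-SHA2-256-192.
AUTH_TRUNC = {"md5": 12, "sha1": 12, "sha224": 16, "sha256": 24, "sha384": 32, "sha512": 48}

# snmp-agent local-engineid from the page's configuration file (11 bytes, hex).
SWITCH_ENGINE_ID = "800007DB03360102101100"


def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, algo: str = "sha1") -> tuple:
    """(Ku, Kul) as hex strings for one password on one engine."""
    ku = password_to_key(password, algo)
    return ku.hex(), localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def auth_params(kul: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated per protocol."""
    return hmac.new(kul, message, algo).digest()[:AUTH_TRUNC[algo]]


def priv_key(kul: bytes, cipher: str = "aes128") -> bytes:
    """Cipher key cut from the localized privacy key: 16 bytes for AES-128 (RFC 3826),
    8 bytes for DES (RFC 3414; the following 8 bytes serve as the pre-IV)."""
    return kul[:16] if cipher == "aes128" else kul[:8]


if __name__ == "__main__":
    # Passwords from the page's NOTE, engine ID from its configuration file.
    for algo in ("sha1", "sha256"):
        ku, kul = usm_keys("Authe@1234", SWITCH_ENGINE_ID, algo)
        print(f"{algo}: Ku={ku}\n      Kul={kul}")
    _, pkul = usm_keys("Priva@1234", SWITCH_ENGINE_ID, "sha1")
    print("AES-128 key:", priv_key(bytes.fromhex(pkul)).hex())
```

Ku depends only on the password and hash, so it is the value an NMS can precompute; Kul is what both sides feed to the HMAC, which is why the NMS discovers the engine ID before the first authenticated request and why a duplicated engine ID on two switches lets one agent's keys verify on the other.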
1. When user hosts directly connect to the gateway, the attacker forges an ARP
packet of the gateway and sends the ARP packet to user hosts. The user hosts
then consider that the attacker is the gateway, and record incorrect gateway
address mappings into their ARP tables. The traffic destined for the gateway is
then received by the attacker. In this way, the attacker intercepts the data sent
by user hosts.
2. A user host sends a large number of IP packets with unresolvable destination
IP addresses (the routing table contains the routing entries matching the
destination IP addresses of the packets but the device does not have the ARP
entries matching the next hop addresses of the routing entries) to the device,
causing the device to generate a large number of ARP Miss packets. The IP
packets (ARP Miss packets) triggering ARP Miss messages are sent to the CPU
for processing. The device generates and delivers many temporary ARP entries
according to the ARP Miss messages, and sends a large number of ARP
request packets to the destination network. This increases CPU usage of the
device and consumes much network bandwidth.
3. The device receives a large number of ARP attack packets and needs to
process all of them. As a result, the device's CPU may be overloaded.
The following ARP security measures can be taken to protect the network against
ARP attacks:
● To prevent the first attack (the attacker poses as the gateway to intercept
host information), configure ARP gateway anti-collision.
● To prevent the second attack, configure ARP Miss rate limiting to reduce CPU
load and save bandwidth on the destination network.
● To prevent the third attack, configure ARP packet rate limiting to protect CPU
resources.
Configuration Notes
● This example applies to all modular switch models and versions.
● For the fixed switch models and versions that support this example, see
Applicable Products and Versions.
Networking Requirements
As shown in Figure 3-244, the switch functioning as the gateway connects to a
server using GE1/0/3 and connects to four users in VLAN 10 and VLAN 20 using
GE1/0/1 and GE1/0/2, respectively. The following ARP threats exist on a network:
● The attacker poses as the gateway to send an ARP packet to the switch, so
user hosts consider that the attacker is the gateway. As a result, traffic
destined for the gateway from user hosts is received by the attacker, and the
attacker intercepts data from user hosts.
● Attackers send a large number of IP packets with unresolvable destination IP
addresses to the switch, leading to CPU overload.
● User1 sends a large number of ARP packets with fixed MAC addresses but
variable source IP addresses to the switch. As a result, the available CPU of
the switch is insufficient to process other services.
● User3 sends a large number of ARP packets with fixed source IP addresses to
the switch. As a result, the available CPU of the switch is insufficient to
process other services.
The administrator wants to prevent the preceding ARP attacks and provide users
with stable services on a secure network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ARP gateway anti-collision to prevent attackers from posing as the
gateway to intercept data.
2. Configure ARP Miss rate limiting based on source IP addresses to prevent
user-side attackers from triggering ARP Miss messages with large numbers of
unresolvable IP packets and so forming ARP flood attacks. Give the server a
higher threshold than ordinary hosts so that the ARP Miss messages it
legitimately triggers are not discarded; otherwise communication with the
server would be interrupted.
3. Configure ARP rate limiting based on source MAC addresses to prevent User1
from sending a large number of ARP packets with different source IP
addresses and a fixed MAC address to form ARP flood attacks. The ARP flood
attacks will overload the switch's CPU.
4. Configure rate limiting on ARP packets based on the source IP address. This
function defends against ARP flood attacks from User3 with a fixed IP address
and prevents CPU overload.
Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, VLAN 30, and add GE1/0/1 to VLAN 10, GE1/0/2 to
VLAN 20, and GE1/0/3 to VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 30
[Switch-GigabitEthernet1/0/3] quit
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.8.8.4 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.9.9.4 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.10.10.3 24
[Switch-Vlanif30] quit
Step 3 Configure rate limiting on ARP Miss messages based on the source IP address.
# Set the maximum rate of ARP Miss messages triggered by the server with the IP
address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages
triggered by other hosts to 20 pps.
[Switch] arp-miss speed-limit source-ip maximum 20 //Configure rate limiting on ARP Miss messages based on the source IP address
[Switch] arp-miss speed-limit source-ip 10.10.10.2 maximum 40 //Configure rate limiting on ARP Miss messages based on the source IP address
Step 4 Configure rate limiting on ARP packets based on the source MAC address.
# Set the maximum rate of ARP packets from User1 with the source MAC address
0001-0001-0001 to 10 pps.
[Switch] arp speed-limit source-mac 0001-0001-0001 maximum 10 //Configure rate limiting on ARP packets based on the source MAC address
Step 5 Configure rate limiting on ARP packets based on the source IP address.
# Set the maximum rate of ARP packets from User3 with the source IP address
10.9.9.2 to 10 pps.
[Switch] arp speed-limit source-ip 10.9.9.2 maximum 10 //Configure rate limiting on ARP packets based on the source IP address
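To make the effect of the two thresholds visible, the following Python is an added example, not Huawei code, that models per-source rate limiting with a per-source override, i.e. the shape of the arp-miss speed-limit source-ip configuration in Step 3 and of the arp speed-limit source-mac limit in Step 4. It assumes fixed one-second counting windows (the switch's internal algorithm is not described on this page) and a constructed one-second burst from the server 10.10.10.2, from an attacking host 10.8.8.2 and from a quiet host 10.9.9.3; those two host addresses and the packet counts are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


class PerSourceRateLimiter:
    """Accepts at most `default_pps` packets per source per one-second window,
    with per-source overrides (the server's higher budget in Step 3).
    Assumption: fixed one-second windows; the switch's real algorithm is not
    documented on this page. A default of None means no global limit."""

    def __init__(self, default_pps: Optional[int], overrides: Optional[Dict[str, int]] = None):
        self.default_pps = default_pps
        self.overrides = dict(overrides or {})
        self.accepted_in_window: Dict[Tuple[str, int], int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)

    def limit_for(self, source: str) -> Optional[int]:
        return self.overrides.get(source, self.default_pps)

    def accept(self, source: str, t: float) -> bool:
        """True if the packet from `source` at time `t` (seconds) is within budget."""
        limit = self.limit_for(source)
        window = (source, int(t))
        if limit is not None and self.accepted_in_window[window] >= limit:
            self.dropped[source] += 1
            return False
        self.accepted_in_window[window] += 1
        return True


def replay(limiter: PerSourceRateLimiter, packets: Iterable[Tuple[float, str]]) -> Dict[str, int]:
    """Feed (timestamp, source) pairs in time order; return accepted count per source."""
    accepted: Dict[str, int] = defaultdict(int)
    for t, source in sorted(packets):
        if limiter.accept(source, t):
            accepted[source] += 1
    return dict(accepted)


def arp_miss_demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Constructed one-second burst: the server 10.10.10.2 sends 35 packets that
    trigger ARP Miss (under its 40 pps override), host 10.8.8.2 floods 500 and
    host 10.9.9.3 sends 5. Returns (accepted per source, dropped per source)."""
    packets: List[Tuple[float, str]] = []
    packets += [(i / 35, "10.10.10.2") for i in range(35)]
    packets += [(i / 500, "10.8.8.2") for i in range(500)]
    packets += [(i / 5, "10.9.9.3") for i in range(5)]
    limiter = PerSourceRateLimiter(default_pps=20, overrides={"10.10.10.2": 40})
    return replay(limiter, packets), dict(limiter.dropped)


def arp_source_mac_demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Same mechanism keyed by source MAC, as in Step 4: User1's fixed MAC is
    held to 10 pps however many source IP addresses it cycles through, while
    other MACs are not limited at all (no global source-mac limit configured)."""
    packets = [(i / 200, "0001-0001-0001") for i in range(200)]
    limiter = PerSourceRateLimiter(default_pps=None, overrides={"0001-0001-0001": 10})
    return replay(limiter, packets), dict(limiter.dropped)


if __name__ == "__main__":
    print(arp_miss_demo())
    print(arp_source_mac_demo())
```

The point the numbers make: the attacker is cut to the 20 pps default and loses 480 packets, the quiet host is untouched, and the server keeps all 35 packets only because it was given its own higher budget; without the override it would lose 15 of them and its traffic would suffer the interruption the roadmap warns about.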
# Run the display arp packet statistics command to check statistics on ARP-
based packets.
[Switch] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104
In the preceding command output, the numbers of ARP packets and ARP Miss
messages discarded by the switch are displayed, indicating that the ARP security
functions have taken effect.
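The counters above are cumulative, so a single display only proves that the limiters have dropped something at some point; whether an attack is still in progress shows only in the rate of change between two reads. As an added example, not Huawei code or output from the original page, the following Python parses the counter block and compares two snapshots. The first snapshot is the output shown above; the second snapshot, the 30-second interval and the 5 pps alert threshold are constructed assumptions.

```python
import re
from typing import Dict

# Constructed sample: the "display arp packet statistics" output shown above,
# used as the first snapshot.
SNAPSHOT_T0 = """\
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104
"""

# Constructed second snapshot, assumed to be taken 30 s later: the ARP packet
# limiter is still discarding, the ARP Miss limiter is idle.
SNAPSHOT_T1 = """\
ARP Pkt Received: sum 8679450
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40829
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104
"""

# One counter line: "<name>: sum <value>"
COUNTER_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z\- ]*?)\s*:\s*sum\s+(?P<value>\d+)\s*$")


def parse_arp_stats(text: str) -> Dict[str, int]:
    """Turn the counter block into {counter name: cumulative value}."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def discard_rates(before: Dict[str, int], after: Dict[str, int], interval_s: float) -> Dict[str, float]:
    """Per-second growth of every 'Discard' counter between two snapshots."""
    return {
        name: (after[name] - before[name]) / interval_s
        for name in after
        if "Discard" in name and name in before
    }


def active_rate_limiting(before: Dict[str, int], after: Dict[str, int],
                         interval_s: float, alert_pps: float = 5.0) -> Dict[str, float]:
    """Counters whose SpeedLimit discards are still growing faster than alert_pps.
    An empty result means the limiters are configured but currently idle."""
    return {
        name: rate
        for name, rate in discard_rates(before, after, interval_s).items()
        if "SpeedLimit" in name and rate > alert_pps
    }


if __name__ == "__main__":
    t0, t1 = parse_arp_stats(SNAPSHOT_T0), parse_arp_stats(SNAPSHOT_T1)
    for name, rate in active_rate_limiting(t0, t1, 30).items():
        print(f"{name}: {rate:.1f} discards/s, limiter still shedding traffic")
```

Run against the two constructed snapshots, only the ARP packet SpeedLimit counter is flagged (300 new discards in 30 s, i.e. 10 per second), which is the reading that should trigger a look at display arp anti-attack statistics on the suspect interface rather than the absolute total.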
----End
Configuration File
# Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 10.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack gateway-duplicate enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return
Product Model        Software Version
S2700-SI             V100R006C05
S2700-EI             V100R006C05
S2710-SI             V100R006C05
S2730S-S             V200R020C10
S2752EI              V100R006C05
S3700-SI, S3700-EI   V100R006C05
S3700-HI             V200R001C00
Table 3-147 ARP Miss message rate limiting (based on source IP addresses)
Product Model        Software Version
S2700-SI             V100R006C05
S2700-EI             V100R006C05
S2710-SI             V100R006C05
S2752EI              V100R006C05
S3700-SI, S3700-EI   V100R006C05
S3700-HI             V200R001C00
Table 3-148 ARP packet rate limiting (based on source MAC addresses)
Product Model        Software Version
S2700-SI             V100R006C05
S2700-EI             V100R006C05
S2710-SI             V100R006C05
S2752EI              V100R006C05
S3700-SI, S3700-EI   V100R006C05
S3700-HI             V200R001C00
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
DAI Overview
Address Resolution Protocol (ARP) security protects network devices against ARP
attacks by learning ARP entries, limiting ARP packet rate, and checking ARP
packets. In addition to preventing ARP protocol attacks, ARP security also prevents
ARP-based network scanning attacks.
Man-in-the-middle (MITM) attack is a frequently launched ARP attack. The
attacker functions as the "man in the middle" to intercept data.
To defend against MITM attacks, deploy dynamic ARP inspection (DAI) on the
device.
DAI defends against MITM attacks using binding entries. When a device receives
an ARP packet, it compares the source IP address, source MAC address, interface
information, and VLAN ID of the ARP packet with binding entries. If the ARP
packet matches a binding entry, the device considers the ARP packet valid and
allows the packet to pass through. If the ARP packet matches no binding entry,
the device considers the ARP packet invalid and discards the packet.
NOTE
The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP
users go online. If a user uses a static IP address, you need to manually configure a static
binding entry for the user.
Configuration Notes
In V100R006C05, S2700-SI does not support the DHCP snooping function. This
example applies to all models in other versions.
Networking Requirements
As shown in Figure 3-245, SwitchA connects to the DHCP server using GE2/0/1,
connects to DHCP clients UserA and UserB using GE1/0/1 and GE1/0/2, and
Figure 3-245 Networking diagram for defending against ARP MITM attacks
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping and configure a static binding entry.
2. Enable DAI so that SwitchA compares the source IP address, source MAC
address, interface information, and VLAN ID of the ARP packet with binding
entries. This prevents ARP MITM attacks.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Create VLAN 10, and add GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
# Run the display arp anti-attack statistics check user-bind interface command
to check the number of ARP packets discarded based on DAI. GE1/0/1 is used as
an example.
[SwitchA] display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605
By running the display arp anti-attack statistics check user-bind interface
command several times on each interface, the administrator can determine the
frequency and scope of ARP MITM attacks from the number of discarded ARP
packets.
----End
Configuration File
# Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface GigabitEthernet1/0/3 vlan 10
#
vlan 10
dhcp snooping enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return
● Some terminals on the network run Windows Server 2003 or 2008 and are
enabled by default to allocate IP addresses using DHCP.
● Some interfaces at the access layer are connected to wireless routers that are
enabled to allocate IP addresses using DHCP.
You are advised to deploy DHCP snooping on the access switch: the closer the
snooping switch is to the PC, the more precise the per-interface control. Each
switch interface should connect to only one PC. If an interface connects to
several PCs through a hub, a rogue DHCP server on that hub cannot be stopped,
because DHCP packets are forwarded directly between the hub's ports and never
pass through the access switch where DHCP snooping is enforced.
Configuration Notes
In V100R006C05, the S2700-SI does not support DHCP snooping. All models in
other versions are applicable to this example.
Networking Requirements
As shown in Figure 3-246, SwitchA is an access switch and its connected PC
obtains an IP address through DHCP. SwitchB as a core switch is deployed with the
DHCP server function. DHCP snooping needs to be configured to prevent
unauthorized DHCP servers such as built-in wireless routers from accessing the
network. If an unauthorized DHCP server is connected to the network, common
users obtain incorrect addresses and cannot access the network or they obtain
conflicting addresses.
Configuration Roadmap
The configuration roadmap is as follows:
1. Deploy the DHCP server function on SwitchB.
2. Enable global DHCP snooping on SwitchA, enable DHCP snooping on the
interface connected to the PC, and configure the interface connected to
SwitchB as a trusted interface. (The trusted interface receives the DHCP
response packets from the DHCP server. SwitchA sends the DHCP request
packets from the PC to SwitchB only through the trusted interface.)
Procedure
Step 1 Configure the DHCP server function.
# Configure the DHCP server function on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif10] dhcp select interface //Enable the device to allocate IP addresses based on the interface address pool.
[SwitchB-Vlanif10] quit
# Run the display ip pool interface vlanif10 used command on SwitchB to check
the used IP addresses in the address pool.
[SwitchB] display ip pool interface vlanif10 used
Pool-name : Vlanif10
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
Network section :
-----------------------------------------------------------------------------
Index IP MAC Lease Status
-----------------------------------------------------------------------------
253 10.1.1.254 xxxx-xxxx-xxxx 46 Used
-----------------------------------------------------------------------------
# Run the display dhcp snooping user-bind all command on SwitchA to check
the DHCP snooping binding table.
[SwitchA] display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface Lease
--------------------------------------------------------------------------------
10.1.1.254 xxxx-xxxx-xxxx 10 /-- /-- GE0/0/2 2014.09.21-09:33
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
The IP addresses obtained by all the subsequent PCs through DHCP can be
allocated only by SwitchB.
----End
Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable ipv4
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
dhcp snooping enable
#
return
IPSG Overview
As shown in Figure 3-247, an attacker (Host_2) constructs IP packets with the IP
and MAC addresses of Host_1, which belongs to an R&D engineer, and uses them to
attack the intranet, so the network administrator mistakes the R&D engineer for
the attacker. IPSG prevents such attacks: once a static binding table is configured
on the access switch and IP packet checking is enabled on the interfaces
connected to terminals, only packets matching the static binding entries can
reach the intranet and the Internet, and all other packets are discarded.
Configuration Notes
This example applies to all versions and models except the following:
Networking Requirements
As shown in Figure 3-247, the user gateway is configured on the core switch
(Core). An ACL is configured on the Core to allow fixed hosts to access the
Internet. The hosts connected to the access switch (ACC) use statically configured
IP addresses. The administrator requires that the hosts can only use fixed IP
addresses to access the Internet. Users are not allowed to change their own IP
addresses to access the Internet.
Figure 3-247 Configuring IPSG to prevent hosts with static IP addresses from
changing their own IP addresses
Data Plan
To perform the configuration, you need the following data.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an ACL on the user gateway (Core) to allow the hosts with IP
addresses 10.0.0.2 and 10.0.0.3 to access the Internet.
2. Create static binding entries for the hosts on the ACC to fix the mappings
between IP addresses and MAC addresses.
3. Enable IPSG on the ACC's interfaces connected to user hosts so that the hosts
can only use the fixed IP addresses to access the network. Host_1 can access
the Internet, and Host_2 cannot access the Internet, even if it changes its IP
address.
Procedure
Step 1 Configure an ACL.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] interface vlanif 10 //Configure the gateway address.
[Core-Vlanif10] ip address 10.0.0.1 255.255.255.0
[Core-Vlanif10] quit
[Core] acl number 3001 //Configure an ACL.
[Core-acl-adv-3001] rule permit ip source 10.0.0.2 0
[Core-acl-adv-3001] rule permit ip source 10.0.0.3 0
[Core-acl-adv-3001] rule deny ip source 10.0.0.0 0.0.0.255
[Core-acl-adv-3001] quit
[Core] traffic classifier c1 //Configure an ACL-based traffic classifier.
[Core-classifier-c1] if-match acl 3001
[Core-classifier-c1] quit
[Core] traffic behavior b1 //Configure a traffic behavior.
[Core-behavior-b1] permit
[Core-behavior-b1] quit
[Core] traffic policy p1 //Configure a traffic policy.
[Core-trafficpolicy-p1] classifier c1 behavior b1
[Core-trafficpolicy-p1] quit
[Core] interface gigabitethernet 0/0/2
[Core-GigabitEthernet0/0/2] traffic-policy p1 outbound //Apply the traffic policy.
[Core-GigabitEthernet0/0/2] quit
Run the display dhcp static user-bind all verbose command on the ACC to view
IPSG status. If the status is effective, the static entry has taken effect.
[ACC] display dhcp static user-bind all verbose
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
IP Address : 10.0.0.2
MAC Address : 0002-0002-0002
VSI : --
Host_1 can access the Internet, and Host_2 cannot access the Internet. After the IP
address of Host_2 is changed to 10.0.0.3, Host_2 cannot access the Internet and
the intranet.
----End
Configuration Files
● Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
acl number 3001
rule 5 permit ip source 10.0.0.2 0
rule 10 permit ip source 10.0.0.3 0
rule 15 deny ip source 10.0.0.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
traffic-policy p1 outbound
#
return
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
ip source check user-bind enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It
filters IP packets against the binding table on a switch. A binding entry contains
an IP address, a MAC address, a VLAN ID, and an interface. Binding entries are
either static or dynamic: static entries are created manually, and the dynamic
binding table is the DHCP snooping binding table, which the switch populates
automatically from DHCP Reply packets when hosts obtain addresses through
DHCP. Once the binding table exists, the switch matches packets received on
IPSG-enabled interfaces against it: matching packets are forwarded and all others
are discarded. The fields compared can be any combination of IP address, MAC
address, VLAN ID, and interface; for example, the switch can match the IP address
alone, the IP and MAC addresses, or the IP address, MAC address, VLAN ID, and
interface together.
For example, on a network where the hosts obtain IP addresses from a DHCP
server, the hosts can access the network by using only the dynamic IP addresses,
and cannot use static IP addresses to access the network, unless the administrator
creates static binding entries for them.
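The DAI check described in the DAI Overview earlier, the DHCP snooping trust model, and the IPSG match options described in the paragraph above all consume the same binding table, so the following Python is one added example, not Huawei code, that models all three on a single access switch: DHCP server messages are accepted only from a trusted port, an ACK arriving on the trusted port creates a dynamic binding for the port where the client's request came in, static entries are added by hand, and DAI and IPSG then decide per packet against that table. The interface names, the printer entry and the trusted uplink follow the ACC example on this page; the addresses 10.1.1.10, 10.1.1.20 and 10.1.1.99, the host MAC addresses and the rogue-server placement are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


class AccessSwitch:
    """Binding table plus the DHCP snooping, DAI and IPSG checks that use it."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}              # keyed by IP, one entry per address
        self.client_ports: Dict[str, Tuple[str, int]] = {}  # client MAC -> (port, vlan) of its request
        self.dropped: List[str] = []

    # --- DHCP snooping: build the table ---------------------------------------
    def add_static_binding(self, ip, mac, vlan, interface):
        """user-bind static ...: for hosts with fixed addresses, such as the printer."""
        self.bindings[ip] = Binding(ip, mac, vlan, interface)

    def dhcp_from_client(self, in_port, vlan, client_mac):
        """DISCOVER/REQUEST on an untrusted port: remember where the client lives."""
        self.client_ports[client_mac] = (in_port, vlan)

    def dhcp_from_server(self, msg_type, in_port, client_mac, yiaddr):
        """OFFER/ACK/NAK: only a trusted port may carry server replies; an ACK on
        a trusted port produces a dynamic binding for the client's own port."""
        if in_port not in self.trusted:
            self.dropped.append(f"DHCP {msg_type} from untrusted {in_port}")
            return False
        if msg_type == "ACK" and client_mac in self.client_ports:
            port, vlan = self.client_ports[client_mac]
            self.bindings[yiaddr] = Binding(yiaddr, client_mac, vlan, port)
        return True

    # --- checks that consume the table ----------------------------------------
    def dai_check(self, sender_ip, sender_mac, vlan, in_port):
        """Dynamic ARP inspection: sender IP, sender MAC, VLAN and port must all match."""
        b = self.bindings.get(sender_ip)
        ok = b is not None and (b.mac, b.vlan, b.interface) == (sender_mac, vlan, in_port)
        if not ok:
            self.dropped.append(f"ARP {sender_ip}/{sender_mac} on {in_port}")
        return ok

    def ipsg_check(self, src_ip, src_mac, vlan, in_port, items=("mac", "vlan", "interface")):
        """IP source guard: the source IP must have a binding; `items` selects which
        further fields are compared (the check-item combination)."""
        b = self.bindings.get(src_ip)
        if b is None:
            self.dropped.append(f"IP {src_ip} on {in_port}: no binding")
            return False
        fields = {"mac": (b.mac, src_mac), "vlan": (b.vlan, vlan), "interface": (b.interface, in_port)}
        ok = all(fields[i][0] == fields[i][1] for i in items)
        if not ok:
            self.dropped.append(f"IP {src_ip} on {in_port}: binding mismatch")
        return ok


def scenario():
    """Replays the page's ACC topology: GE0/0/4 is the trusted uplink to the Core
    DHCP server, the printer is static on GE0/0/3, hosts sit on GE0/0/1 and
    GE0/0/2. Addresses and MACs below are constructed, not from the page."""
    acc = AccessSwitch(trusted_ports={"GE0/0/4"})
    acc.add_static_binding("10.1.1.2", "0003-0003-0003", 10, "GE0/0/3")

    host1 = "0001-0001-0001"
    acc.dhcp_from_client("GE0/0/1", 10, host1)
    rogue = acc.dhcp_from_server("OFFER", "GE0/0/2", host1, "10.1.1.99")  # wireless router on a user port
    acc.dhcp_from_server("ACK", "GE0/0/4", host1, "10.1.1.10")            # the real server, via the uplink

    return {
        "rogue_offer_forwarded": rogue,
        "host1_dynamic_binding": acc.bindings.get("10.1.1.10") == Binding("10.1.1.10", host1, 10, "GE0/0/1"),
        "host1_dhcp_ip_passes": acc.ipsg_check("10.1.1.10", host1, 10, "GE0/0/1"),
        "host1_static_ip_dropped": not acc.ipsg_check("10.1.1.20", host1, 10, "GE0/0/1"),
        "printer_spoof_dropped": not acc.ipsg_check("10.1.1.2", "0003-0003-0003", 10, "GE0/0/2"),
        "printer_spoof_ip_only_passes": acc.ipsg_check("10.1.1.2", "0002-0002-0002", 10, "GE0/0/2", items=()),
        "gateway_arp_spoof_dropped": not acc.dai_check("10.1.1.1", host1, 10, "GE0/0/1"),
        "host1_arp_passes": acc.dai_check("10.1.1.10", host1, 10, "GE0/0/1"),
        "drops": acc.dropped,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Two results are worth noting. The rogue OFFER is dropped purely on port trust, before any binding exists, which is why the uplink must be the only trusted port. And the "printer_spoof_ip_only_passes" case shows the caveat behind the match options: with IP-only matching, a host on another port that borrows the printer's address passes IPSG, so the IP address should be checked together with the MAC address and, where hosts are tied to ports, the interface.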
Configuration Notes
This example applies to all versions and models except the following:
● S2700-SI of V100R006C05 does not support IPSG.
● After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the
following versions, the switches do not support IPSG:
Networking Requirements
As shown in Figure 3-248, hosts access the intranet through ACC, and the Core
functions as a DHCP server to allocate IP addresses to the hosts. The printer uses a
static IP address. The gateway is the egress device of the intranet. The
administrator does not want the hosts to access the intranet by using the IP
addresses statically configured by themselves.
Figure 3-248 Configuring IPSG to prevent hosts with dynamic IP addresses from
changing their own IP addresses
Data Plan
To perform the configuration, you need the following data.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server on the Core to allocate IP addresses to hosts.
2. Configure DHCP snooping on the ACC so that the hosts obtain IP addresses
only from the valid DHCP server and the ACC generates DHCP snooping dynamic
binding entries recording the IP address, MAC address, VLAN, and interface of
each host.
3. Create a static binding entry for the printer on the ACC to ensure secure
access of the printer.
4. Enable IPSG in the VLAN to which the hosts belong on the ACC to prevent
the hosts from accessing the intranet with changed IP addresses.
Procedure
Step 1 Configure the DHCP server on the Core.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] dhcp enable
[Core] ip pool 10
[Core-ip-pool-10] network 10.1.1.0 mask 24
[Core-ip-pool-10] gateway-list 10.1.1.1
[Core-ip-pool-10] quit
[Core] interface vlanif 10
[Core-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Core-Vlanif10] dhcp select global
[Core-Vlanif10] quit
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan batch 10
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type access
[ACC-GigabitEthernet0/0/2] port default vlan 10
[ACC-GigabitEthernet0/0/2] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type access
[ACC-GigabitEthernet0/0/3] port default vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/4
[ACC-GigabitEthernet0/0/4] port link-type trunk
[ACC-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/4] quit
# Enable DHCP snooping and configure GE0/0/4 connected to the DHCP server as
a trusted interface.
[ACC] dhcp enable //Enable DHCP
[ACC] dhcp snooping enable //Enable DHCP Snooping globally
[ACC] vlan 10
[ACC-vlan10] dhcp snooping enable //Enable DHCP Snooping in VLAN 10
[ACC-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 //Configure a trusted interface
[ACC-vlan10] quit
Run the display dhcp static user-bind all command on the ACC to view the static
binding entry of the printer.
[ACC] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.1.1.2 0003-0003-0003 10 /-- /-- GE0/0/3
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
The hosts can access the intranet using the IP addresses dynamically allocated by
the DHCP server. After the dynamic IP addresses of the hosts are changed to
statically configured IP addresses that are different from the dynamic ones, the
hosts cannot access the intranet.
----End
Configuration Files
● Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
dhcp enable
#
ip pool 10
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
● Configuration file of the ACC
#
sysname ACC
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface GigabitEthernet0/0/3 vlan 10
#
vlan 10
dhcp snooping enable
dhcp snooping trusted interface GigabitEthernet0/0/4
ip source check user-bind enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
return
3.15.4.3 Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It
filters IP packets against the binding table on a switch. A binding entry contains
an IP address, a MAC address, a VLAN ID, and an interface. Binding entries are
either static or dynamic: static entries are created manually, and the dynamic
binding table is the DHCP snooping binding table, which the switch populates
automatically from DHCP Reply packets when hosts obtain addresses through
DHCP. Once the binding table exists, the switch matches packets received on
IPSG-enabled interfaces against it: matching packets are forwarded and all others
are discarded. The fields compared can be any combination of IP address, MAC
address, VLAN ID, and interface; for example, the switch can match the IP address
alone, the IP and MAC addresses, or the IP address, MAC address, VLAN ID, and
interface together.
For example, when all the hosts on an intranet use static IP addresses, they must
use the fixed IP addresses allocated by the network administrator and access the
intranet through fixed interfaces. To ensure intranet security, external hosts cannot
access the intranet without permission.
Configuration Notes
This example applies to all versions and models except the following:
● S2700-SI of V100R006C05 does not support IPSG.
● After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the
following versions, the switches do not support IPSG:
– V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI,
S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
– V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC,
and S5700-10P-PWR-LI-AC
Networking Requirements
As shown in Figure 3-249, hosts access the enterprise intranet through the switch.
The gateway is the egress device of the enterprise intranet. The hosts use static IP
addresses. The administrator has configured interface rate limiting on the switch,
and requires that the hosts use fixed IP addresses to access the intranet through
fixed ports. To ensure network security, the administrator does not allow external
hosts to access the intranet without permission.
Figure 3-249 Configuring IPSG based on the static binding table to prevent
unauthorized hosts from accessing the intranet
Data Plan
To perform the configuration, you need the following data.
Configuration Roadmap
The requirement of the administrator can be met by configuring IPSG on the
Switch. The configuration roadmap is as follows:
Procedure
Step 1 Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit
Host_1 and Host_2 can access the intranet. After the IP addresses of the hosts are
changed or the hosts connect to other interfaces, they cannot access the intranet.
When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, Host_3 cannot access
the intranet, indicating that external hosts cannot access the intranet without
permission. If Host_3 needs to access the intranet, add the entry of Host_3 to the
static binding table.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
ip source check user-bind enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return
Configuration Notes
● After MAC address limiting is configured on an interface, port security cannot
be configured on the interface.
● This example applies to all versions of all S series switches.
Networking Requirements
As shown in Figure 3-250, PC1, PC2, and PC3 connect to the company network
through the switch. To improve user access security, port security is enabled on the
interface of the switch so that external users cannot use their PCs to access the
company network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure port security and enable the sticky MAC function so that MAC
address entries are not lost after the device configuration is saved and the
device restarts.
Procedure
Step 1 Create a VLAN on the switch and add interfaces to the VLAN. The configurations
of GE1/0/2 and GE1/0/3 are similar to the configuration of GE1/0/1, and are not
shown here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The link type of the interface connected to the PC
must be access. The default link type of an interface is not access, so you need to manually configure the
link type of the interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 2 Configure port security on GE1/0/1. The configurations of GE1/0/2 and GE1/0/3
are similar to the configuration of GE1/0/1, and are not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security enable //Enable port security.
[Switch-GigabitEthernet1/0/1] port-security mac-address sticky //The sticky MAC function can be
enabled only after port security is enabled.
[Switch-GigabitEthernet1/0/1] port-security max-mac-num 1 //After port security is enabled, an
interface can learn only one secure MAC address entry by default, so this command is optional when only
one PC connects to the interface.
NOTE
● An interface can learn only one secure MAC address entry by default. If multiple PCs
connect to the company network using one interface, run the port-security max-mac-
num command to change the maximum number of secure MAC addresses.
● If a PC connects to the switch using an IP phone, set the maximum number of secure
MAC addresses to 3 because the IP phone occupies two MAC address entries and the PC
occupies one MAC address entry. The VLAN IDs in two MAC address entries used by the
IP phone are different. The two VLANs are used to transmit voice and data packets
respectively.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
return
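The baseline in this example is easy to state but easy to miss on one port of a large switch: every user-facing access port must have port security enabled, sticky MAC enabled, and a secure-MAC limit that matches what is really plugged in (1 for a PC, 3 for a PC behind an IP phone). The following script is an added example, not code from the Huawei guide. It parses the "#"-delimited configuration-file format shown above and audits each access port against that baseline. It assumes the command spellings used on this page (port link-type access, port-security enable, port-security mac-address sticky, port-security max-mac-num N) and the default secure-MAC limit of 1 stated in the NOTE. The sample configuration embedded in it is a constructed copy of this example's configuration file with GE1/0/3 deliberately left unprotected.

```python
"""Audit a Huawei S-series configuration file for access ports that miss the
port security baseline of this example (added example, not Huawei code).

Assumptions: configuration blocks are delimited by lines containing only '#',
command spellings are those shown on this page, and the secure-MAC limit
defaults to 1 when port-security max-mac-num is absent."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the port security example's configuration file, with
# GE1/0/2 given max-mac-num 3 (PC behind an IP phone) and GE1/0/3 left
# without port security so that the audit has something to report.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 3
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
"""


@dataclass
class Port:
    name: str
    link_type: str = "default"  # the guide notes the default link type is not access
    security: bool = False      # port-security enable
    sticky: bool = False        # port-security mac-address sticky
    max_mac: int = 1            # port-security max-mac-num; default is 1 per the guide


_INTERFACE = re.compile(r"^interface\s+(\S+)$")
_MAX_MAC = re.compile(r"^port-security max-mac-num\s+(\d+)$")


def parse_ports(config_text: str) -> dict:
    """Split the configuration file into interface blocks and record the
    port-security related commands found in each block."""
    ports = {}
    current: Optional[Port] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":              # block delimiter: leave the current interface
            current = None
            continue
        m = _INTERFACE.match(line)
        if m:
            current = Port(name=m.group(1))
            ports[current.name] = current
            continue
        if current is None:          # global commands (sysname, vlan batch, ...)
            continue
        if line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line == "port-security enable":
            current.security = True
        elif line == "port-security mac-address sticky":
            current.sticky = True
        else:
            m = _MAX_MAC.match(line)
            if m:
                current.max_mac = int(m.group(1))
    return ports


def audit(config_text: str, max_allowed: int = 3) -> list:
    """Return (interface, finding) pairs for access ports that do not meet the
    baseline.  Trunk and other non-access ports are skipped: in this example
    port security is applied on the user-facing access ports only."""
    findings = []
    for port in parse_ports(config_text).values():
        if port.link_type != "access":
            continue
        if not port.security:
            findings.append((port.name, "port-security enable missing"))
            continue   # sticky MAC cannot be enabled without port security
        if not port.sticky:
            findings.append((port.name, "sticky MAC missing; secure MACs are lost on restart"))
        if port.max_mac > max_allowed:
            findings.append((port.name, f"max-mac-num {port.max_mac} exceeds {max_allowed}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

Run it against a configuration exported with display current-configuration; the default threshold of 3 reflects the IP phone case in the NOTE above, and lowering it to 1 on a switch with no IP phones also flags ports whose limit was raised beyond what a single PC needs.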
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-251, a company has three services: data query, email processing, and
file transfer. The three services have different priorities. When HostA and HostB
access servers of the three services, the services must be processed in descending
order of priority. Priority re-marking and queue scheduling can achieve this.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic classifiers to classify packets based on servers' IP addresses.
2. Configure traffic behaviors and define priority re-marking.
3. Configure a traffic policy and bind the traffic policy to the traffic classifiers
and traffic behaviors, and apply the traffic policy to GE1/0/1 in the inbound
direction to re-mark priorities of incoming packets.
4. Configure PQ on GE1/0/2 to schedule packets in descending order of priority.
Procedure
Step 1 Configure ACLs to classify packets based on servers' IP addresses.
# Configure advanced ACL 3001 to classify packets with the destination IP address
of 192.168.1.10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule permit ip destination 192.168.1.10 0.0.0.0
[SwitchA-acl-adv-3001] quit
# Configure advanced ACL 3002 to classify packets with the destination IP address
of 192.168.1.11.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule permit ip destination 192.168.1.11 0.0.0.0
[SwitchA-acl-adv-3002] quit
# Configure advanced ACL 3003 to classify packets with the destination IP address
of 192.168.1.12.
Step 4 Configure a traffic policy and bind the traffic classifiers and traffic behaviors to the
traffic policy.
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier dbserver behavior dbserver
[SwitchA-trafficpolicy-policy1] classifier mailserver behavior mailserver
[SwitchA-trafficpolicy-policy1] classifier ftpserver behavior ftpserver
[SwitchA-trafficpolicy-policy1] quit
Step 5 Apply the traffic policy to GE1/0/1 to re-mark priorities of incoming packets.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy policy1 inbound //Apply the traffic policy in the inbound
direction.
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
This example uses a configuration file containing the qos pq command on a fixed
switch as an example. On a modular switch, an interface queue uses PQ by default,
and the qos pq command is not contained in the configuration file.
● On the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-
X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI,
S5735S-H, S5736-S, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, perform
the following configurations.
[SwitchA] qos schedule-profile pqtemplate //Create a scheduling profile.
[SwitchA-qos-schedule-profile-pqtemplate] qos pq //Configure PQ scheduling.
[SwitchA-qos-schedule-profile-pqtemplate] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] qos schedule-profile pqtemplate //Apply the scheduling profile to
the interface.
[SwitchA-GigabitEthernet1/0/2] quit
# Check the traffic policy record. The traffic policy has been successfully applied to
GE1/0/1.
[SwitchA] display traffic-policy applied-record policy1
-------------------------------------------------
Policy Name: policy1
Policy Index: 0
Classifier:dbserver Behavior:dbserver
Classifier:mailserver Behavior:mailserver
Classifier:ftpserver Behavior:ftpserver
-------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.
----End
Configuration Files
● SwitchA configuration file (applicable to the S2700-52P-EI, S2700-52P-PWR-
EI, S2710-SI, S3700-EI, S3700-HI, S3700-SI, S5700-EI, S5700-HI, S5710-EI,
S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H,
S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6700-EI, S6720-
EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, S6730S-S, S7700, and
S9700)
#
sysname SwitchA
#
acl number 3001
rule 5 permit ip destination 192.168.1.10 0
acl number 3002
rule 5 permit ip destination 192.168.1.11 0
acl number 3003
rule 5 permit ip destination 192.168.1.12 0
#
traffic classifier dbserver operator and
if-match acl 3001
traffic classifier ftpserver operator and
if-match acl 3003
traffic classifier mailserver operator and
if-match acl 3002
#
traffic behavior dbserver
remark local-precedence af4
traffic behavior ftpserver
remark local-precedence af2
traffic behavior mailserver
remark local-precedence af3
#
traffic policy policy1 match-order config
classifier dbserver behavior dbserver
classifier mailserver behavior mailserver
classifier ftpserver behavior ftpserver
#
interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
#
interface GigabitEthernet1/0/2
qos pq
#
return
● SwitchA configuration file (applicable to the S2720-EI, S2750-EI, S5700-LI,
S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI,
S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S5735S-H, S5736-S, S6720-LI,
S6720S-LI, S6720S-SI, and S6720-SI)
#
sysname SwitchA
#
Overview
Interface-based rate limiting is easy to configure and limits the rate of all packets
sent or received on an interface regardless of packet type. An interface enabled
with this function can be assigned fixed bandwidth.
Interface-based rate limiting in the inbound and outbound directions can be
configured simultaneously or separately.
Configuration Notes
● This example applies to the following products and versions:
– S2752EI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1,S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-252, the Switch connects to the router through GE0/0/3, and
departments 1 and 2 are connected to the Switch through GE0/0/1 and GE0/0/2
respectively and access the Internet through the Switch and router.
Only one type of service is carried, so traffic does not need to be differentiated. Because
network bandwidth is limited, the bandwidth of each department needs to be limited.
Department 1 requires a CIR of 8 Mbit/s for its outbound (Internet-bound) traffic, and
department 2 requires a CIR of 5 Mbit/s for its outbound traffic. This traffic enters the
Switch on GE0/0/1 and GE0/0/2, so rate limiting is applied in the inbound direction of those
interfaces.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces of the Switch so that users can access the Internet.
2. Configure interface-based rate limiting on GE0/0/1 and GE0/0/2 of the Switch
in the inbound direction.
Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLAN 100, VLAN 200, and VLAN 300.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300
NOTE
On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24,
and configure sub-interfaces on the interface to terminate VLANs.
# Configure rate limiting on GE0/0/2 in the inbound direction and set the CIR to
5120 kbit/s (5 Mbit/s).
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos lr inbound cir 5120 //Limit the Internet-bound traffic of department 2,
which enters the Switch on this interface, to 5 Mbit/s.
[Switch-GigabitEthernet0/0/2] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos lr inbound cir 8192 cbs 1024000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos lr inbound cir 5120 cbs 640000
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
Configuration Notes
● This example applies to all modular switch models and versions.
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-253, the Switch connects to the router through GE2/0/1, and
departments 1 and 2 are connected to the Switch through GE1/0/1 and GE1/0/2
respectively and access the Internet through the Switch and router.
Only data services are transmitted on the network, so services do not need to be
differentiated. With finite network bandwidth, bandwidth of each department
needs to be limited. Department 1 requires the CIR of 8 Mbit/s and PIR of 10
Mbit/s, and department 2 requires the CIR of 5 Mbit/s and PIR of 8 Mbit/s.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet
through the Switch.
2. Create different CAR profiles and configure the CIRs and PIRs in the CAR
profiles, and apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in
the inbound direction to limit the rate of packets from different departments.
Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, and add GE1/0/1
to VLAN 100, GE1/0/2 to VLAN 200, and GE2/0/1 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk. The
default link type of the interface is not trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet2/0/1] quit
# Send traffic at rates of 6000 kbit/s, 9000 kbit/s, and 11000 kbit/s to GE1/0/1 and
GE1/0/2, and run the display qos car statistics command to view traffic statistics.
At 6000 kbit/s, all packets are forwarded on both interfaces, because the rate is below
the PIR of both car1 (10240 kbit/s) and car2 (8192 kbit/s). At 9000 kbit/s, all packets on
GE1/0/1 are forwarded, because the rate is still below the PIR of car1, but some packets
on GE1/0/2 are discarded, because the rate exceeds the PIR of car2: once the PBS burst
allowance of car2 is used up, the excess is marked red and dropped. At 11000 kbit/s, the
rate exceeds both PIRs, so some packets on both GE1/0/1 and GE1/0/2 are discarded.
Traffic between the CIR and the PIR is still forwarded.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
qos car car1 cir 8192 pir 10240 cbs 1024000 pbs 1280000
qos car car2 cir 5120 pir 8192 cbs 640000 pbs 1024000
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos car inbound car1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos car inbound car2
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
Overview
In a traffic policy, access control list (ACL) rules can be used to classify packets. An
ACL consists of one or more rules that match packets on conditions such as source
address, destination address, and port number. ACLs are classified as basic, advanced,
and Layer 2 ACLs; a basic ACL defines rules based on the source IP address, fragment
flag, and time range. Traffic policing is then configured in the traffic behavior to limit
the rate of matched packets.
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-254, the company has two departments, belonging to VLAN 10 and
VLAN 20, respectively. Some servers are deployed in VLAN 10 and high bandwidth
is required; employees need to access the Internet in VLAN 20 only and there are
no high requirements for bandwidth. The company purchases a 10 Mbit/s leased
line. The company requires the bandwidth for Internet access in VLAN 20 to be
between 2 Mbit/s and 4 Mbit/s, and traffic exceeding 4 Mbit/s is discarded.
Interface table (only one row survives on the page): GigabitEthernet1/0/2, VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. Configure an ACL on the Switch to match traffic from a specified network
segment.
3. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
4. Configure a traffic behavior on the Switch to limit the rate of matched traffic.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to GE1/0/1
connected to SwitchA in the inbound direction to implement rate limiting.
Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF
interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to
connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to
implement interworking.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
# Check the traffic policy applied to the interface. When the rate of packets from
network segment 192.168.2.0/24 exceeds 4 Mbit/s (the PIR), packet loss occurs, and the
rate of packets from the segment is limited to 4 Mbit/s. In the output below, the
Dropped and Car counters are equal, which confirms that every discarded packet was
dropped by CAR (marked red) and none by a filter action.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 82,455
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 53,385
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 29,070
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 29,070
| Bytes: -
---------------------------------------------------------------------
----End
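Both the interface-based CAR example above (car1 and car2 tested at 6000, 9000, and 11000 kbit/s) and the ACL-based behavior b1 in this example (cir 2048 pir 4096, discard when red) rely on the same mechanism: a two-rate, three-color marker in color-blind mode, where traffic up to the CIR is green, traffic between the CIR and the PIR is yellow, and traffic beyond the PIR (after the PBS burst allowance) is red and discarded. The following simulation is an added example, not Huawei code. It models that marker as the standard trTCM (RFC 2698) with a CIR/CBS bucket and a PIR/PBS bucket, using the units of the commands on this page (cir and pir in kbit/s, cbs and pbs in bytes); the switch's exact burst accounting may differ, so the drop fractions are illustrative, but the pass/drop outcomes at each rate reproduce what the page describes. The profiles are copied from the configuration files on this page; the packet size and test duration are assumptions.

```python
"""Simulate two-rate three-color CAR in color-blind mode for the CAR profiles
on this page (added example, not Huawei code).

Model: trTCM (RFC 2698).  Bucket C refills at CIR up to CBS, bucket P refills
at PIR up to PBS, both start full.  A packet larger than what P holds is red;
otherwise, if C cannot cover it, it is yellow; otherwise green.  With
'green pass yellow pass red discard', only red packets are dropped."""
from dataclasses import dataclass


@dataclass
class CarProfile:
    cir: int   # kbit/s
    pir: int   # kbit/s
    cbs: int   # bytes
    pbs: int   # bytes


# Profiles taken from this page's configuration files.
CAR1 = CarProfile(cir=8192, pir=10240, cbs=1024000, pbs=1280000)  # qos car car1
CAR2 = CarProfile(cir=5120, pir=8192, cbs=640000, pbs=1024000)    # qos car car2
B1 = CarProfile(cir=2048, pir=4096, cbs=256000, pbs=512000)       # traffic behavior b1


class TrTCM:
    """Color-blind two-rate three-color marker."""

    def __init__(self, p: CarProfile):
        self.c_rate = p.cir * 1000 / 8     # bytes per second
        self.p_rate = p.pir * 1000 / 8
        self.cbs, self.pbs = p.cbs, p.pbs
        self.tc, self.tp = float(p.cbs), float(p.pbs)   # buckets start full
        self.last = 0.0

    def color(self, size: int, now: float) -> str:
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.c_rate * elapsed)
        self.tp = min(self.pbs, self.tp + self.p_rate * elapsed)
        if self.tp < size:        # above PIR even after the peak burst: red
            return "red"
        self.tp -= size
        if self.tc < size:        # within PIR but above CIR: yellow
            return "yellow"
        self.tc -= size
        return "green"


def simulate(p: CarProfile, rate_kbps: int, seconds: float = 30.0, pkt: int = 1500) -> dict:
    """Offer a constant stream of pkt-byte packets at rate_kbps for `seconds`
    (assumed values) and count the colors.  drop_fraction is the red share."""
    marker = TrTCM(p)
    interval = pkt * 8 / (rate_kbps * 1000)   # seconds between packets
    counts = {"green": 0, "yellow": 0, "red": 0}
    n = int(seconds / interval)
    for i in range(n):
        counts[marker.color(pkt, i * interval)] += 1
    counts["drop_fraction"] = counts["red"] / n
    return counts


def expected_drop_fraction(p: CarProfile, rate_kbps: int, seconds: float = 30.0) -> float:
    """Long-run red share: bytes offered beyond PIR * t + PBS, over bytes offered."""
    offered = rate_kbps * 1000 / 8 * seconds
    allowed = p.pir * 1000 / 8 * seconds + p.pbs
    return max(0.0, offered - allowed) / offered


if __name__ == "__main__":
    for name, prof in (("car1", CAR1), ("car2", CAR2)):
        for rate in (6000, 9000, 11000):
            r = simulate(prof, rate)
            print(f"{name} @ {rate} kbit/s: green={r['green']} yellow={r['yellow']} "
                  f"red={r['red']} drop={r['drop_fraction']:.1%}")
```

The PBS term in expected_drop_fraction is why a short test can be misleading: at 9000 kbit/s car2 forwards everything for roughly ten seconds while its 1,024,000-byte peak bucket drains, and only then starts discarding. A display qos car statistics check taken too early after starting the traffic generator will therefore show no drops even though the rate exceeds the PIR.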
Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
car cir 2048 pir 4096 cbs 256000 pbs 512000 mode color-blind green pass yellow pass red discard
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-255, users connect to external network devices through GE2/0/1 of
the switch.
During work hours from 8:30 to 18:00, the Internet access rate of employees needs
to be limited to 4 Mbit/s.
Figure 3-255 Networking for configuring rate limiting in a specified time range
Configuration Roadmap
The traffic policy based on the time range is used to implement rate limiting. The
configuration roadmap is as follows:
1. Configure interfaces so that users can access the Internet through the Switch.
2. Configure a time range and reference the time range in an ACL.
3. Configure an ACL to match traffic passing the device in the specified time
range.
4. Configure a traffic policy to limit the rate of packets matching ACL rules.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them
to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit
NOTE
Configure the interface of the LSW connected to the Switch as a trunk interface and add it
to VLAN 10.
NOTE
On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24,
and configure a sub-interface on the interface to terminate the VLAN.
Step 2 Create a periodic time range working_time that defines work hours from 8:30 to
18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day //Define the work hours.
Step 3 Configure ACL 2001 and define three rules to limit the bandwidth of packets from
192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time //Limit the rate of
packets from 192.168.1.10 during work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time //Limit the rate of
packets from 192.168.1.11 during work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time //Limit the rate of
packets from 192.168.1.12 during work hours.
[Switch-acl-basic-2001] quit
Step 6 Configure a traffic policy and apply the traffic policy to GE1/0/1 in the inbound
direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
# Check the traffic policy applied to the interface. During work hours, when the rate of
packets from any of the three hosts arriving on GE1/0/1 exceeds 4 Mbit/s, packet loss
occurs; the rate of packets from each host is limited to 4 Mbit/s. Outside the time range
the ACL rules do not match, so the traffic policy has no effect and no rate limiting applies.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 38,761
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 25,534
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 13,227
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 13,227
| Bytes: -
---------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 2001
rule 5 permit source 192.168.1.10 0 time-range working_time
rule 10 permit source 192.168.1.11 0 time-range working_time
rule 15 permit source 192.168.1.12 0 time-range working_time
#
traffic classifier c1 operator or precedence 5
if-match acl 2001
#
traffic behavior b1
permit
car cir 4096 pir 4096 cbs 770048 pbs 1282048 mode color-blind green pass yellow pass red discard
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
Overview
In addition to an ACL, a traffic classifier in MQC defines many Layer 2 and Layer 3
matching rules such as the VLAN ID, 802.1p priority, DSCP priority, source MAC
address, and destination MAC address. You can configure different traffic
classifiers on the device to identify packets and configure actions for them such as
rate limiting, statistics, or mirroring.
In this example, traffic classifiers are configured based on VLAN IDs and different
CIR values are configured so that the device allocates different bandwidth to
service flows.
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-256, the Switch connects to the router through GE2/0/1, and the
enterprise connects to the Internet through the Switch and router.
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN
100 respectively.
Voice, video, and data services have QoS requirements in descending order of
priority. The Switch needs to re-mark DSCP priorities in different service packets so
that the downstream router processes them based on priorities, ensuring QoS of
different services.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that the enterprise can access the
Internet through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN
IDs.
3. Configure traffic behaviors on the Switch to limit the rate of packets and re-
mark DSCP priorities of packets.
4. Configure a traffic policy on the Switch, bind traffic behaviors and traffic
classifiers, and apply the traffic policy to the interface on the Switch
connected to the LSW.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100,
VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Switch, bind the traffic classifiers and traffic
behaviors to the traffic policy, and apply the traffic policy to GE1/0/1 in the
inbound direction to police packets and re-mark the packet priorities.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Classifier: c3
Precedence: 15
Operator: AND
Rule(s) : if-match vlan-id 100
Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match vlan-id 120
# Check the statistics of the traffic policy applied to the interface. Voice
packets (VLAN 120, matched by classifier c1) on GE1/0/1 are used as an example.
When their rate exceeds the PIR of 10000 kbit/s configured in behavior b1, the
excess packets are discarded (the Dropped and Car counters are equal), so voice
traffic is limited to 10000 kbit/s.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose classifier-base class c1
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 49,491
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 40,971
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 8,520
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 8,520
| Bytes: -
---------------------------------------------------------------------
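The following Python script is an added example; it is not part of this configuration guide or of Huawei's software. It models the color-blind two-rate policer behind the car action of behavior b1 (CIR 2000 kbit/s, PIR 10000 kbit/s, CBS 250000 bytes, PBS 1250000 bytes) after the two-rate three-color marker of RFC 2698, assuming both buckets start full and are refilled once per millisecond, and feeds it a constructed steady stream of 1500-byte packets. It shows why packets are discarded only once the rate exceeds the PIR, and why the Dropped counter above equals the Car counter: red packets are the only ones the behavior discards.

```python
from collections import Counter

# Traffic behavior b1 from the configuration above (rates in kbit/s, bursts in bytes).
B1 = dict(cir_kbps=2000, pir_kbps=10000, cbs_bytes=250000, pbs_bytes=1250000)


def trtcm_color_blind(arrivals, cir_kbps, pir_kbps, cbs_bytes, pbs_bytes):
    """Color-blind two-rate three-color marker (modelled on RFC 2698).

    arrivals[t] is the list of packet sizes in bytes that reach the policer in
    millisecond t. Both buckets start full and are refilled once per millisecond
    before that millisecond's packets are checked (assumption of this model).
    Returns a Counter of green/yellow/red packets and the bytes that passed,
    i.e. the effect of 'green pass yellow pass red discard'.
    """
    tc = cbs_bytes * 8          # committed bucket, in bits
    tp = pbs_bytes * 8          # peak bucket, in bits
    colors = Counter()
    passed_bytes = 0
    for packets in arrivals:
        tc = min(cbs_bytes * 8, tc + cir_kbps)   # kbit/s is exactly bits per ms
        tp = min(pbs_bytes * 8, tp + pir_kbps)
        for size in packets:
            bits = size * 8
            if tp < bits:
                colors["red"] += 1       # above PIR: discarded by the CAR action
            elif tc < bits:
                colors["yellow"] += 1    # between CIR and PIR: passes
                tp -= bits
                passed_bytes += size
            else:
                colors["green"] += 1     # within CIR: passes
                tc -= bits
                tp -= bits
                passed_bytes += size
    return colors, passed_bytes


def constant_rate(rate_kbps, pkt_bytes, duration_ms):
    """Constructed input: equal-size packets at a steady rate of rate_kbps."""
    arrivals, owed_bits = [], 0
    for _ in range(duration_ms):
        owed_bits += rate_kbps
        burst = []
        while owed_bits >= pkt_bytes * 8:
            owed_bits -= pkt_bytes * 8
            burst.append(pkt_bytes)
        arrivals.append(burst)
    return arrivals


def passed_rate_kbps(passed_bytes, duration_ms):
    """Average rate of the traffic the policer let through, in kbit/s."""
    return passed_bytes * 8 // duration_ms


if __name__ == "__main__":
    for rate in (8000, 10000, 12000):
        colors, passed = trtcm_color_blind(constant_rate(rate, 1500, 10_000), **B1)
        print(rate, "kbit/s offered:", dict(colors),
              "passed", passed_rate_kbps(passed, 10_000), "kbit/s")
```

At 12000 kbit/s the steady-state share of red packets is one in six (2000 of every 12000 kbit), which is exactly the excess over the PIR. The PBS bucket starts full, so a burst of up to 1250000 bytes above the PIR is let through before discards begin, and the rate measured over a short window sits slightly above 10000 kbit/s; a policy that must cap bursts tightly needs a smaller pbs.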
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and precedence 5
if-match vlan-id 120
traffic classifier c2 operator and precedence 10
if-match vlan-id 110
traffic classifier c3 operator and precedence 15
if-match vlan-id 100
#
traffic behavior b1
permit
car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b2
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return
Overview
Traffic shaping adjusts the rate of outgoing traffic to ensure even transmission.
Traffic shaping uses the buffer and token bucket to control traffic. When packets
are sent at a high rate, traffic shaping caches packets in the buffer and then
evenly sends these cached packets based on the token bucket.
Traffic shaping is often configured on the downstream device to prevent packet
loss caused by congestion. For example, the headquarters connects to its branch
through a leased line that has finite bandwidth. Traffic policing is configured on
the headquarters edge device to limit the packet sending rate. In this situation,
traffic shaping can be configured on the branch edge device to cache excess
packets, preventing packet loss.
Configuration Notes
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S,
S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-257, the Switch is connected to the router through GE2/0/1. The
802.1p priorities of voice, video, and data services are 6, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. The
transmission rate of traffic from the user LAN is higher than the transmission rate
of traffic from the router; therefore, jitter may occur on GE2/0/1. To prevent jitter
and ensure bandwidth of services, ensure that:
● The CIR of the interface is 10000 kbit/s.
● The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s
respectively.
● The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s
respectively.
● The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s
respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet
through the Switch.
2. Configure priority mapping to map 802.1p priorities of different service
packets to PHBs.
3. Configure traffic shaping on an interface to limit the total bandwidth of the
interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of
voice, video, and data services.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit
NOTE
On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24,
and configure a sub-interface on the interface to terminate the VLAN.
# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, and 2 to PHBs CS7,
EF, and AF2 respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb cs7 //Map the 802.1p priorities of the different service flows to
PHBs so that the service flows enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb ef
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af2
[Switch-dsdomain-ds1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] trust upstream ds1
[Switch-GigabitEthernet1/0/1] quit
# Configure traffic shaping on an interface of the Switch to limit the CIR of the
interface to 10000 kbit/s.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] qos lr cir 10000 outbound //Configure interface-based rate limiting in the
outbound direction to limit the total bandwidth.
# Configure traffic shaping on queues of the interface on the Switch to set the CIR
values of voice, video, and data services to 3000 kbit/s, 5000 kbit/s, and 2000
kbit/s respectively and their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000 kbit/s
respectively.
[Switch-GigabitEthernet2/0/1] qos queue 7 shaping cir 3000 pir 5000 //Voice packets (PHB CS7) enter queue 7
according to the default mapping between PHBs and local priorities; set their CIR to 3000 kbit/s and PIR to
5000 kbit/s.
[Switch-GigabitEthernet2/0/1] qos queue 5 shaping cir 5000 pir 8000
[Switch-GigabitEthernet2/0/1] qos queue 2 shaping cir 2000 pir 3000
[Switch-GigabitEthernet2/0/1] quit
[Switch] quit
# After the configuration is complete, the CIR of packets sent from GE2/0/1 is
10000 kbit/s; the CIR of the voice service packets is 3000 kbit/s and PIR is 5000
kbit/s; the CIR of the video service packets is 5000 kbit/s and the PIR is 8000
kbit/s; the CIR of the data service packets is 2000 kbit/s and the PIR is 3000 kbit/s.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
diffserv domain ds1
8021p-inbound 6 phb cs7 green
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 cbs 1250000 outbound
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 7 shaping cir 3000 pir 5000
#
return
Overview
Traffic shaping adjusts the rate of outgoing traffic to ensure even transmission.
Traffic shaping uses the buffer and token bucket to control traffic. When packets
are sent at a high rate, traffic shaping caches packets in the buffer and then
evenly sends these cached packets based on the token bucket.
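The following Python script is an added example; it is not part of this guide or of Huawei's software. It illustrates the point made in this Overview and in the Overview of the previous shaping example: a policer discards packets that find no tokens, while a shaper buffers them and sends them later at the token rate, so loss is replaced by delay. It assumes a single-rate token bucket refilled once per millisecond, a finite FIFO buffer counted in packets, and a constructed burst of 200 packets of 1500 bytes arriving within one millisecond; the cbs of 15000 bytes and the buffer depths are chosen for the illustration and are not values from the configuration.

```python
from collections import deque


def police(arrivals, cir_kbps, cbs_bytes):
    """Token-bucket policer: a packet that finds too few tokens is discarded.

    arrivals[t] lists the packet sizes in bytes arriving in millisecond t.
    Returns (passed, dropped) packet counts.
    """
    cap = cbs_bytes * 8
    tokens, passed, dropped = cap, 0, 0
    for packets in arrivals:
        tokens = min(cap, tokens + cir_kbps)       # kbit/s is exactly bits per ms
        for size in packets:
            if tokens >= size * 8:
                tokens -= size * 8
                passed += 1
            else:
                dropped += 1
    return passed, dropped


def shape(arrivals, cir_kbps, cbs_bytes, buffer_pkts):
    """Token-bucket shaper: a packet that finds too few tokens waits in a FIFO
    buffer and is sent once tokens accrue. Only a full buffer causes loss.

    Returns (packets sent per ms, dropped count, worst queueing delay in ms).
    """
    cap = cbs_bytes * 8
    tokens, dropped, max_delay = cap, 0, 0
    buf = deque()                                  # entries: (arrival_ms, size)
    sent_per_ms = []
    for t, packets in enumerate(arrivals):
        tokens = min(cap, tokens + cir_kbps)
        for size in packets:
            if len(buf) < buffer_pkts:
                buf.append((t, size))
            else:
                dropped += 1                       # tail drop: buffer is full
        sent = 0
        while buf and tokens >= buf[0][1] * 8:     # drain in order while tokens last
            arrived, size = buf.popleft()
            tokens -= size * 8
            sent += 1
            max_delay = max(max_delay, t - arrived)
        sent_per_ms.append(sent)
    return sent_per_ms, dropped, max_delay


def burst(n_pkts, pkt_bytes, quiet_ms):
    """Constructed input: n_pkts packets in the first millisecond, then silence."""
    return [[pkt_bytes] * n_pkts] + [[] for _ in range(quiet_ms)]


if __name__ == "__main__":
    load = burst(200, 1500, 399)
    print("policer (passed, dropped):", police(load, 10000, 15000))
    sent, dropped, delay = shape(load, 10000, 15000, 300)
    print("shaper: sent", sum(sent), "dropped", dropped, "worst delay", delay, "ms")
```

With the same 10000 kbit/s rate and cbs, the policer passes the ten packets the bucket can cover and discards the other 190, while the shaper with enough buffer delivers all 200 at one packet per 1.2 ms, the last one 228 ms late. Shrinking the buffer to 100 packets brings tail drops back, which is the trade-off to keep in mind when sizing queue buffers for delay-sensitive traffic.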
Configuration Notes
● This example applies to the following products:
– S2752EI, S2720-EI, S2750-EI
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-258, the Switch is connected to the router through GE0/0/2. The
802.1p priorities of voice, video, and data services are 6, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. The
transmission rate of traffic from the user LAN is higher than the transmission rate
of traffic from the router; therefore, jitter may occur on GE0/0/2. To prevent jitter
and ensure bandwidth of services, ensure that:
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that users can access the Internet
through the Switch.
2. Configure an interface to trust 802.1p priorities of packets.
3. Configure traffic shaping on an interface to limit the bandwidth of the
interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of
voice, video, and data services.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
NOTE
On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24,
and configure a sub-interface on the interface to terminate the VLAN.
# Configure traffic shaping on an interface of the Switch to limit the CIR of the
interface to 10000 kbit/s.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos lr outbound cir 10000 //Configure interface-based rate limiting in the
outbound direction to limit the total bandwidth.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust 8021p
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
qos lr outbound cir 10000 cbs 1250000
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 6 shaping cir 3000 pir 5000
#
return
Overview
Congestion management implements queuing and scheduling when sending
packet flows. The device provides the following congestion management
technologies: Priority Queuing (PQ), Weighted Deficit Round Robin (WDRR),
Weighted Round Robin (WRR), PQ+WDRR, and PQ+WRR. The device has eight
queues on each interface in the outbound direction, which are identified by index
numbers 0 to 7. Based on the mappings between local priorities and queues, the
device sends the classified packets to queues, and then schedules the packets
using queue scheduling mechanisms.
This example uses PQ+WRR to implement congestion management. A queue with
weight 0 is scheduled by PQ and is always served before the WRR queues. In WRR
scheduling, the device polls the remaining queues according to the weight of
each queue: the number of times packets are scheduled from a queue is directly
proportional to its weight, so a higher weight means more scheduling
opportunities.
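The following Python script is an added example; it is not part of this guide or of Huawei's software. It models PQ+WRR with the weights this example configures in scheduling profile p1 (queue 7 weight 0, queue 5 weight 20, queue 2 weight 10) the way the Overview describes it: the weight-0 queue is served strictly first, and the remaining queues are polled with a number of packets per round proportional to their weights. The per-round link budget and the packet arrivals are constructed assumptions, and scheduling is counted in packets rather than bytes. The second scenario shows the failure mode a PQ queue brings: if voice alone can fill the link, video and data are starved, which is why the shaping examples above cap the voice queue with qos queue 7 shaping.

```python
from collections import deque

# Scheduling profile p1 from this example: weight 0 selects PQ for queue 7,
# queues 5 and 2 share the remaining bandwidth by WRR in a 20:10 ratio.
WEIGHTS = {7: 0, 5: 20, 2: 10}


def pq_wrr_round(queues, weights, link_budget):
    """One scheduling round on a link that can send link_budget packets.

    PQ queues (weight 0) are drained first, highest index first. Whatever
    budget is left goes to the WRR queues, each of which may send up to its
    weight in packets per round. Returns packets sent per queue in this round.
    """
    sent = {q: 0 for q in weights}
    pq_queues = sorted((q for q, w in weights.items() if w == 0), reverse=True)
    wrr_queues = sorted((q for q, w in weights.items() if w > 0), reverse=True)
    for q in pq_queues:
        while link_budget and queues[q]:
            queues[q].popleft()
            sent[q] += 1
            link_budget -= 1
    for q in wrr_queues:
        quota = weights[q]
        while link_budget and quota and queues[q]:
            queues[q].popleft()
            sent[q] += 1
            link_budget -= 1
            quota -= 1
    return sent


def simulate(arrivals_per_round, weights, link_budget, rounds):
    """arrivals_per_round maps queue -> packets that enter it before every
    round (constructed load). Returns (total sent per queue, packets left queued).
    """
    queues = {q: deque() for q in weights}
    total = {q: 0 for q in weights}
    for _ in range(rounds):
        for q, n in arrivals_per_round.items():
            queues[q].extend(range(n))
        for q, n in pq_wrr_round(queues, weights, link_budget).items():
            total[q] += n
    return total, {q: len(dq) for q, dq in queues.items()}


if __name__ == "__main__":
    # Moderate voice load: voice goes first, video and data split the rest 2:1.
    print(simulate({7: 5, 5: 40, 2: 40}, WEIGHTS, link_budget=35, rounds=10))
    # Voice alone exceeds the link: the PQ queue starves both WRR queues.
    print(simulate({7: 40, 5: 40, 2: 40}, WEIGHTS, link_budget=35, rounds=10))
```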
Configuration Notes
● This example applies to the following products:
– S2720-EI, S2750-EI
– S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720-LI, S5720S-
LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S5736-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-259, the Switch is connected to the router through GE0/0/3. The
802.1p priorities of voice, video, and data services are 7, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. To reduce
the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to the following table.
Service   PHB   WRR weight
Voice     CS7   0 (PQ)
Video     EF    20
Data      AF2   10
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure an interface to trust 802.1p priorities of packets.
3. Configure a scheduling profile and apply the scheduling profile to the
interface.
Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/3] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30
trust 8021p
#
qos schedule-profile p1
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
return
Overview
Congestion management implements queuing and scheduling when sending
packet flows. The device provides the following congestion management
technologies: Priority Queuing (PQ), Weighted Deficit Round Robin (WDRR),
Weighted Round Robin (WRR), PQ+WDRR, and PQ+WRR. The device has eight
queues on each interface in the outbound direction, which are identified by index
numbers 0 to 7. Based on the mappings between local priorities and queues, the
device sends the classified packets to queues, and then schedules the packets
using queue scheduling mechanisms.
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI
– S3700-SI, S3700-EI
– S5700-EI
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-260, the Switch is connected to the router through GE0/0/3. The
802.1p priorities of voice, video, and data services are 7, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. To reduce
the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to the following table.
Service   PHB   WRR weight
Voice     CS7   0 (PQ)
Video     EF    20
Data      AF2   10
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure an interface to trust 802.1p priorities of packets.
3. Set scheduling parameters of queues.
4. Set SRED drop thresholds and maximum drop probability of queues.
Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/3] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue 5 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue 7 red 500 discard-probability 1 yellow 1000 discard-probability 4
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos queue 2 wrr weight 10
Overview
Congestion management implements queuing and scheduling when sending
packet flows. Based on the queuing and scheduling policies, the device provides
the following congestion management technologies: Priority Queuing (PQ),
Weighted Deficit Round Robin (WDRR), Weighted Round Robin (WRR), PQ
+WDRR, and PQ+WRR. The device has eight queues on each interface in the
outbound direction, which are identified by index numbers 0 to 7. Based on the
mappings between local priorities and queues, the device sends the classified
packets to queues, and then schedules the packets using queue scheduling
mechanisms.
Configuration Notes
● This example applies to the following products:
– S3700-HI
– S5700-HI, S5710-EI, S5720-EI, S5710-HI
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-261, the Switch is connected to the router through GE2/0/1. The
802.1p priorities of voice, video, and data services from the Internet are 6, 5, and
2, respectively, and these services can reach residential users through the router
and Switch. On the Switch, the rate of GE2/0/1 (inbound interface) is higher than
the rates of GE1/0/1 and GE1/0/2 (outbound interfaces), so congestion may occur
on the two outbound interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-
priority and delay-sensitive services, set parameters according to Table 3-157 and
Table 3-158.
Table 3-157
Service   Color    Low threshold (%)   High threshold (%)   Drop probability (%)
Video     Yellow   60                  80                   20
Data      Red      40                  60                   40
Table 3-158
Service   PHB   WRR weight
Voice     EF    0 (PQ)
Data      AF1   50
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different
service packets to PHBs and colors, and bind the DiffServ domain to the
inbound interface of the Switch.
3. Configure a WRED profile on the Switch and apply the WRED profile to the
outbound interfaces.
4. Set scheduling parameters of each queue on the outbound interface of the
Switch.
Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 5 6
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/2] quit
# Apply the WRED profile wred1 to GE1/0/1 and GE1/0/2 on the Switch.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/2] quit
----End
Configuration Files
● Switch configuration file (modular switch)
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
Configuration Notes
● On fixed switches except the following switches in specified versions, if the
permit action is configured in the traffic behavior view, CPCAR may become
invalid:
– S5720-HI in V200R006C00 and later versions
– S5720-EI and S6720-EI in V200R008C00 and later versions
– S6720S-EI in V200R009C00 and later versions
– S5730-HI and S6720-HI in V200R012C00 and later versions
– S5731-H and S6730-H in V200R013C02 and later versions
– S5731-S, S5731S-S, S6730-S, S6730S-S, S5731S-H, and S5732-H in
V200R019C00 and later versions
– S6730S-H in V200R019C10 and later versions
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-262, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. Servers are deployed in VLAN 10 to provide services for
internal and external users, and office services of employees are transmitted in
VLAN 20. The company requires that employees in VLAN 20 access only servers in
VLAN 10 during the working time (8:00 to 18:00).
Figure 3-262 Preventing employees from accessing the Internet at the specified time
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. On the Switch, configure a time range 8:00-18:00 from Monday to Friday so
that the device can control traffic based on the time range.
3. On the Switch, configure an ACL to match the traffic when employees in
VLAN 20 access servers in VLAN 10 based on the time range.
4. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
5. Configure a traffic behavior on the Switch to permit matched traffic to pass
through.
6. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to the inbound
direction of GE1/0/1 connected to SwitchA so that employees in VLAN 20
cannot access the Internet during the working time and can access the
Internet during the non-working time.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
# Configure an ACL on the Switch and define rules that permit and deny traffic.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
time-range worktime //Configure an ACL rule to permit users in VLAN 20 to access servers in VLAN 10
during the working time.
[Switch-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255 time-range worktime //Configure an
ACL rule to prevent users in VLAN 20 from accessing the public network during the working time.
[Switch-acl-adv-3000] quit
# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
Step 6 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
NOTE
If the time of the device is within the defined time range, the time range in the ACL rule is
displayed as Active; otherwise, the time range in the ACL rule is displayed as Inactive.
# Employees in VLAN 20 cannot access the public network during the working
time, and can access servers in VLAN 10.
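The following Python script is an added example; it is not part of this guide or of Huawei's software. It models how ACL 3000 with the time range from the roadmap (08:00 to 18:00, Monday to Friday) decides the fate of a packet at a given clock time, so the Active/Inactive note above can be reasoned through for the three cases that matter: host to server, host to Internet, and traffic the ACL does not cover. The host, server and Internet addresses are constructed, and the rule semantics the model assumes (a matching permit rule passes the packet, a matching deny rule discards it, an unmatched packet is forwarded as if no policy existed) are stated in the code rather than verified against a device.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Time range from the roadmap: 08:00-18:00 on working days (weekday() 0-4 is Mon-Fri).
WORKTIME = {"start": (8, 0), "end": (18, 0), "weekdays": {0, 1, 2, 3, 4}}

# ACL 3000 from the procedure, in configuration order. The deny rule has no
# destination keyword, so its destination is any address.
ACL_3000 = [
    {"action": "permit", "src": "192.168.2.0/24", "dst": "192.168.1.0/24", "time_range": WORKTIME},
    {"action": "deny",   "src": "192.168.2.0/24", "dst": "0.0.0.0/0",     "time_range": WORKTIME},
]


def time_range_active(tr, now):
    """Equivalent of the Active/Inactive state shown for the rule's time range."""
    if now.weekday() not in tr["weekdays"]:
        return False
    start = now.replace(hour=tr["start"][0], minute=tr["start"][1], second=0, microsecond=0)
    end = now.replace(hour=tr["end"][0], minute=tr["end"][1], second=0, microsecond=0)
    return start <= now < end


def classify(acl, src, dst, now):
    """First active rule that matches decides the packet.

    Assumed semantics of the traffic policy (modelled, not verified on a
    device): 'permit' passes, 'deny' discards, and a packet that matches no
    active rule is forwarded as if no policy were applied.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule["time_range"] is not None and not time_range_active(rule["time_range"], now):
            continue                      # rule is Inactive outside the time range
        if s in ip_network(rule["src"]) and d in ip_network(rule["dst"]):
            return rule["action"]
    return "forward"


def policy_matrix(now):
    """Constructed addresses: a VLAN 20 host, the VLAN 10 server and an
    Internet address taken from the documentation range."""
    host, server, internet = "192.168.2.200", "192.168.1.100", "203.0.113.10"
    return {
        "host->server": classify(ACL_3000, host, server, now),
        "host->internet": classify(ACL_3000, host, internet, now),
        "server->internet": classify(ACL_3000, server, internet, now),
    }


if __name__ == "__main__":
    for label, when in (("Tuesday 10:00", datetime(2024, 3, 5, 10, 0)),
                        ("Tuesday 19:00", datetime(2024, 3, 5, 19, 0)),
                        ("Saturday 10:00", datetime(2024, 3, 9, 10, 0))):
        print(label, policy_matrix(when))
```

Two points follow from the model. The rules are evaluated against the switch's own clock, so if the clock is wrong the time range is Inactive and the deny rule silently stops applying; keep the device's time synchronized and confirm with display acl 3000 that the range shows Active during working hours. And the policy is not default-deny: traffic the ACL does not match, including everything from VLAN 10, is forwarded as usual.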
----End
Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 40
#
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-263, the PC cannot access the server. The device where data flows
pass needs to be configured to collect statistics on ping packets so that the fault
point can be located.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to ensure network connectivity.
2. Configure ACLs to match ICMP packets exchanged between the PC and server.
3. Configure traffic classifiers to classify packets based on the ACLs.
4. Configure traffic behaviors and define the traffic statistics action.
5. Configure traffic policies, bind the traffic classifiers and traffic behaviors to
the traffic policies, and apply the traffic policies to inbound and outbound
directions of GE1/0/1 and GE1/0/2 of the Switch.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the PC's gateway address 10.1.1.2/24 for the interface of the router
connected to the Switch, and configure the IP address 10.1.2.1/24 for the interface
of the router connected to the server.
# Configure ACL rules on the Switch to match ICMP packets exchanged between
the PC and server.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 //Configure an ACL
rule to permit packets from the PC to the server.
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit icmp source 10.1.2.10 0 destination 10.1.1.1 0 //Configure an ACL
rule to permit packets from the server to the PC.
[Switch-acl-adv-3002] quit
# Configure traffic classifiers on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit
# Configure traffic behaviors on the Switch and define the traffic statistics action
in the traffic behaviors.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit
Step 5 Configure traffic policies and apply the traffic policies to interfaces.
# Create traffic policies p1 and p2 on the Switch, bind the traffic behaviors and
traffic classifiers to the traffic policies, apply the traffic policy p1 to the inbound
direction of GE1/0/1 and outbound direction of GE1/0/2, and apply the traffic
policy p2 to the outbound direction of GE1/0/1 and inbound direction of GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] traffic policy p2
[Switch-trafficpolicy-p2] classifier c2 behavior b2
[Switch-trafficpolicy-p2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] traffic-policy p2 outbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
[Switch-GigabitEthernet1/0/2] quit
NOTE
In V200R009 and later versions, (match-counter 0) is not displayed in the display acl
command output.
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable
# Ping the server from the PC and check the traffic statistics in the inbound and
outbound directions of GE1/0/1 and GE1/0/2 on the Switch. Here, check the traffic
statistics in the inbound direction of GE1/0/1.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Matched indicates the numbers of packets and bytes matching the traffic
classifier, and Passed indicates the numbers of forwarded packets and bytes
matching the traffic classifier. The following table describes the traffic statistics.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
acl number 3001
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0
acl number 3002
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3001
traffic classifier c2 operator and precedence 10
if-match acl 3002
#
traffic behavior b1
permit
statistic enable
traffic behavior b2
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
traffic policy p2 match-order config
classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy p1 inbound
traffic-policy p2 outbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
traffic-policy p2 inbound
traffic-policy p1 outbound
#
return
Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-264, the company has two departments, belonging to VLAN 10 and
VLAN 20, respectively. The network administrator wants to determine whether the
host at 192.168.2.200/24 in VLAN 20 can access the server at 192.168.1.100/24 in
VLAN 10.
[Figure 3-264 data, table fragment: GigabitEthernet1/0/2 | VLAN 20 | - | -]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking.
2. Configure an ACL on the Switch to match specified traffic.
3. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
4. Configure a traffic behavior on the Switch to collect statistics on matched
packets.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to GE1/0/1
connected to SwitchA in the inbound direction.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to implement interworking.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Matched indicates the numbers of packets and bytes matching the traffic
classifier, and Passed indicates the numbers of forwarded packets and bytes
matching the traffic classifier. If the values of Matched and Passed are not 0, the
host at 192.168.2.200 in VLAN 20 has accessed the server at 192.168.1.100 in
VLAN 10.
----End
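To automate the check described above, here is an added Python example (not from the configuration guide) that parses the display traffic policy statistics output into per-row counters and applies the rule that non-zero Matched and Passed values mean the host reached the server. The sample output is constructed, with non-zero counters so the check has something to evaluate, and omits the Filter and Car rows.

```python
import re

# Constructed sample of the "display traffic policy statistics" output. Continuation
# lines carry only "| Field: value" and belong to the row named on the line above them.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 12
        | Bytes: 1176
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 12
       | Bytes: 1176
       | Rate(pps): 0
       | Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
        | Bytes: 0
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
"""

HEADER_RE = re.compile(r"^(\w[\w ]*?):\s*(.+)$")          # "Interface: GE1/0/1", "Board : 1"
ROW_RE = re.compile(r"^(\w+)?\s*\|\s*([\w()]+):\s*(\d+)$")  # "Matched | Packets: 12", "| Bytes: 1176"

def parse_policy_statistics(text):
    """Return {'header': {...}, 'counters': {'Matched': {'Packets': 12, ...}, ...}}."""
    header, counters, current = {}, {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row, field, value = m.groups()
            if row:                      # first line of a row names it
                current = row
                counters[current] = {}
            counters[current][field] = int(value)
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1).strip()] = m.group(2).strip()
    return {"header": header, "counters": counters}

def host_reached_server(stats):
    """The check from the example: non-zero Matched and Passed means the flow occurred."""
    c = stats["counters"]
    return c["Matched"]["Packets"] > 0 and c["Passed"]["Packets"] > 0

def dropped_by_policy(stats):
    """Companion check for a deny behavior: traffic matched the classifier and was dropped."""
    c = stats["counters"]
    return c["Matched"]["Packets"] > 0 and c["Dropped"]["Packets"] > 0
```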
Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
Overview
When the same traffic classification rules need to be configured, and the same
action taken for packets matching them, on different interfaces or in different
VLANs, you can save ACL resources by configuring the device to classify packets
based on ACL rules, re-mark the flow ID of each type of packet, and then classify
packets based on the flow ID, so that all packets carrying the same flow ID are
processed in the same manner.
Assume that M ACLs are configured on the device to distinguish services and that
each ACL contains N rules. Traffic classifiers classify packets based on these ACL
rules, and the traffic policy containing them is applied to X interfaces. If flow ID
re-marking and flow-ID-based matching are not configured, applying the traffic
policy occupies M*N*X ACL resources. If they are configured, applying the traffic
policy occupies only M*(N+X) ACL resources.
In this example, the device is configured to re-mark flow IDs of packets matching
ACL rules, to classify packets based on flow IDs, and to permit or deny packets
matching rules to limit the access.
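The two-stage classification described in this overview, modelled as an added Python example (not from the configuration guide): stage 1 matches the ACLs configured in the procedure below and re-marks a flow ID, and stage 2 matches the flow ID on the guest-facing interfaces and permits or denies. The flow-ID numbers, the permit/deny actions and the interface names are assumptions, since the corresponding steps are not reproduced on this page; acl_resources() carries the M*N*X versus M*(N+X) comparison.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two-stage classification used in this example.
# Stage 1 (policy "flow-id", applied globally inbound): ACL match -> re-mark a flow ID.
# Stage 2 (policy "access_policy", on the guest-facing ports): flow ID -> permit/deny.
# The ACL rules are the ones in the procedure; the flow-ID numbers and the permit/deny
# actions are assumptions, because Steps 2-4 and 6-7 are not shown on this page.

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# (classifier, destination network or None for any, destination ports, assumed flow ID)
STAGE1 = [
    ("non-access-finance", "10.1.7.0/24", {20, 21}, 2),
    ("access-file", "10.1.6.0/24", {20, 21}, 3),
    ("access-internet", None, {80}, 4),
]
# Assumed stage-2 actions: "non-access-*" classifiers deny, the others permit.
STAGE2 = {2: "deny", 3: "permit", 4: "permit"}
# access_policy is applied only to the guest-facing interfaces GE1/0/1 to GE1/0/3.
GUEST_PORTS = {"GE1/0/1", "GE1/0/2", "GE1/0/3"}

def remark_flow_id(pkt):
    """Stage 1: flow ID re-marked by the first matching ACL, or None if no ACL matches."""
    for _name, net, ports, flow_id in STAGE1:
        if pkt.proto != "tcp" or pkt.dst_port not in ports:
            continue
        if net is None or ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(net):
            return flow_id
    return None

def access_decision(pkt, ingress):
    """Stage 2 on a given ingress port: 'permit', 'deny', 'no-match' or 'no-policy'."""
    if ingress not in GUEST_PORTS:
        return "no-policy"          # access_policy is not applied on this port
    # Unmatched traffic ("no-match") is forwarded by default, not dropped.
    return STAGE2.get(remark_flow_id(pkt), "no-match")

def acl_resources(m, n, x, with_flow_id):
    """ACL entries used by M ACLs of N rules on X interfaces (formula from the Overview)."""
    return m * (n + x) if with_flow_id else m * n * x
```

With only the rules shown on this page, a TCP port 80 packet to 10.1.7.0/24 matches access-internet and is permitted, so verify the finance ACL against the intended policy before relying on the deny.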
Configuration Notes
● This example applies to the following products and versions:
– S5720-EI: V200R008C00 and later versions
– S5720-HI, S5730-HI, S5731-H, S6720-HI, S6730-H: V200R019C00 and
later versions
– S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
– S6720-EI, S6720S-EI, S6730-S, S6730S-S, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S9703, S9706, S9712: V200R008C00 and later
versions
– S7703 PoE, S7706 PoE: For the applicable versions, see Table 3-1 in the
section "Applicable Products and Versions."
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
Networking Requirements
In Figure 3-265, the Switch connects to SwitchA, and SwitchA connects to the
router. Guests can connect to the enterprise network in the guest areas of office
buildings 1, 2, and 3. Guests can access the public file server and the Internet, but
cannot access the confidential file server or the financial department server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol so that the
enterprise can access the Internet.
2. Configure ACLs on the Switch to match packets from guest areas.
3. Configure traffic classifiers on the Switch to classify packets based on ACLs.
4. Configure traffic behaviors on the Switch to re-mark flow IDs of packets
matching ACLs.
5. Configure a traffic policy that contains flow ID re-marking on the Switch, bind
the traffic behaviors and traffic classifiers to the traffic policy, and apply the
traffic policy to the Switch globally in the inbound direction.
6. Configure traffic classifiers on the Switch to classify packets from guest areas
based on flow IDs.
7. Configure traffic behaviors on the Switch to permit or reject packets from
guest areas to implement access control.
8. Configure a traffic policy for access control on the Switch, bind the traffic
behaviors and traffic classifiers to the traffic policy, and apply the traffic policy
to the interfaces on the Switch connected to guest areas in the inbound
direction.
Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol (the static route is
used here).
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the interface as an access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 30
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface.
[Switch-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30 40
[Switch-GigabitEthernet1/0/4] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 10.1.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.4.1 255.255.255.0
[Switch-Vlanif40] quit
[Switch] ip route-static 10.1.5.0 255.255.255.0 10.1.4.2 //Configure a static route.
[Switch] ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.8.0 255.255.255.0 10.1.4.2
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 40 50 60 70 80 //Create VLAN 40 to VLAN 80.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk //Configure the interface as a trunk interface.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 40 50 60 70 80
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access //Configure the interface as an access interface.
[SwitchA-GigabitEthernet1/0/2] port default vlan 50
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 60
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 70
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type access
[SwitchA-GigabitEthernet1/0/5] port default vlan 80
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 40 //Create a VLANIF interface.
[SwitchA-Vlanif40] ip address 10.1.4.2 255.255.255.0 //Configure an IP address for the VLANIF interface.
[SwitchA-Vlanif40] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 10.1.5.1 255.255.255.0
[SwitchA-Vlanif50] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.1.6.1 255.255.255.0
[SwitchA-Vlanif60] quit
[SwitchA] interface vlanif 70
[SwitchA-Vlanif70] ip address 10.1.7.1 255.255.255.0
[SwitchA-Vlanif70] quit
[SwitchA] interface vlanif 80
[SwitchA-Vlanif80] ip address 10.1.8.1 255.255.255.0
[SwitchA-Vlanif80] quit
[SwitchA] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1 //Configure a static route.
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 10.1.4.1
# Configure an ACL rule to match packets sent from the guest area to the
financial department server.
[Switch] acl name non-access-finance
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] quit
# Configure an ACL rule to match packets sent from the guest area to the public
file server.
[Switch] acl name access-file
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] quit
# Configure an ACL rule to match packets sent from the guest area to the
external network.
[Switch] acl name access-internet
[Switch-acl-adv-access-internet] rule permit tcp destination-port eq 80
[Switch-acl-adv-access-internet] quit
Step 5 Configure a traffic policy that contains flow ID re-marking and apply the traffic
policy globally in the inbound direction.
# Create the traffic policy flow-id on the Switch, bind the traffic classifiers and
traffic behaviors to the traffic policy, and apply the traffic policy globally in the
inbound direction.
[Switch] traffic policy flow-id
[Switch-trafficpolicy-flow-id] classifier non-access-file behavior non-access-file
[Switch-trafficpolicy-flow-id] classifier non-access-finance behavior non-access-finance
[Switch-trafficpolicy-flow-id] classifier access-file behavior access-file
[Switch-trafficpolicy-flow-id] classifier access-internet behavior access-internet
[Switch-trafficpolicy-flow-id] quit
[Switch] traffic-policy flow-id global inbound
Step 8 Configure a traffic policy for access control and apply the traffic policy to an
interface.
# Create the traffic policy access_policy on the Switch, bind the traffic behaviors
and traffic classifiers to the traffic policy, and apply the traffic policy to GE1/0/1,
GE1/0/2, and GE1/0/3 in the inbound direction to limit access of guest areas.
[Switch] traffic policy access_policy
[Switch-trafficpolicy-access_policy] classifier flow-id1 behavior flow-id1
[Switch-trafficpolicy-access_policy] classifier flow-id2 behavior flow-id2
[Switch-trafficpolicy-access_policy] classifier flow-id3 behavior flow-id3
Classifier: flow-id2
Precedence: 30
Operator: AND
Rule(s) : if-match flow-id 2
Classifier: flow-id3
Precedence: 35
Operator: AND
Rule(s) : if-match flow-id 3
Classifier: flow-id4
Precedence: 40
Operator: AND
Rule(s) : if-match flow-id 4
Classifier: non-access-file
Precedence: 5
Oper