Huawei Certification HCDA Lab Guide v1.5
Huawei Certification
HCDA-HNTD
Huawei Networking Technology and Device Lab Guide
HUAWEI TECHNOLOGIES
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Referenced icon
Router
L3 Switch
L2 Switch
Firewall
Net cloud
Ethernet line
Serial line
Identifier  Device             OS version
R1          AR 2220            Version 5.90 (V200R001C01SPC300)
R2          AR 2220            Version 5.90 (V200R001C01SPC300)
R3          AR 2220            Version 5.90 (V200R001C01SPC300)
S1          S5700-28C-EI-24S   Version 5.70 (V100R006C00SPC800)
S2          S5700-28C-EI-24S   Version 5.70 (V100R006C00SPC800)
S3          S3700-28TP-EI-AC   Version 5.70 (V100R006C00SPC800)
S4          S3700-28TP-EI-AC   Version 5.70 (V100R006C00SPC800)
FW          Eudemon 200E-X2    Version 5.30 (V100R005C00SPC100)
CONTENTS
Chapter 1 Basic Operations on the VRP Platform
  Lab 1-1 Basic Operations on the VRP Platform
Chapter 2 Configuring Static Routes and Default Routes
  Lab 2-1 Configuring Static Routes and Default Routes
Chapter 3 RIP Configuration
  Lab 3-1 Configuring RIPv1 and RIPv2
  Lab 3-2 RIPv2 Route Aggregation and Authentication
Chapter 4 OSPF Configuration
  Lab 4-1 OSPF Single-area Configuration
  Lab 4-2 OSPF Multi-area and Authentication Configuration
Chapter 5 RIP and OSPF Route Import
  Lab 5-1 RIP and OSPF Route Import
Chapter 6 Ethernet and STP
  Lab 6-1 Ethernet Interface and Link Configuration
  Lab 6-2 STP Configuration
  Lab 6-3 VLAN Configuration
Chapter 7 Layer3 Configuration and VRRP
  Lab 7-1 Configuring Layer 3 Switching
  Lab 7-2 Configuring the VRRP
Chapter 8 WAN Configuration
  Lab 8-1 HDLC and PPP Configuration
  Lab 8-2 FR Configuration (Back to Back)
  Lab 8-3 FR Configuration (Using FR Switch)
Chapter 9 Firewall Configuration
  Lab 9-1 Eudemon Firewall Configuration
  Lab 9-2 Packet Filtering Configuration
  Lab 9-3 Eudemon Firewall Zone Configuration
  Lab 9-4 NAT Configuration on the Eudemon Firewall
Chapter 10 Comprehensive Exercise
  Lab 10-1 Comprehensive Exercise
router using the Windows built-in terminal software.
Configure a device name, time, and time zone.
Configure the value for Console port idle timeout.
Configure the login information.
Configure the login password and super password.
Save and delete a configuration file.
Configure IP addresses for router interfaces.
Test the connectivity between two routers that are connected directly.
Control a router after using Telnet to another router.
Copy configuration files from one router to another using File
Topology
Figure 1.1 Lab topology of the basic operations on the VRP platform
Scenario
A company purchases two AR G3 routers. You need to commission the two AR G3 routers before using them. Items to be commissioned include configuration modes, device names, time, passwords, file management, and restart operations.
This step describes how to connect to a router using the Windows XP built-in HyperTerminal. Connect a PC to a router using a console cable. Run a terminal emulation program such as Windows XP HyperTerminal on the PC to create a connection, as shown in Figure 3.1. The name and icon provided in the figure are only examples.
Creating a connection
If the PC has multiple COM ports, select a proper one. The serial port of a PC is usually COM1.
Setting port communication parameters
In the COM1 Properties dialog box, click Restore Defaults to retain the default settings. Click OK. Turn on the power switch to start the router. If the preceding parameters are set properly, the terminal window displays the startup information until the startup process is complete, and the system asks you to press Enter. If the command prompt, such as <Huawei>, is displayed on the user interface, you have successfully entered the user view configuration environment.
Step 2
Run the display version command to view the software version and hardware information for the system.
<R1>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.90 (AR2200 V200R001C01SPC300)
Copyright (C) 2011 HUAWEI TECH CO., LTD
Huawei AR2220 Router uptime is 0 week, 0 day, 0 hour, 2 minutes
BKP 0 version information:
The command output includes the VRP operating system version, device model, and startup time.
Step 3
The system automatically saves the time. If the time is incorrect, run the clock datetime command in the user view to change the system time.
<Huawei>clock datetime 12:00:00 2011-09-15
Run the display clock command to check that the new system time has taken effect.
<Huawei>display clock
2011-09-15 12:00:21
Thursday
Time Zone(Default Zone Name) : UTC+00:00
Step 4
commands.
The question mark (?) is a wildcard, and the Tab key is used as a shortcut to enter commands.
<Huawei>display ?
  aaa                   AAA
  access-user           User access
  accounting-scheme     Accounting scheme
  acl                   <Group> acl command group
  adp-ipv4              Ipv4 information
  adp-mpls              Adp-mpls module
  anti-attack           Specify anti-attack configurations
  arp                   <Group> arp command group
  arp-limit             Display the number of limitation
  atm                   ATM status and configuration information
  authentication-scheme Authentication scheme
  authorization-scheme  Display AAA authorization scheme
If you want to display all the commands that start with a specific letter or string of letters, enter the desired letters and the question mark (?). The system displays all the commands that start with the letters you enter. For example, if you enter dis?, the system displays all the commands that start with dis.
Make sure that there is a space between the string and the question mark (?). The system identifies the command corresponding to the string and displays the parameters of the command. For example, if you enter dis ? and only the display command starts with dis, the system displays the parameters of the display command. If multiple commands start with dis, the system displays an error.
You can also press Tab to complete a command. For example, if you enter dis and press Tab, the system completes the display command. If multiple commands start with dis, you can select the appropriate one.
If no other commands start with the same letters, you can type dis or disp to indicate display, and int or inter to indicate interface.
Step 5
Run the system-view command to access the system view where you configure interfaces and protocols.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]
Step 6
To more easily identify devices, set device names during the device configuration. Change device names based on the lab topology, as shown below: Change the name of the R1 router to R1.
[Huawei]sysname R1
[R1]
Step 7
Run the preceding command to configure the login information. To check whether the login information has been changed, quit out of the router command line interface, and log back in to view the login information.
[R1]quit
<R1>quit
Configuration console exit, please retry to log on
Password:
Welcome to Huawei certification lab
<R1>
Note: Login information usually provides warnings of illegal logins. Do not use words that are welcoming.
Step 8
Log out of the system and log back in to verify that you need to enter the password.
[R1-ui-console0]return
<R1>quit
Configuration console exit, please retry to log on
Password:
Welcome to Huawei certification lab
<R1>
Step 9
interfaces.
Configure an IP address for the S1/0/0 interface of R1. The IP address can use the subnet mask length or use a complete subnet mask, such as 24 or 255.255.255.0.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]description This interface connects to R2-S1/0/0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.13%
Output bandwidth utilization : 0.13%
[R1-Serial1/0/0]
The command output shows that the physical status and protocol status of the interface are UP, and the corresponding physical layer and data link layer are functional. The interface link cables are V.35 DCE. Once you have verified the status, configure the IP address and description for the interface of R2.
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0
[R2-Serial1/0/0]description This interface connect to R1-S2/0/0
[R2-Serial1/0/0]
After completing the configuration, run the ping command to test the connection between R1 and R2.
[R1]ping 10.0.12.2
  PING 10.0.12.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=35 ms
    Reply from 10.0.12.2: bytes=56 Sequence=2 ttl=255 time=32 ms
    Reply from 10.0.12.2: bytes=56 Sequence=3 ttl=255 time=32 ms
    Reply from 10.0.12.2: bytes=56 Sequence=4 ttl=255 time=32 ms
    Reply from 10.0.12.2: bytes=56 Sequence=5 ttl=255 time=32 ms
  --- 10.0.12.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 32/32/35 ms
Set the telnet login mode of R2 to user name and password authentication mode.
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]quit
Note: You can run the quit command to return to the previous view or the return command to return to the user view.
[R2]aaa
[R2-aaa]local-user huawei password simple huawei
[R2-aaa]local-user huawei privilege level 15
[R2-aaa]local-user huawei service-type telnet
Username:huawei
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 10.0.12.1
Time       : 2011-09-14 13:19:59+00:00
-----------------------------------------------------------------------------
<R2>
Based on the output above, the login is successful. Telnet to R1 from R2.
<R2>telnet 10.0.12.1
Press CTRL_] to quit telnet mode
Trying 10.0.12.1 ...
Connected to 10.0.12.1 ...
Login authentication
Password:
Welcome to Huawei certification lab
<R1>
As shown in the command output, the super password is stored in plain text, which is relatively insecure. Set a super password for R2. The super password is stored in cipher (cipher text) mode.
[R2]super password cipher huawei
[R1]display current-configuration
......output omit......
#
super password level 3 cipher Q;L]@C0S3[%;LEEP8+INFQ!!
user-interface con 0
 authentication-mode password
......output omit......
As shown in the command output, the super password is stored in cipher text, which is more secure.
1,927,476 KB total (1,856,548 KB free)
<R2>dir
Directory of sd1:/
  Idx  Attr  Size(Byte)  Date  Time(LMT)  FileName
    0  -rw-                               web.zip
    1  -rw-                               ar2220_V200R001C01SPC300.cc
If the [R1-ftp] prompt is displayed, you have successfully logged in to the R2 FTP server. Transfer a file from R1 to the R2 FTP server using FTP.
[R1-ftp]put hq-r.cfg file-from-R1.bak
200 Port command okay.
150 Opening ASCII mode data connection for file-from-R1.bak.
226 Transfer complete.
FTP: 0 byte(s) sent in 0.627 second(s) 0.00byte(s)/sec.
[R1-ftp]
Note: The source file names on the lab device may be different. You need to use the actual file name. Run the dir command in the R1 user view to check the file names in the file list. Run the dir command to view the result of the transfer.
[R1-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
-rwxrwxrwx 1 noone nogroup  1738816 Sep 14 11:50 web.zip
-rwxrwxrwx 1 noone nogroup 68288896 Jul 12 14:19 ar2220_V200R001C01SPC300.cc
-rwxrwxrwx 1 noone nogroup        0 Sep 14 14:10 file-from-r1.bak
226 Transfer complete.
FTP: 551 byte(s) received in 0.619 second(s) 890.14byte(s)/sec.
The command output lists files on the R2 FTP server. Download the file-from-r1.bak file from the R2 FTP server to R1 and change the file name to file-from-r2.bak.
[R1-ftp]get file-from-r1.bak file-from-r2.bak
200 Port command okay.
150 Opening ASCII mode data connection for file-from-r1.bak.
226 Transfer complete.
FTP: 0 byte(s) received in 0.591 second(s) 0.00byte(s)/sec.
Exit from the R2 FTP server and check the file list on R1. Make sure that the file-from-r2.bak file has been downloaded successfully.
[R1-ftp]quit
221 Server closing.
<R1>dir
Directory of sd1:/
  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-  1,738,816   Sep 16 2011  18:44:54   web.zip
    1  -rw-  68,288,896  Jul 12 2011  14:17:58   ar2220_V200R001C01SPC300.cc
    2  -rw-  0           Sep 16 2011  19:13:00   file-from-r2.bak
Delete the files on the devices. Warning: Delete only the two lab files file-from-r1.bak and file-from-r2.bak. Do not delete other files; otherwise, the devices may fail to boot. Delete the file-from-r1.bak file from R2.
<R2>dir
Directory of sd1:/
  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-  1,738,816   Sep 14 2011  11:50:58   web.zip
    1  -rw-  68,288,896  Jul 12 2011  14:19:02   ar2220_V200R001C01SPC300.cc
    2  -rw-  0           Sep 14 2011  14:10:08   file-from-r1.bak

1,927,476 KB total (1,855,076 KB free)
<R2>delete /unreserved file-from-r1.bak
Warning: The contents of file sd1:/file-from-r1.bak cannot be recycled. Continue? (y/n)[n]:y
Info: Deleting file sd1:/file-from-r1.bak...succeed.
The /unreserved parameter indicates that the file is to be deleted permanently and cannot be restored. Use this parameter with caution.
<R2>dir
Directory of sd1:/
  Idx  Attr  Size(Byte)  Date  Time(LMT)  FileName
    0  -rw-                               web.zip
    1  -rw-                               ar2220_V200R001C01SPC300.cc
Compare the file list with the preceding file list and make sure that the file-from-r1.bak file has been deleted. Delete the file-from-r2.bak file from R1.
<R1>delete /unreserved file-from-r2.bak
Warning: The contents of file sd1:/file-from-r2.bak cannot be recycled. Continue? (y/n)[n]:y
Info: Deleting file sd1:/file-from-r2.bak...succeed.
<R1>dir
Directory of sd1:/
  Idx  Attr  Size(Byte)  Date  Time(LMT)  FileName
    0  -rw-                               web.zip
    1  -rw-                               ar2220_V200R001C01SPC300.cc
A router can store multiple configuration files. You can select the configuration file to be used after the next startup of the router as required.
<R1>startup saved-configuration iascfg.zip
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system
<R1>
Run the following command to select the configuration file to be used after the next startup:
<R1>display startup
MainBoard:
  Startup system software:                   sd1:/ar2220_V200R001C01SPC300.cc
  Next startup system software:              sd1:/ar2220_V200R001C01SPC300.cc
  Backup system software for next startup:   null
  Startup saved-configuration file:          null
  Next startup saved-configuration file:     sd1:/iascfg.zip
  Startup license file:                      null
  Next startup license file:                 null
  Startup patch package:                     null
  Next startup patch package:                null
  Startup voice-files:                       null
  Next startup voice-files:                  null
The device configurations will be erased to reconfigure. Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
<R1>
The system asks whether you want to save the current configuration. Determine whether to save the current configuration based on the requirements for the lab. If you are unsure whether you should save the current configuration, do not save it.
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
sysname R1
tftp client-source -i Serial2/0/0
header shell information "Welcome to Huawei certification lab"
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
#
voice
#
http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Ethernet3/0/0
#
interface Ethernet3/0/1
#
interface Serial1/0/0
 link-protocol ppp
 description This interface connect to R2-S2/0/0
 ip address 10.0.12.1 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface Cellular0/0/0
 link-protocol ppp
#
interface Cellular0/0/1
 link-protocol ppp
#
interface NULL0
#
super password level 3 simple huawei
user-interface con 0
 authentication-mode password
 set authentication password simple huawei
 idle-timeout 10 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple huawei
user-interface vty 16 20
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
sysname R2
ftp server enable
set default ftp-directory sd1:/
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
#
voice
#
http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
dhcp enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user ftpuser password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user ftpuser privilege level 15
 local-user ftpuser service-type ftp
 local-user huawei password simple huawei
 local-user huawei privilege level 15
 local-user huawei service-type telnet ftp
#
interface Ethernet3/0/0
#
interface Ethernet3/0/1
#
interface Serial1/0/0
 link-protocol ppp
 description This interface connect to R1-S2/0/0
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface Cellular0/0/0
 link-protocol ppp
#
interface Cellular0/0/1
 link-protocol ppp
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
#
return
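
An added example, not part of the lab guide or of any Huawei tool: the final configurations above still contain password simple entries alongside the Telnet, FTP and HTTP services, which is the plain-text storage the lab contrasts with cipher mode. The Python below audits text in the style of display current-configuration for those lines and masks each secret in its report. The sample configuration, rule names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the R2 final configuration (not copied
# verbatim); the cipher value is a placeholder, not a real ciphertext.
SAMPLE_CONFIG = """\
#
 sysname R2
 ftp server enable
#
 http server enable
#
aaa
 local-user admin password simple admin
 local-user admin service-type http
 local-user ftpuser password cipher EXAMPLE-CIPHERTEXT
 local-user ftpuser privilege level 15
 local-user ftpuser service-type ftp
 local-user huawei password simple huawei
 local-user huawei privilege level 15
 local-user huawei service-type telnet ftp
#
 super password level 3 simple huawei
user-interface con 0
 authentication-mode password
 set authentication password simple huawei
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

CLEARTEXT = {"telnet", "ftp", "http"}  # services that carry credentials unencrypted
SIMPLE = re.compile(r"\bpassword (?:level \d+ )?simple (\S+)$")
LOCAL_USER = re.compile(r"^local-user (\S+) (.+)$")
SERVER = re.compile(r"^(ftp|http) server enable$")


def audit(config):
    """Return (line_no, rule, detail) findings for a VRP configuration text."""
    findings = []
    users = defaultdict(lambda: {"level": 0, "services": set(), "line": 0})
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = SIMPLE.search(line)
        if m:
            # Mask the secret so the report itself can be shared safely.
            findings.append((no, "plaintext-secret", line[:m.start(1)] + "****"))
        m = SERVER.match(line)
        if m:
            findings.append((no, "cleartext-service", m.group(1)))
        m = LOCAL_USER.match(line)
        if not m:
            continue
        name, rest = m.groups()
        user = users[name]
        user["line"] = user["line"] or no  # remember where the user first appears
        if rest.startswith("password simple ") and rest.split()[-1] == name:
            findings.append((no, "password-equals-username", name))
        elif rest.startswith("privilege level "):
            user["level"] = int(rest.split()[-1])
        elif rest.startswith("service-type "):
            user["services"].update(rest.split()[1:])
    # Cross-line rule: a level-15 account reachable over an unencrypted service.
    for name, user in users.items():
        exposed = sorted(user["services"] & CLEARTEXT)
        if user["level"] == 15 and exposed:
            findings.append((user["line"], "admin-over-cleartext",
                             f"{name}: {', '.join(exposed)}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for _, rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for no, rule, detail in sorted(audit(SAMPLE_CONFIG)):
        print(f"line {no:>2}  {rule:<26} {detail}")
```

Each plaintext-secret finding points at a line that can be re-entered in cipher mode, as the lab does for the super password; the admin-over-cleartext findings mark accounts whose credentials cross the network unencrypted regardless of how they are stored.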
Topology
Scenario
Assume that you are a network administrator of a company with a headquarters (HQ) and two branches. R1 is the router in the HQ, and the HQ has a network segment. R2 and R3 are the routers in the two branches. R1 is connected to R2 and R3 through the Ethernet and serial cables. R2 and R3 are connected through serial cables. Because the network scale is small, static routes and default routes are used to implement interworking. For the IP addressing information, see Figure 2.1.
addresses.
Configure the device names and IP addresses for R1, R2, and R3.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]description this port connect to R2-S1/0/0
[R1-Serial1/0/0]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]description this port connect to R3-G0/0/0
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24
[R1-LoopBack0]
......output omit......
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]description this port connect to R1-S1/0/0
[R2-Serial1/0/0]interface serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]description this port connect to R3-S2/0/0
[R2-Serial2/0/0]interface loopback0
[R2-LoopBack0]ip address 10.0.2.2 24
[R2-LoopBack0]display current-configuration
......output omit......
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R1-S1/0/0
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 description this port connect to R3-S1/0/0
 ip address 10.0.23.2 255.255.255.0
#
......output omit......
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]description this port connects to R2-S2/0/0
[R3-Serial2/0/0]quit
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
[R3-GigabitEthernet0/0/0]description this port connects to R1-G0/0/0
[R3-GigabitEthernet0/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]display current-configuration
......output omit......
#
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R2-S2/0/0
 ip address 10.0.23.3 255.255.255.0
#
interface GigabitEthernet0/0/0
 description this port connect to R1-G0/0/0
 ip address 10.0.13.3 255.255.255.0
#
......output omit......
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
......output omit......
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/6 ms
<R2>ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=41 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 31/35/41 ms
Step 2
10.0.3.0/24.
[R2]ping 10.0.13.3
  PING 10.0.13.3: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.13.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R2]ping 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Note: If R2 needs to communicate with the network segment 10.0.3.0, the routes destined for this network segment must be configured on R2, and the routes destined for the R2 interface must be configured on R3. The preceding test result shows that R2 cannot communicate with 10.0.3.3 and 10.0.13.3. Run the display ip routing-table command to view the routing table of R2. The routing table does not contain the routes of the two networks.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 15       Routes : 15

Destination/Mask    Proto   Pre  Cost  Flags  NextHop     Interface
10.0.2.0/24                      0     D      10.0.2.2    LoopBack0
10.0.2.2/32                      0     D      127.0.0.1   InLoopBack0
10.0.2.255/32                    0     D      127.0.0.1   InLoopBack0
10.0.12.0/24        Direct  0    0     D      10.0.12.2   Serial1/0/0
10.0.12.1/32        Direct  0    0     D      10.0.12.1   Serial1/0/0
10.0.12.2/32        Direct  0    0     D      127.0.0.1   InLoopBack0
10.0.12.255/32      Direct  0    0     D      127.0.0.1   InLoopBack0
10.0.23.0/24        Direct  0    0     D      10.0.23.2   Serial2/0/0
10.0.23.2/32        Direct  0    0     D      127.0.0.1   InLoopBack0
10.0.23.3/32        Direct  0    0     D      10.0.23.3   Serial2/0/0
10.0.23.255/32      Direct  0    0     D      127.0.0.1   InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1   InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1   InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1   InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1   InLoopBack0
Step 3
Configure static routes for the destination networks 10.0.13.0/24 and 10.0.3.0/24, with the next hop set to the R3 interface IP address 10.0.23.3. The default preference is 60, so it does not need to be set and is not set in this example.
<R2>system-view
Enter system view, return user view with Ctrl+Z.
[R2]ip route-static 10.0.13.0 24 10.0.23.3
[R2]ip route-static 10.0.3.0 24 10.0.23.3
Note: In the ip route-static command, 24 indicates the subnet mask length, which can also be expressed as 255.255.255.0.
Step 4
The data exchanged between R2 and 10.0.13.3 and 10.0.3.3 is transmitted through the link between R2 and R3. R2 fails to communicate with 10.0.13.3 and 10.0.3.3 if the link between R2 and R3 is faulty. According to the topology, R2 can communicate with R3 through R1 after the link between R2 and R3 is faulty. You can configure a backup static route to solve the preceding problem. Backup static routes do not take effect in normal cases. If the link between R2 and R3 is faulty, backup static routes are used to transfer data. You must configure preferences for backup static routes to ensure that the backup static routes are used only when the primary link is faulty. In this example, the preference of the backup static route is set to 80.
[R1]ip route-static 10.0.3.0 24 10.0.13.3
[R2]ip route-static 10.0.13.0 255.255.255.0 Serial 1/0/0 preference 80
[R2]ip route-static 10.0.3.0 24 Serial 1/0/0 preference 80
[R3]ip route-static 10.0.12.0 24 10.0.13.1
Step 5
Destination/Mask    Proto   Pre  Interface
                                 LoopBack0
                                 InLoopBack0
                                 InLoopBack0
                                 Serial2/0/0
10.0.12.0/24        Direct  0    Serial1/0/0
10.0.12.1/32        Direct  0    Serial1/0/0
10.0.12.2/32        Direct  0    InLoopBack0
10.0.12.255/32      Direct  0    InLoopBack0
10.0.13.0/24        Static  60   Serial2/0/0
10.0.23.0/24        Direct  0    Serial2/0/0
10.0.23.2/32        Direct  0    InLoopBack0
10.0.23.3/32        Direct  0    Serial2/0/0
10.0.23.255/32      Direct  0    InLoopBack0
127.0.0.0/8         Direct  0    InLoopBack0
127.0.0.1/32        Direct  0    InLoopBack0
127.255.255.255/32  Direct  0    InLoopBack0
255.255.255.255/32  Direct  0    InLoopBack0
The routing table contains two static routes that are configured in step 3. The value of the Proto field is Static, indicating a static route. The value of the Pre field is 60, indicating the default preference of a route. Test network connectivity when the link between R2 and R3 works properly.
[R2]ping 10.0.13.3
  PING 10.0.13.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.13.3: bytes=56 Sequence=1 ttl=255 time=34 ms
    Reply from 10.0.13.3: bytes=56 Sequence=2 ttl=255 time=34 ms
    Reply from 10.0.13.3: bytes=56 Sequence=3 ttl=255 time=34 ms
    Reply from 10.0.13.3: bytes=56 Sequence=4 ttl=255 time=34 ms
    Reply from 10.0.13.3: bytes=56 Sequence=5 ttl=255 time=34 ms
  --- 10.0.13.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/34/34 ms
<R2>ping 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=41 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=41 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=41 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=41 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=41 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 41/41/41 ms
The command output shows that communication is normal. You can also run the tracert command to view the routers through which data is transferred.
<R2>tracert 10.0.13.3
 traceroute to 10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 10.0.23.3 40 ms 31 ms 30 ms
<R2>tracert 10.0.3.3
 traceroute to 10.0.3.3(10.0.3.3), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 10.0.23.3 40 ms 30 ms 30 ms
<R2>
Step 6
Disable Serial2/0/0 on R2 and observe the changes in the routing tables. Compare the routing tables with the previous routing tables before
Destination/Mask    Proto   Pre  Interface
                                 LoopBack0
                                 InLoopBack0
                                 InLoopBack0
                                 Serial1/0/0
10.0.12.0/24        Direct  0    Serial1/0/0
10.0.12.1/32        Direct  0    Serial1/0/0
10.0.12.2/32        Direct  0    InLoopBack0
10.0.12.255/32      Direct  0    InLoopBack0
10.0.13.0/24        Static  80   Serial1/0/0
127.0.0.0/8         Direct  0    InLoopBack0
127.0.0.1/32        Direct  0    InLoopBack0
127.255.255.255/32  Direct  0    InLoopBack0
255.255.255.255/32  Direct  0    InLoopBack0
The next hops and preferences of the two routes in the preceding information are changed. Test connectivity between R2 and the destination addresses 10.0.13.3 and 10.0.3.3 on R2.
<R1>ping 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=2 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
<R1>ping 10.0.13.3
  PING 10.0.13.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.13.3: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 10.0.13.3: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 10.0.13.3: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 10.0.13.3: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 10.0.13.3: bytes=56 Sequence=5 ttl=255 time=2 ms
  --- 10.0.13.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
The network is not disconnected when the link between R2 and R3 is shut down. You can also run the tracert command to view the routers through which data is transferred.
<R2>tracert 10.0.13.3 traceroute to to break 1 10.0.12.1 40 ms 2 10.0.13.3 30 ms traceroute to to break 1 10.0.12.1 40 ms 2 10.0.13.3 30 ms 21 ms 21 ms 21 ms 21 ms 21 ms 21 ms 21 ms 21 ms 10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,press CTRL_C
The command output shows that the data sent by R2 reaches R3 through R1.
Step 7
network connectivity.
Enable the interface that was disabled in step 6 on R2.
[R2]int Serial 2/0/0
[R2-Serial2/0/0]undo shutdown
R3 cannot be pinged because the route destined for 10.0.23.3 is not configured on R1. You can configure a default route on R1 to implement network connectivity.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.13.3
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
Step 8
If the link between R1 and R3 is faulty, R1 can communicate with 10.0.23.3 and 10.0.3.3 through R2. However, R1 does not learn about this route by default. You can also configure a backup default route in this step.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80
[R3]ip route-static 10.0.12.0 24 10.0.23.2 preference 80
Step 9
View the routes of R1 when the link between R1 and R3 works properly.
<R1>display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 16 Destination/Mask 0.0.0.0/0 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.3.0/24 Proto Routes : 16 Pre Cost 0 0 0 0 0 0 0 0 0 0 0 0 RD D D D RD D D D D D D D Flags NextHop 10.0.13.3 10.0.1.1 127.0.0.1 127.0.0.1 10.0.13.3 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.13.1 127.0.0.1 127.0.0.1 Interface GigabitEthernet0/0/0 LoopBack0 InLoopBack0 InLoopBack0 GigabitEthernet0/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 GigabitEthernet0/0/0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.13.0/24 Direct 0 10.0.13.1/32 Direct 0 10.0.13.255/32 Direct 0
127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
Disable GigabitEthernet0/0/0 on R1, and then view the routes of R1. Compare the current routes with the routes before GigabitEthernet0/0/0 was disabled.
[R1]interface GigabitEthernet0/0/0 [R1-GigabitEthernet0/0/0]shutdown [R1-GigabitEthernet0/0/0]quit [R1]display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 12 Destination/Mask 0.0.0.0/0 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 Proto Routes : 12 Pre Cost 0 0 0 0 0 0 0 0 0 0 0 0 RD D D D D D D D D D D D Flags NextHop 10.0.12.2 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0
According to the preceding routing table, the value of 80 in the Pre column indicates that backup default route 0.0.0.0 is valid. Test network connectivity on R1.
[R1]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=76 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=250 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=76 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=76 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=76 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 76/110/250 ms
[R1]tracert 10.0.23.3
 traceroute to 10.0.23.3(10.0.23.2), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 10.0.12.2 30 ms 26 ms 26 ms
 2 10.0.23.3 60 ms 53 ms 56 ms
Final Configurations
<R1>display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R2-S1/0/0
 ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet0/0/0
 description this port connect to R3-G0/0/0
 ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.13.2
 ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80
 ip route-static 3.3.3.3 255.255.255.255 10.0.13.2 preference 80
#
return

<R2>display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R1-S1/0/0
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 description this port connect to R3-S1/0/0
 ip address 10.0.23.1 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
 ip route-static 3.3.3.3 255.255.255.255 10.0.23.2
 ip route-static 3.3.3.3 255.255.255.255 Serial1/0/0 preference 80
 ip route-static 10.0.13.0 255.255.255.0 10.0.23.2
 ip route-static 10.0.13.0 255.255.255.0 Serial1/0/0 preference 80
#
return

<R3>display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface Serial2/0/0
 link-protocol ppp
 description this port connect to R2-S2/0/0
 ip address 10.0.23.2 255.255.255.0
#
interface GigabitEthernet0/0/0
 description this port connect to R1-G0/0/0
 ip address 10.0.13.2 255.255.255.0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
 ip route-static 10.0.12.0 255.255.255.0 10.0.13.1 preference 80
 ip route-static 10.0.12.0 255.255.255.0 10.0.23.1 preference 80
#
return
two routers
Method of configuring RIPv1
Method of enabling RIP on a specified network and interface
Method of using the display and debug commands to test RIP
Procedure for testing connectivity of the RIP network
Formats of the network prefixes sent to or received by RIP
Method of configuring RIPv2
Differences between RIPv1 and RIPv2
Method of importing a static route to RIP
Topology
Scenario
Assume that you are a network administrator of a company that has a small intranet with three routers and five networks. You want to use RIP to transfer routing information. Considering compatibility, you want to use RIPv1 at first, but you realize that RIPv2 also has many advantages. After certain tests, you finally select RIPv2.
Configure basic device information and set IP addresses based on the topology.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]description this port connect to R2-S1/0/0
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24
[R1-LoopBack0]quit
[R2-Serial2/0/0]description this port connect to R3-S1/0/0
[R2-Serial2/0/0]interface loopback0
[R2-LoopBack0]ip address 10.0.2.2 24
[R2-LoopBack0]display current-configuration
......output omit......
#
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R1-S1/0/0
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 description this port connect to R3-S1/0/0
 ip address 10.0.23.2 255.255.255.0
#
......output omit......
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 1/0/0
[R3-Serial1/0/0]ip address 10.0.23.3 24
[R3-Serial1/0/0]description this port connect to R2-S2/0/0
[R3-Serial1/0/0]interface loop0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]display current-configuration
......output omit......
#
interface Serial1/0/0
 link-protocol ppp
 description this port connect to R2-S2/0/0
 ip address 10.0.23.3 255.255.255.0
#
......output omit......
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
......output omit......
Step 2
Configure RIPv1.
Enable RIP on R1, and then advertise the 10.0.0.0 network segment to RIP.
[R1]rip 1
[R1-rip-1]network 10.0.0.0
Enable RIP on R2, and then advertise the 10.0.0.0 network segment to RIP.
[R2]rip 1
[R2-rip-1]network 10.0.0.0
Enable RIP on R3, and then advertise the 10.0.0.0 network segment to RIP.
[R3]rip 1
[R3-rip-1]net 10.0.0.0
Step 3
View the routing tables of R1, R2, and R3. Make sure that these routers have learned the RIP routes that are highlighted in gray in the following command output.
[R1]display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 14 Destination/Mask 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.0/24 10.0.3.0/24 Proto Routes : 14 Pre Cost 0 0 0 Flags NextHop D D D D D D D D D D D D 0 0 D D 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.12.2 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 17 Destination/Mask Proto Routes : 17 Pre Cost Flags NextHop Interface
RIP
100 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
D D D D D D D D D D D D D D D D D
10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.23.3 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.23.2 127.0.0.1 10.0.23.3 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1
Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial2/0/0 InLoopBack0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
100 1
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0 [R3]display ip routing-table
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 14 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto RIP RIP Routes : 14 Pre Cost 100 2 100 1 0 0 0 0 0 0 0 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D 10.0.23.2 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial2/0/0 Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 RIP
100 1
10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0
You can run the debug command to view RIP periodic updates. Run the debug command to enable the RIP debugging function. The debug command can be used only in the user view. Then run the terminal debugging and terminal monitor commands to display the debugging information. The information about RIP interactions between routers is displayed.
<R1>debug rip 1
<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>terminal monitor
Info: Current terminal monitor is on.
Sep 19 2011 19:15:22.630.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1 response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:22.630.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response from 10.0.12.2 on Serial1/0/0
Sep 19 2011 19:15:22.630.3+00:00 R1 RM/6/RMDEBUG: 6: 11709: Packet: Version 1, Cmd response, Length 44
Sep 19 2011 19:15:22.630.4+00:00 R1 RM/6/RMDEBUG: 6: 11758: Dest 10.0.3.0, Cost 2
Sep 19 2011 19:15:22.630.5+00:00 R1 RM/6/RMDEBUG: 6: 11758: Dest 10.0.23.0, Cost 1
Sep 19 2011 19:15:52.650.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1 response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:52.650.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response from 10.0.12.2 on Serial1/0/0
Sep 19 2011 19:15:52.650.3+00:00 R1 RM/6/RMDEBUG: 6: 11709: Packet: Version 1, Cmd response, Length 44
Sep 19 2011 19:15:52.650.4+00:00 R1 RM/6/RMDEBUG: 6: 11758: Dest 10.0.2.0, Cost 1
You can run the undo debug rip or undo debug all command to disable debugging functions.
<R1>undo debug rip 1
In addition, you can run the commands that have more parameters to view the debugging information of a certain type. For example, run the debug rip 1 event command to view the periodical update events sent or received by routers. You can add the question mark (?) to the command to query other parameters.
<R1>debug rip 1 event
Sep 19 2011 19:23:44.200.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update queue
Sep 19 2011 19:23:44.210.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug all
Info: All possible debugging has been turned off
Warning: If too many debugging functions are enabled, a large amount of router resources is consumed, which may cause the router to break down. Therefore, use commands that enable debugging functions in batches (such as debug all) with caution.
Step 4
Configure RIPv2.
After the preceding configuration, you need to configure only version 2 in the RIP sub view.
[R1]rip 1
[R1-rip-1]version 2
[R2]rip 1
[R2-rip-1]version 2
[R3]rip 1
[R3-rip-1]version 2
Step 5
View the routing tables of R1, R2, and R3. Run the display ip routing-table command to view the routing tables of R1, R2, and R3. Compare the routes that are highlighted in gray with RIPv1 routes.
[R1]display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 14 Destination/Mask 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.0/24 10.0.3.0/24 Proto Routes : 14 Pre Cost 0 0 0 Flags NextHop D D D D D D D D D D D D 0 0 D D 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.12.2 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 17 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.2.2/32 10.0.2.255/32 Proto RIP Routes : 17 Pre Cost 100 1 0 0 0 Flags NextHop D D D D 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 Interface Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0
10.0.3.0/24 RIP 100 1 0 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D D 10.0.23.3 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.23.2 127.0.0.1 10.0.23.3 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1
Serial2/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial2/0/0 InLoopBack0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0 [R3]display ip routing-table
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 14 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto RIP RIP Routes : 14 Pre Cost 100 2 100 1 0 0 0 0 0 0 0 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D 10.0.23.2 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial2/0/0 Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 RIP
100 1
10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0
Note: The routes learned through RIPv1 are the same as the routes learned through RIPv2. Why is this true?
Test connectivity from R1 to 10.0.23.3.
[R1]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=74 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=75 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=75 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=75 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=75 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 74/74/75 ms
You can run the debug command to view the RIPv2 periodic updates.
<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>terminal monitor
Info: Current terminal monitor is on.
<R1>debug rip 1 event
Sep 19 2011 19:55:46.600.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update queue
Sep 19 2011 19:55:46.610.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug rip 1
<R1>debug rip 1 packet
Sep 19 2011 20:31:34.230.1+00:00 R1 RM/6/RMDEBUG: 6: 11689: RIP 1: Sending response on interface Serial1/0/0 from 10.0.12.1 to 224.0.0.9
Sep 19 2011 20:31:34.230.2+00:00 R1 RM/6/RMDEBUG: 6: 11709: Packet: Version 2, Cmd response, Length 24
Sep 19 2011 20:31:34.230.3+00:00 R1 RM/6/RMDEBUG: 6: 11777: Dest 10.0.1.0/24, Nexthop 0.0.0.0, Cost 1, Tag 0
<R1>undo debug all
Info: All possible debugging has been turned off
Step 6
Add a loopback interface on R3, and then set the IP address to 172.16.3.3/24. Configure a static route to the network segment on R2. Import the static route to the RIP routing information so that R1 can communicate with 172.16.3.3.
R1 does not have a route to 172.16.3.3. Therefore, the address cannot be pinged successfully. Configure the static route on R2.
<R2>system-view
[R2]ip route-static 172.16.3.0 24 10.0.23.3
Step 7
successfully.
View the routing tables of R1, R2, and R3. The route to 172.16.3.0/24 exists in the routing table of R1; the static route to 172.16.3.0/24 exists in the routing table of R2; no change occurs in the routing table of R3.
[R1]display ip routing-table Route Flags: R - relay, D - download to fib ----------------------------------------------------------------------------
Routing Tables: Public Destinations : 15 Destination/Mask 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.0/24 10.0.3.0/24 Proto Routes : 15 Pre Cost 0 0 0 Flags NextHop D D D D D D D D D D D D 0 0 D D D 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.12.2 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 10.0.12.2 127.0.0.1 Interface LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.3.0/24 RIP 255.255.255.255/32 Direct 0 [R2]display ip routing-table
100 1
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 18 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.2.2/32 10.0.2.255/32 10.0.3.0/24 Proto RIP Routes : 18 Pre Cost 100 1 0 0 0 0 0 0 0 0 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.23.3 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.23.2 127.0.0.1 10.0.23.3 127.0.0.1 127.0.0.1 Interface Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial2/0/0 InLoopBack0 Serial2/0/0 InLoopBack0 InLoopBack0
100 1
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0
127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.3.0/24 Static 60 255.255.255.255/32 Direct 0 [R3]display ip routing-table Route Flags: R - relay, D - download to fib 0 0 0 0 D D RD D 127.0.0.1 127.0.0.1 10.0.23.3 127.0.0.1
---------------------------------------------------------------------------Routing Tables: Public Destinations : 17 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto RIP RIP Routes : 17 Pre Cost 100 2 100 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D D D D 10.0.23.2 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 172.16.3.3 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial2/0/0 Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 LoopBack1 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 RIP
100 1
10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.3.0/24 172.16.3.3/32 172.16.3.255/32 Direct 0 Direct 0 Direct 0
255.255.255.255/32 Direct 0
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 63/69/74 ms
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
 import-route static
#
 ip route-static 172.16.3.0 255.255.255.0 10.0.23.3
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
 ip address 172.16.3.3 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return
Topology
Scenario
Assume that you are a network engineer at a company. The network is small, so RIPv2 is used. Because there are too many routes, route aggregation is required to control which routes are advertised. A malicious attacker may impersonate a valid router to receive and modify valid routes, so RIPv2 authentication is used to protect the network.
Configure device names and IP addresses for R1, R2, and R3.
<Huawei>system
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]interface loopback0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 1/0/0
[R3-Serial1/0/0]ip address 10.0.23.3 24
[R3-Serial1/0/0]interface loopback0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]interface loopback 2
[R3-LoopBack2]ip address 172.16.0.1 24
[R3-LoopBack2]interface loopback 3
[R3-LoopBack3]ip address 172.16.1.1 24
[R3-LoopBack3]interface loopback 4
[R3-LoopBack4]ip address 172.16.2.1 24
[R3-LoopBack4]interface loopback 5
[R3-LoopBack5]ip address 172.16.3.1 24
[R3-LoopBack5]quit
After you have configured the IP addresses for the interfaces, test network connectivity.
<R1>ping 10.0.12.2
  PING 10.0.12.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=30 ms
    Reply from 10.0.12.2: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.0.12.2: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 10.0.12.2: bytes=56 Sequence=4 ttl=255 time=30 ms
    Reply from 10.0.12.2: bytes=56 Sequence=5 ttl=255 time=30 ms
  --- 10.0.12.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/30/30 ms
<R2>ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=31 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=41 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
Step 2
Configure RIPv2.
LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
RIP RIP RIP RIP 100 2 100 2 100 2 100 2 0 D D D D D 10.0.12.2 10.0.12.2 10.0.12.2 10.0.12.2 127.0.0.1 Serial1/0/0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0
255.255.255.255/32 Direct 0
The information in grey shows that R1 has learned specific routes but not aggregated routes. Test network connectivity.
<R1>ping 172.16.0.1
  PING 172.16.0.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=254 time=80 ms
    Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=254 time=79 ms
    Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=254 time=79 ms
    Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=254 time=79 ms
    Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=254 time=79 ms
  --- 172.16.0.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 79/79/80 ms
Step 3
Run the rip summary-address command on S1/0/0 of R2 to configure RIP route aggregation. The four routes (172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24) are aggregated into one route (172.16.0.0/16).
[R2]interface serial1/0/0
[R2-Serial1/0/0]rip summary-address 172.16.0.0 255.255.0.0
10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.0/24 10.0.3.0/24 Direct 0 Direct 0 Direct 0 RIP RIP 0 0 0 D D D D D D D D D D D D 0 0 D D D 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.12.2 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 10.0.12.2 127.0.0.1
LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
100 2
The information in grey shows an aggregated route. No specific route is listed in the routing table. Test network connectivity.
<R1>ping 172.16.0.1
  PING 172.16.0.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=254 time=60 ms
    Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=254 time=59 ms
    Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=254 time=80 ms
    Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=254 time=60 ms
    Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=254 time=60 ms
  --- 172.16.0.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 59/63/80 ms
The preceding information shows that route aggregation does not affect network connectivity.
Step 4
Configure plain text authentication between R1 and R2 and MD5 authentication between R2 and R3. Set the authentication password to huawei.
[R1]interface serial 1/0/0
[R1-Serial1/0/0]rip authentication-mode simple huawei
[R2]interface serial 1/0/0
[R2-Serial1/0/0]rip authentication-mode simple huawei
[R2-Serial1/0/0]quit
[R2]interface serial 2/0/0
[R2-Serial2/0/0]rip authentication-mode md5 usual huawei
[R3]interface serial 2/0/0
[R3-Serial2/0/0]rip authentication-mode md5 usual huawei
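The debug output in Lab 3-1 (a 44-byte Version 1 response with 2 RTEs, a 24-byte Version 2 response) and the two authentication modes configured in this step both come down to how a RIP packet is laid out. The Python decoder below is an added example, not part of the lab guide: it assumes the RFC 2453 entry layout and the RFC 2082 keyed-MD5 entry layout (the exact format VRP emits for md5 usual is not taken from this guide), builds constructed sample packets, and reports whether the shared secret itself travels inside the update.

```python
import ipaddress
import struct

AFI_AUTH = 0xFFFF                      # address family that marks an authentication entry
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3


def build_response(version, routes, auth=None):
    """Build a constructed RIP response (sample input for the decoder).

    routes: [(prefix, metric)]; auth: None, ("simple", password)
    or ("md5", key_id, sequence_number).
    """
    body = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        mask = int(net.netmask) if version == 2 else 0    # RIPv1 has no mask field
        body += struct.pack("!HHIIII", 2, 0, int(net.network_address), mask, 0, metric)
    head = struct.pack("!BBH", 2, version, 0)              # command 2 = response
    if auth is None:
        return head + body
    if auth[0] == "simple":
        # The 16-byte field after the type IS the password, zero padded, unencrypted.
        return head + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, auth[1].encode()) + body
    # RFC 2082 layout: offset to the trailer, key id, digest length, sequence number.
    offset = 4 + 20 + len(body)
    entry = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, offset, auth[1], 16, auth[2])
    # Constructed placeholder digest: the decoder classifies, it does not verify.
    trailer = struct.pack("!HH16s", AFI_AUTH, AUTH_TRAILER, bytes(range(16)))
    return head + entry + body + trailer


def parse_rip(data):
    """Decode a RIP packet: version, length, routes and authentication mode."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("RIP packets are a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack_from("!BBH", data, 0)
    info = {"command": command, "version": version, "length": len(data),
            "auth": "none", "secret_on_wire": False, "routes": []}
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack_from("!HH", data, off)
        if afi == AFI_AUTH:
            if version != 2:
                raise ValueError("authentication entry in a non-RIPv2 packet")
            if tag == AUTH_SIMPLE:
                info["auth"] = "simple"
                info["secret_on_wire"] = True
            elif tag == AUTH_MD5:
                _, key_id, _, seq = struct.unpack_from("!HBBI", data, off + 4)
                info.update(auth="md5", key_id=key_id, sequence=seq)
            continue                    # trailer and unknown types carry no route
        addr, mask, _nexthop, metric = struct.unpack_from("!IIII", data, off + 4)
        dest = str(ipaddress.IPv4Address(addr))
        if version == 2:                # only RIPv2 carries the mask
            dest += "/" + str(bin(mask).count("1"))
        info["routes"].append((dest, metric))
    return info


def assess(info):
    """Map a decoded packet to the protection its routing update actually has."""
    if info["auth"] == "md5":
        return "keyed-digest"           # key id, sequence number and digest only
    if info["auth"] == "simple":
        return "cleartext-password"     # readable by anyone who can see the link
    return "unauthenticated"            # RIPv1 always; RIPv2 with no mode configured


if __name__ == "__main__":
    samples = {   # constructed packets mirroring the lab's debug output and step 4
        "RIPv1 response": build_response(1, [("10.0.3.0/24", 2), ("10.0.23.0/24", 1)]),
        "RIPv2 response": build_response(2, [("10.0.1.0/24", 1)]),
        "RIPv2 simple": build_response(2, [("10.0.1.0/24", 1)], ("simple", "huawei")),
        "RIPv2 md5": build_response(2, [("10.0.1.0/24", 1)], ("md5", 1, 7)),
    }
    for name, packet in samples.items():
        decoded = parse_rip(packet)
        print(name, decoded["length"], decoded["routes"], assess(decoded))
```
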
LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
100 2
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 21 Routes : 21
Proto RIP
Flags NextHop 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.23.3 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.23.2 127.0.0.1 10.0.23.3 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 10.0.23.3 10.0.23.3 10.0.23.3 10.0.23.3 127.0.0.1
Interface
Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial2/0/0 InLoopBack0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0
100 1
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 172.16.3.0/24 RIP RIP RIP RIP
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 26 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto RIP RIP Routes : 26 Pre Cost 100 2 100 1 0 0 0 0 0 0 0 D D D D D D D D D D Flags NextHop 10.0.23.2 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 Interface
Serial2/0/0 Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0
10.0.12.0/24 RIP
100 1
Chapter 3 RIP Configuration Direct 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D D D D D 127.0.0.1 127.0.0.1 127.0.0.1 172.16.0.1 127.0.0.1 127.0.0.1 172.16.1.1 127.0.0.1 127.0.0.1 172.16.2.1 127.0.0.1 127.0.0.1 172.16.3.1 127.0.0.1 127.0.0.1 127.0.0.1 InLoopBack0 InLoopBack0 InLoopBack0 LoopBack2 InLoopBack0 InLoopBack0 LoopBack3 InLoopBack0 InLoopBack0 LoopBack4 InLoopBack0 InLoopBack0 LoopBack5 InLoopBack0 InLoopBack0 InLoopBack0
127.0.0.0/8
127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.0.0/24 172.16.0.1/32 172.16.0.255/32 172.16.1.0/24 172.16.1.1/32 172.16.1.255/32 172.16.2.0/24 172.16.2.1/32 172.16.2.255/32 172.16.3.0/24 172.16.3.1/32 172.16.3.255/32 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0
255.255.255.255/32 Direct 0
Step 5
Run the following command to delete the routes learned by R1 from R2 before the authentication password on R2 is changed.
<R1>reset ip routing-table statistics protocol rip
HCDA-HNTD 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0 0 0 0 0 0 0 D D D D D D 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1
Because R1 and R2 use different RIP authentication passwords, R1 cannot receive any RIP route from R2. Restore the authentication password on S1/0/0 of R2 to huawei.
[R2]interface serial1/0/0
[R2-Serial1/0/0]rip authentication-mode simple huawei
Run the following command to delete the routes learned by R3 from R2 before you change the authentication password.
<R3>reset ip routing-table statistics protocol rip
10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.0.0/24 Direct 0
Chapter 3 RIP Configuration Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 0 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D 127.0.0.1 127.0.0.1 172.16.1.1 127.0.0.1 127.0.0.1 172.16.2.1 127.0.0.1 127.0.0.1 172.16.3.1 127.0.0.1 127.0.0.1 127.0.0.1 InLoopBack0 InLoopBack0 LoopBack3 InLoopBack0 InLoopBack0 LoopBack4 InLoopBack0 InLoopBack0 LoopBack5 InLoopBack0 InLoopBack0 InLoopBack0
172.16.0.1/32 172.16.0.255/32 172.16.1.0/24 172.16.1.1/32 172.16.1.255/32 172.16.2.0/24 172.16.2.1/32 172.16.2.255/32 172.16.3.0/24 172.16.3.1/32 172.16.3.255/32
255.255.255.255/32 Direct 0
Because R2 and R3 use different RIP authentication modes, R3 cannot receive any RIP route from R2. Restore the authentication mode on S2/0/0 of R2 to MD5.
[R2]interface serial2/0/0
[R2-Serial2/0/0]rip authentication-mode md5 usual huawei
Verify that routes in routing tables of R1, R2, and R3 are correct.
<R1>display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 15 Destination/Mask 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.0/24 10.0.3.0/24 Proto Pre 0 0 0 Routes : 15 Cost D D D D D D D D D D D D 0 D Flags NextHop 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.12.2 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.12.2 127.0.0.1 127.0.0.1 127.0.0.1 Interface
LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0
100 1 100 2 0 0 0 0 0 0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 RIP 127.0.0.0/8 Direct 0
100 1
Serial1/0/0 InLoopBack0
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 21 Destination/Mask 10.0.1.0/24 10.0.2.0/24 10.0.2.2/32 10.0.2.255/32 10.0.3.0/24 Proto RIP Routes : 21 Pre Cost 100 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D D D D D D D D D D Flags NextHop 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.23.3 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.23.2 127.0.0.1 10.0.23.3 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 10.0.23.3 10.0.23.3 10.0.23.3 10.0.23.3 127.0.0.1 Interface
Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial2/0/0 InLoopBack0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0
100 1
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 127.0.0.1/32 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 172.16.3.0/24 Direct 0 Direct 0 RIP RIP RIP RIP
127.255.255.255/32 Direct 0
255.255.255.255/32 Direct 0
<R3>display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 26 Destination/Mask 10.0.1.0/24 Proto RIP Routes : 26 Pre Cost 100 2 D Flags NextHop 10.0.23.2 Interface
Serial2/0/0
Chapter 3 RIP Configuration RIP 100 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D D D D D D D D D D D D D D 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 172.16.0.1 127.0.0.1 127.0.0.1 172.16.1.1 127.0.0.1 127.0.0.1 172.16.2.1 127.0.0.1 127.0.0.1 172.16.3.1 127.0.0.1 127.0.0.1 127.0.0.1 Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 LoopBack2 InLoopBack0 InLoopBack0 LoopBack3 InLoopBack0 InLoopBack0 LoopBack4 InLoopBack0 InLoopBack0 LoopBack5 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 RIP
100 1
10.0.23.0/24 Direct 0 10.0.23.2/32 Direct 0 10.0.23.3/32 Direct 0 10.0.23.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 172.16.0.0/24 172.16.0.1/32 172.16.0.255/32 172.16.1.0/24 172.16.1.1/32 172.16.1.255/32 172.16.2.0/24 172.16.2.1/32 172.16.2.255/32 172.16.3.0/24 172.16.3.1/32 172.16.3.255/32 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0 Direct 0
255.255.255.255/32 Direct 0
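Steps 4 and 5 come down to both ends of a link agreeing on the RIP authentication mode, and simple mode carries the password in clear text in every update. The following added example (not part of the lab guide or of VRP) audits saved configurations for both conditions; the sample text is constructed from the serial-interface stanzas of this lab's Final Configurations listing as printed, where R2's Serial2/0/0 shows simple, and the finding codes and function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: interface stanzas taken from this lab's Final
# Configurations listing as printed (loopbacks trimmed except one on R1).
SAMPLE_CONFIGS = {
    "R1": """
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 rip authentication-mode simple huawei
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
""",
    "R2": """
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
 rip authentication-mode simple huawei
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.2 255.255.255.0
 rip authentication-mode simple huawei
#
""",
    "R3": """
 sysname R3
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
 rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
""",
}

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
AUTH_RE = re.compile(r"^\s*rip authentication-mode\s+(simple|md5)\b")


def parse_interfaces(config_text):
    """Return {interface: {"network": IPv4Network|None, "mode": str|None}}."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        match = IFACE_RE.match(line)
        if match:
            current = interfaces.setdefault(
                match.group(1), {"network": None, "mode": None})
            continue
        if line.strip() == "#":          # "#" closes the current stanza
            current = None
            continue
        if current is None:
            continue
        match = ADDR_RE.match(line)
        if match:
            addr = f"{match.group(1)}/{match.group(2)}"
            current["network"] = ipaddress.ip_interface(addr).network
            continue
        match = AUTH_RE.match(line)
        if match:
            current["mode"] = match.group(1)
    return interfaces


def audit(configs):
    """Pair interfaces by shared subnet and report weak or mismatched RIP auth."""
    links = defaultdict(list)            # network -> [(router, iface, mode)]
    for router, text in configs.items():
        for iface, info in parse_interfaces(text).items():
            if info["network"] is not None:
                links[info["network"]].append((router, iface, info["mode"]))
    findings = []
    for network, ends in sorted(links.items()):
        if len(ends) < 2:
            continue                     # loopbacks: no RIP peer on this subnet
        for router, iface, mode in ends:
            if mode is None:
                findings.append(("NO_AUTH", f"{router} {iface}"))
            elif mode == "simple":
                findings.append(("SIMPLE_AUTH", f"{router} {iface}"))
        if len({mode for _, _, mode in ends}) > 1:
            # Same failure Step 5 demonstrates: the peers drop each other's updates.
            findings.append(("MODE_MISMATCH", str(network)))
    return findings


if __name__ == "__main__":
    for code, where in audit(SAMPLE_CONFIGS):
        print(f"{code:14} {where}")
```

Keys are not compared because one side may be stored in cipher form, as on R3; a key mismatch shows up only as missing RIP routes, which is what Step 5 checks.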
Appendix A: Routers
<Huawei>debugging rip 1 ?
  brief             Brief information about RIP events
  error             Information about RIP Errors
  event             Information about RIP events
  packet            All RIP packets
  receive           Received RIP packet information
  route-processing  Information about RIP Route-Processing
  send              Sent RIP packet information
  timer             Information about RIP timers
  <cr>              Please press ENTER to execute command
The preceding output lists some debugging commands, which can be used for reference.
Final Configurations
<R1>display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 rip authentication-mode simple huawei
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return

<R2>display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
 rip authentication-mode simple huawei
 rip summary-address 172.16.0.0 255.255.0.0
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.2 255.255.255.0
 rip authentication-mode simple huawei
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return

<R3>display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
 rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
 ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
 ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
 ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
 ip address 172.16.3.1 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
Topology
Scenario
Assume that you are a network administrator of a company. The company will use OSPF to exchange routes. All the routers belong to OSPF area 0. OSPF is required to advertise default routes and the DR or BDR will be elected.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface serial1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
[R3-GigabitEthernet0/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]interface loopback 2
[R3-LoopBack2]ip address 172.16.0.1 24
Step 2
Configure OSPF.
Use Loopback0's IP address 10.0.1.1 as the router ID, use OSPF process 1 (default OSPF process), and specify network segments 10.0.12.0/24, 10.0.13.0/24, and 10.0.1.0/24 in OSPF area 0.
[R1]ospf 1 router-id 10.0.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
A router can run multiple OSPF processes and different routers in a routing domain can use identical or different OSPF process IDs. You must specify the wildcard mask in the network command. Use Loopback0's IP address 10.0.2.2 as the router ID, use OSPF process 10, and specify network segments 10.0.12.0/24 and 10.0.2.0/24 in OSPF area 0.
[R2]ospf 10 router-id 10.0.2.2
Use Loopback0's IP address 10.0.3.3 as the router ID, use OSPF process 100, and specify network segments 10.0.13.0/24 and 10.0.3.0/24 in OSPF area 0.
[R3]ospf 100 router-id 10.0.3.3
[R3-ospf-100]area 0
[R3-ospf-100-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[R3-ospf-100-area-0.0.0.0]network 10.0.3.0 0.0.0.255
Step 3
After OSPF route convergence is complete, view routing tables of R1, R2, and R3.
<R1>display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 16 Destination/Mask 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.2/32 10.0.3.3/32 Proto Routes : 16 Pre Cost 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D D D D D Flags NextHop 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.13.3 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.13.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface
LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 GigabitEthernet0/0/0 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 GigabitEthernet0/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
1562 D
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.13.0/24 Direct 0 10.0.13.1/32 Direct 0 10.0.13.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0
<R2>display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 14 Destination/Mask 10.0.1.1/32 10.0.2.0/24 10.0.2.2/32 10.0.2.255/32 10.0.3.3/32 Proto OSPF Routes : 14 Pre Cost 10 1562 0 0 0 1563 0 0 0 0 1563 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.12.1 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.12.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.13.0/24 OSPF 127.0.0.0/8 10 Direct 0
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 16 Destination/Mask 10.0.1.1/32 10.0.2.2/32 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto OSPF OSPF Routes : 16 Pre Cost 10 10 1 0 0 0 0 0 0 0 0 0 D D D D D D D D D D Flags NextHop 10.0.13.1 10.0.13.1 10.0.3.3 127.0.0.1 127.0.0.1 10.0.13.1 10.0.13.3 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface
GigabitEthernet0/0/0 GigabitEthernet0/0/0 LoopBack0 InLoopBack0 InLoopBack0 GigabitEthernet0/0/0 GigabitEthernet0/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
1563 D
10.0.12.0/24 OSPF
1563 D
10.0.13.0/24 Direct 0 10.0.13.3/32 Direct 0 10.0.13.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0
HCDA-HNTD 172.16.0.0/24 172.16.0.1/32 172.16.0.255/32 Direct 0 Direct 0 Direct 0 0 0 0 0 D D D D 172.16.0.1 127.0.0.1 127.0.0.1 127.0.0.1
255.255.255.255/32 Direct 0
Test network connectivity between R2 and R1 at 10.0.1.1 and between R2 and R3 at 10.0.3.3.
[R2]ping 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=37 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=255 time=42 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=255 time=42 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=45 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=42 ms

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 37/41/45 ms

[R2]ping 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=37 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=42 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=42 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=42 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=42 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 37/41/42 ms
Use display commands to view OSPF routing tables. Run the display ip routing-table protocol ospf command to view the learned routes. Use the display on R1 as an example. The configurations on R2 and R3 are similar.
[R1]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
OSPF routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
    10.0.2.2/32     OSPF    10   1562   D      10.0.12.2    Serial1/0/0
    10.0.3.3/32     OSPF    10   1      D      10.0.13.3    GigabitEthernet0/0/0
Run the display ospf peer command to view the OSPF neighbor status.
[R1]display ospf peer

 OSPF Process 1 with Router ID 10.0.1.1
 Neighbors

 Area 0.0.0.0 interface 10.0.12.1(Serial1/0/0)'s neighbors
 Router ID: 10.0.2.2          Address: 10.0.12.2
   State: Full   Mode:Nbr is Master   Priority: 1
   DR: None   BDR: None   MTU: 0
   Dead timer due in 30 sec
   Retrans timer interval: 4
   Neighbor is up for 00:09:19
   Authentication Sequence: [ 0 ]

 Neighbors

 Area 0.0.0.0 interface 10.0.13.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 10.0.3.3          Address: 10.0.13.3
   State: Full   Mode:Nbr is Master   Priority: 1
   DR: 10.0.13.1   BDR: 10.0.13.3   MTU: 0
   Dead timer due in 37 sec
   Retrans timer interval: 5
   Neighbor is up for 00:10:04
   Authentication Sequence: [ 0 ]
The display ospf peer command displays detailed information about neighbors. The preceding information shows that R1 has two neighbors: R2 (router ID: 10.0.2.2) and R3 (10.0.3.3). The neighbors are in full state. You can also run the display ospf peer brief command to view brief information about neighbors.
[R1]display ospf peer brief

 OSPF Process 1 with Router ID 10.0.1.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id    Interface               Neighbor id    State
 0.0.0.0    Serial1/0/0             10.0.2.2       Full
 0.0.0.0    GigabitEthernet0/0/0    10.0.3.3       Full
 ----------------------------------------------------------------------------

[R2]display ospf peer brief

 OSPF Process 10 with Router ID 10.0.2.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id    Interface               Neighbor id    State
 0.0.0.0    Serial1/0/0             10.0.1.1       Full
 ----------------------------------------------------------------------------

[R3]display ospf peer brief

 OSPF Process 100 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id    Interface               Neighbor id    State
 0.0.0.0    GigabitEthernet0/0/0    10.0.1.1       Full
 ----------------------------------------------------------------------------
Step 4
Run the display ospf interface GigabitEthernet 0/0/0 command on R1 to view the default OSPF hello interval and dead interval.
[R1]display ospf interface GigabitEthernet 0/0/0

 OSPF Process 1 with Router ID 10.0.1.1
 Interfaces

 Interface: 10.0.13.1 (GigabitEthernet0/0/0)
 Cost: 1       State: DR     Type: Broadcast    MTU: 1500
 Priority: 1
 Designated Router: 10.0.13.1
 Backup Designated Router: 10.0.13.3
 Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
Run the ospf timer command to change the OSPF hello interval and dead interval on GE0/0/0 of R1 to 15s and 60s respectively.
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ospf timer hello 15
[R1-GigabitEthernet0/0/0]ospf timer dead 60
[R1-GigabitEthernet0/0/0]display ospf interface GigabitEthernet 0/0/0

 OSPF Process 1 with Router ID 10.0.1.1
 Interfaces

 Interface: 10.0.13.1 (GigabitEthernet0/0/0)
 Cost: 1       State: DR     Type: Broadcast    MTU: 1500
 Priority: 1
 Designated Router: 10.0.13.1
 Backup Designated Router: 10.0.13.3
 Timers: Hello 15 , Dead 60 , Poll 120 , Retransmit 5 , Transmit Delay 1
----------------------------------------------------------------------------
The preceding information shows that R1 has only one neighbor, R2. Because OSPF hello intervals and dead intervals on R1 and R3 are different, R1 and R3 cannot establish an OSPF neighbor relationship. Run the ospf timer command to change the OSPF hello interval and
 Interface: 10.0.13.3 (GigabitEthernet0/0/0)
 Cost: 1       State: DR     Type: Broadcast    MTU: 1500
 Priority: 1
 Designated Router: 10.0.13.3
 Backup Designated Router: 10.0.13.1
 Timers: Hello 15 , Dead 60 , Poll 120 , Retransmit 5 , Transmit Delay 1
Step 5
View routing tables of R1 and R2. You can see that R1 and R2 have learned the default routes advertised by R3.
[R1]display ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 17 Destination/Mask 0.0.0.0/0 10.0.1.0/24 10.0.1.1/32 10.0.1.255/32 10.0.2.2/32 10.0.3.3/32 Proto O_ASE Routes : 17 Pre Cost 150 1 0 0 0 1 D D D D D Flags NextHop 10.0.13.3 10.0.1.1 127.0.0.1 127.0.0.1 10.0.12.2 10.0.13.3 Interface
1562 D
Chapter 4 OSPF Configuration 0 0 0 0 0 0 0 0 0 0 0 D D D D D D D D D D D 10.0.12.1 127.0.0.1 10.0.12.2 127.0.0.1 10.0.13.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Serial1/0/0 InLoopBack0 Serial1/0/0 InLoopBack0 GigabitEthernet0/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.13.0/24 Direct 0 10.0.13.1/32 Direct 0 10.0.13.255/32 Direct 0 127.0.0.0/8 Direct 0 127.0.0.1/32 Direct 0 127.255.255.255/32 Direct 0 255.255.255.255/32 Direct 0 [R2]display ip routing-table
Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 15 Destination/Mask 0.0.0.0/0 10.0.1.1/32 10.0.2.0/24 10.0.2.2/32 10.0.2.255/32 10.0.3.3/32 Proto O_ASE OSPF Routes : 15 Pre Cost 150 10 1 1562 0 0 0 1563 0 0 0 0 1563 0 0 0 0 Flags NextHop D D D D D D D D D D D D D D D 10.0.12.1 10.0.12.1 10.0.2.2 127.0.0.1 127.0.0.1 10.0.12.1 10.0.12.2 10.0.12.1 127.0.0.1 127.0.0.1 10.0.12.1 127.0.0.1 127.0.0.1 127.0.0.1 127.0.0.1 Interface Serial1/0/0 Serial1/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial1/0/0 Serial1/0/0 Serial1/0/0 InLoopBack0 InLoopBack0 Serial1/0/0 InLoopBack0 InLoopBack0 InLoopBack0 InLoopBack0
10.0.12.0/24 Direct 0 10.0.12.1/32 Direct 0 10.0.12.2/32 Direct 0 10.0.12.255/32 Direct 0 10.0.13.0/24 OSPF 127.0.0.0/8 10 Direct 0
Run the ping command to test connectivity between R2 and Loopback2 at 172.16.0.1.
<R2>ping 172.16.0.1
  PING 172.16.0.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=254 time=47 ms
    Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=254 time=37 ms
    Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=254 time=37 ms
    Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=254 time=37 ms
    Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=254 time=37 ms

  --- 172.16.0.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 37/39/47 ms
Step 6
Run the display ospf peer command to view the DR and BDR of R1 and R3.
[R1]display ospf peer 10.0.3.3

 OSPF Process 1 with Router ID 10.0.1.1
 Neighbors

 Area 0.0.0.0 interface 10.0.13.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 10.0.3.3          Address: 10.0.13.3
   State: Full   Mode:Nbr is Master   Priority: 1
   DR: 10.0.13.3   BDR: 10.0.13.1   MTU: 0
   Dead timer due in 49 sec
   Retrans timer interval: 5
   Neighbor is up for 00:17:40
   Authentication Sequence: [ 0 ]
The preceding information shows that R3 is the DR and R1 is the BDR. This is because R3's router ID 10.0.3.3 is greater than R1's router ID 10.0.1.1. R1 and R3 use the default priority of 1, so their router IDs are used for DR or BDR election. Run the ospf dr-priority command to change DR priorities of R1 and R3.
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ospf dr-priority 200

[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ospf dr-priority 100
By default, a DR or BDR is elected in non-preemption mode. After router priorities are changed, a DR is not re-elected, so you must reset the OSPF neighbor relationship between R1 and R3. Shut down and re-enable GE0/0/0 interfaces on R1 or R3 to reset the OSPF neighbor relationship between R1 and R3.
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]shutdown
[R1-GigabitEthernet0/0/0]undo shutdown
Run the display ospf peer command to view the DR and BDR of R1 and R3.
[R1-GigabitEthernet0/0/0]display ospf peer 10.0.3.3

 OSPF Process 1 with Router ID 10.0.1.1
 Neighbors

 Area 0.0.0.0 interface 10.0.13.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 10.0.3.3          Address: 10.0.13.3
   State: Full   Mode:Nbr is Master   Priority: 100
   DR: 10.0.13.1   BDR: 10.0.13.3   MTU: 0
   Dead timer due in 52 sec
   Retrans timer interval: 5
   Neighbor is up for 00:00:25
   Authentication Sequence: [ 0 ]
According to the preceding information, R1's priority is higher than R3's priority, so R1 becomes DR and R3 becomes the BDR.
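The timer check from Step 4 and the election behaviour from Step 6 can be traced with the following added example, which is not part of the lab guide. It models one broadcast segment by router ID (the VRP output identifies the DR and BDR by interface address), follows the election order of RFC 2328 section 9.4 in simplified form, and assumes the reset restarts the election on both routers; Router, hello_accepted, neighbors_seen_by and elect are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    rid: str             # router ID, e.g. "10.0.1.1"
    priority: int = 1    # ospf dr-priority (0 means never DR or BDR)
    hello: int = 10      # ospf timer hello, in seconds
    dead: int = 40       # ospf timer dead, in seconds


def hello_accepted(local, remote):
    """Timer part of the Hello check: both intervals must match exactly.
    Real OSPF also compares area ID, network mask and authentication."""
    return (local.hello, local.dead) == (remote.hello, remote.dead)


def neighbors_seen_by(me, segment):
    """Routers on the segment whose Hellos 'me' would accept."""
    return [r for r in segment if r is not me and hello_accepted(me, r)]


def _rank(router):
    # Higher priority wins; the higher router ID breaks a tie.
    return (router.priority, int(ipaddress.IPv4Address(router.rid)))


def elect(routers, dr=None, bdr=None):
    """Elect (DR, BDR) among mutually adjacent routers.

    dr / bdr are the router IDs that already hold the roles, or None on a
    segment that is starting from scratch. Existing holders are kept, which
    is why changing priorities alone does not move the DR."""
    eligible = [r for r in routers if r.priority > 0]
    for _ in range(len(routers) + 2):
        # BDR: prefer a router already acting as BDR, else the best non-DR.
        not_dr = [r for r in eligible if r.rid != dr]
        claiming_bdr = [r for r in not_dr if r.rid == bdr]
        pool = claiming_bdr or not_dr
        new_bdr = max(pool, key=_rank).rid if pool else None
        # DR: keep a router already acting as DR, else promote the BDR.
        claiming_dr = [r for r in eligible if r.rid == dr]
        new_dr = claiming_dr[0].rid if claiming_dr else new_bdr
        if (new_dr, new_bdr) == (dr, bdr):
            break
        dr, bdr = new_dr, new_bdr   # roles changed: run the election again
    return dr, bdr


def lab_walkthrough():
    r1 = Router("R1", "10.0.1.1")
    r3 = Router("R3", "10.0.3.3")
    segment = [r1, r3]
    first = elect(segment)                # equal priority: higher router ID
    r1.priority, r3.priority = 200, 100   # ospf dr-priority 200 / 100
    kept = elect(segment, *first)         # roles already held: no preemption
    restarted = elect(segment)            # after the neighbor reset
    return first, kept, restarted


if __name__ == "__main__":
    for label, (dr, bdr) in zip(("initial", "priority changed", "after reset"),
                                lab_walkthrough()):
        print(f"{label:17} DR={dr} BDR={bdr}")
```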
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
 ospf dr-priority 200
 ospf timer hello 15
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.1.0 0.0.0.255
  network 10.0.13.0 0.0.0.255
  network 10.0.12.0 0.0.0.255
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 10 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.2.0 0.0.0.255
  network 10.0.12.0 0.0.0.255
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.3 255.255.255.0
 ospf dr-priority 100
 ospf timer hello 15
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
 ip address 172.16.0.1 255.255.255.0
#
ospf 100 router-id 10.0.3.3
 default-route-advertise
 area 0.0.0.0
  network 10.0.13.0 0.0.0.255
  network 10.0.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 LoopBack2
#
return
Topology
Scenario
Assume that you are a network administrator of a company. The company will use OSPF to advertise routes. As the network scale increases, OSPF multi-area is used to plan the company network. OSPF authentication is required to ensure security. During this configuration, you will learn about OSPF LSA types and functions.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface serial1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
[R3-GigabitEthernet0/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]interface loopback 2
Step 2
R1 functions as the ABR. Specify network segment 10.0.12.0/24 in area 0 and network segments 10.0.13.0/24 and 10.0.1.0/24 in area 1.
[R1]ospf 1 router-id 10.0.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]network 10.0.13.0 0.0.0.255
[R1-ospf-1-area-0.0.0.1]network 10.0.1.0 0.0.0.255
R3 functions as the ASBR. Specify network segments 10.0.13.0/24 and 10.0.3.0/24 in area 1. The network segment 172.16.0.0/24 does not belong to any OSPF area.
[R3]ospf 1 router-id 10.0.3.3
[R3-ospf-1]area 1
[R3-ospf-1-area-0.0.0.1]network 10.0.3.0 0.0.0.255
[R3-ospf-1-area-0.0.0.1]network 10.0.13.0 0.0.0.255
Step 3
View routing tables of R1, R2, and R3. Verify that each router has learned the following routes marked in grey.
[R1]display ip routing-table protocol ospf Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Public routing table : OSPF Destinations : 2 Routes : 2
Proto 10 10
Interface
Serial1/0/0 GigabitEthernet0/0/0
[R2]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 3        Routes : 3

OSPF routing table status : <Active>
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
    10.0.1.1/32     OSPF    10   1562   D      10.0.12.1    Serial1/0/0
    10.0.3.3/32     OSPF    10   1563   D      10.0.12.1    Serial1/0/0
    10.0.13.0/24    OSPF    10   1563   D      10.0.12.1    Serial1/0/0
[R3]display ip routing-table protocol ospf Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Public routing table : OSPF Destinations : 3 Routes : 3
OSPF routing table status : <Active> Destinations : 3 Destination/Mask 10.0.1.1/32 OSPF 10.0.2.2/32 OSPF 10.0.12.0/24 OSPF Proto 10 10 10 1 1563 1563 Routes : 3 Pre Cost D D D Flags NextHop 10.0.13.1 10.0.13.1 10.0.13.1 Interface
----------------------------------------------------------------------------

[R2]display ospf peer brief

 OSPF Process 1 with Router ID 10.0.2.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id    Interface               Neighbor id    State
 0.0.0.0    Serial1/0/0             10.0.1.1       Full
 ----------------------------------------------------------------------------

[R3]display ospf peer brief

 OSPF Process 1 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id    Interface               Neighbor id    State
 0.0.0.1    GigabitEthernet0/0/0    10.0.1.1       Full
 ----------------------------------------------------------------------------
Verify that the OSPF process ID and router ID of each router are correct and that the neighbor relationships are in full state.
Step 4
Import external routes and verify the configuration.
Run the import-route command on R3 to import direct routes.
[R3]ospf 1
[R3-ospf-1]import-route direct
View routing tables of R1 and R2. R1 and R2 have learned the routes 10.0.3.0/24 and 172.16.0.0/24.
[R1]display ip routing-table protocol ospf Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Public routing table : OSPF Destinations : 4 Routes : 4
Proto 10 10
Interface
150 1 150 1
172.16.0.0/24 O_ASE
[R2]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 5        Routes : 5

OSPF routing table status : <Active>
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
    10.0.1.1/32     OSPF    10   1562   D      10.0.12.1    Serial1/0/0
    10.0.3.0/24     O_ASE   150  1      D      10.0.12.1    Serial1/0/0
    10.0.3.3/32     OSPF    10   1563   D      10.0.12.1    Serial1/0/0
    10.0.13.0/24    OSPF    10   1563   D      10.0.12.1    Serial1/0/0
    172.16.0.0/24   O_ASE   150  1      D      10.0.12.1    Serial1/0/0
The routes in grey are imported routes. The value of Proto is O_ASE, indicating an external route. Run the ping command with the source address specified to test network connectivity.
[R2]ping -a 10.0.2.2 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=35 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=33 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=33 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=33 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=33 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/33/35 ms

[R2]ping -a 10.0.2.2 172.16.0.1
  PING 172.16.0.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=254 time=35 ms
    Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=254 time=33 ms
    Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=254 time=33 ms
    Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=254 time=33 ms
    Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=254 time=33 ms
  --- 172.16.0.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/33/35 ms
Run the display ospf lsdb command to view the LSDB of R1.
[R1]display ospf lsdb
OSPF Process 1 with Router ID 10.0.1.1
Link State Database

Area: 0.0.0.0
Type       LinkState ID   AdvRouter   Age   Len  Sequence  Metric
Router     10.0.2.2       10.0.2.2    908   60   80000003  1562
Router     10.0.1.1       10.0.1.1    918   48   80000003  1562
Sum-Net    10.0.13.0      10.0.1.1    1022  28   80000001  1
Sum-Net    10.0.3.3       10.0.1.1    720   28   80000001  1
Sum-Net    10.0.1.1       10.0.1.1    1016  28   80000001  0
Sum-Asbr   10.0.3.3       10.0.1.1    393   28   80000001  1

Area: 0.0.0.1
Type       LinkState ID   AdvRouter   Age   Len  Sequence  Metric
Router     10.0.3.3       10.0.3.3    394   48   80000005  1
Router     10.0.1.1       10.0.1.1    719   48   80000006  1
Network    10.0.13.1      10.0.1.1    719   32   80000002  0
Sum-Net    10.0.12.0      10.0.1.1    1022  28   80000001  1562
80000001
AS External Database
Type       LinkState ID   AdvRouter   Age   Len  Sequence  Metric
External   10.0.3.0       10.0.3.3    395   36   80000001  1
External   10.0.13.0      10.0.3.3    395   36   80000001  1
External   172.16.0.0     10.0.3.3    395   36   80000001  1
The preceding information is the brief information about the LSDB. The LSDB contains one ASBR-summary-LSA (Type4 LSA) and three AS-external-LSAs (Type5 LSAs). You can also run the following commands to view detailed information about LSAs. The following three commands display the Type3 LSA, Type4 LSA, and Type5 LSA respectively.
[R1]display ospf lsdb summary 10.0.3.3
OSPF Process 1 with Router ID 10.0.1.1
Area: 0.0.0.0
Link State Database
Net mask : 255.255.255.255
Tos 0 metric: 1
Priority : Low
Area: 0.0.0.1
Link State Database

[R1]display ospf lsdb asbr
OSPF Process 1 with Router ID 10.0.1.1
Area: 0.0.0.0
Link State Database
: Sum-Asbr : 10.0.3.3 : 10.0.1.1 : 591 : 28 : E : 80000001 : 0x3e01
Tos 0 metric: 1
Area: 0.0.0.1
Link State Database

[R1]display ospf lsdb ase 172.16.0.0
OSPF Process 1 with Router ID 10.0.1.1
Link State Database
Net mask : 255.255.255.0
TOS 0 Metric: 1
E type : 2
Tag : 1
Forwarding Address : 0.0.0.0
Priority : Low
Step 5
configuration.
Configure S1/0/0 on R1 in interface authentication mode, use the plain text, and set the password to Huawei.
R1 and R2 cannot establish an OSPF neighbor relationship because they use different OSPF authentication modes.

Configure S1/0/0 on R2 in interface authentication mode, use the plain text, and set the password to Huawei.
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ospf authentication-mode simple plain huawei
R1 and R2 can reestablish an OSPF neighbor relationship because they now use the same authentication mode and password.

On R1, configure area authentication for area 1: use MD5 authentication, with the password Huawei stored in cipher text.
[R1]ospf 1
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei

[R1]display ospf peer brief
OSPF Process 1 with Router ID 10.0.1.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id     Interface               Neighbor id   State
0.0.0.0     Serial1/0/0             10.0.2.2      Full
----------------------------------------------------------------------------
R1 and R3 cannot establish an OSPF neighbor relationship because they use different OSPF authentication modes.

On R3, configure area authentication for area 1: use MD5 authentication, with the password Huawei stored in cipher text.
[R3]ospf 1
[R3-ospf-1]area 1
[R3-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei
R1 and R3 can reestablish an OSPF neighbor relationship because they use the same authentication modes and passwords.
The preceding routes have the same source interface, Loopback0 on R3. Other routers learn two routes. Does this lead to any problem, and if so, how can it be solved? Analyze Type4 LSA generation, transfer, and conversion.
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 ospf authentication-mode simple plain huawei
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
 area 0.0.0.1
  authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
  network 10.0.13.0 0.0.0.255
  network 10.0.1.0 0.0.0.255
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
 ospf authentication-mode simple plain huawei
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
  network 10.0.2.0 0.0.0.255
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
 ip address 172.16.0.1 255.255.255.0
#
ospf 1 router-id 10.0.3.3
 import-route direct
 area 0.0.0.1
  authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
  network 10.0.3.0 0.0.0.255
  network 10.0.13.0 0.0.0.255
#
return
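Two things this lab shows can be checked offline against saved configurations: neighbors fail to form when the two ends of a link use different authentication modes, and the simple/plain setting leaves the password readable in display current-configuration (OSPF simple authentication also carries it unencrypted in every packet). The Python audit below is an added example, not part of the lab guide or of any Huawei tool; the finding codes, the condensed sample configurations and the placeholder ciphertext are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the lab's final configurations reduced to their OSPF
# lines. PLACEHOLDER-CIPHERTEXT stands in for the stored cipher string.
R1 = """\
sysname R1
#
interface Serial1/0/0
 ip address 10.0.12.1 255.255.255.0
 ospf authentication-mode simple plain huawei
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
 area 0.0.0.1
  authentication-mode md5 1 cipher PLACEHOLDER-CIPHERTEXT
  network 10.0.13.0 0.0.0.255
"""
R2 = """\
sysname R2
#
interface Serial1/0/0
 ip address 10.0.12.2 255.255.255.0
 ospf authentication-mode simple plain huawei
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
"""
R3 = """\
sysname R3
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.3 255.255.255.0
#
ospf 1 router-id 10.0.3.3
 area 0.0.0.1
  authentication-mode md5 1 cipher PLACEHOLDER-CIPHERTEXT
  network 10.0.13.0 0.0.0.255
"""
# R2 as it stands mid-lab, before its interface authentication is configured.
R2_BEFORE = R2.replace(" ospf authentication-mode simple plain huawei\n", "")

def parse_auth(tokens):
    """Return (mode, storage) from the words that follow authentication-mode."""
    return tokens[0], next((t for t in tokens[1:] if t in ("plain", "cipher")), None)

def parse(cfg):
    r = {"name": None, "ifaces": {}, "areas": {}}
    iface = area = None
    for t in (line.split() for line in cfg.splitlines()):
        if not t or t[0] == "#":
            iface = area = None          # '#' closes the current section
        elif t[0] == "sysname":
            r["name"] = t[1]
        elif t[0] == "interface":
            iface = r["ifaces"].setdefault(t[1], {"ip": None, "auth": None})
        elif t[0] == "area":
            area = r["areas"].setdefault(t[1], {"auth": None, "nets": []})
        elif iface is not None and t[:2] == ["ip", "address"]:
            iface["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif iface is not None and t[:2] == ["ospf", "authentication-mode"]:
            iface["auth"] = parse_auth(t[2:])
        elif area is not None and t[0] == "authentication-mode":
            area["auth"] = parse_auth(t[1:])
        elif area is not None and t[0] == "network":   # address + wildcard mask
            area["nets"].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
    return r

def ospf_links(r):
    """Yield (subnet, 'host:ifname', auth); interface auth overrides area auth."""
    for name, i in r["ifaces"].items():
        for a in r["areas"].values():
            if i["ip"] and any(i["ip"].ip in n for n in a["nets"]):
                yield i["ip"].network, f"{r['name']}:{name}", i["auth"] or a["auth"]
                break

def audit(configs):
    links = defaultdict(list)
    for r in map(parse, configs):
        for subnet, where, auth in ospf_links(r):
            links[subnet].append((where, auth))
    findings = []
    for subnet, ends in sorted(links.items()):
        if len(ends) < 2:
            continue                     # no neighbor on this segment
        if len({a[0] if a else "none" for _, a in ends}) > 1:
            findings.append((str(subnet), "link", "MODE_MISMATCH"))
        for where, a in ends:
            codes = ["NO_AUTH"] if a is None else (
                ["CLEARTEXT_ON_WIRE"] * (a[0] == "simple")
                + ["PLAIN_IN_CONFIG"] * (a[1] == "plain"))
            findings += [(str(subnet), where, c) for c in codes]
    return findings

if __name__ == "__main__":
    for finding in audit([R1, R2_BEFORE, R3]) + audit([R1, R2, R3]):
        print(*finding)
```

The audit compares modes only; two ends with the same mode but different passwords still fail to peer, and that cannot be detected from cipher-text configurations.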
Topology
Scenario
Assume that you are a network administrator of a company, and the company network uses RIPv2 and OSPF. RIP needs to import OSPF routes and OSPF needs to import RIP routes to enable communication between RIP-enabled devices and OSPF-enabled devices. The metrics of different routing protocols are different.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface serial1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
[R3-GigabitEthernet0/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
[R3-LoopBack0]interface loopback 2
[R3-LoopBack2]ip address 172.16.0.1 24
[R3-LoopBack2]interface LoopBack 3
[R3-LoopBack3]ip address 172.16.1.1 24
[R3-LoopBack3]interface LoopBack 4
[R3-LoopBack4]ip address 172.16.2.1 24
[R3-LoopBack4]interface LoopBack 5
[R3-LoopBack5]ip address 172.16.3.1 24
Step 2
View routing tables of R1 and R2. The following information shows that R1 has learned a route to another network segment using OSPF.
[R1]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 1        Routes : 1

OSPF routing table status : <Active>
         Destinations : 1        Routes : 1

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.0.2.2/32         OSPF    10   1562   D      10.0.12.2    Serial1/0/0
R2 is directly connected to network segments in the OSPF area; therefore, R2 does not learn other routes using OSPF.
Step 3 Configure RIPv2 and verify the RIPv2 configuration.
Enable RIPv2 process 1 on R1, and specify the network segment 10.0.0.0 in RIP process 1.
[R1]rip 1
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
Enable RIPv2 process 1 on R3, and specify network segments 172.16.0.0 and 10.0.0.0 in RIP process 1.
[R3]rip 1
[R3-rip-1]version 2
[R3-rip-1]network 10.0.0.0
[R3-rip-1]network 172.16.0.0
View routing tables of R1 and R3. The following information shows that R1 has learned the corresponding routes using RIP.
[R1]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 5        Routes : 5

RIP routing table status : <Active>
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.0.3.0/24         RIP     100  1      D      10.0.13.3
172.16.0.0/24       RIP     100  1      D      10.0.13.3
172.16.1.0/24       RIP     100  1      D      10.0.13.3
172.16.2.0/24       RIP     100  1      D      10.0.13.3
172.16.3.0/24       RIP     100  1      D      10.0.13.3

RIP routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.0.1.0/24         RIP     100  1      D      10.0.13.1    GigabitEthernet0/0/0
10.0.12.0/24        RIP     100  1      D      10.0.13.1    GigabitEthernet0/0/0
Step 4
configuration.
R2 and R3 do not learn routes from each other because they belong to different routing domains.

On R1, import RIP routes into the OSPF routing table.
[R1]ospf 1
[R1-ospf-1]import-route rip 1 cost 100
Destination/Mask      Proto   Pre  Cost   Flags  NextHop      Interface
10.0.2.2/32           OSPF    10   1562   D      10.0.12.2    Serial1/0/0
10.0.3.0/24           RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
10.0.12.0/24          Direct  0    0      D      10.0.12.1    Serial1/0/0
10.0.12.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.12.2/32          Direct  0    0      D      10.0.12.2    Serial1/0/0
10.0.12.255/32        Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.13.0/24          Direct  0    0      D      10.0.13.1    GigabitEthernet0/0/0
10.0.13.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.13.255/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0      D      127.0.0.1    InLoopBack0
172.16.0.0/24         RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
172.16.1.0/24         RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
172.16.2.0/24         RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
172.16.3.0/24         RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
255.255.255.255/32    Direct  0    0      D      127.0.0.1    InLoopBack0
The R1 routing table remains unchanged after route import. This is because R1 is located in both OSPF and RIP routing domains. Before routes are imported, R1 has learned all the routes. R2 and R3 have learned the following routes.
[R2]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 7        Routes : 7

OSPF routing table status : <Active>
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.0.1.0/24         O_ASE   150  100    D      10.0.12.1    Serial1/0/0
10.0.3.0/24         O_ASE   150  100    D      10.0.12.1    Serial1/0/0
10.0.13.0/24        O_ASE   150  100    D      10.0.12.1    Serial1/0/0
172.16.0.0/24       O_ASE   150  100    D      10.0.12.1    Serial1/0/0
172.16.1.0/24       O_ASE   150  100    D      10.0.12.1    Serial1/0/0
172.16.2.0/24       O_ASE   150  100    D      10.0.12.1    Serial1/0/0
172.16.3.0/24       O_ASE   150  100    D      10.0.12.1    Serial1/0/0

[R3]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 3        Routes : 3

RIP routing table status : <Active>
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.0.1.0/24         RIP     100  1      D      10.0.13.1
10.0.2.2/32         RIP     100  2      D      10.0.13.1
10.0.12.0/24        RIP     100  1      D      10.0.13.1
Test network connectivity. On R2, run the ping command specifying the source address.
[R2]ping -c 1 -a 10.0.2.2 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=44 ms
  --- 10.0.3.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 44/44/44 ms

[R2]ping -c 1 -a 10.0.2.2 172.16.0.1
  PING 172.16.0.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=254 time=44 ms
  --- 172.16.0.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 44/44/44 ms
View routing tables of R1 and R2 and compare routing tables in this step with the routing tables in step 3.
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 17       Routes : 17

Destination/Mask      Proto   Pre  Cost   Flags  NextHop      Interface
10.0.1.0/24           Direct  0    0      D      10.0.1.1     LoopBack0
10.0.1.1/32           Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.1.255/32         Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.2.2/32           OSPF    10   1562   D      10.0.12.2    Serial1/0/0
10.0.3.0/24           RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
10.0.12.0/24          Direct  0    0      D      10.0.12.1    Serial1/0/0
10.0.12.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.12.2/32          Direct  0    0      D      10.0.12.2    Serial1/0/0
10.0.12.255/32        Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.13.0/24          Direct  0    0      D      10.0.13.1    GigabitEthernet0/0/0
10.0.13.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
10.0.13.255/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0      D      127.0.0.1    InLoopBack0
172.16.0.0/22         RIP     100  1      D      10.0.13.3    GigabitEthernet0/0/0
255.255.255.255/32    Direct  0    0      D      127.0.0.1    InLoopBack0
[R2]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 4        Routes : 4
Pre Cost 150 150 150 150 100 100 100 100
10.0.13.0/24 O_ASE
R1 and R2 learn the aggregated route 172.16.0.0/22 but not the specific route 172.16.0.0/24.
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 import-route rip 1 cost 100
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
#
rip 1
 version 2
 network 10.0.0.0
 import-route ospf 1 cost 1
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
  network 10.0.2.0 0.0.0.255
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.3 255.255.255.0
 rip summary-address 172.16.0.0 255.255.252.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
 ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
 ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
 ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
 ip address 172.16.3.1 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
 network 172.16.0.0
#
return
Topology
Scenario
Assume that you are a network administrator of a company that has two Huawei S5700 switches. You need to commission the switches. The Ethernet interface rate and duplex mode will be tested.
switches.
Auto-negotiation is enabled on Huawei switch interfaces by default. In this example, the rate and duplex mode of G0/0/9 and G0/0/10 on S1 and S2 are set manually. Change the system name and view detailed information about G0/0/9 and G0/0/10 on S1.
<Quidway>system-view
[Quidway]sysname S1
[S1]display interface GigabitEthernet 0/0/9
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 752 bits/sec, 0 packets/sec
Last 300 seconds output rate 720 bits/sec, 0 packets/sec
Input peak rate 1057259144 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267232 bits/sec,Record time: 2008-10-01 00:08:58
Input: 11655141 packets, 960068100 bytes
Unicast Broadcast CRC Jabbers Runts Alignments Ignoreds Discard Unicast Broadcast Collisions : : : : : : : : : : : 70,Multicast 6643714,Jumbo 0,Giants 0,Throttles 0,DropEvents 0,Symbols 0,Frames 69,Total Error 345,Multicast 6642808,Jumbo 0,Deferreds : : : : : : : : : : : 0 0 0 0 0 0 5009016 0 0 5011357 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.00%

[S1]display interface GigabitEthernet 0/0/10
GigabitEthernet0/0/10 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/10 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 1312 bits/sec, 0 packets/sec
Last 300 seconds output rate 72 bits/sec, 0 packets/sec
Input peak rate 1057256792 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267296 bits/sec,Record time: 2008-10-01 00:08:58
Input: 11651829 packets, 959852817 bytes
Unicast Broadcast CRC Jabbers Runts Alignments Ignoreds Discard Unicast Broadcast Collisions : : : : : : : : : : : 115,Multicast 6642648,Jumbo 3,Giants 0,Throttles 0,DropEvents 0,Symbols 0,Frames 218,Total Error 245,Multicast 6643751,Jumbo 0,Deferreds 0 107,Total Error : 0 : : : : : : : : : : : 0 0 0 4 0 7 5011284 0 0 0 5009062 0
0,ExcessiveCollisions:
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.00%
Set the rate of G0/0/9 and G0/0/10 on S1 to 100 Mbit/s and configure them to work in full duplex mode.
[S1]interface GigabitEthernet 0/0/9
Info: Please undo negotiation first.
[S1-GigabitEthernet0/0/9]undo negotiation auto
[S1-GigabitEthernet0/0/9]speed 100
[S1-GigabitEthernet0/0/9]duplex full
Warning:Configuration is repeated.
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]undo negotiation auto
[S1-GigabitEthernet0/0/10]speed 100
[S1-GigabitEthernet0/0/10]duplex full
Warning:Configuration is repeated.
[S1-GigabitEthernet0/0/10]
Before changing the interface rate and duplex mode, disable auto-negotiation. If the interface has been configured to work in full duplex mode, the preceding alarm is displayed when you enter the duplex full command. Set the rate of G0/0/9 and G0/0/10 on S2 to 100 Mbit/s and configure them to work in full duplex mode.
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]undo negotiation auto
[S2-GigabitEthernet0/0/9]speed 100
[S2-GigabitEthernet0/0/9]duplex full
Warning:Configuration is repeated.
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]undo negotiation auto
[S2-GigabitEthernet0/0/10]speed 100
[S2-GigabitEthernet0/0/10]duplex full
Warning:Configuration is repeated.
Verify the rate and duplex mode of G0/0/9 and G0/0/10 on S1.
[S1]display interface GigabitEthernet 0/0/9
GigabitEthernet0/0/9 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO
(output omitted)

[S1]display interface GigabitEthernet 0/0/10
GigabitEthernet0/0/10 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/10 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO
(output omitted)
Step 2
Create Eth-Trunk 1 on S1 and S2. Delete the default configurations from G0/0/9 and G0/0/10 on S1 and S2, and then add G0/0/9 and G0/0/10 to Eth-Trunk 1.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]undo ntdp enable
[S1-GigabitEthernet0/0/9]undo ndp enable
[S1-GigabitEthernet0/0/9]bpdu disable
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]int GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]undo ntdp enable
[S1-GigabitEthernet0/0/10]undo ndp enable
[S1-GigabitEthernet0/0/10]bpdu disable
[S1-GigabitEthernet0/0/10]eth-trunk 1

[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]undo ntdp enable
[S2-GigabitEthernet0/0/9]undo ndp enable
[S2-GigabitEthernet0/0/9]bpdu disable
[S2-GigabitEthernet0/0/9]eth-trunk 1
[S2-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]undo ntdp enable
[S2-GigabitEthernet0/0/10]undo ndp enable
[S2-GigabitEthernet0/0/10]bpdu disable
[S2-GigabitEthernet0/0/10]eth-trunk 1
The greyed lines in the preceding information indicate that the Eth-Trunk works properly.
Final Configurations
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 vlan batch 1
#
 stp mode rstp
 stp enable
#
 cluster enable
 ntdp enable
 ndp enable
#
interface Eth-Trunk1
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
 undo negotiation auto
 speed 100
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
 undo negotiation auto
 speed 100
#
return

[S2]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S2
#
 vlan batch 1
#
 stp mode rstp
 stp enable
#
 cluster enable
 ntdp enable
 ndp enable
#
interface Eth-Trunk1
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
 undo negotiation auto
 speed 100
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
 undo negotiation auto
 speed 100
#
return
the root port and designated port Method used to configure an edge port
Topology
Scenario
Assume that you are a network administrator of a company. The company network consists of two layers: core layer and access layer. The network uses a redundancy design. STP will be used to prevent loops. STP has different modes. You can set the bridge priority to control STP root bridge election, and configure features to speed up STP convergence at the network edge.
Irrelevant interfaces must be disabled to ensure test result accuracy. Shut down E0/0/1 on S3 before starting STP configuration. Ensure that the devices start without any configuration files. If STP is disabled, run the stp enable command to enable STP.
[S1]stp enable
[S2]stp enable
[S3]stp enable
[S4]stp enable

<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]sysname S4
[S4]stp mode stp
Run the display stp brief command to view brief information about STP.
[S1]display stp brief
MSTID  Port                     Role  STP State    Protection
0      GigabitEthernet0/0/9     ROOT  FORWARDING   NONE
0      GigabitEthernet0/0/10    ALTE  DISCARDING   NONE
0      GigabitEthernet0/0/23    DESI  FORWARDING   NONE
0      GigabitEthernet0/0/24    DESI  FORWARDING   NONE

[S2]display stp brief
MSTID  Port                     Role  STP State    Protection
0      GigabitEthernet0/0/9     DESI  FORWARDING   NONE
0      GigabitEthernet0/0/10    DESI  FORWARDING   NONE
0      GigabitEthernet0/0/13    DESI  FORWARDING   NONE
0      GigabitEthernet0/0/14    DESI  FORWARDING   NONE

[S3]display stp brief
MSTID  Port                     Role  STP State    Protection
0      Ethernet0/0/13           ROOT  FORWARDING   NONE
0      Ethernet0/0/23           ALTE  DISCARDING   NONE

[S4]display stp brief
MSTID  Port                     Role  STP State    Protection
0      Ethernet0/0/14           ROOT  FORWARDING   NONE
0      Ethernet0/0/24           ALTE  DISCARDING   NONE
Run the display stp interface command to view the STP status of a port.
[S1]display stp interface GigabitEthernet 0/0/10
----[CIST][Port10(GigabitEthernet0/0/10)][DISCARDING]----
Port Protocol        :enabled
Port Role            :Alternate Port
Port Priority        :128
Port Cost(Dot1T )    :Config=auto / Active=20000
Desg. Bridge/Port    :0.0018-82e1-aea6 / 128.10
Port Edged           :Config=default / Active=disabled
Point-to-point       :Config=auto / Active=true
Transit Limit        :147 packets/hello-time
Protection Type      :None
Port Stp Mode        :STP
Port Protocol Type   :Config=auto / Active=dot1s
PortTimes            :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TC or TCN send       :2
TC or TCN received   :64
BPDU Sent            :24
         TCN: 0, Config: 0, RST: 24, MST: 0
BPDU Received        :350601
         TCN: 0, Config: 0, RST: 350601, MST: 0
Step 2
Run the display stp command to view information about the root bridge.
[S2]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :0 .0018-82e1-aea6
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :0 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC    :0 .0018-82e1-aea6 / 0
CIST RootPortId      :0.0
BPDU-Protection      :disabled
CIST Root Type       :PRIMARY root
TC or TCN received   :41
TC count per hello   :0
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:1m:6s
Configure S2 as the root bridge and S1 as the backup root bridge. The device with the same value of CIST Bridge and CIST Root/ERPC is the root bridge. A smaller bridge priority value indicates a higher bridge priority. Change the priorities of S1 and S2 to 4096 and 8192 respectively so that S1 becomes the root bridge.
[S1]undo stp root
[S1]stp priority 4096
Run the display stp command to view information about the new root bridge.
[S1]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :4096 .0018-82e1-aea6
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :4096 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC    :4096 .0018-82e1-aea6 / 0
CIST RootPortId      :0.0
BPDU-Protection      :disabled
TC or TCN received   :62
TC count per hello   :0
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:0m:3s

[S2]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :8192 .0018-82e1-ae82
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :4096 .0018-82e1-aea6 / 20000
CIST RegRoot/IRPC    :8192 .0018-82e1-ae82 / 0
CIST RootPortId      :128.9
BPDU-Protection      :disabled
TC or TCN received   :174
TC count per hello   :2
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:0m:1s
The greyed lines in the preceding information indicate that S1 has become the new root bridge. Shut down G0/0/9, G0/0/10, G0/0/13, and G0/0/14 on S1 to isolate S1.
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]shutdown
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]shutdown
[S1-GigabitEthernet0/0/10]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]shutdown
[S1-GigabitEthernet0/0/13]interface GigabitEthernet 0/0/14
[S1-GigabitEthernet0/0/14]shutdown

[S2]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :8192 .0018-82e1-ae82
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :8192 .0018-82e1-ae82 / 0
CIST RegRoot/IRPC    :8192 .0018-82e1-ae82 / 0
CIST RootPortId      :0.0
BPDU-Protection      :disabled
TC or TCN received   :197
TC count per hello   :0
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:0m:3s
The greyed lines in the preceding information indicate that S2 becomes the root bridge when S1 is faulty. Re-enable the interfaces that were shut down on S1.
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]undo shutdown
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]undo shutdown
[S1-GigabitEthernet0/0/10]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]undo shutdown
[S1-GigabitEthernet0/0/13]interface GigabitEthernet 0/0/14
[S1-GigabitEthernet0/0/14]undo shutdown

[S1]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :4096 .0018-82e1-aea6
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :4096 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC    :4096 .0018-82e1-aea6 / 0
CIST RootPortId      :0.0
BPDU-Protection      :disabled
TC or TCN received   :63
TC count per hello   :0
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:1m:6s

[S2]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge          :8192 .0018-82e1-ae82
Bridge Times         :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC       :4096 .0018-82e1-aea6 / 20000
CIST RegRoot/IRPC    :8192 .0018-82e1-ae82 / 0
CIST RootPortId      :128.9
BPDU-Protection      :disabled
TC or TCN received   :251
TC count per hello   :0
STP Converge Mode    :Nomal
Time since last TC   :0 days 0h:0m:1s
The greyed lines in the preceding information indicate that S1 has recovered and become the root bridge again.
Step 3
Run the display stp brief command on S2 to view the roles of interfaces.
[S2]display stp brief
MSTID  Port                     Role  STP State    Protection
0      GigabitEthernet0/0/9     ROOT  FORWARDING   NONE
0      GigabitEthernet0/0/10    ALTE  DISCARDING   NONE
0      GigabitEthernet0/0/23    DESI  FORWARDING   NONE
0      GigabitEthernet0/0/24    DESI  FORWARDING   NONE
The preceding information shows that G0/0/9 is the root port and G0/0/10 is the alternate port. You can change port priorities so that G0/0/10 becomes the root port and G0/0/9 becomes the alternate port. Change priorities of G0/0/9 and G0/0/10 on S1. The default port priority is 128. A larger port priority value indicates a lower priority. The priorities of G0/0/9 and G0/0/10 on S1 are set to 32 and 16; therefore, G0/0/10 on S2 becomes the root port.
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]stp port priority 32
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]stp port priority 16
Note that the port priorities are changed on S1, not S2.
[S1]display stp interface GigabitEthernet 0/0/9
----[CIST][Port9(GigabitEthernet0/0/9)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Port Priority       :32
 Port Cost(Dot1T )   :Config=auto / Active=20000
 Desg. Bridge/Port   :4096.0018-82e1-aea6 / 32.9
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :None
 Port Stp Mode       :STP
 Port Protocol Type  :Config=auto / Active=dot1s
 PortTimes           :
 TC or TCN send      :0
 TC or TCN received  :0
 BPDU Sent           :229
          TCN: 0, Config: 229, RST: 0, MST: 0
 BPDU Received       :3
          TCN: 1, Config: 2, RST: 0, MST: 0

[S1]display stp interface GigabitEthernet 0/0/10
----[CIST][Port10(GigabitEthernet0/0/10)][FORWARDING]----
 Port Protocol       :enabled
 Port Role           :Designated Port
 Port Priority       :16
 Port Cost(Dot1T )   :Config=auto / Active=20000
 Desg. Bridge/Port   :4096.0018-82e1-aea6 / 16.10
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :None
 Port Stp Mode       :STP
 Port Protocol Type  :Config=auto / Active=dot1s
 PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
 TC or TCN send      :0
 TC or TCN received  :0
 BPDU Sent           :210
 BPDU Received       :3
Run the display stp brief command on S2 to view the roles of interfaces.
[S2]display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/9        ALTE  DISCARDING    NONE
   0    GigabitEthernet0/0/10       ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/23       DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/24       DESI  FORWARDING    NONE
The greyed lines in the preceding information indicate that G0/0/10 on S2 has become the root port and G0/0/9 has become the alternate port. Shut down G0/0/10 on S2 and view the port roles.
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]shutdown

<S2>display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/9        ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/23       DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/24       DESI  FORWARDING    NONE
The greyed line in the preceding information indicates that G0/0/9 has become the root port.
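Why the priorities in Step 3 have to be changed on S1 and not on S2 follows from the order in which a bridge compares received configuration BPDUs: root ID, root path cost, sender bridge ID, sender port ID, and only last its own port ID. The following model of the two parallel S1-S2 links is an added example, not part of the lab guide; the function and class names are hypothetical, and it assumes that G0/0/9 and G0/0/10 on S2 are cabled to G0/0/9 and G0/0/10 on S1 respectively.

```python
from dataclasses import dataclass

S1_BRIDGE = (4096, "0018-82e1-aea6")   # root bridge ID from the display stp output
LINK_COST = 20000                      # active port cost from display stp interface


@dataclass(frozen=True)
class ConfigBpdu:
    """Fields of a configuration BPDU used in root-port election."""
    root_id: tuple            # (priority, MAC) of the root bridge
    root_path_cost: int       # cost to the root as advertised by the sender
    sender_bridge_id: tuple   # (priority, MAC) of the sending bridge
    sender_port_id: tuple     # (port priority, port number) of the SENDING port


def elect_root_port(received):
    """Pick the root port from {local port: (local port ID, link cost, BPDU)}.

    Every field compares lower-is-better. The receiver's own port ID is the
    last tie-breaker, so it only matters when everything the sender put in
    the BPDU is identical on both links.
    """
    def priority_vector(name):
        local_port_id, cost, bpdu = received[name]
        return (bpdu.root_id, bpdu.root_path_cost + cost,
                bpdu.sender_bridge_id, bpdu.sender_port_id, local_port_id)
    return min(received, key=priority_vector) if received else None


def s2_root_port(s1_prio_9=128, s1_prio_10=128, s2_prio_9=128, s2_prio_10=128,
                 s2_ports_up=("GigabitEthernet0/0/9", "GigabitEthernet0/0/10")):
    """Return S2's root port for the given port priorities on S1 and S2."""
    links = {   # S2 port -> (S2 port ID, port ID of the S1 port at the far end)
        "GigabitEthernet0/0/9": ((s2_prio_9, 9), (s1_prio_9, 9)),
        "GigabitEthernet0/0/10": ((s2_prio_10, 10), (s1_prio_10, 10)),
    }
    received = {
        name: (local_id, LINK_COST,
               ConfigBpdu(S1_BRIDGE, 0, S1_BRIDGE, s1_port_id))
        for name, (local_id, s1_port_id) in links.items()
        if name in s2_ports_up
    }
    return elect_root_port(received)


if __name__ == "__main__":
    print("defaults (128/128 on S1):      ", s2_root_port())
    print("S1 set to 32 and 16:           ", s2_root_port(32, 16))
    print("priority 16 set on S2 instead: ", s2_root_port(s2_prio_10=16))
    print("S1 32/16, S2 G0/0/10 shut down:",
          s2_root_port(32, 16, s2_ports_up=("GigabitEthernet0/0/9",)))
```

Lowering the priority value of G0/0/10 on S2 itself leaves G0/0/9 as the root port, because the sender port IDs 128.9 and 128.10 already differ and decide the election before the local port ID is consulted.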
Step 4
Configure ports connected to the user terminals as edge ports. An edge port can transition to the forwarding state without participating in the STP calculation. In this example, E0/0/3 and E0/0/4 on S3 are configured as edge ports.
[S3]interface Ethernet0/0/3
[S3-Ethernet0/0/3]stp edged-port enable
[S3-Ethernet0/0/3]interface Ethernet0/0/4
[S3-Ethernet0/0/4]stp edged-port enable
After the configurations are complete, connect the network cable of a computer to E0/0/3 on S3 and run the display stp brief command to view the port status. You can see that E0/0/3 enters the forwarding state immediately. When the network cable of the computer is connected to a non-edge port such as E0/0/5, the port enters the forwarding state about 30s after the link becomes Up.
Final Configurations
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 vlan batch 1
#
 stp mode stp
 stp instance 0 priority 4096
 stp enable
#
interface GigabitEthernet0/0/9
 stp instance 0 port priority 32
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/10
 stp instance 0 port priority 16
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/13
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/14
 ntdp enable

[S2]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S2
#
 vlan batch 1
#
 stp mode stp
 stp instance 0 priority 8192
 stp enable
#
interface GigabitEthernet0/0/9
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/10
 shutdown
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/23
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/24
 ntdp enable
 ndp enable
 bpdu enable
#
return

[S3]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S3
#
 stp mode stp
 stp enable
#
interface Ethernet0/0/1
 shutdown
 bpdu enable
#
interface Ethernet0/0/3
 stp edged-port enable
 bpdu enable
#
interface Ethernet0/0/4
 stp edged-port enable
 bpdu enable
#
interface Ethernet0/0/13
 bpdu enable
#
interface Ethernet0/0/23
 bpdu enable
#
return

[S4]display current-configuration
#
!Software Version V100R005C01SPC100
 sysname S4
#
 stp mode stp
 stp enable
#
interface Ethernet0/0/1
 bpdu enable
#
interface Ethernet0/0/14
 bpdu enable
#
interface Ethernet0/0/24
 bpdu enable
#
return
Topology
Scenario
Assume that you are a network administrator of a company and need to configure VLANs on the network. Your company has two switches.
Irrelevant interfaces must be disabled to ensure test result accuracy. In this lab, Ethernet0/0/1 and Ethernet0/0/23 on S3 and Ethernet0/0/14 on S4 need to be shut down. Two links exist between S1 and S2. If STP is enabled, one link will be disabled, which wastes bandwidth. If STP is not used, loops may occur. In this situation, you can configure an Eth-Trunk. Before configuring an Eth-Trunk, delete the original configurations on the member interfaces. You can add physical interfaces to an Eth-Trunk in the interface view or in the Eth-Trunk view. On S1, add interfaces to an Eth-Trunk in the interface view.
<Quidway>system-view
[Quidway]sysname S1
[S1]interface eth-trunk 1
[S1-Eth-Trunk1]quit
[S1]interface gigabitethernet0/0/9
[S1-gigabitethernet0/0/9]bpdu disable
[S1-gigabitethernet0/0/9]eth-trunk 1
[S1-gigabitethernet0/0/9]quit
[S1]interface gigabitethernet0/0/10
[S1-gigabitethernet0/0/10]bpdu disable
[S1-gigabitethernet0/0/10]eth-trunk 1

[S2-gigabitethernet0/0/10]eth-trunk 1
Step 2
By default, the link type of an interface is hybrid. You can change the link type to trunk. By default, an interface of trunk type rejects data from any VLAN. Enable STP on the Eth-Trunk.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan all
[S1-Eth-Trunk1]bpdu enable

[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan all
[S2-Eth-Trunk1]bpdu enable
Step 3
Configure VLANs.
Use S3, R1, R3, and S4 as hosts to perform the VLAN configuration. S3 belongs to VLAN 3, R1 and R3 belong to VLAN 4, and S4 belongs to VLAN 5. There are two methods to configure VLANs with consecutive IDs. There are two methods to define mapping between VLANs and interfaces.
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]quit
[S1]interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]quit
[S1]vlan 3
[S1-vlan3]port GigabitEthernet0/0/13
[S1-vlan3]quit
[S1]vlan 4
[S1-vlan4]port GigabitEthernet0/0/1
[S1-vlan4]quit
[S1]vlan 5
[S1-vlan5]quit
[S1]

[S2]vlan batch 3 to 5
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type access
[S2-GigabitEthernet0/0/3]port default vlan 4
[S2-GigabitEthernet0/0/3]quit
[S2]interface GigabitEthernet 0/0/24
[S2-GigabitEthernet0/0/24]port link-type access
[S2-GigabitEthernet0/0/24]port default vlan 5
Step 4
Plan IP addresses.
Use S3, R1, R3, and S4 as clients to perform the VLAN configuration. Configure IP addresses for interfaces. Physical interfaces on switches cannot be configured with IP addresses, so VLANIF 1 is assigned an IP address.
<Quidway>system-view
[Quidway]sysname S3
[S3]interface vlanif 1
[S3-vlanif1]ip address 10.0.3.3 24
[S3-vlanif1]quit

<Huawei>system-view
[Huawei]sysname R1
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24
[R1-GigabitEthernet0/0/1]quit

<Huawei>system-view
[Huawei]sysname R3
[R3]interface GigabitEthernet0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.4.3 24
[R3-GigabitEthernet0/0/2]quit

<Quidway>system-view
[Quidway]sysname S4
[S4]interface vlanif 1
[S4-vlanif1]ip address 10.0.5.4 24
[S4-vlanif1]quit
Step 5
Perform a test.
Run the ping command. R1 and R3 in VLAN 4 can communicate with each other, and devices in different VLANs cannot communicate.
[R3]ping 10.0.4.1
 PING 10.0.4.1: 56 data bytes, press CTRL_C to break
 Reply from 10.0.4.1: bytes=56 Sequence=1 ttl=255 time=6 ms
 Reply from 10.0.4.1: bytes=56 Sequence=2 ttl=255 time=2 ms
 Reply from 10.0.4.1: bytes=56 Sequence=3 ttl=255 time=2 ms
 Reply from 10.0.4.1: bytes=56 Sequence=4 ttl=255 time=2 ms
 Reply from 10.0.4.1: bytes=56 Sequence=5 ttl=255 time=2 ms
 --- 10.0.4.1 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 2/2/6 ms
Test communication between R1 and S3, and between R3 and S4. Configure a management address for each VLAN on S1. By doing this, S1 connects to three clients that belong to VLAN 3, VLAN 4, and VLAN 5 respectively.
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 10.0.3.11 24
[S1-Vlanif3]quit
[S1]interface Vlanif 4
[S1-Vlanif4]ip address 10.0.4.11 24
[S1-Vlanif4]quit
[S1]interface Vlanif 5
[S1-Vlanif5]ip address 10.0.5.11 24
After the configurations are complete, test communication between clients in VLANs on S1.
[S1]ping 10.0.3.3
 PING 10.0.3.3: 56 data bytes, press CTRL_C to break
 Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=10 ms
 Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=1 ms
 Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=1 ms
 Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=1 ms
 Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=10 ms
 --- 10.0.3.3 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 1/4/10 ms

[S1]ping 10.0.4.1
 PING 10.0.4.1: 56 data bytes, press CTRL_C to break
 Reply from 10.0.4.1: bytes=56 Sequence=1 ttl=255 time=1 ms
 Reply from 10.0.4.1: bytes=56 Sequence=2 ttl=255 time=1 ms
 Reply from 10.0.4.1: bytes=56 Sequence=3 ttl=255 time=1 ms
 Reply from 10.0.4.1: bytes=56 Sequence=4 ttl=255 time=1 ms
 Reply from 10.0.4.1: bytes=56 Sequence=5 ttl=255 time=1 ms
 --- 10.0.4.1 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 1/1/1 ms

[S1]ping 10.0.4.3
 PING 10.0.4.3: 56 data bytes, press CTRL_C to break
 Reply from 10.0.4.3: bytes=56 Sequence=1 ttl=255 time=1 ms
 Reply from 10.0.4.3: bytes=56 Sequence=2 ttl=255 time=1 ms
 Reply from 10.0.4.3: bytes=56 Sequence=3 ttl=255 time=1 ms
 Reply from 10.0.4.3: bytes=56 Sequence=4 ttl=255 time=1 ms
 Reply from 10.0.4.3: bytes=56 Sequence=5 ttl=255 time=1 ms
 --- 10.0.4.3 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 1/1/1 ms

[S1]ping 10.0.5.4
 PING 10.0.5.4: 56 data bytes, press CTRL_C to break
 Reply from 10.0.5.4: bytes=56 Sequence=1 ttl=255 time=1 ms
 Reply from 10.0.5.4: bytes=56 Sequence=2 ttl=255 time=1 ms
 Reply from 10.0.5.4: bytes=56 Sequence=3 ttl=255 time=1 ms
 Reply from 10.0.5.4: bytes=56 Sequence=4 ttl=255 time=1 ms
 Reply from 10.0.5.4: bytes=56 Sequence=5 ttl=255 time=1 ms
 --- 10.0.5.4 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 1/1/1 ms
Step 6
A hybrid interface is similar to a trunk interface, but it allows users in different VLANs to communicate if these users are on the same network segment. Change IP addresses of S3 and R3.
[S3]interface Vlanif 1
[S3-Vlanif1]ip address 10.0.6.3 24

[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.6.4 24
Set the link type of G0/0/13 on S1 to hybrid and configure VLAN 3 as its default VLAN. Add G0/0/13 to VLAN 3 and VLAN 4 in untagged mode. Before changing the interface type, delete any existing configuration on the interface.
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]undo port default vlan
[S1-GigabitEthernet0/0/13]port link-type hybrid
[S1-GigabitEthernet0/0/13]port hybrid pvid vlan 3
[S1-GigabitEthernet0/0/13]port hybrid untagged vlan 3 to 4
[S1-GigabitEthernet0/0/13]quit
Set the link type of G0/0/3 on S2 to hybrid and configure VLAN 4 as its default VLAN. Add G0/0/3 to VLAN 3 and VLAN 4 in untagged mode.
[S2]interface GigabitEthernet0/0/3
[S2-GigabitEthernet0/0/3]undo port default vlan
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid pvid vlan 4
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 3 to 4
[S2-GigabitEthernet0/0/3]quit
S3 and R3 can communicate even though they are located in different VLANs.
[S3]ping 10.0.6.4
 PING 10.0.6.4: 56 data bytes, press CTRL_C to break
 Reply from 10.0.6.4: bytes=56 Sequence=1 ttl=255 time=1 ms
 Reply from 10.0.6.4: bytes=56 Sequence=2 ttl=255 time=1 ms
 Reply from 10.0.6.4: bytes=56 Sequence=3 ttl=255 time=1 ms
 Reply from 10.0.6.4: bytes=56 Sequence=4 ttl=255 time=1 ms
 Reply from 10.0.6.4: bytes=56 Sequence=5 ttl=255 time=1 ms
 --- 10.0.6.4 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 1/1/1 ms
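The STP and VLAN labs leave three Layer 2 settings that weaken segmentation and are easy to check for in a saved configuration: edge ports on a switch whose display stp output reports BPDU-Protection :disabled, a trunk that allows every VLAN, and a hybrid port that is untagged in more than one VLAN (the behaviour Step 6 demonstrates). The following audit is an added example, not part of the lab guide: the function and check names are hypothetical, the two sample configurations are trimmed from this guide's Final Configurations, and stp bpdu-protection is the VRP system-view command for that feature, which the guide itself does not configure.

```python
import re

# Trimmed from the STP lab's Final Configurations for S3.
S3_STP_LAB = """\
#
 stp mode stp
 stp enable
#
interface Ethernet0/0/3
 stp edged-port enable
 bpdu enable
#
interface Ethernet0/0/4
 stp edged-port enable
 bpdu enable
#
interface Ethernet0/0/13
 bpdu enable
#
return
"""

# Trimmed from the VLAN lab's Final Configurations for S1.
S1_VLAN_LAB = """\
#
 vlan batch 1 3 to 5
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
#
interface GigabitEthernet0/0/13
 port hybrid pvid vlan 3
 port hybrid untagged vlan 3 to 4
#
return
"""


def parse_vrp_config(text):
    """Split saved-configuration text into global lines and interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "#", "return"):
            current = None                      # '#' closes the open stanza
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '3 to 4', '1 3 to 5' or 'all' into a set."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if tokens[i + 1:i + 2] == ["to"]:
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(text, needed_vlans=frozenset()):
    """Return (check, interface, detail) findings for one saved configuration."""
    global_lines, interfaces = parse_vrp_config(text)
    bpdu_protection = "stp bpdu-protection" in global_lines
    findings = []
    for name, lines in interfaces.items():
        if "stp edged-port enable" in lines and not bpdu_protection:
            findings.append(("EDGE-NO-BPDU-PROTECTION", name,
                             "edge port stays up if it receives a BPDU"))
        for line in lines:
            trunk = re.fullmatch(r"port trunk allow-pass vlan (.+)", line)
            if trunk:
                extra = expand_vlans(trunk.group(1)) - set(needed_vlans)
                if extra:
                    findings.append(("TRUNK-EXTRA-VLANS", name,
                                     f"{len(extra)} VLANs allowed that the lab does not use"))
            hybrid = re.fullmatch(r"port hybrid untagged vlan (.+)", line)
            if hybrid and len(expand_vlans(hybrid.group(1))) > 1:
                findings.append(("HYBRID-MULTI-VLAN", name,
                                 f"untagged in VLANs {sorted(expand_vlans(hybrid.group(1)))}"))
    return findings


if __name__ == "__main__":
    for finding in audit(S3_STP_LAB) + audit(S1_VLAN_LAB, {3, 4, 5}):
        print(*finding, sep=" | ")
```

On a production switch the trunk finding is resolved by listing only the VLANs in use (here 3 to 5) in port trunk allow-pass vlan, and the hybrid finding should be accepted only where joining two VLANs on one port is intended.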
Final Configurations
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 vlan batch 1 3 to 5
#
interface Vlanif1
#
interface Vlanif3
 ip address 10.0.3.11 255.255.255.0
#
interface Vlanif4
 ip address 10.0.4.11 255.255.255.0
#
interface Vlanif5
 ip address 10.0.5.11 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 bpdu enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/13
 port hybrid pvid vlan 3
 port hybrid untagged vlan 3 to 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface NULL0
#
return

[S2]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S2
#
 vlan batch 1 3 to 5
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 bpdu enable
#
interface GigabitEthernet0/0/3
 port hybrid pvid vlan 4
 port hybrid untagged vlan 3 to 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
#
return

[S3]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S3
#
interface Vlanif1
 ip address 10.0.6.3 255.255.255.0
#
interface Ethernet0/0/13
 bpdu enable
#
return

[S4]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S4
#
interface Vlanif1
 ip address 10.0.5.4 255.255.255.0
#
interface Ethernet0/0/24
 bpdu enable
#
return

[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.4.1 255.255.255.0
#
return

[R3]display current-configuration
3 routing
Method of configuring VLANIF interfaces
Method of configuring communication between VLANs
Method of configuring Open Shortest Path First (OSPF) between VLANIF interfaces
Topology
Scenario
Assume that you are a network administrator of a company and the current network of your company has four users: S3, R1, R3, and S4. The users belong to different virtual local area networks (VLANs). S3 belongs to VLAN 3, R1 belongs to VLAN 4, R3 belongs to VLAN 6, and S4 belongs to VLAN 7. Users in these VLANs can communicate with each other. S1 and S2 communicate with each other through a Layer 3 link, so routing protocols are used.
Eth-Trunk links.
Irrelevant interfaces must be disabled to ensure test result accuracy. In this example, Ethernet0/0/1 and Ethernet0/0/23 of S3 and Ethernet0/0/14 of S4 must be disabled.
<Quidway>system-view
[Quidway]sysname S1
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]bpdu disable
[S1-GigabitEthernet0/0/9]undo ndp enable
[S1-GigabitEthernet0/0/9]undo ntdp enable
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]bpdu disable
[S1-GigabitEthernet0/0/10]undo ndp enable
[S1-GigabitEthernet0/0/10]undo ntdp enable
[S1-GigabitEthernet0/0/10]eth-trunk 1

<Quidway>system-view
[Quidway]sysname S2
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]bpdu disable
[S2-GigabitEthernet0/0/9]undo ndp enable
[S2-GigabitEthernet0/0/9]undo ntdp enable
[S2-GigabitEthernet0/0/9]eth-trunk 1
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]bpdu disable
[S2-GigabitEthernet0/0/10]undo ndp enable
[S2-GigabitEthernet0/0/10]undo ntdp enable
[S2-GigabitEthernet0/0/10]eth-trunk 1
Step 2 S2.
---------------------------------------------------------------------------
VID  Type    Ports
---------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)   GE0/0/2(U)   GE0/0/3(U)   GE0/0/4(D)
                GE0/0/5(D)   GE0/0/6(D)   GE0/0/7(D)   GE0/0/8(D)
                GE0/0/9(U)   GE0/0/10(U)  GE0/0/11(D)  GE0/0/12(D)
                GE0/0/13(U)  GE0/0/14(U)  GE0/0/15(D)  GE0/0/16(D)
                GE0/0/17(D)  GE0/0/18(D)  GE0/0/19(D)  GE0/0/20(D)
                GE0/0/21(U)  GE0/0/22(U)  GE0/0/23(U)  GE0/0/24(D)
3    common
4    common
5    common
6    common
7    common

VID  Status  Property  MAC-LRN  Statistics  Description
---------------------------------------------------------------------------
1    enable  default   enable   disable     VLAN 0001
3    enable  default   enable   disable     VLAN 0003
4    enable  default   enable   disable     VLAN 0004
5    enable  default   enable   disable     VLAN 0005
6    enable  default   enable   disable     VLAN 0006
7    enable  default   enable   disable     VLAN 0007

[S2]display vlan
The total number of vlans is : 6
---------------------------------------------------------------------------
U: Up;  D: Down;  TG: Tagged;  UT: Untagged;
MP: Vlan-mapping;  #: ProtocolTransparent-vlan;
ST: Vlan-stacking;  *: Management-vlan;
---------------------------------------------------------------------------
VID  Type    Ports
---------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)   GE0/0/2(U)   GE0/0/3(U)   GE0/0/4(D)
                GE0/0/5(D)   GE0/0/6(D)   GE0/0/7(D)   GE0/0/8(D)
                GE0/0/9(U)   GE0/0/10(U)  GE0/0/11(D)  GE0/0/12(D)
                GE0/0/13(D)  GE0/0/14(D)  GE0/0/15(D)  GE0/0/16(D)
                GE0/0/17(D)  GE0/0/18(D)  GE0/0/19(D)  GE0/0/20(D)
                GE0/0/21(D)  GE0/0/22(D)  GE0/0/23(U)  GE0/0/24(U)
3    common
4    common
5    common
6    common
7    common

VID  Status  Property  MAC-LRN  Statistics  Description
---------------------------------------------------------------------------
1    enable  default   enable   disable     VLAN 0001
3    enable  default   enable   disable     VLAN 0003
4    enable  default   enable   disable     VLAN 0004
5    enable  default   enable   disable     VLAN 0005
6    enable  default   enable   disable     VLAN 0006
7    enable  default   enable   disable     VLAN 0007
Step 3
Step 4
S1 and S2.
S1 provides gateway services for VLAN 3 to VLAN 5, while S2 provides gateway services for VLAN 5 to VLAN 7. Therefore, configure IP addresses for VLANIF 3, VLANIF 4, and VLANIF 5 on S1, and configure IP addresses for VLANIF 5, VLANIF 6, and VLANIF 7 on S2.
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 10.0.3.1 24
[S1-Vlanif3]quit
[S1]interface Vlanif 4
[S1-Vlanif4]ip address 10.0.4.1 24
[S1-Vlanif4]quit
[S1]interface Vlanif 5
[S1-Vlanif5]ip address 10.0.5.1 24

[S2]interface Vlanif 5
[S2-Vlanif5]ip address 10.0.5.2 24
[S2-Vlanif5]quit
[S2]interface Vlanif 6
[S2-Vlanif6]ip address 10.0.6.1 24
[S2-Vlanif6]quit
[S2]interface Vlanif 7
[S2-Vlanif7]ip address 10.0.7.1 24
Step 5
Note: Physical interfaces on switches cannot be configured with IP addresses, so IP addresses are configured for VLANIF interfaces. S3 belongs to VLAN 3 on S1; however, E0/0/13 on S3 belongs to VLAN 1. In this case, configure an IP address for VLANIF 1 on S3 so that S3 belongs to VLAN 3. The configuration of S4 is similar.
<Huawei>system-view
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.11 24
[R1-GigabitEthernet0/0/1]quit
[R1]ip route-static 0.0.0.0 0 10.0.4.1

<Huawei>system-view
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.6.33 24
[R3-GigabitEthernet0/0/2]quit
[R3]ip route-static 0.0.0.0 0 10.0.6.1

<Quidway>system-view
[Quidway]sysname S4
[S4]interface Vlanif 1
[S4-Vlanif1]ip address 10.0.7.44 24
[S4-Vlanif1]quit
[S4]ip route-static 0.0.0.0 0 10.0.7.1
Step 6
R1 and R3 fail to communicate with each other. Run the tracert command to troubleshoot the fault:
[R1]tracert 10.0.6.33
 traceroute to 10.0.6.33(10.0.6.33), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 10.0.4.1 61 ms !N 3 ms !N 3 ms !N
According to the command output, R1 has sent the data packet to the destination address 10.0.6.33, but the gateway at 10.0.4.1 responds that the network is unreachable. Then check whether the network is unreachable on the gateway (S1).
[S1]display ip routing-table
Route Flags: R - relay, D - download to fib
---------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface

      10.0.3.0/24   Direct  0    0        D   10.0.3.1        Vlanif3
      10.0.3.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      10.0.4.0/24   Direct  0    0        D   10.0.4.1        Vlanif4
      10.0.4.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      10.0.5.0/24   Direct  0    0        D   10.0.5.1        Vlanif5
      10.0.5.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
According to the command output, S1 does not have a route to the network segment 10.0.6.0 because the network segment is not directly connected to S1. In addition, no static route or dynamic routing protocol is configured.
Step 7
[S1]ospf 1
After the configuration, wait until S1 and S2 exchange OSPF routes. View the routing table of S1.
[S1]display ip routing-table
Route Flags: R - relay, D - download to fib
---------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface

      10.0.3.0/24   Direct  0    0        D   10.0.3.1        Vlanif3
      10.0.3.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      10.0.4.0/24   Direct  0    0        D   10.0.4.1        Vlanif4
      10.0.4.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      10.0.5.0/24   Direct  0    0        D   10.0.5.1        Vlanif5
      10.0.5.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
      10.0.6.0/24   OSPF    10   2        D   10.0.5.2        Vlanif5
      10.0.7.0/24   OSPF    10   2        D   10.0.5.2        Vlanif5
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
S1 has learned two routes using OSPF. Test connectivity between R1 and R3.
[R1]ping 10.0.6.33
 PING 10.0.6.33: 56 data bytes, press CTRL_C to break
 Reply from 10.0.6.33: bytes=56 Sequence=1 ttl=253 time=8 ms
 Reply from 10.0.6.33: bytes=56 Sequence=2 ttl=253 time=2 ms
 Reply from 10.0.6.33: bytes=56 Sequence=3 ttl=253 time=2 ms
 Reply from 10.0.6.33: bytes=56 Sequence=4 ttl=253 time=2 ms
 Reply from 10.0.6.33: bytes=56 Sequence=5 ttl=253 time=2 ms
 --- 10.0.6.33 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 2/3/8 ms

[R1]ping 10.0.7.44
 PING 10.0.7.44: 56 data bytes, press CTRL_C to break
 Reply from 10.0.7.44: bytes=56 Sequence=1 ttl=252 time=12 ms
 Reply from 10.0.7.44: bytes=56 Sequence=2 ttl=253 time=4 ms
 Reply from 10.0.7.44: bytes=56 Sequence=3 ttl=253 time=4 ms
 Reply from 10.0.7.44: bytes=56 Sequence=4 ttl=253 time=4 ms
 Reply from 10.0.7.44: bytes=56 Sequence=5 ttl=253 time=4 ms
 --- 10.0.7.44 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
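The statement network 10.0.0.0 0.255.255.255 that the Final Configurations show under ospf 1 enables OSPF on every VLANIF whose address matches the wildcard, including the user-facing VLANIF 3 and VLANIF 4 where no OSPF neighbor is expected. The following model is an added example, not part of the lab guide: the function names are hypothetical, only the address match of the network statement is modelled, and silent-interface is the VRP OSPF-view command that stops OSPF packets on an interface while its subnet stays advertised (the guide does not configure it).

```python
import ipaddress

# S1's Layer 3 interfaces, from the guide's Final Configurations.
S1_INTERFACES = {
    "Vlanif3": "10.0.3.1/24",
    "Vlanif4": "10.0.4.1/24",
    "Vlanif5": "10.0.5.1/24",
}
# S2 (10.0.5.2 on VLAN 5) is the only OSPF neighbor the lab expects S1 to have.
NEIGHBOR_FACING = frozenset({"Vlanif5"})


def wildcard_match(address, network, wildcard):
    """True if address equals network on every bit where the wildcard bit is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)


def ospf_exposure(interfaces, networks, silent=(), neighbor_facing=NEIGHBOR_FACING):
    """Return (advertised prefixes, interfaces speaking OSPF with no expected neighbor).

    networks is a list of (address, wildcard) pairs as typed after 'network'.
    An interface in `silent` still has its subnet advertised but sends and
    accepts no OSPF packets, so it cannot form an adjacency.
    """
    advertised, exposed = [], []
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if not any(wildcard_match(str(iface.ip), net, wc) for net, wc in networks):
            continue                      # OSPF is not enabled on this interface
        advertised.append(str(iface.network))
        if name not in silent and name not in neighbor_facing:
            exposed.append(name)
    return advertised, exposed


if __name__ == "__main__":
    as_in_guide = [("10.0.0.0", "0.255.255.255")]
    narrowed = [("10.0.5.0", "0.0.0.255")]
    print("guide config:   ", ospf_exposure(S1_INTERFACES, as_in_guide))
    print("narrowed only:  ", ospf_exposure(S1_INTERFACES, narrowed))
    print("guide + silent: ", ospf_exposure(S1_INTERFACES, as_in_guide,
                                            silent=("Vlanif3", "Vlanif4")))
```

Narrowing the network statement to 10.0.5.0 removes the exposure but also stops S1 from advertising 10.0.3.0/24 and 10.0.4.0/24, which would break the R1 to R3 ping above; marking the user-facing VLANIFs silent keeps all three prefixes advertised.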
Final Configurations
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 vlan batch 1 3 to 7
#
interface Vlanif1
#
interface Vlanif3
 ip address 10.0.3.1 255.255.255.0
#
interface Vlanif4
 ip address 10.0.4.1 255.255.255.0
#
interface Vlanif5
 ip address 10.0.5.1 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type access
 port default vlan 5
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/13
 port link-type access
 port default vlan 3
 ntdp enable
 ndp enable
 bpdu enable
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
[S2]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S2
#
 vlan batch 1 3 to 7
#
interface Vlanif1
#
interface Vlanif5
 ip address 10.0.5.2 255.255.255.0
#
interface Vlanif6
 ip address 10.0.6.1 255.255.255.0
#
interface Vlanif7
 ip address 10.0.7.1 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type access
 port default vlan 5
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 6
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/9
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/10
 eth-trunk 1
 undo ntdp enable
 undo ndp enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 7
 ntdp enable
 ndp enable
 bpdu enable
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
[S3]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S3
#
interface Vlanif1
 ip address 10.0.3.33 255.255.255.0
#
interface Ethernet0/0/13
 bpdu enable
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.3.1
#
return
[S4]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S4
#
interface Vlanif1
 ip address 10.0.7.44 255.255.255.0
#
interface Ethernet0/0/24
 bpdu enable
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.7.1
#
return
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.4.11 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#
return
[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/2
 ip address 10.0.6.33 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.6.1
#
return
network
Method of configuring VRRP authentication
Method of configuring VRRP to trace the interface status
Method of using VRRP to implement load balancing
Topology
[Figure: lab topology showing R1, S1, S2, R2 and R3, with interface labels G0/0/1, G0/0/2 and G0/0/3]
Scenario
Assume that you are a network administrator of a company and the current network of your company has two users: R2 and R3. A loopback interface of R1 simulates an Internet server. The network has two gateways, and you use VRRP to implement gateway redundancy.
Irrelevant interfaces must be disabled to ensure test result accuracy. In this lab, GigabitEthernet0/0/9, GigabitEthernet0/0/13 and GigabitEthernet0/0/14 on S1 need to be shut down. The user network uses VLAN 1; S1 connects to R1 using VLAN 2; S2 connects to R1 using VLAN 3; a loopback interface has been configured on R1; IP addresses and default gateways have been configured on R2 and R3. The router R1 simulates a wide area network (WAN), while its loopback interface simulates a server on the WAN.
[Huawei]sysname R1
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 24
[R1-LoopBack0]quit
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.11.2 24
[R1-GigabitEthernet0/0/1]quit
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip address 10.0.12.2 24
The router R2 simulates one PC on a local area network (LAN), using the network segment 10.0.123.0/24 and the gateway 10.0.123.1. The router R3 simulates another PC on the LAN, using the network segment 10.0.123.0/24 and the gateway 10.0.123.1.
<Huawei>system-view
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.123.4 24
[R2-GigabitEthernet0/0/1]quit
[R2]ip route-static 0.0.0.0 0 10.0.123.1

<Huawei>system-view
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.123.5 24
[R3-GigabitEthernet0/0/2]quit
[R3]ip route-static 0.0.0.0 0 10.0.123.1
Create VLAN 1 to VLAN 3 on the switch S1. The default link type of interfaces is hybrid. Configure G0/0/10 as a Trunk interface and configure it to allow all VLANs. Configure G0/0/1 as an access interface and add it to VLAN 2. Configure G0/0/2 as an access interface and add it to VLAN 1. Create VLANIF 1 to provide gateway for VLAN 1 and assign IP address 10.0.123.2/24 to VLANIF 1. Create VLANIF 2 as a Layer 3 link connecting to R1 and assign IP address 10.0.11.1/24 to VLANIF 2.
<Huawei>system-view
[Huawei]sysname S1
[S1]vlan batch 1 to 3
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]port link-type trunk
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/10]quit
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 2
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 1
[S1-GigabitEthernet0/0/2]quit
[S1]interface Vlanif 1
[S1-Vlanif1]ip address 10.0.123.2 24
[S1-Vlanif1]quit
[S1]interface vlanif 2
[S1-Vlanif2]ip address 10.0.11.1 24
Create VLAN 1 to VLAN 3 on the switch S2. The default link type of interfaces is hybrid. Configure G0/0/10 as a Trunk interface and configure it to allow all VLANs. Configure G0/0/1 as an access interface and add it to VLAN 3. Configure G0/0/3 as an access interface and add it to VLAN 1. Set the IP address of VLANIF 1 to 10.0.123.3/24 and use VLANIF 1 to provide gateway services for VLAN 1. Set the IP address of VLANIF 3 to 10.0.12.1/24 and use VLANIF 3 as a Layer 3 link for connecting to R1.
<Huawei>system-view
[Huawei]sysname S2
[S2]vlan batch 1 to 3
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]port link-type trunk
[S2-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/10]quit
[S2]interface GigabitEthernet 0/0/1
[S2-GigabitEthernet0/0/1]port link-type access
[S2-GigabitEthernet0/0/1]port default vlan 3
[S2-GigabitEthernet0/0/1]quit
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type access
[S2-GigabitEthernet0/0/3]port default vlan 1
[S2-GigabitEthernet0/0/3]quit
[S2]interface Vlanif 1
[S2-Vlanif1]ip address 10.0.123.3 24
[S2-Vlanif1]quit
[S2]interface Vlanif 3
[S2-Vlanif3]ip address 10.0.12.1 24
After completing the configuration, test connectivity of direct links. Use the ping command to test the connections to S1, R1, R2, and R3 on S2. Use -c 1 in the ping command to configure the system to send only one ping packet. If you do not use this parameter, the system sends five packets by default.
[S2]ping -c 1 10.0.12.2
  PING 10.0.12.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=10 ms
  --- 10.0.12.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/10/10 ms
[S2]ping -c 1 10.0.123.2
  PING 10.0.123.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.123.2: bytes=56 Sequence=1 ttl=255 time=1 ms
  --- 10.0.123.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[S2]ping -c 1 10.0.123.4
  PING 10.0.123.4: 56 data bytes, press CTRL_C to break
    Reply from 10.0.123.4: bytes=56 Sequence=1 ttl=255 time=1 ms
  --- 10.0.123.4 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[S2]ping -c 1 10.0.123.5
    Reply from 10.0.123.5: bytes=56 Sequence=1 ttl=255 time=1 ms
  --- 10.0.123.5 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Step 2 Configure the OSPF routing protocol to
After completing the configuration, wait until the network convergence is complete. Then test the network connectivity.
[S2]ping -c 1 10.0.11.1
  PING 10.0.11.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.11.1: bytes=56 Sequence=1 ttl=255 time=1 ms
  --- 10.0.11.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[S2]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=254 time=1 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[S2]ping -c 1 10.0.12.2
  PING 10.0.12.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
  --- 10.0.12.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Step 3 Configure VRRP to implement gateway redundancy.
Configure VRRP on S1. Create VRRP group 1 and set its priority to 105. By default, the priority is 100.
[S1]interface Vlanif 1
[S1-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1
[S1-Vlanif1]vrrp vrid 1 priority 105
[S2]interface Vlanif 1
[S2-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1
After the configuration, run the ping command on R2 and R3 to test whether they can communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms
[R3]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=7 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 7/7/7 ms
Currently, R2 and R3 send data packets to the Internet server through S1. Shut down VLANIF 1 on S1, and then test whether the traffic can be switched to S2.
[S1]interface Vlanif 1
[S1-Vlanif1]shutdown
Run the ping command on R2 and R3 to test whether they can communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms
[R3]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms
    MasterPriority : 100
    Preempt : YES
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Config track link-bfd down-number : 0
    Delay Time : 0
Step 4
Enable the VLANIF 1 interface on S1. Specify G0/0/1 for S1 and S2 to track.
[S1]interface Vlanif 1
[S1-Vlanif1]undo shutdown
Currently, R2 and R3 send data to the Internet server through S1. If G0/0/1 of S1 or G0/0/1 of R1 is disabled, traffic cannot be switched to S2. Disable G0/0/1 of S1.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]shutdown
Note: You can use the brief parameter to display only the brief information. Test connectivity between R2 and the Internet server.
[R2]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
The command output shows that R2 cannot communicate with the Internet server. Enable G0/0/1 of S1.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]undo shutdown
Configure VRRP to track G0/0/1 on S1 and S2. If G0/0/1 of S1 is disabled, the VRRP priority of S1 is reduced by 10. In this case, S2 replaces S1 as the VRRP master device.
[S1]interface Vlanif 1
[S1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10
[S2]interface Vlanif 1
[S2-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10
Test the network connectivity. R2 can communicate with the Internet server.
[R2]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms
R2 can communicate with the Internet server. Check the VRRP state on S1.
[S1]display vrrp
  Vlanif1 | Virtual Router 1
    State : Backup
    Virtual IP : 10.0.123.1
    PriorityRun : 95
    PriorityConfig : 105
    MasterPriority : 100
    Preempt : YES
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Track IF : GigabitEthernet0/0/1
    IF State : DOWN
    Config track link-bfd down-number : 0
    priority reduced : 10
    Delay Time : 0
Final Configurations
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 vlan batch 1 to 3
#
interface Vlanif1
 ip address 10.0.123.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.123.1
 vrrp vrid 1 priority 105
 vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif2
 ip address 10.0.11.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 shutdown
 port link-type access
 port default vlan 2
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 port link-type access
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 ntdp enable
 ndp enable
 bpdu enable
#
interface NULL0
#
ospf 1
 silent-interface Vlanif1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
[S2]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S2
#
 vlan batch 1 to 3
#
interface Vlanif1
 ip address 10.0.123.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.123.1
 vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif3
 ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 3
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 port link-type access
 ntdp enable
 ndp enable
 bpdu enable
#
ospf 1
 silent-interface Vlanif1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.11.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface GigabitEthernet0/0/1
 ip address 10.0.123.4 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/2
 ip address 10.0.123.5 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
Topology
Scenario
You are a network administrator of a company. R1, R2, and R3 in the topology are routers. R1 is located in the headquarters, and R2 and R3 are located in two branches. The headquarters and branches need to be interconnected. Use HDLC and PPP on WAN links and use different authentication modes to ensure security.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
Step 2
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R1-Serial1/0/0]

[R2]interface Serial 1/0/0
[R2-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial2/0/0]

[R3]interface Serial 2/0/0
[R3-Serial2/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R3-Serial2/0/0]
After HDLC is enabled on the serial interfaces, view the serial interface status. Use the display on R1 as an example.
[R1]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-09 14:42:26
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time : 2011-10-09 14:39:44
Last physical down time : 2011-10-09 14:39:43
Current system time: 2011-10-09 14:43:14
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 2 bytes/sec 16 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Input: 257 packets, 3856 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
Test connectivity of the directly connected link after verifying that the physical status and protocol status of the interface are Up.
[R2]ping 10.0.12.1
  PING 10.0.12.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=44 ms
    Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=39 ms
    Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=39 ms
    Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=39 ms
  --- 10.0.12.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 39/40/44 ms
[R2]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=44 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=39 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=39 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=39 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 39/40/44 ms
Step 3 Configure RIPv2.
[R1]rip
[R3]rip
After the configurations are complete, check whether all the routes are learned. Verify that corresponding routes are learned by RIP.
[R1]disp ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

10.0.12.0/24        Direct  0    0     D     10.0.12.1       Serial1/0/0
10.0.12.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
10.0.12.255/32      Direct  0    0     D     127.0.0.1       InLoopBack0
10.0.23.0/24        RIP     100  1     D     10.0.12.2       Serial1/0/0
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
On R1, run the ping command to test connectivity between R1 and R3.
[R1]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=44 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=39 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=39 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=40 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=39 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 39/40/44 ms
Step 4
interface, interface status, and clock frequency, and change the clock frequency.
[R2]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-09 16:25:55
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.2/24
Link layer protocol is nonstandard HDLC
Last physical up time : 2011-10-09 16:25:55
Last physical down time : 2011-10-09 16:25:55
Current system time: 2011-10-09 16:52:14
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is TC
Last 300 seconds input rate 4 bytes/sec 32 bits/sec 0 packets/sec
Last 300 seconds output rate 4 bytes/sec 32 bits/sec 0 packets/sec
Input: 223 packets, 7152 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.05%
Output bandwidth utilization : 0.19%
The preceding information shows that S1/0/0 on R1 connects to a DCE cable and the clock frequency is 64000 bit/s. The DCE controls the clock frequency and bandwidth. Change the clock frequency on the link between R1 and R2 to 128000 bit/s. This operation must be performed on the DCE, R1.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]baudrate 128000
After the configurations are complete, view the serial interface status.
[R1-Serial1/0/0]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-10 11:56:41
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time : 2011-10-10 11:56:38
Last physical down time : 2011-10-10 11:53:32
Current system time: 2011-10-10 13:58:43
Physical layer is synchronous, Baudrate is 128000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 5 bytes/sec 40 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Input: 3471 packets, 66408 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.03%
Output bandwidth utilization : 0.03%
Step 5
[R1-Serial1/0/0]link-protocol ppp
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]link-protocol ppp
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol ppp
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]link-protocol ppp
If the ping operation fails, check the interface status and check whether the link layer protocol type is correct.
[R1]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-10 16:26:28
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time : 2011-10-10 16:26:25
Last physical down time : 2011-10-10 16:26:04
Current system time: 2011-10-10 16:31:06
Physical layer is synchronous, Baudrate is 128000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 5 bytes/sec 40 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Input: 5600 packets, 116506 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.03%
Output bandwidth utilization : 0.03%
Step 6
After PPP configurations are complete, routers establish connections at the data link layer. The local device sends a route to the peer device. The route contains the interface IP address and a 32-bit mask. The following information uses R2 as an example. You can see the routes to R1 and R3.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

10.0.12.0/24        Direct  0    0     D     10.0.12.2       Serial1/0/0
10.0.12.1/32        Direct  0    0     D     10.0.12.1       Serial1/0/0
10.0.12.2/32        Direct  0    0     D     127.0.0.1       InLoopBack0
10.0.12.255/32      Direct  0    0     D     127.0.0.1       InLoopBack0
10.0.23.0/24        Direct  0    0     D     10.0.23.2       Serial2/0/0
10.0.23.2/32        Direct  0    0     D     127.0.0.1       InLoopBack0
10.0.23.3/32        Direct  0    0     D     10.0.23.3       Serial2/0/0
10.0.23.255/32      Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
Think about the origin and functions of the two routes. Check the following items: If HDLC is used, do the two routes exist? Can R1 and R2 communicate using HDLC or PPP when the IP addresses of S1/0/0 interfaces on R1 and R2 are located on different network segments?
Step 7
[R1-aaa-domain-system]authentication-scheme system_a
[R1-aaa-domain-system]quit
[R1-aaa]local-user user1@system password simple huawei
info: A new user added
[R1-aaa]local-user user1@system service-type ppp
[R1-aaa]quit
After the configurations are complete, test connectivity between R1 and R2.
Step 8
The greyed line indicates that authentication failed. Configure R2 as the CHAP client.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ppp authentication-mode chap
[R2-Serial2/0/0]ppp chap user user1@system
[R2-Serial2/0/0]ppp chap password simple Huawei
After the configurations are complete, the interface becomes Up. The ping command output is as follows:
[R2-Serial2/0/0]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=35 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=41 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 35/39/41 ms
Step 9
the PPP connection between R2 and R3. The PPP connection is established by CHAP.
Use R2 as an example. View the PPP negotiation process between R2 and R3. Disable S2/0/0 on R2, run the debug command, and enable S2/0/0 on R2.
Run the debugging ppp chap all command. By default, the debugging information is displayed. Run the terminal debugging command to display the debugging information on the console port.
[R2-Serial2/0/0]return
<R2>debugging ppp chap all
<R2>terminal debugging
Info: Current terminal debugging is on.

Oct 10 2011 17:54:48.850.1+00:00 R2 PPP/7/debug2:
  PPP Packet:
      Serial2/0/0 Input CHAP(c223) Pkt, Len 20
      State SendResponse, code SUCCESS(03), id 1, len 16
      Message: Welcome to .
Oct 10 2011 17:54:48.850.2+00:00 R2 PPP/7/debug2:
  PPP Event:
      Serial2/0/0 CHAP Receive Success Event
      state SendResponse
Oct 10 2011 17:54:48.850.3+00:00 R2 PPP/7/debug2:
  PPP State Change:
      Serial2/0/0 CHAP : SendResponse --> ClientSuccess
The greyed line shows the interface status change. Run the debugging ppp pap all command to view PPP negotiation when PAP authentication is used between R1 and R2. Compare the debugging ppp pap all command output with the debugging ppp chap all command output to learn about the differences between PAP authentication and CHAP authentication.
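The difference the comparison above is meant to reveal, as an added Python example that is not part of the lab guide: it builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response pair (RFC 1994) for the lab's users and password, so you can see that PAP carries the password itself while CHAP carries only an MD5 digest bound to one challenge. The authenticator name R3 and all function names are assumptions made for the illustration.

```python
"""PAP versus CHAP on the wire, using the lab's credentials (added example)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                    # RFC 1334 packet code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2    # RFC 1994 packet codes


def pap_auth_request(ident, peer_id, password):
    """PAP Authenticate-Request: peer ID and password are sent unmodified."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """CHAP Challenge or Response: code, id, length, value-size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Return (code, identifier, value, name) after checking the length fields."""
    if len(packet) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("inconsistent CHAP lengths")
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_response_value(ident, secret, challenge):
    """RFC 1994: MD5 over identifier || shared secret || challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_respond(challenge_pkt, username, secret):
    """Peer side: answer a Challenge without ever sending the secret."""
    code, ident, challenge, _ = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    value = chap_response_value(ident, secret, challenge)
    return chap_packet(CHAP_RESPONSE, ident, value, username)


def authenticator_verify(local_users, challenge_pkt, response_pkt):
    """Authenticator side: recompute the digest from the local user database."""
    _, c_id, challenge, _ = parse_chap(challenge_pkt)
    code, r_id, value, name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE or r_id != c_id:
        return False
    secret = local_users.get(name)
    if secret is None:
        return False
    expected = chap_response_value(c_id, secret, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    users = {b"user1@system": b"huawei"}          # local-user entry from the lab
    pap = pap_auth_request(1, b"user@system", b"huawei")
    print("PAP request :", pap)                   # password readable in the frame

    challenge = chap_packet(CHAP_CHALLENGE, 1, os.urandom(16), b"R3")
    response = client_respond(challenge, b"user1@system", b"huawei")
    print("CHAP response:", response.hex())       # digest only, no password
    print("accepted     :", authenticator_verify(users, challenge, response))

    # A response captured earlier does not answer a fresh challenge.
    fresh = chap_packet(CHAP_CHALLENGE, 1, os.urandom(16), b"R3")
    print("replayed     :", authenticator_verify(users, fresh, response))

    # The secret is compared byte for byte, so letter case matters.
    wrong_case = client_respond(challenge, b"user1@system", b"Huawei")
    print("wrong case   :", authenticator_verify(users, challenge, wrong_case))
```
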
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
aaa
 authentication-scheme default
 authentication-scheme system_a
 authorization-scheme default
 authorization-scheme system_a
 accounting-scheme default
 domain default
 domain default_admin
 domain system
  authorization-scheme system_a
 local-user admin password simple admin
 local-user admin service-type http
 local-user user1@system password simple huawei
 local-user user1@system service-type ppp
 local-user user@system password simple huawei
 local-user user@system service-type ppp
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode pap domain system
 ip address 10.0.12.1 255.255.255.0
 baudrate 128000
#
rip 1
 version 2
 network 10.0.0.0
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Serial1/0/0
 link-protocol ppp
 ppp pap local-user user@system password simple huawei
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ppp authentication-mode chap
 ppp chap user user1@system
 ppp chap password simple Huawei
 ip address 10.0.23.2 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return

<R3>display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
aaa
 authentication-scheme default
 authentication-scheme system
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 domain system
 local-user admin password simple admin
 local-user admin service-type http
 local-user user1@system password simple huawei
 local-user user1@system service-type ppp
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return
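A review pass over the final configurations above, as an added Python example that is not part of the lab guide: it audits trimmed excerpts of the R1, R2 and R3 listings for secrets stored with the simple keyword (they are readable in the configuration output, as the listings show), PAP use, local users whose password equals the user name, and PPP interfaces that do not authenticate their peer. The rule names and the CONFIGS dictionary are constructed for this illustration.

```python
"""Audit the lab's final PPP configurations for weak settings (added example)."""
import re
from collections import Counter

# Excerpts of the final configurations above, trimmed to AAA users and serial ports.
CONFIGS = {
    "R1": """
aaa
 local-user admin password simple admin
 local-user user1@system password simple huawei
 local-user user@system password simple huawei
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode pap domain system
 ip address 10.0.12.1 255.255.255.0
#
""",
    "R2": """
aaa
 local-user admin password simple admin
#
interface Serial1/0/0
 link-protocol ppp
 ppp pap local-user user@system password simple huawei
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ppp authentication-mode chap
 ppp chap user user1@system
 ppp chap password simple Huawei
 ip address 10.0.23.2 255.255.255.0
#
""",
    "R3": """
aaa
 local-user admin password simple admin
 local-user user1@system password simple huawei
#
interface Serial2/0/0
 link-protocol ppp
 ip address 10.0.23.3 255.255.255.0
#
""",
}

LINE_RULES = [
    # Secret is stored and displayed in clear text.
    ("CLEARTEXT_SECRET", re.compile(r"\bpassword simple \S+")),
    # PAP sends the password unprotected across the link.
    ("PAP_CLEARTEXT_ON_LINK", re.compile(r"^ppp (authentication-mode pap|pap local-user)\b")),
]
USER_PASSWORD = re.compile(r"^local-user (\S+) password \S+ (\S+)$")


def sections(config):
    """Yield the blocks of a VRP configuration, which are delimited by '#' lines."""
    block = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def audit(device, config):
    """Return (device, rule, section header, offending line) tuples."""
    findings = []
    for block in sections(config):
        header = block[0]
        for line in block:
            for rule, pattern in LINE_RULES:
                if pattern.search(line):
                    findings.append((device, rule, header, line))
            match = USER_PASSWORD.match(line)
            if match and match.group(1).split("@")[0] == match.group(2):
                findings.append((device, "PASSWORD_EQUALS_USERNAME", header, line))
        # A PPP interface without 'ppp authentication-mode' accepts any peer.
        if "link-protocol ppp" in block and not any(
                line.startswith("ppp authentication-mode") for line in block):
            findings.append((device, "PPP_PEER_NOT_AUTHENTICATED", header, header))
    return findings


def audit_all(configs=CONFIGS):
    return [f for device, text in configs.items() for f in audit(device, text)]


def count_by_rule(findings):
    return dict(Counter(rule for _, rule, _, _ in findings))


if __name__ == "__main__":
    for device, rule, header, line in audit_all():
        print(f"{device:3} {rule:27} [{header}] {line}")
```
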
DLCIs on the FR network
Method used to configure RIP on the FR network
Method used to configure OSPF on the FR network
Topology
Scenario
You are a network administrator of a company. R1, R2, and R3 in the topology are routers. R1 is located in the headquarters, and R2 and R3 are located in two branches. The headquarters and branches need to be interconnected. You need to configure FR on WAN links and mapping between DLCIs and IP addresses.
<Huawei>system-view
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]int loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
[Huawei]sysname R2
[R2]int Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]int loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24
[R2-LoopBack0]int Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24

<Huawei>system-view
[Huawei]sysname R3
[R3]int Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]int loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24

[R2]ping 10.0.23.3
  PING 10.0.23.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=41 ms
    Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=37 ms
    Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=37 ms
    Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=37 ms
    Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=37 ms
  --- 10.0.23.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 37/37/41 ms
Step 2
CRC: dribbles: frame errors: errors: deferred: 0, align errors: 0, aborts: 0 0, underruns: 0
0, overruns: 0, no buffers:
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.28%
Output bandwidth utilization : 0.28%
The preceding information shows that S1/0/0 on R1 connects to the DCE port of the serial interface cable.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol fr
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R1-Serial1/0/0]fr interface-type dce
[R1-Serial1/0/0]fr dlci 102
[R1-fr-dlci-Serial1/0/0-102]quit
[R1-Serial1/0/0]fr map ip 10.0.12.2 102 broadcast
After the configurations are complete, test link connectivity between R1 and R2.
[R2-Serial1/0/0]ping 10.0.12.1
  PING 10.0.12.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=38 ms
    Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=34 ms
    Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=34 ms
    Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=34 ms
    Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=34 ms
  --- 10.0.12.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/34/38 ms
If communication between R1 and R2 is abnormal before step 1 is performed, the FR configuration is incorrect. Perform the following operations to troubleshoot the fault. Compare the display fr map-info command output on R1 with that on R2. Use R1 as an example.
[R1]display fr map-info
Map Statistics for interface Serial1/0/0 (DCE)
  DLCI = 102, IP 10.0.12.2, Serial1/0/0
  create time = 2011/10/11 14:44:45, status = ACTIVE
  encapsulation = ietf, vlink = 6, broadcast
[R1]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-11 14:44:35
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 21, LMI status sent 21
LMI status enquiry timeout 9, LMI message discarded 2
Last physical up time : 2011-10-11 14:44:25
Last physical down time : 2011-10-11 14:44:25
Current system time: 2011-10-11 14:48:04
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 12 bytes/sec 96 bits/sec 0 packets/sec
Last 300 seconds output rate 10 bytes/sec 80 bits/sec 0 packets/sec
Input: 3712 packets, 54496 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.08%
Output bandwidth utilization : 0.08%
[R1]display fr lmi-info interface Serial 1/0/0
Frame relay LMI statistics for interface Serial1/0/0 (DCE, Q933)
  T392DCE = 15, N392DCE = 3, N393DCE = 4
  in status enquiry = 31, out status = 31
  status enquiry timeout = 9, discarded messages = 2
Step 3
deferred:
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.06%
Output bandwidth utilization : 0.05%
The greyed line indicates that S2/0/0 on R3 connects to the DCE port.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol fr
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial2/0/0]fr interface-type dte
[R2-Serial2/0/0]fr inarp
After the configurations are complete, test connectivity between R2 and R3.
[R3]ping 10.0.23.2
  PING 10.0.23.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.2: bytes=56 Sequence=1 ttl=255 time=40 ms
    Reply from 10.0.23.2: bytes=56 Sequence=2 ttl=255 time=35 ms
    Reply from 10.0.23.2: bytes=56 Sequence=3 ttl=255 time=35 ms
    Reply from 10.0.23.2: bytes=56 Sequence=4 ttl=255 time=35 ms
    Reply from 10.0.23.2: bytes=56 Sequence=5 ttl=255 time=35 ms
  --- 10.0.23.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 35/36/40 ms
If R2 fails to communicate with R3, locate the fault using the following command output.
[R3]display interface Serial2/0/0
Serial2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-10-11 15:02:01
Description:HUAWEI, AR Series, Serial2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.23.3/24
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 28, LMI status sent 28
LMI status enquiry timeout 0, LMI message discarded 8
Last physical up time : 2011-10-11 15:01:31
Last physical down time : 2011-10-11 15:01:30
Current system time: 2011-10-11 15:06:36
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V24, Clock mode is DCECLK
Last 300 seconds input rate 12 bytes/sec 96 bits/sec 0 packets/sec
Last 300 seconds output rate 12 bytes/sec 96 bits/sec 0 packets/sec
Input: 3974 packets, 58123 bytes
  broadcasts: 0, multicasts: 0
  errors: 0, runts: 0, giants: 0
  CRC: 0, align errors: 0, overruns: 0
  dribbles: 0, aborts: 0, no buffers: 0
  frame errors: 0
  errors: 0, underruns: 0, collisions: 0
  deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
Input bandwidth utilization : 0.11%
Output bandwidth utilization : 0.10%
[R3]display fr lmi-info
Frame relay LMI statistics for interface Serial2/0/0 (DCE, Q933)
  T392DCE = 15, N392DCE = 3, N393DCE = 4
  in status enquiry = 31, out status = 31
  status enquiry timeout = 0, discarded messages = 8
[R3]display fr map-info
Map Statistics for interface Serial2/0/0 (DCE)
  DLCI = 203, IP INARP 10.0.23.2, Serial2/0/0
  create time = 2011/10/11 15:02:21, status = ACTIVE
  encapsulation = ietf, vlink = 2, broadcast
Pay attention to the greyed lines. Compare the information on R1 with that on R2.
Step 4 Configure RIPv2 between R1 and R2 and
10.0.12.0/24          Direct  0
10.0.12.1/32          Direct  0
10.0.12.2/32          Direct  0
10.0.12.255/32        Direct  0
127.0.0.0/8           Direct  0
127.0.0.1/32          Direct  0
127.255.255.255/32    Direct  0
255.255.255.255/32    Direct  0
The preceding information shows that R1 has learned routes. Test network connectivity on R1.
[R1]ping 10.0.23.2
  PING 10.0.23.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.23.2: bytes=56 Sequence=1 ttl=255 time=33 ms
    Reply from 10.0.23.2: bytes=56 Sequence=2 ttl=255 time=39 ms
    Reply from 10.0.23.2: bytes=56 Sequence=3 ttl=255 time=39 ms
    Reply from 10.0.23.2: bytes=56 Sequence=4 ttl=255 time=39 ms
    Reply from 10.0.23.2: bytes=56 Sequence=5 ttl=255 time=39 ms

  --- 10.0.23.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 33/37/39 ms
The preceding information shows that communication between R1 and R2 is normal. R1 fails to communicate with R3 because R3 is not running any protocol. R1 and R2 run RIPv2. They can learn routes from each other because the network supports broadcast. Run the display fr map-info interface Serial 1/0/0 command on R2 to check whether R2 supports broadcast. Use R2 as an example.
[R2]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
  DLCI = 102, IP 10.0.12.1, Serial1/0/0
    create time = 2011/10/11 15:12:15, status = ACTIVE
    encapsulation = ietf, vlink = 11, broadcast
To enable R1 and R2 to update routes, run shutdown and undo shutdown on an interface of R1 or R2. Use R2 as an example.
[R2-Serial1/0/0]shutdown
[R2-Serial1/0/0]undo shutdown
After the configurations are complete, check the routes. Use R2 as an example.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 15       Routes : 15

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.2.0/24           Direct  0    0     D     10.0.2.2     LoopBack0
10.0.2.2/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.2.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.12.0/24          Direct  0    0     D     10.0.12.2    Serial1/0/0
10.0.12.1/32          Direct  0    0     D     10.0.12.1    Serial1/0/0
10.0.12.2/32          Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.12.255/32        Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.23.0/24          Direct  0    0     D     10.0.23.2    Serial2/0/0
10.0.23.2/32          Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.23.3/32          Direct  0    0     D     10.0.23.3    Serial2/0/0
10.0.23.255/32        Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
R1 and R2 cannot exchange routes because broadcast is disabled. Run the ping command on R2.
[R2]ping 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Run the display fr map-info interface Serial 1/0/0 command on R2 to check whether R2 supports broadcast.
[R2]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
  DLCI = 102, IP 10.0.12.1, Serial1/0/0
    create time = 2011/10/11 15:22:22, status = ACTIVE
    encapsulation = ietf, vlink = 13
There is no broadcast field, indicating that R2 does not support broadcast. Configure a RIP neighbor relationship between R1 and R2 and configure them to exchange routes in unicast mode.
[R1]rip
[R1-rip-1]peer 10.0.12.2
[R2]rip
[R2-rip-1]peer 10.0.12.1

10.0.12.0/24          Direct  0
10.0.12.1/32          Direct  0
10.0.12.2/32          Direct  0
10.0.12.255/32        Direct  0
10.0.23.0/24          Direct  0
10.0.23.2/32          Direct  0
10.0.23.3/32          Direct  0
10.0.23.255/32        Direct  0
127.0.0.0/8           Direct  0
By default, route aggregation is enabled in RIPv2; therefore, there is only one RIP route on R1.
Step 5
         Destinations : 11       Routes : 11

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.3.0/24           Direct  0    0     D     10.0.3.3     LoopBack0
10.0.3.3/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.23.0/24          Direct  0    0     D     10.0.23.3    Serial2/0/0
10.0.23.2/32          Direct  0    0     D     10.0.23.2    Serial2/0/0
10.0.23.3/32          Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.23.255/32        Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
The preceding information shows that R3 does not learn the routes sent by R2. By default, OSPF treats an FR-enabled interface as an NBMA network, on which devices do not detect neighbors.
[R3]display ospf interface Serial 2/0/0
 OSPF Process 1 with Router ID 10.0.3.3
 Interfaces

 Interface: 10.0.23.3 (Serial2/0/0)
 Cost: 1562    State: Waiting    Type: NBMA    MTU: 1500
 Priority: 1
 Designated Router: 0.0.0.0
 Backup Designated Router: 0.0.0.0
 Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
R3 does not discover a neighbor. You must manually configure an OSPF neighbor relationship.
[R2]ospf 1
After the configurations are complete, check the OSPF neighbor relationship on R3.
[R3]disp ospf peer
 OSPF Process 1 with Router ID 10.0.3.3
 Neighbors

 Area 0.0.0.0 interface 10.0.23.3(Serial2/0/0)'s neighbors
 Router ID: 10.0.2.2         Address: 10.0.23.2
   State: Full  Mode:Nbr is Slave  Priority: 1
   DR: 10.0.23.2  BDR: None  MTU: 0
   Dead timer due in 116 sec
   Retrans timer interval: 5
   Neighbor is up for 00:00:04
   Authentication Sequence: [ 0 ]
The preceding information shows that the OSPF neighbor relationship has been set up. Check the routing tables. Use R3 as an example.
[R3]disp ip routing-table Route Flags: R - relay, D - download to fib ---------------------------------------------------------------------------Routing Tables: Public Destinations : 13 Destination/Mask 10.0.2.2/32 10.0.3.0/24 10.0.3.3/32 10.0.3.255/32 Proto OSPF Routes : 13 Pre Cost 10 1562 0 0 0 3124 0 0 0 0 Flags NextHop D D D D D D D D D 10.0.23.2 10.0.3.3 127.0.0.1 127.0.0.1 10.0.23.2 10.0.23.3 10.0.23.2 127.0.0.1 127.0.0.1 Interface Serial2/0/0 LoopBack0 InLoopBack0 InLoopBack0 Serial2/0/0 Serial2/0/0 Serial2/0/0 InLoopBack0 InLoopBack0
10.0.12.0/24 OSPF
Step 6
 Interface: 10.0.23.3 (Serial2/0/0)
 Cost: 1562    State: DR    Type: NBMA    MTU: 1500
 Priority: 1
 Designated Router: 10.0.23.3
 Backup Designated Router: 10.0.23.2
 Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
Run the shutdown and undo shutdown commands on S2/0/0 of R3 to update neighbors.
[R3-Serial2/0/0]shutdown
[R3-Serial2/0/0]undo shutdown
After the OSPF neighbor relationship is established, check its status.
[R3]display ospf peer
 OSPF Process 1 with Router ID 10.0.3.3
 Neighbors

 Area 0.0.0.0 interface 10.0.23.3(Serial2/0/0)'s neighbors
 Router ID: 10.0.2.2         Address: 10.0.23.2
   State: Full  Mode:Nbr is Slave  Priority: 1
   DR: 10.0.23.3  BDR: 10.0.23.2  MTU: 0
Check the routing table of R3 and test connectivity between R3 and R2. Use R3 as an example.
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.2.2/32           OSPF    10   1562  D     10.0.23.2    Serial2/0/0
10.0.3.0/24           Direct  0    0     D     10.0.3.3     LoopBack0
10.0.3.3/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.12.0/24          OSPF    10   3124  D     10.0.23.2    Serial2/0/0
10.0.23.0/24          Direct  0    0     D     10.0.23.3    Serial2/0/0
10.0.23.2/32          Direct  0    0     D     10.0.23.2    Serial2/0/0
10.0.23.3/32          Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.23.255/32        Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
[R3]display ospf interface Serial 2/0/0
 OSPF Process 1 with Router ID 10.0.3.3
 Interfaces

 Interface: 10.0.23.3 (Serial2/0/0)
 Cost: 1562    State: DR    Type: Broadcast    MTU: 1500
 Priority: 1
 Designated Router: 10.0.23.3
 Backup Designated Router: 10.0.23.2
 Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
[R3]ping 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=35 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=255 time=30 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=255 time=30 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/31/35 ms
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial1/0/0
 link-protocol fr
 fr interface-type dce
 fr dlci 102
 fr map ip 10.0.12.2 102
 ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
rip 1
 undo summary
 version 2
 peer 10.0.12.2
 network 10.0.0.0
#
return
[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
router id 10.0.2.2
#
interface Serial1/0/0
 link-protocol fr
 fr dlci 102
 fr map ip 10.0.12.1 102
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol fr
 ip address 10.0.23.2 255.255.255.0
 ospf network-type broadcast
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
rip 1
 undo summary
 version 2
 peer 10.0.12.1
 network 10.0.0.0
#
return
[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
router id 10.0.3.3
#
interface Serial2/0/0
 link-protocol fr
 fr interface-type dce
 fr dlci 203
 ip address 10.0.23.3 255.255.255.0
 ospf network-type broadcast
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
switch is used on the network
How to configure RIP in hub-spoke mode
How to configure OSPF in hub-spoke mode
How to configure FR interfaces when the OSPF network type is set to point-to-multipoint
Topology
Scenario
Assume that you are a network administrator of a company. R1, R2, R3 in Figure 8.3 are routers. R1 is located at the company headquarters, and R2 and R3 are located in two branches. To interconnect the headquarters and branches, you need to configure FR on WAN links in hub-spoke mode.
Set basic parameters, such as IP addresses. When configuring FR encapsulation, you must disable the Inarp function and manually define mapping between the PVC DLCI numbers and IP addresses.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface Serial 2/0/0
[R1-Serial2/0/0]link-protocol fr
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R1-Serial2/0/0]ip address 10.0.123.1 24
[R1-Serial2/0/0]undo fr inarp
[R1-Serial2/0/0]fr map ip 10.0.123.2 102 broadcast
[R1-Serial2/0/0]fr map ip 10.0.123.3 103 broadcast
[R1-Serial2/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface Serial 3/0/0
[R2-Serial3/0/0]link-protocol fr
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial3/0/0]ip address 10.0.123.2 24
[R2-Serial3/0/0]undo fr inarp
[R2-Serial3/0/0]fr map ip 10.0.123.1 201 broadcast
[R2-Serial3/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface Serial 1/0/0
[R3-Serial1/0/0]link-protocol fr
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R3-Serial1/0/0]ip address 10.0.123.3 24
[R3-Serial1/0/0]undo fr inarp
[R3-Serial1/0/0]fr map ip 10.0.123.1 301 broadcast
[R3-Serial1/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
Step 2
Configure RIPv2 and ensure that all network segments are in the RIP area. By default, static neighbors are not configured. The automatic summary function must be disabled. In addition, the RIP split horizon function for FR interfaces is disabled by default because an FR network has its own unique features. You do not need to modify the split horizon configurations for this exercise.
[R1]rip 1
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
[R1-rip-1]undo summary

[R2]rip 1
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0
[R2-rip-1]undo summary

[R3]rip 1
[R3-rip-1]version 2
[R3-rip-1]network 10.0.0.0
[R3-rip-1]undo summary
View the routing tables on R1, R2, and R3 to check the learned routes.
[R1]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
RIP routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.2.0/24           RIP     100  1     D     10.0.123.2   Serial2/0/0
10.0.3.0/24           RIP     100  1     D     10.0.123.3   Serial2/0/0

[R2]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 2        Routes : 2

RIP routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           RIP     100  1     D     10.0.123.1   Serial3/0/0
10.0.3.0/24           RIP     100  2     D     10.0.123.1   Serial3/0/0

[R3]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
         Destinations : 2        Routes : 2

RIP routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           RIP     100  1     D     10.0.123.1   Serial1/0/0
10.0.2.0/24
The preceding test results indicate that R3 and R2 are disconnected. Check the routes to find out why R3 and R2 are disconnected. The procedure for diagnosing this fault is as follows:

View the R3 routing table and check whether any route is destined for the IP address 10.0.2.2. If there is such a route, find out the next hop IP address of this route. Then check whether R3 can reach the next hop and whether there is mapping between Layer-3 IP addresses and Layer-2 PVCs.

If R3 can reach the next hop and there is mapping between Layer-3 IP addresses and Layer-2 PVCs, check the devices on the route to determine whether there is any route that can reach IP address 10.0.2.2, whether the next hop of this route is reachable, and whether there is mapping between Layer-3 IP addresses and Layer-2 PVCs.

If there is a route that can reach IP address 10.0.2.2 and there is mapping between Layer-3 IP addresses and Layer-2 PVCs, check R2 to determine whether there is any route that reaches the destination IP address of response packets and whether the next hop of this route is reachable.

Here the destination IP address of the response packets is 10.0.123.3. R2 has a route that reaches this address, but the next hop is unreachable because there is no mapping between the Layer-3 IP address and a Layer-2 PVC. The following is the output of the commands used in the preceding fault diagnosis procedure.
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           RIP     100  1     D     10.0.123.1   Serial1/0/0
10.0.2.0/24           RIP     100  2     D     10.0.123.1   Serial1/0/0
10.0.3.0/24           Direct  0    0     D     10.0.3.3     LoopBack0
10.0.3.3/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.0/24         Direct  0    0     D     10.0.123.3   Serial1/0/0
10.0.123.1/32         Direct  0    0     D     10.0.123.1   Serial1/0/0
10.0.123.3/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
[R3]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
  DLCI = 301, IP 10.0.123.1, Serial1/0/0
    create time = 2011/11/16 09:22:30, status = ACTIVE
    encapsulation = ietf, vlink = 1, broadcast

[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           Direct  0    0     D     10.0.1.1     LoopBack0
10.0.1.1/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.1.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.2.0/24           RIP     100  1     D     10.0.123.2   Serial2/0/0
10.0.3.0/24           RIP     100  1     D     10.0.123.3   Serial2/0/0
10.0.123.0/24         Direct  0    0     D     10.0.123.1   Serial2/0/0
10.0.123.1/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.2/32         Direct  0    0     D     10.0.123.2   Serial2/0/0
10.0.123.3/32         Direct  0    0     D     10.0.123.3   Serial2/0/0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
[R1]display fr map-info interface Serial 2/0/0
Map Statistics for interface Serial2/0/0 (DTE)
  DLCI = 102, IP 10.0.123.2, Serial2/0/0
    create time = 2011/11/16 09:28:49, status = ACTIVE
    encapsulation = ietf, vlink = 1, broadcast
  DLCI = 103, IP 10.0.123.3, Serial2/0/0
    create time = 2011/11/16 09:28:56, status = ACTIVE
    encapsulation = ietf, vlink = 2, broadcast

[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           RIP     100  1     D     10.0.123.1   Serial3/0/0
10.0.2.0/24           Direct  0    0     D     10.0.2.2     LoopBack0
10.0.2.2/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.2.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.0/24           RIP     100  2     D     10.0.123.1   Serial3/0/0
10.0.123.0/24         Direct  0    0     D     10.0.123.2   Serial3/0/0
10.0.123.1/32         Direct  0    0     D     10.0.123.1   Serial3/0/0
10.0.123.2/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
[R2]display fr map-info interface Serial 3/0/0
Map Statistics for interface Serial3/0/0 (DTE)
  DLCI = 201, IP 10.0.123.1, Serial3/0/0
    create time = 2011/11/16 09:21:10, status = ACTIVE
    encapsulation = ietf, vlink = 1, broadcast
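The diagnosis above can be replayed in code. This is an added example, not part of the lab guide: it parses routes and display fr map-info text trimmed from the outputs shown, follows the request from R3 and the reply from R2 hop by hop, and names the first router that has a route but no IP-to-DLCI mapping. The PVC_PEER table (which router terminates each DLCI, taken from the hub-spoke scenario) and all function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed inputs, trimmed from the lab's display output before Step 3.
# Route columns: Destination/Mask Proto Pre Cost Flags NextHop Interface
ROUTES = {
    "R1": """
        10.0.1.1/32    Direct 0   0 D 127.0.0.1  InLoopBack0
        10.0.2.0/24    RIP    100 1 D 10.0.123.2 Serial2/0/0
        10.0.3.0/24    RIP    100 1 D 10.0.123.3 Serial2/0/0
        10.0.123.0/24  Direct 0   0 D 10.0.123.1 Serial2/0/0
        10.0.123.1/32  Direct 0   0 D 127.0.0.1  InLoopBack0""",
    "R2": """
        10.0.1.0/24    RIP    100 1 D 10.0.123.1 Serial3/0/0
        10.0.2.2/32    Direct 0   0 D 127.0.0.1  InLoopBack0
        10.0.3.0/24    RIP    100 2 D 10.0.123.1 Serial3/0/0
        10.0.123.0/24  Direct 0   0 D 10.0.123.2 Serial3/0/0
        10.0.123.2/32  Direct 0   0 D 127.0.0.1  InLoopBack0""",
    "R3": """
        10.0.1.0/24    RIP    100 1 D 10.0.123.1 Serial1/0/0
        10.0.2.0/24    RIP    100 2 D 10.0.123.1 Serial1/0/0
        10.0.3.3/32    Direct 0   0 D 127.0.0.1  InLoopBack0
        10.0.123.0/24  Direct 0   0 D 10.0.123.3 Serial1/0/0
        10.0.123.3/32  Direct 0   0 D 127.0.0.1  InLoopBack0""",
}
FR_MAPS = {
    "R1": """Map Statistics for interface Serial2/0/0 (DTE)
      DLCI = 102, IP 10.0.123.2, Serial2/0/0
        create time = 2011/11/16 09:28:49, status = ACTIVE
        encapsulation = ietf, vlink = 1, broadcast
      DLCI = 103, IP 10.0.123.3, Serial2/0/0
        create time = 2011/11/16 09:28:56, status = ACTIVE
        encapsulation = ietf, vlink = 2, broadcast""",
    "R2": """Map Statistics for interface Serial3/0/0 (DTE)
      DLCI = 201, IP 10.0.123.1, Serial3/0/0
        create time = 2011/11/16 09:21:10, status = ACTIVE
        encapsulation = ietf, vlink = 1, broadcast""",
    "R3": """Map Statistics for interface Serial1/0/0 (DTE)
      DLCI = 301, IP 10.0.123.1, Serial1/0/0
        create time = 2011/11/16 09:22:30, status = ACTIVE
        encapsulation = ietf, vlink = 1, broadcast""",
}
# Assumption from the hub-spoke scenario: the router at the far end of each local DLCI.
PVC_PEER = {("R1", 102): "R2", ("R1", 103): "R3", ("R2", 201): "R1", ("R3", 301): "R1"}

MAP_ENTRY = re.compile(r"DLCI = (\d+), IP (?:INARP )?([\d.]+),.*?status = (\w+)", re.S)


def parse_routes(output):
    """Return [(network, proto, nexthop, interface)] from routing-table rows."""
    routes = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 7 and "/" in fields[0]:
            routes.append((ipaddress.ip_network(fields[0]), fields[1], fields[5], fields[6]))
    return routes


def parse_fr_map(output):
    """Return {peer_ip: dlci} for ACTIVE entries of 'display fr map-info'."""
    return {ip: int(dlci) for dlci, ip, status in MAP_ENTRY.findall(output) if status == "ACTIVE"}


def load():
    return {n: {"routes": parse_routes(ROUTES[n]), "fr_map": parse_fr_map(FR_MAPS[n])} for n in ROUTES}


def lookup(routes, dst):
    """Longest-prefix match, as the router does."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def walk(net, start, dst, max_hops=8):
    """Follow dst from router to router; return (delivering_router, path) or (None, reason)."""
    here, path = start, [start]
    for _ in range(max_hops):
        route = lookup(net[here]["routes"], dst)
        if route is None:
            return None, f"{here}: no route to {dst}"
        _, proto, nexthop, iface = route
        if "LoopBack" in iface:          # destination is one of this router's own addresses
            return here, path
        # On a directly connected FR segment the Layer-2 target is the destination itself.
        l2_target = dst if proto == "Direct" else nexthop
        dlci = net[here]["fr_map"].get(l2_target)
        if dlci is None:
            return None, f"{here}: route to {dst} exists, but no FR map for {l2_target}"
        here = PVC_PEER[(here, dlci)]
        path.append(here)
    return None, f"{dst} not delivered within {max_hops} hops"


def ping(net, src, src_ip, dst_ip):
    """Check the request path and then the reply path, like the lab's procedure."""
    at, info = walk(net, src, dst_ip)
    if at is None:
        return f"request lost: {info}"
    back, info = walk(net, at, src_ip)
    return "ok" if back is not None else f"reply lost: {info}"


if __name__ == "__main__":
    net = load()
    print(ping(net, "R3", "10.0.123.3", "10.0.2.2"))
    # The two mappings that Step 4 later removes again:
    net["R2"]["fr_map"]["10.0.123.3"] = 201
    net["R3"]["fr_map"]["10.0.123.2"] = 301
    print(ping(net, "R3", "10.0.123.3", "10.0.2.2"))
```

The request reaches R2 through R1 in both runs; only the reply depends on the extra mapping, which is why the fault is invisible in R3's own tables.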
Step 3 Modify network parameters to enable the
After you configure the mapping between IP addresses and PVCs, check the IP address-PVC mapping tables on R2 and R3 and test network connectivity.
[R3]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
  DLCI = 301, IP 10.0.123.1, Serial1/0/0
    create time = 2011/11/16 09:22:30, status = ACTIVE
    encapsulation = ietf, vlink = 1, broadcast
  DLCI = 301, IP 10.0.123.2, Serial1/0/0
    create time = 2011/11/16 09:55:23, status = ACTIVE
    encapsulation = ietf, vlink = 2, broadcast
[R3]ping 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=118 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=123 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=123 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=123 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=123 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 118/122/123 ms
Step 4
Delete the RIP configurations added in step 2 and the IP address-PVC mapping of R2 and R3 that is established in step 3.
[R1]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R1]

[R2]interface Serial 3/0/0
[R2-Serial3/0/0]undo fr map ip 10.0.123.3 201
[R2-Serial3/0/0]quit
[R2]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R2]

[R3]interface Serial 1/0/0
[R3-Serial1/0/0]undo fr map ip 10.0.123.2 301
[R3-Serial1/0/0]quit
[R3]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R3]
After basic parameters are set, OSPF cannot establish neighbor relationships. By default, OSPF treats the FR network as an NBMA network. As a result, OSPF does not support broadcast on this network and cannot automatically discover neighbors.
[R3]display ospf interface Serial 1/0/0 verbose
 OSPF Process 1 with Router ID 10.0.3.3
 Interfaces

 Interface: 10.0.123.3 (Serial1/0/0)
 Cost: 1562    State: DR    Type: NBMA    MTU: 1500
 Priority: 1
 Designated Router: 10.0.123.3
 Backup Designated Router: 0.0.0.0
 Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
 IO Statistics
   Type                 Input   Output
   Hello                0       0
   DB Description       0       0
   Link-State Req       0       0
   Link-State Update    0       0
   Link-State Ack       0       0
 OpaqueId: 0    PrevState: Waiting
There are various methods for running OSPF on an FR network. This exercise demonstrates how to run OSPF on the FR network by setting the OSPF network type of the interface to point-to-multipoint.
Step 5
point-to-multipoint.
[R1]interface Serial 2/0/0
[R1-Serial2/0/0]ospf network-type p2mp

[R2]interface Serial 3/0/0
[R2-Serial3/0/0]ospf network-type p2mp

[R3]interface Serial 1/0/0
[R3-Serial1/0/0]ospf network-type p2mp
After you set the OSPF network type, wait until the neighbor relationship is established. Then check the neighbor relationship and route information.
[R1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.1.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id     Interface      Neighbor id    State
 0.0.0.0     Serial2/0/0    10.0.2.2       Full
 0.0.0.0     Serial2/0/0    10.0.3.3       Full
 ----------------------------------------------------------------------------
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.0/24           Direct  0    0     D     10.0.1.1     LoopBack0
10.0.1.1/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.1.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.2.2/32           OSPF    10   1562  D     10.0.123.2   Serial2/0/0
10.0.3.3/32           OSPF    10   1562  D     10.0.123.3   Serial2/0/0
10.0.123.0/24         Direct  0    0     D     10.0.123.1   Serial2/0/0
10.0.123.1/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.2/32         Direct  0    0     D     10.0.123.2   Serial2/0/0
10.0.123.3/32         Direct  0    0     D     10.0.123.3   Serial2/0/0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0

[R2]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.2.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id     Interface      Neighbor id    State
 0.0.0.0     Serial3/0/0    10.0.1.1       Full
 ----------------------------------------------------------------------------
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.1/32           OSPF    10   1562  D     10.0.123.1   Serial3/0/0
10.0.2.0/24           Direct  0    0     D     10.0.2.2     LoopBack0
10.0.2.2/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.2.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.3/32           OSPF    10   3124  D     10.0.123.1   Serial3/0/0
10.0.123.0/24         Direct  0    0     D     10.0.123.2   Serial3/0/0
10.0.123.1/32         Direct  0    0     D     10.0.123.1   Serial3/0/0
10.0.123.2/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.3/32         OSPF    10   3124  D     10.0.123.1   Serial3/0/0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0

[R3]display ospf peer brief
 ----------------------------------------------------------------------------
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14

Destination/Mask      Proto   Pre  Cost  Flags NextHop      Interface

10.0.1.1/32           OSPF    10   1562  D     10.0.123.1   Serial1/0/0
10.0.2.2/32           OSPF    10   3124  D     10.0.123.1   Serial1/0/0
10.0.3.0/24           Direct  0    0     D     10.0.3.3     LoopBack0
10.0.3.3/32           Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.3.255/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.0/24         Direct  0    0     D     10.0.123.3   Serial1/0/0
10.0.123.1/32         Direct  0    0     D     10.0.123.1   Serial1/0/0
10.0.123.2/32         OSPF    10   3124  D     10.0.123.1   Serial1/0/0
10.0.123.3/32         Direct  0    0     D     127.0.0.1    InLoopBack0
10.0.123.255/32       Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.0/8           Direct  0    0     D     127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D     127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D     127.0.0.1    InLoopBack0

    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=116 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=121 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=121 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=120 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=120 ms

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 116/119/121 ms
[R3]ping 10.0.123.2
  PING 10.0.123.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.123.2: bytes=56 Sequence=1 ttl=254 time=115 ms
    Reply from 10.0.123.2: bytes=56 Sequence=2 ttl=254 time=119 ms
    Reply from 10.0.123.2: bytes=56 Sequence=3 ttl=254 time=119 ms
    Reply from 10.0.123.2: bytes=56 Sequence=4 ttl=254 time=119 ms
    Reply from 10.0.123.2: bytes=56 Sequence=5 ttl=254 time=119 ms

  --- 10.0.123.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 115/118/119 ms
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface Serial2/0/0
 link-protocol fr
 undo fr inarp
 fr map ip 10.0.123.2 102 broadcast
 fr map ip 10.0.123.3 103 broadcast
 ip address 10.0.123.1 255.255.255.0
 ospf network-type p2mp
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface Serial3/0/0
 link-protocol fr
 undo fr inarp
 fr map ip 10.0.123.1 201 broadcast
 ip address 10.0.123.2 255.255.255.0
 ospf network-type p2mp
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface Serial1/0/0
 link-protocol fr
 undo fr inarp
 fr map ip 10.0.123.1 301 broadcast
 ip address 10.0.123.3 255.255.255.0
 ospf network-type p2mp
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
ospf 1 router-id 10.0.3.3
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
Topology
Scenario
Assume that you are a network administrator of a company. The company bought a Eudemon 200E firewall and intends to connect it to S1, the core switch, to filter packets transmitted across different VLANs. You need to familiarize yourself with various operations of the firewall.
Like a router, a firewall provides a console interface, which can connect to the COM interface on a computer. The computer can connect to the firewall using the HyperTerminal software that comes with the Windows operating system. For details, see "Lab 1-1 Basic Operations on the VRP Platform." The firewall provides default configurations and the default user name and password are admin and Admin@123. Enter the case-sensitive user name and password when logging in to the firewall.
***********************************************************
*             All rights reserved 2008-2011               *
*      Without the owner's prior written consent,         *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *

Login authentication

Username:admin
Password:
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<Eudemon 200E>
The method for changing the firewall name is the same as that for changing the router name. Because both the firewall and router use the VRP operating system, the command level and help operations for them are the same.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW
[FW]
Step 2
By default, the time zone is not defined on the firewall. Therefore, the firewall system time may be inconsistent with the actual time. You should change the time and time zone information based on the actual information for your location. During the exercise, the time zone GMT+8 is used and the standard time is defined.
<FW>clock timezone 1 add 08:00:00
<FW>dis clock
2011-11-17 18:39:48
Thursday
Time Zone : 1 minus 08:00:00
<FW>clock datetime 10:36:00 2011/11/17
<FW>display clock
2011-11-17 10:36:09
Thursday
Time Zone : 1 minus 08:00:00
Step 3
Change the login banner information. The following login banner information is displayed by default after you successfully log in to the firewall.
Please Press ENTER.

Username:admin
Password:
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<FW>
The firewall device warns about unauthorized access using the banner information. The administrator can change the login banner information as needed. Different banner information is displayed before and after you log in to the firewall.
[FW]header login information ^
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to Eudemon 200E
^
[FW]header shell information ^
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to Eudemon 200E
You are logining in system
Please donot delete system config files
^
Log out of the firewall system and then log in to the system again to check whether the change takes effect.
Please Press ENTER.
Welcome to Eudemon 200E

Login authentication

Username:admin
Password:
Welcome to Eudemon 200E
You are logining in system
Please donot delete system config files
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<FW>
If the preceding information is displayed, the banner information is successfully changed. Note that the default notice information cannot be deleted or replaced.
Step 4
The default user name and password are admin and Admin@123. You can change them as needed. For this exercise, create a level-3 user. The user name and password are user1 and huawei@123. By default, only the user admin is allowed to log in to the firewall system using the console interface. Therefore, a newly created user is allowed to log in to the system using the console interface only after the authentication mode is set to aaa. In addition, specify the applicable scope of the newly created user. In this exercise, the applicable scope is set to terminal, indicating that this user is allowed to log in to the system using the console interface.
[FW]aaa
[FW-aaa]local-user user1 password simple huawei@123
[FW-aaa]local-user user1 service-type terminal
[FW-aaa]local-user user1 level 3
[FW-aaa]quit
[FW]user-interface console 0
[FW-ui-console0]authentication-mode aaa
After you set the authentication mode to aaa, log out of the system and check whether the newly created user name and password take effect.
[FW-ui-console0]return
<FW>quit

*************************************************************************
    Copyright(C) 2008-2011 Huawei Technologies Co., Ltd.
    All rights reserved
    Without the owner's prior written consent,
    no decompiling or reverse-engineering shall be allowed.
*************************************************************************

Username:user1
Password:
Welcome to Eudemon 200E
You are logining in system
Please donot delete system config files
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<FW>
To save time during the exercise, you can set the authentication mode that does not require a user name and password.
[FW]user-interface console 0
[FW-ui-console0]authentication-mode none
After setting this authentication mode, you can log in to the system directly.
Please Press ENTER.
Welcome to Eudemon 200E
You are logining in system
Please donot delete system config files
<FW>
Step 5
On a firewall, run the display current-configuration command to view the configurations that are running and run the display saved-configuration
As shown in the preceding example, if no configurations are saved, the related information is unavailable. If the configurations have been saved, information similar to the following is displayed.
<FW>save
15:05:50 2011/11/17
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info:Please input the file name(*.cfg,*.zip)[vrpcfg.zip]:
Now saving the current configuration to the device.................
Info:The current configuration was saved to the device successfully..
<FW>display saved-configuration
# Last configuration was changed at 2011/11/17 15:05:59 from console0
#*****BEGIN****public****#
#
 sysname FW
#
 undo firewall ipv6 session link-state check
#
 vlan batch 1
#
 undo firewall session link-state check
#
#
 runmode firewall
#
 update schedule ips daily 7:40
 update schedule av daily 7:40
 security server domain sec.huawei.com
#
output omit
Run the delete flash:/vrpcfg.zip command to delete the configurations that have been saved.
<FW>delete flash:/vrpcfg.zip
Be Careful! Deleting the next startup config file will lose your configuration.
Delete flash:/vrpcfg.zip?[Y/N]:y
%Deleting file flash:/vrpcfg.zip...
Step 6
On the firewall, E0/0/0 is a Layer-3 interface and E1/0/0 to E1/0/7 are Layer-2 interfaces. Layer-2 interface IP addresses cannot be configured directly but must be configured on the related VLANIF interfaces. By default, VLAN1 is available on the firewall device and the VLANIF1 IP address has been assigned. Create VLAN2 and VLANIF2 and configure their IP addresses as 10.0.2.1/24. In addition, delete VLANIF1.
[FW]undo interface Vlanif 1
[FW]vlan 2
[FW-vlan-2]interface vlanif 2
[FW-Vlanif2]ip address 10.0.2.1 24
Configure the IP address for E0/0/0 as 10.0.1.1/24 and the IP address for E2/0/0 as 10.0.3.1/24.
[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.1.1 24
[FW-Ethernet0/0/0]interface Ethernet 2/0/0
[FW-Ethernet2/0/0]ip address 10.0.3.1 24
On S1, configure G0/0/21, G0/0/22, and G0/0/23 to access VLAN1, VLAN2, and VLAN3, respectively. Configure the IP addresses of VLANIF1, VLANIF2, and VLANIF3 as 10.0.1.2/24, 10.0.2.2/24, and 10.0.3.2/24.
<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]sysname S1
[S1]vlan batch 2 3
[S1]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 1
[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 2
[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 3
[S1-GigabitEthernet0/0/23]interface vlanif 1
[S1-Vlanif1]ip address 10.0.1.2 24
[S1-Vlanif1]interface vlanif 2
[S1-Vlanif2]ip address 10.0.2.2 24
[S1-Vlanif2]interface vlanif 3
[S1-Vlanif3]ip address 10.0.3.2 24
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[S1-Vlanif3]ping 10.0.2.1
  PING 10.0.2.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=2 ms
    Reply from 10.0.2.1: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 10.0.2.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.2.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.2.1: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/3 ms
[S1-Vlanif3]ping 10.0.3.1
  PING 10.0.3.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Step 7
After all configurations are complete and the test is successful, delete the configuration files and restart the firewall to clear the configurations. After you restart the firewall, a message is displayed, asking you whether to save the current configuration. Delete the current configuration.
<FW>reboot
Info:Reading saved configuration failed.
System will reboot, could you want to save current configuration [Y/N]?n
System will reboot, continue?[Y/N]:y
Final Configurations
[FW]display current-configuration
#
 sysname FW
#
 undo firewall ipv6 session link-state check
#
 vlan batch 1 to 2
#
 undo firewall session link-state check
#
 runmode firewall
#
 update schedule ips daily 6:12
 update schedule av daily 6:12
 security server domain sec.huawei.com
#
 web-manager enable
#
 l2fwdfast enable
#
interface Vlanif2
 ip address 10.0.2.1 255.255.255.0
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Ethernet0/0/0
 ip address 10.0.1.1 255.255.255.0
#
interface Ethernet1/0/0
 portswitch
 port link-type access
 port access vlan 2
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface Ethernet2/0/0
 ip address 10.0.3.1 255.255.255.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type web terminal
 local-user admin level 3
 local-user user1 password simple huawei@123
 local-user user1 service-type terminal
 local-user user1 level 3
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
 #
#
 nqa-jitter tag-version 1
#
 header shell information "Welcome to Eudemon 200E
You are logining in system
Please donot delete system config files
"
 header login information "Welcome to Eudemon 200E
"
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface tty 2
 authentication-mode none
 modem both
user-interface vty 0 4
#
 slb
#
 cwmp
#
right-manager server-group
#
return
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 dns resolve
#
 vlan batch 2 to 3
#
 stp enable
#
interface Vlanif1
 ip address 10.0.1.2 255.255.255.0
#
interface Vlanif2
 ip address 10.0.2.2 255.255.255.0
#
interface Vlanif3
 ip address 10.0.3.2 255.255.255.0
#
interface GigabitEthernet0/0/21
 port link-type access
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 2
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 3
 ntdp enable
 ndp enable
 bpdu enable
#
interface NULL0
#
return
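The firewall's final configuration in this lab still carries the Step 4 settings `local-user user1 password simple ...` and `authentication-mode none`, alongside the default admin account. The following Python check is an added example (not part of the lab guide or of any Huawei tool) that scans a VRP configuration dump for those three conditions; the sample input is constructed from the lines above with the admin cipher string replaced by a placeholder, and all function names are hypothetical.

```python
import re

# Commands that open a configuration view whose sub-commands we inspect.
VIEW_HEADER = re.compile(r"^(aaa|user-interface \S.*|interface \S.*)$")

# Remediation hints use only commands that appear in this lab guide.
FIXES = {
    "default-account": "confirm the default password (Admin@123) has been changed",
    "cleartext-password": "re-enter the password with 'password cipher'",
    "no-authentication": "set 'authentication-mode aaa' on this user interface",
}

# Constructed sample: excerpt of the lab's final firewall configuration.
SAMPLE_CONFIG = """\
#
 sysname FW
#
aaa
 local-user admin password cipher <cipher-text-placeholder>
 local-user admin service-type web terminal
 local-user admin level 3
 local-user user1 password simple huawei@123
 local-user user1 service-type terminal
 local-user user1 level 3
 authentication-scheme default
#
user-interface con 0
 authentication-mode none
user-interface tty 2
 authentication-mode none
 modem both
user-interface vty 0 4
#
return
"""


def parse_sections(text):
    """Group a VRP dump into (view header, [sub-commands]) pairs.

    Works on indented output and on dumps whose indentation was lost,
    because views are recognised by their header command, not by spacing.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                 # '#' closes the current view
        elif VIEW_HEADER.match(line):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def audit(text):
    """Return (check, subject) findings; password values are never echoed."""
    findings, seen_users = [], set()
    for header, body in parse_sections(text):
        if header == "aaa":
            for cmd in body:
                m = re.match(r"local-user (\S+) (.*)", cmd)
                if not m:
                    continue
                user, rest = m.groups()
                if user == "admin" and user not in seen_users:
                    findings.append(("default-account", user))
                seen_users.add(user)
                if rest.startswith("password simple "):
                    findings.append(("cleartext-password", user))
        elif header.startswith("user-interface "):
            if "authentication-mode none" in body:
                findings.append(("no-authentication", header[len("user-interface "):]))
    return findings


def report(text):
    """Human-readable lines, one per finding, with the suggested fix."""
    return [f"{check}: {subject} -> {FIXES[check]}" for check, subject in audit(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against a configuration exported after the exercise, the same check shows whether the lab shortcuts were reverted before the device is reused.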
Topology
Figure 9.2 Lab topology for packet filtering configuration on the Eudemon firewall
Scenario
Assume that you are a network administrator of a company. The company's network at the headquarters is divided into three zones. You intend to control inter-zone traffic using the firewall. On S1, you need to configure three network segments: G0/0/1 and G0/0/21 for accessing VLAN11, G0/0/2 and G0/0/22 for accessing VLAN12, and G0/0/3 and G0/0/23 for accessing VLAN13. You need to achieve the following configurations to meet work requirements:
The Telnet and ICMP ping services at the IP address 10.0.3.3 are available for all other network segments.
The 10.0.2.0/24 network segment can access the 10.0.1.0/24 network segment.
Other access modes are not allowed.
Note that E1/0/0 is a Layer-2 switching interface on the firewall and you cannot directly set an IP address for it. In this exercise, configure VLAN12 and VLANIF12 on the firewall. In addition, configure the IP address 10.0.20.254/24 for the gateway in the 10.0.20.0/24 network segment. By default, the firewall automatically assigns an IP address for its VLANIF1. Delete this configuration to prevent any interference during the exercise.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]undo interface Vlanif 1
[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]ip address 10.0.30.254 24
On S1, configure the VLAN and map the VLAN and associated interface.
[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 13
[S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13
After the configurations are complete, perform a test on the firewall to detect the network connectivity in the same zone.
[FW]ping 10.0.10.1
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.10.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.20.2
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.20.2 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.30.3
  PING 10.0.30.3: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.30.3: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.30.3 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Step 2
connectivity.
Configure default routes on R1, R2, and R3 and specific static routes on the firewall to implement the connectivity between the three network segments that are connected by three Loopback0 interfaces.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
[FW]ip route-static 10.0.2.0 24 10.0.20.2
[FW]ip route-static 10.0.3.0 24 10.0.30.3
After the configurations are complete, perform a connectivity test on R1 to find out whether the network segments that connect to R1 using Loopback0 interfaces can communicate with other network segments.
[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=4 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms
  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/4 ms
[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=4 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/4 ms
Step 3
Before you configure the access control, you should analyze the traffic direction in advance based on the following requirements:
The 10.0.20.0/24 and 10.0.2.0/24 network segments can access all applications in the 10.0.10.0/24 and 10.0.1.0/24 network segments.
The Telnet and ping functions on the host (IP address: 10.0.3.3/24) are available for the 10.0.20.0/24 and 10.0.2.0/24 network segments.
The Telnet and ping functions for the host (IP address: 10.0.3.3/24) are available for 10.0.10.0/24 and 10.0.1.0/24 network segments.
Other access modes are not allowed.
Use the following methods to meet the requirements:
Use an ACL to prevent the 10.0.30.0/24 and 10.0.3.0/24 network segments from accessing other network segments.
Use an ACL to prevent other network segments from accessing the 10.0.20.0/24 and 10.0.2.0/24 network segments.
Use an ACL to enable other network segments to access the Telnet and ping functions at IP address 10.0.3.3.
Note that the session link-state check function on the firewall must be enabled and the ACL must be deployed on the egress.
To enable other network segments to access the Telnet and ping functions at IP address 10.0.3.3, deploy ACL3000 on the E2/0/0 egress. To prevent other network segments from accessing the 10.0.20.0/24 and 10.0.2.0/24 network segments, deploy ACL3001 on the VLANIF12 egress. To prevent the 10.0.30.0/24 and 10.0.3.0/24 network segments from accessing other network segments, deploy ACL3002 on the E2/0/0 egress.
[FW]interface Vlanif 12
[FW-Vlanif12]firewall packet-filter 3001 outbound
[FW-Vlanif12]quit
[FW]interface Ethernet 2/0/0
[FW-Ethernet2/0/0]firewall packet-filter 3000 outbound
[FW-Ethernet2/0/0]firewall packet-filter 3002 inbound
After the configurations are complete, test network connectivity. Enable the Telnet function on R3 for the test.
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode none
Information similar to the following indicates that the Telnet and ping access between R1 and the IP address 10.0.3.3 is available but other access modes are unavailable.
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=6 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/6 ms
[R1]ping -a 10.0.1.1 10.0.30.3
  PING 10.0.30.3: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.30.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R1]ping -a 10.0.1.1 10.0.20.2
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.20.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R1]quit
<R1>telnet 10.0.3.3
  Press CTRL_] to quit telnet mode
  Trying 10.0.3.3 ...
  Connected to 10.0.3.3 ...
<R3>quit
  Configuration console exit, please retry to log on
  The connection was closed by the remote host
<R1>
Information similar to the following indicates that the Telnet and ping access between R2 and the IP address 10.0.3.3 is available. R2 can access the 10.0.1.0/24 and 10.0.10.0/24 network segments. Other access modes are unavailable.
<R2>ping 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=4 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=4 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=4 ms
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/4 ms
<R2>ping 10.0.10.1
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=254 time=3 ms
  --- 10.0.10.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms
<R2>ping 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=11 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/5/11 ms
<R2>ping 10.0.30.3
  PING 10.0.30.3: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.30.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<R2>telnet 10.0.3.3
  Press CTRL_] to quit telnet mode
  Trying 10.0.3.3 ...
  Connected to 10.0.3.3 ...
<R3>quit
  Configuration console exit, please retry to log on
  The connection was closed by the remote host
<R2>
Information similar to the following indicates that R3 cannot access other network segments.
[R3]ping -c 1 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R3]ping -c 1 10.0.10.1
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.10.1 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R3]ping -c 1 10.0.20.2
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.20.2 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R3]ping -c 1 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.2.2 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R3]ping -c 1 10.0.30.254
  PING 10.0.30.254: 56 data bytes, press CTRL_C to break
    Request time out
  --- 10.0.30.254 ping statistics ---
    1 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
 sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
 sysname R2
#
interface GigabitEthernet0/0/1
 ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
 sysname R3
#
interface GigabitEthernet0/0/1
 ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
user-interface vty 0 4
 authentication-mode none
#
return

[FW]display current-configuration
#
 sysname FW
#
 vlan batch 1 12
#
 firewall session link-state check
#
#
 runmode firewall
#
acl number 3000
 rule 5 permit tcp destination 10.0.3.3 0 destination-port eq telnet
 rule 10 permit icmp destination 10.0.3.3 0
 rule 15 deny ip
#
acl number 3001
 rule 5 deny ip
#
acl number 3002
 rule 5 deny ip
#
interface Vlanif12
 ip address 10.0.20.254 255.255.255.0
 firewall packet-filter 3001 outbound
#
interface Ethernet0/0/0
 ip address 10.0.10.254 255.255.255.0
#
interface Ethernet1/0/0
 portswitch
 port link-type access
 port access vlan 12
#
interface Ethernet2/0/0
 ip address 10.0.30.254 255.255.255.0
 firewall packet-filter 3002 inbound
 firewall packet-filter 3000 outbound
#
 ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
 ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
 ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
return

[S1]display current-configuration
#
!Software Version V100R006C00SPC800
 sysname S1
#
 dns resolve
#
 vlan batch 11 to 13
#
 stp enable
#
 drop illegal-mac alarm
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
return
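The Step 3 test results can be reproduced offline with a first-match model of ACL 3000, 3001 and 3002 and their interface bindings as listed in the firewall's final configuration above. This Python model is an added example, not part of the lab guide. It assumes that the inbound filter on the ingress interface and the outbound filter on the egress interface are consulted only for the first packet of a flow and that replies are forwarded from the session table; the class and function names and the TCP source port are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    dst: str = "0.0.0.0/0"        # "destination 10.0.3.3 0" is the host 10.0.3.3/32
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def reverse(self):
        """The packet travelling in the opposite direction of the same flow."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


# Rules and bindings transcribed from the lab's final firewall configuration.
ACLS = {
    3000: [Rule("permit", "tcp", "10.0.3.3/32", 23),   # rule 5, telnet = TCP/23
           Rule("permit", "icmp", "10.0.3.3/32"),      # rule 10
           Rule("deny", "ip")],                        # rule 15
    3001: [Rule("deny", "ip")],                        # rule 5
    3002: [Rule("deny", "ip")],                        # rule 5
}
BINDINGS = {
    ("Vlanif12", "outbound"): 3001,
    ("Ethernet2/0/0", "outbound"): 3000,
    ("Ethernet2/0/0", "inbound"): 3002,
}
# Connected network plus the static route reachable through each interface.
NETWORKS = {
    "Ethernet0/0/0": ["10.0.10.0/24", "10.0.1.0/24"],
    "Vlanif12": ["10.0.20.0/24", "10.0.2.0/24"],
    "Ethernet2/0/0": ["10.0.30.0/24", "10.0.3.0/24"],
}


def iface_for(ip):
    """Firewall interface behind which an address lives."""
    addr = ipaddress.ip_address(ip)
    for iface, nets in NETWORKS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return iface
    raise ValueError(f"no route for {ip}")


def evaluate(acl, pkt):
    """Return the action of the first matching rule (first match wins)."""
    addr = ipaddress.ip_address(pkt.dst)
    for rule in ACLS[acl]:
        if (rule.proto in ("ip", pkt.proto)
                and addr in ipaddress.ip_network(rule.dst)
                and rule.dport in (None, pkt.dport)):
            return rule.action
    return "no-match"   # not reached here: every lab ACL ends in "deny ip"


class Firewall:
    def __init__(self, use_sessions=True):
        self.use_sessions = use_sessions
        self.sessions = set()

    def forward(self, pkt):
        # Assumption: a reply to a permitted flow skips the packet filters.
        if self.use_sessions and pkt.reverse() in self.sessions:
            return "permit (session)"
        checks = ((iface_for(pkt.src), "inbound"), (iface_for(pkt.dst), "outbound"))
        for iface, direction in checks:
            acl = BINDINGS.get((iface, direction))
            if acl is not None and evaluate(acl, pkt) == "deny":
                return f"deny (acl {acl} {direction} on {iface})"
        self.sessions.add(pkt)
        return "permit (new)"


def round_trip(src, dst, proto, dport=None, use_sessions=True):
    """Verdict for the reply if the request passes, else the request's verdict."""
    fw = Firewall(use_sessions)
    sport = 50000 if proto == "tcp" else None   # constructed ephemeral port
    request = Packet(src, dst, proto, sport, dport)
    verdict = fw.forward(request)
    return fw.forward(request.reverse()) if verdict.startswith("permit") else verdict


if __name__ == "__main__":
    flows = [("10.0.1.1", "10.0.3.3", "icmp", None), ("10.0.1.1", "10.0.3.3", "tcp", 23),
             ("10.0.1.1", "10.0.2.2", "icmp", None), ("10.0.20.2", "10.0.1.1", "icmp", None),
             ("10.0.30.3", "10.0.1.1", "icmp", None)]
    for src, dst, proto, dport in flows:
        print(f"{src} -> {dst} {proto}: {round_trip(src, dst, proto, dport)}")
```

Calling `round_trip(..., use_sessions=False)` shows which permitted flows would lose their replies to ACL 3001 or ACL 3002 if every packet were filtered independently.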
Topology
Scenario
Assume that you are a network administrator of a company. The company's network at headquarters is divided into three zones: trust, untrust, and DMZ. You intend to control inter-zone traffic using the firewall. On S1, configure three network segments: G0/0/1 and G0/0/21 for accessing VLAN11, G0/0/2 and G0/0/22 for accessing VLAN12, and G0/0/3 and G0/0/23 for accessing VLAN13. You need to achieve the following configurations to meet work requirements:
Users in the trust zone can access users in the untrust zone.
Users in the trust and untrust zones can access users in the DMZ zone.
Users in the untrust zone cannot directly access users in the trust zone.
Users in the DMZ zone cannot directly access users in the trust and untrust zones.
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.0.30.3 24
[R3-GigabitEthernet0/0/1]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
Note that E1/0/0 is a Layer-2 switching interface on the firewall and you cannot directly set an IP address for it. In this exercise, configure VLAN12, the VLANIF12 interface, and the IP address 10.0.20.254/24 for the gateway in the inside zone. By default, the firewall automatically assigns an IP address for its VLANIF1. Delete this configuration to prevent any interference during the exercise.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]undo interface Vlanif 1
[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]ip address 10.0.30.254 24
[S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13
After the configurations are complete, perform a test on the firewall to detect the network connectivity in the same zone.
[FW]ping 10.0.10.1
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.10.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.20.2
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.20.2 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.30.3
  PING 10.0.30.3: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 10.0.30.3: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.30.3: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 10.0.30.3 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Step 2
connectivity.
Configure default routes on R1, R2, and R3 and specific static routes on the firewall to implement the connectivity between the three network segments that are connected by three Loopback0 interfaces.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
[FW]ip route-static 10.0.2.0 24 10.0.20.2
[FW]ip route-static 10.0.3.0 24 10.0.30.3
After the configurations are complete, test the connectivity between the network segments that connect to each other using Loopback0 interfaces.
[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=4 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms
  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/4 ms
[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=4 ms
  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/4 ms
Step 3
By default, the firewall isolates the network into four zones: local, trust, untrust, and DMZ. In this exercise, only trust, untrust, and DMZ zones are involved.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
By default, devices in all zones can communicate with each other. Information similar to the following indicates that the communication from the untrust zone to the trust zone is normal.
<R1>ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Information similar to the following indicates that communication from the untrust zone to the DMZ zone is normal.
<R1>ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/5 ms
Information similar to the following indicates that communication from the trust zone to the untrust zone is normal.
<R2>ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Information similar to the following indicates that communication from the DMZ zone to the untrust zone is normal.
<R3>ping -a 10.0.3.3 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Information similar to the following indicates that communication from the DMZ zone to the trust zone is normal.
<R3>ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/5 ms
Configure the inter-zone policies to allow users in the trust zone to access other zones but not allow other zones to access each other.
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
[FW]firewall session link-state check
After the configurations are complete, test the inter-zone connectivity. Information similar to the following indicates that communication from the untrust zone to the trust zone is blocked.
[R1]ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Information similar to the following indicates that communication from the untrust zone to the DMZ zone is blocked.
[R1]ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Information similar to the following indicates that communication from the trust zone to the untrust zone is normal.
[R2]ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
Information similar to the following indicates that communication from the trust zone to the DMZ zone is normal.
[R2]ping -a 10.0.2.2 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/5 ms
Information similar to the following indicates that communication from the DMZ zone to the untrust zone is blocked.
[R3]ping -a 10.0.3.3 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Information similar to the following indicates that communication from the DMZ zone to the trust zone is blocked.
[R3]ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
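The six ping results above follow from the zone priorities and the default packet-filter rules. The following Python model is an added example, not part of the lab guide or of VRP; the class and function names are hypothetical, and it assumes that a reply is let through on the session created by its request.

```python
import ipaddress
import itertools

# Zone priorities as listed in the lab's final FW configuration.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Loopback0 networks of R1, R2 and R3 and the zone each one sits behind.
ZONE_OF_NET = {
    ipaddress.ip_network("10.0.1.0/24"): "untrust",
    ipaddress.ip_network("10.0.2.0/24"): "trust",
    ipaddress.ip_network("10.0.3.0/24"): "dmz",
}


def zone_for(addr):
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONE_OF_NET.items():
        if ip in net:
            return zone
    raise ValueError(f"{addr} is not in a modelled zone")


def direction(src_zone, dst_zone):
    """Outbound means from the higher-priority zone to the lower-priority one."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


class ZoneFirewall:
    """Simplified model (assumption): default packet-filter plus a session table."""

    def __init__(self):
        self.default_permit = True   # the lab states all zones can talk by default
        self.permits = set()         # {(frozenset of the two zones, direction)}
        self.sessions = set()        # {(src, dst, icmp_id)} of forwarded requests
        self._ids = itertools.count(1)

    def default_deny_all(self):
        # firewall packet-filter default deny all
        self.default_permit = False
        self.permits.clear()

    def default_permit_interzone(self, zone_a, zone_b, direction_):
        # firewall packet-filter default permit interzone <a> <b> direction <d>
        self.permits.add((frozenset((zone_a, zone_b)), direction_))

    def forward(self, src, dst, icmp_id):
        if (dst, src, icmp_id) in self.sessions:
            return True              # reply to a request that was already forwarded
        src_zone, dst_zone = zone_for(src), zone_for(dst)
        key = (frozenset((src_zone, dst_zone)), direction(src_zone, dst_zone))
        allowed = self.default_permit or key in self.permits
        if allowed:
            self.sessions.add((src, dst, icmp_id))
        return allowed

    def ping(self, src, dst):
        """True when both the echo request and its reply cross the firewall."""
        icmp_id = next(self._ids)
        return self.forward(src, dst, icmp_id) and self.forward(dst, src, icmp_id)


LOOPBACKS = {"R1": "10.0.1.1", "R2": "10.0.2.2", "R3": "10.0.3.3"}


def ping_matrix(fw):
    return {(a, b): fw.ping(LOOPBACKS[a], LOOPBACKS[b])
            for a in LOOPBACKS for b in LOOPBACKS if a != b}


def lab_firewall():
    """Firewall state after the three packet-filter commands of this step."""
    fw = ZoneFirewall()
    fw.default_deny_all()
    fw.default_permit_interzone("trust", "untrust", "outbound")
    fw.default_permit_interzone("trust", "dmz", "outbound")
    return fw


if __name__ == "__main__":
    for (a, b), ok in ping_matrix(lab_firewall()).items():
        print(f"{a} -> {b}: {'reply' if ok else 'time out'}")
```

Note that DMZ to untrust is an outbound flow for that zone pair, so it stays blocked only because no permit was added for it after the default deny.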
Step 4
You must enable the Telnet function on R3 before performing the Telnet test.
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode none
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.30.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

<R1>telnet 10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3 ...
Connected to 10.0.3.3 ...
<R3>quit
Configuration console exit, please retry to log on
The connection was closed by the remote host

<R1>telnet 10.0.30.3
Press CTRL_] to quit telnet mode
Trying 10.0.30.3 ...
The preceding test results indicate how the data transmitted between zones is filtered. Except for the permitted data, all other data is filtered out.
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
sysname R2
#
interface GigabitEthernet0/0/1
 ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
sysname R3
#
interface GigabitEthernet0/0/1
 ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
user-interface vty 0 4
 authentication-mode none
#
return
[FW]display current-configuration
#
sysname FW
#
firewall packet-filter default deny interzone local trust direction inbound
firewall packet-filter default deny interzone local trust direction outbound
firewall packet-filter default deny interzone local untrust direction inbound
firewall packet-filter default deny interzone local untrust direction outbound
firewall packet-filter default deny interzone local dmz direction inbound
firewall packet-filter default deny interzone local dmz direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
firewall packet-filter default deny interzone trust dmz direction inbound
firewall packet-filter default deny interzone dmz untrust direction inbound
firewall packet-filter default deny interzone dmz untrust direction outbound
#
vlan batch 1 12
#
firewall session link-state check
#
#
runmode firewall
#
interface Vlanif12
 ip address 10.0.20.254 255.255.255.0
#
interface Ethernet0/0/0
 ip address 10.0.10.254 255.255.255.0
#
interface Ethernet1/0/0
 portswitch
 port link-type access
 port access vlan 12
#
interface Ethernet2/0/0
 ip address 10.0.30.254 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif12
#
firewall zone untrust
 set priority 5
 add interface Ethernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface Ethernet2/0/0
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set icmp
  policy destination 10.0.3.3 0
 policy 2
  action permit
  policy service service-set telnet
  policy destination 10.0.3.3 0
 policy 3
  action deny
#
return

[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
dns resolve
#
vlan batch 11 to 13
#
stp enable
#
drop illegal-mac alarm
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
return
the Eudemon firewall. How to configure the Easy IP feature on the Eudemon firewall.
Topology
Figure 9.4 Lab topology for NAT configuration on the Eudemon firewall
Scenario
Assume that you are a network administrator of a company. The company network is isolated into three zones by the Eudemon firewall: untrust zone, trust zone, and demilitarized zone (DMZ). You need to release the Telnet service that is provided by a server with IP address 10.0.3.3 in the DMZ zone. The external IP address of the server is 10.0.10.20/24. Users in the trust zone can access the untrust zone by means of Easy IP. Other access methods are not allowed. On S1, you need to configure three network segments: G0/0/1 to G0/0/21 for accessing VLAN11, G0/0/2 to G0/0/22 for accessing VLAN12, and G0/0/3 to G0/0/23 for accessing VLAN13.
Note that E1/0/0 is an interface on the Layer-2 switch and you cannot directly set an IP address for it. In this exercise, you need to configure VLAN12, the VLANIF12 interface, and the IP address 10.0.20.254/24 for the gateway in the trust zone. By default, the firewall automatically assigns an IP address for its VLANIF1. You need to delete this configuration to prevent any interference during the experiment.
<Eudemon 200E>system-view
Enter system view, return user view with Ctrl+Z.
[Eudemon 200E]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]undo interface Vlanif 1
[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]ip address 10.0.30.254 24
After the configurations are complete, test link connectivity in the same zone on the firewall.
[FW]ping 10.0.10.1
PING 10.0.10.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.10.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.20.2
PING 10.0.20.2: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.20.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.30.3
PING 10.0.30.3: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.0.30.3: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.30.3: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.30.3: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.30.3: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.30.3 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Step 2
connectivity.
Configure default routes on R2 and R3 and specific static routes on the firewall to implement the connectivity between the three network segments that are connected by three Loopback0 interfaces. R1, an Internet device, does not require you to define default routes because R1 does not need to know any private network information about the trust and DMZ zones.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
[FW]ip route-static 10.0.2.0 24 10.0.20.2
[FW]ip route-static 10.0.3.0 24 10.0.30.3
Test the link connectivity of the three network segments on the firewall: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24.
[FW]ping 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

[FW]ping 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Step 3
By default, the firewall has four zones: local, trust, untrust, and DMZ zones. In this experiment, only trust, untrust, and DMZ zones are involved.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
By default, devices in all zones can communicate with each other. Currently, however, devices in the untrust zone and in the trust and DMZ
Step 4
Packets can be sent from 10.0.2.0 in the trust zone to the untrust zone. Telnet requests can be sent from the untrust zone to the target server with IP address 10.0.3.3 in the DMZ zone.
[FW]firewall session link-state check
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-0]action permit
[FW-policy-interzone-trust-untrust-outbound-0]quit
[FW-policy-interzone-trust-untrust-outbound]quit
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound]policy 0
[FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]action permit
[FW-policy-interzone-dmz-untrust-inbound-0]quit
Step 5
After the configurations are complete, check whether the trust and untrust zones can access each other.
[R2]ping 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

[R2]ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=4 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/4 ms
The preceding output shows that a plain ping from R2 to 10.0.1.1 fails. When you run the extended ping and specify 10.0.2.2 as the source IP address of the packets, the ping succeeds. The plain ping fails because its packets are sent directly to 10.0.1.1 with the source IP address 10.0.20.2, which is not within the client IP address range of NAT translation.
Step 6
Enable the Telnet function on R3 and test it on R1. Note that the external IP address of R3 is 10.0.10.20. When R1 needs to access 10.0.3.3, the destination address must be 10.0.10.20.
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode none

<R1>telnet 10.0.10.20
Press CTRL_] to quit telnet mode
Trying 10.0.10.20 ...
Connected to 10.0.10.20 ...
<R3>
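The results of Steps 5 and 6 can be reproduced from the policy, Easy IP and NAT server entries in this lab's final FW configuration. The following Python model is an added example, not part of the lab guide or of VRP; the function names are hypothetical, and it assumes that traffic matching no policy is dropped (the scenario's "Other access methods are not allowed") and that R1 only knows its connected networks.

```python
import ipaddress


def ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """VRP policies use wildcard masks: bits set in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)


# Values copied from the lab's final FW configuration.
PERMIT_SRC = ("10.0.2.0", "0.0.0.255")    # policy interzone trust untrust outbound
EASY_IP_SRC = ("10.0.2.0", "0.0.0.255")   # nat-policy interzone trust untrust outbound
EASY_IP_ADDR = "10.0.10.254"              # address of Ethernet0/0/0 (easy-ip)
TELNET = 23                               # TCP port of the telnet service
NAT_SERVER = {("10.0.10.20", TELNET): ("10.0.3.3", TELNET)}   # nat server 0
# policy destination 10.0.3.3 0: the CLI shorthand 0 is wildcard 0.0.0.0 (one host)
DMZ_PERMIT = ("10.0.3.3", "0.0.0.0", TELNET)

# R1 has no static or default route in this lab, only its connected networks.
R1_ROUTES = [ipaddress.ip_network(n) for n in ("10.0.10.0/24", "10.0.1.0/24")]


def r1_has_route(addr):
    return any(ipaddress.ip_address(addr) in net for net in R1_ROUTES)


def trust_to_untrust(src):
    """Return (ping answered?, source address R1 sees or None if dropped)."""
    if not wildcard_match(src, *PERMIT_SRC):
        return False, None                 # assumption: unmatched traffic is dropped
    # Source NAT is applied after the policy check, so the policy sees the
    # private source address and R1 sees the firewall's interface address.
    seen = EASY_IP_ADDR if wildcard_match(src, *EASY_IP_SRC) else src
    return r1_has_route(seen), seen


def untrust_to_dmz(dst, port):
    """Return the inside (address, port) that R1 reaches, or None."""
    if not r1_has_route(dst):
        return None                        # R1 cannot even send the packet
    # The NAT server translates the destination before the policy is checked,
    # which is why the policy names 10.0.3.3 and not 10.0.10.20.
    inside = NAT_SERVER.get((dst, port), (dst, port))
    base, wildcard, service = DMZ_PERMIT
    if wildcard_match(inside[0], base, wildcard) and inside[1] == service:
        return inside
    return None


if __name__ == "__main__":
    print("ping from 10.0.20.2:", trust_to_untrust("10.0.20.2"))
    print("ping -a 10.0.2.2   :", trust_to_untrust("10.0.2.2"))
    print("telnet 10.0.10.20  :", untrust_to_dmz("10.0.10.20", TELNET))
    print("telnet 10.0.3.3    :", untrust_to_dmz("10.0.3.3", TELNET))
```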
Final Configurations
[R1]display current-configuration
[V200R001C01SPC300]
#
sysname R1
#
interface GigabitEthernet0/0/1
 ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
return

[R2]display current-configuration
[V200R001C01SPC300]
#
sysname R2
#
interface GigabitEthernet0/0/1
 ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return

[R3]display current-configuration
[V200R001C01SPC300]
#
sysname R3
#
interface GigabitEthernet0/0/1
 ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
 ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
user-interface vty 0 4
 authentication-mode none
#
return

[FW]display current-configuration
#
sysname FW
#
nat server 0 protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
#
vlan batch 1 12
#
firewall session link-state check
#
#
runmode firewall
#
interface Vlanif12
 ip address 10.0.20.254 255.255.255.0
#
interface Ethernet0/0/0
 ip address 10.0.10.254 255.255.255.0
#
interface Ethernet1/0/0
 portswitch
 port link-type access
 port access vlan 12
#
interface Ethernet2/0/0
 ip address 10.0.30.254 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif12
#
firewall zone untrust
 set priority 5
 add interface Ethernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface Ethernet2/0/0
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 10.0.2.0 0.0.0.255
#
policy interzone dmz untrust inbound
 policy 0
  action permit
  policy service service-set telnet
  policy destination 10.0.3.3 0
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source 10.0.2.0 0.0.0.255
  easy-ip Ethernet0/0/0
#
return

[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
dns resolve
#
vlan batch 11 to 13
#
stp enable
#
drop illegal-mac alarm
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 11
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 12
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
 ntdp enable
 ndp enable
 bpdu enable
#
return
network Dynamic Host Configuration Protocol (DHCP) function DHCP relay Firewall Network Address Translation (NAT)
Topology
Scenario
Assume that you are a network administrator of a company. The company network is divided into three areas: headquarters network area, company branch network area, and branch office network area. Router R1 on which a firewall is installed resides in the headquarters network area. The firewall divides this area into three zones: Demilitarized Zone (DMZ), internal network zone consisting of five network segments, and external network zone. Router R2 resides in the company branch network area that consists of three network segments. Router R3 resides in the branch office network area that consists of only one network segment. The three network areas communicate with each other using the FR function. Private lines are leased to provide line backups for network services. For details about interface and IP address configurations, see the preceding figure.
Tasks
The purpose of this comprehensive exercise is to test whether you have understood the configuration methods described in the previous 19 labs. Therefore, only a brief description of the configuration procedures and verification methods, not specific commands, is provided.
Step 1
Set IP addresses and configure VLANs based on the topology, and configure the FR function to achieve communication between different network areas. Test the network connectivity.
Layer 3 switching needs to be configured only for S1. The IP addresses of VLANIFs on S1 must be the same as those displayed in the preceding topology. R3 uses physical interface G0/0/2 to provide services for VLAN21, VLAN22, and VLAN23. Inverse Address Resolution Protocol (InARP) must be disabled on FR interfaces. The mapping between Data Link Connection Identifiers (DLCIs) of permanent virtual circuits (PVCs) on the FR interfaces and the peer IP addresses for the PVCs must be defined on R1, R2, and R3. No virtual circuit exists between R2 and R3. E1/0/0 on the firewall must be connected to the DMZ, but no IP address can be configured for this interface. This comprehensive exercise requires that an IP address be configured for VLANIF100 and the default interface VLANIF1 be deleted from the firewall.
Step 2
Configure OSPF.
Configure OSPF on R1, R2, R3, S1, and the firewall. Ensure that all the network segments belong to area 0. On FR interfaces, configure OSPF to operate in NBMA mode, the default mode. Configure all of the interfaces that do not need to send OSPF messages as silent interfaces. Enable MD5 authentication on the 10.0.123.0/24 network segment and set the authentication password to huawei. On the firewall, configure a default route with the next hop of 10.0.200.2. Set the route type to Type 1 and cost value to 20, and import this route to the OSPF area in permanent advertisement mode.
Step 3
Configure the DHCP service on R1 to serve the devices on network segments including 10.0.11.0/24, 10.0.12.0/24, 10.0.13.0/24, 10.0.21.0/24, 10.0.22.0/24, and 10.0.23.0/24. Set the IP address of the Domain Name Server (DNS) to 10.0.200.200 and the IP address validity to three hours. Configure the DHCP relay function on R3 and ensure that the users in VLAN21, VLAN22, and VLAN23 can automatically obtain IP addresses. Configure VLANIF23 on S4 and test the DHCP service on the 10.0.23.0/24 segment. Configure VLANIF13 on S3 and test the DHCP service on the 10.0.13.0/24 segment.
Step 4
Configure firewall functions and ensure that users on the internal network can access the external network, but users on the external network cannot access the internal network or the DMZ and users in the DMZ cannot access any network. By default, users on the internal network cannot access the DMZ. A server with IP address 10.0.100.11/24 resides in the DMZ to provide Telnet, File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP) services. The HTTP service is available to all areas, the FTP service is available to all addresses on the internal network, and the Telnet service is available only to 10.0.13.100/24.
Step 5
Configure NAT on the firewall and enable the Easy-IP function so that users in the headquarters network area, company branch network area, and branch office network area can access the external network by means of NAT.
Final Configurations
[R1]display current-configuration
[R2]display current-configuration
[R3]display current-configuration
[S1]display current-configuration
[S2]display current-configuration
[S3]display current-configuration
[S4]display current-configuration
[FW]display current-configuration