HCIA-Datacom V1.0 Lab Guide
HCIA-Datacom
Datacom Engineers’
Lab Guide
V1.0
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei
and the customer. All or part of the products, services and features described in this document may
not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all
statements, information, and recommendations in this document are provided "AS IS" without
warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in
the preparation of this document to ensure accuracy of the contents, but all statements, information,
and recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://e.huawei.com/
The Huawei certification system introduces the industry, fosters innovation, and imparts cutting-
edge datacom knowledge.
Introduction
This document is an HCIA-Datacom certification training course and is intended
for trainees who are going to take the HCIA-Datacom exam or readers who want
to understand routing and switching principles, basic WLAN principles, network
security basics, network management and O&M basics, SDN and programmability
and automation basics.
Symbol Conventions
Lab Environment
Network Description
This lab environment is intended for datacom engineers who are preparing for the
HCIA-Datacom exam. Each lab environment includes two switches (PoE not
supported), two PoE switches, two wireless access points (APs), and two routers.
Device Requirements
To meet exercise requirements, the recommended configurations of the
environment are as follows:
The port, output, and configuration information of devices in this document is provided
based on the recommended topology. The actual information may vary according to the
lab environment.
1.1 Introduction
1.1.1 About This Lab
In this lab activity, you will learn the basic operations of the Huawei VRP system by
configuring Huawei devices.
1.1.2 Objectives
Upon completion of this task, you will be able to:
● Understand the meaning of command line views and how to access and exit
command line views
● Understand common commands
● Understand how to use the command line online help
● Learn how to negate a command
● Learn how to use command line shortcut keys
Figure 1-1 Lab topology for understanding the VRP operating system
Huawei devices provide a wide variety of functions and related configuration and
query commands. The commands are available in different command views based
on the functions of the commands. To use a function, enter the corresponding
command view first and then run corresponding commands.
# Enter the interface view and configure the IP address of the interface.
[Datacom-Router]inter //Press Tab to complete the command.
[Datacom-Router]interface //"interface" is the only optional keyword.
[Datacom-Router]interface g //Press Tab to complete the command.
[Datacom-Router]interface GigabitEthernet //"GigabitEthernet" is the only optional keyword.
Enter the first several letters of a keyword in a command and press Tab to display
a complete keyword. The first several letters, however, must uniquely identify the
keyword. If they do not identify a specific keyword, press Tab continuously until
the desired keyword is displayed. For example:
When you enter inter and press Tab, only the interface command starts with
inter. Therefore, the command is autocompleted as interface. The command does
not change if you press Tab multiple times.
[Datacom-Router-GigabitEthernet0/0/1]
The GigabitEthernet0/0/1 interface view is displayed.
[Datacom-Router-GigabitEthernet0/0/1]i?
icmp <Group> icmp command group
igmp Specify parameters for IGMP
ip <Group> ip command group
ipsec Specify IPSec(IP Security) configuration information
ipv6 <Group> ipv6 command group
isis Configure interface parameters for ISIS
If you enter only the first or first several characters of a command keyword, you
can use the context-sensitive help function to obtain all the keywords that begin
with a character or character string. The meaning of each keyword will also be
displayed. For example:
When you enter some keywords of a command and a question mark (?) separated
by a space, all keywords associated with this command, as well as simple
descriptions, are displayed. For example:
If you enter ip, a space, and a question mark (?), all commands containing
keyword ip and the corresponding descriptions are displayed.
[Datacom-Router-GigabitEthernet0/0/1]ip address ?
IP_ADDR<X.X.X.X> IP address
bootp-alloc IP address allocated by BOOTP
dhcp-alloc IP address allocated by DHCP
unnumbered Share an address with another interface
[Datacom-Router-GigabitEthernet0/0/1]ip address 192.168.1.1 ?
<cr> indicates that no keyword or parameter exists in this position. You can press
Enter to run the command.
[Datacom-Router-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
The display this command displays the running configuration in the current view.
Effective arguments set to their defaults are not displayed. Configured arguments
that are not committed successfully are not displayed, either. This command is
used to check the configuration.
You do not need to enter complete keywords if the entered characters can match
a unique keyword in the current view. This function improves efficiency. For
example:
The dis this command can be executed on an interface because only the display
this command matches the entered characters in the current view. Similarly, the
dis cu or d cu command can also be executed because they are equivalent to the
display current-configuration command.
[Datacom-Router-GigabitEthernet0/0/1]quit
The quit command returns a device from the current view to a lower-level view. If
the current view is the user view, this command exits from the system.
To negate a command, use the undo keyword with the command. An undo
command is generally used to restore a default configuration, disable a function,
or delete a configuration. Almost every command line has a corresponding undo
command.
[Datacom-Router]interface GigabitEthernet 0/0/2
[Datacom-Router-GigabitEthernet0/0/2]ip address 192.168.1.1 24
[Datacom-Router-GigabitEthernet0/0/2]quit
#
sysname Datacom-Router
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
---- More ----
When the information cannot be completely displayed on one screen, the system
will pause so that you can view the information. If ---- More ---- is displayed at the
bottom of the command output, you can
1. Run the return command to return to the user view from any view.
2. Press Ctrl+Z to return to the user view from any view.
# Save the running configuration and name the configuration file test.cfg.
<Datacom-Router>save test.cfg
Are you sure to save the configuration to test.cfg? (y/n)[n]:y //Enter y to confirm.
It will take several minutes to save configuration file, please wait.......
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
The display startup command displays the system software and configuration,
license, patch, and voice files.
----End
1.3 Verification
The details are not provided here.
1.5 Quiz
1. Familiarize yourself with the function keys of the Huawei VRP system according
to section 2.6.
2. In step 5, the reset saved-configuration command is executed to clear the
configuration. Why is the configuration still retained after the device is
restarted?
1.6 Appendix
Table 1-1 System function keys
Key         Function
<Ctrl+W>    Deletes the character string (word) to the left of the cursor.
<Ctrl+Y>    Deletes the character at the cursor and all characters to the right of the cursor.
In this lab activity, you will configure IPv4 addresses and static IPv4 routes, and
understand basic routing principles in the process.
2.1.1.2 Objectives
Upon completion of this task, you will be able to:
Step 2 Display the IP address of the current interface and the routing table of the router.
The display ip interface brief command displays the brief information about
interface IP addresses, including the IP addresses, subnet masks, physical status,
link-layer protocol status, and number of interfaces in different states.
InLoopBack0 uses the fixed loopback address 127.0.0.1/8 to receive data packets
destined for the host where InLoopBack0 resides. The IP address of the
InLoopBack0 interface cannot be changed or advertised using a routing protocol.
R1 GigabitEthernet0/0/1 10.0.13.1/24
GigabitEthernet0/0/3 10.0.12.1/24
R2 GigabitEthernet0/0/3 10.0.12.2/24
GigabitEthernet0/0/4 10.0.23.2/24
R3 GigabitEthernet0/0/1 10.0.13.3/24
GigabitEthernet0/0/3 10.0.23.3/24
<R1>system-view
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]interface GigabitEthernet0/0/3
<R2>system-view
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]ip address 10.0.12.2 24
[R2-GigabitEthernet0/0/3]quit
[R2]interface GigabitEthernet0/0/4
[R2-GigabitEthernet0/0/4]ip address 10.0.23.2 24
[R2-GigabitEthernet0/0/4]quit
<R3>system-view
[R3]interface GigabitEthernet0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.0.13.3 24
[R3-GigabitEthernet0/0/1]quit
[R3]interface GigabitEthernet0/0/3
[R3-GigabitEthernet0/0/3]ip address 10.0.23.3 24
[R3-GigabitEthernet0/0/3]quit
[R1]ping 10.0.13.3
PING 10.0.13.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.13.3: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.0.13.3: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 10.0.13.3: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.13.3: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.0.13.3: bytes=56 Sequence=5 ttl=255 time=30 ms
Destinations : 10 Routes : 10
The preceding command output shows that three direct routes are automatically
generated for each interface after the IP addresses of the interfaces are
configured, which are
R1 LoopBack0 10.0.1.1/32
R2 LoopBack0 10.0.1.2/32
R3 LoopBack0 10.0.1.3/32
Loopback interfaces are logical interfaces manually configured and do not exist
physically. Logical interfaces can be used to exchange data. A loopback interface is
always Up at the physical layer and link layer unless it is manually shut down.
Generally, a loopback interface uses a 32-bit mask. Loopback interfaces are used
for the following purposes:
In this lab activity, the loopback interfaces are used to simulate clients.
[R1]interface LoopBack0
[R1-LoopBack0]ip address 10.0.1.1 32
[R2]interface LoopBack0
[R2-LoopBack0]ip address 10.0.1.2 32
[R3]interface LoopBack0
[R3-LoopBack0]ip address 10.0.1.3 32
# Test connectivity.
[R1]ping -a 10.0.1.1 10.0.1.2
PING 10.0.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
# Test connectivity.
<R1>ping -a 10.0.1.1 10.0.1.2
PING 10.0.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.2: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 10.0.1.2: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 10.0.1.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.0.1.2: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.0.1.2: bytes=56 Sequence=5 ttl=255 time=30 ms
Step 6 Configure a path from R1 to R2 via R3 as the backup path from LoopBack0 of R1
to LoopBack0 of R2.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 13
# Display the routing table on R1 and R2. The command output shows that the
routes with a lower priority are activated when the routes with a higher priority
are invalidated.
[R1]display IP routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
In this case, the original static route becomes invalid and the static route with a
lower priority is activated.
# Test connectivity.
[R1]ping -a 10.0.1.1 10.0.1.2
PING 10.0.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.2: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 10.0.1.2: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.0.1.2: bytes=56 Sequence=3 ttl=254 time=60 ms
Reply from 10.0.1.2: bytes=56 Sequence=4 ttl=254 time=110 ms
Reply from 10.0.1.2: bytes=56 Sequence=5 ttl=254 time=80 ms
1 10.0.13.3 40 ms 30 ms 50 ms
2 10.0.23.2 80 ms 80 ms 60 ms
The tracert command displays the path of packets from the source to the
destination.
The command output shows that the data packets pass through
GigabitEthernet0/0/1 and GigabitEthernet0/0/3 of R3 and are then forwarded to
GigabitEthernet0/0/4 of R2.
In some lab environments, the devices may not respond to ICMP packets for security
reasons. Therefore, the results may vary. You can press Ctrl+C to end the tracert operation.
Step 7 Configure default routes to connect the LoopBack0 interface of R1 and the
LoopBack0 interface of R2.
----End
2.1.3 Verification
You can run the ping and tracert commands to test the connectivity between
LoopBack0 interfaces on different devices.
Configuration on R2
#
sysname R2
#
interface GigabitEthernet0/0/3
Configuration on R3
#
sysname R3
#
interface GigabitEthernet0/0/1
ip address 10.0.13.3 255.255.255.0
#
interface GigabitEthernet0/0/3
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.3 255.255.255.255
#
ip route-static 10.0.1.1 255.255.255.255 10.0.13.1
ip route-static 10.0.1.2 255.255.255.255 10.0.23.2
#
return
2.1.5 Quiz
1. In what situations will the configured static route be added to the IP routing
table? Can a route be added to the IP routing table if the configured next hop
is unreachable?
2. In step 3, if the -a argument is not specified during the connectivity test
between loopback interfaces, what is the source IP address of ICMP packets?
Why?
● Multicast packet transmission to reduce load on the switches that are not
running OSPF
● Classless Inter-Domain Routing (CIDR)
● Load balancing among equal-cost routes
● Packet authentication
With the preceding advantages, OSPF is widely accepted and used as an IGP.
In the lab activity, you will understand basic OSPF configurations and principles by
configuring single-area OSPF.
2.2.1.2 Objectives
Upon completion of this task, you will be able to:
# Follow steps 1, 2, 3, and 4 in lab 1 to name the routers and configure the IP
addresses of the physical and loopback interfaces.
You can set OSPF parameters only after creating an OSPF process. OSPF supports
multiple independent processes on one device. Route exchange between different
OSPF processes is similar to that between different routing protocols. You can
specify a process ID when creating an OSPF process. If no process ID is specified,
the default process ID 1 is used.
# Create an OSPF area and specify the interfaces on which OSPF is to be enabled.
[R1-ospf-1]area 0
The area command creates an OSPF area and displays the OSPF area view.
[R1-ospf-1-area-0.0.0.0]network 10.0.12.1 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.13.1 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.1.1 0.0.0.0
1. The mask length of the interface's IP address is not shorter than that specified
in the network command. OSPF uses a reverse (wildcard) mask. For example, 0.0.0.255
indicates that the mask length is 24 bits.
2. The address of the interface must be within the network range specified in
the network command.
In this example, OSPF can be enabled on the three interfaces, and they are all
added to area 0.
[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.1.2 0.0.0.0
If the wildcard mask in the network command is all 0s and the IP address of the
interface is the same as the IP address specified in the network command, the
interface also runs OSPF.
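The matching rules above, worked through as an added Python example (not part of the original lab guide): it applies the two conditions and the all-zero wildcard case to R1's lab interfaces. The extra interface GigabitEthernet0/0/2 (10.0.99.1/24) and the broad 10.0.0.0 0.255.255.255 statement are constructed for illustration, and non-contiguous wildcard masks are assumed not to be used.

```python
import ipaddress


def wildcard_to_prefix_len(wildcard: str) -> int:
    """Convert a contiguous wildcard (reverse) mask to a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is a run of 1-bits at the low end, so w & (w + 1) == 0.
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - w.bit_length()


def ospf_enabled(if_addr: str, if_prefix_len: int, net_addr: str, wildcard: str) -> bool:
    """Apply the guide's two conditions plus its all-zero wildcard case."""
    net_len = wildcard_to_prefix_len(wildcard)
    if_int = int(ipaddress.IPv4Address(if_addr))
    net_int = int(ipaddress.IPv4Address(net_addr))
    if net_len == 32:
        # Wildcard 0.0.0.0: the interface address must equal the configured
        # address; the interface mask length is not compared in this case.
        return if_int == net_int
    mask = (0xFFFFFFFF << (32 - net_len)) & 0xFFFFFFFF
    in_range = (if_int & mask) == (net_int & mask)   # condition 2
    return if_prefix_len >= net_len and in_range     # condition 1


def enabled_interfaces(interfaces, networks):
    """Return the names of interfaces matched by at least one network statement."""
    return [
        name
        for name, (addr, plen) in interfaces.items()
        if any(ospf_enabled(addr, plen, net, wc) for net, wc in networks)
    ]


# R1 interfaces and network statements as configured in this lab.
R1_INTERFACES = {
    "GigabitEthernet0/0/1": ("10.0.13.1", 24),
    "GigabitEthernet0/0/3": ("10.0.12.1", 24),
    "LoopBack0": ("10.0.1.1", 32),
}
R1_NETWORKS = [
    ("10.0.12.1", "0.0.0.255"),
    ("10.0.13.1", "0.0.0.255"),
    ("10.0.1.1", "0.0.0.0"),
]

# Constructed: an interface that is not meant to run OSPF, and one broad
# statement an operator might write instead of three narrow ones.
WITH_EXTRA = dict(R1_INTERFACES, **{"GigabitEthernet0/0/2": ("10.0.99.1", 24)})
BROAD = [("10.0.0.0", "0.255.255.255")]

if __name__ == "__main__":
    print("lab statements  :", enabled_interfaces(WITH_EXTRA, R1_NETWORKS))
    print("broad statement :", enabled_interfaces(WITH_EXTRA, BROAD))
    # Interface mask (24) shorter than the statement's mask (30): condition 1 fails.
    print("/24 vs 0.0.0.3  :", ospf_enabled("10.0.12.1", 24, "10.0.12.0", "0.0.0.3"))
```

The broad statement also enables OSPF on the constructed GigabitEthernet0/0/2, which is why narrow or all-zero wildcards are the safer way to keep OSPF off interfaces that face untrusted segments.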
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.13.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.1.3 0.0.0.0
Neighbors
The display ospf peer command displays information about neighbors in each
OSPF area. The information includes the area to which the neighbor belongs,
router ID of the neighbor, neighbor status, DR, and BDR.
The password is displayed in cipher text when you view the configuration because
cipher means cipher-text.
Step 5 Assume that R1 is the egress of all networks. Therefore, R1 advertises the default
route to OSPF.
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 16
Step 6 Change the cost values of interfaces on R1 so that LoopBack0 on R1 can reach
LoopBack0 on R2 via R3.
# According to the routing table of R1, the cost of the route from R1 to
LoopBack0 of R2 is 1, and the cost of the route from R1 to R2 via R3 is 2.
Therefore, you only need to change the cost of the route from R1 to LoopBack0 of
R2 to ensure that the value is greater than 2.
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]ospf cost 10
1 10.0.13.3 40 ms 50 ms 50 ms
2 10.0.23.2 60 ms 110 ms 70 ms
----End
2.2.3 Verification
1. Test the connectivity between interfaces on different devices using Ping.
2. Shut down interfaces to simulate link faults and check the changes in routing
tables.
Configuration on R2
#
sysname R2
#
interface GigabitEthernet0/0/3
ip address 10.0.12.2 255.255.255.0
ospf authentication-mode md5 1 cipher %^%#z+72ZaTk2+v/g7E~AmR"NFYAKC>LZ8~Y`[**Gh=&%^%#
#
interface GigabitEthernet0/0/4
ip address 10.0.23.2 255.255.255.0
ospf authentication-mode md5 1 cipher %^%#=@2jEBu!{&UYoB*(RDVLc5t~<1B_a-PwC$WH%jQ3%^%#
#
interface LoopBack0
ip address 10.0.1.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.0.1.2 0.0.0.0
network 10.0.12.2 0.0.0.0
Configuration on R3
#
sysname R3
#
interface GigabitEthernet0/0/1
ip address 10.0.13.3 255.255.255.0
#
interface GigabitEthernet0/0/3
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.3 255.255.255.255
#
ospf 1
area 0.0.0.0
authentication-mode md5 1 cipher %^%#Rl<:SVln1M>[Gk"v/OeSEW|:0:4*h;b|-d:N"s{>%^%#
network 10.0.1.3 0.0.0.0
network 10.0.13.3 0.0.0.0
network 10.0.23.3 0.0.0.0
#
return
2.2.5 Quiz
1. In step 6, what is the path for R2 to return ICMP packets to R1? Try to explain
the reason.
In this lab activity, you will learn how to configure VLANs on Huawei switches.
3.1.1.2 Objectives
Upon completion of this task, you will be able to:
# Shut down GE0/0/11 and GE0/0/12 on S1. This step applies only to the
environment described in HCIA-Datacom Lab Construction Guide V1.0.
[S1]interface GigabitEthernet 0/0/11
[S1-GigabitEthernet0/0/11]shutdown
[S1-GigabitEthernet0/0/11]quit
[S1]interface GigabitEthernet 0/0/12
[S1-GigabitEthernet0/0/12]shutdown
[S1-GigabitEthernet0/0/12]quit
[R3]interface GigabitEthernet0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.1.10.1 24
The undo portswitch command changes the working mode of Ethernet interfaces
from Layer 2 mode to Layer 3 mode.
[S3-GigabitEthernet0/0/1]ip address 10.1.3.1 24
[S4]interface GigabitEthernet0/0/2
[S4-GigabitEthernet0/0/2]undo portswitch
[S4-GigabitEthernet0/0/2]ip address 10.1.3.2 24
[S4]vlan 3
[S4-vlan3]
[S4]interface GigabitEthernet0/0/2
The interface vlanif vlan-id command creates a VLANIF interface and displays the
VLANIF interface view.
[S3-Vlanif3]ip address 10.1.3.1 24
The vlan vlan-id command creates a VLAN and displays the VLAN view. If the
VLAN exists, the VLAN view is displayed.
The port link-type { access | hybrid | trunk } command specifies the link type of
an interface, which can be Access, Trunk, or Hybrid.
[S1-GigabitEthernet0/0/1]port default vlan 2
The port default vlan vlan-id command configures the default VLAN of an
interface and assigns the interface to the VLAN.
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]port default vlan 3
[S1-GigabitEthernet0/0/13]quit
[S2]interface GigabitEthernet0/0/14
[S2-GigabitEthernet0/0/14]port link-type access
# Configure the ports connecting S1 and S2 as trunk ports and allow only packets
from VLAN 2 and VLAN 3 to pass through.
[S1]interface GigabitEthernet0/0/10
[S1-GigabitEthernet0/0/10]port link-type trunk
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan 2 3
The port trunk allow-pass vlan command assigns a trunk port to the specified
VLANs.
[S1-GigabitEthernet0/0/10]undo port trunk allow-pass vlan 1
The undo port trunk allow-pass vlan command deletes a trunk port from the
specified VLANs.
By default, VLAN 1 is in the allowed list. If VLAN 1 is not used for any service, it
needs to be deleted for security purposes.
[S2]interface GigabitEthernet0/0/10
[S2-GigabitEthernet0/0/10]port link-type trunk
[S2-GigabitEthernet0/0/10]port trunk allow-pass vlan 2 3
[S2-GigabitEthernet0/0/10]undo port trunk allow-pass vlan 1
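An added Python example, not part of the original lab guide, that audits a saved configuration for trunk ports still carrying VLAN 1. The sample configuration is constructed: GigabitEthernet0/0/10 and GigabitEthernet0/0/14 follow this lab's S2 settings, while GigabitEthernet0/0/9 is a hypothetical trunk that was never pruned.

```python
def parse_vlan_list(tokens):
    """Expand VRP VLAN list tokens, e.g. ['2', 'to', '3', '10'] -> {2, 3, 10}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def interface_stanzas(config):
    """Yield (interface name, [commands]) for each '#'-delimited interface block."""
    name, lines = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name:
                yield name, lines
            name, lines = line.split(None, 1)[1], []
        elif line in ("#", "return"):
            if name:
                yield name, lines
            name, lines = None, []
        elif name and line:
            lines.append(line)
    if name:
        yield name, lines


def trunk_allowed_vlans(lines):
    """Return the allowed VLAN set of a trunk port, or None for other link types."""
    if "port link-type trunk" not in lines:
        return None
    allowed = {1}  # VLAN 1 is in the allowed list by default
    for line in lines:
        tokens = line.split()
        if tokens[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed |= parse_vlan_list(tokens[4:])
        elif tokens[:5] == ["undo", "port", "trunk", "allow-pass", "vlan"]:
            allowed -= parse_vlan_list(tokens[5:])
    return allowed


def trunk_report(config):
    """Map each trunk interface to its sorted list of allowed VLANs."""
    report = {}
    for name, lines in interface_stanzas(config):
        allowed = trunk_allowed_vlans(lines)
        if allowed is not None:
            report[name] = sorted(allowed)
    return report


def trunks_permitting_vlan1(config):
    """List trunk interfaces on which VLAN 1 is still allowed."""
    return [name for name, vlans in trunk_report(config).items() if 1 in vlans]


# Constructed sample configuration (see the lead-in for what is hypothetical).
SAMPLE_CONFIG = """\
#
sysname S2
#
interface GigabitEthernet0/0/9
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 3 10
#
interface GigabitEthernet0/0/14
 port link-type access
 port default vlan 3
#
return
"""

if __name__ == "__main__":
    for port, vlans in trunk_report(SAMPLE_CONFIG).items():
        print(f"{port}: allowed VLANs {vlans}")
    print("VLAN 1 still allowed on:", trunks_permitting_vlan1(SAMPLE_CONFIG))
```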
The VLAN membership depends on the source MAC addresses of packets, and
VLAN tags are added accordingly. This VLAN assignment method is independent
of the location, providing a higher level of security and flexibility.
[S2] vlan 10
[S2-vlan10] mac-vlan mac-address a008-6fe1-0c46
On access and trunk ports, MAC address-based VLAN assignment can be used
only when the VLAN is the same as the PVID. Therefore, it is recommended that
you configure MAC address-based VLAN assignment on a hybrid port to receive
untagged packets from multiple VLANs.
[S2]interface GigabitEthernet0/0/1
[S2-GigabitEthernet0/0/1]port link-type hybrid
[S2-GigabitEthernet0/0/1]port hybrid untagged vlan 10
The port hybrid untagged vlan command assigns a hybrid port to the specified
VLANs to allow untagged frames to pass through.
[S2-GigabitEthernet0/0/1]quit
[S2]interface GigabitEthernet0/0/2
[S2-GigabitEthernet0/0/2]port link-type hybrid
[S2-GigabitEthernet0/0/2]port hybrid untagged vlan 10
[S2-GigabitEthernet0/0/2]quit
[S2]interface GigabitEthernet0/0/3
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 10
[S2-GigabitEthernet0/0/3]quit
The ports need to allow tagged frames from multiple VLANs to pass through.
Therefore, the ports can be configured as trunk ports.
[S1]interface GigabitEthernet0/0/10
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan 10
[S1-GigabitEthernet0/0/10]quit
[S2]interface GigabitEthernet0/0/10
[S2-GigabitEthernet0/0/10]port trunk allow-pass vlan 10
[S2-GigabitEthernet0/0/10]quit
[S2]display vlan
The total number of vlans is : 4
------------------------------------------------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
------------------------------------------------------------------------------------------------------------------------
TG: GE0/0/10(U)
3.1.3 Verification
Test the device connectivity and verify the VLAN configuration.
shutdown
#
interface GigabitEthernet0/0/12
shutdown
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 3
#
return
Configuration on S2
#
sysname S2
#
vlan batch 2 to 3 10
#
vlan 10
mac-vlan mac-address a008-6fe1-0c46 priority 0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet0/0/10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 3 10
#
interface GigabitEthernet0/0/11
shutdown
#
interface GigabitEthernet0/0/12
shutdown
#
interface GigabitEthernet0/0/14
port link-type access
port default vlan 3
#
return
3.1.5 Quiz
1. As shown in the following figure, to ensure the information security of a
special service, only some special PCs can access the network through VLAN
10. How can this requirement be implemented on S1?
STP defined in IEEE 802.1D has evolved to the Rapid Spanning Tree Protocol
(RSTP) defined in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP)
defined in IEEE 802.1S.
In this lab activity, you will learn the basic STP configuration and understand its
principles and some features of RSTP.
3.2.1.2 Objectives
Upon completion of this task, you will be able to:
The stp enable command enables STP, RSTP, or MSTP on a switching device or a
port. By default, STP, RSTP, or MSTP is enabled on switches.
The stp mode { mstp | rstp | stp } command sets the operation mode of the
spanning tree protocol on a switching device. By default, the switching device
operates in MSTP mode. The spanning tree mode of the current device has been
changed to STP.
[S2]stp mode stp
Info: This operation may take a few seconds. Please wait for a moment...done.
# Based on the root bridge ID and port information on each switch, the current
topology is as follows:
The dotted line indicates that the link does not forward service data.
This topology is for reference only and may not be the same as the actual spanning tree
topology in the lab environment.
Step 3 Modify device parameters to make S1 the root bridge and S2 the secondary root
bridge.
Owing to the importance of the root bridge, the switch with high performance
and network hierarchy is generally chosen as a root bridge. The priority of such a
device, however, may not be that high. Therefore, setting a high priority for the
switch is necessary so that the switch can be elected as the root bridge. The stp
root command configures the switch as a root bridge or secondary root bridge of
a spanning tree.
● The stp root primary command specifies a switch as the root switching
device. In this case, the priority value of the switch is 0 in the spanning tree
and the priority cannot be changed.
● The stp root secondary command specifies a switch as the secondary root
bridge. In this case, the priority value of the switch is 4096 and the priority
cannot be changed.
[S2]stp root secondary
# Based on the root bridge ID and port information on each switch, the current
topology is as follows:
BPDU-Protection :Disabled
TC or TCN received :93
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:9m:5s
Number of TC :18
Last TC occurred :GigabitEthernet0/0/1
The cost of the root path from S4 to S1 is 20000.
A device provides multiple Ethernet ports, many of which have the same
configuration. Configuring them one by one is tedious and error-prone. An easy
way is to add such ports to a port group and configure the group. The system will
automatically execute the commands on all ports in the group.
The stp edged-port enable command sets the current port as an edge port. If a
port of a switching device receives a BPDU after being configured as an edge port,
the switching device will automatically set the port as a non-edge port and
recalculate the spanning tree.
----End
3.2.3 Verification
1. Mark the root bridge and the role of each port in the lab environment based
on the actual network convergence.
2. Disable any port on any switch and check whether the traffic can reach all
other switches through the backup links.
Configuration on S2
#
sysname S2
#
stp mode rstp
stp instance 0 root secondary
#
interface GigabitEthernet0/0/12
shutdown
#
return
Configuration on S3
#
sysname S3
#
stp mode rstp
#
interface GigabitEthernet0/0/10
stp edged-port enable
#
interface GigabitEthernet0/0/11
stp edged-port enable
#
interface GigabitEthernet0/0/12
stp edged-port enable
#
interface GigabitEthernet0/0/13
stp edged-port enable
#
interface GigabitEthernet0/0/14
stp edged-port enable
#
interface GigabitEthernet0/0/15
stp edged-port enable
#
interface GigabitEthernet0/0/16
stp edged-port enable
#
interface GigabitEthernet0/0/17
stp edged-port enable
#
interface GigabitEthernet0/0/18
stp edged-port enable
#
interface GigabitEthernet0/0/19
stp edged-port enable
#
interface GigabitEthernet0/0/20
stp edged-port enable
#
interface GigabitEthernet0/0/21
stp edged-port enable
#
interface GigabitEthernet0/0/22
stp edged-port enable
#
interface GigabitEthernet0/0/23
stp edged-port enable
#
interface GigabitEthernet0/0/24
stp edged-port enable
#
return
Configuration on S4
#
sysname S4
#
stp mode rstp
#
interface GigabitEthernet0/0/1
stp instance 0 cost 5000
#
return
3.2.5 Quiz
1. In step 3, if the cost of GigabitEthernet 0/0/14 on S1 is changed to 50000, can
the desired result be achieved? Why?
2. In the current topology, modify the configuration to make
GigabitEthernet0/0/11 of S2 the root port.
3. Can the two links between S1 and S2 be in the forwarding state at the same
time? Why?
3.3.1.2 Objectives
Upon completion of this task, you will be able to:
# Create an Eth-Trunk.
[S1]interface Eth-Trunk 1
The mode command configures the working mode of the Eth-Trunk, which can be
LACP or manual load balancing. By default, the manual load balancing mode is
used. Therefore, the preceding operation is unnecessary and is provided for
demonstration purposes only.
You can enter the interface view of an individual port and add it to an Eth-Trunk.
You can also run the trunkport command in the Eth-Trunk interface view to add
multiple ports to the Eth-Trunk.
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 to 0/0/12
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]undo trunkport GigabitEthernet 0/0/10 to 0/0/12
Info: This operation may take a few seconds. Please wait for a moment...done.
Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk
has no member port.
The mode lacp command sets the working mode of an Eth-Trunk to LACP.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 to 0/0/12
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 to 0/0/12
Info: This operation may take a few seconds. Please wait for a moment...done.
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/10 32768 4c1f-ccc1-4a02 32768 11 305 10111100
GigabitEthernet0/0/11 32768 4c1f-ccc1-4a02 32768 12 305 10111100
GigabitEthernet0/0/12 32768 4c1f-ccc1-4a02 32768 13 305 10111100
Link Aggregation Control Protocol data units (LACPDUs) are sent and received by
both endpoints of a link aggregation group in LACP mode.
1. The system priority field is compared. The default priority value is 32768, and
a lower value indicates a higher priority. The endpoint with a higher priority is
elected as the LACP actor.
2. If there is a tie in priority, the endpoint with a smaller MAC address becomes
the actor.
After the actor is elected, the devices at both ends select active ports according to
the port priority settings on the actor.
The bandwidth and status of an Eth-Trunk depend on the number of active ports.
The bandwidth of an Eth-Trunk is the total bandwidth of all member ports in Up
state. You can set the following thresholds to stabilize an Eth-Trunk's status and
bandwidth and to reduce the impact of frequent changes in member link
status.
● Lower threshold: When the number of active ports falls below this threshold,
the Eth-Trunk goes Down. This threshold determines the minimum bandwidth
of an Eth-Trunk and is configured using the least active-linknumber
command.
● Upper threshold: When the number of active ports reaches this threshold, the
bandwidth of the Eth-Trunk will not increase even if more member links go
Up. The upper threshold ensures network availability and is configured using
the max active-linknumber command.
In LACP mode, when an active link fails, the system selects the backup link with
the highest priority to replace the faulty one. If the faulty link is recovered and has
a higher priority than the backup link, the recovered link can restore the active
status if preemption is enabled. The lacp preempt enable command enables
LACP preemption. By default, this function is disabled.
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/10 32768 4c1f-ccc1-4a02 32768 11 305 10110000
GigabitEthernet0/0/11 32768 4c1f-ccc1-4a02 32768 12 305 10111100
GigabitEthernet0/0/12 32768 4c1f-ccc1-4a02 32768 13 305 10111100
GigabitEthernet0/0/11 and GigabitEthernet0/0/12 are in active state.
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/10 32768 4c1f-ccc1-4a02 32768 11 305 10111100
GigabitEthernet0/0/11 32768 4c1f-ccc1-4a02 32768 12 305 10111100
GigabitEthernet0/0/12 0 0000-0000-0000 0 0 0 10100011
GigabitEthernet 0/0/10 has become active.
[S1]display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay Time: 30 Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 4c1f-cc33-7359
Least Active-linknumber: 2 Max Active-linknumber: 2
Operate status: down Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/10 Unselect 1GE 40000 11 305 10100000 1
GigabitEthernet0/0/11 Unselect 1GE 32768 12 305 10100010 1
GigabitEthernet0/0/12 Unselect 1GE 32768 13 305 10100010 1
Partner:
--------------------------------------------------------------------------------
The lower threshold for the number of active links is set to 2. Therefore, the Eth-
Trunk is shut down. Although GigabitEthernet0/0/10 is Up, it is still in Unselect
state.
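The election and selection rules described in this section, replayed on the values from this lab's display eth-trunk 1 output. This is an added example, not part of the original lab guide. The function names are hypothetical, breaking a tie on equal port priority by the smaller port number is an assumption, and the selection is recomputed from scratch on every call, which corresponds to preemption being enabled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    priority: int  # PortPri column; lower value = higher priority
    number: int    # PortNo column
    up: bool = True


def mac_to_int(system_id):
    """Convert a system ID such as 4c1f-cc33-7359 to an integer for comparison."""
    return int(system_id.replace("-", ""), 16)


def elect_actor(a, b):
    """Each argument is (name, system_priority, system_id); return the actor's name.

    Lower system priority wins; on a tie the smaller MAC address wins.
    """
    return min(a, b, key=lambda s: (s[1], mac_to_int(s[2])))[0]


def select_active(ports, least, max_active):
    """Return (trunk_state, active_names, unselected_names) for the actor's ports."""
    # Only links that are physically Up can be selected.
    candidates = sorted((p for p in ports if p.up),
                        key=lambda p: (p.priority, p.number))
    active, backup = candidates[:max_active], candidates[max_active:]
    if len(active) < least:
        # Below the lower threshold the whole Eth-Trunk goes Down.
        return "down", [], [p.name for p in candidates]
    return "up", [p.name for p in active], [p.name for p in backup]


# Values taken from the display eth-trunk 1 output in this lab.
S1 = ("S1", 100, "4c1f-cc33-7359")
S2 = ("S2", 32768, "4c1f-ccc1-4a02")


def s1_ports(down=()):
    """S1's member ports; names listed in `down` are treated as failed links."""
    table = [("GigabitEthernet0/0/10", 40000, 11),
             ("GigabitEthernet0/0/11", 32768, 12),
             ("GigabitEthernet0/0/12", 32768, 13)]
    return [Port(n, pri, no, up=(n not in down)) for n, pri, no in table]


if __name__ == "__main__":
    print("actor:", elect_actor(S1, S2))
    for failed in ((), ("GigabitEthernet0/0/12",),
                   ("GigabitEthernet0/0/11", "GigabitEthernet0/0/12")):
        print(failed, select_active(s1_ports(failed), least=2, max_active=2))
```

The three calls reproduce the three states shown in the lab: two active links with GigabitEthernet0/0/10 as backup, GigabitEthernet0/0/10 taking over when GigabitEthernet0/0/12 fails, and the Eth-Trunk going Down once only one link is left.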
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/10 32768 4c1f-ccc1-4a02 32768 11 305 10110000
GigabitEthernet0/0/11 0 0000-0000-0000 0 0 0 10100011
GigabitEthernet0/0/12 0 0000-0000-0000 0 0 0 10100011
To ensure proper load balancing between physical links of an Eth-Trunk and avoid
link congestion, use the load-balance command to set the load balancing mode
of the Eth-Trunk. Load balancing is valid only for outgoing traffic; therefore, the
load balancing modes for the ports at both ends can be different.
----End
3.3.3 Verification
The details are not provided here.
Configuration on S2
#
sysname S2
#
interface Eth-Trunk1
mode lacp
#
interface GigabitEthernet0/0/10
eth-trunk 1
#
interface GigabitEthernet0/0/11
eth-trunk 1
#
interface GigabitEthernet0/0/12
eth-trunk 1
#
return
3.3.5 Quiz
1. What are the requirements for the values of least active-linknumber and
max active-linknumber?
3.4.1.2 Objectives
Upon completion of this task, you will be able to:
[R2-GigabitEthernet0/0/1]quit
[R2]ip route-static 0.0.0.0 0 192.168.2.254
Configure a default route (equivalent to a gateway) for the device.
<R3>system-view
Enter system view, return user view with Ctrl+Z.
[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]ip address 192.168.3.1 24
[R3-GigabitEthernet0/0/1]quit
[R3]ip route-static 0.0.0.0 0 192.168.3.254
The dot1q termination vid vlan-id command configures the VLAN ID for Dot1q
termination on a subinterface.
Subinterfaces for VLAN tag termination cannot forward broadcast packets and
automatically discard them upon receiving. To allow such subinterfaces to forward
broadcast packets, the ARP broadcast function must be enabled using the arp
broadcast enable command. By default, this function is enabled on some devices.
[R1-GigabitEthernet0/0/1.2]ip address 192.168.2.254 24
[R1-GigabitEthernet0/0/1.2]quit
[R1]interface GigabitEthernet 0/0/1.3
[R1-GigabitEthernet0/0/1.3]dot1q termination vid 3
[R1-GigabitEthernet0/0/1.3]arp broadcast enable
[R1-GigabitEthernet0/0/1.3]ip address 192.168.3.254 24
[R1-GigabitEthernet0/0/1.3]quit
<R2>tracert 192.168.3.1
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.2.254 30 ms 50 ms 50 ms
2 192.168.3.1 70 ms 60 ms 60 ms
VLAN 2 and VLAN 3 can communicate with each other.
The interface vlanif vlan-id command creates a VLANIF interface and displays the
VLANIF interface view. You must create a VLAN before configuring a VLANIF
interface.
[S1-Vlanif2]ip address 192.168.2.254 24
[S1-Vlanif2]quit
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 192.168.3.254 24
[S1-Vlanif3]quit
<R2>tracert 192.168.3.1
1 192.168.2.254 40 ms 30 ms 20 ms
2 192.168.3.1 40 ms 30 ms 40 ms
VLAN 2 and VLAN 3 can communicate with each other.
----End
3.4.3 Verification
The details are not provided here.
return
Configuration on R2
#
sysname R2
#
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.254
#
return
Configuration on R3
#
sysname R3
#
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.254
#
return
3.4.5 Quiz
1. If R2 needs to access the network connected to R1, what configuration needs
to be performed on S1?
2. As a Layer 3 interface, when will a VLANIF interface go Up?
An ACL is a rule-based packet filter. Packets matching an ACL are processed based
on the policy defined in the ACL.
4.1.1.2 Objectives
Upon completion of this task, you will be able to:
One user (Loopback 1 of R1) needs to remotely manage R3. You can configure
Telnet on the server, configure password protection, and configure an ACL to
ensure that only the user that meets the security policy can log in to R3.
[R2-GigabitEthernet0/0/4]quit
[R3]interface GigabitEthernet0/0/3
[R3-GigabitEthernet0/0/3]ip address 10.1.3.1 24
[R3-GigabitEthernet0/0/3]quit
# Configure OSPF on R1, R2, and R3 and assign them to area 0 to enable
connectivity.
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.2.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.4.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]return
[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.1.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.3.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]return
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.1.3.1 0.0.0.0
[R3-ospf-1-area-0.0.0.0]return
<R3>ping 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 10.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/50 ms
<R3>ping 10.1.4.1
PING 10.1.4.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.4.1: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 10.1.4.1: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.1.4.1: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 10.1.4.1: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.1.4.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 10.1.4.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/50 ms
# Enable the Telnet function on R3, set the user level to 3, and set the login
password to Huawei@123.
[R3]telnet server enable
The Virtual Type Terminal (VTY) user interface manages and monitors users
logging in using Telnet or SSH.
[R3-ui-vty0-4]user privilege level 3
[R3-ui-vty0-4] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa"
authentication mode.
Enter Password(<8-128>):Huawei@123
Confirm password:Huawei@123
[R3-ui-vty0-4] quit
Rule 5 allows matched traffic to pass through. If no packet matches the rule, the
matches field is not displayed.
rule 10 deny tcp
Rule 5 allows matched traffic to pass through, and 21 packets have matched the
rule.
rule 10 deny tcp (1 matches)
----End
4.1.3 Verification
Test the Telnet access and verify the ACL configuration.
1. On R1, telnet to the server with the source IP address 10.1.1.1 specified.
<R1>telnet -a 10.1.1.1 10.1.3.1
The telnet command enables a user to use the Telnet protocol to log in to
another device.
2. On R1, telnet to the server with the source IP address 10.1.4.1 specified.
<R1>telnet -a 10.1.4.1 10.1.3.1
Press CTRL_] to quit telnet mode
Trying 10.1.3.1 ...
Connected to 10.1.3.1 ...
Login authentication
Password:
<R3>quit
Configuration on R2
#
sysname R2
#
interface GigabitEthernet0/0/3
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/4
ip address 10.1.3.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.2 0.0.0.0
network 10.1.3.2 0.0.0.0
#
return
Configuration on R3
#
sysname R3
#
acl number 3000
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet
rule 10 deny tcp
#
interface GigabitEthernet0/0/3
ip address 10.1.3.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.3.1 0.0.0.0
#
telnet server enable
#
user-interface vty 0 4
acl 3000 inbound
authentication-mode password
user privilege level 3
set authentication password cipher %^%#Z5)H#8cE(YJ6YZ:='}c-;trp&784i>HtKl~pLnn>2zL16cs<6E}xj.FmK5(8%^%#
#
return
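How the two rules of acl 3000 decide the two Telnet attempts from the verification step, as an added example that is not part of the original lab guide. The rule lines are copied from the R3 configuration above; the parser and function names are hypothetical, only the keywords used in this lab are supported, and rules are checked in ascending rule ID order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21}  # well-known port keywords used here


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: str                            # "tcp", "udp", "ip", ...
    src: Optional[Tuple[int, int]] = None    # (address, wildcard); None = any
    dst: Optional[Tuple[int, int]] = None
    dst_port: Optional[int] = None           # None = any port


def _addr(tokens, i):
    """Parse 'any' or 'ADDRESS WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    address = int(ipaddress.IPv4Address(tokens[i]))
    wc = tokens[i + 1]
    # A wildcard written as 0 is shorthand for 0.0.0.0 (exact host match).
    wildcard = 0 if wc == "0" else int(ipaddress.IPv4Address(wc))
    return (address, wildcard), i + 2


def parse_rule(line):
    """Parse one advanced-ACL rule line as it appears in the configuration."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an advanced ACL rule: {line!r}")
    rule = Rule(int(t[1]), t[2], t[3])
    i = 4
    while i < len(t):
        if t[i] == "source":
            rule.src, i = _addr(t, i + 1)
        elif t[i] == "destination":
            rule.dst, i = _addr(t, i + 1)
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            port = t[i + 2]
            rule.dst_port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            i += 3
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return rule


def _ip_match(spec, ip):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    if spec is None:
        return True
    address, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) ^ address) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(rules, proto, src, dst, dport):
    """Return (rule_id, action) of the first matching rule, or (None, None)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.protocol not in (proto, "ip"):
            continue
        if not _ip_match(r.src, src) or not _ip_match(r.dst, dst):
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.rule_id, r.action
    return None, None


ACL_3000 = [parse_rule(line) for line in (
    "rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet",
    "rule 10 deny tcp",
)]

if __name__ == "__main__":
    for source in ("10.1.1.1", "10.1.4.1"):
        print(source, evaluate(ACL_3000, "tcp", source, "10.1.3.1", 23))
```

A result of (None, None) means no rule matched; what the device does with such a packet depends on the feature the ACL is bound to.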
return
Configuration on R2
#
sysname R2
#
acl number 3001
rule 5 permit tcp source 10.1.4.1 0 destination 10.1.3.1 0 destination-port eq telnet
rule 10 deny tcp
#
interface GigabitEthernet0/0/3
ip address 10.1.2.2 255.255.255.0
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/4
ip address 10.1.3.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.2 0.0.0.0
network 10.1.3.2 0.0.0.0
#
return
Configuration on R3
#
sysname R3
#
interface GigabitEthernet0/0/3
ip address 10.1.3.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.3.1 0.0.0.0
#
telnet server enable
#
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %^%#Z5)H#8cE(YJ6YZ:='}c-;trp&784i>HtKl~pLnn>2zL16cs<6E}xj.FmK5(8%^%#
#
return
4.1.6 Quiz
R3 functions as both a Telnet server and an FTP server. The IP address of Loopback
0 on R1 must be used to access only the FTP service, and the IP address of
Loopback 1 on R1 must be used to remotely manage R3 using Telnet.
Users can use one or more security services provided by AAA. For example, if a
company wants to authenticate employees that access certain network resources,
the network administrator only needs to configure an authentication server. If the
company also wants to record operations performed by employees on the
network, an accounting server is needed.
In summary, AAA authorizes users to access specific resources and records user
operations. AAA is widely used because it features good scalability and facilitates
centralized user information management. AAA can be implemented using
multiple protocols. RADIUS is most frequently used in actual scenarios.
In this lab activity, you will configure local AAA to manage and control resources
for remote Telnet users.
4.2.1.2 Objectives
Upon completion of this task, you will be able to:
A device functioning as an AAA server is called a local AAA server, which can
perform authentication and authorization, but not accounting.
The local AAA server requires a local user database, containing the user name,
password, and authorization information of local users. A local AAA server is
faster and cheaper than a remote AAA server, but has a smaller storage capacity.
Step 3 Create a domain and apply the AAA scheme to the domain.
[R2]aaa
[R2-aaa]domain datacom
The devices manage users based on domains. A domain is a group of users and
each user belongs to a domain. The AAA configuration for a domain applies to the
users in the domain. Create a domain named datacom.
[R2-aaa-domain-datacom]authentication-scheme datacom
The authentication scheme named datacom is used for users in the domain.
[R2-aaa-domain-datacom]authorization-scheme datacom
The authorization scheme named datacom is used for users in the domain.
If the user name contains the at sign (@) delimiter, the character string before
the at sign is the user name and the character string following the at sign is the
domain name. If the user name does not contain the at sign, the entire character
string is the user name and the default domain is used.
# Configure the parameters for the local user, such as access type and privilege
level.
[R2-aaa]local-user hcia@datacom service-type telnet
The local-user service-type command configures the access type for a local user.
After you specify the access type of a user, the user can successfully log in only
when the configured access type is used. If the access type is set to telnet, the user
cannot access the device through a web page. Multiple access types can be
configured for a user.
[R2-aaa]local-user hcia@datacom privilege level 3
The privilege level of the local user is specified. Only commands within the
specified privilege level or a lower level are available for a user.
Login authentication
Username:hcia@datacom
Password:
<R2>
R1 has logged in to R2.
----End
4.2.3 Verification
The details are not provided here.
Configuration on R2
#
sysname R2
#
aaa
authentication-scheme datacom
authorization-scheme datacom
domain datacom
authentication-scheme datacom
authorization-scheme datacom
local-user hcia@datacom password irreversible-cipher %^%#.}hB'1"=&=:FWx!Ust(3s^_<.[Z}kEc/>==P56gUVU*cE^|]5@|8/O5FC$9A%^%#
local-user hcia@datacom privilege level 3
local-user hcia@datacom service-type telnet
#
interface GigabitEthernet0/0/3
ip address 10.0.12.2 255.255.255.0
#
telnet server enable
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
4.2.5 Quiz
The details are not provided here.
4.3.1.2 Objectives
Upon completion of this task, you will be able to:
network and provide services for external users. In this case, you need to configure
NAT to meet these requirements.
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode aaa
[R3-ui-vty0-4]quit
[R3]aaa
[R3-aaa]local-user test password irreversible-cipher Huawei@123
Info: Add a new user.
[R3-aaa]local-user test service-type telnet
[R3-aaa]local-user test privilege level 15
[R3-aaa]quit
# Test connectivity.
[R1]ping 1.2.3.254
PING 1.2.3.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
[R2]ping 1.2.3.254
PING 1.2.3.254: 56 data bytes, press CTRL_C to break
Reply from 1.2.3.254: bytes=56 Sequence=1 ttl=255 time=40 ms
Reply from 1.2.3.254: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 1.2.3.254: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 1.2.3.254: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 1.2.3.254: bytes=56 Sequence=5 ttl=255 time=20 ms
Step 2 The enterprise obtains the public IP addresses ranging from 1.2.3.10 to 1.2.3.20
and needs the dynamic NAT function.
The nat address-group command configures a NAT address pool. In this example,
1 indicates the number of the address pool. The address pool must be a set of
consecutive IP addresses. When internal data packets reach the edge of the
private network, the private source IP addresses will be translated into public IP
addresses.
# Configure an ACL.
[R2]acl 2000
[R2-acl-basic-2000]rule 5 permit source any
The nat outbound command associates an ACL with a NAT address pool. The IP
addresses of packets matching the ACL will be translated into an address in the
address pool. If the address pool has sufficient addresses, you can add the no-pat
argument to enable one-to-one address translation. In this case, only the IP
addresses of data packets are translated, and the ports are not translated.
# Test connectivity.
[R1]ping 1.2.3.254
PING 1.2.3.254: 56 data bytes, press CTRL_C to break
Reply from 1.2.3.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 1.2.3.254: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 1.2.3.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=5 ttl=254 time=20 ms
Login authentication
Username:test
Password:
<R3>
Total : 1
Although R3 does not have a route to R1, R3 sends the data to the translated
source address 1.2.3.11. After receiving the data, R2 translates that address
back to the address of R1 based on the data in the NAT session table and forwards
the data. Therefore, R1 can initiate access to R3.
# Test connectivity.
[R1]ping 1.2.3.254
PING 1.2.3.254: 56 data bytes, press CTRL_C to break
Reply from 1.2.3.254: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 1.2.3.254: bytes=56 Sequence=5 ttl=254 time=30 ms
Total : 1
Step 4 R3 needs to provide network services (telnet in this example) for users on the
public network. Because R3 does not have a public IP address, you need to
configure NAT server on the outbound interface of R2.
The nat server command defines a mapping table of internal servers so that
external users can access internal servers through address and port translation.
You can configure an internal server so that users on an external network can
initiate access to the internal server. When a host on an external network sends a
connection request to the public address (global-address) of the internal NAT
server, the NAT server translates the destination address of the request into a
private address (inside-address) and forwards the request to the server on the
private network.
Login authentication
Username:test
Password:
<R1>
Total : 1
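The translations described in steps 2 to 4, modelled as a session table plus one static nat server entry. This is an added example, not part of the original lab guide. The class and method names are hypothetical, the order in which pool addresses and ports are handed out is constructed (a real device chooses its own), and ACL 2000 is not modelled because its only rule permits any source.

```python
import ipaddress


class NatGateway:
    """Simplified model of outbound address/port translation and nat server."""

    def __init__(self, pool_first, pool_last, first_port=10240):
        lo = int(ipaddress.IPv4Address(pool_first))
        hi = int(ipaddress.IPv4Address(pool_last))
        # The pool is a run of consecutive addresses, as nat address-group requires.
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.host_addr = {}  # inside IP -> pool address chosen for that host
        self.out = {}        # (proto, inside_ip, inside_port) -> (pub_ip, pub_port)
        self.back = {}       # (proto, pub_ip, pub_port) -> (inside_ip, inside_port)
        self.servers = {}    # static entries, same shape as self.back
        self._next_port = first_port  # constructed starting port

    def add_server(self, proto, global_ip, global_port, inside_ip, inside_port):
        """Static mapping: always present, no outbound packet needed first."""
        self.servers[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        """Translate the source of a packet leaving the private network."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if src_ip not in self.host_addr:
                index = len(self.host_addr) % len(self.pool)
                self.host_addr[src_ip] = self.pool[index]
            public = (self.host_addr[src_ip], self._next_port)
            self._next_port += 1
            self.out[key] = public
            # The reverse entry is what lets the reply find its way back.
            self.back[(proto,) + public] = (src_ip, src_port)
        return self.out[key]

    def inbound(self, proto, dst_ip, dst_port):
        """Translate the destination of a packet arriving from outside.

        Returns the inside (ip, port), or None when neither a static server
        entry nor a session exists, in which case nothing is forwarded inside.
        """
        key = (proto, dst_ip, dst_port)
        if key in self.servers:
            return self.servers[key]
        return self.back.get(key)


def build_lab_gateway():
    """Pool and nat server values taken from the R2 configuration in this lab."""
    gw = NatGateway("1.2.3.10", "1.2.3.20")
    gw.add_server("tcp", "1.2.3.4", 2323, "192.168.1.1", 23)
    return gw


if __name__ == "__main__":
    gw = build_lab_gateway()
    public = gw.outbound("tcp", "192.168.1.1", 50000)
    print("outbound 192.168.1.1:50000 ->", public)
    print("reply to", public, "->", gw.inbound("tcp", *public))
    print("unsolicited 1.2.3.10:23 ->", gw.inbound("tcp", "1.2.3.10", 23))
    print("nat server 1.2.3.4:2323 ->", gw.inbound("tcp", "1.2.3.4", 2323))
```

Dynamic entries exist only after an inside host has sent traffic, while the nat server entry accepts connections from outside at any time, so it is the mapping to review when auditing what the private network exposes.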
----End
4.3.3 Verification
The details are not provided here.
Configuration on R2
#
sysname R2
#
acl number 2000
rule 5 permit
#
nat address-group 1 1.2.3.10 1.2.3.20
#
interface GigabitEthernet0/0/3
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/4
ip address 1.2.3.4 255.255.255.0
nat server protocol tcp global current-interface 2323 inside 192.168.1.1 telnet
nat outbound 2000
#
return
Configuration on R3
#
sysname R3
#
aaa
local-user test password irreversible-cipher %^%#s<LQ(8-ZC6FNGG1#)n=.GgU|@)n`Z'n%$43+2>7,I>#XBkfcu(}-3y+o:`UD%^%#
local-user test privilege level 15
local-user test service-type telnet
#
interface GigabitEthernet0/0/3
ip address 1.2.3.254 255.255.255.0
#
telnet server enable
#
user-interface vty 0 4
authentication-mode aaa
#
return
4.3.5 Quiz
1. When configuring NAT Server, should the destination ports before translation
be the same as those after translation?
such as File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and
Secure File Transfer Protocol (SFTP). You can select one based on service and
security requirements.
● If the device works as a server, you can access the device from a client to
manage files on the device and transfer files between the client and device.
● If the device works as a client, you can access another device (the server)
from the device to manage and transfer files.
5.1.1.2 Objectives
Upon completion of this task, you will be able to:
<R2>save test2.cfg
Are you sure to save the configuration to test2.cfg? (y/n)[n]:y
It will take several minutes to save configuration file, please wait.......
<R2>dir
Directory of flash:/
The ftp server enable command enables the FTP server function. By default, the
FTP function is disabled.
Other optional configuration parameters include the port number of the FTP
server, source IP address of the FTP server, and maximum idle time of FTP
connections.
The user level is specified. The user level must be set to 3 or higher to ensure
successful connection establishment.
[R2-aaa]local-user ftp-client ftp-directory flash:/
The authorized directory of the FTP user is specified. This directory must be
specified. Otherwise, the FTP user cannot log in to the system.
[R1-ftp]
You have logged in to the file system of R2.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer
application files, such as system software, images, video files, compressed files,
and database files. The configuration file to be downloaded is a text file.
Therefore, you need to set the mode to ASCII. The default file transfer mode is
ASCII. This operation is for demonstration purposes only.
<R1>
----End
5.1.3 Verification
Display the file directories of R1 and R2.
<R1>dir
Directory of flash:/
<R2>dir
Directory of flash:/
Configuration on R2
#
sysname R2
#
aaa
local-user ftp-client password irreversible-cipher %^%#'XqV;f=C;/1!\sQ6LA+Ow8GBO;W%0HBf0`>p(`[SpV]J%Amom!na3:4RvFv@%^%#
local-user ftp-client privilege level 15
local-user ftp-client ftp-directory flash:/
local-user ftp-client service-type ftp
#
interface GigabitEthernet0/0/3
ip address 10.0.12.2 255.255.255.0
#
ftp server enable
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
5.1.5 Quiz
1. Does FTP work in active or passive mode by default?
DHCP is defined in RFC 2131 and uses the client/server communication mode. A
client (DHCP client) requests configuration information from a server (DHCP
server), and the server returns the configuration information allocated to the
client.
5.2.1.2 Objectives
Upon completion of this task, you will be able to:
The dhcp enable command must be executed before any other DHCP-related
command, on both DHCP servers and clients.
[R2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[R3]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
The dhcp select interface command enables an interface to use the interface
address pool. If you do not run this command, parameters related to the interface
address pool cannot be configured.
[R2-GigabitEthernet0/0/3]dhcp server dns-list 10.0.12.2
The dhcp server dns-list command configures DNS server addresses for an
interface address pool. A maximum of eight DNS server addresses can be
configured. These IP addresses are separated by spaces.
The network command specifies a network address for a global address pool.
[R2-ip-pool-GlobalPool]dns-list 10.0.23.2
[R2-ip-pool-GlobalPool]gateway-list 10.0.23.2
The gateway-list command configures a gateway address for a DHCP client. After
R3 obtains an IP address, it generates a default route with the next-hop address
being 10.0.23.2.
[R2-ip-pool-GlobalPool]lease day 2 hour 2
The lease command specifies the lease for IP addresses in a global IP address
pool. If unlimited is specified, the lease has no time limit. By default, the lease of
IP addresses is one day.
[R2-ip-pool-GlobalPool]static-bind ip-address 10.0.23.3 mac-address 00e0-fc6f-6d1f
The dhcp select global command enables an interface to use the global address
pool. After receiving a request from a DHCP client, the interface searches the
global address pool for an available IP address and assigns the IP address to the
DHCP client.
----End
5.2.3 Verification
5.2.3.1 Display the IP addresses and routes of R1 and R3.
[R1]display ip interface brief
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/3 10.0.12.254/24 up up
Only key information is provided here. The command output shows that R1 has obtained an IP address.
[R1]display dns server
Type:
D:Dynamic S:Static
When an interface address pool is configured, the name of the address pool is the
interface name. The allocated gateway address is the IP address of the interface
and cannot be changed.
#
dhcp enable
#
interface GigabitEthernet0/0/3
ip address dhcp-alloc
#
return
Configuration on R2
#
sysname R2
#
dhcp enable
#
ip pool GlobalPool
gateway-list 10.0.23.2
network 10.0.23.0 mask 255.255.255.0
static-bind ip-address 10.0.23.3 mac-address a008-6fe1-0c47
lease day 2 hour 2 minute 0
dns-list 10.0.23.2
#
interface GigabitEthernet0/0/3
ip address 10.0.12.2 255.255.255.0
dhcp select interface
dhcp server dns-list 10.0.12.2
#
interface GigabitEthernet0/0/4
ip address 10.0.23.2 255.255.255.0
dhcp select global
#
return
Configuration on R3
#
sysname R3
#
dhcp enable
#
interface GigabitEthernet0/0/3
ip address dhcp-alloc
#
return
5.2.5 Quiz
1. What are the differences between the application scenarios of a global
address pool and those of an interface address pool?
2. If there are multiple global address pools, how do you determine the global
address pool for a DHCP client?
6 Creating a WLAN
6.1 Introduction
6.1.1 About This Lab
Wired LANs are expensive and lack mobility. The increasing demand for portability
and mobility requires WLAN technologies. WLAN is now the most cost-efficient
and convenient network access mode. WLAN allows users to move within the
covered area.
In this lab activity, you will configure a WLAN using an AC and fit APs.
6.1.2 Objectives
Upon completion of this task, you will be able to:
Item Configuration
Password: HCIA-Datacom
# Shut down unnecessary ports between S1 and the AC. This step applies only to
the environment described in HCIA-Datacom Lab Construction Guide V1.0.
[S1] interface GigabitEthernet 0/0/11
[S1-GigabitEthernet0/0/11]shutdown
[S1-GigabitEthernet0/0/11]quit
[S1] interface GigabitEthernet 0/0/12
[S1-GigabitEthernet0/0/12]shutdown
[S1-GigabitEthernet0/0/12]quit
The poe enable command enables the PoE function on a port. When a port
detects a powered device (PD) connected to it, the port supplies power to the PD.
By default, the PoE function is enabled. Therefore, this command is unnecessary
and is provided for demonstration purposes only.
[S4]interface GigabitEthernet 0/0/4
[S4-GigabitEthernet0/0/4]poe enable
# Configure VLANs.
[S1]vlan batch 100 101
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]port link-type trunk
[S1-GigabitEthernet0/0/13]port trunk allow-pass vlan 100 101
[S1-GigabitEthernet0/0/13]quit
[S1]interface GigabitEthernet 0/0/14
[S1-GigabitEthernet0/0/14]port link-type trunk
[S1-GigabitEthernet0/0/14]port trunk allow-pass vlan 100 101
[S1-GigabitEthernet0/0/14]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]port link-type trunk
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan 100 101
[S1-GigabitEthernet0/0/10]quit
# Configure DHCP.
[S1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[S1]ip pool sta
Info:It's successful to create an IP address pool.
IP address pool for STAs
[S1-ip-pool-sta]network 192.168.101.0 mask 24
[S1-ip-pool-sta]gateway-list 192.168.101.254
[S1-ip-pool-sta]quit
[S1]interface Vlanif 101
[S1-Vlanif101]dhcp select global
[S1-Vlanif101]quit
[AC]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC]ip pool ap
Info: It is successful to create an IP address pool.
S1 is the DHCP server for STAs and the AC is the DHCP server for APs.
# Create a regulatory domain profile, and set the AC country code in the profile.
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name default
The default regulatory domain profile is named default. Therefore, the default
profile is displayed.
[AC-wlan-regulate-domain-default]country-code cn
Info: The current country code is same with the input country code.
A country code identifies the country in which the APs are deployed. Different
countries require different AP radio attributes, including the transmit power and
supported channels. Correct country code configuration ensures that radio
attributes of APs comply with local laws and regulations. By default, the country
code CN is configured.
[AC-wlan-regulate-domain-default]quit
[AC-wlan-ap-group-ap-group1]quit
The capwap source interface command configures the interface used by the AC
to set up CAPWAP tunnels with APs.
● Manual configuration: Specify the MAC addresses and serial numbers (SNs) of
APs on the AC in advance. When APs are connected to the AC, the AC finds that
their MAC addresses and SNs match the preconfigured ones and establishes
connections with them.
● Automatic discovery: When the AP authentication mode is set to no
authentication, or the AP authentication mode is set to MAC or SN
authentication and the MAC addresses or SNs are whitelisted, the AC
automatically discovers connected APs and establishes connections with them.
● Manual confirmation: If the AP authentication mode is set to MAC or SN
authentication and the MAC address or SN of a connected AP is not included in
the whitelist on the AC, the AC adds the AP to the list of unauthorized APs.
You can manually confirm the identity of such an AP to bring it online.
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
Note: For MAC address and SN information of an AP, check the MAC address label
and SN label in the package.
[AC-wlan-view]ap-id 0 ap-mac 60F1-8A9C-2B40
The ap-mac argument specifies MAC address authentication, and the ap-sn
argument specifies SN authentication.
In the AP view, you can enter ap-id to enter the corresponding AP view.
[AC-wlan-ap-0]ap-name ap1
The ap-name command configures the name of an AP. AP names must be unique.
If the AP name is not configured, the default name is the MAC address of the AP.
[AC-wlan-ap-0]ap-group ap-group1
The ap-group command configures the group for an AP. The AC delivers the
configuration to the APs. For example, if AP1 is added to ap-group1, the
regulatory domain profile, radio profile, and VAP profile associated with ap-
group1 are delivered to AP1. By default, an AP is not added to any group. When
an AP is added to a group or the group of an AP changes, the group configuration
will be delivered automatically by the AC, and the AP will automatically restart to
join the group.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y //Enter y to confirm.
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0]quit
[AC-wlan-view]ap-id 1 ap-mac B4FB-F9B7-DE40
[AC-wlan-ap-1]ap-name ap2
[AC-wlan-ap-1]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y //Enter y to confirm.
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-1]quit
In addition, you can add by-state state or by-ssid ssid to filter APs in a specified
state or using a specified SSID.
The command output shows that the two APs are working properly. (For more
status description, see the appendix of this lab.)
Currently, both WPA and WPA2 are used. User terminals can be authenticated
using either WPA or WPA2. The PSK is set to HCIA-Datacom. User data is
encrypted using the AES encryption algorithm.
[AC-wlan-sec-prof-HCIA-WLAN]quit
# Create SSID profile HCIA-WLAN and set the SSID name to HCIA-WLAN.
[AC]wlan
[AC-wlan-view]ssid-profile name HCIA-WLAN
SSID profile HCIA-WLAN is created.
[AC-wlan-ssid-prof-HCIA-WLAN]ssid HCIA-WLAN
The SSID name is set to HCIA-WLAN.
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-HCIA-WLAN]quit
# Create VAP profile HCIA-WLAN, configure the data forwarding mode and
service VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC]wlan
[AC-wlan-view]vap-profile name HCIA-WLAN
You can configure the data forwarding mode in a VAP profile and bind the SSID
profile, security profile, and traffic profile to the VAP profile.
[AC-wlan-vap-prof-HCIA-WLAN]forward-mode direct-forward
The service-vlan command configures the service VLAN of a VAP. After a STA
accesses a WLAN, the user data forwarded by the AP carries the service-VLAN
tag.
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-HCIA-WLAN]security-profile HCIA-WLAN
Security profile HCIA-WLAN is bound.
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-HCIA-WLAN]ssid-profile HCIA-WLAN
SSID profile HCIA-WLAN is bound.
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-HCIA-WLAN]quit
# Bind the VAP profile to the AP group and apply configurations in VAP profile
HCIA-WLAN to radio 0 and radio 1 of the APs in the AP group.
[AC]wlan
[AC-wlan-view]ap-group name ap-group1
[AC-wlan-ap-group-ap-group1]vap-profile HCIA-WLAN wlan 1 radio all
The vap-profile command binds a VAP profile to a radio. After this command is
executed, all configurations in the VAP, including the configurations in the profiles
bound to the VAP, are delivered to the radios of APs.
----End
6.3 Verification
1. Use an STA to access the WLAN with the SSID of HCIA-WLAN. Check the IP
address obtained by the STA and ping the IP address (10.0.1.1) of LoopBack0
on S1.
2. When the STA is connected to the AC, run the display station all command
on the AC to check the STA information.
Configuration on the AC
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool ap
gateway-list 192.168.100.254
network 192.168.100.0 mask 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.254 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
wlan
security-profile name HCIA-WLAN
security wpa-wpa2 psk pass-phrase %^%#V-rr;CTW$X%,nJ/0jcmO!tRQ(pt;^8IN,z1||UU)%^%# aes
ssid-profile name HCIA-WLAN
ssid HCIA-WLAN
vap-profile name HCIA-WLAN
service-vlan vlan-id 101
ssid-profile HCIA-WLAN
security-profile HCIA-WLAN
ap-group name ap-group1
radio 0
vap-profile HCIA-WLAN wlan 1
radio 1
vap-profile HCIA-WLAN wlan 1
radio 2
vap-profile HCIA-WLAN wlan 1
ap-id 0 type-id 75 ap-mac 60f1-8a9c-2b40 ap-sn 21500831023GJ9022622
ap-name ap1
ap-group ap-group1
ap-id 1 type-id 75 ap-mac b4fb-f9b7-de40 ap-sn 21500831023GJ2001889
ap-name ap2
ap-group ap-group1
provision-ap
#
return
Configuration on S3
#
sysname S3
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
Configuration on S4
#
sysname S4
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
6.5 Quiz
1. In the current networking, if GigabitEthernet0/0/10 of the AC does not allow
packets from VLAN 101 to pass through, what is the impact on the access of
STAs to S1? Why? What if tunnel forwarding is used?
2. If STAs connected to AP1 and AP2 need to be assigned to different VLANs,
what operations need to be performed on the AC?
6.6 Appendix
AP State Description
7.1 Introduction
7.1.1 About This Lab
Internet Protocol Version 6 (IPv6) is also called IP Next Generation (IPng).
Designed by the Internet Engineering Task Force (IETF), IPv6 is an upgraded
version of IPv4.
This chapter describes how to set up an IPv6 network to help you understand the
basic principles and address configuration of IPv6.
7.1.2 Objectives
Upon completion of this task, you will be able to:
The ipv6 command enables the device to forward IPv6 unicast packets, including
sending and receiving local IPv6 packets.
[R2]ipv6
[R3]ipv6
Step 3 Configure a link-local address for the interface and test the configuration.
The ipv6 address auto link-local command enables the generation of a link-local
address for an interface.
Only one link-local address can be configured for each interface. To prevent link-
local address conflict, automatically generated link-local addresses are
recommended. After an IPv6 global unicast address is configured for an interface,
a link-local address will be automatically generated.
[R1-GigabitEthernet0/0/3]ipv6 address auto link-local
[R1-GigabitEthernet0/0/3]quit
# Display the IPv6 status of the interface and test the connectivity.
<R1>display ipv6 interface GigabitEthernet 0/0/3
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
When you ping a link-local address, you must specify the source interface or
source IPv6 address.
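The link-local next hop FE80::A2F4:79FF:FE5A:CDAE that appears later in this lab has the EUI-64 form mentioned in the reference answers: the interface MAC address with FF:FE inserted in the middle and the universal/local bit inverted. The following Python functions are an added example, not part of the lab guide. Their names are made up here, and they convert in both directions, so the hardware address behind such an interface ID can be read back and an interface ID that is not EUI-64 is reported as such.

```python
import ipaddress


def _mac_bytes(mac):
    """Parse a MAC such as 'a0f4-795a-cdae' or 'A0:F4:79:5A:CD:AE' into 6 bytes."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)          # raises ValueError on non-hex input


def mac_to_link_local(mac):
    """Build the EUI-64 link-local address (FE80::/64) for a MAC address."""
    m = bytearray(_mac_bytes(mac))
    m[0] ^= 0x02                          # invert the universal/local bit
    iid = bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def embedded_mac(address):
    """Return the MAC embedded in an EUI-64 interface ID, or None when the
    interface ID lacks the FF:FE marker (manually assigned or random IDs)."""
    iid = bytearray(ipaddress.IPv6Address(str(address)).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                        # undo the universal/local inversion
    mac = bytes(iid[:3] + iid[5:]).hex()
    return "-".join(mac[i:i + 4] for i in (0, 4, 8))   # xxxx-xxxx-xxxx notation


if __name__ == "__main__":
    # Both addresses are taken from the outputs in this lab.
    for addr in ("FE80::A2F4:79FF:FE5A:CDAE", "2000:23::1"):
        print(addr, "->", embedded_mac(addr))
```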
Step 5 Configure the DHCPv6 server function on R2 and configure R3 to obtain IPv6
addresses through DHCPv6.
The DHCPv6 server does not allocate an IPv6 gateway address to a client.
When the DHCPv6 stateful mode is configured, DHCPv6 clients learn the default
route of the IPv6 gateway using the ipv6 address auto global default command.
When the DHCPv6 stateless mode is configured, DHCPv6 clients learn the global
unicast IPv6 address and the default route to the IPv6 gateway through this
command. Ensure that the interface of the peer device connected to the local
device has been enabled to send RA packets using the undo ipv6 nd ra halt
command.
The ipv6 nd autoconfig other-flag command sets the "Other Configuration" flag
(O flag) in RA messages. By default, the flag is not set.
Destination : :: PrefixLength :0
NextHop : FE80::A2F4:79FF:FE5A:CDAE Preference : 64
Cost :0 Protocol : Unr
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet0/0/3 Flags :D
# Test connectivity.
[R1]ping ipv6 2000:23::1
PING 2000:23::1 : 56 data bytes, press CTRL_C to break
Reply from 2000:23::1
bytes=56 Sequence=1 hop limit=63 time = 20 ms
Reply from 2000:23::1
bytes=56 Sequence=2 hop limit=63 time = 20 ms
Reply from 2000:23::1
bytes=56 Sequence=3 hop limit=63 time = 30 ms
Reply from 2000:23::1
bytes=56 Sequence=4 hop limit=63 time = 20 ms
Reply from 2000:23::1
bytes=56 Sequence=5 hop limit=63 time = 30 ms
R1 has a static route to the network 2000:23::/64. R3 obtains the default route
through DHCPv6. Therefore, GigabitEthernet0/0/3 on R1 and GigabitEthernet0/0/3
on R3 can communicate with each other.
----End
7.3 Verification
The details are not provided here.
Configuration on R2
#
sysname R2
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
address prefix 2000:23::/64
dns-server 2000:23::2
#
interface GigabitEthernet0/0/3
ipv6 enable
ipv6 address 2000:12::2/64
ipv6 address auto link-local
undo ipv6 nd ra halt
#
interface GigabitEthernet0/0/4
ipv6 enable
ipv6 address 2000:23::2/64
ipv6 address auto link-local
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
dhcpv6 server pool1
#
return
Configuration on R3
#
sysname R3
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/3
ipv6 enable
ipv6 address auto link-local
ipv6 address auto global default
ipv6 address auto dhcp
#
return
7.5 Quiz
1. Why must the source interface be specified in Step 3 (testing the connectivity
between link-local addresses) but not in Step 7 (testing the connectivity
between GUA addresses)?
2. Describe the difference between stateful address configuration and stateless
address configuration and explain why.
8.1 Introduction
8.1.1 About This Lab
After completing this lab activity, you will know how to use the Python
telnetlib module.
8.1.2 Objectives
● Learn the basic Python syntax
● Learn how to use telnetlib
Before using a Python script to log in to a device through Telnet, you need to
create a Telnet password and enable the Telnet function on the device. Set the
Telnet login password to Huawei@123.
Password:
Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
The current login time is 2020-01-15 21:12:57.
<Huawei>
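import telnetlib  # standard library through Python 3.12 (removed in 3.13)
import time

# Login address and Telnet password configured on the device
host = '192.168.56.101'
password = 'Huawei@123'

tn = telnetlib.Telnet(host)
tn.read_until(b"Password:")                  # wait for the password prompt
tn.write(password.encode('ascii') + b"\n")   # send the password
tn.write(b'display cu \n')                   # display current-configuration
time.sleep(1)                                # give the switch time to respond
print(tn.read_very_eager().decode('ascii'))  # print what has arrived so far
tn.close()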
The Python script invokes the telnetlib module to log in to S1, runs the display
current-configuration command, and displays the command output.
The code editor used in this lab environment is Jupyter Notebook. You can also use
other code editors.
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
ip address 192.168.56.101 255.255.255.0
---- More ----
----End
Import the telnetlib and time modules. The two modules are provided by Python
and do not need to be installed.
This section describes the common classes and methods that telnetlib provides as a
Telnet client, for example, the read_until(), read_very_eager(), and write()
methods of the Telnet class. For more Telnet methods, see the official telnetlib
document at https://docs.python.org/3/library/telnetlib.html#telnet-example.
By default, Python executes all code in sequence without intervals. When you use
Telnet to send configuration commands to a switch, the switch may not respond
in time or the command output may be incomplete. In this case, you can use the
sleep method in the time module to manually pause the program.
Create two variables. host and password are the login address and password of
the device respectively, which are the same as those configured on the device. In
this example, only the Telnet password is configured for login. Therefore, no user
name is required.
When you log in to the device at 192.168.56.101 through Telnet, the following
information is displayed:
Note that the program does not know in advance how much output needs to be read.
Therefore, read_until() is used to keep reading until the byte string given in the
brackets, here Password:, has been received.
After Password: has been received, the program enters the password. The password
variable has already been defined and holds the Telnet login password. Use write()
to send the password.
After logging in to the device through Telnet, use the Python script to issue
commands on the device.
tn.write(b'display cu \n')
write() is used to enter commands to the device. The display cu command is the
abbreviated form of the display current-configuration command, which displays
the current configuration of the device.
time.sleep(1)
time.sleep(1) is used to pause the program for one second to wait for the output
of the switch before executing subsequent code. If the waiting time is not
specified, the program directly executes the next line of code. As a result, no data
can be read.
print(tn.read_very_eager().decode('ascii'))
print() displays the contents in the brackets on the console.
In this example, the code displays on the console the output that S1 returns
within one second after the display cu command is executed.
The session is closed by invoking close(). The number of VTY connections on the
device is limited. Therefore, you need to close the Telnet session after running the
script.
----End
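The script above pauses for a fixed second and prints whatever has arrived, so longer output stops at the ---- More ---- marker. The following added example, which is not part of the lab guide, waits for the device prompt instead and pages through the marker; it works with any object that offers the write() and expect() methods of telnetlib.Telnet. FakeSwitch, the sample pages and the erase sequence are constructed stand-ins so that the code runs without a device, and telnetlib itself is not imported because it was removed from the standard library in Python 3.13.

```python
import re

PROMPT = re.compile(rb"(?m)^<[\w.-]+>")       # user-view prompt, e.g. <Huawei>
MORE = re.compile(rb"[ \t]*---- More ----")    # pager marker from the lab output
PASSWORD = re.compile(rb"Password:")
# Assumption: the pager wipes its marker with cursor-left escapes and spaces.
ERASE = re.compile(r"\x1b\[\d+D *\x1b\[\d+D")


def login(conn, password, timeout=5):
    """Answer the Password: prompt and wait for the device prompt."""
    if conn.expect([PASSWORD], timeout)[1] is None:
        raise TimeoutError("no password prompt received")
    conn.write(password.encode("ascii") + b"\n")
    index, _, _ = conn.expect([PROMPT, PASSWORD], timeout)
    if index != 0:
        raise PermissionError("login rejected or timed out")


def run_command(conn, command, timeout=5):
    """Send one command and return its complete output as text."""
    conn.write(command.encode("ascii") + b"\n")
    chunks = []
    while True:
        index, match, data = conn.expect([PROMPT, MORE], timeout)
        if match is None:
            raise TimeoutError("no prompt after %r" % command)
        chunks.append(data[:match.start()])
        if index == 0:       # prompt is back: the output is complete
            break
        conn.write(b" ")     # pager is waiting: ask for the next page
    text = ERASE.sub("", b"".join(chunks).decode("ascii", "replace"))
    lines = text.replace("\r\n", "\n").strip("\n").split("\n")
    if lines and lines[0].strip() == command.strip():
        lines = lines[1:]    # drop the echoed command
    return "\n".join(lines)


class FakeSwitch:
    """Constructed in-memory stand-in for telnetlib.Telnet's write() and
    expect(); it is not a real device and opens no connection."""

    def __init__(self, password, pages):
        self._password = password.encode("ascii")
        self._pages = pages
        self._pending = []   # pages of the current command not yet sent
        self._authed = False
        self._out = b"Password:"

    def _send_page(self):
        self._out += self._pending.pop(0)
        self._out += b"  ---- More ----" if self._pending else b"\r\n<Huawei>"

    def write(self, data):
        if not self._authed:
            self._authed = data.rstrip(b"\n") == self._password
            self._out += b"\r\n<Huawei>" if self._authed else b"\r\nPassword:"
        elif data == b" " and self._pending:
            self._out += b"\x1b[16D" + b" " * 16 + b"\x1b[16D"
            self._send_page()
        elif data.strip() == b"display cu":
            self._out += data.rstrip(b"\n") + b"\r\n"   # echo the command
            self._pending = list(self._pages)
            self._send_page()

    def expect(self, patterns, timeout=None):
        for index, pattern in enumerate(patterns):
            match = pattern.search(self._out)
            if match:
                end = match.end()
                data, self._out = self._out[:end], self._out[end:]
                return index, match, data
        return -1, None, b""


# Constructed sample output, split into two pager pages.
PAGES = [
    b"#\r\nsysname Huawei\r\n#\r\ninterface Vlanif1\r\n"
    b" ip address 192.168.56.101 255.255.255.0\r\n",
    b"#\r\nreturn",
]


def demo():
    switch = FakeSwitch("Huawei@123", PAGES)
    login(switch, "Huawei@123")
    return run_command(switch, "display cu")


if __name__ == "__main__":
    print(demo())
```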
8.3 Verification
The details are not provided here.
8.5 Quiz
1. How do you use telnetlib to configure a device, for example, configuring the
IP address of the device management interface?
2. How do you save the configuration file to a local directory?
9.2 Introduction
9.2.1 About This Lab
Communication networks are ubiquitous in the information society, and campus
networks are always a core part. Campuses are everywhere, including factories,
government buildings and facilities, shopping malls, office buildings, school
campuses, and parks. According to statistics, 90% of urban residents work and live
in campuses, 80% of gross domestic product (GDP) is created in campuses, and
each person stays in campuses for 18 hours every day. Campus networks, as the
infrastructure for campuses to connect to the digital world, are an indispensable
part of campus construction and play an increasingly important role in daily
working, R&D, production, and operation management.
In this lab activity, you will create a campus network to understand common
technologies and their applications on campus networks.
9.2.2 Objectives
Upon completion of this task, you will be able to:
1.
2.
3.
4.
5.
1. Project Budget
The budget is tight. The requirements need to be implemented at minimum
costs.
3. Number of Terminals
First floor: 10 wired terminals and 100 wireless terminals
Second and third floors: 200 wired terminals and 50 wireless terminals
6. Availability Requirements
The Layer 3 network needs some redundancy and failover capabilities.
7. Security Requirements
Network traffic needs to be controlled.
The following table lists the total number of terminals on the network.
The traffic from wireless terminals is the Internet access traffic. Each client has a
rate of 2 Mbit/s.
Ensure that computers have a rate of 100 Mbit/s and servers have a rate of 1000
Mbit/s.
To improve wireless access quality, at least three dual-band APs are required on
each floor.
Task:
Design the physical topology of the network in the sequence of access layer,
aggregation layer, core layer, and egress area and select devices accordingly.
Reference answer:
Device Interfaces
AC GE0/0/1~GE0/0/8
Router GE0/0/0~GE0/0/2
Task:
Fill in the Layer 2 network planning table based on the existing information and
requirements.
VLAN ID Description
VLAN ID Description
Reference answer:
VLAN ID Description
VLAN ID Description
204 VLAN for the interconnection between CORE1 and the router
Task:
Fill in the Layer 3 network planning table based on the existing information and
requirements.
Reference answer:
● All APs are managed by the AC in a unified manner, and the AC has limited
forwarding performance.
− APs on the first floor are registered at Layer 2.
− All APs on the second and third floors register with the AC at Layer 3. The
AC's gateway is CORE1.
● Create an SSID for each floor.
− The WPA-WPA2+PSK+AES security policy is used.
− Each floor has a different SSID and password.
Task:
Fill in the WLAN network planning table based on the existing information and
requirements.
AP management VLAN
Service VLAN
DHCP server
AP group
SSID profile
Security profile
VAP profile
Other configurations
Reference answer:
● The guest SSID is not allowed to access the intranet of the company.
● Only wireless terminals can access the Internet.
● The router uses a static IP address to access the Internet. The carrier assigns
IP addresses 1.1.1.1 to 1.1.1.10 (with a 24-bit mask) to the router. The next-
hop IP address for the router to access the Internet is 1.1.1.254.
● A web server in the enterprise needs to provide services for external users.
The private IP address of the web server is 192.168.100.1 and the port number
is 80. To ensure server security, NAT mapping is provided only for web
services.
Task:
Fill in the security and egress planning table based on the existing information
and requirements.
Requirement Implementation
Reference answer:
Requirement Implementation
Task:
9.3.3 Implementation
Router:
Item Configuration
Basic configuration
IP address configuration
OSPF
Egress configuration
SNMP configuration
Other configurations
CORE1:
Item Configuration
Basic configuration
VLAN configuration
OSPF configuration
DHCP configuration
Access control
SNMP configuration
Other configurations
F2-AGG1:
Item Configuration
Basic configuration
VLAN configuration
OSPF configuration
DHCP configuration
SNMP configuration
Other configurations
F3-AGG1:
Item Configuration
Basic configuration
VLAN configuration
OSPF configuration
DHCP configuration
SNMP configuration
Other configurations
AC:
Item Configuration
Basic configuration
SNMP configuration
Other configurations
F1-ACC1:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F2-ACC1:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F2-ACC2:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F2-ACC3:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F3-ACC1:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F3-ACC2:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
F3-ACC3:
Item Configuration
Basic configuration
VLAN configuration
Routing configuration
SNMP configuration
Other configurations
Configuration
Set up the lab environment and complete related configurations according to the
preceding configuration schemes within 40 minutes.
1.
2.
3.
4.
5.
Reference answer:
1. Verify whether the wireless clients can detect wireless signals and access the
network successfully.
2. Verify whether the OSPF neighbor relationship is normal.
3. Verify the connectivity within networks.
4. Verify the connectivity between networks.
5. Verify the access control for wireless guests.
6. Verify the Internet access control.
7. Verify whether the NMS can manage network devices.
1.
2.
3.
4.
5.
Reference answer:
1. You can add physical links between F2-AGG1 and F3-AGG1 and configure
Ethernet link aggregation.
2. Change the OSPF costs to implement load balancing so that some traffic can
be forwarded through CORE1.
9.4 Verification
The details are not provided here.
Configuration on CORE1
#
sysname CORE1
#
vlan batch 100 105 201 to 202 204 to 205
#
dhcp enable
#
acl number 3000
rule 5 deny ip source 192.168.105.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 10 permit ip
#
ip pool ap-f1
gateway-list 192.168.205.254
network 192.168.205.0 mask 255.255.255.0
excluded-ip-address 192.168.205.253
#
ip pool sta-f1
gateway-list 192.168.105.254
network 192.168.105.0 mask 255.255.255.0
#
interface Vlanif1
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.254 255.255.255.0
#
interface Vlanif105
ip address 192.168.105.254 255.255.255.0
dhcp select global
#
interface Vlanif201
ip address 192.168.201.1 255.255.255.252
#
interface Vlanif202
ip address 192.168.202.1 255.255.255.252
#
interface Vlanif204
ip address 192.168.204.2 255.255.255.252
#
interface Vlanif205
ip address 192.168.205.254 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 105 205
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 201
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 202
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 205
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 204
#
ospf 1
area 0.0.0.0
Configuration on F2-AGG1
#
sysname F2-AGG1
#
vlan batch 2 101 to 102 106 201 203 206
#
dhcp enable
#
ip pool admin
gateway-list 192.168.102.254
network 192.168.102.0 mask 255.255.255.0
#
ip pool ap-f2
gateway-list 192.168.206.254
network 192.168.206.0 mask 255.255.255.0
option 43 sub-option 3 ascii 192.168.205.253
#
ip pool manager
gateway-list 192.168.101.254
network 192.168.101.0 mask 255.255.255.0
#
ip pool sta-f2
gateway-list 192.168.106.254
network 192.168.106.0 mask 255.255.255.0
#
interface Vlanif2
ip address 192.168.2.254 255.255.255.0
#
interface Vlanif101
ip address 192.168.101.254 255.255.255.0
dhcp select global
#
interface Vlanif102
ip address 192.168.102.254 255.255.255.0
Configuration on F3-AGG1
#
sysname F3-AGG1
#
vlan batch 3 103 to 104 107 202 to 203 207
#
ip pool ap-f3
gateway-list 192.168.207.254
network 192.168.207.0 mask 255.255.255.0
option 43 sub-option 3 ascii 192.168.205.253
#
ip pool marketing
gateway-list 192.168.103.254
network 192.168.103.0 mask 255.255.255.0
#
ip pool rd
gateway-list 192.168.104.254
network 192.168.104.0 mask 255.255.255.0
#
ip pool sta-f3
gateway-list 192.168.107.254
network 192.168.107.0 mask 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.254 255.255.255.0
#
interface Vlanif103
ip address 192.168.103.254 255.255.255.0
dhcp select global
#
interface Vlanif104
ip address 192.168.104.254 255.255.255.0
dhcp select global
#
interface Vlanif107
ip address 192.168.107.254 255.255.255.0
dhcp select global
#
interface Vlanif202
ip address 192.168.202.2 255.255.255.252
#
interface Vlanif203
ip address 192.168.203.2 255.255.255.252
#
interface Vlanif207
ip address 192.168.207.254 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 202
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 203
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 3
port trunk allow-pass vlan 3 103 to 104
#
interface GigabitEthernet0/0/12
port link-type trunk
port trunk pvid vlan 3
port trunk allow-pass vlan 3 103 107 207
#
interface GigabitEthernet0/0/13
port link-type trunk
port trunk pvid vlan 3
port trunk allow-pass vlan 3 103 to 104
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.103.0 0.0.0.255
network 192.168.104.0 0.0.0.255
network 192.168.107.0 0.0.0.255
network 192.168.202.0 0.0.0.3
network 192.168.203.0 0.0.0.3
network 192.168.207.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB034C1FCCFB0564
snmp-agent sys-info version v3
snmp-agent group v3 datacom privacy
snmp-agent target-host trap address udp-domain 192.168.100.2 params securityname datacom v3
snmp-agent usm-user v3 test datacom authentication-mode md5 5>5W!8N^H,L8E-@(C*:@AQ!! privacy-mode des56 5>5W!8N^H,L8E-@(C*:@AQ!!
snmp-agent trap source Vlanif3
snmp-agent trap enable
#
return
Configuration on the AC
#
sysname AC
#
vlan batch 205
#
interface Vlanif205
ip address 192.168.205.253 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 205
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent group v3 datacom privacy
snmp-agent target-host trap-hostname nms address 192.168.100.2 udp-port 162 trap-paramsname datacom
snmp-agent target-host trap-paramsname datacom v3 securityname %^%#TvvWF~zi>SgpXL=P81^I^*^,(P&`UR97&h,l`eK8%^%# privacy
snmp-agent trap source Vlanif205
snmp-agent trap enable
snmp-agent
#
ip route-static 0.0.0.0 0.0.0.0 192.168.205.254
#
capwap source interface vlanif205
#
wlan
security-profile name WLAN-F1
security wpa-wpa2 psk pass-phrase %^%#53mQ@x*]z+u72&YdCR7A=11u&USV+9^Qw"'O43X>%^%# aes
security-profile name WLAN-F2
security wpa-wpa2 psk pass-phrase %^%#YKB4ZI%zFQxmOS76yL08],Z41lhJV"S[db(kar0X%^%# aes
security-profile name WLAN-F3
security wpa-wpa2 psk pass-phrase %^%#|8)z/PyjU1ssX8Cr(3M=%x\{CP*t,BCahW84sqvK%^%# aes
ssid-profile name WLAN-F1
ssid WLAN-F1
ssid-profile name WLAN-F2
ssid WLAN-F2
ssid-profile name WLAN-F3
ssid WLAN-F3
vap-profile name WLAN-F1
service-vlan vlan-id 105
ssid-profile WLAN-F1
security-profile WLAN-F1
vap-profile name WLAN-F2
service-vlan vlan-id 106
ssid-profile WLAN-F2
security-profile WLAN-F2
vap-profile name WLAN-F3
service-vlan vlan-id 107
ssid-profile WLAN-F3
security-profile WLAN-F3
ap-group name WLAN-F1
radio 0
vap-profile WLAN-F1 wlan 1
radio 1
vap-profile WLAN-F1 wlan 1
radio 2
vap-profile WLAN-F1 wlan 1
ap-group name WLAN-F2
radio 0
vap-profile WLAN-F2 wlan 2
radio 1
vap-profile WLAN-F2 wlan 2
radio 2
Configuration on F1-ACC1
#
sysname F1-ACC1
#
vlan batch 100 105 205
#
interface Vlanif1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 105 205
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/7
port link-type access
Configuration on F2-ACC1
#
sysname F2-ACC1
#
vlan batch 2 102
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 102
#
interface Ethernet0/0/2
port link-type access
port default vlan 102
#
interface Ethernet0/0/3
port link-type access
port default vlan 102
#
interface Ethernet0/0/4
interface Ethernet0/0/18
port link-type access
port default vlan 102
#
interface Ethernet0/0/19
port link-type access
port default vlan 102
#
interface Ethernet0/0/20
port link-type access
port default vlan 102
#
interface Ethernet0/0/21
port link-type access
port default vlan 102
#
interface Ethernet0/0/22
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 2
port trunk allow-pass vlan 2 102
#
snmp-agent
snmp-agent local-engineid 800007DB034C1FCC456509
snmp-agent sys-info version v3
snmp-agent group v3 datacom privacy
snmp-agent target-host trap address udp-domain 192.168.100.2 params securityname datacom v3
snmp-agent usm-user v3 test datacom authentication-mode md5 (H\O$K,P78:9;\H&H"Ma+A!! privacy-mode des56 (H\O$K,P78:9;\H&H"Ma+A!!
snmp-agent trap source Vlanif2
snmp-agent trap enable
#
return
Configuration on F2-ACC2
#
sysname F2-ACC2
#
vlan batch 2 101 106 206
#
interface Vlanif1
#
interface Vlanif2
ip address 192.168.2.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 101
#
interface Ethernet0/0/2
port link-type access
Configuration on F2-ACC3
#
sysname F2-ACC3
#
vlan batch 2 102
#
interface Vlanif2
ip address 192.168.2.3 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 102
#
interface Ethernet0/0/2
port link-type access
Configuration on F3-ACC1
#
sysname F3-ACC1
#
vlan batch 3 103 to 104
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 103
#
interface Ethernet0/0/2
port link-type access
port default vlan 103
#
interface Ethernet0/0/3
port link-type access
port default vlan 103
#
interface Ethernet0/0/4
port link-type access
port default vlan 103
#
interface Ethernet0/0/5
port link-type access
port default vlan 103
#
interface Ethernet0/0/6
port link-type access
port default vlan 103
#
interface Ethernet0/0/7
port link-type access
port default vlan 103
#
interface Ethernet0/0/8
port link-type access
port default vlan 103
#
interface Ethernet0/0/9
port link-type access
port default vlan 103
#
interface Ethernet0/0/10
port link-type access
port default vlan 103
#
interface Ethernet0/0/11
port link-type access
port default vlan 104
#
interface Ethernet0/0/12
port link-type access
port default vlan 104
#
interface Ethernet0/0/13
port link-type access
port default vlan 104
#
interface Ethernet0/0/14
port link-type access
Configuration on F3-ACC2
#
sysname F3-ACC2
#
vlan batch 3 103 107 207
#
interface Vlanif3
ip address 192.168.3.2 255.255.255.0
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 103
#
interface Ethernet0/0/2
port link-type access
port default vlan 103
#
interface Ethernet0/0/3
port link-type access
port default vlan 103
#
interface Ethernet0/0/4
port link-type access
port default vlan 103
#
interface Ethernet0/0/5
port link-type access
port default vlan 103
#
interface Ethernet0/0/6
port link-type access
port default vlan 103
#
interface Ethernet0/0/7
port link-type access
port default vlan 103
#
interface Ethernet0/0/8
port link-type access
port default vlan 103
#
interface Ethernet0/0/9
port link-type access
port default vlan 103
#
interface Ethernet0/0/10
port link-type access
port default vlan 103
#
interface Ethernet0/0/11
port link-type access
port default vlan 103
#
interface Ethernet0/0/12
port link-type access
port default vlan 103
#
interface Ethernet0/0/13
port link-type access
port default vlan 103
#
interface Ethernet0/0/14
Configuration on F3-ACC3
#
sysname F3-ACC3
#
vlan batch 3 103 to 104
#
interface Vlanif3
9.6 Quiz
1. In this project, CORE1, F2-AGG1, and F3-AGG1 form a physical ring. However,
in the network planning and design phase, the interconnection links between
the three devices are assigned to different VLANs. Therefore, there is no loop.
However, during the lab, you may find that the neighbor relationship between
two devices cannot be correctly established. Please find out the root cause
and solution.
2. What have you learned in this lab? How can the knowledge help you in your
future study or work?
Reference Answers
1. Omitted.
2. The reset saved-configuration command clears the startup configuration file
and cancels the previous startup configuration file configuration. The current
startup configuration file is test.cfg. Therefore, after this command is
executed, the content in test.cfg is cleared and the default configuration file
vrpcfg.zip is used as the startup configuration file. In step 4, the running
configuration is saved. Therefore, the configuration remains unchanged after
the device is restarted.
1. A static route is added to the routing table when the following conditions are
met:
a The next hop of the route is reachable.
b This route is the optimal route to the destination network or host.
Therefore, when the next hop is unreachable, the route is not added to the IP
routing table.
2. When a ping operation is performed on a Huawei device, the device searches
the routing table to determine the outgoing interface. The IP address of the
outgoing interface is used as the source IP address of ICMP packets.
OSPF Routing
Configuration Roadmap:
Configuration Procedure:
# Create VLANs.
[S1]vlan 10
Spanning Tree
1. No. After receiving STP BPDUs, all bridges add the local port cost to the RPC
in the BPDUs to calculate the root path cost of the port. Therefore, when the
cost of GigabitEthernet 0/0/14 on S1 changes, the root path cost of S4 is not
affected.
2. Change the priority of GigabitEthernet0/0/11 on S1.
3. No. The link between S1 and S2 will form a loop. Therefore, one link must be
blocked.
Inter-VLAN Communication
ACL Configuration
Configuration Roadmap:
Configuration Procedure:
NAT Configuration
1. Not required.
FTP Configuration
1. Active mode
DHCP Configuration
Creating a WLAN
1. There is no impact. Direct forwarding is performed, and the data does not
pass through GigabitEthernet0/0/10 of the AC. If tunnel forwarding is used,
1. The router has multiple interfaces on the FE80::/10 network. When the
destination IPv6 address is a link-local address, the outgoing interface cannot
be determined by querying the routing table. Therefore, the source interface
must be specified.
2. In stateful mode, all the 128 bits in an IPv6 interface address are specified by
the DHCPv6 server. In stateless mode, a 64-bit interface ID is generated based
on the EUI-64 specification.
1. Although loop prevention has been implemented at the VLAN layer, physical
loops still exist. STP BPDUs do not carry VLAN tags. Therefore, one of the
links between the three switches must be blocked. As a result, the neighbor
relationship cannot be established between two of the switches. In actual
deployment, loop prevention has been implemented at VLAN level. Therefore,
you can disable STP on interfaces between the devices.
2. Omitted.
1. Use the write() function of telnetlib to write the script for configuring device
interfaces line by line.
2. For details, see the Python I/O standard library.