HCDA EN LAB-content PDF

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

Huawei Certification

HCDA-HNTD

Huawei Networking Technology and Device
Lab Guide

Huawei Technologies Co.,Ltd

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
Copyrght Huawe TechnoIoges Co., Ltd. 2I2. AII rghts reserved.
No part of this document may be reproduced or transmitted in any form or
by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permssons
and other Huawei trademarks are trademarks of Huawei Technologies
Co., Ltd. All other trademarks and trade names mentioned in this document
the property of their respective holders.
Notce
The information in this document is subject to change without notice. Every
effort has been made in the preparation of this document to ensure accuracy of
the contents, but all statements, information, and recommendations in this
document do not constitute the warranty of any kind, express or implied.

Huawe Certfcaton
HCDA-HNTD Huawe Networkng TechnoIogy and Devce
Lab Gude

Edton vI.6

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

Huawei Certification System
Relaying on its strong technical and professional training system, according to
different customers at different levels of ICT technology, Huawei certification is
committed to provide customs with authentic, professional certification.
Based on characteristics of ICT technologies and customersneeds at different
levels, Huawei certification provides customers with certification system of four
levels.
HCDA (Huawei Certification Datacom Associate) is primary for IP network
maintenance engineers, and any others who want to learn the IP network
knowledge. HCDA certification covers the TCP/IP basics, routing, switching
and other common foundational knowledge of IP networks, together with
Huawei communications products, versatile routing platform VRP
characteristics and basic maintenance.
HCDP (Huawei Certification Datacom Professional-Enterprise) is aimed at
enterprise-class network maintenance engineers, network design engineers,
and any others who want to in depth grasp routing, switching, network
adjustment and optimization technologies. HCDP-Enterprise is consist of IESN
(Implementing Enterprise Switch Networks), IERN (Implementing Enterprise
Routing Networks), and IENP (Improving Enterprise Network performance),
which includes advanced IPv4 routing and switching technology principle, IP
technology of network security, high availability and Qos, as well as the
implementation in Huawei products.
HCIE (Huawei Certified Internetwork Expert) is designed to endue engineers
with a variety of IP network technology and proficiency in maintenance,
diagnostics and troubleshooting of Huawei products, which equips the
engineers with competence in planning, design and optimization of large-scale
IP network.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

Referenced icon

RouIer L3 SwiIch L2 SwiIch Firewall NeI cloud
EIherneI line
Serial line
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

Lab environment specification
The Lab environmenI is suggesIed below:

IdenIiIier Device OS version
Rl AR 2220 Version 5.90 ( V200R00lC0lSPC300)
R2 AR 2220 Version 5.90 ( V200R00lC0lSPC300)
R3 AR 2220 Version 5.90 ( V200R00lC0lSPC300)
Sl S5700-28C-EI-24S Version 5.70 (Vl00R006C00SPC800)
S2 S5700-28C-EI-24S Version 5.70 (Vl00R006C00SPC800)
S3 S3700-28TP-EI-AC Version 5.70 (Vl00R006C00SPC800)
S4 S3700-28TP-EI-AC Version 5.70 (Vl00R006C00SPC800)
FW USG2l60 Version 5.30 (V300R00lC00SPC700)

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Content

HC Series HUAWEI TECHNOLOGIES Page1

CONTENTS
Chapter 1 Basic Operations on the VRP Platform ............................................................................................... 1
Lab 1-1 Basic Operations on the VRP Platform ............................................................................................... 1
Chapter 2 Configuring Static Routes and Default Routes .................................................................................. 23
Lab 2-1 Configuring Static Routes and Default Routes .................................................................................. 23
Chapter 3 RIP Configuration ............................................................................................................................. 41
Lab 3-1 Configuring RIPv1 and RIPv2 ............................................................................................................ 41
Lab 3-2 RIPv2 Route Aggregation and Authentication .................................................................................. 58
Chapter 4 OSPF Configuration .......................................................................................................................... 74
Lab 4-1 OSPF Single-area Configuration ....................................................................................................... 74
Lab 4-2 OSPF Multi-area and Authentication Configuration ......................................................................... 89
Chapter 5 RIP and OSPF Route Import ............................................................................................................ 103
Lab 5-1 RIP and OSPF Route Import ........................................................................................................... 103
Chapter 6 Ethernet and STP ........................................................................................................................... 114
Lab 6-1 Ethernet Interface and Link Configuration ..................................................................................... 114
Lab 6-2 STP Configuration .......................................................................................................................... 121
Lab 6-3 VLAN Configuration ....................................................................................................................... 134
Chapter 7 Layer3 Configuration and VRRP ...................................................................................................... 145
Lab 7-1 Configuring Layer 3 Switching ........................................................................................................ 145
Lab 7-2 Configuring the VRRP .................................................................................................................... 159
Chapter 8 WAN Configuration ........................................................................................................................ 174
Lab 8-1 HDLC and PPP Configuration .......................................................................................................... 174
Lab 8-2 FR Configuration (Back to Back) ..................................................................................................... 190
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD CONTENTS

Page2 HUAWEI TECHNOLOGIES HC Series

Lab 8-3 FR Configuration (Using FR Switch) ................................................................................................ 211
Chapter 9 Firewall Configuration .................................................................................................................... 228
Lab 9-1 USG Firewall Configuration ............................................................................................................ 228
Lab 9-2 USG Firewall Zone Configuration ................................................................................................... 241
Lab 9-3 NAT Configuration on the USG Firewall ......................................................................................... 257
Chapter 10 Comprehensive Exercise............................................................................................................... 270
Lab 10-1 Comprehensive Exercise .............................................................................................................. 270

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 1 Basic Operations on the VRP Platform


Chapter 1 Basic Operations on the VRP Platform
Lab 1-1 Basic Operations on the VRP Platform
Learning Objectives
The objectives of this lab are to learn and understand how to perform the
following operations:
x Configure the connection from a personal computer (PC) to a
router using the Windows built-in terminal software.
x Configure a device name, time, and time zone.
x Configure the value for Console port idle timeout.
x Configure the login information.
x Configure the login password and super password.
x Save and delete a configuration file.
x Configure IP addresses for router interfaces.
x Test the connectivity between two routers that are connected directly.
x Control a router after using Telnet to another router.
x Copy configuration files from one router to another using File Transfer
Protocol (FTP).
x Restart a router.
Topology

Figure 1.1 Lab topology of the basic operations on the VRP platform
Scenario
A company purchases two AR G3 routers. You need to commission the two
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


AR G3 routers before using them. Items to be commissioned include
configuration modes, device names, time, passwords, file management, and
restart operations.
Tasks
Step 1 Connect devices.
This step describes how to connect to a router using the Windows XP
built-in HyperTerminal.
Connect a PC to a router using a console cable. Run a terminal emulation
program such as Windows XP HyperTerminal on the PC to create a
as shown in Figure 3.1. The name and icon provided in the figure are only
examples.Creating a connection.

Select a COM port.Selecting a COM port.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


If the PC has multiple COM ports, select a proper one. The serial port of a
PC is usually COM1.Setting port communication parameters.

In the COM1 Properties dialog box, click Restore Defaults to retain the
default settings. Click OK.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Turn on the power switch to start the router. If the preceding parameters
are set properly, the terminal window displays the startup information until the
startup process is complete, and the system asks you to press Enter. If the
command prompt, such as <Huawei>, is displayed on the user interface, you
have successfully entered the user view configuration environment.
Step 2 View the system information.
Run the display version command to view the software version and
hardware information for the system.
<Huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.90 (AR2200 V200R001C01SPC300)
Copyright (C) 2011 HUAWEI TECH CO., LTD
Huawei AR2220 Router uptime is 0 week, 0 day, 0 hour, 2 minutes
BKP 0 version information:
......output omit......

The command output includes the VRP operating system version, device
model, and startup time.
Step 3 Change the system time parameter.
The system automatically saves the time. If the time is incorrect, run the
clock datetime command in the user view to change the system time.
<Huawei>clock datetime 12:00:00 2011-09-15

Run the display clock command to check that the new system time has
taken effect.
<Huawei>display clock
2011-09-15 12:00:21
Thursday
Time Zone(Default Zone Name) : UTC+00:00

Step 4 Use the question mark (?) or press Tab to enter
commands.
The question mark (?) is a wildcard, and the Tab is used as a shortcut to
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


enter commands.
<Huawei>display ?
aaa AAA
access-user User access
accounting-scheme Accounting scheme
acl <Group> acl command group
adp-ipv4 Ipv4 information
adp-mpls Adp-mpls module
anti-attack Specify anti-attack configurations
arp <Group> arp command group
arp-limit Display the number of limitation
atm ATM status and configuration information
authentication-scheme Authentication scheme
authorization-scheme Display AAA authorization scheme

If you want to display all the commands that start with a specific letter or
string of letters, enter the desired letters and the question mark (?). The
system displays all the commands that start with the letters you enter. For
example, if you enter dis?, the system displays all the commands that start
with dis.
Make sure that there is a space between the string and the question mark
(?). The system identifies the command corresponding to the string and
displays the parameters of the command. For example, if you enter dis ? and
only the display command starts with dis, the system displays the parameters
of the display command. If multiple commands start with dis, the system
displays an error.
You can also press Tab to complete a command. For example, if you enter
dis and press Tab, the system completes the display command. If multiple
commands start with dis, you can select the appropriate one.
If there are no other commands start with the same letters, you can type
dis or disp to indicate display, and int or inter to indicate interface.
Step 5 Access the system view.
Run the system-view command to access the system view where you
configure interfaces and protocols.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 6 Change device names.
To more easily identify devices, set device names during the device
configuration. Change device names based on the lab topology, as shown
below:
Change the name of the R1 router to R1.
[Huawei]sysname R1
[R1]

Change the name of the R2 router to R2.
[Huawei]sysname R2
[R2]

Step 7 Configure the login information.
Configure the login information to indicate the login result.
[R1]header shell information "Welcome to Huawei certification lab"

Run the preceding command to configure the login information. To check
whether the login information has been changed, quit out of the router
command line interface, and log back in to view the login information.
[R1]quit
<R1>quit

Configuration console exit, please press any key to log on
Welcome to Huawei certification lab
<R1>

Note: Login information usually provides warnings of illegal logins. Do not
use words that are welcoming.
Step 8 Configure the login authentication mode and timeout
interval of the console port.
The console port by default does not have a login password. Therefore,
users can log in to the device without passwords.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


This presents a serious risk to the device. You need to change the login
mode of the console port to the password authentication mode. The password
in the password authentication mode is huawei in plain text.
If there is no activity on the console port for the period of time specified by
the timeout interval, the system automatically exits. When this occurs, you
need to log in to the system again using the password.
The default timeout interval is 10 minutes. If 10 minutes are not a
reasonable amount of time for the timeout interval, change the timeout interval
to 20 minutes.
[R1]user-interface console 0
[R1-ui-console0]authentication-mode password
[R1-ui-console0]set authentication password simple huawei
[R1-ui-console0]idle-timeout 20 0

Run the display this command to check the configuration results.
[R1-ui-console0]display this
[V200R001C01SPC300]
#
user-interface con 0
authentication-mode password
set authentication password simple huawei
idle-timeout 20 0

Log out of the system and log back in to verify that you need to enter the
password.
[R1-ui-console0]return
<R1>quit

Configuration console exit, please press any key to log on
<R1>

Step 9 Configure IP addresses and descriptions for the
interfaces.
Configure an IP address for the S1/0/0 interface of R1. The IP address can
use the subnet mask length or use a complete subnet mask, such as 24 or
255.255.255.0.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]description This interface connects to R2-S1/0/0

[R1-Serial1/0/0]display this
[V200R001C01SPC300]
#
interface Serial1/0/0
link-protocol ppp
description This interface connect to R2-S1/0/0
ip address 10.0.12.1 255.255.255.0
#
Return

Run the display interface command to view the interface description.
[R1-Serial1/0/0]display interface Serial2/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-09-15 17:38:48
Description:This interface connect to R2-S1/0/0
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP stopped
Last physical up time : 2011-09-16 17:38:45
Last physical down time : 2011-09-16 17:38:34
Current system time: 2011-09-16 17:42:58
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 2 bytes/sec 16 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Input: 212 packets, 2944 bytes
broadcasts: 0, multicasts: 0
errors: 0, runts: 0, giants: 0
CRC: 0, align errors: 0, overruns: 0
dribbles: 0, aborts: 0, no buffers: 0
frame errors: 0
Output: 216 packets, 2700 bytes
errors: 0, underruns: 0, collisions: 0
deferred: 0
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Input bandwidth utilization : 0.13%
Output bandwidth utilization : 0.13%
[R1-Serial1/0/0]

The command output shows that the physical status and protocol status of
the interface are UP, and the corresponding physical layer and data link layer
are functional.
The interface link cables are V.35 DCE.
Once you have verified the status, configure the IP address and description
for the interface of R2.
[R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0
[R2-Serial1/0/0]description This interface connect to R1-S1/0/0
[R2-Serial1/0/0]

After completing the configuration, run the ping command to test the
connection between R1 and R2.
[R1]ping 10.0.12.2
PING 10.0.12.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=35 ms
--- 10.0.12.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/32/35 ms

Step 10 Configure the telnet login mode.
Set the telnet login mode of R1 to password authentication mode,
password to huawei, and user privilege level to 3.
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password
[R1-ui-vty0-4]set authentication password simple huawei
[R1-ui-vty0-4]user privilege level 3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1-ui-vty0-4]display this
[V200R001C01SPC300]
#
idle-timeout 20 0
user-interface vty 0 4
user privilege level 3
#
Return

Set the telnet login mode of R2 to user name and password authentication
mode.
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]quit

Note: You can run the quit command to return to the previous view or the
return command to return to the user view.
[R2]aaa
[R2-aaa]local-user huawei password simple huawei
[R2-aaa]local-user huawei privilege level 15
[R2-aaa]local-user huawei service-type telnet

[R2-aaa]display this
[V200R001C01SPC300]
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


local-user admin service-type http
local-user huawei password simple huawei
local-user huawei privilege level 15
local-user huawei service-type telnet
#
Return

Telnet to R2 from R1.
<R1>telnet 10.0.12.2
Press CTRL_] to quit telnet mode
Trying 10.0.12.2 ...
Connected to 10.0.12.2 ...

Login authentication

Username:huawei
Password:

----------------------------------------------------------------------------
User last login information:

----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 10.0.12.1
Time : 2011-09-14 13:19:59+00:00

----------------------------------------------------------------------------
<R2>

Based on the output above, the login is successful.
Telnet to R1 from R2.
<R2>telnet 10.0.12.1
Trying 10.0.12.1 ...


Password:
<R1>
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Based on the output above, the login is successful.

Step 11 Configure a super password for the device.
When there are low user rights, for example, the value of user privilege
level is 0 or 1 for the telnet login, you can use the super command to increase
the user rights. To minimize risks caused by illegal right elevations, set super
passwords.
Set a super password for R1. The super password is stored in simple (plain
text) mode.
[R1]super password simple Huawei

Run the display current-configuration command to check the
configuration results.
[R1]display current-configuration
#
super password level 3 simple huawei

As shown in the command output, the super password is stored in plain text,
which is relatively unsecure and unsafe.
Set a super password for R2. The super password is stored in cipher
(cipher text) mode.
[R2]super password cipher huawei
#
super password level 3 cipher Q;L]@C0S3[%;LEEP8+INFQ!!

As shown in the command output, the super password is stored in cipher
text, which is more secure and safe.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 12 View the file list stored on the current device.
Run the dir command in the user view to display the list of files in the
current directory.
<R1>dir
Directory of sd1:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 1,738,816 Sep 14 2011 11:50:24 web.zip
1 -rw- 68,288,896 Jul 12 2011 14:17:58 ar2220_V200R001C01SPC300.cc

1,927,476 KB total (1,856,548 KB free)

<R2>dir
Directory of sd1:/

0 -rw- 1,738,816 Sep 14 2011 11:50:58 web.zip

1,927,476 KB total (1,855,076 KB free)

Step 13 Upload and download files between R1 and R2 using
FTP.
Routers are considered as FTP clients by default. In this lab, R1 is
considered as an FTP client, and R2 is considered as an FTP server.
Enable the FTP server function on R2.
[R2]ftp server enable
Info: Succeeded in starting the FTP server
[R2]set default ftp-directory sd1:/

Create a local account ftpuser as the FTP login account on R2.
[R2]aaa
[R2-aaa]local-user ftpuser password cipher huawei
[R2-aaa]local-user ftpuser service-type ftp
[R2-aaa]local-user ftpuser privilege level 15
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Log in to R2 from R1 using FTP.
<R1>ftp 10.0.12.2
Trying 10.0.12.2 ...
Press CTRL+K to abort
Connected to 10.0.12.2.
220 FTP service ready.
User(10.0.12.2:(none)):ftpuser
331 Password required for ftpuser.
Enter password:
230 User logged in.

[R1-ftp]

If the [R1-ftp] prompt is displayed, you have successfully logged in to the
R2 FTP server.
Transfer a file from R1 to the R2 FTP server using FTP.
[R1-ftp]put hq-r.cfg file-from-R1.bak
200 Port command okay.
150 Opening ASCII mode data connection for file-from-R1.bak.
226 Transfer complete.
FTP: 0 byte(s) sent in 0.627 second(s) 0.00byte(s)/sec.
[R1-ftp]

Note: The source file names on the lab device may be different. You need
to use the actual file name. Run the dir command in the R1 user view to check
the file names in the file list.
Run the dir command to view the result of the transfer.
[R1-ftp]dir
150 Opening ASCII mode data connection for *.
-rwxrwxrwx 1 noone nogroup 1738816 Sep 14 11:50 web.zip
-rwxrwxrwx 1 noone nogroup 68288896 Jul 12 14:19
ar2220_V200R001C01SPC300.cc
-rwxrwxrwx 1 noone nogroup 0 Sep 14 14:10 file-from-r1.bak
FTP: 551 byte(s) received in 0.619 second(s) 890.14byte(s)/sec.

The command output lists files on the R2 FTP server.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Download the file-from-r1.bak file from the R2 FTP server to R1 and
change the file name to file-from-r2.bak.
[R1-ftp]get file-from-r1.bak file-from-r2.bak
150 Opening ASCII mode data connection for file-from-r1.bak.

FTP: 0 byte(s) received in 0.591 second(s) 0.00byte(s)/sec.

Exit from the R2 FTP server and check the file list on R1. Make sure that
the file-from-r2.bak file has been downloaded successfully.
[R1-ftp]quit
221 Server closing.
<R1>dir
Directory of sd1:/

0 -rw- 1,738,816 Sep 16 2011 18:44:54 web.zip
2 -rw- 0 Sep 16 2011 19:13:00 file-from-r2.bak

1,927,476 KB total (1,856,548 KB free)
<R1>

Delete the files on the devices.
x Warning: Delete only the two lab files file-from-r1.bak and
file-from-r2.bak. Do not delete other files; otherwise, the devices may fail
to boot.
Delete the file-from-r1.bak file from R2.
<R2>dir
Directory of sd1:/

0 -rw- 1,738,816 Sep 14 2011 11:50:58 web.zip
2 -rw- 0 Sep 14 2011 14:10:08 file-from-r1.bak

1,927,476 KB total (1,855,076 KB free)
<R2>delete /unreserved file-from-r1.bak
Warning: The contents of file sd1:/file-from-r1.bak cannot be recycled. Continue?
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


(y/n)[n]:y
Info: Deleting file sd1:/file-from-r1.bak...succeed.

The /unreserved parameter indicates that the file is to be deleted
permanently and cannot be restored. Use this parameter with caution.
<R2>dir
Directory of sd1:/

0 -rw- 1,738,816 Sep 14 2011 11:50:58 web.zip

1,927,476 KB total (1,855,076 KB free)

Compare the file list with the preceding file list and make sure that the
file-from-r1.bak file has been deleted.
Delete the file-from-r2.bak file from R1.
<R1>delete /unreserved file-from-r2.bak
Warning: The contents of file sd1:/file-from-r2.bak cannot be recycled. Continue?
(y/n)[n]:y
Info: Deleting file sd1:/file-from-r2.bak...succeed.
<R1>dir
Directory of sd1:/

0 -rw- 1,738,816 Sep 16 2011 18:44:54 web.zip

1,927,476 KB total (1,856,548 KB free)
<R1>

Step 14 Manage configuration files of a device.
Save the current configuration file.
<R1>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait............
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Run the following command to view the saved configuration information:
<R1>display saved-configuration
[V200R001C01SPC300]
#
sysname R1
header shell information "Welcome to Huawei certification lab"
#
board add 0/1 1SA
board add 0/2 1SA
output omit

Run the following command to view the current configuration information:
<R1>display current-configuration
[V200R001C01SPC300]
#
sysname R1
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
output omit

A router can store multiple configuration files. You can select the
configuration file to be used after the next startup of the router as required.
<R1>startup saved-configuration iascfg.zip
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system
<R1>

Run the following command to select the configuration file to be used after
the next startup:
<R1>display startup
MainBoard:
Startup system software: sd1:/ar2220_V200R001C01SPC300.cc
Next startup system software: sd1:/ar2220_V200R001C01SPC300.cc
Backup system software for next startup: null
Startup saved-configuration file: null
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Next startup saved-configuration file: sd1:/iascfg.zip
Startup license file: null
Next startup license file: null
Startup patch package: null
Next startup patch package: null
Startup voice-files: null
Next startup voice-files: null

Delete configuration files from the flash memory.
<R1>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
<R1>

Step 15 Restart a router.
Run the reboot command to restart a router.
<R1>reboot
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

The system asks whether you want to save the current configuration.
Determine whether to save the current configuration based on the
requirements for the lab. If you are unsure whether you should save the
current confirmation, do not save it.
Additional Exercises: Analyzing and Verifying
1. You can use USB cables to connect to the USB ports of AR G3 routers
to perform configuration management. For more information, see the related
product guide.
2. Currently, most laptops do not have COM ports. How do we configure
routers without laptop COM ports? List all the methods you have in mind.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Final Configurations
[V200R001C01SPC300]
#
sysname R1
tftp client-source -i Serial2/0/0
#
voice
#
http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
aaa
domain default
#
interface Ethernet3/0/0
#
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
interface Cellular0/0/0
link-protocol ppp
#
link-protocol ppp
#
interface NULL0
#
super password level 3 simple huawei
idle-timeout 10 0
user privilege level 3
#
return

[V200R001C01SPC300]
#
sysname R2
ftp server enable
set default ftp-directory sd1:/
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
#
voice
#
http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
dhcp enable
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


aaa
domain default
local-user ftpuser password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user ftpuser privilege level 15
local-user ftpuser service-type ftp
local-user huawei password simple huawei
local-user huawei privilege level 15
local-user huawei service-type telnet ftp
#
#
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
#
#
#
#
link-protocol ppp
#
link-protocol ppp
#
interface NULL0
#
super password level 3 cipher Q;L]@C0S3[%;LEEP8+INFQ!!
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


authentication-mode aaa
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 2 Configuring Static Routes and Default Routes


Chapter 2 Configuring Static Routes and Default
Routes
Lab 2-1 Configuring Static Routes and Default Routes
Learning Objectives
The objectives of this lab are to learn and understand:
x Advantages of static routes and default routes over dynamic routes
x Routing functions and operation processes
x Procedure for configuring a static route with the next hop as an
interface x Procedure for configuring a static route with the next hop as an IP
address
x Method of testing connectivity of a static route
x Method of implementing interconnection between the distal network
and external network by configuring a default route
x Procedure for testing a default route
x Procedure for configuring a backup static route on a router with
redundant links
x Method of testing a backup static route
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Topology

Figure 2.1 Lab topology of static routes and default routes
Scenario
Assume that you are a network administrator of a company with a
headquarters (HQ) and two branches. R1 is the router in the HQ, and the HQ
has a network segment. R2 and R3 are the routers in the two branches. R1 is
connected to R2 and R3 through the Ethernet and serial cables. R2 and R3
are connected through serial cables.
Because the network scale is small, static routes and default routes are
used to implement interworking. For the IP addressing information, see Figure
2.1.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 16 Perform basic configurations and configure IP
addresses.
Configure the device names and IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1
[R1-Serial1/0/0]description this port connect to R2-S1/0/0
[R1-Serial1/0/0]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]description this port connect to R3-G0/0/0
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

configurations.
[R1-LoopBack0]display current-configuration
#
interface GigabitEthernet 0/0/0
description this port connect to R3-G0/0/0
ip address 10.0.13.1 255.255.255.0
#
#
link-protocol ppp
description this port connect to R2-S1/0/0
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



<Huawei>system-view
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]interface serial 2/0/0
[R2-Serial2/0/0]interface loopback0
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0

<Huawei>system-view
[Huawei]sysname R3
[R3-GigabitEthernet0/0/0]description this port connect to R1-G0/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#

Run the ping command to test network connectivity.
<R1>ping 10.0.12.2

0.00% packet loss

<R1>ping 10.0.13.3

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

<R2>ping 10.0.23.3

0.00% packet loss

Step 17 Test connectivity from R2 to 10.0.13.0/24 and
10.0.3.0/24.
[R2]ping 10.0.13.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

[R2]ping 10.0.3.3
Request time out
Request time out
Request time out
Request time out
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Request time out

100.00% packet loss

Note: If R2 needs to communicate with the network segment 10.0.3.0, the
routes destined for this network segment must be configured on R2, and the
routes destined for the R2 interface must be configured on R3.
The preceding test result shows that R2 cannot communicate with 10.0.3.3
and 10.0.13.3.
Run the display ip routing-table command to view the routing table of R2.
The routing table does not contain the routes of the two networks.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.0.2.0/24 Direct 0 0 D 10.0.2.2 LoopBack0
10.0.2.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 18 Configure static routes on R2.
Configure a static route for destination networks 10.0.13.0/24 and
10.0.3.0/24, with the next hop as R3 interface's IP address 10.0.23.3 ,
preference of 60 is the default and not needed to be set. Also in the example
the preference is not set.
<R2>system-view
[R2]ip route-static 10.0.13.0 24 10.0.23.3
[R2]ip route-static 10.0.3.0 24 10.0.23.3

Note: In the ip route-static command, 24 indicates the subnet mask length,
which can also be expressed in 255.255.255.0.
Step 19 Configure backup static routes.
The data exchanged between R2 and 10.0.13.3 and 10.0.3.3 is transmitted
through the link between R2 and R3. R2 fails to communicate with 10.0.13.3
and 10.0.3.3 if the link between R2 and R3 is faulty.
According to the topology, R2 can communicate with R3 through R1 after
the link between R2 and R3 is faulty. You can configure a backup static route
to solve the preceding problem. Backup static routes do not take effect in
normal cases. If the link between R2 and R3 is faulty, backup static routes are
used to transfer data.
You must configure preferences for backup static routes to ensure that the
backup static routes are used only when the primary link is faulty. In this
example, the preference of the backup static route is set to 80.
[R1]ip route-static 10.0.3.0 24 10.0.13.3

[R2]ip route-static 10.0.13.0 255.255.255.0 Serial 1/0/0 preference 80
[R2]ip route-static 10.0.3.0 24 Serial 1/0/0 preference 80

[R3]ip route-static 10.0.12.0 24 10.0.13.1

Step 20 Test the static routes.
View the routing table of R2.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------


10.0.3.0/24 Static 60 0 RD 10.0.23.3 Serial2/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 Static 60 0 RD 10.0.23.3 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

The routing table contains two static routes that are configured in step 3.
The value of the Proto field is Static, indicating a static route. The value of the
Pre field is 60, indicating the default preference of a route.
Test network connectivity when the link between R2 and R3 works
properly.
[R2]ping 10.0.13.3

0.00% packet loss
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


<R2>ping 10.0.3.3

0.00% packet loss

The command output shows that communication is normal.
You can also run the tracert command to view the routers through which
data is transferred.
<R2>tracert 10.0.13.3
traceroute to 10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,
press CTRL_C to break
1 10.0.23.3 40 ms 31 ms 30 ms

<R2>tracert 10.0.3.3
traceroute to 10.0.3.3(10.0.3.3), max hops: 30 ,packet length: 40,
press CTRL_C to break
1 10.0.23.3 40 ms 30 ms 30 ms

The command output shows that R2 directly sends data to R3.

Step 21 Test the backup static routes.
Disable Serial2/0/0 on R2 and observe the changes in the routing tables.
Compare the routing tables with the previous routing tables before
Serial2/0/0 was disabled.
[R2]int Serial 2/0/0
[R2-Serial2/0/0]shutdown
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------


10.0.3.0/24 Static 80 0 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 Static 80 0 D 10.0.12.2 Serial1/0/0

The next hops and preferences of the two routes in the preceding
information are changed.
Test connectivity between R2 and the destination addresses 10.0.13.3 and
10.0.3.3 on R2.
<R2>ping 10.0.3.3

0.00% packet loss

<R2>ping 10.0.13.3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

The network is not disconnected when the link between R2 and R3 is shut
down.
You can also run the tracert command to view the routers through which
data is transferred.
<R2>tracert 10.0.13.3
traceroute to 10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,press CTRL_C
to break
1 10.0.12.1 40 ms 21 ms 21 ms
2 10.0.13.3 30 ms 21 ms 21 ms

<R2>tracert 10.0.3.3
to break
1 10.0.12.1 40 ms 21 ms 21 ms
2 10.0.13.3 30 ms 21 ms 21 ms

The command output shows that the data sent by R2 reaches R3 through
R1.

Step 22 Configure a default route on R1 to implement
network connectivity.
Enable the interface that was disabled in step 6 on R2.
[R2]int Serial 2/0/0
[R2-Serial2/0/0]undo shutdown

Test connectivity between R1 and R3.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]ping 10.0.23.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

R3 cannot be pinged because the route destined for 10.0.23.3 is not
configured on R1.
You can configure a default route on R1 to implement network connectivity.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.13.3

After the configuration is complete, test connectivity between R1 and
10.0.23.3.
[R1]ping 10.0.23.3

0.00% packet loss

Step 23 Configure a backup default route.
If the link between R1 and R3 is faulty, R1 can communicate with 10.0.23.3
and 10.0.3.3 through R2.
However, R1 does not learn about this route by default. You can also
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


configure a backup default route in this step.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80

[R3]ip route-static 10.0.12.0 24 10.0.23.2 preference 80

Step 24 Test the backup default route.
View the routes of R1 when the link between R1 and R3 works properly.
<R1>display ip routing-table
----------------------------------------------------------------------------


0.0.0.0/0 Static 60 0 RD 10.0.13.3 GigabitEthernet0/0/0
10.0.3.0/24 Static 60 0 RD 10.0.13.3 GigabitEthernet0/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.13.0/24 Direct 0 0 D 10.0.13.1 GigabitEthernet0/0/0

Disable GigabitEthernet0/0/0 on R1 and disable GigabitEthernet0/0/0 on
R3, and then view the routes of R1. Compare the current routes with the routes
before GigabitEthernet0/0/0 was disabled.
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]shutdown
[R1-GigabitEthernet0/0/0]quit

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



----------------------------------------------------------------------------


0.0.0.0/0 Static 80 0 RD 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0

According to the preceding routing table, the value of 80 in the Pre column
indicates that backup default route 0.0.0.0 is valid.
Test network connectivity on R1.
[R1]ping 10.0.23.3

0.00% packet loss
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]tracert 10.0.23.3
to break
1 10.0.12.2 30 ms 26 ms 26 ms
2 10.0.23.3 60 ms 53 ms 56 ms

The data packets reach R3 through R2.
AddtonaI Exercses: AnaIyzng and Verfyng
You can run the ping command to control other information about
forwarded data packets, such as the source address, data packet size, and
data packet quantity. Consider the following questions:
1. What is the source address of the ping data packets sent from a router
by default?
2. In this lab, is connectivity implemented for all the network segments?
3. What is the simplest static route configuration for this lab topology if only
static route are configured to implement connectivity?
4. You can specify the next hop address or an interface when configuring a
static route. Consider the differences between the two configurations. How do
non-Huawei vendors configure static routes?

Appendx A: DefauIt Preference of Each Routng ProtocoI
of Huawe Routers

Routing Protocol and Routing Type Preference
Direct 0
OSPF 10
IS-IS 15
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Static 60
RIP 100
OSPF ASE 150
BGP 255

FnaI Confguratons
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.13.3
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80
ip route-static 10.0.3.0 255.255.255.0 10.0.13.3
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol ppp
ip address 10.0.23.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 10.0.3.0 255.255.255.0 10.0.23.3
ip route-static 10.0.3.0 255.255.255.0 Serial1/0/0 preference 80
ip route-static 10.0.13.0 255.255.255.0 10.0.23.3
ip route-static 10.0.13.0 255.255.255.0 Serial1/0/0 preference 80
#
return

[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 10.0.12.0 255.255.255.0 10.0.13.1
ip route-static 10.0.12.0 255.255.255.0 10.0.23.2 preference 80
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 3 RIP Configuration


Chapter 3 RIP Configuration
Lab 3-1 Configuring RIPv1 and RIPv2
Learning Objectives
x Loop prevention mechanism of the Routing Information Protocol (RIP).
x Method of using RIP to exchange routing information between two
routers.
x Method of configuring RIPv1.
x Method of enabling RIP on a specified network and interface.
x Method of using the display and debug commands to test RIP.
x Procedure for testing connectivity of the RIP network.
x Formats of the network prefixes sent to or received by RIP.
x Method of configuring RIPv2.
x Differences between RIPv1 and RIPv2.
x Method of importing a static route to RIP.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Topology

Figure 3.1 Lab topology of RIPv1 and RIPv2
Scenario
Assume that you are a network administrator of a company that has a small
intranet with three routers and five networks. You want to use RIP to transfer
routing information. Considering compatibility, you want to use RIPv1 at first,
but you realize that RIPv2 also has many advantages. After certain tests, you
finally select RIPv2.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 1 Perform basic configurations and IP addressing.
Configure basic device information and set IP addresses based on the
topology.
<Huawei>system-view
[Huawei]sysname R1
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]quit

configuration results.
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#

<Huawei>system-view
[Huawei]sysname R2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#

<Huawei>system-view
[Huawei]sysname R3
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


R1 and R2 can communicate with each other.
<R1>ping 10.0.12.2

0.00% packet loss

R2 can successfully ping the IP address 10.0.23.3 of R3.
<R2>ping 10.0.23.3

0.00% packet loss

Step 2 Configure RIPv1.
Enable RIP on R1, and then advertise the 10.0.0.0 network segment to
RIP.
[R1]rip 1
[R1-rip-1]network 10.0.0.0

RIP.
[R2]rip 1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


RIP.
[R3]rip 1
[R3-rip-1]net 10.0.0.0

Step 3 Verify RIPv1 routes.
View the routing tables of R1, R2, and R3. Make sure that these routers
have learned the RIP routes that are highlighted in gray in the following
command output.
----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------


h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 2 D 10.0.23.2 Serial2/0/0
10.0.2.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0

Test connectivity from R1 to IP address 10.0.23.3. R1 and R3 can
communicate with each other.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]ping 10.0.23.3

0.00% packet loss

You can run the debug command to view RIP periodic updates.
Run the debug command to enable the RIP debugging function. The
debug command can be used only in the user view. Then run the terminal
debugging and terminal monitor commands to display the debugging
information.
The information about RIP interactions between routers is displayed.
<R1>debug rip 1
<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>terminal monitor
Info: Current terminal monitor is on.
Sep 19 2011 19:15:22.630.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1
response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:22.630.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response
from 10.0.12.2 on Serial1/0/0
Sep 19 2011 19:15:22.630.3+00:00 R1 RM/6/RMDEBUG: 6: 11709: Packet: Version 1,
Cmd response, Length 44
Sep 19 2011 19:15:22.630.4+00:00 R1 RM/6/RMDEBUG: 6: 11758: Dest 10.0.3.0, Cost
2
1
Sep 19 2011 19:15:52.650.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1
response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:52.650.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response
from 10.0.12.2 on Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


1

You can run the undo debug rip or undo debug all command to disable
debugging functions.
<R1>undo debug rip 1

In addition, you can run the commands that have more parameters to view
the debugging information of a certain type. For example, run the debug rip 1
event command to view the periodical update events sent or received by
routers. You can add the question mark (?) to the command to query other
parameters.
<R1>debug rip 1 event
Sep 19 2011 19:23:44.200.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer
expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update
queue
Sep 19 2011 19:23:44.210.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface
Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug all
Info: All possible debugging has been turned off

Warning: If too many debugging functions are enabled, a large number of
router resources are used. This may lead to break down. Therefore, use the
commands (such as debug all) for enabling debugging functions in batches
with caution.

After the preceding configuration, you need to configure only version 2 in
the RIP sub view.
[R1]rip 1
[R1-rip-1]version 2

[R2]rip 1
[R2-rip-1]version 2

[R3]rip 1
[R3-rip-1]version 2

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 5 Verify RIPv2 routes.
View the routing tables of R1, R2, and R3.
Run the display ip routing-table command to view the routing tables of R1,
R2, and R3. Compare the routes that are highlighted in gray with RIPv1 routes.
----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 2 D 10.0.23.2 Serial2/0/0
10.0.2.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0

Note: The route learning of RIPv1 is the same of the route learning of
RIPv2. Why is this true?
Test connectivity from R1 to 10.0.23.3.
[R1]ping 10.0.23.3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

You can run the debug command to view the RIPv2 periodic updates.
<R1>terminal monitor
Info: Current terminal monitor is on.
<R1>debug rip 1 event
Sep 19 2011 19:55:46.600.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer
expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update
queue
Sep 19 2011 19:55:46.610.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface
Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug rip 1
<R1>debug rip 1 packet
Sep 19 2011 20:31:34.230.1+00:00 R1 RM/6/RMDEBUG: 6: 11689: RIP 1: Sending response
on interface Serial1/0/0 from 10.0.12.1 to 224.0.0.9
Sep 19 2011 20:31:34.230.3+00:00 R1 RM/6/RMDEBUG: 6: 11777: Dest 10.0.1.0/24,
Nexthop 0.0.0.0, Cost 1, Tag 0
<R1>undo debug all
Info: All possible debugging has been turned off

Step 6 Import a static route to RIPv2.
Add a loopback interface on R3, and then set the IP address to
172.16.3.3/24. Configure a static route to the network segment on R2. Import
the static route to the RIP routing information so that R1 can communicate with
172.16.3.3.
Configure the loopback interface on R3.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3]interface LoopBack 1

[R1]ping 172.16.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

R1 does not have a route to 172.16.3.3. Therefore, the address cannot be
pinged successfully.
Configure the static route on R2.
<R2>system-view
[R2]ip route-static 172.16.3.0 24 10.0.23.3

Import the static route to RIPv2.
[R2]rip 1
[R2-rip-1]import-route static

Step 7 Verify that the static routes are imported to RIPv2
successfully.
View the routing tables of R1, R2, and R3. The route to 172.16.3.0/24
exists in the routing table of R1; the static route to 172.16.3.0/24 exists in the
routing table of R2; no change occurs in the routing table of R3.
----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
172.16.3.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


172.16.3.0/24 Static 60 0 RD 10.0.23.3 Serial2/0/0

----------------------------------------------------------------------------
10.0.1.0/24 RIP 100 2 D 10.0.23.2 Serial2/0/0
10.0.2.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0

R1 can communicate with 172.16.3.3.
[R1]ping 172.16.3.3

0.00% packet loss
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


AddtonaI Exercses: AnaIyzng and Verfyng
When you use RIPv1, a router sends network IDs and other route update
information to its neighbor routers without sending subnet masks. How do
neighbor routers process the route update information and generate the
corresponding subnet masks?
How are RIPv1 and RIPv2 compatible with each other?

[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
import-route static
#
ip route-static 172.16.3.0 255.255.255.0 10.0.23.3
#
return

[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
description this port connects to R2-S2/0/0
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 172.16.3.3 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
Return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 3-2 RIPv2 Route Aggregation and Authentication
Learning Objectives
x Route aggregation advantages
x Method used to configure RIPv2 route aggregation
x RIP authentication method
x Method used to troubleshoot an RIP authentication failure
Topology

Figure 3.2 RIPv2 topology

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Scenario
Assume that you are a network engineer of a company. The company is
small; therefore, RIPv2 is used. There are too many routes; therefore, route
aggregation is required to control and advertise routes.
Malicious attackers may forge a valid router to receive and modify valid
routes, so RIPv2 authentication is used to protect the network.
Tasks
Step 1 Configure IP addresses for interfaces.
Configure device names and IP addresses for R1, R2, and R3.
<Huawei>system
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3
[R3-LoopBack0]interface loopback 2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



After you have configured the IP addresses for the interfaces, test network
connectivity.
<R1>ping 10.0.12.2

0.00% packet loss

<R2>ping 10.0.23.3

0.00% packet loss

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Configure RIPv2 on R1, R2, and R3.
[R1]rip 1
[R1-rip-1]version 2

[R2]rip 1
[R2-rip-1]version 2

[R3]rip 1
[R3-rip-1]network 172.16.0.0
[R3-rip-1]version 2

----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
172.16.0.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
172.16.1.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
172.16.2.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


172.16.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0

The information in grey shows that R1 has learned specific routes but not
aggregated routes.
Test network connectivity.
<R1>ping 172.16.0.1

0.00% packet loss

Step 3 Configure RIP manual route aggregation on R2.
Run the rip summary-address command on S1/0/0 of R2 to configure RIP
route aggregation. The four routes (172.16.0.0/24, 172.16.1.0/24,
172.16.2.0/24, and 172.16.3.0/24) are aggregated into one route
(172.16.0.0/16).
[R2]interface serial1/0/0
[R2-Serial1/0/0]rip summary-address 172.16.0.0 255.255.0.0

View the routing table and the aggregated route.
----------------------------------------------------------------------------


h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
172.16.0.0/16 RIP 100 2 D 10.0.12.2 Serial1/0/0

The information in grey shows an aggregated route. No specific route is
listed in the routing table.
<R1>ping 172.16.0.1

0.00% packet loss

The preceding information shows that route aggregation does not affect
network connectivity.
Step 4 Configure RIP authentication.
Configure plain text authentication between R1 and R2 and MD5
authentication between R2 and R3. Set the authentication password to
huawei.
[R1-Serial1/0/0]rip authentication-mode simple huawei
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2-Serial2/0/0]rip authentication-mode md5 usual huawei


After the configurations are complete, test network connectivity.
----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
172.16.0.0/16 RIP 100 2 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
172.16.0.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.1.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.2.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 2 D 10.0.23.2 Serial2/0/0
10.0.2.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Step 5 Rectify the RIPv2 fault.
Change the authentication password on S1/0/0 of R2 to huawei2.
[R2-Serial1/0/0]rip authentication-mode simple huawei2

Run the following command to delete the routes learned by R1 from R2
before the authentication password on R2 is changed.
<R1>reset ip routing-table statistics protocol rip

----------------------------------------------------------------------------


10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Because R1 and R2 use different RIP authentication passwords, R1 cannot
receive any RIP route from R2.
Restore the authentication password on S1/0/0 of R2 to huawei.

Change the authentication mode on S2/0/0 of R2 to plain text
authentication.

Run the following command to delete the routes learned by R3 from R2
before you change the authentication password.
<R3>reset ip routing-table statistics protocol rip

----------------------------------------------------------------------------


10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Because R2 and R3 use different RIP authentication modes, R3 cannot
receive any RIP route from R2.
Restore the authentication mode on S2/0/0 of R2 to MD5.

Verify that routes in routing tables of R1, R2, and R3 are correct.
----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.3.0/24 RIP 100 2 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


172.16.0.0/16 RIP 100 2 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
172.16.0.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.1.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.2.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0
172.16.3.0/24 RIP 100 1 D 10.0.23.3 Serial2/0/0

----------------------------------------------------------------------------


h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.1.0/24 RIP 100 2 D 10.0.23.2 Serial2/0/0
10.0.2.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 RIP 100 1 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0

You can use debug commands to troubleshoot faults. In step 5, the
authentication passwords or authentication modes on two routers are different.
Use debug commands to view relevant information.
Appendix A: RIP Debugging Commands on Huawei Routers
<Huawei>debugging rip 1 ?
brief Brief information about RIP events
error Information about RIP Errors
event Information about RIP events
packet All RIP packets
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


receive Received RIP packet information
route-processing Information about RIP Route-Processing
send Sent RIP packet information
timer Information about RIP timers
<cr> Please press ENTER to execute command

The preceding lists some debugging commands, which can be used for
reference.
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
rip authentication-mode simple huawei
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
Return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
rip authentication-mode simple huawei
rip summary-address 172.16.0.0 255.255.0.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


link-protocol ppp
ip address 10.0.23.2 255.255.255.0
rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return

[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.3.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
Return
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 4 OSPF Configuration


Chapter 4 OSPF Configuration
Lab 4-1 OSPF Single-area Configuration
Learning Objectives
x Router ID usage.
x Method used to enable OSPF on a specified interface or network.
x Method used to view OSPF operations using display commands.
x Method to use OSPF to advertise default routes.
x Method used to change the OSPF hello interval and dead interval.
x Method used to change the OSPF route priority.
x DR or BDR election on the Ethernet.
Topology

Figure 4.1 OSPF single area topology
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Scenario
Assume that you are a network administrator of a company. The company
will use OSPF to exchange routes. All the routers belong to OSPF area 0.
OSPF is required to advertise default routes and the DR or BDR will be
elected.
Tasks
<Huawei>system-view
[Huawei]sysname R1
[R1-Serial1/0/0]interface GigabitEthernet 0/0/0

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 2 Configure OSPF.
Use Loopback0's IP address 10.0.1.1 as the router ID, use OSPF process
1 (default OSPF process), and specify network segments 10.0.12.0/24,
10.0.13.0/24, and 10.0.1.0/24 in OSPF area 0.
[R1]ospf 1 router-id 10.0.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255

A router can run multiple OSPF processes and different routers in a routing
domain can use identical or different OSPF process IDs. You must specify the
wildcard mask in the network command.
10, and specify network segments 10.0.12.0/24 and 10.0.2.0/24 in OSPF area
0.
[R2-ospf-10]area 0

100, and specify network segments 10.0.13.0/24 and 10.0.3.0/24 in OSPF
area 0.
[R3-ospf-100]area 0

Step 3 Verify the OSPF configuration.
After OSPF route convergence is complete, view routing tables of R1, R2,
and R3.
----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n




10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0
10.0.3.3/32 OSPF 10 1 D 10.0.13.3 GigabitEthernet0/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------


10.0.1.1/32 OSPF 10 1562 D 10.0.12.1 Serial1/0/0
10.0.3.3/32 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------



Test network connectivity between R2 and R1 at 10.0.1.1 and between R2
and R3 at 10.0.3.3.
[R2]ping 10.0.1.1

0.00% packet loss

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2]ping 10.0.3.3

0.00% packet loss

Run the display ip routing-table protocol ospf command to view the
learned routes. Use the display on R1 as an example. The configurations on
R2 and R3 are similar.
[R1]display ip routing-table protocol ospf
----------------------------------------------------------------------------
Public routing table : OSPF

OSPF routing table status : <Active>

10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0

OSPF routing table status : <Inactive>

Run the display ospf peer command to view the OSPF neighbor status.
[R1]display ospf peer

OSPF Process 1 with Router ID 10.0.1.1
Neighbors

Area 0.0.0.0 interface 10.0.12.1(Serial1/0/0)'s neighbors
Router ID: 10.0.2.2 Address: 10.0.12.2
State: Full Mode:Nbr is Master Priority: 1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


DR: None BDR: None MTU: 0
Dead timer due in 30 sec
Retrans timer interval: 5
Neighbor is up for 00:09:19
Authentication Sequence: [ 0 ]

Neighbors
Area 0.0.0.0 interface 10.0.13.1(GigabitEthernet0/0/0)'s neighbors
DR: 10.0.13.1 BDR: 10.0.13.3 MTU: 0

The display ospf peer command displays detailed information about
neighbors. The preceding information shows that R1 has two neighbors: R2
(Router ID: 10.0.2.2) and R3 (Router ID:10.0.3.3). The neighbors are in full
state. You can also run the display ospf peer brief command to view brief
information about neighbors.
[R1]display ospf peer brief

Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Serial1/0/0 10.0.2.2 Full
0.0.0.0 GigabitEthernet0/0/0 10.0.3.3 Full
----------------------------------------------------------------------------


----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.1.1 Full
----------------------------------------------------------------------------

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------
----------------------------------------------------------------------------

Step 4 Change the OSPF hello interval and dead interval.
Run the display ospf interface GigabitEthernet 0/0/0 command on R1 to
view the default OSPF hello interval and dead interval.
[R1]display ospf interface GigabitEthernet 0/0/0

Interfaces

Interface: 10.0.13.1 (GigabitEthernet0/0/0)
Cost: 1 State: DR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 10.0.13.1
Backup Designated Router: 10.0.13.3
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1

Run the ospf timer command to change the OSPF hello interval and dead
interval on GE0/0/0 of R1 to 15s and 60s respectively.
[R1-GigabitEthernet0/0/0]ospf timer hello 15
[R1-GigabitEthernet0/0/0]ospf timer dead 60
[R1-GigabitEthernet0/0/0]display ospf interface GigabitEthernet 0/0/0

Interfaces

Priority: 1

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Check the OSPF neighbor status on R1.

----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------

The preceding information shows that R1 has only one neighbor, R2.
Because OSPF hello intervals and dead intervals on R1 and R3 are different,
R1 and R3 cannot establish an OSPF neighbor relationship.
Run the ospf timer command to change the OSPF hello interval and dead
interval on GE0/0/0 of R3 to 15s and 60s respectively.
[R3-GigabitEthernet0/0/0]ospf timer hello 15
[R3-GigabitEthernet0/0/0]ospf timer dead 60
[R3-GigabitEthernet0/0/0]display ospf interface GigabitEthernet 0/0/0

Interfaces

Priority: 1

Check the OSPF neighbor status on R1 again.
----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 5 Configure OSPF to advertise default routes and verify
the configuration.
Configure OSPF to advertise default routes on R3.
[R3]ip route-static 0.0.0.0 0 LoopBack 2
[R3]ospf 100
[R3-ospf-100]default-route-advertise

View routing tables of R1 and R2. You can see that R1 and R2 have
learned the default routes advertised by R3.
----------------------------------------------------------------------------


0.0.0.0/0 O_ASE 150 1 D 10.0.13.3 GigabitEthernet0/0/0
10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n




0.0.0.0/0 O_ASE 150 1 D 10.0.12.1 Serial1/0/0
10.0.1.1/32 OSPF 10 1562 D 10.0.12.1 Serial1/0/0
10.0.3.3/32 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 OSPF 10 1563 D 10.0.12.1 Serial1/0/0

Run the ping command to test connectivity between R2 and Loopback2 at
172.16.0.1.
<R2>ping 172.16.0.1

0.00% packet loss

Step 6 Control OSPF DR or BDR election.
Run the display ospf peer command to view the DR and BDR of R1 and
R3.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]display ospf peer 10.0.3.3

Neighbors

DR: 10.0.13.3 BDR: 10.0.13.1 MTU: 0

The preceding information shows that R3 is the DR and R1 is the BDR.
This is because R3's router ID 10.0.3.3 is greater than R1's router ID 10.0.1.1.
R1 and R3 use the default priority of 1, so their router IDs are used for DR or
BDR election.
Run the ospf dr-priority command to change DR priorities of R1 and R3.
[R1-GigabitEthernet0/0/0]ospf dr-priority 200

[R3-GigabitEthernet0/0/0]ospf dr-priority 100

By default, a DR or BDR is elected in non-preemption mode. After router
priorities are changed, a DR is not re-elected, so you must reset the OSPF
neighbor relationship between R1 and R3.
Shut down and re-enable GE0/0/0 interfaces on R1 and R3 to reset the
OSPF neighbor relationship between R1 and R3.


[R1-GigabitEthernet0/0/0]undo shutdown

[R3-GigabitEthernet0/0/0]undo shutdown

Run the display ospf peer command to view the DR and BDR of R1 and
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


R3.
[R1]display ospf peer 10.0.3.3

Neighbors

DR: 10.0.13.1 BDR: 10.0.13.3 MTU: 0

According to the preceding information, R1's priority is higher than R3's
priority, so R1 becomes DR and R3 becomes the BDR.
Why are OSPF hello interval and dead interval changed?
Must OSPF hello intervals and dead intervals of all the routers in an OSPF
area be the same? Must the OSPF hello interval and dead interval of a router
be the same? Why?
In which network is DR or BDR elected?
R1, R2, and R3 are configured with loopback interfaces and use 24-bit
mask. Why does the mask have 32 bits after other routers learn networks
connected to loopback interfaces?
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
ip address 10.0.13.1 255.255.255.0
ospf dr-priority 200
ospf timer hello 15
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.13.0 0.0.0.255
network 10.0.12.0 0.0.0.255
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.0.12.0 0.0.0.255
#
return

[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ospf dr-priority 100
ospf timer hello 15
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
default-route-advertise
area 0.0.0.0
network 10.0.13.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 LoopBack2
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 4-2 OSPF Multi-area and Authentication Configuration
Learning Objectives
x OSPF multi-area advantages.
x Route exchange in multiple OSPF areas.
x OSPF multi-area configuration commands.
x OSPF authentication configuration.
x Troubleshooting method used when the setup of an OSPF . neighbor
relationship fails.
Topology

Figure 4.2 OSPF multi area topology
Scenario
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


will use OSPF to advertise routes. As the network scale increases, OSPF
multi-area is used to plan the company network. OSPF authentication is
required to ensure security. During this configuration, you will learn about
OSPF LSA types and functions.
Tasks
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3

Step 2 Configure multiple OSPF areas.
R1 functions as the ABR. Specify network segment 10.0.12.0/24 in area 0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


and network segments 10.0.13.0/24 and 10.0.1.0/24 in area 1.
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]area 1

Add R2 to the backbone area, area 0.
[R2-ospf-1]area 0

R3 functions as the ASBR. Specify network segments 10.0.13.0/24 and
10.0.3.0/24 in area 1. The network segment 172.16.0.0/24 does not belong to
any OSPF area.
[R3-ospf-1]area 1

Step 3 Verify OSPF routes.
View routing tables of R1, R2, and R3. Verify that each router has learned
the following routes marked in grey.
----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



----------------------------------------------------------------------------



10.0.1.1/32 OSPF 10 1562 D 10.0.12.1 Serial1/0/0
10.0.3.3/32 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 OSPF 10 1563 D 10.0.12.1 Serial1/0/0

----------------------------------------------------------------------------





Test network connectivity between R3 and R1 , R3 and R2.
[R3]ping 10.0.1.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R3]ping 10.0.2.2

0.00% packet loss

Check the OSPF neighbor status.

----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------


----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.0.0.0 Serial1/0/0 10.0.1.1 Full
----------------------------------------------------------------------------


----------------------------------------------------------------------------
----------------------------------------------------------------------------

Verify that the OSPF process ID and router ID of each router is correct and
the neighbor relationships are in full state.

Step 4 Import external routes and verify the configuration.
Run the import-route command on R3 to import direct routes.
[R3]ospf 1
[R3-ospf-1]import-route direct

View routing tables of R1 and R2. R1 and R2 have learned the route
10.0.3.0/24 and 172.16.0.0/24.
----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



----------------------------------------------------------------------------


10.0.1.1/32 OSPF 10 1562 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 O_ASE 150 1 D 10.0.12.1 Serial1/0/0
10.0.3.3/32 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
172.16.0.0/24 O_ASE 150 1 D 10.0.12.1 Serial1/0/0


The routes in grey are imported routes. The value of Proto is O_ASE,
indicating an external route.
Run the ping command with the source address specified to test network
connectivity.
[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss

[R2]ping -a 10.0.2.2 172.16.0.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

Run the display ospf lsdb command to view the LSDB of R1.
[R1]display ospf lsdb
Link State Database

Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.0.2.2 10.0.2.2 908 60 80000003 1562
Router 10.0.1.1 10.0.1.1 918 48 80000003 1562
Sum-Net 10.0.13.0 10.0.1.1 1022 28 80000001 1
Sum-Net 10.0.3.3 10.0.1.1 720 28 80000001 1
Sum-Net 10.0.1.1 10.0.1.1 1016 28 80000001 0
Sum-Asbr 10.0.3.3 10.0.1.1 393 28 80000001 1

Area: 0.0.0.1
Router 10.0.3.3 10.0.3.3 394 48 80000005 1
Router 10.0.1.1 10.0.1.1 719 48 80000006 1
Network 10.0.13.1 10.0.1.1 719 32 80000002 0
Sum-Net 10.0.12.0 10.0.1.1 1022 28 80000001 1562
Sum-Net 10.0.2.2 10.0.1.1 908 28 80000001 1562

AS External Database
External 10.0.3.0 10.0.3.3 395 36 80000001 1
External 10.0.13.0 10.0.3.3 395 36 80000001 1
External 172.16.0.0 10.0.3.3 395 36 80000001 1

The preceding information is the brief information about the LSDB. The
LSDB contains one ASBR-summary-LSA (Type4 LSA) and three
AS-external-LSAs (Type5 LSAs).
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


You can also run the following commands to view detailed information
about LSAs. The following three commands display the Type3 LSA, Type4
LSA, and Type5 LSA respectively.
[R1]display ospf lsdb summary 10.0.3.3

Area: 0.0.0.0
Link State Database

Type : Sum-Net
Ls id : 10.0.3.3
Adv rtr : 10.0.1.1
Ls age : 869
Len : 28
Options : E
seq# : 80000001
chksum : 0x4cf3
Net mask : 255.255.255.255
Tos 0 metric: 1
Priority : Low
Area: 0.0.0.1
Link State Database

[R1]display ospf lsdb asbr
Area: 0.0.0.0
Link State Database

Type : Sum-Asbr
Ls id : 10.0.3.3
Adv rtr : 10.0.1.1
Ls age : 591
Len : 28
Options : E
seq# : 80000001
chksum : 0x3e01
Tos 0 metric: 1
Area: 0.0.0.1
Link State Database

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]display ospf lsdb ase 172.16.0.0

Link State Database

Type : External
Ls id : 172.16.0.0
Adv rtr : 10.0.3.3
Ls age : 607
Len : 36
Options : E
seq# : 80000001
chksum : 0xf70c
Net mask : 255.255.255.0
TOS 0 Metric: 1
E type : 2
Forwarding Address : 0.0.0.0
Tag : 1
Priority : Low

Step 5 Configure OSPF authentication and verify
the configuration.
Configure S1/0/0 on R1 in interface authentication mode, use the plain text,
and set the password to Huawei.
[R1-Serial1/0/0]ospf authentication-mode simple plain huawei

On R1, check the neighbor status.

----------------------------------------------------------------------------
----------------------------------------------------------------------------

R1 and R2 cannot establish an OSPF neighbor relationship because they
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


use different OSPF authentication modes.
Configure S1/0/0 on R2 in interface authentication mode, use the plain text,
and set the password to Huawei.
[R2-Serial1/0/0]ospf authentication-mode simple plain huawei

----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------

R1 and R2 can reestablish an OSPF neighbor relationship because they
use the same authentication modes and passwords.
Configure area authentication, MD5 encryption, and password Huawei in
cipher text in area 1 on R1.
[R1]ospf 1
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei


----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------

R1 and R3 cannot establish an OSPF neighbor relationship because they
use different OSPF authentication modes.
Configure area authentication, MD5 encryption, and password Huawei in
cipher text in area 1 on R3.
[R3]ospf 1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3-ospf-1]area 1
[R3-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei


----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Full
----------------------------------------------------------------------------

R1 and R3 can reestablish an OSPF neighbor relationship because they
use the same authentication modes and passwords.
Information in step 4:
10.0.3.0/24 O_ASE 150 1 D 10.0.12.1 Serial1/0/0
10.0.3.3/32 OSPF 10 1563 D 10.0.12.1 Serial1/0/0
The preceding routes have the same source interface, Loopback0 on R3.
Other routers learn two routes. Does this lead to any problem and how to solve
this problem?
Analyze Type4 LSA generation, transfer, and conversion.
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
ospf authentication-mode simple plain huawei
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
area 0.0.0.1
authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
network 10.0.13.0 0.0.0.255
network 10.0.1.0 0.0.0.255
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
ospf authentication-mode simple plain huawei
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
network 10.0.2.0 0.0.0.255
#
return

[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
import-route direct
area 0.0.0.1
authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
network 10.0.3.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 5 RIP and OSPF Route Import


Chapter 5 RIP and OSPF Route Import
Lab 5-1 RIP and OSPF Route Import
Learning Objectives
x Route import advantages
x Method used to import OSPF routes to RIP
x Method used to import RIP routes to OSPF
Topology

Figure 5.1 Topology for OSPF and RIP route import
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Scenario
Assume that you are a network administrator of a company, and the
company network uses RIPv2 and OSPF. RIP needs to import OSPF routes
and OSPF needs to import RIP routes to enable communication between
RIP-enabled devices and OSPF-enabled devices. The metrics of different
routing protocols are different.
Tasks
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3
[R3-LoopBack2]interface LoopBack 3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Step 2 Configure OSPF and verify the OSPF configuration.
Enable OSPF on R1 and R2 and add them to area 0.
[R1-ospf-1]area 0

[R2-ospf-1]area 0

View routing tables of R1 and R2. The following information shows that R1
has learned a route to another network segment using OSPF.
----------------------------------------------------------------------------



10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0


[R2]

R2 is directly connected to network segments in the OSPF area; therefore,
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


R2 does not learn other routes using OSPF.
Step 3 Configure RIPv2 and verify the RIPv2 configuration.
Enable RIPv2 process 1 on R1, and specify the network segment 10.0.0.0
in RIP process 1.
[R1]rip 1
[R1-rip-1]version 2

Enable RIPv2 process 1 on R3, and specify network segments 172.16.0.0
and 10.0.0.0 in RIP process 1.
[R3]rip 1
[R3-rip-1]version 2
[R3-rip-1]network 172.16.0.0

View routing tables of R1 and R3. The following information shows that R1
has learned the corresponding routes using RIP.
[R1]display ip routing-table protocol rip
----------------------------------------------------------------------------
Public routing table : RIP

RIP routing table status : <Active>

10.0.3.0/24 RIP 100 1 D 10.0.13.3 GigabitEthernet0/0/0

RIP routing table status : <Inactive>

----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n





Step 4 Import RIPv2 and OSPF routes and verify the
configuration.
R2 and R3 do not learn routes from each other because they belong to
different routing areas. On R1, import RIP routes into the OSPF routing table.
[R1]ospf 1
[R1-ospf-1]import-route rip 1 cost 100

On R1, import OSPF routes into the RIP routing domain.
[R1]rip 1
[R1-rip-1]import-route ospf 1 cost 1

View the routing tables of R1, R2, and R3.
----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0

The R1 routing table remains unchanged after route import. This is
because R1 is located in both OSPF and RIP routing domains. Before routes
are imported, R1 has learned all the routes.
R2 and R3 have learned the following routes.
----------------------------------------------------------------------------



10.0.1.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
172.16.0.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
172.16.1.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
172.16.2.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
172.16.3.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0

----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n







Test network connectivity. On R2, run the ping command specifying the
source address.
[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss

[R2]ping -a 10.0.2.2 172.16.0.1

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

Configure RIP route aggregation on G0/0/0 of R3.
[R3-GigabitEthernet0/0/0]rip summary-address 172.16.0.0 255.255.252.0

View routing tables of R1 and R2 and compare routing tables in this step
with the routing tables in step 3.
----------------------------------------------------------------------------

10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0

----------------------------------------------------------------------------

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



10.0.1.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
10.0.3.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
10.0.13.0/24 O_ASE 150 100 D 10.0.12.1 Serial1/0/0
172.16.0.0/22 O_ASE 150 100 D 10.0.12.1 Serial1/0/0

R1 and R2 learn the aggregated route 172.16.0.0/22 but not the specific
route 172.16.0.0/24.
An external route refers to a route imported from another routing protocol.
How do OSPF and RIP identify external routes? What is the difference
between external routes and routes learned by a protocol? Which types of
routes are more reliable?
Can route aggregation be performed on R1?
The default configurations are used for route import. Which parameters are
optional when RIP routes are imported into OSPF? What are the functions of
these parameters?
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


import-route rip 1 cost 100
area 0.0.0.0
network 10.0.12.0 0.0.0.255
#
rip 1
version 2
network 10.0.0.0
import-route ospf 1 cost 1
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
network 10.0.2.0 0.0.0.255
#
return

[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
rip summary-address 172.16.0.0 255.255.252.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.3.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 6 Ethernet and STP


Chapter 6 Ethernet and STP
Lab 6-1 Ethernet Interface and Link Configuration
Learning Objectives
x Statistics on an Ethernet interface.
x Interface rate and duplex mode.
x Method used to configure the Ethernet interface rate and duplex
mode.
x Method used to configure manual link aggregation.
Topology

Figure 6.1 Switch topology
Scenario
Assume that you are a network administrator of a company that has two
Huawei S5700 switches. You need to commission the switches. The Ethernet
interface rate and duplex mode will be tested.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 1 Perform basic configurations on Ethernet switches.
Auto-negotiation is enabled on Huawei switch interfaces by default. In this
example, the rate and duplex mode of G0/0/9 and G0/0/10 on S1 and S2 are
set manually.
Change the system name and view detailed information about G0/0/9 and
G0/0/10 on S1.
<Quidway>system-view
[Quidway]sysname S1
[S1]display interface GigabitEthernet 0/0/9
GigabitEthernet0/0/9 current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 752 bits/sec, 0 packets/sec
Last 300 seconds output rate 720 bits/sec, 0 packets/sec
Input peak rate 1057259144 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267232 bits/sec,Record time: 2008-10-01 00:08:58
Unicast : 70,Multicast : 5011357
Broadcast : 6643714,Jumbo : 0
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 0
Ignoreds : 0,Frames : 0
Discard : 69,Total Error : 0
Collisions : 0,Deferreds : 0
Late Collisions: 0,ExcessiveCollisions: 0
Buffers Purged : 0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%

Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 1312 bits/sec, 0 packets/sec
Last 300 seconds output rate 72 bits/sec, 0 packets/sec
Input peak rate 1057256792 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267296 bits/sec,Record time: 2008-10-01 00:08:58
CRC : 3,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 4
Ignoreds : 0,Frames : 0
Collisions : 0,Deferreds : 0
Late Collisions: 0,ExcessiveCollisions: 0
Buffers Purged : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%

Set the rate of G0/0/9 and G0/0/10 on S1 to 100 Mbit/s and configure them
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


to work in full duplex mode.
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]undo negotiation auto
[S1-GigabitEthernet0/0/9]speed 100
[S1-GigabitEthernet0/0/9]duplex full
[S1-GigabitEthernet0/0/9]quit

Before changing the interface rate and duplex mode, disable
auto-negotiation.
Set the rate of G0/0/9 and G0/0/10 on S2 to 100 Mbit/s and configure them
to work in full duplex mode.
[Quidway]sysname S2
[S2-GigabitEthernet0/0/9]quit

Verify the rate and duplex mode of G0/0/9 and G0/0/10 on S1.
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO
output omit

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO
output omit

Step 2 Configure manual link aggregation.
Create Eth-Trunk 1 on S1 and S2. Delete the default configurations from
G0/0/9 and G0/0/10 on S1 and S2, and then add G0/0/9 and G0/0/10 to
Eth-Trunk 1.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]quit
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10

[S2-Eth-Trunk1]quit

Verify the Eth-Trunk configuration.
[S1]display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to MAC
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/9 Up 1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S2]display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to MAC
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
PortName Status Weight
The greyed lines in the preceding information indicate that the Eth-Trunk
works properly.
When auto-negotiation is enabled on switches, which protocol is used?
What is the working principle?
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
interface Eth-Trunk1
#
eth-trunk 1
undo negotiation auto
speed 100
#
eth-trunk 1
speed 100
#
return

#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


sysname S2
#
#
eth-trunk 1
speed 100
#
eth-trunk 1
speed 100
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 6-2 STP Configuration
Learning Objectives
x Method used to enable and disable STP.
x Difference between STP modes.
x Method used to change the bridge priority to control root bridge
election.
x Method used to change the port priority to control election of the root
port and designated port.
x Method used to configure an edge port.
Topology

Figure 6.2 STP topology
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Scenario
network consists of two layers: core layer and access layer. The network uses
a redundancy design. STP will be used to prevent loops. STP has different
modes. You can set the bridge priority to control STP root bridge election, and
configure features to speed up STP route convergence at the edge network.
Tasks
Step 1 Configure STP and verify the STP configuration.
Irrelevant interfaces must be disabled to ensure test result accuracy.
Shut down E0/0/1 on S3 before starting STP configuration. Ensure that the
devices start without any configuration files. If STP is disabled, run the stp
enable command to enable STP.
In the lab, traditional STP is used.
[Quidway]sysname S1
[S1]stp mode stp
[S1]stp root secondary

[Quidway]sysname S2
[S2]stp mode stp
[S2]stp root primary

[Quidway]sysname S3
[S3]stp mode stp

[Quidway]sysname S4
[S4]stp mode stp

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Run the display stp brief command to view brief information about STP.
[S1]display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/9 ROOT FORWARDING NONE
0 GigabitEthernet0/0/10 ALTE DISCARDING NONE
0 GigabitEthernet0/0/13 DESI FORWARDING NONE


0 Ethernet0/0/13 ALTE DISCARDING NONE
0 Ethernet0/0/23 ROOT FORWARDING NONE

0 Ethernet0/0/14 ALTE DISCARDING NONE
0 Ethernet0/0/24 ROOT FORWARDING NONE

Run the display stp interface command to view the STP status of a port.
[S1]display stp interface GigabitEthernet 0/0/10
----[CIST][Port10(GigabitEthernet0/0/10)][DISCARDING]----
Port Protocol :enabled
Port Role :Alternate Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Desg. Bridge/Port :0.0018-82e1-aea6 / 128.10
Port Edged :Config=default / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :STP
Port Protocol Type :Config=auto / Active=dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


TC or TCN send :2
TC or TCN received :64
BPDU Sent :24
TCN: 0, Config: 0, RST: 24, MST: 0
BPDU Received :350601

Step 2 Control root bridge election.
Run the display stp command to view information about the root bridge.
[S2]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge :0 .0018-82e1-aea6
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :0 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC :0 .0018-82e1-aea6 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
CIST Root Type :PRIMARY root
TC count per hello :0
STP Converge Mode :Nomal
Time since last TC :0 days 0h:1m:6s
output omit

Configure S2 as the root bridge and S1 as the backup root bridge. The
device with the same value of CIST Bridge and CIST Root/ERPC is the root
bridge.
A smaller bridge priority value indicates a higher bridge priority. Change
the priorities of S1 and S2 to 4096 and 8192 respectively so that S1 becomes
the root bridge.
[S1]undo stp root
[S1]stp priority 4096

[S2]undo stp root
[S2]stp priority 8192

Run the display stp command to view information about the new root
bridge.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S1]display stp
output omit

[S2]display stp
CIST Bridge :8192 .0018-82e1-ae82
CIST RegRoot/IRPC :8192 .0018-82e1-ae82 / 0
output omit

The greyed lines in the preceding information indicate that S1 has become
the new root bridge.
Shut down G0/0/9, G0/0/10, G0/0/13, and G0/0/14 on S1 to isolate S1.
[S1-GigabitEthernet0/0/9]shutdown

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S2]display stp
CIST Bridge :8192 .0018-82e1-ae82
CIST Root/ERPC :8192 .0018-82e1-ae82 / 0
output omit

The greyed lines in the preceding information indicate that S2 becomes
the root bridge when S1 is faulty.
Start the shutdown interfaces on S1.
[S1-GigabitEthernet0/0/9]undo shutdown

[S1]display stp
output omit

[S2]display stp
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


CIST Bridge :8192 .0018-82e1-ae82
output omit

The greyed lines in the preceding information indicate that S1 has restored
and became the root bridge.

Step 3 Control root port election.
Run the display stp brief command on S2 to view the roles of interfaces.

The preceding information shows that G0/0/9 is the root port and G0/0/10
is the alternate port. You can change port priorities so that G0/0/10 becomes
the root port and G0/0/9 becomes the alternate port.
Change priorities of G0/0/9 and G0/0/10 on S1.
The default port priority is 128. A larger port priority value indicates a lower
priority. The priorities of G0/0/9 and G0/0/10 on S1 are set to 32 and 16;
therefore, G0/0/10 on S2 becomes the root port.
[S1-GigabitEthernet0/0/9]stp port priority 32
[S1-GigabitEthernet0/0/10]stp port priority 16

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Note that the port priorities are changed on S1, not S2.
----[CIST][Port9(GigabitEthernet0/0/9)][FORWARDING]----
Port Role :Designated Port
Port Priority :32
Port Stp Mode :STP
TC or TCN send :0
BPDU Sent :229
BPDU Received :3

----[CIST][Port10(GigabitEthernet0/0/10)][FORWARDING]----
Port Role :Designated Port
Port Priority :16
Port Stp Mode :STP
TC or TCN send :0
BPDU Sent :210
BPDU Received :3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Run the display stp brief command on S2 to view the role of interfaces..

The greyed lines in the preceding information indicate that G0/0/10 on S2
has become the root port and G0/0/9 has become the alternate port.
Shut down G0/0/10 on S2 and view the port roles.
<S2>display stp brief

The greyed line in the preceding information indicates that G0/0/9 has
become the root port.

Step 4 Configure an edge port.
Configure ports connected to the user terminals as edge ports. An edge
port can transition to the forwarding state without participating in the STP
calculation. In this example, E0/0/3 and E0/0/4 on S3 are configured as edge
ports.
[S3]interface Ethernet0/0/3
[S3-Ethernet0/0/3]stp edged-port enable
[S3-Ethernet0/0/3]interface Ethernet0/0/4
[S3-Ethernet0/0/4]stp edged-port enable

After the configurations are complete, connect the network cable of a
computer to E0/0/3 on S3 and run the display stp brief command to view the
port status. You can see that E0/0/2 enters the forwarding state
immediately.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


When the network cable of the computer is connected to a non-edge port
such as E0/0/5, the port enters the forwardingstate about 30s after the link
becomes Up.

Why does root bridge election need to be controlled? How is root bridge
election controlled?
What is the transition process when a port changes from the blocking state
to the forwarding state? How much time does the transition process take?
Which method can be used to accelerate STP route convergence?
#
sysname S1
#
vlan batch 1
#
stp mode stp
stp instance 0 priority 4096
stp enable
#
stp instance 0 port priority 32
ntdp enable
ndp enable
bpdu enable
#
stp instance 0 port priority 16
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
return

#
sysname S2
#
vlan batch 1
#
stp mode stp
stp instance 0 priority 8192
stp enable
#
ntdp enable
ndp enable
bpdu enable
#
shutdown
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


return

#
sysname S3
#
stp mode stp
stp enable
#
shutdown
bpdu enable
# interface Ethernet0/0/3
stp edged-port enable
bpdu enable
#
stp edged-port enable
bpdu enable
#
bpdu enable
#
bpdu enable
#
return

#
sysname S4
#
stp mode stp
stp enable
#
bpdu enable
#
bpdu enable
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


bpdu enable
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 6-3 VLAN Configuration
Learning Objectives
x VLAN functions.
x VLAN security.
x VLAN configurations.
x Access port and trunk port configuration.
x Method used to add a port to a VLAN.
x Hybrid port configuration.
Topology

Figure 6.3 VLAN topology
Scenario
Assume that you are a network administrator of a company and need to
configure VLANs on the network. Your company has two switches. You need
to configure VLANs and relevant features.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 1 Configure an Eth-Trunk.
In this lab, Ethernet0/0/1 and Ethernet0/0/23 on S3 and Ethernet0/0/14 on
S4 need to be shut down.
Two links exist between S1 and S2. If STP is enabled, one link will be
disabled, which wastes bandwidth. If STP is not used, loops may occur. In this
situation, you can configure an Eth-Trunk.
Before configuring an Eth-Trunk, delete the original configurations on the
member interfaces.
You can add physical interfaces to an Eth-Trunk in the interface view or in
the Eth-Trunk view.
On S1, add interfaces to an Eth-Trunk in the interface view.
[Quidway]sysname S1
[S1]interface eth-trunk 1
[S1-Eth-Trunk1]quit
[S1]interface gigabitethernet0/0/9
[S1-Gigabitethernet0/0/9]eth-trunk 1
[S1-Gigabitethernet0/0/9]interface gigabitethernet0/0/10
[S1-Gigabitethernet0/0/10]eth-trunk 1

On S2, add interfaces to an Eth-Trunk in the Eth-Trunk view.
[Quidway]sysname S2
[S2]interface eth-trunk 1
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/9
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10

By default, the link type of a interface is hybrid. You can change the link
type to trunk.
By default, a interface of trunk type rejects data from any VLANs.
[S1-Eth-Trunk1]port link-type trunk
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S1-Eth-Trunk1]port trunk allow-pass vlan all

[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan all

Step 2 Configure VLANs.
Use S3, R1, R3, and S4 as hosts to perform the VLAN configuration. S3
belongs to VLAN 3, R1 and R3 belong to VLAN 4, and S4 belongs to VLAN 5.
There are two methods to configure VLANs with consecutive IDs.
There are two methods to define mapping between VLANs and interfaces.
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1]vlan 3
[S1-vlan3]port GigabitEthernet0/0/13
[S1-vlan3]vlan 4
[S1-vlan4]port GigabitEthernet0/0/1
[S1-vlan4]vlan 5

[S2]vlan batch 3 to 5
[S2-GigabitEthernet0/0/3]port default vlan 4

Step 3 Plan IP addresses.
Use S3, R1, R3, and S4 as clients to perform the VLAN configuration.
Configure IP addresses for interfaces. Physical interfaces on switches
cannot be configured with IP addresses, so VLANIF 1 is assigned an IP
address.
[Quidway]sysname S3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S3]interface vlanif 1
[S3-vlanif1]ip address 10.0.3.3 24

<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R3

[Quidway]sysname S4
[S4]interface vlanif 1
[S4-vlanif1]ip address 10.0.5.4 24

Step 4 Perform a test.
Run the ping command. R1 and R3 in VLAN 4 can communicate with
each other, and devices in different VLANs cannot communicate.
[R3]ping 10.0.4.1

0.00% packet loss

Test communication between R1 and S3, and between R3 and S4.
Configure a management address for each VLAN on S1. By doing this, S1
connects to three clients that belong to VLAN 3, VLAN 4, and VLAN 5
respectively.
[S1]interface Vlanif 3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S1-Vlanif3]ip address 10.0.3.11 24
[S1-Vlanif3]interface Vlanif 4

After the configurations are complete, test communication between clients
in VLANs on S1.
[S1]ping 10.0.3.3

0.00% packet loss

[S1]ping 10.0.4.1

0.00% packet loss

[S1]ping 10.0.4.3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[S1]ping 10.0.5.4

0.00% packet loss

Step 5 Configure a hybrid interface.
A hybrid interface is similar to a trunk interface, but it allows users in
different VLANs to communicate if these users are on the same network
segment.
Change IP addresses of S3 and R3.


Set the link type of G0/0/13 on S1 to hybrid and configure VLAN 3 as its
default VLAN. Add G0/0/13 to VLAN 3 and VLAN 4 in untagged mode. Before
changing the interface type, delete any existing configuration on the interface.
[S1-GigabitEthernet0/0/13]undo port default vlan
[S1-GigabitEthernet0/0/13]port link-type hybrid
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S1-GigabitEthernet0/0/13]port hybrid pvid vlan 3
[S1-GigabitEthernet0/0/13]port hybrid untagged vlan 3 to 4

Set the link type of G0/0/3 on S2 to hybrid and configure VLAN 4 as its
default VLAN. Add G0/03 to VLAN 3 and VLAN 4 in untagged mode.
[S2-GigabitEthernet0/0/3]undo port default vlan
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid pvid vlan 4
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 3 to 4

S3 and R3 can communicate even though they are located in different
network segments.
[S3]ping 10.0.6.4

0.00% packet loss

In which scenario is a hybrid interface used?
#
sysname S1
#
vlan batch 1 3 to 5
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
interface Vlanif1
#
interface Vlanif3
ip address 10.0.3.11 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.11 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.11 255.255.255.0
#
interface MEth0/0/1
#
port link-type trunk
port trunk allow-pass vlan 2 to 4094
bpdu enable
#
port link-type access
port default vlan 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port hybrid pvid vlan 3
port hybrid untagged vlan 3 to 4
ntdp enable
ndp enable
bpdu enable
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


interface NULL0
#
return

#
sysname S2
#
vlan batch 1 3 to 5
#
interface Vlanif1
#
interface MEth0/0/1
#
bpdu enable
#
port hybrid pvid vlan 4
port hybrid untagged vlan 3 to 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port default vlan 5
ntdp enable
ndp enable
bpdu enable
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
return

#
sysname S3
#
interface Vlanif1
ip address 10.0.6.3 255.255.255.0
#
bpdu enable
#
return

#
sysname S4
#
interface Vlanif1
ip address 10.0.5.4 255.255.255.0
#
bpdu enable
#
return

[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.4.1 255.255.255.0
#
return

[V200R001C01SPC300]
#
sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
ip address 10.0.6.4 255.255.255.0
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 7 Layer3 Configuration and VRRP


Chapter 7 Layer3 Configuration and VRRP
Lab 7-1 Configuring Layer 3 Switching
Learning Objectives
x Layer 3 switching advantages.
x Similarities and differences between Layer 3 switching and Layer 3
routing.
x Method of configuring VLANIF interfaces.
x Method of configuring communication between VLANs.
x Method of configuring Open Shortest Path First (OSPF) between
VLANIF interfaces.
TopoIogy

Figure 7.1 Lab topology of Layer 3 switching
Scenario
Assume that you are a network administrator of a company and the current
network of your company has four users: S3, R1, R3, and S4. The users
belong to different virtual local area networks (VLANs). S3 belongs to VLAN 3,
R1 belongs to VLAN 4, R3 belongs to VLAN 6, and S4 belongs to VLAN 7.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Users in these VLANs can communicate with each other. S1 and S2
communicate with each other through a Layer 3 link, so routing protocols are
used.
Tasks
Step 1 Configure the links between S1 and S2 as Eth-Trunk
links.
In this example, Ethernet0/0/1 and Ethernet0/0/23 of S3 and
Ethernet0/0/14 of S4 must be disabled.
[Quidway]sysname S1
[S1-Eth-Trunk1]quit

[Quidway]sysname S2
[S2-Eth-Trunk1]quit

Step 2 Configure VLAN 3 to VLAN 7 in batches for S1 and S2.


Check the creation of VLANs.
[S1]display vlan
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The total number of vlans is : 6
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------

VID Type Ports
---------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) GE0/0/4(D)
GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(U) GE0/0/10(U) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(U) GE0/0/14(U) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(U) GE0/0/22(U) GE0/0/23(U) GE0/0/24(D)
3 common
4 common
5 common
6 common
7 common

VID Status Property MAC-LRN Statistics Description
---------------------------------------------------------------------------
1 enable default enable disable VLAN 0001

[S2]display vlan
The total number of vlans is : 6
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------

VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) GE0/0/4(D)
GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(U) GE0/0/10(U) GE0/0/11(D) GE0/0/12(D)
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(U) GE0/0/24(U)
3 common
4 common
5 common
6 common
7 common

VID Status Property MAC-LRN Statistics Description
----------------------------------------------------------------------------

Step 3 Set the types of Eth-Trunk links between S1 and S2 to
access. The links belong to VLAN 5.
Add G0/0/1 and G0/0/13 of S1 to VLAN 4 and VLAN 3 respectively, and
add G0/0/3 and G0/0/24 of S2 to VLAN 6 and VLAN 7 respectively.
[S1-Eth-Trunk1]port link-type access
[S1-Eth-Trunk1]port default vlan 5
[S1-Eth-Trunk1]interface GigabitEthernet 0/0/1

[S2-Eth-Trunk1]port link-type access
[S2-Eth-Trunk1]port default vlan 5
[S2-Eth-Trunk1]interface GigabitEthernet 0/0/3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Step 4 Configure gateway IP addresses for the VLANs of S1
and S2.
S1 provides gateway services for VLAN 3 to VLAN 5, while S2 provides
gateway services for VLAN 5 to VLAN 7. Therefore, configure IP addresses for
VLANIF 3, VLANIF 4, and VLANIF 5 on S1, and configure IP addresses for
VLANIF 5, VLANIF 6, and VLANIF 7 on S2.


Step 5 Configure IP addresses and default routes for S3, R1, R3,
and S4.
[Quidway]sysname S3
[S3-Vlanif1]quit
[S3]ip route-static 0.0.0.0 0 10.0.3.1

Note: Physical interfaces on switches cannot be configured with IP
addresses, so IP addresses are configured for VLANIF interfaces. S3 belongs
to VLAN 3 on S1; however, E0/0/13 on S3 belongs to VLAN 1. In this case,
configure an IP address for VLANIF 1 on S3 so that S3 belongs to VLAN 3.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The configuration of S4 is similar.
<Huawei>system-view
[Huawei]sysname R1
[R1]ip route-static 0.0.0.0 0 10.0.4.1

<Huawei>system-view
[Huawei]sysname R3
[R3]ip route-static 0.0.0.0 0 10.0.6.1

[Quidway]sysname S4
[S4-Vlanif1]quit
[S4]ip route-static 0.0.0.0 0 10.0.7.1

Step 6 Test connectivity between VLAN 3 and VLAN 4.
Test connectivity between S3 and R1.
[R1]ping 10.0.3.33

0.00% packet loss

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]ping 10.0.6.33
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

R1 and R3 fail to communicate with each other. Run the tracert command
to troubleshoot the fault:
[R1]tracert 10.0.6.33
to break
1 10.0.4.1 62 ms 4 ms 4 ms
2 * * *

According to the command output, R1 has sent the data packet to the
destination address 10.0.6.33, but the gateway at 10.0.4.1 responds that the
network is unreachable.
Then check whether the network is unreachable on the gateway (S1).
[S1]display ip routing-table
----------------------------------------------------------------------------


10.0.3.0/24 Direct 0 0 D 10.0.3.1 Vlanif3
10.0.4.0/24 Direct 0 0 D 10.0.4.1 Vlanif4
10.0.5.0/24 Direct 0 0 D 10.0.5.1 Vlanif5
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



According to the command output, S1 does not have a route to the
network segment 10.0.6.0 because the network segment is not directly
connected to S1. In addition, no static route or dynamic routing protocol is
configured.
Step 7 Enable OSPF on S1 and S2.
[S1]ospf 1
[S2-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[S2]ospf 1
[S2-ospf-1]area 0

After the configuration, wait until S1 and S2 exchange OSPF routes. View
the routing table of S1.
[S1]display ip routing-table
----------------------------------------------------------------------------


10.0.3.0/24 Direct 0 0 D 10.0.3.1 Vlanif3
10.0.4.0/24 Direct 0 0 D 10.0.4.1 Vlanif4
10.0.5.0/24 Direct 0 0 D 10.0.5.1 Vlanif5
10.0.6.0/24 OSPF 10 2 D 10.0.5.2 Vlanif5
10.0.7.0/24 OSPF 10 2 D 10.0.5.2 Vlanif5

S1 has learned two routes using OSPF.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1]ping 10.0.6.33

0.00% packet loss

[R1]ping 10.0.7.44

0.00% packet loss

If the links between S1 and S2 are trunk links, can users in VLANs
communicate with each other without using any routing protocols?

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


FnaI Confguratons
#
sysname S1
#
vlan batch 1 3 to 7
#
interface Vlanif1
#
interface Vlanif3
ip address 10.0.3.1 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.1 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.1 255.255.255.0
#
interface MEth0/0/1
#
port default vlan 5
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


port default vlan 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port default vlan 3
ntdp enable
ndp enable
bpdu enable
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return

#
sysname S2
#
vlan batch 1 3 to 7
#
interface Vlanif1
#
interface Vlanif5
ip address 10.0.5.2 255.255.255.0
#
interface Vlanif6
ip address 10.0.6.1 255.255.255.0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


interface Vlanif7
ip address 10.0.7.1 255.255.255.0
#
interface MEth0/0/1
#
port default vlan 5
#
port default vlan 6
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port default vlan 7
ntdp enable
ndp enable
bpdu enable
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return

#
sysname S3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
interface Vlanif1
ip address 10.0.3.33 255.255.255.0
#
bpdu enable
#
ip route-static 0.0.0.0 0.0.0.0 10.0.3.1
#
return

#
sysname S4
#
interface Vlanif1
ip address 10.0.7.44 255.255.255.0
#
bpdu enable
#
ip route-static 0.0.0.0 0.0.0.0 10.0.7.1
#
return

[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.4.11 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#
return

[V200R001C01SPC300]
#
sysname R3
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ip address 10.0.6.33 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.1
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 7-2 Configuring the VRRP
Learning Objectives
x Functions of load balancing.
x Working principles of the Virtual Router Redundancy Protocol (VRRP).
x Method of configuring one VRRP group on a Layer 3 switching
network.
x Method of configuring VRRP authentication.
x Method of configuring VRRP to trace the interface status.
x Method of using VRRP to implement load balancing.
TopoIogy
Figure 7.2 Lab topology of the VRRP configuration
5cenaro
Assume that you are a network administrator of a company and the current
network of your company has two users: R2 and R3. A loopback interface of
R1 simulates an Internet server. The network has two gateways, and you use
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


VRRP to implement gateway redundancy.
Tasks
Step 1 Perform basic configurations and IP addressing.
In this lab, GigabitEthernet0/0/9, GigabitEthernet0/0/13 and
GigabitEthernet0/0/14 on S1 need to be shut down.
The user network uses VLAN 1; S1 connects to R1 using VLAN 2; S2
connects to R1 using VLAN 3; a loopback interface has been configured on R1;
IP addresses and default gateways have been configured on R2 and R3.
The router R1 simulates a wide area network (WAN), while its loopback
interface simulates a server on the WAN.
[Huawei]sysname R1
[R1]interface LoopBack 0
[R1-LoopBack0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2

The router R2 simulates one PC on a local area network (LAN), using the
network segment 10.0.123.0/24 and the gateway 10.0.123.1.
The router R3 simulates another PC on the LAN, using the network
segment 10.0.123.0/24 and the gateway 10.0.123.1.
<Huawei>system-view
[Huawei]sysname R2
[R2]ip route-static 0.0.0.0 0 10.0.123.1

<Huawei>system-view
[Huawei]sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3]ip route-static 0.0.0.0 0 10.0.123.1

Create VLAN 1 to VLAN 3 on the switch S1. The default link type of
interfaces is hybrid. Configure G0/0/10 as a Trunk interface and configure it to
allow all VLANs. Configure G0/0/1 as an access interface and add it to VLAN 2.
Configure G0/0/2 as an access interface and add it to VLAN 1. Create VLANIF
1 to provide gateway for VLAN 1 and assign IP address 10.0.123.2/24 to
VLANIF 1. Create VLANIF 2 as a Layer 3 link connecting to R1 and assign IP
address 10.0.11.1/24 to VLANIF 2.
<Huawei>system-view
[Huawei]sysname S1
[S1-GigabitEthernet0/0/10]port link-type trunk
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2]interface Vlanif 1
[S1-Vlanif1]interface vlanif 2

Create VLAN 1 to VLAN 3 for the switch S2. The interfaces by default
adopt the hybrid mode. Define G0/0/10 as a Trunk interface to allow the
access of all VLANs. Define G0/0/1 as an access interface belonging to VLAN
3. Define G0/0/3 as an access interface belonging to VLAN 1. Set the IP
address of VLANIF 1 to 10.0.123.3/24 and use VLANIF 1 to provide gateway
services for VLAN 1. Set the IP address of VLANIF 2 to 10.0.12.1/24 and use
VLANIF 2 as a Layer 3 link for connecting to R1.
<Huawei>system-view
[Huawei]sysname S2
[S2-GigabitEthernet0/0/10]port link-type trunk
[S2-GigabitEthernet0/0/10]port trunk allow-pass vlan all
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S2-GigabitEthernet0/0/3]interface Vlanif 1

After completing the configuration, test connectivity of direct links. Use the
ping command to test the connections to S1, R1, R2, and R3 on S2. Use -c 1
in the ping command to configure the system to send only one ping packet. If
you do not use this parameter, the system sends five packets by default.
[S2]ping -c 1 10.0.12.2

0.00% packet loss

[S2]ping -c 1 10.0.123.2

0.00% packet loss

[S2]ping -c 1 10.0.123.4

0.00% packet loss
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S2]ping -c 1 10.0.123.5

0.00% packet loss

Step 2 Configure the OSPF routing protocol to implement the
route connectivity between S1, S2, and R1.
[S1]ospf 1
[S1-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]quit
[S1-ospf-1]silent-interface Vlanif 1

[S2]ospf 1
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]quit
[S2-ospf-1]silent-interface Vlanif 1

[R1]ospf 1
[R1-ospf-1]area 0

After completing the configuration, wait until the network convergence is
complete. Then test the network connectivity.
[S2]ping -c 1 10.0.11.1

0.00% packet loss
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S2]ping -c 1 10.0.1.1

0.00% packet loss

[S2]ping -c 1 10.0.12.2

0.00% packet loss

Step 3 Configure VRRP to implement gateway redundancy.
Configure VRRP on S1. Create VRRP group 1 and set its priority to 105.
By default, the priority is 100.
[S1-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1
[S1-Vlanif1]vrrp vrid 1 priority 105

[S2-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1

After the configuration, run the ping command on R2 and R3 to test
whether they can communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

[R3]ping -c 1 10.0.1.1

0.00% packet loss

Check the VRRP state on S1.
[S1]display vrrp
Vlanif1 | Virtual Router 1
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.2
PriorityRun : 105
PriorityConfig : 105
MasterPriority : 105
Preempt : YES Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0

Currently, R2 and R3 send data packets to the Internet server through S1.
Shut down VLANIF 1 on S1, and then test whether the traffic can be switched
to S2.
[S1-Vlanif1]shutdown

Run the ping command on R2 and R3 to test whether they can
communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R3]ping -c 1 10.0.1.1

0.00% packet loss

S1 stops running at present. Check the VRRP state on S1 and S2.
[S1]display vrrp
State : Initialize
Virtual IP : 10.0.123.1
Master IP : 0.0.0.0
PriorityRun : 105
MasterPriority : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

[S2]display vrrp
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.3
PriorityRun : 100
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

Step 4 Configure interface tracking.
Enable the VLANIF 1 interface on S1. Specify G0/0/1 for S1 and S2 to
track.
[S1-Vlanif1]undo shutdown

[S1]display vrrp
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.2
PriorityRun : 105
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

Currently, R2 and R3 send data to the Internet server through S1. If G0/0/1
of S1 or G0/0/1 of R1 is disabled, traffic cannot be switched to S2.
Disable G0/0/1 of S1.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



[S1]display vrrp brief
VRID State Interface Type Virtual IP
--------------------------------------------------------
1 Master Vlanif1 Normal 10.0.123.1

Note: You can use the brief parameter to display only the brief information.
Test connectivity between R2 and the Internet server.
[R2]ping -c 1 10.0.1.1
Request time out

100.00% packet loss

The command output shows that R2 cannot communicate with the Internet
server.
Enable G0/0/1 of S1.

Configure VRRP to track G0/0/1 on S1 and S2. If G0/0/1 of S1 is
disabled, the VRRP priority of S1 is reduced by 10. In this case, S2 replaces
S1 as the VRRP master device.
[S1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10

[S2-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10

Test the network connectivity.
R2 can communicate with the Internet server.
[R2]ping -c 1 10.0.1.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

Disable G0/0/1 of S1.

Test connectivity between R2 and the Internet server.
[R2]ping -c 1 10.0.1.1

0.00% packet loss

R2 can communicate with the Internet server. Check the VRRP state on
S1.
[S1]display vrrp
State : Backup
Virtual IP : 10.0.123.1
Master IP : 10.0.123.3
PriorityRun : 95
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track IF : GigabitEthernet0/0/1 Priority reduced : 10
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


IF state : DOWN

The configuration in this lab implements the redundancy of two Layer 3
switches, which can effectively prevent single-point failures. However, only
one Layer 3 switch processes services, resulting in resource waste.
Design a scheme based on the current topology to implement redundancy
and load balancing.
FnaI Confguratons
#
sysname S1
#
vlan batch 1 to 3
#
interface Vlanif1
ip address 10.0.123.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.123.1
vrrp vrid 1 priority 105
vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif2
ip address 10.0.11.1 255.255.255.0
#
shutdown
port default vlan 2
ntdp enable
ndp enable
bpdu enable
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
interface NULL0
#
ospf 1
silent-interface Vlanif1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return

#
sysname S2
#
vlan batch 1 to 3
#
interface Vlanif1
ip address 10.0.123.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.123.1
vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif3
ip address 10.0.12.1 255.255.255.0
#
port default vlan 3
ntdp enable
ndp enable
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
ospf 1
silent-interface Vlanif1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return

[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.11.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[V200R001C01SPC300]
#
sysname R2
#
ip address 10.0.123.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
#
return

[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.123.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 8 WAN Configuration


Chapter 8 WAN Configuration
Lab 8-1 HDLC and PPP Configuration
Learning Objectives
x WAN technologies.
x PPP implementation.
x Method used to configure HDLC on a serial link.
x Method used to change the clock frequency on a serial link.
x Method used to configure PPP on a serial link.
x Method used to configure PAP authentication on the PPP link.
x Method used to configure CHAP authentication on the PPP link.
x Negotiation on the PPP link.
Topology

Figure 8.1 HDLC and PPP configuration

Scenario
You are a network administrator of a company. R1, R2, R3 in 0 are routers.
R1 is located in the headquarters, and R2 and R3 are located in two branches.
The headquarters and branches need to be interconnected. Use HDLC and
PPP on WAN links and use different authentication modes to ensure security.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 1 Configure IP addresses.
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3

Step 2 Enable HDLC on serial interfaces.
[R1-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R1-Serial1/0/0]

[R2-Serial2/0/0]

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3-Serial2/0/0]

After HDLC is enabled the on serial interfaces, view the serial interface
status. Use the display on R1 as an example.
[R1]display interface Serial1/0/0
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Link layer protocol is nonstandard HDLC
frame errors: 0
deferred: 0


Test connectivity of the directly connected link after verifying that the
physical status and protocol status of the interface are Up.
[R2]ping 10.0.12.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R2]ping 10.0.23.3

0.00% packet loss

[R1]rip
[R1-rip-1]version 2

[R2]rip
[R2-rip-1]version 2

[R3]rip
[R3-rip-1]version 2

After the configurations are complete, check whether all the routes are
learned. Verify that corresponding routes are learned by RIP.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------


10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0

On R1, run the ping command to test connectivity between R1 and R3.
[R1]ping 10.0.23.3

0.00% packet loss

Step 4 View the type of the cable connected to the serial
interface, interface status, and clock frequency, and
change the clock frequency.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Link layer protocol is nonstandard HDLC
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is TC
frame errors: 0
deferred: 0


The preceding information shows that S1/0/0 on R2 connects to a DCE
cable and the clock frequency is 64000 bit/s.
The DCE controls the clock frequency and bandwidth.
Change the clock frequency on the link between R1 and R2 to 128000 bit/s.
This operation must be performed on the DCE, R1.
[R1-Serial1/0/0]baudrate 128000

After the configurations are complete, view the serial interface status.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


LCP opened, IPCP opened
frame errors: 0
deferred: 0


Step 5 Configure PPP on serial interfaces between R1 and R2
and between R2 and R3.
Configure PPP. Both ends of the link must use the same encapsulation
mode. If both ends of the link use different encapsulation modes, interfaces
may become Down.
[R1-Serial1/0/0]link-protocol ppp
[R1-Serial1/0/0]

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2-Serial2/0/0]

[R3-Serial2/0/0]

After the configurations are complete, test link connectivity.
[R2]ping 10.0.12.1

0.00% packet loss

[R2]ping 10.0.23.3

0.00% packet loss

If the ping operation fails, check the interface status and check whether
the link layer protocol type is correct.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


frame errors: 0
deferred: 0


Step 6 Check routing entry changes.
After PPP configurations are complete, routers establish connections at
the data link layer. The local device sends a route to the peer device. The route
contains the interface IP address and a 32-bit mask.
The following information uses R2 as an example. You can see the routes
to R1 and R3.
----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

Think about the origin and functions of the two routes. Check the following
items:
If HDLC is used, do the two routes exist?
Can R1 and R2 communicate using HDLC or PPP when the IP addresses
of S1/0/0 interfaces on R1 and R2 are located on different network segments?
Step 7 Enable PAP authentication on the PPP link between R1
and R2.
Configure R1 as the authentication server. After R2 sends an
authentication request to R1, R1 sends a response message to R2, requesting
R2 to use PAP authentication and send its password to R1.
Configure PAP authentication on R1.
[R1-Serial1/0/0]ppp authentication-mode pap
[R1]aaa
[R1-aaa]local-user huawei password simple hello
info: A new user added
[R1-aaa]local-user huawei service-type ppp

Configure PAP authentication on R2.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2-Serial1/0/0]ppp pap local-user huawei password simple hello

After the configurations are complete, test connectivity between R1 and R2.

Step 8 Enable CHAP authentication on the PPP link between R2
and R3.
Configure R3 as the authentication server. After R2 sends an
authentication request to R3, R3 sends a response message to R2, requesting
R2 to use CHAP authentication and send its user name and password to R3.
[R3-Serial2/0/0]ppp authentication-mode chap
[R3]aaa
[R3-aaa]local-user user1 password cipher huawei
info: A new user added
[R3-aaa]local-user user1 service-type ppp
[R3-aaa]quit

On R3, the following information is displayed.
Oct 10 2011 16:46:03+00:00 R3 %%01PPP/4/PEERNOCHAP(l)[9]:On the interface
Serial2/0/0, authentication failed and PPP link was closed because CHAP was
disabled on the peer.
Oct 10 2011 16:46:03+00:00 R3 %%01PPP/4/RESULTERR(l)[10]:On the interface
Serial2/0/0, LCP negotiation failDCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

The greyed line indicates that authentication failed.
Configure R2 as the CHAP client.
[R2-Serial2/0/0]ppp chap user user1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2-Serial2/0/0]ppp chap password cipher huawei

After the configurations are complete, the interface becomes Up. The ping
command output is as follows:
[R2]ping 10.0.23.3

0.00% packet loss

Step 9 Run the debug command to view negotiation of the PPP
connection between R2 and R3. The PPP connection is
established by CHAP.
Use R2 as an example. View the PPP negotiation process between R2
and R3. Disable S2/0/0 on R2, run the debug command, and enable S2/0/0 on
R2.
First shut down S2/0/0 on R2.

Run the debugging ppp chap all command. By default, the debugging
information is displayed. Run the terminal debugging command to display
the debugging information on the console port.
[R2-Serial2/0/0]return
<R2>debugging ppp chap all

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Enable S2/0/0 on R2.
<R2>system-view

The following debugging information is displayed on the console port:
PPP State Change:
Serial2/0/0 CHAP : Initial --> ListenChallenge
Oct 10 2011 17:54:48.830.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 25
State ListenChallenge, code Challenge(01), id 1, len 21
Value_Size: 16 Value: 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87 94 3 f0 1
Name:
Oct 10 2011 17:54:48.830.2+00:00 R2 PPP/7/debug2:
PPP Event:
Serial2/0/0 CHAP Receive Challenge Event
state ListenChallenge
Oct 10 2011 17:54:48.830.3+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Output CHAP(c223) Pkt, Len 37
State ListenChallenge, code Response(02), id 1, len 33
Value_Size: 16 Value: 4b 6 73 d1 48 c2 55 8d da a6 c7 3e 21 e9 44 48
Name: user1
Oct 10 2011 17:54:48.830.4+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : ListenChallenge --> SendResponse
Oct 10 2011 17:54:48.850.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 20
State SendResponse, code SUCCESS(03), id 1, len 16
Message: Welcome to .
Oct 10 2011 17:54:48.850.2+00:00 R2 PPP/7/debug2:
PPP Event:
Serial2/0/0 CHAP Receive Success Event
state SendResponse
Oct 10 2011 17:54:48.850.3+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : SendResponse --> ClientSuccess

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The greyed line shows the interface status change.
Run the debugging ppp pap all command to view PPP negotiation when
PAP authentication is used between R1 and R2. Compare the debugging ppp
pap all command output with the debugging ppp chap all command output to
learn about difference between PAP authentication and CHAP authentication.
Why CHAP is more secure than PAP?
[V200R001C01SPC300]
#
sysname R1
#
aaa
domain default
local-user huawei password simple hello
local-user huawei service-type ppp
#
link-protocol ppp
ppp authentication-mode pap
ip address 10.0.12.1 255.255.255.0
baudrate 128000
#
rip 1
version 2
network 10.0.0.0
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[V200R001C01SPC300]
#
sysname R2
#
aaa
domain default
#
link-protocol ppp
ppp pap local-user huawei password simple hello
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ppp chap user user1
ppp chap password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
ip address 10.0.23.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return

[V200R001C01SPC300]
#
sysname R3
#
aaa
authentication-scheme system
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


domain default
domain system
local-user user1 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user user1 service-type ppp
#
link-protocol ppp
ppp authentication-mode chap
ip address 10.0.23.3 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
Return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 8-2 FR Configuration (Back to Back)
Learning Objectives
x PVC functions.
x Frame Relay (FR) implementation.
x Method used to configure FR on a serial link.
x Method used to configure mapping between IP addresses and DLCIs
on the FR network.
x Method used to configure RIP on the FR network.
x Method used to configure OSPF on the FR network.
Topology

Figure 8.2 FR topology
Scenario
You are a network administrator of a company. R1, R2, R3 in 0 are routers.
R1 is located in the headquarters, and R2 and R3 are located in two branches.
The headquarters and branches need to be interconnected. You need to
configure FR on WAN links and mapping between DLCIs and IP addresses.
Tasks
<Huawei>system-view
[Huawei]sysname R1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



<Huawei>system-view
[Huawei]sysname R2
[R2-LoopBack0]interface Serial 2/0/0

<Huawei>system-view
[Huawei]sysname R3

After the IP addresses are configured, test network connectivity.
[R2]ping 10.0.12.1

0.00% packet loss

[R2]ping 10.0.23.3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

Step 2 Configure FR in back-to-back mode between R1 and R2
and use static address mapping.
The router configurations vary depending on whether it is connected to
DCE or DTE port. Check whether R1 or R2 connects to the DCE port of the
serial interface cable.
frame errors: 0
deferred: 0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



The preceding information shows that S1/0/0 on R1 connects to the DCE
port of the serial interface cable.
[R1-Serial1/0/0]link-protocol fr
[R1-Serial1/0/0]fr interface-type dce
[R1-Serial1/0/0]undo fr inarp
[R1-Serial1/0/0]fr dlci 102
[R1-fr-dlci-Serial1/0/0-102]quit
[R1-Serial1/0/0]fr map ip 10.0.12.2 102 broadcast

S1/0/0 on R2 connects to the DTE port of the serial interface cable.
[R2-Serial1/0/0]fr interface-type dte

After the configurations are complete, test link connectivity between R1
and R2.
[R2]ping 10.0.12.1

0.00% packet loss

If communication between R1 and R2 is abnormal before step 1 is
performed, the FR configuration is incorrect. Perform the following operations
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


to troubleshoot the fault.
Compare the display fr map-info command output on R1 with that on R2.
Use R1 as an example.
[R1]display fr map-info
Map Statistics for interface Serial1/0/0 (DCE)
DLCI = 102, IP 10.0.12.2, Serial1/0/0
create time = 2011/10/11 14:44:45, status = ACTIVE
encapsulation = ietf, vlink = 6, broadcast

Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 21, LMI status sent 21
LMI status enquiry timeout 9, LMI message discarded 2
frame errors: 0
deferred: 0


[R1]display fr lmi-info interface Serial 1/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Frame relay LMI statistics for interface Serial1/0/0 (DCE, Q933)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 31, out status = 31
status enquiry timeout = 9, discarded messages = 2

Step 3 Configure FR in back-to-back mode between R2 and R3
and use dynamic address mapping.
The router configurations vary depending on whether it is connected to
DCE or DTE port. Check whether R2 or R3 connects to the DCE port of the
serial port cable.
frame errors: 0
deferred: 0


h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The greyed line indicates that S2/0/0 on R3 connects to the DCE port.
[R2-Serial2/0/0]fr interface-type dte
[R2-Serial2/0/0]fr inarp

S2/0/0 on R3 connects to the DCE port of the serial port cable.
[R3-Serial2/0/0]fr interface-type dce
[R3-Serial2/0/0]fr dlci 203
[R3-fr-dlci-Serial2/0/0-203]quit
[R3-Serial2/0/0]fr inarp

After the configurations are complete, test connectivity between R2 and
R3.
[R3]ping 10.0.23.2

0.00% packet loss

If R2 fails to communicate with R3, locate the fault using the following
command output.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 28, LMI status sent 28
LMI status enquiry timeout 0, LMI message discarded 8
frame errors: 0
deferred: 0

[R3]display fr lmi-info
Frame relay LMI statistics for interface Serial2/0/0 (DCE, Q933)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 31, out status = 31
status enquiry timeout = 0, discarded messages = 8
[R3]display fr map-info
DLCI = 203, IP INARP 10.0.23.2, Serial2/0/0

Pay attention to the greyed lines. Compare the information on R1 with that
on R2.

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 4 Configure RIPv2 between R1 and R2 and configure a
neighbor relationship.
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]undo summary

[R2]rip
[R2-rip-1]version 2

View the R1 routing table.
----------------------------------------------------------------------------


10.0.2.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0

The preceding information shows that R1 has learned routes. Test network
connectivity on R1.
[R1]ping 10.0.23.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

The preceding information shows that communication between R1 and R2
is normal.
R1 fails to communicate with R3 because R3 is not running any routing
protocol.
R1 and R2 run RIPv2. They can learn routes from each other because the
network supports broadcast.
Run the display fr map-info interface Serial 1/0/0 command on R2 to
check whether R2 supports broadcast. Use R2 as an example.
[R2]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
DLCI = 102, IP 10.0.12.1, Serial1/0/0

Modify configurations of R1 and R2 and disable broadcast.
[R1-Serial1/0/0]undo fr map ip 10.0.12.2 102
[R1-Serial1/0/0]fr map ip 10.0.12.2 102

[R2-Serial1/0/0]fr map ip 10.0.12.1 102

To enable R1 and R2 to update routes, run shutdown and undo
shutdown on an interface of R1 or R2. Use R2 as an example.

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


After the configurations are complete, check the routes. Use R2 as an
example.
----------------------------------------------------------------------------


10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0

R1 and R2 cannot exchange routes because broadcast is disabled. Run
the ping command on R2.
[R2]ping 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Run the display fr map-info interface Serial 1/0/0 command on R2 to
check whether R2 supports broadcast.
DLCI = 102, IP 10.0.12.1, Serial1/0/0
encapsulation = ietf, vlink = 13

There is no broadcast field, indicating that R2 does not support broadcast.
Configure a RIP neighbor relationship between R1 and R2 and configure
them to exchange routes in unicast mode.
[R1]rip
[R1-rip-1]peer 10.0.12.2

[R2]rip
[R2-rip-1]peer 10.0.12.1

After the configurations are complete, check the routes on R2.
----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.12.1 Serial1/0/0
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Run the ping command to test network connectivity.
[R2]ping 10.0.1.1

0.00% packet loss

By default, route aggregation is enabled in RIPv2; therefore, there is only
one RIP route on R1.
Step 5 Configure OSPF between R2 and R3 and configure an
OSPF neighbor relationship between them.
[R2]router id 10.0.2.2
[R2]ospf 1
[R2-ospf-1]area 0

[R3]router id 10.0.3.3
[R3]ospf 1
[R3-ospf-1]area 0

After the configurations are complete, check the routes on R3.
----------------------------------------------------------------------------

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0

The preceding information shows that R3 does not learn the routes sent by
R2.
By default, OSPF considers that the network mode on the FR-enabled port
is NBMA and devices do not detect neighbors.
[R3]display ospf interface Serial 2/0/0

Interfaces

Interface: 10.0.23.3 (Serial2/0/0)
Cost: 1562 State: Waiting Type: NBMA MTU: 1500
Priority: 1

Check the OSPF neighbor. Use R3 as an example.


R3 does not discover a neighbor. You must manually configure an OSPF
[R2]ospf 1
[R2-ospf-1]peer 10.0.23.3

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3]ospf 1
[R3-ospf-1]peer 10.0.23.2

After the configurations are complete, check the OSPF neighbor
relationship on R3.

Neighbors

State: Full Mode:Nbr is Slave Priority: 1
DR: 10.0.23.2 BDR: None MTU: 0

The preceding information shows that the OSPF neighbor relationship has
been set up.
Check the routing tables. Use R3 as an example.
----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 OSPF 10 3124 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Test network connectivity between R3 and R2.
[R3]ping 10.0.2.2

0.00% packet loss

Step 6 Configure OSPF between R2 and R3 and change the
network type to broadcast.
Run OSPF on the FR network. You can manually configure a neighbor
relationship or configure OSPF on a broadcast network to discover neighbors.
Delete the configured neighbors on R2 and R3 shown in step 5.
[R2]ospf 1
[R2-ospf-1]undo peer 10.0.23.3

[R3]ospf 1
[R3-ospf-1]undo peer 10.0.23.2

Check whether the FR-enabled interface supports broadcast.
DLCI = 203, IP INARP 10.0.23.2, Serial2/0/0

Determine the OSPF network type on the port.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Interfaces

Cost: 1562 State: DR Type: NBMA MTU: 1500
Priority: 1

Change the network type to broadcast.
[R2-Serial2/0/0]ospf network-type broadcast

[R3-Serial2/0/0]ospf network-type broadcast

Run the shutdown and undo shutdown commands on S2/0/0 of R3 to
update neighbors.

After the OSPF neighbor relationship is established, check the OSPF

Neighbors

State: Full Mode:Nbr is Slave Priority: 1
DR: 10.0.23.3 BDR: 10.0.23.2 MTU: 0

Check the routing table of R3 and test connectivity between R3 and R2.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Use R3 as an example.
----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 OSPF 10 3124 D 10.0.23.2 Serial2/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0


Interfaces

Priority: 1
[R3]ping 10.0.2.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

How is the broadcast function on an FR-enabled interface used? If
possible, verify this configuration.
[V200R001C01SPC300]
#
sysname R1
#
link-protocol fr
fr interface-type dce
undo fr inarp
fr dlci 102
fr map ip 10.0.12.2 102
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
undo summary
version 2
peer 10.0.12.2
network 10.0.0.0
#
return

[V200R001C01SPC300]
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
sysname R2
#
router id 10.0.2.2
#
link-protocol fr
fr dlci 102
undo fr inarp
fr map ip 10.0.12.1 102
ip address 10.0.12.2 255.255.255.0
#
link-protocol fr
ip address 10.0.23.2 255.255.255.0
ospf network-type broadcast
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
rip 1
undo summary
version 2
peer 10.0.12.1
network 10.0.0.0
#
return

[V200R001C01SPC300]
#
sysname R3
#
router id 10.0.3.3
#
link-protocol fr
fr interface-type dce
fr dlci 203
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ip address 10.0.23.3 255.255.255.0
ospf network-type broadcast
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
Return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 8-3 FR Configuration (Using FR Switch)
Learning Objectives
x How to configure frame relay (FR) router interfaces when an FR switch
is used on the network.
x How to configure RIP in hub-spoke mode.
x How to configure OSPF in hub-spoke mode.
x How to configure FR interfaces when the OSPF network type is set to
point-to-multipoint.
Topology

Figure 8.3 Lab topology for FR configuration

Scenario
Assume that you are a network administrator of a company. R1, R2, R3 in
Figure 8.3 are routers. R1 is located at the company headquarters, and R2 and
R3 are located in two branches. To interconnect the headquarters and
branches, you need to configure FR on WAN links in hub-spoke mode.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Set basic parameters, such as IP addresses. When configuring FR
encapsulation, you must disable the Inarp function and manually define
mapping between the PVC DLCI numbers and IP addresses.
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



After the IP addresses are configured, test network connectivity.
[R1]ping 10.0.123.2

0.00% packet loss

[R1]ping 10.0.123.3

0.00% packet loss

Run the following commands to view the FR encapsulation information for
the R1 interfaces.
[R1]display fr interface Serial 2/0/0
Serial2/0/0, DTE, physical up, protocol up

DLCI = 102, IP 10.0.123.2, Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


DLCI = 103, IP 10.0.123.3, Serial2/0/0

Step 2 Configure RIPv2 among R1, R2, and R3.
Configure RIPv2 and ensure that all network segments are in the RIP area.
By default, static neighbors are not configured. The automatic summary
function must be disabled. In addition, the RIP split horizon function for FR
interfaces is disabled by default because an FR network has its own unique
features. You do not need to modify the split horizon configurations for this
exercise.
[R1]rip 1
[R1-rip-1]version 2

[R2]rip 1
[R2-rip-1]version 2

[R3]rip 1
[R3-rip-1]version 2

View the routing tables on R1, R2, and R3 to check the learned routes.
----------------------------------------------------------------------------



10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0


----------------------------------------------------------------------------



10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial3/0/0
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0


----------------------------------------------------------------------------



10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0

Perform a test on R3 to detect network connectivity.
[R3]ping 10.0.1.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R3]ping 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

The preceding test results indicate that R3 and R2 are disconnected.
Check the routes to find out why R3 and R2 are disconnected.
The procedure for diagnosing this fault is as follows:
View the R3 routing table and check whether any route is destined for the
IP address 10.0.2.2.
If there is such a route, find out the next hop IP address of this route. Then
check whether R3 can reach the next hop and whether there is mapping
between Layer-3 IP addresses and Layer-2 PVCs.
If R3 can reach the next hop and there is mapping between Layer-3 IP
addresses and Layer-2 PVCs, check the devices on the route to determine
whether there is any route that can reach IP address 10.0.2.2, whether the
next hop of this route is reachable, and whether there is mapping between
Layer-3 IP addresses and Layer-2 PVCs.
If there is a route that can reach IP address 10.0.2.2 and there is mapping
between Layer-3 IP addresses and Layer-2 PVCs, check R2 to determine
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


whether there is any route that reaches the destination IP address of response
packets and whether the next hop of this route is reachable.
If the next hop of this route is unreachable and the destination IP address
of the response packets is 10.0.123.3, R2 has the route that reaches this
address but there is no mapping between Layer-3 IP addresses and Layer-2
PVCs.
The following is the output of the commands used in the preceding fault
diagnosis procedure.
----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial1/0/0

DLCI = 301, IP 10.0.123.1, Serial1/0/0

----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.2/32 Direct 0 0 D 10.0.123.2 Serial2/0/0
10.0.123.3/32 Direct 0 0 D 10.0.123.3 Serial2/0/0

DLCI = 102, IP 10.0.123.2, Serial2/0/0
DLCI = 103, IP 10.0.123.3, Serial2/0/0

----------------------------------------------------------------------------


10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial3/0/0
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.2 Serial3/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial3/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



DLCI = 201, IP 10.0.123.1, Serial3/0/0

The conclusion is that R2 has no PVC reaching IP address 10.0.123.3.

Step 3 Modify network parameters to enable the connection
between R2 and R3.
The fault diagnosis results in step 2 indicate that there is no virtual circuit
between the FR interfaces on R2 and R3. In this case, configure the mapping
between IP addresses and PVCs to enable communications between FR
interfaces on R2 and R3 through R1.


After you configure the mapping between IP addresses and PVCs, check
the IP address-PVC mapping tables on R2 and R3 and detect network
connectivity.
DLCI = 301, IP 10.0.123.1, Serial1/0/0
DLCI = 301, IP 10.0.123.2, Serial1/0/0

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R3]ping 10.0.2.2

0.00% packet loss

Step 4 Configure OSPF between R1 and R2.
Delete the RIP configurations added in step 2 and the IP address-PVC
mapping of R2 and R3 that is established in step 3.
[R1]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R1]

[R2]undo rip 1
[R2]

[R3]undo rip 1
[R3]

Configure single-area OSPF on R1, R2, and R3.
[R1-ospf-1]area 0

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R2-ospf-1]area 0

[R3-ospf-1]area 0

After basic parameters are set, OSPF cannot establish neighbor
relationships. By default, OSPF determines that the FR network can identify
the NBMA network. As a result, OSPF does not support broadcast and cannot
automatically discover neighbors.
[R3]display ospf interface Serial 1/0/0 verbose

Interfaces

Cost: 1562 State: DR Type: NBMA MTU: 1500
Priority: 1
IO Statistics
Type Input Output
Hello 0 0
DB Description 0 0
Link-State Req 0 0
Link-State Update 0 0
Link-State Ack 0 0
OpaqueId: 0 PrevState: Waiting

There are various methods for running OSPF on an FR network. This
exercise demonstrates how to run OSPF on the FR network by setting the
OSPF network type of the interface to point-to-multipoint.
Step 5 Set the OSPF network type of the interface to
point-to-multipoint.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[R1-Serial2/0/0]ospf network-type p2mp



After you set the OSPF network type, wait until the neighbor relationship is
established. Then check the neighbor relationship and route information.

----------------------------------------------------------------------------
0.0.0.0 Serial2/0/0 10.0.2.2 Full
0.0.0.0 Serial2/0/0 10.0.3.3 Full
----------------------------------------------------------------------------

----------------------------------------------------------------------------


10.0.2.2/32 OSPF 10 1562 D 10.0.123.2 Serial2/0/0
10.0.3.3/32 OSPF 10 1562 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.2/32 Direct 0 0 D 10.0.123.2 Serial2/0/0
10.0.123.3/32 Direct 0 0 D 10.0.123.3 Serial2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



----------------------------------------------------------------------------
0.0.0.0 Serial3/0/0 10.0.1.1 Full
----------------------------------------------------------------------------

----------------------------------------------------------------------------


10.0.1.1/32 OSPF 10 1562 D 10.0.123.1 Serial3/0/0
10.0.3.3/32 OSPF 10 3124 D 10.0.123.1 Serial3/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.2 Serial3/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial3/0/0
10.0.123.3/32 OSPF 10 3124 D 10.0.123.1 Serial3/0/0


----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.1.1 Full
----------------------------------------------------------------------------
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


----------------------------------------------------------------------------


10.0.1.1/32 OSPF 10 1562 D 10.0.123.1 Serial1/0/0
10.0.2.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial1/0/0
10.0.123.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0

Perform a network connectivity test on R3.
[R3]ping 10.0.1.1

0.00% packet loss

[R3]ping 10.0.2.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R3]ping 10.0.123.2

0.00% packet loss

As mentioned in step 4, there are various methods for running OSPF on
the FR network that are achieved by changing the network type of the
interface.
By default, OSPF determines that the FR network does not support
broadcast and cannot automatically discover neighbors. Is it possible to
achieve the connectivity of an OSPF network by manually defining the
neighbor relationship? How?
In step 5, the R2-R3 communications are successful even when the IP
address-PVC mapping between them is not manually configured. Why?
[V200R001C01SPC300]
#
sysname R1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol fr
undo fr inarp
fr map ip 10.0.123.2 102 broadcast
ip address 10.0.123.1 255.255.255.0
ospf network-type p2mp
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return

[V200R001C01SPC300]
#
sysname R2
#
link-protocol fr
undo fr inarp
ip address 10.0.123.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return

[V200R001C01SPC300]
#
sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
link-protocol fr
undo fr inarp
ip address 10.0.123.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 9 Firewall Configuration


Chapter 9 Firewall Configuration
Lab 9-1 USG Firewall Configuration
Learning Objectives
x How to log in to the USG firewall.
x How to change the firewall device name.
x How to change the system time and time zone.
x How to modify the login banner.
x How to change the login password.
x How to view, save, and delete firewall configurations.
x How to configure the VLAN/interface IP address and detect network
connectivity.
x How to restart the firewall.
Topology

Figure 9.1 Lab topology for USG firewall configuration
Scenario
bought a USG2160 firewall and intends to connect it to S1, the core switch, to
filter packets transmitted across different VLANs. You need to familiarize
yourself with various operations of the firewall.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Step 1 Log in to the firewall and change its name.
Like a router, a firewall provides a console interface, which can connect to
the COM interface on a computer. The computer can connect to the firewall
using the super terminal software that comes with the Windows operating
system. For details, see "Lab 1-1 Basic Operations on the VRP Platform."
The firewall provides default configurations and the default user name and
password are admin and Admin@123. Enter the case-sensitive user name
and password when logging in to the firewall.

*************************************************************************
* Copyright(C) 2008-2012 Huawei Technologies Co., Ltd. *
* All rights reserved *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************

User interface con0 is available

Please Press ENTER.


Username:admin
Password:*********
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
Warning: Using default authentication method and password on console.
<USG2100>
The method for changing the firewall name is the same as that for
changing the router name.
Because both the firewall and router use the VRP operating system, the
command level and help operations for them are the same.
< USG2100>system-view
[USG2100]sysname FW
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[FW]

Step 2 Change the time and time zone for the firewall.
By default, the time zone is not defined on the firewall. Therefore, the
firewall system time may be inconsistent with the actual time. You should
change the time and time zone information based on the actual information for
your location. During the exercise, the time zone GMT+8 is used and the
standard time is defined.
<FW>clock timezone 1 add 08:00:00
<FW>display clock
2011-11-17 18:39:48
Thursday
Time Zone : 1 add 08:00:00
<FW>clock datetime 10:36:00 2011/11/17
<FW>display clock
2011-11-17 10:36:09
Thursday
Time Zone : 1 add 08:00:00

Step 3 Change the login banner information.
Change the login banner information. The following login banner
information is displayed by default after you successfully log in to the fire wall.
<FW>quit
Please Press ENTER.


Username:admin
Password:*********
<FW>

The firewall device warns about unauthorized access using the banner
information.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The administrator can change the login banner information as needed.
Different banner information is displayed before and after you log in to the
firewall.
[FW]header login information ^
Info: The banner text supports 220 characters max, including the start and the
end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG2160 ^

[FW]header shell information ^
Info: The banner text supports 220 characters max, including the start and the
end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG2160
You are logining in system Please donot delete system config files
^
[FW]
Log out of the firewall system and then log in to the system again to check
whether the change takes effect.
Please Press ENTER.

Welcome to USG2160


Username:admin
Username:admin
Password:*********
Welcome to USG2160
You are logining in system Please do not delete system config files

<FW>

If the preceding information is displayed, the banner information is
successfully changed. Note that the default notice information cannot be
deleted or replaced.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Step 4 Change the login user name and password.
The default user name and password are admin and Admin@123. You
can change them as needed. For this exercise, create a level-3 user. The user
name and password are user1 and huawei@123. By default, only the user
admin is allowed to log in to the firewall system using the console interface.
Therefore, a newly created user is allowed to log in to the system using the
console interface only after the authentication mode is set to aaa. In addition,
specify the applicable scope of the newly created user. In this exercise, the
applicable scope is set to terminal, indicating that this user is allowed to log in
to the system using the console interface.
[FW]aaa
[FW-aaa]local-user user1 password cipher huawei@123
[FW-aaa]local-user user1 service-type terminal
[FW-aaa]local-user user1 level 3
[FW-aaa]quit
[FW]user-interface console 0
[FW-ui-console0]authentication-mode aaa

After you set the authentication mode to aaa, log out of the system and
check whether the newly created user name and password take effect.
[FW-ui-console0]return
<FW>quit

*************************************************************************
* Copyright(C) 2008-2011 Huawei Technologies Co., Ltd. *
* All rights reserved *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************

User interface con0 is available

Please Press ENTER.

Welcome to USG2160

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Username:user1
Password:**********
Welcome to USG2160
You are logining in system Please donot delete system config files

<FW>

Step 5 View, save, and delete firewall configurations.
On a firewall, run the display current-configuration command to view the
configurations that are running and run the display saved-configuration
command to view the configurations that have been saved.
<FW>display current-configuration
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1
#
firewall statistic system enable
output omit
<FW>display saved-configuration
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Error:No startup config.
<FW>

As shown in the preceding example, if no configurations are saved, the
related information is unavailable.
If the configurations have been saved, information similar to the following
is displayed.
<FW>save
15:05:50 2011/11/17
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info:Please input the file name(*.cfg,*.zip)[vrpcfg.zip]:
Now saving the current configuration to the device.................
Info:The current configuration was saved to the device successfully..
<FW>display saved-configuration
# Last configuration was changed at 2011/11/17 15:05:59 from console0
#*****BEGIN****public****#
#
sysname FW
#
#
#
#
#
dns resolve
#
vlan batch 1
#
output omit

Run the delete flash:/vrpcfg.zip command to delete the configurations
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


that have been saved.
<FW>delete flash:/vrpcfg.zip
Be Careful! Deleting the next startup config file will lose your configuration.

Delete flash:/vrpcfg.zip?[Y/N]:y
%Deleting file flash:/vrpcfg.zip...

Step 6 Configure the VLAN and interface IP address.

On the firewall, E0/0/0 is a Layer-3 interface and E1/0/0 to E1/0/7 are
Layer-2 interfaces. Layer-2 interface IP addresses cannot be configured
directly but must be configured on the related VLANIF interfaces. By default,
VLAN1 is available on the firewall device and the VLANIF1 IP address has
been assigned. Create VLAN2 and VLANIF2 and configure their IP addresses
as 10.0.2.1/24. In addition, delete the IP address of VLANIF1.
[FW]interface Vlanif 1
[FW-Vlanif1]undo ip address
[FW]vlan 2
[FW-vlan-2]interface vlanif 2
[FW-Vlanif2]ip address 10.0.2.1 24

Configure E1/0/0 to access VLAN2.
[FW]interface Ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 2

Configure the IP address for E0/0/0 as 10.0.1.1/24 and the IP address for
E2/0/0 as 10.0.3.1/24.
[FW-Ethernet0/0/0]ip address 10.0.1.1 24
[FW-Ethernet0/0/0]interface Ethernet 2/0/0

On S1, configure G0/0/21, G0/0/22, and G0/0/23 to access VLAN1,
VLAN2, and VLAN3, respectively. Configure the IP addresses of VLANIF1,
VLANIF2 and VLANIF3 as 10.0.2.2/24, 10.0.2.2/24, and 10.0.3.2/24.
[Quidway]sysname S1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[S1]vlan batch 2 3
[S1-GigabitEthernet0/0/23]interface vlanif 1

As default,the trust zone contain interface Ethernet1/0/0~1/0/7 and
interface Vlanif1.Add the interface Vlanif 2Ethernet 0/0/0 and Ethernet 2/0/0
into the trust zone. Delete the interface Ethernet 0/0/0 from the untust zone
before Add it into the trust zone.
After the configurations are complete, perform a test on the firewall to
detect the network connectivity.
[FW]firewall zone untrust
[FW-zone-untrust]undo add interface Ethernet 0/0/0
[FW-zone-untrust]quit
[FW]firewall zone trust
[FW-zone-trust]add interface Vlanif 2
[FW-zone-trust]add interface Ethernet 2/0/0
[FW-zone-trust]add interface Ethernet 0/0/0

[S1]ping 10.0.1.1

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

[S1]ping 10.0.2.1

0.00% packet loss

[S1]ping 10.0.3.1

0.00% packet loss

Step 7 Restart the firewall.

After all configurations are complete and the test is successful, delete the
configuration files and restart the firewall to clear the configurations. After you
restart the firewall, a message is displayed, asking you whether to save the
current configuration. Delete the current configuration.
<FW>reboot
Info:Reading saved configuration failed.
System will reboot, could you want to save current configuration [Y/N]?n
System will reboot, continue?[Y/N]:y
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


The login banner contains mainly warning information. Is there any other
information that can be included in the login banner?
[FW]display current-configuration
#
sysname FW
#
#
dns resolve
#
vlan batch 1 to 2
#
interface Vlanif1
#
interface Vlanif2
ip address 10.0.2.1 255.255.255.0
#
link-protocol ppp
#
ip address 10.0.1.1 255.255.255.0
#
portswitch
port access vlan 2
#
ip address 10.0.3.1 255.255.255.0
#
interface NULL0
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet0/0/0
add interface Vlanif1
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$Ir#0"8`~3LQ#K3<xK3a)g'{r%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
local-user user1 password cipher %$%$P-[yN}K4yXZTL0*(IWw)m#wn%$%$
local-user user1 service-type terminal
local-user user1 level 3
#
header shell information "Welcome to USG2160
You are logining in system Please do not delete system config files
"
header login information "Welcome to USG2160 "
banner enable
#
user-interface tty 2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


modem both
protocol inbound all
#
Return

#
sysname S1
#
vlan batch 2 to 3
#
interface Vlanif1
ip address 10.0.1.2 255.255.255.0
#
interface Vlanif2
ip address 10.0.2.2 255.255.255.0
#
interface Vlanif3
ip address 10.0.3.2 255.255.255.0
#
#
port default vlan 2
#
port default vlan 3
#
return

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Lab 9-2 USG Firewall Zone Configuration
Learning Objectives
x How to configure firewall security zones
x Parameter settings for security zones
x How to filter packets transmitted between different zones
Topology

Figure 9.2 Lab topology for USG firewall zone configuration
Scenario
Assume that you are a network administrator of a company. The
company's network at headquarters is divided into three zones: trust, untrust,
and DMZ. You intend to control inter-zone traffic using the firewall. On S1,
configure three network segments: G0/0/1 to G0/0/21 for accessing VLAN11,
G0/0/2 to G0/0/22 for accessing VLAN12, and G0/0/3 to G0/0/23 for accessing
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


VLAN13.
You need to achieve the following configurations to meet work
requirements:
z Users in the trust zone can access users in the untrust zone.
z Users in the trust and untrust zones can access users in the DMZ
zone.
z Users in the untrust zone cannot directly access users in the trust
zone.
z Users in the DMZ zone cannot directly access users in the trust and
untrust zones.
Tasks
Set IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Note that E1/0/0 is an interface on the Layer-2 switch and you cannot
directly set an IP address for it. In this exercise, configure the VLAN12, the
VLANIF12 interface, and the IP address 10.0.20.254/24 for the gateway in the
inside zone. By default, the firewall automatically assigns an IP address for its
VLANIF1. Delete this configuration to prevent any interference during the
exercise.
<USG2100>system-view
[USG2100]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]quit
[FW-Ethernet0/0/0]interface ethernet 2/0/0

Configure the VLAN on S1 based on requirements.
[Quidway]sysname S1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



Step 2 Configuring security zones.
Configure trusted zones of FW, and add interfaces to the trusted zones.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW]firewall packet-filter default permit all
[FW]ping 10.0.10.1
Request time out

20.00% packet loss

[FW]ping 10.0.20.2
Request time out

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


20.00% packet loss

[FW]ping 10.0.30.3
Request time out

20.00% packet loss

Step 3 Configure static routes to implement network
connectivity.
Configure default routes on R1, R2, and R3 and specific static routes on
the firewall to implement the connectivity between the three network segments
that are connected by three Loopback0 interfaces.
[R1]ip route-static 0.0.0.0 0 10.0.10.254

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1

After the configurations are complete, test the connectivity between the
network segments that connect to each other using Loopback0 interfaces.
[R1]ping -a 10.0.1.1 10.0.2.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[R1]ping -a 10.0.1.1 10.0.3.3

0.00% packet loss

Step 4 Configuring security filtering between zones.
Configure packets to transmit only from the trusted zone to the other zone.
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction
outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
[FW]firewall session link-state check
Information similar to the following indicates that the communication from
the untrust zone to the trust zone is normal.
<R1>ping -a 10.0.1.1 10.0.2.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

Information similar to the following indicates that communication from the
untrust zone to the DMZ zone is normal.
[R1]ping -a 10.0.1.1 10.0.3.3

0.00% packet loss

trust zone to the untrust zone is normal.
[R2]ping -a 10.0.2.2 10.0.1.1

0.00% packet loss

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


trust zone to the DMZ zone is normal.
[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss

DMZ zone to the untrust zone is normal.
[R3]ping -a 10.0.3.3 10.0.1.1

0.00% packet loss

DMZ zone to the trust zone is normal.
[R3]ping -a 10.0.3.3 10.0.2.2

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

Configure the inter-zone policies to allow users in the trust zone to access
other zones but not allow other zones to access each other.
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction
outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound

After the configurations are complete, test the inter-zone connectivity.
untrust zone to the trust zone is normal.
[R1]ping -a 10.0.1.1 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

untrust zone to the DMZ zone is normal.
[R1]ping -a 10.0.1.1 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


100.00% packet loss

trust zone to the untrust zone is normal.
[R2]ping -a 10.0.2.2 10.0.1.1

0.00% packet loss

trust zone to the DMZ zone is normal.
[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss

DMZ zone to the untrust zone is normal.
[R3]ping -a 10.0.3.3 10.0.1.1
Request time out
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Request time out
Request time out
Request time out
Request time out

100.00% packet loss

DMZ zone to the trust zone is normal.
[R3]ping -a 10.0.3.3 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

Step 5 Configure the specific server used to allow the untrust
zone to access the DMZ zone.
In the DMZ zone, configure the server with IP address 10.0.3.3 to enable
two functions: the Telnet service available for the untrust zone and ICMP ping
for the network connectivity test.
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound]policy 1
[FW-policy-interzone-dmz-untrust-inbound-1]policy service service-set icmp
[FW-policy-interzone-dmz-untrust-inbound-1]policy destination 10.0.3.3 0
[FW-policy-interzone-dmz-untrust-inbound-1]action permit
[FW-policy-interzone-dmz-untrust-inbound-1]quit
[FW-policy-interzone-dmz-untrust-inbound-2]policy service service-set telnet
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[FW-policy-interzone-dmz-untrust-inbound-3]action deny

You must enable the Telnet function on R3 before performing the Telnet
test.
[R3-ui-vty0-4]authentication-mode none

[R1]ping 10.0.3.3

0.00% packet loss

[R1]ping -a 10.0.1.1 10.0.3.3

0.00% packet loss

[R1]ping 10.0.30.3
Request time out
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Request time out
Request time out
Request time out
Request time out

100.00% packet loss

<R1>telnet 10.0.3.3
Trying 10.0.3.3 ...
<R3>quit

Configuration console exit, please retry to log on

The connection was closed by the remote host
<R1>telnet 10.0.30.3
Trying 10.0.30.3 ...

The preceding test results indicate how the data transmitted between
zones is filtered. Except for the permitted data, all other data is filtered out.
In this exercise, you can replace the switch with the firewall to make
configuration easier. However, most of the time, the scenario in this exercise is
used in actual applications. What is the advantage of this application scenario?
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
Return

[V200R001C01SPC300]
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return

[V200R001C01SPC300]
#
sysname R3
#
sysname R3
#
ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
authentication-mode none
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
Return

#
sysname FW
#
#
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
#
#
vlan batch 1 12
#
#
interface Vlanif1
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 10.0.10.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$r(sf.cF$A7%o4X%u-+AZ]6-$%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
user-interface tty 2
modem both
protocol inbound all
#
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set icmp
policy destination 10.0.3.3 0

policy 2
action permit
policy service service-set telnet
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



policy 3
action deny
#
return

Lab 9-3 NAT Configuration on the USG Firewall
Learning Objectives
x How to configure a network address translation (NAT) server on the
USG firewall.
x How to configure the Easy IP feature on the USG firewall.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Topology

Figure 9.3 Lab topology for NAT configuration on the USG firewall

Scenario
network is isolated into three zones by the USG firewall: untrust zone, trust
zone, and demilitarized zone (DMZ). You need to release the Telnet service
that is provided by a server with IP address 10.0.3.3 in the DMZ zone. The
external IP address of the server is 10.0.10.20/24. Users in the trust zone can
access the untrust zone by means of Easy IP. Other access methods are not
allowed.
On S1, you need to configure three network segments: G0/0/1 to G0/0/21
for accessing VLAN11, G0/0/2 to G0/0/22 for accessing VLAN12, and G0/0/3
to G0/0/23 for accessing VLAN13.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
Configure IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2

<Huawei>system-view
[Huawei]sysname R3

Note that E1/0/0 is an interface on the Layer-2 switch and you cannot
directly set an IP address for it. In this exercise, you need to configure VLAN12,
the VLANIF12 interface, and the IP address 10.0.20.254/24 for the gateway in
the trust zone. By default, the firewall automatically assigns an IP address for
its VLANIF1. You need to delete this configuration to prevent any interference
during the experiment.
<USG2100>system-view
[USG2100]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]quit
[FW-Vlanif1]quit
[FW-Ethernet0/0/0]interface ethernet 2/0/0

Configure VLANs on S1 as required.
[Quidway]sysname S1

Step 2 Configuring security zones.
Configure trusted zones of FW, and add interfaces to the trusted zones.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[FW-zone-dmz]firewall zone trust
[FW]firewall packet-filter default permit all
[FW]ping 10.0.10.1
Request time out

20.00% packet loss

[FW]ping 10.0.20.2
Request time out

20.00% packet loss

[FW]ping 10.0.30.3
Request time out

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


20.00% packet loss

Step 3 Configure static routes to implement network
connectivity.
Configure default routes on R2 and R3 and specific static routes on the
firewall to implement the connectivity between the three network segments
that are connected by three Loopback0 interfaces. R1, an Internet device,
does not require you to define default routes because R1 does not need to
know any private network information about the trust and DMZ zones.
[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254


Test the link connectivity of the three network segments on the firewall:
10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24.
[FW]ping 10.0.1.1

0.00% packet loss

[FW]ping 10.0.2.2
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n



0.00% packet loss

[FW]ping 10.0.3.3

0.00% packet loss

At present, devices in all zones can communicate with each other.
However, currently devices in the untrust zone cannot communicate with
devices in the trust and DMZ zones because NAT is not defined.
Step 4 Configure interzone packet filtering.
Packets can be sent from 10.0.2.0 in the trust zone to the untrust zone.
Telnet requests can be sent from the untrust zone to the target server with IP
address 10.0.3.3 in the DMZ zone.
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-0]action permit
[FW-policy-interzone-trust-untrust-outbound-0]quit
[FW-policy-interzone-trust-untrust-outbound]quit
[FW]policy interzone dmz untrust inbound
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet

Step 5 Configure the Easy IP feature to enable the trust and
untrust zones to access each other.
Configure the Easy IP feature, perform NAT translation, and bind the NAT
to E0/0/0.
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0

After the configurations are complete, check whether the trust and untrust
zones can access each other.
[R2]ping 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

[R2]ping -a 10.0.2.2 10.0.1.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


0.00% packet loss

The preceding information shows that the connectivity between R2 and
10.0.1.1 is not working. After you perform the expanded ping and specify the
source IP address of packets as 10.0.2.2, the connectivity is implemented. The
cause of this problem is that packets are directly sent to 10.0.1.1 and the
source IP address of packets is 10.0.20.2, which is not within the client IP
address range of NAT translation.

Step 6 Release the Telnet service that is provided by the
internal server with IP address 10.0.3.3.
Configure the Telnet service on R3 with IP address 10.0.3.3 and map it to
10.0.10.20.
[FW]nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet

Enable the Telnet function on R3 and test it on R1. Note that the external
IP address of R3 is 10.0.10.20. When R1 needs to access 10.0.3.3, the
destination address must be 10.0.10.20.
[R3-ui-vty0-4]authentication-mode none

<R1>telnet 10.0.10.20
Trying 10.0.10.20 ...
<R3>

In this exercise, the simple Telnet service is selected for release. If the
FTP application service needs to be released, what are the differences
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


between releasing the two services in terms of principles and configurations?
Analyze how the firewall processes FTP data from the aspect of two
modes (proactive testing and passive monitoring) of the FTP application
service.
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
Return

[V200R001C01SPC300]
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
Return

[V200R001C01SPC300]
#
sysname R3
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


#
ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
authentication-mode none
#
Return

#
sysname FW
#
#
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat server 0 protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
#
#
#
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


interface Vlanif1
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 10.0.10.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.0.2.0 0.0.0.255
#
policy interzone dmz untrust inbound
policy 0
action permit
policy service service-set telnet
#
nat-policy interzone trust untrust outbound
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255
easy-ip Ethernet0/0/0
#
return
[FW]

h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
HCDA-HNTD Chapter 10 Comprehensive Exercise


Chapter 10 Comprehensive Exercise
Lab 10-1 Comprehensive Exercise
Learning Objectives
The objective of this lab is to test whether you have understood how to
configure the following items:
x Frame Relay (FR).
x Virtual Local Area Network (VLAN).
x Layer 3 switching.
x Open Shortest Path First (OSPF).
x OSPF operating mode on a Non-Broadcast Multi-Access (NBMA)
network.
x Dynamic Host Configuration Protocol (DHCP) function.
x DHCP relay.
x Firewall.
x Network Address Translation (NAT).
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Topology

Figure 10.1 Topology for the comprehensive exercise
Scenario
Assume that you are a network administrator of a company.
The company network is divided into three areas: headquarters network
area, company branch network area, and branch office network area. The
three network areas communicate with each other using the FR network
connected to routers: R1, R2 and R3. Private lines are leased to provide line
backups for network services.
Router R1 resides in the headquarters network area, router R2 resides in
the company branch network area and router R3 resides in the branch office
network.
The firewall located in HQ area divides it into three zones: Demilitarized
Zone (DMZ), internal network zone and external network zone.
For details about interface and IP address configurations, see the
preceding figure.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Tasks
The purpose of this comprehensive exercise is to test whether you have
understood the configuration methods described in the previous 19 labs.
Therefore, only a brief description of the configuration procedures and
verification methods, not specific commands, is provided.
Step 1 Perform basic configuration and set IP addresses.
Set IP addresses and configure VLANs based on the topology, and
configure the FR function to achieve communication between different network
areas. Test the network connectivity.

Layer 3 switching needs to be configured only for S1. The IP addresses of
VLANIFs on S1 must be the same as those displayed in the preceding
topology.
R3 uses physical interface G0/0/2 to provide services for VLAN21,
VLAN22, and VLAN23.
Inverse Address Resolution Protocol (InARP) must be disabled on FR
interfaces. The mapping between Data Link Connection Identifiers (DLCIs) of
permanent virtual circuits (PVCs) on the FR interfaces and the peer IP
addresses for the PVCs must be defined on R1, R2, and R3. No virtual circuit
exists between R2 and R3.
E1/0/0 on the firewall must be connected to the DMZ, but no IP address
can be configured for this interface. This comprehensive exercise requires that
an IP address be configured for VLANIF100 and the default interface VLANIF1
be deleted from the firewall.
Step 2 Configure OSPF.
Configure OSPF on R1, R2, R3, S1, and the firewall. Ensure that all the
network segments belong to area 0. On FR interfaces, configure OSPF to
operate in NBMA mode, the default mode.
Configure all of the interfaces that do not need to send OSPF messages
as silent interfaces. Enable MD5 authentication on the 10.0.123.0/24 network
segment and set the authentication password to huawei.
On the firewall, configure a default route with the next hop of 10.0.200.2.
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n


Set the route type to Type 1 and cost value to 20, and import this route to the
OSPF area in permanent advertisement mode.
Step 3 Configure the DHCP service.
Configure the DHCP service on R1 to serve the devices on network
segments including 10.0.11.0/24, 10.0.12.0/24, 10.0.13.0/24, 10.0.21.0/24,
10.0.22.0/24, and 10.0.23.0/24. Set the IP address of the Domain Name
Server (DNS) to 10.0.200.200 and the IP address validity to three hours.
Configure the DHCP relay function on R3 and ensure that the users in
VLAN21, VLAN22, and VLAN23 can automatically obtain IP addresses.
Configure VLANIF23 on S4 and test the DHCP service on the 10.0.23.0/24
segment.
Configure VLANIF13 on S3 and test the DHCP service on the 10.0.13.0/24
segment.
Step 4 Configure the firewall.
Configure firewall functions and ensure that users on the internal network
can access the external network, but users on the external network cannot
access the internal network or the DMZ and users in the DMZ cannot access
any network. By default, users on the internal network cannot access the DMZ.
A server with IP address 10.0.100.11/24 resides in the DMZ to provide
Telnet, File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP)
services. The HTTP service is available to all areas, the FTP service is
available to all addresses on the internal network, and the Telnet service is
available only to 10.0.13.100/24.
Step 5 Configure NAT on the firewall.
Configure NAT on the firewall and enable the Easy-IP function so that
users in the headquarters network area, company branch network area, and
branch office network area can access the external network by means of NAT.
What are the advantages and disadvantages of this topology used for the
comprehensive exercise?
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n










h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n
h
t
t
p
:
/
/
l
e
a
r
n
i
n
g
.
h
u
a
w
e
i
.
c
o
m
/
c
n

HCDA EN LAB-content PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

HCDA EN LAB-content PDF

Hochgeladen von

Copyright:

Verfügbare Formate

h

Das könnte Ihnen auch gefallen