
Table of Contents

Theoretical Training
  Entry training
  Intermediate Training
    Advanced Enterprise Solutions (Overview)
    Link Aggregation
    VLAN (Virtual Local Area Network) Principles
    GARP and GVRP
    VLAN routing
    Wireless LAN Overview
    Principle and Configuration of HDLC and PPP
    Frame Relay Principles
    Principle and Configuration of PPPoE (Point-to-Point over Ethernet)
    Network Address Translation (NAT)
    Establishing Enterprise Radio Access Network Solutions
    Access Control Lists (ACL)
    AAA (Authentication, Accounting, Authorisation)
    Securing Data with IPSec VPN
    Generic Routing Encapsulation (GRE)
    Simple Network Management Protocol (SNMP)
    eSight Network Management Solutions (Huawei solution)
    Introducing IPv6 Networks
    IPv6 Routing Technologies
    IPv6 Application Services DHCPv6
Practical Training
  Entry Training
  Intermediate Training
Lessons from the mock exams
  Multiple choice section
Theoretical Training
Entry training
Point-to-Point network

Wired or wireless

RJ-45 cable

Network cables:

Coaxial:

-10Base2 maximum transmission distance 185m

-10Base5 maximum 500m

Otherwise use bridges, boosters or repeaters to extend the distance; finally, use fibre optics or others.

Ethernet all 100m:

• 10Base-T
• 100Base-Tx
• 1000Base-T: 4 pairs of category 5e twisted pair cable, supports 1 GHz transmission speed

Fiber Optic

-10Base-F: distance of 2000m, 10 Mbps

-100Base-FX: 100 Mbps

-1000Base-LX: 316–50000m, 1 Gbps, single-mode; does not work simultaneously

-1000Base-SX: multi-mode, supports simultaneous transmission

Serial

-RS-232: 20000 bps

-RS-422 (recommended): 1200m

Broadcast domains

Sending from one place to many.

Collision Domains

Place in a network where packets collide.


-Carrier Sense Multiple Access with Collision Detection or Collision Avoidance (CSMA/CD, CSMA/CA): tells you
when not to send a packet.

Duplex modes (with respect to point-to-point networks):

-Half duplex: You can only send or receive

-Full duplex: You can send and receive at the same time. Act as a server and client
simultaneously.

Layered Models – OSI

Encryption: provides protection over the network to mitigate hacking. Requires a key.

The Application (protocol data units) and Presentation layers are unformatted.

Physical layer – bits (0/1) on cables

Data link layer: frame, MAC address

Network layer: packet, network address

Transport layer: segments, TCP/IP

Session

The sender goes top to bottom, the receiver bottom to top: Application, Presentation, Session, Transport,
Network, Data Link, Physical.

Frame Formats

>= 1536 (0x0600): Ethernet II

<= 1500 (0x05DC): IEEE 802.3

Frame check sequence: checks whether the packet is complete or whether it is fragmented. A packet is
1500/1536.

2048 (0x0800) – IP

2054 (0x0806) – ARP

MAC addresses are 48 bits (24 bits OUI and 24 bits assigned by the organisation).

Huawei addresses are (

A broadcast packet is represented as FF:FF:FF:FF:FF:FF.

Multicast: Packets sent to unintended devices are dropped.
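As an added worked example for the frame-format notes above (written for this page, not taken from the notes or from any Huawei material), the parser below splits the 14-byte Ethernet header, decides Ethernet II versus IEEE 802.3 from the type/length field (>= 0x0600 is an EtherType, <= 0x05DC a length), maps the two EtherTypes listed (0x0800 IP, 0x0806 ARP), splits a MAC into its OUI and organisation-assigned halves, and classifies the destination as broadcast, multicast or unicast. The three sample frames are constructed inline; no real capture is used.

```python
import struct

# Constructed sample frames (not captured from a real network): 14-byte header
# followed by a zero-filled payload so they are long enough to parse.
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
IP_FRAME = bytes.fromhex("01005e000001" "00aabbccddee" "0800") + b"\x45" + b"\x00" * 19
RAW_8023_FRAME = bytes.fromhex("001122334455" "00aabbccddee" "0040") + b"\x00" * 64

# EtherType values listed in the notes: 2048 = 0x0800 (IP), 2054 = 0x0806 (ARP)
ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP"}


def classify_mac(mac: bytes) -> str:
    """Broadcast is all ones; a set low bit in the first byte marks a group (multicast) address."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_frame(frame: bytes) -> dict:
    """Split the Ethernet header and decide Ethernet II vs IEEE 802.3 from the type/length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "dst_kind": classify_mac(dst),
        "src_oui": src[:3].hex(":"),  # first 24 bits: vendor OUI
        "src_nic": src[3:].hex(":"),  # last 24 bits: assigned by the organisation
    }
    if type_len >= 0x0600:  # >= 1536: Ethernet II, the field is an EtherType
        info["format"] = "Ethernet II"
        info["ethertype"] = type_len
        info["payload_proto"] = ETHERTYPE_NAMES.get(type_len, "unknown")
    elif type_len <= 0x05DC:  # <= 1500: IEEE 802.3, the field is the payload length
        info["format"] = "IEEE 802.3"
        info["length"] = type_len
        info["payload_proto"] = "LLC/raw"
    else:  # 1501..1535 is defined by neither format
        info["format"] = "invalid"
        info["payload_proto"] = "unknown"
    return info


if __name__ == "__main__":
    for name, frame in (("ARP", ARP_FRAME), ("IP", IP_FRAME), ("802.3", RAW_8023_FRAME)):
        print(name, parse_frame(frame))
```

`parse_frame` refuses anything shorter than a header rather than guessing, and leaves the 1501–1535 gap marked invalid instead of silently picking a format.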

Carrier sense:

Carrier sense multiple access... Packets can be dropped, received or resent.

Layer 2

Only a switch and the end device are needed. A switch can establish a connection using only MAC addresses.

Network layer:

IP packet (0x0800): length 60 bytes, source and destination. Time to live 255–0; the packet is dropped when
it reaches 0.

IP addresses (Private addresses):

-Class A: 10.0.0.0 ~ 10.255.255.255 (10 is the network part). Multiple hosts. Check the first number's range first; /8

-Class B: /16

-Class C: 192.0.0.0 – 223.0.0.2, for smaller networks; /24

-Class D

-Class E: 240. – 255.255.244.254, experimental

Private IP addresses are not linked to the internet.

E.g. Class C 192.168.1.0

Network 6

-First binary switch: 0110

-Network range / IP addresses

VLSM (variable length subnet masking) or classless inter-domain routing (CIDR).
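Added example (not part of the notes) tying together the classful ranges, the private-address check and the VLSM mentioned above. `address_class` reads the leading bits of the first octet, `is_private` checks the RFC 1918 ranges, and `vlsm_plan` carves a block into the smallest subnets that fit each host count, largest first, which is what VLSM means in practice. The 192.168.1.0/24 plan used below is constructed.

```python
import ipaddress

# RFC 1918 private ranges (the notes' 10.0.0.0/8 plus the /12 and /16 blocks)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(addr: str) -> str:
    """Classful class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def is_private(addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def vlsm_plan(network: str, host_counts) -> list:
    """Variable-length subnetting: give each requirement the smallest subnet that fits it, largest first,
    so the big blocks do not get fragmented by the small ones."""
    free = [ipaddress.ip_network(network)]
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = 32 - (hosts + 2 - 1).bit_length()  # +2 for the network and broadcast addresses
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:
                break
        else:
            raise ValueError(f"no free block left for {hosts} hosts")
        block = free.pop(i)
        if block.prefixlen == prefix:
            alloc = block
        else:
            alloc = next(block.subnets(new_prefix=prefix))  # take the lowest sub-block
            free.extend(block.address_exclude(alloc))       # return the remainder to the free list
        free.sort()
        plan.append({"hosts": hosts, "subnet": str(alloc), "usable": alloc.num_addresses - 2,
                     "first": str(alloc[1]), "last": str(alloc[-2]),
                     "broadcast": str(alloc.broadcast_address)})
    return plan


if __name__ == "__main__":
    for row in vlsm_plan("192.168.1.0/24", [100, 50, 20, 2]):
        print(row)
```

Because the free list is kept sorted and the lowest fitting block is always taken, the plan is deterministic and leaves the remaining space in as few large blocks as possible.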

IP Gateway
Gives us access to the.

Time to live:

If the packet gets to an unintended destination.

Internet Control Message Protocol ICMP

Reports errors. Used in routing to test compatibility.

Broadcast messages as unicast – unknown intended devices.

Investigating unreachable devices.

ICMP Types

Echo request: type=8, code=0, multicast

Echo reply: type=0, code=0, unicast

Every link counts as a hop and adds to the time required to send a message.

Address Resolution Protocol

Broadcast send, unicast reply.

Reverse Address Resolution Protocol (RARP) operates on layer 3.

Proxy ARP takes longer because of the connection via the proxy gateway.

TCP: wired networks, congestion control, monitoring packets. Three-way handshake, security and
sharing of certificates. TCP is the best for safety. UDP: does not do flow control or the three-way
handshake. A company usually has a wireless network; the wireless access point is linked to the wired
connection so that monitoring occurs on the main router, called traceback. Logs are maintained by MAC
address, which is constant per device.

Data forwarding scenarios

ARP to get the MAC address.

VRP (Versatile Routing Platform)

Multiple collisions.

Establishing connectivity to the switch or router: remotely (Telnet), or physically via mini USB/console.

Console Access Setup Procedures:

Bits per second: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

Correct usage: COM3

Not recommended to autoconfigure.

Navigating the CLI

CLI Clock settings

CLI Interfaces:

Allows remote access via VTY (virtual teletype terminal) lines 0–4, five sessions. This can be changed.

CLI interface configuration

Loopback: assign IP addresses.

Viewing the file system / Updating the software

cd, pwd, dir, more

To reboot, type reboot.

There is one root bridge and following from there are non-root bridges or downstream bridges.

Redundancy is recommended; however, there may be broadcast storms and MAC instability, so the
Spanning Tree Protocol was introduced, to send packets along the shortest path.

-Bridge ID (bridge priority and MAC address): a BPDU packet is sent to the switches, returning the
bridge priority and MAC address. Only if the bridge IDs are the same are the path costs used to determine
the shortest path, according to the cable speed.

The smallest bridge ID is elected as the root bridge: priority is the main election criterion and the MAC
address is the tie-breaker.

BPDU (Bridge Protocol Data Unit) through STP (Spanning Tree Protocol) for bridges and switches:

-We are trying to control the management of data to avoid loops and broadcast storms. The
bridge facilitates communication.

-BPDU: a communication from the root to the downstream switches to avoid loops.

-TCN BPDU: goes from the downstream bridges to the upstream root to better understand the
topology of the tree. A status call; these protocols are a notification and update the tree hierarchy. Hello
timer of 2 seconds. The TCN BPDU refreshes/responds every 30 seconds.

-This is done to mitigate loops and broadcast storms.

-Criteria: MAC address and lowest bit

-To select the root bridge. Packets exist for 20 seconds.

-Path cost standards: faster and shortest data transmission

• 10 Mbps: path cost 1999
• 100 Mbps: path cost 199
• 1 Gbps: path cost 20
• 10 Gbps: path cost 2

Finally, use the port ID if the path costs are equal.

-Root port: from a designated port to downstream

-Designated port: touching/attached to the root bridge

-Alternate port: not a designated or root port

Root path cost: used to determine the shortest loop-free path. The root bridge's path cost is
always 0.

The highest port identifier (the lowest port number) represents the port assigned as the root
port, with the other ports defaulting to the alternate port role.

Hello timer (2 seconds): the upstream propagates over 1 second. The max age timer by default
represents a period of 20 seconds.
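Added example (not from the notes) of the election and port-role logic described above: the lowest bridge ID (priority, then MAC) becomes root, Dijkstra over the link costs gives each bridge's root path cost, and ties are broken in the notes' order of bridge ID, path cost and port ID. The three-switch triangle and its link costs are constructed; the priority check enforces the 0–61440, step-4096 range the notes give later.

```python
import heapq

# Constructed topology (not from the notes): three switches in a triangle.
# Bridge ID = (priority, MAC); priority must be 0..61440 in steps of 4096, default 32768.
BRIDGES = {
    "SWA": (32768, "00:00:00:00:00:0a"),
    "SWB": (32768, "00:00:00:00:00:0b"),
    "SWC": (32768, "00:00:00:00:00:0c"),
}
# (bridge, port, bridge, port, path cost) - the costs are constructed; real values come from
# the 802.1D / 802.1t cost tables for the link speed.
LINKS = [
    ("SWA", 1, "SWB", 1, 20),
    ("SWA", 2, "SWC", 1, 20),
    ("SWB", 2, "SWC", 2, 20),
]


def bridge_id(priority: int, mac: str) -> tuple:
    if not (0 <= priority <= 61440 and priority % 4096 == 0):
        raise ValueError("priority must be 0..61440 in increments of 4096")
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


def run_stp(bridges: dict, links: list) -> tuple:
    """Elect the root (lowest bridge ID), compute root path costs, and assign port roles.
    Returns (root name, {bridge: root path cost}, {(bridge, port): role})."""
    bid = {name: bridge_id(p, m) for name, (p, m) in bridges.items()}
    root = min(bid, key=bid.get)
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))
    # Dijkstra from the root: each bridge's root path cost (the root itself is 0)
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost_so_far, node = heapq.heappop(heap)
        if cost_so_far > rpc[node]:
            continue
        for nb, _, _, cost in adj[node]:
            if cost_so_far + cost < rpc.get(nb, float("inf")):
                rpc[nb] = cost_so_far + cost
                heapq.heappush(heap, (cost_so_far + cost, nb))
    roles = {}
    for name in bridges:
        if name not in rpc:
            raise ValueError(f"{name} is not connected to the root")
        root_port = None
        if name != root:
            # best upstream: lowest (cost via neighbour, neighbour bridge ID, neighbour port, own port)
            root_port = min((rpc[nb] + cost, bid[nb], pnb, pown) for nb, pown, pnb, cost in adj[name])[3]
        for nb, pown, pnb, cost in adj[name]:
            if pown == root_port:
                roles[(name, pown)] = "root"
                continue
            # designated end of a link: lower root path cost, then lower bridge ID, then lower port ID
            mine = (rpc[name], bid[name], pown)
            theirs = (rpc[nb], bid[nb], pnb)
            roles[(name, pown)] = "designated" if mine < theirs else "alternate"
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = run_stp(BRIDGES, LINKS)
    print("root:", root, "root path costs:", rpc)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} port {port}: {role}")
```

With equal priorities SWA wins on the lowest MAC and the SWB–SWC link is blocked on SWC's side (the higher bridge ID); lowering SWC's priority to 4096 moves the root and the blocked port without any other change, which is the effect of the priority command the notes describe.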

Root election process

Port role establishment process

Port state Transition SUMMARY

Root Failure:

When a switch is down it cannot send BPDUs, so the switches re-establish the root bridge through
the Spanning Tree Protocol (STP). If the device fails

Indirect link failure:

If the port is down, the port table is relabelled. The alternate port is named as a designated
port, as it cannot communicate any other way in this circumstance. Full recovery of the STP
topology occurs after approximately 50 seconds.

Direct Root Failure:

Topology Change MAC instability

In a converging spanning tree network, a MAC address black hole is created.

Port transition state:

Disabled, blocking and listening states do not send.

STP Modes:
To further mitigate loops, the switches are not all in the same mode and must be
configured by the technician.

-mstp (multiple)

-rstp (rapid)

-stp

The STP priority is an integer between 0 and 61440 in increments of 4096 (16 increments), with a
default value of 32768.

If the legacy STP standard is used, the path cost ranges from 1 to 200000.

If the IEEE 802.1D standard is used, the path cost ranges from 1 to 65535.

If the IEEE 802.1t standard is used, the path cost ranges from 1 to 200000000.

All root bridges must be designated. Root protection only applies while the port is not an edge port
or loop protection is enabled.

When a link fails: bridge ID, path cost, port ID comparison.

If a link fails update the MAC address table.

RSTP (Rapid spanning tree protocol)

Improvement on STP, backup

STP weaknesses: ensures a loop-free network, but responds slowly as topology changes occur.
Convergence timers (30–50 seconds). Regular service interruptions.

RSTP: Employs a proposal and agreement process which allows for immediate negotiation of links to
take place, effectively removing the time taken for convergence-based timers to expire before spanning
tree convergence can occur. Proposal & Agreement, immediate negotiation. Each downstream switch
gradually begins to learn of the true root bridge and the path via which the root bridge can be reached.

RSTP port roles

The backup port role represents the backup path for the LAN segment in the direction leading away
from the root bridge. An edge port directly connects to a terminal and nothing else; where redundant links
exist,

RSTP edge ports:


Systems not participating in RSTP connect to the edge port. Edge ports do not receive BPDUs and instantly
forward data.

Port states of RSTP

RST BPDU

-00: unknown

-01: alternate/backup port

-10: root port

-11: designated port

A static route would have to be reconfigured manually should the route fail. Only use a static route for
small networks with few users.

RSTP convergence follows on from STP. There is an additional port on the LAN side, the edge
port.

RST BDPU Proposal

All designated ports. One is the superior BPDU. When the BPDU is sent, it is not propagated downstream. The
edge port is connected to the computer.

RST BPDU Agreement

RSTP Converged Link

The downstream port is blocked, and synchronization occurs. RST BPDU sent back and forth.

Link/Root failure

After not receiving three consecutive Hello intervals, the agreement process is reinitialised in order to
discover port roles for the LAN segment.

Link failure is noticed immediately and the address entries are flushed. An RST BPDU negotiates the port
states as part of the proposal and agreement process; MAC addresses are dropped and updated with
no waiting, as part of the configuration settings. When an STP-enabled device is added to an RSTP system,
it reverts to STP.

Network Management Station (NMS)

The edge ports that are shut down by the switch can be manually restarted only by the network
administrator.

The STP BPDU-protection command should be used to enable BPDU protection and is configured globally
within the system view.

Distance Vector Routing Protocol (RIP)

Performance is slow; hop count limit of 15.

Loop prevention

Packet is df

RIP has 2 methods. Uses UDP.

-Authentication

RIP version 2 is recommended; the default is version 1.

Does not use I{ adfe

Metric

OSPF

For 4 devices

Request + Acknowledgement ×2

10 seconds

4 packets sent over 40 seconds is the limit

Point-to-point: 10 second interval, 40 seconds to withdraw packets

30 second interval

The higher the priority, the better the network.

Range 1–255 to select the designated and backup value. The higher the number, the better the
network. The higher the authorisation/priority on the router, the better the network.

OSPF metric: by default the metric is 10, which can be changed per user preference; there can be
alternatives.

10^8 / bandwidth

OSPF tree recommended

Shortest path algorithm with the potential

OSPF areas for one domain, such as a university campus.

OSPF authentication: simply a password

OSPF silent interface only receives updates

DHCP

Dynamically assign IP addresses to users.

Usually wireless

To assign an IP address

-Manual: the administrator visits the machine and the IP address is assigned physically

-Dynamic: assigned to specific machines, the

-Dynamic: however, the address is reassigned regularly

DHCP messages

DISCOVER: the client locates a DHCP server

OFFER: when available

REQUEST: the client sends a request; although a broadcast message is sent, it is unicast.

The reply is unicast.
Once a user/machine leaves, the IP address can be reassigned. Maximum of 24 hrs usage of an IP
address. A notification to renew is sent at 50% usage, down to the minute and second.

Without the message sent you can be disconnected.

FTP

Used to transfer files from the server to the client. VRP operating system.

Both the client and server must use the same password otherwise they cannot communicate with each
other. Two port numbers used to exchange packets.

-20 – data control/connections between client and server

-21 – file transfer

Two transmission modes

-ASCII mode for text

-Binary mode for pictures/images

Telnet (VTY, with a limit on login attempts)

Protocol to connect remotely to manage devices

-Port 23

Authentication modes:

-none: Login without authentication

-AAA: AAA authentication

-Password: Authentication

For some, you can determine whether a change was made and by whom.

Basic Knowledge of IP Routing (Routing packets)

-AS (Autonomous Systems):

A clear method of sending the data.

E.g. 2 LANs connected by a LAN: LAN a, LAN b, LAN c, where LAN c is the link between LANs a and b.

Relying on the IP address, a router uses the routing table, compared to a switch which uses
MAC addresses. Routers are responsible for routing decisions because of the routing table. All network
nodes are included.
Routing protocols: RIPv1, RIPv2, ARP

PRE: preference. A router selects the best path based on the highest preference (smallest value).

Direct = 0 (a direct link)

RIP = 100

OSPF = 10

Static preference = 60

A router command: 'display' 10.1.1.0 = router A

Next hop is the next port, i.e. 20.1.1.2

Routing Decision – preferences

Select the lowest preference value. The protocol helps to decide.

Routing Decision – Metric/cost

The decision maker, the metric.

Routing table forwarding requirements

Inbound: Default gateway

Outbound: To the internet or other network

IP Static (manual, stationary, fixed) Routes

An IP static route/path is a unique, non-changing path; if it is unavailable or something changes, it is down.

A static route can be assigned on serial links or on an Ethernet (data link layer) link/cable.

Configuring/creating a static route

[RTB] ip route-static 192.168.1.0 (router A / destination) 255.255.255.0 (subnet mask) 10.0.12.1 (next hop, router B)

[RTB] (on router B) ip route-static 192.168.1.0 255.255.255.0 (subnet mask) Serial 1/0/0

[RTB] ip route-static 192.168.1.0 24 Serial 1/0/0

Static Route load balancing

More than one static route to a destination. This comes with additional cost (ISP).

Verifying static route load balancing

[RTB] ip route-static 192.168.1.0 255.255.255.0 10.0.12.1 (plus a second line for the second route); this shows as

*[RTB] display ip routing-table

192.168.1.0/24 static 60 0 RD 10.0.12.1 GigabitEthernet 0/0/0 (plus the 2nd line)

Floating static route: when a preference is assigned, the route chosen might still be the
highest preference by default.

Special case: the default static route, used when a destination static route is unknown. Works on any unassigned
network:

[RTA] ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 – preference of 60 by default. Can access any network. Verification:

display ip routing-table:

0.0.0.0/0 static 60 0 RD 10.0.12.2 GigabitEthernet0/0/0
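Added example (not from the notes or from VRP) of how a router picks a route using the preference values listed above: longest prefix first, then the lowest preference, then the lowest cost, with any survivors sharing traffic as equal-cost load balancing. The table is constructed to include the two equal static routes, a floating static at preference 80, a RIP route that loses on preference, a more specific OSPF route and the 0.0.0.0/0 default route; `route` accepts a dotted mask or a prefix length, matching the two command forms shown.

```python
import ipaddress
from dataclasses import dataclass

# Protocol preferences as listed in the notes (lower value is preferred)
PREFERENCE = {"Direct": 0, "OSPF": 10, "Static": 60, "RIP": 100}


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    proto: str
    cost: int
    next_hop: str
    interface: str
    pref: int = None  # None -> protocol default

    def __post_init__(self):
        if self.pref is None:
            self.pref = PREFERENCE[self.proto]


def route(dest, mask, proto, next_hop, interface, cost=0, pref=None) -> Route:
    """`mask` may be dotted (255.255.255.0) or a prefix length (24)."""
    return Route(ipaddress.ip_network(f"{dest}/{mask}", strict=False), proto, cost, next_hop, interface, pref)


def lookup(table: list, address: str) -> list:
    """Longest prefix match, then lowest preference, then lowest cost.
    More than one surviving route means equal-cost load balancing."""
    ip = ipaddress.IPv4Address(address)
    matches = [r for r in table if ip in r.dest]
    if not matches:
        return []
    longest = max(r.dest.prefixlen for r in matches)
    matches = [r for r in matches if r.dest.prefixlen == longest]
    best_pref = min(r.pref for r in matches)
    matches = [r for r in matches if r.pref == best_pref]
    best_cost = min(r.cost for r in matches)
    return [r for r in matches if r.cost == best_cost]


def display(table: list) -> list:
    """Rows in the layout of the notes' `display ip routing-table`: dest/mask proto pref cost next-hop interface."""
    return [f"{r.dest} {r.proto} {r.pref} {r.cost} {r.next_hop} {r.interface}"
            for r in sorted(table, key=lambda r: (r.dest, r.pref))]


# Constructed routing table for a router RTB (not a capture from a real device)
TABLE = [
    route("10.0.12.0", "24", "Direct", "10.0.12.2", "GigabitEthernet0/0/0"),
    route("192.168.1.0", "255.255.255.0", "Static", "10.0.12.1", "GigabitEthernet0/0/0"),
    route("192.168.1.0", "24", "Static", "10.0.13.1", "GigabitEthernet0/0/1"),            # second path: load balancing
    route("192.168.1.0", "24", "Static", "10.0.14.1", "GigabitEthernet0/0/2", pref=80),   # floating static
    route("192.168.1.0", "24", "RIP", "10.0.14.1", "GigabitEthernet0/0/2", cost=2),       # loses on preference
    route("192.168.1.128", "25", "OSPF", "10.0.15.1", "GigabitEthernet0/0/3", cost=2),    # more specific
    route("0.0.0.0", "0.0.0.0", "Static", "10.0.12.2", "GigabitEthernet0/0/0"),           # default route
]


if __name__ == "__main__":
    print("\n".join(display(TABLE)))
    for addr in ("192.168.1.10", "192.168.1.200", "8.8.8.8"):
        print(addr, "->", [r.next_hop for r in lookup(TABLE, addr)])
```

Removing the two preference-60 statics from the table makes the preference-80 floating static take over, still ahead of the RIP route at 100, which is the fallback behaviour the notes allude to.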

Distance Vector Routing with RIP – a dynamic routing protocol

Without a static route you are required to have a routing protocol saved in the routing table.

Small organisation

Simple to implement

RIP, based on the Bellman-Ford algorithm, operates as an interior gateway protocol.

Principle Behavior

Route advertisements periodically

Only carry best route info

Metric number is important

A hop limit of 15 hops to prevent infinite forwarding/loops.

Hops represent a metric of 1

When a network fails the next best route might have loops, the routers learn among themselves. The
metric cap can be changed.

Through the use of split horizon we can prevent loops.

Split horizon:

A route that is down and learnt on an interface cannot be advertised out of the same interface, to prevent
loops.

Enabled by default except on NBMA.

Loop prevention – poisoned reverse:

Has additional overhead: the routing message size is increased because of advance
notifications as the routing table is updated.

Allows erroneous routes to be timed out instantaneously.

On Huawei AR2200 series routers split horizon and poisoned reverse cannot be applied at the same time;
poisoned reverse is preferred and enabled.
Loop prevention-triggered update

Updates of the routing table are sent periodically.
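Added example (my own, not the notes') showing why split horizon and poisoned reverse exist: two constructed routers A and B, A's direct link to 10.1.0.0/24 fails, and B's next periodic update arrives. Without either mechanism A re-learns the dead network through B (the start of count-to-infinity); with split horizon B omits it; with poisoned reverse B advertises it back at metric 16. The hop limit of 15 is enforced by treating 16 as unreachable, and `process_update` returns the changed destinations a triggered update would carry.

```python
import copy

INFINITY = 16  # hop limit is 15; 16 means unreachable

# Constructed tables (not from the notes). A reaches 10.1.0.0/24 directly on e1; A and B share
# 10.0.0.0/24 (A's e0, B's e0); B reaches 10.2.0.0/24 directly on e2 and learnt 10.1.0.0/24 from A.
ROUTER_A = [
    {"dest": "10.1.0.0/24", "metric": 1, "iface": "e1", "direct": True},
    {"dest": "10.0.0.0/24", "metric": 1, "iface": "e0", "direct": True},
]
ROUTER_B = [
    {"dest": "10.0.0.0/24", "metric": 1, "iface": "e0", "direct": True},
    {"dest": "10.2.0.0/24", "metric": 1, "iface": "e2", "direct": True},
    {"dest": "10.1.0.0/24", "metric": 2, "iface": "e0", "direct": False},
]


def build_update(table, out_iface, mode="split-horizon"):
    """Entries a router advertises out of `out_iface`. Mode 'none' sends everything, 'split-horizon'
    omits routes reached via that interface, 'poisoned-reverse' sends them back with metric 16."""
    update = []
    for r in table:
        if r["iface"] == out_iface and mode != "none":
            if mode == "split-horizon":
                continue
            update.append((r["dest"], INFINITY))
            continue
        update.append((r["dest"], r["metric"]))
    return update


def process_update(table, in_iface, update):
    """Bellman-Ford step on a received update; returns the destinations that changed."""
    changed = []
    by_dest = {r["dest"]: r for r in table}
    for dest, advertised in update:
        metric = min(advertised + 1, INFINITY)  # one more hop to reach it through the sender
        cur = by_dest.get(dest)
        if cur is None:
            if metric < INFINITY:
                table.append({"dest": dest, "metric": metric, "iface": in_iface, "direct": False})
                changed.append(dest)
        elif cur["direct"]:
            continue  # a directly connected route is never replaced by a learnt one
        elif cur["iface"] == in_iface:
            if cur["metric"] != metric:  # same next hop: always take its newest metric, 16 included
                cur["metric"] = metric
                changed.append(dest)
        elif metric < cur["metric"]:
            cur["metric"], cur["iface"] = metric, in_iface
            changed.append(dest)
    return changed


def simulate(mode):
    """A's link to 10.1.0.0/24 fails, then B's periodic update arrives. Returns A's metric for it."""
    a, b = copy.deepcopy(ROUTER_A), copy.deepcopy(ROUTER_B)
    failed = next(r for r in a if r["dest"] == "10.1.0.0/24")
    failed["metric"], failed["direct"] = INFINITY, False
    process_update(a, "e0", build_update(b, "e0", mode))
    return next(r for r in a if r["dest"] == "10.1.0.0/24")["metric"]


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poisoned-reverse"):
        print(f"{mode}: A's metric for 10.1.0.0/24 after the update = {simulate(mode)}")
```

The "same next hop: always take its newest metric" rule is what lets a poisoned (metric 16) advertisement withdraw a route immediately instead of waiting for the hold timers the notes mention under triggered updates.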

RIP extension authentication (RIPv2)

Additional security features. Process of security comparison.

Malicious packets are filtered.

Plaintext is not completely secure.

If the router is not configured for RIP version 2 authentication it reverts back to RIP version 1
and discards authenticated RIPv2 messages.

RIP load balancing

In case of link being down

RIP network advertisement

[RTA] rip

[RTA-rip-1] version 2

[RTA-rip-1] network 10.0.0.0

RIP metricin/out

Supports manipulation of metrics.

Metricin: Change takes effect

Metricout: Changes do not apply

*Command:

[RTC] interface GigabitEthernet 0/0/0

[RTC-GigabitEthernet0/0/0] rip metricin 2

RIP output: Outbound interface

RIP inbound: Inbound interface

*[RTA-GigabitEthernet0/0/0] undo rip output: restricts advertisement. Update messages cease to
be forwarded out of the given interface. Usable where an enterprise does not want to share its internal
routes with an external network via the interface.

*[RTA-rip-1] silent-interface GigabitEthernet 0/0/1: receives only, no advertisement

OSPF (Open Shortest Path First)

Minimal routing traffic


Rapid convergence

Scalable

Accurate route metrics

Configure on ethernet

Configure on serial but defaulted to point-to-point type

Configure as High-level data link control (HDLC) -data link layer OSI model

IP address on the network layer

OSPF can operate on a multi-access network that does not support broadcast.

Designated Routers are implemented on NBMA (non-broadcast multi-access) networks and act as an access
point with backup routers (neighbour (not BDR, backup designated router) or adjacent (linked to a
neighbour)).

Link state establishment: each router transitions between the neighbour and adjacent states.

Each router, according to the LSAs, has its own individual unique LSDB.

DR election process: priority set at 1. If the priority is 0 the router does not participate in the election. The
highest priority becomes the Designated Router (sends advertisements for efficiency).

Cost metric formula: 10^8 / bandwidth

By using the bandwidth, the metric accuracy is improved.

A link-state protocol uses LSAs (link state advertisements); the LSA information is saved in the LSDB (link
state database), alongside the routing table.

The Router ID is a 32-bit value used to identify each router running the OSPF protocol.

If a logical interface has been configured, the Router ID is the highest configured logical interface's IP
address.
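Added example (not from the notes) of the three OSPF rules just described: interface cost as 10^8 / bandwidth, router ID chosen as the highest logical (loopback) address when one is configured, and the first DR/BDR election on a segment, in which priority 0 does not participate and ties on priority are broken by the highest router ID (the simplified first-election case; a running DR is not pre-empted in real OSPF). The dead-interval check uses the 10 s Hello and 40 s limit the notes give. The router IDs and priorities are constructed.

```python
import ipaddress

REFERENCE_BANDWIDTH = 10 ** 8  # the notes' formula: cost = 10^8 / bandwidth


def ospf_cost(bandwidth_bps: int) -> int:
    """Interface cost = reference bandwidth / interface bandwidth, never below 1."""
    return max(REFERENCE_BANDWIDTH // bandwidth_bps, 1)


def router_id(loopback_ips, physical_ips) -> str:
    """Highest logical (loopback) address if any is configured, otherwise the highest physical address."""
    pool = list(loopback_ips) or list(physical_ips)
    if not pool:
        raise ValueError("no IP address configured, cannot derive a router ID")
    return max(pool, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def elect_dr_bdr(priorities: dict) -> tuple:
    """First election on a multi-access segment: priority 0 never takes part; highest priority wins,
    ties broken by the highest router ID. Returns (DR, BDR), None where nobody qualifies."""
    candidates = sorted(
        ((prio, int(ipaddress.IPv4Address(rid)), rid) for rid, prio in priorities.items() if prio > 0),
        reverse=True,
    )
    dr = candidates[0][2] if candidates else None
    bdr = candidates[1][2] if len(candidates) > 1 else None
    return dr, bdr


def neighbour_is_dead(last_hello_at: float, now: float, hello_interval: int = 10) -> bool:
    """Dead interval is four Hello intervals (10 s Hello -> 40 s), as the notes state."""
    return now - last_hello_at >= 4 * hello_interval


if __name__ == "__main__":
    for bw in (10_000_000, 100_000_000, 1_000_000_000):
        print(f"{bw // 1_000_000} Mbps -> cost {ospf_cost(bw)}")
    print("router ID:", router_id(["1.1.1.1", "2.2.2.2"], ["10.0.0.1"]))
    print("DR, BDR:", elect_dr_bdr({"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0, "4.4.4.4": 100}))
```

Note that with the 10^8 reference every link of 100 Mbps and faster costs 1, so Fast Ethernet and Gigabit are indistinguishable to the metric; that is the accuracy limit the notes' "can be changed as per user preference" remark refers to.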

OSPF areas-single area

As the network grows, Area 0 is recommended but can be assigned.

Multi area

Allows OSPF to compartmentalise, based on a link state database that is identical within an area,
while still providing information on destinations across the OSPF domain.

Default process ID 1

Selects the lowest router ID

[RTA-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255


The network to be advertised.

OSPF authentication

Once advertisement is concluded, security can be incorporated

[RTA-GigabitEthernet0/0/0]ospf authentication-mode md5 1 huawei

OSPF silent interface

Prevents an interface from forming neighbour relationships with peers (sharing its routing table).

DR and BDR use the multicast address 224.0.0.6

DHCP address acquisition

Discover (broadcast)

Offer (unicast)

Request (broadcast)

ACK (unicast)

DHCP lease renewal request (unicast)
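Added example (not from the notes) of the Discover/Offer/Request/ACK exchange above together with the interface-pool rules that follow: the server never hands out the gateway, the DNS server or an explicitly excluded address, the client records its renewal point at 50% of the lease and renews by unicast to the server that leased it, and a request for an address that was never offered to that client gets a NAK. Placing the server on the gateway address, the 10.1.1.0/24 pool and the MAC addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST = "255.255.255.255"


@dataclass
class Msg:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK or NAK
    dst: str             # broadcast or unicast destination
    client_mac: str
    yiaddr: str = None   # "your" address: offered, requested or confirmed
    server_id: str = None
    lease: int = 0       # seconds


class DhcpServer:
    """Pool server for one subnet. Gateway, DNS and excluded addresses are never handed out."""

    def __init__(self, network, gateway, dns, excluded=(), lease_seconds=86400):
        self.server_ip = gateway  # assumption: the server answers on the gateway interface
        self.lease = lease_seconds
        blocked = set(excluded) | {gateway, dns}
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts() if str(h) not in blocked]
        self.offered, self.leases = {}, {}

    def handle(self, msg):
        mac = msg.client_mac
        if msg.kind == "DISCOVER":
            ip = self.leases.get(mac) or self.offered.get(mac)  # re-offer what this client already has
            if ip is None:
                if not self.free:
                    return None  # pool exhausted: stay silent
                ip = self.free.pop(0)
                self.offered[mac] = ip
            return Msg("OFFER", ip, mac, yiaddr=ip, server_id=self.server_ip, lease=self.lease)
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                return None  # the client chose another server's offer
            if self.offered.get(mac) == msg.yiaddr or self.leases.get(mac) == msg.yiaddr:
                self.offered.pop(mac, None)
                self.leases[mac] = msg.yiaddr
                return Msg("ACK", msg.yiaddr, mac, yiaddr=msg.yiaddr, server_id=self.server_ip, lease=self.lease)
            return Msg("NAK", BROADCAST, mac, server_id=self.server_ip)
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.ip, self.server, self.lease, self.t1 = mac, None, None, 0, 0

    def discover(self):
        return Msg("DISCOVER", BROADCAST, self.mac)

    def request(self, offer):
        return Msg("REQUEST", BROADCAST, self.mac, yiaddr=offer.yiaddr, server_id=offer.server_id)

    def bind(self, ack):
        self.ip, self.server, self.lease = ack.yiaddr, ack.server_id, ack.lease
        self.t1 = ack.lease // 2  # renewal attempt at 50% of the lease, as the notes state

    def renew(self):
        return Msg("REQUEST", self.server, self.mac, yiaddr=self.ip, server_id=self.server)  # unicast


def acquire(client, server):
    """Run the four-message exchange and return the trace of (message kind, destination)."""
    trace = []
    discover = client.discover()
    trace.append((discover.kind, discover.dst))
    offer = server.handle(discover)
    if offer is None:
        return trace
    trace.append((offer.kind, offer.dst))
    request = client.request(offer)
    trace.append((request.kind, request.dst))
    ack = server.handle(request)
    trace.append((ack.kind, ack.dst))
    if ack.kind == "ACK":
        client.bind(ack)
    return trace


if __name__ == "__main__":
    srv = DhcpServer("10.1.1.0/24", gateway="10.1.1.1", dns="10.1.1.2", excluded=("10.1.1.2",))
    pc = DhcpClient("00:11:22:33:44:55")
    print(acquire(pc, srv), pc.ip, "renew at", pc.t1, "s")
```

The trace shows the notes' pattern: DISCOVER and REQUEST leave as broadcasts, OFFER and ACK come back unicast to the address being assigned, and the later renewal goes straight to the leasing server.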

DHCP interface pool configuration

dhcp select interface

dhcp server dns-list 10.1.1.2

dhcp server excluded-ip-address 10.1.1.2 *** excludes the IP address of the DNS server

Exclude the gateway IP address as well, as it is used by everyone as the entry point.

DHCP global pool configuration

dhcp enable

[Huawei-ip-pool-pool2]network 10.2.2.0 mask 24

[Huawei-ip-pool-pool2]gateway-list 10.2.2.1

[Huawei-ip-pool-pool2]lease day 1

[Huawei-ip-pool-pool2]quit

[Huawei-GigabitEthernet0/0/1]dhcp select global

FTP protocol
Sending files

E.g Updating operating system

Telnet protocol principle

Remote access for large organisations

Security, ssh

Telnet client and telnet server

Password vty 0 4

Gateway vs next hop (address)

A switch has a gateway only if it is layer 3, separating full access from private access. On a router,
it is the port's assigned IP address.

Default gateway: the IP address "door" taking you from one subnet to another.

Layer 2 switches are not gateways; they use MAC addresses and are on the same LAN.

VLANs isolate into sub-interfaces – data link layer.

Next hop is a link for a specific device to another port.

Intermediate Training
Huawei enterprise solutions for performance, scalability, reliability, security and management

Advanced Enterprise Solutions (Overview)


Expanding Enterprise Networks
Telecoms Solutions for Enterprise Networks
Enterprise Network Efficiency
Enterprise Network Security
Network and application

Enterprise Network Management


Monitoring through eSight. Remote, such as with Wireshark.

Next Generation Enterprise Networks


Private, public and hybrid cloud.

Link Aggregation
Optimizing the throughput of data, link aggregation enables the binding of multiple physical interfaces
into a single logical pipe. (Performance, scalability, reliability)
Provides for increased bandwidth, enhanced reliability and support of load balancing.

Application in the Enterprise Network


Where demand for data transmission is highest; the point of departure to a foreign destination.

Link Aggregation Modes

Based on LACP on a link aggregation.

Data Flow Control


Speed 1000.

Frames with the same source MAC address are transmitted over the same physical link.

Frames with the same destination....

…

L2 Link Aggregation Configuration


L3 Link Aggregation Configuration
Transition the trunk from 2nd layer to the 3rd layer

Use undo port switch, then an IP address can be assigned to the interface.

Displaying Aggregation
….

VLAN (Virtual Local Area Network) Principles


For safety, put it on a separate VLAN.

Manage the large network by dividing into subnetworks.

Improve the manageability

LAN Limitation
VLAN Technology
Enable logical isolation of network traffic

At the data link layer.

Created on switches, at the same OSI model layer as switches.

VLAN Frame Format


The VLAN tag contains the Tag Protocol Identifier (TPID) – the IEEE 802.1Q tag format – and Tag Control
Information (TCI) to carry data. The Priority Code Point is a traffic classification field used to differentiate
forms of traffic, such as voice, video, data, etc. It is shown as a 3-bit value (0–7), understood as
general 802.1Q class of service (CoS).

Drop Eligible Indicator (DEI): a true/false bit that determines eligibility to discard the data.

Link Types
Trunk: backbone for the transmission of VLAN traffic between switches.

Access: between an end system and a switch device participating in VLAN tagging.

Port VLAN ID
Each interface has a default VLAN, recognised as the Port VLAN ID (PVID). This determines the
behaviour applied to any frames being received or transmitted.

Port Types – Access


Access ports are associated with access links, and frames being transmitted from an interface are assigned
a VLAN tag equal to the Port VLAN ID (PVID).

If the tag and the PVID differ, the frame is not forwarded but discarded. An untagged frame is forwarded to the
interface of the switch to all other destinations to be understood.

Port types – Trunk


Decides what is transmitted. Trunk ports are associated with trunk links; the PVID identifies VLAN frames
required to carry a VLAN tag before forwarding. If it has the PVID it can travel, otherwise a VLAN tag must
be included.

Port Types – Hybrid


Hybrid ports are either tagged or untagged. VLAN communication is managed port by port. A trunk port
is not connected to a machine but to a switch.

Hybrid ports represent the default for Huawei devices. If it is tagged, the PVID allows it to travel. If it is
untagged, it must be in the access area to be transmitted. If it is on the trunk, it must be tagged to travel.
A tag must be added by the port which received an untagged frame from an end system.

Hybrid ports something about tags corresponding to a PVID
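Added example (not from the notes) serving both the VLAN frame-format notes and the port-type notes above: it packs and parses the 802.1Q tag (TPID 0x8100, then PCP, DEI and VID), rejects the reserved VIDs 0 and 4095 so only 1–4094 is accepted, and models access, trunk and hybrid port behaviour on ingress and egress around the PVID. The frame bytes and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100

# Constructed untagged frame: dst, src, EtherType 0x0800, zero payload (not a capture)
UNTAGGED = bytes.fromhex("001122334455" "00aabbccddee" "0800") + b"\x00" * 46


def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits). VID 0 and 4095 are reserved; usable range is 1-4094."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad tag fields")
    return (pcp << 13) | (dei << 12) | vid


def parse_tag(frame: bytes):
    """Return the tag fields, or None when the frame carries no 802.1Q tag."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, = struct.unpack("!H", frame[14:16])
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei)) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


class Port:
    """Access, trunk or hybrid port behaviour from the notes, keyed on the PVID. For a trunk, `tagged`
    is the allow-pass list; for a hybrid port both sets are configured per VLAN."""

    def __init__(self, link_type, pvid, tagged=(), untagged=()):
        self.link_type, self.pvid = link_type, pvid
        self.tagged, self.untagged = set(tagged), set(untagged) | {pvid}

    def ingress(self, frame: bytes):
        """Frame arriving from the wire -> tagged frame for the switch, or None if discarded."""
        tag = parse_tag(frame)
        if tag is None:
            return add_tag(frame, self.pvid)  # untagged: the port adds its PVID
        if self.link_type == "access":
            return frame if tag["vid"] == self.pvid else None
        return frame if tag["vid"] in (self.tagged | self.untagged) else None

    def egress(self, frame: bytes):
        """Tagged frame from the switch -> what goes on the wire, or None if this port may not carry it."""
        vid = parse_tag(frame)["vid"]
        if self.link_type == "access":
            return strip_tag(frame) if vid == self.pvid else None
        if vid in self.untagged:  # trunk: only the PVID leaves untagged; hybrid: every untagged VLAN
            return strip_tag(frame)
        if vid in self.tagged:
            return frame
        return None


if __name__ == "__main__":
    trunk = Port("trunk", pvid=1, tagged=(2, 3))
    for vid in (1, 2, 4):
        out = trunk.egress(add_tag(UNTAGGED, vid))
        print(f"trunk egress VLAN {vid}:", "dropped" if out is None else ("untagged" if parse_tag(out) is None else "tagged"))
```

A trunk with `port trunk pvid vlan 10` and `port trunk allow-pass vlan 2 3` is `Port("trunk", 10, tagged=(2, 3))` in this model; VLAN 10 leaves untagged, 2 and 3 leave tagged, anything else is dropped.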

VLAN Assignment Methods


Port based, e.g. G0/0, g0/0/7

MAC address based, e.g. 00:01:02:03:04:AA

IP subnet based, e.g. 10.0.0.1

Protocol based, e.g. IP, IPX

Policy based, e.g. 10.0.1, g0/07, 00:01:02:04:AA

Creating a VLAN
VLAN range 1-4094.

VLAN batch (each host)


All ports are associated with VLAN 1 as the default

Setting the port Link type


0/0/1, the layer for trunks: tagged

0/0/5, trunk access: untagged

All Huawei switches are hybrid. Look at the image for the switch.

Creating VLANs
vlan <ID>

port <location>

port link-type <access/trunk>

Forwarding over the Trunk


port link-type trunk

port trunk pvid vlan 10

port trunk allow-pass vlan 2 3  # forwarding over the trunk

Access untagged, link down (inactive) as it is unspecified

Access untagged, link up (active), specified... it was added to the trunk

Configuring Hybrid Port


[SWA.....0/0/5]

Voice VLAN Application


voice-vlan 2 enable ….. (required)

mode auto: whether to add the port or not

voice-vlan mac-address <mac-address>

Associated with the voice VLAN based on the Organisationally Unique Identifier (OUI)

GARP and GVRP


The VLANs organise themselves as though they were routers (network layer 2); this is however the
data link layer 2. For implementation and removal of

Generic Attribute Registration Protocol (GARP)


An architecture for the registration, deregistration and propagation of attributes between switches is
enabled. GARP is employed by GVRP – the shell, the virtual machine.

PDUs (Protocol Data Units) are sent by GARP and use the multicast MAC address 01:20:C2:00:00:21.

Events between switches:

0: LeaveAll event

1: JoinEmpty event

2: JoinIn event

3: LeaveEmpty event

4: LeaveIn event

5: Empty event

Attribute events – Join message


Allows the device to join the attributes. Either:

JoinEmpty: Unregistered

JoinIn: Declared a registered attribute

Attribute events - leave message


Trying to deregister what has been registered.

LeaveIn:

LeaveEmpty:

Attribute events – Leave All message

GVRP
Registration modes
VLAN Types:

Static (Manually for registration)

Dynamic (Automatically for registration)

Registration modes:

Fixed: only sends declarations; static registration

Normal: permits static and dynamic VLANs

Forbidden: the GVRP interface is disabled from dynamically registering and
deregistering VLANs, except for VLAN 1 – default Huawei router

Enabling GVRP
The command gvrp is used to enable GVRP once the interface has been configured to operate as part of a
VLAN.

port trunk allow-pass vlan all

gvrp registration fixed/normal

[SWA]display gvrp status … “GVRP is enabled”


VLAN routing
VLAN Disadvantages
Forbidden access

VLAN Routing
VLAN frames are routed over a trunk link for port conservation.

VLAN routing features


2 IP addresses; however, one IP address is virtual – a sub-interface

VLAN Routing Config


**[SWA]vlan batch 2 3

[SWA]port link-type access

[SWA]port trunk allow-access all**

[RTA] interface GigabitEthernet0/0/1.1 ... creating the sub-interface

[RTA-GigabitEthernet0/0/1.1] dot1q termination vid 2

The port receiving a VLAN packet will remove the VLAN tag from the frame and forward the
packet via layer 3 routing.

[RTA-GigabitEthernet0/0/1.1]arp broadcast enable

Applied to each logical interface, if it remains disabled on the sub-interface the router will
discard packets!!

*** learn the sequence of all commands****

L3 Switch based VLAN routing


VLANIFs (VLAN interfaces) are used by each VLAN as the route gateway.

Benefit over a router:

Forwarding VLAN traffic with minimum delay.

Known as line-speed forwarding

VLAN Gateway assigned

Wireless LAN Overview


Development of WLAN
Wireless Local Area Network Evolution
Fixed network

802.11a/b 54 MBps 2.4GHz

802.11n 600Mbps 2.4-5GHz


802.11 ac >1 Gbps 5GHz

BYOD

Wireless coverage
Wireless LAN solutions
Wireless LAN security
Principle and Configuration of HDLC and PPP
Point-to-point : Data link layer 2

Frame relay : Data link layer 2

HDLC : Data layer 2

Serial Signaling
Connect via Ethernet or serial link

Synchronous access

Asynchronous access

The HDLC (High Level Data Link Control) Protocol


Supports both

Basic Config of HDLC


[RTA] interface serial 1/0/0

[RTA-Serial1/0/0] link-protocol hdlc

[RTA-Serial1/0/0] ip address 10.0.1.1 30

Assigning Unnumbered Addresses in HDLC


IP addresses can be borrowed from other interfaces in order to establish connectivity, i.e. Eduroam

ISP provides links occasionally.

Config validation
[RTA] display ip interface brief

PPP protocol Application


A multiprotocol standard used, like HDLC, to define the link layer operation over a serial medium.

Encapsulates and transmits network layer packets over point-to-point (P2P) links, both full-duplex
synchronous and asynchronous. Built on Serial Line Internet Protocol (SLIP).

Frame relay (FR) only supports synchronous links – such as with banks that are standalone.

Components of PPP
PPP encapsulation method: ….

Link Control protocol: …

Network Control Protocol: ….


PPP Frame:
LCP packets, NCP packets...

Packet types used in LCP negotiation

Configure-Request

Configure-Acknowledgement

Configure-Nak, unaccepted configuration options

Configure-Reject

Common Link Parameters of LCP Negotiation


Maximum Receive Unit

Authentication protocol

Magic Number

PPP Basic Configuration


[RTA] interface serial 0/0/0

[RTA-Serial0/0/0] link-protocol ppp

PPP Authentication Mode – PAP

PPP Authentication Mode – CHAP (Challenge handshake authentication protocol)


Configuring PAP Authentication
Less secure than CHAP (encryption based), as the password is sent in plaintext

[RTA] aaa

[RTA-aaa] local-user huawei password cipher huawei123

AAA: Authentication, Acknowledge
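Why CHAP is preferred over PAP, shown as an added Python example (not from the notes or from Huawei): the PAP request carries the password itself, whereas CHAP sends a random challenge and the peer answers with MD5(Identifier || secret || Challenge) as in RFC 1994, so the secret never crosses the link and a captured response cannot be replayed against a fresh challenge. The username and secret reuse the local-user from the config above; the PAP encoding and the fixed test challenge are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def pap_request(username, password):
    """What PAP puts on the wire: the credentials in clear (constructed encoding)."""
    return username.encode() + b":" + password.encode()

class ChapAuthenticator:
    """Authenticator side: issues challenges, checks responses against the local user table."""
    def __init__(self, users):
        self.users = dict(users)        # username -> secret (bytes), as per 'local-user ... password'
        self.outstanding = {}           # identifier -> challenge awaiting a response

    def challenge(self, identifier, value=None):
        value = os.urandom(16) if value is None else value   # fixed value only for tests
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier, username, response):
        chal = self.outstanding.pop(identifier, None)   # one response per challenge: no replay
        secret = self.users.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)

def chap_exchange(auth, identifier, username, secret, challenge_value=None):
    """Run one exchange and return (success, bytes that crossed the link)."""
    chal = auth.challenge(identifier, challenge_value)
    resp = chap_response(identifier, secret, chal)
    wire = chal + username.encode() + resp
    return auth.verify(identifier, username, resp), wire

if __name__ == "__main__":
    auth = ChapAuthenticator({"huawei": b"huawei123"})
    ok, wire = chap_exchange(auth, 1, "huawei", b"huawei123")
    print("CHAP success:", ok, "| secret visible on wire:", b"huawei123" in wire)
    print("PAP secret visible on wire:", b"huawei123" in pap_request("huawei", "huawei123"))
```

Both ends must hold the same secret for the same username, which is the point behind "both must have the same user name and password" in the AAA local config section later on.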

Frame Relay Principles


Frame relay networks comprise Data Terminal Equipment (DTE) and Data Circuit-terminating
Equipment (DCE).

DTE is at the edge of the customer network

LMI Negotiation Process


Using the LMI protocol, a link can negotiate with the frame relay switch

Inverse ARP Negotiation Process


Its main function is to resolve the IP address of the remote device connected to every virtual circuit
(VC). If the protocol address of the remote device connected to the VC is known, the mapping between the
remote protocol address and the DLCI can be created on the local end, which avoids configuring the
address mapping manually.

Frame Relay & Split Horizon


Split Horizon: Prevents data received on an interface from being forwarded out of the same physical interface.

Frame relay sub-interfaces


Apply a logical sub-interface to a single physical interface. Two types:

Point-to-Point: Connect a single remote device. The peer address is identified

Point-to-Multipoint: Used to connect multiple remote devices, each PVC will map the protocol
address of its connected remote device. Different PVCs can reach different remote devices.

The address mapping must be configured manually, or dynamically set up through the Inverse Address
Resolution Protocol (InARP)

Frame Relay Config –Dynamic Mapping


You need InARP – Inverse Address Resolution Protocol – and a link layer protocol type. The interface on
the customer side must be the DTE at the edge. This is the default on Huawei ARG3 series routers, which are
set to DTE.

To allow the dynamic mapping to occur, the fr inarp command is applied.

***See Syntax***

Using fr inarp it is possible to discover all permanent virtual circuits (PVCs) associated with the local
interface

Frame Relay Configuration –Static Mapping


The fr map ip [dest-addr [mask] dlci-number] command configures a static mapping by associating the
protocol address with a DLCI.

This config helps upper layer protocols locate a peer device based on the protocol address of the peer
device.

READ rules

Need DLCI number.

Simple methods to transmit and exchange data.

Principle and Configuration of PPPoE (Point-to-Point over Ethernet)


Fiber is possible.

Digital Subscriber Lines


Old tech, dial-up,

BRAS (Broadband Remote Access Server)


PPPoE Application in DSL
No security, no authentication

PPPoE Protocol Packets:


PADI: Active Discovery Initiation Packet

PADO:

PADR:

PADS:

PADT:

PADI, PADO and PADR are needed to open a connection.

PADT closes the connection

PPPoE session Establishment Protocol


PADI is sent to all to determine who needs the data.

PADO is sent back.

If no response is received, PADR is sent to the relevant address.

PADS opens the session.

PADT: the session is over; terminate the session
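The discovery exchange above, carried through as an added Python example (not from the notes and not Huawei code): both sides are modelled, with the RFC 2516 discovery header (version/type 0x11, code, session id, length) and TLV tags. The PADI carries session id 0, the access concentrator answers PADO with an AC-Cookie, only a PADR that returns that cookie gets a PADS with a non-zero session id, and PADT tears the session down. The AC name, the cookie scheme and the Host-Uniq value are constructed for the example.

```python
import os
import struct

# PPPoE Active Discovery codes (RFC 2516)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104

def build(code, session_id, tags):
    """Serialise a discovery packet: 6-byte header followed by (type, length, value) tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body   # ver=1, type=1

def parse(pkt):
    """Return (code, session_id, {tag_type: value}); rejects truncated or malformed packets."""
    if len(pkt) < 6:
        raise ValueError("short PPPoE header")
    vt, code, sid, length = struct.unpack("!BBHH", pkt[:6])
    if vt != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body = pkt[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    tags, off = {}, 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + l > len(body):
            raise ValueError("tag overruns payload")
        tags[t] = body[off:off + l]
        off += l
    return code, sid, tags

class AccessConcentrator:
    """Server side (the BRAS). Issues an AC-Cookie in PADO and opens a session only for a
    PADR that returns it, so a PADR alone cannot allocate sessions (constructed cookie scheme)."""
    def __init__(self, name):
        self.name = name.encode()
        self.cookies = set()
        self.sessions = {}
        self.next_sid = 1

    def handle(self, pkt):
        code, sid, tags = parse(pkt)
        echo = [(TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in tags else []
        svc = [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b""))]
        if code == PADI and sid == 0:
            cookie = os.urandom(8)
            self.cookies.add(cookie)
            return build(PADO, 0, svc + [(TAG_AC_NAME, self.name), (TAG_AC_COOKIE, cookie)] + echo)
        if code == PADR and sid == 0:
            if tags.get(TAG_AC_COOKIE) not in self.cookies:
                return None                       # no valid cookie: PADR is ignored
            self.cookies.discard(tags[TAG_AC_COOKIE])
            new_sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.sessions[new_sid] = True
            return build(PADS, new_sid, svc + echo)
        if code == PADT:
            self.sessions.pop(sid, None)          # either side may send PADT to end the session
        return None

def run_discovery(ac, host_uniq=b"\x00\x01"):
    """Client side: PADI -> PADO -> PADR -> PADS. Returns (session_id or None, codes exchanged)."""
    trace = [PADI]
    pado = ac.handle(build(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        return None, trace
    code, _, tags = parse(pado)
    trace.append(code)
    if code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        return None, trace                        # not an answer to our PADI
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_COOKIE, tags[TAG_AC_COOKIE]),
                           (TAG_HOST_UNIQ, host_uniq)])
    trace.append(PADR)
    pads = ac.handle(padr)
    if pads is None:
        return None, trace
    code, sid, _ = parse(pads)
    trace.append(code)
    return (sid if code == PADS else None), trace

def terminate(ac, sid):
    """Send PADT for the session; True when the AC no longer holds it."""
    ac.handle(build(PADT, sid, []))
    return sid not in ac.sessions

if __name__ == "__main__":
    ac = AccessConcentrator("bras-1")
    sid, trace = run_discovery(ac)
    print("session", sid, "codes", [hex(c) for c in trace], "closed:", terminate(ac, sid))
```

Echoing Host-Uniq lets a client that sent one PADI tell the matching PADO apart from unrelated offers on the same broadcast segment; the cookie check is the AC's equivalent.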

Configuring A PPP Dialer interface


Old reliable. Three steps:

Dial-up interface

Network Address Translation (NAT)


Private & Public Networks
NAT behaviour
Uses the established boundary of the gateway router to identify network domains for translation.
Separates public from private.

A NAT must be able to create a mapping table within the gateway, allowing the gateway to determine
to which private network destination address a packet received from the public network should be sent;
this again requires address translation to be performed along the return path.

Static NAT
Represents a one-to-one (single IP address) mapping that is manually configured by the
administrator
Dynamic NAT
Works on the principle of an address pool. Internal end systems wishing to forward traffic to a public
network can associate with a public address from an address pool.

Network Address port translation (NAPT)


Security reason: internal ports should not be available externally. Hides the IP address and the port
numbers. The ISP provides public port numbers in lieu of the private individual's port number. More like
dynamic NAT.

Easy IP
The WAN interface's address is used as a single public address for all internal users, with port numbers
used to distinguish sessions. Easy IP suits a dial-up link where the outbound interface receives a temporary
public IP address. Small scale enterprises.
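The mapping table the gateway keeps, as an added Python example (not from the notes or from Huawei VRP): one class models Easy IP / NAPT (a single public address, ports rewritten), dynamic NAT without PAT (one public address per inside host, drop when the pool is exhausted) and static one-to-one entries. The return-path lookup shows the security property the notes mention: an inbound packet to a public port with no table entry or static entry has nowhere to go and is dropped. The addresses are the ones in the notes' config examples; the starting port number is a constructed assumption.

```python
import ipaddress
from itertools import count

class NatGateway:
    """NAT mapping table on the gateway.
    pat=True  -> NAPT / Easy IP: all hosts share pool[0], source ports are rewritten.
    pat=False -> dynamic NAT 'no-pat': each inside host gets its own public address."""
    def __init__(self, inside_net, pool, pat=True):
        self.inside = ipaddress.ip_network(inside_net)   # the 'interesting' range the ACL would match
        self.pool = list(pool)
        self.pat = pat
        self.out = {}        # private (ip, port) -> public (ip, port)
        self.back = {}       # public (ip, port) -> private (ip, port)
        self.host_map = {}   # no-pat: private ip -> public ip
        self.ports = count(1024)   # first translated port (assumed value)
        self.static = {}     # public (ip, port or None) -> private (ip, port or None)

    def add_static(self, global_ip, inside_ip, global_port=None, inside_port=None):
        """'nat static' when ports are None; 'nat server' when a port pair is given."""
        self.static[(global_ip, global_port)] = (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port):
        """Returns the public (ip, port) written into the packet, the original pair when the
        source is outside the translated range, or None when the packet must be dropped."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return (src_ip, src_port)            # not matched: forwarded untranslated
        for (g_ip, g_port), (i_ip, i_port) in self.static.items():
            if i_ip == src_ip and i_port is None:
                return (g_ip, src_port)          # static one-to-one mapping wins
        key = (src_ip, src_port)
        if key in self.out:
            return self.out[key]                 # existing session reuses its entry
        if self.pat:
            pub = (self.pool[0], next(self.ports))
        else:
            pub_ip = self.host_map.get(src_ip)
            if pub_ip is None:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return None                  # pool exhausted: packet dropped
                pub_ip = free[0]
                self.host_map[src_ip] = pub_ip
            pub = (pub_ip, src_port)
        self.out[key] = pub
        self.back[pub] = key
        return pub

    def translate_inbound(self, dst_ip, dst_port):
        """Return-path lookup: only established sessions and static entries are reachable."""
        if (dst_ip, dst_port) in self.static:
            return self.static[(dst_ip, dst_port)]
        if (dst_ip, None) in self.static:
            return (self.static[(dst_ip, None)][0], dst_port)
        return self.back.get((dst_ip, dst_port))  # None: no mapping, dropped

if __name__ == "__main__":
    easy = NatGateway("192.168.1.0/24", ["200.10.10.1"])          # WAN address from the notes
    print(easy.translate_outbound("192.168.1.10", 40000))          # ('200.10.10.1', 1024)
    print(easy.translate_inbound("200.10.10.1", 1024))             # ('192.168.1.10', 40000)
    print(easy.translate_inbound("200.10.10.1", 8080))             # None: unsolicited, dropped
```

The no-pat variant is what "nat outbound 2000 address-group 1 no-pat" in the dynamic NAT config gives: the pool 200.10.10.11 to 200.10.10.16 serves at most six concurrent inside hosts, after which new hosts get nothing.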

NAT Internal Server


E.g. Accessing the UCT/WITs server externally

External sources can reach internal addresses.

Mapping of both the IP address and port number is performed.

Mapping occurs.

Static NAT Config


[RTA]interface GigabitEthernet0/0/1 …. Inbound, default gateway

[RTA-GigabitEthernet0/0/1]ip address 192.168.1.254 24 ….

[RTA] interface Serial1/0/0

[RTA-Serial1/0/0]ip address 200.10.10.1 24

[RTA]nat static global 200.10.10.5 inside 192.168.1.1 .... invoking NAT static

[RTA] display nat static

...

Netmask: 255.255.255.255

Dynamic NAT Config


[RTA]nat address-group 1 200.10.10.11 200.10.10.16 …. pool of IP addresses

[RTA]acl 2000 …. Access Control List (ACL)

[RTA-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255 (subnet)

[RTA-acl-basic-2000]quit
[RTA-Serial1/0/0]nat outbound 2000 address-group 1 no-pat

We have ACL (Access Control List) 2000

Rule 5, 10, 15

outbound – we request their port numbers and IP addresses, belongs to address group 1

no-pat : No port address translation

Easy IP Configuration
Very similar to dynamic, rely on the creation of an access control list for defining address range to which
to translate. Perform the nat outbound command.

NAT Internal Server Configuration


[RTA] nat server protocol tcp global 200.10.10.5 www inside 192.168.1.1 8080

Establishing Enterprise Radio Access Network Solutions


Wireless WAN Overview (WWAN)
Mobile station (MS) or User Equipment (UE) to communicate. On 3G (UMTS) and 4G (LTE)

Wireless WAN and the Enterprise Network


Security, reliability

Enterprise Wireless WAN Solution


Failover solutions for 2G and 3G... If 2G is down you seamlessly transfer to 3G vice versa

Establishing the 3G Network


3G network parameters are defined on the cellular interface. Create the interface, known as

[Huawei] interface cellular 0/0/0

ip address ppp-negotiate

prof

Setting the dial control center


Dial Control Center is implemented. The dialer-rule command initiates the dialer-rule view where the
rules are defined to enable IPv4 –32 bits- to carry over the interface. Dialer-rule number (E.g. +27 ZAR).

Configure NAT Rule & Static Route


[Huawei]acl number 3002

[Huawei-acl-adv-3002]rule <5|10|15> permit ip source 192.168.1.0 0.0.0.255

[Huawei-acl-adv-3002]quit

[Huawei]interface cellular 0/0/0

[Huawei-cellular0/0/0]nat outbound 3002

[Huawei-cellular0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0 cellular 0/0/0

Access Control Lists (ACL)


IPv4 –32 bits security but bulky.

IPv6-128 bits due to increased security, however it is streamlined and incorporated making it less bulky

Monitoring (performance) and Security.

ACL: For better management and filtering of traffic as part of security.

Filtering Restricted Traffic


ACL is a mechanism that implements access control for a system resource by listing the entities based on
parameters (rules) to permit access to the resource.

Filtering Interesting Traffic


ACL Types
Basic

Value Range: 2000-2999

Parameter: Source IP

Advanced

Value Range: 3000-3999

Parameter: Source & Destination IP, Protocol, Source & Destination port

Layer 2 ACL

Value Range: 4000-4999

Parameter: MAC Address

Can all be applied on AR2200 series routers

Packet filtering parameters vary for each ACL types

ACL Rule Management


Rules increment 5 -> 10-> 15-> 20

Basic ACL
[RTA-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255

[RTA-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255

[RTA]interface GigabitEthernet 0/0/0

[RTA-GigabitEthernet0/0/0]traffic-filter outbound acl 2000

Advanced ACL
[RTA]acl 3000
[RTA-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0
destination-port eq 21 … FTP ports 20 or 21

[RTA-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0 .. default
route, all IPv4 addresses on the local machine

[RTA-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
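How the basic and advanced ACLs above are evaluated, as an added Python example (not the notes' own material and not Huawei code): wildcard masks where a 1 bit means "don't care" (0.0.0.0 is an exact host), rule numbers auto-assigned in steps of 5, first match in rule-number order decides, and a basic ACL accepts source criteria only. Unmatched packets are treated as permitted here, which is the traffic-filter behaviour assumed for this model; check it on the platform you are on. The sample ACLs reproduce ACL 2000 and ACL 3000 from the notes; the packet dictionaries are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei-style wildcard: bits set to 1 are ignored, bits set to 0 must match."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

class Acl:
    STEP = 5                      # rule numbers increment 5 -> 10 -> 15 -> 20

    def __init__(self, number):
        if 2000 <= number <= 2999:
            self.kind = "basic"
        elif 3000 <= number <= 3999:
            self.kind = "advanced"
        else:
            raise ValueError("only basic (2000-2999) and advanced (3000-3999) ACLs are modelled")
        self.number = number
        self.rules = []           # (rule_id, action, criteria)

    def rule(self, action, source=None, destination=None, protocol=None,
             destination_port=None, rule_id=None):
        """Add a rule; source/destination are (address, wildcard) tuples."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if self.kind == "basic" and (destination or protocol or destination_port is not None):
            raise ValueError("basic ACLs filter on source address only")
        if rule_id is None:       # next multiple of STEP above the current highest rule
            last = max((r[0] for r in self.rules), default=0)
            rule_id = (last // self.STEP + 1) * self.STEP
        crit = {"source": source, "destination": destination,
                "protocol": protocol, "destination_port": destination_port}
        self.rules.append((rule_id, action, crit))
        self.rules.sort(key=lambda r: r[0])
        return rule_id

    def evaluate(self, pkt):
        """Return (action, matching rule id); ('permit', None) when no rule matches (assumed)."""
        for rule_id, action, c in self.rules:
            if c["source"] and not wildcard_match(pkt["src"], *c["source"]):
                continue
            if c["destination"] and not wildcard_match(pkt["dst"], *c["destination"]):
                continue
            if c["protocol"] not in (None, "ip") and c["protocol"] != pkt.get("proto"):
                continue
            if c["destination_port"] is not None and c["destination_port"] != pkt.get("dport"):
                continue
            return action, rule_id
        return "permit", None

# ACL 2000 and ACL 3000 exactly as in the notes above
ACL_2000 = Acl(2000)
ACL_2000.rule("deny", source=("192.168.1.0", "0.0.0.255"))
ACL_2000.rule("permit", source=("192.168.2.0", "0.0.0.255"))

ACL_3000 = Acl(3000)
ACL_3000.rule("deny", source=("192.168.1.0", "0.0.0.255"), destination=("172.16.10.1", "0.0.0.0"),
              protocol="tcp", destination_port=21)
ACL_3000.rule("deny", source=("192.168.2.0", "0.0.0.255"), destination=("172.16.10.2", "0.0.0.0"),
              protocol="ip")

if __name__ == "__main__":
    # constructed sample packets
    print(ACL_3000.evaluate({"src": "192.168.1.5", "dst": "172.16.10.1", "proto": "tcp", "dport": 21}))
    print(ACL_3000.evaluate({"src": "192.168.1.5", "dst": "172.16.10.1", "proto": "tcp", "dport": 22}))
    print(ACL_2000.evaluate({"src": "192.168.1.200"}))
```

Note the asymmetry in ACL 3000: the first rule blocks only the FTP control port, so any other TCP port from 192.168.1.0/24 to 172.16.10.1 still passes, whereas the second rule (protocol ip) blocks everything from 192.168.2.0/24 to 172.16.10.2.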

ACL Application –NAT (Network Address Translation)


You can apply ACL on NAT

AAA (Authentication, Accounting, Authorisation)


Authentication
You must be authenticated to communicate

Accounting
AAA Local Config
Both must have the same user name and password

Securing Data with IPSec VPN


The methods of securing your environment.

IPSec – network layer 3

A SA (Security Association) is shared in a single direction

Two modes:

IPSec Transport Mode:

IPSec Tunnel Mode: More secure

Reachability

Identify interesting traffic

Establish IPSec Proposal

Create IPSec Policy

Apply Policy to Interface

IPSec VPN Configuration


...

Required network layer communication for an IPSec VPN. An advanced ACL is needed to determine the
protocols, ports and IP addresses.

E.g. use authentication algorithms [md5 | sha1 | sha2-256 | sha2-384 | ….]
The sha* must correlate between devices that are to communicate.

IPSec Policy Creation


IPSec Policy defines parameters for establishing IPSec SA:

Policy-name

seq-number (1-15)

Multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group. The IPSec
policy group contains a maximum of 16 IPSec policies. The smallest IPSec sequence number has the
highest priority. The group must be applied to an interface

The Tunnel local and Tunnel remote have links that determine where the tunnel starts and ends.

The SPI (Source Parameter Index)

The Inbound SPI must be the same as the outbound SPI, the number

Finally, authentication key must be defined as inbound and outbound, they must be the same

IPSec policy Creation


[RTA]ipsec policy P1 10 manual

[RTA-ipsec-policy-manual-P1-10]security acl 3001


...

Applying policies to interfaces


IPSec Policy Verification

Generic Routing Encapsulation (GRE)


GRE Application
Supports encapsulation of protocols over other protocols: supports multiple protocols simultaneously.

Enables routing between remote and disparate networks.

Can be implemented on tunneling. Less secure. Ideal to implement GRE tunnel and IPSec VPN

IPSec VPN (Virtual Private Network) support for GRE (Generic Routing Encapsulation)
GRE Keepalive
...

GRE Configuration
Simple Network Management Protocol (SNMP)
Management solution widely used in TCP/IP networks. An adaptation of the SGMP protocol, it forms the basis
for common network management throughout the system. SNMP is effectively a communication
medium between the network elements and the network administrator/(NMS).

Network Management Station (NMS) relies on SNMP to define sources for network information.

SNMP relays reports in the form of trap messages to the NMS so that the station can obtain network
status in near real time. This allows the network administrator to quickly act on system discrepancies
and failures.

SNMP is used to manage:

Software:

Applications

User Accounts

Write/read permissions (licenses)

Hardware:

Workstations

Servers

Network cards

Routing devices

Switches

SNMP Architecture
The network management station (NMS) has network management requests that it makes known to the
elements; hosts, gateways, terminal servers etc. The management agent resides on the network
element in order to retrieve/get or alter/set variables.

NMS associates with the management agent on each of the network elements that perform NMS
designed functions composing the MIB (Management Information Base) objects.

SNMP messages over IP require UDP

MIB Objects
Specifies the variables to be maintained by each network element. These variables are queried and set
by the management process.

The SNMP MIB has the same tree structure as the DNS (Domain Name System) with the top objects:

ISO

ITU-T (CCITT)

Joint organisation branch


Version 1:

Version2: Security upgrade

Version 3:

eSight Network Management Solutions (Huawei solution)


Monitors each component

Traffic

Introducing IPv6 Networks

IPv6 Routing Technologies

IPv6 Application Services DHCPv6

Practical Training
Entry Training
..

//

Intermediate Training
..
Lessons from the mock exams
Loopback address 127.0.0.1

VLAN 12 bits

Huawei switch forwarding delay: 0.15 seconds

ICMP protocol is applied to the network layer

ID of the OSPF backbone = area 0

OSI Model layer:

-Application

-Presentation

-Session

-Transportation

-Network

-Data link

-Physical

TCP/IP Model Layers:

-Application, session, presentation

-Transport

-Network

-Data link

OSPF uses the SPF (Shortest Path First) algorithm to calculate the shortest route

Link state routing protocol = OSPF (Open Shortest Path First)

Repeaters, hubs, network interface cards, cables and connector operate on the Physical layer

Maximum hop count RIP

DNS port number 53

Two others will either exchange LSA or send Hello packets to each other due to the existence of a DR in an OSPF broadcast network

A static route can be neither configured manually by a network administrator nor generated
automatically.

When a network condition changes a static route canNOT be rectified automatically without
reconfiguration by the network administrator
Root bridges provide root ports and designated, alternative ports

Routing Information Protocol (RIP) is NOT available in the RIPv1, RIPv2 and RIPv3 versions

When a trunk port receives an untagged frame, the switch will NOT drop the frame

One router forwards the packets according to the routing table on itself without considering the routing
table of any neighbour routers

A trunk port does not always send tagged frames to the peer equipment.

Each router only knows how to forward the packet to the next hop IP address. It doesn't know the end to
end forwarding path. This type of forwarding is called hop-by-hop forwarding

OSPF version specific to the IPv6 technology = OSPFv3

The IP protocol is unreliable and connectionless orientated.

The subnet mask of a class A address is 255.255.240.0 has 12 bits

When a node transmits data over a network medium, the data is transmitted to all the nodes on the
network. The topology used is BUS

A router runs OSPF and its interface serial 0 with IP address 10.0.0.1/30 belongs to the backbone area.
The command used to enable OSPF on this interface is = [Quidway-ospf-1-area-0.0.0.0] network
10.0.0.0 0.0.0.3

Switch-A and Switch-B are configured with ports in VLANs for departments. Each VLAN contains 20 users.
Only 5 subnets are required.

Multiple choice section


The functions of all seven layers of the OSI reference model

-The email server

-network management server.

Access ports:

-Belong to only one VLAN

-Are used for connection between switches and PC’s

Data link layer has two sub-layers:

-MAC sub-layer

-LLC sub-layer

RIP (Routing information protocol):

-User can specify the route preference of RIP higher than that of static routes
-If the route calculated by other routing protocol which is imported by RIP does not specify the
cost value, the cost value will be set as 1 by default

Routed protocols:

-IP

-OSPF (Open shortest path first)

VLAN interfaces:

-A virtual interface is required to be created for VLAN if we want to assign an IP address for that
VLAN

-VLAN interface number must be the same as the VLAN ID

If two static routes are configured to the route 10.1.1.1/32. If one does not have a value for the
preference_value parameter and the other static route is assigned with 100 for the preference_value
parameter

-The route not assigned a preference_value parameter will function as the working route

-A static route supports route backup

Functions of a router:

-Check the destination address in a datagram

-Discover possible routes

-Verify and maintain route information

Packet filtering firewall filters packet based on quintuplet. Components of quintuplet:

-IP address

-Protocol number

-Port number

Protocols used for file transfer:

-FTP

-TFTP

Standards defined by IEEE to regulate the implementation of VLAN between switches

OSPF takes the precedence to select the biggest IP address of all the loopback addresses as a router ID
unless you specify a router ID manually.

The frame is the PDU that resides at the data link layer

EUI-64 used to configure IPv6


ICMP used to ping test sending a series of packets

DD packets are used to describe LSDBs

STP interface states:

-Blocking

-Listening

-Learning

-Forwarding

-Disabled

Interior Gateway Protocol (IGP):

Route Information Protocol uses the hop count to determine the value cost

IP address consists of: Network address, Host address, subnet field, non-default masks, default subnet
mask

CHAP (Challenge-Handshake authentication protocol):

-Verify remote clients

-Challenge packet

-Response packet

-Success packet

-Failure packet

Link aggregation benefits:

-Increased bandwidth (the capacity of multiple links is combined into one logical link)

-Automatic failover

-Failback (the traffic from a failed link is automatically switched over to other working links)

ESight is supported by SNMPv1, SNMPv2c and SNMPv3

DHCP offer packet can carry more than one DNS server address

After a fault occurs in a network, a static route canNOT be rectified automatically and the network
administrator is needed to reconfigure.

(RIP) Routing Information Protocol is not available in RIPv1, RIPv2 and RIPv3 versions

On Huawei switches you can run the VLAN batch command to create multiple VLANs in batches

HDLC is an ISO standard link layer protocol and it is used to encapsulate data transmitted on an asynchronous link
One of the significant features of the PPP protocol is the authentication function. With this function, the
two ends of a link can negotiate with each other to use which authentication protocol and then perform
authentication. A PPP connection is established only when the authentication is successful.

When you configure Frame Relay on Quidway routers, you can configure inverse ARP instead of static
address mapping because the function of inverse ARP is to provide dynamic address mapping.

The operation deleting the configuration files saved in the storage devices will become effective after
rebooting the router.

Frame relay point-to-multipoint sub-port canNOT connect multiple remote nodes together through a
PVC

ICMP protocol is applied to the Network Layer

Protocols can dynamically register VLAN information:

-MVRP (Multiple VLAN registration Protocol) sends PDU (protocol data unit)

-MRP (Multiple Registration Protocol)

-GARP (Generic Attribute Registration Protocol)

ARP (Address Resolution Protocol) performs required IP routing. It finds the hardware address (MAC
address) from the IP address. ARP maintains a cache table of MAC addresses mapped to IP addresses.

HDLC is NOT an ISO standard link layer protocol and it is used to encapsulate data transmitted on an
asynchronous link.

The standard defined by IEEE to regulate the implementation of VLAN between switches is 802.1Q

A switch supporting 802.1Q protocol can support a maximum number of 4096 VLANs

ESight is not only for Huawei

When two routers synchronise their LSDBs they use DD packets to describe their LSDBs

IGP(Internal gateway protocol) is the protocol which is used for asynchronous systems

OSPF takes the precedence to select the IP address of all loopback port addresses as a router ID unless
you specify a router ID

Hop count is the parameter used by RIP to calculate the value of cost

On Huawei switches running STP, the default value of forward delay is 15 seconds

The broadcast MAC address is FF:FF:FF:FF:FF

To release the IP address assigned by the DHCP server on Windows XP, command IPconfig/release

IPv6 is 128 bits, processed in order

The protocols that can be used for file transfer is FTP and TFTP

CHAP packets:
Challenge

Response

Success

Failure
