Issue 10
Date 2016-10-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
This document provides the typical configuration examples supported by the device.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol | Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention | Description
Security Conventions
• Password setting
– To ensure device security, use ciphertext when configuring a password and change the password periodically.
– The switch considers all passwords starting and ending with %^%#, %#%#, %@%@ or @%@% as ciphertext and decrypts them. If you configure a plaintext password that starts and ends with %^%#, %#%#, %@%@ or @%@%, the switch decrypts it and records it into the configuration file (plaintext passwords are not recorded for the sake of security). Therefore, do not set a password starting and ending with %^%#, %#%#, %@%@ or @%@%.
– When you configure passwords in ciphertext, different features must use different ciphertext passwords. For example, the ciphertext password set for the AAA feature cannot be used for other features.
• Encryption algorithms
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5 encryption algorithms. 3DES, RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using the encryption algorithms DES, 3DES, RSA (RSA-1024 or lower), MD5 (in digital signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is a security risk. If protocols allow, use more secure encryption algorithms, such as AES, RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
An irreversible encryption algorithm must be used for the administrator password. SHA2 is recommended for this purpose.
• Personal data
Some personal data may be obtained or used during operation and fault location of your purchased products, services, or features. Set up privacy policies and take appropriate measures to protect personal data based on regional privacy laws.
• Mirroring
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this document are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
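The password rules above can be checked mechanically before a configuration file is committed. The following is an added example, not part of the Huawei document: a small audit over a constructed configuration excerpt that flags passwords stored with "simple" (plaintext), plaintext values wrapped in the ciphertext markers listed above, and a ciphertext value reused by different features. The command syntax of the sample lines and the rule that a value must begin and end with the same marker are assumptions made here.

```python
import re
from collections import defaultdict

# Markers the switch treats as delimiting ciphertext (from the conventions above).
CIPHERTEXT_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def looks_like_ciphertext(value: str) -> bool:
    """True if the switch would treat this value as ciphertext and try to decrypt it.
    Assumption: the same marker must appear at both ends."""
    return any(value.startswith(m) and value.endswith(m) for m in CIPHERTEXT_MARKERS)


# '<feature keywords ...> simple|cipher|irreversible-cipher <value>'; the value may be quoted.
_PW_RE = re.compile(
    r'^\s*(?P<cmd>\S+(?:\s+\S+)*?)\s+'
    r'(?P<mode>irreversible-cipher|cipher|simple)\s+'
    r'(?P<value>"[^"]*"|\S+)'
)


def audit_passwords(config_text: str):
    """Return (line number, finding) tuples; line 0 marks a finding that spans lines."""
    findings = []
    features_by_cipher = defaultdict(set)
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _PW_RE.match(line)
        if not m:
            continue
        mode, value = m["mode"], m["value"].strip('"')
        feature = m["cmd"].split()[0]   # first keyword identifies the feature (snmp-agent, ...)
        if mode == "simple":
            findings.append((lineno, "plaintext password ('simple'); store it as ciphertext"))
            if looks_like_ciphertext(value):
                findings.append((lineno, "plaintext password wrapped in ciphertext markers; "
                                         "the switch would decrypt it and record the result"))
        else:
            features_by_cipher[value].add(feature)
    for value, features in features_by_cipher.items():
        if len(features) > 1:
            findings.append((0, "same ciphertext reused by different features: "
                                + ", ".join(sorted(features))))
    return findings


# Constructed sample; the cipher values are placeholders, not real ciphertext.
SAMPLE_CONFIG = "\n".join([
    "#",
    " local-user admin password irreversible-cipher %^%#CONSTRUCTED-ADMIN-HASH%^%#",
    " snmp-agent community read cipher %^%#CONSTRUCTED-SHARED-VALUE%^%#",
    " ike peer vpn v1",
    "  pre-shared-key cipher %^%#CONSTRUCTED-SHARED-VALUE%^%#",
    " ntp-service authentication-keyid 1 authentication-mode md5 simple %@%@oops%@%@",
])

if __name__ == "__main__":
    for lineno, finding in audit_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```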
Disclaimer
This document is designed as a reference for you to configure your devices. Its contents, including web pages, command line input and output, are based on laboratory conditions. It provides instructions for general scenarios, but does not cover all use cases of all product models. The examples given may differ from your use case due to differences in software versions, models, and configuration files. When configuring your device, alter the configuration depending on your use case.
The specifications provided in this document are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
Contents
5.3 Example for Switching an Interface Between Layer 2 and Layer 3 Modes
5.4 Example for Configuring Port Isolation
10.2.3 Example for Configuring Portal Authentication to Control Internal User Access
10.3 Typical NAC Configuration (Unified Mode) (V200R007C00 and Earlier Versions, V200R008C00)
10.3.1 Example for Configuring 802.1x Authentication to Control Internal User Access
10.3.2 Example for Configuring MAC Address Authentication to Control Internal User Access
10.3.3 Example for Configuring Portal Authentication to Control Internal User Access
10.3.4 Example for Configuring Multiple Authentication Modes to Control Internal User Access
10.4 Typical NAC Configuration (Unified Mode) (V200R007C20, V200R009C00 and Later Versions)
10.4.1 Example for Configuring 802.1x Authentication to Control Internal User Access
10.4.2 Example for Configuring MAC Address Authentication to Control Internal User Access
10.4.3 Example for Configuring Portal Authentication to Control Internal User Access
10.5 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C00 and Earlier Versions, V200R008C00)
10.5.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)
10.5.2 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C00 and Earlier Versions, V200R008C00)
10.5.3 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Access Switch)
10.5.4 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
10.6 Typical NAC Configuration (Unified Mode) (the Agile Controller as the Authentication Server) (V200R007C20, V200R009C00 and Later Versions)
10.6.1 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)
10.6.2 Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch) (V200R007C20, V200R009C00 and Later Versions)
10.6.3 Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
10.6.4 Example for Configuring User Authorization Based on ACL or Dynamic VLAN Delivery
10.6.5 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts) (V200R007C20, V200R009C00 and Later Versions)
12.1.2 Example for Using ACLs to Control Access to the Specified Server in the Specified Time Range
12.1.3 Example for Using an ACL to Block Network Access of the Specified Users
12.1.4 Example for Using Reflective ACL to Implement Unidirectional Access Control
12.1.5 Example for Allowing Certain Users to Access the Internet in the Specified Time Range
12.1.6 Example for Using ACLs to Restrict Mutual Access Between Network Segments
12.1.7 Example for Using an ACL to Prevent Internal Hosts from Accessing the Internet
12.1.8 Example for Using an ACL to Prevent External Hosts from Accessing Internal Servers
12.1.9 Example for Applying ACLs to SNMP to Filter NMSs
12.2 Example for Configuring Port Security
15.11 Example for Configuring the WLAN Service Using Mesh Technology
2.1 Example for Configuring Egress Devices for Small- and Medium-Scale Campus or Branch Networks
2.2 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in In-line Mode)
2.3 Example for Configuring the Egress of a Large-scale Campus (Firewalls Are Connected to Core Switches in Bypass Mode)
2.4 Example for Configuring an Agile Campus Network
2.5 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network
2.6 Example for Configuring ACU2 and NGFW on Switches
Configuration Notes
• This configuration example applies to small- and medium-scale enterprise campus/branch egress solutions.
• This configuration example provides only the enterprise network egress configuration. For the internal network configuration, see "Small- and Mid-Sized Campus Networks" in the HUAWEI S Series Campus Switches Quick Configuration.
Networking Requirements
The headquarters and branch of an enterprise are located in different cities and far from each other. The headquarters has two departments (A and B), and the branch has only one department. A cross-regional enterprise campus network needs to be constructed to meet the following requirements:
• Users in both the headquarters and the branch have access to the Internet. In the headquarters, users in Department A can access the Internet, but users in Department B are not allowed to access the Internet. In the branch, all users can access the Internet.
• The headquarters has a web server to provide WWW service so that external users can access the internal server.
• The headquarters and branch need to communicate through VPNs over the Internet, and communication contents must be protected.
• The headquarters' campus network egress requires link-level reliability and device-level reliability.
• The branch does not need high reliability.
Solution Overview
A comprehensive configuration solution, as shown in Figure 2-1, is provided to meet the
preceding requirements. The solution adopts a multi-layer, modular, redundant, and secure
design and applies to small- and medium-scale enterprise or branch campus networks.
Figure 2-1 Configuring egress devices for small- and medium-scale campus networks or branch networks
[Topology diagram not reproduced. It shows the enterprise headquarters (Web Server, CORE, egress routers RouterA and RouterB in OSPF Area 0 running VRRP VRID1, linked by Eth-Trunk1 through Eth-Trunk4) and the enterprise branch (SwitchA, RouterC), both reaching the Internet through RouterD and RouterE.]
• Deploy Huawei S2700&S3700 switches (ACC1, ACC2, and SwitchA) at the access layer, deploy Huawei S5700 switches (CORE) at the core layer, and deploy Huawei AR3200 routers (RouterA, RouterB, and RouterC) at the campus network egress.
• In the headquarters, use redundancy between two AR egress routers (RouterA and RouterB) to ensure device-level reliability. In the branch, deploy one AR router as the egress router.
• In the headquarters, set up a stack (CORE) between two S5700 core switches to ensure device-level reliability.
• In the headquarters, deploy Eth-Trunks between access switches, the CORE, and egress routers to ensure device-level reliability.
• In the headquarters, assign a VLAN to each department and transmit services between departments at Layer 3 through VLANIF interfaces of the CORE.
• Use the CORE of the headquarters as the gateway for users and servers, and deploy a DHCP server to assign IP addresses to users.
• Deploy the gateway for branch users on the egress router.
• Deploy VRRP between the two egress routers of the headquarters to ensure reliability.
• Construct an Internet Protocol Security (IPSec) VPN between the headquarters and branch over the Internet to enable communication while ensuring data transmission security.
• Deploy Open Shortest Path First (OSPF) between the two egress routers and CORE of the headquarters to advertise user routes for future capacity expansion and maintenance.
Configuration Roadmap
The configuration roadmap is as follows:
To steer the return traffic of two egress routers of the headquarters, configure OSPF
between the two egress routers and CORE, and advertise all user network segments on
the CORE into OSPF and then to the two egress routers.
On RouterD, to steer traffic generated by access to the web server from external
networks, configure two static routes of which the destination address is the public
network address of the web server and next-hop addresses are uplink interface addresses
of the two egress routers. To ensure simultaneous route switchover and VRRP
switchover, set the route with next hop pointing to RouterA as the preferred one. When
this route fails, the route with next hop pointing to RouterB takes effect.
4. Configure NAT outbound.
To enable internal users to access the Internet, configure NAT on the uplink interfaces of
the two egress routers for translation between private network addresses and public
network addresses. Use an ACL to permit the source IP address of packets from
Department A so that users in Department A can access the Internet while users in
Department B cannot.
5. Configure a NAT server.
To enable external users to access the internal web server, configure a NAT server on the
uplink interfaces of the two egress routers to translate between the public and private
network addresses of the server.
6. Deploy IPSec VPN.
To enable users in the headquarters and branch to communicate through a VPN,
configure IPSec VPN between the egress routers of the headquarters and branch for
secure communication.
NOTE
For the enterprise internal network configuration, see "Small- and Mid-Sized Campus Networks" in the
HUAWEI S Series Campus Switches Quick Configuration.
Data Plan
Table 2-1, Table 2-2, and Table 2-3 provide the data plan.
Eth-Trunk member interfaces (from the data plan tables):
Eth-Trunk2: GE0/0/2, GE1/0/2
Eth-Trunk3: GE0/0/3, GE1/0/3
Eth-Trunk4: GE0/0/4, GE1/0/4
NOTE
All Eth-Trunk interfaces work in Link Aggregation Control Protocol (LACP) mode.
Procedure
Step 1 Configure Eth-Trunks between the CORE and two egress routers of the headquarters.
# Configure the CORE.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 3
[CORE-Eth-Trunk3] mode lacp
[CORE-Eth-Trunk3] quit
[CORE] interface eth-trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface gigabitethernet 0/0/3
[CORE-GigabitEthernet0/0/3] eth-trunk 3
[CORE-GigabitEthernet0/0/3] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] eth-trunk 3
[CORE-GigabitEthernet1/0/3] quit
[CORE] interface gigabitethernet 0/0/4
[CORE-GigabitEthernet0/0/4] eth-trunk 4
[CORE-GigabitEthernet0/0/4] quit
[CORE] interface gigabitethernet 1/0/4
[CORE-GigabitEthernet1/0/4] eth-trunk 4
[CORE-GigabitEthernet1/0/4] quit
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 203.10.1.2 24
[RouterC-GigabitEthernet1/0/0] quit
Step 3 Deploy VRRP. Configure VRRP between RouterA and RouterB of the headquarters, and
configure RouterA as the master device and RouterB as the backup device.
# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120
[RouterA-Eth-Trunk1.100] vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
[RouterA-Eth-Trunk1.100] quit
//To prevent service interruption in the case of an uplink failure on RouterA, associate the VRRP status with the uplink interface of RouterA. The association ensures a fast VRRP switchover when the uplink fails.
# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit
After the configuration is complete, a VRRP group should have been set up between RouterA
and RouterB. You can run the display vrrp command to view the VRRP status of the two
egress routers.
# Check that the VRRP status of RouterA is Master.
[RouterA] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Master
Virtual IP : 10.10.100.1
Master IP : 10.10.100.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/0 Priority reduced : 40
IF state : UP
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13
# Configure a default route on each egress router of the headquarters and branch, with
the next hop pointing to the IP address of the connected carrier network device (public
network gateway address).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
[RouterB] ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
[RouterC] ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
2. Deploy OSPF. Configure OSPF between two egress routers (RouterA and RouterB) and
CORE of the headquarters so that the two egress routers can learn return routes from
user network segments.
# Configure RouterA (egress router) of the headquarters.
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# After the configuration is complete, an OSPF neighbor relationship should have been established between the CORE, RouterA, and RouterB. You can run the display ospf peer command to view the OSPF neighbor status. The following uses the display on the CORE as an example. You can see that the OSPF neighbor status is Full.
[CORE] display ospf peer
3. Configure static routes (return routes) from external networks to the public network
address of the internal server.
# On RouterD, configure two static routes of which the destination address is the public
network address of the internal server and next-hop addresses are uplink interface
addresses of RouterA and RouterB. To ensure simultaneous route switchover and VRRP
switchover, set the route with next hop pointing to RouterA as the preferred one. When
this route fails, the route with next hop pointing to RouterB takes effect.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.1.2 preference 40 //Set the route with next hop pointing to RouterA as the preferred route.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.2.2
When the uplink of RouterA is interrupted, the following actions are triggered:
a. VRRP master/backup switchover between two egress routers (RouterA and
RouterB) is implemented through association between the VRRP status and uplink
interface status of the two egress routers.
b. Active/standby switchover between routes from the carrier router RouterD to the
internal server is implemented through the configuration of active and standby
routes on RouterD.
The two actions ensure that the VRRP master/backup switchover and active/standby
route switchover occur simultaneously when the uplink of RouterA is interrupted and
ensure reliability of the incoming and outgoing paths.
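The two switchovers above can be checked against the configured numbers. As an added example, not code from the Huawei document: a Python model of the VRRP tracking on RouterA (priority 120, reduced by 40 while GE1/0/0 is down) and of RouterD's two static routes (preference 40 via RouterA, default preference via RouterB), showing that the VRRP master and the installed return route move to RouterB together, and that without the track command they would not. The VRRP default priority of 100 and the VRP static route default preference of 60 are platform defaults assumed here.

```python
# Platform defaults assumed for this model (not stated on the page).
VRRP_DEFAULT_PRIORITY = 100
STATIC_DEFAULT_PREFERENCE = 60

# name -> (configured priority, tracked uplink or None, priority reduced while it is down)
HQ_VRRP_GROUP = {
    "RouterA": (120, "RouterA-GE1/0/0", 40),               # vrrp vrid 1 priority 120 / track ... reduced 40
    "RouterB": (VRRP_DEFAULT_PRIORITY, None, 0),           # no priority configured
}

# RouterD's return routes to 202.10.100.0/24: (next hop, preference, link the next hop sits on)
ROUTERD_RETURN_ROUTES = [
    ("202.10.1.2", 40, "RouterA-GE1/0/0"),                 # ip route-static ... 202.10.1.2 preference 40
    ("202.10.2.2", STATIC_DEFAULT_PREFERENCE, "RouterB-GE1/0/0"),
]

NEXT_HOP_OWNER = {"202.10.1.2": "RouterA", "202.10.2.2": "RouterB"}


def effective_priorities(group, uplink_up):
    """Apply VRRP interface tracking: subtract the configured reduction while the tracked
    uplink is down. uplink_up maps link name -> bool; a missing link counts as up."""
    result = {}
    for name, (priority, tracked, reduction) in group.items():
        if tracked is not None and not uplink_up.get(tracked, True):
            priority -= reduction
        result[name] = priority
    return result


def vrrp_master(group, uplink_up):
    """Highest effective priority becomes Master (the IP-address tie-break is not modelled)."""
    prios = effective_priorities(group, uplink_up)
    return max(prios, key=prios.get)


def active_return_route(routes, uplink_up):
    """A static route whose next-hop link is down is withdrawn; among the rest the lowest
    preference value is installed in RouterD's routing table."""
    usable = [r for r in routes if uplink_up.get(r[2], True)]
    return min(usable, key=lambda r: r[1])[0] if usable else None


def failover_state(uplink_up, group=HQ_VRRP_GROUP, routes=ROUTERD_RETURN_ROUTES):
    """Return (VRRP master, RouterD's active next hop, whether both point at the same router).
    The last value is the design goal of the page: outgoing (VRRP) and incoming (static route)
    paths switch together, so traffic never leaves via one router and returns via the other."""
    master = vrrp_master(group, uplink_up)
    next_hop = active_return_route(routes, uplink_up)
    symmetric = next_hop is not None and NEXT_HOP_OWNER[next_hop] == master
    return master, next_hop, symmetric


if __name__ == "__main__":
    print(failover_state({}))                                   # all links up
    print(failover_state({"RouterA-GE1/0/0": False}))           # RouterA uplink down
    # Same failure with no "track interface ... reduced 40": VRRP and routing diverge.
    untracked = {"RouterA": (120, None, 0), "RouterB": (VRRP_DEFAULT_PRIORITY, None, 0)}
    print(failover_state({"RouterA-GE1/0/0": False}, group=untracked))
```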
Step 5 Configure NAT outbound.
1. Define data flows for NAT translation on the egress routers of the headquarters and
branch.
In the headquarters, only users in Department A can access the Internet using source IP
address 10.10.10.0/24. In the branch, all users can access the Internet using source IP
address 10.10.200.0/24.
# Configure RouterA (egress router) of the headquarters. The configuration of RouterB
is similar to that of RouterA.
[RouterA] acl 3000
[RouterA-acl-adv-3000] rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255 //Configure an ACL to permit the data flow for NAT translation.
[RouterA-acl-adv-3000] quit
//On Huawei AR3200 series routers, if IPSec and NAT are configured on the same interface, NAT translation is performed first. To avoid performing NAT translation on the data flows to be protected by IPSec, configure the ACLs referenced by NAT to deny the data flows to be protected by IPSec.
2. Configure NAT on the uplink interfaces of the egress routers of the headquarters and
branch.
# Configure RouterA. The configurations of RouterB and RouterC are similar to that of
RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat outbound 3000
[RouterA-GigabitEthernet1/0/0] quit
# After the configuration is complete, run the display nat outbound command to view
NAT configuration. The following uses the display on RouterA as an example.
[RouterA] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet1/0/0 3000 202.10.1.2 easyip
--------------------------------------------------------------------------
Total : 1
The headquarters has a web server. You need to configure a NAT server on the two egress
routers (RouterA and RouterB) to allow external users to access the internal web server.
# Configure RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www
inside 10.10.30.2 8080
[RouterA-GigabitEthernet1/0/0] quit
# Configure RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www
inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit
# After the configuration is complete, run the display nat server command to view NAT
server configuration. The following uses the display on RouterA as an example.
[RouterA] display nat server
Total : 1
Step 7 Deploy IPSec VPN so that the headquarters and branch can communicate through the VPN
over the Internet and data communication can be protected.
1. Configure ACLs to permit the data flows to be protected by IPSec.
# Configure RouterA (egress router) of the headquarters.
[RouterA] acl 3001
[RouterA-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] quit
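The NAT ACL in Step 5 (with its deny rules for the VPN flows) and the IPSec ACL in this step fit together because NAT runs before IPSec on the same interface. As an added example, not code from the Huawei document: a Python model of RouterA's GE1/0/0 that evaluates ACL 3000 for nat outbound and then ACL 3001 for the IPSec policy, using exactly the rules configured above, plus a NAT ACL without the deny rules to show the branch-bound traffic being translated and then leaving outside the tunnel. Easy IP rewriting the source to the interface address 202.10.1.2, first-match rule evaluation, and the sample packet addresses are assumptions made here.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # rule gives no destination: match everything


def wildcard_match(addr, network, wildcard):
    """Huawei wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


# (rule id, action, (source, wildcard), (destination, wildcard)), as configured on RouterA
ACL_3000_NAT = [
    (5, "deny", ("10.10.10.0", "0.0.0.255"), ("10.10.200.0", "0.0.0.255")),
    (10, "deny", ("10.10.20.0", "0.0.0.255"), ("10.10.200.0", "0.0.0.255")),
    (15, "permit", ("10.10.10.0", "0.0.0.255"), ANY),
]
ACL_3001_IPSEC = [
    (5, "permit", ("10.10.10.0", "0.0.0.255"), ("10.10.200.0", "0.0.0.255")),
    (10, "permit", ("10.10.20.0", "0.0.0.255"), ("10.10.200.0", "0.0.0.255")),
]
# The omission the page warns against: a NAT ACL with no deny rules for the VPN flows.
ACL_3000_WITHOUT_DENY = [(15, "permit", ("10.10.10.0", "0.0.0.255"), ANY)]

ROUTERA_UPLINK_IP = "202.10.1.2"   # Easy IP translates to the GE1/0/0 address


def acl_lookup(acl, src, dst):
    """Rules are checked in ascending rule-id order; the first match decides.
    No match means the ACL does not apply to the packet."""
    for rule_id, action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return rule_id, action
    return None, "no-match"


def egress_process(src, dst, nat_acl=ACL_3000_NAT, ipsec_acl=ACL_3001_IPSEC):
    """Apply nat outbound first, then the IPSec policy, and return
    (source address as the packet leaves GE1/0/0, how it leaves):
      'ipsec'        encrypted in the tunnel to the branch
      'nat'          translated and sent to the Internet in the clear
      'untranslated' private source kept, no tunnel: unusable on the Internet (Department B)"""
    _, nat_action = acl_lookup(nat_acl, src, dst)
    if nat_action == "permit":
        src = ROUTERA_UPLINK_IP     # the private source is gone before IPSec looks at the packet
    _, ipsec_action = acl_lookup(ipsec_acl, src, dst)
    if ipsec_action == "permit":
        return src, "ipsec"
    if src == ROUTERA_UPLINK_IP:
        return src, "nat"
    return src, "untranslated"


if __name__ == "__main__":
    # Constructed sample packets: a Department A host, a Department B host, a branch host,
    # and a documentation-range Internet address.
    for pkt in [("10.10.10.5", "10.10.200.7"), ("10.10.20.5", "10.10.200.7"),
                ("10.10.10.5", "203.0.113.10"), ("10.10.20.5", "203.0.113.10")]:
        print(pkt, "->", egress_process(*pkt))
    print("without deny rules:", egress_process("10.10.10.5", "10.10.200.7",
                                                nat_acl=ACL_3000_WITHOUT_DENY))
```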
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
# After the configuration is complete, run the display ipsec sa command to view SA
information. The following uses the display on RouterC as an example.
[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet1/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable
-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable
-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable
-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 7
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable
# Run the ping command to test the connectivity between the headquarters and branch.
PC1>ping 10.10.200.2
The preceding command output shows that PC1 and PC5, and PC3 and PC5 can communicate
with each other, and the headquarters and branch can communicate through the VPN over the
Internet.
# Verify the connectivity between departments of the headquarters and the Internet. In the
following example, ping the public network gateway 202.10.1.1 of the headquarters from PC1
and PC3.
PC1>ping 202.10.1.1
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/109/235 ms
PC3>ping 202.10.1.1
The preceding command output shows that users (such as PC1) in Department A can access
the public network but users (such as PC3) in Department B cannot.
----End
Configuration Files
• Core switch configuration file
#
sysname CORE
#
vlan batch 100
#
interface Vlanif100
ip address 10.10.100.4 255.255.255.0
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 100
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 3
#
interface GigabitEthernet0/0/4
eth-trunk 4
#
interface GigabitEthernet1/0/3
eth-trunk 3
#
interface GigabitEthernet1/0/4
eth-trunk 4
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 10.10.100.0 0.0.0.255
network 10.10.10.0 0.0.0.255
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0
0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpn v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 202.10.2.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
#
return
• Configuration file of the branch egress router RouterC
#
sysname RouterC
#
acl number 3000
rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0
0.0.0.255
rule 15 permit ip source 10.10.200.0 0.0.0.255
Figure 2-2 Networking for configuring the egress of a large-scale campus (firewalls are connected to core switches in in-line mode)
[Topology diagram not reproduced. It shows Router 1 and Router 2 connected to Internet access points and running OSPF area 0, FW 1 and FW 2 in line below them, Switch1 (master) and Switch2 (standby) forming a CSS with Eth-Trunk 10 and Eth-Trunk 20, the HTTP server, and aggregation switches AGG1 and AGG2 for Department A and Department B. Interface labels in the figure: GE0/0/1, GE0/0/2, GE1/0/1, GE1/0/7, GE2/0/3, GE2/0/4.]
Deployment
• Routing deployment
– Router ID: Configure a loopback interface address as the router ID on each device.
– Add egress routers, firewalls, and core switches to OSPF area 0. Configure egress routers as Autonomous System Border Routers (ASBRs) and core switches as Area Border Routers (ABRs).
– Configure Open Shortest Path First (OSPF) areas 1 and 2 for departments A and B, respectively, and configure the two OSPF areas as Not-So-Stubby Areas (NSSAs) to reduce the number of LSAs transmitted between OSPF areas.
– To guide uplink traffic on each device, configure a default route pointing to the firewall on the core switch, configure a default route pointing to the egress router on the firewall, and configure a default route pointing to the address of the interconnected interface (public gateway address) of the carrier's device.
• Reliability deployment
You are advised to use CSS+iStack+Eth-Trunk to build a loop-free Ethernet.
– Deploy cluster switch system (CSS) on core switches and intelligent Stack (iStack) on aggregation switches to ensure device-level reliability.
– To improve link reliability, use Eth-Trunks between core switches and firewalls, between core switches and aggregation switches, and between aggregation switches and access switches.
– Deploy the Huawei Redundancy Protocol (HRP) on firewalls to implement load balancing.
• Dynamic Host Configuration Protocol (DHCP) deployment
– Configure the core switch as the DHCP server to allocate IP addresses to users.
– Configure the DHCP relay function on the aggregation switch to ensure that the DHCP server can allocate IP addresses to users.
• Network Address Translation (NAT) deployment
– To ensure that users on the internal network can access the Internet, configure NAT on uplink interfaces of the two egress routers to translate private addresses into public addresses. Configure an access control list (ACL) to match the source IP address of department A so that users of department A can access the Internet and users of department B cannot access the Internet.
– To ensure that users on the external network can access the HTTP server, configure the NAT server on two egress routers.
• Security deployment
Configure security policies on firewalls to filter traffic and ensure network security.
Device planning
Device Type Device Model
Data Plan
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
Member interfaces recovered from the table body: GE2/1/0/3, GE2/1/0/4
Configuration Roadmap
The configuration roadmap is as follows.
1. (1) Configure CSS on core switches. (2) Configure iStack on aggregation switches. Devices: core switches (Switch1 and Switch2) and aggregation switches (Switch3, Switch4, Switch5, and Switch6).
Procedure
Step 1 Configure CSS on core switches.
1. Connect cables of CSS cards. CSS card EH1D2VS08000 is used as an example.
NOTE
– A CSS card can only be connected to a CSS card in the other chassis, not to one in the local chassis.
– An interface in group 1 of a CSS card can be connected to any interface in group 1 of the CSS card on the other chassis. The requirements for interfaces in group 2 are the same.
– The CSS cards must have the same number of cluster cables connected. (If the CSS cards have different numbers of cluster cables connected, the total cluster bandwidth depends on the card with the fewest cluster cables connected.) In addition, interfaces on the CSS cards are connected according to their interface numbers.
2. Configure the CSS function on Switch1 and use CSS card connection (the default value
does not need to be configured). Use the default CSS ID 1 (the default value does not
need to be configured) and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] set css mode css-card //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css id 1 //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css priority 100 //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the standby switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.
3. Configure the CSS function on Switch2. Use CSS card connection (the default value
does not need to be configured). Set the CSS ID to 2 and use default CSS priority 1 (the
default value does not need to be configured).
<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.
NOTE
After the CSS is established, subsequent operations will be performed on the master switch and
data will be automatically synchronized to the standby switch. In a CSS, the physical interface
number is in the format of interface type chassis ID/slot ID/interface card ID/interface sequence
number, for example, 10GE1/1/0/9.
Step 2 Configure iStack on aggregation switches. S5720EI series switches are used as an example.
Service interface stacking is used.
NOTE
Switch3 and Switch4 are used as an example. The configurations of Switch5 and Switch6 are similar,
and are not mentioned here.
Connect cables after the iStack configuration is complete.
1. Configure logical stack interfaces and add physical member interfaces to them.
NOTE
Physical member interfaces of logical stack interface stack-port n/1 on one switch can only be
connected to the interfaces of stack-port n/2 on a neighboring switch.
# Configure service interface GE0/0/28 on Switch3 as the physical member interface and add it to the corresponding logical stack interface.
# Configure service interface GE0/0/28 on Switch4 as the physical member interface and add it to the corresponding logical stack interface.
[Switch4] interface stack-port 0/2
[Switch4-stack-port0/2] port interface gigabitethernet 0/0/28 enable
Warning: Enabling stack function may cause configuration loss on the
interface, continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment.......
[Switch4-stack-port0/2] quit
3. Power off Switch3 and Switch4 and connect their GE0/0/28 interfaces using the SFP+ stack cable.
NOTE
Run the save command to save the configurations before you power off the switches.
stack-port 0/1 of one switch must be connected to stack-port 0/2 of another switch. Otherwise, the
stack cannot be set up.
[Figure: Switch3 and Switch4 connected by the iStack link.]
If the master and standby switches are displayed, the stack has been set up successfully.
Step 3 Configure inter-chassis Eth-Trunks between the CSS and firewalls and between the CSS and
aggregation switches.
1. On firewalls, configure Eth-Trunks between the CSS and firewalls.
# On FW1, create Eth-Trunk 10 to connect to the CSS and add member interfaces to Eth-Trunk 10.
[FW1] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to the CSS.
[FW1-Eth-Trunk10] quit
[FW1] interface gigabitethernet 2/0/3
[FW1-GigabitEthernet2/0/3] eth-trunk 10
[FW1-GigabitEthernet2/0/3] quit
[FW1] interface gigabitethernet 2/0/4
[FW1-GigabitEthernet2/0/4] eth-trunk 10
[FW1-GigabitEthernet2/0/4] quit
# On FW2, create Eth-Trunk 20 to connect to the CSS and add member interfaces to Eth-Trunk 20.
[FW2] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to the CSS.
[FW2-Eth-Trunk20] quit
[FW2] interface gigabitethernet 2/0/3
[FW2-GigabitEthernet2/0/3] eth-trunk 20
[FW2-GigabitEthernet2/0/3] quit
[FW2] interface gigabitethernet 2/0/4
[FW2-GigabitEthernet2/0/4] eth-trunk 20
[FW2-GigabitEthernet2/0/4] quit
2. In the CSS, configure inter-chassis Eth-Trunks between the CSS and firewalls and
between the CSS and aggregation switches.
# In the CSS, create Eth-Trunk 10 to connect to FW1 and add member interfaces to Eth-Trunk 10.
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 10
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 10
[CSS-GigabitEthernet2/1/0/3] quit
# In the CSS, create Eth-Trunk 20 to connect to FW2 and add member interfaces to Eth-Trunk 20.
[CSS] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to FW2.
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 20
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 20
[CSS-GigabitEthernet2/1/0/4] quit
# In the CSS, create Eth-Trunk 100 to connect to AGG1 and add member interfaces to Eth-Trunk 100.
[CSS] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to AGG1.
[CSS-Eth-Trunk100] quit
# In the CSS, create Eth-Trunk 200 to connect to AGG2 and add member interfaces to Eth-Trunk 200.
[CSS] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to AGG2.
[CSS-Eth-Trunk200] quit
[CSS] interface gigabitethernet 1/2/0/4
[CSS-GigabitEthernet1/2/0/4] eth-trunk 200
[CSS-GigabitEthernet1/2/0/4] quit
[CSS] interface gigabitethernet 2/2/0/4
[CSS-GigabitEthernet2/2/0/4] eth-trunk 200
[CSS-GigabitEthernet2/2/0/4] quit
3. On aggregation switches, configure Eth-Trunks between the AGG and CSS and between
aggregation switches and access switches.
# Configure AGG1.
[AGG1] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to the CSS.
[AGG1-Eth-Trunk100] quit
[AGG1] interface gigabitethernet 1/0/1
[AGG1-GigabitEthernet1/0/1] eth-trunk 100
[AGG1-GigabitEthernet1/0/1] quit
[AGG1] interface gigabitethernet 2/0/1
[AGG1-GigabitEthernet2/0/1] eth-trunk 100
[AGG1-GigabitEthernet2/0/1] quit
[AGG1] interface eth-trunk 500 //Create Eth-Trunk 500 to connect to the access switch.
[AGG1-Eth-Trunk500] quit
[AGG1] interface gigabitethernet 1/0/5
[AGG1-GigabitEthernet1/0/5] eth-trunk 500
[AGG1-GigabitEthernet1/0/5] quit
[AGG1] interface gigabitethernet 2/0/5
[AGG1-GigabitEthernet2/0/5] eth-trunk 500
[AGG1-GigabitEthernet2/0/5] quit
# Configure AGG2.
[AGG2] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to the CSS.
[AGG2-Eth-Trunk200] quit
[AGG2] interface gigabitethernet 1/0/1
[AGG2-GigabitEthernet1/0/1] eth-trunk 200
[AGG2-GigabitEthernet1/0/1] quit
[AGG2] interface gigabitethernet 2/0/1
[AGG2-GigabitEthernet2/0/1] eth-trunk 200
[AGG2-GigabitEthernet2/0/1] quit
[AGG2] interface eth-trunk 600 //Create Eth-Trunk 600 to connect to the access switch.
[AGG2-Eth-Trunk600] quit
[AGG2] interface gigabitethernet 1/0/5
[AGG2-GigabitEthernet1/0/5] eth-trunk 600
[AGG2-GigabitEthernet1/0/5] quit
[AGG2] interface gigabitethernet 2/0/5
[AGG2-GigabitEthernet2/0/5] eth-trunk 600
[AGG2-GigabitEthernet2/0/5] quit
[Router1-GigabitEthernet0/0/2] quit
[Router1] interface gigabitethernet 0/0/1
[Router1-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //Configure an IP address for the interface connected to FW1.
[Router1-GigabitEthernet0/0/1] quit
# Configure Router2.
[Router2] interface loopback 0
[Router2-LoopBack0] ip address 2.2.2.2 32 //Configure the IP address as the router ID.
[Router2-LoopBack0] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] ip address 202.10.2.1 24 //Configure an IP address for the interface connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/1
[Router2-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address for the interface connected to FW2.
[Router2-GigabitEthernet0/0/1] quit
# Configure FW1.
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 3.3.3.3 32 //Configure the IP address as the router ID.
[FW1-LoopBack0] quit
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for the interface connected to Router1.
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/7
[FW1-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address for the heartbeat interface enabled with HSB.
[FW1-GigabitEthernet1/0/7] quit
[FW1] interface eth-trunk 10
[FW1-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk10] quit
# Configure FW2.
[FW2] interface loopback 0
[FW2-LoopBack0] ip address 4.4.4.4 32 //Configure the IP address as the router ID.
[FW2-LoopBack0] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for the interface connected to Router2.
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/7
[FW2-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address for the heartbeat interface enabled with HSB.
[FW2-GigabitEthernet1/0/7] quit
[FW2] interface eth-trunk 20
[FW2-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW2-Eth-Trunk20] quit
# Configure CSS.
[CSS] interface loopback 0
[CSS-LoopBack0] ip address 5.5.5.5 32 //Configure the IP address as the router ID.
[CSS-LoopBack0] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk works in Layer 2 mode. To use an Eth-Trunk as a Layer 3 interface, run the undo portswitch command to switch the Eth-Trunk to Layer 3 mode.
[CSS-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for the Eth-Trunk connected to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20
# Configure AGG1.
[AGG1] interface loopback 0
[AGG1-LoopBack0] ip address 6.6.6.6 32 //Configure the IP address as the router ID.
[AGG1-LoopBack0] quit
[AGG1] vlan batch 100 500
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] port link-type hybrid
[AGG1-Eth-Trunk100] port hybrid pvid vlan 100
[AGG1-Eth-Trunk100] port hybrid untagged vlan 100
[AGG1-Eth-Trunk100] quit
[AGG1] interface vlanif 100
[AGG1-Vlanif100] ip address 10.5.1.2 24 //Configure an IP address for the interface connected to the CSS.
[AGG1-Vlanif100] quit
[AGG1] interface eth-trunk 500
[AGG1-Eth-Trunk500] port link-type hybrid
[AGG1-Eth-Trunk500] port hybrid pvid vlan 500
[AGG1-Eth-Trunk500] port hybrid untagged vlan 500
[AGG1-Eth-Trunk500] quit
[AGG1] interface vlanif 500
[AGG1-Vlanif500] ip address 192.168.1.1 24 //Configure an IP address for the interface connected to the access switch and configure it as the gateway address of department A.
[AGG1-Vlanif500] quit
# Configure AGG2.
[AGG2] interface loopback 0
[AGG2-LoopBack0] ip address 7.7.7.7 32 //Configure the IP address as the router ID.
[AGG2-LoopBack0] quit
[AGG2] vlan batch 200 600
[AGG2] interface eth-trunk 200
[AGG2-Eth-Trunk200] port link-type hybrid
Step 5 On firewalls, configure security policies and zones that interfaces belong to.
# Add interfaces to zones.
[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the internal network to a trusted zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the external network to an untrusted zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW1-zone-dmz] quit
[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the internal network to a trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the external network to an untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW2-zone-dmz] quit
# Configure Router2.
[Router2] router id 2.2.2.2
[Router2] ospf 1 //Configure OSPF.
[Router2-ospf-1] area 0 //Configure a backbone area.
[Router2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to FW2 to the OSPF backbone area.
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit
# Configure FW1.
[FW1] router id 3.3.3.3
[FW1] ospf 1 //Configure OSPF.
[FW1-ospf-1] area 0 //Configure a backbone area.
[FW1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to Router1 to the OSPF backbone area.
[FW1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to the CSS to the OSPF backbone area.
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit
# Configure FW2.
[FW2] router id 4.4.4.4
[FW2] ospf 1 //Configure OSPF.
[FW2-ospf-1] area 0 //Configure a backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to Router2 to the OSPF backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to the CSS to the OSPF backbone area.
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit
# Configure AGG1.
[AGG1] ospf 1 //Configure OSPF.
[AGG1-ospf-1] area 1 //Configure OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to the CSS to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Configure the device to advertise the user network segment to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] nssa //Configure OSPF area 1 as an NSSA.
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit
# Configure AGG2.
3. Configure a default route pointing to the firewall on the core switch, configure a default
route pointing to the egress router on the firewall, and configure a default route pointing
to the address of the interconnected interface (public gateway address) of the carrier's
device.
[Router1] ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
[Router2] ip route-static 0.0.0.0 0.0.0.0 202.10.2.2
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
Check the routing table of the stack. AGG1 is used as an example. You can see that
routes are generated for network segments on the internal network and one default route
is generated for traffic going out of the NSSA.
[AGG1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Gateway-0 : 192.168.1.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------
Pool-name : poolb
Pool-No : 1
Position : Local Status : Unlocked
Gateway-0 : 192.168.2.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :506
Used :2 Idle :503
Expired :0 Conflict :1 Disable :0
Assume that the carrier allocates the following public IP addresses to enterprise users: 202.10.1.2 to 202.10.1.10 and 202.10.2.2 to 202.10.2.10. The IP addresses 202.10.1.2 and 202.10.2.2 are used by Router1 and Router2 respectively to connect to the external network. The IP address 202.10.1.10 is used by users on the external network to access the HTTP server. Users on the internal network use the remaining public IP addresses to access the Internet.
[Router2-acl-basic-2000] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Configure NAT on the interface connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
# Verify the configuration.
[Router2] display nat outbound
NAT Outbound Information:
-------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-------------------------------------------------------------------------
GigabitEthernet0/0/2 2000 1 pat
-------------------------------------------------------------------------
Total : 1
# Configure the NAT server on Router1 and Router2 so that users on the external network can access the HTTP server.
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.1.10 http inside 10.100.1.1 http //Configure the device to allow Internet users to access the HTTP server of the company.
[Router1-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.1.10 http inside 10.100.1.1 http //Configure the device to allow Internet users to access the HTTP server of the company.
[Router2-GigabitEthernet0/0/2] quit
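The NAT intent above (department A translated, department B not, and a single static mapping for the HTTP server) can be checked offline before it is pushed to the router. The following Python script is an added example, not Huawei code and not part of this document: it parses the Router1 statements shown in this procedure (embedded as a constructed string, with the HTTP server's inside address 10.100.1.1 taken from the nat server step), implements the wildcard-mask matching that both ACL rules and OSPF network statements use (a 0 bit in the mask must match, a 1 bit is ignored), and reports whether a given internal source would be translated and where an inbound request to the global address is mapped. The host addresses 192.168.1.37 and 192.168.2.37 are constructed department A and department B users.

```python
"""Offline check of the egress router's NAT intent: ACL-gated outbound PAT
plus one static NAT server mapping. Added example built from the Router1
statements on the page; it is not Huawei code."""
import ipaddress
import re

# Constructed from the Router1 commands shown in the procedure. Assumption: the
# HTTP server's inside address is 10.100.1.1 as in the nat server step.
ROUTER1_CONFIG = """\
acl number 2000
 rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.1.3 202.10.1.9
#
interface GigabitEthernet 0/0/2
 nat outbound 2000 address-group 1
 nat server protocol tcp global 202.10.1.10 http inside 10.100.1.1 http
"""

WELL_KNOWN_PORTS = {"http": 80, "https": 443, "ftp": 21}


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match as used by ACL rules and OSPF network statements:
    a 0 bit in the mask must match, a 1 bit is a don't-care. 0.0.0.255 is
    therefore the inverse of a /24 netmask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_router_nat(config):
    """Collect ACL rules, NAT address groups, outbound NAT bindings and NAT
    server mappings from the configuration text."""
    acls, groups, outbound, servers = {}, {}, [], []
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)$", line):
            current_acl = int(m.group(1))
            acls[current_acl] = []
        elif m := re.match(r"rule (permit|deny) source (\S+) (\S+)$", line):
            acls[current_acl].append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"nat address-group (\d+) (\S+) (\S+)$", line):
            groups[int(m.group(1))] = (m.group(2), m.group(3))
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)$", line):
            outbound.append((int(m.group(1)), int(m.group(2))))
        elif m := re.match(r"nat server protocol (\w+) global (\S+) (\S+) inside (\S+) (\S+)$", line):
            proto, gaddr, gport, iaddr, iport = m.groups()
            servers.append((proto, gaddr, WELL_KNOWN_PORTS.get(gport, gport),
                            iaddr, WELL_KNOWN_PORTS.get(iport, iport)))
        elif line == "#":
            current_acl = None  # a '#' line closes the current configuration block
    return acls, groups, outbound, servers


def acl_permits(acls, number, src):
    """First matching rule wins; a source that matches no rule is not permitted."""
    for action, base, wildcard in acls.get(number, []):
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


def outbound_translation(parsed, src):
    """Public address pool (first, last) a source is translated into, or None
    when the ACL does not match it, so the packet would leave untranslated with
    its private source address."""
    acls, groups, outbound, _ = parsed
    for acl_no, group_no in outbound:
        if acl_permits(acls, acl_no, src):
            return groups[group_no]
    return None


def inbound_mapping(parsed, dst, dport, proto="tcp"):
    """(inside address, inside port) for a packet to a NAT server global
    address, or None when no static mapping exists for that destination."""
    for p, gaddr, gport, iaddr, iport in parsed[3]:
        if p == proto and gaddr == dst and gport == dport:
            return iaddr, iport
    return None


if __name__ == "__main__":
    parsed = parse_router_nat(ROUTER1_CONFIG)
    for user in ("192.168.1.37", "192.168.2.37"):   # constructed department A / B hosts
        print(user, "->", outbound_translation(parsed, user))
    print("202.10.1.10:80 ->", inbound_mapping(parsed, "202.10.1.10", 80))
```

A source that no ACL rule matches leaves the router untranslated with its private address, which is how department B is kept off the Internet here; the same wildcard helper applied to `network 10.1.1.0 0.0.0.255` shows which interface addresses an OSPF network statement would enable.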
NOTE
After HRP is configured, the configuration and session of the active device are automatically backed up to the
standby device.
The local and remote firewalls have the same priority and are both in active state, indicating
that the two firewalls are in load balancing state.
Step 10 Configure attack defense on firewalls.
To protect internal servers against potential SYN Flood attacks and HTTP Flood attacks,
enable defense against SYN Flood attacks and HTTP Flood attacks on firewalls.
NOTE
The attack defense threshold is used for reference. Set this value according to actual network traffic.
HRP_M[FW1] firewall defend syn-flood enable
HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW1] firewall defend udp-flood enable
HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW1] firewall defend icmp-flood enable
HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW1] firewall blacklist enable
HRP_M[FW1] firewall defend ip-sweep enable
HRP_M[FW1] firewall defend ip-sweep max-rate 4000
HRP_M[FW1] firewall defend port-scan enable
HRP_M[FW1] firewall defend port-scan max-rate 4000
HRP_M[FW1] firewall defend ip-fragment enable
HRP_M[FW1] firewall defend ip-spoofing enable
----End
Configuration Files
l Configuration file of Router1
#
sysname Router1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.1.3 202.10.1.9
#
interface GigabitEthernet 0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
ip address 202.10.1.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10 http
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
#
return
router id 3.3.3.3
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 10
#
interface Eth-Trunk 10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 10
#
interface GigabitEthernet 2/0/4
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.3.1.0 mask 24
policy source 10.5.1.0 mask 24
policy source 192.168.1.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
policy 4
action permit
policy source 192.168.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return
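Zone priorities decide which direction an interzone policy applies to: a flow from the higher-priority zone to the lower-priority one is outbound, the reverse is inbound. The Python script below is an added example (not the firewall's own code and not part of this document) that parses the zone and policy lines of the FW1 configuration file above, embedded as a constructed string, and answers which policy a given flow hits. It assumes the built-in local zone has priority 100 and that a flow matching no policy is denied; both are marked as assumptions in the code, and the hosts 192.168.1.20 and 192.168.2.20 are constructed department A and department B users.

```python
"""Interzone policy evaluation driven by zone priorities. Added example built
from the FW1 configuration file on the page; it is not the firewall's own code."""
import ipaddress
import re

# Constructed from the zone and policy lines of the FW1 configuration file.
FW1_CONFIG = """\
firewall zone trust
 set priority 85
 add interface Eth-Trunk10
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
policy interzone local trust outbound
 policy 1
  action permit
  policy source 10.3.1.0 mask 24
  policy source 10.5.1.0 mask 24
  policy source 192.168.1.0 mask 24
#
policy interzone local untrust inbound
 policy 2
  action permit
  policy source 10.1.1.0 mask 24
#
policy interzone trust untrust inbound
 policy 3
  action permit
  policy source 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 4
  action permit
  policy source 192.168.1.0 mask 24
"""

LOCAL_ZONE_PRIORITY = 100   # assumption: priority of the built-in local zone


def parse_firewall_policy(config):
    """Return (zones, interzone): zone name -> {priority, interfaces}, and
    (frozenset of the zone pair, direction) -> ordered list of policy rules."""
    zones = {"local": {"priority": LOCAL_ZONE_PRIORITY, "interfaces": []}}
    interzone = {}
    zone = rules = rule = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"firewall zone (\S+)$", line):
            zone = zones.setdefault(m.group(1), {"priority": None, "interfaces": []})
        elif m := re.match(r"set priority (\d+)$", line):
            zone["priority"] = int(m.group(1))
        elif m := re.match(r"add interface (.+)$", line):
            zone["interfaces"].append(m.group(1).replace(" ", ""))
        elif m := re.match(r"policy interzone (\S+) (\S+) (inbound|outbound)$", line):
            key = (frozenset((m.group(1), m.group(2))), m.group(3))
            rules = interzone.setdefault(key, [])
        elif m := re.match(r"policy (\d+)$", line):
            rule = {"id": int(m.group(1)), "action": None, "sources": []}
            rules.append(rule)
        elif m := re.match(r"action (permit|deny)$", line):
            rule["action"] = m.group(1)
        elif m := re.match(r"policy source (\S+) mask (\d+)$", line):
            rule["sources"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return zones, interzone


def zone_of_interface(zones, iface):
    """Zone an interface was added to; names are compared without spaces."""
    iface = iface.replace(" ", "")
    return next((n for n, z in zones.items() if iface in z["interfaces"]), None)


def evaluate(zones, interzone, src_ip, src_zone, dst_zone):
    """Return (action, policy id). The direction is derived from priorities:
    higher-priority zone to lower-priority zone is 'outbound', else 'inbound'.
    A flow matching no rule is denied (assumption: default interzone action)."""
    if src_zone == dst_zone:
        raise ValueError("intra-zone flows are outside this model")
    outbound = zones[src_zone]["priority"] > zones[dst_zone]["priority"]
    key = (frozenset((src_zone, dst_zone)), "outbound" if outbound else "inbound")
    ip = ipaddress.ip_address(src_ip)
    for rule in interzone.get(key, []):
        if not rule["sources"] or any(ip in net for net in rule["sources"]):
            return rule["action"], rule["id"]
    return "deny", None


if __name__ == "__main__":
    zones, interzone = parse_firewall_policy(FW1_CONFIG)
    src_zone = zone_of_interface(zones, "Eth-Trunk 10")
    dst_zone = zone_of_interface(zones, "GigabitEthernet 1/0/1")
    for host in ("192.168.1.20", "192.168.2.20"):   # constructed department A / B hosts
        print(host, src_zone, "->", dst_zone, evaluate(zones, interzone, host, src_zone, dst_zone))
```

Run against the FW1 policies, a department A host going from trust to untrust hits policy 4, while a department B host matches nothing and falls to the default, so the firewall policy and the router ACL both restrict department B independently.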
router id 4.4.4.4
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 20
#
interface Eth-Trunk 20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 20
#
interface GigabitEthernet 2/0/4
eth-trunk 20
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.4.1.0 mask 24
policy source 10.6.1.0 mask 24
policy source 192.168.2.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.2.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.2.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return
ip pool poola
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif 100
ip address 10.5.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 200
ip address 10.6.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 300
ip address 10.100.1.100 255.255.255.0
#
interface Eth-Trunk 10
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface Eth-Trunk 20
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
interface Eth-Trunk 100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Eth-Trunk 200
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet 1/1/0/1
port link-type access
port default vlan 300
#
interface GigabitEthernet 1/1/0/3
eth-trunk 10
#
interface GigabitEthernet 1/1/0/4
eth-trunk 20
#
interface GigabitEthernet 1/2/0/3
eth-trunk 100
#
interface GigabitEthernet 1/2/0/4
eth-trunk 200
#
interface GigabitEthernet 2/1/0/3
eth-trunk 10
#
interface GigabitEthernet 2/1/0/4
eth-trunk 20
#
interface GigabitEthernet 2/2/0/3
eth-trunk 100
#
interface GigabitEthernet 2/2/0/4
eth-trunk 200
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
area 0.0.0.1
network 10.5.1.0 0.0.0.255
area 0.0.0.2
network 10.6.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
nssa
#
return
area 0.0.0.2
network 10.6.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
nssa
#
return
l Only the connection configurations between firewalls and switches and the HRP
configurations on firewalls are provided in the following procedure. For the security
service plan on the firewalls and security policies, attack defense, bandwidth
management, and IPSec on the campus network, see Firewall Configuration Examples.
l This example describes only the routers and switches at the egress of the campus network. For the Internet-side configurations on the routers, see the NE Router Configuration Guide.
Networking Requirements
At the egress of a large-sized campus network, core switches connect to egress routers through upstream interfaces to access the Internet. Firewalls connect to the core switches in bypass mode to filter service traffic.
To simplify the network and improve reliability, a switch cluster is deployed at the core layer. HRP (active/standby mode) is deployed on the firewalls. If one firewall fails, services are switched to the other firewall.
Each core switch is dual-homed to the two egress routers, and VRRP is configured between the routers to ensure reliability.
To improve link reliability, Eth-Trunks are configured between the core switches and egress routers, between the core switches and firewalls, and between the two firewalls.
The networking diagram is as follows.
Figure 2-6 Networking diagram at the campus egress (HRP firewalls in bypass mode)
[Figure: traffic from the Internet to the intranet enters at the campus egress through Router 1 and Router 2 (VRRP VRID 1); the CSS connects in bypass mode to FW 1 and FW 2 running HRP, and downstream to two aggregation switches serving service network 1 and service network 2.]
In a Layer 3 forwarding environment, traffic between the inside and outside of the campus network is forwarded directly by the switches and does not pass through FW1 and FW2. To have the switches send traffic to the firewalls for filtering, VRF must be configured on the switches: the CSS is divided into a virtual switch, VRF-A, and a root switch, Public, which are isolated from each other.
Public is connected to the egress routers; it forwards traffic from the Internet to the firewalls for filtering and traffic from the firewalls to the egress routers.
VRF-A is connected to the intranet; it forwards traffic from the firewalls to the intranet and traffic from the intranet to the firewalls for filtering.
The following logical network diagram shows the traffic forwarding paths.
Figure 2-7 Connections between physical interfaces of switches, routers, and firewalls
[Figure: Router 1 and Router 2 (10GE1/0/1, 10GE1/0/2, bundled as Eth-Trunk1) connect to the CSS (Switch 1 master, Switch 2 backup) via Eth-Trunk1 and Eth-Trunk2. On the Internet side (Public), CSS interfaces GE1/1/0/7, GE1/2/0/7, GE2/1/0/7, and GE2/2/0/7 form Eth-Trunk4 and Eth-Trunk6 to FW 1 and FW 2 (GE1/0/0, GE1/0/1). The firewalls are linked to each other by Eth-Trunk1 (GE2/0/0, GE2/0/1). On the intranet side (VRF-A), firewall interfaces GE1/1/0 and GE1/1/1 form Eth-Trunk5 and Eth-Trunk7 to CSS interfaces GE1/3/0/1, GE1/3/0/2, GE2/3/0/1, and GE2/3/0/2; Eth-Trunk8 and Eth-Trunk9 lead to the aggregation switches of service network 1 and service network 2.]
In this example, the core switches work in Layer 3 mode. The firewalls connect to Layer 3
switches through upstream and downstream interfaces. VRRP needs to be configured on both
upstream and downstream service interfaces of firewalls, as shown below.
Figure 2-8 Connections between Layer 3 interfaces of switches, routers, and firewalls
[Figure: Router 1 (Eth-Trunk1, 10.10.4.2/24) and Router 2 (Eth-Trunk1, 10.10.4.3/24) share VRRP VRID 1 virtual IP 10.10.4.100/24 and run OSPF area 0 with the CSS root switch Public (VLANIF10, 10.10.4.1/24, over Eth-Trunk1 and Eth-Trunk2). Public reaches the firewalls over Eth-Trunk4 and Eth-Trunk6 (VLANIF20, 10.10.2.1/24; firewall upstream VRRP virtual IP 10.10.2.5/24). The firewalls reach VRF-A over Eth-Trunk5 and Eth-Trunk7 (VLANIF30, 10.10.3.1/24; firewall downstream VRRP virtual IP 10.10.3.5/24). VRF-A serves service network 1 and service network 2 through VLANIF100 (10.10.100.1/24, Eth-Trunk8) and VLANIF200 (10.10.200.1/24, Eth-Trunk9) to the aggregation switches. The static routes numbered 1 to 3 in the figure are those described in the traffic paths below.]
The traffic (in blue) from the intranet to the Internet is forwarded as follows:
1. When traffic from the intranet to the Internet reaches VRF-A, it is then forwarded to the
firewalls based on the static route (next hop is the downstream VRRP virtual IP address
of firewalls) configured on VRF-A.
2. After filtering the traffic, the firewalls forward traffic to Public based on the static route
(next hop is the CSS's VLANIF 20).
3. Public forwards traffic to routers based on the static route (next hop is the router VRRP
virtual IP address).
The traffic (in red) from the Internet to the intranet is forwarded as follows:
1. The traffic from the Internet to the intranet reaches the routers, and is then forwarded to
Public based on the OSPF routing table.
2. Public forwards the traffic to firewalls based on the static route (next hop is the upstream
VRRP virtual IP address of firewalls).
3. After filtering the traffic, the firewalls forward traffic to VRF-A based on the static route
(next hop is the CSS's VLANIF 30).
4. VRF-A forwards the traffic to the aggregation switches based on the OSPF routing table, and the aggregation switches then forward the traffic to the service networks.
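The two forwarding paths above can be replayed hop by hop. The Python model below is an added example, not Huawei code and not part of this document: it builds one routing table per forwarding instance (Router1, the CSS root switch Public, the active firewall, and VRF-A) from the static routes and addresses in Figure 2-8, treats each VRRP virtual IP as owned by the instance assumed to be master or active, assumes the OSPF-learned routes the text mentions, and traces a packet in each direction. The hosts 198.51.100.7 and 10.10.100.25 are constructed. It also builds a deliberately broken variant in which a service-network route is leaked from Public straight into VRF-A, to show that such a route lets Internet-to-intranet traffic bypass the firewalls, which is the failure the VRF split exists to prevent.

```python
"""Hop-by-hop replay of the Public / VRF-A forwarding paths. Added example,
not Huawei code: tables are built from the static routes and addresses in
Figure 2-8; OSPF-learned routes and the VRRP masters are assumptions."""
import ipaddress

INTERNET = "Internet"               # terminal labels standing in for real next hops
SERVICE_NET = "service network"


def build_tables(leak_public_to_vrf=False):
    """One entry per forwarding instance: name -> (owned addresses, routes).
    VRRP virtual IPs are listed under the instance assumed to be master/active."""
    tables = {
        "Router1": ({"10.10.4.2", "10.10.4.100"}, [
            ("0.0.0.0/0", INTERNET),
            ("10.10.100.0/24", "10.10.4.1"),   # assumed OSPF-learned from Public
            ("10.10.200.0/24", "10.10.4.1"),
        ]),
        "Public": ({"10.10.4.1", "10.10.2.1"}, [
            ("0.0.0.0/0", "10.10.4.100"),      # static route to the router VRRP VIP
            ("10.10.100.0/24", "10.10.2.5"),   # static route to FW upstream VRRP VIP
            ("10.10.200.0/24", "10.10.2.5"),
        ]),
        "FW": ({"10.10.2.5", "10.10.3.5"}, [   # the active HRP firewall
            ("0.0.0.0/0", "10.10.2.1"),        # default route to VLANIF 20
            ("10.10.100.0/24", "10.10.3.1"),   # service networks via VLANIF 30
            ("10.10.200.0/24", "10.10.3.1"),
        ]),
        "VRF-A": ({"10.10.3.1", "10.10.100.1", "10.10.200.1"}, [
            ("0.0.0.0/0", "10.10.3.5"),        # static route to FW downstream VRRP VIP
            ("10.10.100.0/24", SERVICE_NET),   # OSPF towards the aggregation switches
            ("10.10.200.0/24", SERVICE_NET),
        ]),
    }
    if leak_public_to_vrf:
        # Constructed misconfiguration: service network 1 reachable from Public
        # directly through VRF-A's VLANIF 100, skipping the firewalls.
        addrs, routes = tables["Public"]
        tables["Public"] = (addrs, [("10.10.100.0/24", "10.10.100.1")] +
                            [r for r in routes if r[0] != "10.10.100.0/24"])
    return tables


def longest_prefix_match(routes, dst):
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner_of(tables, addr):
    return next((name for name, (addrs, _) in tables.items() if addr in addrs), None)


def trace(tables, start, dst, max_hops=10):
    """Ordered list of forwarding instances a packet to dst crosses, starting
    at `start` and ending with a terminal label or a failure marker."""
    path, table = [start], start
    for _ in range(max_hops):
        match = longest_prefix_match(tables[table][1], dst)
        if match is None:
            return path + ["no route"]
        next_hop = match[1]
        if next_hop in (INTERNET, SERVICE_NET):
            return path + [next_hop]
        table = owner_of(tables, next_hop)
        if table is None:
            return path + [f"unresolved next hop {next_hop}"]
        path.append(table)
    return path + ["loop"]


def passes_firewall(path):
    """True when the traced path crosses the firewall instance."""
    return "FW" in path


if __name__ == "__main__":
    good = build_tables()
    print("intranet -> Internet:", trace(good, "VRF-A", "198.51.100.7"))
    print("Internet -> intranet:", trace(good, "Router1", "10.10.100.25"))
    leaked = build_tables(leak_public_to_vrf=True)
    path = trace(leaked, "Router1", "10.10.100.25")
    print("with leaked route:", path, "firewalled:", passes_firewall(path))
```

With the tables as configured, both directions cross the firewall instance between Public and VRF-A; the leaked variant shows why any route that connects Public and VRF-A directly (route leaking, a shared VLANIF, or a summary route) should be flagged during review.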
Data Plan
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
VRRP of Router 1 and Router 2 | - | - | - | 10.10.4.100/24 | - | -
VRRP1 of FW 1 and FW 2 (upstream) | - | - | - | 10.10.2.5/24 | - | -
VRRP2 of FW 1 and FW 2 (downstream) | - | - | - | 10.10.3.5/24 | - | -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VRF function on the switches to divide the CSS into a virtual switch VRF-A
and a root switch Public, which separates the service network routes from the public
network routes.
2. To steer the upstream traffic, configure a default route in Public on the core switches,
with the VRRP virtual IP address of the egress routers as the next hop.
3. To steer the return traffic from the two egress routers, configure OSPF between the egress
routers and the core switches, and advertise all user network segment routes on the core
switches into OSPF so that the egress routers learn them.
4. Configure static routes between the core switches and the firewalls so that every packet
between the service networks and the Internet passes through the firewalls:
– To forward the upstream traffic of the service networks to the firewalls, configure a
default route in VRF-A with the virtual IP address of VRRP VRID2 on the firewalls
(10.10.3.5) as the next hop.
– To forward the downstream traffic of service network 1 and service network 2 to the
firewalls, configure static routes in Public to 10.10.100.0/24 and 10.10.200.0/24 with
the virtual IP address of VRRP VRID1 on the firewalls (10.10.2.5) as the next hop.
– To forward the upstream traffic of the service networks to the switches, configure a
default route on the firewalls with the IP address of VLANIF 20 on the switches
(10.10.2.1) as the next hop.
– To forward the downstream traffic of service network 1 and service network 2 to the
switches, configure static routes on the firewalls to 10.10.100.0/24 and 10.10.200.0/24
with the IP address of VLANIF 30 on the switches (10.10.3.1) as the next hop.
5. Configure HRP on the firewalls.
Procedure
Step 1 On switch 1 and switch 2: Configure the CSS.
1. Connect CSS cards through cables.
In the following figure, the S12700 switches have the CSS cards EH1D2VS08000
installed. The number of MPUs, SFUs, and CSS cards an S12700 can hold is limited. Each
chassis must have at least one MPU and one SFU installed; installing two SFUs and two CSS
cards in each chassis is recommended.
<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is
rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the
switch.
NOTE
– After the CSS is established, subsequent operations will be performed on the master switch
(switch 1) and data will be automatically synchronized to the standby switch (switch 2).
– The interface name in a CSS is in the format like 10GE1/4/0/0. The leftmost part indicates the
CSS ID.
Step 2 On switch 1: Configure the inter-chassis Eth-Trunks between CSS and FWs and between CSS
and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to them.
1. Configure an inter-chassis Eth-Trunk between switches and routers. Configure VLANIF
interfaces and assign IP addresses to them.
# In the CSS, create Eth-Trunk1 to connect to Router1 and add member interfaces to
Eth-Trunk1.
<HUAWEI> system-view
[HUAWEI] sysname CSS //Rename the CSS.
[CSS] interface Eth-Trunk 1
[CSS-Eth-Trunk1] quit
[CSS] interface XGigabitethernet 1/4/0/0 //Add an interface on the master
switch to Eth-Trunk1.
[CSS-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet1/4/0/0] quit
[CSS] interface XGigabitethernet 2/4/0/0 //Add an interface on the backup
switch to Eth-Trunk1.
[CSS-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet2/4/0/0] quit
# In the CSS, create Eth-Trunk2 to connect to Router2 and add member interfaces to
Eth-Trunk2.
[CSS] interface Eth-Trunk 2
[CSS-Eth-Trunk2] quit
[CSS] interface XGigabitethernet 1/4/0/1 //Add an interface on the master
switch to Eth-Trunk2.
[CSS-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet1/4/0/1] quit
[CSS] interface XGigabitethernet 2/4/0/1 //Add an interface on the backup
switch to Eth-Trunk2.
[CSS-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet2/4/0/1] quit
2. Configure the inter-chassis Eth-Trunks between the CSS and the FWs and between the CSS
and the service networks. Configure VLANIF interfaces on the CSS and assign IP addresses to them.
# In the CSS, create Eth-Trunk4 to connect Public to FW1 and add member interfaces to
Eth-Trunk4.
[CSS] interface Eth-Trunk 4
[CSS-Eth-Trunk4] quit
[CSS] interface Gigabitethernet 1/1/0/7 //Add an interface on the master
switch to Eth-Trunk4.
[CSS-Gigabitethernet1/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet1/1/0/7] quit
[CSS] interface Gigabitethernet 2/1/0/7 //Add an interface on the backup
switch to Eth-Trunk4.
[CSS-Gigabitethernet2/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet2/1/0/7] quit
# In the CSS, create Eth-Trunk5 to connect VRF-A to FW1 and add member interfaces
to Eth-Trunk5.
# In the CSS, create Eth-Trunk6 to connect Public to FW2 and add member interfaces to
Eth-Trunk6.
[CSS] interface Eth-Trunk 6
[CSS-Eth-Trunk6] quit
[CSS] interface Gigabitethernet 1/2/0/7 //Add an interface on the master
switch to Eth-Trunk6.
[CSS-Gigabitethernet1/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet1/2/0/7] quit
[CSS] interface Gigabitethernet 2/2/0/7 //Add an interface on the backup
switch to Eth-Trunk6.
[CSS-Gigabitethernet2/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet2/2/0/7] quit
# In the CSS, create Eth-Trunk7 to connect VRF-A to FW2 and add member interfaces
to Eth-Trunk7.
[CSS] interface Eth-Trunk 7
[CSS-Eth-Trunk7] quit
[CSS] interface Gigabitethernet 1/2/0/8 //Add an interface on the master
switch to Eth-Trunk7.
[CSS-Gigabitethernet1/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet1/2/0/8] quit
[CSS] interface Gigabitethernet 2/2/0/8 //Add an interface on the backup
switch to Eth-Trunk7.
[CSS-Gigabitethernet2/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet2/2/0/8] quit
# In the CSS, create Eth-Trunk9 to connect to service network 2 and add member
interfaces to Eth-Trunk9.
[CSS] interface Eth-Trunk 9
[CSS-Eth-Trunk9] quit
[CSS] interface Gigabitethernet 1/3/0/2 //Add an interface on the master
switch to Eth-Trunk9.
[CSS-Gigabitethernet1/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet1/3/0/2] quit
[CSS] interface Gigabitethernet 2/3/0/2 //Add an interface on the backup
switch to Eth-Trunk9.
[CSS-Gigabitethernet2/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet2/3/0/2] quit
Step 3 On routers: Configure interfaces.
# Configure the Dot1q termination subinterface for VLAN 10 on Router1 and assign an IP
address to the subinterface.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] ip address 10.10.4.2 24
[Router1-Eth-Trunk1.100] dot1q termination vid 10
[Router1-Eth-Trunk1.100] quit
# The configuration procedure on Router2 is the same as that on Router1 except that the
interface addresses are different.
Step 4 On firewalls: Configure interfaces and zones.
# Configure interfaces and zones on FW1.
<USG> system-view
[USG] sysname FW1
[FW1] interface Eth-Trunk 4 //Configure the interface connected to CSS and
assign an IP address to it.
[FW1-Eth-Trunk4] ip address 10.10.2.2 24
[FW1-Eth-Trunk4] quit
[FW1] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/0] Eth-Trunk 4
[FW1-GigabitEthernet1/0/0] quit
[FW1] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/1] Eth-Trunk 4
[FW1-GigabitEthernet1/0/1] quit
[FW2-Eth-Trunk6] quit
[FW2] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/0] Eth-Trunk 6
[FW2-GigabitEthernet1/0/0] quit
[FW2] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/1] Eth-Trunk 6
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface Eth-Trunk 1 //Configure the heartbeat interface between FW2 and FW1 (used by HRP).
[FW2-Eth-Trunk1] ip address 10.1.1.2 24
[FW2-Eth-Trunk1] quit
[FW2] interface Gigabitethernet 2/0/0 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/0] Eth-Trunk 1
[FW2-GigabitEthernet2/0/0] quit
[FW2] interface Gigabitethernet 2/0/1 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/1] Eth-Trunk 1
[FW2-GigabitEthernet2/0/1] quit
Step 5 On routers: Configure VRRP. Configure Router1 as the VRRP master and Router2 as the
VRRP backup.
# Configure Router1.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the
VRRP virtual IP address.
[Router1-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Increase the priority of
Router1 to make Router1 become the Master.
[Router1-Eth-Trunk1.100] quit
# Configure Router2.
[Router2] interface Eth-Trunk 1.100
[Router2-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the
VRRP virtual IP address.
[Router2-Eth-Trunk1.100] quit
After the configuration is complete, a VRRP group should have been set up between Router1
and Router2. You can run the display vrrp command to view the VRRP status of Router1 and
Router2.
# Check the VRRP status of Router1. The status is master.
[Router1] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Master
Virtual IP : 10.10.4.100
Master IP : 10.10.4.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13
Step 6 Configure routes between CSS and FWs and between CSS and routers.
1. Configure OSPF between switches and routers.
# Create VPN instance Public on CSS and bind the interfaces connected to routers and
firewalls to Public.
[CSS] ip vpn-instance Public //Create the VPN instance Public.
[CSS-vpn-instance-Public] ipv4-family
[CSS-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CSS-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CSS-vpn-instance-Public-af-ipv4] quit
[CSS-vpn-instance-Public] quit
[CSS] interface Vlanif 10
[CSS-Vlanif10] ip binding vpn-instance Public //Bind VLANIF 10, which
connects the CSS to router, to Public.
[CSS-Vlanif10] ip address 10.10.4.1 24 //Reconfigure an IP address for
VLANIF 10, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif10] quit
[CSS] interface Vlanif 20
[CSS-Vlanif20] ip binding vpn-instance Public //Bind VLANIF 20, which
connects the CSS to firewall's upstream interface, to Public.
[CSS-Vlanif20] ip address 10.10.2.1 24 //Reconfigure an IP address for
VLANIF 20, because the preceding operation has deleted the original IP
address.
[CSS-Vlanif20] quit
# Configure a static route in Public to forward upstream traffic. Set the next hop of the
route to the VRRP virtual IP address of routers.
[CSS] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100 //
Configure a default route for Public and set the next hop as the VRRP virtual
IP address of the router.
# Configure OSPF between CSS and routers to forward downstream traffic. Routers can
learn the return routes to service networks using OSPF.
[CSS] ospf 100 router-id 1.1.1.1
[CSS-ospf-100] area 0
[CSS-ospf-100-area-0.0.0.0] network 10.10.100.0 0.0.0.255 //Advertise the
routes on the network segment of service network 1 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.200.0 0.0.0.255 //Advertise the
routes on the network segment of service network 2 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the
routes on the network segment connected to Router to OSPF.
[CSS-ospf-100-area-0.0.0.0] quit
[CSS-ospf-100] import-route static //Import the static route to OSPF.
[CSS-ospf-100] quit
# Configure Router2.
[Router2] ospf 100 router-id 3.3.3.3
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise
the routes on the network segment connected to CSS to OSPF.
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit
# After the configurations are complete, CSS, Router1, and Router2 can set up neighbor
relationships. For example, when you view OSPF neighbor information on the CSS, you
can find that Router1 and Router2 have set up OSPF neighbor relationships with CSS
and the neighbor status is Full.
[CSS] display ospf peer
OSPF Process 100 with Router ID 1.1.1.1
Neighbors
# Configure a default route in VRF-A. The next hop is the downstream VRRP virtual IP
address (VRID2) of the firewalls.
[CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
# Configure static routes in Public to forward downstream traffic. Set the next hop of
each route to the upstream VRRP virtual IP address (VRID1) of the firewalls.
[CSS] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5 //The destination address is on service network 1 and the next hop is the VRID1 virtual IP address of the two FWs.
[CSS] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5 //The destination address is on service network 2 and the next hop is the VRID1 virtual IP address of the two FWs.
# After the configuration is complete, OSPF neighbor relationships should have been
established between the CSS and Router1 and Router2. You can run the display ospf peer
command to view the OSPF neighbor status. On the CSS, the neighbor status of both routers
should be Full.
4. Verify the configuration.
In the routing table on VRF-A, the first line indicates that the next hop for the traffic
destined for the Internet is the VRRP VRID 2 virtual IP address (10.10.3.5) of firewalls.
This indicates that upstream traffic is forcibly directed to firewalls for filtering.
[CSS] display ip routing-table vpn-instance Public
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7
In the routing table on Public, the first line indicates that the next hop for the traffic
destined for the Internet is the VRRP VRID 1 virtual IP address (10.10.4.100) of the routers.
The fifth and sixth lines indicate that the next hop for the traffic destined for the service
networks is the VRRP VRID 1 virtual IP address (10.10.2.5) of the firewalls. This indicates
that downstream traffic is forcibly directed to the firewalls for filtering.
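The routing tables above are what enforce the "forcibly directed to firewalls" property, and a change to any one of them can silently open a bypass. The following Python script is an added example and is not part of the original guide. It reconstructs the static routes of VRF-A, Public, the firewall pair and the routers from this example (the router's service-network routes stand in for what it learns via OSPF, and the router's Internet default route is an assumption the page does not show), performs a longest-prefix-match lookup on each device, and traces an upstream and a downstream packet to confirm that both cross the firewall pair. It also models a hypothetical misconfiguration, a VRF-A default route pointed straight at the router VRRP address, to show how the check catches a bypass.

```python
"""Trace forwarding paths through the VRF-A / Public / firewall design.

Added example, not from the original configuration guide. Routing tables are
reconstructed from the static routes in this example; the router's service
network routes stand in for what it learns via OSPF, and the router's Internet
default route ("INTERNET") is an assumption the page does not show.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, next hop); None = directly connected

TABLES: Dict[str, List[Route]] = {
    "VRF-A": [
        ("10.10.3.0/24", None), ("10.10.100.0/24", None), ("10.10.200.0/24", None),
        ("0.0.0.0/0", "10.10.3.5"),        # default -> FW VRRP VRID2 VIP (downstream)
    ],
    "Public": [
        ("10.10.2.0/24", None), ("10.10.4.0/24", None),
        ("0.0.0.0/0", "10.10.4.100"),      # default -> router VRRP VIP
        ("10.10.100.0/24", "10.10.2.5"),   # service network 1 -> FW VRID1 VIP (upstream)
        ("10.10.200.0/24", "10.10.2.5"),   # service network 2 -> FW VRID1 VIP (upstream)
    ],
    "FW": [
        ("10.10.2.0/24", None), ("10.10.3.0/24", None),
        ("0.0.0.0/0", "10.10.2.1"),        # default -> CSS VLANIF 20 (Public)
        ("10.10.100.0/24", "10.10.3.1"),   # service networks -> CSS VLANIF 30 (VRF-A)
        ("10.10.200.0/24", "10.10.3.1"),
    ],
    "Router": [
        ("10.10.4.0/24", None),
        ("10.10.100.0/24", "10.10.4.1"),   # learned from the CSS via OSPF
        ("10.10.200.0/24", "10.10.4.1"),
        ("0.0.0.0/0", "INTERNET"),         # assumed upstream default route (not on the page)
    ],
}

# Device that answers for each next-hop address (the VRRP VIPs belong to the FW pair).
OWNER = {
    "10.10.3.5": "FW", "10.10.2.5": "FW",
    "10.10.2.1": "Public", "10.10.3.1": "VRF-A",
    "10.10.4.100": "Router", "10.10.4.1": "Public",
}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None if dst is directly connected."""
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return best_nh


def trace(tables: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops device by device until dst is on a connected network."""
    addr = ipaddress.ip_address(dst)
    path, dev = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[dev], addr)
        if nh is None:
            return path                      # delivered on a connected network
        if nh == "INTERNET":
            return path + ["INTERNET"]
        dev = OWNER[nh]
        path.append(dev)
    raise RuntimeError(f"routing loop: {path}")


def firewall_inline(tables: Dict[str, List[Route]], start: str, dst: str) -> bool:
    """True if the path from start to dst traverses the firewall pair."""
    return "FW" in trace(tables, start, dst)


def with_leaked_default(tables: Dict[str, List[Route]]) -> Dict[str, List[Route]]:
    """Hypothetical misconfiguration: VRF-A's default route pointed straight at the
    router VIP (for example through an inter-VRF route leak), bypassing the firewalls."""
    leaked = {name: list(routes) for name, routes in tables.items()}
    leaked["VRF-A"] = [r for r in leaked["VRF-A"] if r[0] != "0.0.0.0/0"]
    leaked["VRF-A"].append(("0.0.0.0/0", "10.10.4.100"))
    return leaked


if __name__ == "__main__":
    print("upstream:  ", " -> ".join(trace(TABLES, "VRF-A", "203.0.113.10")))
    print("downstream:", " -> ".join(trace(TABLES, "Router", "10.10.100.10")))
    for label, tbl in (("as configured", TABLES), ("with leaked default", with_leaked_default(TABLES))):
        ok = firewall_inline(tbl, "VRF-A", "203.0.113.10") and firewall_inline(tbl, "Router", "10.10.200.20")
        print(f"{label}: firewall inline = {ok}")
```

Run the check after every routing change on the CSS or the firewalls. Forcing the path through the firewalls only helps if the firewall security policy actually inspects that traffic: the configuration files in this example show only the default packet filters for the local zone, and the trust/untrust policies that filter service traffic are not shown on this page.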
# Check VRRP status. FW1 is the master and FW2 is the slave.
HRP_M[FW1] display vrrp
Eth-Trunk4 | Virtual Router 1
VRRP Group : Master
State : Master
Virtual IP : 10.10.2.5
Virtual MAC : 0000-5e00-0101
Primary IP : 10.10.2.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES
NOTE
After HRP is configured, the configurations and sessions on the active firewall are synchronized to the
standby firewall; therefore, you only need to perform the following configurations on the active firewall
FW1.
You can find that the CSS and Router1 can ping each other.
# Ping VLANIF 100 (in VRF-A) on the CSS from Router1 to check the downlink connectivity.
<Router1> ping 10.10.100.1
Router1 and VLANIF 100 on the CSS can ping each other.
----End
Configuration Files
l Router1 configuration file
#
sysname Router1
#
interface Eth-Trunk1
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return
l CSS configuration file
#
ip vpn-instance VRF-A
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif1
#
interface Vlanif10
ip binding vpn-instance Public
ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance Public
ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance VRF-A
ip address 10.10.3.1 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance VRF-A
ip address 10.10.100.1 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance VRF-A
ip address 10.10.200.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk5
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk6
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk7
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk8
port link-type trunk
port trunk allow-pass vlan 100
#
interface Eth-Trunk9
port link-type trunk
port trunk allow-pass vlan 200
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/1/0/7
eth-trunk 4
#
interface GigabitEthernet1/1/0/8
eth-trunk 5
#
interface GigabitEthernet1/2/0/7
eth-trunk 6
#
interface GigabitEthernet1/2/0/8
eth-trunk 7
#
interface GigabitEthernet1/3/0/1
eth-trunk 8
#
interface GigabitEthernet1/3/0/2
eth-trunk 9
#
interface GigabitEthernet2/1/0/7
eth-trunk 4
#
interface GigabitEthernet2/1/0/8
eth-trunk 5
#
interface GigabitEthernet2/2/0/7
eth-trunk 6
#
interface GigabitEthernet2/2/0/8
eth-trunk 7
#
interface GigabitEthernet2/3/0/1
eth-trunk 8
#
interface GigabitEthernet2/3/0/2
eth-trunk 9
#
interface XGigabitEthernet1/4/0/0
eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
eth-trunk 2
#
interface XGigabitEthernet2/4/0/0
eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
eth-trunk 2
#
ospf 100 router-id 1.1.1.1
import-route static
area 0.0.0.0
network 10.10.100.0 0.0.0.255
network 10.10.200.0 0.0.0.255
network 10.10.4.0 0.0.0.255
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
#
return
l FW1 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk4
alias Eth-Trunk4
ip address 10.10.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 master
#
interface Eth-Trunk5
alias Eth-Trunk5
ip address 10.10.3.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 master
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk5
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW1
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction
outbound
firewall packet-filter default permit interzone local untrust direction
outbound
#
return
l FW2 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk6
alias Eth-Trunk6
ip address 10.10.2.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk7
alias Eth-Trunk7
ip address 10.10.3.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 slave
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk7
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW2
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction
outbound
firewall packet-filter default permit interzone local untrust direction
outbound
#
return
On agile networks, flexible and fast agile switches replace traditional switches. For example,
administrators can flexibly and fast configure, manage, and maintain devices. They do not
need to modify configurations for devices one by one to change a service or take a long time
to locate a network fault. Users can flexibly and fast access an agile network and enjoy the
same network experience at any locations using any access mode.
An agile campus network for a university is taken as an example in the following sections to
describe how agile networks improve the network services for campus users.
l Users in different areas of the main campus can access the campus network and connect
to the Internet through the campus network. Wired users use 802.1x authentication and
wireless users use Web authentication to access the network.
The following figure shows only the network deployment for teaching and office areas.
The network deployment for other areas is similar and is not shown in the figure.
l The network provides the Voice over Internet Protocol (VoIP), network printer, and
multimedia services.
l Users in branch campuses can access the main campus network through the Intranet.
l Users outside the campuses can access the main campus network through the Internet.
Figure 2-11 Campus networking diagram for the main campus (with no agile network
deployed)
[Figure: the main campus connects to the Intranet and the Internet; an independent AC
serves the APs; S5700LI switches provide access in the teaching area and the office area.]
The service deployment on the current campus network faces the following problems:
l As the university's population grows, a large number of wireless users demand wireless
services. The wired and wireless networks are deployed separately and are difficult to
manage. The university wants wired and wireless convergence to simplify network
management and improve network operation and maintenance (O&M) efficiency.
l As network services on the campus grow and users need to access the network while
moving, network information security becomes more important. The university wants
access users classified by role so that service policies and the network experience are
consistent wherever users go.
l The university has a large number of network devices and needs to adjust network
services frequently. To change a service, network administrators have to modify
configurations or upgrade versions on devices one by one, which is a heavy and tedious
workload.
[Figure: agile network on the main campus. The core switch (S12708) connects to the
Intranet, the Internet, the agile network on a branch campus, remote access users, an
external website server and eSight; S5700LI switches and APs provide access. Teacher Lee
is in the office area at 8:00 a.m., in the teaching area at 10:00 a.m., in the canteen at
12:00 a.m., in the library at 4:00 p.m., and in the residential community at 8:00 p.m.]
l Agile Controller
The Agile Controller integrates functions of the RADIUS server, Portal server, and free
mobility controller, facilitating service adjustment. When a user connects to the network
from different locations, the free mobility controller uniformly delivers network access
rights to ensure that the user can have the same network access rights at different
locations.
l eSight network management system (NMS)
eSight provides a graphical user interface (GUI) to help manage network devices,
perform configurations, and facilitate convenient and visual management.
l Wired and wireless convergence: Wired and wireless networks are uniformly managed
and maintained.
Agile switches at the core layer provide native AC capabilities on their line cards, so no
independent AC devices or AC cards (such as the ACU2) are required. Administrators do
not need to configure and deploy user access services on the wired and wireless networks
separately and can manage the wired and wireless networks as if they were one device.
The high switching capability and scalability of agile switches eliminate the bottleneck
of centralized traffic forwarding through independent ACs or AC cards.
l Free mobility: Service control policies can be migrated with users, delivering consistent
experience for users.
For example, in 2.4.2 Networking Requirements, teacher Lee connects to the campus
network from the office area, teaching area, library, and residential community every
day. He may be granted different access rights on a traditional network. For example, he
can access the essay database only in the office area, teaching area, and library, but not in
public areas in the campus.
The free mobility solution enables users to have the same network access rights at
different locations. Network access policies are configured centrally on the Agile
Controller and delivered to all associated access devices. In this way, users can obtain the
same network access policies and enjoy consistent network access experience at any
locations and using any IP addresses.
Table 2-5 lists the access policies that are configured on the Agile Controller and
delivered to three user groups: guest, student, and teacher.
After the preceding policies are configured, users have the same network access rights
and network experience after passing authentication.
l Super Virtual Fabric (SVF): Agile switches deliver configurations to devices at the
aggregation and access layers.
The SVF solution virtualizes core, aggregation, and access switches on a network into
one switch. The core switch manages the aggregation and access switches, and uses
configuration templates to complete batch configuration of aggregation and access
switches. In this way, administrators do not need to configure switches one by one.
Table 2-6 describes the roles in an SVF system. The agile switch functions as a parent to
manage all access switches (ASs) and APs. In the SVF system, wired and wireless users
are all managed on the parent.
Services on ASs are configured on the parent, and the key states of ASs and APs are
maintained on the parent. Administrators can complete service configurations for
An SVF system supports at most two levels of ASs and one level of APs. When eSight is deployed to
manage the SVF system, SVF can better simplify device management.
l Packet Conservation Algorithm for Internet (iPCA): iPCA allows an agile network to be
aware of the service quality and to locate network failures.
An agile switch with iPCA configured can monitor packet loss in real time. Table 2-7
lists the packet loss measurement modes. If a link fails, an iPCA-capable switch quickly
detects the fault and immediately sends an alarm to administrators. iPCA makes the
network aware of its service quality, reducing the impact of network failures. eSight
can display packet loss measurement results on a GUI, so administrators can easily
monitor network quality.
Network-level packet loss measurement: Monitor packet loss on the links between the main
campus and branch campuses. iPCA needs to be configured on the local and remote core
switches.
Table 2-8 lists the minimum versions supporting agile features and precautions for
configuring these features.
Wired and wireless convergence: minimum version V200R005 (V200R007C20 is not included).
If modular switches are used, X1E cards need to be installed. For details about the
applicable AP models and versions, see the product documents.
[Figure: networking for the configuration example. The core switch (S9706) in the branch
campus connects over the WAN to the core switches (S12708) in the main campus; the access
side shows AP_1 (AP5010DN), the wired user PC_1, and the wireless users STA_1 and STA_2.]
Table 2-9 and Table 2-10 describe the data planning based on the preceding networking
diagram.
Data: VLAN that wired users in teaching area 1 belong to
Description: Service VLAN accessed by wired users in teaching area 1, such as the VLAN
that PC_1 belongs to. ID: 100. IP address: 192.168.100.1/24
Data: VLAN that wired users in the library belong to
Description: Service VLAN accessed by wired users in the library, such as the VLAN that
PC_2 belongs to. ID: 200. IP address: 192.168.200.1/24
Data: VLAN that mobile terminals in teaching area 1 belong to
Description: Service VLAN accessed by STAs in teaching area 1, such as the VLAN that
STA_1 belongs to. ID: 202. IP address: 192.168.202.1/24
Data: VLAN that mobile terminals in the library belong to
Description: Service VLAN accessed by STAs in the library, such as the VLAN that STA_2
belongs to. ID: 204. IP address: 192.168.204.1/24
1. Configure the two switches in the parent to set up a CSS. For details, see the product
documents.
2. Log in to the CSS and enable the SVF function.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable //Enable the DHCP server function to allow an AS to
obtain an IP address from the parent.
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1 //Configure
the parent to send the IP address to an AS so that the AS can set up a CAPWAP
link with the specified IP address.
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11 //Set up a CAPWAP link between
the parent and the AS.
[HUAWEI] authentication unified-mode //Change the network admission control
(NAC) configuration mode to the unified mode.
[HUAWEI] stp mode rstp //Set the working mode to STP or RSTP when enabling
the SVF function.
[HUAWEI] uni-mng //Enable the SVF function and enter the uni-mng view.
Warning: This operation will enable the uni-mng mode and disconnect all ASs.
NOTE
When enabling the SVF function, ensure that the current and next startup NAC configuration modes are
the unified mode.
You can run the display authentication mode command to check whether the current and next startup
NAC configuration modes are the unified mode. If not, set the modes to the unified mode.
After the traditional and unified modes are switched, restart the device to make the configuration take
effect. By default, the NAC configuration mode is unified mode.
3. Configure access parameters for ASs.
# Configure ASs' names, and specify the device models and management MAC
addresses for the ASs.
[HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
[HUAWEI-um-as-as2] quit
[HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
[HUAWEI-um-as-as3] quit
# Configure the fabric ports that connect the parent to level-1 ASs (AS_1 and AS_2).
The following example configures the fabric port that connects the parent to AS_1. The
configuration of the fabric port that connects the parent to AS_2 is similar and is not
mentioned here.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit
# Configure the fabric port that connects level-1 AS (AS_1) to level-2 AS (AS_3).
[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-
trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet
0/0/23 to 0/0/24
[HUAWEI-um-as-as1] quit
[HUAWEI-um] quit
# Configure ASs to be authenticated using a whitelist when they connect to an SVF
system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] quit
[HUAWEI] quit
4. Clear the configurations of ASs, restart the ASs, and then connect the ASs to the parent
using cables. Subsequently, an SVF system is set up.
NOTE
Before connecting an AS to the parent, ensure that the AS has no configuration file or input on the
console port.
# Clear the configurations of ASs and restart the ASs. (This process takes 5 minutes.
During the process, ensure that the AS has no input on the console port. If the ASs are
unconfigured, you can directly connect the ASs to the parent with no need to restart the
ASs.)
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
# After connecting the cables, run the display as all command to check whether all ASs
have connected to the SVF system successfully.
<HUAWEI> display as all
------------------------------------------------------------------------------
No. Type Mac IP State Name
------------------------------------------------------------------------------
0 S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254 normal as1
1 S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253 normal as2
2 S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252 normal as3
------------------------------------------------------------------------------
Total: 3
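As an added check that is not part of the Huawei procedure, the following Python script compares the AS whitelist configured under as-auth with the display as all output and reports ASs that are whitelisted but absent, attached in a state other than normal, or attached without a whitelist entry. Both inputs are constructed samples modelled on the commands and output above; the non-normal state of as2 and the absence of as3 are assumed for illustration.

```python
import re

# Constructed sample: the whitelist configured under as-auth on the parent,
# as shown in the SVF procedure above.
AS_AUTH_CONFIG = """\
as-auth
 undo auth-mode
 whitelist mac-address 0200-0000-0011
 whitelist mac-address 0200-0000-0022
 whitelist mac-address 0200-0000-0033
"""

# Constructed sample of 'display as all' output.  Unlike the page, as2 is shown
# in a (constructed) non-normal state and as3 has not connected yet, so the
# audit has something to report.
DISPLAY_AS_ALL = """\
------------------------------------------------------------------------------
No.  Type                 Mac             IP              State    Name
------------------------------------------------------------------------------
0    S5700-52X-PWR-LI-AC  0200-0000-0011  192.168.11.254  normal   as1
1    S5700-52X-PWR-LI-AC  0200-0000-0022  192.168.11.253  fault    as2
------------------------------------------------------------------------------
Total: 2
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
WHITELIST_RE = re.compile(r"^\s*whitelist mac-address (" + MAC + r")\s*$")
# No. Type Mac IP State Name
ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(" + MAC + r")\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_whitelist(config):
    """Return the set of MAC addresses whitelisted under as-auth."""
    macs = set()
    for line in config.splitlines():
        m = WHITELIST_RE.match(line)
        if m:
            macs.add(m.group(1).lower())
    return macs


def parse_display_as_all(output):
    """Return {mac: (name, model, state)} for each AS row in the output."""
    rows = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            model, mac, _ip, state, name = m.groups()
            rows[mac.lower()] = (name, model, state)
    return rows


def audit_svf(config, output):
    """Compare the whitelist with the ASs actually attached to the parent."""
    allowed = parse_whitelist(config)
    attached = parse_display_as_all(output)
    return {
        # whitelisted ASs that have not joined the SVF system
        "missing": sorted(allowed - set(attached)),
        # attached ASs whose state is anything but normal
        "not_normal": sorted(mac for mac, (_n, _m, st) in attached.items()
                             if st != "normal"),
        # attached ASs with no whitelist entry: investigate before trusting them
        "unlisted": sorted(set(attached) - allowed),
    }


if __name__ == "__main__":
    for key, macs in audit_svf(AS_AUTH_CONFIG, DISPLAY_AS_ALL).items():
        print(f"{key}: {macs or 'none'}")
```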
Configure an AP to connect to an AS. The following example describes how to connect AP_1
to AS_3, and the procedure for connecting AP_2 to AS_2 is not mentioned here.
1. Create a network basic profile, and specify a pass-VLAN for mobile terminals connected
to AP_1.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_ap
[HUAWEI-um-net-basic-profile_ap] pass-vlan 202
[HUAWEI-um-net-basic-profile_ap] quit
Configure a PC to connect to an AS. The following example describes how to connect PC_1
to AS_3, and the procedure for connecting PC_2 to AS_2 is not mentioned here.
1. Create a network basic profile and a user access profile.
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] user-vlan 100
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] quit
3. Create a group, and bind the network basic profile and user access profile to the group.
[HUAWEI-um] port-group name group1
[HUAWEI-um-portgroup-group1] network-basic-profile profile_1
[HUAWEI-um-portgroup-group1] user-access-profile pro1
[HUAWEI-um-portgroup-group1] as name as3 interface GigabitEthernet 0/0/23
[HUAWEI-um] commit as name as3
[HUAWEI-um] quit
[HUAWEI-aaa] domain pc
[HUAWEI-aaa-domain-pc] authentication-scheme sch1
[HUAWEI-aaa-domain-pc] quit
[HUAWEI-aaa] quit
5. Check whether the user has connected to the SVF system.
If the user is dynamically configured to connect to an SVF system, perform shutdown
and undo shutdown operations to reconnect the wired user to the SVF system. Run the
display access-user command to check whether the user has connected to the SVF
system.
[HUAWEI] uni-mng
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] undo shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] quit
[HUAWEI-um] quit
Table 2-11 Security groups and access control policies configured on the Agile Controller
Source Security Group (User) | Destination Security Group (Resource) | Access Control Policy
# Set the AP authentication mode to MAC address authentication (default setting). Add
the APs offline according to the obtained AP type ID. The configuration of AP access
parameters is described in the SVF configuration procedure, and will not be described
here.
# Configure an AP region and add the APs to the region.
[HUAWEI-wlan-view] ap-region id 10
[HUAWEI-wlan-ap-region-10] quit
[HUAWEI-wlan-view] ap id 1
[HUAWEI-wlan-ap-1] region-id 10
[HUAWEI-wlan-ap-1] quit
[HUAWEI-wlan-view] ap id 2
[HUAWEI-wlan-ap-2] region-id 10
[HUAWEI-wlan-ap-2] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
state. The command output shows that the AP state is normal.
[HUAWEI-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile radio, and bind the WMM profile wmm to the radio profile.
[HUAWEI-wlan-view] radio-profile name radio id 1
[HUAWEI-wlan-radio-prof-radio] wmm-profile name wmm
[HUAWEI-wlan-radio-prof-radio] quit
[HUAWEI-wlan-view] quit
# Create a traffic profile traffic and set the STA's uplink rate limit to 2000 kbit/s and
downlink rate limit to 2400 kbit/s.
[HUAWEI-wlan-view] traffic-profile name traffic id 1
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client up 2000
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client down 2400
[HUAWEI-wlan-traffic-prof-traffic] quit
# Create a service set area1, and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set. Set the forwarding mode to direct forwarding (default
setting).
iPCA can be performed to detect packet loss on agile switches and between agile switches. If you want to
detect packet loss between the main campus and branch campus networks, agile switches need to be deployed
on both networks.
2. Run the display iplpm loss-measure statistics global command to check the packet loss
measurement results on a device. You can check the values of Loss Packets and
LossRatio to know whether packet loss occurs on a device.
[HUAWEI] display iplpm loss-measure statistics global
Latest global loss statistics:
--------------------------------------------------------------------------------
StartTime(DST)          Loss Packets    LossRatio       ErrorInfo
--------------------------------------------------------------------------------
2015-06-12 18:47:30     344127          4.513519%       OK
2015-06-12 18:47:20     381085          4.513196%       OK
2015-06-12 18:47:10     381192          4.513290%       OK
2015-06-12 18:47:00     381339          4.513341%       OK
2015-06-12 18:46:50     381465          4.513392%       OK
2015-06-12 18:46:40     381444          4.513487%       OK
2015-06-12 18:46:30     381129          4.513309%       OK
--------------------------------------------------------------------------------
Service Requirements
Economic and social development makes traveling by subway become a major way to avoid
traffic congestion in cities. A more diverse range of IP services and increasing data traffic
require a highly secure and reliable subway public transportation system. The legacy subway
bearer network can no longer meet these requirements, and a more robust, reliable bearer
network is required by a digital subway system. A modernized subway bearer network needs
to meet the following requirements:
l Ensures high reliability and security: Subways belong to the public transportation
system, requiring the subway bearer network to be reliable and secure.
l Provides sufficient data capacity: The subway system has high passenger traffic and
increasing data terminals, requiring the subway bearer network to provide sufficient data
capacity and data switching capacity.
l Supports a diverse range of service types: The subway system involves different service
types such as the control system, advertising media, and daily office, requiring the
subway bearer network to support a diverse range of service types.
The IP data communication network is the mainstream data communication network, supports
various access modes, and has a large network scale. Constructing an IP-based subway bearer
network has become a trend in future development.
Huawei offers the HoVPN-based HSR solution to implement secure and reliable subway
system operation and support a diverse range of service types for the subway system. The
HSR solution uses Huawei agile switches to construct a hierarchical network based on MPLS
L3VPN technology, provides powerful service supporting capabilities and simple as well as
flexible networking modes, and is suitable for large-scale subway bearer networks. This
solution adopts multiple protection technologies, including hardware bidirectional forwarding
detection (BFD), TE hot standby (HSB), VPN fast reroute (FRR), and traffic forwarding on
the Virtual Route Redundancy Protocol (VRRP) backup device and provides protection
switchovers within milliseconds to complete an end-to-end link switchover without being
noticed by users.
Overview
The Hierarchy of VPN (HoVPN)-based High-Speed Self Recovery (HSR) solution is
designed to ensure network reliability, scalability, maintainability, and multi-service
supporting capability, provide a hierarchical network structure, and reduce networking costs.
Figure 2-14 shows the network topology in the HSR solution.
Figure 2-14 Network topology in the HSR solution (figure not reproduced; its labels show Core_SPE1 on
the core ring, Site1_UPE1, Site3_UPE6, Site2_UPE3 and Site2_UPE4 connecting CE1, CE2 and CE3 in vpna,
BFD for VRRP, TE HSB and VPN FRR on each site link, and Metro site 1)
In Figure 2-14,
l Three S9700 switches are fully connected on the core layer to form a core ring, while the
data center site and two subway sites exchange data across the core ring.
l Two S5720HIs are deployed as aggregation switches in each subway site and form
square networking with two S9700s on the core ring. Alternatively, S5720HIs in multiple
sites are connected in serial networking and then form square networking with two
S9700s on the core ring. S5720HIs have VRRP configured to function as user gateways
of each subway site. The data center site uses two S9700s as aggregation switches and
has the same services deployed as the S5720HIs.
l Layer 2 switches are deployed on the access layer in each site to form an access ring and
are dual-homed to two S5720HIs in subway sites or two S9700s in the data center site.
This network transmits all service traffic of the subway system, including traffic of routine
office, advertising media, and train control management.
Service Deployment
Item | Solution
IGP | Use OSPF as an IGP and run OSPF between aggregation and core switches to ensure that these switches can be reached through routes and set up Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) and MPLS Traffic Engineering (TE) over OSPF routes.
Routing policy | Use routing policies to set the preferred value and community attribute to filter, select, and back up routes.
MPLS LDP | Run LDP between aggregation and core switches to transmit L3VPN data on links for label switching. Configure BFD for label switched paths (LSPs) to implement fast link switchovers.
MPLS TE | Deploy MPLS TE tunnels to transmit L3VPN traffic. That is, establish the primary and backup TE tunnels between each S5720HI and its directly connected S9700, and establish the primary and backup tunnels between each S9700 and its directly connected S5720HI. Enable TE HSB and configure BFD for TE HSB to allow traffic to be switched from the faulty primary TE tunnel to the backup TE tunnel within 50 ms.
L3VPN | Configure different VPNs for services such as daily office, advertising media, and train control management to isolate these services. In this scenario, one VPN is configured as an example.
BFD | Use BFD on each node to detect faults and implement fast traffic switchovers in case of faults. In this example, you need to deploy multiple services, including BFD for VRRP, BFD for LSP, and BFD for TE, to complete end-to-end switchovers within 50 ms.
Hybrid fast reroute (FRR) | Enable IP+VPN hybrid FRR on S5720HIs. When a fault occurs on the downlink access link, the connected interface on one S5720HI will detect the fault and fast switch traffic to the peer S5720HI, which then forwards traffic to access devices.
VRRP | Deploy VRRP between two S5720HIs to implement gateway backup for access users. Configure BFD for VRRP to speed up fault detection, VRRP convergence, and traffic switchovers. To prevent traffic loss caused by aggregation switch faults and shorten service interruptions, you also need to configure the VRRP backup device to forward service traffic.
Core nodes and data center aggregation nodes | Use S9706s or S9712s as core nodes and data center aggregation nodes, and install SRUDs and X1E LPUs on these switches. To provide high reliability, ensure that: (1) Eth-Trunk member interfaces reside on the same LPU; (2) on the same device, any two interfaces connected to other devices reside on different LPUs.
Version Mapping
Version Device
Network Topology
Construct a network based on the topology shown in Figure 2-15, name network devices, and
configure IP addresses for network devices, service interfaces, and user interfaces on the
devices.
Figure 2-15 Network topology (figure not reproduced; its labels show Site2_UPE3 and Site2_UPE4
interconnected over XGE0/0/1 and XGE0/0/4, their XGE0/0/2.150 subinterfaces toward CE2 in vpna, and
the Eth-Trunk member interfaces: Eth-Trunk5 on XGigabitEthernet1/0/0 to 1/0/3, Eth-Trunk17 on
XGigabitEthernet6/0/0 to 6/0/3 or 5/0/0 to 5/0/3, Eth-Trunk2 on XGigabitEthernet3/0/4 to 3/0/7 or
2/0/4 to 2/0/7, and Eth-Trunk7 on XGigabitEthernet4/0/4 to 4/0/7 or 6/0/4 to 6/0/7, depending on the
device)
Data Plan
NOTE
The data provided in this section is used as an example, which may vary depending on the network scale
and topology.
Device information includes the site name, device role, and device number. Each device is
named in the format of AA_BBX.
For example, Site1_UPE1 indicates a UPE numbered 1 at site 1. The following table
describes the data plan.
Procedure
l Configure the device name.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of other devices are similar to the configuration of Site1_UPE1, and are not mentioned
here.
sysname Site1_UPE1
----End
Procedure
Step 1 Add physical interfaces to Eth-Trunks.
The following uses the configuration of Core_SPE1 as an example. The configurations of
other devices are similar to the configuration of Core_SPE1, and are not mentioned here.
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
Step 4 Create Eth-Trunk load balancing profiles and apply the profiles to Eth-Trunks.
Configure load balancing based on the source and destination port numbers. The following
uses the configuration of Core_SPE1 as an example. The configurations of other devices are
similar to the configuration of Core_SPE1, and are not mentioned here.
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
load-balance enhanced profile CUSTOM
#
All devices on the entire network are connected through Layer 3 interfaces, and Layer 2 loop
prevention protocols are not required. Therefore, disable STP globally. The following uses the
configuration of Core_SPE1 as an example. The configurations of other devices are similar to
the configuration of Core_SPE1, and are not mentioned here.
#
stp disable
#
----End
Context
To implement protection switching within 50 ms, set the minimum interval at which BFD
packets are sent and received to 3.3 ms. The restraints on switches are as follows:
l For the S12700, the MPU must be an ET1D2MPUA000 card.
l For the S7700 or S9700, the MPU must have an ES0D00FSUA00 card installed or be an
EH1D2SRUDC00/EH1D2SRUDC01 card.
l For the S7706 or S7712, the assign system-resource-mode static command must be run
to set the resource allocation mode to static so that the BFD detection duration can be
controlled within 50 ms.
l For the S5720HI, the set service-mode enhanced command must be run to configure the
switch to work in enhanced mode.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
#
bfd
#
l Configure UPEs.
----End
Figure: OSPF deployment (figure not reproduced; its labels show OSPF running on the links among
Core_SPE1, Core_SPE2, Core_SPE3, Site1_UPE2, Site3_UPE5, Site2_UPE3 and Site2_UPE4, with CE2 in vpna)
Configuration Roadmap
Use OSPF as an IGP to ensure that network-wide devices can be reached through routes and
set up MPLS LDP and MPLS TE over OSPF routes. The configuration roadmap is as follows:
1. Add all devices to area 0 and advertise the directly connected network segment and the
address of loopback interface 1.
2. Configure all interfaces that do not run OSPF as OSPF silent interfaces to disable the
interfaces from sending or receiving OSPF packets. The configuration makes the OSPF
network more adaptive and saves network resources.
3. Considering the impact of 31-bit subnet masks, configure the OSPF network type to
point-to-point on the main interconnection interface.
4. Configure synchronization between OSPF and LDP to prevent traffic loss caused by
switchovers of the primary and backup LSPs.
Context
Configuring OSPF ensures that user-end provider edges (UPEs) and superstratum provider
edges (SPEs) can be reached through public network routes.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
router id 172.16.0.5 //Configure a router ID.
#
interface Eth-Trunk4
ospf network-type p2p //Set the OSPF network type to P2P on the interfaces
using IP addresses with 31-bit subnet masks.
#
interface Eth-Trunk5
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
interface XGigabitEthernet6/0/4
ospf network-type p2p
#
ospf 1
silent-interface all //Prohibit all interfaces from receiving and sending
OSPF packets.
undo silent-interface Eth-Trunk4 //Allow interfaces to receive and send
OSPF packets.
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10 //Set the route calculation interval
to 10 ms to speed up route convergence.
lsa-originate-interval 0 //Set the LSA update interval to 0.
lsa-arrival-interval 0 //Set the interval for receiving LSAs to 0 so that
topology or route changes can be immediately detected to speed up route
convergence.
graceful-restart period 600 //Enable OSPF GR.
flooding-control //Enable flooding-control to stabilize neighbor
relationships.
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%# //Set the
authentication mode and password for the OSPF area.
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
router id 172.16.2.51
#
interface Eth-Trunk7
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
graceful-restart period 600
bandwidth-reference 100000 //Set the bandwidth reference value used by the
system to calculate the interface cost based on a formula.
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
#
----End
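As an added audit that is not part of the Huawei procedure, the following Python script checks an OSPF configuration against the settings this section prescribes: a router ID, silent-interface all with only the p2p interconnect interfaces re-enabled, and area authentication whose key is stored as ciphertext inside the switch's %^%# style delimiters. The Core_SPE1 configuration above is embedded as constructed input (inline comments stripped), together with a deliberately weakened variant whose plain-text key is a placeholder.

```python
import re

# Constructed input: the Core_SPE1 OSPF configuration shown in this section,
# with the inline '//' comments removed so that it parses as a plain VRP config.
CORE_SPE1_OSPF = """\
router id 172.16.0.5
#
interface Eth-Trunk4
 ospf network-type p2p
#
interface Eth-Trunk5
 ospf network-type p2p
#
interface Eth-Trunk17
 ospf network-type p2p
#
interface XGigabitEthernet6/0/4
 ospf network-type p2p
#
ospf 1
 silent-interface all
 undo silent-interface Eth-Trunk4
 undo silent-interface Eth-Trunk5
 undo silent-interface Eth-Trunk17
 undo silent-interface XGigabitEthernet6/0/4
 graceful-restart period 600
 flooding-control
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#
  network 172.16.0.5 0.0.0.0
#
"""

# Constructed weakened variant: interfaces are not silenced by default and the
# area key is stored in plain text (placeholder value, not a real key).
WEAK_OSPF = CORE_SPE1_OSPF.replace(" silent-interface all\n", "").replace(
    "cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#", "plain OSPF-KEY-PLACEHOLDER")

# Delimiters the switch wraps around ciphertext passwords.
CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def is_ciphertext(value):
    return any(value.startswith(m) and value.endswith(m) and len(value) > 2 * len(m)
               for m in CIPHER_MARKERS)


def parse_blocks(config):
    """Split a VRP configuration into '#'-delimited blocks of stripped lines."""
    blocks, cur = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.strip())
    if cur:
        blocks.append(cur)
    return blocks


def audit_ospf(config):
    """Return a list of findings; an empty list means the config matches the page."""
    findings = []
    p2p_ifaces, ospf_body, has_router_id = set(), None, False
    for block in parse_blocks(config):
        head = block[0]
        if head.startswith("router id "):
            has_router_id = True
        elif head.startswith("interface ") and "ospf network-type p2p" in block[1:]:
            p2p_ifaces.add(head.split(None, 1)[1])
        elif head.startswith("ospf "):
            ospf_body = block[1:]
    if not has_router_id:
        findings.append("no router id configured")
    if ospf_body is None:
        return findings + ["no OSPF process configured"]
    if "silent-interface all" not in ospf_body:
        findings.append("interfaces are not silent by default (silent-interface all missing)")
    area, authenticated, areas = None, set(), []
    for line in ospf_body:
        parts = line.split()
        if line.startswith("undo silent-interface ") and parts[2] not in p2p_ifaces:
            findings.append(f"{parts[2]} runs OSPF but is not network-type p2p")
        elif line.startswith("area "):
            area = parts[1]
            areas.append(area)
        elif line.startswith("authentication-mode ") and area is not None:
            authenticated.add(area)
            # expected form: authentication-mode md5 <key-id> cipher <ciphertext>
            if parts[1] == "simple":
                findings.append(f"area {area}: simple (cleartext) authentication")
            if "cipher" not in parts:
                findings.append(f"area {area}: key is not stored as ciphertext")
            elif not is_ciphertext(parts[-1]):
                findings.append(f"area {area}: cipher value lacks the ciphertext delimiters")
    for a in areas:
        if a not in authenticated:
            findings.append(f"area {a}: no area authentication configured")
    return findings


if __name__ == "__main__":
    print("Core_SPE1:", audit_ospf(CORE_SPE1_OSPF) or "no findings")
    print("weakened:", audit_ospf(WEAK_OSPF))
```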
Figure: LDP neighbors (figure not reproduced; its labels show numbered LDP neighbor sessions among
Core_SPE2, Core_SPE3, Site1_UPE2, Site3_UPE5, Site2_UPE3 and Site2_UPE4)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an LSR ID and enable MPLS LDP globally and on each interface.
2. Configure synchronization between LDP and OSPF to prevent traffic loss caused by
switchovers of the primary and backup LSPs.
3. Configure LDP GR so that traffic forwarding is not interrupted upon primary/backup
switchovers and protocol restarts.
4. Configure BFD for LSP to quickly detect LDP LSP faults on the core ring.
NOTE
The data provided in this section is used as an example, which may vary depending on the network scale and
topology.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls lsr-id 172.16.0.5 //Configure an MPLS LSR ID. The IP address of a
loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns
labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk4
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk5
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface XGigabitEthernet6/0/4
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls lsr-id 172.16.2.51 //Configure an MPLS LSR ID. The IP address of a
loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns
labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk7
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
----End
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
172.16.0.3:0 Operational DU Passive 0000:00:56 226/226
172.16.0.4:0 Operational DU Active 0000:00:56 226/226
172.16.2.51:0 Operational DU Passive 0000:00:55 223/223
172.16.2.86:0 Operational DU Passive 0000:00:55 223/223
------------------------------------------------------------------------------
TOTAL: 4 session(s) Found.
Context
LDP LSRs set up LSPs using OSPF. When an LDP session fault (non-link fault) occurs on the
primary LSP or the primary LSP recovers from a fault, synchronization between LDP and
OSPF can prevent traffic loss caused by switchovers of the primary and backup LSPs.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
interface Eth-Trunk4
ospf ldp-sync //Enable synchronization between LDP and OSPF on the
protected interface.
ospf timer ldp-sync hold-down 20 //Set a Hold-down time that an interface
uses to delay setting up an OSPF neighbor relationship until an LDP session
is set up.
#
interface Eth-Trunk5
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface XGigabitEthernet6/0/4
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
l Configure UPEs.
----End
Context
LDP GR can be configured so that traffic forwarding is not interrupted upon primary/backup
switchovers and protocol restarts.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls ldp
graceful-restart //Enable LDP GR.
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls ldp
graceful-restart
#
----End
Context
To ensure reliability of LDP LSPs between SPEs on the core ring, configure BFD to detect
LDP LSPs quickly.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface
Eth-Trunk4 //Enable static BFD to detect the LDP LSP between SPE1 and SPE2.
discriminator local 317 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system.
discriminator remote 137 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface
Eth-Trunk5 //Enable static BFD to detect the LDP LSP between SPE1 and SPE3.
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
----End
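As an added check that is not part of the Huawei procedure, the following Python script parses the static BFD session blocks on both ends of an LDP LSP, verifies that the discriminators mirror each other and that each peer-ip is the other end's LSR ID, and computes the RFC 5880 detection time (the remote detect multiplier times the slower of the local receive and remote transmit intervals) against the 50 ms target. The Core_SPE3 side is not shown above, so its configuration is an assumption, deliberately given 10 ms intervals to show that one mismatched end degrades detection in both directions; a corrected variant is included for comparison.

```python
import re

# Constructed inputs.  The Core_SPE1 session is the SPE1toSPE3 session shown
# above; the Core_SPE3 side is not shown on this page and is assumed here with
# 10 ms intervals, to show what one mismatched peer does to the detection time.
DEVICES = {
    # device name: (MPLS LSR ID from the page, static BFD configuration)
    "Core_SPE1": ("172.16.0.5", """\
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
 discriminator local 32
 discriminator remote 23
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
 process-pst
 commit
#
"""),
    "Core_SPE3": ("172.16.0.4", """\
bfd SPE3toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.2 interface Eth-Trunk5
 discriminator local 23
 discriminator remote 32
 detect-multiplier 8
 min-tx-interval 10
 min-rx-interval 10
 process-pst
 commit
#
"""),
}
# Same network with Core_SPE3 corrected to the 3.3 ms intervals the page uses.
DEVICES_FIXED = dict(DEVICES, Core_SPE3=(DEVICES["Core_SPE3"][0],
                     DEVICES["Core_SPE3"][1].replace("interval 10", "interval 3")))

HEAD_RE = re.compile(r"^bfd (\S+) bind ldp-lsp peer-ip (\S+) nexthop \S+ interface \S+$", re.M)


def interval_ms(value):
    # The value 3 stands for the 3.3 ms interval on this page; other values are in ms.
    return 3.3 if value == 3 else float(value)


def parse_bfd_sessions(config):
    """Return {name: session dict} for the static BFD sessions in a VRP config."""
    sessions = {}
    for chunk in config.split("\n#"):
        head = HEAD_RE.search(chunk)
        if not head:
            continue

        def field(key, default):  # first value of a numeric setting, or the default
            m = re.search(rf"^\s*{key} (\d+)\s*$", chunk, re.M)
            return int(m.group(1)) if m else default

        sessions[head.group(1)] = {
            "name": head.group(1), "peer_ip": head.group(2),
            "local": field("discriminator local", None),
            "remote": field("discriminator remote", None),
            # Assumed VRP defaults when a setting is absent: multiplier 3, 1000 ms.
            "mult": field("detect-multiplier", 3),
            "tx_ms": interval_ms(field("min-tx-interval", 1000)),
            "rx_ms": interval_ms(field("min-rx-interval", 1000)),
            "committed": re.search(r"^\s*commit\s*$", chunk, re.M) is not None,
        }
    return sessions


def detection_time_ms(local, remote):
    """RFC 5880 detection time seen at 'local': the remote's multiplier times the
    slower of the local receive interval and the remote transmit interval."""
    return round(remote["mult"] * max(local["rx_ms"], remote["tx_ms"]), 1)


def check_bfd_pairs(devices, budget_ms=50.0):
    """Pair sessions by mirrored discriminators and check each pair against the budget."""
    sessions = [(dev, lsr, s) for dev, (lsr, cfg) in devices.items()
                for s in parse_bfd_sessions(cfg).values()]
    results, paired = [], set()
    for dev_a, lsr_a, a in sessions:
        for dev_b, lsr_b, b in sessions:
            if dev_a >= dev_b or (a["local"], a["remote"]) != (b["remote"], b["local"]):
                continue
            paired.update((id(a), id(b)))
            problems = []
            if a["peer_ip"] != lsr_b or b["peer_ip"] != lsr_a:
                problems.append("peer-ip does not match the peer's LSR ID")
            problems += [f"{d}:{s['name']} is not committed"
                         for d, s in ((dev_a, a), (dev_b, b)) if not s["committed"]]
            times = (detection_time_ms(a, b), detection_time_ms(b, a))
            problems += [f"detection time {t} ms at {d} exceeds {budget_ms} ms"
                         for d, t in zip((dev_a, dev_b), times) if t > budget_ms]
            results.append({"pair": (f"{dev_a}:{a['name']}", f"{dev_b}:{b['name']}"),
                            "detect_ms": times, "problems": problems})
    for dev, _lsr, s in sessions:
        if id(s) not in paired:  # a lone session usually means a discriminator typo
            results.append({"pair": (f"{dev}:{s['name']}",), "detect_ms": None,
                            "problems": ["no peer session with mirrored discriminators"]})
    return results
```

Calling check_bfd_pairs(DEVICES) reports 80.0 ms at both ends, while check_bfd_pairs(DEVICES_FIXED) reports 26.4 ms (8 times 3.3 ms) with no problems.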
Figure: MPLS TE tunnels between the Site2 UPEs and the core (figure not reproduced; its labels show
primary tunnels TE1 and TE3, backup tunnels TE2 and TE4, and paths 1 to 8 among Core_SPE2, Core_SPE3,
Site2_UPE3 and Site2_UPE4)
2. Globally enable MPLS, MPLS TE and MPLS TE CSPF on each node along TE tunnels,
and deploy MPLS and MPLS TE on each interface along the TE tunnels.
3. Configure tunnel paths, enable each node to use primary and backup TE tunnels, and
configure primary and backup CR-LSPs using the affinity attribute.
4. Create L3VPN service tunnels.
a. Create primary tunnels.
n Create primary tunnel TE1 between Site2_UPE3 and Core_SPE2. Specify path
1 as the primary CR-LSP and path 2 as the backup CR-LSP.
n Create primary tunnel TE3 between Site2_UPE4 and Core_SPE3. Specify path
5 as the primary CR-LSP and path 6 as the backup CR-LSP.
b. Create backup tunnels.
n Create backup tunnel TE2 between Site2_UPE3 and Core_SPE3, which is the
backup tunnel of primary tunnel TE1. Specify path 3 as the primary CR-LSP
and path 4 as the backup CR-LSP.
n Create backup tunnel TE4 between Site2_UPE4 and Core_SPE2, which is the
backup tunnel of primary tunnel TE3. Specify path 7 as the primary CR-LSP
and path 8 as the backup CR-LSP.
c. Configure RSVP GR.
Enable RSVP GR on all devices to prevent network disconnection and recover
dynamic CR-LSPs upon switchovers on RSVP nodes.
d. Configure BFD for CR-LSP.
Configure static BFD for CR-LSP on all devices to speed up switchovers of the
primary and backup CR-LSPs.
5. Create a tunnel policy.
Configure TE tunnels to be preferentially selected.
NOTE
The data provided in this section is used as an example, which may vary depending on the network scale and
topology.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk4
mpls te //Enable MPLS TE on an interface.
mpls te link administrative group c //Configure the link management group
attribute for the TE tunnel to select primary and backup paths.
mpls rsvp-te //Enable RSVP-TE on an interface.
#
interface Eth-Trunk5
mpls te
mpls te link administrative group 30
mpls rsvp-te
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
interface XGigabitEthernet6/0/4
mpls te
mpls te link administrative group 20
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque capability of OSPF.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the OSPF area.
#
interface Tunnel611 //Specify the tunnel from Core_SPE1 to Site1_UPE1.
description Core_SPE1 to Site1_UPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface
to borrow the IP address of a loopback interface.
tunnel-protocol mpls te //Set the tunnel protocol to MPLS TE.
destination 172.16.2.51 //Configure the IP address of Site1_UPE1 as the
tunnel destination IP address.
mpls te tunnel-id 71 //Configure a tunnel ID, which must be valid and
unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route
information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of
the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity
attribute of the backup CR-LSP.
mpls te backup hot-standby //Configure the hot standby mode of tunnels.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for
the configuration to take effect.
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure the CR-LSP
to be preferentially selected.
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
l Configure UPEs.
----End
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, if both the primary
and backup LSPs of tunnel 611 are in UP state, the primary and backup LSPs have been
set up successfully.
[Core_SPE1]display mpls te tunnel-interface Tunnel611
----------------------------------------------------------------
Tunnel611
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 71
Ingress LSR ID : 172.16.0.5 Egress LSR ID: 172.16.2.51
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 1
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32772
l Run the display mpls te hot-standby state all command to view status of all HSB
tunnels.
Using Core_SPE1 as an example, if the switch result of every HSB tunnel on Core_SPE1 is
Primary LSP, traffic is carried on the primary CR-LSPs and no switchover to a
hot-standby CR-LSP is in effect.
[Core_SPE1]display mpls te hot-standby state all
---------------------------------------------------------------------
No. tunnel name session id switch result
---------------------------------------------------------------------
1 Tunnel611 71 Primary LSP
2 Tunnel622 82 Primary LSP
3 Tunnel711 311 Primary LSP
4 Tunnel721 312 Primary LSP
l Run the ping lsp te tunnel command to check bidirectional connectivity of the master
and backup TE tunnels of each device.
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, run the following ping
commands on both ends of the TE tunnel:
[Core_SPE1] ping lsp te Tunnel611
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes,
press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=5 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms
--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
[Core_SPE1] ping lsp te Tunnel611 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes,
press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms
--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, run tracert lsp te with
and without the hot-standby keyword and confirm that the primary and backup CR-LSPs
traverse different hops. In the outputs below the two paths share only the ingress and
the egress (172.16.2.51).
[Core_SPE1]tracert lsp te Tunnel611
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C
to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress
[Core_SPE1]tracert lsp te Tunnel611 hot-standby
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C
to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.9/[1391 ]
1 172.17.4.9 3 ms Transit 172.17.4.13/[1169 ]
2 172.17.4.13 7 ms Transit 172.17.4.14/[1109 ]
3 172.16.2.51 4 ms Egress
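The two checks above (every hot-standby tunnel reporting Primary LSP, and the primary and backup CR-LSPs following different paths) can be scripted against saved command output. The following Python is an added example for this guide, not part of the Huawei documentation or the device software. It parses constructed outputs in the shape of the display mpls te hot-standby state all and tracert lsp te outputs shown above (Tunnel721 is deliberately shown on its hot-standby CR-LSP so the check has something to flag); the function and variable names are this example's own.

```python
import re

# Constructed outputs in the shape of the Core_SPE1 verification commands above
# (not captured from a live device). Tunnel721 is deliberately shown on its
# hot-standby CR-LSP so that tunnels_not_on_primary() has something to report.
HSB_STATE_OUTPUT = """\
---------------------------------------------------------------------
No. tunnel name session id switch result
---------------------------------------------------------------------
1 Tunnel611 71 Primary LSP
2 Tunnel622 82 Primary LSP
3 Tunnel711 311 Primary LSP
4 Tunnel721 312 Hot-standby LSP
"""

TRACERT_PRIMARY = """\
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress
"""

TRACERT_BACKUP = """\
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.9/[1391 ]
1 172.17.4.9 3 ms Transit 172.17.4.13/[1169 ]
2 172.17.4.13 7 ms Transit 172.17.4.14/[1109 ]
3 172.16.2.51 4 ms Egress
"""

IPV4 = r"\d+(?:\.\d+){3}"
# "<no.> <tunnel name> <session id> <switch result>"
HSB_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+(\S.*?)\s*$")
# "<ttl> [<replier> <rtt> ms] <Ingress|Transit|Egress> [<downstream>/[<label> ]]"
TRACE_ROW = re.compile(
    rf"^\s*(\d+)\s+(?:({IPV4})\s+(\d+) ms\s+)?(Ingress|Transit|Egress)"
    rf"(?:\s+({IPV4})/\[\s*(\d+)\s*\])?\s*$")


def parse_hsb_state(text):
    """{tunnel name: switch result} from 'display mpls te hot-standby state all'."""
    out = {}
    for line in text.splitlines():
        m = HSB_ROW.match(line)
        if m:
            out[m.group(1)] = m.group(3)
    return out


def tunnels_not_on_primary(text):
    """Tunnels whose traffic is not on the primary CR-LSP, i.e. a switchover is in effect."""
    return sorted(t for t, r in parse_hsb_state(text).items() if r != "Primary LSP")


def parse_tracert(text):
    """List of (ttl, replier, type, downstream address, downstream label) hops."""
    hops = []
    for line in text.splitlines():
        m = TRACE_ROW.match(line)
        if m:
            ttl, replier, _rtt, kind, down, label = m.groups()
            hops.append((int(ttl), replier, kind, down, int(label) if label else None))
    return hops


def path_links(text):
    """Link addresses the CR-LSP traverses: every downstream address plus every
    transit replier. Ingress and egress are left out because both CR-LSPs of a
    tunnel share them by definition."""
    links = set()
    for _ttl, replier, kind, down, _label in parse_tracert(text):
        if kind == "Transit":
            links.add(replier)
        if down:
            links.add(down)
    return links


def egress_of(text):
    """Replier address of the Egress hop, or None if the trace did not complete."""
    return next((r for _t, r, k, _d, _l in parse_tracert(text) if k == "Egress"), None)


def paths_are_disjoint(primary_trace, backup_trace):
    """True when both CR-LSPs reach the same egress over no common link address."""
    return (egress_of(primary_trace) == egress_of(backup_trace)
            and not path_links(primary_trace) & path_links(backup_trace))


if __name__ == "__main__":
    print("not on primary:", tunnels_not_on_primary(HSB_STATE_OUTPUT))
    print("Tunnel611 paths disjoint:", paths_are_disjoint(TRACERT_PRIMARY, TRACERT_BACKUP))
```

paths_are_disjoint compares link addresses only: two addresses on different interfaces of the same node, or on fibres in the same duct, still count as disjoint here, so the check confirms that the affinity plan placed the CR-LSPs where intended, not that the physical paths are diverse. Re-run both traces after each switchover test, since a CR-LSP that is re-signalled after a link failure may be placed on a different path.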
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper
capabilities.
#
interface Eth-Trunk4
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an
interface.
#
interface Eth-Trunk5
mpls rsvp-te hello
#
interface Eth-Trunk17
mpls rsvp-te hello
#
interface XGigabitEthernet6/0/4
mpls rsvp-te hello
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper
capabilities.
#
interface Eth-Trunk7
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an
interface.
#
interface Eth-Trunk17
mpls rsvp-te hello
#
----End
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6116 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system, and vice versa: 6116/6115 on Core_SPE1
pairs with 6115/6116 on Site1_UPE1.
discriminator remote 6115 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
process-pst //Allow the BFD session to modify the port state table (PST) so that a detected fault triggers a fast switchover.
commit //Commit the BFD session configuration.
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 622.
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 622.
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 721.
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 721.
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 711.
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 711.
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6115 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system, and vice versa: 6115/6116 here mirrors
6116/6115 on Core_SPE1.
discriminator remote 6116 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
process-pst //Allow the BFD session to modify the port state table (PST) so that a detected fault triggers a fast switchover.
commit //Commit the BFD session configuration.
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup //Enable
static BFD to detect the backup CR-LSP of TE tunnel 612.
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp //Enable static
BFD to detect the primary CR-LSP of TE tunnel 612.
discriminator local 6121
----End
On a rail transmit bearer network, IP tunnels between nodes need to be enabled to bear
L3VPN services. For example, set up a hierarchical L3VPN tunnel from Site1_UPE1 to
Site2_UPE3 to transmit IP data services between Site1 and Site2, as shown in Figure 2-19.
[Figure 2-19: hierarchical L3VPN between sites. Labels: L3VPN, Specific route, Default route, VPN FRR, IP+VPN hybrid FRR; nodes Site1_UPE2, Site3_UPE5, Core_SPE2, Core_SPE3, Site2_UPE3, Site2_UPE4, CE2 (vpna).]
– Configure a tunnel policy selector on an SPE to enable the SPE to select any tunnel
policy when the next-hop address of a VPNv4 route has the prefix of another SPE
and to select a TE tunnel in other scenarios.
– Deploy VRRP on two UPEs at a site, and send information about ARP Vlink direct
routes to the neighboring SPEs so that the SPEs select the optimal route to send
packets to the CE.
3. Configure reliability protection.
– Deploy VRRP on two UPEs at a site to implement gateway backup and ensure
reliability of uplink traffic on CEs. Configure backup devices to forward service
traffic, minimizing the impact of VRRP switchovers on services.
– Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and an SPE is
faulty, traffic is automatically switched to the TE tunnel between the UPE and
another SPE at the same site, minimizing the impact on VPN services.
– Deploy VPN FRR on an SPE, for example Core_SPE1. If Core_SPE2 connected to
SPE1 is faulty, Core_SPE1 switches VPN services to Core_SPE3, implementing
fast E2E switchovers of VPN services.
– Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE is
faulty, traffic is automatically switched to the TE tunnel between the SPE and
another UPE at the same site, minimizing the impact on VPN services.
– Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a fault on
the link between the UPE and its connected CE, the UPE quickly switches traffic to
its peer UPE, and the peer UPE then forwards the traffic to the CE.
– Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic
forwarding during a master/backup switchover on the device transmitting VPN
services.
NOTE
The data provided in this section is used as an example, which may vary depending on the network scale and
topology.
Service sub-interface addresses:
Site1_UPE1 XGigabitEthernet1/0/4.200: 172.18.200.66/26
Site1_UPE2 XGigabitEthernet1/0/4.200: 172.18.200.67/26
Site2_UPE3 XGigabitEthernet0/0/2.150: 172.18.150.2/26
Site2_UPE4 XGigabitEthernet0/0/2.150: 172.18.150.3/26
Site3_UPE5 XGigabitEthernet0/0/2.100: 172.18.100.2/26
Site3_UPE6 XGigabitEthernet0/0/2.100: 172.18.100.3/26
BGP parameters (BGP process ID 65000 and policy vpn-target enabled on every device):
Core_SPE1:  router ID 172.16.0.5;  peer group devCore: 172.16.0.3, 172.16.0.4;  devHost: 172.16.2.50, 172.16.2.51, 172.16.2.86, 172.16.2.87
Core_SPE2:  router ID 172.16.0.3;  peer group devCore: 172.16.0.4, 172.16.0.5;  devHost: 172.16.2.50, 172.16.2.51, 172.16.2.75, 172.16.2.76
Core_SPE3:  router ID 172.16.0.4;  peer group devCore: 172.16.0.3, 172.16.0.5;  devHost: 172.16.2.75, 172.16.2.76, 172.16.2.86, 172.16.2.87
Site1_UPE1: router ID 172.16.2.51; peer group devCore: 172.16.0.3, 172.16.0.5;  devHost: 172.16.2.50
Site1_UPE2: router ID 172.16.2.50; peer group devCore: 172.16.0.3, 172.16.0.5;  devHost: 172.16.2.51
Site2_UPE3: router ID 172.16.2.75; peer group devCore: 172.16.0.3, 172.16.0.4;  devHost: 172.16.2.76
Site2_UPE4: router ID 172.16.2.76; peer group devCore: 172.16.0.3, 172.16.0.4;  devHost: 172.16.2.75
Site3_UPE5: router ID 172.16.2.87; peer group devCore: 172.16.0.4, 172.16.0.5;  devHost: 172.16.2.86
Site3_UPE6: router ID 172.16.2.86; peer group devCore: 172.16.0.4, 172.16.0.5;  devHost: 172.16.2.87
[Figure: Community Attribute. Labels: Site1_UPE2, Site3_UPE5, Core_SPE2, Core_SPE3, Site2_UPE3, Site2_UPE4; community values shown include 200:200, 300:300, 5720:5720, 23:23 and 13:13.]
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp //Configure a tunnel policy
selector to enable Core_SPE1 to select any tunnel to be iterated when the
next-hop address of a VPNv4 route has the prefix of another SPE.
#
tunnel-selector TSel permit node 10 //Configure a tunnel policy selector to
iterate a route received from an IBGP peer to a TE tunnel when the route
needs to be forwarded to another IBGP peer and Core_SPE1 needs to modify the
next hop of the route to itself.
apply tunnel-policy TE
#
bgp 65000
group devCore internal //Create an IBGP peer group.
peer devCore connect-interface LoopBack1 //Specify loopback interface 1
and its address as the source interface and address of BGP packets.
peer 172.16.0.3 as-number 65000 //Set up a peer relationship between SPEs.
peer 172.16.0.3 group devCore //Add SPEs to the IBGP peer group.
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
----End
Context
VPN instances need to be configured to advertise VPNv4 routes and forward data to achieve
communication over a L3VPN.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
ip vpn-instance vpna //Create a VPN instance.
ipv4-family
route-distinguisher 5:1 //Configure an RD.
tnl-policy TSel //Apply tunnel policy TSel to the VPN instance so that its traffic is iterated to TE tunnels.
vpn-target 0:1 export-extcommunity //Configure the extended community
attribute VPN target.
vpn-target 0:1 import-extcommunity
#
bgp 65000
#
ipv4-family vpnv4
nexthop recursive-lookup delay 10 //Set the next-hop iteration delay to
10s.
route-select delay 120 //Set the route selection delay to 120s,
preventing traffic interruption caused by fast route switchback.
#
ipv4-family vpn-instance vpna
default-route imported //Import the default route to VPN instance vpna.
nexthop recursive-lookup route-policy delay_policy //Configure BGP next-
hop iteration based on the routing policy delay_policy.
nexthop recursive-lookup delay 10
route-select delay 120
#
route-policy delay_policy permit node 0 //Permit routes of all sites.
if-match community-filter all_site
#
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
arp vlink-direct-route advertise //Advertise IPv4 ARP Vlink direct routes.
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna //Bind the VPN instance to the corresponding
service interface.
arp direct-route enable //Configure the ARP module to report ARP Vlink
direct routes to the RM module.
ip address 172.18.200.66 255.255.255.192
arp broadcast enable //Enable ARP broadcast of a VLAN tag termination sub-
interface.
#
bgp 65000
#
ipv4-family vpnv4
route-select delay 120
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex //Import direct routes to
VPN instance vpna and add the community attribute.
route-select delay 120
#
#
route-policy p_iBGP_RR_ex permit node 0 //Add the community attribute for
the route.
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640 //Set the aging time of dynamic ARP entries.
arp static 172.18.200.68 0001-0002-0003 vid 200 interface
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Deploy VRRP on two UPEs at a site to ensure reliability of uplink traffic on CEs. Site1
is used as an example, as shown in Figure 2-20.
– Configure Site1_UPE1 as the master node and Site1_UPE2 as the backup node in a
VRRP group. If Site1_UPE1 is faulty, uplink traffic on CE1 will be quickly
switched to Site1_UPE2.
– Configure BFD for VRRP so that faults are detected by BFD in hardware. When BFD
detects a fault, it notifies the backup device in the VRRP group to become the
master, and the device immediately sends gratuitous ARP packets so that access-layer
devices forward traffic to the new master.
– Configure backup devices to forward service traffic. When the VRRP status of a
device is Backup, the device can forward traffic as long as it receives traffic. This
prevents service traffic loss and shortens service interruption time if the aggregation
device is faulty.
NOTE
If there are more than 64 VRRP groups, run the set vrrp max-group-number max-group-number
command on the UPEs to set the maximum number of allowed VRRP groups.
[Figure 2-20: VRRP at Site1. Site1_UPE1 (Master) and Site1_UPE2 (Backup) connect CE1 in vpna to the upstream; BFD tracks VRRP; the backup device is configured to forward service traffic.]
2. Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and an SPE is faulty,
traffic is automatically switched to the TE tunnel between the UPE and another SPE at
the same site. Site1_UPE1 is used as an example, as shown in Figure 2-21.
[Figure 2-21: VPN FRR on Site1_UPE1. Labels: Core_SPE1, Core_SPE2, Site1_UPE2, L3VPN, backup path, upstream.]
[Figure: VPN FRR on Core_SPE1. Labels: Core_SPE1, Core_SPE2, Core_SPE3, L3VPN, downstream.]
4. Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE is faulty,
traffic is automatically switched to the TE tunnel between the SPE and another UPE at
the same site. Core_SPE2 is used as an example, as shown in Figure 2-23.
[Figure 2-23: VPN FRR on Core_SPE2. Labels: Core_SPE2, Core_SPE3, primary path, backup path, L3VPN, Site2_UPE3, Site2_UPE4, CE2 (vpna), downstream.]
5. Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a fault on the
link between the UPE and its connected CE, the UPE quickly switches traffic to its peer
UPE, and the peer UPE then forwards the traffic to the CE. Site2 is used as an example,
as shown in Figure 2-24.
If the link from Site2_UPE3 to CE2 is faulty, traffic is forwarded to Site2_UPE4 through
an LSP and then to CE2 using a private IP address, improving network reliability.
6. Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic forwarding
during a master/backup switchover on the device transmitting VPN services.
Procedure
l Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The
configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of
Core_SPE1, and are not mentioned here.
bgp 65000
graceful-restart //Enable BGP GR.
#
ipv4-family vpnv4
auto-frr //Enable VPNv4 FRR.
l Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations
of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to
the configuration of Site1_UPE1, and are not mentioned here.
ip vpn-instance vpna
ipv4-family
ip frr route-policy mixfrr //Enable IP FRR.
#
interface XGigabitEthernet1/0/4.200
vrrp vrid 1 virtual-ip 172.18.200.65 //Configure VRRP.
vrrp vrid 1 preempt-mode timer delay 250 //Set the preemption delay of
switches in a VRRP group.
vrrp vrid 1 track bfd-session 2200 peer //Enable BFD for VRRP to implement
master/backup switchovers.
vrrp vrid 1 backup-forward //Enable the backup device to forward service
traffic.
vrrp track bfd gratuitous-arp send enable //Enable BFD for VRRP to quickly
send gratuitous ARP packets during master/backup switchovers.
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface
XGigabitEthernet1/0/4.200 source-ip 172.18.200.66 //Configure static BFD
for VRRP.
discriminator local 2200 //Set the local discriminator. The local
discriminator of the local system must be the same as the remote
discriminator of the remote system.
discriminator remote 1200 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device
sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device
receives BFD packets to 3.3 ms.
commit //Commit the BFD session configuration.
#
bgp 65000
graceful-restart
#
ipv4-family vpn-instance vpna
auto-frr
#
#
route-policy mixfrr permit node 0 //Set the backup next hop to the loopback
interface 1 of another UPE at the same site.
apply backup-nexthop 172.16.2.50
#
----End
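The comment on each BFD session in the two procedures above states the pairing rule: the local discriminator on one end must equal the remote discriminator on the other end, and vice versa. The sessions in this guide come in dozens with near-identical numbers (6116/6115, 6112/6111, 2200/1200), so a transposed digit is easy to miss, and a session with a mis-typed discriminator simply never reaches Up. The following Python is an added example, not part of the Huawei documentation or the device software. It parses constructed configuration snippets in the shape of the bfd ... bind sections on this page (both the te-lsp bindings and the VRRP peer-ip binding), pairs the sessions across devices by discriminator, and reports unpaired sessions and timer mismatches. Two errors are planted in the snippets on purpose; the function and variable names are this example's own.

```python
import re

# Constructed configuration snippets in the shape of the BFD sections above.
# Names, tunnels and discriminators follow the page. Two errors are planted:
# the detect-multiplier on Site1_UPE1's primary-LSP session and the remote
# discriminator on Site1_UPE2's VRRP session.
CONFIGS = {
    "Core_SPE1": """\
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6116
 discriminator remote 6115
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6112
 discriminator remote 6111
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
""",
    "Site1_UPE1": """\
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
 discriminator local 6115
 discriminator remote 6116
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
 discriminator local 6111
 discriminator remote 6112
 detect-multiplier 5
 min-tx-interval 3
 min-rx-interval 3
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
 discriminator local 2200
 discriminator remote 1200
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
""",
    "Site1_UPE2": """\
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
 discriminator local 1200
 discriminator remote 2202
 detect-multiplier 8
 min-tx-interval 3
 min-rx-interval 3
#
""",
}

SESSION_HDR = re.compile(r"^bfd\s+(\S+)\s+bind\s+(.+)$")
TIMERS = ("detect-multiplier", "min-tx-interval", "min-rx-interval")


def parse_bfd_sessions(device, text):
    """Static BFD sessions (name, bind spec, discriminators, timers) from a VRP snippet."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()    # drop inline comments and indentation
        m = SESSION_HDR.match(line)
        if m:
            cur = {"device": device, "name": m.group(1), "bind": m.group(2)}
            sessions.append(cur)
        elif line == "#":
            cur = None                           # end of the BFD session view
        elif cur is not None and line:
            parts = line.split()
            if parts[0] == "discriminator" and len(parts) == 3:
                cur[parts[1]] = int(parts[2])    # key is 'local' or 'remote'
            elif parts[0] in TIMERS and len(parts) == 2:
                cur[parts[0]] = int(parts[1])
    return sessions


def check_pairing(configs):
    """A session is paired when exactly one session on another device has
    local == our remote and remote == our local. Returns sorted lists of
    'device:name' strings: (paired, unpaired, timer_mismatch)."""
    sessions = [s for dev, txt in configs.items() for s in parse_bfd_sessions(dev, txt)]
    paired, unpaired, mismatch = [], [], []
    for s in sessions:
        tag = f"{s['device']}:{s['name']}"
        peers = [p for p in sessions if p["device"] != s["device"]
                 and p.get("local") == s.get("remote") and p.get("remote") == s.get("local")]
        if len(peers) != 1:                      # missing, mis-typed or ambiguous peer
            unpaired.append(tag)
            continue
        paired.append(tag)
        if any(s.get(k) != peers[0].get(k) for k in TIMERS):
            mismatch.append(tag)
    return sorted(paired), sorted(unpaired), sorted(mismatch)


if __name__ == "__main__":
    for label, names in zip(("paired", "unpaired", "timer mismatch"), check_pairing(CONFIGS)):
        print(f"{label}: {', '.join(names) or '-'}")
```

Run it over the real display current-configuration output of every SPE and UPE before cutover; an unpaired session shows up here immediately, whereas on the devices it only shows up as a session that never comes Up, and a fault on that CR-LSP or VRRP link would then go undetected. The timer comparison is advisory: BFD negotiates the intervals, but the page configures identical values on both ends and a deviation usually means a copy-paste slip.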
Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd
l Run the display ip routing-table vpn-instance command on UPEs to check the hybrid
FRR status.
The command output on Site2_UPE3 is used as an example. The BkNextHop, BkLabel, and
BkPETunnelID fields give the backup next hop, backup label, and backup tunnel ID, and
their presence shows that the hybrid FRR entry has been generated: the active route to
the host is the direct route out of the local sub-interface, and the backup route points
to the peer UPE at the same site, 172.16.2.76.
[Site2_UPE3]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 2
Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0
Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Tag: 0 Priority: low
Label: 1024 QoSInfo: 0x0
IndirectID: 0xcd
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
l Run the display vrrp interface command to check the VRRP status.
The command output on Site2_UPE3 is used as an example. The fields in boldface in the
command output indicate that the VRRP status of Site2_UPE3 is Master, the backup
device has been configured to forward service traffic, and BFD for VRRP has been
configured.
sysname Core_SPE1
#
router id 172.16.0.5
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 5:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.5
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 20
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
interface Tunnel611
description Core_SPE1 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site13
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
tunnel-policy TSel
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
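The Core_SPE1 configuration above carries its route-selection logic in two route policies: p_iBGP_RR_in on routes from the devHost (UPE) peers and core-import on routes from the devCore (SPE) peers, both driven by the communities that the UPEs attach on export (100:100 5720:5720 12:12 on Site1_UPE1). The following Python is an added illustration, not part of the Huawei documentation or the device software. It models those two policies and the community filters and prefix list exactly as written in the configuration, and evaluates constructed routes against them. It assumes the usual VRP route-policy semantics: nodes are tried in ascending order, every if-match clause of a node must match, the first matching node decides, and a route that matches no node is denied; a basic community filter without the whole-match keyword matches any route that carries the listed community. Route, evaluate, demo and the sample prefixes are this example's own names.

```python
from typing import NamedTuple


class Route(NamedTuple):
    prefix: str            # e.g. "172.18.200.64/26"
    communities: frozenset # e.g. frozenset({"100:100", "5720:5720", "12:12"})


# ip community-filter basic <name> permit <community>, as on Core_SPE1
COMMUNITY_FILTERS = {
    "site1": {"100:100"}, "site2": {"200:200"}, "site3": {"300:300"},
    "all_site": {"5720:5720"}, "site12": {"12:12"}, "site13": {"13:13"},
}


def match_ip_prefix(name, route):
    # ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
    # i.e. any prefix whose length is exactly 32 (a host route).
    if name == "deny_host":
        return int(route.prefix.split("/")[1]) == 32
    raise KeyError(name)


def match_community_filter(name, route):
    # Basic filter without whole-match: the route must carry every listed community.
    return COMMUNITY_FILTERS[name] <= route.communities


MATCHERS = {"ip-prefix": match_ip_prefix, "community-filter": match_community_filter}

# route-policy nodes as (node number, action, if-match clauses, apply clauses)
P_IBGP_RR_IN = [
    (5,  "deny",   [("ip-prefix", "deny_host"), ("community-filter", "all_site")], {}),
    (11, "permit", [("community-filter", "site1")], {"preferred-value": 300}),
    (12, "permit", [("community-filter", "site2")], {"preferred-value": 200}),
    (13, "permit", [("community-filter", "site3")], {"preferred-value": 200}),
    (20, "permit", [], {}),
]
CORE_IMPORT = [
    (5,  "deny",   [("community-filter", "site12")], {}),
    (6,  "deny",   [("community-filter", "site13")], {}),
    (10, "permit", [], {}),
]


def evaluate(policy, route):
    """First-match evaluation. Returns (action, matching node, applied attributes);
    a route matching no node is denied (node None)."""
    for node, action, conditions, applies in sorted(policy, key=lambda n: n[0]):
        if all(MATCHERS[kind](arg, route) for kind, arg in conditions):
            return (action, node, dict(applies) if action == "permit" else {})
    return ("deny", None, {})


# Communities Site1_UPE1 attaches via route-policy p_iBGP_RR_ex on export.
UPE1_EXPORT = frozenset({"100:100", "5720:5720", "12:12"})


def demo():
    """Constructed routes evaluated the way Core_SPE1 would on import."""
    return {
        "site1 /26 from devHost": evaluate(P_IBGP_RR_IN, Route("172.18.200.64/26", UPE1_EXPORT)),
        "site1 /32 host route from devHost": evaluate(P_IBGP_RR_IN, Route("172.18.200.68/32", UPE1_EXPORT)),
        "site1 /26 re-learned from devCore": evaluate(CORE_IMPORT, Route("172.18.200.64/26", UPE1_EXPORT)),
        "untagged /8 from devHost": evaluate(P_IBGP_RR_IN, Route("10.0.0.0/8", frozenset())),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the evaluation makes visible: node 5 of p_iBGP_RR_in only drops a host route that also carries 5720:5720, so a /32 tagged differently falls through to the site nodes and is accepted; and a Site1 route tagged 12:12 is accepted from the UPE but rejected when it comes back from another SPE via core-import, which is what keeps an SPE from preferring a core-relayed copy of a route it already learns directly.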
sysname Core_SPE2
#
router id 172.16.0.3
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 3:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.3
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE2 to Core_SPE3
ip address 172.17.4.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk4
undo portswitch
description Core_SPE2 to Core_SPE1
ip address 172.17.4.9 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE2 to Site1_UPE2
ip address 172.17.4.12 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet3/0/4
eth-trunk 2
#
interface XGigabitEthernet3/0/5
eth-trunk 2
#
interface XGigabitEthernet3/0/6
eth-trunk 2
#
interface XGigabitEthernet3/0/7
eth-trunk 2
#
interface XGigabitEthernet5/0/0
eth-trunk 17
#
interface XGigabitEthernet5/0/1
eth-trunk 17
#
interface XGigabitEthernet5/0/2
eth-trunk 17
#
interface XGigabitEthernet5/0/3
eth-trunk 17
#
interface XGigabitEthernet5/0/5
undo portswitch
description Core_SPE2 to Site2_UPE3
ip address 172.16.8.178 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/4
eth-trunk 4
#
interface XGigabitEthernet6/0/5
eth-trunk 4
#
interface XGigabitEthernet6/0/6
eth-trunk 4
#
interface XGigabitEthernet6/0/7
eth-trunk 4
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.3 255.255.255.255
#
interface Tunnel111
description Core_SPE2 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel121
description Core_SPE2 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Core_SPE2 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel621
description Core_SPE2 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
discriminator local 137
discriminator remote 317
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
discriminator local 127
discriminator remote 217
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6126
discriminator remote 6125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6122
discriminator remote 6121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6216
discriminator remote 6215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6212
discriminator remote 6211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1116
discriminator remote 1115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1112
discriminator remote 1111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1216
discriminator remote 1215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1212
discriminator remote 1211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
sysname Core_SPE3
#
router id 172.16.0.4
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 4:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.4
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
discriminator local 217
discriminator remote 127
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1126
discriminator remote 1125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1122
discriminator remote 1121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1226
discriminator remote 1225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1222
discriminator remote 1221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7226
discriminator remote 7225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7222
discriminator remote 7221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7126
discriminator remote 7125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7122
discriminator remote 7121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
sysname Site1_UPE1
#
router id 172.16.2.51
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.51
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE1 TO Site1_UPE2
ip address 172.17.4.14 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE1 to Core_SPE1
ip address 172.17.4.11 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface XGigabitEthernet1/0/0
eth-trunk 17
#
interface XGigabitEthernet1/0/1
eth-trunk 17
#
interface XGigabitEthernet1/0/2
eth-trunk 17
#
interface XGigabitEthernet1/0/3
eth-trunk 17
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.66 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet4/0/4
eth-trunk 7
#
interface XGigabitEthernet4/0/5
eth-trunk 7
#
interface XGigabitEthernet4/0/6
eth-trunk 7
#
interface XGigabitEthernet4/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.51 255.255.255.255
#
interface Tunnel611
description Site1_UPE1 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.50
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6115
discriminator remote 6116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#GUPhWw-[LH2O6#NMxtJAl!Io8W~iF'![mQF[\9GI%^%#
network 172.16.2.50 0.0.0.0
network 172.16.2.92 0.0.0.0
network 172.17.4.13 0.0.0.0
network 172.17.4.15 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.51
#
route-policy p_iBGP_host_ex permit node 0
sysname Site2_UPE3
#
router id 172.16.2.75
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
destination 172.16.0.3
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel112
description Site2_UPE3 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 112
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.3 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.2
discriminator local 2150
discriminator remote 1150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
commit
#
return
sysname Site2_UPE4
#
router id 172.16.2.76
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.76
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE4 to Core_SPE3
ip address 172.16.8.182 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
sysname Site3_UPE5
#
router id 172.16.2.87
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.87
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.86 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#^tB:@vm8r%4Z0),RRem7dU.A3.}(a&*/IhJ70>y9%#%#
network 172.16.2.87 0.0.0.0
network 172.16.8.212 0.0.0.0
network 172.17.10.0 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.86
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE5toSPE1_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7215
discriminator remote 7216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE1_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7211
discriminator remote 7212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7225
discriminator remote 7226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7221
discriminator remote 7222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
sysname Site3_UPE6
#
router id 172.16.2.86
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.86
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE6 to Site3_UPE5
ip address 172.17.10.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE6 to Core_SPE1
ip address 172.17.10.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.86 255.255.255.255
#
interface Tunnel711
description Site3_UPE6 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#<3.TS63Ml*_Gn]2$}@O/G8llX)VNvDY\kT;4E9-A%#%#
network 172.16.2.86 0.0.0.0
network 172.17.10.1 0.0.0.0
network 172.17.10.3 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.87
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE6toSPE1_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7115
discriminator remote 7116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE1_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7111
discriminator remote 7112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7125
discriminator remote 7126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7121
discriminator remote 7122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
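The listings above repeat two patterns a reviewer should verify rather than eyeball: every OSPF area key is stored as a ciphertext token (this guide's Security Conventions define the %^%#, %#%#, %@%@ and @%@% markers), and every BFD session's local/remote discriminator pair is mirrored on the peer (SPE2toSPE3 is 127/217 on Core_SPE2 and SPE3toSPE2 is 217/127 on Core_SPE3). The following audit script is an added example, not code from the page or from Huawei; the sample dump it reads is constructed from trimmed fragments of the Core_SPE2, Core_SPE3 and Site1_UPE1 listings, with Core_SPE2's unauthenticated area and Core_SPE3's plaintext key invented to exercise the checks (Core_SPE2's OSPF section is not on the page). Only the Site1_UPE1 cipher token and the BFD discriminators are the page's own values.

```python
"""Offline audit of a Huawei VRP configuration dump (added example, not Huawei code).
Checks: each OSPF area has authentication and its key is a ciphertext token;
'simple' authentication is flagged; each BFD (local, remote) discriminator pair
has a mirrored (remote, local) pair on another device in the dump."""

# Ciphertext markers listed in this guide's Security Conventions.
CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def split_configs(text):
    """Map sysname -> stripped config lines; a device's listing ends at 'return'."""
    devices, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            name = line.split(None, 1)[1]
            devices[name] = []
        elif line == "return":
            name = None
        elif name is not None and line:
            devices[name].append(line)
    return devices


def is_ciphertext(token):
    """True when the token starts and ends with one of the switch's ciphertext markers."""
    return any(token.startswith(m) and token.endswith(m) for m in CIPHER_MARKERS)


def audit_ospf_auth(lines):
    """One finding per OSPF area whose authentication is missing, simple or plaintext."""
    findings, area, auth = [], None, None
    for line in lines + ["#"]:            # trailing '#' closes an unterminated area
        if line.startswith("area "):
            area, auth = line.split()[1], None
        elif area and line.startswith("authentication-mode "):
            auth = line.split()
        elif line == "#" and area:
            if auth is None:
                findings.append(f"area {area}: no authentication configured")
            else:
                if auth[1] == "simple":
                    findings.append(f"area {area}: simple authentication (cleartext on the wire)")
                if "cipher" not in auth:
                    findings.append(f"area {area}: OSPF key stored in plaintext")
                elif auth.index("cipher") + 1 >= len(auth) or not is_ciphertext(auth[auth.index("cipher") + 1]):
                    findings.append(f"area {area}: 'cipher' keyword but key lacks ciphertext markers")
            area = None
    return findings


def bfd_sessions(devices):
    """(device, session, local, remote) for every 'bfd NAME bind ...' block."""
    out = []
    for dev, lines in devices.items():
        name = local = remote = None
        for line in lines + ["#"]:
            if line.startswith("bfd ") and " bind " in line:
                name = line.split()[1]
            elif name and line.startswith("discriminator local "):
                local = int(line.split()[2])
            elif name and line.startswith("discriminator remote "):
                remote = int(line.split()[2])
            elif line == "#" and name:
                out.append((dev, name, local, remote))
                name = local = remote = None
    return out


def unpaired_bfd(devices):
    """Sessions whose (local, remote) pair has no (remote, local) mirror anywhere in the dump."""
    sessions = bfd_sessions(devices)
    pairs = {(s[2], s[3]) for s in sessions}
    return [f"{d}:{n} local {l} remote {r}" for d, n, l, r in sessions if (r, l) not in pairs]


def run_audit(text):
    devices = split_configs(text)
    return {"ospf": {d: audit_ospf_auth(ls) for d, ls in devices.items()},
            "bfd_unpaired": unpaired_bfd(devices)}


# Constructed sample: trimmed from the listings above; Core_SPE2's OSPF area and
# Core_SPE3's plaintext key are invented to exercise the checks.
SAMPLE = r"""
sysname Core_SPE2
#
ospf 1
 area 0.0.0.0
  network 172.16.0.3 0.0.0.0
#
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
 discriminator local 137
 discriminator remote 317
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
 discriminator local 127
 discriminator remote 217
#
return
sysname Core_SPE3
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 plain CONSTRUCTED-KEY
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
 discriminator local 217
 discriminator remote 127
#
return
sysname Site1_UPE1
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
#
return
"""
```

Run against the sample, Site1_UPE1 is clean, Core_SPE3 is reported for a plaintext key, Core_SPE2 for an area without authentication, and SPE2toSPE1 is reported as unpaired because Core_SPE1 is not in the sample dump; feed the script all devices of a site and the unpaired list should be empty.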
Configuration Notes
On the NGFW side, two fixed internal Ethernet interfaces are GE1/0/0 and GE1/0/1. On the
switch side, the internal Ethernet interface numbers depend on the slot ID of the NGFW
module. For example, when the NGFW module is installed in slot 1, the interface numbers are
XGE1/0/0 and XGE1/0/1.
On the ACU2 side, two fixed internal Ethernet interfaces are XGE0/0/1 and XGE0/0/2. On
the switch side, the internal Ethernet interface numbers depend on the slot ID of the ACU2.
For example, when the ACU2 is installed in slot 2, the interface numbers are XGE2/0/0 and
XGE2/0/1.
Table 2-24 lists the products and versions to which this configuration example is applicable.
Networking Requirements
Two switches are located on the network shown in Figure 2-25. Switch_1 has NGFW and
ACU2 configured. Traffic policies are configured on NGFW.
The customer wants to use ACU2 to manage the wireless network, providing stable wireless
service to STAs.
Figure 2-25 Networking diagram (labels recovered from the figure: Network, Switch_1, Switch_2, ACU2_1, NGFW_1, AP; interfaces XGE3/0/1, Eth_trunk0, Eth_trunk1, XGE1/0/0, XGE1/0/1, GE1/0/0, GE1/0/1, GE0/0/1)
Data Plan
Table 2-25, Table 2-26, and Table 2-27 provide the data plan.
Eth-trunk1 XGE2/0/0 XGE2/0/1
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Eth-Trunk on each switch and add interfaces to VLANs. Configure the
interfaces connecting Switch_2 to the DHCP server and AP to implement network
connectivity.
2. Implement connections between ACU2 and Switch_1.
3. Implement connections between NGFW and Switch_1.
4. Configure wireless service on ACU2. Wireless service traffic is forwarded through
tunnels, and ACU2_1 functions as a DHCP server to assign IP addresses to APs and
STAs.
5. Configure traffic policies on each interface of Switch_1 and Switch_2 to ensure that
STAs can successfully go online. The configurations include:
– Configure a redirection policy for the inbound traffic on Eth-Trunk 1, which is the
internal interface between switch and ACU2, to redirect the upstream wireless
traffic to XGE1/0/1, which is the internal interface between switch and NGFW.
When traffic is forwarded from NGFW to XGE1/0/0, the traffic matches the
inbound redirection policy again, and is forwarded to upstream interface XGE3/0/1.
– Configure a redirection policy for the inbound traffic on XGE3/0/1 to redirect the
downstream wireless traffic to XGE1/0/0, which is the internal interface between
switch and NGFW. When traffic is forwarded from NGFW to XGE1/0/1, the traffic
matches the inbound redirection policy again, and is forwarded to Eth-Trunk 0,
which is the internal interface between switch and ACU2.
Procedure
Step 1 Configure Eth-Trunks between Switch_1 and Switch_3.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 42 428
[Switch_1] interface Eth-Trunk 0
[Switch_1-Eth-Trunk0] port link-type trunk
[Switch_1-Eth-Trunk0] port trunk allow-pass vlan 42
[Switch_1-Eth-Trunk0] quit
[Switch_1] interface XGigabitEthernet 3/0/2
[Switch_1-XGigabitEthernet3/0/2] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/2] quit
[Switch_1] interface XGigabitEthernet 3/0/3
[Switch_1-XGigabitEthernet3/0/3] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/3] quit
[Switch_1-behavior-Redirect_to_ETH1] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] permit
[Switch_1-behavior-Redirect_to_XGE1/0/0] redirect interface XGigabitEthernet1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] permit
[Switch_1-behavior-Redirect_to_XGE1/0/1] redirect interface XGigabitEthernet1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] quit
# Check that the Eth-Trunk 1 status between ACU2 and Switch_1 is normal.
<ACU2_1> display interface brief | include up
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/2 up up 0% 0% 0 0
-----------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------------------------------------
68 986cf56f7e20 172.16.29.254 986c-f56f-7e20 Success
-----------------------------------------------------------------------------------------------
Total: 1, printed: 1
Frames: 0
Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0
Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0
Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0
Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0
XGigabitEthernet2/0/1 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 42 428
#
traffic classifier service_vlan operator or precedence 50
if-match vlan-id 428
#
traffic behavior Redirect_to_XGE3/0/1
permit
redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
permit
redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
permit
redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
permit
redirect interface XGigabitEthernet1/0/1
#
traffic policy Redirect_to_XGE3/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/1
#
interface Eth-Trunk0
description to Core
port link-type trunk
port trunk allow-pass vlan 42
#
interface Eth-Trunk1
description to ACU_1 Slot2
port link-type trunk
port trunk allow-pass vlan 42 428
traffic-policy Redirect_to_XGE1/0/1 inbound
#
interface XGigabitEthernet1/0/0
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_XGE3/0/1 inbound
carrier up-hold-time 10000
am isolate XGigabitEthernet1/0/1
#
interface XGigabitEthernet1/0/1
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_ETH1 inbound
#
interface XGigabitEthernet3/0/2
eth-trunk 0
#
interface XGigabitEthernet3/0/3
eth-trunk 0
#
return
l Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 42
#
interface Eth-Trunk0
port link-type trunk
port trunk allow-pass vlan 42
#
interface XGigabitEthernet0/0/1
eth-trunk 0
#
interface XGigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port type pvid vlan 42
port type allow vlan 42
#
return
l ACU2_1 configuration file
#
sysname ACU2_1
#
vlan batch 42 428
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif42
ip address 172.18.255.240 255.255.255.0
dhcp select interface
#
interface Vlanif428
ip address 172.16.29.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 42
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
interface Wlan-Ess1
port hybrid pvid vlan 428
port hybrid untagged vlan 428
#
action permit
#
return
Configuration Notes
l Prepare a console cable (delivered with the device). If you use a laptop or a PC without a
serial port, prepare a USB to serial cable and install the driver stored on the CD-ROM
(delivered with the cable) according to instructions.
l Install the terminal emulation software on the PC. You can use the built-in
HyperTerminal of Windows 2000 on the PC. If no built-in terminal emulation software is
available, prepare the terminal emulation software. For details on how to use terminal
emulation software, see the related usage guide or online help. The third-party software
SecureCRT is used as an example here.
l This example applies to all versions and models of S series switches.
Networking Requirements
The IT maintenance department of a company purchases S series switches, which are
configured by network administrators. A network administrator usually logs in to a new
switch through a console port and then performs initial configurations.
As shown in Figure 3-1, the serial port of a PC is connected to the console port of the Switch
through a console cable. The user wants to log in to the Switch through the console port and
requires local authentication upon the next login. To facilitate remote maintenance on the
Switch, the user wants to configure the Telnet function.
Figure 3-1 Networking diagram for configuring switch login through a console port (the serial port of the PC is connected by a console cable to the console port of the Switch, 10.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure terminal emulation software, set the connected port and communication
parameters, and log in to the Switch.
2. Configure basic information for the Switch, including the date, time, time zone, and
name, to facilitate management.
3. Configure an authentication mode for the console user interface so that the user is
authenticated upon the next login through the console port.
4. Configure the management IP address and Telnet to facilitate remote maintenance on the
Switch.
Procedure
Step 1 Connect the DB9 female connector of the console cable to the COM port on the PC, and
connect the RJ45 connector to the console port on the device, as shown in Figure 3-2.
NOTE
l If you use a laptop or a PC without a serial port, prepare a USB to serial cable. Install the driver
stored on the CD-ROM (delivered with the cable) according to instructions, connect the USB-DB9
female connector of the cable to the USB port on the PC, and connect the RJ-45 connector to the
console port on the device.
l If the device has two MPUs, you can log in to the device through the console port on either of the
two MPUs.
Parameter Value
Parity None
Stop bits 1
Data bits 8
2. Set the connected port and communication parameters, as shown in Figure 3-4.
Select the connected port based on actual situations. For example, you can view port
information in Device Manager in the Windows operating system, and select the
connected port.
NOTE
By default, no flow control mode is configured on the switch. Because RTS/CTS is selected in the
software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.
You can run commands to configure the Switch. Enter a question mark (?) whenever you
need help.
NOTE
The time zone varies depending on the location of a switch. Set the time zone based on the site requirements.
The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00 //BJ is the name of the time zone, and add 08:00:00 means that the local time is the system default UTC time plus 8 hours.
<HUAWEI> clock datetime 10:10:00 2014-07-26 //Set the current date and time. Before setting the current time, check the time zone and set the correct time zone offset so that the local time is correct.
<HUAWEI> system-view
[HUAWEI] sysname Switch //Set the switch name to Switch.
# Set the authentication mode of the console interface to AAA, and create a local user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa //Set the authentication mode of the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Create a local user named admin1234 and set its password to Helloworld@6789.
[Switch-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[Switch-aaa] local-user admin1234 service-type terminal //Set the access type to terminal, that is, console user.
[Switch-aaa] quit
The next time you log in to the Switch from the console user interface, enter the user name
admin1234 and password Helloworld@6789 to pass identity authentication. You can also
log in to the Switch using Telnet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin123 privilege level 15
local-user admin123 service-type telnet
local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
Related Content
Videos
Log In to a Switch Through the Console Port.
An Access Control List (ACL) is a packet filter that filters packets based on rules. One or
more rules describe the packet matching conditions, such as the source address, destination
address, and port number of packets. For packets that match the ACL rules configured on a
device, the device forwards or discards these packets according to the policies used by the
service module to which the ACL is applied.
RADIUS uses the client/server model in distributed mode and protects a network against
unauthorized access. It is often used on networks that require high security and remote user
access control. After Telnet login based on RADIUS authentication is configured, a switch
sends the user name and password of a login user to the RADIUS server. The RADIUS server
then authenticates the user and records the user operations, ensuring network security.
If ACLs and RADIUS authentication are both configured, packets matching ACL rules reach
an upper-layer module and then are authenticated in RADIUS mode based on the user name
and password. The Telnet login mode based on ACL rules and RADIUS authentication
therefore ensures network security.
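The overview above says the switch forwards the login user's name and password to the RADIUS server, and the configuration notes of this example and of the STelnet example that follows insist that the shared key configured on the switch must match the one on the RADIUS server. The following Python block is an added example, not Huawei's code, that shows why by implementing the RFC 2865 exchange for a PAP login: the NAS hides the User-Password with the shared key and the Request Authenticator, the server unhides it with its own copy of the key and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator. The shared key, the user database, the NAS address 10.1.1.1 and the fixed Request Authenticator are constructed values (the user admin@huawei.com / Huawei@1234 mirrors the one named in the notes); a real client draws 16 fresh random octets for every request.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed values: the shared key of this example and the RADIUS server's
# user database, mirroring the user admin@huawei.com / Huawei@1234 from the text.
SHARED_KEY = b"constructed-shared-key"
USER_DB = {"admin@huawei.com": "Huawei@1234"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it; strips the zero padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 octet), Length (1 octet, includes these two), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str, nas_ip: str,
                         secret: bytes, request_auth: bytes) -> bytes:
    """What the switch (the NAS) sends: the password travels only in hidden form."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865, 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict = USER_DB) -> bytes:
    """Simplified RADIUS server: unhide the password with its own copy of the shared
    key and answer Access-Accept or Access-Reject. With a mismatched key the unhidden
    password is garbage, so even correct credentials are rejected."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(user, "").encode()
    ok = user in user_db and hmac.compare_digest(password, expected)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply, ident, 20) + response_authenticator(reply, ident, 20, request_auth, b"", secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a server holding the shared key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, length, request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; real clients use 16 fresh random octets per request
    req = build_access_request(7, "admin@huawei.com", "Huawei@1234", "10.1.1.1", SHARED_KEY, auth)
    print("same key:", "accept" if server_handle(req, SHARED_KEY)[0] == ACCESS_ACCEPT else "reject")
    print("wrong key:", "accept" if server_handle(req, b"wrong-key")[0] == ACCESS_ACCEPT else "reject")
```

Two things the code makes visible. A shared key mismatch does not produce an error message on either side: the server simply unhides a wrong password and sends Access-Reject, and the reply then fails the client's Response Authenticator check, which is why the notes ask you to confirm the key before troubleshooting anything else. And the hiding is MD5 obfuscation keyed on the shared key rather than encryption in the modern sense, so the credential on the path between switch and RADIUS server is protected only as well as that key is.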
Configuration Notes
l The Telnet protocol will bring security risks. The STelnet V2 mode is recommended.
l Ensure that the user terminal has reachable routes to the switch and RADIUS server.
l Ensure that the IP address, port number, and shared key of the RADIUS server are
configured correctly on the switch and are the same as those on the RADIUS server.
l Ensure that a user has been configured on the RADIUS server. In this example, the user
admin@huawei.com (in format of user name@domain name) and password
Huawei@1234 have been configured.
l This example applies to all versions and models of S series switches.
NOTE
The following uses the command lines and outputs in V200R006C00 as an example.
Networking Requirements
The network administrator requires remote management and maintenance on a switch and
high network security for protecting the network against unauthorized access. To meet the
requirements, configure Telnet login based on ACL rules and RADIUS authentication.
As shown in Figure 3-5, the Switch has reachable routes to the administrator and the
RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and
1812 respectively.
Figure 3-5 Networking diagram for configuring Telnet login based on ACL rules and RADIUS authentication (Administrator 10.137.217.177/24 and RADIUS Server 10.2.1.1/24 reach the Switch, 10.1.1.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet protocol so that users can log in to the Switch using Telnet.
2. Configure an ACL rule to ensure that only users matching the ACL rule can log in to the
Switch.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using Telnet, ensuring user login security.
Procedure
Step 1 Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] quit
NOTE
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
In the login interface, type the user name admin and password Huawei@1234 as prompted
and press Enter. Authentication succeeds, and you successfully log in to the Switch using
Telnet. (The following information is only for reference.)
Login authentication
Username:admin
Password:
Info: The max number of VTY users is 8, and the number of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
rule 5 permit source 10.137.217.177 0
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
acl 2008 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return
Related Content
Videos
Remotely Log In to a Switch Using Telnet.
Configuration Notes
l The STelnet V1 protocol will bring security risks. The STelnet V2 mode is
recommended.
l Ensure that the user terminal has SSH server login software installed before configuring
STelnet login. In this example, the third-party software PuTTY is used as the SSH server
login software.
l Ensure that the user terminal has reachable routes to the switch and RADIUS server.
l Ensure that the IP address, port number, and shared key of the RADIUS server are
configured correctly on the switch and are the same as those on the RADIUS server.
l Ensure that a user has been configured on the RADIUS server. In this example, the user
admin@huawei.com (in format of user name@domain name) and password
Huawei@1234 have been configured.
l This example applies to all versions and models of S series switches.
Networking Requirements
The network administrator requires remote login to a switch and high network security for
protecting the network against unauthorized access. To meet the requirements, configure
STelnet login based on RADIUS authentication.
As shown in Figure 3-6, the Switch functions as the SSH server and has a reachable route to
the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24
and 1812 respectively.
Figure 3-6 Networking diagram for configuring STelnet login based on RADIUS authentication (Administrator 10.137.217.177/24 and RADIUS Server 10.2.1.1/24 reach the Switch, 10.1.1.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
2. Configure the STelnet protocol so that users can log in to the Switch using STelnet.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using STelnet, ensuring user login security.
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Set the authentication mode of the SSH user admin to password authentication, and service
type to STelnet.
[Switch] ssh user admin authentication-type password //Set the authentication of the SSH user admin to password authentication.
[Switch] ssh user admin service-type stelnet //Set the service type of the SSH user admin to STelnet.
NOTE
To configure password authentication for multiple SSH users, run the ssh authentication-type default
password command to specify password authentication as the default authentication mode of SSH
users. After this configuration is complete, you do not need to configure the authentication mode and
service type for each SSH user, simplifying configuration and improving efficiency.
NOTE
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
# Click Open. In the login interface, type the user name admin and password Huawei@1234
as prompted and press Enter. Authentication succeeds, and you successfully log in to the
Switch using STelnet. (The following information is only for reference.)
login as: admin
password:
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
authentication-mode aaa
user privilege level 15
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
return
Related Content
Videos
Remotely Log In to a Switch Using Telnet.
S12708/S12712: The system software contains a web page file that is loaded.
NOTE
A hyphen (-) indicates that the model does not have this version.
Configuration Notes
l This example applies to all models of S series switches in V200R005.
Networking Requirements
As shown in Figure 3-8, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.
Figure 3-8 Networking diagram for configuring switch login through the web system (PC connects over the network to HTTPS_Server, 192.168.0.1/24)
Configuration Roadmap
NOTE
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in
the web page file. If the default SSL policy and self-signed digital certificate can meet security
requirements, you do not need to upload a digital certificate or manually configure an SSL policy,
simplifying configuration. The following configuration uses the default SSL policy provided by the
switch as an example.
The system software of the following switch models in V200R005 has the web page file
(including the EasyOperation and Classics editions) integrated and loaded. You only need to
configure a web user and open the web system login page.
On the S5700SI, S5700EI, S5710EI, S5700HI, S5710HI, and S6700EI in V200R005, the
Classics web page file has been loaded. To use the Classics web system, you only need to
configure a web user and open the web system login page. To use the EasyOperation web
system, perform the configuration based on the following roadmap:
1. Configure a management IP address for remotely transferring files and log in to the
switch through the web system.
2. Upload the web page file to the HTTPS server through FTP.
3. Load the web page file.
4. Configure a web user and enter the web system login page.
NOTICE
The FTP protocol will bring risks to network security. The SFTP V2, SCP, or FTPS mode is
recommended.
Procedure
Step 1 Obtain the web page file.
The following methods are available:
l Obtain the web page file from Huawei agent.
l Download the web page file from Huawei enterprise technical support website.
– For a fixed switch, download the system software containing the web page file.
– For a modular switch, download the web page file.
– In V200R005, the web page file is named in the format product name-software
version.web page file version.web.7z.
NOTE
Check whether the size of the obtained web page file is the same as the file size displayed on the
website. If not, an exception may occur during file download. Download the file again.
Step 3 Upload the web page file to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit
# Configure the FTP function for the device and information about an FTP user, including the
password, user level, service type, and authorized directory.
# Log in to the HTTPS server from the PC through FTP and upload the web page file to the
HTTPS server.
Connect the PC to the device using FTP. Enter the user name client001 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
NOTE
If the size of the web page file in the current directory on the switch is different from that on the PC, an
exception may have occurred during file transfer. Upload the web page file again.
Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press
Enter. The web system login page is displayed, as shown in Figure 3-9.
You can log in to the EasyOperation web system using the Internet Explorer (8.0 or later),
Firefox (12.0 or later), or Google Chrome (23.0 or later) browsers and to the Classics web
system using the Internet Explorer (8.0 or later) or Firefox (12.0 or later) browsers. If the
version of your web browser is not supported, the web page may be displayed incorrectly.
Additionally, the web browser used to log in to the web system must support JavaScript.
Enter the web user name admin and password Helloworld@6789, and click GO or press
Enter. The web system home page is displayed. The EasyOperation web system is logged in
by default.
Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
----End
Configuration Files
Configuration file of the HTTPS_Server
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
return
Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.
Overview
As a switch management mode, the web system leverages the built-in web server on a switch
to provide a GUI for users. Users can log in to the web system using HTTPS from terminals
and perform switch management and maintenance.
Configuration Notes
Web System is not supported in V200R007C20.
Networking Requirements
As shown in Figure 3-10, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.
Figure 3-10 Networking diagram for configuring switch login through the web system (PC connects over the network to HTTPS_Server, 192.168.0.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
l The system software of the switch has integrated and loaded the web page file. No
manual configuration is required.
l A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital
certificate can meet security requirements, you do not need to upload a digital certificate
or manually configure an SSL policy, simplifying configuration. The following
configuration uses the default SSL policy provided by the switch as an example.
l Configure a management IP address for logging in to the switch through the web system.
l Configure a web user and enter the web system login page.
Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
Step 3 Configure a web user and enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press
Enter. The web system login page is displayed, as shown in Figure 3-11.
Table 3-3 lists browser versions required for login to a switch through the web system. If a
browser or browser patch in an earlier version is used, the web page may not be properly
displayed. Upgrade the browser and browser patch. In addition, the browser must support
JavaScript.
Enter the web user name admin and password Helloworld@6789, and click GO or press
Enter. The web system home page is displayed. The EasyOperation web system is logged in
by default.
Table 3-3 Mapping between the product version and browser version
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0
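The output above is what an administrator has to read to confirm the web system is reachable over HTTPS and not also over plain HTTP, and the roadmap note earlier says the default SSL policy ships with a randomly generated self-signed certificate that may or may not meet the site's security requirements. The following Python block is an added example, not Huawei's code: it parses the display http server output into fields and reports the points worth reviewing (plaintext HTTP enabled alongside HTTPS, HTTPS disabled, the default SSL policy, a 0.0.0.0 source address). The sample text is the output shown above, embedded as a constructed string; the meaning of the two numbers in a value such as 80(80) is not stated on the page, so they are kept as a pair without interpretation.

```python
import re

# Constructed sample: the display http server output shown above, as one string.
SAMPLE_OUTPUT = """\
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0
"""

# Values of the form a(b); the page does not say what each number denotes,
# so they are returned as an (a, b) tuple of ints.
PORT_RE = re.compile(r"^(\d+)\((\d+)\)$")


def parse_http_server(output: str) -> dict:
    """Parse 'key : value' lines into a dict; ports become int pairs, counts ints."""
    fields = {}
    for line in output.splitlines():
        if " : " not in line:
            continue  # blank lines or prompt residue
        key, value = (part.strip() for part in line.split(" : ", 1))
        match = PORT_RE.match(value)
        if match:
            fields[key] = (int(match.group(1)), int(match.group(2)))
        elif value.isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def audit_http_server(fields: dict) -> list:
    """Return review findings for the web management service; empty list means none."""
    findings = []
    if fields.get("HTTP Server Status") == "enabled":
        port = fields.get("HTTP Server Port", (None, None))[0]
        findings.append(f"plaintext HTTP server enabled on port {port}; web logins should use HTTPS only")
    if fields.get("HTTP Secure-server Status") != "enabled":
        findings.append("HTTPS server disabled; web management would not be encrypted")
    if fields.get("HTTP SSL Policy") == "Default":
        findings.append("default SSL policy with the switch's self-signed certificate in use; "
                        "confirm it meets the site's security requirements")
    if fields.get("HTTP server source address") == "0.0.0.0":
        findings.append("web server listens on all addresses; consider binding it to the management address")
    return findings


if __name__ == "__main__":
    parsed = parse_http_server(SAMPLE_OUTPUT)
    for finding in audit_http_server(parsed):
        print("-", finding)
```

Run against the output above it reports three findings: the plaintext HTTP server on port 80, the default SSL policy, and the 0.0.0.0 source address. The same parser works on the shorter three-line output of the earlier V200R005 example, where only the plaintext HTTP finding (and the missing secure-server status) will appear.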
----End
Configuration Files
Configuration file of the HTTPS_Server
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return
Configuration Notes
l Before logging in to the device to manage files, complete the following task:
– Logging in to the device from a terminal
l This example applies to all versions and all models of S series switches.
Networking Requirements
A user logs in to the Switch using the console port, Telnet, or STelnet from the PC, and needs
to perform the following operations on the files on the Switch:
Figure 4-1 Networking diagram for logging in to the device to manage files (PC connected to the Switch)
Procedure
Step 1 View the files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/
Step 2 Create the directory test. Copy the file vrpcfg.zip to test and rename the file as backup.zip.
# Create the directory test.
<Switch> mkdir test
Info: Create directory flash:/test......Done.
# Copy the file vrpcfg.zip to test and rename the file as backup.zip.
<Switch> copy vrpcfg.zip flash:/test/backup.zip //Set the target file name to backup.zip. If not specified, the target file name is the same as the source file name.
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete/
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
return
Configuration Notes
l Before managing files using FTP, complete the following tasks:
– Ensuring that routes are reachable between the terminal and the device
– Ensuring that FTP client software is installed on the terminal so that it can function as the FTP client
l The FTP protocol will bring risks to network security. The SFTP V2, Secure Copy
Protocol (SCP), or FTPS mode is recommended.
l If the number of FTP users on the device reaches the maximum value (5), new
authorized users cannot log in. To ensure that new FTP users successfully log in to the
device, FTP users that have completed file operations need to get offline.
l This example applies to all versions and all models of S series switches.
Networking Requirements
As shown in Figure 4-2, the PC connects to the device, and IP address of the management
network interface on the device is 10.136.23.5. The device needs to be upgraded. The device
is required to function as the FTP server so that you can upload the system software from the
PC to the device and back up the configuration file to the PC.
Figure 4-2 Networking diagram (PC connects over the Internet to FTP_Server, 10.136.23.5/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP function for the device and information about an FTP user, including
the user name and password, user level, service type, and authorized directory.
2. Save the current configuration file on the device.
3. Connect the PC to the device using FTP.
4. Upload the system software to the device and back up the configuration file of the device
to the PC.
Procedure
Step 1 Configure the FTP function for the device and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server enable //Enable the FTP server function.
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[FTP_Server-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[FTP_Server-aaa] local-user admin1234 service-type ftp //Set the user service type to FTP.
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/ //Set the FTP
Step 3 Connect the PC to the device using FTP. Enter the user name admin1234 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. The default mode is ASCII.
200 Type set to I.
ftp>
The ASCII mode is used to transfer text files, and the binary mode is used to transfer
programs including the system software (with the file name extension of .cc, .bin, or .pat),
images, voices, videos, compressed packages, and database files.
Step 4 Upload the system software to the device and back up the configuration file of the device to
the PC.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05 Seconds 560.79Kbytes/sec.
NOTE
Before uploading or downloading files, check the FTP working directory on the FTP client. For example,
the default FTP working directory on Windows XP is the login user's working directory (such as
C:\Documents and Settings\Administrator). The system software to be uploaded is read from this directory,
and the backed-up configuration file is written to it.
----End
Configuration Files
Configuration file of the FTP_Server
#
sysname FTP_Server
#
FTP server enable
#
aaa
local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user admin1234 privilege level 15
local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
return
SFTP is applicable to file management when high network security is required, and is often
used for downloading logs and backing up the configuration file.
Configuration Notes
l Before managing files using SFTP, complete the following tasks:
– Ensuring that routes are reachable between the terminal and the device
– Ensuring that the SSH client software has been installed on the terminal
l SFTP over SSH protocol version 1 is insecure: SSH1 has known cryptographic weaknesses (its CRC-32
integrity check can be defeated). Use SSH 2.0 (SFTP V2) or FTPS instead.
l This example applies to all versions and all models of S series switches.
Networking Requirements
As shown in Figure 4-3, the PC connects to the device, and the IP address of the management
network interface on the device is 10.136.23.4. Files need to be securely transferred between
the PC and device to prevent man-in-the-middle attacks and some network attacks (such as
DNS spoofing and IP spoofing). Configure the device as the SSH server to provide the SFTP
service so that the SSH server can authenticate the client and encrypt data in bidirectional
mode to ensure secure file transfer.
Figure 4-3 Networking diagram for configuring the device as the SFTP server: PC - Internet - SSH_Server (management network interface 10.136.23.4/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server function to
implement secure data exchange between the server and client.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
4. Use the third-party software OpenSSH to access the SSH server.
Procedure
Step 1 Generate a local key pair on the SSH server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys...
Step 3 Configure an SSH user, including the authentication mode, service type, SFTP authorized
directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password //Set the
authentication mode to password authentication.
[SSH_Server] ssh user client001 service-type sftp //Set the user service type
to SFTP.
[SSH_Server] ssh user client001 sftp-directory flash: //Set the SFTP service
authorized directory to flash:.
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher
Helloworld@6789 //Set the login password to Helloworld@6789.
[SSH_Server-aaa] local-user client001 privilege level 15 //Set the user level
to 15.
[SSH_Server-aaa] local-user client001 service-type SSH //Set the user service
type to SSH.
[SSH_Server-aaa] quit
NOTE
Ensure that the OpenSSH version matches the operating system of the PC. Otherwise, you may fail to
access the device using SFTP. Note also that OpenSSH 7.0 and later disable the ssh-dss (DSA) algorithm
by default, and current releases remove it entirely. Such a client refuses a server that offers only the
DSA host key generated in Step 1 unless ssh-dss is re-enabled on the client (HostKeyAlgorithms=+ssh-dss)
or the device is also given an RSA key pair (rsa local-key-pair create).
After the PC connects to the device using the third-party software, enter the SFTP view to
perform file operations.
----End
Configuration Files
Configuration file of the SSH_Server
#
sysname SSH_Server
#
aaa
Configuration Notes
l Before accessing files on the TFTP server, ensure that routes are reachable between the
device and TFTP server.
l The device can only function as a TFTP client.
l The TFTP mode supports only file transfer, but does not support interaction.
l TFTP has no authentication or authorization mechanism and transfers data in cleartext, so anyone on the path can read or tamper with the transferred system software and configuration file. Use it only on an isolated management network, and compare the size or checksum of a downloaded file with the source before loading it.
l This example applies to all versions and all models of S series switches.
Networking Requirements
As shown in Figure 4-5, the remote server at IP address 10.1.1.1/24 functions as the TFTP
server. The device at IP address 10.2.1.1/24 functions as the TFTP client and has reachable
routes to the TFTP server.
The device needs to be upgraded. You need to download the system software from the TFTP
server to the device and back up the current configuration file of the device to the TFTP
server.
Figure 4-5 Networking diagram for accessing files on another device using TFTP: TFTP Client (10.2.1.1/24) - Internet - TFTP Server (10.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload and download files on the device using TFTP commands.
Procedure
Step 1 Run the TFTP software on the TFTP server and set the TFTP working directory. For the
detailed operations, see the help document of the third-party TFTP software.
Step 2 Upload and download files on the device using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc //Download devicesoft.cc.
Info: Transfer file in binary mode.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip //Back up the configuration file vrpcfg.zip to the TFTP server.
# Check whether the file vrpcfg.zip is stored in the working directory on the TFTP server.
----End
Configuration Files
None
Configuration Notes
l Before accessing files on the FTP server, ensure that routes are reachable between the
device and FTP server.
l FTP transmits the user name, password, and file contents in cleartext. SFTP (over SSH 2.0), Secure Copy Protocol (SCP), or FTPS is recommended.
l This example applies to all versions and all models of S series switches.
Networking Requirements
As shown in Figure 4-6, the remote server at IP address 10.1.1.1/24 functions as the FTP
server. The device at IP address 10.2.1.1/24 functions as the FTP client and has reachable
routes to the FTP server.
The device needs to be upgraded. You need to download the system software from the FTP
server to the device and back up the current configuration file of the device to the FTP server.
Figure 4-6 Networking diagram for accessing files on another device using FTP: FTP Client (10.2.1.1/24) - Internet - FTP Server (10.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure an FTP user.
2. Use FTP to connect the device to the FTP server.
3. Upload and download files on the device using FTP commands.
Procedure
Step 1 Run the FTP software on the FTP server and configure an FTP user. For the detailed
operations, see the help document of the third-party FTP software.
Step 2 Use FTP to connect the device to the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
Step 3 Upload and download files on the device using FTP commands.
[ftp] binary //Set the file transfer mode to binary. The default mode is ASCII.
[ftp] get devicesoft.cc //Download the system software on the FTP server to the
device.
[ftp] put vrpcfg.zip //Upload the backup configuration file on the device to
the FTP server.
[ftp] quit
The ASCII mode is used to transfer text files, and the binary mode is used to transfer
programs including the system software (with the file name extension of .cc, .bin, or .pat),
images, voices, videos, compressed packages, and database files.
Step 4 Verify the configuration.
# Run the dir command on the device to check whether the system software is downloaded to
the device.
<HUAWEI> dir
Directory of flash:/
# Check whether the file vrpcfg.zip is stored in the working directory on the FTP server.
----End
Configuration Files
None
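The file-transfer examples above (the device as FTP server, the device as TFTP client, and the device as FTP client) all move the system software and vrpcfg.zip over protocols that carry credentials and file contents in cleartext, and the FTP server example grants its account privilege level 15 with the flash: root as the authorized directory, so anyone who captures that login can read or replace the device's configuration and image. The following audit script is an added example, not Huawei code or output: it parses a configuration file in the format shown on this page and flags those settings, plus an SFTP user rooted at flash: and local-user passwords that are not stored as irreversible ciphertext. The two configurations it checks are constructed here, modelled on the FTP_Server configuration file above and on the SSH_Server example; the ciphertext values are placeholders. The SSH 1.x check assumes the command text ssh server compatible-ssh1x enable, which does not appear on this page; confirm it against your release before relying on it.

```python
"""Audit a Huawei VRP configuration file for cleartext file-transfer exposure.

Added example, not Huawei code. ASSUMPTION: SSH 1.x compatibility is matched by
the literal text 'ssh server compatible-ssh1x enable' (not shown on this page).
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, message)

# Constructed sample modelled on the FTP_Server configuration file on this page;
# the ciphertext values are placeholders, not real password hashes.
FTP_SERVER_CONFIG = """\
#
 sysname FTP_Server
#
FTP server enable
#
aaa
 local-user admin1234 password irreversible-cipher %^%#placeholder%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 ftp-directory flash:/
 local-user admin1234 service-type ftp
 local-user backup password cipher %@%@placeholder%@%@
 local-user backup privilege level 3
 local-user backup ftp-directory flash:/backup
 local-user backup service-type ftp
#
return
"""

# Constructed hardened counterpart: SFTP only, low-privilege user, subdirectory.
SFTP_SERVER_CONFIG = """\
#
 sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher %^%#placeholder%^%#
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
 ssh user client001 authentication-type password
 ssh user client001 service-type sftp
 ssh user client001 sftp-directory flash:/backup
#
return
"""


def _local_users(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Merge every 'local-user <name> ...' line into one attribute dict per user."""
    users: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = re.match(r"local-user (\S+) (.+)", line)
        if not m:
            continue
        attrs = users.setdefault(m.group(1), {})
        words = m.group(2).split()
        if words[0] == "password" and len(words) > 1:
            attrs["password"] = words[1]  # irreversible-cipher | cipher | ...
        elif words[:2] == ["privilege", "level"] and len(words) > 2:
            attrs["level"] = words[2]
        elif words[0] == "ftp-directory" and len(words) > 1:
            attrs["ftp-directory"] = words[1]
        elif words[0] == "service-type":
            attrs["service-type"] = " ".join(words[1:]).lower()
    return users


def audit_config(text: str) -> List[Finding]:
    """Return (code, message) findings for one configuration file; [] if clean."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings: List[Finding] = []
    if any(ln.lower() == "ftp server enable" for ln in lines):
        findings.append(("FTP_ENABLED", "FTP server enabled: user name, password and file "
                         "contents cross the network in cleartext; use SFTP"))
    if "ssh server compatible-ssh1x enable" in lines:  # assumed command text
        findings.append(("SSH1_COMPAT", "SSH 1.x compatibility enabled: protocol version 1 is insecure"))
    for line in lines:
        m = re.match(r"ssh user (\S+) sftp-directory (\S+)", line)
        if m and m.group(2).rstrip("/") == "flash:":
            findings.append(("SFTP_ROOT_DIR", f"{m.group(1)}: SFTP directory is the flash: root"))
    for name, a in _local_users(lines).items():
        if a.get("password") != "irreversible-cipher":
            findings.append(("WEAK_PASSWORD_STORE",
                             f"{name}: password is not stored as irreversible ciphertext"))
        if "ftp" in a.get("service-type", "").split():
            if a.get("level") == "15":
                findings.append(("FTP_USER_LEVEL15", f"{name}: FTP account at privilege level 15"))
            if a.get("ftp-directory", "").rstrip("/") == "flash:":
                findings.append(("FTP_ROOT_DIR", f"{name}: FTP directory is the flash: root, so "
                                 "vrpcfg.zip and the system software can be read or replaced"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("FTP_Server", FTP_SERVER_CONFIG), ("SSH_Server", SFTP_SERVER_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
```

Run it against a configuration saved with the display current-configuration output; a clean result for the SFTP configuration and four findings for the FTP one are what the sample produces.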
Configuration Notes
l Before accessing files on the SSH server using SFTP, ensure that routes are reachable
between the device and SSH server.
l SFTP over SSH protocol version 1 is insecure: SSH1 has known cryptographic weaknesses (its CRC-32
integrity check can be defeated). Use SSH 2.0 (SFTP V2) or FTPS instead.
l This example applies to all versions and all models of S series switches.
Networking Requirements
As shown in Figure 4-7, the routes between the SSH server and clients client001 and
client002 are reachable. A Huawei device is used as the SSH server in this example.
The clients client001 and client002 are required to connect to the SSH server in password and
DSA authentication modes respectively to ensure secure access to files on the SSH server.
Figure 4-7 Networking diagram for accessing files on another device using SFTP: client001 (10.2.1.1/24) and client002 (10.3.1.1/24) - Internet - SSH Server (10.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server function to
implement secure data exchange between the server and client.
2. Configure the clients client001 and client002 on the SSH server to log in to the SSH
server in password and DSA authentication modes.
3. Generate a local key pair on client002 and configure the generated DSA public key on
the SSH server, which implements authentication for the client when a user logs in to the
server from the client.
4. On the SSH server, enable client001 and client002 to log in to the SSH server using
SFTP and access the files.
Procedure
Step 1 On the SSH server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] ssh user client001 //Create an SSH user.
[SSH Server] ssh user client001 authentication-type password //Set the
authentication mode to password authentication.
[SSH Server] ssh user client001 service-type sftp //Set the user service type
to SFTP.
[SSH Server] ssh user client001 sftp-directory flash: //Set the SFTP service
authorized directory to flash:.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher
Helloworld@6789 //Set the login password to Helloworld@6789.
[SSH Server-aaa] local-user client001 service-type ssh //Set the user service
type to SSH.
[SSH Server-aaa] local-user client001 privilege level 3 //Set the user level to
3.
[SSH Server-aaa] quit
# Create an SSH user named client002 and configure the DSA authentication mode for the
user.
[SSH Server] ssh user client002 //Create an SSH user.
[SSH Server] ssh user client002 authentication-type dsa //Set the
authentication mode to DSA authentication.
[SSH Server] ssh user client002 service-type sftp //Set the user service type
to SFTP.
[SSH Server] ssh user client002 sftp-directory flash: //Set the SFTP service
authorized directory to flash:.
Step 3 Generate a local key pair on client002 and configure the generated DSA public key on the
SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
# Display the DSA public key of client002 (display dsa local-key-pair public) and copy the key code to the SSH server.
=====================================================
Key name : client002_Host_DSA
Key modulus : 2048
Key fingerprint: b7:68:86:90:d8:19:f3:e6:4a:f2:e9:fd:e4:24:ef:a5
=====================================================
Key code:
30820322
02820100
0214
02820100
02820100
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQIZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhWqZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6JbeccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQWsrXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0wK5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYgXG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfEByn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrkyeCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDAkjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U42SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNtAEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMfLZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCootdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN+A==
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]02820100
# Log in to the SSH server from client001 (password authentication).
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
Enter password:
sftp-client>
# Log in to the SSH server from client002 (DSA authentication).
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
sftp-client>
User-public-key-type : dsa
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820322
02820100
0214
02820100
02820100
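Step 3 above shows client002's DSA public key in two encodings: the DER hex words (30820322 02820100 0214 02820100 02820100 ...) that are pasted into the server's public-key-code view, and the OpenSSH ssh-dss blob (AAAAB3NzaC1kc3M...). The header words are consistent with a DER SEQUENCE holding the four INTEGERs p, q, g and y, since 0x322 = 802 bytes = (4+256) + (2+20) + (4+256) + (4+256), and because the ssh-dss blob encodes p as a 257-byte mpint with a leading 0x00 while the DER INTEGER is 256 bytes, the device evidently writes each INTEGER as its unsigned magnitude without the DER sign pad. The converter below is an added example, not Huawei code: it parses an ssh-dss public key line as written by ssh-keygen, re-encodes it in that assumed SEQUENCE{p,q,g,y} layout as 8-character hex words, and computes the OpenSSH MD5 and SHA256 fingerprints so the value can be compared with the Key fingerprint line the switch prints. That the switch computes its fingerprint over the same ssh-dss blob is an assumption to verify on your device; the 16 colon-separated bytes in the page's output match the MD5 format. The key built in the block uses tiny constructed numbers so the encodings can be checked by hand; it is not a usable DSA key.

```python
"""Convert an OpenSSH ssh-dss public key to DER-style hex words for a switch's
dsa peer-public-key view, and fingerprint it for out-of-band verification.

Added example, not Huawei code. ASSUMPTION (from the header words on this page):
SEQUENCE { INTEGER p, INTEGER q, INTEGER g, INTEGER y }, each INTEGER written
as its unsigned big-endian magnitude with no 0x00 sign pad.
"""
import base64
import hashlib
import struct
from typing import List, Tuple

DSAKey = Tuple[int, int, int, int]  # (p, q, g, y)


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH 'string' (uint32 length + bytes), rejecting truncation."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def _mpint(v: int) -> bytes:
    """SSH mpint: two's complement, so a value with its top bit set gets a 0x00 pad."""
    if v < 0:
        raise ValueError("negative values do not occur in a DSA public key")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def encode_ssh_dss(key: DSAKey) -> bytes:
    """Build the ssh-dss wire blob: string "ssh-dss", then mpint p, q, g, y."""
    return b"\x00\x00\x00\x07ssh-dss" + b"".join(_mpint(v) for v in key)


def parse_ssh_dss(blob: bytes) -> DSAKey:
    """Inverse of encode_ssh_dss; raises ValueError on any malformed input."""
    ktype, pos = _read_string(blob, 0)
    if ktype != b"ssh-dss":
        raise ValueError("not an ssh-dss key: %r" % ktype)
    values: List[int] = []
    for _ in range(4):
        raw, pos = _read_string(blob, pos)
        values.append(int.from_bytes(raw, "big"))
    if pos != len(blob):
        raise ValueError("trailing bytes after y")
    return (values[0], values[1], values[2], values[3])


def parse_openssh_line(line: str) -> DSAKey:
    """Parse an 'ssh-dss <base64> [comment]' line such as id_dsa.pub."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("expected an 'ssh-dss <base64>' line")
    return parse_ssh_dss(base64.b64decode(fields[1], validate=True))


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _unsigned_int(v: int) -> bytes:
    # ASSUMPTION: unsigned magnitude, matching the 0x100-byte p shown on the page.
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return b"\x02" + _der_len(len(body)) + body


def to_der_sequence(key: DSAKey) -> bytes:
    """SEQUENCE { p, q, g, y } in the assumed layout."""
    body = b"".join(_unsigned_int(v) for v in key)
    return b"\x30" + _der_len(len(body)) + body


def der_hex_words(der: bytes) -> str:
    """Format as 8-character hex words, the way the switch prints 'Key code'."""
    h = der.hex()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """OpenSSH legacy MD5 (colon-separated) and modern SHA256 (base64, unpadded)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


# Constructed toy key: tiny values chosen so the encodings can be checked by hand.
# It is NOT a valid DSA key; real keys have a 1024/2048-bit p and a 160-bit q.
TOY_KEY: DSAKey = (0x81, 0x05, 0x02, 0xFF)
TOY_LINE = "ssh-dss " + base64.b64encode(encode_ssh_dss(TOY_KEY)).decode() + " client002"

if __name__ == "__main__":
    key = parse_openssh_line(TOY_LINE)
    print(der_hex_words(to_der_sequence(key)))  # 300c0201 81020105 02010202 01ff
    print(*fingerprints(encode_ssh_dss(key)))
```

The MD5 form is what ssh-keygen -l -E md5 -f id_dsa.pub prints on the client, so the three values (client-side ssh-keygen, this script, the switch's Key fingerprint line) should agree before the key is trusted on the server.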
Configuration Notes
l Usage restrictions:
– The electrical and optical interfaces of a combo interface are multiplexed. The
optical interface cannot have a copper module installed.
– When a combo interface works in auto mode and the combo optical interface has an
optical module installed, the combo interface works as an optical interface after the
device restarts.
– You can configure the working mode of the combo interface based on the remote
interface type. If the local combo electrical interface is connected to a remote
electrical interface, configure the combo interface to work in copper mode. If the
local combo optical interface is connected to a remote optical interface, configure
the combo interface to work in fiber mode. If the local combo interface is
configured to work in a different mode from the remote interface, the two interfaces
cannot communicate.
l This example applies to switches that support the combo interface.
Networking Requirements
As shown in Figure 5-1, PC1, PC2, and PC3 connect to GE1/0/1, GE1/0/2 and GE1/0/3 of
the Switch respectively. The Switch connects to the Internet through the combo interface
GE1/0/4. You can configure the working mode of the combo interface based on the remote
interface type. In this example, the remote interface at the Internet side is an electrical
interface.
Figure 5-1 Networking diagram for configuring the working mode of a combo interface: PC1, PC2, and PC3 on GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch; combo interface GE1/0/4 to the Internet
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the combo interface GE1/0/4 to work as an electrical interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] combo-port copper //Configure the combo interface
to work as an electrical interface. By default, the combo interface's working
mode is auto.
[Switch-GigabitEthernet1/0/4] quit
If COMBO AUTO is displayed, the combo interface automatically selects the working mode.
If FORCE FIBER is displayed, the combo interface is configured to work as an optical
interface. If FORCE COPPER is displayed, the combo interface is configured to work as an
electrical interface. The preceding command output shows that the combo interface is
configured to work as an electrical interface.
----End
Configuration File
Configuration file of the Switch
#
sysname Switch
#
interface GigabitEthernet1/0/4
combo-port copper
#
return
Configuration Notes
l Usage restrictions
– Ethernet interfaces at both ends of a link must work in the same auto-negotiation
mode. Otherwise, the interfaces may be Down.
– When the working rate of a GE electrical interface is 1000 Mbit/s, the interface
supports only the full-duplex mode and does not need to negotiate the duplex mode
with the remote interface.
– Interfaces at both ends of a link must use the same rate and duplex mode.
– Table 5-1 lists the rate and duplex mode of Ethernet interfaces.
Networking Requirements
As shown in Figure 5-2, Server1, Server2, and Server3 form a server cluster and connect to
GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch respectively. The Switch connects to the
Internet through GE1/0/4.
Due to limitations of network adapters on the servers, GE1/0/1, GE1/0/2, and GE1/0/3 can
only work in half-duplex mode after negotiating with connected server interfaces. As a result,
packet loss occurs when the service traffic volume is high. In addition, the rate is negotiated
to 1000 Mbit/s for GE1/0/1, GE1/0/2, and GE1/0/3. When the three servers concurrently send
data at the rate of 1000 Mbit/s, the outbound interface GE1/0/4 may be congested. Users
require that packet loss and congestion do not occur.
Figure 5-2 Networking diagram for configuring the rate and duplex mode in non-auto-negotiation mode: Server1, Server2, and Server3 on GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch; GE1/0/4 to the Internet
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create a port group and add GE1/0/1, GE1/0/2, and GE1/0/3 to the port group.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] port-group portgroup1 //Create a permanent port group portgroup1.
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 //Add
GE1/0/1,GE1/0/2, and GE1/0/3 to portgroup1.
Step 2 Configure GE1/0/1, GE1/0/2, and GE1/0/3 to work in non-auto-negotiation mode, and set the
duplex mode to full-duplex and the rate to 100 Mbit/s for these interfaces in a batch.
[Switch-port-group-portgroup1] undo negotiation auto //Configure interfaces to
work in non-auto-negotiation mode in a batch.
[Switch-GigabitEthernet1/0/1] undo negotiation auto
[Switch-GigabitEthernet1/0/2] undo negotiation auto
[Switch-GigabitEthernet1/0/3] undo negotiation auto
[Switch-port-group-portgroup1] duplex full //Set the duplex mode of the
interfaces to full-duplex in a batch.
[Switch-GigabitEthernet1/0/1] duplex full
[Switch-GigabitEthernet1/0/2] duplex full
[Switch-GigabitEthernet1/0/3] duplex full
[Switch-port-group-portgroup1] speed 100 //Set the rate of the interfaces to
100 Mbit/s in a batch.
[Switch-GigabitEthernet1/0/1] speed 100
[Switch-GigabitEthernet1/0/2] speed 100
[Switch-GigabitEthernet1/0/3] speed 100
[Switch-port-group-portgroup1] quit
The command output shows that the interface works in non-negotiation mode, the rate is 100
Mbit/s, and the duplex mode is full-duplex.
Similarly, run the display interface gigabitethernet 1/0/2 and display interface
gigabitethernet 1/0/3 commands on GE1/0/2 and GE1/0/3 respectively to check interface
working information.
----End
Configuration File
Configuration file of the Switch
#
sysname Switch
#
interface GigabitEthernet1/0/1
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/2
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/3
undo negotiation auto
speed 100
#
port-group portgroup1
group-member GigabitEthernet1/0/1
group-member GigabitEthernet1/0/2
group-member GigabitEthernet1/0/3
#
return
Configuration Notes
l By default, an Ethernet interface works in Layer 2 mode and belongs to VLAN 1. An
interface is not removed from VLAN 1 immediately after being switched to Layer 3
mode. It is removed from VLAN 1 only when Layer 3 protocols are Up.
l You can configure Layer 2 and Layer 3 modes of an Ethernet interface in the Ethernet
interface view or system view. When the configurations in the two views differ, the latest
configuration takes effect.
l The minimum interval between running the portswitch and undo portswitch commands
is 30 seconds. That is, after changing the mode of an Ethernet interface, you have to wait
at least 30 seconds before changing the mode again.
l If service configurations (such as the port link-type trunk configuration) exist on an
interface, you need to clear all service configurations before switching the interface
between Layer 2 and Layer 3 modes. The mode switching configuration takes effect on
an interface when only attribute configurations (such as shutdown and description
configurations) exist on the interface.
l Interfaces on the S12700 can be switched between Layer 2 and Layer 3 modes. IP
addresses can be assigned to Ethernet interfaces working in Layer 3 mode.
Networking Requirements
As shown in Figure 5-3, PC1, PC2, PC3, and PC4 are on four network segments, and
SwitchB, SwitchC, SwitchD, and SwitchE are access switches for these four network
segments, respectively. It is required that four physical Ethernet interfaces on SwitchA be
configured as gateway interfaces for these four network segments.
Figure 5-3 Networking diagram for configuring Ethernet interfaces as Layer 3 gateway interfaces: SwitchA connects to SwitchB (PC1, 10.10.1.0/24), SwitchC, SwitchD, and SwitchE through GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Switch interfaces to Layer 3 mode.
Step 3 Run the display interface gigabitethernet 1/0/1 command in any view to check the interface
working mode.
[SwitchA] display interface gigabitethernet 1/0/1
...
Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24
...
If Switch Port is displayed, the interface works in Layer 2 mode. If Route Port is displayed,
the interface works in Layer 3 mode. The preceding command output shows that the interface
works in Layer 3 mode.
Similarly, run the display interface gigabitethernet 1/0/2, display interface gigabitethernet
1/0/3, and display interface gigabitethernet 1/0/4 commands on GE1/0/2, GE1/0/3, and
GE1/0/4 respectively to check the interface working mode.
----End
Configuration File
Configuration file of the SwitchA
#
sysname SwitchA
#
interface GigabitEthernet1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.10.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.10.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
undo portswitch
ip address 10.10.4.1 255.255.255.0
#
return
The port isolation mode can be Layer 2 isolation and Layer 3 interworking or Layer 2 and
Layer 3 isolation.
l To isolate broadcast packets in the same VLAN but allow users connecting to different
interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2
isolation and Layer 3 interworking.
l To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer
3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.
Configuration Notes
l The S12700 supports both port isolation modes: Layer 2 isolation with Layer 3 interworking, and Layer 2 and Layer 3 isolation.
l Do not add both the uplink and downlink interfaces to the same port isolation group
unless it is required. Otherwise, the uplink and downlink interfaces cannot communicate.
Networking Requirements
An R&D office of a company contains employees from the company, partner company A, and
partner company B. As shown in Figure 5-4, PC1 and PC2 are used by two employees from
partner companies A and B respectively, and PC3 is used by an R&D employee from the
company. The requirements are as follows:
l Employees from partner companies A and B cannot communicate with each other.
l Employees from partner companies A and B can communicate with the company's employees.
Figure 5-4 Networking diagram for configuring port isolation: Router - Switch; PC1 on GE1/0/1 and PC2 on GE1/0/2 in the port isolation group, PC3 on GE1/0/3
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to a VLAN.
2. Add the interfaces to a port isolation group to implement Layer 2 isolation between these
interfaces. The default port isolation mode is Layer 2 isolation and Layer 3 interworking.
Procedure
Step 1 Configure port isolation.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the interface type of
GE1/0/1 to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add GE1/0/1 to VLAN 10.
[Switch-GigabitEthernet1/0/1] port-isolate enable //By default, the interface
is added to port isolation group 1 and the port isolation mode is Layer 2
isolation and Layer 3 interworking. You can run the port-isolate mode all command
to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/1] quit
Configuration File
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
#
return
Configuration Notes
l After the port-security enable command is configured on an interface, MAC address
limiting cannot take effect on the interface. Do not configure port security and MAC
address limiting on the same interface simultaneously.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-1, user network 1 is connected to GE1/0/1 of the switch through
LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and GE1/0/1
and GE1/0/2 belong to VLAN 2. To control the number of access users, configure MAC
address limiting in VLAN 2.
Figure 6-1 Networking diagram for configuring MAC address limiting in a VLAN: Switch to Network; user network 1 - LSW1 - GE1/0/1 and user network 2 - LSW2 - GE1/0/2, both in VLAN 2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address limiting in a VLAN to prevent MAC address attacks and
control the number of access users.
Procedure
Step 1 Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of
the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to
VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is
similar to the configuration of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch-GigabitEthernet1/0/2] quit
Step 2 Configure the following MAC address limiting rule in VLAN 2: a maximum of 100 MAC
addresses can be learned. When the number of learned MAC address entries reaches the limit,
the device stops learning new source MAC addresses but still forwards their packets, and generates
an alarm. Note that action forward protects the MAC address table, not the link: packets from a
flooding host continue to be forwarded.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action taken
for packets in different versions is different. You are advised to manually
configure the action. The alarm function is enabled by default, so you do not
need to configure the alarm function manually.
[Switch-vlan2] quit
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
Configuration Notes
l After port-security enable is configured on an interface, MAC address limiting cannot
be configured on the interface.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-2, user network 1 and user network 2 connect to the switch through the
LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user network 2
belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC address limiting can be
configured on GE1/0/1 to control the number of access users.
Figure 6-2 Networking diagram for configuring MAC address limiting on an interface: Switch to Network; user network 1 (VLAN 10) and user network 2 (VLAN 20) - LSW - GE1/0/1
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 forwarding.
2. Configure MAC address limiting on an interface to control the number of access users.
Procedure
Step 1 Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of
the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to
VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
Step 2 Configure a MAC address limiting rule on GE1/0/1: a maximum of 100 MAC address entries
can be learned. When the number of learned MAC address entries reaches the limit, the
device discards packets whose source MAC address has not been learned and generates an alarm.
With action discard, a legitimate host that appears after the limit is reached is blocked as well,
so size the limit for the expected number of users.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The
default action taken for packets in different versions is different. You are
advised to manually specify the action. The alarm function is enabled by default,
so you do not need to specify it manually.
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
mac-limit maximum 100
#
return
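The two MAC address limiting examples above differ only in the action taken once the limit is reached: action forward in the VLAN example and action discard in the interface example. The following simulation is an added example, not Huawei code or output, and the frame sequences it processes are constructed. It shows the difference a practitioner cares about when choosing the action: with action forward, a flooding host's frames keep being forwarded once the table is full (the limit protects the MAC address table, not the bandwidth), while with action discard those frames are dropped, which also drops the frames of any legitimate host that first appears after the limit is reached. The alarm the page mentions is modelled as a flag raised the first time the limit is hit.

```python
"""Simulate MAC address limiting with the two actions configured on this page.

Added example, not Huawei code. One learning table with a maximum entry count;
once it is full, frames from unknown source MACs are either still forwarded
(action forward) or dropped (action discard), and an alarm is raised once.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Frame = Tuple[str, str]  # (ingress interface, source MAC)


@dataclass
class MacLimitStats:
    learned: Dict[str, str] = field(default_factory=dict)  # source MAC -> ingress interface
    forwarded: int = 0
    discarded: int = 0
    alarm_raised: bool = False


def run_mac_limit(frames: List[Frame], maximum: int, action: str) -> MacLimitStats:
    """Process frames in order under 'mac-limit maximum <maximum> action <action>'."""
    if action not in ("forward", "discard"):
        raise ValueError("action must be 'forward' or 'discard'")
    st = MacLimitStats()
    for port, mac in frames:
        if mac in st.learned:                # known source: forwarded normally
            st.forwarded += 1
        elif len(st.learned) < maximum:     # room left: learn, then forward
            st.learned[mac] = port
            st.forwarded += 1
        else:                               # limit reached: no learning, alarm once
            st.alarm_raised = True
            if action == "forward":
                st.forwarded += 1           # frame still goes out; table stays at the limit
            else:
                st.discarded += 1           # frame dropped; a new legitimate host is cut off too
    return st


def mac_flood(count: int, port: str = "GE1/0/1") -> List[Frame]:
    """Constructed burst of frames with distinct locally administered source MACs,
    the pattern a MAC flooding tool produces."""
    return [(port, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)) for i in range(count)]


if __name__ == "__main__":
    hosts = [("GE1/0/1", "00:0a:0a:0a:0a:01"), ("GE1/0/2", "00:0a:0a:0a:0a:02")]
    traffic = hosts + mac_flood(150) + hosts
    for action in ("forward", "discard"):
        st = run_mac_limit(traffic, 100, action)
        print(action, len(st.learned), st.forwarded, st.discarded, st.alarm_raised)
```

Either way the table never exceeds 100 entries, so the CAM overflow that MAC flooding aims for is prevented; the choice of action decides whether the attacker's traffic is also stopped, at the cost of blocking late-arriving legitimate hosts.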
Configuration Notes
l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.
Networking Requirements
As shown in Figure 6-3, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN
20 through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
SwitchA and SwitchB need to provide higher link bandwidth for inter-VLAN communication, and
data transmission reliability needs to be ensured.
Figure 6-3 Networking diagram for configuring an Eth-Trunk: SwitchA and SwitchB connected by Eth-Trunk 1 (GE1/0/1, GE1/0/2, and GE1/0/3 on each side); GE1/0/4 to VLAN 10 and GE1/0/5 to VLAN 20 on each switch
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member
interfaces of the Eth-Trunk and enhance reliability.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1,
GE1/0/2, and GE1/0/3 to Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1,
GE1/0/2, and GE1/0/3 to Eth-Trunk 1.
[SwitchB-Eth-Trunk1] quit
Step 2 Create VLAN 10 and VLAN 20 and add interfaces to VLAN 10 and VLAN 20. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk
interface. The default link type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac //Configure load balancing based
on the source and destination MAC addresses on Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
The preceding information shows that Eth-Trunk 1 contains three member interfaces:
GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3. The member interface
status is Up and the value of Operate status of Eth-Trunk 1 is up.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
Configuration Notes
l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.
l This example applies to all versions and products.
Networking Requirements
As shown in Figure 6-4, a LAG in LACP mode is configured on two directly connected
devices to improve bandwidth and reliability. The requirements are as follows:
l Two active links perform load balancing.
l One link functions as the backup link. When a fault occurs on the active link, the standby
link replaces the faulty link to ensure nonstop data transmission.
Figure 6-4 (diagram not reproduced): SwitchA and SwitchB are connected by three links in
Eth-Trunk 1, two of them active links and one a backup link.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor so that the Partner selects active
interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set interface priorities and determine active interfaces so that interfaces with higher
priorities are selected as active interfaces.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar
to that of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] eth-trunk 1 //Add GE1/0/1 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] eth-trunk 1 //Add GE1/0/2 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1 //Add GE1/0/3 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/3] quit
Step 3 Set the system LACP priority of SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100 //The default system LACP priority is 32768 (a smaller
value indicates a higher priority). Change the LACP priority of SwitchA to be higher
than that of SwitchB so that SwitchA functions as the Actor.
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2 //The default upper threshold for
the number of active interfaces in the LAG is 8. Change the upper threshold for
the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] quit
Step 5 Set the interface LACP priority and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100 //The default interface LACP
priority is 32768. Change the LACP priority of GE1/0/1 to 100 so that GE1/0/1
serves as the active interface.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100 //The default interface LACP
priority is 32768. Change the LACP priority of GE1/0/2 to 100 so that GE1/0/2
serves as the active interface.
[SwitchA-GigabitEthernet1/0/2] quit
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
The preceding information shows that the system LACP priority of SwitchA is 100 and is
higher than the system LACP priority of SwitchB. GigabitEthernet1/0/1 and
----End
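The following is an added example, not part of the Huawei document: the Actor selection and active link election that this procedure relies on, plus a decoder for the 8-bit PortState field of the display eth-trunk output. The bit order is assumed to be the IEEE 802.1AX Actor_State order (Activity, Timeout, Aggregation, Synchronization, Collecting, Distributing, Defaulted, Expired); SwitchA's MAC address and the port numbers are made up, while SwitchB's system ID and the PortState strings are copied from the Partner table above.

```python
# Added example (not from the Huawei document): the Actor selection and active
# link election described in this procedure, plus a decoder for the 8-bit
# PortState field of "display eth-trunk". The bit order used is the IEEE 802.1AX
# Actor_State order, assumed to be the order the display uses; SwitchA's MAC and
# the port numbers are made up, the SwitchB system ID and the PortState strings
# are copied from the output above.

STATE_BITS = ("Activity", "Timeout", "Aggregation", "Synchronization",
              "Collecting", "Distributing", "Defaulted", "Expired")

def decode_port_state(bits: str) -> dict:
    """Map a PortState string such as '11111100' to named LACP state flags."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("PortState must be 8 binary digits")
    return {name: bits[i] == "1" for i, name in enumerate(STATE_BITS)}

def is_forwarding(bits: str) -> bool:
    """Only a member that is in sync, Collecting and Distributing carries traffic."""
    st = decode_port_state(bits)
    return st["Synchronization"] and st["Collecting"] and st["Distributing"]

def system_key(priority: int, mac: str) -> tuple:
    """802.1AX System ID ordering: a lower (priority, MAC) pair means a higher priority."""
    return (priority, int(mac.replace("-", ""), 16))

def choose_actor(local: tuple, partner: tuple) -> str:
    """The end with the lower System ID becomes the Actor and drives link selection."""
    return "local" if system_key(*local) <= system_key(*partner) else "partner"

def select_active(members: list, max_active: int) -> list:
    """Rank members by (interface LACP priority, port number); take the first max_active."""
    ranked = sorted(members, key=lambda m: (m["prio"], m["port_no"]))
    return [m["name"] for m in ranked[:max_active]]

def forwarding_from_display(states: dict) -> list:
    """Cross-check: which partner ports report themselves Collecting and Distributing."""
    return sorted(name for name, bits in states.items() if is_forwarding(bits))

SWITCH_A = (100, "00e0-fc00-0001")       # lacp priority 100; MAC is an assumed value
SWITCH_B = (32768, "00e0-fca6-7f85")     # default priority; SystemID from the Partner table

MEMBERS_A = [                            # GE1/0/1 and GE1/0/2 set to 100, GE1/0/3 left default
    {"name": "GigabitEthernet1/0/1", "prio": 100, "port_no": 1},
    {"name": "GigabitEthernet1/0/2", "prio": 100, "port_no": 2},
    {"name": "GigabitEthernet1/0/3", "prio": 32768, "port_no": 3},
]

PARTNER_STATES = {"GigabitEthernet1/0/1": "11111100",
                  "GigabitEthernet1/0/2": "11111100",
                  "GigabitEthernet1/0/3": "11110000"}

if __name__ == "__main__":
    print("Actor:", "SwitchA" if choose_actor(SWITCH_A, SWITCH_B) == "local" else "SwitchB")
    print("Active by configuration:", select_active(MEMBERS_A, max_active=2))
    print("Forwarding per PortState:", forwarding_from_display(PARTNER_STATES))
```

The two views should agree: the members that the Actor's priorities select are exactly the partner ports whose PortState shows Collecting and Distributing set. A mismatch between them is the first thing to look for when an Eth-Trunk is up but the expected link is not carrying traffic.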
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp
max active-linknumber 2
#
interface GigabitEthernet1/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
E-Trunk Overview
Enhanced Trunk (E-Trunk) is an extension to LACP (a link aggregation protocol for a single
device) and implements link aggregation among multiple devices. E-Trunk achieves device-
level link reliability but not card-level link reliability.
Configuration Notes
l Devices must use link aggregation in LACP mode.
l As shown in Figure 6-5, the E-Trunk configuration on PE1 and PE2 must be the same.
The Eth-Trunks between PE1 and CE1 and between PE2 and CE1 must use the same rate
and duplex mode (key values must be the same) and join the same E-Trunk. After the
Eth-Trunks are added to the E-Trunk, ensure that the LACP priorities and system IDs of
PE1 and PE2 are the same. On CE1, CE1 interfaces directly connected to PE1 and PE2
must be added to the same Eth-Trunk. The Eth-Trunk can have a different Eth-Trunk ID
from that on the PEs. For example, the CE is configured with Eth-Trunk 20, while both
PEs are configured with Eth-Trunk 10.
l You must specify an IP address (loopback address recommended) for each PE to ensure
Layer 3 connectivity. Ensure that the peer IP address of a PE is the local IP address of
the other PE.
l The E-Trunk must be bound to a BFD session.
l You must set the same protocol packet password for PE1 and PE2.
l This example applies to all versions of the S12700.
Networking Requirements
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk. If the
Eth-Trunk or the PE fails, the CE cannot communicate with the PE. After an E-Trunk is
configured, the CE can be dual-homed to PEs. E-Trunk achieves device-level link reliability
but not card-level link reliability.
As shown in Figure 6-5, CE1 is connected to PE1 and PE2 using two Eth-Trunks in LACP
mode and is dual-homed to a VPLS network.
Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or the Eth-
Trunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To prevent service
interruption, configure an E-Trunk on PE1 and PE2. When communication between CE1 and
PE1 fails, traffic is switched to PE2 so that CE1 can communicate with CE2 through PE2.
When PE1 or the Eth-Trunk between CE1 and PE1 recovers, traffic is switched back to PE1.
The E-Trunk implements backup of link aggregation groups (LAGs) between PE1 and PE2
and therefore improves network reliability.
Figure 6-5 (diagram not reproduced): CE1 (Eth-Trunk 20, GE1/0/1 to GE1/0/4) is dual-homed to
PE1 and PE2, each of which terminates Eth-Trunk 10 on GE1/0/1 and GE1/0/2. PE1 and PE2 form
E-Trunk 1 and each connects through GE1/0/3 to PE3; PE3 connects to CE2 through GE1/0/3
(sub-interface GE1/0/3.1). Loopback1 is 1.1.1.9 on PE1, 2.2.2.9 on PE2 and 3.3.3.9 on PE3.
Device  Interface             Sub-interface           IP Address
PE1     GigabitEthernet1/0/1  -                       -
PE1     GigabitEthernet1/0/2  -                       -
PE1     Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/1  -                       -
PE2     GigabitEthernet1/0/2  -                       -
PE2     Loopback1             -                       2.2.2.9/32
PE3     GigabitEthernet1/0/3  GigabitEthernet1/0/3.1  -
PE3     Loopback1             -                       3.3.3.9/32
CE1     GigabitEthernet1/0/1  -                       -
CE1     GigabitEthernet1/0/2  -                       -
CE1     GigabitEthernet1/0/3  -                       -
CE1     GigabitEthernet1/0/4  -                       -
CE2     GigabitEthernet1/0/3  -                       -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an E-Trunk as follows:
– Create Eth-Trunks in LACP mode between CE1 and PE1 and between CE1 and
PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks in LACP mode to
the E-Trunk.
– Set the following parameters of the E-Trunk:
n E-Trunk priority
n LACP system ID and LACP priority of the E-Trunk
n Interval at which Hello packets are sent
n Time multiplier for detecting Hello packets
n IP addresses of the local and remote ends
– Bind the E-Trunk to a BFD session.
2. Configure CE1 to connect to the VPLS network as follows:
– Configure a routing protocol on the backbone network to implement the
interworking between devices.
– Configure basic MPLS functions and LDP.
– Enable MPLS L2VPN on PEs.
– Configure a VSI and specify LDP as the signaling protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.
Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure 6-5.
Configure a routing protocol on the backbone network to implement the interworking
between devices. OSPF is used in this example.
# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 100
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to
Loopback1 of one another, and can ping one another. Run the display ip routing-table
command on PE1, PE2, and PE3. You can see that the PEs have learned the routes to one
another.
NOTE
l The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN; otherwise,
a loop may occur.
l When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.
Step 2 Configure Eth-Trunks in LACP mode on user-side switch CE1, PE1, and PE2, and add
member interfaces to the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20 //Create Eth-Trunk 20 and enter the view of Eth-
Trunk 20.
[CE1-Eth-Trunk20] port link-type trunk //Set the link type of the interface to
trunk.
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10 //Add Eth-Trunk 20 to VLAN 10.
[CE1-Eth-Trunk20] mode lacp //Configure Eth-Trunk 20 to work in LACP mode.
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 //Add GE1/0/1 to
GE1/0/4 to Eth-Trunk20.
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-
Trunk 10.
[PE1-Eth-Trunk10] port link-type trunk //Set the link type of the interface to
trunk.
[PE1-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and
GE1/0/2 to Eth-Trunk10.
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-
Trunk 10.
[PE2-Eth-Trunk10] port link-type trunk //Set the link type of the interface to
trunk.
[PE2-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and
GE1/0/2 to Eth-Trunk10.
[PE2-Eth-Trunk10] quit
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, time
multiplier for detecting hello packets, interval at which hello packets are sent, and local and
remote IP addresses.
# Configure PE1.
[PE1] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE1] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1
to 00E0-FC00-0000.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] priority 10 //Set the priority of E-Trunk 1 to 10.
[PE1-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for
detecting hello packets to 3.
[PE1-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent
to 9 ms.
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 //Set the remote IP
address to 2.2.2.9 and local IP address to 1.1.1.9.
[PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE2] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1
to 00E0-FC00-0000.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] priority 20 //Set the priority of E-Trunk 1 to 20.
[PE2-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for
detecting hello packets to 3.
[PE2-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent
to 9 ms.
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 //Set the remote IP
address to 1.1.1.9 and local IP address to 2.2.2.9.
[PE2-e-trunk-1] quit
Step 4 Add Eth-Trunk 10 to E-Trunk 1 on PE1 and PE2. The configuration of PE1 is similar
to that of PE2, and is not mentioned here. For details, see the configuration files.
# Configure PE2.
[PE2] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE2-Eth-Trunk10] quit
Step 5 Create a BFD session between PE1 and PE2 and bind E-Trunk 1 to it. The configuration
of PE1 is similar to that of PE2, and is not mentioned here. For details, see the
configuration files. The IP addresses of the local and remote ends of the BFD session must
be the same as those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9 //Create a BFD
session named hello2 and bind the BFD session to remote IP address 1.1.1.9 and
local IP address 2.2.2.9.
[PE2-bfd-session-hello2] discriminator local 2 //Set the local discriminator
to 2.
[PE2-bfd-session-hello2] discriminator remote 1 //Set the remote
discriminator to 1.
[PE2-bfd-session-hello2] commit //Commit the BFD session configuration.
[PE2-bfd-session-hello2] quit
# Configure PE2.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2 //Bind E-Trunk
1 to the BFD session hello2.
[PE2-e-trunk-1] quit
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 //Set the LSR ID to 1.1.1.9.
[PE1] mpls //Enable global MPLS.
[PE1-mpls] quit
[PE1] mpls ldp //Enable global LDP.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls //Enable MPLS on an interface.
[PE1-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9 //Set the LSR ID to 2.2.2.9.
[PE2] mpls //Enable global MPLS.
[PE2-mpls] quit
[PE2] mpls ldp //Enable global LDP.
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls //Enable MPLS on an interface.
[PE2-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.9 //Set the LSR ID to 3.3.3.9.
[PE3] mpls //Enable global MPLS.
[PE3-mpls] quit
[PE3] mpls ldp //Enable global LDP.
[PE3-mpls-ldp] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] mpls //Enable MPLS on an interface.
[PE3-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls //Enable MPLS on an interface.
[PE3-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif200] quit
After the configuration is complete, run the display mpls ldp session command on PEs.
You can see that the status of the remote LDP peer relationship is Operational,
indicating that remote LDP sessions are set up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn //Enable global MPLS L2VPN.
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn //Enable global MPLS L2VPN.
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn //Enable global MPLS L2VPN.
[PE3-l2vpn] quit
3. Create a VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling protocol in
the VSI.
# Configure PE1.
[PE1] vsi ldp1 static //Create a VSI named ldp1 and configure static member
discovery.
[PE1-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE1-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE1-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2] vsi ldp1 static //Create a VSI named ldp1 and configure static member
discovery.
[PE2-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE2-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE2-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE2-vsi-ldp1-ldp] quit
[PE2-vsi-ldp1] quit
# Configure PE3.
[PE3] vsi ldp1 static //Create a VSI named ldp1 and configure static member
discovery.
[PE3-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE3-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE3-vsi-ldp1-ldp] peer 1.1.1.9 //Set the peer address of the VSI to 1.1.1.9.
[PE3-vsi-ldp1-ldp] peer 2.2.2.9 //Set the peer address of the VSI to 2.2.2.9.
[PE3-vsi-ldp1-ldp] quit
[PE3-vsi-ldp1] quit
4. Configure Eth-Trunk sub-interfaces on PE1 and PE2, and bind the VSI to the Eth-Trunk
sub-interfaces.
# Configure PE1.
[PE1] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of
Eth-Trunk 10.1.
[PE1-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for
dot1q encapsulation on Eth-Trunk 10.1 to VLAN 10.
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of
Eth-Trunk 10.1.
[PE2-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for
dot1q encapsulation on Eth-Trunk 10.1 to VLAN 10.
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE2-Eth-Trunk10.1] quit
5. Configure a sub-interface on PE3 and bind the VSI to the sub-interface.
# Configure PE3.
[PE3] interface gigabitethernet 1/0/3.1 //Create GE1/0/3.1 and enter the view
of GE1/0/3.1.
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10 //Set the single VLAN
ID for dot1q encapsulation on GE1/0/3.1 to VLAN 10.
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1 //Bind GE1/0/3.1 to the VSI
ldp1.
[PE3-GigabitEthernet1/0/3.1] quit
The preceding information shows that the E-Trunk priority on PE1 is 10, and the E-
Trunk status is Master; the E-Trunk priority on PE2 is 20, and the E-Trunk status is
Backup. Device backup is implemented.
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 20
#
interface GigabitEthernet1/0/4
eth-trunk 20
#
return
l Configuration file of PE1
#
sysname PE1
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
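The following is an added example, not part of the Huawei document: a consistency check for the E-Trunk requirements listed under Configuration Notes (same LACP system ID and priority on both PEs, mirrored peer and source addresses, a BFD session bound to the same addresses, and a member Eth-Trunk that is in LACP mode and added to the E-Trunk). It parses the relevant stanzas of the PE1 configuration file above; the PE2 file is constructed here as PE1's mirror image because the page does not print it. The stanza layout assumed (blocks separated by "#" lines, a header line followed by sub-commands) is how the configuration files on this page are laid out. The notes also require the same protocol packet password on both PEs, which neither the procedure nor the printed configuration file shows, so the check cannot cover that requirement.

```python
# Added example (not from the Huawei document): checks the E-Trunk requirements
# from Configuration Notes against the PE1 configuration file on the page and a
# PE2 file constructed here as PE1's mirror image. The stanza layout (blocks
# separated by '#', header line plus sub-commands) is assumed from the page.
import re

PE1_CONFIG = """\
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
e-trunk 1
 priority 10
 peer-address 2.2.2.9 source-address 1.1.1.9
 timer hello 9
 timer hold-on-failure multiplier 3
 e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
 port link-type trunk
 mode lacp
 e-trunk 1
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
 discriminator local 1
 discriminator remote 2
 commit
#
return
"""

# Constructed PE2 file: PE1 with the priority, addresses and discriminators swapped.
PE2_CONFIG = (PE1_CONFIG
    .replace("priority 10", "priority 20")
    .replace("peer-address 2.2.2.9 source-address 1.1.1.9",
             "peer-address 1.1.1.9 source-address 2.2.2.9")
    .replace("session-name hello1", "session-name hello2")
    .replace("bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9",
             "bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9")
    .replace("discriminator local 1", "discriminator local 2")
    .replace("discriminator remote 2", "discriminator remote 1"))

def parse_stanzas(text: str) -> list:
    """Split a VRP configuration into stanzas; each is [header, sub-command, ...]."""
    stanzas, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                stanzas.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        stanzas.append(current)
    return stanzas

def find_stanza(stanzas: list, header_prefix: str):
    return next((s for s in stanzas if s[0].startswith(header_prefix)), None)

def global_value(stanzas: list, prefix: str):
    """Argument of a top-level command such as 'lacp e-trunk priority 1'."""
    for s in stanzas:
        for line in s:
            if line.startswith(prefix + " "):
                return line[len(prefix):].strip()
    return None

def etrunk_params(text: str) -> dict:
    st = parse_stanzas(text)
    p = {"lacp_sysid": global_value(st, "lacp e-trunk system-id"),
         "lacp_prio": global_value(st, "lacp e-trunk priority")}
    for line in (find_stanza(st, "e-trunk ") or [""])[1:]:
        m = re.match(r"peer-address (\S+) source-address (\S+)$", line)
        if m:
            p["peer"], p["source"] = m.groups()
        m = re.match(r"e-trunk track bfd-session session-name (\S+)$", line)
        if m:
            p["bfd_name"] = m.group(1)
    bfd = find_stanza(st, "bfd %s bind " % p.get("bfd_name"))
    m = re.match(r"bfd \S+ bind peer-ip (\S+) source-ip (\S+)$", bfd[0]) if bfd else None
    p["bfd_peer"], p["bfd_source"] = m.groups() if m else (None, None)
    trunk = find_stanza(st, "interface Eth-Trunk") or []
    p["lacp_mode"] = "mode lacp" in trunk
    p["in_etrunk"] = any(l.startswith("e-trunk ") for l in trunk[1:])
    return p

def check_pair(a: dict, b: dict) -> list:
    """Return the violated requirements (empty when PE1 and PE2 agree)."""
    problems = []
    if (a["lacp_sysid"], a["lacp_prio"]) != (b["lacp_sysid"], b["lacp_prio"]):
        problems.append("LACP system ID or priority differs between the PEs")
    if a.get("peer") != b.get("source") or b.get("peer") != a.get("source"):
        problems.append("peer-address/source-address are not mirrored")
    for p in (a, b):
        if (p["bfd_peer"], p["bfd_source"]) != (p.get("peer"), p.get("source")):
            problems.append("BFD session addresses differ from the E-Trunk addresses")
        if not p["lacp_mode"]:
            problems.append("member Eth-Trunk is not in LACP mode")
        if not p["in_etrunk"]:
            problems.append("member Eth-Trunk is not added to the E-Trunk")
    return problems

if __name__ == "__main__":
    print(check_pair(etrunk_params(PE1_CONFIG), etrunk_params(PE2_CONFIG)) or "consistent")
```

A PE pair whose LACP system IDs or priorities differ presents two different systems to CE1, so CE1's Eth-Trunk 20 will not aggregate both links; that is the failure this check is meant to catch before the change goes in.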
lowering traffic forwarding efficiency. To address this issue, you can enable an Eth-Trunk to
preferentially forward local traffic.
Configuration Notes
l This example applies to all versions of the S12700.
l If active interfaces of an Eth-Trunk on the local device have sufficient bandwidth to
forward traffic, you can configure the Eth-Trunk to preferentially forward local traffic.
This function improves traffic forwarding efficiency and increases bandwidth capacity
between devices in the CSS.
l If active interfaces of an Eth-Trunk on the local device do not have sufficient bandwidth
to forward traffic, you can configure the Eth-Trunk not to preferentially forward local
traffic. In this case, some traffic on the local device is forwarded through member
interfaces of an Eth-Trunk on another device, preventing packet loss.
Networking Requirements
On the network shown in Figure 6-6, CSS technology is used to increase the total capacity of
devices. Switch3 and Switch4 are connected through stack cables to form a logical switch. To
implement backup between devices and improve reliability, physical interfaces on the two
switches are added to an Eth-Trunk. In normal situations, when you check information about
member interfaces on the PE, you can see that traffic from VLAN 2 and VLAN 3 is load
balanced across both GE1/0/1 and GE1/0/2. Part of the traffic from each VLAN therefore
crosses the CSS cable before it leaves the CSS, which consumes bandwidth between the member
switches and reduces traffic forwarding efficiency.
To ensure that traffic from VLAN 2 is forwarded through GE1/0/1 and traffic from VLAN 3
is forwarded through GE1/0/2, you can configure the Eth-Trunk to preferentially forward
local traffic.
Figure 6-6 (diagram not reproduced): Switch3 and Switch4 are joined by a CSS cable to form
the CSS; GE1/1/0/4 on Switch3 and GE2/1/0/4 on Switch4 form Eth-Trunk 10 towards the PE
(GE1/0/1 and GE1/0/2), which connects to the network. Switch1 (VLAN 2) connects through its
GE1/0/2 to GE1/1/0/3 on Switch3, and Switch2 (VLAN 3) connects through its GE1/0/2 to
GE2/1/0/3 on Switch4; GE1/0/1 on Switch1 and Switch2 faces the VLAN 2 and VLAN 3 hosts.
The figure marks the VLAN 2 data flow and the VLAN 3 data flow separately.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic.
4. Add interfaces to VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Create an Eth-Trunk and configure the ID of a VLAN from which packets can pass through
the Eth-Trunk.
# Configure the CSS.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-
Trunk 10.
[CSS-Eth-Trunk10] port link-type trunk //Set the link type of the interface to
trunk.
[CSS-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to
allow packets from all VLANs to pass through.
Step 3 Configure the Eth-Trunk on devices in the CSS to preferentially forward local traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable //Enable Eth-Trunk 10 to preferentially
forward local traffic.
[CSS-Eth-Trunk10] quit
NOTE
By default, an Eth-Trunk is enabled to preferentially forward local traffic. If the local-preference enable
command is executed, the system displays the message "Error: The local preferential forwarding mode
has been configured."
[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] quit
After the configuration is complete, run the display trunkmembership eth-trunk command
in any view to check information about member interfaces of the Eth-Trunk.
----End
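The following is an added example, not part of the Huawei document: a model of how an Eth-Trunk picks the egress member for a flow, combining the load-balance src-dst-mac mode from the two-switch Eth-Trunk example earlier in this chapter with the CSS local-preference behaviour from this example. The hash function is a stand-in, since the switch's real hash is not described on the page; the member interfaces and chassis numbers follow Figure 6-6, while the PE MAC address and the flows are made up.

```python
# Added example (not from the Huawei document): a model of how an Eth-Trunk
# picks the egress member for a flow, combining "load-balance src-dst-mac" from
# the earlier Eth-Trunk example with the CSS "local-preference" behaviour from
# this one. The hash is a stand-in (the real hash is not described on the page);
# member interfaces and chassis numbers follow Figure 6-6, flows and PE MAC are made up.
import hashlib

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def hash_src_dst_mac(src: str, dst: str, buckets: int) -> int:
    """Stand-in src-dst-mac hash: a given MAC pair always maps to the same member."""
    digest = hashlib.sha256(mac_bytes(src) + mac_bytes(dst)).digest()
    return int.from_bytes(digest[:4], "big") % buckets

# Eth-Trunk 10 on the CSS: member interface -> chassis (1 = Switch3, 2 = Switch4).
ETH_TRUNK_10 = {"GigabitEthernet1/1/0/4": 1, "GigabitEthernet2/1/0/4": 2}

def select_member(src: str, dst: str, ingress_chassis: int,
                  local_preference: bool = True) -> str:
    """Egress member for a flow that entered the CSS on ingress_chassis."""
    candidates = sorted(m for m, ch in ETH_TRUNK_10.items()
                        if not local_preference or ch == ingress_chassis)
    if not candidates:                     # no local member: the model falls back to the whole trunk
        candidates = sorted(ETH_TRUNK_10)
    return candidates[hash_src_dst_mac(src, dst, len(candidates))]

def crosses_css_cable(src: str, dst: str, ingress_chassis: int,
                      local_preference: bool = True) -> bool:
    """True when the chosen member sits on the other chassis (the stack link is used)."""
    member = select_member(src, dst, ingress_chassis, local_preference)
    return ETH_TRUNK_10[member] != ingress_chassis

def css_cable_share(flows: list, ingress_chassis: int, local_preference: bool) -> float:
    """Fraction of flows that would traverse the CSS cable before leaving the CSS."""
    crossing = sum(crosses_css_cable(s, d, ingress_chassis, local_preference)
                   for s, d in flows)
    return crossing / len(flows)

PE_MAC = "00e0-fc11-2233"                                   # assumed PE MAC address
# Constructed VLAN 2 flows: 200 hosts behind Switch1, entering the CSS on Switch3.
VLAN2_FLOWS = [("0200-0002-%04x" % i, PE_MAC) for i in range(1, 201)]

if __name__ == "__main__":
    print("CSS cable share, local preference on :", css_cable_share(VLAN2_FLOWS, 1, True))
    print("CSS cable share, local preference off:", css_cable_share(VLAN2_FLOWS, 1, False))
```

With local preference on, every VLAN 2 flow that enters Switch3 leaves through GE1/1/0/4 and the CSS cable carries none of it; with it off, the hash spreads the flows over both members and roughly half of them cross the stack link first. The fallback to the whole trunk when no local member exists is a choice of this model, not behaviour documented on the page.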
Configuration Files
l Configuration file of the CSS
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
return
When the master detects that the uplink interface fails, the master reduces its priority to be
lower than the priority of the backup and immediately sends VRRP packets. After the backup
receives the VRRP packets, it detects that the priority in the VRRP packets is lower than its
priority and switches to the master. This ensures correct traffic forwarding.
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l A VRRP group can be associated with a maximum of eight interfaces on a device.
Association between a VRRP group and the interface status cannot be configured on a
device that is the IP address owner.
l The following describes the applicable product models and versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 6-7, the user hosts are dual-homed to SwitchA and SwitchB through the
switch. The requirements are as follows:
l The hosts use SwitchA as the default gateway to connect to the Internet. When SwitchA
or the downlink/uplink fails, SwitchB functions as the gateway to implement gateway
backup.
l The bandwidth of the link between SwitchA and SwitchB is increased to implement link
backup and improve link reliability.
l After SwitchA recovers, it becomes the gateway within 20s.
Figure 6-7 Networking of association between VRRP and the interface status
(Diagram not reproduced.) Aggregation layer: the switch is dual-homed to GE1/0/2 on SwitchA
(Master) and GE1/0/2 on SwitchB (Backup); the user VLANs shown are VLAN 101 to VLAN 116 and
VLAN 165 to VLAN 180. SwitchA and SwitchB are connected by Eth-Trunk 1 (GE1/0/3 and GE1/0/4
shown on each). Core layer: SwitchA GE1/0/1 (192.168.1.1/24) and SwitchB GE1/0/1
(192.168.2.1/24) connect to SwitchC (192.168.1.2/24 and 192.168.2.2/24), which connects to
the Internet (172.16.1.1/24).
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit
# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit
# Run the display vrrp command on SwitchB. You can see that SwitchB is the backup.
VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Backup
state, SwitchB enters the Master state, and the associated interface becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
# After 20 s, run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA becomes the master again and SwitchB the backup, and the associated interface is in
Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
----End
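The priority tracking and preemption behaviour recorded in the display vrrp outputs above (PriorityConfig 120 on SwitchA, "Priority reduced : 100" on each tracked interface, a 20 s preempt Delay Time, default priority 100 on SwitchB), as an added Python model that is not Huawei code. The floor of 1 on the running priority (the RFC 5798 range 1-254), the tie-break on the higher interface IP address, and the event times are assumptions not shown on this page.

```python
"""Model of VRRP priority tracking and preemption as shown in the display vrrp
outputs above.  Added example, not Huawei code.  Assumed, not on the page: the
running priority never drops below 1 (RFC 5798 priority range 1-254) and equal
priorities are broken by the higher interface IP address."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str                       # Vlanif address, used as the election tie-breaker
    priority_config: int = 100    # PriorityConfig; the default is 100
    preempt_delay: int = 0        # "Preempt : YES  Delay Time : N s"
    tracked: dict = field(default_factory=dict)    # "Track IF" -> "Priority reduced"
    if_state: dict = field(default_factory=dict)   # "Track IF" -> True (UP) / False (DOWN)

    def priority_run(self) -> int:
        """PriorityRun: PriorityConfig minus the reduction of every tracked
        interface that is down (120 - 100 = 20 in the output above)."""
        reduction = sum(red for ifn, red in self.tracked.items()
                        if not self.if_state.get(ifn, True))
        return max(1, self.priority_config - reduction)


def elect_master(routers):
    """Highest running priority wins; equal priorities fall back to the
    higher interface IP address (RFC 5798, section 6.4)."""
    return max(routers, key=lambda r: (r.priority_run(), IPv4Address(r.ip)))


def simulate(routers, events, end_time):
    """Replay interface events and return the (time, master) transitions.

    events: (time, router_name, interface, is_up).  A router that becomes the
    best candidate takes over only after its own preempt delay, and only if
    it is still the best candidate when that delay expires."""
    by_name = {r.name: r for r in routers}
    master = elect_master(routers)
    timeline = [(0, master.name)]
    pending = None                            # (due_time, candidate_name)
    for t, rname, ifn, up in sorted(events) + [(end_time, None, None, None)]:
        if pending and pending[0] <= t:       # preempt timer expired before this event
            cand = by_name[pending[1]]
            if cand is not master and elect_master(routers) is cand:
                master = cand
                timeline.append((pending[0], master.name))
            pending = None
        if rname is None:                     # sentinel: end of replay
            break
        by_name[rname].if_state[ifn] = up
        best = elect_master(routers)
        if best is master:
            pending = None                    # master is best again; cancel any timer
        elif best.preempt_delay == 0:
            master = best                     # Delay Time 0 s: immediate takeover
            timeline.append((t, master.name))
            pending = None
        else:
            pending = (t + best.preempt_delay, best.name)
    return timeline


def page_scenario():
    """The fault-and-recovery sequence of the procedure above, with constructed
    event times: GE1/0/1 on SwitchA shut down at t=10 s, brought up at t=100 s."""
    switch_a = VrrpRouter("SwitchA", "10.1.1.2", priority_config=120, preempt_delay=20,
                          tracked={"GigabitEthernet1/0/1": 100, "GigabitEthernet1/0/2": 100},
                          if_state={"GigabitEthernet1/0/1": True, "GigabitEthernet1/0/2": True})
    switch_b = VrrpRouter("SwitchB", "10.1.1.3")
    events = [(10, "SwitchA", "GigabitEthernet1/0/1", False),
              (100, "SwitchA", "GigabitEthernet1/0/1", True)]
    return switch_a, switch_b, simulate([switch_a, switch_b], events, end_time=200)


if __name__ == "__main__":
    a, b, timeline = page_scenario()
    print(timeline)   # [(0, 'SwitchA'), (10, 'SwitchB'), (120, 'SwitchA')]
```

The 20 s preempt delay is what keeps SwitchA from flapping back the instant GE1/0/1 recovers, which matches the two display vrrp snapshots above.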
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
IP subnet-based VLAN assignment
Description: VLANs are assigned based on source IP addresses and subnet masks. A network
administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an
untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the
frame. Then the frame is transmitted in the specified VLAN.
Advantages:
l When physical locations of users change, the network administrator does not need to
reconfigure VLANs for the users.
l This mode reduces communication traffic and allows a broadcast domain to span multiple
switches.
Disadvantages: Users are distributed regularly and multiple users are on the same network
segment.
Usage scenario: Applies to scenarios where there are high requirements for mobility and
simplified management and low requirements for security. For example, this mode can be used
if a PC with multiple IP addresses needs to access servers on different network segments or a
PC needs to join a new VLAN automatically after the PC's IP address changes.
Protocol-based VLAN assignment
Description: VLANs are assigned based on protocol (suite) types and encapsulation formats of
frames. A network administrator preconfigures mappings between protocol types and VLAN
IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol
type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantages: This mode binds service types to VLANs, facilitating management and
maintenance.
Disadvantages:
l The network administrator must preconfigure mappings between all protocol types and
VLAN IDs.
l The switch needs to analyze protocol address formats and convert the formats, which
consumes excessive resources. Therefore, this mode slows down switch response time.
Usage scenario: Applies to networks using multiple protocols.
Interface-based VLAN assignment is the simplest and most commonly used method.
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-8, the switch of an enterprise connects to many users, and users
accessing the same service connect to the enterprise network through different devices. To
ensure communication security and prevent broadcast storms, the enterprise requires that
users using the same service communicate with each other and users accessing different
services be isolated. You can configure interface-based VLAN assignment on the switch so
that the switch adds interfaces connected to users using the same service to the same VLAN.
Users in different VLANs cannot communicate with each other at Layer 2, and users in the
same VLAN can communicate with each other.
[Figure 6-8: SwitchA and SwitchB are connected through GE1/0/3 on each switch; the user-facing interfaces are GE1/0/1 and GE1/0/2 on each switch]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces that connect users to VLANs to isolate Layer 2 traffic
of different services.
2. Configure link types of interfaces between SwitchA and SwitchB and VLANs allowed
by interfaces so that users accessing the same service can communicate with each other
through SwitchA and SwitchB.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA and add interfaces that are connected to users to
VLANs. The configuration of SwitchB is similar to the configuration of SwitchA, and is not
mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //The interface connected
to the access device must be the access interface. The default link type of an
interface is not access, so you need to manually configure the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3 //Add GE1/0/2 to VLAN 3.
[SwitchA-GigabitEthernet1/0/2] quit
Step 2 Configure the link type of the interface on SwitchA that is connected to SwitchB and VLAN
allowed by the interface. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
User1 and User2 are on the same network segment, for example, 192.168.100.0/24; User3 and
User4 are on the same network segment, for example, 192.168.200.0/24.
User1 and User2 can ping each other, but cannot ping User3 or User4. User3 and User4 can
ping each other, but cannot ping User1 or User2.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Related Content
Support Community
l VLAN Basics
l VLAN Assignment
Videos
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN assignment is
the simplest and most commonly used method.
Interface-based VLAN assignment indicates that VLANs are assigned based on interfaces. A
network administrator preconfigures a PVID for each interface on a switch. When an
untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame.
Then the frame is transmitted in a specified VLAN.
In typical hierarchical networking, when the access switch is a Layer 3 switch, the access
switch can be used as the gateway of PCs to simplify the configuration of the aggregation
switch.
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-9, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1
and PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3 belongs
to VLAN 4 and connects to SW1 through SW3. SW2 functions as the gateway of PC1 and
PC2, and SW3 is used as the gateway of PC3. Static routes are configured on switches so that
PCs can communicate with each other and can be connected to the router.
[Figure 6-9: SW1 (uplink GE1/0/1; GE1/0/2 and GE1/0/3 down to SW2 and SW3); SW2 and SW3 connect to SW1 through GE1/0/1 and act as gateways of the PCs, which attach to SW2 GE1/0/23 and GE1/0/24 and to SW3 GE1/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based assignment on the access switch to implement Layer 2
interworking.
2. Configure access switches as gateways of PCs to implement communication between
PCs on different network segments.
3. Configure static routes on the aggregation switch so that PCs can communicate with the
router.
Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
<HUAWEI> system-view
[HUAWEI] sysname SW3 //Change the device name to SW3.
[SW3] vlan batch 4 //Create VLAN 4.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW1 //Change the device name to SW1.
[SW1] vlan batch 5 //Create VLAN 5.
# Configure a static route so that PCs on different network segments can communicate with
each other.
[SW1] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 //Configure a static
route. Packets with the destination IP address of 192.168.2.0/24 are forwarded to
the next hop address of 192.168.5.2. The next hop address is the IP address of
the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2 //Configure a static
route. Packets with the destination IP address of 192.168.3.0/24 are forwarded to
the next hop address of 192.168.5.2. The next hop address is the IP address of
the VLANIF interface connected to SW2.
[SW1] ip route-static 192.168.4.0 255.255.255.0 192.168.5.3 //Configure a static
route. Packets with the destination IP address of 192.168.4.0/24 are forwarded to
the next hop address of 192.168.5.3. The next hop address is the IP address of
the VLANIF interface connected to SW3.
# Configure a default route so that PCs can communicate with the router.
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4 //The next hop 192.168.5.4 is the IP
address of the interface (on the router) that is connected to SW1.
----End
Configuration Files
Configuration file of SW1
#
sysname SW1
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/23
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/24
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return
Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols, and
policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN assignment is
the simplest and most commonly used method.
Interface-based VLAN assignment indicates that VLANs are assigned based on interfaces. A
network administrator preconfigures a PVID for each interface on a switch. When an
untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame.
Then the frame is transmitted in a specified VLAN.
In typical hierarchical networking, when the access switch is a Layer 2 switch, the
aggregation switch can be used as the gateway of PCs. The configuration of the access switch
is simplified, and PCs access the external network through one outbound interface, thereby
facilitating maintenance and management.
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-10, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1
and PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3 belongs
to VLAN 4 and connects to SW1 through SW3. No configuration is performed on SW3, and
SW3 functions as the hub and is plug-and-play. SW1 functions as the gateway of PC1, PC2,
and PC3 so that PCs can communicate with each other and can be connected to the router.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based assignment on the access switch to implement Layer 2
interworking.
2. Configure the aggregation switch as the gateway of PCs to implement Layer 3
interworking between PCs on different network segments.
3. Configure the interface connecting the aggregation switch and router.
Procedure
Step 1 Configure SW2.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
PC1, PC2, and PC3 can access each other, and they can communicate with the router.
----End
Configuration Files
Configuration file of SW1
#
sysname SW1
#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 4
#
return
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-11, the GE1/0/1 interfaces on SwitchA and SwitchB connect to two
conference rooms, respectively. Laptop1 and Laptop2 are portable computers used in the two
conference rooms. Laptop1 and Laptop2 belong to two departments, which belong to VLAN
100 and VLAN 200, respectively. Regardless of the conference room in which Laptop1 and
Laptop2 are used, Laptop1 and Laptop2 are required to access the servers of their respective
departments (Server1 and Server2, respectively). The MAC addresses of Laptop1 and Laptop2
are 0001-00ef-00c0 and 0001-00ef-00c1, respectively.
[Figure 6-11: Switch with GE1/0/1 to GE1/0/4; SwitchA and SwitchB connect to the Switch through GE1/0/2 and to Laptop1 and Laptop2 through GE1/0/1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB and add interfaces to VLANs to implement
Layer 2 connectivity.
2. Configure MAC address-based VLAN assignment on SwitchA and SwitchB.
3. Configure transparent transmission of VLAN tagged-packets on the switch so that
Laptop1 and Laptop2 can access Server1 and Server2 of their respective departments.
Procedure
Step 1 Configure SwitchA. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk //The link type of
interfaces connecting switches must be trunk. The default link type of an
interface is not trunk, so you need to manually configure the trunk interface.
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 //Add GE1/0/2
to VLAN 100 and VLAN 200.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 0001-00ef-00c0 //Packets with the MAC
address of 0001-00ef-00c0 are transmitted in VLAN 100.
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 0001-00ef-00c1 //Packets with the MAC
address of 0001-00ef-00c1 are transmitted in VLAN 200.
[SwitchA-vlan200] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //MAC address-based VLAN
assignment can only be enabled on hybrid interfaces. The default link type of an
interface is not hybrid, so you need to manually configure the hybrid interface.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 //Add the
interface to VLAN 100 and VLAN 200 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable //Enable MAC address-based VLAN
assignment on the interface.
[SwitchA-GigabitEthernet1/0/1] quit
Step 2 Configure the switch. The configurations of GE1/0/2, GE1/0/3, and GE1/0/4 are similar to the
configuration of GE1/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200 //Add GE1/0/1
to VLAN 100 and VLAN 200.
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 0001-00ef-00c0 priority 0
vlan 200
mac-vlan mac-address 0001-00ef-00c1 priority 0
#
return
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 0001-00ef-00c0 priority 0
vlan 200
mac-vlan mac-address 0001-00ef-00c1 priority 0
#
return
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-12, an enterprise has multiple services, including IPTV, VoIP, and
Internet access. Each service uses a different IP subnet. To facilitate management, the
company requires that packets of the same service be transmitted in the same VLAN and
packets of different services in different VLANs. The switch receives packets of multiple
services such as data, IPTV, and voice services, and user devices of these services use IP
addresses on different IP subnets. The switch needs to assign VLANs to packets of different
services so that the router can transmit packets with different VLAN IDs to different servers.
[Figure 6-12: Router (GE1/0/1) connects to Switch GE1/0/2; Switch GE1/0/1 connects to a simplified Layer 2 switch]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP subnet-
based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with VLANs so that
the switch determines VLANs based on source IP addresses or network segments of
packets.
Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300 //Create VLAN 100, VLAN 200, and VLAN 300 in a
batch.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
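How the switch picks a VLAN for an arriving frame under the three assignment modes configured in the examples above (port default vlan, mac-vlan, ip-subnet-vlan), as an added Python model that is not Huawei code. Assumed rather than stated on this page: when several modes are enabled on one interface a MAC match is tried before an IP subnet match and both before the PVID, and a matched VLAN must be one the interface belongs to; MAC and IP addresses not taken from the configurations above are constructed.

```python
"""Ingress VLAN classification of one frame under the three assignment modes
configured above: interface-based (port default vlan / PVID), MAC address-based
(mac-vlan) and IP subnet-based (ip-subnet-vlan).  Added example, not Huawei
code.  Assumed: MAC match before IP subnet match before PVID, and a matched
VLAN must be one the interface is a member of (port hybrid untagged ...)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Port:
    name: str
    pvid: int = 1                          # "port default vlan N"; default PVID is 1
    mac_vlan_enable: bool = False          # "mac-vlan enable" (hybrid interface)
    ip_subnet_vlan_enable: bool = False    # "ip-subnet-vlan enable" (hybrid interface)
    allowed: set = field(default_factory=lambda: {1})   # VLANs the port belongs to


@dataclass
class Frame:
    src_mac: str
    src_ip: Optional[str] = None
    vlan_tag: Optional[int] = None         # None means the frame arrived untagged


def norm_mac(mac: str) -> str:
    """Accept Huawei H-H-H notation (0001-00ef-00c0) or colon notation."""
    return mac.replace("-", "").replace(":", "").lower()


class Switch:
    def __init__(self):
        self.mac_vlan = {}          # normalised MAC -> VLAN ("mac-vlan mac-address" in vlan view)
        self.ip_subnet_vlan = []    # (network, VLAN)        ("ip-subnet-vlan N ip A M" in vlan view)

    def add_mac_vlan(self, vlan: int, mac: str) -> None:
        self.mac_vlan[norm_mac(mac)] = vlan

    def add_ip_subnet_vlan(self, vlan: int, ip: str, mask: str) -> None:
        # the command takes any address inside the subnet plus its mask,
        # e.g. 192.168.1.2 255.255.255.0 stands for 192.168.1.0/24
        self.ip_subnet_vlan.append((IPv4Network(f"{ip}/{mask}", strict=False), vlan))

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN the frame is forwarded in, or None if the port drops it."""
        if frame.vlan_tag is not None:
            # already tagged: not reclassified, only checked against the port's VLANs
            return frame.vlan_tag if frame.vlan_tag in port.allowed else None
        if port.mac_vlan_enable:
            vlan = self.mac_vlan.get(norm_mac(frame.src_mac))
            if vlan in port.allowed:
                return vlan
        if port.ip_subnet_vlan_enable and frame.src_ip is not None:
            addr = IPv4Address(frame.src_ip)
            for net, vlan in self.ip_subnet_vlan:
                if addr in net and vlan in port.allowed:
                    return vlan
        return port.pvid                   # interface-based fallback: the PVID


def build_from_page():
    """One switch holding the mac-vlan entries of SwitchA (Figure 6-11) and the
    ip-subnet-vlan entries of the switch in Figure 6-12, plus three ports that
    mirror the interface configurations above."""
    sw = Switch()
    sw.add_mac_vlan(100, "0001-00ef-00c0")                        # Laptop1
    sw.add_mac_vlan(200, "0001-00ef-00c1")                        # Laptop2
    sw.add_ip_subnet_vlan(100, "192.168.1.2", "255.255.255.0")
    sw.add_ip_subnet_vlan(200, "192.168.2.2", "255.255.255.0")
    sw.add_ip_subnet_vlan(300, "192.168.3.2", "255.255.255.0")
    mac_port = Port("SwitchA GE1/0/1", mac_vlan_enable=True, allowed={1, 100, 200})
    subnet_port = Port("Switch GE1/0/1", ip_subnet_vlan_enable=True, allowed={1, 100, 200, 300})
    access_port = Port("access GE1/0/1", pvid=2, allowed={2})    # port default vlan 2
    return sw, mac_port, subnet_port, access_port


if __name__ == "__main__":
    sw, mac_port, subnet_port, access_port = build_from_page()
    # constructed frames: Laptop1 in a conference room, an IPTV host, an unknown host
    print(sw.classify(mac_port, Frame("0001-00ef-00c0")))                    # 100
    print(sw.classify(subnet_port, Frame("00e0-fc00-1234", "192.168.2.77")))  # 200
    print(sw.classify(subnet_port, Frame("00e0-fc00-5678", "10.0.0.5")))      # 1 (PVID)
```

Both mac-vlan and ip-subnet-vlan key on fields the attached host itself supplies, which is why the assignment-mode table earlier rates IP subnet-based assignment as suitable where security requirements are low.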
Configuration Notes
l The default gateway address of hosts in a VLAN must be the IP address of the VLANIF
interface that corresponds to the VLAN.
l This example applies to all versions of the S12700.
Networking Requirements
Different user hosts of an enterprise transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 6-13, User1 and User2 access the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.
[Figure 6-13: Switch GE1/0/1 in VLAN 10 (VLANIF10, 10.10.10.2/24) connects User1 at 10.10.10.3/24; GE1/0/2 in VLAN 20 (VLANIF20, 10.10.20.2/24) connects User2 at 10.10.20.3/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which users belong.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
Procedure
Step 1 Configure the switch.
# Create VLANs, and configure interfaces on the switch connected to user hosts as access
interfaces and add them to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the link type
of the interface as access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Related Content
Support Community
l VLAN Communication
Videos
l Deploying a Layer 3 Switch on a LAN
Configuration Notes
l On the S12700, only E series cards, X1E series cards, and SC cards among S series
support the termination sub-interface. For details, see the card classification in Hardware
Description.
X1E series cards support the termination sub-interface in V200R007C00 and later
versions.
l For Layer 2 interfaces, only hybrid and trunk interfaces support termination sub-
interfaces.
l The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-14, Host A and Host B belong to the R&D department, and Host C and
Host D belong to the quality department. The two departments are connected through a Layer
2 switch, and require Layer 2 isolation and Layer 3 connectivity.
Figure 6-14 Networking for connecting a terminal to a Layer 3 gateway through a Layer 2 switch
[Figure: SwitchB sub-interfaces GE1/0/1.1 (1.1.1.1/24) and GE1/0/1.2 (2.2.2.1/24); SwitchA GE1/0/5 uplink to SwitchB; hosts on SwitchA GE1/0/1 to GE1/0/4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based assignment on the Layer 2 switch to implement Layer 2
isolation.
2. Configure sub-interface termination on the Layer 3 switch to implement Layer 3
connectivity.
Procedure
Step 1 Configure Layer 2 switch SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA //Change the device name to SwitchA for easy
identification.
[SwitchA] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.
# Enable the interface connected to the Layer 3 switch to transparently transmit packets from
a specified VLAN.
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface
connected to the switch as the trunk interface.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3 //Add the
interface to VLAN 2 and VLAN 3.
[SwitchA-GigabitEthernet1/0/5] quit
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-15, to ensure security and facilitate management, an enterprise assigns
a VLAN to a server. The user device belongs to VLAN 10, and the server belongs to VLAN
20. Access, aggregation, and core switches are deployed between the user and server. Access
switches are Layer 2 switches, and aggregation and core switches are Layer 3 switches. The
user and server need to communicate with each other due to service requirements.
Figure 6-15 Networking for configuring communication between different network segments through static routes
[Figure: aggregation switch AGG (VLANIF10: 10.1.1.1/24) with GE1/0/3 uplink and GE1/0/2 down to the access switches ACC1 and ACC2, each uplinked through GE1/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the access switch ACC1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Change the device name to ACC1 for easy identification.
[ACC1] vlan batch 10 //Create VLAN 10 in a batch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC2 //Change the device name to ACC2.
[ACC2] vlan batch 20 //Create VLAN 20 in a batch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname AGG //Change the device name to AGG.
[AGG] vlan batch 10 30 //Create VLAN 10 and VLAN 30 in a batch.
# Create VLANIF 10 and configure an IP address for VLANIF 10 as the gateway address.
[AGG] interface vlanif 10 //Create VLANIF 10.
[AGG-Vlanif10] ip address 10.1.1.1 24 //Configure an IP address for VLANIF 10.
The IP address is the gateway address.
[AGG-Vlanif10] quit
# Create VLANIF 20 and configure an IP address for VLANIF 20 as the gateway address of
the server.
[CORE] interface vlanif 20 //Create VLANIF 20.
[CORE-Vlanif20] ip address 192.168.1.1 24 //Configure an IP address for VLANIF
20. The IP address is the gateway address of the server.
[CORE-Vlanif20] quit
# Configure a static route so that the server and PC can access each other.
[CORE] ip route-static 10.1.1.0 255.255.255.0 10.10.30.1 //Configure a static
route. The packets with the destination IP address of 10.1.1.0/24 are forwarded
to the IP address 10.10.30.1 of VLANIF 30 on the aggregation switch.
Configure the IP address of 192.168.1.2/24 for the server in VLAN 20 and the default
gateway address as 192.168.1.1 (VLANIF 20's IP address).
After the configuration is complete, the PC in VLAN 10 and the server in VLAN 20 can
access each other.
----End
Configuration Files
Configuration file of ACC1
#
sysname ACC1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Super-VLAN Overview
Super-VLAN, also called VLAN aggregation, reduces the number of IP addresses required,
isolates broadcast storms, and controls Layer 2 access on interfaces. A super-VLAN can be
associated with multiple sub-VLANs, which are isolated at Layer 2. All sub-VLANs use the
IP address of the corresponding VLANIF interface for the super-VLAN to implement Layer 3
connectivity with an external network, thereby reducing the number of IP addresses required.
The super-VLAN applies to scenarios where there are many users and VLANs, IP addresses
of devices in many VLANs are on the same network segment, and inter-VLAN Layer 2
isolation needs to be implemented. Inter-VLAN proxy ARP can be enabled to implement
inter-VLAN communication. The scenarios include hotels and residential buildings requiring
broadband access. A room or household is assigned a VLAN and isolated. An IP network
segment cannot be allocated to each VLAN because IP addresses are finite and there are many
VLANs. The VLANs can only share an IP network segment. Assume that the IP network
segment of VLAN 10 is 10.10.10.0/24. A household may use one or two IP addresses,
consuming over 200 IP addresses. Super-VLAN technology allows users in VLANs 11 to 100
to share the IP network segment of 10.10.10.0/24, thus reducing the number of IP addresses
required.
Configuration Notes
l VLAN 1 cannot be configured as a super-VLAN.
l No physical interface can be added to a VLAN configured as a super-VLAN.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-16, a company has many departments on the same network segment.
To improve service security, the company assigns different departments to different VLANs.
VLAN 2 and VLAN 3 belong to different departments. Each department wants to access the
Internet, and PCs in different departments need to communicate to meet service requirements.
[Figure 6-16 not rendered: Router on the Internet side; SwitchB (super-VLAN 4) connects to the router through GE1/0/1 in VLAN 10 and to SwitchA through GE1/0/5; SwitchA GE1/0/1 and GE1/0/2 are in VLAN 2, GE1/0/3 and GE1/0/4 in VLAN 3]
Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces on SwitchA and SwitchB to
transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure SwitchA.
# Add GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 3
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the link type
of the interface as access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add the interface to VLAN
2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add the interface to VLAN
3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3
[SwitchA-GigabitEthernet1/0/4] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 24
[SwitchB-Vlanif4] quit
# Configure the uplink interface GE1/0/1 to transparently transmit packets from the VLAN
that SwitchB and router belong to.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting SwitchB and the router.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 24
[SwitchB-Vlanif10] quit
# Configure a static route to the router on SwitchB so that users can access the Internet.
NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2 to the router
interface. See the router configuration manual.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return
Configuration Notes
l The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN
mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l The VLAN ID assigned to a group or separate VLAN cannot be used to configure any
VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
l Disabling MAC address learning or limiting the number of learned MAC addresses on
an interface affects the MUX VLAN function on the interface.
l MUX VLAN and port security cannot be configured on the same interface
simultaneously.
l MUX VLAN and MAC address authentication cannot be configured on the same
interface simultaneously.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface
simultaneously.
l If the MUX VLAN function is enabled on an interface, VLAN mapping and VLAN
stacking cannot be configured on the interface.
Networking Requirements
All employees of an enterprise can access servers on the enterprise network. The enterprise
allows some employees to communicate but expects to isolate some employees.
As shown in Figure 6-17, Switch1 is deployed at the aggregation layer and used as the
gateway for downstream hosts. Switch2, Switch3, Switch4, Switch5, and Switch6 are access
switches. Their GE1/0/1 interfaces connect to downstream hosts, and their GE1/0/2 interfaces
connect to Switch1. You can configure MUX VLAN on Switch1. This reduces the number of
VLAN IDs on the enterprise network and facilitates network management.
[Figure 6-17 not rendered: Switch1 uplinks to the Internet; GE1/0/2 connects to Switch2 (server, VLAN 2, principal VLAN); GE1/0/3 to GE1/0/6 connect to the other access switches]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address for downstream hosts and servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to VLANs and enable the MUX VLAN function on the interfaces.
5. Add interfaces of access switches to VLANs.
Procedure
Step 1 Enable the MUX VLAN function on Switch1.
# On Switch1, create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for VLAN 2.
The IP address of the VLANIF interface is used as the gateway IP address for downstream
hosts and servers.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit
# Configure the group VLAN and separate VLAN of the MUX VLAN on Switch1.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3 //Configure VLAN 3 as the group VLAN.
[Switch1-vlan2] subordinate separate 4 //Configure VLAN 4 as the separate VLAN.
[Switch1-vlan2] quit
# Add interfaces to the VLANs on Switch1 and enable the MUX VLAN function on
interfaces.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2
[Switch1-GigabitEthernet1/0/2] quit
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] port link-type trunk
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/3] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] port link-type trunk
[Switch1-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/4] quit
[Switch1] interface gigabitethernet 1/0/5
[Switch1-GigabitEthernet1/0/5] port link-type trunk
[Switch1-GigabitEthernet1/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/5] quit
[Switch1] interface gigabitethernet 1/0/6
[Switch1-GigabitEthernet1/0/6] port link-type trunk
[Switch1-GigabitEthernet1/0/6] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/6] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/6] quit
Step 2 Configure interfaces of access switches and add them to VLANs. The configurations of
Switch3, Switch4, Switch5, and Switch6 are similar to the configuration of Switch2, and are
not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 2
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type access //Configure the link type
of the interface as access.
[Switch2-GigabitEthernet1/0/1] port default vlan 2
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 //Configure the
link type of the interface as trunk.
[Switch2-GigabitEthernet1/0/2] quit
----End
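The reachability rules behind the MUX VLAN configured above, as an added example that is not Huawei's code: it parses the Switch1 configuration file from this page, evaluates which of the hosts behind Switch2 to Switch6 can reach each other, and checks the configuration note that no VLANIF may exist on a group or separate VLAN. The host names are constructed; the forwarding rules follow the MUX VLAN feature definition (principal VLAN reaches all hosts, a group VLAN reaches itself and the principal, a separate VLAN reaches only the principal).

```python
"""Reachability check for the MUX VLAN example on this page (Switch1:
principal VLAN 2 with the server, group VLAN 3, separate VLAN 4).
Added example, not Huawei's code."""
from dataclasses import dataclass, field


@dataclass
class MuxVlan:
    principal: int
    group: set = field(default_factory=set)      # "subordinate group"
    separate: set = field(default_factory=set)   # "subordinate separate"

    def role(self, vlan):
        if vlan == self.principal:
            return "principal"
        if vlan in self.group:
            return "group"
        if vlan in self.separate:
            return "separate"
        raise ValueError(f"VLAN {vlan} is not part of MUX VLAN {self.principal}")

    def can_reach(self, src_vlan, dst_vlan):
        """Layer 2 reachability between two hosts given their VLANs."""
        src, dst = self.role(src_vlan), self.role(dst_vlan)
        if "principal" in (src, dst):
            return True                   # the principal VLAN talks to everyone
        if src == "group" and dst == "group":
            return src_vlan == dst_vlan   # group hosts: only within the same group VLAN
        return False                      # separate hosts: principal only, not even each other


def _vlan_ids(tokens):
    """Expand '3', '3 4' or '3 to 5' into a set of VLAN IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_config(text):
    """Return (MuxVlan or None, set of VLAN IDs that have a VLANIF interface)."""
    mux, current, vlanifs = None, None, set()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "vlan" and len(t) == 2 and t[1].isdigit():   # "vlan 2", not "vlan batch"
            current = int(t[1])
        elif t[0] == "mux-vlan" and current is not None:
            mux = MuxVlan(current)
        elif t[0] == "subordinate" and mux is not None:
            (mux.group if t[1] == "group" else mux.separate).update(_vlan_ids(t[2:]))
        elif t[0] == "interface" and t[1].lower().startswith("vlanif"):
            vlanifs.add(int(t[1][6:]))
    return mux, vlanifs


def violations(mux, vlanifs):
    """Configuration-notes check: a group or separate VLAN must not carry a VLANIF."""
    return sorted(v for v in vlanifs if v in mux.group or v in mux.separate)


# The relevant part of the Switch1 configuration file from this page.
SWITCH1_CONFIG = """\
vlan batch 2 to 4
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
interface Vlanif2
 ip address 192.168.100.100 255.255.255.0
"""

# Constructed host names: server behind Switch2 (VLAN 2), PCs behind
# Switch3/Switch4 (VLAN 3) and Switch5/Switch6 (VLAN 4).
HOSTS = {"server": 2, "pc3": 3, "pc4": 3, "pc5": 4, "pc6": 4}


def reachability(mux, hosts=HOSTS):
    """Map every (source, destination) host pair to True/False."""
    return {(a, b): mux.can_reach(va, vb)
            for a, va in hosts.items() for b, vb in hosts.items() if a != b}
```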
Configuration Files
Configuration file of Switch1
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
return
#
sysname Switch2
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
#
sysname Switch3
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
#
sysname Switch4
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
#
sysname Switch5
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return
#
sysname Switch6
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
Configuration Notes
This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-18, a network has two enterprises: enterprise 1 and enterprise 2. Both
enterprises have two branches. Enterprise 1 and enterprise 2 networks connect to SwitchA and
SwitchB, respectively, of the ISP network. In addition, there are non-Huawei devices on the
public network and the TPID in the outer VLAN tag is 0x9100.
The requirements are as follows:
l VLANs need to be independently assigned to enterprise 1 and enterprise 2.
l Traffic between the two branches of each enterprise is transparently transmitted through
the public network. Users accessing the same service in different branches of each
enterprise are allowed to communicate, and users accessing different services must be
isolated.
QinQ can be used to meet the preceding requirements. Configure VLAN 100 and VLAN 200
to implement connectivity of enterprise 1 and enterprise 2 respectively and to isolate
enterprise 1 and enterprise 2; configure the TPID in the outer VLAN tag on switch interfaces
connected to non-Huawei devices so that Huawei switches can communicate with the non-
Huawei devices.
[Figure 6-18 not rendered: SwitchA and SwitchB each connect to the ISP network (VLAN 100, 200, TPID=0x9100) through GE1/0/3 and to the enterprise branches through GE1/0/1 and GE1/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure connected
interfaces as QinQ interfaces, and add the interfaces to VLANs so that different VLAN
tags are added to packets of different services.
2. Add interfaces of SwitchA and SwitchB that are connected to the public network to
VLANs so that packets from VLAN 100 and VLAN 200 are allowed to pass through.
3. Configure the TPID in the outer VLAN tag on interfaces of SwitchA and SwitchB that
are connected to the public network so that SwitchA and SwitchB can communicate with
non-Huawei devices.
Procedure
Step 1 Create VLANs.
# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the default VLAN
of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN 200. VLAN 100 and
VLAN 200 are added to outer tags. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link
type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/1] port default vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link
type of the interface as QinQ.
[SwitchA-GigabitEthernet1/0/2] port default vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to
802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted
over a public network.
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ.
Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of
basic QinQ, selective QinQ takes different actions for packets received by the same interface
based on VLANs.
VLAN ID-based selective QinQ adds different outer VLAN tags to packets with different
inner VLAN IDs.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:
l Before configuring selective QinQ on a fixed switch, you must run the qinq vlan-
translation enable command to enable VLAN translation.
l Selective QinQ can only be enabled on hybrid interfaces in the inbound direction.
l The outer VLAN must be created before selective QinQ is performed.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can add only one outer VLAN tag to a frame
with an inner VLAN tag on an interface.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN of selective QinQ.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-19, Internet access users (using PCs) and VoIP users (using VoIP
phones) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.
In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP phones.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network.
[Figure 6-19 not rendered: a PC and a VoIP phone behind SwitchA, a VoIP phone and a PC behind SwitchB, connected through the ISP network]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
If SwitchA and SwitchB are configured correctly, the following can be verified:
l PCs can communicate with each other through the ISP network.
l VoIP phones can communicate with each other through the ISP network.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to
802.1Q tagged packets. It allows services in a private VLAN to be transparently transmitted
over a public network.
Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of QinQ.
Selective QinQ is performed based on interfaces and VLAN IDs. In addition to functions of
basic QinQ, selective QinQ takes different actions for packets received by the same interface
based on VLANs.
Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can provide
differentiated services based on service types.
Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following points:
l Selective QinQ can only be enabled on hybrid interfaces in the inbound direction.
l The outer VLAN must be created before selective QinQ is performed.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can add only one outer VLAN tag to a frame
with an inner VLAN tag on an interface.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN of selective QinQ.
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 6-20, Internet access users (using PCs) and VoIP users (using VoIP
phones) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network. Flow-based selective
QinQ can be configured to meet the requirement.
[Figure 6-20 not rendered: a PC and a VoIP phone behind SwitchA, a VoIP phone and a PC behind SwitchB, connected through the ISP network]
Configuration Roadmap
The configuration roadmap is as follows:
2. Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and
SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to
VLANs.
4. Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective
QinQ.
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching
rule to match packets from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding
VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later
versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching
rule to match packets from VLANs 300 to 400.
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding
VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later
versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching
rule to match packets from VLANs 100 to 200.
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding
VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later
versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching
Step 3 Apply the traffic policies to interfaces on SwitchA and SwitchB to implement selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic
policy name1 to the interface in the inbound direction.
[SwitchA-GigabitEthernet1/0/1] quit
----End
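A byte-level model of the three QinQ variants on this page, as an added example that is not Huawei's code: basic dot1q-tunnel QinQ with the outer TPID rewritten to 0x9100 towards the ISP (Figure 6-18), VLAN ID-based selective QinQ with port vlan-stacking (Figure 6-19), and flow-based selective QinQ with if-match vlan-id ranges (Figure 6-20). The MAC addresses and sample frames are constructed, and the rule tuples stand in for the CLI commands.

```python
"""Frame-level model of QinQ tagging as configured on this page.
Added example, not Huawei's code."""
import struct

DOT1Q = 0x8100      # standard 802.1Q TPID
ISP_TPID = 0x9100   # TPID the non-Huawei devices on the public network expect


def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet frame with the given 802.1Q tags (outermost first, TPID 0x8100, PCP/DEI 0)."""
    tags = b"".join(struct.pack("!HH", DOT1Q, v & 0x0FFF) for v in vids)
    return bytes.fromhex(dst) + bytes.fromhex(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(DOT1Q, ISP_TPID)):
    """Return (VLAN IDs outermost first, EtherType, payload). A TPID not listed
    in `tpids` is read as the EtherType, which is exactly what a device that
    does not know 0x9100 would do with the ISP-facing frames."""
    off, vids = 12, []
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in tpids:
            return vids, et, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def push_outer_tag(frame, vid, tpid=DOT1Q):
    """Insert a new outer tag directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def dot1q_tunnel_ingress(frame, default_vlan):
    """'port link-type dot1q-tunnel' + 'port default vlan N': every frame,
    tagged or untagged, gets outer VLAN N; an existing tag becomes the inner tag."""
    return push_outer_tag(frame, default_vlan)


def selective_qinq_ingress(frame, rules):
    """rules: list of (inner_low, inner_high, stack_vlan). A single VLAN ID
    (low == high) models 'port vlan-stacking vlan 100 stack-vlan 2'; a range
    models 'if-match vlan-id 100 to 200' with 'nest top-most vlan-id 2'.
    Untagged frames and frames matching no rule pass through unchanged."""
    vids, _, _ = parse_tags(frame, tpids=(DOT1Q,))
    if not vids:
        return frame
    for low, high, outer in rules:
        if low <= vids[0] <= high:
            return push_outer_tag(frame, outer)   # only one outer tag is ever added
    return frame


def set_outer_tpid(frame, tpid=ISP_TPID):
    """'qinq protocol 9100' on the public-network trunk: rewrite the outer TPID."""
    vids, _, _ = parse_tags(frame, tpids=(DOT1Q,))
    return frame[:12] + struct.pack("!H", tpid) + frame[14:] if vids else frame


# Constructed sample traffic: an IPv4 frame from a PC in VLAN 100 and one
# from a VoIP phone in VLAN 300 (payload is a dummy IPv4 header).
PC_FRAME = build_frame("001122334455", "66778899aabb", 0x0800, b"\x45" + b"\x00" * 19, vids=(100,))
VOIP_FRAME = build_frame("001122334455", "ccddeeff0011", 0x0800, b"\x45" + b"\x00" * 19, vids=(300,))

VLAN_ID_RULES = [(100, 100, 2), (300, 300, 3)]   # Figure 6-19: vlan-stacking rules
FLOW_RULES = [(100, 200, 2), (300, 400, 3)]      # Figure 6-20: traffic classifier ranges
```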
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
LDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check whether the
packets return to the local device (receive and transmit interfaces can be different), and
determines whether loops occur on the interface, local network, or downstream network.
l If LDT packets are received by the same interface, a loopback occurs on the interface or
a loop occurs on the network connected to the interface.
l If LDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no LDT
packets from the problematic interface within the recovery time, it considers that the loop is
eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/
RSTP/MSTP/VBST.
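A small state machine for the LDT behaviour described above (a probe returning on the same or another interface, the five actions, and restoration after the recovery time), as an added example that is not Huawei's code. The branch topology with loops in VLAN 10 and VLAN 15 behind GE1/0/1 is constructed, and applying the action to the interface that receives the returned probe is an assumption.

```python
"""LDT (loop detection) state machine for the scenario on this page: the
Switch probes GE1/0/1 in VLANs 10 to 20 every interval and reacts to probes
that come back. Added example, not Huawei's code."""
from dataclasses import dataclass, field

DEFAULT_ACTION = "shutdown"   # the interface is shut down by default


@dataclass
class Port:
    name: str
    vlans: set                        # VLANs in which LDT probes this interface
    action: str = DEFAULT_ACTION      # trap | block | nolearning | shutdown | quitvlan
    up: bool = True
    blocked: bool = False
    mac_learning: bool = True
    quit_vlans: set = field(default_factory=set)   # VLANs left through "quitvlan"
    loop_seen: dict = field(default_factory=dict)  # vlan -> time a probe last came back


@dataclass
class Event:
    time: int
    port: str
    vlan: int
    kind: str   # "loop on interface or downstream network" | "loop on network" | "recovered"


class LdtSwitch:
    def __init__(self, ports, recovery=30):
        self.ports = {p.name: p for p in ports}
        self.recovery = recovery   # seconds without returned probes before restoration
        self.events = []

    def run_cycle(self, now, loop_path):
        """One send/receive cycle. loop_path(port, vlan) models the cabling: it
        returns the name of the interface on which the probe comes back, or None."""
        for port in list(self.ports.values()):
            # a problematic interface keeps probing, also in a VLAN it was removed from
            for vlan in sorted(port.vlans | port.quit_vlans):
                back = loop_path(port, vlan)
                if back is not None:
                    self._on_returned_probe(self.ports[back], vlan, now, back == port.name)
        self._recover(now)

    def _on_returned_probe(self, port, vlan, now, same_interface):
        already_known = vlan in port.loop_seen
        port.loop_seen[vlan] = now
        if already_known:
            return
        kind = "loop on interface or downstream network" if same_interface else "loop on network"
        self.events.append(Event(now, port.name, vlan, kind))
        # Assumption: the action is applied to the interface that received the probe.
        if port.action == "block":
            port.blocked = True          # only BPDUs are still forwarded
        elif port.action == "nolearning":
            port.mac_learning = False
        elif port.action == "shutdown":
            port.up = False
        elif port.action == "quitvlan":
            port.vlans.discard(vlan)
            port.quit_vlans.add(vlan)
        # "trap": report to the NMS and log only; the interface is left alone

    def _recover(self, now):
        """No returned probe within the recovery time: the loop is considered gone."""
        for port in self.ports.values():
            expired = [v for v, t in port.loop_seen.items() if now - t >= self.recovery]
            for vlan in expired:
                del port.loop_seen[vlan]
                self.events.append(Event(now, port.name, vlan, "recovered"))
                if vlan in port.quit_vlans:
                    port.quit_vlans.discard(vlan)
                    port.vlans.add(vlan)
            if expired and not port.loop_seen:
                port.up, port.blocked, port.mac_learning = True, False, True


def branch_loops(port, vlan):
    """Constructed topology: the new branch behind GE1/0/1 has loops in VLAN 10
    and VLAN 15. A probe can only come back while the interface is up and
    still carries that VLAN."""
    if port.name == "GE1/0/1" and port.up and vlan in (10, 15) and vlan in port.vlans:
        return "GE1/0/1"
    return None


def simulate(action=DEFAULT_ACTION, cycles=(0, 10, 20, 30)):
    """Run LDT cycles at the given times (interval 10 s, recovery 30 s) and
    return the switch so its events and interface state can be inspected."""
    sw = LdtSwitch([Port("GE1/0/1", set(range(10, 21)), action=action)])
    for now in cycles:
        sw.run_cycle(now, branch_loops)
    return sw
```

simulate("shutdown") reproduces the note under the procedure: once GE1/0/1 is shut down for the loop in VLAN 10, the loop in VLAN 15 is never detected, whereas simulate("trap") reports both.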
Configuration Notes
l This example applies to all versions of the S12700.
l LDT and LBDT cannot be configured simultaneously.
l LDT needs to send a large number of LDT packets to detect loops, occupying system
resources. Therefore, disable LDT if loops do not need to be detected.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an
interface of an LDT-enabled VLAN. Conversely, if LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT on the
interface first.
l LDT sends only tagged packets and can only detect loops based on VLANs. LDT can
detect loops in a maximum of 4094 VLANs, and cannot detect loops in dynamic
VLANs.
l When a loop occurs on the network-side interface where the Block or Shutdown action
is configured, all services on the device are interrupted. Do not deploy LDT on the
network-side interface.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
Networking Requirements
As shown in Figure 6-21, a new branch network of an enterprise connects to the aggregation
switch Switch, and VLANs 10 to 20 are deployed on the branch network. Loops occur due to
incorrect connections or configurations. As a result, communication on the Switch and uplink
network is affected.
It is required that the Switch should immediately detect loops on the new branch network to
prevent the impact of loops on the Switch and uplink network.
Figure 6-21 Networking for configuring LDT to detect loops on the downstream network
[Figure 6-21 not rendered: the Switch connects through GE1/0/1 to the new branch, VLAN 10-20]
Configuration Roadmap
Loops need to be detected in VLANs 10 to 20 (more than eight VLANs) on the new branch
network, so you need to configure LDT on the Switch to detect loops on the new branch
network. The configuration roadmap is as follows:
1. Enable LDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so that loops
on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can immediately shut
down the interface where a loop is detected. This prevents the impact of the loop on the
Switch and uplink network.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity
on the new network and between the new network and the Switch.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.
The command output shows that LDT is enabled in VLANs 10 to 20 and the Shutdown
action is taken on GE1/0/1 in VLAN 10, indicating that loops are detected in VLAN 10.
NOTE
After loops are detected in one or more VLANs, the system shuts down the interface and the loops
are removed. In this case, LDT may be unable to detect all VLANs where loops occur.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent trap enable feature-name LDTTRAP
#
return
LDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check whether the
packets return to the local device (receive and transmit interfaces can be different), and
determines whether loops occur on the interface, local network, or downstream network.
l If LDT packets are received by the same interface, a loopback occurs on the interface or
a loop occurs on the network connected to the interface.
l If LDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no LDT
packets from the problematic interface within the recovery time, it considers that the loop is
eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/
RSTP/MSTP/VBST.
Configuration Notes
l This example applies to all versions of the S12700.
l LDT and LBDT cannot be configured simultaneously.
l LDT needs to send a large number of LDT packets to detect loops, occupying system
resources. Therefore, disable LDT if loops do not need to be detected.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an
interface of an LDT-enabled VLAN. Conversely, if LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT on the
interface first.
l LDT sends only tagged packets and can only detect loops based on VLANs. LDT can
detect loops in a maximum of 4094 VLANs, and cannot detect loops in dynamic
VLANs.
l When a loop occurs on the network-side interface where the Block or Shutdown action
is configured, all services on the device are interrupted. Do not deploy LDT on the
network-side interface.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
Networking Requirements
As shown in Figure 6-22, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass through.
Because employees often move, the network topology changes frequently. Connections or
configurations may be incorrect due to misoperations. As a result, loops may occur in VLANs
10 to 20.
Loops cause broadcast storms and affect device and network communication. It is required
that loops be detected and eliminated in VLANs in a timely manner to prevent broadcast
storms.
Figure 6-22 Networking for configuring LDT to detect loops on the local network (figure labels: Switch, GE1/0/0, GE2/0/0, VLAN 10~20)
Configuration Roadmap
Loops need to be detected in VLANs 10 to 20. Because more than eight VLANs are involved
(LBDT can detect loops in at most eight VLANs), configure LDT to detect the loops and
configure an action to be taken after a loop is detected to prevent broadcast storms. All
VLANs share a link. To prevent loop removal in one VLAN from affecting data forwarding
in the other VLANs, configure the Quitvlan action. The configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs 10 to 20.
2. Configure an action to be taken after a loop is detected on GE1/0/0 and GE2/0/0, and set
the recovery time so that the Switch can immediately take the preconfigured action on
the interface to prevent broadcast storms after a loop is detected. In addition, the Switch
can restore the interface after the loop is eliminated.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Quitvlan Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Quitvlan Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Quitvlan Quitvlan 30 13
Quitvlan Quitvlan 30 14
Quitvlan Quitvlan 30 15
Normal Quitvlan 30 16
Quitvlan Quitvlan 30 17
Quitvlan Quitvlan 30 18
Normal Quitvlan 30 19
Quitvlan Quitvlan 30 20
In the command output, LDT is enabled in VLANs 10 to 20, GE1/0/0 is removed from
VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is removed from VLANs 13, 14, 15, 17, 18,
and 20.
NOTE
The VLANs that an interface is removed from are uncertain, but the interface will be removed
from all VLANs where loops occur.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and connections
between devices are corrected), check whether GE1/0/0 and GE2/0/0 are restored.
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
The command output shows that GE1/0/0 and GE2/0/0 are restored.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent trap enable feature-name LDTTRAP
#
return
LBDT Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes network
breakdown. Quickly detecting loops on a Layer 2 network can minimize the impact of loops
on the entire network; therefore, a detection technology that notifies users of loops is required.
When a loop occurs, users are requested to check network connections and configurations,
and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can be
different), and determines whether loops occur on the interface, local network, or downstream
network.
l If LBDT packets are received and sent by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
l If LBDT packets are received by another interface on the same device, a loop occurs on
the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs, and control
the interface status (the interface is shut down by default) according to the device
configuration so that the impact of loops on the device and network is minimized. The device
provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device blocks this interface, and can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured recovery
time expires, the system attempts to restore the problematic interface. If the device receives
no LBDT packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the entire
network in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST.
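The probe-and-act cycle described in the LDT and LBDT overviews above, modelled as an added example that is not Huawei code: a toy switch sends one tagged probe per (port, VLAN) every interval, classifies a returned probe by whether it came back on the sending port, applies the configured action (Quitvlan records only the looped VLAN) and runs the two-phase recovery timer. The device, port and VLAN names and the looping paths are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Probe:
    """One tagged detection packet: sender, sending port, VLAN."""
    device: str
    iface: str
    vlan: int


@dataclass
class Port:
    name: str
    vlans: Set[int]                  # VLANs in which this port sends probes
    action: str = "shutdown"         # trap | block | nolearn | shutdown | quitvlan
    recovery_time: int = 30          # seconds
    status: str = "normal"           # "normal" or the action currently applied
    loop_vlans: Set[int] = field(default_factory=set)  # VLANs left under quitvlan
    action_at: Optional[int] = None  # when the action was applied
    last_rx: Optional[int] = None    # last time one of this port's probes returned


class LoopDetectDevice:
    """Toy model of one switch running loop detection (constructed, not Huawei code)."""

    def __init__(self, name: str, interval: int = 5):
        self.name, self.interval = name, interval
        self.ports: Dict[str, Port] = {}
        self.events: List[Tuple] = []

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def send_probes(self, now: int) -> List[Probe]:
        """Every `interval` seconds emit one probe per (port, VLAN). A port under
        action keeps probing; that is how recovery is detected later."""
        if now % self.interval:
            return []
        return [Probe(self.name, p.name, v) for p in self.ports.values() for v in p.vlans]

    def receive(self, now: int, rx_iface: str, probe: Probe) -> Optional[str]:
        """Classify a probe that came back and apply the sending port's action."""
        if probe.device != self.name:
            return None                      # another device's probe: forward it
        if probe.iface == rx_iface:
            kind = "loopback on interface or loop on its attached network"
        else:
            kind = "loop on the network attached to the sending interface"
        port = self.ports[probe.iface]
        port.last_rx = now
        if port.status == "normal":
            port.status, port.action_at = port.action, now
            self.events.append((now, port.name, kind, port.action))
        if port.action == "quitvlan":
            port.loop_vlans.add(probe.vlan)  # only the looped VLAN is left
        return kind

    def tick(self, now: int) -> None:
        """Two-phase recovery as described above: wait recovery_time after the
        action, then restore if no probe returns during a further recovery_time."""
        for port in self.ports.values():
            if port.status == "normal" or now - port.action_at < port.recovery_time:
                continue
            quiet_since = max(port.action_at + port.recovery_time, port.last_rx)
            if now - quiet_since >= port.recovery_time:
                port.status, port.loop_vlans = "normal", set()
                self.events.append((now, port.name, "restored", None))


def simulate(dev, loop_paths, loop_until, start, until):
    """loop_paths: {sending iface: (receiving iface, looped VLANs)}; the
    constructed miswiring exists while now < loop_until."""
    for now in range(start, until + 1):
        if now < loop_until:
            for probe in dev.send_probes(now):
                path = loop_paths.get(probe.iface)
                if path and probe.vlan in path[1]:
                    dev.receive(now, path[0], probe)
        dev.tick(now)
    return dev.events


def demo():
    """Same shape as the Quitvlan example above: two hybrid ports carrying
    VLANs 10-20, with different VLANs looping behind each of them."""
    dev = LoopDetectDevice("Switch", interval=5)
    for name in ("GE1/0/0", "GE2/0/0"):
        dev.add_port(Port(name, set(range(10, 21)), action="quitvlan", recovery_time=30))
    paths = {"GE1/0/0": ("GE2/0/0", {10, 11, 12, 16, 19}),
             "GE2/0/0": ("GE1/0/0", {13, 14, 15, 17, 18, 20})}
    simulate(dev, paths, loop_until=100, start=0, until=50)
    during = {n: sorted(p.loop_vlans) for n, p in dev.ports.items()}
    simulate(dev, paths, loop_until=100, start=51, until=200)  # loop fixed at t=100
    return during, dev.events
```

With the loop removed at t=100 and the last probe returning at t=95, both ports are restored at t=125, i.e. one recovery time after the watch window opened.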
Configuration Notes
l This example applies to all versions of the S12700.
l LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l Do not use LBDT with ERPS, RRPP, SEP, Smart Link, or STP/RSTP/MSTP/VBST.
l An interface can send LBDT packets with the specified VLAN tag only when the
specified VLAN has been created.
l LBDT can detect loops in a maximum of eight VLANs, and cannot detect loops in
dynamic VLANs.
l When loops in the default VLAN of an interface need to be detected or an interface joins
the detected VLAN in untagged mode, LBDT may fail to detect loops. This is because
the VLAN tag of LBDT packets is removed and the packet priority changes.
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with GVRP, or the action of removing an interface
from the VLAN where MAC address flapping occurs.
l On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.
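An added configuration audit (not Huawei tooling) that checks a configuration file in the format of the Configuration Files sections against the LDT and LBDT configuration notes above: LDT and LBDT together, LBDT on an Eth-Trunk or a member interface, more than eight LBDT VLANs, LBDT VLANs that were never created, STP left enabled on an interface carrying an LDT-enabled VLAN, and a Block/Shutdown LDT action on a network-side interface. The parser understands only the command forms shown in this document; the sample configuration, the `uplinks` parameter naming network-side interfaces and the assumption that STP is enabled by default are mine, not the page's.

```python
import re

def parse_vlan_list(text):
    """'10 to 20 30' -> {10..20, 30}: the VLAN list syntax used by vlan batch,
    loop-detection enable vlan and loopback-detect packet vlan."""
    vlans, tok, i = set(), text.split(), 0
    while i < len(tok):
        if i + 2 < len(tok) and tok[i + 1] == "to":
            vlans.update(range(int(tok[i]), int(tok[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tok[i]))
            i += 1
    return vlans

def parse_config(text):
    """Split a '#'-delimited file into global lines and lines per interface view."""
    cfg, current = {"global": [], "interfaces": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None                        # '#' closes the current view
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = []
        elif current is not None:
            cfg["interfaces"][current].append(line)
        else:
            cfg["global"].append(line)
    return cfg

# VLAN membership commands; 'port trunk allow-pass vlan' is not in this document.
CARRIED = re.compile(r"port (?:hybrid (?:tagged|untagged)|trunk allow-pass) vlan (.+)")

def audit(text, uplinks=()):
    """One finding per violated note; `uplinks` names the network-side interfaces
    (assumed known to the operator) that must not carry a Block/Shutdown action."""
    cfg, findings = parse_config(text), []
    created, ldt_vlans = set(), set()
    for line in cfg["global"]:
        if line.startswith("vlan batch "):
            created |= parse_vlan_list(line[len("vlan batch "):])
        elif line.startswith("loop-detection enable vlan "):
            ldt_vlans |= parse_vlan_list(line[len("loop-detection enable vlan "):])
    ldt_on = "loop-detection enable" in cfg["global"]
    lbdt_ifaces = {n for n, ls in cfg["interfaces"].items() if "loopback-detect enable" in ls}
    if ldt_on and lbdt_ifaces:
        findings.append("LDT and LBDT are both configured (not allowed on a modular switch)")
    for name, lines in cfg["interfaces"].items():
        if name in lbdt_ifaces:
            if name.startswith("Eth-Trunk") or any(l.startswith("eth-trunk ") for l in lines):
                findings.append(f"{name}: LBDT on an Eth-Trunk or a member interface")
            lbdt_vlans = set()
            for l in lines:
                if l.startswith("loopback-detect packet vlan "):
                    lbdt_vlans |= parse_vlan_list(l[len("loopback-detect packet vlan "):])
            if len(lbdt_vlans) > 8:
                findings.append(f"{name}: LBDT in {len(lbdt_vlans)} VLANs, maximum is 8")
            if lbdt_vlans - created:
                findings.append(f"{name}: LBDT VLANs {sorted(lbdt_vlans - created)} not created")
        carried = set()
        for l in lines:
            m = CARRIED.match(l)
            if m:
                carried |= parse_vlan_list(m.group(1))
        if ldt_on and carried & ldt_vlans:
            if "stp disable" not in lines:     # assumption: STP is enabled by default
                findings.append(f"{name}: carries LDT VLANs but STP is not disabled")
            mode = next((l.split()[-1] for l in lines if l.startswith("loop-detection mode ")), None)
            action = mode or "shutdown (default)"
            if name in uplinks and "quitvlan" not in action:
                findings.append(f"{name}: network-side interface with LDT action {action}")
    return findings

# Constructed sample in the format of the Configuration Files sections.
SAMPLE = """\
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
 port hybrid tagged vlan 10 to 20
 stp disable
 loop-detection mode port-quitvlan
#
interface GigabitEthernet2/0/0
 port hybrid tagged vlan 10 to 20
#
interface Eth-Trunk1
 loopback-detect packet vlan 100
 loopback-detect enable
#
return
"""
```

`audit(SAMPLE, uplinks={"GigabitEthernet2/0/0"})` returns five findings: the LDT/LBDT conflict, two for GigabitEthernet2/0/0 and two for Eth-Trunk1.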
Networking Requirements
As shown in Figure 6-23, aggregation switch SwitchA on an enterprise network connects to
access switch SwitchB. A loopback can occur on the TX-RX interface GE1/0/0 if the optical
fibers are connected incorrectly or the interface is damaged by high voltage, so SwitchA is
required to detect loopbacks on GE1/0/0. When a loopback is detected, the interface must be
blocked to reduce the impact of the loopback on the network, and the interface must be
restored after the loopback is removed.
[Figure 6-23 (not reproduced); labels: GE1/0/0, Tx, Rx, GE1/0/0, SwitchB]
Configuration Roadmap
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on GE1/0/0
of SwitchA. The configuration roadmap is as follows:
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable //Enable LBDT on the
interface.
[SwitchA-GigabitEthernet1/0/0] quit
Step 2 Configure an action to be taken after a loop is detected and set the recovery time.
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block //Configure the
Block action to be taken after a loop is detected.
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30 //Set the
recovery delay to 30s.
[SwitchA-GigabitEthernet1/0/0] quit
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/0 is
blocked.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block BLOCK(Loopback detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/0 is blocked, indicating that a
loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command to check
whether GE1/0/0 is restored.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0 30 block NORMAL
----------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
interface GigabitEthernet1/0/0
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return
Networking Requirements
As shown in Figure 6-24, a new department of an enterprise connects to the aggregation
switch Switch, and this department belongs to VLAN 100. Loops occur due to incorrect
connections or configurations. As a result, communication on the Switch and uplink network
is affected.
It is required that the Switch should detect loops on the new network to prevent the impact of
loops on the Switch and connected network.
Figure 6-24 Networking for configuring LBDT to detect loops on the downstream network (figure labels: Switch, GE1/0/1, New Department, VLAN 100)
Configuration Roadmap
The new department network has only VLAN 100, so configure LBDT on the Switch to
detect loops. The configuration roadmap is as follows:
1. Enable LBDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1 after a
loop is detected. This prevents the impact of the loop on the Switch and connected
network.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity
on the new network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the
interface.
[Switch-GigabitEthernet1/0/1] quit
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 - shutdown NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. Construct loops on the downstream network and run the display loopback-detect
command to check whether GE1/0/1 is shut down.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 - shutdown SHUTDOWN(Loopback detected)
----------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable
#
return
Networking Requirements
As shown in Figure 6-25, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes frequently. Loops
occur due to incorrect connections or configurations during the change. As a result, broadcast
storms occur and affect communication of the Switch and entire network.
l When a loop exists, the interface is blocked to reduce the impact of the loop on the
Switch and network.
l When the loop is eliminated, the interface can be restored.
Figure 6-25 Networking for configuring LBDT to detect loops on the local network (figure labels: Switch, GE1/0/1, GE1/0/2, VLAN 100)
Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on GE1/0/1
and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent by the Switch will
be discarded by other switches on the network. As a result, the packets cannot be sent back to
the Switch, and LBDT fails. Therefore, LBDT is configured in a specified VLAN. The
configuration roadmap is as follows:
1. Enable LBDT on interfaces and configure the Switch to detect loops in VLAN 100 to
implement LBDT on the network where the Switch is located.
2. Configure an action to be taken after a loop is detected and set the recovery time. After a
loop is detected, the Switch blocks the interface to reduce the impact of the loop on the
network. After a loop is eliminated, the interface can be restored.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from corresponding VLANs to pass through to ensure Layer 2 connectivity.
Procedure
Step 1 Enable LBDT on interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the
interface.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect enable //Enable LBDT on the
interface.
[Switch-GigabitEthernet1/0/2] quit
switch interface is not hybrid. You can choose run the port link-type hybrid
command to configure the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to
detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/2] loopback-detect packet vlan 100 //Enable LBDT to
detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/2] quit
Step 3 Configure an action to be taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action block //Configure the Block
action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30 //Set the
recovery time to 30s.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect action block //Configure the Block
action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30 //Set the
recovery time to 30s.
[Switch-GigabitEthernet1/0/2] quit
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/1 or
GE1/0/2 is blocked.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
----------------------------------------------------------------------------------
----End
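The Quitvlan note in the LDT example above says that which VLANs an interface leaves is not predictable, so an operator has to read it off the display output. As an added example that is not Huawei code, the following parses the `display loop-detection interface` and `display loopback-detect` outputs shown in this document into records and raises an alert for every VLAN or interface whose status is not Normal; the two sample outputs are constructed to match the page's tables.

```python
# Constructed sample, shaped like the 'display loop-detection interface' output above.
LDT_SAMPLE = """\
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Quitvlan Quitvlan 30 10
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Quitvlan Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Quitvlan Quitvlan 30 19
Normal Quitvlan 30 20
"""

# Constructed sample, shaped like the 'display loopback-detect' output above.
LBDT_SAMPLE = """\
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface RecoverTime Action Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
----------------------------------------------------------------------------------
"""

def parse_loop_detection(text):
    """Rows of 'display loop-detection interface <port>' as dicts keyed by the header."""
    rows, header = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["Status"]:
            header = parts               # Status WorkMode Recovery-time EnabledVLAN
        elif header and len(parts) == len(header) and parts[-1].isdigit():
            rows.append(dict(zip(header, parts)))
    return rows

def removed_vlans(text):
    """VLANs whose Status is not Normal, i.e. the VLANs the interface has left."""
    return sorted(int(r["EnabledVLAN"]) for r in parse_loop_detection(text)
                  if r["Status"] != "Normal")

def parse_loopback_detect(text):
    """Rows of 'display loopback-detect'; the Status column may contain spaces."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Interface "):
            in_table = True
        elif in_table and line.strip() and not line.startswith("-"):
            iface, rt, action, status = line.split(None, 3)
            rows.append({"Interface": iface, "RecoverTime": rt,
                         "Action": action, "Status": status})
    return rows

def alerts(ldt_text, lbdt_text):
    """Human-readable alerts for anything that is not in the Normal state."""
    left = removed_vlans(ldt_text)
    out = [f"loop-detection: interface left VLANs {left}"] if left else []
    out += [f"loopback-detect: {r['Interface']} action {r['Action']} applied ({r['Status']})"
            for r in parse_loopback_detect(lbdt_text) if r["Status"] != "NORMAL"]
    return out

if __name__ == "__main__":
    for a in alerts(LDT_SAMPLE, LBDT_SAMPLE):
        print(a)
```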
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-1
compares STP, RSTP, and MSTP.
STP
l Forms a loop-free tree to prevent broadcast storms and implement redundancy.
l Provides slow convergence.
l Used when user or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in STP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.
After a network designer deploys a network, STP can be deployed on the network to prevent
loops. When loops exist on a network, STP blocks a port to eliminate the loops. As shown in
Figure 7-1, SwitchA, SwitchB, SwitchC, and SwitchD running STP exchange STP BPDUs to
discover loops on the network and block ports to prune the network into a loop-free tree
network. STP prevents infinite looping of packets to ensure packet processing capabilities of
switches.
[Figure 7-1 (not reproduced); labels: Network, SwitchA (Root Bridge), SwitchB, SwitchC, SwitchD, GE1/0/1, GE1/0/2, GE1/0/3, STP, PC1, PC2, Blocked port]
Configuration Roadmap
Configure basic STP functions on switching devices of the ring network.
1. Configure the switching devices on the ring network to work in STP mode.
2. Configure the root bridge and secondary root bridge.
3. Configure the path cost of a port so that the port can be blocked.
4. Enable STP to eliminate loops.
Procedure
Step 1 Configure basic STP functions.
1. Configure the switching devices on the ring network to work in STP mode.
# Configure SwitchA to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp
3. Configure the path cost of a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. The Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy
# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
#
sysname SwitchB
#
stp mode stp
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp bpdu-filter enable
Related Content
Videos
Configuring STP to Prevent Loops
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-2
compares STP, RSTP, and MSTP.
STP
l Forms a loop-free tree to prevent broadcast storms and implement redundancy.
l Provides slow convergence.
l Used when user or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in RSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.
After a network designer deploys a network, RSTP can be deployed on the network to prevent
loops. When loops exist on a network, RSTP blocks a port to eliminate the loops. As shown in
Figure 7-2, SwitchA, SwitchB, SwitchC, and SwitchD running RSTP exchange RSTP
BPDUs to discover loops on the network and block ports to prune the network into a loop-free
tree network. RSTP prevents infinite looping of packets to ensure packet processing
capabilities of switches.
Figure 7-2 Networking diagram for configuring RSTP (figure not reproduced): SwitchA (root bridge), SwitchB, SwitchC, and SwitchD running RSTP are connected through GE1/0/1, GE1/0/2, and GE1/0/3, with an upstream network, PC1 and PC2, and one blocked port.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions on switching devices of the ring network.
a. Configure the switching devices on the ring network to work in RSTP mode.
b. Configure the root bridge and secondary root bridge.
c. Configure the path cost of a port so that the port can be blocked.
d. Enable RSTP to eliminate loops.
2. Enable protection functions to protect devices or links. For example, enable root
protection on the designated port of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the switching devices on the ring network to work in RSTP mode.
# Configure SwitchA to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp
3. Configure the path cost of a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy
# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy
Step 2 Enable protection functions. Here, root protection is used on the designated port of the root
bridge.
# Configure root protection on GigabitEthernet1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode rstp
Related Content
Videos
Configuring STP to Prevent Loops
The Spanning Tree Protocol (STP) is used to solve these problems. STP prevents loops.
Devices running STP discover loops on the network by exchanging information with each
other, and block some ports to eliminate loops.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-3
compares STP, RSTP, and MSTP.
STP:
l Forms a loop-free tree to prevent broadcast storms and implement redundancy.
l Provides slow convergence.
Application scenario: User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
Configuration Notes
l This example applies to all versions and products.
l The ports connected to terminals do not participate in MSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.
Networking Requirements
To implement redundancy on a complex network, network designers tend to deploy multiple
physical links between two devices, one of which is the primary link and the others are
backup links. Loops may occur, causing broadcast storms or MAC address entry damage.
MSTP can be used to prevent loops. MSTP blocks redundant links and prunes a network into
a tree topology free from loops.
As shown in Figure 7-3, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. MSTP uses
multiple instances to implement load balancing of traffic in VLANs 2 to 10 and VLANs 11 to
20. The mapping between VLANs and MSTIs is defined in a VLAN mapping table.
Figure 7-3 Networking diagram for configuring MSTP (figure not reproduced): MST region RG1, in which SwitchA and SwitchB are connected by Eth-Trunk1 and SwitchC and SwitchD are attached through GE1/0/1, GE1/0/2, and GE1/0/3, with an upstream network. MSTI 1: root switch SwitchA, one blocked port. MSTI 2: root switch SwitchB, one blocked port.
Configuration Roadmap
The configuration roadmap is as follows:
2. Enable protection functions to protect devices or links. For example, enable root
protection on the designated port of the root bridge in each MSTI.
NOTE
When the link between the root bridge and secondary root bridge goes Down, the port enabled with root
protection becomes Discarding because root protection takes effect.
To improve the reliability, you are advised to bind the link between the root bridge and secondary root
bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding on devices.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD (access switches) in the MST
region RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region of root bridge SwitchA in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in the MST
region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be larger than the
default values.
NOTE
– The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost and
set the path cost of GE1/0/2 to 20000 in MSTI 2.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost and
set the path cost of GE1/0/2 to 20000 in MSTI 1.
[SwitchD] stp pathcost-standard legacy
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet1/0/2] quit
– Configure the ports connected to the terminal as edge ports and BPDU filter ports.
Step 2 Enable protection functions. For example, enable root protection on the designated port of the
root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in MSTI 0.
# Run the display stp brief command on SwitchA to view the port status and protection type.
The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, Eth-Trunk1 and GE1/0/1 on SwitchA are designated ports because SwitchA is the
root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and Eth-Trunk1 is the root
port.
# Run the display stp brief command on SwitchB. The following information is displayed:
In MSTI 2, GE1/0/1 and Eth-Trunk1 on SwitchB are designated ports because SwitchB is the
root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and Eth-Trunk1 is the root
port.
# Run the display stp interface brief command on SwitchC. The following information is
displayed:
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 ALTE DISCARDING NONE
GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is blocked
in MSTI 2 and is the designated port in MSTI 1.
# Run the display stp interface brief command on SwitchD. The following information is
displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is blocked
in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
stp bpdu-filter enable
Related Content
Videos
Configuration Notes
l The following describes the applicable product models and versions.
l The ports connected to terminals do not participate in MSTP calculation, so you are
advised to configure the ports as edge ports or disable STP on the ports.
Networking Requirements
As shown in Figure 7-4, hosts connect to the network through SwitchC. SwitchC is dual-
homed to SwitchA and SwitchB and connects to the Internet through them. Redundant links are
deployed for access backup. The use of redundant links, however, may produce loops, causing
broadcast storms and rendering the MAC address table unstable.
It is required that network loops be prevented when redundant links are deployed, traffic be
switched to another link when one link is disconnected, and network bandwidth be effectively
used.
MSTP can be configured on the network. MSTP blocks redundant links and prunes a network
into a tree topology free from loops. VRRP can be configured on SwitchA and SwitchB.
HostA connects to the Internet with SwitchA as the default gateway and SwitchB as the
backup gateway; HostB connects to the Internet with SwitchB as the default gateway and
SwitchA as the backup gateway. This setting implements reliability and traffic load balancing.
Figure 7-4 Networking diagram for configuring MSTP and VRRP (figure not reproduced): HostB (VLAN 3, 10.1.3.101/24) connects through SwitchC, which runs MSTP and is dual-homed to SwitchA and SwitchB over GE1/0/1 to GE1/0/4; SwitchA and SwitchB run VRRP (VRID 1 and VRID 2, virtual IP address 10.1.3.100 for VRID 2; SwitchB is the backup in VRID 1 and the master in VRID 2) and reach the Internet through RouterB; blocked ports are marked for MSTI 1 and MSTI 2.
Configuration Roadmap
The configuration roadmap is as follows:
a. Configure an MST region and create multi-instance, and map VLAN 2 to MSTI 1
and VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and secondary root bridge in each MST region.
c. Configure the path cost of a port in each MSTI so that the port can be blocked.
d. Enable MSTP to prevent loops.
n Enable MSTP globally.
n Enable MSTP on all ports except the ports connected to hosts.
2. Enable protection functions to protect devices or links. For example, enable root
protection on the designated port of the root bridge in each MSTI.
3. Configure Layer 2 forwarding on devices.
4. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
NOTE
In this example, SwitchA and SwitchB need to support VRRP and OSPF. For details about the
models supporting VRRP and OSPF, see the documentation.
5. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP group 2, configure SwitchB
as the master and SwitchA as the backup.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create MSTI 1
and MSTI 2.
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration //Enter the MST region view.
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 //Map VLAN 2 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 3 //Map VLAN 3 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in the MST
region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be larger than the
default values.
NOTE
– The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an
example. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate the path cost
of ports.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost, and
set the path cost of GE1/0/1 in MSTI 2 to 20000 and path cost of GE1/0/4 in MSTI 1 to
20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet1/0/4] quit
– Configure the ports connected to hosts as edge ports and configure BPDU filtering.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp disable
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] stp bpdu-filter enable
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] stp edged-port enable
– Configure the ports connected to the router as edge ports and configure BPDU
filtering.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
[SwitchA-GigabitEthernet1/0/3] stp bpdu-filter enable
[SwitchA-GigabitEthernet1/0/3] quit
Step 2 Enable protection functions. For example, enable root protection on the designated port of the
root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in MSTI 0.
# Run the display stp brief command on SwitchA to view the port status and protection type.
The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
In MSTI 1, GE1/0/2 and GE1/0/1 on SwitchA are designated ports because SwitchA is the root
bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and GE1/0/2 is the root port.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
In MSTI 2, GE1/0/1 and GE1/0/2 on SwitchB are designated ports because SwitchB is the root
bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and GE1/0/2 is the root port.
# Run the display stp interface brief command on SwitchC. The displayed information is as
follows:
GE1/0/1 on SwitchC is the root port in MSTI 1 and is blocked in MSTI 2. GE1/0/4 on
SwitchC is blocked in MSTI 1 and is the designated port in MSTI 2.
Step 5 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of
SwitchB is similar to that of SwitchA, and is not mentioned here. For details, see the
configuration files.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit
# Configure OSPF between SwitchA, SwitchB, and router. SwitchA is used as an example.
The configuration of SwitchB is similar to that of SwitchA, and is not mentioned here. For
details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
# Set virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of HostA, and
virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of HostB.
Step 7 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA. You can
see that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# After the configuration is complete, run the display vrrp command on SwitchB. You can
see that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
[SwitchB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
----End
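The port roles reported by display stp brief above, for both the Figure 7-3 ring and the Figure 7-4 dual-homed topology, follow from the configured root bridges and path costs. The script below is an added example, not Huawei code: the link lists, the legacy cost of 20 for a GE port (also assumed for the Eth-Trunk) and the bridge ID tie-break by switch name are assumptions read off the figures, and it also shows which port takes over when the SwitchA-SwitchC link fails.

```python
"""Port-role election for the MSTIs verified above (added example, not Huawei code).

A bridge's root path cost (RPC) through a port is the upstream bridge's RPC plus the
cost of that port, so raising a port's cost to 20000 steers the root port elsewhere.
The lowest (RPC, upstream bridge ID) wins the root port, the end of every link that
advertises the lower (RPC, bridge ID) becomes designated, and every remaining end is
an alternate port in DISCARDING state, which is what display stp brief reports."""
import heapq

GE = "GigabitEthernet1/0/"
# Constructed topologies read off Figure 7-3 and Figure 7-4: (bridge, port, bridge, port).
FIG_7_3 = [("SwitchA", "Eth-Trunk1", "SwitchB", "Eth-Trunk1"),
           ("SwitchA", GE + "1", "SwitchC", GE + "3"),
           ("SwitchB", GE + "1", "SwitchD", GE + "3"),
           ("SwitchC", GE + "2", "SwitchD", GE + "2")]
FIG_7_4 = [("SwitchA", GE + "2", "SwitchB", GE + "2"),
           ("SwitchA", GE + "1", "SwitchC", GE + "1"),
           ("SwitchB", GE + "1", "SwitchC", GE + "4")]
# Per-MSTI costs set in the procedures; every other port is assumed to use the legacy
# default for a GE port, taken as 20 here (the Eth-Trunk is assumed to cost the same).
DEFAULT_COST = 20
COSTS_7_3 = {1: {("SwitchD", GE + "2"): 20000}, 2: {("SwitchC", GE + "2"): 20000}}
COSTS_7_4 = {1: {("SwitchC", GE + "4"): 20000}, 2: {("SwitchC", GE + "1"): 20000}}


def bridge_id(name, root):
    """Assumed bridge IDs: the root has the best priority; all others tie and sort by name."""
    return (0 if name == root else 1, name)


def compute_roles(msti, root, links, costs):
    """Return {(bridge, port): (role, state)} for one MSTI, like display stp brief."""
    adj = {}
    for a, pa, b, pb in links:
        adj.setdefault(a, []).append((pa, b, pb))
        adj.setdefault(b, []).append((pb, a, pa))

    def port_cost(bridge, port):
        return costs.get(msti, {}).get((bridge, port), DEFAULT_COST)

    # Dijkstra over (RPC, upstream bridge ID, receiving port), the order in which a
    # bridge compares the BPDUs it receives (port ID tie-breaks simplified to the name).
    best = {root: (0, bridge_id(root, root), None)}
    heap = [(0, root)]
    while heap:
        rpc, bridge = heapq.heappop(heap)
        if rpc > best[bridge][0]:
            continue  # stale queue entry
        for port, nb, nb_port in adj[bridge]:
            cand = (rpc + port_cost(nb, nb_port), bridge_id(bridge, root), nb_port)
            if nb != root and (nb not in best or cand < best[nb]):
                best[nb] = cand
                heapq.heappush(heap, (cand[0], nb))
    roles = {}
    for a, pa, b, pb in links:  # assumes a connected topology
        a_key = (best[a][0], bridge_id(a, root))
        b_key = (best[b][0], bridge_id(b, root))
        desi, desi_port, other, other_port = (a, pa, b, pb) if a_key < b_key else (b, pb, a, pa)
        roles[(desi, desi_port)] = ("DESI", "FORWARDING")
        if best[other][2] == other_port:
            roles[(other, other_port)] = ("ROOT", "FORWARDING")
        else:
            roles[(other, other_port)] = ("ALTE", "DISCARDING")
    return roles


def blocked_ports(msti, root, links, costs):
    """Sorted (bridge, port) pairs the MSTI prunes from the tree, i.e. its alternate ports."""
    return sorted(bp for bp, (role, _) in compute_roles(msti, root, links, costs).items()
                  if role == "ALTE")


if __name__ == "__main__":
    for label, links, costs in (("Figure 7-3", FIG_7_3, COSTS_7_3), ("Figure 7-4", FIG_7_4, COSTS_7_4)):
        print(label)
        for msti, root in ((1, "SwitchA"), (2, "SwitchB")):
            for (br, port), (role, state) in sorted(compute_roles(msti, root, links, costs).items()):
                print(f"  {msti} {br} {port:<20} {role} {state}")
    # Link failure: without the SwitchA-SwitchC link, SwitchC's GE1/0/2 becomes its root port.
    lost_link = [l for l in FIG_7_3 if l[2] != "SwitchC"]
    print("MSTI 1 blocked after failure:", blocked_ports(1, "SwitchA", lost_link, COSTS_7_3))
```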
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
#
sysname SwitchC
#
vlan batch 2 to 3
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 2 cost 20000
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
stp bpdu-filter enable
stp edged-port enable
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 1 cost 20000
#
return
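The NOTE in the procedure states the three values that must match for switches to share an MST region, and the path cost notes require one algorithm network-wide. The script below is an added example, not Huawei code: it parses the stp region-configuration, stp pathcost-standard and stp instance ... root lines of configuration files like the ones above and reports any switch that silently falls out of the region; the sample files are constructed (SwitchC carries a deliberate VLAN-range defect), and a revision-level line in the region view is assumed to be how a non-default revision level appears in the file.

```python
"""MST region consistency check for the configuration files above (added example, not
Huawei code). Switches belong to the same MST region only when their region name,
VLAN-to-MSTI mapping and revision level match, and all switches on the network must
use the same path cost standard; a single wrong VLAN range silently splits the region."""
import re


def parse_vlan_list(spec):
    """Expand a VRP VLAN list such as '2 to 10' or '20 21 100 to 300' into a set."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_stp(text):
    """Extract region name, revision level, instance mapping, path cost standard and root roles."""
    cfg = {"region_name": None, "revision": 0, "instances": {}, "pathcost": None, "roots": {}}
    in_region = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "stp region-configuration":
            in_region = True
        elif line == "#" or line == "active region-configuration":
            in_region = False  # VRP separates blocks with a bare '#'
        elif in_region and line.startswith("region-name "):
            cfg["region_name"] = line.split()[1]
        elif in_region and line.startswith("revision-level "):  # assumed file syntax
            cfg["revision"] = int(line.split()[1])
        elif in_region and (m := re.match(r"instance (\d+) vlan (.+)", line)):
            cfg["instances"][int(m.group(1))] = frozenset(parse_vlan_list(m.group(2)))
        elif m := re.match(r"stp pathcost-standard (\S+)", line):
            cfg["pathcost"] = m.group(1)
        elif m := re.match(r"stp instance (\d+) root (primary|secondary)", line):
            cfg["roots"][int(m.group(1))] = m.group(2)
    return cfg


def check_region(configs):
    """Return findings for {switch: config text}; an empty list means the region is consistent."""
    parsed = {name: parse_stp(text) for name, text in configs.items()}
    names, findings, primaries = sorted(parsed), [], {}
    ref = names[0]
    for name in names[1:]:
        for key in ("region_name", "revision", "instances"):
            if parsed[name][key] != parsed[ref][key]:
                findings.append(f"{name}: {key} differs from {ref}, so it is in a different MST region")
        if parsed[name]["pathcost"] != parsed[ref]["pathcost"]:
            findings.append(f"{name}: pathcost-standard differs from {ref}")
    for name in names:
        for inst, role in parsed[name]["roots"].items():
            if role == "primary":
                primaries.setdefault(inst, []).append(name)
    for inst, owners in sorted(primaries.items()):
        if len(owners) != 1:
            findings.append(f"MSTI {inst}: root primary configured on {owners}")
    return findings


# Constructed sample files modelled on the SwitchA/SwitchB/SwitchC files above. SwitchC
# carries a deliberate defect: VLAN 20 is missing from its MSTI 2 mapping.
TEMPLATE = """\
sysname {name}
#
vlan batch 2 to 20
#
{roots}stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan {msti2}
 active region-configuration
#
return
"""
SAMPLE = {
    "SwitchA": TEMPLATE.format(name="SwitchA", msti2="11 to 20",
                               roots="stp instance 1 root primary\nstp instance 2 root secondary\n"),
    "SwitchB": TEMPLATE.format(name="SwitchB", msti2="11 to 20",
                               roots="stp instance 1 root secondary\nstp instance 2 root primary\n"),
    "SwitchC": TEMPLATE.format(name="SwitchC", msti2="11 to 19", roots=""),
}

if __name__ == "__main__":
    for finding in check_region(SAMPLE) or ["MST region RG1 is consistent"]:
        print(finding)
```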
Configuration Notes
l STP and Smart Link must be disabled on the interface added to an RRPP domain.
l DHCP and MAC address limiting rules cannot be configured in an RRPP control VLAN.
l When the mapping between the protected instance and MUX VLAN needs to be
configured, you are advised to configure the principal VLAN, subordinate group VLAN,
and subordinate separate VLAN in the MUX VLAN in the protected instance.
Otherwise, loops may occur.
l This example applies to all versions and products.
Networking Requirements
As shown in Figure 7-5, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and to implement fast
convergence to rapidly restore communication between nodes in the ring when the ring fails.
You can enable RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
Figure 7-5 Networking diagram for configuring a single RRPP ring (figure not reproduced): SwitchA, SwitchB, and SwitchC form Ring 1 through GE2/0/1 and GE2/0/2; the primary and secondary interfaces are marked.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit
Step 2 Map instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300 //Add the major control VLAN, sub-control VLAN, and data VLANs to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, configure the
interfaces to allow VLANs 100 to 300 to pass through, and disable STP on the interfaces.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure
instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
According to the preceding information, RRPP is enabled on SwitchA; the major control
VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21; SwitchA is
the master node in ring 1; the primary interface is GigabitEthernet2/0/1 and the secondary
interface is GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
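The configuration notes for this example require STP to be disabled on interfaces added to an RRPP domain, and the procedure makes SwitchA the only master node of ring 1. The script below is an added example, not Huawei code: it parses the rrpp domain and interface blocks of configuration files like the three above and reports a ring with no or several master nodes, a ring port that is not a trunk port or still runs STP, and a node whose rings share one RRPP domain; the sample files are constructed, with STP deliberately left enabled on one ring port of SwitchC.

```python
"""Sanity checks for the RRPP ring configured above (added example, not Huawei code).

Parses the rrpp domain and interface blocks of each switch's configuration file and
checks what this example requires: RRPP is enabled globally, every ring has exactly one
master node, both ring ports of each node are trunk ports with STP disabled (STP must
be disabled on interfaces added to an RRPP domain), and a node that belongs to two
rings places them in different RRPP domains (the rule for tangent rings)."""
import re

RING_RE = re.compile(r"ring (\d+) node-mode (\w+) primary-port (\S+) secondary-port (\S+)")


def parse_rrpp(text):
    """Return the RRPP-relevant facts of one configuration file."""
    cfg = {"enabled": False, "rings": [], "ports": {}}  # ring: (domain, ring, mode, p1, p2)
    domain = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # VRP separates configuration blocks with a bare '#'
            domain = iface = None
        elif line == "rrpp enable":
            cfg["enabled"] = True
        elif line.startswith("rrpp domain "):
            domain = int(line.split()[2])
        elif line.startswith("interface "):
            iface = line.split()[1]
            cfg["ports"][iface] = set()
        elif domain is not None and (m := RING_RE.match(line)):
            cfg["rings"].append((domain, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif iface is not None:
            cfg["ports"][iface].add(line)  # keep every interface command for the checks
    return cfg


def check_rrpp(configs):
    """Return findings for {switch: config text}; an empty list means the rings look sound."""
    findings, members = [], {}
    for name in sorted(configs):
        cfg = parse_rrpp(configs[name])
        if not cfg["enabled"]:
            findings.append(f"{name}: rrpp enable is missing")
        for dom, ring, mode, *ports in cfg["rings"]:
            members.setdefault((dom, ring), []).append((name, mode))
            for port in ports:
                cmds = cfg["ports"].get(port, set())
                if "port link-type trunk" not in cmds:
                    findings.append(f"{name}: ring port {port} is not a trunk port")
                if "stp disable" not in cmds:
                    findings.append(f"{name}: STP is still enabled on ring port {port}")
        rings = sorted(ring for _, ring, *_ in cfg["rings"])
        if len({dom for dom, *_ in cfg["rings"]}) < len(rings):
            findings.append(f"{name}: tangent rings {rings} must be in different RRPP domains")
    for (dom, ring), nodes in sorted(members.items()):
        masters = [n for n, mode in nodes if mode == "master"]
        if len(masters) != 1:
            findings.append(f"domain {dom} ring {ring}: expected one master node, found {masters}")
    return findings


# Constructed sample files modelled on the SwitchA/SwitchB/SwitchC files above; SwitchC
# carries a deliberate defect: STP was left enabled on its secondary ring port.
TEMPLATE = """\
sysname {name}
#
rrpp enable
#
rrpp domain 1
 control-vlan 20
 protected-vlan reference-instance 1
 ring 1 node-mode {mode} primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
 ring 1 enable
#
interface GigabitEthernet2/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 to 21 100 to 300
 stp disable
#
interface GigabitEthernet2/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 to 21 100 to 300
{secondary_stp}#
return
"""
SAMPLE = {
    "SwitchA": TEMPLATE.format(name="SwitchA", mode="master", secondary_stp=" stp disable\n"),
    "SwitchB": TEMPLATE.format(name="SwitchB", mode="transit", secondary_stp=" stp disable\n"),
    "SwitchC": TEMPLATE.format(name="SwitchC", mode="transit", secondary_stp=""),
}

if __name__ == "__main__":
    for finding in check_rrpp(SAMPLE) or ["ring 1 configuration looks sound"]:
        print(finding)
```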
Relevant Information
Video
Configure RRPP
Figure 7-6 Networking diagram of tangent RRPP rings (figure not reproduced): RRPP Domain 1, Domain 2, and Domain 3 with master and transit nodes PE-AGG1, PE-AGG2, and PE-AGG3, UPEs at the access side, an NPE toward the IP/MPLS core, and one blocked port. Abbreviations: PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UMG: Universal Media Gateway; UPE: Underlayer Provider Edge; DSLAM: Digital Subscriber Line Access Multiplexer.
Two tangent rings cannot belong to the same RRPP domain. The tangent point of the two
tangent rings belongs to two RRPP domains, and the master node can be located at the tangent
point.
When there are multiple tangent RRPP rings, a fault of a ring does not affect other domains
and the convergence process of RRPP rings in a domain is the same as that of a single ring.
Configuration Notes
l STP and Smart Link must be disabled on the interface added to an RRPP domain.
l DHCP and MAC address limiting rules cannot be configured in an RRPP control VLAN.
l When the mapping between the protected instance and MUX VLAN needs to be
configured, you are advised to configure the principal VLAN, subordinate group VLAN,
and subordinate separate VLAN in the MUX VLAN in the protected instance.
Otherwise, loops may occur.
l This example applies to all versions and products.
Networking Requirements
As shown in Figure 7-6, the network is required to prevent loops when the ring is complete
and to implement fast convergence to rapidly restore communication between nodes in the
ring when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You
can configure RRPP rings at the aggregation and access layers. The two rings are tangent,
simplifying the network configuration.
SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB in Figure 7-7 map PE-AGG1, PE-
AGG2, PE-AGG3, UPE1, and UPE2 in Figure 7-6 respectively. Figure 7-7 is used as an
example to describe how to configure tangent RRPP rings with a single instance.
Figure 7-7 Tangent RRPP rings with a single instance. Ring 2 in RRPP domain 2 consists of SwitchA, SwitchB, and SwitchC, each connected through GE2/0/1 and GE2/0/2. Ring 1 in RRPP domain 1 consists of SwitchC, SwitchD, and SwitchE, each connected through GE1/0/1 and GE1/0/2. SwitchC is the tangent point of the two rings.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create RRPP domains and control VLANs for configuring RRPP rings.
2. Map the VLANs that need to pass through ring 1 to instance 1, including data VLANs
and control VLANs, which are used for configuring protected VLANs.
Map the VLANs that need to pass through ring 2 to instance 2, including data VLANs
and control VLANs, which are used for configuring protected VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure SwitchA, SwitchB, and SwitchC to be in ring 2 of RRPP domain 2.
b. Configure SwitchC, SwitchD, and SwitchE to be in ring 1 of RRPP domain 1.
c. Configure SwitchA as the master node in ring 2, and configure SwitchB and
SwitchC as transit nodes in ring 2.
d. Configure SwitchE as the master node in ring 1, and configure SwitchC and
SwitchD as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.
Procedure
Step 1 Configure instance 2 and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 to 21 //Add the major control VLAN and sub-control VLAN of domain 2 to instance 2.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 2 Create RRPP domains and configure control VLANs and protected VLANs of the RRPP
domains.
# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and SwitchD are
similar to the configuration of SwitchE, and are not mentioned here. For details, see the
configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10 //Each RRPP domain has a major
control VLAN and a sub-control VLAN. You only need to specify the major control
VLAN. The system uses the VLAN whose ID is one greater than the ID of the major
control VLAN as the sub-control VLAN.
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure
instance 1 as the protected instance of the RRPP domain.
[SwitchE-rrpp-domain-region1] quit
Step 3 Configure the interfaces to be added to RRPP rings as trunk interfaces and disable STP on the
interfaces.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 20 to 21
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 20 to 21
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
# Configure SwitchB as a transit node in ring 2 (major ring) and specify the primary and
secondary interfaces.
[SwitchB] rrpp domain 2
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region2] ring 2 enable
[SwitchB-rrpp-domain-region2] quit
# Configure SwitchC as a transit node in ring 2 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 2
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region2] ring 2 enable
[SwitchC-rrpp-domain-region2] quit
# Configure SwitchC as a transit node in ring 1 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
# Configure SwitchD as a transit node in ring 1 and specify the primary and secondary
interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
On SwitchC, run the display rrpp brief command. The following information is displayed.
# Check brief RRPP information on SwitchC.
[SwitchC] display rrpp brief
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
2 0 T GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes
According to the preceding information, RRPP is enabled on SwitchC; the major control
VLAN of RRPP domain 1 is VLAN 10 and the sub-control VLAN is VLAN 11; SwitchC is a
transit node in ring 1; the primary interface is GigabitEthernet1/0/1 and the secondary
interface is GigabitEthernet1/0/2.
The major control VLAN of SwitchC in RRPP domain 2 is VLAN 20 and the sub-control
VLAN is VLAN 21; SwitchC is a transit node in ring 2; the primary interface is
GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
On SwitchC, run the display rrpp verbose domain command. The following information is
displayed.
# Check detailed information about RRPP domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: UP
# Check detailed information about RRPP domain 2 on SwitchC.
[SwitchC] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 10 to 11 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
l Configuration file of SwitchE
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
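The configuration files above are what gets copied onto the next ring node, so the invariants the Configuration Notes and the roadmap spell out (STP disabled on every RRPP port, the major and sub-control VLAN created in the protected instance and allowed on the ring trunks, VLAN 1 removed from the trunks, exactly one major ring per domain so that tangent rings sit in different domains) are worth checking mechanically before a change window rather than by eye. The auditor below is an added example written for this page, not Huawei code: it parses only the subset of VRP syntax used in these files (the parser, the `SwitchConfig` model, the message texts and the sample configuration are all assumptions of the example) and reports every violated invariant. The sample is constructed to match SwitchC above, plus a copy with three deliberate mistakes.

```python
"""Audit a VRP-style configuration file for the RRPP invariants the tangent-ring
example relies on. Added example, not Huawei code; it understands only the subset
of VRP syntax used in the configuration files above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

def expand_vlans(spec: str) -> set[int]:
    """Expand a VRP VLAN list such as '20 to 21 100 to 300' into a set of IDs."""
    ids, t, i = set(), spec.split(), 0
    while i < len(t):
        lo = hi = int(t[i])
        if i + 2 < len(t) and t[i + 1] == "to":
            hi, i = int(t[i + 2]), i + 2
        i += 1
        ids.update(range(lo, hi + 1))
    return ids

@dataclass
class Domain:
    control_vlan: int | None = None
    instance: int | None = None
    rings: list[tuple[int, int, str, str]] = field(default_factory=list)  # id, level, primary, secondary

@dataclass
class Port:
    trunk: bool = False
    stp_disabled: bool = False
    allowed: set[int] = field(default_factory=set)

@dataclass
class SwitchConfig:
    rrpp_enabled: bool = False
    instances: dict[int, set[int]] = field(default_factory=dict)
    domains: dict[int, Domain] = field(default_factory=dict)
    ports: dict[str, Port] = field(default_factory=dict)

RING_RE = re.compile(r"ring (\d+) node-mode \w+ primary-port (\S+) secondary-port (\S+) level (\d+)")
ALLOW = "port trunk allow-pass vlan "

def parse_config(text: str) -> SwitchConfig:
    """A '#' line closes the current view; interface, rrpp domain and stp region lines open one."""
    cfg, view, key = SwitchConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            view = key = None
        elif line == "rrpp enable":
            cfg.rrpp_enabled = True
        elif line == "stp region-configuration":
            view = "mst"
        elif line.startswith("rrpp domain "):
            view, key = "domain", int(line.split()[2])
            cfg.domains.setdefault(key, Domain())
        elif line.startswith("interface "):
            view, key = "port", line.split()[1]
            cfg.ports.setdefault(key, Port())
        elif view == "mst" and line.startswith("instance "):
            _, inst, _, vlans = line.split(None, 3)
            cfg.instances[int(inst)] = expand_vlans(vlans)
        elif view == "domain":
            d = cfg.domains[key]
            if line.startswith("control-vlan "):
                d.control_vlan = int(line.split()[1])
            elif line.startswith("protected-vlan reference-instance "):
                d.instance = int(line.split()[2])
            elif m := RING_RE.match(line):
                d.rings.append((int(m[1]), int(m[4]), m[2], m[3]))
        elif view == "port":
            p = cfg.ports[key]
            if line == "port link-type trunk":
                p.trunk = True
                p.allowed.add(1)  # a fresh trunk carries VLAN 1 until it is removed
            elif line == "stp disable":
                p.stp_disabled = True
            elif line.startswith(ALLOW):
                p.allowed |= expand_vlans(line[len(ALLOW):])
            elif line.startswith("undo " + ALLOW):
                p.allowed -= expand_vlans(line[len("undo " + ALLOW):])
    return cfg

def audit_rrpp(cfg: SwitchConfig) -> list[str]:
    """Return findings; an empty list means every invariant holds."""
    out = [] if cfg.rrpp_enabled else ["rrpp enable missing"]
    for idx, d in sorted(cfg.domains.items()):
        if d.control_vlan is None or d.instance is None:
            out.append(f"domain {idx}: control-vlan or protected instance missing")
            continue
        ctrl = {d.control_vlan, d.control_vlan + 1}  # major and sub-control VLAN
        if not ctrl <= cfg.instances.get(d.instance, set()):
            out.append(f"domain {idx}: control VLANs {sorted(ctrl)} not in instance {d.instance}")
        if sum(level == 0 for _, level, _, _ in d.rings) != 1:  # tangent rings need separate domains
            out.append(f"domain {idx}: expected exactly one level-0 (major) ring")
        for ring_id, _, primary, secondary in d.rings:
            for port in (primary, secondary):
                p = cfg.ports.get(port)
                if p is None or not p.trunk:
                    out.append(f"ring {ring_id}: {port} missing or not a trunk")
                    continue
                for bad, msg in ((not p.stp_disabled, "stp still enabled on RRPP ring port"),
                                 (1 in p.allowed, "VLAN 1 still allowed"),
                                 (not ctrl <= p.allowed, f"control VLANs {sorted(ctrl)} not allowed")):
                    if bad:
                        out.append(f"{port}: {msg}")
    return out

# Constructed sample modelled on SwitchC above: tangent node of ring 1 (domain 1,
# control VLAN 10, GE1/0/x) and ring 2 (domain 2, control VLAN 20, GE2/0/x).
SWITCH_C_OK = "#\nrrpp enable\n#\nstp region-configuration\n instance 1 vlan 10 to 11\n instance 2 vlan 20 to 21\n#\n" + "".join(
    f"rrpp domain {n}\n control-vlan {n}0\n protected-vlan reference-instance {n}\n ring {n} node-mode transit "
    f"primary-port GigabitEthernet{n}/0/1 secondary-port GigabitEthernet{n}/0/2 level 0\n ring {n} enable\n#\n"
    for n in (1, 2)) + "".join(
    f"interface GigabitEthernet{n}/0/{k}\n port link-type trunk\n undo port trunk allow-pass vlan 1\n"
    f" port trunk allow-pass vlan {n}0 to {n}1\n stp disable\n#\n" for n in (1, 2) for k in (1, 2)) + "return\n"

# Three deliberate mistakes: sub-control VLAN 11 dropped from instance 1, STP left
# running on GE1/0/1, and VLAN 1 never removed from the two ring-2 trunks.
SWITCH_C_BAD = (SWITCH_C_OK
    .replace(" instance 1 vlan 10 to 11", " instance 1 vlan 10")
    .replace(" port trunk allow-pass vlan 10 to 11\n stp disable", " port trunk allow-pass vlan 10 to 11", 1)
    .replace(" undo port trunk allow-pass vlan 1\n port trunk allow-pass vlan 20 to 21", " port trunk allow-pass vlan 20 to 21"))

if __name__ == "__main__":
    for name, text in (("SwitchC (as published)", SWITCH_C_OK), ("SwitchC (broken)", SWITCH_C_BAD)):
        print(name, audit_rrpp(parse_config(text)) or "all RRPP invariants hold")
```

Run it against a `display current-configuration` export of each ring node; the broken sample reports the missing sub-control VLAN in the instance (which would leave the sub-ring control traffic outside the protected instance), the STP-enabled ring port (STP and RRPP would fight over the same link) and VLAN 1 left on the ring trunks, which the published files deliberately remove.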
Relevant Information
Video
Configure RRPP
Figure: RRPP snooping on a VPLS network. UPEA and UPEB on the RRPP ring attach to the VPLS network formed by NPEA, NPEC, and NPED; P marks the primary interface and S the secondary interface of the master node; both data packets and hello packets travel around the ring.
You can enable RRPP snooping on the sub-interface or VLANIF interface of NPED and
associate the interface with VSIs on the local device. When the RRPP ring is faulty, NPED on
the VPLS network deletes forwarding entries of VSIs (including the associated VSIs) on the
local node and forwarding entries of NPEB to re-learn forwarding entries. This ensures that
traffic can be switched to a normal path and downstream traffic can be properly forwarded.
Configuration Notes
l RRPP and RRPP snooping cannot be configured on the same interface.
l SA series cards and XGE interfaces connected to ET1D2IPS0S00, ET1D2FW00S00,
ET1D2FW00S01, ET1D2FW00S02, and ACU2 cards do not support RRPP snooping. In
versions earlier than V200R007C00, X1E series cards do not support RRPP snooping.
l The following describes the applicable product models and versions.
Networking Requirements
As shown in Figure 7-9, SwitchA, SwitchB, SwitchC, and SwitchD constitute an RRPP ring.
The network is required to prevent loops when the ring is complete and to implement fast
convergence to rapidly restore communication between nodes in the ring when the ring fails.
The VPLS network is able to transparently transmit RRPP packets, detect RRPP ring status
change, and update forwarding entries so that traffic can be rapidly switched to a normal path
according to the ring status.
Figure 7-9 Networking of RRPP snooping. SwitchC and SwitchD sit on the VPLS network; on each of them GE2/0/0.10 is bound to VSI 10 and GE2/0/0.20 is bound to VSI 20. SwitchA and SwitchB form RRPP ring 1 with them through GE1/0/1 and GE1/0/2, with VLAN 20 as the control VLAN.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPLS network.
2. Configure an RRPP ring to prevent loops and implement fast convergence when a device
fails.
3. Enable RRPP snooping so that the VPLS network can transparently transmit RRPP
packets and detect RRPP ring status change.
4. Associate interfaces with VSIs so that SwitchC and SwitchD on the VPLS network can
delete the MAC address tables of their VSIs when a fault occurs on the RRPP ring
network.
NOTE
VLAN termination sub-interfaces can be created on a non-VCMP client.
Procedure
Step 1 Configure VPLS. SwitchC is used as an example. The configuration of SwitchD is similar to
the configuration of SwitchC, and is not mentioned here. For details, see the configuration
files.
NOTE
This example provides only configurations of sub-interfaces on SwitchC and SwitchD connected to the
RRPP ring. The configurations of devices on the VPLS network are not mentioned.
# Configure GE2/0/0.10 on SwitchC to allow the packets of VLAN 10 to pass through and
bind GE2/0/0.10 to VSI 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface gigabitethernet 2/0/0
[SwitchC-GigabitEthernet2/0/0] undo portswitch
[SwitchC-GigabitEthernet2/0/0] quit
[SwitchC] interface gigabitethernet 2/0/0.10
[SwitchC-GigabitEthernet2/0/0.10] dot1q termination vid 10
[SwitchC-GigabitEthernet2/0/0.10] l2 binding vsi VSI10 //Bind a VSI to the sub-
interface.
[SwitchC-GigabitEthernet2/0/0.10] quit
# Configure SwitchA (master node in ring 1) in RRPP domain 1 and VLAN 20 as the control
VLAN.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure
instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP
domain has a major control VLAN and a sub-control VLAN. You only need to specify
the major control VLAN. The system uses the VLAN whose ID is one greater than the
ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit
# Configure SwitchB (transit node in ring 1) in RRPP domain 1 and VLAN 20 as the control
VLAN.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] control-vlan 20
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchB as a transit node in ring 1 (major ring) and specify the primary and
secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
l Run the display rrpp brief command on SwitchA. The following information is displayed.
# Check brief RRPP information on SwitchA.
[SwitchA] display rrpp brief
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes
According to the preceding information, RRPP is enabled on SwitchA; the major control
VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21;
SwitchA is the master node in ring 1; the primary interface is GE1/0/1 and the secondary
interface is GE1/0/2.
l Run the display rrpp verbose domain command on SwitchA. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchA.
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active : Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED
You can see that VSI 20 and VLAN 20 are associated with GE2/0/0.20.
# Check information about other VSIs associated with GE2/0/0.20 on SwitchC.
[SwitchC] display rrpp snooping vsi interface gigabitethernet 2/0/0.20
Port VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI10
GigabitEthernet2/0/0.20 VSI20
You can see that GE2/0/0.20 is associated with VSI 10 and VSI 20.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
#
return
Relevant Information
Video
Configure RRPP
Configuration Notes
This example applies to all versions and products.
Networking Requirements
Multiple Layer 2 access devices need to be added due to service development of company A.
As shown in Figure 7-10, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The aggregation layer uses
MSTP to eliminate redundant links. Company A requires that services be rapidly switched to
prevent traffic interruption when a link at the access layer fails.
You can deploy multiple Layer 2 devices in a ring and configure SEP to meet the following
requirements of company A:
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can fast restore communication between
nodes in the ring.
l The topology change notification function is configured on an edge device in a SEP
segment so that devices on the upper-layer network can detect topology changes on the
lower-layer network in a timely manner. After receiving a topology change notification
from a lower-layer network, a device on an upper-layer network sends a TC packet to
instruct other devices to delete original MAC addresses and learn new MAC addresses.
This ensures nonstop traffic forwarding.
Figure 7-10 Networking of SEP at the access layer and MSTP at the aggregation layer. Aggregation layer: PE3 (root bridge) and PE4 (secondary root bridge) connect to PE1 and PE2 through GE1/0/2 and GE1/0/3, and PE1 to PE4 run MSTP; PE1 and PE2 do not support SEP. PE1 GE1/0/1 connects to LSW1 GE1/0/1 (no-neighbor primary edge port) and PE2 GE1/0/1 connects to LSW2 GE1/0/1 (no-neighbor secondary edge port). Access layer: LSW1, LSW3, and LSW2 form SEP segment 1 over GE1/0/2 on LSW1 and LSW2 and GE1/0/1 and GE1/0/2 on LSW3; the CE connects to LSW3 GE1/0/3. VLAN 100 carries the service; one port is blocked by SEP and one by MSTP.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on edge
devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
PE1 and PE2 are aggregation switches, PE3 is the root bridge, PE4 is the secondary root bridge, LSWs are
access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW3-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the command for
creating a common VLAN is automatically displayed in the configuration file after the control
VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to an SEP segment that
has a control VLAN, the interface is automatically added to the control VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on Layer 2 interfaces. Before adding an interface to an SEP segment, disable
STP on the interface.
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary //
Configure the interface as the no-neighbor primary edge interface and add it
to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type hybrid
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment
1.
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary //
Configure the interface as the no-neighbor secondary edge interface and add
it to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment
1.
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment
1.
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment
1.
[LSW3-GigabitEthernet1/0/2] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE2-mst-region] active region-configuration //Activate MST region
configuration.
[PE2-mst-region] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE3-mst-region] active region-configuration //Activate MST region
configuration.
[PE3-mst-region] quit
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE4-mst-region] active region-configuration //Activate MST region
configuration.
[PE4-mst-region] quit
# Configure LSW1.
[LSW1] stp region-configuration //Enter the MST region view.
[LSW1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW1-mst-region] active region-configuration //Activate MST region
configuration.
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2] stp region-configuration //Enter the MST region view.
[LSW2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW2-mst-region] active region-configuration //Activate MST region
configuration.
[LSW2-mst-region] quit
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type hybrid
[PE1-GigabitEthernet1/0/3] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/3] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are
not mentioned here. For details, see configuration files in this example.
On LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1, and are not
mentioned here. For details, see configuration files in this example.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable
# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
# Set the priority of PE3 to 0 in MSTI 0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI 0 to ensure that PE4 functions as the
secondary root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
The configuration details are not mentioned here. For details, see configuration files in this
example.
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 on LSW3 changes from
the discarding state to the forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
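The verification step above expects GE1/0/2 on LSW3 to move from discarding to forwarding as soon as GE1/0/1 on LSW2 is shut down, and the roadmap requires the edge device to report that change upstream so the MSTP network flushes stale MAC entries. The toy model below is added here to make both effects explicit; it is not Huawei's SEP implementation. The port order of segment 1, the midpoint rule used for `block port middle`, and the non-preemptive behaviour on recovery are assumptions of the example and are marked as such in the code.

```python
"""Toy model of a SEP segment: which port 'block port middle' discards and how
port states change when a link fails or recovers. Added example, not Huawei's
SEP implementation; the rules marked ASSUMPTION are simplifications."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SepSegment:
    # Segment ports in order from the primary edge port to the secondary edge
    # port; each device on the segment contributes its two ports in sequence.
    ports: list[str]
    failed: set[str] = field(default_factory=set)
    blocked: str = ""
    tc_notifications: int = 0  # topology-change messages sent upstream (tc-notify stp)

    def __post_init__(self) -> None:
        # ASSUMPTION: 'block port middle' is modelled as the port at the midpoint
        # of the ordered port list.
        self.blocked = self.ports[len(self.ports) // 2]

    def role(self, port: str) -> str:
        if port == self.ports[0]:
            return "primary edge"
        if port == self.ports[-1]:
            return "secondary edge"
        return "common"

    def peer(self, port: str) -> str | None:
        """Port at the other end of a link inside the segment. Edge ports face
        devices outside the segment (the PEs here) and have no peer."""
        for i in range(1, len(self.ports) - 1, 2):
            a, b = self.ports[i], self.ports[i + 1]
            if port in (a, b):
                return b if port == a else a
        return None

    def complete(self) -> bool:
        """No port is down, so the segment still closes a loop and one port must discard."""
        return not self.failed

    def state(self, port: str) -> str:
        if port in self.failed:
            return "down"
        if self.complete() and port == self.blocked:
            return "discarding"
        return "forwarding"

    def states(self) -> dict[str, str]:
        return {p: self.state(p) for p in self.ports}

    def _apply(self, change) -> bool:
        """Run a topology change; report it upstream once if any port state moved."""
        before = self.states()
        change()
        changed = self.states() != before
        if changed:
            # The edge device sends a TC so the MSTP network flushes stale MAC
            # entries instead of forwarding into the broken path.
            self.tc_notifications += 1
        return changed

    def fail(self, port: str) -> bool:
        """Simulate 'shutdown' on a segment port; the peer on that link goes down too."""
        def down() -> None:
            self.failed.update(p for p in (port, self.peer(port)) if p)
        return self._apply(down)

    def recover(self, port: str) -> bool:
        """Bring the port and its peer back. ASSUMPTION: non-preemptive recovery,
        i.e. the recovered port becomes the blocked port and traffic is not switched back."""
        def up() -> None:
            self.failed.difference_update((port, self.peer(port)))
            self.blocked = port
        return self._apply(up)

# Constructed from the example: LSW1 GE1/0/1 and LSW2 GE1/0/1 are the no-neighbor
# edge ports facing PE1 and PE2. ASSUMPTION on the link order between the LSWs:
# LSW1 GE1/0/2 - LSW3 GE1/0/1 and LSW3 GE1/0/2 - LSW2 GE1/0/2.
SEGMENT1 = ["LSW1:GE1/0/1", "LSW1:GE1/0/2", "LSW3:GE1/0/1",
            "LSW3:GE1/0/2", "LSW2:GE1/0/2", "LSW2:GE1/0/1"]

def verify_example() -> tuple[str, str, int]:
    """Replay the verification step: shut down GE1/0/1 on LSW2, then read LSW3 GE1/0/2."""
    seg = SepSegment(list(SEGMENT1))
    before = seg.state("LSW3:GE1/0/2")   # discarding while the segment is complete
    seg.fail("LSW2:GE1/0/1")
    return before, seg.state("LSW3:GE1/0/2"), seg.tc_notifications

if __name__ == "__main__":
    print(verify_example())
```

With the assumed port order the midpoint rule lands on LSW3 GE1/0/2, which is the port the verification step reads; a failure anywhere on the segment, including a no-neighbor edge port, leaves no loop to break and the blocked port opens. A second failure on an already-down link produces no state change and therefore no further TC, which is the behaviour an upstream MSTP domain needs to avoid needless MAC flushes.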
Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
Related Content
Videos
Configuring SEP
Configuration Notes
This example applies to all versions and products.
Networking Requirements
As shown in Figure 7-11, multiple Layer 2 switching devices at access and aggregation layers
constitute a ring network and connect to the core layer. The aggregation layer uses RRPP to
eliminate redundant links, and the access layer uses SEP.
l When there is no faulty link on the ring network, SEP can eliminate loops on the
Ethernet network.
l When a link fails on the ring network, SEP can fast restore communication between
nodes in the ring.
l The topology change notification function is configured on an edge device in a SEP
segment so that devices on the upper-layer network can detect topology changes on the
lower-layer network in a timely manner.
After receiving a topology change notification from a lower-layer network, a device on
an upper-layer network sends a TC packet to instruct other devices to delete original
MAC addresses and learn new MAC addresses. This ensures nonstop traffic forwarding.
Figure 7-11 Networking of SEP at the access layer and RRPP at the aggregation layer. NPE1 and NPE2 connect the aggregation layer to the network. PE1 to PE4 form the RRPP ring through GE1/0/2 and GE1/0/3. PE1 GE1/0/1 (primary edge port) connects to LSW1 GE1/0/1 and PE2 GE1/0/1 (secondary edge port) connects to LSW2 GE1/0/1; PE1, PE2, and LSW1 to LSW3 form SEP segment 1, with LSW3 attached through GE1/0/1 and GE1/0/2 and the CE connected to LSW3 GE1/0/3. VLAN 100 carries the service; one port is blocked by SEP and one by RRPP.
Configuration Roadmap
The configuration roadmap is as follows:
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN on
PE1 to PE4, and configure the protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on the major
ring, and configure primary and secondary interfaces of the master node.
c. Create VLANs on PE1 to PE4 and add interfaces on the RRPP ring to the VLANs.
3. Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.
NOTE
PEs are aggregation switches, LSWs are access switches, and CEs are user-side switches.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 and configure VLAN 10 as the control VLAN of SEP segment
1.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1 //Create SEP segment 1.
[PE1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of
SEP segment 1.
[PE1-sep-segment1] protected-instance all //Configure all protected instances
of SEP segment 1.
[PE1-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1 //Create SEP segment 1.
[PE2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of
SEP segment 1.
[PE2-sep-segment1] protected-instance all //Configure all protected instances
of SEP segment 1.
[PE2-sep-segment1] quit
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN
of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected
instances of SEP segment 1.
[LSW3-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the command for
creating a common VLAN is automatically displayed in the configuration file after the control
VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to an SEP segment that
has a control VLAN, the interface is automatically added to the control VLAN.
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on Layer 2 interfaces. Before adding an interface to an SEP segment,
disable STP on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary //Configure the interface as the primary edge interface and add it to SEP segment 1.
[PE1-GigabitEthernet1/0/1] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type trunk
[LSW1-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type trunk
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type trunk
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type trunk
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type trunk
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/2] quit
# Configure PE2.
After the configuration is complete, run the display sep topology command on PE1 to
check the topology of the SEP segment. The command output shows that the blocked
interface is one of the two interfaces on the link that last completes neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit
After the configuration is complete, perform the following operations to verify the
configuration. PE1 is used as an example.
l Run the display sep topology command on PE1 to check the topology of the SEP
segment.
The command output shows that GE1/0/2 of LSW3 is in discarding state and other
interfaces are in forwarding state.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
l Run the display sep interface verbose command on PE1 to check detailed information
about interfaces in the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
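The two display commands above are what an operator reads by eye. When the same check has to run on a schedule (for instance to notice that the blocked port of the segment has moved, which is what a link fault or an unplanned reconfiguration looks like from the control plane), the output is easy to parse. The following Python script is an added example and is not part of the Huawei document or of any Huawei tooling; the sample text is constructed after the display sep topology output above (spacing approximate), and the function names parse_sep_topology and audit_sep_segment are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the 'display sep topology' output shown in
# this example (the closed ring before 'block port middle' is applied);
# column spacing is approximate, not copied from a device.
SEP_TOPOLOGY_CLOSED = """\
SEP segment 1
-------------------------------------------------------------------------
System Name      Port Name   Port Role   Port Status   Hop
-------------------------------------------------------------------------
PE1              GE1/0/1     primary     forwarding    1
LSW1             GE1/0/1     common      forwarding    2
LSW1             GE1/0/2     common      forwarding    3
LSW3             GE1/0/2     common      forwarding    4
LSW3             GE1/0/1     common      forwarding    5
LSW2             GE1/0/2     common      forwarding    6
LSW2             GE1/0/1     common      forwarding    7
PE2              GE1/0/1     secondary   discarding    8
"""

# Constructed sample with no discarding port at all: the ring is open
# (for example after the 'shutdown' on LSW2 GE1/0/1 used in the fault test).
SEP_TOPOLOGY_OPEN = SEP_TOPOLOGY_CLOSED.replace("discarding", "forwarding")

ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(primary|secondary|common)\s+"
    r"(forwarding|discarding)\s+(\d+)$"
)


def parse_sep_topology(text: str) -> List[Dict]:
    """Return one dict per interface row; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"system": m.group(1), "port": m.group(2),
                         "role": m.group(3), "status": m.group(4),
                         "hop": int(m.group(5))})
    return rows


def audit_sep_segment(rows: List[Dict],
                      expected_blocked: Optional[Tuple[str, str]] = None) -> Dict:
    """Check the invariants of a healthy closed SEP segment.

    A closed segment has contiguous hop numbers, a primary edge port at hop 1,
    a secondary edge port at the last hop and exactly one discarding port.
    If expected_blocked is given, the discarding port must be that one; a
    blocked port that moved means the topology changed and deserves an alert.
    """
    issues: List[str] = []
    if not rows:
        return {"blocked": [], "issues": ["no interface rows parsed"]}
    hops = [r["hop"] for r in rows]
    if hops != list(range(1, len(rows) + 1)):
        issues.append(f"hop numbers are not contiguous: {hops}")
    if rows[0]["role"] != "primary":
        issues.append("hop 1 is not the primary edge port")
    if rows[-1]["role"] != "secondary":
        issues.append("last hop is not the secondary edge port (output truncated or edge port missing)")
    blocked = [(r["system"], r["port"]) for r in rows if r["status"] == "discarding"]
    if not blocked:
        issues.append("no discarding port: the ring is open (link fault) or the segment is not closed")
    elif len(blocked) > 1:
        issues.append(f"more than one discarding port: {blocked}")
    if expected_blocked is not None and blocked != [expected_blocked]:
        issues.append(f"blocked port moved: expected {expected_blocked}, found {blocked}")
    return {"blocked": blocked, "issues": issues}


if __name__ == "__main__":
    for name, text in (("closed", SEP_TOPOLOGY_CLOSED), ("open", SEP_TOPOLOGY_OPEN)):
        result = audit_sep_segment(parse_sep_topology(text),
                                   expected_blocked=("PE2", "GE1/0/1"))
        print(name, result)
```

Run it once against a known-good snapshot to record which port is expected to be discarding, then pass that pair as expected_blocked on later polls; any non-empty issues list is the condition to page on.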
# Configure PE2.
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE2-mst-region] active region-configuration //Activate MST region configuration.
[PE2-mst-region] quit
[PE2] rrpp domain 1 //Create RRPP domain 1.
[PE2-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure PE3.
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE3-mst-region] active region-configuration //Activate MST region configuration.
[PE3-mst-region] quit
[PE3] rrpp domain 1 //Create RRPP domain 1.
[PE3-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure PE4.
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE4-mst-region] active region-configuration //Activate MST region configuration.
[PE4-mst-region] quit
[PE4] rrpp domain 1 //Create RRPP domain 1.
[PE4-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE4-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
NOTE
The control VLAN must be a VLAN that has not been created or used, but the command for creating a
common VLAN is automatically displayed in the configuration file after the control VLAN is created.
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On PE1, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
# On PE2, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/3] quit
# On PE3, create VLAN 100 and add GE1/0/1 and GE1/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/2] port link-type trunk
# On PE4, create VLAN 100 and add GE1/0/1 and GE1/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/1] port link-type trunk
[PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/1] quit
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/2] quit
3. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on the major ring,
and configure primary and secondary interfaces of the master node.
# Configure PE1.
[PE1] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //Configure the master node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary interface.
[PE1-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure PE2.
[PE2] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary interface.
[PE2-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure PE3.
[PE3] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
[PE3-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure PE4.
[PE4] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
[PE4-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After the configuration is complete, run the display rrpp brief or display rrpp verbose
domain command. PE1 is used as an example.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
According to the preceding information, RRPP is enabled on PE1; in RRPP domain 1 the major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6; the VLANs mapped to instance 1 are the protected VLANs; PE1 is the master node in ring 1; the primary interface is GE1/0/2 and the secondary interface is GE1/0/3.
[PE1] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: BLOCKED
In RRPP domain 1 the major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6; the VLANs mapped to instance 1 are the protected VLANs; PE1 is the master node and the ring is in Complete state; the primary interface is GE1/0/2 and the secondary interface is GE1/0/3.
Step 3 Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.
The configuration details are not mentioned here. For details, see configuration files in this
example.
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 on LSW3 changes from
the discarding state to the forwarding state.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of PE1
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge secondary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
l Configuration file of PE3
#
sysname PE3
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
return
l Configuration file of PE4
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
VBST Overview
VLAN-based Spanning Tree (VBST), a Huawei proprietary protocol, constructs a spanning
tree in each VLAN so that traffic from different VLANs can be forwarded through different
spanning trees. VBST is equivalent to the Spanning Tree Protocol (STP) or Rapid Spanning
Tree Protocol (RSTP) running in each VLAN. Spanning trees in different VLANs are
independent of each other.
Currently, there are three standard spanning tree protocols: STP, RSTP, and Multiple Spanning
Tree Protocol (MSTP). STP and RSTP cannot implement VLAN-based load balancing,
because all the VLANs on a LAN share a spanning tree and packets in all VLANs are
forwarded along this spanning tree. In addition, the blocked link does not carry any traffic,
which wastes bandwidth and may cause a failure to forward packets from some VLANs. In
real-world situations, MSTP is preferred because it is compatible with STP and RSTP, ensures
fast convergence, and provides multiple paths to load balance traffic.
On enterprise networks, users need functions that are easy to use and maintain, whereas configuring MSTP with multiple instances and multiple processes is complex and demands highly skilled engineers.
To address this issue, Huawei developed VBST. VBST constructs a spanning tree in each VLAN so that traffic from different VLANs is load balanced along different spanning trees. In addition, VBST is easy to configure and maintain.
Configuration Notes
When configuring VBST on the switch, pay attention to the following points:
l When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and change of these parameters may cause network flapping. To ensure fast
and stable spanning tree calculation, perform basic configurations on the switch and
interfaces before enabling VBST.
l If the protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs is not configured, VBST cannot be
enabled.
l VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
l If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
you must delete the mapping before changing the STP working mode to VBST.
l If stp vpls-subinterface enable has been configured on the switch, you must run the
undo stp vpls-subinterface enable command on the interface before changing the STP
working mode to VBST.
l If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> priority priority command to change the device priority.
l When more than 128 MSTIs are dynamically specified, STP is disabled in a created
VLAN in the configuration file, for example, stp vlan 100 disable.
l To prevent frequent network flapping, ensure that the values of Hello time, Forward
Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) >= Max Age
– Max Age >= 2 x (Hello Time + 1.0 second)
l It is recommended that fast convergence in normal mode be used. If the fast mode is used, frequently deleting ARP entries may drive CPU usage of the MPU and LPU to 100%. As a result, packet processing times out and network flapping occurs.
l After all ports are configured as edge ports and BPDU filter ports in the system view, none of the ports on the switch send BPDUs or negotiate the VBST status with directly connected ports on the peer device. All ports are in forwarding state. This may cause loops on the network, leading to broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with
the directly connected port on the peer device. Exercise caution when you configure a
port as an edge port and BPDU filter port.
l Root protection takes effect only on designated ports.
l An alternate port is the backup of the root port. If a switch has an alternate port, you need
to configure loop protection on both the root port and alternate port.
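The two timer formulas in the notes above are easy to violate when someone tunes Hello Time or Forward Delay on one switch without recomputing the others, and a violation shows up as the "frequent network flapping" the note warns about. The following Python script is an added example, not Huawei code: it checks a set of timers against both inequalities, derives the smallest consistent Max Age and Forward Delay for a given Hello Time, and applies the check to the Config Times and Active Times lines of the display stp vlan output shown later in this chapter. The sample output is constructed (spacing approximate) and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

TIMES_LINE = re.compile(
    r"(Config|Active) Times\s*:\s*Hello\s+(\d+)s\s+MaxAge\s+(\d+)s\s+FwDly\s+(\d+)s"
)


def check_stp_timers(hello: float, max_age: float, forward_delay: float) -> List[str]:
    """Return the violated constraints (empty list when the timers are consistent).

    The two inequalities are the ones given in the configuration notes:
      2 x (Forward Delay - 1.0 second) >= Max Age
      Max Age >= 2 x (Hello Time + 1.0 second)
    """
    violations = []
    if 2 * (forward_delay - 1.0) < max_age:
        violations.append(
            f"2 x (Forward Delay {forward_delay}s - 1s) = {2 * (forward_delay - 1.0):g}s "
            f"is below Max Age {max_age}s")
    if max_age < 2 * (hello + 1.0):
        violations.append(
            f"Max Age {max_age}s is below 2 x (Hello {hello}s + 1s) = {2 * (hello + 1.0):g}s")
    return violations


def minimum_timers_for_hello(hello: float) -> Tuple[float, float]:
    """Smallest Max Age and Forward Delay that satisfy both formulas for a given Hello Time."""
    max_age = 2 * (hello + 1.0)          # second formula, taken with equality
    forward_delay = max_age / 2 + 1.0    # first formula, taken with equality
    return max_age, forward_delay


def audit_display_stp(output: str) -> Dict[str, List[str]]:
    """Check the Config/Active Times lines of 'display stp vlan <id>' output."""
    findings = {}
    for m in TIMES_LINE.finditer(output):
        label = m.group(1)
        hello, max_age, fwdly = int(m.group(2)), int(m.group(3)), int(m.group(4))
        findings[label] = check_stp_timers(hello, max_age, fwdly)
    return findings


# Constructed excerpt modelled on the 'display stp vlan 10' output in this
# chapter (default timers Hello 2s, MaxAge 20s, FwDly 15s).
SAMPLE_DISPLAY = """\
-------[VLAN 10 Global Info]-------
Bridge ID         :0 .0200-0000-6703
Config Times      :Hello 2s MaxAge 20s FwDly 15s
Active Times      :Hello 2s MaxAge 20s FwDly 15s
"""

if __name__ == "__main__":
    print(audit_display_stp(SAMPLE_DISPLAY))   # both lists empty: defaults are consistent
    print(check_stp_timers(2, 20, 10))         # Forward Delay too short for Max Age
    print(minimum_timers_for_hello(2))         # (6.0, 4.0)
```

The defaults (2 s, 20 s, 15 s) satisfy both formulas with margin: 2 x (15 - 1) = 28 >= 20 and 20 >= 2 x (2 + 1) = 6. Because the Active Times of every non-root bridge are inherited from the root, checking the root bridge's Config Times is usually enough, but comparing the two lines on each switch catches a root change that has propagated unexpected timers.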
Networking Requirements
As shown in Figure 7-12, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches). SwitchC transmits traffic from VLAN 10 and
VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A ring network is
formed between the access layer and aggregation layer. The enterprise requires that service
traffic in each VLAN be correctly forwarded and service traffic from different VLANs be
load balanced to improve link use efficiency.
Figure 7-12 (diagram not reproduced; labels only): Core Network; SwitchA, SwitchB; GE1/0/1, GE1/0/1; VLAN 10, 20, 30; GE1/0/3, GE1/0/2, GE1/0/2, GE1/0/3; GE1/0/4, GE1/0/5, GE1/0/4, GE1/0/5; legend: Root bridge, Unblocked link, Blocked link, Blocked port.
Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation layer and to ensure that service traffic in each VLAN is correctly forwarded. In addition, traffic from different VLANs can be load balanced. The configuration roadmap is as follows:
path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30 so that GE1/0/2 is
blocked in the spanning tree of VLAN 20 and VLAN 30.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports to reduce
VBST topology calculation and improve topology convergence.
Procedure
Step 1 Configure Layer 2 forwarding on switches of the ring network.
l Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 20 30
# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
3. Configure the path cost for a port in each VLAN so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an example. Set
the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet1/0/2] quit
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet1/0/2] quit
By default, all ports join VLAN 1 and VBST is enabled in VLAN 1. To reduce spanning tree
calculation, disable VBST in VLAN 1. To prevent loops in VLAN 1 after VBST is disabled,
delete ports from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA.
[SwitchA] stp vlan 1 disable
Step 3 Configure ports connected to terminals as edge ports to improve topology convergence.
# On SwitchC and SwitchD, configure GE1/0/4 and GE1/0/5 connected to terminals as edge
ports.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp edged-port enable
[SwitchC-GigabitEthernet1/0/4] quit
[SwitchC] interface gigabitethernet 1/0/5
[SwitchC-GigabitEthernet1/0/5] stp edged-port enable
[SwitchC-GigabitEthernet1/0/5] quit
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] stp edged-port enable
[SwitchD-GigabitEthernet1/0/4] quit
[SwitchD] interface gigabitethernet 1/0/5
[SwitchD-GigabitEthernet1/0/5] stp edged-port enable
[SwitchD-GigabitEthernet1/0/5] quit
After the configuration is complete and the network topology becomes stable, perform the
following operations to verify the configuration.
# Run the display stp bridge local command on SwitchA to check the STP working mode.
[SwitchA] display stp bridge local
VLAN-ID Bridge ID Hello Max Forward Protocol
Time Age Delay
----- -------------------- ----- --- ------- ---------------------------
10 0.0200-0000-6703 2 20 15 VBST
20 0.0200-0000-6703 2 20 15 VBST
30 4096.0200-0000-6703 2 20 15 VBST
# Run the display stp brief command on SwitchA to check the port status.
[SwitchA] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
The preceding information shows that SwitchA participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root bridge in VLAN 10
and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected as designated ports.
GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as designated ports. SwitchA is the
secondary root bridge in VLAN 30, so GE1/0/1 is selected as the root port and GE1/0/2 is
selected as the designated port in VLAN 30.
# Run the display stp vlan 10 command on SwitchA to check detailed information about
VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :0 .0200-0000-6703
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :0 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
The preceding information shows that SwitchA is selected as the root bridge in VLAN 10 and
GE1/0/1 and GE1/0/3 are selected as designated ports in FORWARDING state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to check the port
status.
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
[SwitchC] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SwitchD] display stp brief
VLAN-ID Port Role STP State Protection
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE
The preceding information shows that SwitchB participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning tree calculation in
VLAN 10 and VLAN 20, and SwitchD participates in spanning tree calculation in VLAN 20
and VLAN 30. After the calculation is complete, ports are selected as different roles to
eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and traffic in
VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning trees to implement
load balancing.
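The display stp brief tables above are the per-VLAN ground truth for this design: on each non-root switch every VLAN must have exactly one ROOT port, and the ALTE ports on GE1/0/2 of SwitchC and SwitchD must stay DISCARDING, because an alternate port that starts forwarding means the VLAN loop the design relies on VBST to block is open. The following Python script is an added example, not Huawei code: it parses the table, applies those checks per VLAN, and diffs two snapshots so that a role or state change between polls can be alerted on. The sample tables are constructed after the SwitchA and SwitchC outputs above (spacing approximate) and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PortKey = Tuple[int, str]

BRIEF_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(ROOT|DESI|ALTE|BACK|MAST)\s+"
    r"(FORWARDING|DISCARDING|LEARNING)\s+(\S+)$"
)

# Constructed samples modelled on the 'display stp brief' outputs shown in
# this example for SwitchA and SwitchC (spacing approximate).
SWITCH_A_BRIEF = """\
VLAN-ID  Port                 Role  STP State   Protection
10       GigabitEthernet1/0/1 DESI  FORWARDING  NONE
10       GigabitEthernet1/0/3 DESI  FORWARDING  NONE
20       GigabitEthernet1/0/1 DESI  FORWARDING  NONE
20       GigabitEthernet1/0/2 DESI  FORWARDING  NONE
20       GigabitEthernet1/0/3 DESI  FORWARDING  NONE
30       GigabitEthernet1/0/1 ROOT  FORWARDING  NONE
30       GigabitEthernet1/0/2 DESI  FORWARDING  NONE
"""

SWITCH_C_BRIEF = """\
VLAN-ID  Port                 Role  STP State   Protection
10       GigabitEthernet1/0/2 ALTE  DISCARDING  NONE
10       GigabitEthernet1/0/3 ROOT  FORWARDING  NONE
10       GigabitEthernet1/0/4 DESI  FORWARDING  NONE
20       GigabitEthernet1/0/2 ALTE  DISCARDING  NONE
20       GigabitEthernet1/0/3 ROOT  FORWARDING  NONE
20       GigabitEthernet1/0/5 DESI  FORWARDING  NONE
"""


def parse_stp_brief(text: str) -> Dict[PortKey, Dict[str, str]]:
    """Map (vlan, port) -> role/state/protection; the header line is skipped."""
    ports = {}
    for line in text.splitlines():
        m = BRIEF_ROW.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = {
                "role": m.group(3), "state": m.group(4), "protection": m.group(5)}
    return ports


def audit_stp_brief(ports: Dict[PortKey, Dict[str, str]],
                    root_vlans: Iterable[int] = ()) -> List[str]:
    """Per-VLAN sanity checks for one switch's VBST port table.

    root_vlans lists the VLANs in which this switch is meant to be the root
    bridge (no root port expected there). Every other VLAN must have exactly
    one root port, and an alternate/backup port must never be forwarding.
    """
    root_vlans = set(root_vlans)
    issues = []
    by_vlan = defaultdict(list)
    for (vlan, port), info in ports.items():
        by_vlan[vlan].append((port, info))
    for vlan in sorted(by_vlan):
        entries = by_vlan[vlan]
        root_ports = [p for p, i in entries if i["role"] == "ROOT"]
        if vlan in root_vlans and root_ports:
            issues.append(f"VLAN {vlan}: expected to be root bridge but has root port {root_ports}")
        if vlan not in root_vlans and len(root_ports) != 1:
            issues.append(f"VLAN {vlan}: expected exactly one root port, found {root_ports}")
        for port, info in entries:
            if info["role"] in ("ALTE", "BACK") and info["state"] == "FORWARDING":
                issues.append(f"VLAN {vlan}: {port} is {info['role']} but FORWARDING (loop risk)")
    return issues


def diff_stp_brief(baseline: Dict[PortKey, Dict[str, str]],
                   current: Dict[PortKey, Dict[str, str]]) -> List[Tuple[PortKey, object, object]]:
    """Ports whose (role, state) changed between two snapshots of the same switch."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        b = baseline.get(key)
        c = current.get(key)
        bv = (b["role"], b["state"]) if b else None
        cv = (c["role"], c["state"]) if c else None
        if bv != cv:
            changes.append((key, bv, cv))
    return changes


if __name__ == "__main__":
    print(audit_stp_brief(parse_stp_brief(SWITCH_A_BRIEF), root_vlans=(10, 20)))  # []
    print(audit_stp_brief(parse_stp_brief(SWITCH_C_BRIEF)))                       # []
```

SwitchA is the root bridge in VLAN 10 and VLAN 20, so it is audited with root_vlans=(10, 20); left out, the same table is reported as missing a root port in those two VLANs, which is the right behaviour for a switch that is not supposed to be root. SwitchC passes with no arguments because it is a non-root bridge in both of its VLANs.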
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/3
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 30
stp edged-port enable
#
return
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-1, an enterprise uses two network segments for office terminals:
10.1.1.0/24 for employees with fixed office terminals and 10.1.2.0/24 for employees on
business trips to temporarily access the network. The enterprise requires that DHCP be used
to assign IP addresses to employees with fixed office terminals and employees on business
trips. A PC (DHCP Client_1) requires fixed IP address 10.1.1.100/24 to meet service
requirements.
Figure 8-1 Networking diagram for configuring the device as a DHCP server
(Diagram not reproduced; labels only: Internet; Switch acting as DHCP Server, with GE1/0/1 as VLANIF10 10.1.1.1/24 and GE1/0/2 as VLANIF11 10.1.2.1/24; LSW_1 and LSW_2 below it; DHCP Client_1 (MAC 286e-d488-b684, IP 10.1.1.100/24) ... DHCP Client_n for employees with fixed office terminals; DHCP Client_s ... DHCP Client_t for employees on business trips.)
Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the Switch to dynamically assign IP addresses to the
terminals on the two network segments. Configure the IP address lease to 30 days for the
employees with fixed office terminals on 10.1.1.0/24 and one day for the employees on
business trips on 10.1.2.0/24 to temporarily access the network.
NOTE
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2 communication.
Procedure
Step 1 Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable
# Configure the terminals connected to VLANIF 11 to obtain IP addresses from the interface
address pool. The default lease (one day) is used and does not need to be configured.
[Switch] interface vlanif 11
[Switch-Vlanif11] dhcp select interface //Enable the DHCP server function based on the interface address pool on the interface. By default, the function is disabled.
[Switch-Vlanif11] quit
Step 5 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.
Step 6 Verify the configuration.
Run the display ip pool command on the Switch to check the configuration of VLANIF 10
and VLANIF 11. For example, the enterprise has 100 employees with fixed office terminals
and 3 employees on business trips.
[Switch] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-----------------------------------------------------------------------------
[Switch] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-----------------------------------------------------------------------------
----End
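The verification step above reads two display ip pool blocks by eye. On a server that serves hundreds of terminals the same counters are worth checking automatically: a pool whose Used column climbs to its Total without a matching growth in terminals, or whose Conflict column is non-zero, is the first sign of a lease that is too long, a rogue host squatting on pool addresses, or a flood of bogus client requests. The following parser and checks are an added example for this guide, not Huawei code; the Vlanif10 block is the guide's own output, while the Vlanif11 block is constructed (Used and Conflict altered) so the checks have something to report, and the 90 % threshold is an assumption.

```python
"""Parse Huawei VRP 'display ip pool' output and flag pools that need attention.

Added example for this guide; it is not Huawei code. The Vlanif10 block is the
guide's own output; the Vlanif11 block is CONSTRUCTED (Used/Conflict altered)
so that the checks have something to report. The 90 % threshold is an assumption.
"""
import re

SAMPLE_OUTPUT = """\
[Switch] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-----------------------------------------------------------------------------
[Switch] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 1 Days 0 Hours 0 Minutes
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 248 3(0) 2 0
-----------------------------------------------------------------------------
"""

# "Key : value" header lines; keys may contain spaces (e.g. "VPN instance") and
# the real console pads the colon with spaces, which \s* absorbs.
KV_RE = re.compile(r"^([A-Za-z][\w-]*(?: [\w-]+)*)\s*:\s*(.+?)\s*$")
# Statistics row: Start End Total Used Idle(Expired) Conflict Disable
STATS_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$"
)


def parse_ip_pools(text):
    """Return one dict per pool: header fields as strings, statistics as ints."""
    pools, current = [], None
    for line in text.splitlines():
        if line.startswith("Pool-name"):        # each pool block starts here
            current = {}
            pools.append(current)
        if current is None:
            continue
        m = STATS_RE.match(line)
        if m:
            keys = ("start", "end", "total", "used", "idle", "expired", "conflict", "disable")
            values = m.groups()[:2] + tuple(int(x) for x in m.groups()[2:])
            current.update(zip(keys, values))
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return pools


def assess_pool(pool, util_warn=0.9):
    """Findings for one pool; an empty list means nothing to report."""
    name = pool.get("Pool-name", "?")
    if "total" not in pool:
        return [f"{name}: no statistics row found"]
    findings = []
    if pool["total"] and pool["used"] / pool["total"] >= util_warn:
        findings.append(f"{name}: {pool['used']}/{pool['total']} addresses in use, pool near exhaustion")
    if pool["conflict"]:
        findings.append(f"{name}: {pool['conflict']} address(es) marked Conflict "
                        "(in use on the segment but not leased by this server)")
    if pool["expired"]:
        findings.append(f"{name}: {pool['expired']} expired lease(s) not yet reclaimed")
    return findings


def assess_all(text):
    """Map pool name -> findings for every pool in a pasted display ip pool output."""
    return {p["Pool-name"]: assess_pool(p) for p in parse_ip_pools(text)}


if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_OUTPUT).items():
        print(name, findings or "ok")
```

Feed the script the output of display ip pool collected over SSH or from a log; the pool names and counters map one to one onto the columns shown in the guide's output.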
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
dhcp server lease day 30 hour 0 minute 0
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 11
#
return
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-2, an enterprise has two offices. To save network resources, the switch
functions as the DHCP server to allocate IP addresses to hosts in the two offices. Hosts in
office 1 are on the network segment 10.1.1.0/25 and are added to VLAN 10; the lease of IP
addresses for these hosts is ten days. Hosts in office 2 are on the network segment
10.1.1.128/25 and are added to VLAN 11; the lease of IP addresses for these hosts is two
days.
Figure 8-2 Networking diagram for configuring a device as the DHCP server
[Figure: the Switch (DHCP Server) has GE1/0/1 in VLANIF10 (10.1.1.1/25) and GE1/0/2 in VLANIF11 (10.1.1.129/25) toward the two offices, and reaches the DNS Server (10.1.2.3/25) over the IP network.]
Configuration Roadmap
The configuration roadmap is as follows:
Configure the switch as the DHCP server to dynamically allocate IP addresses and the DNS
server address to hosts in the two offices. PCs on the network segment 10.1.1.0/25 are for
employees in office 1 and obtain IP addresses with a lease of ten days. PCs on the network
segment 10.1.1.128/25 are for employees in office 2 and obtain IP addresses with a lease of
two days.
Procedure
Step 1 Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable
# Configure the IP addresses and relevant network parameters of the global address pool
pool2.
[Switch] ip pool pool2
[Switch-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Switch-ip-pool-pool2] dns-list 10.1.2.3
[Switch-ip-pool-pool2] gateway-list 10.1.1.129
[Switch-ip-pool-pool2] lease day 2
[Switch-ip-pool-pool2] quit
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.126 125 2 123(0) 0 0
-----------------------------------------------------------------------------
# Run the display ip pool name pool2 command on the switch to view IP address allocation
in the global address pool pool2. The Used field displays the number of allocated IP
addresses.
[Switch] display ip pool name pool2
Pool-name : pool2
Pool-No : 1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 10.1.2.3
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.129
Network : 10.1.1.128
Mask : 255.255.255.128
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.129 10.1.1.254 125 2 123(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
lease day 10 hour 0 minute 0
dns-list 10.1.2.3
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.2.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif11
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
#
return
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-3, the IP phone and PCs are devices in an office area. To uniformly
manage devices and reduce manual configuration costs, the administrator needs to configure
hosts to dynamically obtain IP addresses through DHCP. PCs are fixed terminals in the duty
room. They need to always be online and use domain names to access network devices. In
addition to obtaining an IP address dynamically, the PCs require an unlimited IP address lease
and need to obtain information about the DNS server. The IP phone uses a fixed IP address
10.1.1.4/24 and its MAC address is dcd2-fc96-e4c0. In addition to obtaining an IP address,
the IP phone needs to dynamically obtain the startup configuration file. The startup
configuration file configuration.ini is stored on the FTP server. The routes between the FTP
server and IP phone must be reachable. The gateway address of the PCs and IP phone is
10.1.1.1/24.
Figure 8-3 Networking diagram for configuring a device as the DHCP server
[Figure: SwitchA (DHCP Server) uplinks to the Internet; its GE1/0/1, in VLANIF10 (10.1.1.1/24), connects to SwitchB, behind which sit the DNS Server (10.1.1.2/24), the FTP Server (10.1.1.3/24), the IP Phone (10.1.1.4/24) and the PCs.]
Configuration Roadmap
1. Create a DHCP Option template on SwitchA. In the DHCP Option template view,
configure the startup configuration file for the static client IP phone, and specify the IP
address of the FTP server for the IP phone.
2. Create a global address pool on SwitchA. In the global address pool view, configure the
IP address lease and information about the DNS server for the dynamic client PCs. Bind
an IP address and the DHCP Option template to the MAC address of the static client IP
phone. In this way, the DHCP server can allocate different network parameters to
dynamic and static clients.
Procedure
Step 1 Create a VLAN and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the startup
configuration file for the static client IP phone, and specify the IP address of the file server for
the IP phone.
[SwitchA] dhcp option template template1
[SwitchA-dhcp-option-template-template1] gateway-list 10.1.1.1
[SwitchA-dhcp-option-template-template1] bootfile configuration.ini
[SwitchA-dhcp-option-template-template1] next-server 10.1.1.3
[SwitchA-dhcp-option-template-template1] quit
Step 4 Create an IP address pool. In the IP address pool view, configure the gateway address, IP
address lease, and IP address of the DNS server for the PCs. Allocate a fixed IP address to the
IP phone and configure the startup configuration file.
[SwitchA] ip pool pool1
[SwitchA-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-pool1] dns-list 10.1.1.2
[SwitchA-ip-pool-pool1] gateway-list 10.1.1.1
[SwitchA-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[SwitchA-ip-pool-pool1] lease unlimited
[SwitchA-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
[SwitchA-ip-pool-pool1] quit
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 247(0) 0 2
-----------------------------------------------------------------------------
# Run the display dhcp option template name template1 command on SwitchA to view the
DHCP Option template configuration.
[SwitchA] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini
----End
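The pool above mixes three allocation rules that a reader can easily confuse: a static binding keyed by the client MAC that also carries its DHCP Option template (bootfile and next-server), addresses that are never handed out (the gateway, the excluded DNS and FTP server addresses, the statically bound address), and an unlimited lease with the DNS server address for every other client. The following model of that decision is an added example for this guide, not Huawei code, and it does not speak DHCP on the wire; the addresses, MAC, template and pool are the guide's, while the class and function names (Pool, OptionTemplate, allocate, summary) are my own. Its summary counters reproduce the Total/Used/Idle/Disable row of the guide's display ip pool output after the IP phone and three PCs have been served.

```python
"""Allocation decision of a DHCP server for pool1 in this example.

Added example for this guide; it is not Huawei code and does not speak DHCP on
the wire. Addresses, MAC, template and pool are the guide's; the class and
function names are my own.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class OptionTemplate:
    name: str
    bootfile: str = ""
    next_server: str = ""      # file server the client fetches the bootfile from
    gateway_list: tuple = ()


@dataclass
class Pool:
    network: ipaddress.IPv4Network
    gateway_list: tuple
    dns_list: tuple = ()
    excluded: set = field(default_factory=set)        # excluded-ip-address
    lease: str = "unlimited"                           # lease unlimited
    static_binds: dict = field(default_factory=dict)   # mac -> (ip, OptionTemplate)
    leases: dict = field(default_factory=dict)         # mac -> ip currently held

    def _reserved(self):
        """Addresses never given to a dynamic client: gateway, excluded, statically bound."""
        static_ips = {ip for ip, _ in self.static_binds.values()}
        return set(self.excluded) | set(self.gateway_list) | static_ips

    def allocate(self, mac):
        """Return the offer for a client MAC, or None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.static_binds:                   # 1. static binding wins
            ip, template = self.static_binds[mac]
            self.leases[mac] = ip
            return self._offer(ip, template)
        if mac in self.leases:                         # 2. renewal keeps the same address
            return self._offer(self.leases[mac], None)
        taken = self._reserved() | set(self.leases.values())
        for host in self.network.hosts():              # 3. lowest free host address
            if str(host) not in taken:
                self.leases[mac] = str(host)
                return self._offer(str(host), None)
        return None

    def _offer(self, ip, template):
        offer = {"ip": ip, "mask": str(self.network.netmask),
                 "gateway": self.gateway_list[0], "dns": list(self.dns_list),
                 "lease": self.lease}
        if template is not None:                       # template options ride on the static offer
            offer["bootfile"] = template.bootfile
            offer["next-server"] = template.next_server
            if template.gateway_list:
                offer["gateway"] = template.gateway_list[0]
        return offer

    def summary(self):
        """Counters as 'display ip pool' reports them: Total leaves out the gateway,
        Disable is the excluded set, Idle is what remains after Used."""
        total = self.network.num_addresses - 2 - len(set(self.gateway_list))
        disable = len(self.excluded)
        used = len(self.leases)
        return {"total": total, "used": used, "idle": total - disable - used, "disable": disable}


TEMPLATE1 = OptionTemplate("template1", bootfile="configuration.ini",
                           next_server="10.1.1.3", gateway_list=("10.1.1.1",))


def build_pool1():
    """pool1 exactly as configured on SwitchA in this example."""
    return Pool(network=ipaddress.IPv4Network("10.1.1.0/24"),
                gateway_list=("10.1.1.1",),
                dns_list=("10.1.1.2",),
                excluded={"10.1.1.2", "10.1.1.3"},
                lease="unlimited",
                static_binds={"dcd2-fc96-e4c0": ("10.1.1.4", TEMPLATE1)})


if __name__ == "__main__":
    pool = build_pool1()
    print(pool.allocate("dcd2-fc96-e4c0"))   # IP phone: 10.1.1.4 plus bootfile/next-server
    print(pool.allocate("0011-2233-4455"))   # first PC: 10.1.1.5, unlimited lease, DNS 10.1.1.2
    print(pool.summary())
```

The order of the three rules is the point: a static binding is honoured before any dynamic state, and the statically bound address is also withheld from dynamic clients, so the IP phone keeps 10.1.1.4 even if it boots after all the PCs.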
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
lease unlimited
dns-list 10.1.1.2
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Relevant Information
Video
Configure DHCP Server and Relay
configure the DHCP server function on each aggregation switch (user gateway) and requires
that the DHCP server function be configured on a core device or an exclusive DHCP server
be deployed in the server area. In this case, the aggregation switches functioning as the user
gateways need to be configured with the DHCP relay function to implement exchange of
DHCP packets between the DHCP server and clients.
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-4, an enterprise deploys the DHCP server on the core switch. The
DHCP server and terminals in the enterprise belong to different network segments. The
enterprise requires that the DHCP server should dynamically assign IP addresses to the
terminals.
Figure 8-4 Networking diagram for configuring the device as a DHCP relay
[Figure: SwitchB (DHCP Server) uplinks to the Internet; its GE1/0/1, in VLANIF200 (192.168.20.2/24), connects to GE1/0/1 of SwitchA (DHCP Relay), in VLANIF200 (192.168.20.1/24). GE1/0/2 of SwitchA, in VLANIF100 (10.10.20.1/24), connects to the LSW and the terminals.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay on SwitchA (user gateway) to forward DHCP packets
between the terminals and DHCP server.
2. On SwitchB, configure the DHCP server based on the global address pool so that the
DHCP server can assign IP addresses from the global address pool to the terminals.
NOTE
Use a Huawei S series switch as an example for the DHCP server (SwitchB).
On the LSW, configure the interface link type and VLAN to implement Layer 2 communication.
Procedure
Step 1 Configure the DHCP relay on SwitchA.
# Add the interface to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.20.1 24
[SwitchA-Vlanif200] quit
Step 2 Configure the DHCP server function based on the global address pool on SwitchB.
# Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] dhcp enable
on the global address pool on the interface. By default, the function is disabled.
[SwitchB-Vlanif200] quit
# Create an address pool and configure the attributes. The default lease (one day) is used and
does not need to be configured.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 10.10.20.0 mask 24 //Configure the network
segment and mask of the global address pool.
[SwitchB-ip-pool-pool1] gateway-list 10.10.20.1 //Configure the gateway address
assigned to the terminals.
[SwitchB-ip-pool-pool1] quit
Step 4 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.
# Run the display dhcp relay interface vlanif 100 command on SwitchA to check the DHCP
relay configuration.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server IP address [00] : 192.168.20.2
Gateway address in use : 10.10.20.1
# Run the display ip pool command on SwitchB to check the IP address allocation of pool1.
For example, the enterprise has 100 terminals.
[SwitchB] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.20.1
Network : 10.10.20.0
Mask : 255.255.255.0
VPN instance : --
--------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
--------------------------------------------------------------------------
10.10.20.1 10.10.20.254 253 100 153(0) 0 0
--------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.10.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.20.2
#
interface Vlanif200
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 100
#
return
return
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-5, an enterprise deploys its headquarters and branch in different areas.
A GRE tunnel is deployed between the headquarters and branch to enable them to
communicate through the Internet. To facilitate unified management, the enterprise
administrator deploys the DHCP server on Switch_1 in the headquarters to assign IP
addresses to the terminals in the headquarters and branch. The network segments 10.1.1.0/24
and 10.2.1.0/24 are planned for the headquarters and branch respectively.
Figure 8-5 Networking diagram for configuring the device as a DHCP relay
[Figure: Headquarters: Switch_1 (DHCP Server) with GE1/0/0 in VLANIF10 (192.168.20.1/24) and GE2/0/0 in VLANIF30 (10.1.1.1/24) toward LSW_1 and the headquarters DHCP clients. Switch_2 with GE1/0/0 in VLANIF10 (192.168.20.2/24) and GE2/0/0 in VLANIF20 (192.168.30.1/24). Branch: Switch_3 (DHCP Relay) with GE1/0/0 in VLANIF20 (192.168.30.2/24) and GE2/0/0 in VLANIF30 (10.2.1.1/24) toward LSW_2 and the branch DHCP clients. A GRE tunnel runs between Switch_1 (Tunnel 192.168.40.1/24) and Switch_3 (Tunnel 192.168.40.2/24).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Run OSPF between Switch_1, Switch_2, and Switch_3 to ensure the communication
between devices.
2. On Switch_1 and Switch_3, configure tunnel interfaces and create a GRE tunnel.
3. On Switch_1, configure the DHCP server based on the global address pool so that the
DHCP server can assign IP addresses from the global address pool to the terminals in the
headquarters and branch.
4. On Switch_3, which functions as the branch's gateway, configure the DHCP relay function
to forward DHCP packets between the terminals and the DHCP server so that the terminals
can apply to the DHCP server for IP addresses.
NOTE
Use a Huawei S series switch as an example for the DHCP server (Switch_1).
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2 communication.
Procedure
Step 1 Configure an IP address for each physical interface on Switch_1 through Switch_3.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
[Switch_1] interface gigabitethernet 1/0/0
[Switch_1-GigabitEthernet1/0/0] port link-type trunk
[Switch_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/0] quit
[Switch_1] interface gigabitethernet 2/0/0
[Switch_1-GigabitEthernet2/0/0] port link-type trunk
[Switch_1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_1-GigabitEthernet2/0/0] quit
# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 10 20
[Switch_2] interface gigabitethernet 1/0/0
[Switch_2-GigabitEthernet1/0/0] port link-type trunk
[Switch_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/0] quit
[Switch_2] interface gigabitethernet 2/0/0
[Switch_2-GigabitEthernet2/0/0] port link-type trunk
[Switch_2-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[Switch_2-GigabitEthernet2/0/0] quit
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 192.168.20.2 24
[Switch_2-Vlanif10] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 192.168.30.1 24
[Switch_2-Vlanif20] quit
# Configure Switch_3.
<HUAWEI> system-view
[HUAWEI] sysname Switch_3
[Switch_3] vlan batch 20 30
[Switch_3] interface gigabitethernet 1/0/0
[Switch_3-GigabitEthernet1/0/0] port link-type trunk
[Switch_3-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[Switch_3-GigabitEthernet1/0/0] quit
[Switch_3] interface gigabitethernet 2/0/0
[Switch_3-GigabitEthernet2/0/0] port link-type trunk
[Switch_3-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_3-GigabitEthernet2/0/0] quit
[Switch_3] interface vlanif 20
[Switch_3-Vlanif20] ip address 192.168.30.2 24
[Switch_3-Vlanif20] quit
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] ip address 10.2.1.1 24
[Switch_3-Vlanif30] quit
# Configure Switch_2.
[Switch_2] ospf 1
[Switch_2-ospf-1] area 0
[Switch_2-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] network 192.168.30.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] quit
[Switch_2-ospf-1] quit
# Configure Switch_3.
[Switch_3] ospf 1
[Switch_3-ospf-1] area 0
# Configure Switch_3.
[Switch_3] interface tunnel 1
[Switch_3-Tunnel1] tunnel-protocol gre
[Switch_3-Tunnel1] ip address 192.168.40.2 24
[Switch_3-Tunnel1] source 192.168.30.2
[Switch_3-Tunnel1] destination 192.168.20.1
[Switch_3-Tunnel1] quit
# Configure the terminals connected to VLANIF30 to obtain IP addresses from the global
address pool.
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] dhcp select global //Enable the DHCP server function based
on the global address pool on the interface. By default, the function is disabled.
[Switch_1-Vlanif30] quit
# Configure a static route to the network segment of the terminals in the branch.
[Switch_1] ip route-static 10.2.1.0 255.255.255.0 tunnel 1
# Configure the DHCP relay function on VLANIF 30 and specify the DHCP server address
for the relay.
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] dhcp select relay //Enable the DHCP relay function. By
default, the function is disabled.
[Switch_3-Vlanif30] dhcp relay server-ip 10.1.1.1 //Configure the DHCP server IP
address for the DHCP relay agent.
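What makes this example work is a single header field. A branch terminal broadcasts its request on 10.2.1.0/24; Switch_3 writes its VLANIF 30 address into giaddr and unicasts the request to 10.1.1.1 over the tunnel; Switch_1 then selects the pool whose network contains giaddr (pool1), and sends its reply back to the relay. A headquarters terminal on Switch_1's own VLANIF 30 arrives with giaddr 0.0.0.0 and is matched against that interface's address instead (pool2). The exchange below, with both the relay and the server side, is an added example for this guide and not Huawei code; the messages are plain dicts standing in for the DHCP header fields, the pool networks are those shown by display ip pool on Switch_1, and the function names are my own.

```python
"""Relay/server exchange behind this example: giaddr decides the pool.

Added example for this guide, not Huawei code. Messages are dicts standing in
for the DHCP header fields giaddr, hops and chaddr; function names are mine.
"""
import ipaddress

MAX_HOPS = 16   # RFC 1542: a relay discards a message whose hops field exceeds 16

# Pool networks on Switch_1 in this example (both appear in display ip pool).
POOLS = {
    "pool1": ipaddress.IPv4Network("10.2.1.0/24"),   # branch, gateway 10.2.1.1
    "pool2": ipaddress.IPv4Network("10.1.1.0/24"),   # headquarters, gateway 10.1.1.1
}


def relay_forward(msg, relay_iface_ip, server_ip):
    """Relay side (Switch_3): returns (destination, rewritten message) or None when dropped."""
    if msg["hops"] >= MAX_HOPS:
        return None
    out = dict(msg)
    out["hops"] = msg["hops"] + 1
    if out["giaddr"] == "0.0.0.0":          # only the first relay in the path sets giaddr
        out["giaddr"] = relay_iface_ip
    return server_ip, out


def select_pool(pools, giaddr, ingress_ip):
    """Server side: longest-prefix match of giaddr (or, if unset, the ingress interface)."""
    key = ingress_ip if giaddr == "0.0.0.0" else giaddr
    addr = ipaddress.IPv4Address(key)
    best = None
    for name, net in pools.items():
        if addr in net and (best is None or net.prefixlen > pools[best].prefixlen):
            best = name
    return best


def server_handle(msg, ingress_ip, pools=POOLS):
    """Server side (Switch_1): returns (pool name, reply destination) or None when no pool matches."""
    pool = select_pool(pools, msg["giaddr"], ingress_ip)
    if pool is None:
        return None
    # A relayed request is answered to the relay (giaddr); a direct one on the local segment.
    reply_to = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else "broadcast"
    return pool, reply_to


def branch_discover():
    """CONSTRUCTED DISCOVER from a branch terminal as it reaches Switch_3."""
    return {"op": "DISCOVER", "chaddr": "0011-2233-4455", "giaddr": "0.0.0.0", "hops": 0}


if __name__ == "__main__":
    dest, fwd = relay_forward(branch_discover(), "10.2.1.1", "10.1.1.1")
    print("relay ->", dest, fwd)                          # giaddr 10.2.1.1, hops 1
    print("server:", server_handle(fwd, "192.168.40.1"))  # ('pool1', '10.2.1.1')
    print("direct:", server_handle(branch_discover(), "10.1.1.1"))  # ('pool2', 'broadcast')
```

Two consequences follow directly from the code and are worth checking on a real deployment: the reply goes to giaddr, so the relay's VLANIF 30 address must be routable from the server (hence the static route to 10.2.1.0/24 through the tunnel), and a request whose giaddr falls in no configured pool is simply left unanswered.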
Step 6 Configure each terminal (using the PC running Windows 7 as an example) to automatically
obtain an IP address.
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Obtain an IP
address automatically, and click OK.
Step 7 Verify the configuration.
# Run the display dhcp relay interface vlanif 30 command on Switch_3 to check the DHCP
relay configuration.
[Switch_3] display dhcp relay interface vlanif 30
Pool-No : 0
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Network : 10.2.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Pool-No : 1
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 10 30
#
dhcp enable
#
ip pool pool1
gateway-list 10.2.1.1
#
ip pool pool2
gateway-list 10.1.1.1
#
interface Vlanif10
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 192.168.40.1 255.255.255.0
tunnel-protocol gre
source 192.168.20.1
destination 192.168.30.2
#
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1
#
return
l Configuration file of Switch_2
#
sysname Switch_2
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.20.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
#
return
l Configuration file of Switch_3
#
interface Vlanif20
ip address 192.168.30.2 255.255.255.0
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.0
dhcp select relay
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-6, Switch_1 functions as the DHCP client to dynamically obtain
information including the IP address, DNS server address, and gateway address from the
DHCP server (Switch_2).
Figure 8-6 Networking diagram for configuring a device as the DHCP server
[Figure: Switch_2 (DHCP Server), GE1/0/1 in VLANIF10 (192.168.1.1/24), connects to GE1/0/1 of Switch_1 (DHCP Client), also in VLANIF10. The DNS Server is 192.168.1.2/24 and the Gateway is 192.168.1.126/24.]
Configuration Roadmap
1. Configure Switch_1 as the DHCP client to dynamically obtain the IP address from a
DHCP server.
2. Configure Switch_2 as the DHCP server to dynamically allocate network parameters
including IP addresses to Switch_1.
Procedure
Step 1 Configure Switch_1 as the DHCP client.
# Create VLAN 10, and add GE1/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan 10
[Switch_1-vlan10] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type trunk
[Switch_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
Step 2 Create a global address pool on Switch_2 and set corresponding attributes.
1. Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] dhcp enable
# After VLANIF 10 obtains an IP address, run the display dhcp client command on Switch_1
to view the status of the DHCP client on VLANIF 10.
[Switch_1] display dhcp client
DHCP client lease information on interface Vlanif10 :
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
DNS : 192.168.1.2
# On Switch_2, run the display ip pool name pool1 command to view IP address allocation
in the address pool. The Used field displays the number of used IP addresses in the address
pool.
[Switch_2] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Domain-name : -
DNS-server0 : 192.168.1.2
NBNS-server0 : -
Netbios-type : -
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 8-7, a host in an enterprise is dual-homed to SwitchA and SwitchB
through Switch. SwitchA functions as the master DHCP server to allocate IP addresses to the
host. If the master DHCP server fails, a backup DHCP server must allocate an IP address to
the host.
Figure 8-7 Networking diagram for configuring a device as the DHCP server
[Figure: the DHCP Client host connects to Switch. GE1/0/1 of Switch uplinks to GE1/0/2 of SwitchA (Master DHCP Server, VLANIF100 10.1.1.1/24) and GE1/0/3 of Switch uplinks to GE1/0/2 of SwitchB (Backup DHCP Server, VLANIF100 10.1.1.129/24); GE1/0/5 of SwitchA and GE1/0/5 of SwitchB link the two servers directly. SwitchA and SwitchB run VRRP VRID 1 with Virtual IP Address 10.1.1.111.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces connecting SwitchA and SwitchB to implement
network-layer connectivity. Configure Switch to transparently transmit Layer 2 packets.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA has a higher priority and
functions as the DHCP server to allocate IP addresses to clients. SwitchB has a lower
priority and functions as a backup DHCP server.
3. Create global address pools on SwitchA and SwitchB, and set corresponding attributes.
4. Configure a loop prevention protocol on Switch, SwitchA, and SwitchB to prevent loops.
In this example, STP is configured.
Procedure
Step 1 Configure network-layer connectivity among devices.
# Configure IP addresses for interfaces connecting SwitchA and SwitchB. SwitchA is used as
an example. The configuration on SwitchB is similar to that on SwitchA. For details, see the
configuration file of SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
# Create an address pool on SwitchA and specify the IP address range 10.1.1.2 to 10.1.1.128,
which does not overlap the IP address range of the address pool on SwitchB.
NOTE
Information about the address pool on the master DHCP server cannot be backed up to a backup DHCP
server in real time. To prevent IP address conflicts after a master/backup switchover, ensure that the
address pool ranges on the master and backup DHCP servers are exclusive to one another.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-1] gateway-list 10.1.1.111
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.129 10.1.1.254
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit
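The NOTE above is the one constraint in this example that nothing on the switches enforces for you: the two servers share a network but not their lease tables, so the only protection against both handing out the same address is that their assignable ranges are disjoint. The check below is an added example for this guide, not Huawei code. SwitchA's pool is taken from the configuration just entered, and its counters reproduce the Total/Disable row of the display ip pool output in the verification step; SwitchB's configuration file is not on this page, so its exclusion of 10.1.1.1 to 10.1.1.128 is an assumption consistent with the range SwitchA keeps. The function names are my own.

```python
"""Check that master and backup DHCP pools cannot lease the same address.

Added example for this guide, not Huawei code. SWITCH_A is taken from the
configuration above; SWITCH_B's exclusion is an ASSUMPTION (its configuration
file is not on this page). Function names are mine.
"""
import ipaddress


def assignable(network, gateways, excluded):
    """Host addresses the pool may lease: hosts minus gateways and excluded ranges."""
    hosts = set(ipaddress.IPv4Network(network).hosts())
    reserved = {ipaddress.IPv4Address(g) for g in gateways}
    for first, last in excluded:                 # inclusive ranges, as excluded-ip-address takes them
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        reserved |= {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return hosts - reserved


def pool_counts(network, gateways, excluded):
    """Counters as 'display ip pool' reports them for SwitchA: Total leaves out the
    gateway, Disable is the excluded addresses, and Used + Idle make up the rest."""
    hosts = set(ipaddress.IPv4Network(network).hosts())
    gw = {ipaddress.IPv4Address(g) for g in gateways} & hosts
    total = len(hosts) - len(gw)
    free = assignable(network, gateways, excluded)
    return {"total": total, "disable": total - len(free), "assignable": len(free)}


def overlap(pool_x, pool_y):
    """Addresses both servers could lease; must be empty for a master/backup pair."""
    return sorted(str(a) for a in assignable(**pool_x) & assignable(**pool_y))


# SwitchA, from the configuration above.
SWITCH_A = {"network": "10.1.1.0/24", "gateways": ["10.1.1.111"],
            "excluded": [("10.1.1.1", "10.1.1.1"), ("10.1.1.129", "10.1.1.254")]}
# SwitchB: ASSUMED exclusion, chosen to be the complement of SwitchA's range.
SWITCH_B = {"network": "10.1.1.0/24", "gateways": ["10.1.1.111"],
            "excluded": [("10.1.1.1", "10.1.1.128")]}


if __name__ == "__main__":
    print("SwitchA counters:", pool_counts(**SWITCH_A))   # total 253, disable 127
    print("overlap:", overlap(SWITCH_A, SWITCH_B) or "none")
```

Run the check against the two running configurations whenever either pool is edited; any non-empty overlap is an address that can be leased twice after a VRRP switchover.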
# Create VRRP group 1 on SwitchA, set the priority of SwitchA in the VRRP group to 120,
and configure clients to obtain IP addresses from a global address pool.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] dhcp select global
[SwitchA-Vlanif100] quit
# Create VRRP group 1 on SwitchB, set the priority of SwitchB in the VRRP group to 100
(default), and configure clients to obtain IP addresses from a global address pool.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] dhcp select global
[SwitchB-Vlanif100] quit
# Disable STP on GE1/0/3 of Switch, and set the path cost of GE1/0/1 to 20000.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] stp cost 20000
[Switch-GigabitEthernet1/0/1] quit
# Run the display ip pool command on SwitchA and SwitchB. The command output shows
that SwitchA, but not SwitchB, successfully allocated an IP address to the client.
[SwitchA] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :1
Idle :125 Expired :0
Conflict :0 Disable :127
IP address Statistic
Total :253
Used :1 Idle :125
Expired :0 Conflict :0 Disable :127
[SwitchB] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :0
Idle :125 Expired :0
Conflict :0 Disable :128
IP address Statistic
Total :253
Used :0 Idle :125
Expired :0 Conflict :0 Disable :128
# Run the shutdown command on GE1/0/2 and GE1/0/5 of SwitchA to simulate a fault.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] shutdown
[SwitchA-GigabitEthernet1/0/5] quit
# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is Master.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.129
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
# Run the display ip pool command on SwitchB to view the address pool configuration.
[SwitchB] display ip pool
-----------------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :1
Idle :124 Expired :0
Conflict :0 Disable :128
IP address Statistic
Total :253
Used :1 Idle :124
Expired :0 Conflict :0 Disable :128
----End
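The counters in the three display ip pool outputs above follow from how the two servers split the segment: each excludes its own VLANIF address and the half of 10.1.1.0/24 that the other server leases, so the master and the backup can never hand out the same address. The following Python model is an added example, not code from the original document; SwitchA's pool is taken from its configuration file on this page, while SwitchB's excluded ranges are an assumption (its own address 10.1.1.129 plus 10.1.1.1 to 10.1.1.128) chosen to mirror SwitchA, and the counter model (Total = host addresses other than the gateway, Disable = excluded addresses among them) is a reading of the output, not a vendor definition.

```python
import ipaddress

# 'ip pool 1' on SwitchA, taken from its configuration file on this page.
POOL_A = {
    "network": "10.1.1.0/24",
    "gateway": "10.1.1.111",                      # the VRRP virtual IP
    "excluded": [("10.1.1.1", "10.1.1.1"),        # SwitchA's own VLANIF100 address
                 ("10.1.1.129", "10.1.1.254")],   # the half of the segment SwitchB leases
}

# SwitchB's configuration file is not on this page. This pool is an assumption that
# mirrors SwitchA: SwitchB excludes its own address 10.1.1.129 and SwitchA's half.
POOL_B = {
    "network": "10.1.1.0/24",
    "gateway": "10.1.1.111",
    "excluded": [("10.1.1.129", "10.1.1.129"),
                 ("10.1.1.1", "10.1.1.128")],
}


def _addresses(start, end):
    """Every address in the inclusive range start..end."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    return {ipaddress.IPv4Address(i) for i in range(first, last + 1)}


def _candidates_and_excluded(pool):
    """Host addresses of the segment minus the gateway, and the union of the excluded ranges."""
    net = ipaddress.IPv4Network(pool["network"])
    candidates = set(net.hosts()) - {ipaddress.IPv4Address(pool["gateway"])}
    excluded = set().union(*(_addresses(a, b) for a, b in pool["excluded"]))
    return candidates, excluded


def allocatable(pool):
    """Addresses the server may actually lease to clients."""
    candidates, excluded = _candidates_and_excluded(pool)
    return candidates - excluded


def pool_statistics(pool, used=0):
    """Reproduce the Total/Used/Idle/Disable counters of 'display ip pool'.

    Model assumption: Total counts host addresses other than the gateway, Disable counts
    the excluded addresses among them, and Idle is what is left after Used leases.
    """
    candidates, excluded = _candidates_and_excluded(pool)
    total = len(candidates)
    disable = len(candidates & excluded)
    return {"Total": total, "Used": used, "Idle": total - disable - used, "Disable": disable}


def overlap(pool_x, pool_y):
    """Addresses both servers could lease. This must be empty: otherwise the master and the
    backup may give the same address to two different clients."""
    return sorted(str(a) for a in allocatable(pool_x) & allocatable(pool_y))


if __name__ == "__main__":
    print("SwitchA:", pool_statistics(POOL_A, used=1))   # matches the first output above
    print("SwitchB:", pool_statistics(POOL_B))           # matches the second output above
    print("overlap:", overlap(POOL_A, POOL_B))
```

Run against the page's values, the model gives Total 253, Disable 127 and Idle 125 for SwitchA and Total 253, Disable 128 and Idle 125 for SwitchB, which are the figures in the outputs; after the failover SwitchB's single lease turns its Idle into 124, exactly as the last output shows. The overlap check is the one worth keeping in a change review: any address that appears in both allocatable sets is a latent duplicate-lease problem that VRRP does nothing to prevent.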
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1
excluded-ip-address 10.1.1.129 10.1.1.254
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
Relevant Information
Video
Configure DHCP Server and Relay
Configuration Notes
l Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
l If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.
Networking Requirements
As shown in Figure 9-1, hosts on different network segments are connected through several
Switches. Any two hosts on different network segments must be able to communicate with
each other without using dynamic routing protocols.
Figure 9-1 Networking diagram of configuring static routes for interworking between
different network segments
(Diagram not reproduced; the interface addresses recovered from it are listed below.)
SwitchA: GE1/0/1 VLANIF10 10.1.4.1/30 (to SwitchB); GE1/0/2 VLANIF30 10.1.1.1/24 (to PC1 10.1.1.2/24)
SwitchB: GE1/0/1 VLANIF10 10.1.4.2/30 (to SwitchA); GE1/0/2 VLANIF20 10.1.4.5/30 (to SwitchC); GE1/0/3 VLANIF40 10.1.2.1/24 (to PC2 10.1.2.2/24)
SwitchC: GE1/0/1 VLANIF20 10.1.4.6/30 (to SwitchB); GE1/0/2 VLANIF50 10.1.3.1/24 (to PC3 10.1.3.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static routes or
default static routes on each Switch so that hosts on different network segments can
communicate with each other.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 30
[SwitchA-GigabitEthernet1/0/2] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.2
#
return
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
#
return
Relevant Information
Video
Static routes are easy to configure and control, and meet network requirements on a simple
network. On a complex network, static routes can also be configured to improve network
performance and ensure bandwidth for important applications.
Configuration Notes
l Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
l If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.
Networking Requirements
On the network shown in Figure 9-2, PC1 and PC2 are connected through four Switches.
Data traffic can be transmitted from PC1 to PC2 through two links: PC1-SwitchA-SwitchB-
SwitchC-PC2 and PC1-SwitchA-SwitchD-SwitchC-PC2. To improve link efficiency, users
want to implement load balancing between the two links. That is, traffic from PC1 to PC2 is
evenly balanced between the two links. When faults occur on one of the two links, traffic is
automatically switched to the other link.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 9-2 (diagram not reproduced; only SwitchD's addresses are recoverable from it)
SwitchD: GE1/0/1 VLANIF400 192.168.14.2/24 (to SwitchA); GE1/0/2 VLANIF300 192.168.34.2/24 (to SwitchC)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure default gateways for hosts.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2
# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1
# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1
# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1
The IP routing table on SwitchA contains two equal-cost routes to network segment
10.1.2.0/24. In this situation, data traffic is evenly balanced between two different links,
achieving load balancing.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2
#
return
Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route
Configuration Notes
l Communication between two devices is bidirectional, so reachable routes must be
available in both directions. To enable two devices to communicate through static routes,
configure a static route on the local device and then configure a return route on the peer
device.
l If an enterprise network has two egresses, two equal-cost static routes can be configured
for load balancing so that traffic is evenly balanced between the two links. Alternatively,
two non-equal-cost static routes can be configured for active/standby backup: when the
active link is faulty, traffic is switched from the active link to the standby link.
Networking Requirements
On the network shown in Figure 9-3, PC1 and PC2 are connected through four Switches.
Data traffic of PC1 can reach PC2 through two links: PC1-SwitchA-SwitchB-SwitchC-PC2
and PC1-SwitchA-SwitchD-SwitchC-PC2. To improve reliability, users want to implement
backup between the two links. That is, traffic from PC1 to PC2 is first transmitted through the
link that passes through SwitchB. When faults occur on this link, traffic is automatically
switched to the link that passes through SwitchD.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 9-3 (diagram not reproduced; only the SwitchB and SwitchD addresses are recoverable from it)
SwitchB: GE1/0/1 VLANIF100 192.168.12.2/24 (to SwitchA); GE1/0/2 VLANIF200 192.168.23.1/24 (to SwitchC)
SwitchD: GE1/0/1 VLANIF400 192.168.14.2/24 (to SwitchA); GE0/0/2 VLANIF300 192.168.34.2/24 (to SwitchC)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure default gateways for hosts.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/3] quit
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.12.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.14.1 24
[SwitchA-Vlanif400] quit
# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2
# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1
Step 5 Configure static routes from PC2 to PC1 and ensure that the active and standby links in two
directions are the same.
# On SwitchC, configure two static routes with different priorities whose next hops point
to SwitchB and SwitchD respectively. Data traffic is then forwarded to SwitchB first; when a
fault occurs on the link that passes through SwitchB, traffic is automatically switched
to SwitchD.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2 preference 70
# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1
# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1
Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD
Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R
The IP routing table on SwitchA contains only one active route to network segment
10.1.2.0/24. Normally, data traffic from PC1 to PC2 is transmitted through the link that passes
through SwitchB. Detailed information about the IP routing table on SwitchA shows two
routes to network segment 10.1.2.0/24: one Active route that passes through SwitchB and the
other Inactive route that passes through SwitchD. When faults occur on the active link, the
Inactive route will become active to take over the traffic. This implements link backup.
----End
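The difference between the two preceding examples is only the preference value on SwitchA's second route: with equal preferences both routes are Active and traffic is balanced, with preference 70 the second route stays Inactive until the first is withdrawn. The following Python model of SwitchA's route selection is an added example, not code from the original document; it uses the prefixes, next hops and VLANIF interfaces from the two configuration files above and treats a route as withdrawn when its outbound VLANIF is down, which is a simplification of what the device does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One 'ip route-static' entry as SwitchA holds it in Figures 9-2 and 9-3."""
    prefix: str            # destination, e.g. "10.1.2.0/24"
    next_hop: str          # next-hop address
    interface: str         # outbound VLANIF through which the next hop is reached
    preference: int = 60   # default for static routes, as the 'Preference: 60' output shows


def active_routes(routes, prefix, down_interfaces=frozenset()):
    """Routes for `prefix` that are installed ('State: Active' on the page).

    A route whose outbound interface is down is withdrawn. Among the rest, only the
    routes sharing the lowest preference value are Active; when several share it they
    are all Active and traffic is balanced across them (equal-cost load balancing).
    """
    candidates = [r for r in routes
                  if r.prefix == prefix and r.interface not in down_interfaces]
    if not candidates:
        return []
    best = min(r.preference for r in candidates)
    return [r for r in candidates if r.preference == best]


def route_states(routes, prefix, down_interfaces=frozenset()):
    """Map next hop -> 'Active'/'Inactive' for the prefix, in the style of the verbose
    routing-table output above (a withdrawn route is reported Inactive here)."""
    active = set(active_routes(routes, prefix, down_interfaces))
    return {r.next_hop: ("Active" if r in active else "Inactive")
            for r in routes if r.prefix == prefix}


def next_hops_for(routes, dst_ip, down_interfaces=frozenset()):
    """Longest-prefix match on dst_ip, then preference: the next hops a packet may use."""
    addr = ipaddress.IPv4Address(dst_ip)
    matching = {r.prefix for r in routes if addr in ipaddress.IPv4Network(r.prefix)}
    if not matching:
        return []
    longest = max(matching, key=lambda p: ipaddress.IPv4Network(p).prefixlen)
    return sorted(r.next_hop for r in active_routes(routes, longest, down_interfaces))


# SwitchA in Figure 9-2: two equal-preference routes, so both are Active.
ECMP_ROUTES = [
    StaticRoute("10.1.2.0/24", "192.168.12.2", "Vlanif100"),
    StaticRoute("10.1.2.0/24", "192.168.14.2", "Vlanif400"),
]

# SwitchA in Figure 9-3: the route via SwitchD carries 'preference 70' and is backup only.
BACKUP_ROUTES = [
    StaticRoute("10.1.2.0/24", "192.168.12.2", "Vlanif100"),
    StaticRoute("10.1.2.0/24", "192.168.14.2", "Vlanif400", preference=70),
]


if __name__ == "__main__":
    print("load balancing:", next_hops_for(ECMP_ROUTES, "10.1.2.2"))
    print("backup, normal:", route_states(BACKUP_ROUTES, "10.1.2.0/24"))
    print("backup, Vlanif100 down:",
          route_states(BACKUP_ROUTES, "10.1.2.0/24", {"Vlanif100"}))
```

With the Figure 9-3 routes the model reports 192.168.12.2 Active and 192.168.14.2 Inactive, and switches to 192.168.14.2 once Vlanif100 is down, which is the behaviour the verbose output above documents. One caveat the model makes visible: the backup route only takes over when the primary is actually withdrawn, so a failure that leaves Vlanif100 up (a fault beyond SwitchB, for instance) is not detected by preference alone; that gap is what the NQA and EFM tracking examples later in this chapter address.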
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2 preference 70
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
Relevant Information
Video
On a simple network or when the route to the destination cannot be established using dynamic
routing protocols, static routes can be configured. Unlike dynamic routing protocols, static
routes do not have a dedicated detection mechanism. If a fault occurs, static routes cannot
detect the fault, and the network administrator must delete the corresponding static route. This
delays the link switchover and may cause lengthy service interruptions.
BFD for IPv4 static routes is adaptable to link changes but both ends of the link must support
BFD. If either end of a link does not support BFD, NQA for IPv4 static routes can be
configured. When an NQA test instance detects a link fault, it instructs the routing
management module to delete the associated static route from the IP routing table. Then
service traffic switches to a route without any link fault to prevent lengthy service
interruptions.
Configuration Notes
l The NQA function of the S12700 can be used only when a license is available. If the
license is unavailable, the NQA commands can be run on the S12700, but the NQA
function does not take effect.
Networking Requirements
On a company network shown in Figure 9-4, access switches SwitchD and SwitchE connect
to aggregation switches SwitchB and SwitchC in dual-homing mode through static routes to
implement redundancy. The requirements are as follows:
l A detection mechanism is deployed for static routes so that static routes can detect link
faults and traffic can switch from a faulty link to prevent lengthy service interruptions.
l In normal cases, traffic is transmitted along the primary link SwitchB→SwitchD.
l When the primary link becomes faulty, traffic switches to the backup link
SwitchC→SwitchD.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 9-4 (networking diagram not reproduced; the device names and VLANIF addresses recovered from it are listed below)
SwitchA (uplink to the IP network): VLANIF 30 192.168.3.1/24 (GE1/0/1, to SwitchB); VLANIF 40 192.168.4.1/24 (GE1/0/2, to SwitchC)
SwitchB: VLANIF 30 192.168.3.2/24 (GE1/0/1, to SwitchA); VLANIF 50 192.168.5.1/24 (GE1/0/2); VLANIF 10 192.168.1.1/24 (GE1/0/3, to SwitchD)
SwitchC: VLANIF 40 192.168.4.2/24 (GE1/0/1, to SwitchA); VLANIF 20 192.168.2.1/24 (to SwitchE)
SwitchD: VLANIF 10 192.168.1.2/24 (to SwitchB); VLANIF 70 192.168.7.1/24
SwitchE: VLANIF 20 192.168.2.2/24 (to SwitchC); VLANIF 80 192.168.8.1/24
Configuration Roadmap
1. Create an Internet Control Message Protocol (ICMP) NQA test instance to monitor the
status of the primary link.
Create an ICMP NQA test instance on the NQA client SwitchB to test whether the
primary link SwitchB→SwitchD is running properly.
2. Configure static routes and associate the static routes with the NQA test instance.
Configure static routes on aggregation switches SwitchB and SwitchC, and associate the
static route configured on SwitchB with the ICMP NQA test instance. When the ICMP
NQA test instance detects a link fault, it instructs the routing management module to
delete the associated static route from the IPv4 routing table.
3. Configure a dynamic routing protocol. Configure a dynamic routing protocol on
aggregation switches SwitchA, SwitchB, and SwitchC so that they can learn routes from
each other.
4. Configure the dynamic routing protocol to import static routes, and set a higher cost for
the static route used for the backup link than for the static route used for the primary link
to improve link reliability.
Configure the dynamic routing protocol on aggregation switches SwitchB and SwitchC
to import static routes, and set a higher cost for the static route imported by SwitchC than
for the static route imported by SwitchB. This configuration allows SwitchA to
preferentially select the link SwitchB→SwitchD with a lower cost.
Procedure
Step 1 Configure VLANs that each interface belongs to.
# Configure SwitchA. Ensure that the configurations of SwitchB, SwitchC, SwitchD, and
SwitchE are the same as the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
Step 3 Create an NQA test instance on SwitchB to test the link between SwitchB and SwitchD.
[SwitchB] nqa test-instance user test //Create an NQA test instance with the administrator name user and instance name test.
[SwitchB-nqa-user-test] test-type icmp //Set the test type of the NQA test instance to ICMP.
[SwitchB-nqa-user-test] destination-address ipv4 192.168.1.2 //Configure the destination address of the NQA test instance to 192.168.1.2.
[SwitchB-nqa-user-test] frequency 10 //Set the interval of periodic NQA test instances to 10s.
[SwitchB-nqa-user-test] probe-count 2 //Set the number of probes to be sent each time in the NQA test instance to 2.
[SwitchB-nqa-user-test] interval seconds 5 //Set the interval at which probe packets are sent in the NQA test instance to 5s.
[SwitchB-nqa-user-test] timeout 4 //Set the timeout period of a probe in the NQA test instance to 4s.
[SwitchB-nqa-user-test] start now
[SwitchB-nqa-user-test] quit
Step 5 Configure a dynamic routing protocol on SwitchA, SwitchB, and SwitchC. OSPF is used in
this example.
# Configure OSPF on SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0.0.0.0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure OSPF on SwitchC to import a static route, and set the cost to 20 for the static
route.
[SwitchC] ospf 1
[SwitchC-ospf-1] import-route static cost 20
[SwitchC-ospf-1] quit
The command output shows "Lost packet ratio 0 %," indicating that the link is running
properly.
# Check the IP routing table on SwitchB.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
The command output shows that a route to 192.168.7.0/24 exists in the routing table. The
route's next hop address is 192.168.3.2 and the cost is 10. Traffic is preferentially transmitted
along the link SwitchB -> SwitchD.
# Shut down GigabitEthernet1/0/3 on SwitchB to simulate a link fault.
[SwitchB] interface GigabitEthernet1/0/3
[SwitchB-GigabitEthernet1/0/3] shutdown
[SwitchB-GigabitEthernet1/0/3] quit
The command output shows "Completion:failed" and "Lost packet ratio is 100 %," indicating
that the link is faulty.
# Check the IP routing table on SwitchB.
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
The command output shows that the static route has been deleted.
# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7
The static route has been associated with the NQA test instance on SwitchB. If NQA detects a
link fault, it rapidly notifies SwitchB that the associated static route is unavailable. SwitchA
cannot learn the route to 192.168.7.0/24 from SwitchB. However, SwitchA can learn the route
to 192.168.7.0/24 from SwitchC. The route's next hop address is 192.168.4.2, and the cost is
20. Traffic switches to the link SwitchC -> SwitchD.
----End
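The verification steps above exercise a chain of four mechanisms: the ICMP NQA test on SwitchB reports a lost-packet ratio, the track binding removes SwitchB's static route when the test fails, OSPF on SwitchB and SwitchC imports whatever static routes each still holds with cost 10 and 20 respectively, and SwitchA installs the cheaper advertisement. The following Python simulation of that chain is an added example, not code from the original document. It takes the addresses, costs and NQA parameters from the configuration files above; the test-round model (every probe answered while the link is up, every probe lost while it is down) and the rule that the track goes down only at a 100 % loss ratio are assumptions matching the two outputs the page quotes, and SwitchC's next hop towards SwitchD is left out because SwitchC's configuration file is truncated on the page.

```python
from dataclasses import dataclass


@dataclass
class NqaIcmpTest:
    """The 'nqa test-instance user test' on SwitchB, reduced to what decides the track."""
    destination: str = "192.168.1.2"   # SwitchD's VLANIF10 address (destination-address ipv4)
    probe_count: int = 2               # probe-count 2
    frequency: int = 10                # frequency 10: seconds between test rounds

    def run_round(self, link_up):
        """Constructed model of one test round: every probe is answered while the link is
        up and every probe times out while it is down. Returns the lost-packet ratio in
        percent, the figure the page's 'Lost packet ratio' lines report (0 % or 100 %)."""
        lost = 0 if link_up else self.probe_count
        return 100 * lost // self.probe_count


def track_up(lost_ratio):
    """Assumption: the track follows the test completion state, which the page shows as
    failed only together with a 100 % lost-packet ratio."""
    return lost_ratio < 100


def switchb_static_routes(track_is_up):
    """'ip route-static 192.168.7.0 255.255.255.0 Vlanif10 192.168.1.2 track nqa user test':
    the route is in SwitchB's routing table only while the tracked test succeeds."""
    return [("192.168.7.0/24", "192.168.1.2")] if track_is_up else []


# SwitchC's static route to 192.168.7.0/24 over the backup link SwitchC->SwitchD. Its next
# hop is not on the page, so only the prefix is modelled (None stands in for the next hop).
SWITCHC_STATIC_ROUTES = [("192.168.7.0/24", None)]


def ospf_external_routes(switchb_routes, switchc_routes):
    """What SwitchA learns: each aggregation switch imports its remaining static routes
    with the cost from its 'import-route static cost N' line (10 on SwitchB, 20 on
    SwitchC), reachable through that switch's address on the VLANIF shared with SwitchA."""
    learned = []
    learned += [(prefix, "192.168.3.2", 10) for prefix, _ in switchb_routes]   # via SwitchB
    learned += [(prefix, "192.168.4.2", 20) for prefix, _ in switchc_routes]   # via SwitchC
    return learned


def switcha_best_route(learned, prefix):
    """SwitchA installs the advertisement with the lowest cost for the prefix."""
    candidates = [(cost, next_hop) for p, next_hop, cost in learned if p == prefix]
    if not candidates:
        return None
    cost, next_hop = min(candidates)
    return {"next_hop": next_hop, "cost": cost}


def converge(link_b_d_up):
    """Run the whole chain for one state of the SwitchB-SwitchD link and return the
    route SwitchA ends up with for 192.168.7.0/24."""
    lost = NqaIcmpTest().run_round(link_b_d_up)
    b_routes = switchb_static_routes(track_up(lost))
    learned = ospf_external_routes(b_routes, SWITCHC_STATIC_ROUTES)
    return switcha_best_route(learned, "192.168.7.0/24")


if __name__ == "__main__":
    print("primary link up:  ", converge(True))    # next hop 192.168.3.2, cost 10
    print("primary link down:", converge(False))   # next hop 192.168.4.2, cost 20
```

The two results reproduce the routing-table observations above: next hop 192.168.3.2 with cost 10 while the NQA test passes, and 192.168.4.2 with cost 20 once the test fails and SwitchB's static route is gone. The point the model makes concrete is that the switchover is driven entirely by the tracked test, not by the state of any OSPF adjacency, so the NQA instance and its track binding deserve the same change control and monitoring as the routes themselves.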
Configuration Files
l Configuration file of aggregation switch SwitchA
#
sysname SwitchA
#
vlan batch 30 40
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
l Configuration file of aggregation switch SwitchB
#
sysname SwitchB
#
vlan batch 10 30 50
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#
interface Vlanif50
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
import-route static cost 10
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
ip route-static 192.168.7.0 255.255.255.0 Vlanif10 192.168.1.2 track nqa user test
#
nqa test-instance user test
test-type icmp
destination-address ipv4 192.168.1.2
frequency 10
interval seconds 5
timeout 4
probe-count 2
start now
#
return
l Configuration file of aggregation switch SwitchC
#
sysname SwitchC
#
vlan batch 20 40 60
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.2 255.255.255.0
#
interface Vlanif60
ip address 192.168.6.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
port link-type trunk
#
return
Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route
Configuration Notes
l By default, EFM is disabled globally and on interfaces.
l After EFM OAM is enabled on an interface, the interface starts to send OAM PDUs to
perform the point-to-point EFM link detection. EFM link detection can be implemented
between two interfaces only after EFM OAM is enabled on the peer interface.
Networking Requirements
As shown in Figure 9-5, SwitchA connects to the NMS across a network segment through
SwitchB. SwitchA and SwitchB need to detect the link quality in real time. When the link
between them becomes faulty, the corresponding static route is deleted from the IP routing
table. Then traffic switches from the faulty link to a normal route to improve network
reliability.
Figure 9-5 Networking for configuring EFM for a static IPv4 route
(Diagram not reproduced; the addresses recovered from it are listed below.)
SwitchA: GE1/0/1 VLANIF10 192.168.1.1/24 (to SwitchB)
SwitchB: GE1/0/1 VLANIF10 192.168.1.2/24 (to SwitchA); GE1/0/2 VLANIF20 192.168.2.2/24 (to the NMS)
NMS: 192.168.2.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM globally and on interfaces of SwitchA and SwitchB to implement
real-time link quality detection.
2. Configure a static route from SwitchA to the NMS and bind the static route to the EFM
state so that the route is associated with EFM. When the link on which the static route
resides becomes faulty, traffic switches to a route without link faults.
Procedure
Step 1 Specify the VLAN to which the interfaces belong.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
mode. That is, the interface is in handshake state. The following uses the display on SwitchA
as an example.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --
# Check the IP routing table on SwitchA. The IP routing table contains the static route.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
# Run the undo efm enable command in the view of GigabitEthernet1/0/1 on SwitchB to
simulate a link fault.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo efm enable
# Run the display efm session all command on SwitchA. The command output shows that the
EFM OAM protocol state is discovery, indicating that the interface is in OAM discovery
state.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 discovery --
# Check the IP routing table on SwitchA. The IP routing table does not contain the static route
192.168.2.0/24. This is because the static route is bound to the EFM state. After EFM OAM
detects a link fault, it rapidly notifies SwitchA that the static route is unavailable.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4
# Run the efm enable command in the view of GigabitEthernet1/0/1 on SwitchB to simulate
link recovery.
[SwitchB-GigabitEthernet1/0/1] efm enable
# Run the display efm session all command on SwitchA. The command output shows that the
EFM OAM protocol state is detect, indicating that the interface is in handshake state again.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --
# Check the IP routing table on SwitchA. The IP routing table contains the static route
192.168.2.0/24 again. After EFM OAM detects that the link recovers from a fault, it rapidly
notifies that the bound static route is valid again.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
efm enable
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 track efm-state GigabitEthernet1/0/1
#
return
Relevant Information
Video
Introduction to OSPF
The Open Shortest Path First (OSPF) protocol is a link-state Interior Gateway Protocol (IGP)
developed by the Internet Engineering Task Force (IETF). OSPF Version 2 defined in RFC
2328 is used in IPv4.
OSPF is loop-free, provides fast route convergence, and supports area partitioning, equal-cost
routes, authentication, and multicast transmission. Therefore, OSPF is widely used as the
mainstream IGP in various industries, including the enterprise, carrier, government, finance,
education, and health care industries.
OSPF uses a hierarchical design, provides various routing policies, and applies to networks
of different sizes and topologies. OSPF is therefore often the first choice when deploying an IGP.
Configuration Notes
l Each router ID in an OSPF process must be unique on an OSPF network. Otherwise, the
OSPF neighbor relationship cannot be established and routing information is incorrect.
You are advised to configure a unique router ID for each OSPF process on an OSPF
device.
l OSPF partitions an AS into different areas, in which Area 0 is the backbone area. OSPF
requires that all non-backbone areas maintain the connectivity with the backbone area
and devices in the backbone area maintain the connectivity with each other.
l Network types of interfaces on both ends of a link must be the same; otherwise, the two
interfaces cannot establish an OSPF neighbor relationship. When the network types of
OSPF interfaces on both ends are broadcast and P2P respectively, the two OSPF
interfaces can still establish an OSPF neighbor relationship but cannot learn routing
information from each other.
l The IP address masks of OSPF interfaces on both ends of a link must be the same;
otherwise, the two OSPF interfaces cannot establish an OSPF neighbor relationship. On
a P2MP network, however, you can run the ospf p2mp-mask-ignore command to
disable a device from checking the network mask so that an OSPF neighbor relationship
can be established.
l On a broadcast or NBMA network, there must be at least one OSPF interface of which
the DR priority is not 0 to ensure that the DR can be elected. Otherwise, the neighbor
status of devices on both ends can only be 2-Way.
l Table 9-1 lists applicable products and versions of this configuration example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
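The neighbor checks in the Configuration Notes above, worked through as an added example (not code from the Huawei switch): each check is applied to the two ends of a link and the predicted neighbor outcome is returned. The SwitchA/SwitchB values are taken from this example; SwitchB's interface address and the rule that p2mp-mask-ignore must be present on both ends are assumptions of the model.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class OspfIntf:
    """One end of an OSPF link: the values the Configuration Notes say must agree."""
    name: str
    router_id: str
    address: str            # interface address with prefix length, e.g. "192.168.0.1/24"
    network_type: str       # "broadcast", "nbma", "p2p" or "p2mp"
    dr_priority: int = 1    # 0 means the interface can never become DR/BDR
    p2mp_mask_ignore: bool = False   # 'ospf p2mp-mask-ignore' configured on this end


def neighbor_outcome(a: OspfIntf, b: OspfIntf) -> str:
    """Predict the neighbor state between a and b.

    Returns one of the labels used in this example:
      "down"            no neighbor relationship is established
      "2-way"           neighbors stop at 2-Way because no DR can be elected
      "full-no-routes"  adjacency forms but the two ends do not learn routes
      "full"            adjacency forms and routes are exchanged
    """
    # Duplicate router IDs: the neighbor relationship cannot be established.
    if a.router_id == b.router_id:
        return "down"

    # Network types must match; broadcast versus P2P is the one combination
    # that still forms a neighbor relationship, but without route learning.
    if a.network_type != b.network_type:
        if {a.network_type, b.network_type} == {"broadcast", "p2p"}:
            return "full-no-routes"
        return "down"

    # Masks must match, unless both ends of a P2MP link ignore the mask
    # (assumption of this model: the command is needed on both ends, since
    # each router checks the mask in the Hello packets it receives).
    ia, ib = IPv4Interface(a.address), IPv4Interface(b.address)
    mask_checked = not (a.network_type == "p2mp" and a.p2mp_mask_ignore and b.p2mp_mask_ignore)
    if mask_checked and ia.network.prefixlen != ib.network.prefixlen:
        return "down"
    # On a shared segment both addresses must also belong to the same subnet.
    if a.network_type in ("broadcast", "nbma") and ia.network != ib.network:
        return "down"

    # On broadcast/NBMA at least one interface needs a non-zero DR priority;
    # otherwise no DR is elected and the neighbors stay in 2-Way.
    if a.network_type in ("broadcast", "nbma") and a.dr_priority == 0 and b.dr_priority == 0:
        return "2-way"
    return "full"


# Constructed values for the SwitchA-SwitchB link of Figure 9-6 (Area 0,
# 192.168.0.0/24): router IDs from the example, SwitchB's address assumed.
SWITCH_A = OspfIntf("SwitchA", "10.1.1.1", "192.168.0.1/24", "broadcast")
SWITCH_B = OspfIntf("SwitchB", "10.2.2.2", "192.168.0.2/24", "broadcast")


def demo_cases() -> dict:
    """Run the checks for the working link and for each misconfiguration."""
    return {
        "as-configured": neighbor_outcome(SWITCH_A, SWITCH_B),
        "duplicate-router-id": neighbor_outcome(SWITCH_A, replace(SWITCH_B, router_id="10.1.1.1")),
        "mask-mismatch": neighbor_outcome(SWITCH_A, replace(SWITCH_B, address="192.168.0.2/25")),
        "broadcast-vs-p2p": neighbor_outcome(SWITCH_A, replace(SWITCH_B, network_type="p2p")),
        "both-priority-0": neighbor_outcome(replace(SWITCH_A, dr_priority=0),
                                            replace(SWITCH_B, dr_priority=0)),
        "p2mp-mask-ignore": neighbor_outcome(
            replace(SWITCH_A, network_type="p2mp", p2mp_mask_ignore=True),
            replace(SWITCH_B, network_type="p2mp", address="192.168.0.2/30",
                    p2mp_mask_ignore=True)),
    }


if __name__ == "__main__":
    for case, state in demo_cases().items():
        print(f"{case:22} -> {state}")
```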
Networking Requirements
As shown in Figure 9-6, three switches, SwitchA, SwitchB, and SwitchC reside on the OSPF
network. The three switches need to communicate with each other, and SwitchA and SwitchB
function as core switches to support network expansion.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each VLANIF interface on each switch and specify the
VLAN to which the interfaces belong to implement interworking.
2. Configure basic OSPF functions on each switch and partition the OSPF network into
Area 0 and Area 1 with SwitchA as the area border router (ABR). Consequently, the area
where SwitchA and SwitchB reside becomes the backbone area and can be used to
expand the OSPF network.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] return
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] return
Neighbors
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
The preceding command output shows that SwitchC has a route to 192.168.0.0/24 and the
route is an inter-area route.
# Check the routing table on SwitchB and perform the ping operation to test the connectivity
between SwitchB and SwitchC.
<SwitchB> display ospf routing
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
The preceding command output shows that SwitchB has a route to 192.168.1.0/24 and the
route is an inter-area route.
# On SwitchB, perform a ping operation to test the connectivity between SwitchB and
SwitchC.
<SwitchB> ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=254 time=16 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=254 time=94 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=254 time=63 ms
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return
Assume that a device of Company H connects to the backbone area through a single link. The
device has low performance and a small routing table. The area where the device resides
needs to access other areas or network segments outside the OSPF area, and the next-hop
address of routes of the device is the IP address of the next-hop core device of the link.
Therefore, the area where the device resides does not need to learn a large number of OSPF
external routes and can be configured as a stub area. This configuration can reduce the routing
table size of the area and resource consumption of the device.
Configuration Notes
l The backbone area cannot be configured as a stub area.
l An ASBR cannot exist in a stub area. That is, external routes are not advertised in a stub
area.
l A virtual link cannot pass through a stub area.
l To configure an area as a stub area, configure stub area attributes on all the routers in this
area using the stub command.
l To configure an area as a totally stub area, run the stub command on all the routers in
this area, and run the stub no-summary command on the ABR in this area.
l The stub no-summary command can only be configured on an ABR to prevent the
ABR from advertising Type 3 LSAs within a stub area. After this command is
configured on the ABR, the area becomes a totally stub area, the number of routing
entries on routers in the area is reduced, and there are only intra-area routes and a default
route advertised by the ABR.
l Table 9-2 lists applicable products and versions of this configuration example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 9-7, SwitchA, SwitchB, and SwitchC run OSPF, and the OSPF network
is divided into Area 0 and Area 1. SwitchB functions as an ASBR to communicate with
external networks. The OSPF routing table size on SwitchC needs to be reduced without
affecting communication.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in the OSPF
network.
2. Configure a static route on SwitchB and import the route to the OSPF routing table to
ensure that there is a reachable route from the OSPF network to external networks.
3. Configure Area 1 as a stub area to reduce the OSPF routing table size on SwitchC.
4. Prohibit the ABR (SwitchA) in Area 1 from advertising Type 3 LSAs within the stub
area to configure Area 1 as a totally stub area. This configuration minimizes the OSPF
routing table size on SwitchC.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit
# Check the OSPF routing table on SwitchC. The command output shows that the OSPF
routing table contains an AS external route.
[SwitchC] display ospf routing
Total Nets: 3
Intra Area: 1 Inter Area: 1 ASE: 1 NSSA: 0
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have the stub command configured.
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit
# Check the OSPF routing table on SwitchC. The command output shows that the OSPF
routing table does not contain any AS external route but contains a default route to external
networks.
[SwitchC] display ospf routing
Total Nets: 3
Intra Area: 1 Inter Area: 2 ASE: 0 NSSA: 0
Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return
Configuration Notes
l The backbone area cannot be configured as an NSSA.
l To configure an area as an NSSA, configure NSSA attributes on all the routers in this
area.
l A virtual link cannot pass through an NSSA.
l To reduce the number of LSAs that are transmitted to the NSSA, configure the no-summary
parameter of the nssa command on the ABR. This prevents the ABR from transmitting Type 3
LSAs to the NSSA, making the area a totally NSSA.
l Table 9-3 lists applicable products and versions of this configuration example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 9-8, SwitchA, SwitchB, SwitchC, and SwitchD run OSPF, and the OSPF
network is divided into Area 0 and Area 1. Devices in Area 1 must not receive external routes
imported from other areas, and must communicate with external networks only through the
external routes imported by the ASBR in Area 1. SwitchB transmits many services, so SwitchA
needs to translate Type 7 LSAs into Type 5 LSAs and send the LSAs to other OSPF areas.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in the OSPF
network.
2. Configure Area 1 as an NSSA, configure a static route on SwitchD, and configure
SwitchD to import the static route into the OSPF routing table so that switches in Area 1
can communicate with external networks only through SwitchD.
3. Configure SwitchA as an LSA translator to translate Type 7 LSAs into Type 5 LSAs and
send the LSAs to other OSPF areas.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to
the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.4.4.4
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit
# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the nssa command configured.
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the nssa command configured.
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit
Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0
The command output shows that the AS external routes imported into the NSSA are
advertised by SwitchB to other areas. That is, SwitchB translates Type 7 LSAs into Type 5
LSAs. This is because OSPF selects the ABR with a larger router ID as an LSA translator.
# Wait for 40 seconds and then check the OSPF routing table on SwitchC.
[SwitchC] display ospf routing
Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0
The command output shows that the AS external routes imported into the NSSA are
advertised by SwitchA to other areas. That is, SwitchA translates Type 7 LSAs into Type 5
LSAs.
NOTE
By default, the new LSA translator works with the previous LSA translator to translate LSAs for 40
seconds. After 40 seconds, only the new LSA translator translates LSAs.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
area 0.0.0.1
network 192.168.3.0 0.0.0.255
nssa translator-always
#
return
nssa
#
return
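The effect of the area types in the stub example and the NSSA example above, as an added illustration (not Huawei code): the counters reproduce the Total Nets / Intra Area / Inter Area / ASE / NSSA summary of display ospf routing for SwitchC in Area 1 before the stub command, after it, and after stub no-summary, and the translator election reproduces why SwitchB translates Type 7 LSAs until SwitchA is configured with nssa translator-always. The input counts are taken from this page; that a totally NSSA ABR injects a Type 3 default route is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AreaView:
    """What a router inside one area would see before any area-type filtering."""
    intra: int          # intra-area routes (Type 1/2 LSAs)
    inter: int          # inter-area routes (Type 3 LSAs from the ABR)
    ase: int            # AS external routes (Type 5 LSAs from an ASBR in another area)
    nssa: int = 0       # external routes imported by an ASBR inside this area (Type 7)


def routes_seen(area_type: str, view: AreaView) -> dict:
    """Return the counters as 'display ospf routing' groups them.

    The default route the ABR injects into a stub or totally stub area is a
    Type 3 LSA, so it is counted as an inter-area route.  Assumption of this
    model: a totally NSSA ABR also injects a Type 3 default route.
    """
    if area_type == "normal":
        # An ASBR inside a normal area originates Type 5 LSAs, so it counts as ASE.
        return {"intra": view.intra, "inter": view.inter, "ase": view.ase + view.nssa, "nssa": 0}
    if area_type in ("stub", "totally-stub"):
        if view.nssa:
            raise ValueError("an ASBR cannot exist in a stub area")
        # Type 5 LSAs are blocked; a default route replaces them.
        inter = view.inter + 1 if area_type == "stub" else 1
        return {"intra": view.intra, "inter": inter, "ase": 0, "nssa": 0}
    if area_type in ("nssa", "totally-nssa"):
        # Type 5 LSAs are blocked; Type 7 LSAs from the local ASBR stay visible.
        inter = view.inter if area_type == "nssa" else 1
        return {"intra": view.intra, "inter": inter, "ase": 0, "nssa": view.nssa}
    raise ValueError(f"unknown area type {area_type!r}")


def total_nets(counters: dict) -> int:
    """The 'Total Nets' line is the sum of the four groups."""
    return sum(counters.values())


def _rid_key(router_id: str) -> tuple:
    """Compare dotted router IDs numerically, octet by octet."""
    return tuple(int(o) for o in router_id.split("."))


def elect_nssa_translator(abrs: list) -> list:
    """abrs: (name, router_id, translator_always) for every ABR of the NSSA.

    An ABR configured with 'nssa translator-always' always translates; if none
    is, the ABR with the largest router ID is elected.
    """
    always = [name for name, _, translator_always in abrs if translator_always]
    if always:
        return always
    return [max(abrs, key=lambda abr: _rid_key(abr[1]))[0]]


# From Figure 9-7: SwitchC in Area 1 sees one intra-area route, one inter-area
# route (192.168.0.0/24) and the static route SwitchB imports into OSPF.
SWITCHC_AREA1 = AreaView(intra=1, inter=1, ase=1)
# From Figure 9-8: the ABRs of Area 1 are SwitchA (10.1.1.1) and SwitchB (10.2.2.2).
NSSA_ABRS = [("SwitchA", "10.1.1.1", False), ("SwitchB", "10.2.2.2", False)]


def demo() -> dict:
    """Each step of the two examples, keyed by the configuration state."""
    return {
        "before-stub": routes_seen("normal", SWITCHC_AREA1),
        "stub": routes_seen("stub", SWITCHC_AREA1),
        "totally-stub": routes_seen("totally-stub", SWITCHC_AREA1),
        "translator-by-router-id": elect_nssa_translator(NSSA_ABRS),
        "translator-always-on-SwitchA": elect_nssa_translator(
            [("SwitchA", "10.1.1.1", True), ("SwitchB", "10.2.2.2", False)]),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:30} {result}")
```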
Configuration Notes
l The maximum number of equal-cost routes for load balancing can be configured using
the maximum load-balancing command.
l To cancel load balancing, you can set the maximum number of equal-cost routes to 1.
l Table 9-4 lists applicable products and versions of this configuration example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 9-9, four switches all belong to Area 0 on the OSPF network. Load
balancing needs to be configured so that the traffic from SwitchA is sent to SwitchD through
SwitchB and SwitchC.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 9-9 Networking diagram for configuring load balancing among OSPF routes
[Diagram not reproduced. Recovered from the figure: all four switches are in Area 0.
SwitchA: VLANIF10 10.1.1.1/24 (GE1/0/1, to SwitchB), VLANIF20 10.1.2.1/24 (GE1/0/2, to SwitchC), VLANIF50 172.16.1.1/24 (GE1/0/3).
SwitchB: VLANIF10 10.1.1.2/24 (GE1/0/1), VLANIF30 192.168.0.1/24 (GE1/0/2, to SwitchD).
SwitchC: VLANIF20 10.1.2.2/24 (GE1/0/1), VLANIF40 192.168.1.1/24 (GE1/0/2, to SwitchD).
SwitchD: VLANIF30 192.168.0.2/24 (GE1/0/1), VLANIF40 192.168.1.2/24 (GE1/0/2), VLANIF60 172.17.1.1/24 (GE1/0/3).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement basic connections on the
OSPF network.
2. Configure load balancing on SwitchA.
Procedure
Step 1 Configure VLANs that each interface belongs to.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are the same as
the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 50
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 50
[SwitchA-GigabitEthernet1/0/3] quit
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are the same as
the configuration of SwitchA.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.2.1 24
[SwitchA-Vlanif20] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 172.16.1.1 24
[SwitchA-Vlanif50] quit
# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.10.10.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.10.10.4
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
As shown in the routing table, the two next hops 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC) of
SwitchA are both installed as valid routes, because the maximum number of equal-cost routes is
16 for a modular switch and 8 for a fixed switch.
If you do not want to implement load balancing between SwitchB and SwitchC, set the weight
of equal-cost routes to specify the next hop.
[SwitchA] ospf 1
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1 //Specify the weight parameter to set the priority of equal-cost routes. The default weight value is 255. A larger weight value indicates a lower priority.
[SwitchA-ospf-1] quit
As shown in the routing table, the priority of the next hop 10.1.2.2 (SwitchC) with the weight
1 is higher than that of 10.1.1.2 (SwitchB), after the weight is set for equal-cost routes. OSPF
selects the route with the next hop 10.1.2.2 as the optimal route.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 50
#
ospf 1 router-id 10.10.10.1
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 60
#
ospf 1 router-id 10.10.10.4
area 0.0.0.0
network 172.17.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
Configuration Notes
l BFD needs to be configured on the two ends between which the OSPF neighbor
relationship is established.
l The two ends that establish BFD sessions must be located in the same network segment
on an OSPF area.
l The ospf bfd enable and ospf bfd block commands are mutually exclusive and cannot
be enabled at the same time.
l Table 9-5 lists applicable products and versions of this configuration example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 9-10, OSPF runs among SwitchA, SwitchB, and SwitchC, and the switch
between SwitchA and SwitchB only provides the transparent transmission function. SwitchA
and SwitchB need to quickly detect the status of the link between them. When the link
SwitchA-SwitchB is faulty, services can be quickly switched to the backup link SwitchA-
SwitchC-SwitchB.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
[Figure 9-10 networking diagram not reproduced. Recovered from the figure: SwitchA, SwitchB, and SwitchC are in Area 0.
SwitchA: VLANIF10 10.1.1.1/24 (GE1/0/1, to SwitchC), VLANIF30 10.3.3.1/24 (GE1/0/2, to SwitchB).
SwitchB: VLANIF30 10.3.3.2/24 (GE1/0/1), VLANIF20 10.2.2.2/24 (GE1/0/2, to SwitchC), VLANIF40 172.16.1.1/24 (GE1/0/3).
SwitchC: VLANIF10 10.1.1.2/24 (GE1/0/1), VLANIF20 10.2.2.1/24 (GE1/0/2).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on SwitchA, SwitchB, and SwitchC to implement basic
connections on the OSPF network.
2. Configure BFD for OSPF on SwitchA, SwitchB, and SwitchC so that services can be
quickly switched to the backup link when the link between SwitchA and SwitchB is
faulty.
Procedure
Step 1 Configure VLANs that each interface belongs to.
# Configure SwitchA. The configurations of SwitchB and SwitchC are the same as the
configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# After the preceding configurations, run the display ospf peer command. The neighbor
relationships are set up among SwitchA, SwitchB, and SwitchC. The command output of
SwitchA is used as an example.
[SwitchA] display ospf peer
Neighbors
Neighbors
# Check the OSPF routing table on SwitchA. You can see the routing entries to SwitchB and
SwitchC. However, the next-hop address of the route to the destination network segment
172.16.1.0/24 is 10.3.3.2, which indicates that the traffic is transmitted on the link
SwitchA→SwitchB.
[SwitchA] display ospf routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
# After the preceding configurations, run the display ospf bfd session all command on
SwitchA, SwitchB, or SwitchC. The peer BFD session is Up. The command output of
SwitchA is used as an example.
[SwitchA] display ospf bfd session all
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
When the link SwitchA-SwitchB is faulty, the backup link SwitchA-SwitchC-SwitchB takes
effect and the next-hop address of the route to the destination network segment 172.16.1.0/24
changes to 10.1.1.2.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.10.10.3
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
When a specific data flow needs to be transmitted to a specified next hop, PBR can be
configured to meet this requirement. For example, different data flows can be transmitted on
different links to improve link efficiency. Data flows can be directed to security devices such
as firewalls for security filtering. Service data can be transmitted on a low-cost link to reduce
enterprises' data service costs without compromising service quality.
Configuration Notes
l If a device does not have the ARP entry that matches the specified next-hop IP address,
the device triggers ARP learning. If the device cannot learn the ARP entry, packets are
forwarded along the previous forwarding path without being redirected.
l If multiple next-hop IP addresses are configured using the redirect ip-nexthop or
redirect ipv6-nexthop command, the device redirects packets in active/standby link
mode. That is, the device determines active and standby links according to the sequence
in which next-hop IP addresses were configured. The first configured next-hop IP
address has the highest priority and its link functions as the active link, while links of
other next-hop IP addresses function as standby links. When the active link is Down, the
standby link of the second-highest-priority next-hop IP address is selected as the new
active link.
l If multiple next-hop IP addresses are configured using the redirect ip-multihop or
redirect ipv6-multihop command, the device redirects packets in equal-cost route load
balancing mode.
l Table 9-6 lists the products and versions to which this configuration example is
applicable.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
An enterprise network is dual-homed to two external network devices through the Switch, as
shown in Figure 9-11. One uplink is a high-speed link with the gateway at 10.1.20.1/24, and
the other is a low-speed link with the gateway at 10.1.30.1/24.
The enterprise intranet has two network segments: 192.168.1.0/24 and 192.168.2.0/24.
Network segment 192.168.1.0/24 belongs to the server zone and requires high link bandwidth.
Therefore, traffic of this network segment needs to be transmitted on the high-speed link.
Network segment 192.168.2.0/24 is used for Internet access and traffic of this network
segment is transmitted on the low-speed link.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, configure interfaces, and configure routes to connect enterprise users to
the external network.
2. Configure ACLs to match data flows of network segments 192.168.1.0 and 192.168.2.0,
respectively.
3. Create traffic classifiers and reference the ACLs to differentiate packets.
4. Configure traffic behaviors to transmit data traffic matching different ACLs on different
links and allow traffic transmitted between the intranet users to pass through first.
5. Configure a traffic policy, bind the traffic classifiers and traffic behaviors to it, and apply
it to the inbound direction of GE1/0/3 on the Switch to implement PBR.
Procedure
Step 1 Create VLANs, configure interfaces, and configure routes for interworking.
# On SwitchA, set the link type of the interfaces connected to the PCs to access and that of the
interface connected to the Switch to trunk, and add the interfaces to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit
# On the Switch, set the link type of the interface connected to SwitchA to trunk and that of the
interfaces connected to the external network devices to access, and add the interfaces to VLANs.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet1/0/3] quit
# On the Switch, configure VLANIF10 and VLANIF20 as user gateways and assign IP
addresses 192.168.1.1/24 and 192.168.2.1/24 to them, respectively.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit
# On the Switch, configure VLANIF 100 and VLANIF 200 to connect to the external network
devices and assign IP addresses 10.1.20.2/24 and 10.1.30.2/24 to them, respectively.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit
# On the Switch, configure two default routes and set their next-hop IP addresses to IP
addresses of the two external network devices respectively.
[Switch] ip route-static 0.0.0.0 0 10.1.20.1
[Switch] ip route-static 0.0.0.0 0 10.1.30.1
After the preceding configuration is complete, intranet users can access the external network.
To ensure that data flows of network segments 192.168.1.0/24 and 192.168.2.0/24 are
transmitted on the high-speed link and low-speed link respectively, continue to perform the
following configurations.
[Switch] acl 3000 //This ACL matches data traffic between the two network segments of the intranet. This traffic does not need to be redirected. If this configuration is not performed, traffic between the network segments will be redirected and communication between the network segments will fail.
[Switch-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl 3001 //Match user data traffic of the intranet network segment 192.168.1.0/24.
[Switch-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] acl 3002 //Match user data traffic of the intranet network segment 192.168.2.0/24.
[Switch-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3002] quit
# On the Switch, create traffic classifiers c0, c1, and c2, and bind c0 to ACL 3000, c1 to ACL
3001, and c2 to ACL 3002.
[Switch] traffic classifier c0 operator or
[Switch-classifier-c0] if-match acl 3000
[Switch-classifier-c0] quit
[Switch] traffic classifier c1 operator or
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator or
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit
# On the Switch, create traffic behaviors b0, b1, and b2, configure the permit action in b0,
and configure actions that redirect packets to IP addresses 10.1.20.1 and 10.1.30.1 in b1 and
b2 respectively.
[Switch] traffic behavior b0
[Switch-behavior-b0] permit
[Switch-behavior-b0] quit
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
[Switch-behavior-b2] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# On the Switch, create a traffic policy p1 and bind the traffic classifiers and traffic behaviors
to this traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c0 behavior b0
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
# Apply the traffic policy p1 to the inbound direction of GE1/0/3 on the Switch.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/3] return
Classifier: c0
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3000
Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3001
Redirect: no forced
Redirect ip-nexthop
10.1.20.1
Classifier: c2
Operator: OR
Behavior: b2
Permit
Redirect: no forced
Redirect ip-nexthop
10.1.30.1
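As an added example (not the Huawei configuration or any device code), the following Python model applies the ACLs, classifiers and behaviors configured above to constructed sample flows, to show why classifier c0 with the permit behavior must come before the redirect classifiers: without it, traffic between the two intranet segments is redirected to the uplink next hop instead of being forwarded to the other segment. The ACL numbers, classifier and behavior names, network segments and next-hop addresses are the ones on this page; the flow addresses and the first-match evaluation order are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of traffic policy p1 (added example, not Huawei code).
# An advanced ACL rule matches on source/destination with a wildcard mask,
# classifiers are bound to behaviors in policy order, and the first matching
# classifier decides what happens to the packet.

Prefix = Tuple[str, str]   # (network, wildcard mask) as written in the ACL rule


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class Rule:
    source: Optional[Prefix] = None        # None means "any"
    destination: Optional[Prefix] = None

    def matches(self, src: str, dst: str) -> bool:
        if self.source and not wildcard_match(src, *self.source):
            return False
        if self.destination and not wildcard_match(dst, *self.destination):
            return False
        return True


# ACL 3000 to 3002 exactly as configured on the page
ACLS = {
    3000: [Rule(("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
           Rule(("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"))],
    3001: [Rule(("192.168.1.0", "0.0.0.255"))],
    3002: [Rule(("192.168.2.0", "0.0.0.255"))],
}

# Traffic behaviors: b0 permits (packet is routed normally), b1/b2 redirect.
BEHAVIORS = {
    "b0": ("permit", None),
    "b1": ("redirect", "10.1.20.1"),   # high-speed link next hop
    "b2": ("redirect", "10.1.30.1"),   # low-speed link next hop
}

# Policy p1: (classifier, ACL it matches, behavior) in the order bound on the page.
POLICY_P1 = [("c0", 3000, "b0"), ("c1", 3001, "b1"), ("c2", 3002, "b2")]


def apply_policy(policy, src: str, dst: str):
    """Return (classifier, action, next_hop) for the first classifier whose ACL
    matches the flow; a flow matching nothing is forwarded by the routing table."""
    for name, acl, behavior in policy:
        if any(rule.matches(src, dst) for rule in ACLS[acl]):
            action, next_hop = BEHAVIORS[behavior]
            return name, action, next_hop
    return "-", "forward", None


def compare_with_and_without_c0(src: str, dst: str):
    """Show the failure the page warns about: drop c0 and the same intranet
    flow is redirected instead of being forwarded to the other segment."""
    return apply_policy(POLICY_P1, src, dst), apply_policy(POLICY_P1[1:], src, dst)


if __name__ == "__main__":
    # constructed sample flows: intranet to intranet, then each segment to an external host
    for src, dst in [("192.168.1.5", "192.168.2.7"), ("192.168.1.5", "203.0.113.9"),
                     ("192.168.2.8", "203.0.113.9")]:
        print(src, "->", dst, apply_policy(POLICY_P1, src, dst))
    print("without c0:", compare_with_and_without_c0("192.168.1.5", "192.168.2.7")[1])
```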
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
classifier c0 behavior b0
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
return
Relevant Information
Video
How to Configure Redirection for Policy Routing
– Run the undo dot1x handshake command to disable handshake between the
device and 802.1x online users.
– Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1x users.
Configuration Notes
• This example applies to all S12700 versions.
• NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-1, the administrator needs to remotely manage the device in a simplified
and secure manner. The specific requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the device
through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.
Figure 10-1 Configuring authentication for Telnet login users (AAA local authentication)
[Figure: the Admin on the management network (username user1, password Huawei@1234) connects to GE1/0/1 of the Switch, VLANIF10, 10.1.2.10/24]
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit
NOTE
When the entered user name does not contain a domain name, the device authenticates the user using the
default administrative domain default_admin. By default, the default administrative domain uses the
authentication scheme default and accounting scheme default.
• Authentication scheme default: local authentication
• Accounting scheme default: non-accounting
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
aaa
local-user user1 password irreversible-cipher %^%#.)P`(ahmeXKljES$}IC%OdjjC$m)cA#}T(8z4*ZK!_Z+GSo<7C*O8WO,!rt;%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
Configuration Notes
• This example applies to all S12700 versions.
• NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-2, a RADIUS server is deployed on the network. The administrator is
authenticated by the RADIUS server and Telnets to the device to manage it remotely. The specific
requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the device
through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.
Figure 10-2 Configuring authentication for Telnet login users (RADIUS authentication)
[Figure: the Admin on the management network (username user1, password Huawei@1234) connects to GE1/0/1 of the Switch, VLANIF10, 10.1.2.10/24; the RADIUS server 10.1.6.6/24 connects to GE1/0/2, VLANIF20, 10.1.6.10/24]
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure RADIUS authentication, including creating a RADIUS server template, an
AAA authentication scheme, and a service scheme, and applying the schemes to a
domain.
4. Configure the domain to which the administrator belongs as the default administrative
domain so that the administrator does not need to enter the domain name when logging
in.
NOTE
This example only provides the configurations on the device. Ensure that the required parameters have been
set on the RADIUS server, for example, the device's IP address, the shared key, and the user account to be created.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
# Configure the RADIUS server template to implement communication between the device
and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP
address and port number of the RADIUS authentication server.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Specify the
shared key of the RADIUS server, which must be the same as that configured on the
RADIUS server.
[Switch-radius-1] quit
NOTE
If the RADIUS server does not accept the user names containing domain names, run the undo radius-server
user-name domain-included command on the device so that the packets sent from the device to the
RADIUS server do not contain domain names.
# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit
# Apply the AAA authentication scheme, RADIUS server template, and service scheme to the
domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
Step 5 Configure the domain to which the administrator belongs as the default administrative domain
so that the administrator does not need to enter the domain name when logging in to the
device through Telnet.
[Switch] domain huawei.com admin
# Run the test-aaa command on the device to test whether the administrator can pass the
authentication.
[Switch] test-aaa user1 Huawei@1234 radius-template 1
# Choose Start > Run on your computer running Windows operating system and enter cmd
to open the cmd window. Run the telnet command and enter the user name user1 and
password Huawei@1234 to log in to the device through Telnet.
----End
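As an added example, not Huawei's implementation, the following Python code builds the RADIUS Access-Request that the device sends for the test-aaa check above and decodes it on a constructed server, to show what the shared key Hello@1234 protects: the User-Password attribute is hidden with an MD5 keystream derived from the shared key and the Request Authenticator (RFC 2865), so a key that differs on either side makes the password undecodable and the authentication fails. The strip_domain helper models the undo radius-server user-name domain-included command; the NAS address 10.1.6.10 and the account user1 are from this page, while the packet identifier, the server stub and its account table are constructed.

```python
import hashlib
import os
import struct

# Added example (not Huawei's implementation): the RADIUS Access-Request for
# 'test-aaa user1 Huawei@1234 radius-template 1' and a constructed server that
# decodes it. Attribute types and the password hiding follow RFC 2865.

SHARED_KEY = b"Hello@1234"        # shared key from the example configuration
NAS_IP = "10.1.6.10"              # VLANIF20 address the device uses toward the server

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# constructed server-side account table (plaintext only because this is a toy server)
SERVER_USERS = {"user1": b"Huawei@1234"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream from its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")    # strip the padding; NUL is not valid in a password


def strip_domain(username: str, domain_included: bool) -> str:
    """Models 'undo radius-server user-name domain-included': send only the part
    before '@' when the server does not accept domain names."""
    return username if domain_included else username.split("@", 1)[0]


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def server_accepts(packet: bytes, secret: bytes, users: dict = SERVER_USERS) -> bool:
    """Constructed server decision: with the wrong shared key the decoded
    password is garbage and the request is rejected, as a real server would."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    return users.get(user) == reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    request = build_access_request("user1", "Huawei@1234", SHARED_KEY, ident=1)
    print("same key on both sides:", server_accepts(request, SHARED_KEY))
    print("key mismatch:          ", server_accepts(request, b"Hello@4321"))
```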
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
radius-server shared-key cipher %^%#Zh-H!i<+2RUI,E4_q<''+[14Fmj4@>Aa0pM0H}@D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
Related Content
AAA Attribute Query Tool
This tool shows details about AAA attributes on switches. You do not need to register a
Huawei account before using this tool.
Configuration Notes
• This example applies to all S12700 versions.
• NOTE
To know details about software mappings, see Switch Software Mapping Search.
• In this example, the RADIUS authentication server is the Secure ACS running version
5.2.0.26.
Networking Requirements
As shown in Figure 10-3, on an enterprise network, an administrator connects to the switch
through a management network and an 802.1x user connects to the switch through an access
network. The enterprise uses ACS to create and maintain user information. The administrator
can log in to the ACS through web.
The administrator and 802.1x user are allocated different accounts and rights to improve
security. The requirements are as follows:
1. The administrator can Telnet to the switch only after entering the user name and
password, and can use the commands from level 0 to level 15 after login.
2. To access the switch, the 802.1x user needs to start the 802.1x client, enter the user name
and password, and be authenticated.
After the 802.1x user accesses the switch:
– The user can use the commands at level 0 to level 2.
– The ACS delivers VLAN 100 and ACL 3000 to the user.
3. The administrator is authenticated in the default domain, and the 802.1x user is
authenticated in the huawei.com domain.
Figure 10-3 Networking of Telnet login user authentication (Using the Secure ACS as a
RADIUS Authentication Server)
[Figure: the Admin on the management network (10.1.2.10/24), the Secure ACS (10.1.6.6/24, switch side 10.1.6.10/24) and an 802.1x user on the access network (10.1.3.10/24) connect to the Switch through GE1/0/1, GE1/0/2 and GE1/0/3 (VLANIF10, VLANIF20 and VLANIF30)]
Preparations
Configuration Roadmap
1. Configure the switch.
a. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
b. Create a VLAN and an ACL that the ACS will deliver.
c. Enable the Telnet service.
d. Configure AAA authentication for the administrator to Telnet to the switch.
e. Configure RADIUS authentication, including creating the RADIUS server template
and AAA authentication scheme and applying them to the default_admin and
huawei.com domains.
f. Enable 802.1x authentication on the interface that the 802.1x user accesses.
2. Configure the ACS, add access devices and users, and configure an authentication and
authorization profile. Add access policies and bind users to the authentication and
authorization profile.
NOTE
Ensure that the Switch and the ACS can communicate with each other.
Procedure
Step 1 Configure the switch.
1. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24 //Configure the IP address used
to communicate with the controller.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2 //Configure the interface used to
connect to administrators.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet1/0/3 //Configure the interface used to
connect to 802.1x users.
[Switch-GigabitEthernet1/0/3] port link-type hybrid //If the AAA server
needs to deliver VLAN or ACL to access users, the user access interface (with
authentication enabled) on the switch must be a hybrid interface.
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet1/0/3] quit
2. Create a VLAN and an ACL that the ACS will deliver to access users.
Only a VLAN or ACL whose ID is the same as the one configured on the AAA server can be
delivered.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit
versions support Telnet, and switches in V200R007 and later versions support
SSH.
[Switch-ui-vty0-14] quit
# Configure a RADIUS server template so that the switch and ACS can communicate
through RADIUS.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the
IP address and port number of the ACS.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Set the ACS
shared key, which must be the same as that configured on the ACS.
[Switch-radius-1] quit
NOTE
If the user name stored on the AAA server does not contain a domain name, run the undo radius-server user-name domain-included command. After this command is executed, the user names in the
packets sent from the switch to the RADIUS server do not contain domain names.
# Create an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit
# Apply the AAA authentication scheme and RADIUS server template to the default
administrative domain.
NOTE
Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are
authenticated in the default administrative domain.
By default, the administrative domain is default_admin.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit
# Apply the AAA authentication scheme and RADIUS server template to the
huawei.com domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
NOTE
After switching between common mode and unified mode, restart the switch to make the
configuration take effect. By default, the unified mode is used.
NOTE
The ACS's URL address is in the format http://IP/ or https://IP/, for example, http://10.13.1.1/ or https://10.13.1.1/.
Users and Identity Stores Configures the internal users and identities.
b. Enter the switch name and IP address, set the authentication mode between the
switch and ACS to RADIUS, enter the shared secret and CoA port number, and
click Submit, as shown in Figure 10-5.
3. Add a user.
a. Choose Users and Identity Stores > Internal Identity Stores > Users > Create,
as shown in Figure 10-6.
b. Enter the user name, password, and confirm password, and click Submit, as shown
in Figure 10-7.
Figure 10-7 shows the page for adding an 802.1x user. After adding the access user,
add an administrator according to the administrator parameters.
a. Choose Policy Elements > Authorization and Permissions > Network Access >
Authorization Profiles > Create to add an authentication and authorization profile,
as shown in Figure 10-8.
NOTE
When you use the RADIUS protocol, it is recommended that you choose Policy Elements >
Authorization and Permissions > Network Access.
When you use the TACACS+ protocol, it is recommended that you choose Policy Elements >
Authorization and Permissions > Authorization Profiles.
b. Add the authentication and authorization profile for the administrator to specify that
the administrator can only log in through Telnet and has a user privilege of 15.
The settings on the General tab page are shown in Figure 10-9.
Figure 10-9 Setting general parameters for the administrator's authentication and
authorization profile
The settings on the RADIUS Attributes tab page are shown in Figure 10-10. Click
Submit to commit the profile configuration.
c. Add an authentication and authorization profile for an 802.1x user to specify that
the user can only log in through 802.1x and has a user privilege of 2, and that the ACS
delivers ACL 3000 and VLAN 100 to the user, as shown in Figure 10-11, Figure 10-12, and
Figure 10-13. Click Submit to commit the profile configuration.
Figure 10-11 Setting general parameters for the 802.1x user's authentication and
authorization profile
Figure 10-12 Setting common task parameters for the 802.1x user's authentication
and authorization profile
Figure 10-13 Setting RADIUS attribute parameters for the 802.1x user's
authentication and authorization profile
5. Add an access policy to bind the user to an authentication and authorization profile.
a. Create an access service and choose Access Policies > Access Services > Create.
b. Configure the access service. Set the communication mode to Network Access and
specify the user access protocol, as shown in Figure 10-14 and Figure 10-15.
NOTE
The S series switches support the first five user access protocols.
c. Choose Access Policies > Access Services > Service Selection Rules to create a
rule, as shown in Figure 10-16.
d. Configure the rule. Set the authentication mode to RADIUS and add attributes
according to Figure 10-17.
You can choose Access Policies > Access Services > Service Selection Rules to
prepare the attributes that you want to add.
# Run the display access-user username admin1 command to view the granted rights.
• An 802.1x user logs in to the switch.
# Run the test-aaa command on the switch to test whether the user can pass RADIUS
authentication.
[Switch] test-aaa user1@huawei.com Huawei@1234 radius-template 1
# The 802.1x user starts the 802.1x client on the PC, and enters the user name
user1@huawei.com and password Huawei@1234. If the user name and password are
correct, the client displays a successful authentication message. The user can access the
network.
# After the 802.1x user goes online, run the display access-user access-type dot1x
command on the switch to view the user information. The Dynamic VLAN and
Dynamic ACL number(Effective) fields indicate the VLAN and ACL delivered by the
RADIUS server.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
telnet server enable
#
acl number 3000
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain default_admin
authentication-scheme sch1
radius-server 1
domain huawei.com
authentication-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.6.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 30
authentication dot1x
dot1x authentication-method eap
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
Configuration Notes
• This example applies to all S12700 versions.
• NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-22, an HWTACACS server is deployed on a network, and the
administrator Telnets to the device to remotely manage it. The specific requirements are as
follows:
1. The administrator must enter the correct user name and password to log in to the device
through Telnet.
2. The device performs HWTACACS authentication for the administrator first. If the
HWTACACS server does not respond, the device performs local authentication.
3. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.
Figure 10-22 Configuring authentication for Telnet login users (HWTACACS and local
authentication)
[Figure: the Admin on the management network (username user1@huawei.com, password Huawei@1234) connects to GE1/0/1 of the Switch, VLANIF10, 10.1.2.10/24; the HWTACACS server 10.1.6.6/24 connects to GE1/0/2, VLANIF20, 10.1.6.10/24]
Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.
4. Configure HWTACACS authentication, including creating an HWTACACS server
template, an AAA authentication scheme, and a service scheme, and applying the
schemes to a domain.
NOTE
This example only provides the configurations on the device. Ensure that the required parameters have been
set on the HWTACACS server, for example, device's IP address, shared key, and user information.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit
default, users can log in through any method in versions earlier than V200R007
and cannot log in through any method in V200R007 and later versions).
[Switch-aaa] local-user user1@huawei.com privilege level 15 //Set the user level
of user1@huawei.com to 15. The user can use the commands of level 15 and lower
levels.
[Switch-aaa] quit
# Apply the AAA authentication scheme, HWTACACS server template, and service scheme
to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] hwtacacs-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Choose Start > Run on your computer running Windows operating system and enter cmd
to open the cmd window. Run the telnet command and enter the user name
user1@huawei.com and password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Switch>//The administrator successfully logs in.
# Shut down the interface connected to the HWTACACS authentication server, to disconnect
the device from the HWTACACS server. Choose Start > Run on your computer and enter
cmd to open the cmd window. Run the telnet command and enter the user name
user1@huawei.com and password Huawei@1234 to log in to the device through Telnet. You
can successfully log in to the device, indicating that the device performs local authentication
when the HWTACACS server does not respond.
----End
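To illustrate the hwtacacs local fallback verified above and the default-domain rules described in the notes on this page, here is an added Python model (not Huawei's code) that resolves a login name to its domain and walks the authentication modes of scheme sch1 in order: only a missing response from the HWTACACS server falls through to local authentication, while an explicit rejection by the server is final. The server stub and its account table, the plaintext stand-in for the local user user1@huawei.com and the service-type check are constructed assumptions modelled on this page's configuration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not Huawei code): constructed model of how a login name is
# mapped to a domain and how scheme sch1 ('authentication-mode hwtacacs local')
# chooses between the HWTACACS server and the local user database.

DEFAULT_ADMIN_DOMAIN = "default_admin"   # administrators (Telnet, SSH, ...) without '@domain'
DEFAULT_COMMON_DOMAIN = "default"        # access users (for example 802.1x) without '@domain'

SCHEME_SCH1 = ("hwtacacs", "local")      # order of the modes in authentication-scheme sch1


def resolve_domain(username: str, is_admin: bool) -> str:
    """A name of the form user@domain belongs to that domain; any other name
    belongs to the default administrative or the default common domain."""
    if "@" in username:
        return username.rsplit("@", 1)[1]
    return DEFAULT_ADMIN_DOMAIN if is_admin else DEFAULT_COMMON_DOMAIN


@dataclass
class LocalUser:
    password: str
    privilege_level: int
    service_types: Tuple[str, ...]       # 'local-user ... service-type telnet'


# the local user created on the page (constructed plaintext stand-in for the
# irreversible-cipher entry in the configuration file)
LOCAL_USERS: Dict[str, LocalUser] = {
    "user1@huawei.com": LocalUser("Huawei@1234", 15, ("telnet",)),
}


class HwtacacsServer:
    """Constructed server stub. reachable=False models the verification step in
    which the interface toward the server is shut down: the device gets no
    answer at all, which is different from an explicit rejection."""

    def __init__(self, accounts: Dict[str, str], reachable: bool = True):
        self.accounts = accounts
        self.reachable = reachable

    def authenticate(self, username: str, password: str) -> Optional[bool]:
        if not self.reachable:
            return None                  # timeout: no response
        return self.accounts.get(username) == password


def authenticate(username: str, password: str, service: str,
                 server: HwtacacsServer, scheme=SCHEME_SCH1,
                 local_users=LOCAL_USERS) -> Tuple[str, bool]:
    """Walk the scheme's modes in order and report which one decided.
    Only a missing response (None) falls through to the next mode; an
    explicit accept or reject from the server ends the evaluation."""
    for mode in scheme:
        if mode == "hwtacacs":
            verdict = server.authenticate(username, password)
            if verdict is None:
                continue
            return "hwtacacs", verdict
        if mode == "local":
            user = local_users.get(username)
            ok = (user is not None and user.password == password
                  and service in user.service_types)
            return "local", ok
    return "none", False


if __name__ == "__main__":
    accounts = {"user1@huawei.com": "Huawei@1234"}
    print(resolve_domain("user1@huawei.com", is_admin=True))
    print(authenticate("user1@huawei.com", "Huawei@1234", "telnet", HwtacacsServer(accounts)))
    print(authenticate("user1@huawei.com", "Huawei@1234", "telnet",
                       HwtacacsServer(accounts, reachable=False)))
```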
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
telnet server enable
#
hwtacacs-server template 1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server shared-key cipher %^%#q(P3<qAXm=Pq).G8bgq@"sbFOf%0k%umgQJ3#MF3%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
hwtacacs-server 1
local-user user1@huawei.com password irreversible-cipher %^%#+bxGT|w}~J-FHdDG"R8"($BX%XF/R1uba0UwL0).&r"Z#zbz*2G1$%6)Rd/V%^%#
local-user user1@huawei.com privilege level 15
local-user user1@huawei.com service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return
contain domain names. If a user name contains a domain name, the user belongs to this
domain; otherwise, the user belongs to the default domain. If most users on a network belong
to the same domain, you can configure this domain as the default domain so that these users
do not need to enter the domain name when logging in to the device.
Default domains fall into default administrative domain and default common domain.
NOTE
By default, you can modify the configuration of the default domains but cannot delete the default
domains.
Configuration Notes
• This example applies to all S12700 versions.
• NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-24, the administrator Telnets to the device and remotely manages the
device after passing AAA local authentication, and 802.1x users log in to the device through
802.1x clients after passing RADIUS authentication. Therefore, both AAA local
authentication and RADIUS authentication need to be configured on the device.
1. The administrator must enter the correct user name and password to Telnet to the device.
After logging in to the device, the administrator can run all the commands at levels 0-15.
2. 802.1x users must enter the correct user names and passwords to log in to the device.
3. The administrator and 802.1x users do not need to enter domain names when logging in.
[Figure 10-24: the Admin on the management network (username user1, password Huawei@1234) connects to GE1/0/1 of the Switch, VLANIF20, 10.1.2.10/24; the RADIUS server 10.1.6.6/24 connects to GE1/0/2, VLANIF30, 10.1.6.10/24; an 802.1x user on the access network (username John, password Hello@5678) connects to GE1/0/3, VLANIF10, 10.1.3.10/24]
Configuration Roadmap
1. Allow the administrator to Telnet to the device.
a. Enable the Telnet service.
b. Set the authentication method for Telnet login users to AAA.
c. Configure AAA local authentication, including creating a local user, setting the user
access type to Telnet, and setting the user level to 15.
2. Allow 802.1x users to log in to the device through RADIUS authentication.
a. Enable 802.1x authentication on the interface.
b. Configure RADIUS authentication, including creating a RADIUS server template,
an AAA authentication scheme, and a service scheme, and applying the schemes to
the default common domain.
NOTE
This example only provides the configurations on the device. Ensure that the required parameters have been
set on the RADIUS server, for example, the device's IP address, the shared key, and the user account to be created.
Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.3.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.6.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/1
Step 2 Configure AAA local authentication for the administrator to Telnet to the device.
# Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login
users to 15 (the value range varies according to product versions and models). By
default, the maximum number of Telnet users is 5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for
the VTY user view to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] quit
NOTE
When the entered user name does not contain a domain name, the device authenticates the user using the
default administrative domain default_admin. By default, the default administrative domain uses the
authentication scheme default and accounting scheme default.
• Authentication scheme default: local authentication
• Accounting scheme default: non-accounting
Step 3 Configure RADIUS authentication for 802.1x users to log in to the device.
# Configure the RADIUS server template to implement communication between the device
and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP address and port number of the RADIUS authentication server.
[Switch-radius-1] radius-server shared-key cipher Hello@1234 //Specify the shared key of the RADIUS server, which must be the same as the key configured on the RADIUS server.
[Switch-radius-1] quit
NOTE
If the RADIUS server does not accept user names that contain domain names, run the undo radius-server
user-name domain-included command on the device so that the packets sent from the device to the
RADIUS server do not carry domain names.
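The shared key does two jobs in the exchange the template sets up: it hides User-Password in the Access-Request, and it keys the Response Authenticator that the switch recomputes before it trusts an Access-Accept, which is why the key must match on both sides. The following Python is an added example, not Huawei code: it simulates that exchange per RFC 2865 with the shared key and the 802.1x user that the test-aaa command checks; the NAS address 10.1.6.10 (the Switch on Vlanif30) and the simulated server are assumptions.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Shared key from the example (radius-server shared-key cipher Hello@1234).
SHARED_KEY = b"Hello@1234"
# Assumed NAS address: the Switch interface facing the RADIUS server (Vlanif30).
NAS_IP = "10.1.6.10"


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as RFC 2865 section 5.2 prescribes: pad to 16-byte
    blocks and XOR each block with MD5(secret + previous block), the first
    block using the Request Authenticator. Anyone holding the shared key can
    reverse it, which is why the key must match on the switch and the server."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def decrypt_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1 byte) + Length (1 byte, includes the header) + Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int, authenticator: bytes = b"") -> tuple:
    """Return (packet, request_authenticator); the authenticator is a fresh
    16-byte random value unless one is supplied for reproducible tests."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the locally configured
    key. With a mismatched key the Access-Accept fails this check and is
    discarded, so the user is rejected even though the server said yes."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return resp_auth == hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_round_trip(username: bytes, password: bytes, stored_password: bytes,
                      nas_key: bytes, server_key: bytes) -> str:
    """Simulate one Access-Request/response exchange between the Switch (nas_key)
    and a RADIUS server (server_key). Returns 'accept', 'reject' or 'dropped'."""
    request, auth = build_access_request(username, password, nas_key, identifier=7)
    # Server: recover the password with its own key and compare with its record.
    recovered = decrypt_user_password(parse_attrs(request)[ATTR_USER_PASSWORD], server_key, auth)
    code = ACCESS_ACCEPT if recovered == stored_password else ACCESS_REJECT
    response = build_response(code, request[1], auth, server_key)
    # NAS: validate the response before trusting its code.
    if not verify_response(response, auth, nas_key):
        return "dropped"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    # Same user and password that the test-aaa command in the example checks.
    print(radius_round_trip(b"liming", b"Hello@5678", b"Hello@5678", SHARED_KEY, SHARED_KEY))
    print(radius_round_trip(b"liming", b"Hello@5678", b"Hello@5678", SHARED_KEY, b"Mismatch@1"))
```

When test-aaa fails although the server logs an accept, the "dropped" path (key mismatch on the response check) is the case to rule out first.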
# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit
# Apply the AAA authentication scheme, RADIUS server template, and service scheme to the
default common domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme sch1
[Switch-aaa-domain-default] service-scheme sch1
[Switch-aaa-domain-default] radius-server 1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit
NOTE
After the common mode is changed to unified mode, restart the device to make the configuration take effect.
By default, the unified mode is used.
# On a computer running the Windows operating system, choose Start > Run and enter cmd
to open the cmd window. Run the telnet command and enter the user name user1 and
password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.
# Run the test-aaa command to test whether an 802.1x user can pass the authentication.
[Switch] test-aaa liming Hello@5678 radius-template 1
# A user starts the 802.1x client on a terminal, and enters the user name liming and password
Hello@5678 for authentication. If the user name and password are correct, an authentication
success message is displayed on the client page. The user can access the network.
# After the user goes online, you can run the display access-user access-type dot1x
command to check online 802.1x user information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
telnet server enable
#
authentication-profile name p1 //Available only in V200R009 and later versions
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain default
authentication-scheme sch1
service-scheme sch1
radius-server 1
local-user user1 password irreversible-cipher %^%#,G8c3$Xso~0qP~%Bz/hY5~IR)oN~$8}UEJ59Ho{C\U</DW6:w,q{4Q!r}!:H%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.3.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
authentication dot1x //Available only in the versions earlier than V200R009
authentication-profile p1 //Available only in V200R009 and later versions
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1 //Available only in V200R009 and later versions
#
return
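A saved configuration file like the one above is also what gets reviewed after the fact. The following Python is an added example, not Huawei code: it splits a VRP configuration into its '#'-delimited sections and flags a Telnet server or a Telnet VTY (the Step 2 note says V200R007 and later default to SSH; Telnet carries the login credentials in cleartext), any shared key or password not stored in one of the ciphertext marker forms listed under Security Conventions, and access interfaces that carry no 802.1x, MAC address or authentication-profile command. The sample is constructed from the file above with placeholder ciphertext and one added plaintext key; the set of NAC command names checked is an assumption drawn from this chapter's configuration files.

```python
import re

# Constructed sample: the Switch configuration file above, abridged to the
# sections the checks look at. Ciphertext values are replaced by placeholders,
# and a second RADIUS template whose key was left in plaintext is added so a
# failing line is visible (the document's own file has no such line).
SAMPLE_CONFIG = """
#
sysname Switch
#
telnet server enable
#
radius-server template 1
 radius-server shared-key cipher %^%#CIPHERTEXT-PLACEHOLDER%^%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
radius-server template 2
 radius-server shared-key cipher Hello@1234
#
aaa
 local-user user1 password irreversible-cipher %^%#CIPHERTEXT-PLACEHOLDER%^%#
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 authentication dot1x
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""

# Ciphertext markers listed under Security Conventions at the start of the document.
CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")
# Interface commands that enable a NAC method in this chapter's examples (assumed list).
NAC_COMMANDS = ("dot1x", "mac-authen", "authentication dot1x",
                "authentication mac-authen", "authentication-profile")
SECRET_RE = re.compile(r"\b(?:shared-key|password)\s+(?:irreversible-)?cipher\s+(\S+)")


def parse_sections(text: str) -> list:
    """Split a VRP configuration file into '#'-delimited blocks of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def is_ciphertext(value: str) -> bool:
    """True when the stored value is wrapped in one of the ciphertext marker pairs."""
    return any(value.startswith(m) and value.endswith(m) and len(value) > 2 * len(m)
               for m in CIPHER_MARKERS)


def has_nac(section: list) -> bool:
    return any(line == cmd or line.startswith(cmd + " ")
               for line in section for cmd in NAC_COMMANDS)


def audit(text: str) -> list:
    """Return (finding, section header, offending line) triples."""
    findings = []
    for section in parse_sections(text):
        head = section[0]
        for line in section:
            match = SECRET_RE.search(line)
            if match and not is_ciphertext(match.group(1)):
                findings.append(("plaintext-secret", head, line))
        if head == "telnet server enable":
            findings.append(("telnet-server", head, head))
        if head.startswith("user-interface vty") and "protocol inbound telnet" in section:
            findings.append(("telnet-vty", head, "protocol inbound telnet"))
        if (head.startswith("interface GigabitEthernet") and "port link-type access" in section
                and not has_nac(section)):
            findings.append(("no-nac-on-access-port", head, "port link-type access"))
    return findings


if __name__ == "__main__":
    for kind, head, line in audit(SAMPLE_CONFIG):
        print(f"{kind:22} {head:32} {line}")
```

In the sample, GE1/0/1 and GE1/0/2 face the administrator terminal and the RADIUS server rather than users, so a no-nac-on-access-port finding there is a prompt to confirm what the port connects to, not necessarily a defect.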
802.1x authentication ensures high security; however, it requires that 802.1x client software
be installed on user terminals, resulting in inflexible network deployment. The other two NAC
authentication methods have their own advantages and disadvantages: MAC address authentication
does not require client software installation, but MAC addresses must be registered on an
authentication server. Portal authentication also does not require client software installation
and provides flexible deployment, but it has low security.
As a result, 802.1x authentication is applied to scenarios with new networks, centralized user
distribution, and strict information security requirements. In addition, 802.1x authentication
supports MAC address bypass authentication so that the dumb terminals on 802.1x
authentication networks can be connected after passing authentication.
Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.
l If 802.1x authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command Function
Networking Requirements
As shown in Figure 10-25, the terminals in an office are connected to the company's internal
network through the Switch. Unauthorized access to the internal network can damage the
company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.
Figure 10-25 (image not reproduced): labels User, Printer, LAN Switch, Switch, GE1/0/1 (VLAN 10), GE1/0/2 (VLAN 20), Intranet, RADIUS Server 192.168.2.30.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Configure 802.1x authentication on the Switch.
a. Enable 802.1x authentication to control network access rights of the employees in
the office.
b. Enable MAC address bypass authentication to authenticate terminals (such as
printers) that cannot install 802.1x authentication client software.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
In this example, the LAN switch exists between the access switch Switch and users. To ensure that
users can pass 802.1x authentication, you must configure the EAP packet transparent transmission
function on the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following
operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the
LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
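Method 2 works because the default rule 0180-c200-0000 ffff-ffff-fff0 claims the whole 0180-c200-0000 to 0180-c200-000f range as BPDU addresses, and that range includes the 802.1X PAE group address 0180-c200-0003 that EAPOL frames are sent to; the four replacement rules cover every address in that range except 0003. The following Python is an added example, not Huawei code, that enumerates the range under both rule sets; it assumes that bpdu mac-address MAC MASK matches a frame when (destination & MASK) equals (MAC & MASK).

```python
# Added example (not from the Huawei document): which destination MAC addresses
# the LAN switch still classifies as BPDUs after the Method 2 commands, and
# why that lets EAP frames through to the access switch.
# Assumption: "bpdu mac-address MAC MASK" matches when (dst & MASK) == (MAC & MASK).

EAPOL_PAE_GROUP_MAC = "0180-c200-0003"  # IEEE 802.1X PAE group address (EAPOL)

# The rule removed by "undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0".
DEFAULT_RULES = [("0180-c200-0000", "ffff-ffff-fff0")]

# The four rules added by Method 2, copied from the note above.
METHOD2_RULES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]


def mac_to_int(mac: str) -> int:
    """Parse 0180-c200-0003 or 01:80:c2:00:00:03 style addresses, case-insensitive."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def is_bpdu(dst_mac: str, rules) -> bool:
    """True if any rule claims the destination MAC as a BPDU address."""
    dst = mac_to_int(dst_mac)
    return any((dst & mac_to_int(mask)) == (mac_to_int(mac) & mac_to_int(mask))
               for mac, mask in rules)


def bpdu_low_nibbles(rules) -> list:
    """Low nibbles x of 0180-c200-000x that the rules classify as BPDUs."""
    return [x for x in range(16) if is_bpdu(f"0180-c200-000{x:x}", rules)]


def eapol_forwarded(rules) -> bool:
    """EAP frames reach the access switch only if the LAN switch does not
    swallow the EAPOL group address as a BPDU."""
    return not is_bpdu(EAPOL_PAE_GROUP_MAC, rules)


if __name__ == "__main__":
    print("default :", bpdu_low_nibbles(DEFAULT_RULES))   # all of 0..f, including 3
    print("method 2:", bpdu_low_nibbles(METHOD2_RULES))   # everything except 3
    print("EAPOL forwarded after method 2:", eapol_forwarded(METHOD2_RULES))
```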
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.
# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
3. If the user name and password are correct, an authentication success message is
displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user command on the device
to check the online 802.1x user information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
dot1x mac-bypass
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Related Content
Videos
Configure 802.1x Authentication
management. The other two NAC authentication methods have their own advantages and
disadvantages: 802.1x authentication ensures high security, but it requires that 802.1x client
software be installed on user terminals, causing inflexible network deployment. Portal
authentication also does not require client software installation and provides flexible
deployment, but it has low security.
MAC address authentication is applied to access authentication scenarios of dumb terminals
such as printers and fax machines.
Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.
l The mac-authen command cannot be used together with the following commands on the
same interface.
Command Function
Networking Requirements
As shown in Figure 10-26, the terminals in the physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information assets. Therefore, the administrator requires that the Switch should control the
users' network access rights to ensure internal network security.
Figure 10-26 Configuring MAC address authentication to control internal user access
(image not reproduced; labels: Printer, RADIUS Server 192.168.2.30, Physical access control department, GE1/0/1 (VLAN 10), GE1/0/2 (VLAN 20), Network, LAN Switch, Switch, Printer)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network access rights
of the dumb terminals in the physical access control department.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.
# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
2. After the user starts the terminal, the device automatically obtains the terminal MAC
address and uses it as the user name and password for authentication.
3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user command on the device
to check the online MAC address authentication user information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
mac-authen
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Portal authentication cannot ensure high security, but it does not require client software
installation and provides flexible deployment. The other two NAC authentication methods have
their own advantages and disadvantages: 802.1x authentication ensures high security, but it
requires that 802.1x client software be installed on user terminals, causing inflexible network
deployment. MAC address authentication does not require client software installation, but
Portal authentication is applied to scenarios where a large number of scattered users, such as
company visitors, move frequently.
Configuration Notes
This example applies to all S12700 versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-27, the terminals in the visitor area are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.
Figure 10-27 (image not reproduced): labels Visitor, RADIUS Server 192.168.2.30, Visitor area, GE1/0/1 (VLAN 10), GE1/0/2 (VLAN 20), Network, LAN Switch, Switch, Portal Server 192.168.2.20, Visitor.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Configure Portal authentication so that the device can control network access rights of
the visitors in the visitor areas.
a. Create and configure a Portal server template to ensure normal information
exchange between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, set GE1/0/1 connecting to users as an access interface, and add GE1/0/1 to
VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs according to the actual situation. In this example, users are
added to VLAN 10.
# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and
add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server
template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the user name in
the format of user@isp1, the user is authenticated in the authentication domain isp1. If the
user name does not carry the domain name or carries a nonexistent domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal server.
NOTE
In this example, users are allocated static IP addresses. If the users obtain IP addresses through DHCP and the
DHCP server is connected upstream of the Switch, use the portal free-rule command to create authentication-
free rules and ensure that the DHCP server is included in the authentication-free rules.
In addition, if the URL of the Portal server needs to be resolved by DNS and the DNS server is connected
upstream of the Switch, you also need to create authentication-free rules and ensure that the DNS server is
included in the authentication-free rules.
3. If the user name and password are correct, an authentication success message is
displayed on the Portal authentication page. The user can access the network.
4. After the user goes online, you can run the display access-user command on the device
to check the online Portal authentication user information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
web-auth-server abc direct
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.
l If 802.1x authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command Function
Networking Requirements
As shown in Figure 10-28, the terminals in an office are connected to the company's internal
network through the Switch. Unauthorized access to the internal network can damage the
company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.
Figure 10-28 (image not reproduced): labels Employee, RADIUS Server 192.168.2.30, Employee.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable 802.1x authentication to control network access rights of the employees in the
office.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
In this example, the LAN switch exists between the access switch Switch and users. To ensure that users
can pass 802.1x authentication, you must configure the EAP packet transparent transmission function on
the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the
LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
After the common mode and unified mode are switched, you must save the configuration and restart the
device to make each function in the new configuration mode take effect.
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Related Content
Videos
In MAC address authentication, client software does not need to be installed on user
terminals, but MAC addresses must be registered on servers, resulting in complex
management. The other two NAC authentication methods have their own advantages and
disadvantages: 802.1x authentication ensures high security, but it requires that 802.1x client
software be installed on user terminals, causing inflexible network deployment. Portal
authentication also does not require client software installation and provides flexible
deployment, but it has low security.
Configuration Notes
l This example applies to all S12700 versions.
l NOTE: To know details about software mappings, see Switch Software Mapping Search.
l The mac-authen command cannot be used together with the following commands on the
same interface.
Command Function
Networking Requirements
As shown in Figure 10-29, the terminals in the physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information assets. Therefore, the administrator requires that the Switch should control the
users' network access rights to ensure internal network security.
Figure 10-29 Configuring MAC address authentication to control internal user access
(image not reproduced; labels: Printer, RADIUS Server 192.168.2.30, Physical access control department, GE1/0/1 (VLAN 10), GE1/0/2 (VLAN 20), Network, Printer)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network access rights
of the dumb terminals in the physical access control department.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
After the common mode and unified mode are switched, you must save the configuration and restart the
device to make each function in the new configuration mode take effect.
3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user access-type mac-authen
command on the device to check the online MAC address authentication user
information.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication mac-authen
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Portal authentication does not provide high security, but it requires no client software on
the terminal and is flexible to deploy. The other two NAC authentication methods have their
own trade-offs: 802.1x authentication provides high security but requires 802.1x client
software on every user terminal, which makes deployment less flexible; MAC address
authentication needs no client software, but every MAC address must be registered on the
authentication server, which makes management complex.
Portal authentication is applied to scenarios where a large number of scattered users such as
company visitors move frequently.
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-30, the terminals in the visitor area are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.
Figure 10-30 (figure not reproduced; recoverable labels): Visitor area with Visitor terminals, LAN Switch, Switch GE1/0/1 (VLAN 10) and GE1/0/2 (VLAN 20), Network, RADIUS Server 192.168.2.30, Portal Server 192.168.2.20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable Portal authentication so that the Switch can control network access rights of the
visitors in the visitor areas.
3. Configure a Portal server template so that the device can communicate with the Portal
server.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
NOTE
After the common mode and unified mode are switched, you must save the configuration and restart the
device to make each function in the new configuration mode take effect.
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal server.
NOTE
In this example, users have static IP addresses. If users obtain IP addresses through DHCP and the
DHCP server is upstream of the Switch, use the authentication free-rule command to create an
authentication-free rule that covers the DHCP server; otherwise unauthenticated users cannot obtain an
address. Likewise, if the Portal server URL must be resolved by DNS and the DNS server is upstream of
the Switch, create an authentication-free rule that covers the DNS server.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^
%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^
%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 10-31, the terminals in a company are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information assets. Therefore, the
administrator requires that the Switch should control the users' network access rights to ensure
internal network security.
Figure 10-31 Configuring multiple authentication modes to control internal user access
(Figure not reproduced; recoverable labels): User terminals and Printer, LAN Switch, Switch GE1/0/1 (VLAN 10) and GE1/0/2 (VLAN 20), Network, RADIUS Server 192.168.2.30, Portal Server 192.168.2.20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain. Bind the RADIUS server template and AAA scheme to the authentication
domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable 802.1x authentication, MAC address authentication, and Portal authentication so
that the Switch can control network access rights of the internal employees, dumb
terminals, and visitors. In addition, configure 802.1x authentication to take precedence
because there are more employees than dumb terminals and visitors.
3. Configure the user access mode to multi-authen and set the maximum number of access
users to 100, so the device can control the network access rights of each user
independently.
4. Configure a Portal server template so that the device can communicate with the Portal
server.
NOTE
Before configuring this example, ensure that devices can communicate with each other in the network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure network
communication.
# On the Switch, configure the interface GE1/0/1 connected to users as an access interface
and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
NOTE
Configure the interface type and VLANs based on the site requirements. In this example, users are
added to VLAN 10.
# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an
access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server
template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user
name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user
name does not contain the domain name or contains an invalid domain name, the user is
authenticated in the default domain.
[Switch] domain isp1
Step 3 Configure 802.1x authentication, MAC address authentication, and Portal authentication on
the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode
NOTE
After the common mode and unified mode are switched, you must save the configuration and restart the
device to make each function in the new configuration mode take effect.
# Enable 802.1x authentication, MAC address authentication, and Portal authentication on the
interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication dot1x mac-authen portal
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal server.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^
%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^
%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x mac-authen portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
802.1x authentication provides high security; however, it requires 802.1x client software on
every user terminal, which makes deployment less flexible. The other two NAC authentication
methods have their own trade-offs: MAC address authentication needs no client software, but
every MAC address must be registered on the authentication server. Portal authentication also
needs no client software and is flexible to deploy, but it provides low security.
As a result, 802.1x authentication is applied to scenarios with new networks, centralized user
distribution, and strict information security requirements.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.
Command Function
Networking Requirements
As shown in Figure 10-32, terminals in a company's offices are connected to the company's
internal network through the Switch. Unauthorized access to the internal network can damage
the company's service system and cause leakage of key information. Therefore, the
administrator requires that the Switch should control users' network access rights to ensure
internal network security.
802.1x authentication is configured, with the RADIUS server authenticating user identities, to
meet the company's high security requirements.
Figure 10-32 (figure not reproduced; recoverable labels): Employee terminals, Switch VLANIF10 192.168.1.10/24 and VLANIF20 192.168.2.10/24, RADIUS Server 192.168.2.30
Configuration Roadmap
The configuration roadmap is as follows:
l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch
and server are not provided here.
l In this example, the LAN switch exists between the access switch Switch and users. To ensure that
users can pass 802.1x authentication, you must configure the EAP packet transparent transmission
function on the LAN switch.
l Method 1: The S5700 is used as an example of the LAN switch. Perform the following
operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure
the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the
interface connecting to users and the interface connecting to the access switch to enable
the Layer 2 protocol transparent transmission function.
l Method 2: This method is recommended when a large number of users exist or high network
performance is required.
1. Run the following commands in the system view:
l undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
l bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
l bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
l bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
l bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.
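Why Method 2 uses exactly those four bpdu mac-address entries: the entry the undo command removes, 0180-c200-0000 with mask ffff-ffff-fff0, makes the LAN switch process the whole range 0180-c200-0000 to 0180-c200-000f as BPDUs instead of forwarding them, and that range includes 0180-c200-0003, the 802.1X PAE group address that EAPOL frames are sent to. The four replacement entries cover every address in that range except 0003, so EAPOL frames are forwarded to the access switch like ordinary traffic and 802.1x authentication can succeed. The Python below is an added check by the editor, not Huawei code; it assumes an entry matches a destination MAC when (MAC AND mask) equals (base AND mask), which is how the masks in the commands read, and enumerates the coverage of both configurations.

```python
"""Coverage of the bpdu mac-address entries from Method 2 (added example, not
Huawei code). Assumes an entry matches when (mac & mask) == (base & mask)."""

EAPOL_MAC = "0180-c200-0003"  # 802.1X PAE group address used by EAPOL frames

# The default entry that 'undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0' removes.
DEFAULT_ENTRY = ("0180-c200-0000", "ffff-ffff-fff0")

# The four entries Method 2 adds, as listed in the guide.
METHOD2_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]


def mac_to_int(mac):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx and xxxx.xxxx.xxxx notations."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def matches(mac, entry):
    """True if the entry (base, mask) selects the given destination MAC."""
    base, mask = entry
    m = mac_to_int(mask)
    return mac_to_int(mac) & m == mac_to_int(base) & m


def is_treated_as_bpdu(mac, entries):
    """True if any configured entry selects the MAC (frame is not forwarded transparently)."""
    return any(matches(mac, e) for e in entries)


def eapol_forwarded_transparently(entries):
    """The property Method 2 is meant to establish."""
    return not is_treated_as_bpdu(EAPOL_MAC, entries)


def covered_addresses(entries, prefix="0180-c200-00"):
    """Addresses in 0180-c200-0000..000f that the entries select, in order."""
    candidates = [f"{prefix}{i:02x}" for i in range(16)]
    return [mac for mac in candidates if is_treated_as_bpdu(mac, entries)]


if __name__ == "__main__":
    print("default entry covers :", covered_addresses([DEFAULT_ENTRY]))
    print("Method 2 entries cover:", covered_addresses(METHOD2_ENTRIES))
    print("EAPOL forwarded with default entry:", eapol_forwarded_transparently([DEFAULT_ENTRY]))
    print("EAPOL forwarded with Method 2     :", eapol_forwarded_transparently(METHOD2_ENTRIES))
```

Run it with python3; the second list is the first list minus 0180-c200-0003, which is the only address the four masks leave uncovered. The same function is a quick way to check any other reserved multicast address (for example the LLDP or LACP addresses) before changing these entries on a production switch.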
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit
# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit
# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.
NOTE
By default, an 802.1x access profile uses the EAP authentication mode. Ensure that the RADIUS server
supports EAP; otherwise, the server cannot process 802.1x authentication request packets.
# Create the 802.1x access profile d1.
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] quit
# Configure the authentication profile p1, bind the 802.1x access profile d1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
# Bind the authentication profile p1 to GE1/0/1 and enable 802.1x authentication on the
interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
dot1x-access-profile name d1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return
Related Content
Videos
MAC address authentication needs no client software on user terminals, but every MAC
address must be registered on the server, which makes management complex. The other two
NAC authentication methods have their own trade-offs: 802.1x authentication provides high
security but requires 802.1x client software on every user terminal, which makes deployment
less flexible. Portal authentication also needs no client software and is flexible to deploy,
but it provides low security.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.
Command Function
Networking Requirements
As shown in Figure 10-33, terminals in a company's physical access control department are
connected to the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of key
information. Therefore, the administrator requires that the Switch should control users'
network access rights to ensure internal network security.
Because the dumb terminals (such as printers) in the physical access control department cannot
run an authentication client, MAC address authentication is configured on the Switch. The
Switch sends each terminal's MAC address to the RADIUS server as the user credential, so the
terminal is authenticated without anyone entering a user name or password when it connects.
Figure 10-33 (figure not reproduced; recoverable labels): Printers in the physical access control department, Switch GE1/0/1 (VLAN 10, VLANIF10 192.168.1.10/24) and GE1/0/2 (VLAN 20, VLANIF20 192.168.2.10/24), Intranet, RADIUS Server 192.168.2.30
Configuration Roadmap
The configuration roadmap is as follows:
3. Configure MAC address authentication so that the Switch can control network access
rights of the dumb terminals in the physical access control department. The configuration
includes:
a. Configure a MAC access profile.
b. Configure an authentication profile.
c. Enable MAC address authentication on an interface.
NOTE
l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch
and server are not provided here.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit
# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit
# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.
NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication. Ensure that the formats of the user name and password for MAC address
authentication configured on the RADIUS server are the same as those configured on the access device.
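The test-aaa check above and the MAC-authentication credential format in this NOTE both come down to the RADIUS exchange between the Switch and the server at 192.168.2.30: the Switch sends an Access-Request whose User-Password attribute is hidden with the shared key and a fresh Request Authenticator (RFC 2865), and the server's Access-Accept or Access-Reject carries a Response Authenticator computed with the same key. The Python below is an added example by the editor, not Huawei code and not the switch's CLI. It builds a PAP Access-Request for the test user (test/Huawei2012) and for a dumb terminal whose hyphen-less MAC is both user name and password, answers it with a constructed in-process stand-in for the RADIUS server, and shows that a mismatched shared key produces an Access-Reject and a reply that fails the Response Authenticator check, which is what a failing test-aaa looks like from the switch side. The NAS IP 192.168.2.10, the user table, the printer MAC and the secrets are constructed test data; Huawei@2012 is the guide's illustrative key and should be replaced by a strong, unique key in production.

```python
"""RFC 2865 PAP Access-Request and reply check (added example, not Huawei code).
The "server" is an in-process stand-in for the RADIUS server at 192.168.2.30;
users, secrets, the printer MAC and the NAS IP are constructed test data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def mac_auth_credential(mac):
    """User name and password for MAC authentication: the MAC with separators removed
    (xx-xx-xx-xx-xx-xx, xx:xx:..., xxxx-xxxx-xxxx and xxxx.xxxx.xxxx all give the
    same 12 hex digits), lower case so that switch and server agree."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(blob, secret, request_auth):
    """Inverse of encode_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        block = blob[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Switch side: PAP Access-Request with a fresh 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def toy_radius_server(request, secret, users):
    """Constructed server stand-in: decode the password with ITS shared key, compare
    it with the user table (bytes values) and sign the reply with the same key."""
    code, ident, _length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], _parse_attrs(request[20:])
    user = attrs[USER_NAME].decode(errors="replace")
    password = decode_user_password(attrs[USER_PASSWORD], secret, request_auth)
    accepted = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return _packet(reply_code, ident, response_authenticator(reply_code, ident, b"", request_auth, secret), b"")


def reply_is_authentic(reply, request_auth, secret):
    """Switch side: a reply signed with a different key (or forged without one) fails."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def authenticate(username, password, switch_secret, server_secret, users, nas_ip="192.168.2.10"):
    """One exchange in-process; returns (reply code, whether the reply verified)."""
    request, request_auth = build_access_request(1, username, password, switch_secret, nas_ip)
    reply = toy_radius_server(request, server_secret, users)
    return reply[0], reply_is_authentic(reply, request_auth, switch_secret)


if __name__ == "__main__":
    key = b"Huawei@2012"                             # the guide's example key, illustrative only
    mac = mac_auth_credential("00-e0-fc-12-34-56")  # constructed printer MAC
    users = {"test": b"Huawei2012", mac: mac.encode()}
    print("test-aaa equivalent    :", authenticate("test", "Huawei2012", key, key, users))
    print("MAC auth (user = pw = MAC):", authenticate(mac, mac, key, key, users))
    print("shared-key mismatch    :", authenticate("test", "Huawei2012", key, b"wrong-key", users))
```

Run it with python3. The first two lines report (2, True), that is Access-Accept with a verified reply; the last reports (3, False): with different keys on the two sides the server decodes a garbage password and rejects, and the switch cannot verify the reply either, so a key mismatch is indistinguishable from a wrong password until the Response Authenticator check is consulted. The User-Password hiding is MD5-based and gives no integrity protection on its own, which is why the RADIUS link between switch and server belongs on a separate management VLAN (VLAN 20 in these examples) rather than on the user-facing segment.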
# Create the MAC access profile m1.
[Switch] mac-access-profile name m1
[Switch-mac-access-profile-m1] quit
# Configure the authentication profile p1, bind the MAC access profile m1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] mac-access-profile m1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
# Bind the authentication profile p1 to GE1/0/1 and enable MAC address authentication on
the interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
mac-access-profile m1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return
Portal authentication does not provide high security, but it requires no client software on
the terminal and is flexible to deploy. The other two NAC authentication methods have their
own trade-offs: 802.1x authentication provides high security but requires 802.1x client
software on every user terminal, which makes deployment less flexible; MAC address
authentication needs no client software, but every MAC address must be registered on the
authentication server, which makes management complex.
Portal authentication is applied to scenarios where a large number of scattered users such as
company visitors move frequently.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Switch Software Mapping Search.
l After enabling NAC on an interface, you cannot run the following commands on the
interface. Similarly, after running the following commands on an interface, you cannot
enable NAC on the interface.
Command Function
Networking Requirements
As shown in Figure 10-34, terminals in a company's visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the internal network
can damage the company's service system and cause leakage of key information. Therefore,
the administrator requires that the Switch should control users' network access rights to ensure
internal network security.
Because visitors move frequently, Portal authentication is configured and the RADIUS server
is used to authenticate user identities.
Figure 10-34 (figure not reproduced; recoverable labels): Visitor terminals, Switch VLANIF10 192.168.1.10/24 and VLANIF20 192.168.2.10/24, RADIUS Server/Portal Server 192.168.2.30
Configuration Roadmap
The configuration roadmap is as follows:
l Before performing operations in this example, ensure that user access terminals and the server can
communicate.
l This example only provides the configuration of the Switch. The configurations of the LAN Switch and
server are not provided here.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
# Configure GE1/0/1 connecting the Switch to users as an access interface and add the
interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit
# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and
add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit
# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei2012 have been configured on the RADIUS server.
[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.
NOTE
Ensure that the port number configured on the device is the same as the port number used by the Portal server.
# Create the Portal server template abc for the Portal server at 192.168.2.30, and create the
Portal access profile web1 that references it.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.30
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] quit
[Switch] portal-access-profile name web1
[Switch-portal-access-profile-web1] web-auth-server abc direct
[Switch-portal-access-profile-web1] quit
# Configure the authentication profile p1, bind the Portal access profile web1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] portal-access-profile web1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
NOTE
In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the DHCP server
is on the upstream network of the Switch, configure an authentication-free rule to allow packets from the
network segment of the DHCP server to pass through. If the URL to the Portal server needs to be resolved by
the DNS server that is on the upstream network of the Switch, configure an authentication-free rule to allow
packets from the network segment of the DNS server to pass through.
# Bind the authentication profile p1 to GE1/0/1 and enable Portal authentication on the
interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
portal-access-profile web1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
#
web-auth-server abc
server-ip 192.168.2.30
port 50200
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller functions as both the Portal server and the RADIUS server in
this example. The minimum Agile Controller version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
The enterprise has the following requirements:
l The authentication operations should be simple: the authentication system only
performs access authorization, and as little client software as possible is installed on
user terminals.
l To facilitate network reconstruction and reduce investments, the enterprise requires the
authentication point be deployed on the core switch.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the campus network and deny access from unauthorized terminals.
l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.
VLAN Plan
Device | Item | Description
Core switch | ACL for the R&D employees' post-authentication domain: 3001 | Enter this ACL number when configuring authorization rules and results on the Agile Controller.
Core switch | ACL for the marketing employees' post-authentication domain: 3002 | Enter this ACL number when configuring authorization rules and results on the Agile Controller.
Agile Controller | Host name: access.example.com | Users can use this domain name to reach the Portal server.
Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. Configure Portal authentication on the core switch to implement user access control.
Configure parameters for connecting to the RADIUS server and those for connecting to
the Portal server, enable Portal authentication, and configure network access rights for
the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the
aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme
acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting
mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the
authentication scheme auth to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting
scheme acco to the domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server
template policy to the domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.
5. Configure network access rights for the pre-authentication domain and post-authentication domain.
[SwitchD] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //Configure an authentication-free rule so that Portal authentication users can access the DNS server before authentication.
[SwitchD] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //Configure an authentication-free rule so that Portal authentication users can access the web server before authentication.
[SwitchD] acl 3001 //Configure the post-authentication domain for R&D
employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access
all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for
marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent
marketing employees from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent
marketing employees from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to
access other resources.
[SwitchD-acl-adv-3002] quit
[SwitchD] quit
<SwitchD> save //Save the configuration.
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
1. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Department | R&D | -
l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End
Configuration Files
# Configuration file of the access switch for the employee department (The configuration file
of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
vlan batch 103 to 104
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Portal authentication applies to the users who are sparsely distributed and move frequently,
for example, guests of a company.
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
server in this example. For the Agile Controller, the minimum version required is
V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.
[Figure: Portal authentication networking. Internet; pre-authentication domain; core switch; Agile Controller (includes Portal and RADIUS servers), web server and DNS server; aggregation switch SwitchC (GE1/0/1, GE1/0/2, GE1/0/3) as the authentication point; post-authentication domain with the code configuration base and the issue tracking system; access switches SwitchA (R&D Dept.) and SwitchB (Marketing Dept.), each with GE0/0/1 facing the department and GE0/0/2 facing the aggregation switch; terminals: PC, laptop.]
VLAN Plan
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network connectivity.
2. Configure Portal authentication on the aggregation switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those for
connecting to the Portal server, enable Portal authentication, and configure network
access rights for the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the
aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.
5. Configure network access rights for the pre-authentication domain and post-authentication domain.
[SwitchC] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //Configure an authentication-free rule so that Portal authentication users can access the DNS server before authentication.
[SwitchC] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //Configure an authentication-free rule so that Portal authentication users can access the web server before authentication.
[SwitchC] acl 3001 //Configure the post-authentication domain for R&D
employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access
all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002 //Configure the post-authentication domain for
marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent
marketing employees from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent
marketing employees from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to
access other resources.
[SwitchC-acl-adv-3002] quit
[SwitchC] quit
<SwitchC> save //Save the configuration.
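The two domains configured in step 5 use two different notations for the same thing: the authentication-free rules take a subnet mask (255.255.255.255 selects one host), while the advanced ACLs take a wildcard (0 selects one host), and ACL rules are evaluated top to bottom with the first match winning. The following Python model is an added example, not code from this document or from Huawei; it reproduces the decisions the authentication point makes for an R&D user and a marketing user before and after authentication, and, for comparison, the allow-list style ACL 3002 from the 802.1x example's SwitchA configuration file later in this document. The department names, the Internet address 203.0.113.10, and all function names are constructed for the example.

```python
"""Access decisions produced by the pre- and post-authentication domains.

Constructed example, not Huawei code. It models:
  - the two authentication-free rules (subnet-mask notation, 255.255.255.255 = one host),
  - ACL 3001 and ACL 3002 (wildcard notation, 0 = every bit must match),
  - first-match evaluation of ACL rules, top to bottom.
"dot1x-3002" reproduces the allow-list ACL 3002 of the 802.1x example for comparison.
"""
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


# authentication free-rule N destination ip <ip> mask <mask>
FREE_RULES = [
    ("172.16.1.2", "255.255.255.255"),  # DNS server
    ("172.16.1.3", "255.255.255.255"),  # web server
]

# Advanced ACLs as ordered (action, destination, wildcard); destination None = any
ACLS = {
    3001: [("permit", None, None)],                      # R&D: everything
    3002: [("deny", "172.16.1.4", "0.0.0.0"),            # marketing: no code library
           ("deny", "172.16.1.5", "0.0.0.0"),            #            no issue tracker
           ("permit", None, None)],                      #            everything else
    # ACL 3002 of the 802.1x example: allow-list instead of deny-list
    "dot1x-3002": [("permit", "192.168.102.100", "0.0.0.0"),
                   ("deny", None, None)],
}

DEPARTMENT_ACL = {"R&D": 3001, "Marketing": 3002}  # constructed department names


def free_rule_matches(dst: str) -> bool:
    """Subnet-mask match: bits set to 1 in the mask are compared."""
    return any(_ip(dst) & _ip(m) == _ip(ip) & _ip(m) for ip, m in FREE_RULES)


def acl_matches(dst: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard match: bits set to 0 in the wildcard are compared, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(dst) & care == _ip(rule_ip) & care


def evaluate_acl(acl, dst: str) -> str:
    """First matching rule wins. Every ACL on the page ends with a catch-all rule,
    so the fallback below is never reached for them; the device's default action
    for an unmatched packet is deliberately left out of this model."""
    for action, rule_ip, wildcard in ACLS[acl]:
        if rule_ip is None or acl_matches(dst, rule_ip, wildcard):
            return action
    raise ValueError("ACL %r has no catch-all rule" % (acl,))


def access_decision(authenticated: bool, department: str, dst: str) -> str:
    """Decision the authentication point makes for a packet sent to dst."""
    if not authenticated:
        # Before authentication only free-rule destinations are reachable; other
        # traffic is not forwarded until the user passes Portal authentication.
        return "permit" if free_rule_matches(dst) else "deny"
    return evaluate_acl(DEPARTMENT_ACL[department], dst)


if __name__ == "__main__":
    # 203.0.113.10 stands in for an Internet host (constructed address)
    targets = {"DNS 172.16.1.2": "172.16.1.2", "code library 172.16.1.4": "172.16.1.4",
               "Internet 203.0.113.10": "203.0.113.10"}
    for dept in DEPARTMENT_ACL:
        for state in (False, True):
            for label, dst in targets.items():
                print(f"{dept:9} authenticated={state!s:5} {label:24} -> "
                      f"{access_decision(state, dept, dst)}")
```

Running the block prints the decision matrix: both departments reach only the DNS and web servers before authentication, R&D reaches everything afterwards, and marketing reaches the Internet but is stopped at 172.16.1.4 and 172.16.1.5. Note that the marketing ACL is a deny-list (new intranet servers are reachable until a rule is added), whereas the 802.1x example's ACL is an allow-list that denies everything not explicitly permitted.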
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
1. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Department | R&D | -
l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command Function
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requests users to pass identity authentication and
security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the enterprise network
only after passing authentication.
To provide high security for the network, you are advised to configure the 802.1x
authentication function on access switches and connect a single centralized authentication
server to the aggregation switch in bypass mode. MAC address authentication needs to be
configured for dumb terminals.
Data Plan
Item Data
Configuration Roadmap
1. Configure the access switches, including the VLANs that interfaces belong to, parameters for
connecting to the RADIUS server, enabling NAC authentication, and access rights to the
post-authentication domain.
NOTE
Ensure that routes are reachable between the access switches (SwitchC and SwitchD), the aggregation switch
(SwitchA), and the Agile Controller server.
2. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authentication rules, authorization results, and authorization rules on the
Agile Controller.
Procedure
Step 1 Configure the access switches. This example uses SwitchC to describe the configuration. The
domain configuration on SwitchD is the same as that on SwitchC.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1 //Configure the interface
connected to fixed terminals.
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2 //Configure the interface
connected to dumb terminals.
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3 //Configure the interface
connected to SwitchA.
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24 //Configure the IP address
used to communicate with the Controller.
2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit
# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco1] quit
# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1
[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit
# Configure isp as the global default domain. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchC] domain isp
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and
restart the device to make the configuration take effect.
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click and
Add SubGroup to create a device group Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.
This example uses SwitchC to describe the configuration procedure. The
configuration on SwitchD is the same as that on SwitchC except that the IP
addresses are different.
Parameter | Value | Description
Name | SwitchC | -
Device Series | Huawei Quidway series switch | -
e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchC to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.
Parameter | Value | Description
Name | Access authentication rule | -
After a user passes the authentication, the authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.
Parameter | Value | Description
Authorization Result | Post-authentication domain | -
----End
Configuration Notes
l This example applies to all S12700 versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command Function
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requests users to pass identity authentication and
security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the enterprise network
only after passing authentication.
l The enterprise has no more than 1000 employees. A maximum of 2000 users, including
guests, access the network every day.
l Dumb terminals, such as IP phones and printers, are connected to the enterprise network.
To reduce network reconstruction investment, you are advised to configure the 802.1x
authentication function on the aggregation switch and connect a single centralized
authentication server to the aggregation switch in bypass mode. MAC address authentication
needs to be configured for dumb terminals.
Data Plan
Item Data
Configuration Roadmap
1. Configure the aggregation switch, including the VLANs that interfaces belong to, parameters
for connecting to the RADIUS server, enabling NAC authentication, and access rights to
the post-authentication domain.
NOTE
Ensure that routes are reachable between the access switches (SwitchC and SwitchD), the aggregation switch
(SwitchA), and the Agile Controller server.
2. Configure the access switches, including the VLANs and 802.1x transparent
transmission.
Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1 //Configure the interface
connected to SwitchC.
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2 //Configure the interface
connected to SwitchD.
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/6 //Configure the interface
connected to the server.
[SwitchA-GigabitEthernet1/0/6] port link-type trunk
[SwitchA-GigabitEthernet1/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management
IP address for SwitchA. This IP address is used when SwitchA is added to
Agile Controller.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway
address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the pre-authentication domain
resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the post-authentication domain
resides.
2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that
the RADIUS server can maintain account status, such as login, log-off, and forced log-off.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[SwitchA-aaa-accounting-acco1] quit
# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit
# Configure the global default domain isp. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchA] domain isp
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and
restart the device to make the configuration take effect.
# Configure the interface connected to users as an access interface and add the interface
to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit
# Configure the interface connected to the upstream network as a trunk interface and
configure it to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit
2. Configure the device to transparently transmit 802.1x packets. This example uses
SwitchC to describe the configuration. The configuration on SwitchD is the same as that
on SwitchC.
NOTE
In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and
users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that
SwitchA can perform 802.1x authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
– Method 2: This method is recommended when a large number of users exist or high
network performance is required.
[SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
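The five bpdu mac-address commands of Method 2 are easiest to check as mask arithmetic: the removed default entry 0180-c200-0000 with mask FFFF-FFFF-FFF0 covered all sixteen addresses 0180-c200-0000 to 0180-c200-000f, and the four new entries cover every one of them except 0180-c200-0003, the EAPOL address that Method 1 names as protocol-mac. The following Python is an added example, not code from this document or from Huawei; it assumes that a frame matches an entry when every bit set to 1 in the mask is equal in the frame's destination MAC and the configured MAC, and the function names are constructed for the example.

```python
"""Which destination MAC addresses Method 2 still treats as BPDUs.

Constructed example, not Huawei code. Assumption: a frame matches a
"bpdu mac-address <mac> <mask>" entry when every bit that is 1 in the mask
is equal in the frame's destination MAC and in the configured MAC.
"""


def mac_to_int(mac: str) -> int:
    """Accept both 0180-c200-0003 and 01:80:c2:00:00:03 spellings."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


# Entry removed by "undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0":
# it matched all sixteen addresses 0180-c200-0000 .. 0180-c200-000f.
BEFORE = [("0180-c200-0000", "ffff-ffff-fff0")]

# The four entries Method 2 configures in its place.
AFTER = [
    ("0180-c200-0000", "ffff-ffff-fffe"),  # 0000 and 0001
    ("0180-c200-0002", "ffff-ffff-ffff"),  # 0002 only
    ("0180-c200-0004", "ffff-ffff-fffc"),  # 0004 to 0007
    ("0180-c200-0008", "ffff-ffff-fff8"),  # 0008 to 000f
]


def is_bpdu(dst_mac: str, entries) -> bool:
    """True if dst_mac matches any configured BPDU MAC entry (sent to the CPU)."""
    d = mac_to_int(dst_mac)
    return any(d & mac_to_int(mask) == mac_to_int(mac) & mac_to_int(mask)
               for mac, mask in entries)


def covered(entries) -> set:
    """The 0180-c200-000x addresses that the entries mark as BPDU addresses."""
    base = mac_to_int("0180-c200-0000")
    return {int_to_mac(base + i) for i in range(16)
            if is_bpdu(int_to_mac(base + i), entries)}


def released(before, after) -> list:
    """Addresses that were BPDU addresses before and are forwarded like data after."""
    return sorted(covered(before) - covered(after))


if __name__ == "__main__":
    for mac in sorted(covered(BEFORE)):
        print(mac, "BPDU" if is_bpdu(mac, AFTER) else "forwarded transparently")
    print("released:", released(BEFORE, AFTER))  # ['0180-c200-0003']
```

The output lists 0180-c200-0003 as the only address no longer trapped as a BPDU, which is exactly what the intermediate switch needs so that the EAPOL frames reach the authentication switch SwitchA; every other address in the block, including the STP address 0180-c200-0000, keeps its BPDU handling. The same functions can be pointed at any other mask set you are reviewing to confirm it releases only the intended address.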
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click and
Add SubGroup to create a device group Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.
Parameter | Value | Description
Name | SwitchA | -
Device Series | Huawei Quidway series switch | -
e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchA to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.
Parameter | Value | Description
Name | Access authentication rule | -
After a user passes the authentication, authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.
Parameter | Value | Description
Authorization Result | Post-authentication domain | -
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
server in this example. For the Agile Controller, the minimum version required is
V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
The enterprise has the following requirements:
l The authentication operations should be simple. The authentication system only
performs access authorization. Minimum client software is installed on user terminals.
l To facilitate network reconstruction and reduce investments, the enterprise requires the
authentication point be deployed on the core switch.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the campus network and deny access from unauthorized terminals.
l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.
VLAN Plan
Item | Data | Description
Core switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Core switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. Configure Portal authentication on the core switch to implement user access control.
Configure parameters for connecting to the RADIUS server and those for connecting to
the Portal server, enable Portal authentication, and configure network access rights for
the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
4. Enable Portal authentication and configure network access rights for users in the pre-
authentication domain and post-authentication domain.
# Configure an authentication-free rule profile and specify network access rights for
users in the pre-authentication domain.
[SwitchD] free-rule-template name default_free_rule
[SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the DNS server before
the authentication.
[SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the web server before
the authentication.
[SwitchD-free-rule-default_free_rule] quit
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
1. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Department | R&D | -
l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End
Configuration Files
# Configuration file of the access switch for the R&D department (the configuration file
of the access switch for the marketing department is similar)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
vlan batch 103 to 104
#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei layer3
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
authentication-profile p1
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
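How the two ACLs and the authentication-free rule profile in the configuration file above implement the R&D and marketing access requirements, as an added Python example (not code from the Huawei guide). It takes the department-to-ACL mapping from the VLAN Plan (R&D 3001, marketing 3002), treats a packet that matches no ACL rule as denied (an assumption; the ACLs on this page end in an explicit catch-all rule), and uses constructed sample destinations, since the page does not say which host is the code library or the issue tracker.

```python
import ipaddress

# ACL and free-rule lines copied from the configuration file on this page
POLICY_CONFIG = """\
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
"""

# Post-authentication ACL per department, from the page's VLAN Plan table
DEPARTMENT_ACL = {"R&D": 3001, "Marketing": 3002}

# Constructed sample destinations; the intranet host roles are assumed
SAMPLE_HOSTS = {
    "DNS server": "172.16.1.2",                 # free-rule 1 on the page
    "web server": "172.16.1.3",                 # free-rule 2 on the page
    "intranet host A (assumed)": "172.16.1.4",  # denied to marketing by ACL 3002
    "intranet host B (assumed)": "172.16.1.5",
    "Internet host (constructed)": "198.51.100.10",
}


def _ip(text):
    """Dotted IPv4 to int; the CLI accepts the shorthand 0 for wildcard 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse_policy(text):
    """Return ({acl_number: [(action, (dst, wildcard) or None)]}, [(dst, mask)])."""
    acls, free_rules, current = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[:2] == ["acl", "number"]:
            current = int(tok[2])
            acls[current] = []
        elif tok[0] == "rule" and current is not None:
            # rule <id> permit|deny ip [destination <addr> <wildcard>]
            action = tok[2]
            if action not in ("permit", "deny"):
                raise ValueError(f"unsupported rule: {raw}")
            dst = None
            if "destination" in tok:
                i = tok.index("destination")
                dst = (_ip(tok[i + 1]), _ip(tok[i + 2]))
            acls[current].append((action, dst))
        elif tok[0] == "free-rule-template":
            current = None
        elif tok[0] == "free-rule":
            # free-rule <id> destination ip <addr> mask <mask>
            i = tok.index("destination")
            free_rules.append((_ip(tok[i + 2]), _ip(tok[i + 4])))
        else:
            raise ValueError(f"unsupported line: {raw}")
    return acls, free_rules


def acl_permits(rules, dst):
    """First matching rule wins. A wildcard bit of 1 means 'do not care'."""
    d = _ip(dst)
    for action, target in rules:
        if target is None or (d & ~target[1]) == (target[0] & ~target[1]):
            return action == "permit"
    return False  # no rule matched: treated as deny here (assumption, see lead-in)


def free_rule_permits(free_rules, dst):
    """Authentication-free rules use a subnet mask, not a wildcard."""
    d = _ip(dst)
    return any((d & mask) == (base & mask) for base, mask in free_rules)


def allowed(policy, department, authenticated, dst):
    """Does the authentication switch forward this user's packet to dst?"""
    acls, free_rules = policy
    if not authenticated:  # pre-authentication domain: free rules only
        return free_rule_permits(free_rules, dst)
    return acl_permits(acls[DEPARTMENT_ACL[department]], dst)


def access_matrix(policy, hosts=SAMPLE_HOSTS):
    """{(department, authenticated): {host label: allowed}} over the sample hosts."""
    return {
        (dept, auth): {label: allowed(policy, dept, auth, ip) for label, ip in hosts.items()}
        for dept in DEPARTMENT_ACL
        for auth in (False, True)
    }


if __name__ == "__main__":
    for (dept, auth), row in access_matrix(parse_policy(POLICY_CONFIG)).items():
        state = "post-authentication" if auth else "pre-authentication"
        print(dept, state, {k: ("permit" if v else "deny") for k, v in row.items()})
```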
Portal authentication applies to the users who are sparsely distributed and move frequently,
for example, guests of a company.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the Portal server and RADIUS
server in this example. For the Agile Controller, the minimum version required is
V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS and Portal servers to pass. You
do not need to configure authentication-free rules for the two servers on the switch.
Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network
access rights and allow only authorized users to access the network.
l R&D employees can connect only to public servers (such as the web and DNS servers)
of the enterprise before the authentication, and can connect to both the intranet (code
library and issue tracking system) and Internet after being authenticated.
l Marketing employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect only to the Internet
after being authenticated.
[Figure: networking diagram. Labels: Internet; Pre-authentication domain (Agile Controller, which includes the Portal and RADIUS servers; web server; DNS server); Post-authentication domain (code library, issue tracking system, configuration base); Core switch; Aggregation switch SwitchC (GE1/0/1, GE1/0/2, GE1/0/3); Access switches SwitchA and SwitchB (GE0/0/1, GE0/0/2); R&D Dept. and Marketing Dept. terminals (PCs and a laptop); Authentication point.]
VLAN Plan
Item | Data | Description
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller.
Agile Controller | Host name: access.example.com | Users can use the domain name to access the Portal server.
Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network connectivity.
2. Configure Portal authentication on the aggregation switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those for
connecting to the Portal server, enable Portal authentication, and configure network
access rights for the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add user accounts to the Agile Controller.
c. Add a switch to the Agile Controller and configure related parameters to ensure
normal communication between the Agile Controller and switch.
d. Add authorization results and authorization rules to grant different access rights to
R&D employees and marketing employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the
R&D department. The configuration for SwitchB, the access switch connecting to the
marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D
department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the
aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save //Save the configuration.
4. Enable Portal authentication and configure network access rights for users in the pre-
authentication domain and post-authentication domain.
# Set the NAC mode to unified.
[SwitchC] authentication unified-mode //Set the NAC mode to unified. By
default, the switch works in unified mode. After changing the NAC mode from
common to unified, save the configuration and restart the switch to make the
configuration take effect.
# Configure an authentication-free rule profile and specify network access rights for
users in the pre-authentication domain.
[SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the DNS server before
the authentication.
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3
mask 255.255.255.255 //Configure authentication-free rules for Portal
authentication users, so that these users can access the web server before
the authentication.
[SwitchC-free-rule-default_free_rule] quit
[SwitchC-acl-adv-3002] quit
[SwitchC] quit
<SwitchD> save //Save the configuration.
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add a switch to the Agile Controller and configure related parameters to ensure normal
communication between the Agile Controller and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
1. Configure employee authorization. This example describes how to configure R&D
employee authorization. The configuration procedure for marketing employees is the
same, except that the network resources the two types of employees can access are
different.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and configure resources that R&D employees can access
after authentication and authorization.
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Department | R&D | -
l After an employee is authenticated, run the display access-user command on the switch.
The command output shows that the employee is online.
----End
Configuration Files
# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
Overview
On a NAC network, the 802.1x, MAC address, and Portal authentication modes are
configured on the user access interfaces of a device to meet various authentication
requirements. Users can access the network using any authentication mode.
If multiple authentication modes are enabled, the authentication modes take effect in the
sequence they are configured. In addition, after multiple authentication modes are deployed,
users can be authenticated in different modes by default and assigned different network rights
accordingly by the device.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
l NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Huawei's Agile Controller in V100R001C00 functions as the RADIUS server in this
example. For the Agile Controller, the minimum version required is V100R001C00.
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller server.
l By default, the switch allows the packets from RADIUS server to pass. You do not need
to configure authentication-free rules for the server on the switch.
l If NAC authentication is enabled on an interface, the following commands cannot be
used on the same interface.
Command Function
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and
protect information security, an enterprise requests users to pass identity authentication and
security check before they access the enterprise network. Only authorized users are allowed to
access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the enterprise network
only after passing authentication.
The enterprise network has the following characteristics:
l The access switches on the network do not support 802.1x authentication.
l The enterprise network has a small size and does not have branch networks.
l The enterprise has no more than 1000 employees. A maximum of 2000 users, including
guests, access the network every day.
l Dumb terminals, such as IP phones and printers, are connected to the enterprise network.
To reduce network reconstruction investment, you are advised to configure the 802.1x
authentication function on the aggregation switch and connect a single centralized
authentication server to the aggregation switch in bypass mode. MAC address authentication
needs to be configured for dumb terminals.
Data Plan
Item Data
Configuration Roadmap
1. Configure the aggregation switch, including the VLANs that interfaces belong to, the
parameters for connecting to the RADIUS server, NAC authentication, and access rights to
the post-authentication domain.
NOTE
Ensure that reachable routes exist between the access switches (SwitchC and SwitchD), the aggregation
switch (SwitchA), and the Agile Controller server.
2. Configure the access switches, including the VLANs and 802.1x transparent
transmission.
3. Configure the Agile Controller:
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be
forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 1/0/1 //Configure the interface
connected to SwitchC.
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2 //Configure the interface
connected to SwitchD.
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/6 //Configure the interface
connected to the server.
[SwitchA-GigabitEthernet1/0/6] port link-type trunk
[SwitchA-GigabitEthernet1/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management
IP address for SwitchA. This IP address is used when SwitchA is added to
Agile Controller.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway
address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the pre-authentication domain
resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.10 //
Configure a route to the network segment where the post-authentication domain
resides.
2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit
# Create an AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that
the RADIUS server can maintain account status, such as login, log-off and forced log-off.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time
# Create an authentication domain isp, and bind the AAA authentication scheme abc,
accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit
# Configure the global default domain isp. During access authentication, enter a user
name in the format user@isp to perform AAA authentication in the domain isp. If the
user name does not contain a domain name or contains an invalid domain name, the user
is authenticated in the default domain.
[SwitchA] domain isp
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and
restart the device to make the configuration take effect.
By default, an 802.1x access profile uses the EAP authentication mode. Ensure that the RADIUS server
supports EAP; otherwise, the server cannot process 802.1x authentication request packets.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit
# Configure the interface connected to users as an access interface and add the interface
to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit
# Configure the interface connected to the upstream network as a trunk interface and
configure it to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit
2. Configure the device to transparently transmit 802.1x packets. This example uses
SwitchC to describe the configuration. The configuration on SwitchD is the same as that
on SwitchC.
NOTE
In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and
users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that
SwitchA can perform 802.1x authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
– Method 2: This method is recommended when a large number of users exist or high
network performance is required.
[SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
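Why Method 2 uses exactly these five masks is easiest to see by computing what they cover. The following Python is an added example, not code from the Huawei guide (it serves the identical Method 2 block earlier in this document as well); it assumes the BPDU MAC table initially holds the default entry 0180-c200-0000/ffff-ffff-fff0 that the first undo command removes, and takes 0180-c200-0003 as the EAPOL address from the protocol-mac in Method 1.

```python
# Added example (not from the Huawei guide): models the bpdu mac-address table
# that Method 2 builds. The CLI lines are copied from the page; the initial
# default entry is assumed; the EAPOL address is Method 1's protocol-mac.

METHOD_2_CLI = """\
undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
"""
DEFAULT_TABLE = [("0180-c200-0000", "ffff-ffff-fff0")]  # assumed initial state
EAPOL_PAE_MAC = "0180-c200-0003"


def mac_to_int(mac):
    """'0180-c200-0003' (any case) -> 0x0180c2000003."""
    digits = mac.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac}")
    return int(digits, 16)


def int_to_mac(value):
    h = f"{value:012x}"
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"


def apply_cli(lines, table=DEFAULT_TABLE):
    """Apply 'bpdu mac-address' / 'undo bpdu mac-address' lines to a (mac, mask) table."""
    entries = [(mac_to_int(m), mac_to_int(k)) for m, k in table]
    for raw in lines.splitlines():
        tok = raw.split()
        if not tok:
            continue
        undo = tok[0] == "undo"
        if undo:
            tok = tok[1:]
        if tok[:2] != ["bpdu", "mac-address"] or len(tok) != 4:
            raise ValueError(f"unrecognised line: {raw!r}")
        entry = (mac_to_int(tok[2]), mac_to_int(tok[3]))
        if undo:
            if entry not in entries:
                raise ValueError(f"cannot undo missing entry: {raw!r}")
            entries.remove(entry)
        elif entry not in entries:
            entries.append(entry)
    return entries


def is_bpdu(mac, entries):
    """True if the switch would trap a frame to this destination MAC as a BPDU."""
    m = mac_to_int(mac)
    return any((m & mask) == (base & mask) for base, mask in entries)


def split_reserved_range(entries, first="0180-c200-0000", count=16):
    """Partition 0180-c200-0000..000f into (trapped as BPDU, forwarded as data)."""
    start = mac_to_int(first)
    trapped, forwarded = [], []
    for value in range(start, start + count):
        mac = int_to_mac(value)
        (trapped if is_bpdu(mac, entries) else forwarded).append(mac)
    return trapped, forwarded


def eapol_passes_transparently(cli=METHOD_2_CLI):
    """The property Method 2 relies on: EAPOL frames are not trapped as BPDUs."""
    return not is_bpdu(EAPOL_PAE_MAC, apply_cli(cli))


if __name__ == "__main__":
    trapped, forwarded = split_reserved_range(apply_cli(METHOD_2_CLI))
    print("trapped as BPDU:", trapped)
    print("forwarded as data:", forwarded)  # only 0180-c200-0003
```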
c. Click the User tab in the operation area on the right. Then click Add under the User
tab, and add the user A.
e. On the User tab page, select user A and click Transfer to add user A to the R&D
department.
3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click Add
SubGroup to create a device group named Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to
add network access devices.
d. Set connection parameters on the Add Device page.
Parameter | Value | Description
Name | SwitchA | -
Device Series | Huawei Quidway series switch | -
e. Click Permission Control Device Group in the navigation tree, select SwitchC,
and click Move to move SwitchA to the Switch group. The configuration on
SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.
Parameter | Value | Description
Name | Access authentication rule | -
After a user passes the authentication, authorization phase starts. The Agile Controller
grants the user access rights based on the authorization rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.
Parameter | Value | Description
Authorization Result | Post-authentication domain | -
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile m1
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %#%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%#%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
dot1x-access-profile name d1
#
mac-access-profile name m1
mac-authen username fixed A-123 password cipher %#%#'Fxw8E,G-81(A3U<^HH9Sj\:&hTdd>R>HILQYLtW%#%#
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return
Overview
After an 802.1x user is successfully authenticated on a RADIUS server, the server sends
authorization information to the access device of the user. When the Agile Controller
functions as the RADIUS server, it can deliver multiple authorization parameters.
l ACL-based authorization is classified into ACL number-based (static ACL-based) and
dynamic ACL-based authorization.
– ACL number: If ACL number delivery is configured on the server, the authorization
information sent to the access device includes the ACL number. The access device
matches ACL rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
– Dynamic ACL: The server delivers rules in an ACL to the device. Users can access
network resources controlled using this ACL. The ACL and ACL rules must be
configured on the server. The ACL does not need to be configured on the device.
The RADIUS attribute used for dynamic ACL delivery is Huawei extended
RADIUS attribute (26-82) HW-Data-Filter.
l Dynamic VLAN: If dynamic VLAN delivery is configured on the server, the
authorization information sent to the access device includes the VLAN attribute. After
the access device receives the authorization information, it changes the VLAN of the
user to the delivered VLAN.
The delivered VLAN does not change or affect the interface configuration. The delivered
VLAN, however, takes precedence over the VLAN configured on the interface. That is,
the delivered VLAN takes effect after the authentication succeeds, and the configured
VLAN takes effect after the user goes offline.
The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
To ensure that the RADIUS server delivers VLAN information correctly, all the three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-
Type attributes must be set to the specified values.
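The attribute encodings described above, as an added example (not Huawei's code or the Agile Controller's): it builds the attribute field of an Access-Accept for the three authorization forms, parses it back, applies the rule that a VLAN is honoured only when all three tunnel attributes are present with Tunnel-Type 13 and Tunnel-Medium-Type 6, and computes the Response Authenticator the access device must verify before trusting any of it. Huawei's IANA enterprise number 2011 and a plain-text rule string as the HW-Data-Filter value are assumptions; the page gives only the attribute numbers.

```python
"""Build and check the RADIUS authorization attributes listed above: (011)
Filter-Id carrying an ACL number, Huawei (26-82) HW-Data-Filter carrying
dynamic ACL rules, and the (064)/(065)/(081) tunnel triple carrying a VLAN.
Added example, not Huawei code. Assumes the RFC 2865/2868 attribute layouts,
Huawei's IANA enterprise number 2011 for the VSA, and a plain-text rule
string as the HW-Data-Filter value (its format is not given on the page)."""
import hashlib
import struct

FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
HUAWEI_VENDOR_ID, HW_DATA_FILTER = 2011, 82   # vendor id assumed; type from page
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # the fixed values the page requires


def avp(attr_type, value):
    """Type(1) Length(1) Value; Length includes the 2 header bytes (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def huawei_vsa(vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) + Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + inner)


def build_authorization(acl_number=None, vlan=None, dynamic_acl_rules=(), tag=1):
    """Attribute field of an Access-Accept carrying any of the three forms."""
    out = b""
    if acl_number is not None:
        out += avp(FILTER_ID, str(acl_number).encode())
    for rule in dynamic_acl_rules:
        out += huawei_vsa(HW_DATA_FILTER, rule.encode())
    if vlan is not None:
        out += avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        out += avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
        out += avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    return out


def parse_attributes(data):
    """Split an attribute field into (type, value) pairs, refusing bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def delivered_vlan(attrs):
    """VLAN the access device should apply, or None unless all three tunnel
    attributes are present and Tunnel-Type/Tunnel-Medium-Type hold 13 and 6."""
    by_type = dict(attrs)
    try:
        tun_type, medium = by_type[TUNNEL_TYPE], by_type[TUNNEL_MEDIUM_TYPE]
        group = by_type[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None                      # the triple is incomplete
    if len(tun_type) != 4 or len(medium) != 4 or not group:
        return None
    if int.from_bytes(tun_type[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_802:
        return None
    if group[0] <= 0x1F:                 # RFC 2868: a leading byte <= 0x1F is a
        group = group[1:]                # tag, anything larger starts the string
    return group.decode()


def delivered_acl_rules(attrs):
    """Rule strings carried in Huawei HW-Data-Filter VSAs (dynamic ACL mode)."""
    rules = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        if value[4] == HW_DATA_FILTER and value[5] == len(value) - 4:
            rules.append(value[6:].decode())
    return rules


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 s.3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). The
    access device must verify this before applying the authorization; without
    the shared key (radius-server shared-key) an Access-Accept cannot be forged."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()
```

Two details worth checking against a real server: some servers send Tunnel-Private-Group-ID without a tag byte, which the RFC 2868 rule in delivered_vlan tolerates because a first byte above 0x1F belongs to the string, and a reply with only two of the three tunnel attributes is ignored rather than guessed at, which is the behaviour the text above requires.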
NOTE
The following uses ACL number and dynamic VLAN delivery as an example. The configuration differences
between ACL number delivery and dynamic ACL delivery are described in notes.
Configuration Notes
l This example applies to V200R007C20, V200R009 and later versions.
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Campus
Switches.
l Making VLAN-based authorization take effect has the following requirements on the
link type and access control mode of the authentication interface:
– If the interface link type is hybrid and the interface has been added to a VLAN in
untagged mode, the access control mode can be MAC address-based or interface-
based.
– If the interface link type is access or trunk, the access control mode can only be
interface-based.
Networking Requirements
As shown in Figure 10-42, a large number of employees' terminals in a company connect to
the intranet through GE0/0/1 on SwitchA. To ensure network security, the administrator needs
to control network access rights of terminals. The requirements are as follows:
l Before passing authentication, terminals can access the public server (with IP address
192.168.40.1), and download the 802.1x client or update the antivirus database.
l After passing authentication, terminals can access the service server (with IP address
192.168.50.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
192.168.20.10-192.168.20.100).
Figure 10-42 (diagram): Employees' terminals (VLAN 10) connect to GE0/0/1 on SwitchA, the laboratory (VLAN 20) connects to GE0/0/2, and GE0/0/3 leads to the intranet, where the Agile Controller (IP address 192.168.30.1) and the service server (IP address 192.168.50.1) reside.
Data Plan
Resources accessible to users before authentication: Access rights to the public server are configured using an authentication-free rule. The name of the authentication-free rule profile is default_free_rule.
Resources accessible to users after authentication: Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20. Access rights to the service server are granted using an ACL number. The ACL number is 3002.
Configuration Roadmap
1. Configure the access switch: the VLANs that interfaces belong to, the parameters for
connecting to the RADIUS server, NAC, and the network access rights users obtain after
passing authentication.
NOTE
In this example, ensure that reachable routes exist between SwitchA, SwitchB, servers, laboratory, and
employees' terminals.
2. Configure the Agile Controller.
a. Log in to the Agile Controller.
b. Add an account to the Agile Controller.
c. Add switches to the Agile Controller.
d. Configure authorization results and authorization rules on the Agile Controller.
Procedure
Step 1 Configure access switch SwitchA.
1. Create VLANs and configure the allowed VLANs on interfaces to ensure network
connectivity.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connecting to employees' terminals.
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connecting to the laboratory.
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3 //Configure the interface connecting to SwitchB.
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface loopback 1
2. Create and configure a RADIUS server template, an AAA authentication scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
[SwitchA-radius-rd1] quit
# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit
# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15
[SwitchA-aaa-accounting-acco1] quit
# Create the authentication domain huawei, and bind the AAA authentication scheme
abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme abc
[SwitchA-aaa-domain-huawei] accounting-scheme acco1
[SwitchA-aaa-domain-huawei] radius-server rd1
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit
NOTE
By default, the unified mode is enabled. Before changing the NAC mode, you must save the
configuration. After the mode is changed and the device is restarted, functions of the newly configured
mode take effect.
# Configure the authentication profile p1, bind the 802.1x access profile d1 and
authentication-free rule profile default_free_rule to the authentication profile, specify
the domain huawei as the forcible authentication domain in the authentication profile,
and set the user access mode to multi-authen.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] free-rule-template default_free_rule
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] authentication mode multi-authen
[SwitchA-authen-profile-p1] quit
# Bind the authentication profile p1 to GE0/0/1 and enable 802.1x authentication on the
interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1
[SwitchA-GigabitEthernet0/0/1] quit
5. Configure the authorization parameter ACL 3002 for users who pass authentication.
NOTE
In dynamic ACL mode, this step does not need to be configured on the device.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit
c. Click the User tab in the operation area on the right, and then click Add under the
User tab to add a user A.
e. In the User tab, select user A. Click Transfer to add user A to the department
R&D.
3. Add switches to the Agile Controller so that the switches can communicate with the
Agile Controller.
Choose Resource > Device > Device Management. Click Add in the operation area on
the right. Set connection parameters on the Add Device page.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter Value Description
b. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click Add to create an authorization result.
c. Configure basic information for the authorization result.
Parameter Value Description
Dynamic ACL 3002 -
After a user passes authentication, the authorization phase starts. The Agile Controller grants
the user access rights based on the authorization rule.
a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.
----End
Overview
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through PCs
and guests connect to the network through mobile phones. The administrator has created local
accounts for the employees so that they can use the local accounts to pass authentication. For
guest accounts, the administrator needs to configure the Service Manager to enable guests to
complete authentication using GooglePlus, Facebook or Twitter accounts.
Configuration Notes
l The RADIUS authentication and accounting shared keys and Portal shared key on the
switch must be the same as those on the Agile Controller.
l Huawei's Agile Controller functions as the RADIUS server in this example. For the
Agile Controller, the minimum version required is V100R002C00SPC105.
l By default, the switch allows the packets sent to RADIUS and Portal servers to pass
through. You do not need to configure an authentication-free rule for the packets on the
switch.
l Service data forwarding modes are classified into tunnel forwarding mode and direct
forwarding mode. The tunnel forwarding mode is used in this example.
– In tunnel forwarding mode, the management VLAN and service VLAN cannot be
the same.
– In direct forwarding mode, do not configure the management VLAN and service
VLAN to be the same. You are advised to configure port isolation on the switch
interface directly connected to the AP. If port isolation is not configured, many
broadcast packets will be transmitted in VLANs or WLAN users on different APs
can directly communicate at Layer 2.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
In Figure 10-43, a switch functions as the AC and connects to the AP through a PoE switch.
The PoE switch provides power for the AP. You can configure WLAN services on the AC to
provide wireless access services for users.
Figure 10-43 (diagram): STAs associate with the AP, which connects through the PoE switch to the AC; management VLAN: VLAN 100; service VLAN: VLAN 101; Agile Controller IP address: 192.168.30.2.
Configuration Roadmap
1. Configure network connectivity.
2. Set the NAC mode of the AC to unified.
3. Configure parameters for the AC to communicate with the Agile Controller (RADIUS
server).
4. Configure Portal authentication.
5. Configure the AP to go online.
6. Configure STAs to go online.
7. Configure the Agile Controller and social media authentication server.
Procedure
Step 1 Configure network connectivity.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
# On the AC, add GE1/0/1 connected to SwitchA to VLAN 100, add GE1/0/3 connected to
the Agile Controller to VLAN 102, and add GE1/0/2 connected to the Internet to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit
# Configure the AC as a DHCP server based on interface address pools. VLANIF 100 assigns
IP addresses to the AP and VLANIF 101 assigns IP addresses to STAs.
[AC] dhcp enable //Enable DHCP.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an address pool on VLANIF 100 to assign IP addresses to the AP.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.20.1 24
[AC-Vlanif101] dhcp select interface //Configure an address pool on VLANIF 101 to assign IP addresses to STAs.
[AC-Vlanif101] quit
Step 3 Configure parameters for the AC to communicate with the Agile Controller (RADIUS server).
[AC] radius-server template policy //Create the RADIUS server template policy.
[AC-radius-policy] radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 //Configure the IP address and port number of the RADIUS authentication server.
[AC-radius-policy] radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 //Configure the IP address and port number of the RADIUS accounting server.
[AC-radius-policy] radius-server shared-key cipher Admin@123 //Set the
# Configure parameters for the AC to communicate with the Agile Controller (Portal server).
[AC] web-auth-server portal_huawei //Configure the Portal server template portal_huawei.
[AC-web-auth-server-portal_huawei] server-ip 192.168.30.2 //Configure the IP address of the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 192.168.30.1 //Configure the IP address the device uses to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port in the packets sent by the AC to the Portal server to 50200, the port on which the Portal server listens. The default port in the packets sent by the switch is 50100, so it must be changed to 50200 to match the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure the shared key for communication with the Portal server. It must be the same as the key configured on the Portal server.
[AC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure the URL of the Portal authentication page. access.example.com is the host name of the Portal server. Using a domain name rather than an IP address makes the authentication page push more secure and faster, but the DNS server must already map the domain name access.example.com to the IP address of the Portal server.
[AC-web-auth-server-portal_huawei] quit
[AC] web-auth-server listening-port 2000 //Configure the port on which the device processes Portal packets. The default is 2000. If this port is changed on the server, change it on the switch as well.
[AC] portal quiet-period //Enable the quiet function for Portal authentication. If a user fails authentication more than the configured number of times within 60 seconds, the device discards that user's packets for the quiet period, so that repeated authentication failures do not load the system.
[AC] portal quiet-times 5 //Set the maximum number of authentication failures allowed within 60 seconds before the device quiets a Portal authentication user.
[AC] portal timer quiet-period 240 //Set the Portal quiet period to 240 seconds.
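A model of the quiet function just configured, as an added example and not Huawei's implementation: failures are counted per user in the 60-second window the text describes, the fifth failure in that window starts a 240-second quiet period during which the user's packets would be discarded, and a failure during the quiet period is ignored rather than extending it. Treating the fifth failure (rather than the sixth) as the trigger is an assumption; the device's exact comparison is in its command reference. The MAC address used as the user key is constructed sample input.

```python
"""Sliding-window model of the Portal quiet function configured above
(portal quiet-period, portal quiet-times 5, portal timer quiet-period 240).
Added example, not Huawei code. Assumes the fixed 60 s counting window the
text describes and treats reaching quiet-times failures as the trigger;
the device's exact comparison is documented in its command reference."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60


class PortalQuiet:
    def __init__(self, quiet_times=5, quiet_period=240):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self._failures = defaultdict(deque)   # user -> timestamps of failures
        self._quiet_until = {}                # user -> time the quiet period ends

    def is_quiet(self, user, now):
        """True while the device should discard the user's Portal packets."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._quiet_until[user]           # quiet period over: start afresh
        self._failures.pop(user, None)
        return False

    def record_failure(self, user, now):
        """Record one failure; return True if it starts a quiet period."""
        if self.is_quiet(user, now):
            return False                      # already discarded, nothing new
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures older than 60 s
        if len(window) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            window.clear()
            return True
        return False

    def record_success(self, user):
        """A successful authentication clears the failure history."""
        self._failures.pop(user, None)


def replay(events, quiet_times=5, quiet_period=240):
    """Run constructed (time, user, succeeded) events; return the model and
    the (time, user) pairs at which a quiet period started."""
    q = PortalQuiet(quiet_times, quiet_period)
    started = []
    for t, user, ok in events:
        if ok:
            q.record_success(user)
        elif q.record_failure(user, t):
            started.append((t, user))
    return q, started
```

The window is anchored on the oldest failure still inside 60 seconds, so five failures spread over more than a minute never trigger the quiet state; only a burst does, which is what the feature is meant to catch.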
# Configure the AC to allow users to access resources of the social media authentication
server before authentication.
[AC] acl 6000
[AC-acl-ucl-6000] rule 1 permit ip destination fqdn www.googleapis.com //Allow packets sent to the Google server to pass before authentication.
[AC-acl-ucl-6000] rule 2 permit ip destination fqdn apis.google.com //Allow packets sent to the Google server to pass before authentication.
[AC-acl-ucl-6000] rule 3 permit ip destination fqdn connect.facebook.net //Allow packets sent to the Facebook server to pass before authentication.
[AC-acl-ucl-6000] rule 4 permit ip destination fqdn api.twitter.com //Allow packets sent to the Twitter server to pass before authentication.
[AC-acl-ucl-6000] rule 5 permit ip destination fqdn abs.twimg.com //Allow packets sent to the Twitter server to pass before authentication.
[AC-acl-ucl-6000] rule 6 permit ip destination fqdn mobile.twitter.com //Allow packets sent to the Twitter server to pass before authentication.
[AC-acl-ucl-6000] rule 7 permit ip destination fqdn twitter.com //Allow packets sent to the Twitter server to pass before authentication.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------------------
Total: 1
# Create the security profile wlan-security and set the security policy to open system
authentication.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open //Set the security policy to
open.
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID name to wlan-net.
# Create the VAP profile wlan-vap, configure the service data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //The default VLAN ID is 1. Set it to 101.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Step 7 Configure the Agile Controller and social media authentication server. For details, see Agile
Controller-Campus Product Documentation - Example for Configuring Guest Access
Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).
Step 8 Verify the configuration.
After completing the configuration, run the display vap ssid wlan-net command. If the
Status field displays ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 1 1 60DE-4476-E360 ON Open 0 wlan-net
--------------------------------------------------------------------------------
Total: 2
Manually search for the WLAN with the SSID wlan-net. After completing the social media account
authentication as prompted, run the display station ssid wlan-net command on the AC. The
command output shows that the user has successfully connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 192.168.20.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
portal-access-profile web1
free-rule-template default_free_rule
#
domain portal
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %^%#v@)#XkYybF19}~4&3(rDX%va0:#G>0MDrOF^B;D+%^%#
radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 weight 80
radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 weight 80
#
acl number 3001
rule 1 permit ip
#
acl number 6000
rule 1 permit ip destination fqdn www.googleapis.com
rule 2 permit ip destination fqdn apis.google.com
rule 3 permit ip destination fqdn connect.facebook.net
rule 4 permit ip destination fqdn api.twitter.com
rule 5 permit ip destination fqdn abs.twimg.com
rule 6 permit ip destination fqdn mobile.twitter.com
rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
free-rule acl 6000
#
web-auth-server portal_huawei
server-ip 192.168.30.2
port 50200
shared-key cipher %^%#vB3l&dt|S!59SdGIdcT"mwAQ!4[#Y-#{IBGbI[l:%^%#
url http://access.example.com:8080/portal
source-ip 192.168.30.1
#
portal-access-profile name web1
web-auth-server portal_huawei direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.20.1 255.255.255.0
authentication-profile p1
dhcp select interface
#
interface Vlanif102
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 102
#
portal timer quiet-period 240
portal quiet-times 5
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l The following describes the applicable product models and versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 11-1, HostA is dual-homed to SwitchA and SwitchB through the switch.
To ensure nonstop service transmission, a VRRP group in active/standby mode needs to be
configured on SwitchA and SwitchB.
l The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
l After SwitchA recovers, it preempts to be the master to transmit data after a preemption
delay of 20s.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. Set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic, and set the preemption delay to
20s on SwitchA. Set a lower priority for SwitchB so that SwitchB functions as the
backup.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configurations
of SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 192.168.1.1 24
[SwitchA-Vlanif300] quit
# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# After the configuration is complete, run the display vrrp command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# Run the display ip routing-table command on SwitchA and SwitchB. The command output
shows that a direct route to the virtual IP address exists in the routing table of SwitchA and an
OSPF route to the virtual IP address exists in the routing table of SwitchB. The command
output on SwitchA and SwitchB is as follows:
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10
# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is in Master state.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40
# After 20s, run the display vrrp command on SwitchA to view the VRRP status. The
command output shows that SwitchA is in Master state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
Relevant Information
Video
Configuring VRRP
The load balancing mode differs from the active/standby mode in the following ways:
l Multiple VRRP groups need to be created, and the master in each VRRP group can be
different.
l A VRRP device can join multiple VRRP groups and has different priorities in different
VRRP groups.
Configuration Notes
l VRRP groups must use different virtual IP addresses. The virtual IP address of a VRRP
group must be on the same network segment as the IP address of the interface where the
VRRP group is configured.
l Ensure that each device of the same VRRP group is configured with the same VRID.
l The following describes the applicable product models and versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 11-2, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch. To reduce the load of data traffic on SwitchA, HostA uses SwitchA as the default
gateway to connect to the Internet, and SwitchB functions as the backup gateway. HostC uses
SwitchB as the default gateway to connect to the Internet, and SwitchA functions as the
backup gateway. This implements load balancing.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 11-2 Networking diagram for configuring a VRRP group in load balancing mode
Configuration Roadmap
A VRRP group in load balancing mode is used to implement load balancing. The
configuration roadmap is as follows:
Procedure
Step 1 Configure devices to ensure network connectivity.
# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.50.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and
the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP
group uses immediate preemption by default. Change the preemption delay of the
master to prevent service interruptions on an unstable network where devices in
the VRRP group preempt to be the master.
[SwitchA-Vlanif100] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchB-Vlanif100] quit
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 500
[SwitchB-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchB-Vlanif500] vrrp vrid 2 priority 120 //The default priority of a device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchB-Vlanif500] vrrp vrid 2 preempt-mode timer delay 20 //A device in a VRRP
group uses immediate preemption by default. Change the preemption delay of the
master to prevent service interruptions on an unstable network where devices in
the VRRP group preempt to be the master.
[SwitchB-Vlanif500] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchA-Vlanif500] quit
# After the configuration is complete, run the display vrrp command on SwitchB. You can
see that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300 500
#
interface Vlanif100
ip address 10.1.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif500
ip address 10.1.50.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l Multiple VRRP groups can monitor a BFD session, and a VRRP group can monitor a
maximum of eight BFD sessions simultaneously.
l The following describes the applicable product models and versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 11-3, hosts on a LAN are dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is the
master.
When SwitchA or the link between SwitchA and SwitchB fails, the backup takes over only after
VRRP negotiation is complete. To speed up the switchover, deploy a BFD session on the link
and associate the VRRP group with it. When the interface on the master or the link fails, the
BFD session rapidly detects the fault and notifies the VRRP group. The VRRP group then
performs a rapid active/standby switchover: the backup becomes the master and takes over
traffic. This reduces the impact of the fault on service transmission.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 11-3 Association between VRRP and BFD to implement a rapid active/standby
switchover
[Figure 11-3 diagram: VRRP VRID 1, virtual IP address 10.1.1.3/24. SwitchA (Master, VLANIF100 10.1.1.1/24) and SwitchB (Backup, VLANIF100 10.1.1.2/24) each connect through GE1/0/1 to the Switch (GE1/0/1, GE1/0/2), which also serves HostA and HostB. BFD packets are exchanged between SwitchA and SwitchB, and both switches uplink to the Internet.]
Configuration Roadmap
Association between VRRP and BFD is used to implement a rapid active/standby switchover.
The configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to ensure
network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the master, its
priority is 120, and the preemption delay is 20s. SwitchB functions as the backup and
uses the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of the
VRRP group.
4. Configure association between BFD and VRRP on SwitchB so that an active/standby
switchover can be performed rapidly when the link is faulty.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of
SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example. The
configuration of SwitchB is similar to that of SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Run the display bfd session command on SwitchA and SwitchB. You can see that the BFD
session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Initialize
state, SwitchB becomes the Master, and the associated BFD session becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is restored as the master, SwitchB is restored as the backup, and the associated BFD
session is in Up state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
----End
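The priority rules that the load-balancing example above (two VRRP groups on one switch pair, each with a different master) and this VRRP/BFD example depend on, as an added Python model that is not part of this guide and not Huawei software: configured priority, the priority increase applied by "track bfd-session ... increased", the higher-IP tie-break for equal priorities, and the preemption delay a stronger candidate must wait out. SwitchB's VLANIF addresses in the load-balancing group (10.1.10.2 and 10.1.50.2) are assumed, since the page does not show them, and the times at which the fault and its repair are injected are constructed.

```python
"""VRRP master election model (added example, not Huawei code).

Reproduces the priority rules behind the load-balancing and VRRP/BFD
examples: per-group configured priority, 'track bfd-session ... increased N',
the higher-IP tie-break for equal priorities, and a preemption delay that a
better candidate must wait out before taking over.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    name: str
    ip: str                         # primary IP of the VLANIF running VRRP
    priority_config: int = 100      # Huawei default priority
    preempt_delay: int = 0          # seconds; 0 = immediate preemption
    increase_on_bfd_down: int = 0   # 'vrrp vrid N track bfd-session X increased M'
    alive: bool = True              # False = interface down, device in Initialize state
    bfd_down: bool = False
    eligible_since: Optional[float] = None  # when this member began waiting to preempt

    def priority_run(self) -> int:
        p = self.priority_config + (self.increase_on_bfd_down if self.bfd_down else 0)
        return max(1, min(p, 254))  # configurable VRRP range; 255 is the address owner


@dataclass
class VrrpGroup:
    vrid: int
    members: List[Member]
    master: Optional[str] = None

    def _best(self) -> Optional[Member]:
        """Highest running priority wins; equal priorities fall back to the higher IP."""
        alive = [m for m in self.members if m.alive]
        return max(alive, key=lambda m: (m.priority_run(), ip_address(m.ip)), default=None)

    def evaluate(self, now: float) -> Optional[str]:
        """Recompute the master at time `now` (seconds) and return its name."""
        best = self._best()
        current = next((m for m in self.members if m.name == self.master and m.alive), None)
        for m in self.members:
            if m is not best:
                m.eligible_since = None  # only the best candidate keeps a preempt timer
        if best is None:
            self.master = None
        elif current is None or best is current:
            # No live master (real VRRP first waits the master-down interval, omitted
            # here), or the current master already has the strongest claim.
            self.master = best.name
            best.eligible_since = None
        else:
            # A stronger candidate exists; it preempts once its delay has elapsed.
            if best.eligible_since is None:
                best.eligible_since = now
            if now - best.eligible_since >= best.preempt_delay:
                self.master = best.name
                best.eligible_since = None
        return self.master


def load_balancing_scenario() -> Dict[int, Optional[str]]:
    """Two groups on one switch pair, each with its own master (Figure 11-2 setup).
    SwitchB's interface addresses are assumed; the page does not show them."""
    g1 = VrrpGroup(1, [Member("SwitchA", "10.1.10.1", priority_config=120, preempt_delay=20),
                       Member("SwitchB", "10.1.10.2")])
    g2 = VrrpGroup(2, [Member("SwitchA", "10.1.50.1"),
                       Member("SwitchB", "10.1.50.2", priority_config=120, preempt_delay=20)])
    return {g.vrid: g.evaluate(0) for g in (g1, g2)}


def bfd_scenario() -> List[Tuple[float, Optional[str]]]:
    """Master over time in the VRRP/BFD example. The event timing is constructed:
    the link fault and its repair are injected at t=1 and t=2."""
    a = Member("SwitchA", "10.1.1.1", priority_config=120, preempt_delay=20)
    b = Member("SwitchB", "10.1.1.2", increase_on_bfd_down=40)
    g = VrrpGroup(1, [a, b])
    timeline = [(0, g.evaluate(0))]             # SwitchA: 120 > 100
    a.alive, b.bfd_down = False, True           # GE1/0/1 shut down; BFD reports Down
    timeline.append((1, g.evaluate(1)))         # SwitchB at once: 100 + 40 = 140, no delay
    a.alive, b.bfd_down = True, False           # link restored, BFD back Up
    timeline.append((2, g.evaluate(2)))         # still SwitchB; SwitchA starts its 20 s wait
    timeline.append((21, g.evaluate(21)))       # 19 s elapsed: still SwitchB
    timeline.append((22, g.evaluate(22)))       # 20 s elapsed: SwitchA preempts
    return timeline


if __name__ == "__main__":
    print(load_balancing_scenario())
    print(bfd_scenario())
```

The model deliberately leaves out the master-down interval (the backup in the page's output takes over only after the advertisement timer expires), so a failed master is replaced in the same evaluation step; everything else (the 140 versus 120 comparison while BFD is down, and the 20 s wait before SwitchA returns) follows the page's procedure.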
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 track bfd-session 2 increased 40
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
discriminator local 2
discriminator remote 1
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 11-4, the user hosts are dual-homed to SwitchA and SwitchB through the
switch. The requirements are as follows:
l The hosts use SwitchA as the default gateway to connect to the Internet. When SwitchA
or the downlink/uplink fails, SwitchB functions as the gateway to implement gateway
backup.
l The bandwidth of the link between SwitchA and SwitchB is increased to implement link
backup and improve link reliability.
l After SwitchA recovers, it becomes the gateway within 20s.
Figure 11-4 Networking of association between VRRP and the interface status
[Figure 11-4 diagram: aggregation layer and core layer. The aggregation Switch (GE1/0/1 to GE1/0/4; host-side VLAN 101 to VLAN 116 ... VLAN 165 to VLAN 180) is dual-homed to the core switches SwitchA (Master, 192.168.1.1/24) and SwitchB (Backup, 192.168.2.1/24), which are joined by Eth-Trunk1 over GE1/0/3 and GE1/0/4. SwitchA and SwitchB connect over GE1/0/1 to SwitchC (192.168.1.2/24 and 192.168.2.2/24), which reaches the Internet through 172.16.1.1/24.]
Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
SwitchA and SwitchB are core switches, and the switch is an aggregation switch.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit
# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are
not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of the device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //The device in a VRRP group uses the immediate preemption mode by default. Change the preemption delay of the master to prevent traffic interruptions when the master and backup frequently preempt each other on an unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP group with the uplink interface. Set the decreased priority to ensure that the priority of the backup is higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP group with the downlink interface. Set the decreased priority to ensure that the priority of the backup is higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Specify VLAN 301 where VRRP packets are transmitted to save the network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit
# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
# Run the display vrrp command on SwitchB. You can see that SwitchB is the backup.
VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Backup
state, SwitchB enters the Master state, and the associated interface becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is restored as the master and SwitchB as the backup, and the associated interface is
in Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
----End
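A consistency check over the display vrrp output shown in this procedure, added here as an example and not part of the guide or of Huawei's software. It parses the output into one record per VRRP group and verifies what a practitioner reads off by hand above: that PriorityRun equals PriorityConfig minus the "reduced" value of every tracked interface whose IF state is DOWN (120 - 100 = 20 on SwitchA), that the virtual MAC encodes the VRID (0000-5e00-01xx), that a backup which already outranks the master is reported as waiting on its preempt delay, and that the Auth type field is not NONE. The sample text is copied from the page's SwitchA output; the finding strings and the field names used in the records are this example's own.

```python
"""Consistency check over 'display vrrp' output (added example, not Huawei code)."""
import re
from typing import Any, Dict, List

# Copied from the page: SwitchA (VRID 1 on Vlanif11) after GE1/0/1 was shut down.
SAMPLE_DISPLAY_VRRP = """\
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
"""

HEADER_RE = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)$")
PREEMPT_RE = re.compile(r"^Preempt\s*:\s*(\S+)\s+Delay Time\s*:\s*(\d+)\s*s$")
TRACK_RE = re.compile(r"^Track IF\s*:\s*(\S+)\s+Priority reduced\s*:\s*(\d+)$")


def parse_display_vrrp(text: str) -> List[Dict[str, Any]]:
    """One dict per VRRP group, split on the 'Vlanif | Virtual Router' header lines."""
    groups: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"interface": m.group(1), "vrid": int(m.group(2)), "tracks": []}
            groups.append(cur)
            continue
        if not cur:
            continue  # anything before the first header, e.g. the CLI prompt line
        m = PREEMPT_RE.match(line)  # two fields share this line
        if m:
            cur["preempt"] = m.group(1) == "YES"
            cur["delay"] = int(m.group(2))
            continue
        m = TRACK_RE.match(line)
        if m:
            cur["tracks"].append({"interface": m.group(1), "reduced": int(m.group(2)), "state": None})
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IF state" and cur["tracks"]:
            cur["tracks"][-1]["state"] = value  # belongs to the preceding 'Track IF' line
        else:
            cur[key] = value
    return groups


def expected_priority_run(g: Dict[str, Any]) -> int:
    """PriorityConfig minus the reduction of every tracked interface that is DOWN (floor 1)."""
    penalty = sum(t["reduced"] for t in g["tracks"] if t["state"] == "DOWN")
    return max(1, int(g["PriorityConfig"]) - penalty)


def audit_group(g: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    run, want = int(g["PriorityRun"]), expected_priority_run(g)
    if run != want:
        findings.append(f"PriorityRun {run} does not match tracked state (expected {want})")
    if g["Virtual MAC"].lower() != f"0000-5e00-01{g['vrid']:02x}":
        findings.append(f"virtual MAC {g['Virtual MAC']} does not encode VRID {g['vrid']}")
    if g["State"] == "Backup" and run > int(g["MasterPriority"]):
        findings.append(f"outranks master ({run} > {g['MasterPriority']}) but still Backup: "
                        f"preempt delay {g.get('delay', 0)} s pending or preemption disabled")
    if g.get("Auth type", "").upper() == "NONE":
        findings.append("Auth type is NONE: advertisements are unauthenticated")
    return findings


def audit_display_vrrp(text: str) -> Dict[str, List[str]]:
    """Map 'interface/VRID' to its findings; an empty list means the group is consistent."""
    return {f"{g['interface']}/{g['vrid']}": audit_group(g) for g in parse_display_vrrp(text)}


if __name__ == "__main__":
    for key, findings in audit_display_vrrp(SAMPLE_DISPLAY_VRRP).items():
        print(key, findings or "consistent")
```

Run against the page's output the only finding is the unauthenticated Auth type; feeding it the output of a device whose PriorityRun has not dropped although a tracked interface is DOWN produces the mismatch finding, which is the case worth catching when a switchover did not happen as the design expected.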
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
VRRP Overview
Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a commonly used method to improve system
reliability. However, route selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the gateway fails, VRRP selects a new gateway
to transmit service traffic to ensure reliable communication.
Configuration Notes
l VRRP groups must use different virtual IP addresses. The virtual IP address of a VRRP
group must be on the same network segment as the IP address of the interface where the
VRRP group is configured.
l Ensure that each device of the same VRRP group is configured with the same VRID.
Networking Requirements
As shown in Figure 11-5, SwitchA and SwitchB are egress gateways of the campus network;
SwitchC and SwitchD are core switches. The multicast source connects to the campus
network through a router. Key nodes on the network work in redundancy mode to improve
network reliability, and the egress gateways and core switches are fully meshed to implement
link redundancy. The egress gateways and core switches must be configured to enable
multicast data to be reliably transmitted to the downstream network.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
[Figure 11-5 diagram: IP network at the top. Campus egress SwitchA and SwitchB: VRRP VRID 1 virtual IP address 10.1.1.253, VRRP VRID 2 virtual IP address 10.1.1.254, Loopback1 10.10.1.1/32 and 10.2.2.2/32, GE1/0/0 toward the IP network, Eth-Trunk member interfaces GE2/0/1 to GE2/0/3 between the pair, GE3/0/1 and GE3/0/2 toward the core. Core layer SwitchC and SwitchD: Loopback1 10.3.3.3/32 and 10.4.4.4/32, VRRP VRID 1 virtual IP address 10.1.6.253, VRRP VRID 2 virtual IP address 10.1.6.254, GE3/0/1 and GE3/0/2 toward the egress, Eth-Trunk member interfaces GE2/0/1 to GE2/0/3 between the pair, GE1/0/0 toward the aggregation layer. Below: aggregation layer, access layer, and application layer with HostA and HostB. Legend: Eth-Trunk interface.]
Configuration Roadmap
To ensure reliable multicast data transmission, configure the Virtual Router Redundancy
Protocol (VRRP) and Bidirectional Forwarding Detection (BFD) on the egress gateways and
core switches. To ensure normal multicast forwarding, configure a multicast protocol on the
egress gateways and core switches.
1. Configure link aggregation groups between SwitchA and SwitchB, and between SwitchC
and SwitchD to ensure fast and reliable exchange of VRRP packets.
2. Create VLANs on the switches and add their interfaces to respective VLANs. Configure
IP addresses for the corresponding VLANIF interfaces to make local network segments
reachable.
3. Configure the Open Shortest Path First (OSPF) protocol on the switches to ensure
reachable routes between them. OSPF routes load balance unicast traffic between the
egress gateways and core switches to reduce loads of links that transmit multicast and
unicast data simultaneously.
4. Configure a VRRP group between SwitchA and SwitchB and a VRRP group between
SwitchC and SwitchD to ensure reliable multicast forwarding. The VRRP groups
implement load balancing for unicast traffic to reduce loads of links that transmit
multicast and unicast data simultaneously.
5. Configure a multicast protocol on the switches to ensure normal multicast data
forwarding.
6. Configure BFD for OSPF and BFD for PIM on the switches to enable the switches to
quickly detect link failures, realizing fast convergence of unicast and multicast routes.
Procedure
1. Configure link aggregation groups on the switches.
# Create Eth-Trunks and add member interfaces to the Eth-Trunks on the campus egress
gateway and core devices.
<SwitchA> system-view
[SwitchA] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchA-Eth-Trunk1] quit
<SwitchB> system-view
[SwitchB] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchB-Eth-Trunk1] quit
<SwitchC> system-view
[SwitchC] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchC-Eth-Trunk1] quit
<SwitchD> system-view
[SwitchD] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member
interfaces GE2/0/1 through GE2/0/3 to it.
[SwitchD-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchD-Eth-Trunk1] quit
By default, an Eth-Trunk works in manual load balancing mode, and all active interfaces
load balance traffic.
2. Create VLANs, add interfaces to respective VLANs, and configure IP addresses for
corresponding VLANIF interfaces.
a. Create VLANs and add interfaces to the VLANs on the campus egress gateway and
core devices. The configurations on SwitchB, SwitchC, and SwitchD are similar to
the configuration on SwitchA, and are not mentioned here.
[SwitchA] vlan batch 100 200 301 302
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk //Set the link
type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-type trunk //Set the link
type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/1] port trunk allow-pass vlan 301
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk //Set the link
type of the interface to trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/2] port trunk allow-pass vlan 302
[SwitchA-GigabitEthernet3/0/2] quit
b. Configure IP addresses for Layer 3 interfaces on the campus egress gateway and
core devices. The configurations on SwitchB, SwitchC, and SwitchD are similar to
the configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100 //Create VLANIF100.
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301 //Create VLANIF301.
[SwitchA-Vlanif301] ip address 10.1.2.1 24
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302 //Create VLANIF302.
[SwitchA-Vlanif302] ip address 10.1.3.1 24
[SwitchA-Vlanif302] quit
[SwitchA] interface loopback 1 //Create LoopBack1.
[SwitchA-LoopBack1] ip address 10.10.1.1 32
[SwitchA-LoopBack1] quit
3. Configure OSPF.
# Enable OSPF on the campus egress gateway and core devices, add the devices to area
0, and advertise local network segments in area 0. The configurations on SwitchB,
SwitchC, and SwitchD are similar to the configuration on SwitchA, and are not
mentioned here.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 10.1.1.0 network
segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 10.1.2.0 network
segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 10.1.3.0 network
segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0 //Specify that
the interface running OSPF is the one connected to the 10.10.1.1 network
segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP
group 1 on VLANIF100 and set the virtual IP address of the VRRP group to
10.1.1.253.
[SwitchB-Vlanif100] quit
b. Create VRRP group 2 on campus egress gateway devices SwitchA and SwitchB.
Set the priority of SwitchB to 120 and the preemption delay to 20 seconds. Retain
the default priority of SwitchA. Therefore, SwitchB becomes the master device and
SwitchA becomes the backup device of VRRP group 1.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP
group 2 on VLANIF100 and set the virtual IP address of the VRRP group to
10.1.1.254.
[SwitchA-Vlanif100] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP
group 2 on VLANIF100 and set the virtual IP address of the VRRP group to
10.1.1.254.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120 //Set the priority of
VLANIF100 in VRRP group 2 to 120.
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20 //Set
the preemption delay of VLANIF100 in VRRP group 2 to 20 seconds.
[SwitchB-Vlanif100] quit
# Configure SwitchB.
[SwitchB] multicast routing-enable //Enable multicast routing
globally.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 303
[SwitchB-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchB-Vlanif303] quit
[SwitchB] interface vlanif 304
[SwitchB-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchB-Vlanif304] quit
[SwitchB] interface loopback 1
[SwitchB-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchB-LoopBack1] quit
# Configure SwitchC.
# Configure SwitchD.
[SwitchD] multicast routing-enable //Enable multicast routing
globally.
[SwitchD] interface vlanif 400
[SwitchD-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchD-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchD-Vlanif400] quit
[SwitchD] interface vlanif 302
[SwitchD-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchD-Vlanif302] quit
[SwitchD] interface vlanif 303
[SwitchD-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchD-Vlanif303] quit
[SwitchD] interface loopback 1
[SwitchD-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchD-LoopBack1] quit
b. Configure dynamic RP function on the core devices SwitchC and SwitchD that
aggregate multicast traffic.
# Configure Loopback1 of SwitchC as a C-BSR and a C-RP.
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 1 //Configure Loopback1 as a C-BSR
interface.
[SwitchC-pim] c-rp loopback 1 //Configure Loopback1 as a C-RP
interface.
[SwitchC-pim] quit
6. Configure BFD.
a. Enable global BFD on the campus egress gateway and core devices. Global BFD
must be enabled before you configure BFD for OSPF and BFD for PIM. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
b. Enable BFD for OSPF on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ospf bfd enable //Enable BFD for OSPF on
VLANIF100.
[SwitchA-Vlanif100] quit
c. Enable BFD for PIM on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the configuration
on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim bfd enable //Enable BFD for PIM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim bfd enable //Enable BFD for PIM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim bfd enable //Enable BFD for PIM on VLANIF302.
[SwitchA-Vlanif302] quit
The display eth-trunk 1 command outputs on SwitchB, SwitchC, and SwitchD are
similar to the command output on SwitchA.
– Verify the VRRP configuration.
# Run the display vrrp command on SwitchA. The command output shows that
SwitchA is the master device in VRRP group 1 and the backup device in VRRP
group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00
-----
Routing Tables: Public
Destinations : 15 Routes : 18
(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif100
Upstream neighbor: 10.1.1.3
RPF prime neighbor: 10.1.1.3
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif303
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif303
Upstream neighbor: 10.1.4.1
RPF prime neighbor: 10.1.4.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif400
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
The display ospf bfd session all command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.
# Run the display pim bfd session command on SwitchA. The command output
shows that PIM BFD sessions have been successfully set up.
[SwitchA] display pim bfd session
VPN-Instance: public net
Total 4 BFD session Created
Configuration Files
l Configuration file of campus egress gateway SwitchA
#
sysname SwitchA
#
vlan batch 100 200 301 to 302
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.1.254
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif301
ip address 10.1.2.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif302
ip address 10.1.3.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.4.4.4 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
11.2.1 Example for Associating the BFD Session Status with the Interface Status
BFD Overview
A network device must be able to detect a communication fault between adjacent devices quickly so that
measures can be taken immediately and service interruptions can be prevented. In practice,
hardware detection is used to detect link faults; for example, Synchronous Digital Hierarchy
(SDH) alarms report link faults. However, not all media provide a hardware detection
mechanism, so applications fall back on the Hello mechanism of the upper-layer routing
protocol to detect faults. The detection duration is then more than 1 second, which is too long for
some applications. If no routing protocol is deployed on a small-scale Layer 3 network, the
Hello mechanism cannot be used at all.
BFD provides fast fault detection independent of media and routing protocols. With
millisecond-level fault detection and switching, BFD is suitable for scenarios that are
sensitive to packet loss and delay.
Configuration Notes
l The local discriminator of the local system and the remote discriminator of the remote
system must be the same. If the local discriminator of the local system and the remote
discriminator of the remote system are different, a static BFD session cannot be set up.
After the local discriminator and the remote discriminator are configured, you cannot
modify them.
l If a BFD session is bound to the default multicast address, the local discriminator and the
remote discriminator must be different.
l If the WTR time is set, set the same WTR time at both ends. Otherwise, when the BFD
session status changes at one end, applications at both ends detect different BFD session
statuses.
l The following describes the applicable product models and versions.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 11-6, SwitchA is directly connected to SwitchB at the network layer and
Layer 2 transmission devices, SwitchC and SwitchD, are deployed between them. It is
required that SwitchA and SwitchB fast detect link faults of the Layer 2 transmission devices
to trigger fast route convergence.
Figure 11-6 Associating the BFD session status with the interface status
Topology: SwitchA (GE1/0/1, VLANIF10 10.1.1.1/24) - SwitchC - SwitchD - SwitchB (GE1/0/1, VLANIF10 10.1.1.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BFD session on SwitchA and SwitchB to detect faults on the link between
SwitchA and SwitchB.
2. Configure association between the BFD session status and interface status on SwitchA
and SwitchB after the BFD session becomes Up.
Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later
versions, the default link type of an interface is not hybrid, so you need to
configure it manually.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
# Enable BFD on SwitchB and establish a BFD session named btoa between SwitchB and
SwitchA.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1 //
Configure a BFD session named btoa.
# After the configuration is complete, run the display bfd session all verbose command on
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 3 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc interface status : Disable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
Step 3 Configure association between the BFD session status and the interface status.
# Configure association between the BFD session status and the interface status on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
[SwitchA-bfd-session-atob] quit
# Configure association between the BFD session status and the interface status on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status
[SwitchB-bfd-session-btoa] quit
Run the shutdown command on GE1/0/1 of SwitchB to make the BFD session go Down.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown
[SwitchB-GigabitEthernet1/0/1] quit
Run the display bfd session all verbose and display interface gigabitethernet 1/0/1
commands on SwitchA. You can see that the BFD session status is Down, and the status of
GE1/0/1 is UP (BFD status down).
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 3 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi : 3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc interface status : Enable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : Control Detection Time Expired
Bind Application : IFNET
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
NOTE
The display interface gigabitethernet 1/0/1 command output shown here contains only the information of interest;
"..." indicates that information is omitted.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 10
discriminator remote 20
process-interface-status
commit
#
return
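The Configuration Notes above give three conditions a pair of static BFD sessions must satisfy. The following added example (not from the Huawei documentation) parses the bfd block of SwitchA's configuration file together with a constructed SwitchB counterpart and reports any violation; SwitchB's file, the wtr keyword handling and the check logic are assumptions.

```python
"""Consistency check for a pair of static BFD sessions (added example).

Checks the three Configuration Notes above against the 'bfd <name>' blocks
of two Huawei-style configuration files: matching discriminators, distinct
local/remote discriminators when bound to the default multicast address, and
equal WTR timers. Only SwitchA's file appears on the page; SwitchB's file
below is constructed to mirror it (local 20 / remote 10) and is an assumption.
"""
import re

# SwitchA's 'bfd' block, as given in the configuration file above.
SWITCH_A_CFG = """\
bfd atob bind peer-ip default-ip interface GigabitEthernet1/0/1
 discriminator local 10
 discriminator remote 20
 process-interface-status
 commit
"""

# Constructed counterpart for SwitchB (assumption: mirrors SwitchA).
SWITCH_B_CFG = """\
bfd btoa bind peer-ip default-ip interface GigabitEthernet1/0/1
 discriminator local 20
 discriminator remote 10
 process-interface-status
 commit
"""

_HEADER = re.compile(r"^bfd\s+(\S+)\s+bind\s+peer-ip\s+(\S+)(?:\s+interface\s+(\S+))?")


def parse_bfd_sessions(config_text):
    """Return {name: fields} for every 'bfd <name> bind ...' block in the text."""
    sessions, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = {"peer": m.group(2), "interface": m.group(3),
                       "local": None, "remote": None, "wtr": None,
                       "process_interface_status": False}
            sessions[m.group(1)] = current
            continue
        if current is None:
            continue
        if line.startswith("#") or line == "return":
            current = None                      # end of the block
        elif line.startswith("discriminator local "):
            current["local"] = int(line.split()[-1])
        elif line.startswith("discriminator remote "):
            current["remote"] = int(line.split()[-1])
        elif line.startswith("wtr "):           # 'wtr <seconds>' (assumed syntax)
            current["wtr"] = int(line.split()[-1])
        elif line == "process-interface-status":
            current["process_interface_status"] = True
    return sessions


def check_session_pair(local_side, remote_side):
    """Apply the Configuration Notes to one session on each end; return findings."""
    findings = []
    if (local_side["local"] != remote_side["remote"]
            or local_side["remote"] != remote_side["local"]):
        findings.append("discriminator mismatch: static session will not come up")
    for label, s in (("local end", local_side), ("remote end", remote_side)):
        if s["peer"] == "default-ip" and s["local"] == s["remote"]:
            findings.append(f"{label}: local and remote discriminators must "
                            "differ when bound to default-ip")
    if local_side["wtr"] != remote_side["wtr"]:
        findings.append("WTR mismatch: the two ends will report different session states")
    return findings


def audit(config_a, config_b, name_a, name_b):
    """Parse both files and check session name_a (side A) against name_b (side B)."""
    a = parse_bfd_sessions(config_a)[name_a]
    b = parse_bfd_sessions(config_b)[name_b]
    return check_session_pair(a, b)


if __name__ == "__main__":
    print(audit(SWITCH_A_CFG, SWITCH_B_CFG, "atob", "btoa"))   # [] : consistent
    broken = SWITCH_B_CFG.replace("discriminator remote 10", "discriminator remote 11")
    print(audit(SWITCH_A_CFG, broken, "atob", "btoa"))         # discriminator mismatch
```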
Configuration Notes
l In this example, the local user password is in irreversible-cipher mode, indicating that
the password is encrypted using an irreversible algorithm. Unauthorized users cannot
obtain the plain-text password through decryption, so this mode provides higher
security.
l This example, excluding the password encryption mode, applies to all versions and
models.
Networking Requirements
As shown in Figure 12-1, the Switch functions as an FTP server. The requirements are as
follows:
l All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server
anytime.
l All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at
the specified period of time.
l Other users are not allowed to access the FTP server.
The routes between the Switch and subnets are reachable. You need to configure the Switch to
limit user access to the FTP server.
Figure 12-1 topology: Switch as FTP server (172.16.104.110/24); PC2 172.16.107.111/24 and PC3 10.10.10.1/24 reach it over the network
Procedure
Step 1 Configure a time range.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an
absolute time range for an ACL.
[Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time
range for an ACL. The ftp-access time range is the overlap of the two time ranges.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot connect to the
FTP server.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31
#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
aaa
local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!
R7M_d^!o{*@N9g'e0baw#%^%#
local-user huawei privilege level 15
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
return
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can
filter the packets from users to the specified server and thus restrict access to the specified
server based on time range.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 1, the departments of an enterprise are connected through the Switch. The
R&D and marketing departments cannot access the salary query server at 10.164.9.9 in work
hours (08:00 to 17:30), whereas the president office can access the server at anytime.
Figure 12-2 Using ACLs to control access to the specified server in the specified time range
Topology: LAN Switch A (VLAN 10, President office 10.164.1.0/24) - GE1/0/1 (VLANIF10 10.164.1.1/24) Switch;
LAN Switch B (VLAN 20, Marketing 10.164.2.0/24) - GE1/0/2 (VLANIF20 10.164.2.1/24) Switch;
LAN Switch C (VLAN 30, R&D 10.164.3.0/24) - GE1/0/3 (VLANIF30 10.164.3.1/24) Switch;
Switch GE2/0/1 (VLANIF100 10.164.9.1/24) - Router - Internet; salary query server 10.164.9.9/24
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure the time range, advanced ACL, and ACL-based traffic classifier to filter
packets from users to the server in the specified time range. In this way, you can restrict
the access of different users to the server in the specified time range.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to
VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE 1/0/1
and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and
GE2/0/1 are similar to the configurations on GE 1/0/1, and the configurations on VLANIF 20,
VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
# Configure an ACL for the R&D department to access the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime //Prevent the R&D department from accessing
the salary query server in the time range satime.
[Switch-acl-adv-3003] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic
classifier.
[Switch-classifier-c_rd] quit
Associate the traffic classifier c_market with the traffic behavior b_market.
[Switch-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the
traffic classifier c_rd with the traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit
# Packets from the R&D department to the server are received by GE1/0/3; therefore, apply
the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic
policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/3] quit
Classifier: c_rd
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3003
Behavior: b_market
Deny
Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny
-------------------------------------------------
  Policy Name:   p_market
  Policy Index:  0
     Classifier:c_market  Behavior:b_market
-------------------------------------------------
 *interface GigabitEthernet1/0/2
    traffic-policy p_market inbound
      slot 1    :  success
-------------------------------------------------
-------------------------------------------------
  Policy Name:   p_rd
  Policy Index:  1
     Classifier:c_rd  Behavior:b_rd
-------------------------------------------------
 *interface GigabitEthernet1/0/3
    traffic-policy p_rd inbound
      slot 1    :  success
-------------------------------------------------
# The R&D and marketing departments cannot access the salary query server in work hours
(08:00 to 17:30).
----End
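Both the FTP example (basic ACL 2001 with the absolute and periodic ftp-access ranges) and this salary-server example (advanced ACL 3003 with the satime range) rely on the same two mechanisms: wildcard-mask matching and time-range activation. The following added example, which is not Huawei code, re-implements both in Python over the rules transcribed from the configuration files; the sample source addresses and timestamps are constructed, and the treatment of a packet that matches no rule as "no-match" (forwarded untouched by the traffic policy) is the author's reading of the page.

```python
"""ACL matching with wildcard masks and time ranges (added example).

Re-implements, in plain Python, the decisions made by the two ACLs on this page:
basic ACL 2001 guarding the FTP server (absolute + periodic 'ftp-access' range)
and advanced ACL 3003 blocking R&D from the salary server during 'satime'.
Rules are evaluated in configuration order and the first match wins; a packet
matching no rule gets 'no-match'. Time-range semantics follow the page: a name
with both absolute and periodic entries is active only in their overlap.
Sample packets and timestamps are constructed for the example.
"""
from datetime import datetime
from ipaddress import IPv4Address

WORKING_DAYS = {0, 1, 2, 3, 4}          # Monday..Friday ('working-day')
OFF_DAYS = {5, 6}                       # Saturday, Sunday ('off-day')


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


class TimeRange:
    """One named time range: any number of periodic and absolute entries."""

    def __init__(self):
        self.periodic = []   # (start "HH:MM", end "HH:MM", set of weekdays)
        self.absolute = []   # (start datetime, end datetime)

    def active(self, when):
        hhmm = when.strftime("%H:%M")
        per_ok = not self.periodic or any(
            s <= hhmm <= e and when.weekday() in days for s, e, days in self.periodic)
        abs_ok = not self.absolute or any(s <= when <= e for s, e in self.absolute)
        return per_ok and abs_ok


def evaluate(rules, time_ranges, pkt, when):
    """Return 'permit', 'deny' or 'no-match' for pkt at datetime `when`."""
    for rule in rules:
        if rule.get("src") and not wildcard_match(pkt["src"], *rule["src"]):
            continue
        if rule.get("dst") and not wildcard_match(pkt["dst"], *rule["dst"]):
            continue
        tr = rule.get("time_range")
        if tr and not time_ranges[tr].active(when):
            continue             # rule is inactive outside its time range
        return rule["action"]
    return "no-match"


# --- The page's ACLs, transcribed from the configuration files ---------------
ftp_access = TimeRange()
ftp_access.periodic.append(("14:00", "18:00", OFF_DAYS))
ftp_access.absolute.append((datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59)))

satime = TimeRange()
satime.periodic.append(("08:00", "17:30", WORKING_DAYS))

TIME_RANGES = {"ftp-access": ftp_access, "satime": satime}

ACL_2001 = [   # basic ACL applied with 'ftp acl 2001'
    {"action": "permit", "src": ("172.16.105.0", "0.0.0.255")},
    {"action": "permit", "src": ("172.16.107.0", "0.0.0.255"), "time_range": "ftp-access"},
    {"action": "deny"},
]
ACL_3003 = [   # advanced ACL behind traffic policy p_rd on GE1/0/3
    {"action": "deny", "src": ("10.164.3.0", "0.0.0.255"),
     "dst": ("10.164.9.9", "0.0.0.0"), "time_range": "satime"},
]


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def ftp_decision(src_ip, when):
    """What ACL 2001 decides for a client at src_ip connecting to the FTP server."""
    pkt = {"src": src_ip, "dst": "172.16.104.110"}
    return evaluate(ACL_2001, TIME_RANGES, pkt, _as_datetime(when))


def salary_decision(src_ip, when):
    """What ACL 3003 decides for traffic from src_ip to the salary query server."""
    pkt = {"src": src_ip, "dst": "10.164.9.9"}
    return evaluate(ACL_3003, TIME_RANGES, pkt, _as_datetime(when))


if __name__ == "__main__":
    print(ftp_decision("172.16.107.111", "2014-06-07 15:00"))  # Saturday 15:00: permit
    print(ftp_decision("172.16.107.111", "2014-06-09 15:00"))  # Monday: deny
    print(ftp_decision("10.10.10.1", "2014-06-07 15:00"))      # PC3: deny
    print(salary_decision("10.164.3.7", "2014-06-09 09:00"))   # R&D in work hours: deny
    print(salary_decision("10.164.3.7", "2014-06-09 18:00"))   # after hours: no-match
```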
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market match-order config
classifier c_market behavior b_market
traffic policy p_rd match-order config
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-3, the Switch that functions as the gateway is connected to PCs. The
administrator wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101)
is an unauthorized user.
Figure 12-3 Using Layer 2 ACLs to block network access of the specified users
Topology: PC1 (00e0-f201-0101) and PC2 (00e0-f201-0102) - SwitchA - GE2/0/1 Switch GE1/0/1 - Router - Internet
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets from MAC
address 00e0-f201-0101 (preventing the user with this MAC address from accessing the
network).
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Configure an ACL.
# Configure a Layer 2 ACL to meet the preceding requirement.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 4000
[Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff //Reject
the packets from source MAC address 00e0-f201-0101.
[Switch-acl-L2-4000] quit
-------------------------------------------------
  Policy Name:   tp1
  Policy Index:  0
     Classifier:tc1  Behavior:tb1
-------------------------------------------------
 *interface GigabitEthernet2/0/1
    traffic-policy tp1 inbound
      slot 2    :  success
-------------------------------------------------
# The user with MAC address 00e0-f201-0101 cannot access the Internet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or precedence 5
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return
A reflective ACL implements unidirectional access control. An external host can access an
internal host only after the internal host has accessed the external host first. Therefore, a reflective
ACL protects an enterprise's internal network against connections initiated by external users.
In this example, an advanced reflective ACL is used to prevent servers on the Internet
from actively establishing UDP connections with internal hosts. The external servers can
establish UDP connections with internal hosts only after the internal hosts have connected to the
external servers first. The reflective ACL thus implements unidirectional access control between
the internal and external networks.
Configuration Notes
This example applies to all S12700 versions.
Networking Requirements
As shown in Figure 12-4, Switch functions as the gateway to connect PCs to the Internet.
There are reachable routes among the devices. To ensure internal network security, the
administrator allows servers on the Internet to establish UDP connections with internal PCs
only after the internal PCs have established UDP connections with the external servers.
Figure 12-4 topology (only partly recoverable): PC2 10.1.1.3/24
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL based on which the device will generate a reflective ACL.
2. Configure the reflective ACL function to allow internal PC1 to establish a UDP
connection with a server on the Internet and prevent the external server from actively
establishing a UDP connection with internal hosts.
Procedure
Step 1 Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass.
[Switch-acl-adv-3000] quit
The preceding information will be displayed only after internal hosts have established UDP
connections with external servers. The preceding information shows that a reflective ACL has
been generated on GE2/0/1 for the UDP packets between PC1 and server (192.168.1.2), and
provides packet statistics.
----End
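The following added example (not Huawei code) models what traffic-reflect outbound acl 3000 does on GE2/0/1: an outbound UDP packet that ACL 3000 permits installs a reverse-direction entry, and inbound UDP is forwarded only while a matching entry exists. PC1's address 10.1.1.2, the ports, the 300-second aging time and the refresh-on-traffic behaviour are assumptions; the server 192.168.1.2 and PC2 10.1.1.3 are from the page.

```python
"""Reflective ACL behaviour modelled in Python (added example).

Models 'traffic-reflect outbound acl 3000' on GE2/0/1. An outbound UDP packet
that the base ACL permits creates a temporary entry for the mirrored 5-tuple;
an inbound UDP packet is forwarded only if it matches an unexpired entry, so a
server on the Internet cannot open a UDP exchange on its own. The timeout,
PC1's address and the port numbers are assumptions for the example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")


def acl_3000_permits(pkt):
    """'rule 5 permit udp' from the page: the only criterion is the protocol."""
    return pkt.proto == "udp"


class ReflectiveAcl:
    def __init__(self, base_acl, timeout=300):
        self.base_acl = base_acl      # advanced ACL the reflection is based on
        self.timeout = timeout        # aging time in seconds (assumed default)
        self.entries = {}             # mirrored 5-tuple -> [expiry, matched packets]

    def _age(self, now):
        """Drop entries whose aging timer has run out."""
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}

    def outbound(self, pkt, now):
        """Packet leaving via GE2/0/1: always forwarded; reflected if ACL permits."""
        self._age(now)
        if self.base_acl(pkt):
            mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            count = self.entries.get(mirror, [0, 0])[1]
            self.entries[mirror] = [now + self.timeout, count]
        return True

    def inbound(self, pkt, now):
        """Packet arriving on GE2/0/1: True if forwarded, False if dropped."""
        self._age(now)
        if not self.base_acl(pkt):
            return True               # protocol not covered by the reflection (assumption)
        entry = self.entries.get(pkt)
        if entry is None:
            return False              # externally initiated UDP: dropped
        entry[0] = now + self.timeout  # refresh aging on matching traffic (assumption)
        entry[1] += 1
        return True

    def statistics(self):
        """Per-entry packet counts, like the statistics the display command reports."""
        return {k: v[1] for k, v in self.entries.items()}


if __name__ == "__main__":
    acl = ReflectiveAcl(acl_3000_permits)
    server_to_pc1 = Packet("udp", "192.168.1.2", 53, "10.1.1.2", 40000)
    print(acl.inbound(server_to_pc1, now=0))                                   # False
    acl.outbound(Packet("udp", "10.1.1.2", 40000, "192.168.1.2", 53), now=10)
    print(acl.inbound(server_to_pc1, now=20))                                  # True
    print(acl.statistics())
```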
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 3000
rule 5 permit udp
#
interface GigabitEthernet2/0/1
traffic-reflect outbound acl 3000
#
return
You can configure a time range and associate the time range with an ACL rule to filter
packets based on time. In this way, you can specify different policies for users in different
time ranges.
In this example, a basic ACL associated with a time range is applied to the traffic policy
module so that the device can filter packets from internal users to the Internet in the specified
time range. As a result, users can access the Internet only in the specified time range.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-5, the departments of an enterprise are connected through the Switch.
The enterprise allows all employees to access the Internet on work days (Monday to Friday),
and only the managers to access the Internet on weekends (Saturday and Sunday).
Figure 12-5 Allowing certain users to access the Internet in the specified time range
Figure labels recovered from the image: LAN Switch A, VLAN 10, GE1/0/1, VLANIF 10 10.1.1.1/24, R&D: 10.1.1.0/24, R&D manager's host: 10.1.1.11; LAN Switch B, VLAN 20, GE1/0/2, VLANIF 20 10.1.2.1/24, Marketing: 10.1.2.0/24, Marketing manager's host: 10.1.2.12; Switch, GE2/0/1, Router, Internet.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure the time range, basic ACL, and ACL-based traffic classifier to filter packets
from internal users to the Internet and thus allow only certain users to access the Internet
in the specified time range.
2. Configure a traffic behavior to permit the packets that match the ACL permit rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add
it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
NOTE
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] quit
# Packets from internal hosts are forwarded to the Internet through GE2/0/1; therefore, apply
the traffic policy tp1 to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic
policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit
# Only the managers (10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access
the Internet on Saturday and Sunday.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
time-range rest-time 00:00 to 23:59 off-day
#
acl number 2001
rule 5 permit source 10.1.1.11 0
rule 10 permit source 10.1.2.12 0
rule 15 deny time-range rest-time
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
permit
#
traffic policy tp1 match-order config
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the device can
filter the packets between different network segments and thus restrict mutual access between
network segments.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-6, the departments of an enterprise are connected through the Switch. To
facilitate network management, the administrator allocates the IP addresses on two network
segments to the R&D and marketing departments respectively. In addition, the administrator
adds the two departments to different VLANs for broadcast domain isolation. The Switch
needs to restrict mutual access between two network segments to ensure information security.
Figure 12-6 Using advanced ACLs to restrict mutual access between network segments
Figure labels recovered from the image: LAN Switch A, VLAN 10, GE1/0/1, VLANIF 10 10.1.1.1/24, R&D 10.1.1.0/24; LAN Switch B, VLAN 20, GE1/0/2, VLANIF 20 10.1.2.1/24, Marketing 10.1.2.0/24; Switch, GE2/0/1, Router, Internet.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets
exchanged between R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE 1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
# Create advanced ACL 3002 and configure rules for the ACL to block the packets from the
marketing department to the R&D department.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 //Prevent the marketing department from accessing the R&D department.
[Switch-acl-adv-3002] quit
# The two network segments where the R&D and marketing departments reside cannot access
each other.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 3001
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3002
rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 5
if-match acl 3001
if-match acl 3002
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy tp1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy tp1 inbound
#
return
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges. If you only need to filter packets
based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the device can
filter the packets from internal hosts to the Internet and thus prevent internal hosts from
accessing the Internet.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-7, the departments of an enterprise are connected through the Switch.
The Switch needs to prevent some hosts of the R&D and marketing departments from
accessing the Internet to protect information security of the enterprise.
Figure 12-7 Using an ACL to prevent internal hosts from accessing the Internet
Figure labels recovered from the image: LAN Switch A, VLAN 10, GE1/0/1, VLANIF 10 10.1.1.1/24, R&D: 10.1.1.0/24, denied IP address: 10.1.1.11; LAN Switch B, VLAN 20, GE1/0/2, VLANIF 20 10.1.2.1/24, Marketing: 10.1.2.0/24, denied IP address: 10.1.2.12; Switch, GE2/0/1, Router, Internet.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure a basic ACL and ACL-based traffic classifier to filter packets from the
specified hosts of the R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them to VLAN
10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk interface and add
it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 2001
rule 5 deny source 10.1.1.11 0
rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on source IP
addresses, destination addresses, IP protocol types, TCP source/destination port numbers,
UDP source/destination port numbers, fragment information, and time ranges. Compared with
a basic ACL, an advanced ACL is more accurate, flexible, and provides more functions. For
example, if you want to filter packets based on source and destination IP addresses, configure
an advanced ACL.
In this example, an advanced ACL is applied to the traffic policy module so that the device
can filter the packets from external hosts to internal servers and thus restrict access of external
hosts to internal servers.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-8, the departments of an enterprise are connected through the Switch.
The enterprise allows only internal hosts to access the financial server, but prevents external
hosts from accessing the server.
Figure 12-8 Using an ACL to prevent external hosts from accessing internal servers
Figure labels recovered from the image: LAN Switch A, VLAN 10, GE1/0/1, VLANIF 10 10.164.1.1/24, President office: 10.164.1.0/24; LAN Switch B, VLAN 20, GE1/0/2, VLANIF 20 10.164.2.1/24, Marketing: 10.164.2.0/24; LAN Switch C, VLAN 30, GE1/0/3, VLANIF 30 10.164.3.1/24, R&D: 10.164.3.0/24; Financial server 10.164.4.4/24 behind GE2/0/1, VLANIF 100 10.164.4.1/24; Switch, Router, Internet.
Configuration Roadmap
The following configurations are performed on the Switch. The configuration roadmap is as
follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the packets from
external hosts to the financial server and thus prevent external hosts from accessing this
server.
2. Configure a traffic behavior to permit the packets that match the ACL permit rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take effect.
Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE 1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add GE2/0/1 to
VLAN 100, and assign IP addresses to VLANIF interfaces. The configurations on GE 1/0/1
and VLANIF 10 are used as an example here. The configurations on GE1/0/2, GE1/0/3, and
GE2/0/1 are similar to the configurations on GE 1/0/1, and the configurations on VLANIF 20,
VLANIF 30, and VLANIF 100 are similar to the configurations on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit
# Create advanced ACL 3002 and configure rules to allow the packets from the president
office, R&D department, and marketing department to reach the financial server and block the
packets from external hosts to the financial server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the president office to access the financial server.
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the marketing department to access the financial server.
[Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the R&D department to access the financial server.
[Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent other users from accessing the financial server.
[Switch-acl-adv-3002] quit
# Configure the traffic classifier c_network to classify the packets that match ACL 3002.
[Switch] traffic classifier c_network //Create a traffic classifier.
[Switch-classifier-c_network] if-match acl 3002 //Associate an ACL with the
traffic classifier.
[Switch-classifier-c_network] quit
# Configure the traffic behavior b_network and set the action to permit (default value).
NOTE
Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic behavior.
[Switch] traffic behavior b_network //Create a traffic behavior.
[Switch-behavior-b_network] quit
-------------------------------------------------
Policy Name: p_network
Policy Index: 0
Classifier:c_network
Behavior:b_network
-------------------------------------------------
*interface GigabitEthernet2/0/1
traffic-policy p_network outbound
slot 2 : success
-------------------------------------------------
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
rule 20 deny ip destination 10.164.4.4 0
#
traffic classifier c_network operator or precedence 5
if-match acl 3002
#
traffic behavior b_network
permit
#
traffic policy p_network match-order config
classifier c_network behavior b_network
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100
traffic-policy p_network outbound
#
return
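The three traffic-policy examples above (the time-range ACL in Figure 12-5, the segment isolation of Figure 12-6 and the financial-server ACL of Figure 12-8) all rely on the same matching logic: wildcard masks, first match in configuration order, a time range that switches a rule on and off, and the rule in the NOTE that a deny in either the ACL rule or the traffic behavior discards the packet. The following added Python model implements that logic and evaluates all three ACLs as transcribed from the configuration files. It is an illustration written for this page, not Huawei code. Assumptions: a packet that matches no rule is reported as "forward" (the behavior is not applied and normal forwarding takes over), the timestamps and the external address 198.51.100.10 are constructed, and the "0" wildcard in the CLI is treated as 0.0.0.0.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask as written in the ACL rules: a 1 bit means 'don't care'.
    '0' in the CLI is shorthand for 0.0.0.0, i.e. an exact host match."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class TimeRange:
    """Models 'time-range <name> HH:MM to HH:MM off-day' (or working-day)."""
    name: str
    start: str
    end: str
    days: frozenset  # weekday numbers, Monday = 0

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


OFF_DAY = frozenset({5, 6})        # Saturday and Sunday
WORKING_DAY = frozenset(range(5))  # Monday to Friday


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None for a basic ACL; "ip", "udp", "tcp" for an advanced ACL
    src: Optional[tuple] = None   # (address, wildcard)
    dst: Optional[tuple] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.proto not in (None, "ip") and pkt.get("proto") != self.proto:
            return False
        if self.time_range and not self.time_range.active(when):
            return False
        return True


def apply_policy(acls: list, behavior: str, pkt: dict, when: datetime) -> str:
    """Traffic policy with match-order config: rules are checked in configuration
    order and the first match wins. Returns 'permit' or 'deny' when a rule matched,
    or 'forward' when none did (modelling assumption: the behavior is then not
    applied). Per the page's NOTE, a deny in the rule or the behavior discards."""
    for acl in acls:
        for rule in acl:
            if rule.matches(pkt, when):
                return "deny" if "deny" in (rule.action, behavior) else "permit"
    return "forward"


# The ACLs of the three examples, transcribed rule for rule.
REST_TIME = TimeRange("rest-time", "00:00", "23:59", OFF_DAY)
ACL_2001_WEEKEND = [
    Rule("permit", src=("10.1.1.11", "0")),
    Rule("permit", src=("10.1.2.12", "0")),
    Rule("deny", time_range=REST_TIME),
]
ACL_3001 = [Rule("deny", "ip", ("10.1.1.0", "0.0.0.255"), ("10.1.2.0", "0.0.0.255"))]
ACL_3002_SEGMENTS = [Rule("deny", "ip", ("10.1.2.0", "0.0.0.255"), ("10.1.1.0", "0.0.0.255"))]
FINANCE = ("10.164.4.4", "0")
ACL_3002_FINANCE = [
    Rule("permit", "ip", ("10.164.1.0", "0.0.0.255"), FINANCE),
    Rule("permit", "ip", ("10.164.2.0", "0.0.0.255"), FINANCE),
    Rule("permit", "ip", ("10.164.3.0", "0.0.0.255"), FINANCE),
    Rule("deny", "ip", None, FINANCE),
]

SATURDAY = datetime(2016, 10, 29, 10, 0)  # constructed timestamps
MONDAY = datetime(2016, 10, 31, 10, 0)
INTERNET_HOST = "198.51.100.10"           # constructed external address


def weekend_internet(src: str, when: datetime) -> str:
    """Figure 12-5: policy tp1 (behavior permit) on GE2/0/1 outbound."""
    return apply_policy([ACL_2001_WEEKEND], "permit", {"src": src, "dst": INTERNET_HOST}, when)


def segment_isolation(src: str, dst: str) -> str:
    """Figure 12-6: classifier tc1 matches ACL 3001 or ACL 3002, behavior deny."""
    return apply_policy([ACL_3001, ACL_3002_SEGMENTS], "deny",
                        {"src": src, "dst": dst, "proto": "ip"}, MONDAY)


def finance_access(src: str, dst: str) -> str:
    """Figure 12-8: classifier c_network matches ACL 3002, behavior permit."""
    return apply_policy([ACL_3002_FINANCE], "permit",
                        {"src": src, "dst": dst, "proto": "ip"}, MONDAY)
```

The case worth noticing is the weekday packet from a non-manager host in the Figure 12-5 policy: the deny rule is inactive outside rest-time, so nothing matches and the packet is forwarded by the normal path rather than by the permit behavior. Rule order matters in the same way in the financial-server ACL, where the catch-all deny must come after the three permits.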
ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the packet
matching conditions. These conditions include source addresses, destination addresses, and
port numbers of packets.
An ACL is a packet filter that filters packets based on rules. A device with an ACL
configured matches packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the service
module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL, and
Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on information such as
source IP addresses, fragment information, and time ranges. If you only need to filter packets
based on source IP addresses, you can configure a basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the specified NMS
can access the switch. This improves switch security.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 12-9, a new switch is added to an enterprise's network, and uses
SNMPv1 to communicate with the NMS. To improve switch security, the switch can only be
managed by the existing NMS on the network.
Figure 12-9 (image not extracted; recovered labels): NMS, Switch
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
Step 1 Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v1 //By default, SNMPv3 is supported.
Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with
IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible
MIB view contains iso.
Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //Configure a community name and apply the ACL to make the access control function take effect.
Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //
Enable all trap functions on the switch. By default, only some trap functions are
enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1 //Configure a trap host. By default, traps are sent by UDP port 162.
NOTE
The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return
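The configuration file above shows the pattern that makes this example safe to operate: the community is bound to an ACL that permits only the NMS host and ends with an explicit deny, and the community name is stored as ciphertext. The following added Python script checks a configuration file for exactly those properties and reports where they are missing. It is an audit helper written for this page, not a Huawei tool; the configuration it parses is a constructed excerpt in the style of the page's configuration file, with placeholder cipher blobs instead of real ciphertext. Checking for SNMPv1/v2c is included because those versions send the community name in cleartext; the page itself notes that SNMPv3 is the default.

```python
import re

# Constructed configuration excerpt in the style of the page's configuration file;
# the cipher blobs are placeholders, not real ciphertext.
SAMPLE_CONFIG = """\
#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent
snmp-agent community write cipher %^%#PLACEHOLDER%^%# mib-view isoview acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#PLACEHOLDER%^%#
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return
"""


def parse_acls(config: str) -> dict:
    """Collect the rule lines under each 'acl number N' block."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"acl number (\d+)$", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
        elif current is not None and line.startswith("rule "):
            acls[current].append(line)
        elif line == "#":
            current = None  # a '#' line closes the block
    return acls


def audit_snmp(config: str) -> list:
    """Return the findings a reviewer would raise about how the switch exposes SNMP."""
    findings = []
    acls = parse_acls(config)
    versions = re.search(r"snmp-agent sys-info version (.+)", config)
    enabled = set(versions.group(1).split()) if versions else {"v3"}  # page: v3 is the default
    if enabled & {"v1", "v2c"}:
        findings.append("SNMPv1/v2c enabled: community names travel in cleartext")
    for m in re.finditer(r"snmp-agent community (read|write)\b(.*)", config):
        access, rest = m.group(1), m.group(2)
        acl = re.search(r"\bacl (\d+)", rest)
        if not acl:
            findings.append(f"{access} community has no ACL: any host that knows the name can use it")
            continue
        num = int(acl.group(1))
        rules = acls.get(num, [])
        if not rules:
            findings.append(f"{access} community references ACL {num}, which has no rules")
        elif not any(re.fullmatch(r"rule \d+ deny", r) for r in rules):
            findings.append(f"{access} community ACL {num} lacks the catch-all 'rule deny' the example uses")
        if " cipher " not in rest:
            findings.append(f"{access} community name is not stored as ciphertext")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the SNMPv1 one, which matches the page: the ACL and the cipher storage are in place, and SNMPv1 is a stated requirement of the existing NMS rather than an oversight.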
Compared with static MAC address entries and user-bind, which bind users statically, port
security dynamically binds users to interfaces.
Compared with DHCP snooping, which also dynamically binds users to interfaces, port security is
easier to configure. In addition, port security can limit the number of access users.
Configuration Notes
l After MAC address limiting is configured on an interface, port security cannot be
configured on the interface.
l This example applies to all versions and products.
Networking Requirements
As shown in Figure 12-10, PC1, PC2, and PC3 connect to the company network through the
switch. To improve user access security, port security is enabled on the interface of the switch
so that external users cannot use their PCs to access the company network.
Figure 12-10 (image not extracted; recovered labels): Intranet, Switch A, Switch, GE1/0/1, GE1/0/2, GE1/0/3, VLAN 10
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure port security and enable the sticky MAC function so that MAC address entries
are not lost after the device configuration is saved and the device restarts.
Procedure
Step 1 Create a VLAN on the switch and add interfaces to the VLAN. The configurations of GE1/0/2
and GE1/0/3 are similar to the configuration of GE1/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The link type of the
interface connected to the PC must be access. The default link type of an
interface is not access, so you need to manually configure the link type of the
interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 2 Configure port security on GE1/0/1. The configurations of GE1/0/2 and GE1/0/3 are similar
to the configuration of GE1/0/1, and are not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security enable //Enable port security.
[Switch-GigabitEthernet1/0/1] port-security mac-address sticky //The sticky MAC
function can be enabled only after port security is enabled.
[Switch-GigabitEthernet1/0/1] port-security max-mac-num 1 //After port security
is enabled, an interface can learn only one secure MAC address entry by default.
If one user needs to be limited, ignore this configuration.
NOTE
l An interface can learn only one secure MAC address entry by default. If multiple PCs connect to the
company network using one interface, run the port-security max-mac-num command to change the
maximum number of secure MAC addresses.
l If a PC connects to the switch using an IP phone, set the maximum number of secure MAC
addresses to 3 because the IP phone occupies two MAC address entries and the PC occupies one
MAC address entry. The VLAN IDs in two MAC address entries used by the IP phone are different.
The two VLANs are used to transmit voice and data packets respectively.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
return
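The port security behaviour configured above (learn up to max-mac-num secure MAC addresses, treat further unknown sources as unauthorized, keep sticky entries across a restart) and the IP phone case in the NOTE are modelled in the following added Python simulation. It is an illustration written for this page, not Huawei code. Assumptions: a frame from an unknown MAC address once the limit is reached is simply discarded (the alarm raised by the switch's protect action is not modelled), the MAC addresses and the voice VLAN 20 are constructed, and secure entries are keyed by (MAC address, VLAN), which is what makes the IP phone consume two entries as the NOTE describes.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Models port security on one access interface. Secure entries are keyed by
    (MAC, VLAN), so an IP phone with data and voice VLANs uses two entries.
    Assumption not taken from the page: a frame from an unknown MAC beyond the
    limit is discarded (only the discard is modelled, not the alarm)."""
    name: str
    max_mac: int = 1                                 # port-security max-mac-num (default 1)
    sticky: bool = False                             # port-security mac-address sticky
    secure: list = field(default_factory=list)       # learned (mac, vlan) entries
    violations: list = field(default_factory=list)   # rejected (mac, vlan) pairs

    def receive(self, src_mac: str, vlan: int) -> str:
        """Process one frame's source MAC and return what the port does with it."""
        key = (src_mac, vlan)
        if key in self.secure:
            return "forward"
        if len(self.secure) < self.max_mac:
            self.secure.append(key)
            return "learn"
        self.violations.append(key)
        return "discard"  # unknown MAC once the limit is reached: unauthorized PC

    def after_restart(self) -> "SecurePort":
        """Reload after save and restart: only sticky entries survive. Dynamic
        secure MACs must be learned again, so whichever device sends first
        would occupy the entry."""
        kept = list(self.secure) if self.sticky else []
        return SecurePort(self.name, self.max_mac, self.sticky, kept)


DATA_VLAN, VOICE_VLAN = 10, 20  # VLAN 10 from the page; VLAN 20 constructed
PC_MAC, ROGUE_MAC, PHONE_MAC = "0001-0002-0003", "000a-000b-000c", "00aa-0000-0001"  # constructed


def demo_pc_port() -> dict:
    """GE1/0/1 as configured on the page: one PC, sticky, max-mac-num 1."""
    port = SecurePort("GigabitEthernet1/0/1", sticky=True)
    seq = [port.receive(PC_MAC, DATA_VLAN), port.receive(PC_MAC, DATA_VLAN),
           port.receive(ROGUE_MAC, DATA_VLAN)]
    dynamic = SecurePort("GigabitEthernet1/0/2", sticky=False)
    dynamic.receive(PC_MAC, DATA_VLAN)
    return {"sequence": seq,
            "sticky_after_restart": port.after_restart().secure,
            "dynamic_after_restart": dynamic.after_restart().secure}


def demo_phone_port() -> dict:
    """A PC behind an IP phone needs max-mac-num 3 (phone: two entries, PC: one);
    with the default of 1 the phone's second entry is already rejected."""
    frames = [(PHONE_MAC, VOICE_VLAN), (PHONE_MAC, DATA_VLAN),
              (PC_MAC, DATA_VLAN), (ROGUE_MAC, DATA_VLAN)]
    wide = SecurePort("GigabitEthernet1/0/3", max_mac=3, sticky=True)
    narrow = SecurePort("GigabitEthernet1/0/3", sticky=True)
    return {"max_mac_3": [wide.receive(m, v) for m, v in frames],
            "max_mac_1": [narrow.receive(m, v) for m, v in frames[:2]]}


if __name__ == "__main__":
    print(demo_pc_port())
    print(demo_phone_port())
```

The after_restart comparison is the reason the roadmap enables sticky MAC: without it, the secure entry is empty after a reload and the first device to send a frame, authorized or not, is the one that gets learned.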
CSS Overview
A cluster switch system (CSS), also called a cluster, is a logical switch consisting of two
clustering-capable switches. In addition to high forwarding performance, CSS technology
provides high reliability and scalability on a network, while simplifying network
management.
l High reliability: Member switches in a CSS work in redundancy mode. Link redundancy
can also be implemented between member switches through link aggregation.
l High scalability: Switches can set up a CSS to increase the number of ports, bandwidth,
and packet processing capabilities.
l Simplified configuration and management: After two switches set up a CSS, they are
virtualized into one device. You can log in to the CSS from either member switch to
configure and manage the entire CSS.
S12700s set up a CSS using CSS cards in SFUs. In this connection mode, member switches
are connected using dedicated CSS cards in SFUs and cluster cables. This technology is
called Cluster Switch System Generation 2 (CSS2). In addition to the existing CSS features,
CSS2 supports 1+N backup of MPUs.
1+N backup of MPUs enables a CSS to run stably as long as one MPU of any chassis in the
CSS is working normally. Compared with the service port connection mode in which each
chassis must have at least one MPU working normally, CSS2 is more reliable. Compared with
the MPU-mounted CSS card connection mode in which each chassis must have two MPUs
installed, CSS2 is more flexible.
After a CSS is set up, you are advised to perform the following configurations:
l To simplify network configuration, increase uplink bandwidth, and improve reliability,
configure inter-device Eth-Trunks in the CSS, connect downstream devices to the CSS in
dual-homing mode, and add uplink and downlink ports of the CSS to the Eth-Trunks.
l Configure the multi-active detection (MAD) function in the CSS. Two member switches
in a CSS use the same IP address and MAC address (CSS system MAC address).
Therefore, after the CSS splits, two CSSs may use the same IP address and MAC
address. To prevent this situation, a mechanism is required to check for IP address and
MAC address collision after a split. MAD is a CSS split detection protocol. When a CSS
splits due to a link failure, MAD provides split detection, multi-active handling, and fault
recovery mechanisms to minimize the impact of a CSS split on services.
MAD can be implemented in direct or relay mode. The direct and relay modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for a CSS
when an inter-device Eth-Trunk is configured in the CSS. The direct mode occupies
additional ports, and these ports can only be used for MAD after being connected using
common cables. Compared with the direct mode, the relay mode does not occupy
additional ports.
Whether a License Is Required: No
Hardware Configuration:
l Two member switches of the same or different models can form a CSS. For
example, two S12704s can form a CSS; one S12708 and one S12712 can form a CSS.
l Each chassis must have at least one MPU and one SFU installed. You are advised to
install at least two SFUs and two CSS cards in each chassis. (An S12704 can have a
maximum of two SFUs and two CSS cards installed.)
l The SFUs in one chassis must be of the same model. The SFUs in two chassis can
be of different models; however, the same model is recommended.
Networking Requirements
An enterprise needs to build a network that has a reliable core layer and a simple structure to
facilitate configuration and management.
To meet requirements of the enterprise, S12708 core switches SwitchA and SwitchB set up a
CSS using CSS cards in SFUs. SwitchA is the master switch, and SwitchB is the standby
switch. Figure 13-1 shows the network topology. Aggregation switches connect to the CSS
through Eth-Trunks, and the CSS connects to the upstream network through an Eth-Trunk.
Figure 13-1 (image not extracted; recovered labels): Network, SwitchE, GE1/0/1, GE1/0/2, Eth-Trunk 10, CSS Link, Eth-Trunk
Configuration Roadmap
The configuration roadmap is as follows:
1. Install CSS cards on SwitchA and SwitchB, and connect cluster cables.
2. Set the CSS connection mode on SwitchA and SwitchB and set their CSS IDs to 1 and 2
and CSS priorities to 100 and 10 respectively. These configurations ensure that SwitchA
has a higher probability to become the master switch.
3. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
becomes the master switch.
4. Check whether a CSS is set up successfully.
5. Configure uplink and downlink Eth-Trunks for the CSS to improve forwarding
bandwidth and reliability.
6. Configure MAD to minimize the impact of a CSS split on the network.
Procedure
Step 1 Install hardware modules.
The following describes only the rule for connecting cluster cables between two member
switches. If you also need to install MPUs and CSS cards and learn about installation details,
see the Switch Cluster Setup Guide.
Connect cables according to the connection rules. Figure 13-2 shows the connection rules of
EH1D2VS08000 CSS cards (on the S12708). The connection rules of CSS cards on the
S12712 or S12704 are the same as those on the S12708.
Figure 13-2 (image not extracted): front panels of two S12700 chassis showing the EH1D2VS08000 CSS cards, with ports 1 to 8 on each card connected by cluster cables to the card in the other chassis; the remaining panel labels (CSS, MASTER, CLK1/CLK2, ET1D2SFUD000, slot numbers, power module indicators) are not reproduced.
NOTE
l A CSS card can be connected only to a CSS card in the other chassis, never to one in the local chassis.
l A port in group 1 of a CSS card can be connected to any port in group 1 of the CSS card on the other
chassis. The same requirement applies to ports in group 2.
l The two chassis must be connected by at least one cluster cable.
l It is recommended that you connect the same number of cluster cables to each CSS card (otherwise the
total cluster bandwidth is affected) and connect the CSS ports on the two member switches based
on matching port numbers.
l If the SFU model used in the member switches is ET1D2SFUD000, it is recommended that the
number of cluster cables connected to each CSS card be even.
Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.
# Configure the CSS function on SwitchA. Retain the default CSS connection mode (CSS
card connection) and the default CSS ID 1, and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css priority 100
# Configure the CSS function on SwitchB. Retain the default CSS connection mode (CSS
card connection), and set the CSS ID to 2 and CSS priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css id 2
[SwitchB] set css priority 10
NOTE
After the configuration is complete, run the display css status saved command to check the CSS
configuration.
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows the card status and CSS status of both member switches,
indicating that the CSS has been set up successfully.
# Check whether CSS links are normal.
<SwitchA> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/11/0/1 10G 10G 2/11/0/1
2 1/11/0/2 10G 10G 2/11/0/2
3 1/11/0/3 10G 10G 2/11/0/3
4 1/11/0/4 10G 10G 2/11/0/4
5 1/11/0/5 10G 10G 2/11/0/5
6 1/11/0/6 10G 10G 2/11/0/6
7 1/11/0/7 10G 10G 2/11/0/7
8 1/11/0/8 10G 10G 2/11/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
The command output shows that all the CSS links are working normally, indicating that the
CSS has been set up successfully.
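The link check above is done by eye; as an added example (not part of this configuration guide), the Python script below parses display css channel output in the format shown and applies the cabling rules from the NOTE in Step 1. The sample output is constructed, with CSS card 1/13 deliberately cabled with three cables so that the checks report something.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "display css channel" output above; it is
# not the page's own output. CSS card 1/13 deliberately has three cables, fewer than
# the other cards and an odd number, so the checks below have something to report.
SAMPLE_CSS_CHANNEL = """\
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/11/0/1 10G 10G 2/11/0/1
2 1/11/0/2 10G 10G 2/11/0/2
3 1/11/0/3 10G 10G 2/11/0/3
4 1/11/0/4 10G 10G 2/11/0/4
5 1/12/0/1 10G 10G 2/12/0/1
6 1/12/0/2 10G 10G 2/12/0/2
7 1/12/0/3 10G 10G 2/12/0/3
8 1/12/0/4 10G 10G 2/12/0/4
9 1/13/0/1 10G 10G 2/13/0/1
10 1/13/0/2 10G 10G 2/13/0/2
11 1/13/0/3 10G 10G 2/13/0/3
"""

# One link line: number, local chassis/slot/subcard/port, two speeds, remote port.
LINK_RE = re.compile(
    r"^\s*\d+\s+(\d+)/(\d+)/(\d+)/(\d+)\s+(\S+)\s+(\S+)\s+(\d+)/(\d+)/(\d+)/(\d+)\s*$"
)


def parse_css_channel(text):
    """Parse display css channel output into a list of link dicts."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue  # title, separator and column-header lines
        g = m.groups()
        links.append({
            "local": tuple(int(x) for x in g[0:4]),
            "local_speed": g[4],
            "remote_speed": g[5],
            "remote": tuple(int(x) for x in g[6:10]),
        })
    return links


def check_css_cabling(links, sfu_is_et1d2sfud000=True):
    """Apply the cabling rules from the NOTE in Step 1 and return a list of findings.

    An empty list means the cabling follows every rule and recommendation.
    """
    if not links:
        return ["no CSS links: the two chassis must be connected by at least one cluster cable"]
    findings = []
    cables_per_card = defaultdict(int)   # (chassis, slot) -> number of cables
    peer_cards = defaultdict(set)        # (chassis, slot) -> remote cards it is cabled to
    for link in links:
        lc, ls, _, lp = link["local"]
        rc, rs, _, rp = link["remote"]
        local_port = "/".join(map(str, link["local"]))
        remote_port = "/".join(map(str, link["remote"]))
        if lc == rc:
            findings.append(f"{local_port} -> {remote_port}: CSS ports connected within the same chassis")
        if lp != rp:
            findings.append(f"{local_port} -> {remote_port}: not connected based on matching port numbers")
        if link["local_speed"] != link["remote_speed"]:
            findings.append(f"{local_port} -> {remote_port}: speed mismatch")
        cables_per_card[(lc, ls)] += 1
        peer_cards[(lc, ls)].add((rc, rs))
    for (c, s), peers in sorted(peer_cards.items()):
        if len(peers) > 1:
            findings.append(f"CSS card {c}/{s} is cabled to more than one CSS card")
    if len(set(cables_per_card.values())) > 1:
        detail = ", ".join(f"{c}/{s}: {n}" for (c, s), n in sorted(cables_per_card.items()))
        findings.append(f"unequal number of cables per CSS card ({detail}); total cluster bandwidth is affected")
    if sfu_is_et1d2sfud000:
        for (c, s), n in sorted(cables_per_card.items()):
            if n % 2:
                findings.append(f"CSS card {c}/{s} has an odd number of cables ({n}); "
                                "an even number is recommended with ET1D2SFUD000 SFUs")
    return findings


if __name__ == "__main__":
    for finding in check_css_cabling(parse_css_channel(SAMPLE_CSS_CHANNEL)):
        print(finding)
```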
Step 5 Configure Eth-Trunks between the CSS and its upstream and downstream devices.
# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
[CSS-GigabitEthernet2/1/0/4] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to SwitchC to the
Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 20
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/5
[CSS-GigabitEthernet2/1/0/5] eth-trunk 20
[CSS-GigabitEthernet2/1/0/5] quit
# Configure an Eth-Trunk in the CSS and add the downlink ports connected to SwitchD to the
Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/1/0/5
[CSS-GigabitEthernet1/1/0/5] eth-trunk 30
[CSS-GigabitEthernet1/1/0/5] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 30
[CSS-GigabitEthernet2/1/0/3] return
Step 6 Configure the MAD function. The following procedure configures MAD in relay mode and
configures SwitchC as the relay agent.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay
[CSS-Eth-Trunk20] quit
[CSS] quit
----End
Configuration Files
l CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet1/1/0/5
eth-trunk 30
#
interface GigabitEthernet2/1/0/3
eth-trunk 30
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/5
eth-trunk 20
#
return
interface GigabitEthernet1/0/2
eth-trunk 30
#
return
Related Content
Tool
CSS Assistant
Configuration Notes
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 14-1:
l CE1 connects to the headquarters R&D area of a company, and CE3 connects to the
branch R&D area. CE1 and CE3 belong to vpna.
l CE2 connects to the headquarters non-R&D area, and CE4 connects to the branch non-
R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication
between the headquarters and branch while isolating data between the R&D area and non-
R&D area.
Figure 14-1 BGP/MPLS IP VPN networking: CE1 (vpna, GE1/0/0, VLANIF10 10.1.1.1/24) and CE2 (vpnb, AS 65420, VLANIF20 10.2.1.1/24) connect to PE1 (Loopback1 1.1.1.9/32, VLANIF10 10.1.1.2/24, VLANIF20 10.2.1.2/24, VLANIF30 172.1.1.1/24); PE1, P (Loopback1 2.2.2.9/32, VLANIF30 172.1.1.2/24, VLANIF60 172.2.1.1/24) and PE2 (Loopback1 3.3.3.9/32, VLANIF60 172.2.1.2/24, VLANIF40 10.3.1.2/24, VLANIF50 10.4.1.2/24) form the VPN backbone in AS 100; CE3 (vpna, VLANIF40 10.3.1.1/24) and CE4 (vpnb, AS 65440, VLANIF50 10.4.1.1/24) connect to PE2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PEs to ensure IP connectivity on the backbone
network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to establish MPLS
LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target of vpna to
111:1 and the VPN target of vpnb to 222:2. This configuration allows users in the same
VPN to communicate with each other and isolates users on different VPNs. Bind the PE
interfaces connected to CEs to the corresponding VPN instances to provide access for
VPN users.
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and P can communicate with
each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet1/0/0] quit
After the configuration is complete, OSPF neighbor relationships are established between PE1
and P, and between PE2 and P. Run the display ospf peer command. The command output
shows that the neighbor status is Full. Run the display ip routing-table command. The
command output shows that PEs have learned the routes to Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to
establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and the P and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session
Step 3 Configure VPN instances on PEs and bind the interfaces connected to CEs to the VPN
instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit
# Assign IP addresses to the interfaces on CE1, which connects to the headquarters R&D area,
according to Figure 14-1. The configuration on CE2, CE3, and CE4 is similar to the
configuration on CE1 and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
the PEs to check the configuration of VPN instances. Each PE can ping its connected CE.
NOTE
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting
-a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address
command to ping a remote CE. If the source IP address is not specified, the ping fails.
Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configuration on CE2, CE3,
and CE4 is similar to the configuration on CE1 and is not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on the PEs. The command output shows that BGP peer relationships have been established
between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on the PEs. The command output shows that BGP peer relationships have been
established between the PEs.
[PE1] display bgp peer
CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
For example, CE1 connecting to the headquarters R&D area can ping CE3 connecting to the
branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to the branch non-R&D area at
10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
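The isolation verified by the pings above follows from VPN-target matching: a route exported with target T is installed in every VPN instance that imports T, on remote PEs through MP-IBGP and on the same PE locally. As an added example (not part of this guide), the Python script below parses vpn-instance stanzas in the configuration-file format used here, computes which instances exchange routes, and flags cross-VPN leaks and partitions; the PE2_LEAKY stanza is a constructed misconfiguration, not from the page.

```python
# Constructed input in the format of the configuration files above: the vpn-instance
# stanzas of PE1 and PE2 from this example, written with the "both" shorthand on PE2.
PE_CONFIGS = {
    "PE1": """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
""",
    "PE2": """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 both
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 both
#
""",
}

# Constructed misconfiguration (not from the page): PE2's vpnb also imports 111:1,
# the target of vpna, so vpna routes would be installed in vpnb.
PE2_LEAKY = PE_CONFIGS["PE2"].replace(
    "vpn-target 222:2 both",
    "vpn-target 222:2 both\n  vpn-target 111:1 import-extcommunity",
)


def parse_vpn_instances(pe, config):
    """Return {(pe, vrf): {"rd", "import", "export"}} from one PE's configuration."""
    vrfs = {}
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "#":
            current = None          # "#" closes a configuration stanza
            continue
        if tokens[:2] == ["ip", "vpn-instance"]:
            current = (pe, tokens[2])
            vrfs[current] = {"rd": None, "import": set(), "export": set()}
        elif current is None:
            continue                # lines of other stanzas (interfaces, bgp, ...)
        elif tokens[0] == "route-distinguisher":
            vrfs[current]["rd"] = tokens[1]
        elif tokens[0] == "vpn-target":
            # vpn-target <rt> [<rt> ...] export-extcommunity|import-extcommunity|both
            mode, targets = tokens[-1], set(tokens[1:-1])
            if mode in ("export-extcommunity", "both"):
                vrfs[current]["export"] |= targets
            if mode in ("import-extcommunity", "both"):
                vrfs[current]["import"] |= targets
    return vrfs


def build_vrf_table(configs):
    """Merge the VPN instances of several PEs into one table."""
    vrfs = {}
    for pe, config in configs.items():
        vrfs.update(parse_vpn_instances(pe, config))
    return vrfs


def route_flows(vrfs):
    """(source, destination) pairs where the destination imports the source's routes."""
    return {
        (src, dst)
        for src, s in vrfs.items()
        for dst, d in vrfs.items()
        if src != dst and s["export"] & d["import"]
    }


def find_leaks(vrfs):
    """Flows between VRFs with different names, i.e. routes crossing a VPN boundary."""
    return sorted((src, dst) for src, dst in route_flows(vrfs) if src[1] != dst[1])


def find_partitions(vrfs):
    """Same-named VRFs on different PEs that do not exchange routes in both directions."""
    flows = route_flows(vrfs)
    return sorted(
        (a, b)
        for a in vrfs for b in vrfs
        if a < b and a[1] == b[1] and ((a, b) not in flows or (b, a) not in flows)
    )


if __name__ == "__main__":
    table = build_vrf_table(PE_CONFIGS)
    print("leaks:", find_leaks(table), "partitions:", find_partitions(table))
    leaky = build_vrf_table({"PE1": PE_CONFIGS["PE1"], "PE2": PE2_LEAKY})
    print("leaks with misconfigured PE2:", find_leaks(leaky))
```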
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
#
return
Configuration Notes
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
The headquarters and branches of a company need to communicate through MPLS VPN, and
two services of the company must be isolated. To reduce hardware costs, the company wants
the branch to connect to the PE through one CE.
As shown in Figure 14-2, the networking requirements are as follows:
l CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2 belongs to
vpnb.
l The MCE connects to vpna and vpnb of the branch through SwitchA and SwitchB.
Users in the same VPN need to communicate with each other, but users in different VPNs
must be isolated.
Figure 14-2 Networking for an MCE connecting to a PE: CE1 (vpna, GE1/0/0, VLANIF10 10.1.1.1/24) and CE2 (vpnb, VLANIF20 10.2.1.1/24) connect to PE1 (Loopback1 1.1.1.9/32, VLANIF10 10.1.1.2/24, VLANIF20 10.2.1.2/24, VLANIF30 172.1.1.1/24); PE1 and PE2 (Loopback1 2.2.2.9/32, VLANIF30 172.1.1.2/24) are linked across the VPN backbone; PE2 connects to the MCE, which reaches SwitchA (vpna, VLANIF60 10.3.1.1/24) and SwitchB (vpnb, VLANIF70 10.4.1.1/24, with a vpnb device at 192.168.2.2/24 behind it)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between PEs so that they can communicate and configure MP-IBGP to
exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and import BGP
routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and PE2.
Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces and
loopback interfaces according to Figure 14-2.
# Configure PE1. The configuration on PE2, CE1, CE2, MCE, SwitchA and SwitchB is
similar to the configuration on PE1 and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname PE1
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, the PEs have learned each other's Loopback1 address.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the MPLS LDP session between the PEs is in Operational
state.
Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1 and CE2
to the VPN instances respectively. On PE2, bind the interface connected to the MCE to the
VPN instances.
# Configure PE1.
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both //Add the RT value
111:1 to routes exported from the VPN instance vpna to MP-BGP. Only the routes
with the RT value 111:1 can be imported to vpna.
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna //Bind the interface to vpna.
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] vlan batch 60 70
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 60 70
[PE2-GigabitEthernet2/0/0] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip binding vpn-instance vpna
[PE2-Vlanif60] ip address 10.3.1.3 24
[PE2-Vlanif60] quit
[PE2] interface vlanif 70
[PE2-Vlanif70] ip binding vpn-instance vpnb
[PE2-Vlanif70] ip address 10.4.1.3 24
[PE2-Vlanif70] quit
Step 5 Configure VPN instances on the MCE and bind the interfaces connected to SwitchA and
SwitchB to the VPN instances respectively.
<HUAWEI> system-view
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 60 70
[MCE-GigabitEthernet1/0/0] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] port link-type trunk
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] port link-type trunk
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE-GigabitEthernet4/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1 and is not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100 //Establish an EBGP peer relationship
between PE1 and CE1 and import VPN routes.
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
After the configuration is complete, run the display bgp vpnv4 all peer command on PE1.
The command output shows that PE1 has established an IBGP peer relationship with PE2 and
EBGP peer relationships with CE1 and CE2. The peer relationships are in Established state.
[PE1] display bgp vpnv4 all peer
Routing Tables: vpna
Destinations : 3 Routes : 3
The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it to vpnb so
that routes learned by RIP are added to the routing table of vpnb.
l # Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The configuration
is not provided here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 70
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit
Routing Tables: vpnb
Destinations : 3 Routes :
To configure OSPF multi-instance between the MCE and PE2, complete the following tasks on PE2:
l In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
l In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE
to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between
the PE and MCE, so that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between
the PE and MCE, so that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds
the VPNv4 prefix to routes and uses MP-iBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds
the VPNv4 prefix to routes and uses MP-iBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit
After the configuration is complete, run the display ip routing-table vpn-instance command
on the MCE to view the routes to the remote CEs.
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.
CE1 and SwitchA can communicate with each other. CE2 and SwitchB can communicate
with each other.
CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB.
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
return
l Configuration file of the MCE
#
sysname MCE
#
vlan batch 60 70
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 60 70
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet4/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return
Configuration Notes
l If multicast VPN in multicast domain (MD) mode is used on switches, the PIM-SM SSM
model cannot be used on the public network.
l Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
l Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
l Interfaces on the following interface cards cannot be configured as member interfaces of
Eth-Trunk multicast loopback interfaces: X1E series interface cards.
Networking Requirements
As shown in Figure 14-3, a company deploys two services whose data is transmitted in
multicast mode. The VPN site blue using service A and the VPN site white using service B
both connect to the backbone network through the MCE devices. Multicast VPN in MD mode
can be deployed to meet the company's multicast service requirements. This configuration
isolates the data of the two services and reduces the multicast traffic load on the
public network.
Figure 14-3 Networking diagram (not reproduced here): the VPN Blue sites behind CE1 and CE3 (with HostA) and the VPN White sites behind CE2 and CE4 (with HostB) connect through MCE1 and MCE2 to the backbone; Source2 sits behind CE2. The interface and address assignments are those used in the procedure and configuration files below.
Configuration Roadmap
The configuration roadmap is as follows:
3. Enable multicast routing and PIM on all the devices. Configure the multicast function in
the public network between the PE and P devices. Configure the multicast function in the
VPN instances between PE and MCE devices, and between the MCE and CE devices.
Procedure
Step 1 Configure BGP/MPLS IP VPN.
1. Configure the Open Shortest Path First (OSPF) protocol on the backbone network to
allow communication between the provider edge devices (PE1 and PE2) and
intermediate device P.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 0 //Create a loopback interface.
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] router id 1.1.1.1 //Set the router ID of PE1 to 1.1.1.1 for route
management.
[PE1] vlan batch 30
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 30 //Create a VLANIF interface.
[PE1-Vlanif30] ip address 10.1.3.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.3.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.
After the configuration is complete, OSPF neighbor relationships can be set up between
PE1, P, and PE2. Run the display ospf peer command on PE1, P, and PE2, and you can
see that the neighbors are in Full state. Run the display ip routing-table command, and
you can see that PE devices have learned the routes to Loopback0 of each other.
2. Enable basic MPLS capabilities and MPLS LDP on the provider edge devices PE1 and
PE2 to set up LDP LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1 //Set the LSR ID of PE1 to 1.1.1.1.
[PE1] mpls //Enable MPLS globally.
[PE1-mpls] quit
[PE1] mpls ldp //Enable MPLS LDP globally.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls //Enable MPLS on the VLANIF interface.
[PE1-Vlanif30] mpls ldp //Enable MPLS LDP on the VLANIF interface.
[PE1-Vlanif30] quit
The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.
After the configuration is complete, LDP sessions can be set up between PE1 and P and
between P and PE2. Run the display mpls ldp session command on the PE and P
devices, and you can see that the LDP sessions are in Operational state.
3. Establish a Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationship between the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100 //Create BGP peer 3.3.3.3 and set
its AS number to 100.
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to BGP peer 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable //Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 3.3.3.3.
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100 //Create BGP peer 1.1.1.1 and set
its AS number to 100.
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to 1.1.1.1.
[PE2-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable //Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 1.1.1.1.
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command on the
PE devices. You can see that a BGP peer relationship has been set up between PE1 and
PE2 and is in Established state.
4. Create VPN instances blue and white on the provider edge devices PE1 and PE2 and on
the branch aggregate egress devices MCE1 and MCE2, so that each service site's egress
CE connects to the PE devices through the MCE devices.
# Configure PE1.
[PE1] ip vpn-instance blue //Create VPN instance blue.
[PE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white //Create VPN instance white.
[PE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the
export VPN target list and import VPN target list of VPN instance white.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF10 so that VLANIF10 becomes a private network interface of VPN instance
blue.
[PE1-Vlanif10] ip address 10.1.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to
VLANIF20 so that VLANIF20 becomes a private network interface of VPN instance
white.
[PE1-Vlanif20] ip address 10.1.2.1 24
[PE1-Vlanif20] quit
# Configure MCE1.
[MCE1] ip vpn-instance blue //Create VPN instance blue.
[MCE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[MCE1-vpn-instance-blue-af-ipv4] quit
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white //Create VPN instance white.
[MCE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE1-vpn-instance-white-af-ipv4] quit
[MCE1-vpn-instance-white] quit
[MCE1] vlan batch 10 20 100 200
[MCE1] interface gigabitethernet 1/0/0
[MCE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[MCE1-GigabitEthernet1/0/0] quit
[MCE1] interface gigabitethernet 1/0/1
[MCE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[MCE1-GigabitEthernet1/0/1] quit
[MCE1] interface gigabitethernet 1/0/2
[MCE1-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[MCE1-GigabitEthernet1/0/2] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF10 so that VLANIF10 becomes a private network interface of VPN instance
blue.
[MCE1-Vlanif10] ip address 10.1.1.2 24
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white
to VLANIF20 so that VLANIF20 becomes a private network interface of VPN
instance white.
[MCE1-Vlanif20] ip address 10.1.2.2 24
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF100 so that VLANIF100 becomes a private network interface of VPN
instance blue.
[MCE1-Vlanif100] ip address 192.168.1.1 24
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] ip binding vpn-instance white //Bind VPN instance white
to VLANIF200 so that VLANIF200 becomes a private network interface of VPN
instance white.
[MCE1-Vlanif200] ip address 192.168.2.1 24
[MCE1-Vlanif200] quit
# Configure PE2.
[PE2] ip vpn-instance blue //Create VPN instance blue.
[PE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
# Configure MCE2.
[MCE2] ip vpn-instance blue //Create VPN instance blue.
[MCE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[MCE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[MCE2-vpn-instance-blue-af-ipv4] quit
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white //Create VPN instance white.
[MCE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[MCE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE2-vpn-instance-white-af-ipv4] quit
[MCE2-vpn-instance-white] quit
[MCE2] vlan batch 50 60 300 400
[MCE2] interface gigabitethernet 1/0/0
[MCE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[MCE2-GigabitEthernet1/0/0] quit
[MCE2] interface gigabitethernet 1/0/1
[MCE2-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[MCE2-GigabitEthernet1/0/1] quit
[MCE2] interface gigabitethernet 1/0/2
[MCE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[MCE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[MCE2-GigabitEthernet1/0/2] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF50 so that VLANIF50 becomes a private network interface of VPN instance
blue.
[MCE2-Vlanif50] ip address 10.1.5.2 24
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white
5. Configure OSPF on the provider edge devices PE1 and PE2, branches' aggregate egress
devices MCE1 and MCE2, and each service site's egress CE. Import VPN routes to the
OSPF routing table.
# Configure PE1.
[PE1] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE1-ospf-2] import-route bgp //Import BGP routes.
[PE1-ospf-2] area 0
[PE1-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.1.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-2-area-0.0.0.0] quit
[PE1-ospf-2] quit
[PE1] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE1-ospf-3] import-route bgp //Import BGP routes.
[PE1-ospf-3] area 0
[PE1-ospf-3-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.2.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-3-area-0.0.0.0] quit
[PE1-ospf-3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE1-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE1-bgp-blue] quit
[PE1-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white
[PE1-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE1-bgp-white] quit
[PE1-bgp] quit
# Configure MCE1.
[MCE1] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[MCE1-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE1-ospf-1] area 0
[MCE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.1.0 network
segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 192.168.1.0 network
segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] quit
[MCE1-ospf-1] quit
[MCE1] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[MCE1-ospf-2] area 0
# Configure PE2.
[PE2] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE2-ospf-2] import-route bgp //Import BGP routes.
[PE2-ospf-2] area 0
[PE2-ospf-2-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.5.0 network
segment and that the interface belongs to Area 0.
[PE2-ospf-2-area-0.0.0.0] quit
[PE2-ospf-2] quit
[PE2] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE2-ospf-3] import-route bgp //Import BGP routes.
[PE2-ospf-3] area 0
[PE2-ospf-3-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.6.0 network
segment and that the interface belongs to Area 0.
[PE2-ospf-3-area-0.0.0.0] quit
[PE2-ospf-3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE2-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE2-bgp-blue] quit
[PE2-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white.
[PE2-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE2-bgp-white] quit
[PE2-bgp] quit
# Configure MCE2.
[MCE2] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[MCE2-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE2-ospf-1] area 0
[MCE2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.5.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 192.168.3.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] quit
[MCE2-ospf-1] quit
[MCE2] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[MCE2-ospf-2] area 0
[MCE2-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE2-ospf-2-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.6.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that
the interface running OSPF is the one connected to the 192.168.4.0 network
segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] quit
[MCE2-ospf-2] quit
After the configuration is complete, run the display ip routing-table vpn-instance vpn-
instance-name command on the PE or MCE devices. You can see that the local PE or
MCE device has a VPN route to the remote PE. Run the display ip routing-table
protocol ospf command on the CE devices. You can see that CE1 and CE3 have learned
routes to each other, and CE2 and CE4 have learned routes to each other.
Step 2 Configure multicast loopback interfaces, share-group addresses, and MTIs for VPN instances
on the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE1-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE1-Eth-Trunk10] quit
[PE1] ip vpn-instance blue
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing
in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel
0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to
multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing
in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel
10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it
to multicast tunnel interface MTI10.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
Step 3 Configure the multicast function on the public and private networks.
1. Configure the multicast function on the public network.
Enable PIM-SM on the public network. Configure Loopback0 of the provider's
intermediate device P as a candidate bootstrap router (C-BSR) and candidate rendezvous
point (C-RP) on the public network.
# Configure PE1.
[PE1] multicast routing-enable //Enable multicast routing globally.
[PE1] interface vlanif 30
[PE1-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[PE1-Vlanif30] quit
[PE1] interface loopback 0
[PE1-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE1-LoopBack0] quit
# Configure PE2.
[PE2] multicast routing-enable //Enable multicast routing globally.
[PE2] interface vlanif 40
[PE2-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[PE2-Vlanif40] quit
[PE2] interface loopback 0
[PE2-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE2-LoopBack0] quit
# Configure P.
[P] multicast routing-enable //Enable multicast routing globally.
[P] interface vlanif 30
[P-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[P-Vlanif30] quit
[P] interface vlanif 40
[P-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[P-Vlanif40] quit
[P] interface loopback 0
[P-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[P-LoopBack0] quit
[P] pim
[P-pim] c-bsr loopback 0 //Configure Loopback0 as a C-BSR interface.
[P-pim] c-rp loopback 0 //Configure Loopback0 as a C-RP interface.
# Configure MCE1.
[MCE1] multicast routing-enable //Enable multicast routing globally.
[MCE1] ip vpn-instance blue
[MCE1-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white
[MCE1-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE1-vpn-instance-white] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[MCE1-Vlanif10] quit
# Configure PE2.
[PE2] interface vlanif 50
[PE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[PE2-Vlanif60] quit
# Configure MCE2.
[MCE2] multicast routing-enable //Enable multicast routing globally.
[MCE2] ip vpn-instance blue
[MCE2-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white
[MCE2-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE2-vpn-instance-white] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[MCE2-Vlanif400] quit
----End
Configuration Files
l Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface Vlanif30
#
return
l Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
ip address 10.1.6.1 255.255.255.0
pim sm
#
interface Eth-Trunk10
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.4.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.6.0 0.0.0.255
#
return
l Configuration file of provider intermediate device P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 40
#
multicast routing-enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
port link-type trunk
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.5.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.6.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
l Configuration file of CE1, egress for a site of service A
#
sysname CE1
#
vlan batch 100 to 101
#
multicast routing-enable
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return
l Configuration file of CE2, egress for a site of service B
#
sysname CE2
#
vlan batch 200 to 201
#
multicast routing-enable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif201
ip address 192.168.12.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet2/0/1
#
return
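The configuration files above rely on route targets, Share-Group addresses and VPN-instance bindings to keep vpna/vpnb and blue/white apart. The following Python audit is an added example, not part of the Huawei document: it parses the '#'-delimited saved-configuration format shown above and flags the mistakes that would silently merge two VPNs. The sample configuration is constructed from the PE1 listing with three deliberate defects.

```python
"""Audit a Huawei VRP-style saved configuration for VPN-instance isolation.
Added example, not part of the Huawei document: it parses the '#'-delimited
configuration-file listings shown in this section and flags mistakes that
would break the isolation the examples verify (CE1 must not reach CE2)."""
import re
from collections import defaultdict

# Constructed sample modelled on the PE1 configuration file above, with three
# deliberate defects: white imports blue's RT 111:1, both instances use
# Share-Group 239.1.1.1, and Vlanif20 is bound to an undefined instance.
SAMPLE_CONFIG = """\
#
ip vpn-instance blue
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
 multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
 vpn-target 222:1 export-extcommunity
 vpn-target 222:1 import-extcommunity
 vpn-target 111:1 import-extcommunity
 multicast-domain share-group 239.1.1.1 binding mtunnel 10
#
interface Vlanif10
 ip binding vpn-instance blue
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance green
 ip address 10.1.2.1 255.255.255.0
#
return
"""


def split_sections(config_text):
    """Split a saved configuration into '#'-delimited sections of stripped lines."""
    sections, current = [], []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    return sections + ([current] if current else [])


def parse_vpn_instances(sections):
    """Return {name: {'import': RT set, 'export': RT set, 'share_group': str|None}}."""
    instances = {}
    for sec in sections:
        m = re.match(r"ip vpn-instance (\S+)$", sec[0])
        if not m:
            continue
        inst = {"import": set(), "export": set(), "share_group": None}
        for line in sec[1:]:
            parts = line.split()
            if parts[0] == "vpn-target":
                # Saved form: 'vpn-target <rt>... export-extcommunity|import-extcommunity'
                # ('both', as typed in the procedure, is also accepted).
                if parts[-1] != "import-extcommunity":
                    inst["export"].update(parts[1:-1])
                if parts[-1] != "export-extcommunity":
                    inst["import"].update(parts[1:-1])
            elif parts[:2] == ["multicast-domain", "share-group"]:
                inst["share_group"] = parts[2]
        instances[m.group(1)] = inst
    return instances


def audit(config_text):
    """Return a list of findings; an empty list means the checks pass."""
    sections = split_sections(config_text)
    instances = parse_vpn_instances(sections)
    findings = []
    # 1. RT leakage: an RT exported by one instance and imported by another
    #    merges their VPN routing tables across the MP-BGP backbone.
    for src, s in instances.items():
        for dst, d in instances.items():
            leaked = s["export"] & d["import"]
            if src != dst and leaked:
                findings.append(f"RT leak: {dst} imports {sorted(leaked)} exported by {src}")
    # 2. Share-Group collision: instances on the same Share-Group join the same
    #    multicast distribution tree on the public network.
    by_group = defaultdict(list)
    for name, inst in instances.items():
        if inst["share_group"]:
            by_group[inst["share_group"]].append(name)
    for group, names in by_group.items():
        if len(names) > 1:
            findings.append(f"share-group {group} shared by {sorted(names)}")
    # 3. Interfaces bound to a VPN instance that is never defined.
    for sec in sections:
        if sec[0].startswith("interface "):
            for line in sec[1:]:
                m = re.match(r"ip binding vpn-instance (\S+)$", line)
                if m and m.group(1) not in instances:
                    findings.append(f"{sec[0]}: bound to undefined vpn-instance {m.group(1)}")
    return findings
```

Running audit() over the saved configuration of every PE and MCE before cut-over catches the RT overlap that a successful ping between the sites would otherwise be the first sign of.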
Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a common method to improve system reliability.
However, route selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the master in the virtual router fails, VRRP uses
a backup to transmit service traffic.
It is recommended that you set the preemption delay of the backup in a VRRP group to 0,
configure the master in preemption mode, and set the preemption delay of the master to
longer than 15s. These settings allow time for status synchronization between the uplink
and downlink on an unstable network. If these settings are not used, two masters may
coexist and user devices may learn an incorrect master address. As a result, traffic is
interrupted.
l Preemption mode: A backup preempts the master role when its priority is higher than
that of the master.
l Non-preemption mode: As long as the master is working properly, a backup with a
higher priority cannot become the master.
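The recommendation above (same VRID on both devices, master in preemption mode with a delay longer than 15s, backup delay 0) can be checked mechanically. The following Python check is an added example, not from the Huawei document; the vrrp vrid lines it parses use assumed Huawei VRP syntax (virtual-ip, priority, preempt-mode timer delay, preempt-mode disable), since this section does not show the VRRP commands themselves, and the two interface configurations are constructed.

```python
"""Check a VRRP master/backup pair against the preemption recommendation above.
Added example, not from the Huawei document. The 'vrrp vrid ...' lines use
assumed Huawei VRP command syntax (virtual-ip, priority, preempt-mode timer
delay, preempt-mode disable); this section does not show them itself."""
import re

VRRP_LINE = re.compile(r"^\s*vrrp vrid (\d+) (.+)$")

# Constructed interface configurations for the two gateways of the example:
# PE1 is meant to be the master with a 20 s preemption delay, PE2 the backup.
# Defect: PE2 keeps a non-zero preemption delay, against the recommendation.
PE1_CONFIG = """\
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
"""
PE2_CONFIG = """\
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254
 vrrp vrid 1 preempt-mode timer delay 5
"""


def parse_vrrp(config_text):
    """Return {vrid: settings}, starting from the VRRP defaults (priority 100,
    preemption enabled, delay 0) and overriding them with configured lines."""
    groups = {}
    for line in config_text.splitlines():
        m = VRRP_LINE.match(line)
        if not m:
            continue
        vrid, words = int(m.group(1)), m.group(2).split()
        g = groups.setdefault(vrid, {"virtual_ip": None, "priority": 100,
                                     "preempt": True, "delay": 0})
        if words[0] == "virtual-ip":
            g["virtual_ip"] = words[1]
        elif words[0] == "priority":
            g["priority"] = int(words[1])
        elif words[:2] == ["preempt-mode", "disable"]:
            g["preempt"] = False
        elif words[:3] == ["preempt-mode", "timer", "delay"]:
            g["delay"] = int(words[3])
    return groups


def audit_vrrp_pair(master_cfg, backup_cfg, min_master_delay=15):
    """Findings for one master/backup pair: same VRID and virtual IP on both
    devices, master priority higher, master preempting only after more than
    min_master_delay seconds, backup delay 0. An empty list means compliant."""
    m, b = parse_vrrp(master_cfg), parse_vrrp(backup_cfg)
    findings = [f"VRID {v}: configured on only one device" for v in sorted(set(m) ^ set(b))]
    for vrid in sorted(set(m) & set(b)):
        mg, bg = m[vrid], b[vrid]
        if mg["virtual_ip"] != bg["virtual_ip"]:
            findings.append(f"VRID {vrid}: virtual IP differs ({mg['virtual_ip']} vs {bg['virtual_ip']})")
        if mg["priority"] <= bg["priority"]:
            findings.append(f"VRID {vrid}: master priority {mg['priority']} not above backup {bg['priority']}")
        if not mg["preempt"]:
            findings.append(f"VRID {vrid}: master preemption disabled, it cannot reclaim the role")
        elif mg["delay"] <= min_master_delay:
            findings.append(f"VRID {vrid}: master preemption delay {mg['delay']}s must exceed {min_master_delay}s")
        if bg["delay"] != 0:
            findings.append(f"VRID {vrid}: backup preemption delay {bg['delay']}s should be 0")
    return findings
```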
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 14-4, CE1 and CE2 belong to vpna, and CE1 is dual-homed to PE1 and
PE2 through the switch. The requirements are as follows:
l Normally, CE1 uses PE1 as the default gateway to communicate with CE2. When PE1
becomes faulty, PE2 takes over from PE1, implementing gateway redundancy.
l After PE1 recovers, it preempts the master role and resumes transmitting data after a
preemption delay of 20s.
NOTE
In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled and VLANIF
interfaces of switches are used to construct a Layer 3 ring network, an interface on the network may be
blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
VRRP is configured to implement gateway redundancy on the L3VPN. The configuration
roadmap is as follows:
2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can be
established to transmit VPN data.
3. Configure VPN instances on PEs to implement connectivity between VPNs. Bind VPN
instances to PE interfaces connected to CEs so that VPN users can be connected.
4. Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to exchange
VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Configure a loop prevention protocol on PE1, PE2, and the switch to prevent loops. Here,
MSTP is used.
7. Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that PE1
functions as the master to forward traffic, and set the preemption delay to 20s on PE1.
Set a lower priority for PE2 so that PE2 functions as the backup.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PEs can communicate
with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type hybrid
[PE3-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE3-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[PE3-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit
Step 3 Configure VPN instances on PEs and bind them to the PE interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] port link-type hybrid
[PE1-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/5
[PE2-GigabitEthernet1/0/5] port link-type hybrid
[PE2-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/5] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.1.1.2 24
[PE2-Vlanif100] quit
# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[PE3-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[PE3-GigabitEthernet1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type hybrid
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[CE2-GigabitEthernet1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit
Step 4 Set up EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit
Step 5 Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit
Step 6 Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.
# Set the path cost of the port connecting PE2 and the switch to 400000 to block the link
between PE2 and the switch.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp cost 400000
[PE2-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] quit
# After the configuration is complete, run the display stp brief command on the switch. You
can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
Step 7 Configure a VRRP group on PE1 and PE2.
# Configure VRRP group 1 on PE1, and set the priority of PE1 to 120 and the preemption
delay to 20s.
[PE1] interface vlanif 100
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority to 120.
[PE1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay to 20s.
[PE1-Vlanif100] quit
# Configure VRRP group 1 on PE2 and keep the default priority of 100 so that PE2 functions
as the backup.
[PE2] interface vlanif 100
[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[PE2-Vlanif100] quit
# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link fault.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] shutdown
[PE1-GigabitEthernet1/0/5] quit
# Run the display vrrp command on PE2 to check the VRRP status. The command output
shows that PE2 is in Master state.
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s, run the
display vrrp command on PE1 to check the VRRP status. PE1 returns to the Master state.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1-GigabitEthernet1/0/5] quit
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
----End
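The master election and preemption exercised in the steps above, as a time-stepped model added here (not Huawei code). Priorities 120/100, the interface addresses and the 20s preemption delay are the page's values; the one-second step and the instant detection of a failed master are simplifications of the real VRRP timers.

```python
"""Time-stepped model of the VRRP master election exercised in the steps above
(added example, not Huawei code). Priorities 120/100, addresses and the 20 s
preemption delay are the page's values; the one-second step and instant detection
of a failed master are simplifications of the real VRRP timers."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


def ip_key(ip: str) -> tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class VrrpRouter:
    name: str
    ip: str                           # interface address; higher IP wins a priority tie
    priority: int = 100               # vrrp vrid 1 priority (default 100)
    preempt_delay: int = 0            # vrrp vrid 1 preempt-mode timer delay (default 0)
    up: bool = True
    state: str = "Backup"
    preempt_at: Optional[int] = None  # second at which a pending preemption fires

    def rank(self) -> tuple[int, tuple[int, ...]]:
        return (self.priority, ip_key(self.ip))


class VrrpGroup:
    def __init__(self, vrid: int, virtual_ip: str, routers: list[VrrpRouter]):
        self.vrid, self.virtual_ip, self.routers = vrid, virtual_ip, routers
        self.log: list[tuple[int, str]] = []   # (second, transition)

    def master(self) -> Optional[VrrpRouter]:
        return next((r for r in self.routers if r.state == "Master"), None)

    def _promote(self, router: VrrpRouter, now: int) -> None:
        for other in self.routers:
            if other.state == "Master":
                other.state = "Backup"
        router.state, router.preempt_at = "Master", None
        self.log.append((now, f"{router.name} -> Master"))

    def tick(self, now: int) -> None:
        """Advance protocol time by one second."""
        for r in self.routers:
            if not r.up and r.state != "Initialize":      # link down: leave the election
                r.state, r.preempt_at = "Initialize", None
                self.log.append((now, f"{r.name} -> Initialize"))
            elif r.up and r.state == "Initialize":        # link restored: rejoin as Backup
                r.state = "Backup"
                self.log.append((now, f"{r.name} -> Backup"))
        candidates = [r for r in self.routers if r.up]
        if not candidates:
            return
        best = max(candidates, key=VrrpRouter.rank)
        current = self.master()
        if current is None:                 # master lost: best backup takes over at once
            self._promote(best, now)
        elif best is not current:           # higher-ranked backup preempts after its delay
            if best.preempt_at is None:
                best.preempt_at = now + best.preempt_delay
                self.log.append((now, f"{best.name} preempt timer {best.preempt_delay} s"))
            if now >= best.preempt_at:
                self._promote(best, now)


def run_scenario() -> list[tuple[int, str]]:
    """PE1's CE-facing links go down at t=10 and come back at t=30, as in the steps above."""
    pe1 = VrrpRouter("PE1", "10.1.1.1", priority=120, preempt_delay=20)
    pe2 = VrrpRouter("PE2", "10.1.1.2")
    group = VrrpGroup(1, "10.1.1.111", [pe1, pe2])
    events: dict[int, Callable[[], None]] = {
        10: lambda: setattr(pe1, "up", False),   # shutdown GE1/0/2 and GE1/0/5 on PE1
        30: lambda: setattr(pe1, "up", True),    # undo shutdown
    }
    for now in range(0, 61):
        if now in events:
            events[now]()
        group.tick(now)
    return group.log


if __name__ == "__main__":
    for second, transition in run_scenario():
        print(f"t={second:>2}s  {transition}")
```

The log shows PE2 taking over at t=10 and PE1 returning to Master only at t=50, twenty seconds after its links recover.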
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of PE3
#
sysname PE3
#
vlan batch 200 300 400
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif400
ip binding vpn-instance vpna
ip address 172.16.1.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 172.16.1.200 as-number 65430
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 100
Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN and it can be flexibly deployed and easily
extended, suitable for large-sized deployment. BGP/MPLS IP VPN technology can be used to
implement secure communication or isolation between branches in different locations.
Routing policies are used to filter routes and set route attributes. You can change route
attributes to change a route over which network traffic is transmitted.
BGP/MPLS IP VPN can be combined with routing policies to control the receiving and
advertisement of VPN routes, implementing mutual access between specific branch users.
Configuration Notes
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l This example applies to all versions of the S12700 switches.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 14-5, CE1 is connected to the branch Site 1, and CE2 is connected to the
branch Site 2. Site 1 and Site 2 communicate with each other over the ISP backbone network.
The enterprise requires that L3VPN users on some network segments can securely
communicate with each other to meet service requirements.
Figure 14-5 Configuring routing policies to control mutual access between L3VPN users
(Figure not reproduced. Addresses shown in the figure: PE1 Loopback1 1.1.1.9/32, GE2/0/0
(VLANIF100) 172.10.1.1/24 toward the VPN backbone and GE1/0/0 (VLANIF10) 192.168.1.1/24
toward Site 1; PE2 Loopback1 2.2.2.9/32, GE2/0/0 (VLANIF100) 172.10.1.2/24 toward the VPN
backbone and GE1/0/0 (VLANIF10) 192.168.2.1/24 toward Site 2.)
Configuration Roadmap
The configuration roadmap is as follows:
3. Create VPN instances on the PE devices, bind CE interfaces to the VPN instances, and
assign different VPN targets to the VPN instances to isolate users from different
branches.
4. Configure routing policies on the PE devices and change the VPN targets of routes
filtered out based on specified routing policies to implement communication between
branch users on a specified network segment.
5. Set up EBGP peer relationships between the CE and PE devices so that they can
exchange VPN routing information.
6. Configure MP-IBGP between the PE devices to enable them to exchange VPN routing
information.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE devices can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 100
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 172.10.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ospf peer command. The command
output shows that an OSPF neighbor relationship has been set up between PE1 and PE2 and that
the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2; the
output shows that PE1 and PE2 have learned the routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit
After the configuration is complete, PE1 and PE2 have established LDP sessions. Run the
display mpls ldp session command, and you can view that the LDP session status is
Operational.
Step 3 Configure a VPN instance on each PE device and connect the CE devices to the PE devices.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 192.168.1.2 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 192.168.2.2 24
[CE2-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PE1 and PE2 to view VPN instance configuration. The PE devices can ping local CE devices
attached to them.
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP
address when pinging the CE device connected to the remote PE device. To specify the source IP
address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-
ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.
Step 4 Configure routing policies on the PE devices to change the VPN targets of the routes
that match the specified network segments.
# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit
# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit
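A control-plane model of this step, added here as an example (not Huawei code): it runs PE1's vpna routes through ipPrefix1 and route-policy vpnroute and checks what PE2, whose VPN instance imports only RT 222:1, installs. The two extra Site 1 prefixes and the implicit-deny handling of routes that no policy node matches are assumptions.

```python
"""Control-plane model of PE1's export route-policy and PE2's VPN-target import
filter (added example, not Huawei code)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix NAME index N permit A.B.C.D LEN greater-equal GE less-equal LE' entry."""
    network: str
    ge: int
    le: int
    permit: bool = True

    def covers(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix, strict=False)
        base = ipaddress.ip_network(self.network, strict=False)
        return net.subnet_of(base) and self.ge <= net.prefixlen <= self.le


def ip_prefix_matches(entries: list[PrefixEntry], prefix: str) -> bool:
    """The first covering entry decides; a prefix no entry covers does not match."""
    for entry in entries:
        if entry.covers(prefix):
            return entry.permit
    return False


@dataclass(frozen=True)
class PolicyNode:
    """One 'route-policy NAME permit|deny node N' with its if-match / apply clauses."""
    permit: bool
    ip_prefix: Optional[str] = None        # if-match ip-prefix NAME
    apply_rt: Optional[frozenset] = None   # apply extcommunity rt X:Y (no 'additive': replaces)


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    rts: frozenset   # route-target extended communities on the VPNv4 update


def export_route(route: VpnRoute, policy: list[PolicyNode],
                 prefix_lists: dict[str, list[PrefixEntry]]) -> Optional[VpnRoute]:
    """Run one route through an export route-policy; None means it is not advertised.
    Assumption: a route matched by no node hits the route-policy's implicit deny."""
    for node in policy:
        if node.ip_prefix and not ip_prefix_matches(prefix_lists[node.ip_prefix], route.prefix):
            continue
        if not node.permit:
            return None
        return VpnRoute(route.prefix, node.apply_rt or route.rts)
    return None


def advertise(prefixes: list[str], export_rts: set[str], policy: Optional[list[PolicyNode]],
              prefix_lists: dict[str, list[PrefixEntry]]) -> list[VpnRoute]:
    """VPNv4 routes a PE sends its MP-IBGP peer: the VPN instance's export RTs are
    attached first, then the export route-policy (if any) filters and rewrites them."""
    sent = []
    for prefix in prefixes:
        route = VpnRoute(prefix, frozenset(export_rts))
        result = export_route(route, policy, prefix_lists) if policy else route
        if result is not None:
            sent.append(result)
    return sent


def accepted(advertised: list[VpnRoute], import_rts: set[str]) -> list[str]:
    """Prefixes the receiving PE installs under 'policy vpn-target': at least one RT
    on the route must be in the VPN instance's import RT list."""
    return [r.prefix for r in advertised if r.rts & frozenset(import_rts)]


# Values from the configuration above.
PE1_EXPORT_RTS = {"111:1"}
PE2_IMPORT_RTS = {"222:1"}
PREFIX_LISTS = {"ipPrefix1": [PrefixEntry("192.168.1.0/24", ge=24, le=32)]}
VPNROUTE = [PolicyNode(permit=True, ip_prefix="ipPrefix1", apply_rt=frozenset({"222:1"}))]

# Constructed VRF contents on PE1: the direct route from the page plus two extra
# Site 1 prefixes, one inside 192.168.1.0/24 and one outside it.
PE1_VPNA_ROUTES = ["192.168.1.0/24", "192.168.1.128/25", "10.10.0.0/16"]


def pe2_routes_with_policy() -> list[str]:
    return accepted(advertise(PE1_VPNA_ROUTES, PE1_EXPORT_RTS, VPNROUTE, PREFIX_LISTS),
                    PE2_IMPORT_RTS)


def pe2_routes_without_policy() -> list[str]:
    """Same PEs with no export route-policy: PE1 keeps RT 111:1, which PE2 never imports."""
    return accepted(advertise(PE1_VPNA_ROUTES, PE1_EXPORT_RTS, None, PREFIX_LISTS),
                    PE2_IMPORT_RTS)


if __name__ == "__main__":
    print("PE2 installs with vpnroute   :", pe2_routes_with_policy())
    print("PE2 installs without vpnroute:", pe2_routes_without_policy())
```

Only the 192.168.1.0/24 segment (and its more specific routes) reaches Site 2; without the policy the mismatched VPN targets isolate the two branches completely.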
Step 5 Set up EBGP peer relationships between the PE and CE devices and import VPN routes.
# Configure CE1. The configuration of CE2 is similar to that of CE1, and is not mentioned
here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance vpna peer
command on PE1 and PE2. You can view that BGP peer relationships between PE and CE
devices have been established and are in the Established state.
Step 6 Configure MP-IBGP between the PE devices so that they can exchange VPN routing information.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PE1 and PE2. You can view that the BGP peer relationships have been
established between the PE devices and are in the Established state.
# Run the ping -vpn-instance command on PE1 and PE2. You can successfully ping the CE
site that is attached to the peer PE device.
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
export route-policy vpnroute
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
#
return
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.1.1 enable
#
return
After QinQ termination sub-interfaces are connected to a VLL network, the sub-interfaces on
devices terminate double VLAN tags before sending the packets to the VLL network.
QinQ termination sub-interfaces apply to scenarios where all the VLANs (such as VLAN 100
to VLAN 200) of one site need to communicate with a remote site over the VLL network or
VLAN resources of the public network need to be saved. In these scenarios, the switching
device deployed between the CE and PE devices adds the same outer VLAN tag to packets
carrying different inner VLAN tags from different CE devices. The sub-interface on the PE
device then terminates double VLAN tags in QinQ packets and sends the packets to the VLL
tunnel.
QinQ is an extension to MAN Ethernet VPN on the core VLL network. It can form an end-to-
end VPN solution to implement Layer 2 communication between geographically isolated
users.
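A byte-level model of the stacking and termination just described, added here as an example (not Huawei code). TPID 0x8100 on both tags, the MAC addresses and the payload are constructed; the VLAN 10 to outer VLAN 100 mapping is the one Switch1 is given in this example (port vlan-stacking vlan 10 stack-vlan 100).

```python
"""Byte-level model of selective QinQ stacking on the switch and QinQ termination on
the PE sub-interface (added example, not Huawei code). TPID 0x8100 on both tags, the
MAC addresses and the payload are constructed; VLAN 10 -> outer 100 is Switch1's
'port vlan-stacking vlan 10 stack-vlan 100' mapping from this example."""
from __future__ import annotations
import struct
from typing import Optional

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, vlans: list[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame carrying zero or more 802.1Q tags (outermost first), PCP/DEI = 0."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> tuple[list[int], int, bytes]:
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vlans, ethertype, frame[off + 2:]


def switch_vlan_stacking(frame: bytes, stacking: dict[int, int]) -> Optional[bytes]:
    """CE-facing switch port: push the outer tag mapped from the single inner VID.
    Frames with no mapping are dropped (behaviour assumed for this model)."""
    vlans, ethertype, payload = parse_tags(frame)
    if len(vlans) != 1 or vlans[0] not in stacking:
        return None
    return build_frame(frame[:6], frame[6:12], [stacking[vlans[0]], vlans[0]], ethertype, payload)


def pe_terminate_qinq(frame: bytes, outer: int, inner_vids: set[int]) -> Optional[bytes]:
    """QinQ termination sub-interface on the PE: accept only the configured outer/inner
    pair and hand the frame to the VLL with both tags removed."""
    vlans, ethertype, payload = parse_tags(frame)
    if len(vlans) != 2 or vlans[0] != outer or vlans[1] not in inner_vids:
        return None
    return build_frame(frame[:6], frame[6:12], [], ethertype, payload)


CE1_MAC = bytes.fromhex("02aa000000c1")   # constructed locally administered addresses
CE2_MAC = bytes.fromhex("02aa000000c2")
STACKING = {10: 100}                     # Switch1: port vlan-stacking vlan 10 stack-vlan 100


def trace_ce1_to_vll() -> list[list[int]]:
    """Tags seen at CE1's port, on the Switch1-PE1 link, and inside the VLL."""
    ce_frame = build_frame(CE2_MAC, CE1_MAC, [10], 0x0800, b"\x45" + b"\x00" * 19)
    stacked = switch_vlan_stacking(ce_frame, STACKING)
    terminated = pe_terminate_qinq(stacked, outer=100, inner_vids={10})
    return [parse_tags(f)[0] for f in (ce_frame, stacked, terminated)]


if __name__ == "__main__":
    print(trace_ce1_to_vll())   # [[10], [100, 10], []]
```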
Configuration Notes
l This example applies to all versions of the S12700.
Networking Requirements
As shown in Figure 14-6, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
You are required to configure selective QinQ on the interfaces connected to CEs so that the
Switch adds the VLAN tags specified by the carrier to the packets sent from CEs.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.
Figure 14-6 Networking diagram for connecting QinQ termination sub-interfaces to a VLL
network
(Figure not reproduced. Topology shown: CE1 - Switch1 - PE1 - P - PE2 - Switch2 - CE2.
Loopback1 addresses: PE1 1.1.1.1/32, P 2.2.2.2/32, PE2 3.3.3.3/32. PE1 connects to Switch1
through GE2/0/0, on which the QinQ termination sub-interface GigabitEthernet2/0/0.1 is
created; Switch1 and Switch2 connect to the PEs through GE2/0/0 and to the CEs through
GE1/0/0; CE1 and CE2 use GE1/0/0; the P uses GE1/0/0 and GE2/0/0.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ termination sub-interfaces on PE interfaces connected to the switches to
implement VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 14-6.
# Configure CE1 to ensure that packets sent from CE1 to Switch1 carry a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to Switch2 carry a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn the route to the Loopback1 interface of each other. The display on PE1 is used as an
example:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
The display on PE1 is used as an example:
[PE1] display mpls ldp session
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l Configuration file of the P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Configuration Notes
l The SA series cards cannot be used in this example. The X1E series cards of V200R007
and later versions can be used in this example.
l This example applies to all versions of the S12700 switches.
NOTE
For details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 14-7:
l An ISP provides both VPLS and L3VPN services.
l CE1 connected to the headquarters of enterprise A and CE3 connected to a branch
belong to the same VPLS to transmit Layer 2 services. CE1 and CE3 are bound to vpna
to implement secure transmission of Layer 3 data.
l CE2 connected to the headquarters of enterprise B and CE4 connected to a branch
belong to the same VPLS to transmit Layer 2 services. CE2 and CE3 are bound to vpna
to implement secure transmission of Layer 3 data.
Figure 14-7 Networking for deploying BGP/MPLS IP VPN and VPLS on one ISP network
[Figure 14-7 is an image; the labels recovered from it are listed here.]
CE1: GE1/0/0, VLANIF10 10.1.1.1/24. CE3: GE1/0/0, VLANIF10 10.3.1.1/24.
PE1: Loopback1 1.1.1.9/32; GE1/0/0 toward CE1; GE2/0/0 toward Switch1; GE3/0/0, VLANIF30 172.1.1.1/24.
P: Loopback1 2.2.2.9/32; VLANIF30 172.1.1.2/24 toward PE1; VLANIF60 172.2.1.1/24 toward PE2.
PE2: Loopback1 3.3.3.9/32; GE1/0/0 toward CE3; GE2/0/0 toward Switch2; GE3/0/0, VLANIF60 172.2.1.2/24.
VPN backbone: AS 100.
Switch1 (GE1/0/0 toward CE2, GE2/0/0 toward PE1) and Switch2 (GE1/0/0 toward CE4, GE2/0/0 toward PE2).
CE2: VLANIF20 10.2.1.1/24, AS 65420, vpnb, vsi2. CE4: VLANIF20 10.4.1.1/24, AS 65440, vpnb, vsi2.
Data Plan
[The data plan table did not survive extraction; the only entries recovered are the PE sub-interfaces GigabitEthernet1/0/0.2 and GigabitEthernet2/0/0.2 on PE1 and PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PE devices to ensure IP connectivity on the
backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the P and PE devices to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure BGP/MPLS IP VPN. Configure L3VPN instances vpna and vpnb on PE1 and
PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb to 222:2. This
configuration allows users in the same VPN to communicate with each other and isolates
users of different VPNs. Configure dot1q termination sub-interfaces for single-tagged
packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for double-
tagged packets sent from CE2 and CE4.
5. Configure the VPLS service. Create VPLS VSI instances on PE1 and PE2. In each VSI
instance, specify BGP as the signaling protocol, and set the RD, VPN target and site.
Bind sub-interfaces to VSI instances so that the sub-interfaces function as AC interfaces
to provide access for VPLS users. Configure dot1q termination sub-interfaces for single-
tagged packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for
double-tagged packets sent from CE2 and CE4.
6. Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.
7. Set up EBGP peer relationships between the CE and PE devices so that they can
exchange VPN routing information.
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that the PE and P devices can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, OSPF neighbor relationships can be set up between PE1,
P, and PE2. Run the display ospf peer command on PE1, P, and PE2, and you can view that
the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2, and
you can view that PE1 and PE2 have learned the routes to each other's Loopback1 address.
The display on PE1 is used as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and the P and
between the P and PE2. Run the display mpls ldp session command on PE1, P, and PE2, and
you can view that the LDP session status is Operational. Run the display mpls ldp lsp
command, and you can view information about the established LDP LSPs.
The display on PE1 is used as an example:
Step 3 Configure L3VPN instances on the PE devices. Configure dot1q termination sub-interfaces
for single-tagged packets from vpna. Configure QinQ termination sub-interfaces for double-
tagged packets from vpnb. (Layer 3 service users are identified by VLAN 10 and VLAN 20,
and the PE devices use VLAN 10 and VLAN 100 to identify Layer 3 services.)
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PE1 and PE2 to view VPN instance configuration. The PE devices can ping local CE devices
attached to them.
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP
address when pinging the CE device connected to the remote PE device. To specify the source IP
address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-
ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.
Interfaces : Vlanif10
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4096
Log Interval : 5
Step 4 Create VPLS VSI instances on PE1 and PE2. In each VSI instance, specify BGP as the
signaling protocol, and set the RD, VPN target and site. Bind sub-interfaces to VSI instances
so that the sub-interfaces function as AC interfaces to provide access for VPLS users.
Configure dot1q termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent from CE2 and
CE4. (The CE devices use VLAN 11 and VLAN 21 to identify Layer 2 service users, and the
PE devices use VLAN 11 and VLAN 200 to identify Layer 2 services.)
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vsi vsi1 auto
[PE1-vsi-vsi1] pwsignal bgp
[PE1-vsi-vsi1-bgp] route-distinguisher 101:1
[PE1-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE1-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE1-vsi-vsi1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi1-bgp] quit
[PE1-vsi-vsi1] quit
[PE1] vsi vsi2 auto
[PE1-vsi-vsi2] pwsignal bgp
[PE1-vsi-vsi2-bgp] route-distinguisher 101:2
[PE1-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE1-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE1-vsi-vsi2-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi2-bgp] quit
[PE1-vsi-vsi2] quit
[PE1] interface gigabitethernet 1/0/0.2
[PE1-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE1-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE1-GigabitEthernet1/0/0.2] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] vsi vsi1 auto
[PE2-vsi-vsi1] pwsignal bgp
[PE2-vsi-vsi1-bgp] route-distinguisher 201:1
[PE2-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE2-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE2-vsi-vsi1-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi1-bgp] quit
[PE2-vsi-vsi1] quit
[PE2] vsi vsi2 auto
[PE2-vsi-vsi2] pwsignal bgp
[PE2-vsi-vsi2-bgp] route-distinguisher 201:2
[PE2-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE2-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE2-vsi-vsi2-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi2-bgp] quit
[PE2-vsi-vsi2] quit
[PE2] interface gigabitethernet 1/0/0.2
[PE2-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE2-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE2-GigabitEthernet1/0/0.2] quit
[PE2] interface gigabitethernet 2/0/0.2
[PE2-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE2-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE2-GigabitEthernet2/0/0.2] quit
Step 5 Set up EBGP peer relationships between the PE and CE devices and import L3VPN routes to
BGP.
# Configure CE1 connecting to the headquarters of enterprise A. The configurations of CE2,
CE3, and CE4 are similar to that of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on the PE devices. You can see that the BGP peer relationships between the PE and CE devices
are in the Established state.
Take the BGP peer relationship between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] vpls-family
[PE1-bgp-af-vpls] peer 3.3.3.9 enable
[PE1-bgp-af-vpls] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] vpls-family
[PE2-bgp-af-vpls] peer 1.1.1.9 enable
[PE2-bgp-af-vpls] quit
[PE2-bgp] quit
Step 7 Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 100 200
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 100 200
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
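The tag handling configured in Steps 3, 4 and 7 (dot1q termination for single-tagged frames, QinQ termination for double-tagged frames, and selective QinQ stacking on the CE-side switches) decides which VPN instance or VSI a customer frame lands in, so it is worth seeing the matching rules written out. The following Python model is an added example, not Huawei code and not part of this guide. It parses the 802.1Q tag stack of a frame, applies PE2's termination table from Steps 3 and 4, and models Switch1's vlan-stacking map from Step 7; it assumes Switch2 uses the same stacking map (its configuration is cut off above) and that a switch port drops frames whose VLAN has no stacking entry. The frames and MAC addresses are constructed test data.

```python
"""Model of dot1q/QinQ termination and selective QinQ stacking.

Added example, not Huawei code. The sub-interface table reproduces PE2's
termination rules from the example above; the stacking map reproduces
Switch1's "port vlan-stacking" lines and is assumed to apply to Switch2 too.
"""
import struct

ETH_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Return (list of VLAN IDs outer-first, payload EtherType, payload offset)."""
    offset = 12                      # skip destination and source MAC
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != ETH_8021Q:
            return vids, ethertype, offset + 2
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)    # 12-bit VLAN ID; PCP and DEI bits are masked off
        offset += 4


def build_frame(dst_mac_hex: str, src_mac_hex: str, vids, ethertype=ETH_IPV4, payload=b""):
    """Construct a frame with zero or more 802.1Q tags (test data only)."""
    hdr = bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex)
    for vid in vids:
        hdr += struct.pack("!HH", ETH_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + payload


# PE2 termination table from Steps 3 and 4: (sub-interface, rule, binding)
PE2_TERMINATION = {
    "GigabitEthernet1/0/0": [
        ("GigabitEthernet1/0/0.1", ("dot1q", 10), "vpn-instance vpna"),
        ("GigabitEthernet1/0/0.2", ("dot1q", 11), "vsi vsi1"),
    ],
    "GigabitEthernet2/0/0": [
        ("GigabitEthernet2/0/0.1", ("qinq", 100, 20), "vpn-instance vpnb"),
        ("GigabitEthernet2/0/0.2", ("qinq", 200, 21), "vsi vsi2"),
    ],
}


def rule_matches(rule, vids) -> bool:
    """dot1q termination needs exactly one tag; qinq termination needs exactly
    the configured outer (pe-vid) and inner (ce-vid) pair."""
    if rule[0] == "dot1q":
        return len(vids) == 1 and vids[0] == rule[1]
    if rule[0] == "qinq":
        return len(vids) == 2 and (vids[0], vids[1]) == (rule[1], rule[2])
    return False


def classify(port: str, frame: bytes, table=PE2_TERMINATION):
    """Return (sub-interface, binding) for a frame arriving on a PE port, or None if no
    termination rule matches (the frame is not delivered to any VPN instance or VSI)."""
    vids, _, _ = parse_vlan_tags(frame)
    for subif, rule, binding in table.get(port, []):
        if rule_matches(rule, vids):
            return subif, binding
    return None


# Switch1 (Step 7): port vlan-stacking vlan 20 stack-vlan 100 / vlan 21 stack-vlan 200.
SWITCH_STACKING = {20: 100, 21: 200}


def selective_qinq(frame: bytes, stacking=SWITCH_STACKING):
    """Model of the CE-side switch port: push the outer tag for a known CE VLAN.
    Assumption: a single-tagged frame whose VLAN has no stacking entry is dropped."""
    vids, _, _ = parse_vlan_tags(frame)
    if len(vids) != 1 or vids[0] not in stacking:
        return None
    outer = struct.pack("!HH", ETH_8021Q, stacking[vids[0]])
    return frame[:12] + outer + frame[12:]


if __name__ == "__main__":
    ce2_frame = build_frame("001122334455", "66778899aabb", [20], payload=b"\x45")
    stacked = selective_qinq(ce2_frame)
    print(parse_vlan_tags(stacked)[0], classify("GigabitEthernet2/0/0", stacked))
```

The exact two-tag match in rule_matches is the point to keep in mind when reviewing such a deployment: a frame that arrives on the QinQ-facing port with a single tag, or with a pe-vid/ce-vid pair that is not configured, is not delivered to any VPN instance or VSI, so an address plan in which both tags are checked keeps enterprise A's and enterprise B's traffic apart even though the CEs use overlapping VLAN IDs.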
CE devices in the same VPN instance can successfully ping each other, whereas CE devices
in different VPN instances cannot.
For example, CE1 connecting to the headquarters of enterprise A can successfully ping CE3
connecting to a branch at 10.3.1.1 but cannot ping CE4 connecting to the headquarters of
enterprise B at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
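The ping results above follow from the VPN targets chosen in the roadmap (111:1 for vpna, 222:2 for vpnb): a PE installs a VPNv4 route into a VPN instance only when one of the route's attached targets is in that instance's import list. The following Python model is an added example, not Huawei code and not part of this guide. It uses the VPN instance names, RDs and VPN targets from Step 3 and the CE subnets from the figure, computes which prefixes each VPN instance ends up with, and adds a check a reviewer can run over a planned configuration to find VPN target overlaps that would leak routes between differently named VPNs. The prefix lists are constructed test data.

```python
"""Model of VPN target (route target) based isolation in BGP/MPLS IP VPN.

Added example, not Huawei code. VRF names, RDs and VPN targets are those of
the example above; the CE subnets are used as constructed local routes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vrf:
    pe: str
    name: str
    rd: str
    export_rt: FrozenSet[str]
    import_rt: FrozenSet[str]


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: FrozenSet[str]   # extended communities attached on export
    origin_pe: str


def export_routes(vrf: Vrf, local_prefixes: List[str]) -> List[Vpnv4Route]:
    """A PE advertises each VRF-local route as RD:prefix with the VRF's export targets attached."""
    return [Vpnv4Route(vrf.rd, p, vrf.export_rt, vrf.pe) for p in local_prefixes]


def import_routes(vrf: Vrf, vpnv4_table: List[Vpnv4Route]) -> Set[str]:
    """A VRF installs a VPNv4 route only if at least one attached target is in its import list."""
    return {r.prefix for r in vpnv4_table if r.rts & vrf.import_rt}


def build_vrf_tables(vrfs: List[Vrf],
                     local_prefixes: Dict[Tuple[str, str], List[str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Resulting routing table of every (PE, VRF): local routes plus matching VPNv4 routes."""
    vpnv4: List[Vpnv4Route] = []
    for vrf in vrfs:
        vpnv4.extend(export_routes(vrf, local_prefixes[(vrf.pe, vrf.name)]))
    tables = {}
    for vrf in vrfs:
        key = (vrf.pe, vrf.name)
        tables[key] = set(local_prefixes[key]) | import_routes(vrf, vpnv4)
    return tables


def find_cross_vpn_leaks(vrfs: List[Vrf]) -> List[Tuple[str, str]]:
    """Pairs (exporter VPN, importer VPN) of differently named VPNs whose targets overlap,
    i.e. configurations in which routes of one VPN would be installed into the other."""
    leaks = set()
    for a in vrfs:
        for b in vrfs:
            if a.name != b.name and (a.export_rt & b.import_rt):
                leaks.add((a.name, b.name))
    return sorted(leaks)


def rt(*values: str) -> FrozenSet[str]:
    return frozenset(values)


# "vpn-target 111:1 both" / "vpn-target 222:2 both" from Step 3
VRFS = [
    Vrf("PE1", "vpna", "100:1", rt("111:1"), rt("111:1")),
    Vrf("PE1", "vpnb", "100:2", rt("222:2"), rt("222:2")),
    Vrf("PE2", "vpna", "200:1", rt("111:1"), rt("111:1")),
    Vrf("PE2", "vpnb", "200:2", rt("222:2"), rt("222:2")),
]

# Constructed local routes: the CE subnets from the figure, imported via "import-route direct"
LOCAL_PREFIXES = {
    ("PE1", "vpna"): ["10.1.1.0/24"],   # CE1
    ("PE1", "vpnb"): ["10.2.1.0/24"],   # CE2
    ("PE2", "vpna"): ["10.3.1.0/24"],   # CE3
    ("PE2", "vpnb"): ["10.4.1.0/24"],   # CE4
}


def leaky_variant() -> List[Vrf]:
    """Hypothetical misconfiguration: PE2's vpnb also imports 111:1 (not in the guide)."""
    return [v if not (v.pe == "PE2" and v.name == "vpnb")
            else Vrf(v.pe, v.name, v.rd, v.export_rt, rt("222:2", "111:1"))
            for v in VRFS]


if __name__ == "__main__":
    for key, prefixes in sorted(build_vrf_tables(VRFS, LOCAL_PREFIXES).items()):
        print(key, sorted(prefixes))
    print("leaks in guide config:", find_cross_vpn_leaks(VRFS))
    print("leaks in leaky variant:", find_cross_vpn_leaks(leaky_variant()))
```

With the guide's targets, PE1's vpna holds 10.1.1.0/24 and 10.3.1.0/24 and nothing from vpnb, which is why CE1 reaches 10.3.1.1 but not 10.4.1.1 above. The leak check is deliberately one-directional: an importer that lists another VPN's export target receives that VPN's routes even when the reverse direction stays isolated, which is the case to look for when auditing "vpn-target ... import-extcommunity" lines.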
Run the display vsi name vsi2 verbose command on PE1, and you can view that vsi2 has a
PW to PE2 and is in Up state.
[PE1] display vsi name vsi2 verbose
BGP RD : 101:2
SiteID/Range/Offset : 1/5/0
Import vpn target : 200:1
Export vpn target : 200:1
Remote Label Block : 35845/5/0
Local Label Block : 0/35845/5/0
**PW Information:
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
#
return
l Configuration file of PE2
#
sysname PE2
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 201:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 2 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 201:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 2 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
l Configuration file of CE3 connecting to a branch of enterprise A
#
sysname CE3
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
l Configuration file of CE4 connecting to a branch of enterprise B
#
sysname CE4
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
l Configuration file of Switch1
#
sysname Switch1
#
vlan batch 100 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100 200
port vlan-stacking vlan 20 stack-vlan 100
port vlan-stacking vlan 21 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.
Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
----End
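The traffic policy above is two mechanisms chained together: a classifier that compares the destination MAC against 0100-5e00-0000 under the mask ffff-ff00-0000 (the 01-00-5e prefix of IPv4 multicast MAC addresses), and a CAR action that lets matched frames through at 100 kbit/s and drops the excess. The following Python model is an added example, not Huawei code and not part of this guide. It implements the masked MAC match and a single-rate token bucket, then runs a constructed burst of low-rate multicast frames through the pair to show how much is suppressed. The committed burst size (12500 bytes, one second of traffic at 100 kbit/s) and the full initial bucket are assumptions of the model, not values from the guide; the frame timings and MAC addresses are constructed test data.

```python
"""Model of the multicast-suppression traffic policy: masked MAC classifier + CAR.

Added example, not Huawei code. Match MAC, mask and CIR are those used in the
procedure above; CBS and the initial bucket fill are assumptions of the model.
"""
from typing import Dict, Iterable, Tuple


def mac_to_int(mac: str) -> int:
    """Accept Huawei style (0100-5e00-0000) or colon style (01:00:5e:00:00:00)."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(dst_mac: str, match_mac: str, mask: str) -> bool:
    """if-match destination-mac <mac> mac-address-mask <mask>: compare only the masked bits."""
    m = mac_to_int(mask)
    return (mac_to_int(dst_mac) & m) == (mac_to_int(match_mac) & m)


class TokenBucketCar:
    """Single-rate CAR: tokens (bits) accrue at cir_kbps, capped at cbs_bytes * 8.
    Integer microsecond timestamps keep the arithmetic exact."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate_bps = cir_kbps * 1000
        self.capacity = cbs_bytes * 8
        self.tokens = self.capacity          # assumption: bucket starts full
        self.last_us = 0

    def conform(self, now_us: int, frame_len: int) -> bool:
        elapsed = now_us - self.last_us
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps // 1_000_000)
        self.last_us = now_us
        need = frame_len * 8
        if self.tokens >= need:
            self.tokens -= need
            return True                      # conforming: forwarded
        return False                         # exceeding: dropped


def apply_policy(frames: Iterable[Tuple[int, str, int]],
                 match_mac: str = "0100-5e00-0000", mask: str = "ffff-ff00-0000",
                 cir_kbps: int = 100, cbs_bytes: int = 12500) -> Dict[str, int]:
    """frames: (timestamp_us, destination MAC, length in bytes), in time order.
    Returns counters of the kind "statistic enable" makes visible."""
    car = TokenBucketCar(cir_kbps, cbs_bytes)
    stats = {"matched": 0, "passed": 0, "dropped": 0, "unmatched": 0}
    for ts, dst, length in frames:
        if not mac_matches(dst, match_mac, mask):
            stats["unmatched"] += 1          # not multicast: policy does not apply
            continue
        stats["matched"] += 1
        if car.conform(ts, length):
            stats["passed"] += 1
        else:
            stats["dropped"] += 1
    return stats


def sample_traffic():
    """Constructed burst: 1000 IPv4 multicast frames of 1000 bytes, one per
    millisecond (8 Mbit/s offered), plus 5 unicast frames interleaved."""
    frames = [(i * 1000, "0100-5e7f-0001", 1000) for i in range(1000)]
    frames += [(i * 1000 + 500, "0011-2233-4455", 64) for i in range(5)]
    return sorted(frames)


if __name__ == "__main__":
    print(apply_policy(sample_traffic()))
```

Two things the model makes visible: the classifier as written only catches IPv4 multicast (01-00-5e), so IPv6 multicast frames (33-33 prefix) pass the policy unmatched, and the pass count is dominated by the burst size, which is why the procedure warns to size the rate limit from the actual multicast service traffic rather than the 100 kbit/s placeholder.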
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly connects
to APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy WLAN
services for mobile office so that its employees can access the enterprise internal network
anywhere and anytime.
As shown in Figure 15-1, the AC connects to APs through a PoE switch, and the PoE switch
provides power for APs. The WLAN service is configured on the AC, and delivered to APs.
[Figure 15-1 is an image; the labels recovered from it are listed here.]
Internet -- GE1/0/2 (VLAN 101) AC GE1/0/1 (VLAN 100) -- GE0/0/2 (VLAN 100) PoE SwitchA GE0/0/1 (VLAN 100) -- AP -- STA, STA
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, Switch, and upstream device to implement Layer 2
interconnection.
2. Configure the AC as a DHCP server to assign IP addresses to STAs and the AP from an
IP address pool of an interface.
3. Configure AC system parameters, including the country code, AC ID, carrier ID, and
source interface used by the AC to communicate with the AP.
4. Set the AP authentication mode and add the AP to an AP region.
5. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the
WLAN.
a. Configure a WMM profile and a radio profile on the AP, retaining the default settings
of both, and bind the WMM profile to the radio profile so that STAs can communicate
with the AP.
b. Configure a WLAN-ESS interface so that radio packets can be sent to the WLAN
service module after reaching the AC.
c. Configure a security profile and a traffic profile on the AP, retaining the default
settings of both. Then configure a service set and bind the WLAN-ESS interface,
security profile, and traffic profile to it so that security policies and QoS policies are
applied to STAs.
d. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the
Internet through the WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN  60de-4476-e360  0/10                  normal    ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of service set to
101. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode
to tunnel.
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a
radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
When an STA detects the wireless network test and associates with it, the wireless PC is
allocated an IP address. You need to enter the pre-shared key to access the wireless network.
You can run the display station assoc-info command on the AC. The command output shows
that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
9021-55dc-3e17 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are advised not to configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
As shown in Figure 15-2, an enterprise's AC connects to the egress gateway Router of the
campus network and connects to APs through a PoE switch. The PoE switch provides power
to APs.
The enterprise requires a WLAN with SSID test so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses on 10.10.10.0/24 to users and manage users on the AC.
Figure 15-2 Networking diagram: Internet - Router (GE2/0/0) - VLAN 102 (VLANIF 102, 10.23.102.1) - AC (GE1/0/2 upstream, GE1/0/1 downstream) - VLAN 100 - PoE SwitchA (GE0/0/2 to the AC, GE0/0/1 to the AP) - VLAN 100 - AP - STAs
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network interconnection.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for
DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN  60de-4476-e360  0/10                  normal    ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of service set to
101. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode
to tunnel.
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a
radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit
After the configuration is complete, run the display vap ap 0 radio 0 command. The
command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 60DE-4476-E360 service
----------------------------------------------------------------------
Total: 1
When an STA detects the wireless network test and associates with it, the wireless PC is
allocated an IP address. You need to enter the pre-shared key to access the wireless network.
You can run the display station assoc-info command on the AC. The command output shows
that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
9021-55dc-3e17 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the Router
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.11.10.1
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP, as the security profile in the AC configuration file shows. To ensure network security, choose an appropriate security policy according to service requirements.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are advised not to configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, a large number of broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
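The Configuration Notes of this example and of the previous one state rules that a saved configuration can be checked against mechanically: the service VLAN must differ from the management VLAN in tunnel forwarding mode, AP-facing switch ports need port isolation in direct forwarding mode, and keys should only ever appear as ciphertext (wrapped in %^%#, %#%#, %@%@ or @%@%). The following Python script is an added example, not part of this guide or of Huawei's software. It parses the configuration-file format shown on this page and reports those violations plus TKIP encryption. The embedded sample configurations are constructed, modelled on the AC and SwitchA files above; the rule that an AP-facing port is a trunk whose PVID is the management VLAN is an assumption drawn from how SwitchA's GE0/0/1 is configured here, and the lint treats direct forwarding as the default when forward-mode is absent, as this guide states.

```python
"""Lint saved Huawei WLAN configs for the pitfalls listed in the Configuration Notes."""
import re
from typing import List, Optional, Tuple

CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")  # delimiters of a ciphertext key in a saved config
# Lines that open a new entry inside the "wlan" block of a saved configuration.
ENTRY_HEADS = re.compile(r"^(security-profile name|traffic-profile name|wmm-profile name|radio-profile name|"
                         r"service-set name|ap-region id|ap id|ap \d+ radio|wlan ac)")

def split_blocks(config: str) -> List[List[str]]:
    """Split a VRP-style config into its '#'-delimited blocks of stripped lines."""
    blocks: List[List[str]] = [[]]
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            blocks.append([])
        elif line and line != "return":
            blocks[-1].append(line)
    return [b for b in blocks if b]

def wlan_entries(config: str) -> List[List[str]]:
    """Each entry of the 'wlan' block as [head line, body lines...]; indentation is not relied on."""
    entries: List[List[str]] = []
    for block in split_blocks(config):
        for line in block[1:] if block[0] == "wlan" else []:
            if ENTRY_HEADS.match(line) or not entries:
                entries.append([line])
            else:
                entries[-1].append(line)
    return entries

def management_vlan(config: str) -> Optional[int]:
    """VLAN of the CAPWAP source interface (wlan ac source interface / capwap source interface)."""
    m = re.search(r"source interface vlanif\s*(\d+)", config)
    return int(m.group(1)) if m else None

def check_security_profile(name: str, body: List[str]) -> List[str]:
    findings = []
    for line in body:
        if re.search(r"encryption-method\s+tkip", line):
            findings.append(f"security-profile {name}: TKIP encryption, use ccmp")
        m = re.search(r"pass-phrase\s+(cipher|simple)\s+(\S+)", line)
        # A key the device saved as ciphertext is wrapped in the markers; anything else is the plaintext key.
        if m and not (m.group(1) == "cipher" and m.group(2).startswith(CIPHER_MARKERS)
                      and m.group(2).endswith(CIPHER_MARKERS)):
            findings.append(f"security-profile {name}: pre-shared key stored in plaintext")
    return findings

def check_service_set(name: str, body: List[str], mgmt: Optional[int]) -> Tuple[str, List[str]]:
    findings, mode, vlan = [], "direct", 1  # defaults stated in this guide
    for line in body:
        parts = line.split()
        if parts[0] == "forward-mode":
            mode = parts[1]
        elif parts[0] == "service-vlan":
            vlan = int(parts[1])
    if mgmt is not None and vlan == mgmt:
        rule = "not allowed in tunnel" if mode == "tunnel" else "not advised in direct"
        findings.append(f"service-set {name}: service VLAN {vlan} equals the management VLAN ({rule} forwarding mode)")
    return mode, findings

def lint(ac_config: str, switch_configs: List[str]) -> List[str]:
    """Findings for an AC config plus the configs of the switches between the AC and its APs."""
    mgmt = management_vlan(ac_config)
    findings = [] if mgmt is not None else ["AC: no CAPWAP source interface configured"]
    uses_direct = False
    for head, *body in wlan_entries(ac_config):
        if head.startswith("security-profile name"):
            findings += check_security_profile(head.split()[2], body)
        elif head.startswith("service-set name"):
            mode, more = check_service_set(head.split()[2], body, mgmt)
            findings += more
            uses_direct = uses_direct or mode == "direct"
    for head, *body in (b for cfg in switch_configs for b in split_blocks(cfg)):
        # Assumption: an AP-facing trunk port carries the AP's untagged CAPWAP traffic, so its PVID is the management VLAN.
        pvid = next((int(l.split()[-1]) for l in body if l.startswith("port trunk pvid vlan ")), None)
        ap_facing = head.startswith("interface ") and "port link-type trunk" in body and pvid == mgmt
        if uses_direct and ap_facing and not any(l.startswith("port-isolate enable") for l in body):
            findings.append(f"{head}: AP-facing port without port-isolate in direct forwarding mode")
    return findings

# Constructed samples modelled on the AC and SwitchA configuration files in this guide.
GOOD_AC = """\
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  service-vlan 101
#
"""
GOOD_SWITCH = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
#
"""
# Weakened variant: direct forwarding (the default), service VLAN = management VLAN, plaintext key, TKIP.
BAD_AC = re.sub(r"pass-phrase cipher \S+ encryption-method ccmp", "pass-phrase cipher Admin@123 encryption-method tkip",
                GOOD_AC.replace("  forward-mode tunnel\n", "").replace("service-vlan 101", "service-vlan 100"))
```

Run lint() on saved configuration files, not on the commands as typed: when a key is entered as cipher Admin@123 the device stores it as ciphertext, so a saved file that still shows the plaintext form is exactly the case the check is meant to catch. lint(BAD_AC, [GOOD_SWITCH]) returns four findings (TKIP, plaintext key, service VLAN equal to management VLAN, missing port isolation); lint(GOOD_AC, [GOOD_SWITCH]) returns none.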
Networking Requirements
A hospital needs to deploy a wired and a wireless network in the hospital building to meet
service requirements. To make management and maintenance easy, the administrator requires
that wired and wireless users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and wireless users
roam under the same AC.
As shown in Figure 15-3, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second
floors respectively. In each room, the AP2010DN is deployed to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches and directly provide power to
connected APs.
To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2, and all gateways are configured on the AC. The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs.
Figure 15-3 Networking diagram for configuring unified access for wired and wireless users
Internet - Router - AC - S5700-1 (first floor) and S5700-2 (second floor) - APs (AP2010DN in each room, AP5030DN in each corridor) - PCs and STAs
Data Planning
Item          Data                                           Description
AP103         -                                              AP5030DN deployed in the corridor on the first floor to provide wireless access
AP203         -                                              AP5030DN deployed in the corridor on the second floor to provide wireless access
Country code  CN                                             -
VLANIF102     10.23.102.1/24; 10.23.102.2-10.23.102.254/24   -
VLANIF202     10.23.202.1/24; 10.23.202.2-10.23.202.254/24   -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template with authentication, accounting, and authorization, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/4 of the S5700-1 and S5700-2 to VLAN 100
(management VLAN), interfaces GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 201 (VLAN
for wired service packets), and interfaces GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 202
(VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs, and
you are also advised to configure port isolation on these interfaces to reduce broadcast
packets. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar.
For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
# On the AC, add GE1/0/1 connected to the S5700-1 to VLAN 100 and VLAN 201, GE1/0/2
connected to the S5700-2 to VLAN 100 and VLAN 202, GE1/0/4 connected to the upper-
layer network to VLAN 300, and GE1/0/3 connected to the Agile Controller to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit
# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for
communication between the AC and Agile Controller.
[AC-Vlanif200] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to allocate IP
addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to allocate IP
addresses to STAs on the first floor.
Step 3 Configure a RADIUS server template with authentication, accounting, and authorization, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-
address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and
authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate
with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address
10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user
login and logout information and set the accounting port number to 1813. The AC
uses the IP address 10.23.200.2 to communicate with the RADIUS server
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user
name that the device sends to the RADIUS server does not carry the domain name.
Configure the command when the RADIUS server does not accept the user name with
the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //
Configure an IP address for the RADIUS authorization server, set the shared key
to Admin@123, same as the authentication and accounting keys. Configure the
authorization server so that the RADIUS server can deliver authorization rules to
the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius 1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication
scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme
radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template
radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Bind the Portal server template to the WLAN-ESS interface, enable Portal authentication
for wireless users, and configure non-authentication for wired users.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name portal1 force //Configure the forcible user domain
portal1.
[AC-Wlan-Ess1] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess1] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess1] web-auth-server portal1 direct //Bind the Portal server template
portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] domain name portal1 force //Configure the forcible user domain
portal1.
[AC-Wlan-Ess2] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess2] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess2] web-auth-server portal1 direct //Bind the Portal server template
portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess2] quit
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline according to the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 38 mac 60de-4476-e320 //Add the AP2010DN
offline with the MAC address 60de-4476-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 38 mac 60de-4476-e340 //Add the AP2010DN
offline with the MAC address 60de-4476-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 103 type-id 35 mac dcd2-fc04-b520 //Add the AP5030DN
offline with the MAC address dcd2-fc04-b520 and AP ID 103.
[AC-wlan-ap-103] quit
[AC-wlan-view] ap id 201 type-id 38 mac 60de-4476-e360 //Add the AP2010DN
offline with the MAC address 60de-4476-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 38 mac 60de-4476-e380 //Add the AP2010DN
offline with the MAC address 60de-4476-e380 and AP ID 202.
[AC-wlan-ap-202] quit
[AC-wlan-view] ap id 203 type-id 35 mac dcd2-fc04-b540 //Add the AP5030DN
offline with the MAC address dcd2-fc04-b540 and AP ID 203.
[AC-wlan-ap-203] quit
[AC-wlan-view] ap id 203
[AC-wlan-ap-203] region-id 2
[AC-wlan-ap-203] quit
# Power on the APs and run the display ap all command to check the AP running status. If the AP State field displays normal, the APs have gone online on the AC.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[6],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type   AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
101    AP2010DN  60de-4476-e320  0/1                   normal    ap-101
102    AP2010DN  60de-4476-e340  0/1                   normal    ap-102
103    AP5030DN  dcd2-fc04-b520  0/1                   normal    ap-103
201    AP2010DN  60de-4476-e360  0/2                   normal    ap-201
202    AP2010DN  60de-4476-e380  0/2                   normal    ap-202
203    AP5030DN  dcd2-fc04-b540  0/2                   normal    ap-203
------------------------------------------------------------------------------
Total number: 6,printed: 6
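Because AP authentication is MAC address based and every AP was added offline, the AC's view in display ap all should match the configured inventory exactly; anything else is either a misconfiguration or an AP that should not be there. The following Python script is an added example, not part of this guide: it parses the three outputs shown on this page (the ap id ... type-id ... mac ... entries with their optional region-id, the display ap-type all table, and the display ap all table) and reports APs that are online but were never added, APs whose MAC, model or region differs from what was configured, APs that are not in the normal state, and configured APs the AC does not report. The sample texts are constructed from the values on this page, plus a drifted variant of the display ap all output.

```python
"""Reconcile 'display ap all' on the AC with the APs added offline and the type-ID table."""
import re
from typing import Dict, List, NamedTuple, Optional

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

class ConfiguredAp(NamedTuple):
    type_id: int
    mac: str
    region: Optional[int]  # from the region-id line following the ap entry, if any

class SeenAp(NamedTuple):
    ap_type: str
    mac: str
    region: int
    state: str

def parse_ap_types(text: str) -> Dict[int, str]:
    """type-id -> model, from the two-column 'display ap-type all' output."""
    return {int(i): t for i, t in re.findall(r"^\s*(\d+)\s+(AP\S+)\s*$", text, re.M)}

def parse_inventory(config: str) -> Dict[int, ConfiguredAp]:
    """AP ID -> what 'ap id ... type-id ... mac ...' configured, plus an optional region-id on the next line."""
    pattern = rf"ap id (\d+) type-id (\d+) mac ({MAC})[^\n]*(?:\n[ \t]*region-id (\d+))?"
    return {int(i): ConfiguredAp(int(t), mac, int(r) if r else None)
            for i, t, mac, r in re.findall(pattern, config)}

def parse_ap_all(text: str) -> Dict[int, SeenAp]:
    """AP ID -> row of 'display ap all' (ID, Type, MAC, Profile ID/Region ID, State, Sysname)."""
    rows = re.findall(rf"^\s*(\d+)\s+(\S+)\s+({MAC})\s+\d+/(\d+)\s+(\S+)\s+\S+\s*$", text, re.M)
    return {int(i): SeenAp(t, mac, int(r), s) for i, t, mac, r, s in rows}

def reconcile(config: str, ap_types: str, ap_all: str) -> List[str]:
    types, inventory, seen = parse_ap_types(ap_types), parse_inventory(config), parse_ap_all(ap_all)
    findings = []
    for ap_id, ap in seen.items():
        exp = inventory.get(ap_id)
        if exp is None:
            findings.append(f"AP {ap_id} ({ap.mac}) is online but was never added offline")
            continue
        if ap.mac != exp.mac:
            findings.append(f"AP {ap_id}: MAC {ap.mac} differs from configured {exp.mac}")
        if types.get(exp.type_id) != ap.ap_type:
            findings.append(f"AP {ap_id}: model {ap.ap_type} differs from type-id {exp.type_id} ({types.get(exp.type_id)})")
        if exp.region is not None and ap.region != exp.region:
            findings.append(f"AP {ap_id}: in region {ap.region}, configured region-id {exp.region}")
        if ap.state != "normal":
            findings.append(f"AP {ap_id}: state {ap.state}")
    for ap_id in sorted(set(inventory) - set(seen)):
        findings.append(f"AP {ap_id} ({inventory[ap_id].mac}) is configured but not reported by the AC")
    return findings

# Constructed samples using the AP IDs, type IDs and MAC addresses shown in this example.
AP_TYPES = """\
ID  Type
35  AP5030DN
38  AP2010DN
"""
CONFIG = """\
wlan
 ap id 101 type-id 38 mac 60de-4476-e320
 ap id 103 type-id 35 mac dcd2-fc04-b520
 ap id 201 type-id 38 mac 60de-4476-e360
  region-id 2
 ap id 203 type-id 35 mac dcd2-fc04-b540
  region-id 2
"""
AP_ALL_OK = """\
Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
ID   Type      MAC             Profile/Region  State   Sysname
101  AP2010DN  60de-4476-e320  0/1             normal  ap-101
103  AP5030DN  dcd2-fc04-b520  0/1             normal  ap-103
201  AP2010DN  60de-4476-e360  0/2             normal  ap-201
203  AP5030DN  dcd2-fc04-b540  0/2             normal  ap-203
"""
# Drifted variant: AP103 in fault, AP201 in the wrong region, an unknown AP204 online, AP203 missing.
AP_ALL_DRIFT = """\
ID   Type      MAC             Profile/Region  State   Sysname
101  AP2010DN  60de-4476-e320  0/1             normal  ap-101
103  AP5030DN  dcd2-fc04-b520  0/1             fault   ap-103
201  AP2010DN  60de-4476-e360  0/1             normal  ap-201
204  AP2010DN  60de-4476-e3a0  0/2             normal  ap-204
"""
```

reconcile(CONFIG, AP_TYPES, AP_ALL_OK) returns an empty list; the drifted output yields four findings. The AC already marks an AP whose model disagrees with its type-id as Type-not-match, so the model check mainly guards against a stale type-id table; the MAC and "never added offline" checks are the ones that matter for MAC-based AP authentication.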
# Configure the AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] lineate-port ethernet 0 pvid vlan 201 //The downlink interface
of the AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID
for the interface. VLAN 201 is used to transmit wired service packets of the
first floor.
[AC-wlan-ap-101] lineate-port ethernet 0 vlan untagged 201 //The downlink
interface of the AP2010DN is used to connect wired terminals. Add the interface
to VLAN 201 in untagged mode.
[AC-wlan-ap-101] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-101] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-101] lineate-port gigabitethernet 0 vlan tagged 201 //The uplink
interface of the AP2010DN is used to connect to the upper-layer devices. Add the
interface to VLAN 201 in tagged mode.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] lineate-port ethernet 0 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 0 vlan untagged 201
[AC-wlan-ap-102] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-102] lineate-port gigabitethernet 0 vlan tagged 201
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] lineate-port ethernet 0 pvid vlan 202 //The downlink interface
of the AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID
for the interface. VLAN 202 is used to transmit wired service packets of the
second floor.
[AC-wlan-ap-201] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-201] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-201] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-201] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] lineate-port ethernet 0 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-202] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-202] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-202] quit
# Create the radio profile radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to
fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the
radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create service sets floor1 and floor2, and bind the service VLANs, WLAN-ESS interfaces,
security profile, and traffic profile to the service sets. Set the forwarding mode to tunnel
forwarding.
[AC-wlan-view] service-set name floor1 id 1 //Create the service set floor1.
[AC-wlan-service-set-floor1] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-service-set-floor1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-floor1] security-profile name security //Bind the security
profile security.
[AC-wlan-service-set-floor1] traffic-profile name traffic //Bind the traffic
profile traffic.
[AC-wlan-service-set-floor1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-floor1] forward-mode tunnel //Set the forwarding mode to
tunnel forwarding. The default forwarding mode is direct forwarding.
[AC-wlan-service-set-floor1] user-isolate //Configure Layer 2 isolation for
users connected to the same VAP.
[AC-wlan-service-set-floor1] quit
[AC-wlan-view] service-set name floor2 id 2
[AC-wlan-service-set-floor2] ssid hospital-wlan //Set the SSID to hospital-wlan.
All service sets must be configured with the same SSID, which is one of the
prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] wlan-ess 2
[AC-wlan-service-set-floor2] security-profile name security //Bind the security
profile security. All service sets must have the same security profile bound,
which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] traffic-profile name traffic
[AC-wlan-service-set-floor2] service-vlan 102
[AC-wlan-service-set-floor2] forward-mode tunnel
[AC-wlan-service-set-floor2] user-isolate
[AC-wlan-service-set-floor2] quit
# STAs discover the WLAN with the SSID hospital-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station assoc-info command on the AC. The command output
shows that the STAs have connected to the WLAN hospital-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address
SSID
------------------------------------------------------------------------------
e019-1dc7-1e08 101/0/1 6/11 11n -89 10.23.101.254
hospital-wlan
------------------------------------------------------------------------------
Total stations: 1
# STAs and PCs obtain IP addresses and connect to the network normally.
----End
Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
l Configuration file of the S5700-2 connected to wireless users
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %#%#ut)92(w\&0@UJ}J7}^3Z9x`9~Y$`2D1AGwDQ[+S.
%#%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2
weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2
weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %#
%#[m1~SG]5CAzg~K35!b^Wa';{=+k_40Q\YK~}UX6T%#%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50200
shared-key cipher %#%#^B],0yW|oJ1;j:U&`%}(=@2t*]e.$TOVrx@(I6rT%#%#
url http://10.23.200.1:8080/portal
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name floor1
ap-region id 2
ap-region-name floor2
ap id 101 type-id 38 mac 60de-4476-e320
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 203 radio 0
radio-profile id 1
channel 20MHz 11
power-level 10
service-set id 2 wlan 1
ap 203 radio 1
radio-profile id 1
channel 20MHz 157
power-level 10
service-set id 2 wlan 1
#
return
Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able to
communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal authentication
be used for wireless users in the coverage area of the wireless network. Since a large number
of wireless users exist, high wireless service performance and Portal authentication
performance are required.
As shown in Figure 15-4, the S9700 core switch functions as the gateway for STAs and APs
and as the DHCP server that assigns IP addresses to STAs and APs. The S9700 connects to APs
through the PoE access switches S5700-1 and S5700-2. The AC and APs are located on a Layer 3
network. The AC is an X series card in the S9700 and is connected to the S9700 through an
Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches are only used to
transparently transmit data at Layer 2.
Figure 15-4 Networking diagram for configuring WLAN services for a wireless city project
[Diagram not reproduced. Labels in the figure: Internet, Router, Controller, AC (GE2/0/1,
GE2/0/2), S9700 (GE1/0/1 to GE1/0/6), S5700-1 and S5700-2 (GE0/0/1, GE0/0/2, GE0/0/3)]
Data Planning
[Table not fully reproduced. Recoverable items: Country code CN; VLANIF102: 10.23.102.1/24,
address range 10.23.102.2-10.23.102.254/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and APs.
3. Configure a RADIUS server template with authentication, accounting, and authorization
settings, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management VLAN) and
VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected to APs, and you are
also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the
interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to
reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management VLAN) and
VLAN 102 (service VLAN). Set PVIDs for interfaces directly connected to APs, and you are
also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the
interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to
reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit
# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN 101,
GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3 connected to the
Controller to VLAN 300, GE1/0/4 connected to the upper-layer network to VLAN 101 and
VLAN 102, and GE1/0/5 and GE1/0/6 connected to the AC to Eth-Trunk 1. Add Eth-Trunk 1
to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and
GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit
# On the S9700, configure VLANIF 100 for communication with the AC and VLANIF 300
for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for
communication between the S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for
communication between the S9700 and Controller.
[S9700-Vlanif300] quit
# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1 and add Eth-Trunk 1
to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2
to Eth-Trunk1.
[AC-Eth-Trunk1] quit
Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S9700 to assign IP addresses to the STAs and APs from the global address
pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP
addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 3 ip-address 10.23.100.1 //Since
a Layer 3 network is deployed between the AC and APs, configure Option43 to
advertise the AC's IP address to APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP
addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 3 ip-address 10.23.100.1 //Since
a Layer 3 network is deployed between the AC and APs, configure Option43 to
advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
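The two address pools above push the AC address to the APs inside DHCP option 43, which is what lets an AP on a different IP subnet find its AC. The following added example (written for this page, not code from the Huawei document or from the device) shows the byte layout of that option and, on the receiving side, a parser that checks every length field before trusting the value. The only assumption not stated on the page is the payload format: the example encodes the sub-option 3 value as an ASCII dotted-decimal string, comma-separated for several ACs, and labels that in a comment.

```python
import ipaddress
import struct

OPTION_VENDOR_SPECIFIC = 43
# The page configures "option 43 sub-option 3 ip-address <AC address>".
# Assumption (not stated on the page): the sub-option 3 value is the AC address
# as an ASCII dotted-decimal string, with several addresses separated by commas.
SUBOPT_AC_ADDRESS = 3


def encode_option43(ac_addresses):
    """Build the complete option 43 TLV: code, length, encapsulated sub-options."""
    payload = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses).encode("ascii")
    if len(payload) > 253:                      # 2 bytes of sub-option header must also fit in 255
        raise ValueError("option 43 payload exceeds 255 bytes")
    sub = struct.pack("!BB", SUBOPT_AC_ADDRESS, len(payload)) + payload
    return struct.pack("!BB", OPTION_VENDOR_SPECIFIC, len(sub)) + sub


def parse_suboptions(body: bytes) -> dict:
    """Walk the encapsulated sub-option list (RFC 2132 section 8.4 layout: tag,
    length, value; tag 0 is pad, tag 255 is end). Every length is checked against
    the bytes actually present so a truncated or malformed reply raises instead
    of yielding garbage."""
    subs = {}
    i = 0
    while i < len(body):
        tag = body[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            break
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        length = body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, %d present" % (tag, length, len(value)))
        subs[tag] = value
        i += 2 + length
    return subs


def ac_addresses_from_option43(raw: bytes) -> list:
    """AP-side decode: validate the outer TLV, then parse and validate each address."""
    if len(raw) < 2 or raw[0] != OPTION_VENDOR_SPECIFIC or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed option 43")
    subs = parse_suboptions(raw[2:])
    if SUBOPT_AC_ADDRESS not in subs:
        return []
    text = subs[SUBOPT_AC_ADDRESS].decode("ascii")
    # ipaddress rejects anything that is not a valid IPv4 address (raises ValueError).
    return [str(ipaddress.IPv4Address(part)) for part in text.split(",")]
```

For the page's pool, encode_option43(["10.23.100.1"]) yields 43, 13, 3, 11 followed by the eleven ASCII bytes of the address; the decoder rejects a reply whose length bytes do not match what was received, which is the check an AP needs because option 43 arrives unauthenticated from whichever DHCP server answers first.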
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP
addresses to STAs connected to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102 //Configure a global IP address pool to assign IP
addresses to STAs connected to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
Step 3 Configure a RADIUS server template with authentication, accounting, and authorization
settings, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 1 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 2 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-
address 10.23.100.1 weight 20 //Configure the standby RADIUS authentication
server, with the weight value lower than the active authentication server. Set
the authentication port number to 1812. The AC uses the IP address 10.23.100.1 to
communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 1 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 2 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address
10.23.100.1 weight 20 //Configure the standby RADIUS accounting server, with
the weight value lower than the active accounting server. Set the accounting port
number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS
automatic detection interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
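The shared key configured above is the only thing that ties the AC to its RADIUS servers: it hides the user password inside Access-Request and authenticates every reply. The following added example (written for this page, not code from the Huawei document or the device's implementation) works through both uses as RFC 2865 defines them, with a constructed placeholder secret rather than the page's key. It shows the AC-side check that matters for a defender, verifying the Response Authenticator on each reply, so a reply built without the key, or a reply to a different request, is discarded.

```python
import hashlib
import hmac
import os
import struct

# Constructed placeholder secret; the page's own shared keys are not used here.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous ciphertext block), seeding the chain
    with the 16-byte Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes = b"") -> bytes:
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AC-side check on every reply: recompute the Response Authenticator with the
    local copy of the shared key and compare in constant time."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo_exchange() -> bool:
    """One AC-side exchange with a matching key; returns the verification result."""
    request_auth = os.urandom(16)
    request = build_access_request(7, b"sta-user", b"Sta@Pass1", SHARED_SECRET, request_auth)
    # Server side: the hidden password starts after the header, the Request
    # Authenticator, the User-Name attribute and the User-Password header.
    hidden = request[20 + 2 + len(b"sta-user") + 2:]
    assert reveal_password(hidden, SHARED_SECRET, request_auth) == b"Sta@Pass1"
    reply = build_access_accept(7, request_auth, SHARED_SECRET)
    return verify_response(reply, request_auth, SHARED_SECRET)
```

Two consequences follow directly from the construction: a server configured with a different key cannot recover the password, and any reply it sends fails verify_response on the AC, which is why the template's shared key must be identical on both ends and why the page records it only in ciphertext form.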
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius 1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time
accounting and set the accounting interval to 15 minutes. By default, real-time
accounting is disabled.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication
scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme
radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template
radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Bind the Portal server templates to service VLANIF interfaces to enable Portal
authentication.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] domain name portal1 force //Configure the forcible user domain
portal1.
[AC-Vlanif101] domain name portal1 //Configure the default user domain portal1.
[AC-Vlanif101] authentication portal //Configure Portal authentication.
[AC-Vlanif101] web-auth-server portal1 portal3 layer3 //Bind the Portal server
templates portal1 and portal3.
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] domain name portal1 force
[AC-Vlanif102] domain name portal1
[AC-Vlanif102] authentication portal
[AC-Vlanif102] web-auth-server portal2 portal3 layer3
[AC-Vlanif102] quit
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline according to the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 19 mac 60de-4476-e320 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 19 mac 60de-4476-e340 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201 type-id 19 mac 60de-4476-e360 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 19 mac 60de-4476-e380 //Add the AP6010DN-AGN
offline with the MAC address 60de-4476-e380 and AP ID 202.
[AC-wlan-ap-202] quit
region 2.
[AC-wlan-ap-region-2] ap-region-name area2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit
# Power on the APs and run the display ap all command to check the AP running status. If
the State field displays normal, the APs have gone online on the AC.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
101 AP6010DN-AGN 60de-4476-e320 0/1 normal ap-101
102 AP6010DN-AGN 60de-4476-e340 0/1 normal ap-102
201 AP6010DN-AGN 60de-4476-e360 0/2 normal ap-201
202 AP6010DN-AGN 60de-4476-e380 0/2 normal ap-202
------------------------------------------------------------------------------
Total number: 4,printed: 4
# Create the radio profile radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to
fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the
radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create service sets area1 and area2, and bind the service VLANs, WLAN-ESS interfaces,
security profile, and traffic profile to the service sets. Set the forwarding mode to direct
forwarding.
[AC-wlan-view] service-set name area1 id 1 //Create the service set area1.
[AC-wlan-service-set-area1] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-service-set-area1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-area1] security-profile name security //Bind the security
profile security.
[AC-wlan-service-set-area1] traffic-profile name traffic //Bind the traffic
profile traffic.
[AC-wlan-service-set-area1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-area1] forward-mode direct-forward //Set the forwarding
mode to direct forwarding (default setting).
[AC-wlan-service-set-area1] user-isolate //Configure Layer 2 isolation for users
connected to the same VAP.
[AC-wlan-service-set-area1] quit
[AC-wlan-view] service-set name area2 id 2
[AC-wlan-service-set-area2] ssid city-wlan //Set the SSID to city-wlan. All
service sets must be configured with the same SSID, which is one of the
prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] wlan-ess 2
[AC-wlan-service-set-area2] security-profile name security //Bind the security
profile security. All service sets must have the same security profile bound,
which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] traffic-profile name traffic
[AC-wlan-service-set-area2] service-vlan 102
[AC-wlan-service-set-area2] forward-mode direct-forward
[AC-wlan-service-set-area2] user-isolate
[AC-wlan-service-set-area2] quit
# STAs discover the WLAN with the SSID city-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station assoc-info command on the AC. The command output
shows that the STAs have connected to the WLAN city-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address
SSID
------------------------------------------------------------------------------
e019-1dc7-1e08 101/0/1 6/11 11n -89 10.23.101.254
city-wlan
------------------------------------------------------------------------------
Total stations: 1
----End
Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius1
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name area1
ap-region id 2
ap-region-name area2
ap id 101 type-id 19 mac 60de-4476-e320
region-id 1
ap id 102 type-id 19 mac 60de-4476-e340
region-id 1
ap id 201 type-id 19 mac 60de-4476-e360
region-id 2
ap id 202 type-id 19 mac 60de-4476-e380
region-id 2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name area1 id 1
wlan-ess 1
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name area2 id 2
wlan-ess 2
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
power-mode fixed
wmm-profile id 1
ap 101 radio 0
radio-profile id 1
power-level 10
service-set id 1 wlan 1
ap 101 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 1 wlan 1
ap 102 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 102 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 201 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 202 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 2 wlan 1
#
return
Configuration Notes
l In service data forwarding mode, the management VLAN and the service VLAN cannot be the
same. If the forwarding mode is direct forwarding, configuring the same VLAN as both the
management VLAN and the service VLAN is not recommended.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able to
communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
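Both sets of configuration notes on this page come down to two checks that can be run against the saved configuration files rather than remembered: every AP-facing port (the ones that carry the management VLAN as PVID) must have port-isolate enabled, and the management VLAN must not double as a service VLAN. The following added example (written for this page, not a Huawei tool) parses a VRP-style configuration file, whose sections are separated by lines containing only "#", and reports violations. The sample input is the page's S5700-1 configuration file with port-isolate deliberately removed from GigabitEthernet0/0/3 so that the audit has something to find; the management and service VLAN numbers are the ones the page uses for that switch.

```python
# Values taken from the page's S5700-1 example: VLAN 10 is the management VLAN
# (set as PVID on AP-facing ports), VLAN 101 is the service VLAN.
MANAGEMENT_VLAN = 10
SERVICE_VLANS = {101}

# Constructed sample input: the page's S5700-1 configuration file, with
# "port-isolate enable group 1" removed from GigabitEthernet0/0/3 on purpose.
SAMPLE_CONFIG = """\
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
#
return
"""


def parse_vlan_list(tokens):
    """Expand VRP VLAN lists such as ['10', '101'] or ['101', 'to', '102'] into a set."""
    vlans = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Return {interface name: settings} from a configuration file whose sections
    are delimited by lines containing only '#'."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = {"link_type": None, "pvid": None, "allow": set(), "isolate": False}
            interfaces[line.split(None, 1)[1]] = current
            continue
        if current is None:
            continue
        if line.startswith("port link-type "):
            current["link_type"] = line.split()[-1]
        elif line.startswith("port trunk pvid vlan "):
            current["pvid"] = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            current["allow"] = parse_vlan_list(line.split()[4:])
        elif line.startswith("port-isolate enable"):
            current["isolate"] = True
    return interfaces


def audit(config_text, management_vlan, service_vlans):
    """Apply the page's two configuration notes; returns a list of findings (empty when clean)."""
    findings = []
    if management_vlan in service_vlans:
        findings.append("management VLAN %d is also used as a service VLAN" % management_vlan)
    for name, itf in parse_interfaces(config_text).items():
        # The page sets the management VLAN as PVID only on ports that face an AP.
        ap_facing = itf["pvid"] == management_vlan
        if ap_facing and not itf["isolate"]:
            findings.append("%s: AP-facing port without port-isolate enable" % name)
        if ap_facing and not service_vlans <= itf["allow"]:
            missing = sorted(service_vlans - itf["allow"])
            findings.append("%s: AP-facing port does not allow service VLANs %s" % (name, missing))
    return findings
```

Running audit(SAMPLE_CONFIG, MANAGEMENT_VLAN, SERVICE_VLANS) reports GigabitEthernet0/0/3 as an AP-facing port without isolation; the same function applied to the S5700-2 and S9700 files above with their own VLAN numbers returns an empty list, which is the state the notes describe.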
l The following table lists applicable products and versions.
Networking Requirements
As shown in Figure 15-5, the enterprise's AC connects to the egress gateway (Router) and
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID of test
is available for wireless users and terminals to access network resources. The gateway also
functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network segment for
STAs. The AC controls and manages STAs.
The WLAN authentication client cannot be installed on wireless devices providing public
services, such as wireless printers and phones, so use MAC address authentication. The
RADIUS server authenticates wireless devices using their MAC addresses. No authentication
is required when STAs access the WLAN, facilitating the use of WLAN services.
Figure 15-5 Networking diagram for configuring MAC address authentication on the wireless
side
[Diagram not reproduced. Labels in the figure: Internet, Router (Gateway, GE2/0/0), RADIUS
Server 10.12.10.1:1812, AC (GE1/0/1, GE1/0/2, GE1/0/3), SwitchA (GE0/0/1, GE0/0/2), AP, STA,
STA]
Data Planning
[Table not fully reproduced. Recoverable item: AP region ID 10]
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a RADIUS server template and apply it to an AAA domain
3. Configure MAC address authentication on the WLAN-ESS interface to authenticate
STAs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for
DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the
Router destined for the network segment 10.10.10.0/24.
2. Globally configure user names in MAC address authentication without the delimiter "-"
(default setting).
3. Test whether a STA can be authenticated using RADIUS authentication. In MAC address
authentication, the STA's MAC address is used as both the user name and the password.
[AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
Info: Account test succeed.
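As an added illustration of what the test-aaa check above exercises (example code written for this page, not Huawei's implementation): the RADIUS Access-Request that MAC address authentication sends, with the MAC as both User-Name and User-Password, the RFC 2865 password hiding keyed by the shared key, a minimal allow-list server decision, and the client-side check of the Response Authenticator. The shared key, the allow-list and the "-" delimiter option are constructed or assumed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def mac_to_username(mac, delimiter=""):
    """Normalise a MAC such as 60de-4476-e360 to the user-name form the AC sends.
    The page's default is 12 hex digits with no delimiter (001122334455); passing
    delimiter="-" yields the xxxx-xxxx-xxxx form (assumed alternative format)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return delimiter.join(digits[i:i + 4] for i in range(0, 12, 4)) if delimiter else digits


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, mac, secret, authenticator=None):
    """Access-Request for MAC address authentication: the MAC is both User-Name and
    User-Password, which is what 'test-aaa 001122334455 001122334455' exercises."""
    authenticator = authenticator or os.urandom(16)
    username = mac_to_username(mac).encode()
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(username, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, {attr_type: value}) with length checks."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def mac_auth_server(request, secret, allowed_macs):
    """Minimal server decision for MAC authentication: accept only if the revealed
    password equals the user name and that MAC is on the allow-list. The Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, req_auth, attrs = parse_packet(request)
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = (code == ACCESS_REQUEST and password == username
          and username.decode("ascii", "replace") in allowed_macs)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Client-side check that a reply is authentic and belongs to our request: same
    identifier and a Response Authenticator computed with the shared key."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_identifier, req_auth, _ = parse_packet(request)
    if identifier != req_identifier or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

A wrong shared key on either side shows up as a reject or as a failed Response Authenticator check, which is the symptom to look for when test-aaa does not report success.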
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region ID State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   60de-4476-e360  0/10       normal   ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service
set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to
tunnel forwarding.
[AC-wlan-service-set-test] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the Router
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
undo radius-server user-name domain-included
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface WLAN-ESS1
port trunk allow-pass vlan 101
authentication mac-authen
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
Configuration Notes
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to APs. If port isolation is not configured, a large number of broadcast packets are
transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.
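An added example (not from the page or from Huawei) that checks an AC configuration file against the notes above: the management and service VLAN must differ in tunnel forwarding, the service VLAN must be allowed on the WLAN-ESS interface, the management VLAN must be carried on a GigabitEthernet trunk, and shared keys must be stored as ciphertext (the %^%#, %#%#, %@%@ and @%@% wrappers the switch uses). The sample configuration is constructed after the AC file shown earlier, with a placeholder cipher string, and the parser assumes the #-delimited block layout of those files.

```python
import re

# Wrappers the switch stores ciphertext in (see the 'shared-key cipher' lines in the AC file)
CIPHERTEXT_WRAPPERS = ("%^%#", "%#%#", "%@%@", "@%@%")

# Constructed sample modelled on the page's AC configuration file; the key is a placeholder.
AC_CONFIG = """\
vlan batch 100 to 103
#
radius-server template radius_huawei
 radius-server shared-key cipher %#%#PLACEHOLDER-CIPHERTEXT%#%#
#
interface GigabitEthernet1/0/1
 port trunk allow-pass vlan 100
#
interface WLAN-ESS1
 port trunk allow-pass vlan 101
#
wlan
 wlan ac source interface vlanif100
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  service-vlan 101
#
return
"""


def parse_blocks(text):
    # Split the file into its '#'-delimited blocks; the first line of a block is its heading.
    blocks = [[]]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def vlan_set(spec):
    # Expand a VLAN list such as '100 to 103 200' into a set of ints.
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ac_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, declared, allowed, sets, mgmt = [], {1}, {}, [], None
    for block in parse_blocks(text):
        head = block[0]
        for line in block:
            m = re.match(r"(?:wlan ac|capwap) source interface vlanif(\d+)$", line)
            mgmt = int(m.group(1)) if m else mgmt
            m = re.match(r".*shared-key(?: (cipher|simple))? (\S+)$", line)
            if m and (m.group(1) != "cipher" or not any(
                    m.group(2).startswith(w) and m.group(2).endswith(w) for w in CIPHERTEXT_WRAPPERS)):
                findings.append("plaintext shared key under '%s': store it as ciphertext" % head)
        if head.startswith("vlan batch "):
            declared |= vlan_set(head[11:])
        elif head.startswith("interface "):
            name = head[10:].lower()
            allowed[name] = set()
            for line in block[1:]:
                m = re.match(r"port trunk allow-pass vlan (.+)", line)
                if m:
                    allowed[name] |= vlan_set(m.group(1))
        elif head == "wlan":
            cur = None
            for line in block[1:]:
                m = re.match(r"service-set name (\S+)", line)
                if m:
                    cur = {"name": m.group(1), "mode": "direct", "vlan": 1, "ess": None}
                    sets.append(cur)
                elif cur is not None:
                    for key, pat in (("mode", r"forward-mode (\S+)$"), ("vlan", r"service-vlan (\d+)$"),
                                     ("ess", r"wlan-ess (\d+)$")):
                        m = re.match(pat, line)
                        if m:
                            cur[key] = m.group(1) if key == "mode" else int(m.group(1))
    if mgmt is None:
        findings.append("no CAPWAP source interface: management VLAN unknown")
    elif not any(mgmt in v for n, v in allowed.items() if n.startswith("gigabitethernet")):
        findings.append("management VLAN %d is not allowed on any GigabitEthernet trunk" % mgmt)
    for s in sets:
        if s["vlan"] == mgmt:  # forbidden in tunnel forwarding, not advised in direct forwarding
            findings.append("service-set %s: service VLAN %d %s equal management VLAN in %s forwarding"
                            % (s["name"], s["vlan"], "must not" if s["mode"] == "tunnel" else "should not", s["mode"]))
        if s["vlan"] not in declared:
            findings.append("service-set %s: service VLAN %d is not created by 'vlan batch'" % (s["name"], s["vlan"]))
        if s["vlan"] not in allowed.get("wlan-ess%s" % s["ess"], set()):
            findings.append("service-set %s: service VLAN %d is not allowed on WLAN-ESS%s" % (s["name"], s["vlan"], s["ess"]))
    return findings
```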
Networking Requirements
As shown in Figure 15-6, the AC deployed in an open place connects to the egress gateway
(Router), RADIUS server, and Portal server, and connects to the AP through SwitchA. The
WLAN with the SSID of test is available for users to access network resources. The gateway
also functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network
segment for STAs. The AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks. To facilitate access to
the WLAN, use the default security policy on the AC. STAs are not authenticated and data is
not encrypted. To uniformly manage STAs and allow only paid users to access the Internet,
configure Portal authentication on the AC. Any user who attempts to access the Internet is
redirected to the Portal authentication web page. A paid user connects to the Internet after
entering the user name and password, and the RADIUS server starts accounting. An unpaid
user must pay for the WLAN service and use the obtained user name and password to
complete Portal authentication. Generally, the Portal authentication web page provides a
payment function.
Figure 15-6 Networking diagram for configuring Portal authentication on the wireless side
[Figure: Internet; Router (Gateway) GE2/0/0; Portal Server 10.13.10.1; RADIUS Server 10.12.10.1 (authentication port 1812, accounting port 1813); AC GE1/0/2 to the Router, GE1/0/3 to the RADIUS Server, GE1/0/4 to the Portal Server, GE1/0/1 to SwitchA GE0/0/2; SwitchA GE0/0/1 to the AP; STAs]
Data Planning
AP region ID 10
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This example uses
default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and use a RADIUS
server to authenticate STAs' identities and perform accounting.
3. Configure Portal authentication. Hypertext Transfer Protocol (HTTP) request packets
from a user are redirected to the web page of the Portal server. After the user enters
identity information, the STA sends the user identity information to the RADIUS server.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit
# Add GE1/0/4 that connects the AC to the Portal server to VLAN 104.
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 104
[AC-GigabitEthernet1/0/4] quit
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for
DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit
# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the
MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region ID State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   60de-4476-e360  0/10       normal   ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service
set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to
tunnel forwarding.
[AC-wlan-service-set-test] quit
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a
radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
sysname AC
#
vlan batch 100 to 104
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server accounting 10.12.10.1 1813 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
#
web-auth-server test
server-ip 10.13.10.1
port 50100
shared-key cipher %#%#Q"r\<Ei]o@"%dKN@Y(i,:nj2IY$e>=mXxg8Cdb]0%#%#
url http://10.13.10.1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme radius_huawei
accounting-mode radius
domain huawei.com
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface Vlanif104
ip address 10.13.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 104
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
permit-domain name huawei.com
domain name huawei.com force
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to APs. If port isolation is not configured, a large number of broadcast packets are
transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
Networking Requirements
As shown in Figure 15-7, a WLAN containing three APs (AP1, AP2, and AP3) is deployed
on the campus network. The three APs join AP region 10.
Users expect the three APs to automatically adjust their channels and power to reduce
interference and achieve optimal WLAN performance.
[Figure 15-7: AP1, AP2, and AP3 (each serving STAs) connect to SwitchA GE0/0/1, GE0/0/2, and GE0/0/3 in VLAN 100; SwitchA GE0/0/4 connects to AC GE1/0/1 in VLAN 100; AC GE1/0/4 connects to the Internet in VLAN 101]
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
2. Configure schedule mode radio calibration for APs to enable the APs to dynamically
adjust channels and power so that the APs work at optimal performance.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 to VLAN
100 (management VLAN).
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to the APs from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Set the AP authentication mode to MAC address authentication (default setting). Add the
AP offline according to the AP type ID. Assume that the AP type is AP6010DN-AGN and the
MAC addresses of the APs are 60de-4476-e360, dcd2-fc04-b500, and dcd2-fc96-e4c0
respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 type-id 19 mac dcd2-fc96-e4c0
[AC-wlan-ap-3] quit
# After powering on the three APs, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region ID State    Sysname
------------------------------------------------------------------------------
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode and power mode to auto in the radio profile (default settings).
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit
# Set the radio calibration mode to schedule and configure the device to start radio
calibration at 3:00 a.m. every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00
# Enable radio calibration in the radio profile view. By default, radio calibration is enabled in
the radio profile view.
# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
------------------------------------------------------------------------------
STA MAC          AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
14cf-9208-9abf   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1
You can run the display statistics calibrate ap 1 radio 0 command on the AC to check the
radio calibration statistics on AP1.
[AC-wlan-view] display statistics calibrate ap 1 radio 0
-----------------------------------------------------------------------
Signal environment deterioration : 1
Power calibration                : 1
Channel calibration              : 0
-----------------------------------------------------------------------
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to APs. If port isolation is not configured, a large number of broadcast packets are
transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
Networking Requirements
As shown in Figure 15-8, AP1 and AP2 connect to the AC through SwitchA and join AP
region 10.
When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, reducing WLAN service quality. The enterprise wants STAs to be balanced on the two
APs to prevent one AP from being heavily loaded.
[Figure 15-8: AP1 and AP2 connect to SwitchA GE0/0/1 and GE0/0/2 in VLAN 100; SwitchA GE0/0/3 connects to AC GE1/0/1 in VLAN 100; AC GE1/0/3 connects to the Internet in VLAN 101]
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
2. Configure session-based static load balancing to prevent new STAs from associating
with heavily-loaded APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN,
and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile    AP       AP
ID   Type           MAC             /Region ID State    Sysname
------------------------------------------------------------------------------
1    AP6010DN-AGN   60de-4476-e360  0/10       normal   ap-1
2    AP6010DN-AGN   dcd2-fc04-b500  0/10       normal   ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a WMM profile named wmm and retain the default settings in the profile.
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The
default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set
to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode
to tunnel forwarding.
[AC-wlan-service-set-test] quit
Step 8 Configure a load balancing group, add AP1 and AP2 to the load balancing group, and set the
load balancing mode of the group to session-based load balancing.
[AC-wlan-view] load-balance-group name huawei //Create load balancing group
huawei.
[AC-wlan-load-group-huawei] member ap-id 1 radio-id 0 //Add AP1 radio 0 to load
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-CCMP. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly
connects to APs. If port isolation is not configured, a large number of broadcast packets are
transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded only when the network between the AC and APs is added to
the management VLAN and the network between the AC and upper-layer network
is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l Radio traffic statistics packets are sent and received together with Echo packets. In this
example, traffic-based dynamic load balancing is used. You are advised to set the
CAPWAP heartbeat detection interval to 30s to 60s so that the radio traffic statistics can
be updated in a timely manner.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
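The forwarding-mode notes above can be checked mechanically against the configuration files this guide prints. The following is an added example, not Huawei's code: it parses the AC and switch configuration-file format shown on this page and reports a direct-forwarding service set whose service VLAN equals the management VLAN, and AP-facing switch ports without port isolation. It assumes that the management VLAN is the VLAN of the interface named by wlan ac source interface vlanifN, that a service set with no forward-mode line uses direct forwarding, and that port isolation appears as a port-isolate enable line under the interface (that command is not shown on this page).

```python
"""Consistency checks for the forwarding-mode notes (added example, not Huawei code)."""
import re


def parse_service_sets(ac_config):
    """Map each service-set name to its service VLAN and forwarding mode.

    Defaults follow the page: service VLAN 1; forward-mode direct is an assumption."""
    sets, current = {}, None
    for raw in ac_config.splitlines():
        line = raw.strip()
        m = re.match(r"service-set name (\S+) id \d+$", line)
        if m:
            current = sets.setdefault(m.group(1), {"service_vlan": 1, "forward_mode": "direct"})
        elif line.startswith("service-vlan ") and current is not None:
            current["service_vlan"] = int(line.split()[1])
        elif line.startswith("forward-mode ") and current is not None:
            current["forward_mode"] = line.split()[1]
    return sets


def management_vlan(ac_config):
    """Management VLAN = VLAN of the CAPWAP source interface (None if a loopback is used)."""
    m = re.search(r"^\s*wlan ac source interface vlanif(\d+)\s*$", ac_config, re.M)
    return int(m.group(1)) if m else None


def parse_interfaces(switch_config):
    """Map each interface name to the commands configured under it ('#' ends a block)."""
    interfaces, current = {}, None
    for raw in switch_config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line:
            current.append(line)
    return interfaces


def check_forwarding(ac_config, switch_config, ap_facing_ports):
    """Return a list of findings; an empty list means both notes are satisfied."""
    findings = []
    mgmt = management_vlan(ac_config)
    sets = parse_service_sets(ac_config)
    direct_sets = [n for n, s in sets.items() if s["forward_mode"] == "direct"]
    for name in direct_sets:
        if mgmt is not None and sets[name]["service_vlan"] == mgmt:
            findings.append(f"service-set {name}: direct forwarding with service VLAN "
                            f"{mgmt} equal to the management VLAN")
    if direct_sets:  # port isolation only matters when AP traffic is bridged locally
        interfaces = parse_interfaces(switch_config)
        for port in ap_facing_ports:
            cmds = interfaces.get(port, [])
            if not any(c.startswith("port-isolate enable") for c in cmds):
                findings.append(f"{port}: faces an AP but has no port isolation "
                                f"(direct forwarding in use)")
    return findings


# Constructed inputs, trimmed from the configuration files shown on this page.
AC_TUNNEL = """\
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
#
wlan
 wlan ac source interface vlanif100
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  service-vlan 101
#
return
"""
# Constructed variant: direct forwarding with the service VLAN set to the management VLAN.
AC_DIRECT_BAD = AC_TUNNEL.replace("forward-mode tunnel", "forward-mode direct").replace(
    "service-vlan 101", "service-vlan 100")
SWITCH_A = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
AP_PORTS = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"]

if __name__ == "__main__":
    print(check_forwarding(AC_TUNNEL, SWITCH_A, AP_PORTS))   # [] : tunnel mode, nothing to flag
    for f in check_forwarding(AC_DIRECT_BAD, SWITCH_A, AP_PORTS):
        print("finding:", f)
```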
Networking Requirements
As shown in Figure 15-9, AP1 and AP2 connecting to the AC through SwitchA are dual-band
APs and join AP region 10. STAs in AP region 10 support 2.4 GHz and 5 GHz frequency
bands. Both 2.4 GHz and 5 GHz WLANs need to be deployed in AP region 10.
When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, reducing WLAN service quality. The enterprise wants STAs to be balanced on the two
APs to prevent one AP from being heavily loaded.
[Figure 15-9 diagram: Internet - AC GE1/0/3 (VLAN 101); AC GE1/0/1 (VLAN 100) - SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) - AP1 and AP2]
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
2. Configure traffic-based dynamic load balancing to prevent new STAs from associating
with heavily-loaded APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN,
and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a WMM profile named wmm and retain the default settings in the profile.
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default settings in the profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name radio
[AC-wlan-radio-2/1] channel 40mhz-plus 149
[AC-wlan-radio-2/1] service-set name test
[AC-wlan-radio-2/1] quit
------------------------------------------------------------------------------
Sta-load-balance enable : Yes
Sta-load-balance mode : Traffic
Sta-load-balance session gap threshold : 4
Sta-load-balance traffic gap threshold : 25
Sta-load-balance associate threshold : 10
------------------------------------------------------------------------------
l If a new STA requests to connect to one of the four VAPs in AP region 10, the AC uses a
dynamic load balancing algorithm to determine whether to allow access from the STA. If
the load difference between the requested VAP and the lowest load is larger than 25%,
the AC rejects the association request of the STA. If the STA continues sending
association requests to the VAP for more than 10 times, the AC allows the STA to
associate with the VAP.
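The decision rule just described, carried through as an added example (not Huawei's code): a small simulation of the AC's STA load-balancing check using the thresholds shown in the display output above (traffic gap 25, session gap 4, associate threshold 10). It also covers the session mode the output lists; how a VAP's traffic load is measured is not defined on this page, so traffic loads here are constructed percentages and session load is the count of associated STAs.

```python
"""Simulation of dynamic STA load balancing (added example, not Huawei code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vap:
    """One VAP (the service set on one AP radio) in the AP region."""
    ap_id: int
    radio_id: int
    traffic_pct: int = 0                          # constructed: radio traffic load in percent
    stations: set = field(default_factory=set)    # MACs currently associated

    @property
    def key(self):
        return (self.ap_id, self.radio_id)


class StaLoadBalancer:
    """Dynamic STA load balancing with the thresholds from the display output."""

    def __init__(self, mode="traffic", traffic_gap=25, session_gap=4,
                 associate_threshold=10):
        if mode not in ("traffic", "session"):
            raise ValueError("mode must be 'traffic' or 'session'")
        self.mode = mode
        self.traffic_gap = traffic_gap            # percentage points
        self.session_gap = session_gap            # number of STAs
        self.associate_threshold = associate_threshold
        self.vaps = {}                            # (ap_id, radio_id) -> Vap
        self.attempts = defaultdict(int)          # (sta_mac, vap key) -> rejected requests so far

    def add_vap(self, vap):
        self.vaps[vap.key] = vap

    def load(self, vap):
        return vap.traffic_pct if self.mode == "traffic" else len(vap.stations)

    def gap(self):
        return self.traffic_gap if self.mode == "traffic" else self.session_gap

    def request(self, sta_mac, ap_id, radio_id):
        """Handle one association request; True means the AC allows the association."""
        vap = self.vaps[(ap_id, radio_id)]
        if sta_mac in vap.stations:
            return True                           # already associated here
        lowest = min(self.load(v) for v in self.vaps.values())
        overloaded = self.load(vap) - lowest > self.gap()
        key = (sta_mac, vap.key)
        self.attempts[key] += 1
        if overloaded and self.attempts[key] <= self.associate_threshold:
            return False                          # rejected; the STA should pick a lighter VAP
        # Allowed: the VAP is within the gap, or the STA has retried more than the
        # associate threshold and the AC stops refusing it.
        self.attempts.pop(key, None)
        vap.stations.add(sta_mac)
        return True


def region_from_page():
    """The four VAPs of AP region 10 (two dual-band APs) with constructed traffic loads."""
    lb = StaLoadBalancer(mode="traffic", traffic_gap=25, session_gap=4,
                         associate_threshold=10)
    for (ap, radio), pct in {(1, 0): 80, (1, 1): 20, (2, 0): 10, (2, 1): 30}.items():
        lb.add_vap(Vap(ap, radio, traffic_pct=pct))
    return lb


def persistent_sta_outcome(lb, sta_mac="0025-86aa-0d1c", ap_id=1, radio_id=0, tries=11):
    """Outcome of one STA repeatedly requesting the same (here heavily loaded) VAP."""
    return [lb.request(sta_mac, ap_id, radio_id) for _ in range(tries)]


if __name__ == "__main__":
    lb = region_from_page()
    print(persistent_sta_outcome(lb))          # ten rejections, then accepted
    print(lb.request("0025-86aa-0d1d", 2, 1))  # within 25 points of the lowest load: accepted
```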
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 210235555310CC000094
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
sta-load-balance enable
sta-load-balance mode traffic
sta-load-balance traffic gap 25
sta-load-balance associate-threshold 10
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 11
service-set id 1 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 149
service-set id 1 wlan 1
#
return
Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
Networking Requirements
As shown in Figure 15-10, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The default security policy (WEP open system authentication) is used.
User data is forwarded through tunnels.
The department requires that services should not be interrupted when an STA moves from
AP1 to AP2.
Figure 15-10 Networking diagram for configuring non-fast roaming between APs in the same
service VLAN
[Figure 15-10 diagram: Internet - AC GE1/0/3 (VLAN 101); AC GE1/0/1 (VLAN 100) - SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) - AP1 (SSID test, channel 1) and AP2 (SSID test, channel 6); a STA roams from AP1 to AP2]
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which
shortens the roaming switchover time. Configure non-fast roaming between APs in the
same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to the APs from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN,
and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. By default, the VLAN ID of a service set is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit
When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1
Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when an STA uses a non-WPA2-802.1x
security policy. If an STA uses WPA2-802.1x but does not support fast roaming, the STA still
needs to complete 802.1x authentication before roaming between two APs. When the user
uses the WPA2-802.1x security policy and supports fast roaming, the user does not need to
perform 802.1x authentication again during roaming and only needs to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves the WLAN
service experience.
Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in the VAP
profile view.
l If direct forwarding is used, configure port isolation on the switch interfaces that directly
connect to APs. If port isolation is not configured, a large number of broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can communicate directly
at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
As shown in Figure 15-11, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The security policy WPA2-802.1X is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 15-11 Networking diagram for configuring fast roaming between APs in the same
service VLAN
[Figure 15-11 diagram: Internet - AC GE1/0/3 (VLAN 101); AC GE1/0/4 (VLAN 102) - RADIUS server 192.168.0.2/24; AC GE1/0/1 (VLAN 100) - SwitchA GE0/0/3 (VLAN 100); SwitchA GE0/0/1 and GE0/0/2 (VLAN 100) - AP1 (SSID test, channel 1) and AP2 (SSID test, channel 6); a STA roams from AP1 to AP2]
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which
results in longer roaming switchover time. Configure fast roaming between APs in the
same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and AC can transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs, and configure
VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Specify the IP address and the port number of a RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme.
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to radius.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain.
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Configure an authentication scheme in the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Configure a RADIUS server template for the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
After domain huawei.com is configured, the domain name is added to the authentication user
name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN,
and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method
ccmp //Configure WPA2 802.1x authentication and encryption.
[AC-wlan-sec-prof-security] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create a service set named test and bind the WLAN-ESS interface, security profile, and
traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
l Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID test. Set the authentication mode to WPA2-
Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to
PEAP and click Settings. In the displayed dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1
Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %#%#`z0u2h-7qBdp(x:|E]|#62(s!J~(}*DNPx<+Bbr!%#%
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return
Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
Networking Requirements
As shown in Figure 15-12, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The default security policy (WEP open system authentication) is used. User
data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 15-12 Networking diagram for configuring non-fast roaming between APs in different
service VLANs
The networking in Figure 15-12: the AC connects to the Internet through GE1/0/3 (VLANs 101 and 102) and to SwitchA through GE1/0/1 (VLAN 100), which attaches to GE0/0/3 on SwitchA (VLAN 100). SwitchA connects to AP1 on GE0/0/1 and to AP2 on GE0/0/2, both in VLAN 100. Both APs advertise SSID test, AP1 on channel 1 and AP2 on channel 6, and the STA roams from AP1 to AP2. Management VLAN: VLAN 100 on both APs. Service VLAN: VLAN 101 on AP1 and VLAN 102 on AP2. AP region ID: 10.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required, which
shortens the roaming switchover time. Configure non-fast roaming between APs in
different service VLANs to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and the AC can exchange CAPWAP packets.
# Configure the SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-
AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel
forwarding.
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit
After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1
Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return
Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in the VAP profile view.
l If direct forwarding is used, configure port isolation on the switch interfaces that directly
connect to the APs. Without port isolation, large numbers of broadcast packets are flooded within
the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
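The roaming preconditions in these notes (the same SSID with identically configured security profiles on every AP a STA roams between, no reliance on the default WEP open-system policy, and port isolation on AP-facing interfaces whenever direct forwarding is used) can be checked against the AC configuration file before a roaming test. The following Python script is an added example, not part of this guide or of the Huawei product. The configuration it parses is constructed here and modelled on the files in this section, with one deliberate mismatch (service set huawei-2 bound to a different security profile than huawei-1 on the same SSID) and one service set left on the defaults; the interface name GigabitEthernet1/0/1 is taken from the configuration files above. It assumes the layout of the extracted files on this page (one object per line, blocks separated by #) and that a service set with no forward-mode line forwards directly.

```python
"""Added example (not from the guide): audit a Huawei WLAN AC configuration
for the roaming preconditions in the Configuration Notes. Checks: (1) service
sets with the same SSID use identically configured security profiles, (2) no
profile relies on the default WEP open-system policy, (3) direct-forwarding
service sets have port isolation on the AP-facing interfaces. The sample
configuration is constructed, modelled on the files in this section."""
import re
from collections import defaultdict

BLOCK_START = ("interface ", "security-profile name", "service-set name", "radio-profile name",
               "traffic-profile name", "wmm-profile name", "ap-region id", "ap ")
BLOCK_END = {"#", "return", "wlan"}
SEC_RE = re.compile(r"^security-profile name (\S+) id (\d+)$")
SS_RE = re.compile(r"^service-set name (\S+) id (\d+)$")

# Constructed sample: huawei-2 is deliberately bound to a different profile
# than huawei-1 (same SSID), and profile 'guest' keeps the WEP default.
SAMPLE_AC_CONFIG = """\
#
interface GigabitEthernet1/0/1
port trunk allow-pass vlan 100
#
wlan
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method dot1x encryption-method ccmp
security-profile name guest id 2
service-set name huawei-1 id 0
forward-mode tunnel
ssid test
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
ssid test
security-profile id 2
service-vlan 102
service-set name guest-1 id 2
ssid guest
security-profile id 2
service-vlan 103
#
return
"""


def parse_blocks(config_text):
    """Split the file into (header, body_lines) blocks. Indentation is ignored
    (the extracted files on this page have none); a block is opened by a header
    keyword and closed by the next header, '#', 'return' or the bare 'wlan'."""
    blocks, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in BLOCK_END or line.startswith(BLOCK_START):
            if header is not None:
                blocks.append((header, body))
            header = line if line.startswith(BLOCK_START) else None
            body = []
        elif header is not None:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config_text, ap_facing_ports=()):
    """Return findings; ap_facing_ports names the interfaces that lead to APs,
    which the configuration itself does not reveal."""
    profiles, service_sets, isolated = {}, [], set()
    for header, body in parse_blocks(config_text):
        sec, ss = SEC_RE.match(header), SS_RE.match(header)
        if sec:
            profiles[sec.group(2)] = (sec.group(1), tuple(sorted(body)))
        elif ss:
            kv = dict(ln.split(None, 1) for ln in body if " " in ln)
            service_sets.append({"name": ss.group(1), "ssid": kv.get("ssid"),
                                 "profile": kv.get("security-profile", "").replace("id ", ""),
                                 # Assumption: no forward-mode line means direct forwarding.
                                 "forward": kv.get("forward-mode", "direct")})
        elif header.startswith("interface ") and "port-isolate enable" in body:
            isolated.add(header.split(" ", 1)[1])
    findings, by_ssid = [], defaultdict(list)
    for ss in service_sets:
        by_ssid[ss["ssid"]].append(ss)
    for ssid, sets in by_ssid.items():  # check 1: roaming precondition
        if len({profiles.get(s["profile"], ("?", ()))[1] for s in sets}) > 1:
            names = ", ".join(s["name"] for s in sets)
            findings.append(f"SSID '{ssid}': service sets {names} use security profiles "
                            "with different settings; STAs cannot roam between their APs")
    for name, body in profiles.values():  # check 2: policy strength
        policy = next((ln.split()[1] for ln in body if ln.startswith("security-policy ")), "wep")
        if policy != "wpa2":
            findings.append(f"security profile '{name}' uses policy '{policy}' "
                            "(WEP open system is the default); use wpa2 with ccmp")
        elif not any("encryption-method ccmp" in ln for ln in body):
            findings.append(f"security profile '{name}' is wpa2 but not CCMP-only")
    for ss in service_sets:  # check 3: direct forwarding needs port isolation
        if ss["forward"] == "direct":
            missing = [p for p in ap_facing_ports if p not in isolated]
            if missing or not ap_facing_ports:
                where = ", ".join(missing) or "the AP-facing interfaces"
                findings.append(f"service set '{ss['name']}' uses direct forwarding; "
                                f"enable port-isolate on {where}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AC_CONFIG, ap_facing_ports=("GigabitEthernet1/0/1",)):
        print("FINDING:", f)
```

On a live AC, paste the output of display current-configuration into SAMPLE_AC_CONFIG (leading indentation is stripped, so the real file parses the same way) and list the trunk interfaces that lead to the APs in ap_facing_ports. The sample produces three findings: the SSID test mismatch, the WEP default on profile guest, and the missing port isolation for the direct-forwarding service set guest-1.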
Networking Requirements
As shown in Figure 15-13, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The security policy WPA2-802.1X is used. User data is forwarded through
tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 15-13 Networking diagram for configuring fast roaming between APs in different
service VLANs
The networking in Figure 15-13: the AC connects to the Internet through GE1/0/3 (VLANs 101 and 102), to the RADIUS server at 192.168.0.2/24 through GE1/0/4, and to SwitchA through GE1/0/1 (VLAN 100), which attaches to GE0/0/3 on SwitchA (VLAN 100). SwitchA connects to AP1 on GE0/0/1 and to AP2 on GE0/0/2, both in VLAN 100. Both APs advertise SSID test, AP1 on channel 1 and AP2 on channel 6, and the STA roams from AP1 to AP2. Management VLAN: VLAN 100 on both APs. Service VLAN: VLAN 101 on AP1 and VLAN 102 on AP2. AP region ID: 10.
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required, which
results in a longer roaming switchover time. Configure fast roaming between APs in
different service VLANs to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC as a DHCP server to assign IP addresses to the STAs and APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.
Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA and the AC
so that the APs and the AC can exchange CAPWAP packets.
# Configure the SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs,
and configure VLANIF 103 to allow the AC to communicate with the RADIUS server.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
NOTE
After domain huawei.com is configured, the domain name is added to the authentication user
name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
# Set the AP authentication mode to MAC address authentication (default setting). Add the
APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-
AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit
# After powering on AP1 and AP2, run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-1
2 AP6010DN-AGN dcd2-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method
ccmp //Configure WPA2 802.1x authentication and encryption.
[AC-wlan-sec-prof-security] quit
# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Configure service sets for AP1 and AP2, and set the data forwarding mode to tunnel
forwarding.
# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit
After the configuration is complete, the STA can connect to the WLAN with the SSID test in
the coverage area of AP1. Configure the 802.1X supplicant on the STA for the EAP method used
by the RADIUS server (PEAP in this example) and enter the user name and password. If the
authentication succeeds, the STA can access the Internet.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the
WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap
1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1
When the STA moves from the coverage of AP1 to AP2, run the display station assoc-info
ap 2 command on the AC to check the STA access information. The STA is associated with
AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
0025-86aa-0d1c 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1
Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the
STA roaming track.
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 60de-4476-e360 2012/12/23 14:40:37
2 0 dcd2-fc04-b500 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 103
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
region-id 10
ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.
Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the WDS function.
Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A can
connect to SwitchA through cables, but AP2 in Area B and AP3 in Area C cannot. The
enterprise needs to provide Internet access for WLAN users in the three areas and wired users
in Area C, as shown in Figure 15-14.
The networking in Figure 15-14: the AC sits in front of the IP backbone network and connects through GE1/0/0 to GE0/0/2 on SwitchA. GE0/0/1 on SwitchA connects by cable to AP1 (root) in Area A. AP2 (middle) in Area B and AP3 (leaf) in Area C are reached over wireless virtual links (AP1 to AP2, AP2 to AP3). In Area C, a switch attached to the wired interface of AP3 connects the wired users of the Layer 2 network. WLAN STAs associate with the APs in all three areas.
Data Planning
Before configuring the WDS service, determine the types and MAC addresses of the APs
used as WDS bridges. The following table provides the data plan for this example.
NOTE
The APs used in this example are AP6010DN-AGN.
Item: Service VLAN
Data: VLANs 101 to 106
l Area A: VLAN 101 for WLAN services
l Area B: VLAN 102 for WLAN services
l Area C: VLAN 103 for WLAN services
l Area C: VLANs 104, 105, and 106 on AP3 wired interfaces
Description: The WDS bridges must allow packets of the service VLANs to which Area A, Area B, and Area C belong.
Item: Radio profile
Data: Name: rp01 and rp02
Description: Use radio profile rp02 for the WDS service and radio profile rp01 for the basic WLAN service.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the AC,
SwitchA, and AP1.
2. Configure the WDS function to allow AP2 and AP3 to connect to the AC using wireless
links.
3. Configure the basic WLAN service to provide Internet access service for WLAN users in
Area A, Area B, and Area C.
Procedure
Step 1 Connect AC and AP1.
# Configure the access switch SwitchA. Add GE0/0/1 on SwitchA to VLAN 100 (the management
VLAN) and set its PVID to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets from
VLANs 100 to 106 to pass through.
NOTE
Configure port isolation on GE0/0/1 that connects SwitchA and AP. Otherwise, unnecessary packets are
broadcast in the VLAN or WLAN users of different APs can communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If the port isolation
group is not specified, the interface is added to port isolation group 1 by
default.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
# Set the NAC mode to unified mode on the AC (default setting). Configure GE1/0/0 to allow
packets from VLANs 100 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 to 106
[AC] interface gigabitEthernet 1/0/0
[AC-GigabitEthernet1/0/0] port link-type trunk
[AC-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 106
[AC-GigabitEthernet1/0/0] quit
# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID 0. AP
regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit
# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By default,
an AP is added to region 0. This example adds the three APs to regions 101, 102, and 103
respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit
# Create a radio profile rp02 for the WDS bridges, set the channel mode to fixed and retain
the default settings for other parameters, and bind the WMM profile wp01 to the radio profile.
The default channel mode is auto, but the fixed mode must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed // The APs along the WDS link
must use the same channel, so the fixed mode must be used.
[AC-wlan-radio-prof-rp02] quit
# Create the bridge whitelists bw01 and bw02. By default, no bridge whitelist is created. This
example uses whitelist bw01 for the root node and whitelist bw02 for the middle node to
control connection between neighboring APs.
[AC-wlan-view] bridge-whitelist name bw01
[AC-wlan-br-whitelist-bw01] peer ap mac 0046-4b59-1d20 // The middle AP
needs to connect to the root AP, so AP2's MAC address is added to bw01.
[AC-wlan-br-whitelist-bw01] quit
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 0046-4b59-1d40 // The leaf AP needs
to connect to the middle AP, so AP3's MAC address is added to bw02.
[AC-wlan-br-whitelist-bw02] quit
# Bind the radio profile rp02 to radio 1 of AP1, set the bridge mode of radio 1 to root, and
bind the bridge whitelist bw01 to radio 1. By default, no bridge whitelist is bound to a radio.
This example binds bridge whitelist bw01 to the root AP's radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] bridge enable mode root
[AC-wlan-radio-1/1] bridge-whitelist name bw01
[AC-wlan-radio-1/1] bridge whitelist enable
[AC-wlan-radio-1/1] quit
# Bind the radio profile rp02 to radio 1 of AP2, set the bridge mode of radio 1 to middle, and
bind the bridge whitelist bw02 to radio 1. By default, no bridge whitelist is bound to a radio.
This example binds bridge whitelist bw02 to the middle AP's radio.
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] bridge enable mode middle
[AC-wlan-radio-2/1] bridge-whitelist name bw02
# Bind AP3 radio 1 to the radio profile rp02 and set the wireless bridge working mode to leaf.
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] bridge enable mode leaf
[AC-wlan-radio-3/1] quit
# After the preceding configurations are complete, power on the APs. If the APs have been
powered on, restart the root AP to make the configuration take effect. Run the display ap all
and display bridge-link all commands on the AC to check whether the APs work properly
and whether the WVLs are successfully established. If the WVLs are displayed and the status of
all the APs is normal, the management bridge is successfully established.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 0046-4b59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 0046-4b59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 0046-4b59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3
[AC-wlan-view] display bridge-link all
------------------------------------------------------------------------------
AP ID  AP MAC  Radio ID  Coverage Distance(100m)  Channel  Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 0046-4b59-1ee0 1 3 149 root
0046-4b59-1d20 2 normal -33 -32
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1ee0 1 normal -31 -31
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1d40 3 normal -33 -32
3 0046-4b59-1d40 1 3 149 leaf
0046-4b59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
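The bridge whitelists configured above are only confirmed by the verification that follows them: display bridge-link all lists every peer each bridge radio has actually accepted, so the output can be compared with the whitelists bound to the root and middle radios. The following Python script is an added example, not part of this guide or of the Huawei product. It parses the two-line records of display bridge-link all (a constructed copy of the output above, plus an invented extra link from the middle AP to an AP 4 with MAC 0046-4b59-1d60 that is not on bw02) and reports peers that are not whitelisted, links without a reciprocal entry, leaves with more than one peer, and bridge radios on different channels. The whitelist contents are taken from the bw01 and bw02 configuration in this procedure; everything else is constructed for the example.

```python
"""Added example (not from the guide): cross-check 'display bridge-link all'
output against the bridge whitelists bound to the root and middle radios.
A peer missing from the upstream radio's whitelist, a link without a
reciprocal entry, a leaf with more than one peer, or bridge radios on
different channels all indicate a misconfiguration or an unexpected WDS
partner. The command output below is constructed, modelled on this section."""
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")

# Whitelists from the procedure, keyed by (AP ID, radio ID): bw01 on AP1 radio 1
# admits the middle AP, bw02 on AP2 radio 1 admits the leaf AP.
WHITELISTS = {(1, 1): {"0046-4b59-1d20"}, (2, 1): {"0046-4b59-1d40"}}

PAGE_OUTPUT = """\
------------------------------------------------------------------------------
AP ID AP MAC Radio ID Coverage Distance(100m) Channel Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 0046-4b59-1ee0 1 3 149 root
0046-4b59-1d20 2 normal -33 -32
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1ee0 1 normal -31 -31
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1d40 3 normal -33 -32
3 0046-4b59-1d40 1 3 149 leaf
0046-4b59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
"""

# Constructed: the same output with an invented extra leaf (AP 4) on the middle AP.
ROGUE_OUTPUT = PAGE_OUTPUT + """\
2 0046-4b59-1d20 1 3 149 middle
0046-4b59-1d60 4 normal -40 -38
4 0046-4b59-1d60 1 3 149 leaf
0046-4b59-1d20 2 normal -40 -38
"""


def parse_bridge_links(output):
    """Parse the two-line records: line 1 is AP ID, AP MAC, Radio ID, Coverage
    Distance, Channel, Bridge Work Mode; line 2 is Peer AP MAC, Peer AP ID,
    Peer AP Status, RSSI, Max RSSI. Headers and separators are skipped."""
    links, pending = [], None
    for raw in output.splitlines():
        t = raw.split()
        if not t or raw.startswith("-"):
            continue
        if t[0].isdigit() and len(t) == 6 and MAC_RE.match(t[1]):
            pending = {"ap_id": int(t[0]), "ap_mac": t[1], "radio": int(t[2]),
                       "channel": int(t[4]), "mode": t[5]}
        elif pending and len(t) == 5 and MAC_RE.match(t[0]):
            links.append({**pending, "peer_mac": t[0], "peer_id": int(t[1]),
                          "peer_status": t[2], "rssi": int(t[3])})
            pending = None
    return links


def check_wds(links, whitelists):
    """Return findings for the parsed links against the configured whitelists."""
    findings = []
    mode_of = {ln["ap_mac"]: ln["mode"] for ln in links}
    pairs = {(ln["ap_mac"], ln["peer_mac"]) for ln in links}
    for ln in links:
        # A root or middle radio's whitelist governs its downstream peer; the
        # middle AP's link towards the root is checked from the root's side.
        downstream = ln["mode"] in ("root", "middle") and mode_of.get(ln["peer_mac"]) != "root"
        if downstream:
            allowed = whitelists.get((ln["ap_id"], ln["radio"]))
            if allowed is None:
                findings.append(f"AP {ln['ap_id']} radio {ln['radio']} ({ln['mode']}) has no "
                                "bridge whitelist; any AP with the bridge name and PSK can attach")
            elif ln["peer_mac"] not in allowed:
                findings.append(f"AP {ln['ap_id']} radio {ln['radio']} ({ln['mode']}) is bridged "
                                f"to {ln['peer_mac']} (AP {ln['peer_id']}), not on its whitelist")
        if (ln["peer_mac"], ln["ap_mac"]) not in pairs:
            findings.append(f"link {ln['ap_mac']} -> {ln['peer_mac']} has no reciprocal entry")
    for ap_mac, mode in mode_of.items():
        n = sum(1 for ln in links if ln["ap_mac"] == ap_mac)
        if mode == "leaf" and n != 1:
            findings.append(f"leaf {ap_mac} has {n} bridge links, expected 1")
    channels = {ln["channel"] for ln in links}
    if len(channels) > 1:
        findings.append(f"bridge radios are on different channels: {sorted(channels)}")
    return findings


if __name__ == "__main__":
    print("page output:", check_wds(parse_bridge_links(PAGE_OUTPUT), WHITELISTS))
    print("rogue output:", check_wds(parse_bridge_links(ROGUE_OUTPUT), WHITELISTS))
```

On a live AC, replace PAGE_OUTPUT with the captured command output and WHITELISTS with the peer ap mac entries of each whitelist and the radio it is bound to. The page's own output produces no findings; the constructed extra peer produces one, and leaving bw02 out of WHITELISTS produces a second kind (a middle radio with no whitelist), which is the case the procedure's bridge whitelist enable step is meant to prevent.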
NOTE
The AP that establishes the bridge on a WDS network supports only WPA2+PSK+CCMP.
[AC] wlan
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher
huawei123 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit
# Create a bridge profile with the name bp01 and identifier ChinaNet01, and bind the bridge
profile to the security profile sp01.
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name ChinaNet01
[AC-wlan-bridge-prof-bp01] vlan tagged 101 to 106 //Allow packets of the service VLANs to pass.
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC-wlan-bridge-prof-bp01] quit
# Create a bridge VAP on AP1 radio 1 and bind the radio to the bridge profile. Create a
service VAP on AP1 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] service-set name ss01
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Radios that establish a WDS link must use the same channel and bandwidth. Here, the radios use a 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit
# Create a bridge VAP on AP2 radio 1 and bind the radio to the bridge profile. Create a
service VAP on AP2 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit
# Create a bridge VAP on AP3 radio 1 and bind the radio to the bridge profile. Create a
service VAP on AP3 radio 0 and bind the radio to the radio profile and service set.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit
NOTE
After changing the working mode of AP wired interfaces, reset the APs to make the configurations take
effect.
The AP parameters configured on the AC take effect only after they are delivered to the APs.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
WLAN users in areas A, B, and C and wired users in area C can access the Internet.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
return
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 0
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb%@%@ encryption-method ccmp
service-set name ss01 id 0
wlan-ess 1
ssid ChinaSer01
traffic-profile id 0
security-profile id 0
service-vlan 101
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
vlan tagged 101 to 106
radio-profile name rp01 id 0
wmm-profile id 0
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 1
bridge-whitelist name bw01 id 0
peer ap mac 0046-4b59-1d20
bridge-whitelist name bw02 id 1
peer ap mac 0046-4b59-1d40
ap 1 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 1
bridge-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode leaf
bridge-profile id 0
#
return
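The configuration file above is the artifact an auditor actually gets to see, so it is worth checking mechanically. The following Python script is an added example, not part of the original guide: it parses a saved AC configuration of the form shown above, follows every bridge-profile or mesh-profile to the security-profile id it binds, and flags anything other than security-policy wpa2 with encryption-method ccmp (the only policy the WDS NOTE above allows), a pass-phrase that is not stored between the device's ciphertext markers, and a root or middle bridge radio without bridge whitelist enable (the example above enables the whitelist on exactly those radios). The configuration fragment, the placeholder ciphertext strings and the marker list are constructed assumptions: %@%@ is the form visible in the page's own configuration file, the other markers are assumed from Huawei's password conventions.

```python
import re

# Constructed AC configuration fragment modelled on the WDS configuration file
# above. The pass-phrase ciphertexts are placeholder strings, not real keys.
SAMPLE_AC_CONFIG = """\
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@PLACEHOLDER-CIPHERTEXT-1%@%@ encryption-method ccmp
security-profile name sp02 id 1
security-policy wpa
wpa authentication-method psk pass-phrase cipher %@%@PLACEHOLDER-CIPHERTEXT-2%@%@ encryption-method tkip
security-profile name sp03 id 2
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
bridge-profile name bp02 id 1
bridge-name ChinaNet02
security-profile id 1
mesh-profile name mesh01 id 0
mesh-id ChinaNet03
security-profile id 2
ap 1 radio 1
bridge enable mode root
bridge whitelist enable
bridge-profile id 0
ap 2 radio 1
bridge enable mode middle
bridge-profile id 1
ap 3 radio 1
bridge enable mode leaf
bridge-profile id 0
"""

# Assumed ciphertext markers: a stored value that starts and ends with one of
# these is ciphertext; anything else is treated as a plaintext pass-phrase.
CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")

VIEW_RE = re.compile(r"^(security-profile|bridge-profile|mesh-profile) name (\S+) id (\d+)$")
RADIO_RE = re.compile(r"^ap (\d+) radio (\d+)$")
PSK_RE = re.compile(r"^(wpa2?) authentication-method psk pass-phrase (?:(cipher) )?(\S+) encryption-method (\S+)$")


def parse_config(text):
    """Split a flat (unindented) configuration into profile views and radio views."""
    profiles, radios, current = {}, {}, None   # (kind, id) -> view, (ap, radio) -> lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        m = VIEW_RE.match(line)
        if m:
            current = profiles.setdefault((m.group(1), int(m.group(3))), {"name": m.group(2), "lines": []})["lines"]
            continue
        m = RADIO_RE.match(line)
        if m:
            current = radios.setdefault((int(m.group(1)), int(m.group(2))), [])
            continue
        if current is not None:
            current.append(line)
    return profiles, radios


def check_security_profile(profile):
    """Findings for a security profile that protects a WDS or Mesh link."""
    findings, lines = [], profile["lines"]
    if "security-policy wpa2" not in lines:
        findings.append("security policy is not wpa2")
    psk = next((PSK_RE.match(l) for l in lines if PSK_RE.match(l)), None)
    if psk is None:
        findings.append("no PSK pass-phrase configured")
        return findings
    _, keyword, secret, encryption = psk.groups()
    if encryption != "ccmp":
        findings.append(f"encryption method is {encryption}, not ccmp")
    # The 'cipher' keyword alone proves nothing; only the markers show that the
    # stored value is ciphertext rather than a pasted plaintext key.
    if not (keyword and any(secret.startswith(mk) and secret.endswith(mk) for mk in CIPHER_MARKERS)):
        findings.append("pass-phrase is stored in plaintext")
    return findings


def audit(text):
    """Map each offending view ('bridge-profile bp02', 'ap 2 radio 1', ...) to its findings."""
    profiles, radios = parse_config(text)
    report = {}
    for (kind, _), profile in profiles.items():
        if kind == "security-profile":
            continue
        key = f"{kind} {profile['name']}"
        sec_id = next((int(l.split()[-1]) for l in profile["lines"] if l.startswith("security-profile id ")), None)
        if sec_id is None:
            report[key] = ["no security profile bound"]
            continue
        sec = profiles.get(("security-profile", sec_id))
        findings = check_security_profile(sec) if sec else [f"security-profile id {sec_id} not found"]
        if findings:
            report[key] = findings
    for (ap_id, radio_id), lines in radios.items():
        mode = next((l.split()[-1] for l in lines if l.startswith("bridge enable mode ")), None)
        if mode in ("root", "middle") and "bridge whitelist enable" not in lines:
            report[f"ap {ap_id} radio {radio_id}"] = ["bridge whitelist not enabled on a root/middle radio"]
    return report


if __name__ == "__main__":
    for view, findings in audit(SAMPLE_AC_CONFIG).items():
        print(view, "->", "; ".join(findings))
```

Run against the sample, bp01 passes, bp02 is reported for WPA/TKIP, mesh01 for a plaintext key and AP 2 radio 1 for a middle node without a whitelist. The parser keys profiles by numeric id because that is how the saved file references them; the operator-side form (security-profile name sp01) is not resolved.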
Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.
Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the Mesh function.
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP4030DN, AP4130DN, AP5030DN, AP8030DN,
AP8130DN, and AP5130DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l It is recommended that you deploy no more than 40 Mesh nodes on a Mesh network.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.
Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A can
connect to the access switch (SwitchA) through a wired link, but AP2 in Area B and AP3 in
Area C cannot. A WMN needs to be deployed in the three areas to connect AP2 and AP3 to
the enterprise network, as shown in Figure 15-15.
Figure 15-15 (not reproduced): the AC connects through GE1/0/1 to GE0/0/2 of SwitchA; GE0/0/1 of SwitchA connects over the Layer 2 network to AP1 (MPP) in Area A; AP2 (MP) in Area B and AP3 (MP) in Area C are reached over Mesh links; STAs associate with the APs in each area.
Data Plan
Before configuring the Mesh service, determine the types and MAC addresses of the APs
used as Mesh nodes. The following table provides the data plan for this example.
NOTE
The APs used in this example are AP6010DN-AGN.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the AC,
SwitchA, and AP1.
2. Configure the Mesh function to enable AP2 and AP3 to connect to the AC through Mesh
links.
3. Configure the basic WLAN service to provide Internet access service for WLAN users in
Area A, Area B, and Area C.
Procedure
Step 1 Connect AP1 to the AC.
# Configure SwitchA. Add GE0/0/1 of SwitchA to management VLAN 100, set the PVID to
VLAN 100, and configure GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 and
VLANs 102 to 106 to pass through.
NOTE
You are advised to configure port isolation on GE0/0/1 that connects SwitchA to AP1. If port isolation is not
configured, unnecessary packets are broadcast in the VLANs or WLAN users connected to different APs can
communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 102 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If no isolation group is specified for an interface, the interface is added to isolation group 1.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/2] quit
# Set the NAC mode to unified mode on the AC (default setting). Configure GE1/0/1 to allow
packets from VLAN 100 and VLANs 102 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 102 to 106
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 102 to 106
[AC-GigabitEthernet1/0/1] quit
# Configure the Ethernet interfaces that connect APs to SwitchA to allow packets from
VLAN102 to VLAN106 to pass through.
NOTE
If MPP Ethernet interfaces are not configured to allow packets carrying service VLAN tags to pass through,
communication fails.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] lineate-port gigabitethernet 0 vlan tagged 102 to 106
[AC-wlan-ap-1] quit
# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID 0. AP
regions 101, 102, and 103 are used as an example here.
# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By default,
an AP is added to region 0. This example adds the three APs to regions 101, 102, and 103
respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit
# Create a WMM profile named wp01 and retain the default settings in the profile.
[AC-wlan-view] wmm-profile name wp01 id 1
[AC-wlan-wmm-prof-wp01] quit
# Create a radio profile rp02, set the channel mode to fixed and retain the default settings for
other parameters, and bind the WMM profile wp01 to the radio profile. The default channel
mode is auto, but the fixed mode must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed //The APs along the Mesh link must use the same channel, so the fixed mode is used here.
[AC-wlan-radio-prof-rp02] quit
# Create a Mesh whitelist mesh01. By default, no Mesh whitelist is created. This example
uses Mesh whitelist mesh01 for the Mesh nodes.
[AC-wlan-view] mesh-whitelist name mesh01
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1d20
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1d40
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 0046-4b59-1ee0 //Configure the whitelist according to your needs. In this example, links are allowed among all three APs to make the Mesh network robust, so the MAC addresses of all three APs are added to mesh01.
[AC-wlan-mesh-whitelist-mesh01] quit
# Create security profile sp01, set the security and authentication policy to WPA2-PSK, set
the authentication key to 12345678, and set the encryption mode to CCMP.
NOTE
On a WMN, the APs that connect to each other wirelessly support only security policy WPA2+PSK+CCMP.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher 12345678 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit
# Create a Mesh profile mesh01. Set the Mesh network ID to ChinaNet01, bind the security
profile sp01 to the Mesh profile, and retain the default settings of other parameters.
[AC-wlan-view] mesh-profile name mesh01
[AC-wlan-mesh-prof-mesh01] mesh-id ChinaNet01
[AC-wlan-mesh-prof-mesh01] security-profile name sp01 //Bind security profile sp01, as described above.
[AC-wlan-mesh-prof-mesh01] quit
# Create a Mesh VAP on radio 1 of AP1 and set the role of radio 1 to MPP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] mesh-role mesh-portal
[AC-wlan-radio-1/1] mesh-whitelist name mesh01
[AC-wlan-radio-1/1] mesh-profile name mesh01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Radios setting up a Mesh link must use the same channel and bandwidth. This example uses a 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit
# Create a Mesh VAP on radio 1 of AP2 and set the role of radio 1 to MP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio. Create a service VAP on radio 0 of
AP2 and bind radio profile rp01 and service set ss02 to radio 0.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] mesh-role mesh-node
[AC-wlan-radio-2/1] mesh-whitelist name mesh01
[AC-wlan-radio-2/1] mesh-profile name mesh01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit
# Create a Mesh VAP on radio 1 of AP3 and set the role of radio 1 to MP, and bind the Mesh
whitelist mesh01 and Mesh profile mesh01 to the radio. Create a service VAP on radio 0 of
AP3 and bind radio profile rp01 and service set ss03 to radio 0.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] mesh-role mesh-node
[AC-wlan-radio-3/1] mesh-whitelist name mesh01
[AC-wlan-radio-3/1] mesh-profile name mesh01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit
NOTE
After changing the working mode of AP wired interfaces, reset the APs to make the configurations take
effect.
# Run the display ap all command on the AC to check whether the status of APs is normal
and run the display mesh-link all command on the AC to check whether Mesh links have
been established. If the command output shows that APs are in normal state and displays
Mesh link information, APs have established Mesh links.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 0046-4b59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 0046-4b59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 0046-4b59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3
[AC-wlan-view] display mesh-link all
----------------------------------------------------------------------
AP ID Radio ID Mesh-link ID WLAN ID Peer AP ID Mesh Role
----------------------------------------------------------------------
1 1 0 16 3 mesh-portal
1 1 1 16 2 mesh-portal
2 1 0 16 3 mesh-node
2 1 1 16 1 mesh-node
3 1 0 16 1 mesh-node
3 1 1 16 2 mesh-node
----------------------------------------------------------------------
Total: 6
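The verification step above (and the equivalent display bridge-link all check in the WDS example earlier) is easy to automate once the output is captured over SSH. The following Python script is an added example, not part of the original guide: it parses display ap all and display mesh-link all output of the form shown above, maps peer AP IDs to MAC addresses, and reports any AP that is not in the normal state, any link whose peer is not in the Mesh whitelist, any link that is not reported from both ends, and a topology in which no mesh-portal reports a link. The embedded output and the whitelist set (the three MACs of mesh-whitelist mesh01) are constructed from the page's sample; the column layout matches that sample and would need adjusting for other AC versions.

```python
import re

# Constructed sample output modelled on the display ap all and
# display mesh-link all output above, embedded so the check runs offline.
AP_ALL_OUTPUT = """\
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1      AP6010DN-AGN  0046-4b59-1ee0  0/101                 normal    ap-1
2      AP6010DN-AGN  0046-4b59-1d20  0/102                 normal    ap-2
3      AP6010DN-AGN  0046-4b59-1d40  0/103                 normal    ap-3
------------------------------------------------------------------------------
Total number: 3
"""

MESH_LINK_OUTPUT = """\
----------------------------------------------------------------------
AP ID  Radio ID  Mesh-link ID  WLAN ID  Peer AP ID  Mesh Role
----------------------------------------------------------------------
1      1         0             16       3           mesh-portal
1      1         1             16       2           mesh-portal
2      1         0             16       3           mesh-node
2      1         1             16       1           mesh-node
3      1         0             16       1           mesh-node
3      1         1             16       2           mesh-node
----------------------------------------------------------------------
Total: 6
"""

# The peer MACs configured in mesh-whitelist mesh01 above.
MESH_WHITELIST = {"0046-4b59-1d20", "0046-4b59-1d40", "0046-4b59-1ee0"}

AP_ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\S+\s+(\S+)\s+(\S+)$")
LINK_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(mesh-portal|mesh-node)$")


def parse_ap_all(text):
    """Return {ap_id: (mac, state)} from display ap all output."""
    aps = {}
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if m:
            aps[int(m.group(1))] = (m.group(3), m.group(4))
    return aps


def parse_mesh_links(text):
    """Return [(ap_id, radio_id, peer_ap_id, role)] from display mesh-link all output."""
    links = []
    for line in text.splitlines():
        m = LINK_ROW.match(line.strip())
        if m:
            links.append((int(m.group(1)), int(m.group(2)), int(m.group(5)), m.group(6)))
    return links


def verify_mesh(ap_all, mesh_links, whitelist):
    """Return a list of problems; an empty list means the Mesh looks healthy."""
    aps = parse_ap_all(ap_all)
    links = parse_mesh_links(mesh_links)
    problems = []
    for ap_id, (mac, state) in aps.items():
        if state != "normal":
            problems.append(f"AP {ap_id} ({mac}) is in state {state}")
    reported = {(ap_id, peer) for ap_id, _, peer, _ in links}
    for ap_id, radio_id, peer, _ in links:
        peer_mac = aps.get(peer, (None, None))[0]
        if peer_mac is None:
            problems.append(f"AP {ap_id} radio {radio_id}: peer AP {peer} is unknown to the AC")
        elif peer_mac not in whitelist:
            problems.append(f"AP {ap_id} radio {radio_id}: peer {peer_mac} is not in the Mesh whitelist")
        # A healthy link is reported by both ends; a one-sided entry is stale or still forming.
        if (peer, ap_id) not in reported:
            problems.append(f"AP {ap_id} radio {radio_id}: link to AP {peer} is not reported from the peer side")
    if not any(role == "mesh-portal" for *_, role in links):
        problems.append("no mesh-portal (MPP) radio reports a link")
    return problems


if __name__ == "__main__":
    for problem in verify_mesh(AP_ALL_OUTPUT, MESH_LINK_OUTPUT, MESH_WHITELIST) or ["Mesh links OK"]:
        print(problem)
```

The whitelist comparison is done on MAC addresses rather than AP IDs because the whitelist is configured by MAC, while the link table only reports IDs; display ap all supplies the mapping. The same approach works for display bridge-link all, which already prints the peer MAC.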
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 102 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
return
radio-profile id 0
service-set id 1 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
#
return
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.
Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of IPv4 multicast frames (01-00-5e-xx-xx-xx). IPv6 multicast frames (33-33-xx-xx-xx-xx) and broadcast frames are not matched by this rule.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy. The policy takes effect only after it is applied to the switch interfaces that
connect to the APs, in the direction in which the multicast traffic crosses them.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
----End
Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are not advised to configure the
management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly connects
to the APs. If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy WLAN
services for mobile office so that its employees can access the enterprise internal network
anywhere and anytime.
As shown in Figure 16-1, the AC connects to APs through a PoE switch, and the PoE switch
provides power for APs. The WLAN service is configured on the AC, and delivered to APs.
Figure 16-1 (not reproduced): GE1/0/2 of the AC (VLAN 101) connects to the Internet; GE1/0/1 of the AC (VLAN 100) connects to GE0/0/2 of PoE SwitchA; GE0/0/1 of SwitchA (VLAN 100) connects to the AP, which serves the STAs.
Data Planning
Item                         Data
DHCP server                  The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP   10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, Switch, and upstream device to implement Layer 2
interconnection.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require the same
configuration can be added to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command. MAC address authentication checks only the MAC
address that the AP reports, which can be forged, so rely on it only where the wired network between the AC
and the APs is trusted.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid //Apply SSID profile wlan-ssid, as described above.
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
If you set the forwarding mode to direct forwarding, you are not advised to configure the
management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interface that directly connects
to the APs. If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
As shown in Figure 16-2, an enterprise's AC connects to the egress gateway Router of the
campus network and connects to APs through a PoE switch. The PoE switch provides power
to APs.
The enterprise requires a WLAN with SSID wlan-net so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses on 10.23.101.0/24 to users and manage users on the AC.
Figure 16-2 (not reproduced): the Router (GE2/0/0 to the Internet; VLANIF 102, 10.23.102.1) connects to GE1/0/2 of the AC (VLAN 102); GE1/0/1 of the AC (VLAN 100) connects to GE0/0/2 of PoE SwitchA; GE0/0/1 of SwitchA (VLAN 100) connects to the AP, which serves the STAs.
Data Planning
Item                         Data
DHCP server                  The AC functions as the DHCP server to assign IP addresses to APs, and the Router functions as the DHCP server to assign IP addresses to STAs.
IP address pool for the AP   10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.3-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network interconnection.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service so that users can connect to the Internet through the
WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address
for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding
mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101.
By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces directly connected to
APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs can directly communicate at Layer 2.
Networking Requirements
A hospital needs to deploy a wired and a wireless network in the hospital building to meet
service requirements. To make management and maintenance easy, the administrator requires
that wired and wireless users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and wireless users
roam under the same AC.
As shown in Figure 16-3, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second
floors respectively. In each room, the AP2010DN is deployed to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches and directly provide power to
connected APs.
To facilitate network planning and management, the access switches are only used to
transparently transmit data at Layer 2, and all gateways are configured on the AC.
The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs.
Figure 16-3 Networking diagram for configuring unified access for wired and wireless users
Data Planning
AP103: AP103 is an AP5030DN and deployed in the corridor on the first floor to provide wireless access.
AP203: AP203 is an AP5030DN and deployed in the corridor on the second floor to provide wireless access.
l Name: ap-group2
l Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
VLANIF102: 10.23.102.1/24; 10.23.102.2-10.23.102.254/24
VLANIF202: 10.23.202.1/24; 10.23.202.2-10.23.202.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, and configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/4 of the S5700-1 and S5700-2 to VLAN 100
(management VLAN), interfaces GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 201 (VLAN
for wired service packets), and interfaces GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 202
(VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs, and
you are also advised to configure port isolation on these interfaces to reduce broadcast
packets. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar.
For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the
interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation
to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
# On the AC, add GE1/0/1 connected to the S5700-1 to VLAN 100 and VLAN 201, GE1/0/2
connected to the S5700-2 to VLAN 100 and VLAN 202, GE1/0/4 connected to the upper-
layer network to VLAN 300, and GE1/0/3 connected to the Agile Controller to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit
# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for
communication between the AC and Agile Controller.
[AC-Vlanif200] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to allocate IP
addresses to APs.
Step 3 Configure a RADIUS server template, and configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user
name that the device sends to the RADIUS server does not carry the domain name.
Configure the command when the RADIUS server does not accept the user name with
the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //
Configure an IP address for the RADIUS authorization server, set the shared key
to Admin@123, same as the authentication and accounting keys. Configure the
authorization server so that the RADIUS server can deliver authorization rules to
the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
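The shared key in the template above is what makes the exchange with 10.23.200.1 trustworthy: the AC uses it to hide the user's password in the Access-Request and to check the Response Authenticator on every reply, so an Access-Accept from a host that does not hold the key is discarded. The following Python code is an added example, not part of the Huawei guide, implementing those two RFC 2865 computations; the user name, password, packet identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes and attribute types; the shared key is the value configured in
# the radius-server template above (ports 1812/1813 are not needed offline).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SHARED_KEY = b"Admin@123"


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block); the first block is chained to
    the 16-octet Request Authenticator instead of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does). Trailing NUL padding is
    stripped, so a password that itself ends in NUL cannot be recovered exactly."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, request_auth: bytes, user: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Access-Request as the AC (RADIUS client) would send it."""
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes,
                   secret: bytes) -> bytes:
    """Reply as the server would build it; used here to construct test traffic."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before trusting an Access-Accept: a reply from a host
    without the shared key, or one altered in transit, fails and is discarded."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```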
# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the
Portal server template portal1 and specify Layer 2 authentication as the Portal
authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible
user domain portal1.
[AC-authen-profile-portal1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country
code. Radio features of APs managed by the AC must conform to local laws and
regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
-------------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------------
101  60de-4476-e320  ap-101  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    10S
102  60de-4476-e340  ap-102  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    15S
103  dcd2-fc04-b520  ap-103  ap-group1  10.23.101.252  AP6010DN-AGN  nor    0    23S
201  60de-4476-e360  ap-201  ap-group2  10.23.102.254  AP6010DN-AGN  nor    0    45S
202  60de-4476-e380  ap-202  ap-group2  10.23.102.253  AP6010DN-AGN  nor    0    49S
203  dcd2-fc04-b540  ap-203  ap-group2  10.23.102.252  AP6010DN-AGN  nor    0    55S
-------------------------------------------------------------------------------------------
Total: 6
# Configure the AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the
AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the
interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the
AP2010DN is used to connect wired terminals. Add the interface to VLAN 201 in
untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the
AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN
201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the
AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the
interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit
# Create radio profiles radio-2g and radio-5g and bind RRM profile rrm1 to both radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has
been enabled on the interface. Set the security policy to OPEN (default setting),
# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding
mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101.
By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding
mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
# STAs discover the WLAN with the SSID hospital-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station all command on the AC. The command output shows that
the STAs have connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf  0      ap-101   0/1      2.4G  11n   3/8    -70   10    10.23.101.254  hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network normally.
----End
Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces directly connected to
APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs can directly communicate at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
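Three of the notes above, and the same notes in the previous example's Configuration Notes (port isolation on AP-facing interfaces, management VLAN versus service VLAN in direct forwarding, and a security policy that matches the authentication in use), can be checked mechanically against configuration files in the format this guide prints. The following Python script is an added example, not part of the Huawei guide: it parses VRP-style configuration text into sections and reports violations of those notes, using constructed sample files modelled on the S5700-1 and AC configurations above (the ciphertext pass-phrase is a placeholder).

```python
import re

# Constructed sample configuration files modelled on the S5700-1 and AC files in
# this guide (not copied from it): GigabitEthernet0/0/3 faces an AP but has no
# port isolation, wlan-vap2 forwards directly on the management VLAN, and
# wlan-vap3 is OPEN (no 'security' line) with no authentication profile bound.
SWITCH_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
#
"""

AC_CONFIG = """\
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 security-profile name wlan-psk
  security wpa2 psk pass-phrase %^%#CIPHERTEXT-PLACEHOLDER%^%# aes
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile portal1
 vap-profile name wlan-vap2
  service-vlan vlan-id 100
  security-profile wlan-psk
 vap-profile name wlan-vap3
  forward-mode tunnel
  service-vlan vlan-id 102
  security-profile wlan-security
#
"""

# "interface <name>" or "<kind> name <name>" opens a section; '#' closes it.
SECTION_RE = re.compile(r"^(?:(interface) (\S+)|([\w-]+) name (\S+))$")


def parse_sections(text):
    """Return (kind, name, child_lines) triples. Indentation is ignored, so the
    flattened copies printed in configuration guides parse the same way."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "wlan", "return"):
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1) or m.group(3), m.group(2) or m.group(4), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def value(lines, keyword):
    """Remainder of the first line that starts with `keyword `, or None."""
    for line in lines:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def audit(text):
    """Check one configuration file against the guide's Configuration Notes."""
    findings = []
    sections = parse_sections(text)
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", text, re.M)
    mgmt_vlan = int(m.group(1)) if m else None
    security = {n: lines for k, n, lines in sections if k == "security-profile"}
    for kind, name, lines in sections:
        if kind == "interface":
            # In this design a PVID is set only on trunk ports facing APs, and those
            # ports need port isolation so users on different APs cannot talk at L2.
            if ("port link-type trunk" in lines and value(lines, "port trunk pvid vlan")
                    and not any(l.startswith("port-isolate enable") for l in lines)):
                findings.append(f"{name}: AP-facing trunk (PVID set) has no port-isolate enable")
        elif kind == "vap-profile":
            mode = value(lines, "forward-mode") or "direct"  # direct is the default
            svlan = int(value(lines, "service-vlan vlan-id") or 1)  # VLAN 1 is the default
            if mode == "direct" and mgmt_vlan is not None and svlan == mgmt_vlan:
                findings.append(f"{name}: direct forwarding with service VLAN {svlan} "
                                f"equal to management VLAN {mgmt_vlan}")
            sec = value(lines, "security-profile")
            # A security profile with no 'security ...' line keeps the OPEN default,
            # so the VAP is unprotected unless an authentication profile is bound.
            if (value(security.get(sec, []), "security") is None
                    and value(lines, "authentication-profile") is None):
                findings.append(f"{name}: OPEN security policy ({sec}) without an authentication-profile")
    return findings
```

Run `audit()` over a file saved with `display current-configuration`; an empty list means none of the three notes is violated.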
Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal authentication
be used for wireless users in the coverage area of the wireless network. Since a large number
of wireless users exist, high wireless service performance and Portal authentication
performance are required.
As shown in Figure 16-4, the S9700 core switch functions as the gateway for STAs and APs
and as the DHCP server to assign IP addresses to STAs and APs. The S9700 connects to APs
through PoE access switches S5700-1 and S5700-2. The AC and APs are located on a Layer 3
network. The AC is the X series card on the S9700 and connected to the S9700 through Eth-
Trunk in bypass mode.
To facilitate network planning and management, the access switches are only used to
transparently transmit data at Layer 2.
Figure 16-4 Networking diagram for configuring WLAN services for a wireless city project
(Diagram: Internet - Router - S9700 (GE1/0/4 to the upper-layer network, GE1/0/3 to the Controller, GE1/0/5 and GE1/0/6 to AC GE2/0/1 and GE2/0/2, GE1/0/1 to S5700-1, GE1/0/2 to S5700-2); S5700-1 and S5700-2 (GE0/0/1 uplink, GE0/0/2 and GE0/0/3 to APs))
Data Planning
l Name: ap-group2
l Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
l Name: portal2
l Referenced profiles: Portal server templates portal2 and portal3
l Name: portal2
l Referenced profile: Portal access profile portal2
VLANIF102: 10.23.102.1/24; 10.23.102.2-10.23.102.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700, and AC to
communicate with upper-layer devices.
2. Configure the S9700 as a DHCP server to assign IP addresses to the STAs and APs.
3. Configure a RADIUS server template, and configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management VLAN) and
VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected to APs, and you are
also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the
interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to
reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management VLAN) and
VLAN 102 (service VLAN). Set PVIDs for interfaces directly connected to APs, and you are
also advised to configure port isolation on these interfaces to reduce broadcast packets.
[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the
interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to
reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit
# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN 101,
GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3 connected to the
Controller to VLAN 300, GE1/0/4 connected to the upper-layer network to VLAN 101 and
VLAN 102, and GE1/0/5 and GE1/0/6 connected to the AC to Eth-Trunk 1. Add Eth-Trunk 1
to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
# On the S9700, configure VLANIF 100 for communication with the AC and VLANIF 300
for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for
communication between the S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for
communication between the S9700 and Controller.
[S9700-Vlanif300] quit
# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1 and add Eth-
Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2
to Eth-Trunk1.
[AC-Eth-Trunk1] quit
Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S9700 to assign IP addresses to the STAs and APs from the global address
pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP
addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 3 ip-address 10.23.100.1 //Since
a Layer 3 network is deployed between the AC and APs, configure Option43 to
advertise the AC's IP address to APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP
addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 3 ip-address 10.23.100.1 //Since
a Layer 3 network is deployed between the AC and APs, configure Option43 to
advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP
addresses to STAs connected to AP101 and AP102.
Step 3 Configure a RADIUS server template with authentication, accounting, and
authorization settings, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 1 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-
address 10.23.100.1 weight 80 //Configure the active RADIUS authentication
server 2 and authentication port 1812. The AC uses the IP address 10.23.100.1 to
communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-
address 10.23.100.1 weight 20 //Configure the standby RADIUS authentication
server, with the weight value lower than the active authentication server. Set
the authentication port number to 1812. The AC uses the IP address 10.23.100.1 to
communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 1 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address
10.23.100.1 weight 80 //Configure the active RADIUS accounting server 2 to
collect user login and logout information and set the accounting port number to
1813. The AC uses the IP address 10.23.100.1 to communicate with the active
RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address
10.23.100.1 weight 20 //Configure the standby RADIUS accounting server, with
the weight value lower than the active accounting server. Set the accounting port
number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS
automatic detection interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country
code. Radio features of APs managed by the AC must conform to local laws and
regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
-------------------------------------------------------------------------------------------------
ID   MAC             Name     Group      IP              Type           State  STA  Uptime
-------------------------------------------------------------------------------------------------
101  60de-4476-e320  ap-101   ap-group1  10.23.101.254   AP6010DN-AGN   nor    0    10S
102  60de-4476-e340  ap-102   ap-group1  10.23.101.253   AP6010DN-AGN   nor    0    15S
201  60de-4476-e360  ap-201   ap-group2  10.23.102.254   AP6010DN-AGN   nor    0    45S
202  60de-4476-e380  ap-202   ap-group2  10.23.102.253   AP6010DN-AGN   nor    0    49S
-------------------------------------------------------------------------------------------------
Total: 4
# Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has
been enabled on the interface. Set the security policy to OPEN (default setting),
that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to city-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid city-wlan //Set the SSID to city-wlan.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode direct-forward //Set the service
forwarding mode to direct forwarding.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101.
By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode direct-forward //Set the service
forwarding mode to direct forwarding.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
# STAs discover the WLAN with the SSID city-wlan and associate with the WLAN. The
STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless
network. Run the display station all command on the AC. The command output shows that
the STAs have connected to the WLAN city-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address      SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf   0      ap-101   0/1      2.4G  11n   3/8    -70   10    10.23.101.254   city-wlan
----------------------------------------------------------------------------------------------------------
Total: 1   2.4G: 1   5G: 0
# STAs and PCs obtain IP addresses and connect to the network normally.
----End
Configuration Files
l Configuration file of the S5700-1 connected to wired users
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name default
vap-profile name wlan-vap1
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 ap-mac 60de-4476-e320 ap-sn 210235419610CB002000
ap-name ap-101
ap-group ap-group1
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 102 ap-mac 60de-4476-e340 ap-sn 210235419610CB003333
ap-name ap-102
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
ap-id 201 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 202 ap-mac 60de-4476-e380 ap-sn 210235419610CB002299
ap-name ap-202
ap-group ap-group2
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
#
return
Configuration Notes
l In this example, MAC address authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces directly connected
to APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
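The direct-forwarding notes above turned into a check over a saved configuration, as an added Python example that is not part of the Huawei guide: it parses the interface blocks of a switch configuration file and reports AP-facing trunk ports that miss the management VLAN as PVID, the service VLAN on the trunk, or port isolation. The sample configuration is constructed from the S5700-1 file above with GE0/0/3 altered so that one finding appears; expand_vlans, parse_interfaces and audit_ap_ports are this example's own names.

```python
"""Audit AP-facing trunk ports in a saved Huawei switch configuration.

Added example, not part of the Huawei guide. In direct forwarding mode the
notes above want each AP-facing port to carry the management VLAN as PVID
and the service VLAN on the trunk, and to have port isolation enabled;
this parser reads the "interface ... / #" blocks of a configuration file
and reports which of those points a port misses. SAMPLE_CONFIG is
constructed from the S5700-1 file, with GE0/0/3 altered to use a VLAN
range and to omit port isolation so that a finding appears.
"""

SAMPLE_CONFIG = """\
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 101
#
return
"""


def expand_vlans(spec: str) -> set:
    """'10 101' -> {10, 101}; '101 to 102' -> {101, 102}; both forms may be mixed."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config: str) -> dict:
    """Map interface name -> link type, PVID, allowed VLAN set and isolation flag."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            # Huawei defaults: PVID 1 and only VLAN 1 allowed until configured
            interfaces[current] = {"link_type": None, "pvid": 1,
                                   "allowed": {1}, "isolated": False}
        elif line == "#":                      # block separator ends the interface view
            current = None
        elif current is not None:
            entry = interfaces[current]
            if line.startswith("port link-type "):
                entry["link_type"] = line.split()[-1]
            elif line.startswith("port trunk pvid vlan "):
                entry["pvid"] = int(line.split()[-1])
            elif line.startswith("port trunk allow-pass vlan "):
                entry["allowed"] = expand_vlans(line[len("port trunk allow-pass vlan "):])
            elif line.startswith("port-isolate enable"):
                entry["isolated"] = True
    return interfaces


def audit_ap_ports(config: str, ap_ports, mgmt_vlan: int, service_vlan: int) -> dict:
    """Return {port: [findings]}; an empty list means the port meets the notes."""
    interfaces = parse_interfaces(config)
    findings = {}
    for name in ap_ports:
        entry, issues = interfaces.get(name), []
        if entry is None:
            issues.append("interface not present in configuration")
        else:
            if entry["link_type"] != "trunk":
                issues.append("link type is not trunk")
            if entry["pvid"] != mgmt_vlan:
                issues.append(f"PVID is {entry['pvid']}, expected management VLAN {mgmt_vlan}")
            for vlan in (mgmt_vlan, service_vlan):
                if vlan not in entry["allowed"]:
                    issues.append(f"VLAN {vlan} not allowed on trunk")
            if not entry["isolated"]:
                issues.append("port isolation disabled: APs can reach each other at Layer 2")
        findings[name] = issues
    return findings
```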
Networking Requirements
As shown in Figure 16-5, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements, configure MAC address authentication to authenticate dumb terminals such as
wireless network printers and wireless phones that cannot have an authentication client
installed. MAC addresses of terminals are used as user information and sent to the RADIUS
server for authentication. When users connect to the WLAN, authentication is not required.
Figure 16-5 Networking diagram for configuring MAC address authentication on the wireless
side
[Figure: RADIUS server 10.23.200.1:1812 in the intranet; AC GE1/0/2 toward the intranet (VLAN 101) and GE1/0/1 (VLAN 100) to SwitchA GE0/0/2; SwitchA GE0/0/1 (VLAN 100) to AP area_1 serving the STAs. Management VLAN: VLAN 100; Service VLAN: VLAN 101]
Context
Item Data
MAC access profile l Name: m1
l User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile l Name: p1
l Bound profile: MAC access profile m1
l Forcible authentication domain: huawei.com
DHCP server The AC functions as the DHCP server to assign IP addresses to the AP and STAs.
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an authentication profile to manage NAC configuration.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 4 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------
ID   MAC             Name     Group      IP              Type           State  STA  Uptime
-------------------------------------------------------------------------------------------------
0    60de-4476-e360  area_1   ap-group1  10.23.100.254   AP6010DN-AGN   nor    0    10S
-------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
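The credential the MAC access profile derives, and what the AC then sends to the RADIUS server, as an added Python example that is not part of the guide: it builds an RFC 2865 Access-Request with the hyphen-less MAC as User-Name and as the hidden User-Password, and shows the server-side check that the two match. The STA MAC, NAS address and shared key are taken from the guide's examples; every function name is this example's own.

```python
"""RADIUS Access-Request for MAC address authentication (RFC 2865).

Added example, not part of the Huawei guide. It shows what an authenticator
such as the AC sends when a MAC access profile uses the STA MAC, hyphens
stripped, as both User-Name and User-Password, and how the RADIUS server
recovers the hidden password and compares the two. The STA MAC, NAS address
and shared key are the guide's sample values; the packet layout follows
RFC 2865 and is not Huawei-specific.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def mac_credential(mac: str) -> str:
    """Credential as the MAC access profile derives it: the MAC with hyphens dropped."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as computed on the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def build_access_request(mac, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request carrying the MAC as User-Name and as the hidden User-Password."""
    authenticator = authenticator or os.urandom(16)   # fresh Request Authenticator
    cred = mac_credential(mac).encode("ascii")
    attrs = (attribute(ATTR_USER_NAME, cred)
             + attribute(ATTR_USER_PASSWORD, hide_password(cred, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header; rejects truncated packets."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_check(packet: bytes, secret: bytes) -> bool:
    """What a MAC-auth RADIUS server does: the revealed password must equal the user name."""
    attrs = parse_attributes(packet)
    name = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20])
    return bool(name) and password == name
```

Because both attributes are derived from a MAC that any client can present, this check only ties the session to an address, which is why the notes above ask for a security policy appropriate to the service.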
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
A user can access a known Portal authentication website and enter a user name and password
for authentication. This mode is called active authentication. If a user attempts to access other
external networks through HTTP, the device forcibly redirects the user to the Portal
authentication website for Portal authentication. This mode is called forcible authentication.
Configuration Notes
l In this example, Portal authentication is used. To ensure network security, configure an
appropriate security policy according to service requirements.
l If direct forwarding is used, configure port isolation on the interfaces directly connected
to APs. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
Networking Requirements
As shown in Figure 16-6, there are a large number of STAs on an enterprise network. A
WLAN with the SSID guest is deployed in the lobby of the office building to provide
wireless access services for guests. A WLAN with the SSID employee is deployed in office
areas to provide wireless access services for employees.
To ensure network security, the enterprise needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network. Considering the
mobility feature of a large number of STAs, the administrator decides to configure Portal
authentication on the AC at Layer 3 network to control access.
Figure 16-6 Networking diagram for configuring Portal authentication on the wireless side
[Figure: Router GE2/0/0 (VLANIF 201: 10.67.201.1/24) toward the intranet and the server area (Portal, RADIUS, DNS...); Switch_B GE1/0/3 (VLANIF 201: 10.67.201.2/24) to the router, GE1/0/2 (VLANIF 200: 10.45.200.2/24, VLAN 200) to AC GE1/0/1 (VLANIF 200: 10.45.200.1/24), and GE1/0/1 (VLANIF 100: 10.23.100.1/24, VLANIF 101: 10.23.101.1/24, VLANIF 102: 10.23.102.1/24) to Switch_A GE0/0/5; Switch_A GE0/0/1 to GE0/0/4 to the APs]
Context
Item Data
DHCP server The router functions as the DHCP server to assign IP addresses to the STAs and APs.
AP group l Name: employee
l Bound profile: VAP profile employee and regulatory domain profile domain1
SSID profile l Name: employee
l SSID name: employee
VAP profile l Name: employee
l Forwarding mode: tunnel forwarding
l Service VLAN: VLANs in the VLAN pool
l Bound profile: SSID profile employee, security profile wlan-security, and authentication profile p1
NOTE
l In this example, Switch_A is a Huawei modular switch, and Switch_B is a Huawei fixed switch.
l When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
situation, a lot of broadcast domains are created if you configure the direct forwarding mode. To
reduce the number of broadcast domains, set the data forwarding mode to tunnel forwarding.
l Configurations of RADIUS server parameters and Portal server parameters must be the same as the
configurations on the peer RADIUS server and Portal server. Configure the parameters as required.
l To ensure that the router and servers can communicate with each other, configure routes on the
RADIUS server and Portal server to the router.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server profile.
4. Configure a Portal access profile to manage access control parameters for Portal
authentication users.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters for STAs to access the WLAN.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure networking
parameters.
# Configure access switch Switch_A. Add GE0/0/1 to GE0/0/5 to VLAN 100 (management
VLAN). Interfaces GE0/0/1 to GE0/0/4 have the same configuration. GE0/0/1 is used as an
example here.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/5] quit
# Configure aggregation switch Switch_B. Add GE1/0/1 to VLAN 100, GE1/0/2 to VLANs
101, 102, and 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101 102 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 102 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit
# Create VLANIF interfaces VLANIF 100 to VLANIF 102, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 are gateways of STAs. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with the router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit
# On the AC, add GE1/0/1 connected to Switch_B to VLAN 101, VLAN 102, and VLAN
200.
[HUAWEI] sysname AC
[AC] vlan batch 101 102 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
# Add GE2/0/0 on the router to VLAN 201 and configure an IP address for VLANIF 201 so
that the router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit
# Configure a default route on Switch_B with the outbound interface as the router's VLANIF
201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
# Configure routes from the AC to APs with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2
# Configure the router as a DHCP server to assign IP addresses to APs and STAs.
NOTE
In this example, the AP and AC are on different network segments. To notify the AP of the AC's IP address
so that the AP can go online at Layer 3, configure Option 43 in the address pool used by the AP.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] dns-list 172.16.1.2
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] dns-list 172.16.1.2
[Router-ip-pool-sta2] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
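The Option 43 configured in the ap address pool above is what lets an AP on a different subnet discover the AC. The following is an added example, not part of the Huawei document, that builds and parses that option as a vendor-specific TLV. The byte layout is an assumption drawn from the `option 43 sub-option 3 ascii` command on the page: a standard RFC 2132 option 43 (code, length) wrapping one sub-option of code 3 whose value is the AC address in ASCII; comma separation for more than one address is also assumed. Check the AP's own documentation before relying on the layout.

```python
"""Build and parse the DHCP Option 43 payload that carries the AC address to APs.

Added example (not from the Huawei document). Assumption: option 43 is a standard
vendor-specific TLV (RFC 2132) containing a sub-option of code 3 with an ASCII
payload, matching the `option 43 sub-option 3 ascii 10.45.200.1` command on the page.
"""
import ipaddress

OPTION_43 = 43
SUBOPT_AC_ADDR_ASCII = 3  # sub-option code used on the page


def build_option43(ac_addrs):
    """Return option 43 bytes (code, length, sub-option TLV) for the given AC IPv4 addresses."""
    for a in ac_addrs:
        ipaddress.IPv4Address(a)  # raises ValueError on a malformed address
    payload = ",".join(ac_addrs).encode("ascii")  # comma separation is an assumption
    if len(payload) > 253:  # one-byte option length minus the 2-byte sub-option header
        raise ValueError("AC address list too long for a single option 43")
    sub = bytes([SUBOPT_AC_ADDR_ASCII, len(payload)]) + payload
    return bytes([OPTION_43, len(sub)]) + sub


def parse_option43(data):
    """Return the AC addresses found in sub-option 3 of an option 43 blob.

    Unknown sub-options are skipped. Truncated TLVs and non-address payloads raise
    ValueError instead of being accepted, because an AP that trusts a malformed
    option could be steered to the wrong controller.
    """
    if len(data) < 2 or data[0] != OPTION_43:
        raise ValueError("not an option 43 blob")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("option 43 truncated")
    addrs = []
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, sublen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("sub-option value truncated")
        if code == SUBOPT_AC_ADDR_ASCII:
            for a in value.decode("ascii").split(","):
                ipaddress.IPv4Address(a)  # reject junk before it reaches an AP
                addrs.append(a)
        i += 2 + sublen
    return addrs


if __name__ == "__main__":
    blob = build_option43(["10.45.200.1"])
    print(blob.hex())
    print(parse_option43(blob))
```

Running the block prints the hex of the option for the page's AC address 10.45.200.1 and parses it back; feeding it a truncated blob raises ValueError, which is the behaviour you want from anything that consumes DHCP options on the AP side.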
# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.
NOTE
This example uses the VLAN assignment algorithm hash as an example. The default VLAN assignment
algorithm is hash. If the default setting is retained, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. A VLAN pool can hold multiple VLANs. For
each VLAN you add, create the corresponding VLANIF interface and configure its IP address on Switch_B, and configure
the corresponding interface address pool on the router, as was done for VLAN 101 and VLAN 102.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit
# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Configure names for the APs based on the APs'
deployment locations, so that you can know where the APs are deployed from their names.
For example, if the AP with MAC address 60de-4474-9640 is deployed in room 1 of the
second floor of the office building, name the AP office2-1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] quit
# After an AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [4]
----------------------------------------------------------------------------------------------
ID  MAC             Name       Group     IP             Type           State  STA  Uptime
----------------------------------------------------------------------------------------------
0   60de-4474-9640  office2-1  employee  10.23.100.253  AP6010DN-AGN   nor    0    2H:30M:1S
1   60de-4474-9660  office2-2  employee  10.23.100.251  AP6010DN-AGN   nor    0    2H:35M:2S
2   60de-4476-e360  lobby-1    guest     10.23.100.254  AP6010DN-AGN   nor    0    2H:29M:29S
3   60de-4476-e380  lobby-2    guest     10.23.100.252  AP6010DN-AGN   nor    0    2H:34M:11S
----------------------------------------------------------------------------------------------
Total: 4
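Checking the State column by eye works for four APs; for a building full of them it is worth parsing. The following is an added example, not from the Huawei document, that parses `display ap all` output and reports two things: APs whose State is not nor, and MAC addresses that appear online but are not on the list of APs imported offline. Because the AC authenticates APs by MAC address (ap auth-mode mac-auth), that second list is a quick way to notice an AP entry that was added outside the documented procedure. SAMPLE_OUTPUT is constructed for the example: it follows the column layout shown above, with lobby-2 placed in a non-normal state so the checks have something to report.

```python
"""Parse `display ap all` output and flag APs that are not online or not expected.

Added example, not from the Huawei document. SAMPLE_OUTPUT is constructed for the
example and mirrors the column layout of the page's output; the fault row is invented.
"""
import re

SAMPLE_OUTPUT = """\
Total AP information:
nor   : normal          [3]
fault : fault           [1]
----------------------------------------------------------------------------------------------
ID  MAC             Name       Group     IP             Type           State  STA  Uptime
----------------------------------------------------------------------------------------------
0   60de-4474-9640  office2-1  employee  10.23.100.253  AP6010DN-AGN   nor    0    2H:30M:1S
1   60de-4474-9660  office2-2  employee  10.23.100.251  AP6010DN-AGN   nor    0    2H:35M:2S
2   60de-4476-e360  lobby-1    guest     10.23.100.254  AP6010DN-AGN   nor    0    2H:29M:29S
3   60de-4476-e380  lobby-2    guest     -              AP6010DN-AGN   fault  0    -
----------------------------------------------------------------------------------------------
Total: 4
"""

# One AP row: numeric ID, MAC in Huawei xxxx-xxxx-xxxx form, then whitespace-separated columns.
AP_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<name>\S+)\s+(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<sta>\d+)\s+(?P<uptime>\S+)\s*$"
)


def parse_display_ap_all(text):
    """Return one dict per AP row; header, separator and summary lines are ignored."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["sta"] = int(row["sta"])
            aps.append(row)
    return aps


def offline_aps(text):
    """Names of APs whose State is anything other than nor (normal)."""
    return [ap["name"] for ap in parse_display_ap_all(text) if ap["state"] != "nor"]


def unexpected_aps(text, imported_macs):
    """MACs present in the output that are not in the list of APs imported offline on the AC."""
    imported = {m.lower() for m in imported_macs}
    return [ap["mac"] for ap in parse_display_ap_all(text) if ap["mac"] not in imported]


if __name__ == "__main__":
    imported = ["60de-4474-9640", "60de-4474-9660", "60de-4476-e360"]
    print("not online:", offline_aps(SAMPLE_OUTPUT))
    print("unexpected:", unexpected_aps(SAMPLE_OUTPUT, imported))
```

The row regex keys on the MAC format rather than on column positions, so it tolerates the variable spacing that the AC emits when names or IP addresses are of different lengths.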
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-employee] quit
# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.
# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
----End
Configuration Files
l Configuration file of Switch_A
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of Switch_B
#
sysname Switch_B
#
vlan batch 100 to 102 200 201
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif200
ip address 10.45.200.2 255.255.255.0
#
interface Vlanif201
ip address 10.67.201.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
#
return
l Configuration file of the router
#
sysname Router
#
vlan batch 201
#
dhcp enable
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.45.200.1
#
ip pool sta1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
dns-list 172.16.1.2
#
ip pool sta2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
dns-list 172.16.1.2
#
interface Vlanif201
ip address 10.67.201.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 101 to 102 200
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei.com portal force
#
vlan pool sta-pool
vlan 101 to 102
#
radius-server template radius_huawei
#
web-auth-server abc
server-ip 172.16.1.1
port 50200
%#
url https://172.16.1.1:8443/portal
#
portal-access-profile name portal1
web-auth-server abc layer3
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif200
ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 102 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-security
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile guest
security-profile wlan-security
authentication-profile p1
vap-profile name employee
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile employee
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name lobby-1
ap-group guest
ap-id 1 ap-mac 60de-4476-e380
ap-name lobby-2
ap-group guest
Configuration Notes
l In this example, MAC address authentication is used. To ensure network security,
configure an appropriate security policy according to your network requirements.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. Without port isolation, large numbers of broadcast packets are flooded in the VLANs, and
WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
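The two notes above on port isolation and on VLAN membership are worth checking mechanically rather than by reading configuration files. The following is an added example, not from the Huawei document, that parses the few commands found in the page's configuration files (interface, port trunk pvid vlan, port trunk allow-pass vlan, port-isolate enable) and reports AP-facing ports without port-isolate and VLAN lists that differ on the two ends of a trunk. The sample configurations are constructed: SWITCH_A_CFG is the page's Switch_A with port-isolate deliberately removed from GigabitEthernet0/0/3, and AC_CFG deliberately omits VLAN 200, which Switch_B allows on the link, so that both checks have something to report.

```python
"""Check Huawei-style configuration files for two conditions from the Configuration
Notes: port isolation on AP-facing ports, and matching VLAN lists on both ends of a trunk.

Added example, not part of the Huawei document. The parser understands only the
commands that appear in the page's configuration files. The sample configurations
are constructed: SWITCH_A_CFG drops port-isolate on GigabitEthernet0/0/3 and AC_CFG
omits VLAN 200 on purpose.
"""
import re

SWITCH_A_CFG = """\
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""

SWITCH_B_CFG = """\
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102 200
#
return
"""

AC_CFG = """\
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '101 to 102 200' into a set of ints."""
    tokens = spec.split()
    vlans = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(cfg):
    """Return {interface name: {'pvid': int or None, 'allowed': set, 'isolated': bool}}."""
    ifaces = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(
                m.group(1), {"pvid": None, "allowed": set(), "isolated": False})
            continue
        if line == "#":  # a bare '#' ends the current configuration block
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"port trunk pvid vlan (\d+)", line)
        if m:
            current["pvid"] = int(m.group(1))
        m = re.match(r"port trunk allow-pass vlan (.+)", line)
        if m:
            current["allowed"] |= expand_vlans(m.group(1))
        if line.startswith("port-isolate enable"):
            current["isolated"] = True
    return ifaces


def ap_ports_missing_isolation(cfg, mgmt_vlan):
    """AP-facing ports carry the management VLAN untagged (PVID); list those without port-isolate."""
    return sorted(name for name, p in parse_interfaces(cfg).items()
                  if p["pvid"] == mgmt_vlan and not p["isolated"])


def trunk_mismatch(cfg_a, port_a, cfg_b, port_b):
    """VLANs allowed on only one end of a link; an empty set means both ends agree."""
    a = parse_interfaces(cfg_a)[port_a]["allowed"]
    b = parse_interfaces(cfg_b)[port_b]["allowed"]
    return a ^ b


if __name__ == "__main__":
    print("AP ports without isolation:", ap_ports_missing_isolation(SWITCH_A_CFG, 100))
    print("Switch_B GE1/0/2 vs AC GE1/0/1 mismatch:",
          trunk_mismatch(SWITCH_B_CFG, "GigabitEthernet1/0/2", AC_CFG, "GigabitEthernet1/0/1"))
```

The port-isolation check treats a port whose PVID is the management VLAN as AP-facing, which is how Switch_A's GE0/0/1 to GE0/0/4 are configured on the page; the uplink GE0/0/5 has no PVID and is correctly left alone.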
Networking Requirements
To meet service requirements, the company needs to deploy an identity authentication system to implement
access control on all employees who attempt to connect to the company network. Only
authorized users can connect to the company network.
Because visitors move frequently, Portal authentication is configured and the RADIUS server
is used to authenticate user identities.
To facilitate network access, the company decides to configure MAC address-prioritized
Portal authentication. If a user goes offline after passing Portal authentication for the first
time, the user can go online again within a certain period (60 minutes for example) without
entering the user name and password again.
[Figure (diagram not reproduced): labels STA, GE0/0/1, VLAN101, VLANIF101 192.168.2.1/24, GE1/0/2, Intranet, DNS Server 192.168.3.1]
Data Plan
Item Data
MAC access profile
l Name: m1
l User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile
l Name: p1
l Referenced profiles: Portal access profile web1 and MAC access profile m1
l Forcible authentication domain for users: huawei.com
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices, and AP can go online.
2. Configure WLAN service parameters for STAs to access the WLAN.
3. Configure AAA on the AC to implement identity authentication on access users through
the RADIUS server. The configuration includes configuring a RADIUS server template,
an AAA scheme, and an authentication domain, and binding the RADIUS server
template and AAA scheme to the authentication domain.
4. Configure MAC address-prioritized Portal authentication. The configuration includes
configuring a Portal server template, a Portal access profile, a MAC access profile, an
authentication-free rule profile, and an authentication profile, and binding the
authentication profile to an interface.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
6. Configure the Agile Controller.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can exchange CAPWAP packets.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 2 Configure the AC's upstream interfaces to transparently transmit service VLAN packets and
communicate with upstream network devices.
# Add GE1/0/2 of the AC connected to an upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. In this example,
the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is located. For example, if the AP
with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type           State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  192.168.1.254  AP6010DN-AGN   nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit
# Create the authentication domain huawei.com, and bind the AAA authentication scheme
abc and RADIUS server template rd1 to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] radius-server rd1
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Check whether a user can pass RADIUS authentication. (The test user test and password
Huawei2012 have been configured on the RADIUS server.)
[AC] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeed.
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
# Configure the authentication profile p1, bind the Portal access profile web1, MAC access
profile m1, and authentication-free rule profile default_free_rule to the authentication
profile, specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the data forwarding mode and service VLANs,
and bind the security profile, authentication profile, and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
For details on how to log in to the Agile Controller, add user accounts and switches to the
Agile Controller, and configure authorization results and authorization rules on the Agile
Controller, see 10.6.1 Example for Configuring Portal Authentication to Control Internal
User Access to the Enterprise Network (Authentication Point on Core Switch). The
configurations are not described here.
3. Click OK.
User authentication:
l A user can only access the Agile Controller server and DNS server before successful authentication.
l The user authentication page is pushed to the user when the user attempts to visit an Internet website. After the user enters the correct user name and password, the requested web page is displayed.
l After the authentication succeeds, run the display access-user command on the AC to view information about online users.
A user disconnects from the wireless network and reconnects to the network 65 minutes later:
The user authentication page is pushed to the user when the user attempts to visit an Internet website. After the user enters the correct user name and password, the requested web page is displayed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 101
#
authentication-profile name p1
mac-access-profile m1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not advised to
configure the management VLAN and service VLAN to be the same.
l If direct forwarding is used, configure port isolation on the interfaces that directly connect to
APs. Without port isolation, large numbers of broadcast packets are flooded in the VLANs, and
WLAN users on different APs can communicate directly at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l When configuring radio calibration, set the channel mode and power mode of an AP that
needs radio calibration to auto.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
l The following table lists applicable products and versions.
Networking Requirements
As shown in Figure 16-8, a large number of APs are deployed in an office building. The APs
connect to the AC through Switch_A to provide wireless services for users.
It will be a heavy workload to manually configure radio parameters (such as the channel) for
the APs one by one. The enterprise IT department requires that the AC automatically allocate
channels to the APs based on radio environments to simplify network deployment.
[Figure 16-8 (diagram not reproduced): labels AP1, AP2, AP3 with STAs; SwitchA GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4 (VLAN 100); AC GE1/0/1 (VLAN 100), GE1/0/4 (VLAN 101); Internet]
Item Data
DHCP server The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs 10.23.100.2-10.23.100.254/24
IP address pool for the STAs 10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the optimal
working channels to the APs.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 2 Configure the AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [2]
----------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type          State  STA  Uptime
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    5M:2S
1    dcd2-fc04-b500 area_2  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    5M:4S
----------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is manual.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
l # Run the display radio all command on the AC to check radio calibration results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name RfID Band Type ST CH/BW CE/ME STA CU
----------------------------------------------------------------------
1 area_2 0 2.4G bgn on 1/20M 28/28 1 10%
1 area_2 1 5G an on 149/20M 29/29 0 15%
0 area_1 0 2.4G bgn on 6/20M 28/28 1 15%
0 area_1 1 5G an on 153/20M 29/29 0 49%
----------------------------------------------------------------------
Total:4
l # Radio calibration stops one hour after the radio calibration is manually triggered. The
following configuration steps are not provided in the configuration file. After that, you
can perform either of the following configurations:
– (Recommended) Set the radio calibration mode to scheduled. Configure the APs to
perform radio calibration in off-peak hours, for example, between 00:00 am and
06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
– Manually fix the working channels of APs: disable automatic channel selection and
automatic transmit power selection in the RRM profile. Manually trigger radio
calibration when new APs are added to the network.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
----End
Configuration Files
l Configuration file of the SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
return
Static load balancing can be used in scenarios such as conference rooms. For example, if two
APs are deployed in a conference room, you can add the two APs to a load balancing group to
prevent heavy load on a single AP.
Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are advised not to
configure the same VLAN as both the management VLAN and the service VLAN.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to the APs. Without port isolation, a large number of broadcast packets are
flooded in these VLANs, or WLAN users on different APs can communicate directly with
each other at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l Each load balancing group supports a maximum of three APs.
l A load balancing group is a set of radios. A radio can join only one load balancing
group. If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band. That is, a dual-band AP can join two load balancing groups.
l All APs in a load balancing group work on the same frequency band (2.4 GHz or 5
GHz). AP radios in a load balancing group must have different channels configured and
work on different channels.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
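The band, channel and group-size rules in these notes can be verified against the output of display radio all before a load balancing group is committed on the AC. The following is an added example, not code from the Huawei guide: it parses the radio table shown earlier in this document and reports every rule that a planned set of groups violates. The group names, the (AP name, radio ID) membership format and the function names are the example's own choices.

```python
"""Check load-balancing group planning against `display radio all` output.

Added example (not from the Huawei guide). It parses the radio table shown in
this guide and applies the rules from the Configuration Notes: at most three
APs per group, all radios of a group on one frequency band, distinct channels
within a group, and no radio in more than one group.
"""
import re

# Sample output, taken from this guide's `display radio all` example.
RADIO_OUTPUT = """\
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name   RfID Band Type ST CH/BW   CE/ME STA CU
----------------------------------------------------------------------
1     area_2 0    2.4G bgn  on 1/20M   28/28 1   10%
1     area_2 1    5G   an   on 149/20M 29/29 0   15%
0     area_1 0    2.4G bgn  on 6/20M   28/28 1   15%
0     area_1 1    5G   an   on 153/20M 29/29 0   49%
----------------------------------------------------------------------
Total:4
"""

# One radio row: AP ID, name, radio ID, band, PHY type, status, CH/BW, CE/ME,
# associated STA count and channel utilization.
ROW_RE = re.compile(
    r"^\s*(?P<ap_id>\d+)\s+(?P<name>\S+)\s+(?P<rf_id>\d)\s+(?P<band>2\.4G|5G)\s+"
    r"(?P<type>\S+)\s+(?P<st>\S+)\s+(?P<ch>\d+)/(?P<bw>\d+M)\s+"
    r"(?P<ce>\d+)/(?P<me>\d+)\s+(?P<sta>\d+)\s+(?P<cu>\d+)%\s*$"
)


def parse_radio_table(text):
    """Return one dict per radio row; legend lines, rulers and the total are skipped."""
    radios = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        radios.append({
            "ap_id": int(d["ap_id"]), "name": d["name"], "rf_id": int(d["rf_id"]),
            "band": d["band"], "status": d["st"], "channel": int(d["ch"]),
            "bandwidth": d["bw"], "sta": int(d["sta"]), "util": int(d["cu"]),
        })
    return radios


def check_load_balancing_groups(radios, groups, max_aps=3):
    """groups maps a group name to its member radios as (ap_name, rf_id) pairs.

    Returns a list of human-readable findings; an empty list means the plan
    satisfies every rule from the Configuration Notes.
    """
    by_key = {(r["name"], r["rf_id"]): r for r in radios}
    seen = {}        # radio -> first group it was placed in
    findings = []
    for gname, members in groups.items():
        rows = []
        for key in members:
            if key not in by_key:
                findings.append(f"{gname}: radio {key} not present in display radio all")
                continue
            if key in seen:
                findings.append(f"{gname}: radio {key} already in group {seen[key]}")
            seen.setdefault(key, gname)
            rows.append(by_key[key])
        if len({r["name"] for r in rows}) > max_aps:
            findings.append(f"{gname}: more than {max_aps} APs")
        if len({r["band"] for r in rows}) > 1:
            findings.append(f"{gname}: radios on different frequency bands")
        channels = [r["channel"] for r in rows]
        clashes = sorted({c for c in channels if channels.count(c) > 1})
        if clashes:
            findings.append(f"{gname}: channel(s) {clashes} used by more than one radio")
    return findings


if __name__ == "__main__":
    radios = parse_radio_table(RADIO_OUTPUT)
    # One group per band, which is how a dual-band AP joins two groups.
    plan = {"lb-2g": [("area_1", 0), ("area_2", 0)],
            "lb-5g": [("area_1", 1), ("area_2", 1)]}
    for f in check_load_balancing_groups(radios, plan) or ["plan satisfies all rules"]:
        print(f)
```

Membership is keyed per radio rather than per AP, so a dual-band AP may legitimately appear in a 2.4 GHz group and a 5 GHz group at the same time, while placing the same radio in two groups is reported.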
Networking Requirements
As shown in Figure 16-9, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.
[Figure 16-9 (networking diagram): Internet - Router (GE2/0/0; GE1/0/2, VLAN 102) - AC (GE1/0/1, VLAN 102) - SwitchA (GE0/0/2 uplink, VLAN 100; GE0/0/1 and GE0/0/3 to the APs, VLAN 100) - AP area_1 and AP area_2. Management VLAN: VLAN 100; Service VLAN: VLAN 101.]
Item                           Data
DHCP server                    The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs    10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
Configuration Roadmap
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels. This example configures the radio calibration function.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address
for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [2]
----------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type          State  STA  Uptime
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    5M:2S
1    dcd2-fc04-b500 area_2  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    5M:4S
----------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
l When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP with a light load based on the configured load
balancing group.
----End
Configuration Files
l Configuration file of the SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return
#
return
Configuration Notes
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are advised not to
configure the same VLAN as both the management VLAN and the service VLAN.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to the APs. Without port isolation, a large number of broadcast packets are
flooded in these VLANs, or WLAN users on different APs can communicate directly with
each other at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l Radio traffic statistics packets are sent and received together with Echo packets. In this
example, traffic-based dynamic load balancing is used. You are advised to set the
CAPWAP heartbeat detection interval to 30s to 60s so that the radio traffic statistics can
be updated in a timely manner.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Networking Requirements
As shown in Figure 16-10, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.
[Figure 16-10 (networking diagram): Internet - Router (GE2/0/0; GE1/0/2, VLAN 102) - AC (GE1/0/1, VLAN 102) - SwitchA (GE0/0/2 uplink, VLAN 100; GE0/0/1 and GE0/0/3 to the APs, VLAN 100) - AP area_1 and AP area_2. Management VLAN: VLAN 100; Service VLAN: VLAN 101.]
Item                           Data
DHCP server                    The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs    10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
Configuration Roadmap
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure dynamic load balancing to prevent one AP from being heavily loaded.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels. This example configures the radio calibration function.
Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the
AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address
for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [2]
----------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type          State  STA  Uptime
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.101.253  AP6010DN-AGN  nor    0    5M:2S
1    dcd2-fc04-b500 area_2  ap-group1  10.23.101.254  AP6010DN-AGN  nor    0    5M:4S
----------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-dynamic to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-dynamic to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit
l When a new STA requests to connect to AP area_1, the AC uses a dynamic load
balancing algorithm to redirect the STA to the AP with a light load according to the
information reported by APs.
----End
Configuration Files
l Configuration file of the SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
allows an STA to move between two APs that connect to the same AC and belong to the same
service VLAN without service interruption.
Roaming between APs in the same service VLAN is classified into fast roaming and non-fast
roaming. Non-fast roaming technology is used when an STA uses a non-WPA2-802.1x
security policy. If an STA uses WPA2-802.1x but does not support fast roaming, the STA still
needs to complete 802.1x authentication before roaming between two APs. When the user
uses the WPA2-802.1x security policy and supports fast roaming, the user does not need to
perform 802.1x authentication again during roaming and only needs to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves the WLAN
service experience.
Configuration Notes
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In this example, the security policy is WPA2-PSK-AES. To ensure network security,
choose an appropriate security policy according to your network configurations.
l In the service data forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are advised not to
configure the same VLAN as both the management VLAN and the service VLAN.
l If direct forwarding is used, configure port isolation on the interfaces that directly
connect to the APs. Without port isolation, a large number of broadcast packets are
flooded in these VLANs, or WLAN users on different APs can communicate directly with
each other at Layer 2.
l Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel,
and then forwarded to the AC. The AC then forwards the packets to the upper-layer
network or APs. Therefore, service packets and management packets can be
normally forwarded as long as the network between the AC and APs is added to the
management VLAN and service VLAN and the network between the AC and
upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a CAPWAP
tunnel, but are directly forwarded to the upper-layer network or APs. Therefore,
service packets and management packets can be normally forwarded only when the
network between the AC and APs is added to the management VLAN and the
network between APs and upper-layer network is added to the service VLAN.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in Configuration Guide — WLAN AC > WLAN QoS
Configuration.
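The VLAN rule and the shared-profile rule for roaming in these notes can be checked mechanically against the AC's configuration file. The following is an added example, not code from the Huawei guide: it parses a constructed configuration excerpt written in the style of the Configuration Files blocks in this document and flags a VAP profile that combines direct forwarding with the management VLAN, as well as AP groups whose bound VAP profiles do not resolve to the same SSID and security settings. The `forward-mode direct-forward` keyword, the nested block layout and the placeholder ciphertext are assumptions of the example; the management VLAN (100 in this document's data plan) is passed in as a parameter rather than parsed.

```python
# Added example (not from the Huawei guide): static checks on an AC
# configuration excerpt written in the style of the guide's Configuration Files
# blocks, one space of indentation per nested view. The keyword
# `forward-mode direct-forward`, the block layout and CIPHERTEXT-PLACEHOLDER
# (standing in for the stored pass-phrase) are assumptions.

# Constructed excerpt that satisfies both rules: tunnel forwarding, and both
# AP groups bind the same VAP profile (same SSID and security profile).
AC_CONFIG_GOOD = """\
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase CIPHERTEXT-PLACEHOLDER aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 ap-group name ap-group1
  vap-profile wlan-vap wlan 1 radio 0
 ap-group name ap-group2
  vap-profile wlan-vap wlan 1 radio 0
#
return
"""

# Constructed excerpt that breaks both rules: direct forwarding into VLAN 100
# (the management VLAN in this guide) and a second group with an open SSID.
AC_CONFIG_BAD = """\
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase CIPHERTEXT-PLACEHOLDER aes
 security-profile name guest-open
  security open
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode direct-forward
  service-vlan vlan-id 100
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name guest-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile guest-open
 ap-group name ap-group1
  vap-profile wlan-vap wlan 1 radio 0
 ap-group name ap-group2
  vap-profile guest-vap wlan 1 radio 0
"""


def parse_views(text):
    """Parse indented configuration text into (command, children) trees."""
    root = []
    stack = [(-1, root)]          # (indentation depth, children list) of open views
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd in ("", "#", "return"):   # block separators and the final return
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:     # close views that are not parents of this line
            stack.pop()
        node = (cmd, [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def _with_prefix(nodes, prefix):
    return [(c, k) for c, k in nodes if c.startswith(prefix)]


def _settings(children):
    """First keyword of each command in a view -> remainder of the line."""
    return {c.split(" ", 1)[0]: c.split(" ", 1)[1] for c, _ in children if " " in c}


def check_ac_config(text, management_vlan):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    wlan = _with_prefix(parse_views(text), "wlan")
    if not wlan:
        return ["no wlan view present"]
    wv = wlan[0][1]
    ssids = {c.split()[-1]: _settings(k).get("ssid") for c, k in _with_prefix(wv, "ssid-profile name ")}
    secs = {c.split()[-1]: tuple(sorted(x for x, _ in k)) for c, k in _with_prefix(wv, "security-profile name ")}
    vaps = {c.split()[-1]: _settings(k) for c, k in _with_prefix(wv, "vap-profile name ")}

    for name, s in vaps.items():
        mode = s.get("forward-mode")
        if mode is None:
            findings.append(f"vap-profile {name}: forward-mode not set explicitly")
        elif mode.startswith("direct"):
            # The guide states that the service VLAN defaults to VLAN 1 when unset.
            vlan = int(s.get("service-vlan", "vlan-id 1").split()[-1])
            if vlan == management_vlan:
                findings.append(f"vap-profile {name}: direct forwarding with service "
                                f"VLAN {vlan} equal to the management VLAN")

    # Resolve each AP group's bindings to (SSID, security commands) so that two
    # differently named but identically configured security profiles compare equal.
    per_group = {}
    for c, k in _with_prefix(wv, "ap-group name "):
        bound = set()
        for cmd, _ in _with_prefix(k, "vap-profile "):
            s = vaps.get(cmd.split()[1], {})
            bound.add((ssids.get(s.get("ssid-profile")), secs.get(s.get("security-profile"))))
        per_group[c.split()[-1]] = frozenset(bound)
    if len(set(per_group.values())) > 1:
        findings.append("AP groups " + ", ".join(sorted(per_group)) +
                        " bind different SSID/security settings; STAs cannot roam between them")
    return findings
```

Port isolation, the third rule for direct forwarding, lives in the access switch configuration rather than on the AC, so it is outside what this check can see; run it separately against the switch files.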
Networking Requirements
A small enterprise needs to provide WLAN services for employees. Since the WLAN needs
to cover only a small area, one AC is deployed to manage APs. To differentiate department
management, employees are assigned different subnets by department. The enterprise expects
that users can move within the enterprise with nonstop service transmission.
[Networking diagram: Internet - AC (GE0/0/1 to Switch_1, GE0/0/2 to Switch_2) - Switch_1 and Switch_2 (GE0/0/2 uplink to the AC, GE0/0/1 to the AP) - AP_1 and AP_2; an STA roams between AP_1 and AP_2.]
Data planning
Item                           Data
DHCP server                    The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs    10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services so that users can connect to the wireless network.
Procedure
Step 1 Configure the switches and the AC so that the AC can communicate with the APs.
#On Switch_1, create VLAN 100 (management VLAN). Add GE0/0/1 connected to AP_1
and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 (management VLAN). Add GE0/0/1 connected to AP_2
and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit
# On the AC, add GE0/0/1 connected to Switch_1 and GE0/0/2 connected to Switch_2 to
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit
Step 2 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure the AC as the DHCP server to allocate IP addresses to APs from the interface
address pool on VLANIF 100 and to STAs from the interface address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 3 Configure basic WLAN services so that users can connect to the wireless network.
# Configure the AC's source interface for CAPWAP tunnels.
[AC] capwap source interface vlanif 100
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC] wlan
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add them to AP group ap-group1. Assume that AP_1 and
AP_2 are AP6010DN-AGN APs with MAC addresses 60de-4476-e360 and dcd2-fc04-b500
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name ap2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [2]
--------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type          State  STA  Uptime
--------------------------------------------------------------------------------------
0    60de-4476-e360  ap1   ap-group1  10.23.100.254  AP6010DN-AGN  nor    0    15S
1    dcd2-fc04-b500  ap2   ap-group1  10.23.100.253  AP6010DN-AGN  nor    0    10S
--------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and the password to a1234567. In actual
deployments, the security policy must be configured according to service requirements. The AC stores the
pass-phrase in the configuration file only in ciphertext form.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1, set the data forwarding mode and service VLANs, and
apply the security profile wlan-security and SSID profile wlan-ssid to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
# Bind VAP profile wlan-vap1 to AP group ap-group1 and apply it to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The AC automatically delivers WLAN service configuration to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command to check VAP
information. If Status in the command output is displayed as ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
------------------------------------------------------------------------------------
0      ap1      0     1    60DE-4476-E360  ON      WPA2-PSK   0    wlan-net
0      ap1      1     1    60DE-4476-E370  ON      WPA2-PSK   0    wlan-net
1      ap2      0     1    DCD2-FC04-B500  ON      WPA2-PSK   0    wlan-net
1      ap2      1     1    DCD2-FC04-B510  ON      WPA2-PSK   0    wlan-net
------------------------------------------------------------------------------------
Total: 4
In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  0      ap1      1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC to check the
STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
---------------------------------------------------------------------------------------------
--     10.23.100.1  ap1      1         60de-4476-e360  2016/02/07 17:48:30  -57/-58      46/65
L2     10.23.100.1  ap2      1         dcd2-fc04-b500  2016/02/07 17:54:50  -58/-        -/-
---------------------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of Switch_2
#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain
ap-group name ap-group1
regulatory-domain-profile domain
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name ap1
ap-group ap-group1
ap-id 1 ap-mac dcd2-fc04-b500
ap-name ap2
ap-group ap-group1
#
return
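The configuration files above are what a reviewer usually gets to audit after a deployment. The following script is an added example, not Huawei code: it parses a configuration file in the format shown above and flags the points this design depends on. A trunk port with a PVID is treated as AP-facing (the PVID is what places the AP's untagged CAPWAP traffic in the management VLAN), and such a port is reported if it lacks port-isolate enable (the WDS example later in this document applies it on AP-facing ports) or carries VLANs outside the plan; the AC is reported if it has no capwap source interface, if a security profile is not WPA2/AES or stores its pre-shared key outside the %^%# ciphertext wrapper seen in the file above, or if a VAP profile has no security profile bound. The two configurations embedded in it are constructed from this example, and the ciphertext string is a placeholder.

```python
import re
from typing import List, Optional, Set, Tuple

# Wrappers the device puts around a password it has stored as ciphertext.
CIPHER_WRAPPERS = ("%^%#", "%#%#", "%@%@", "@%@%")


def parse_config(config: str) -> List[Tuple[str, List[str]]]:
    """Split a '#'-separated config into [(top-level command, child lines)]. One level of
    the device's one-space indentation is stripped, so profiles nested under 'wlan' keep
    no leading space and their own children keep one."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("#", "return"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw[1:].rstrip())
        else:
            sections.append((text, []))
    return sections


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """'100 to 102 200' -> {100, 101, 102, 200}; 'all' -> None."""
    if spec.strip() == "all":
        return None
    vlans: Set[int] = set()
    for part in re.findall(r"\d+(?: to \d+)?", spec):
        lo, _, hi = part.partition(" to ")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_interfaces(sections, mgmt_vlan: int, planned: Set[int]) -> List[str]:
    """A trunk with 'port trunk pvid vlan' is AP-facing; it must carry the management
    VLAN untagged, be isolated from other AP ports, and carry only planned VLANs."""
    findings = []
    for cmd, body in sections:
        if not cmd.startswith("interface GigabitEthernet"):
            continue
        name = cmd.split()[1]
        pvid, allowed, allows_all, isolated = None, set(), False, False
        for line in body:
            if m := re.match(r"port trunk pvid vlan (\d+)", line):
                pvid = int(m.group(1))
            elif m := re.match(r"port trunk allow-pass vlan (.+)", line):
                vl = parse_vlan_list(m.group(1))
                allows_all, allowed = allows_all or vl is None, allowed | (vl or set())
            elif line == "port-isolate enable":
                isolated = True
        if pvid is not None and (pvid != mgmt_vlan or not (allows_all or mgmt_vlan in allowed)):
            findings.append(f"{name}: AP-facing port must use PVID {mgmt_vlan} and allow VLAN {mgmt_vlan}")
        if pvid is not None and not isolated:
            findings.append(f"{name}: AP-facing port without 'port-isolate enable'")
        if allows_all:
            findings.append(f"{name}: trunk allows all VLANs; restrict it to {sorted(planned)}")
        elif allowed - planned:
            findings.append(f"{name}: trunk allows VLANs outside the plan: {sorted(allowed - planned)}")
    return findings


def audit_wlan(sections) -> List[str]:
    """Every security profile must be WPA2/AES with a ciphertext key, and every VAP
    profile must bind a security profile (otherwise the default profile applies)."""
    findings, profile, vap_secured = [], "", {}
    wlan = next((body for cmd, body in sections if cmd == "wlan"), [])
    for line in wlan:
        if not line.startswith(" "):                      # a new profile header
            profile = line
            if profile.startswith("vap-profile name "):
                vap_secured[profile.split()[-1]] = False
            continue
        tokens, pname = line.split(), (profile.split()[-1] if profile else "")
        if profile.startswith("security-profile name ") and tokens[0] == "security":
            if tokens[1] in ("open", "wep", "wpa") or "tkip" in tokens:
                findings.append(f"security-profile {pname}: weak policy '{line.strip()}'")
            if "pass-phrase" in tokens:
                key = tokens[tokens.index("pass-phrase") + 1]
                if not any(key.startswith(w) and key.endswith(w) for w in CIPHER_WRAPPERS):
                    findings.append(f"security-profile {pname}: pre-shared key stored in plaintext")
        elif profile.startswith("vap-profile name ") and tokens[0] == "security-profile":
            vap_secured[pname] = True
    findings += [f"vap-profile {v}: no security-profile bound" for v, ok in vap_secured.items() if not ok]
    return findings


def audit(config: str, mgmt_vlan: int, service_vlans: Set[int]) -> List[str]:
    sections = parse_config(config)
    findings = audit_interfaces(sections, mgmt_vlan, {mgmt_vlan} | service_vlans)
    if any(cmd == "wlan" for cmd, _ in sections):         # only an AC has a wlan block
        if not any(cmd.startswith("capwap source interface") for cmd, _ in sections):
            findings.append("AC: no 'capwap source interface' configured")
        findings += audit_wlan(sections)
    return findings


# Constructed from the AC configuration in this example; the ciphertext is a placeholder.
AC_CONFIG = """\
 sysname AC
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#constructed-ciphertext-placeholder%^%# aes
 vap-profile name wlan-vap1
  service-vlan vlan-id 101
  security-profile wlan-security
#
return
"""

# Constructed counter-example carrying the mistakes the audit is meant to catch.
WEAK_AC_CONFIG = """\
 sysname AC
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan all
#
wlan
 security-profile name guest-sec
  security wpa2 psk pass-phrase a1234567 aes
 vap-profile name guest-vap
  service-vlan vlan-id 102
#
return
"""

if __name__ == "__main__":
    for label, cfg in (("AC", AC_CONFIG), ("weak AC", WEAK_AC_CONFIG)):
        print(label, audit(cfg, mgmt_vlan=100, service_vlans={101, 102}) or ["clean"])
```

Run it against a configuration exported with display current-configuration; the weak sample yields five findings (no port isolation, trunk open to all VLANs, no CAPWAP source interface, plaintext pre-shared key, VAP profile without a security profile) while the sample modelled on this example is clean.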
l Root: A root AP connects to an AC using a wired link and connects to a middle or leaf
AP using an uplink wireless link.
l Middle: A middle AP is an intermediate node between an upstream root AP and a
downstream leaf AP. It connects to the root and leaf APs using wireless links.
l Leaf: A leaf AP connects to a root or middle AP using an uplink wireless link.
Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.
Configuration Notes
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-
E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single WDS
network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
– Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l The following table lists applicable products and versions.
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office environment, AP_1
in Area A can be connected to the AC through a network cable; AP_2 and AP_3 in Area B
can be connected through a cable but cannot be connected to the AC in wired mode; Area C is
near Area B but AP_4 in Area C cannot be connected to the AC through a network cable
either. The enterprise requires that APs be connected to each other in back-to-back WDS
mode and go online on the AC to provide network services for STAs in VLAN 101, as shown
in Figure 16-12:
Data Planning
Before configuring the WDS service, determine the types and MAC addresses of the APs
used as WDS bridges. The following table provides the data plan for this example.
NOTE
The APs used in this example are AP6010DN-AGN.
Item              Data
AP MAC addresses  AP_1: 60de-4474-9640; AP_2: dcd2-fc04-b500; AP_3: dcd2-fcf6-76a0; AP_4: 60de-4476-e360
WDS profile       wds-net1 (used by AP_1): WDS mode root, referencing WDS whitelist wds-list1, which permits access only from AP_2
                  wds-net2 (used by AP_3): WDS mode root, referencing WDS whitelist wds-list2, which permits access only from AP_4
                  wds-net3 (used by AP_2 and AP_4): WDS mode leaf, referencing no WDS whitelist
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
Procedure
Step 1 Configure the wired network so that the AC can communicate with AP_1 and AP_2 can communicate with AP_3.
# Configure access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100 (management
VLAN) and set the PVID of the interface to VLAN 100. Configure GE0/0/1 and GE0/0/2 to
allow packets from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure aggregation switch Switch_A. Configure GE0/0/1 to allow packets from VLAN
100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to pass
through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure GE1/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
# Configure access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets from
the service and management VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit
Step 2 Configure Switch_A to assign IP addresses to STAs and the AC to assign IP addresses to APs.
# Enable DHCP on Switch_A so that it assigns IP addresses to STAs from the interface address
pool on VLANIF 101.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit
# Enable DHCP on the AC so that it assigns IP addresses to APs from the interface address
pool on VLANIF 100.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the four AP groups.
# Configure the AC's source interface for CAPWAP tunnels.
[AC-wlan-view] quit
[AC] capwap source interface vlanif 100
# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-
leaf1, and AP_4 to AP group wds-leaf2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
Step 4 Configure WDS services.
# Configure radio parameters for the WDS nodes. This example uses radio 1 of the AP6010DN-
AGN. The coverage distance parameter sets the radio coverage distance in units of 100 meters;
its default value is 3 and it is set to 4 in this example. Set it according to the actual distance
between the APs.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157 //Configure the channel and bandwidth for WDS links. All WDS links on the same WDS network must use the same channel and bandwidth.
[AC-wlan-group-radio-wds-root1/1] coverage distance 4 //Once the coverage distance is set according to the distance between APs, the APs automatically adjust slottime, acktimeout, and ctstimeout to match.
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit
# Configure the security profile wds-sec used by WDS links. The wds-sec uses the security
policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit
# Configure a WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net //Only WDS VAPs with the same WDS name can set up WDS links.
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit
# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
[AC-wlan-ap-group-wds-root1] quit
# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
[AC-wlan-ap-group-wds-root2] quit
# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf1] quit
# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State displays as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [4]
--------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type          State  STA  Uptime
--------------------------------------------------------------------------------------
1    60de-4474-9640  AP_1  wds-root1  10.23.100.250  AP6010DN-AGN  nor    0    20M:16S
4    60de-4476-e360  AP_4  wds-leaf2  10.23.100.251  AP6010DN-AGN  nor    0    17S
2    dcd2-fc04-b500  AP_2  wds-leaf1  10.23.100.253  AP6010DN-AGN  nor    0    3M:55S
3    dcd2-fcf6-76a0  AP_3  wds-root2  10.23.100.252  AP6010DN-AGN  nor    0    2M:55S
--------------------------------------------------------------------------------------
Total: 4
Run the display wlan wds link all command to check information about the WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID            Dis  : coverage distance(100m)
Ch   : channel             Per  : drop percent(%)
TSNR : total SNR(dB)       P-   : peer
WDS  : WDS mode            Re   : retry ratio(%)
RSSI : RSSI(dBm)           MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_2      1   3    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   3    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   3    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   3    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------------------
Total: 4
----End
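The WDS whitelists configured above are the only control that stops an AP which knows the WDS name and the pre-shared key from bridging into a root radio, so the live link table is worth checking against the plan rather than only confirming that every AP shows nor. The script below is an added example, not Huawei tooling. It parses constructed copies of the display ap all and display wlan wds link all output shown above, with one extra AP added for the demonstration (AP_X, using the documentation MAC address 0000-5e00-5301; an assumption, not part of the example) bridged to AP_3, and reports root links whose peer is not in that root's whitelist, root radios with no whitelist at all, expected APs that are not online, and link ends that disagree on the channel. The whitelist mapping is keyed by root AP name, which is the script's own convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Row shapes of the two display commands; legend and header lines do not match.
AP_ROW = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+\d+\s+\S+")
LINK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+\d+\s+(\d+)\s+(root|middle|leaf)\s+(\S+)")


@dataclass
class Ap:
    mac: str
    group: str
    state: str


@dataclass
class Link:
    ap: str
    peer: str
    rf: int
    channel: int
    mode: str
    status: str


def parse_ap_table(text: str) -> Dict[str, Ap]:
    """Rows of 'display ap all', keyed by AP name."""
    aps: Dict[str, Ap] = {}
    for line in text.splitlines():
        if m := AP_ROW.match(line):
            mac, name, group, state = m.groups()
            aps[name] = Ap(mac, group, state)
    return aps


def parse_wds_links(text: str) -> List[Link]:
    """Rows of 'display wlan wds link all'; the AC prints one row per link end."""
    links: List[Link] = []
    for line in text.splitlines():
        if m := LINK_ROW.match(line):
            ap, peer, rf, ch, mode, status = m.groups()
            links.append(Link(ap, peer, int(rf), int(ch), mode, status))
    return links


def verify_wds(ap_text: str, link_text: str, whitelists: Dict[str, Set[str]],
               expected: List[str]) -> List[str]:
    """whitelists maps each root AP name to the peer MACs its wds-whitelist-profile permits."""
    aps, links, problems = parse_ap_table(ap_text), parse_wds_links(link_text), []
    for name in expected:
        if name not in aps or aps[name].state != "nor":
            state = aps[name].state if name in aps else "missing"
            problems.append(f"{name}: not online (state {state})")
    channels: Dict[frozenset, Set[int]] = {}
    for link in links:
        channels.setdefault(frozenset((link.ap, link.peer)), set()).add(link.channel)
        if link.status != "normal":
            problems.append(f"{link.ap}->{link.peer}: link status {link.status}")
        if link.mode != "root":
            continue                       # the whitelist is enforced on the root side
        allowed = whitelists.get(link.ap)
        if allowed is None:
            problems.append(f"{link.ap}: root radio {link.rf} has no WDS whitelist; "
                            "any AP with the WDS name and key can attach")
        else:
            peer_mac = aps[link.peer].mac if link.peer in aps else "unknown"
            if peer_mac not in allowed:
                problems.append(f"{link.ap}: peer {link.peer} ({peer_mac}) is not in its whitelist")
    for pair, chs in channels.items():
        if len(chs) > 1:
            problems.append(f"{'/'.join(sorted(pair))}: link ends report different channels {sorted(chs)}")
    return problems


# Constructed to mirror the command output above, plus the extra AP_X rows.
AP_TABLE = """\
ID  MAC             Name  Group      IP             Type          State  STA  Uptime
1   60de-4474-9640  AP_1  wds-root1  10.23.100.250  AP6010DN-AGN  nor    0    20M:16S
4   60de-4476-e360  AP_4  wds-leaf2  10.23.100.251  AP6010DN-AGN  nor    0    17S
2   dcd2-fc04-b500  AP_2  wds-leaf1  10.23.100.253  AP6010DN-AGN  nor    0    3M:55S
3   dcd2-fcf6-76a0  AP_3  wds-root2  10.23.100.252  AP6010DN-AGN  nor    0    2M:55S
5   0000-5e00-5301  AP_X  wds-leaf2  10.23.100.249  AP6010DN-AGN  nor    0    40S
"""
WDS_LINKS = """\
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
AP_1    AP_2      1   3    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   3    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   3    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   3    149  leaf  normal    -4    -4    0    0   91    90/85/-
AP_3    AP_X      1   3    149  root  normal    -30   -28   0    2   60    55/58/-
AP_X    AP_3      1   3    149  leaf  normal    -31   -29   0    2   59    54/57/-
"""
# The plan from this example: wds-list1 on AP_1 permits AP_2, wds-list2 on AP_3 permits AP_4.
WHITELISTS = {"AP_1": {"dcd2-fc04-b500"}, "AP_3": {"60de-4476-e360"}}

if __name__ == "__main__":
    for p in verify_wds(AP_TABLE, WDS_LINKS, WHITELISTS, ["AP_1", "AP_2", "AP_3", "AP_4"]):
        print(p)
```

With the data above the only problem reported is the AP_3 link to AP_X, whose MAC is not in wds-list2; on a real AC that would mean either an unplanned bridge or a whitelist that was not bound to the root radio.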
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ap-id 4 ap-mac 60de-4476-e360
ap-name AP_4
ap-group wds-leaf2
#
return
Both WDS and Mesh technologies can implement wireless bridging between APs. A WDS
network supports a maximum of three hops (for example, a WDS link established along a root
node, a middle node, and a leaf node is a three-hop link), whereas a Mesh network supports a
maximum of eight hops. A WDS network has a tree topology and does not support link
redundancy between nodes. A Mesh network has a Mesh topology and supports link
redundancy between nodes. Therefore, a Mesh network is more reliable than a WDS network.
You can choose WDS or Mesh technology to deploy wireless bridging between APs
according to your needs.
Configuration Notes
l The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the Mesh function.
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP4030DN, AP4130DN, AP5030DN, AP8030DN,
AP8130DN, and AP5130DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or later.
l It is recommended that you deploy no more than 40 Mesh nodes on a Mesh network.
l WDS and Mesh technologies cannot be used on the same network.
l If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
l How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback
loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback
loopback-number | vlanif vlan-id } command in the system view.
l The following table lists applicable products and versions.
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Restricted by geographical
locations, the AP in Area A can be deployed in wired mode, but wired deployment of APs is
costly in Area B and Area C. The enterprise requires that APs be deployed in Area B and
Area C at low cost.
As shown in Figure 16-13, a Mesh network is deployed to connect AP_2 and AP_3 to AP_1
through Mesh links, which can reduce network construction cost.
Data Plan
Before configuring the Mesh service, determine the types and MAC addresses of the APs
used as Mesh nodes. The following table provides the data plan for this example.
NOTE
The APs used in this example are AP6010DN-AGN.
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
set the PVID of the interface to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
# Configure GE1/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp //Configure an AP group for MPPs.
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp //Configure an AP group for MPs.
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Configure radio parameters for Mesh nodes. Radio 1 of the AP6010DN-AGN is used as an
example. coverage distance indicates the radio coverage distance parameter, which is 3 (unit:
100 m) by default. In this example, the radio coverage distance parameter is set to 4. You can
configure the parameter according to actual situations.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157 //Configure the channel and bandwidth for Mesh links. All Mesh links on the same Mesh network must be configured with the same channel and bandwidth.
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4 //After the radio coverage distance parameter is configured based on distances between APs, the APs will automatically adjust the values of slottime, acktimeout, and ctstimeout based on the configured distance parameter.
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit
# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set the Mesh role of AP_1 to mesh-portal. AP_2 and AP_3 use the
default Mesh role mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net //Only Mesh VAPs with the same Mesh network ID can set up Mesh links.
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 5 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
Mesh : Mesh mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  portal  normal    -30   -27   0    12  67    62/65/-
AP_1    AP_3      1   4    157  portal  normal    -26   -24   0    12  71    67/68/-
AP_3    AP_2      1   4    157  node    normal    -19   -3    0    5   77    66/76/-
AP_3    AP_1      1   4    157  node    normal    -32   -4    0    26  64    55/63/-
----End
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac 60de-4476-e360
peer-ap mac dcd2-fcf6-76a0
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group mesh-mpp
ap-id 2 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_2
ap-group mesh-mp
ap-id 3 type-id 19 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group mesh-mp
#
return
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-1, a company has three services: data query, email processing, and file
transfer. The three services have different priorities. When HostA and HostB access servers of
the three services, data query, email processing, and file transfer need to be processed in
descending order of priority. Priority re-marking and queue scheduling can be configured on
the switch to meet the preceding requirement.
Figure 17-1 (figure not reproduced; recoverable labels: HostB, FTP server 192.168.1.12)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic classifiers to classify packets based on servers' IP addresses.
2. Configure traffic behaviors and define priority re-marking.
3. Configure a traffic policy and bind the traffic policy to the traffic classifiers and traffic
behaviors, and apply the traffic policy to GE1/0/1 in the inbound direction to re-mark
priorities of incoming packets.
4. Configure PQ on GE1/0/2. PQ schedules packets in descending order of priority.
Procedure
Step 1 Configure ACLs to classify packets based on servers' IP addresses.
# Configure advanced ACL 3001 to classify packets with the destination IP address of
192.168.1.10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule permit ip destination 192.168.1.10 0.0.0.0
[SwitchA-acl-adv-3001] quit
# Configure advanced ACL 3002 to classify packets with the destination IP address of
192.168.1.11.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule permit ip destination 192.168.1.11 0.0.0.0
[SwitchA-acl-adv-3002] quit
# Configure advanced ACL 3003 to classify packets with the destination IP address of
192.168.1.12.
# Configure a traffic classifier named mailserver to match packets with the destination IP
address of 192.168.1.11.
[SwitchA] traffic classifier mailserver operator and
[SwitchA-classifier-mailserver] if-match acl 3002 //Configure the device to match packets with the destination IP address of 192.168.1.11.
[SwitchA-classifier-mailserver] quit
# Configure a traffic classifier named ftpserver to match packets with the destination IP
address of 192.168.1.12.
[SwitchA] traffic classifier ftpserver operator and
[SwitchA-classifier-ftpserver] if-match acl 3003 //Configure the device to match packets with the destination IP address of 192.168.1.12.
[SwitchA-classifier-ftpserver] quit
# Configure a traffic behavior named mailserver to re-mark packets destined for 192.168.1.11
with 3.
[SwitchA] traffic behavior mailserver
[SwitchA-behavior-mailserver] remark local-precedence 3 //Configure the device to re-mark the local priority of packets destined for 192.168.1.11 with 3.
[SwitchA-behavior-mailserver] quit
# Configure a traffic behavior named ftpserver to re-mark packets destined for 192.168.1.12
with 2.
[SwitchA] traffic behavior ftpserver
[SwitchA-behavior-ftpserver] remark local-precedence 2 //Configure the device to re-mark the local priority of packets destined for 192.168.1.12 with 2.
[SwitchA-behavior-ftpserver] quit
Step 4 Configure a traffic policy and bind the traffic classifiers and traffic behaviors to the traffic
policy.
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier dbserver behavior dbserver
[SwitchA-trafficpolicy-policy1] classifier mailserver behavior mailserver
[SwitchA-trafficpolicy-policy1] classifier ftpserver behavior ftpserver
[SwitchA-trafficpolicy-policy1] quit
Step 5 Apply the traffic policy to GE1/0/1 to re-mark priorities of incoming packets.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy policy1 inbound //Apply the
# Check the traffic policy record. The traffic policy has been successfully applied to GE1/0/1.
[SwitchA] display traffic-policy applied-record policy1
-------------------------------------------------
Policy Name: policy1
Policy Index: 0
Classifier:dbserver Behavior:dbserver
Classifier:mailserver Behavior:mailserver
Classifier:ftpserver Behavior:ftpserver
-------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
acl number 3001
rule 5 permit ip destination 192.168.1.10 0
acl number 3002
rule 5 permit ip destination 192.168.1.11 0
acl number 3003
rule 5 permit ip destination 192.168.1.12 0
#
traffic classifier dbserver operator and
if-match acl 3001
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-2, the Switch connects to the router through GE2/0/1, enterprise
departments 1 and 2 are connected to the Switch through GE1/0/1 and GE1/0/2 and access the
Internet through the Switch and router.
Only data services are transmitted on the network, so services do not need to be differentiated.
With finite network bandwidth, bandwidth of each department in the enterprise needs to be
limited. Enterprise department 1 requires the CIR of 8 Mbit/s and PIR of 10 Mbit/s, and
enterprise department 2 requires the CIR of 5 Mbit/s and PIR of 8 Mbit/s.
Figure 17-2 (figure not reproduced; recoverable labels: Network, Router, GE2/0/1, Traffic direction, Switch, GE1/0/1, GE1/0/2, SwitchA, SwitchB, Department 1, Department 2)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet through the
Switch.
2. Create different CAR profiles and configure the CIRs and PIRs in the CAR profiles, and
apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in the inbound direction
to limit the rate of packets from different enterprise departments.
Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLAN 100 and VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, and add GE1/0/1 to VLAN
100, GE1/0/2 to VLAN 200, and GE2/0/1 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk. The default link type of the interface is not trunk.
# Send traffic at rates of 6000 kbit/s, 9000 kbit/s, and 11000 kbit/s to GE1/0/1 and GE1/0/2,
and run the display qos car statistics command to view traffic statistics. When packets are
sent to GE1/0/1 and GE1/0/2 at a rate of 6000 kbit/s, all packets are forwarded. When packets
are sent to GE1/0/1 and GE1/0/2 at a rate of 9000 kbit/s, all packets on GE1/0/1 are forwarded
and some packets on GE1/0/2 are discarded. When packets are sent to GE1/0/1 and GE1/0/2
at a rate of 11000 kbit/s, some packets on both GE1/0/1 and GE1/0/2 are discarded.
----End
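The forwarding behaviour described above follows from the two-rate three-color marker behind qos car. The following added example (not Huawei code) models a color-blind trTCM with the car1 and car2 parameters from this example's configuration file and feeds it constant-rate streams of constructed 1500-byte frames; a packet is red when the peak bucket cannot cover it, yellow when only the committed bucket is short, and green otherwise, which under green pass / yellow pass / red discard reproduces the three cases above.

```python
# Added example (not Huawei code): a color-blind two-rate three-color marker
# (trTCM) driven with the car1/car2 parameters of this example, to show why a
# constant stream at 6000, 9000 and 11000 kbit/s is passed or partly dropped.
from dataclasses import dataclass


@dataclass(frozen=True)
class CarProfile:
    cir: int  # committed information rate, kbit/s
    pir: int  # peak information rate, kbit/s
    cbs: int  # committed burst size, bytes
    pbs: int  # peak burst size, bytes


# Values taken from the "qos car car1" and "qos car car2" lines of this example.
CAR1 = CarProfile(cir=8192, pir=10240, cbs=1024000, pbs=1280000)
CAR2 = CarProfile(cir=5120, pir=8192, cbs=640000, pbs=1024000)

PACKET_BYTES = 1500  # constructed test traffic: fixed-size frames


class TrTCM:
    """Color-blind trTCM: two token buckets, C filled at CIR and P at PIR."""

    def __init__(self, profile: CarProfile):
        self.profile = profile
        self.tc = float(profile.cbs)  # both buckets start full
        self.tp = float(profile.pbs)

    def refill(self, dt: float) -> None:
        """Add dt seconds worth of tokens (kbit/s to bytes/s is a factor of 125)."""
        self.tc = min(self.profile.cbs, self.tc + self.profile.cir * 125 * dt)
        self.tp = min(self.profile.pbs, self.tp + self.profile.pir * 125 * dt)

    def mark(self, size: int) -> str:
        """Return the color; tokens are consumed only for non-red packets."""
        if self.tp < size:
            return "red"            # above PIR: "red discard"
        if self.tc < size:
            self.tp -= size
            return "yellow"         # between CIR and PIR: "yellow pass"
        self.tc -= size
        self.tp -= size
        return "green"              # within CIR: "green pass"


def police(profile: CarProfile, rate_kbps: int, seconds: float = 120.0,
           packet_bytes: int = PACKET_BYTES) -> dict:
    """Send a constant-rate stream through the marker; count packets per color."""
    meter = TrTCM(profile)
    interval = packet_bytes * 8 / (rate_kbps * 1000)  # seconds between packets
    counts = {"green": 0, "yellow": 0, "red": 0}
    for _ in range(int(seconds / interval)):
        meter.refill(interval)
        counts[meter.mark(packet_bytes)] += 1
    return counts


def drop_ratio(profile: CarProfile, rate_kbps: int, seconds: float = 120.0) -> float:
    """Fraction of packets discarded under 'green pass yellow pass red discard'."""
    counts = police(profile, rate_kbps, seconds)
    return counts["red"] / sum(counts.values())


if __name__ == "__main__":
    for rate in (6000, 9000, 11000):
        print("%d kbit/s -> GE1/0/1 (car1) drop %.3f, GE1/0/2 (car2) drop %.3f"
              % (rate, drop_ratio(CAR1, rate), drop_ratio(CAR2, rate)))
```

At 6000 kbit/s car2 already marks part of the stream yellow because 6000 exceeds its CIR of 5120, but nothing is dropped until the PIR is exceeded, which is the distinction the verification step relies on.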
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100 200
#
qos car car1 cir 8192 pir 10240 cbs 1024000 pbs 1280000
qos car car2 cir 5120 pir 8192 cbs 640000 pbs 1024000
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos car inbound car1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos car inbound car2
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
Relevant Information
Video
Overview
In a traffic policy, access control list (ACL) rules can be used to classify packets. ACLs fall
into basic, advanced, and Layer 2 ACLs. A basic ACL defines rules based on the source IP
address, fragment flag, and time range. Traffic policing is configured in the traffic behavior to
limit the rate of matched packets.
An Access Control List (ACL) consists of one or a set of rules. The rules determine whether
packets match conditions such as source addresses, destination addresses, and port numbers of
packets.
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-3, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. Some servers are deployed in VLAN 10 and high bandwidth is
required; employees need to access the Internet in VLAN 20 only and there are no high
requirements of bandwidth. The company purchases the leased line of 10 Mbit/s from a
carrier. The company requires the bandwidth for Internet access of employees in VLAN 20 in
the range of 2 Mbit/s to 4 Mbit/s, and traffic of which the rate exceeds 4 Mbit/s is discarded.
GigabitEthernet1/0/2 VLAN 20 - - (table row fragment; the rest of the table was not extracted)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. Configure an ACL on the Switch to match traffic from a specified network segment.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch to limit the rate of matched traffic.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to GE1/0/1 connected to SwitchA in the
inbound direction to implement rate limiting.
Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
Configure the IP address of 10.1.20.1/24 for the interface of the router connected to the
switch.
# Configure an ACL on the Switch to match traffic from network segment 192.168.2.0/24.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] quit
# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
# Configure a traffic behavior on the Switch to limit the rate of matched traffic.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2048 pir 4096 //Set the CIR to 2 Mbit/s and PIR to 4 Mbit/s.
[Switch-behavior-b1] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
car cir 2048 pir 4096 cbs 256000 pbs 512000 mode color-blind green pass
yellow pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
Relevant Information
Video
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-4, enterprise users connect to external network devices through
GE2/0/1 of the switch.
During work hours from 8:30 to 18:00, the Internet access rate of employees needs to be
limited within 4 Mbit/s.
Figure 17-4 Networking for configuring rate limiting in a specified time range
(figure not reproduced; recoverable labels: HostA 192.168.1.10/24, HostB 192.168.1.11/24, HostC 192.168.1.12/24, LSW, Switch, GE1/0/1, GE2/0/1, Router, Internet, Enterprise campus network, Traffic direction)
Configuration Roadmap
The traffic policy based on the time range is used to implement rate limiting. The
configuration roadmap is as follows:
1. Configure interfaces so that enterprise users can access the Internet through the Switch.
2. Configure a time range and reference the time range in an ACL.
3. Configure an ACL to match traffic passing the device in the specified time range.
4. Configure a traffic policy to limit the rate of packets matching ACL rules.
5. Apply the traffic policy to GE1/0/1 in the inbound direction.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them to VLAN
10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit
NOTE
Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.
NOTE
On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24, and configure a sub-interface on the interface to terminate the VLAN.
Step 2 Create a periodic time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day //Define the work hours.
Step 3 Configure ACL 2001 and define three rules to limit the bandwidth of packets from
192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time //Limit the rate of packets from 192.168.1.10 at work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time //Limit the rate of packets from 192.168.1.11 at work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time //Limit the rate of packets from 192.168.1.12 at work hours.
[Switch-acl-basic-2001] quit
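Whether a packet is rate-limited here depends on two things that are easy to get wrong: the wildcard mask (a bare 0 means exact host match, 0.0.0.255 means the whole /24) and the time range, outside of which the ACL rule simply does not match and the traffic policy does not apply. The following added example (not Huawei code) evaluates rules written in the form used on this page against a constructed packet; it assumes working-day means Monday to Friday and that both ends of the time range are inclusive.

```python
# Added example (not Huawei code): first-match evaluation of the basic/advanced
# ACL rules and the time-range used in this example, to show how the wildcard
# mask and the work-hour restriction decide whether a packet is subject to the
# rate-limiting traffic policy.
import ipaddress
from datetime import datetime

# Configuration lines from this example, embedded here as input.
TIME_RANGE_LINES = [
    "time-range working_time 08:30 to 18:00 working-day",
]
ACL_2001_LINES = [
    "rule 5 permit source 192.168.1.10 0 time-range working_time",
    "rule 10 permit source 192.168.1.11 0 time-range working_time",
    "rule 15 permit source 192.168.1.12 0 time-range working_time",
]


def parse_time_ranges(lines):
    """Map a time-range name to (start 'HH:MM', end 'HH:MM', day specifier)."""
    ranges = {}
    for line in lines:
        _, name, start, _to, end, days = line.split()
        ranges[name] = (start, end, days)
    return ranges


def in_time_range(time_range, when):
    """Assumption: working-day is Monday to Friday; both ends are inclusive."""
    start, end, days = time_range
    if days == "working-day" and when.weekday() > 4:
        return False
    return start <= when.strftime("%H:%M") <= end  # HH:MM compares lexically


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: 0 bits must match, 1 bits are don't-care.
    A bare '0' (as in 'source 192.168.1.10 0') means an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line):
    """Parse 'rule [id] permit|deny [ip] [source A W] [destination A W] [time-range NAME]'."""
    parts = line.split()
    i = 1
    rule_id = None
    if parts[i].isdigit():
        rule_id = int(parts[i])
        i += 1
    rule = {"id": rule_id, "action": parts[i], "source": None,
            "destination": None, "time_range": None}
    i += 1
    while i < len(parts):
        tok = parts[i]
        if tok in ("source", "destination"):
            rule[tok] = (parts[i + 1], parts[i + 2])
            i += 3
        elif tok == "time-range":
            rule["time_range"] = parts[i + 1]
            i += 2
        else:
            i += 1  # protocol keyword such as 'ip' in an advanced ACL
    return rule


def acl_action(rule_lines, time_range_lines, src, dst, when):
    """First-match evaluation. Returns 'permit', 'deny', or None when no rule
    matches; an unmatched packet is not handed to the traffic behavior at all."""
    ranges = parse_time_ranges(time_range_lines)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in (parse_rule(line) for line in rule_lines):
        if rule["source"] and not wildcard_match(src, *rule["source"]):
            continue
        if rule["destination"] and not wildcard_match(dst, *rule["destination"]):
            continue
        if rule["time_range"] and not in_time_range(ranges[rule["time_range"]], when):
            continue
        return rule["action"]
    return None


if __name__ == "__main__":
    # Constructed packets: 2016-10-25 is a Tuesday, 2016-10-29 a Saturday.
    for when in ("2016-10-25 10:00", "2016-10-25 19:00", "2016-10-29 10:00"):
        print(when, acl_action(ACL_2001_LINES, TIME_RANGE_LINES,
                               "192.168.1.11", "203.0.113.10", when))
```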
Step 6 Configure a traffic policy and apply the traffic policy to GE1/0/1 in the inbound direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 2001
rule 5 permit source 192.168.1.10 0 time-range working_time
rule 10 permit source 192.168.1.11 0 time-range working_time
rule 15 permit source 192.168.1.12 0 time-range working_time
#
traffic classifier c1 operator or precedence 5
if-match acl 2001
#
traffic behavior b1
permit
car cir 4096 pir 4096 cbs 770048 pbs 1282048 mode color-blind green pass yellow
pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
In this example, traffic classifiers are configured based on VLAN IDs and different CIR
values are configured so that the device allocates different bandwidth to service flows.
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-5, the Switch connects to the router through GE2/0/1, and the
enterprise connects to the Internet through the Switch and router.
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100
respectively.
Traffic policing needs to be configured on the Switch to police packets of different services so
that traffic is limited within a proper range and bandwidth of each service is guaranteed.
Voice, video, and data services have QoS requirements in descending order of priority. The
Switch needs to re-mark DSCP priorities in different service packets so that the downstream
router processes them based on priorities, ensuring QoS of different services.
Table 17-6 describes the QoS requirements.
Figure 17-5 (figure not reproduced; recoverable labels: Phone VLAN 120, PC VLAN 100, TV VLAN 110, LSW, Switch, GE1/0/1, GE2/0/1, Router, Network, Enterprise campus network, Traffic direction)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that the enterprise can access the Internet
through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN IDs.
3. Configure traffic behaviors on the Switch to limit the rate of packets and re-mark DSCP
priorities of packets.
4. Configure a traffic policy on the Switch, bind traffic behaviors and traffic classifiers, and
apply the traffic policy to the interface on the Switch connected to the LSW.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100, VLAN
110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet2/0/1] quit
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Switch, bind the traffic classifiers and traffic behaviors to
the traffic policy, and apply the traffic policy to GE1/0/1 in the inbound direction to police
packets from the enterprise and re-mark the packet priorities.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Classifier: c3
Precedence: 15
Operator: AND
Rule(s) : if-match vlan-id 100
Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match vlan-id 120
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Permit
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP af13
Statistic: enable
Classifier: c1
Operator: AND
Behavior: b1
Permit
Committed Access Rate:
CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP ef
Statistic: enable
# Check information about the traffic policy that is applied to the interface. GE1/0/1 is used as
an example.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: -
---------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and precedence 5
if-match vlan-id 120
traffic classifier c2 operator and precedence 10
if-match vlan-id 110
traffic classifier c3 operator and precedence 15
if-match vlan-id 100
#
traffic behavior b1
permit
car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow
pass red discard
remark dscp ef
statistic enable
traffic behavior b2
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow
pass red discard
remark dscp af33
statistic enable
traffic behavior b3
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow
pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return
Relevant Information
Video
Configure VLAN-based Rate Limiting
finite bandwidth. Traffic policing is configured on the headquarters edge device to limit the
packet sending rate. In this situation, traffic shaping can be configured on the branch edge
device to cache excess packets, preventing packet loss.
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-6, the Switch is connected to the router through GE2/0/1. The 802.1p
priorities of voice, video, and data services are 6, 5, and 2, and these services can reach
residential users through the router and Switch. The transmission rate of traffic from the
enterprise campus network is higher than the transmission rate of traffic from the router;
therefore, jitter may occur on GE2/0/1. The requirements are as follows to prevent jitter and
ensure bandwidth of services:
Figure 17-6 (figure residue; labels only): Phone (802.1p=6), PC, TV (802.1p=5), Enterprise campus network, Switch GE1/0/1 and GE2/0/1, Network, Traffic direction.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet through the
Switch.
2. Configure priority mapping to map 802.1p priorities of different service packets to
PHBs.
3. Configure traffic shaping on an interface to limit the total bandwidth of the interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of voice,
video, and data services.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit
NOTE
On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24, and configure
a sub-interface on the interface to terminate the VLAN.
# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, and 2 to PHBs CS7, EF, and
AF2 respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb cs7 //Map 802.1p priorities of different service flows to PHBs so that the service flows enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb ef
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af2
[Switch-dsdomain-ds1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] trust upstream ds1
[Switch-GigabitEthernet1/0/1] quit
# Configure traffic shaping on an interface of the Switch to limit the CIR of the interface to
10000 kbit/s.
# After the configuration is complete, the CIR of packets sent from GE2/0/1 is 10000 kbit/s;
the CIR of the voice service packets is 3000 kbit/s and PIR is 5000 kbit/s; the CIR of the
video service packets is 5000 kbit/s and the PIR is 8000 kbit/s; the CIR of the data service
packets is 2000 kbit/s and the PIR is 3000 kbit/s.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
diffserv domain ds1
8021p-inbound 6 phb cs7 green
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 cbs 1250000 outbound
qos queue 2 shaping cir 2000 pir 3000
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-7, the Switch is connected to the router through GE2/0/1. The 802.1p
priorities of voice, video, and data services from the Internet are 6, 5, and 2, and these
services can reach residential users through the router and Switch. On the Switch, the rate of
GE2/0/1 (inbound interface) is higher than the rates of GE1/0/1 and GE1/0/2 (outbound
interfaces), so congestion may occur on the two outbound interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to Table 17-9 and Table 17-10.
Table 17-9 (fragment; columns: Service, Color, Low limit, High limit, Discard percentage, matching the drop-profile parameters in the configuration file below):
Video | Yellow | 60 | 80 | 20
Data | Red | 40 | 60 | 40
Table 17-10 (fragment; columns: Service, PHB, Weight):
Voice | EF | 0
Data | AF1 | 50
Figure 17-7 (figure residue; labels only): Internet, Router, Switch GE2/0/1 (inbound), Switch GE1/0/1 and GE1/0/2 (outbound) to two LSWs, each serving a PC (802.1p=2), a TV (802.1p=5) and a Phone (802.1p=6).
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with each other
at the link layer.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different service
packets to PHBs and colors, and bind the DiffServ domain to the inbound interface of the
Switch.
3. Configure a WRED profile on the Switch and apply the WRED profile to the outbound
interfaces.
4. Set scheduling parameters of each queue on the outbound interface of the Switch.
Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each other at the
link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 5 6
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet2/0/1] quit
# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, 2 to PHBs of EF, AF3, and AF1
and colors of green, yellow, and red respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green //Create a DiffServ domain to map 802.1p priorities of different service packets to PHBs so that packets enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit
# Create a WRED profile wred1 on the Switch and set scheduling parameters in the WRED
profile.
# Apply the WRED profile wred1 to GE1/0/1 and GE1/0/2 on the Switch.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/2] quit
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
trust upstream ds1
trust 8021p inner
#
return
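The following Python script is an added example and is not part of the Huawei guide: it evaluates the drop-profile wred1 and the 802.1p-to-color mapping of DiffServ domain ds1 exactly as they appear in the configuration file above, to show which service is dropped first as an outbound queue fills. The WRED curve used (no drops below low-limit, a linear ramp up to discard-percentage between the limits, all packets dropped above high-limit) is the standard WRED behaviour and is an assumption of the example; the queue occupancies are constructed.

```python
# Added example (not from the Huawei guide): WRED drop-profile evaluation for the
# "drop-profile wred1" and "diffserv domain ds1" settings in the configuration file.

# drop-profile wred1: color -> (low-limit, high-limit, discard-percentage)
WRED1 = {
    "green":  (80, 100, 10),
    "yellow": (60, 80, 20),
    "red":    (40, 60, 40),
}

# diffserv domain ds1: 802.1p priority -> (PHB, color, service carrying that
# priority in this scenario)
DS1 = {
    6: ("ef",  "green",  "voice"),
    5: ("af3", "yellow", "video"),
    2: ("af1", "red",    "data"),
}


def drop_probability(color, queue_length_pct, profile=WRED1):
    """Drop probability (percent) for a packet of the given color when the queue
    is queue_length_pct percent full. Assumed WRED semantics: below low-limit
    nothing is dropped; between the limits the probability rises linearly from 0
    to discard-percentage; above high-limit every packet is dropped (tail drop)."""
    low, high, max_drop = profile[color]
    if queue_length_pct < low:
        return 0.0
    if queue_length_pct > high:
        return 100.0
    return round(max_drop * (queue_length_pct - low) / (high - low), 2)


def service_drop_table(queue_length_pct):
    """Map each 802.1p priority through ds1 to its color and return
    {service: drop probability} for the given queue occupancy."""
    return {service: drop_probability(color, queue_length_pct)
            for _phb, color, service in DS1.values()}


def first_service_dropped(profile=WRED1, mapping=DS1):
    """The service whose packets start being dropped at the lowest queue
    occupancy, i.e. the one whose color has the lowest low-limit."""
    return min(mapping.values(), key=lambda v: profile[v[1]][0])[2]


if __name__ == "__main__":
    for pct in (30, 50, 70, 90, 100):  # constructed queue occupancies (percent)
        print(pct, service_drop_table(pct))
    print("dropped first:", first_service_dropped())
```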
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-8, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. Servers are deployed in VLAN 10 to provide services for internal and
external users, and office services of employees are transmitted in VLAN 20. The company
requires that employees in VLAN 20 access only servers in VLAN 10 during the working
time (8:00 to 18:00).
Figure 17-8 Preventing employees from accessing the Internet at the specified time
Figure 17-8 (figure residue; labels only): RouterA 10.1.20.1/24, RouterB 10.1.30.1/24, VLAN 10 192.168.1.0/24, VLAN 20 192.168.2.0/24, SwitchA (GE1/0/1, GE1/0/2, GE1/0/3), Switch (GE1/0/1, GE1/0/2, GE1/0/3), GE0/0/3, Network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. On the Switch, configure a time range 8:00-18:00 from Monday to Friday so that the
device can control traffic based on the time range.
3. On the Switch, configure an ACL to match the traffic when employees in VLAN 20
access servers in VLAN 10 based on the time range.
4. Configure a traffic classifier on the Switch to classify packets based on the ACL.
5. Configure a traffic behavior on the Switch to permit matched traffic to pass through.
6. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to the inbound direction of GE1/0/1
connected to SwitchA so that employees in VLAN 20 cannot access the Internet during
the working time and can access the Internet during the non-working time.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the
interface to trunk.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the
interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the
interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the
interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
Step 6 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
NOTE
If the time of the device is within the defined time range, the time range in the ACL rule is displayed as
Active; otherwise, the time range in the ACL rule is displayed as Inactive.
# Employees in VLAN 20 cannot access the public network during the working time, and can
access servers in VLAN 10.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
time-range worktime 08:00 to 18:00 working-day
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range worktime
rule 10 deny ip source 192.168.2.0 0.0.0.255 time-range worktime
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif40
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 40
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
ip route-static 0.0.0.0 0.0.0.0 10.1.30.1
#
return
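The following Python script is an added example and is not part of the Huawei guide: it evaluates ACL 3000 and time-range worktime as written in the configuration file above, applying the rules in rule-number order (match-order config), treating a rule whose time range is not active as if it did not exist, and reporting the forwarding outcome of traffic policy p1 (a matched deny rule is dropped; a matched permit rule, or no match at all, is forwarded). The addresses and timestamps in the checks are constructed, and 18:00 is assumed to be the exclusive end of the time range.

```python
# Added example (not from the Huawei guide): evaluates ACL 3000 with time-range
# worktime from the configuration file, to check which flows policy p1 affects.
import ipaddress
from datetime import datetime, time

# acl number 3000, in rule-number order (match-order config). Each entry:
# (rule number, action, (source, wildcard), (destination, wildcard) or None, time-range)
ACL_3000 = [
    (5,  "permit", ("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"), "worktime"),
    (10, "deny",   ("192.168.2.0", "0.0.0.255"), None,                         "worktime"),
]


def in_wildcard(addr, base, wildcard):
    """Huawei ACL wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def time_range_active(name, when):
    """time-range worktime 08:00 to 18:00 working-day: Monday to Friday,
    from 08:00 up to (assumed exclusive) 18:00."""
    if name == "worktime":
        return when.weekday() < 5 and time(8, 0) <= when.time() < time(18, 0)
    raise KeyError(name)


def _as_datetime(when):
    """Accept a datetime or an ISO 8601 string such as '2016-10-31T10:00'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def match_rule(src, dst, when):
    """Return the first ACL rule (number, action) that matches, or None."""
    when = _as_datetime(when)
    for number, action, source, destination, trange in ACL_3000:
        if trange and not time_range_active(trange, when):
            continue  # rule is shown as Inactive outside its time range
        if not in_wildcard(src, *source):
            continue
        if destination and not in_wildcard(dst, *destination):
            continue
        return number, action
    return None


def forwarding_decision(src, dst, when):
    """Outcome of traffic policy p1 on GE1/0/1 inbound: matched deny rule ->
    dropped; matched permit rule -> behavior b1 (permit) -> forwarded; no match
    -> the policy takes no action and the packet is forwarded."""
    rule = match_rule(src, dst, when)
    if rule and rule[1] == "deny":
        return "dropped"
    return "forwarded"


if __name__ == "__main__":
    # constructed checks: a VLAN 20 employee PC, a VLAN 10 server, an external host
    for when in ("2016-10-31T10:00", "2016-10-31T20:00", "2016-11-05T10:00"):
        print(when,
              forwarding_decision("192.168.2.50", "192.168.1.10", when),
              forwarding_decision("192.168.2.50", "203.0.113.10", when))
```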
Ping packets are ICMP packets, so you can define ICMP in an advanced ACL to match ping
packets. When a traffic policy is used to collect statistics on ping packets, an ACL is used to
classify packets and the traffic statistics action is defined for matched packets. The statistics
help locate the fault.
l If the numbers of received and forwarded ping packets on a device are the same, ping
packets are forwarded normally and no packet loss occurs. If the number of received
ping packets is larger than the number of forwarded ping packets, packet loss occurs on
the device.
l If the number of sent ping packets is equal to the number of received ping packets on an
interface, ping packets are forwarded normally and no packet loss occurs on the link of the
interface. If the number of sent ping packets is larger than the number of received ping
packets on the interface, packet loss occurs on the link of the interface. In this case, the
remote device needs to be configured to collect packet statistics for fault location.
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-9, the PC cannot access the server. The device where data flows pass
needs to be configured to collect statistics on ping packets so that the fault point can be
located.
Figure 17-9 (figure residue; labels only): Switch GE1/0/1 and GE1/0/2, both in VLAN 10.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to ensure network connectivity.
2. Configure ACLs to match ICMP packets exchanged between the PC and server.
3. Configure traffic classifiers to classify packets based on the ACLs.
4. Configure traffic behaviors and define the traffic statistics action.
5. Configure traffic policies, bind the traffic classifiers and traffic behaviors to the traffic
policies, and apply the traffic policies to inbound and outbound directions of GE1/0/1
and GE1/0/2 of the Switch.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the link type of the
interface to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 10
[Switch-GigabitEthernet1/0/2] quit
# Configure the PC's gateway address 10.1.1.2/24 for the interface of the router connected to
the Switch, and configure the IP address 10.1.2.1/24 for the interface of the router connected
to the server.
Step 2 Configure ACLs.
# Configure ACL rules on the Switch to match ICMP packets exchanged between the PC and
server.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 //Configure an ACL rule to permit packets from the PC to the server.
[Switch-acl-adv-3001] quit
[Switch] acl 3002
Step 5 Configure traffic policies and apply the traffic policies to interfaces.
# Create traffic policies p1 and p2 on the Switch, bind the traffic behaviors and traffic
classifiers to the traffic policies, apply the traffic policy p1 to the inbound direction of
GE1/0/1 and outbound direction of GE1/0/2, and apply the traffic policy p2 to the outbound
direction of GE1/0/1 and inbound direction of GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] traffic policy p2
[Switch-trafficpolicy-p2] classifier c2 behavior b2
[Switch-trafficpolicy-p2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] traffic-policy p2 outbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
[Switch-GigabitEthernet1/0/2] quit
Policy: p2
Classifier: c2
Operator: AND
Behavior: b2
Permit
Statistic: enable
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable
# Ping the server from the PC and check the traffic statistics in the inbound and outbound
directions of GE1/0/1 and GE1/0/2 on the Switch. Here, check the traffic statistics in the
inbound direction of GE1/0/1.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Matched indicates the numbers of packets and bytes matching the traffic classifier, and
Passed indicates the numbers of forwarded packets and bytes matching the traffic classifier.
The following table describes the traffic statistics.
----End
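The following Python script is an added example and is not part of the Huawei guide: it parses the text output of display traffic policy statistics shown above and applies the two comparisons from the ping-statistics description at the start of this section (received versus forwarded on one device, sent versus received across a link) to report where ping packets are being lost. The two output samples and their counter values are constructed; the second is trimmed to the counters the comparison needs.

```python
# Added example (not from the Huawei guide): parse "display traffic policy
# statistics" output and apply the packet-loss comparisons described above.
import re

# Constructed output for GE1/0/1 inbound (policy p1, PC -> server ping requests),
# in the format shown in this section; the counter values are made up.
GE1_IN = """\
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 120
        | Bytes: 11520
        | Rate(pps): 1
        | Rate(bps): 768
---------------------------------------------------------------------
Passed | Packets: 120
       | Bytes: 11520
       | Rate(pps): 1
       | Rate(bps): 768
---------------------------------------------------------------------
Dropped | Packets: 0
        | Bytes: 0
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
"""

# Constructed output for GE1/0/2 outbound (same policy p1, the same ping requests
# leaving the Switch), trimmed to the counters the comparison needs.
GE2_OUT = """\
Interface: GigabitEthernet1/0/2
Traffic policy outbound: p1
Matched | Packets: 117
        | Bytes: 11232
Passed | Packets: 117
       | Bytes: 11232
Dropped | Packets: 0
        | Bytes: 0
"""

_HEADER = re.compile(r"^(Interface|Traffic policy (?:inbound|outbound)):\s*(\S+)")
_COUNTER = re.compile(r"^(Matched|Passed|Dropped|Filter|Car)?\s*\|\s*([A-Za-z()]+):\s*(\d+)")


def parse_policy_statistics(text):
    """Return a dict such as {'Interface': 'GigabitEthernet1/0/1',
    'Traffic policy inbound': 'p1', 'Matched': {'Packets': 120, ...}, ...}.
    Continuation lines start with '|' and belong to the last named section."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            stats[m.group(1)] = m.group(2)
            continue
        m = _COUNTER.match(line)
        if m:
            if m.group(1):
                section = m.group(1)
            stats.setdefault(section, {})[m.group(2)] = int(m.group(3))
    return stats


def device_loss(ingress, egress):
    """First comparison in the text: ping packets received on the ingress interface
    (Matched, inbound policy) versus ping packets forwarded on the egress interface
    (Passed, outbound policy) of the same device."""
    received = ingress["Matched"]["Packets"]
    forwarded = egress["Passed"]["Packets"]
    if received == forwarded:
        return "no loss on device"
    if received > forwarded:
        return "packet loss on device"
    return "counters inconsistent"


def link_loss(local_egress, remote_ingress):
    """Second comparison: packets sent on this device's interface (Passed, outbound)
    versus packets received on the remote device's interface (Matched, inbound);
    the remote device must collect statistics too."""
    sent = local_egress["Passed"]["Packets"]
    received = remote_ingress["Matched"]["Packets"]
    if sent == received:
        return "no loss on link"
    if sent > received:
        return "packet loss on link"
    return "counters inconsistent"


if __name__ == "__main__":
    ingress, egress = parse_policy_statistics(GE1_IN), parse_policy_statistics(GE2_OUT)
    print(ingress["Interface"], ingress["Matched"], "->", egress["Interface"], egress["Passed"])
    print(device_loss(ingress, egress))
```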
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
acl number 3001
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0
acl number 3002
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3001
traffic classifier c2 operator and precedence 10
if-match acl 3002
#
traffic behavior b1
permit
statistic enable
traffic behavior b2
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
traffic policy p2 match-order config
classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy p1 inbound
traffic-policy p2 outbound
#
interface GigabitEthernet1/0/2
port link-type access
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-10, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. The network administrator wants to determine whether the host at
192.168.2.200/24 in VLAN 20 can access the server at 192.168.1.100/24 in VLAN 10.
Figure 17-10 (figure and table residue; labels only): SwitchA, Switch, Router, Network, GE0/0/3, GE1/0/1, GE1/0/2, VLAN 20 192.168.2.0/24; table fragment: GigabitEthernet1/0/2 | VLAN 20 | - | -.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking.
2. Configure an ACL on the Switch to match specified traffic.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch to collect statistics on matched packets.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic classifier
and traffic behavior, and apply the traffic policy to GE1/0/1 connected to SwitchA in the
inbound direction.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the
interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the
interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the
interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN
30.
[Switch-GigabitEthernet1/0/2] quit
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the
interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN
10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the
interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the
interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Matched indicates the numbers of packets and bytes matching the traffic classifier, and
Passed indicates the numbers of forwarded packets and bytes matching the traffic classifier. If
the values of Matched and Passed are not 0, the host at 192.168.2.200 in VLAN 20 has
accessed the server at 192.168.1.100 in VLAN 10.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 17-11, the Switch connects to SwitchA, and SwitchA connects to the
router. Guests can connect to the enterprise network in guest areas of office buildings 1, 2, and
3. Guests can access the public file server and the Internet, but cannot access the confidential
file server and financial department server.
Figure 17-11 (figure residue; labels only): Guest area of office building 2 (10.1.2.0/24), Guest area of office building 3 (10.1.3.0/24), Switch (GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4), SwitchA (GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5), Router, Internet, Financial department server 10.1.7.0/24, Enterprise campus network, Traffic direction.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol so that the enterprise can
access the Internet.
2. Configure ACLs on the Switch to match packets from guest areas.
3. Configure traffic classifiers on the Switch to classify packets based on ACLs.
4. Configure traffic behaviors on the Switch to re-mark flow IDs of packets matching
ACLs.
5. Configure a traffic policy that contains flow ID re-marking on the Switch, bind the traffic
behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the
Switch globally in the inbound direction.
6. Configure traffic classifiers on the Switch to classify packets from guest areas based on
flow IDs.
7. Configure traffic behaviors on the Switch to permit or reject packets from guest areas to
implement access control.
8. Configure a traffic policy for access control on the Switch, bind the traffic behaviors and
traffic classifiers to the traffic policy, and apply the traffic policy to the interfaces on the
Switch connected to guest areas in the inbound direction.
Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol (the static route is used here).
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the interface as
an access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 30
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as
a trunk interface.
[Switch-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30 40
[Switch-GigabitEthernet1/0/4] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 10.1.1.1 255.255.255.0 //Configure an IP address
for the VLANIF interface.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.4.1 255.255.255.0
[Switch-Vlanif40] quit
[Switch] ip route-static 10.1.5.0 255.255.255.0 10.1.4.2 //Configure a static
route.
[Switch] ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.8.0 255.255.255.0 10.1.4.2
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 40 50 60 70 80 //Create VLAN 40 to VLAN 80.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk //Configure the interface as
a trunk interface.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 40 50 60 70 80
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access //Configure the interface
as an access interface.
[SwitchA-GigabitEthernet1/0/2] port default vlan 50
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 60
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 70
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type access
[SwitchA-GigabitEthernet1/0/5] port default vlan 80
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 40 //Create a VLANIF interface.
[SwitchA-Vlanif40] ip address 10.1.4.2 255.255.255.0 //Configure an IP address
for the VLANIF interface.
[SwitchA-Vlanif40] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 10.1.5.1 255.255.255.0
[SwitchA-Vlanif50] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.1.6.1 255.255.255.0
[SwitchA-Vlanif60] quit
[SwitchA] interface vlanif 70
[SwitchA-Vlanif70] ip address 10.1.7.1 255.255.255.0
[SwitchA-Vlanif70] quit
[SwitchA] interface vlanif 80
[SwitchA-Vlanif80] ip address 10.1.8.1 255.255.255.0
[SwitchA-Vlanif80] quit
[SwitchA] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1 //Configure a static
route.
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 10.1.4.1
# Configure an ACL rule to match packets sent from the guest area to the financial
department server.
[Switch] acl name non-access-finance
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] quit
# Configure an ACL rule to match packets sent from the guest area to the public file server.
[Switch] acl name access-file
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] quit
# Configure an ACL rule to match packets sent from the guest area to the external network.
[Switch] acl name access-internet
[Switch-acl-adv-access-internet] rule permit tcp destination-port eq 80
[Switch-acl-adv-access-internet] quit
mark the flow ID of packets sent from the guest area to the external network with
4.
[Switch-behavior-access-internet] quit
Step 5 Configure a traffic policy that contains flow ID re-marking and apply the traffic policy
globally in the inbound direction.
# Create the traffic policy flow-id on the Switch, bind the traffic classifiers and traffic
behaviors to the traffic policy, and apply the traffic policy globally in the inbound direction.
[Switch] traffic policy flow-id
[Switch-trafficpolicy-flow-id] classifier non-access-file behavior non-access-file
[Switch-trafficpolicy-flow-id] classifier non-access-finance behavior non-access-finance
[Switch-trafficpolicy-flow-id] classifier access-file behavior access-file
[Switch-trafficpolicy-flow-id] classifier access-internet behavior access-internet
[Switch-trafficpolicy-flow-id] quit
[Switch] traffic-policy flow-id global inbound
# Configure traffic classifiers on the Switch to classify packets from guest areas based on flow
IDs.
[Switch] traffic classifier flow-id1 operator and
[Switch-classifier-flow-id1] if-match flow-id 1 //Configure the device to match packets with the flow ID of 1, that is, packets sent from the guest area to the confidential file server.
[Switch-classifier-flow-id1] quit
[Switch] traffic classifier flow-id2 operator and
[Switch-classifier-flow-id2] if-match flow-id 2 //Configure the device to match packets with the flow ID of 2, that is, packets sent from the guest area to the financial department server.
[Switch-classifier-flow-id2] quit
[Switch] traffic classifier flow-id3 operator and
[Switch-classifier-flow-id3] if-match flow-id 3 //Configure the device to match packets with the flow ID of 3, that is, packets sent from the guest area to the public file server.
[Switch-classifier-flow-id3] quit
[Switch] traffic classifier flow-id4 operator and
[Switch-classifier-flow-id4] if-match flow-id 4 //Configure the device to match packets with the flow ID of 4, that is, packets sent from the guest area to the external network.
[Switch-classifier-flow-id4] quit
Step 8 Configure a traffic policy for access control and apply the traffic policy to an interface.
# Create the traffic policy access_policy on the Switch, bind the traffic behaviors and traffic
classifiers to the traffic policy, and apply the traffic policy to GE1/0/1, GE1/0/2, and GE1/0/3
in the inbound direction to limit access of guest areas.
[Switch] traffic policy access_policy
[Switch-trafficpolicy-access_policy] classifier flow-id1 behavior flow-id1
[Switch-trafficpolicy-access_policy] classifier flow-id2 behavior flow-id2
[Switch-trafficpolicy-access_policy] classifier flow-id3 behavior flow-id3
[Switch-trafficpolicy-access_policy] classifier flow-id4 behavior flow-id4
[Switch-trafficpolicy-access_policy] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/3] quit
Classifier: flow-id2
Precedence: 30
Operator: AND
Rule(s) : if-match flow-id 2
Classifier: flow-id3
Precedence: 35
Operator: AND
Classifier: flow-id4
Precedence: 40
Operator: AND
Rule(s) : if-match flow-id 4
Classifier: non-access-file
Precedence: 5
Operator: AND
Rule(s) : if-match acl non-access-file
Classifier: non-access-finance
Precedence: 10
Operator: AND
Rule(s) : if-match acl non-access-finance
Classifier: access-file
Precedence: 15
Operator: AND
Rule(s) : if-match acl access-file
Classifier: access-internet
Precedence: 20
Operator: AND
Rule(s) : if-match acl access-internet
Policy: access_policy
Classifier: flow-id1
Operator: AND
Behavior: flow-id1
Deny
Classifier: flow-id2
Operator: AND
Behavior: flow-id2
Deny
Classifier: flow-id3
Operator: AND
Behavior: flow-id3
Permit
Classifier: flow-id4
Operator: AND
Behavior: flow-id4
Permit
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
acl name access-internet 3996
rule 5 permit tcp destination-port eq www
acl name access-file 3997
rule 5 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp
acl name non-access-finance 3998
rule 5 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp
acl name non-access-file 3999
rule 5 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp-data
rule 10 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp
#
traffic classifier access-file operator and precedence 15
if-match acl access-file
traffic classifier access-internet operator and precedence 20
if-match acl access-internet
traffic classifier flow-id1 operator and precedence 25
if-match flow-id 1
traffic classifier flow-id2 operator and precedence 30
if-match flow-id 2
traffic classifier flow-id3 operator and precedence 35
if-match flow-id 3
traffic classifier flow-id4 operator and precedence 40
if-match flow-id 4
traffic classifier non-access-file operator and precedence 5
if-match acl non-access-file
traffic classifier non-access-finance operator and precedence 10
if-match acl non-access-finance
#
traffic behavior access-file
permit
remark flow-id 3
traffic behavior access-internet
permit
remark flow-id 4
traffic behavior flow-id1
deny
traffic behavior flow-id2
deny
traffic behavior flow-id3
permit
traffic behavior flow-id4
permit
traffic behavior non-access-file
permit
remark flow-id 1
traffic behavior non-access-finance
permit
remark flow-id 2
#
traffic policy access_policy match-order config
classifier flow-id1 behavior flow-id1
classifier flow-id2 behavior flow-id2
classifier flow-id3 behavior flow-id3
classifier flow-id4 behavior flow-id4
traffic policy flow-id match-order config
classifier non-access-file behavior non-access-file
classifier non-access-finance behavior non-access-finance
classifier access-file behavior access-file
classifier access-internet behavior access-internet
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
traffic-policy access_policy inbound
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
ip route-static 10.1.5.0 255.255.255.0 10.1.4.2
ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
ip route-static 10.1.8.0 255.255.255.0 10.1.4.2
#
traffic-policy flow-id global inbound
#
return
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 40 50 60 70 80
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
interface Vlanif60
ip address 10.1.6.1 255.255.255.0
#
interface Vlanif70
ip address 10.1.7.1 255.255.255.0
#
interface Vlanif80
ip address 10.1.8.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40 50 60 70 80
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 50
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 60
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 70
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 80
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.1
#
return
Configuration Notes
NOTE
To know details about software mappings, see Switch Software Mapping Search.
An ACL is often used with a traffic policy. A traffic policy binds a traffic classifier that matches an ACL to the traffic behavior, such as permit or deny, associated with that classifier.
The permit/deny actions in an ACL and the traffic behavior in a traffic policy interact as follows.
A switch permits packets by default. To reject packets between network segments, define the packets to be rejected in the ACL (with deny rules) and keep the permit action in the traffic behavior. If the rule permit command is used without match conditions, all packets match this rule; if the traffic behavior then defines the deny action, the switch discards all packets, causing service interruptions.
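The interaction just described, worked through as an added Python model (not Huawei code): an ACL deny rule discards the packet, an ACL permit rule hands the packet to the traffic behavior, and a packet matching no rule is forwarded by default. The rules are constructed to mirror ACL 3000 of the example that follows; the last function checks for the rule permit plus behavior deny pitfall.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AclRule:
    """One advanced ACL rule: action plus source/destination given as address and
    Huawei-style wildcard mask (a 1 bit in the wildcard means "don't care")."""
    number: int
    action: str                          # "permit" or "deny"
    source: str = "0.0.0.0"
    source_wildcard: str = "255.255.255.255"
    dest: str = "0.0.0.0"
    dest_wildcard: str = "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks as significant (0) is equal."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((int(IPv4Address(addr)) ^ int(IPv4Address(base))) & care) == 0


def acl_lookup(rules, src: str, dst: str):
    """First matching rule in rule-number order wins; None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (wildcard_match(src, rule.source, rule.source_wildcard)
                and wildcard_match(dst, rule.dest, rule.dest_wildcard)):
            return rule
    return None


def policy_decision(rules, behavior: str, src: str, dst: str):
    """Outcome for one packet under 'if-match acl' plus a traffic behavior, modelled on
    the Configuration Notes: ACL deny discards; ACL permit applies the behavior
    (permit/deny); no ACL match falls back to the switch default of permit."""
    rule = acl_lookup(rules, src, dst)
    if rule is None:
        return "permit", "no ACL match, switch permits by default"
    if rule.action == "deny":
        return "deny", f"ACL rule {rule.number} deny"
    return behavior, f"ACL rule {rule.number} permit, behavior {behavior}"


# Constructed to mirror ACL 3000 in the Switch configuration file of this example.
ACL_3000 = [
    AclRule(5, "deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    AclRule(10, "permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    AclRule(15, "permit"),               # 'rule 15 permit ip': everything else
]


def audit(rules, behavior: str, flows):
    """Evaluate (src, dst) flows and return {flow: action}."""
    return {(s, d): policy_decision(rules, behavior, s, d)[0] for s, d in flows}


def blackholes_all_traffic(rules, behavior: str) -> bool:
    """The pitfall from the notes: a catch-all permit rule combined with a deny
    behavior makes the policy discard every packet that reaches it."""
    catch_all = any(r.action == "permit"
                    and r.source_wildcard == "255.255.255.255"
                    and r.dest_wildcard == "255.255.255.255" for r in rules)
    return behavior == "deny" and catch_all


if __name__ == "__main__":
    # Constructed sample flows: VLAN 10 host to VLAN 30, VLAN 20, router, and VLAN 20 to VLAN 30.
    flows = [("192.168.1.5", "192.168.3.5"), ("192.168.1.5", "192.168.2.5"),
             ("192.168.1.5", "10.1.20.1"), ("192.168.2.5", "192.168.3.5")]
    for flow, action in audit(ACL_3000, "permit", flows).items():
        print(flow, "->", action)
    print("rule permit + behavior deny blackholes everything:",
          blackholes_all_traffic([AclRule(5, "permit")], "deny"))
```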
Networking Requirements
As shown in Figure 17-12, the company has three departments that belong to VLAN 10, VLAN 20, and VLAN 30, respectively. To ensure security, users in VLAN 10 may access VLAN 20 but not VLAN 30. All three departments need to access the Internet, and there are no other restrictions.
Figure 17-12 (network diagram; only labels recovered): SwitchA connects the department VLANs (GE1/0/2 in VLAN 20, 192.168.2.0/24; GE1/0/3 in VLAN 30, 192.168.3.0/24) and uplinks through GE1/0/4 to GE1/0/1 on the Switch; GE1/0/2 on the Switch connects to the Router, whose interface address is 10.1.20.1/24, toward the external network.
Interface table (partial): GigabitEthernet1/0/2, VLAN 20; GigabitEthernet1/0/3, VLAN 30.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement interworking between the company and the external network.
2. Configure ACL rules on the Switch to define the data flows that are permitted or
rejected.
3. Configure a traffic classifier on the Switch to classify packets based on the ACL.
4. Configure a traffic behavior on the Switch and define the permit action (the ACL defines
the data flows that are rejected).
5. Configure a traffic policy on the Switch, bind the traffic classifier and traffic behavior to the traffic policy, and apply the traffic policy to GE1/0/1.
Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30 //Add the interface to VLAN 10, VLAN 20, and VLAN 30.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 40 //Add the interface to VLAN 40.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 192.168.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40 //Create a VLANIF interface.
[Switch-Vlanif40] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to connect to the router.
[Switch-Vlanif40] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to implement interworking.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 30
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic classifier to the
traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 connected to
SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
# User devices on network segment 192.168.1.0/24 can ping user devices on network segment 192.168.2.0/24, that is, users in VLAN 10 can access users in VLAN 20.
# User devices on network segment 192.168.1.0/24 cannot ping user devices on network segment 192.168.3.0/24, that is, users in VLAN 10 cannot access users in VLAN 30.
# User devices on network segments 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 can ping the IP address 10.1.20.1/24 of the interface on the router, indicating that users of the three departments can access the Internet.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 40
#
acl number 3000
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 15 permit ip
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 40
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20 30
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
return
Overview of HQoS
HQoS uses multiple levels of queues to further differentiate service traffic, and provides
uniform management and hierarchical scheduling for transmission objects such as users and
services. HQoS enables network devices to control internal resources with the existing
hardware, providing QoS guarantee for advanced users while reducing network construction
cost.
Configuration Notes
Only X1E series cards support this configuration.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
Voice, video, and data services from multiple users are transmitted on an enterprise campus
network, and 802.1p priorities of voice, video, and data services are 6, 5, and 2 respectively.
Bandwidth needs to be guaranteed for the voice, video, and data services in descending order
of priority. Table 17-17 and Table 17-18 describe the configuration requirements.
Because the bandwidth is finite, the device needs to differentiate service priorities and shape
traffic from different users to provide different bandwidth. Table 17-19 describes the
configuration requirement.
Tables 17-17 and 17-18 (recovered rows; columns as far as recoverable: Service, Color, Low-limit, High-limit, Discard-percentage, and Service, PHB):
Video Yellow 60 80 20
Data Red 40 60 40
Voice EF
Video AF3
Data AF1
Table 17-19 (recovered headers only): User, PIR; video, data, voice; User 4
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the Internet
through the Switch.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different service
packets to PHBs and colors, and bind the DiffServ domain to the inbound interface of the
Switch.
3. Configure a flow queue WRED drop profile, flow queue profile, and profile parameters
on the Switch so that the Switch provides different scheduling priorities, drop profile
parameters, and traffic shaping parameters for different services.
4. Configure ACLs on the Switch to differentiate service traffic of different users based on
VLAN IDs.
5. Configure subscriber queues and traffic shaping parameters on the Switch, and reference
the flow queue WRED drop profile and flow queue profile to implement HQoS.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10 on SwitchA, configure GE1/0/1 and GE1/0/2 as access interfaces and add
them to VLAN 10, and configure GE2/0/1 as a trunk interface and add it to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet2/0/1] quit
# Create VLAN 20 on SwitchB, configure GE1/0/1 and GE1/0/2 as access interfaces and add
them to VLAN 20, and configure GE2/0/1 as a trunk interface and add it to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access
[SwitchB-GigabitEthernet1/0/1] port default vlan 20
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type access
[SwitchB-GigabitEthernet1/0/2] port default vlan 20
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet2/0/1] quit
# Create VLAN 10 and VLAN 20 on SwitchC, configure GE1/0/1 as a trunk interface and add
it to VLAN 10 and VLAN 20, and configure GE2/0/1 as a trunk interface and add it to VLAN
10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 2/0/1
[SwitchC-GigabitEthernet2/0/1] port link-type trunk
[SwitchC-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet2/0/1] quit
# Create VLAN 10 and VLAN 20 on the Switch, configure GE1/0/1, GE1/0/2, and GE2/0/1
as trunk interfaces, and add GE1/0/1 to VLAN 10, GE1/0/2 to VLAN 20, and GE2/0/1 to
VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit
Step 3 Configure a flow queue WRED drop profile and define parameters in the profile.
# Create a flow queue WRED drop profile named wred1 on the Switch and set parameters of
green, yellow, and red packets in the flow queue WRED drop profile.
[Switch] flow-wred-profile wred1 //Configure a WRED drop profile.
[Switch-flow-wred-wred1] color green low-limit 80 high-limit 100 discard-percentage 10 //Set the lower drop threshold, upper drop threshold, and maximum drop probability for green packets.
[Switch-flow-wred-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20 //When the percentage of the yellow packet length to the queue length reaches 60%, the device starts to discard packets, with a maximum drop probability of 20%. When the percentage reaches 80%, the device discards all new yellow packets.
[Switch-flow-wred-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-flow-wred-wred1] quit
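The yellow-packet comment above describes the WRED curve in words; as an added Python model (not Huawei code), the same profile wred1 is evaluated numerically for all three colours. The only assumption beyond the page is the standard WRED shape: no drops below low-limit, a linear ramp up to discard-percentage at high-limit, and tail drop at or above high-limit.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredColor:
    low_limit: int           # queue occupancy (percent) at which random drops begin
    high_limit: int          # occupancy at or above which every new packet is dropped
    discard_percentage: int  # maximum random-drop probability, in percent


# Profile wred1 exactly as configured in Step 3.
WRED1 = {
    "green":  WredColor(80, 100, 10),
    "yellow": WredColor(60, 80, 20),
    "red":    WredColor(40, 60, 40),
}


def validate_profile(profile) -> bool:
    """Reject threshold sets that make no sense (low >= high, or values above 100%)."""
    for color, c in profile.items():
        if not (0 <= c.low_limit < c.high_limit <= 100 and 0 <= c.discard_percentage <= 100):
            raise ValueError(f"{color}: invalid thresholds {c}")
    return True


def drop_probability(profile, color: str, occupancy_pct: float) -> float:
    """Standard WRED curve (assumption of this model): 0 below low-limit, a linear
    ramp to discard-percentage at high-limit, tail drop (1.0) at or above high-limit."""
    c = profile[color]
    if occupancy_pct < c.low_limit:
        return 0.0
    if occupancy_pct >= c.high_limit:
        return 1.0
    ramp = (occupancy_pct - c.low_limit) / (c.high_limit - c.low_limit)
    return ramp * c.discard_percentage / 100.0


def drop_table(profile, occupancies=(30, 50, 60, 70, 80, 90, 100)):
    """Drop probability per colour at several occupancies: red (data) is shed first,
    yellow (video) next, and green (voice) last, as the configuration requires."""
    return {occ: {color: round(drop_probability(profile, color, occ), 3)
                  for color in profile} for occ in occupancies}


def simulate_drops(profile, color: str, occupancy_pct: float, packets=20000, seed=7):
    """Monte-Carlo check of the curve: fraction of packets dropped at a fixed occupancy."""
    rng = random.Random(seed)
    p = drop_probability(profile, color, occupancy_pct)
    dropped = sum(1 for _ in range(packets) if rng.random() < p)
    return dropped / packets


if __name__ == "__main__":
    validate_profile(WRED1)
    for occ, row in drop_table(WRED1).items():
        print(f"{occ:3d}% occupancy: {row}")
    print("yellow at 70% occupancy, simulated drop fraction:",
          simulate_drops(WRED1, "yellow", 70))
```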
Step 4 Configure a flow queue profile and define parameters in the profile.
# Configure a flow queue profile named flow1 on the Switch, bind flow queue profile flow1
to flow queue WRED drop profile wred1, and configure different scheduling parameters.
[Switch] flow-queue-profile flow1 //Configure a flow queue profile.
[Switch-flow-queue-flow1] qos queue 5 pq flow-wred-profile wred1 //Configure PQ scheduling for queue 5 and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] qos queue 3 wfq weight 20 flow-wred-profile wred1 //Configure WFQ scheduling for queue 3, set the WFQ weight to 20, and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] qos queue 1 wfq weight 10 flow-wred-profile wred1 //Configure WFQ scheduling for queue 1, set the WFQ weight to 10, and reference the WRED drop profile wred1.
[Switch-flow-queue-flow1] quit
# Configure subscriber queues based on ACL 4001 and ACL 4002 on the Switch and reference flow queue profile flow1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-user-queue outbound acl 4001 pir 8000 flow-queue-profile flow1 //Create a subscriber queue that references ACL 4001, set the PIR to 8000 kbit/s, and reference the flow queue profile flow1.
[Switch-GigabitEthernet2/0/1] traffic-user-queue outbound acl 4002 pir 5000 flow-queue-profile flow1 //Create a subscriber queue that references ACL 4002, set the PIR to 5000 kbit/s, and reference the flow queue profile flow1.
[Switch-GigabitEthernet2/0/1] quit
[Switch] quit
# Check the configuration of the WRED drop profile of a flow queue, including the profile
name, upper and lower drop thresholds of green, yellow, and red packets, and maximum drop
probability.
<Switch> display flow-wred-profile name wred1
Flow-wred-profile[1]: wred1
Queue depth : 1048576
Color Low-limit High-limit Discard-percentage
-----------------------------------------------------------------
Green 80 100 10
Yellow 60 80 20
Red 40 60 40
-----------------------------------------------------------------
# Check the flow queue profile configuration, including the profile name and WFQ weights.
<Switch> display flow-queue-profile name flow1
Flow-queue-profile[1]: flow1
Queue Schedule(Weight) Shaping flow-wred-profile
-----------------------------------------------------------------------
0 PQ None default
1 WFQ(10) None wred1
2 PQ None default
3 WFQ(20) None wred1
4 PQ None default
5 PQ None wred1
6 PQ None default
7 PQ None default
-----------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,127            drop: 2,798,787,076
         | bytes:   pass: 610,796          drop: 414,220,487,248
--------------------------------------------------------------------------------
1        | packets: pass: 4,127            drop: 5,597,436,717
         | bytes:   pass: 610,796          drop: 828,420,634,116
--------------------------------------------------------------------------------
2        | packets: pass: 0                drop: 0
         | bytes:   pass: 0                drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,127            drop: 5,597,436,713
         | bytes:   pass: 610,796          drop: 828,420,633,524
--------------------------------------------------------------------------------
4        | packets: pass: 4,127            drop: 2,798,716,293
         | bytes:   pass: 610,796          drop: 414,210,011,364
--------------------------------------------------------------------------------
5        | packets: pass: 4,127            drop: 2,798,716,294
         | bytes:   pass: 610,796          drop: 414,210,011,512
--------------------------------------------------------------------------------
6        | packets: pass: 0                drop: 0
         | bytes:   pass: 0                drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 1,119,509,460    drop: 1,679,210,961
         | bytes:   pass: 165,687,400,080  drop: 248,523,222,228
--------------------------------------------------------------------------------

Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,125            drop: 5,218,026
         | bytes:   pass: 610,500          drop: 772,267,848
--------------------------------------------------------------------------------
1        | packets: pass: 4,125            drop: 10,440,178
         | bytes:   pass: 610,500          drop: 1,545,146,344
--------------------------------------------------------------------------------
2        | packets: pass: 0                drop: 0
         | bytes:   pass: 0                drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,125            drop: 10,440,178
         | bytes:   pass: 610,500          drop: 1,545,146,344
--------------------------------------------------------------------------------
4        | packets: pass: 4,125            drop: 5,218,027
         | bytes:   pass: 610,500          drop: 772,267,996
--------------------------------------------------------------------------------
5        | packets: pass: 4,125            drop: 5,218,027
         | bytes:   pass: 610,500          drop: 772,267,996
--------------------------------------------------------------------------------
6        | packets: pass: 0                drop: 0
         | bytes:   pass: 0                drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 2,092,988        drop: 3,129,165
         | bytes:   pass: 309,762,224      drop: 463,116,420
--------------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
l Configuration file of SwitchB
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
l Configuration file of SwitchC
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
l Configuration file of the Switch
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-user-queue outbound acl 4001 pir 8000 flow-queue-profile flow1
traffic-user-queue outbound acl 4002 pir 5000 flow-queue-profile flow1
#
return
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 18-1, the NMS server manages all devices on the network. The network
is small and not likely to be attacked, so SNMPv1 is configured on switches to communicate
with the NMS server. A new switch is added to the network. The network administrator wants
to utilize the existing network resources to manage the new switch and quickly locate as well
as rectify network faults.
Figure 18-1 Configuring a device to communicate with the NMS using SNMPv1
Diagram labels: NMS at 10.1.1.1/24, connected to the Switch interface GE1/0/1 (VLAN 10, 10.1.1.2/24).
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
Step 1 Configure SNMPv1 on the switch so that the NMS running SNMPv1 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v1 //By default, SNMPv3 is supported.
Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible MIB view contains iso.
Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //Configure a community name and apply the ACL to make the access control function take effect.
Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1 //Configure a trap host. By default, traps are sent to UDP port 162.
NOTE
The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.
----End
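The gates a management request must pass on the switch as configured in Steps 1 to 3, as an added Python model (not Huawei code): the enabled SNMP version, the community name, ACL 2001 on the source address, write access for set operations, and the MIB view. The excluded subtree 1.3.6.1.6.3.18 (snmpCommunityMIB) and the longest-prefix view rule from RFC 3415 are additions used to show how a view is evaluated; the page itself configures only the included view isoview.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Versions the agent answers. The configuration file shows 'snmp-agent sys-info version v1 v3':
# Step 1 adds v1, and v3 stays enabled by default.
ENABLED_VERSIONS = {"v1", "v3"}


@dataclass(frozen=True)
class BasicRule:
    number: int
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"  # Huawei wildcard: a 0 bit must match


# ACL 2001 from Step 2 (the CLI writes the all-zero wildcard as plain 0).
ACL_2001 = [BasicRule(5, "permit", "10.1.1.1", "0.0.0.0"), BasicRule(10, "deny")]
ACLS = {2001: ACL_2001}

# MIB views as (subtree OID, included). 'iso' is OID 1, as in Step 2. The second view is
# constructed here only to demonstrate an excluded subtree.
VIEWS = {
    "isoview": [("1", True)],
    "isoview-no-communities": [("1", True), ("1.3.6.1.6.3.18", False)],
}

# Community from Step 3: write access, view isoview, bound to ACL 2001.
COMMUNITIES = {"adminnms01": {"access": "write", "view": "isoview", "acl": 2001}}


def acl_permits(rules, src: str) -> bool:
    """First matching rule decides. A packet matching no rule is treated as permitted
    in this model (an assumption); the explicit 'rule deny' in Step 2 makes the
    outcome independent of that default."""
    s = int(IPv4Address(src))
    for r in sorted(rules, key=lambda r: r.number):
        care = ~int(IPv4Address(r.wildcard)) & 0xFFFFFFFF
        if ((s ^ int(IPv4Address(r.source))) & care) == 0:
            return r.action == "permit"
    return True


def oid_in_view(view, oid: str) -> bool:
    """VACM rule (RFC 3415): the longest subtree that is a prefix of the OID decides
    whether the object is visible."""
    parts = oid.split(".")
    best = None
    for subtree, included in view:
        sub = subtree.split(".")
        if parts[:len(sub)] == sub and (best is None or len(sub) > best[0]):
            best = (len(sub), included)
    return best is not None and best[1]


def authorize(version, src, community, op, oid,
              communities=COMMUNITIES, acls=ACLS, views=VIEWS):
    """Return (allowed, reason) for one request, applying the gates in the order
    Steps 1 to 3 configure them: version, community, ACL, access type, MIB view."""
    if version not in ENABLED_VERSIONS:
        return False, f"version {version} not enabled"
    entry = communities.get(community)
    if entry is None:
        return False, "unknown community"
    if not acl_permits(acls[entry["acl"]], src):
        return False, f"source {src} denied by acl {entry['acl']}"
    if op == "set" and entry["access"] != "write":
        return False, "community is read-only"
    if not oid_in_view(views[entry["view"]], oid):
        return False, f"{oid} outside view {entry['view']}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: the NMS reading sysDescr, a wrong version, a foreign host,
    # and a wrong community name.
    for req in [("v1", "10.1.1.1", "adminnms01", "get", "1.3.6.1.2.1.1.1.0"),
                ("v2c", "10.1.1.1", "adminnms01", "get", "1.3.6.1.2.1.1.1.0"),
                ("v1", "10.1.1.9", "adminnms01", "get", "1.3.6.1.2.1.1.1.0"),
                ("v1", "10.1.1.1", "public", "get", "1.3.6.1.2.1.1.1.0")]:
        print(req, "->", authorize(*req))
```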
Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 18-2, the NMS server manages all devices on the network. The network
is large and secure but the service traffic volume on the network is high. Therefore, devices on
the network use SNMPv2c to communicate with the NMS server. For capacity expansion, a
new switch is added to the network. The network administrator wants to utilize the existing
network resources to manage the new switch and quickly locate as well as rectify network
faults.
Figure 18-2 Configuring a device to communicate with the NMS using SNMPv2c
(Figure 18-2 layout: the NMS at 10.1.1.1/24 is connected to GE1/0/1 of the Switch, which belongs to VLAN10 and has the IP address 10.1.1.2/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv2c on the switch so that the NMS running SNMPv2c can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a community name based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The community name configured on the switch must be the
same as that used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
Step 1 Configure SNMPv2c on the switch so that the NMS running SNMPv2c can manage the
switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v2c //By default, SNMPv3 is supported.
Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with
IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible
MIB view contains iso.
Step 3 Configure a community name based on which the switch permits access of the NMS.
[Switch] snmp-agent community write adminnms01 mib-view isoview acl 2001 //
Configure a community name and apply the ACL to make the access control function
take effect.
Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //
Enable all trap functions on the switch. By default, only some trap functions are
enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname adminnms01 v2c //Configure a trap host. By default, traps are sent
by UDP port 162.
NOTE
The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-
h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view isoview acl 2001
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%# v2c
snmp-agent mib-view included isoview iso
snmp-agent trap enable
#
return
SNMP Overview
The Simple Network Management Protocol (SNMP) is a standard network management
protocol widely used on TCP/IP networks. SNMP uses a central computer (a network
management station) that runs network management software to manage network elements.
SNMP is available in three versions. SNMPv1 is the initial version of SNMP. It provides
authentication based on community names only, so it has a low security level, and it can
return only a few error codes. SNMPv2c, issued by the IETF, is the second release of SNMP.
SNMPv2c adds standard error codes, data types (Counter64 and Counter32), and operations
including GetBulk and Inform. SNMPv2c does not improve security, so the IETF issued
SNMPv3, which provides User Security Module (USM)-based authentication and encryption
and View-based Access Control Model (VACM)-based access control.
SNMPv3 is applicable to networks of various scales, especially networks that have strict
security requirements and can be managed only by authorized network administrators. For
example, SNMPv3 can be used if data between the NMS and managed device needs to be
transmitted over a public network.
Configuration Notes
This example applies to all versions and models.
Networking Requirements
As shown in Figure 18-3, the NMS server manages all devices on the network. The network
is large and is likely to be attacked. Therefore, devices on the network use SNMPv3 to
communicate with the NMS server. A new switch is added to the network. The network
administrator wants to utilize the existing network resources to manage the new switch and
quickly locate as well as rectify network faults.
Figure 18-3 Configuring a device to communicate with the NMS using SNMPv3
(Figure 18-3 layout: the NMS at 10.1.1.1/24 reaches the Switch across a network; the Switch side is GE1/0/1 in VLAN10 with the IP address 10.1.10.2/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the
switch.
2. Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
3. Configure a user group and user based on which the switch permits access of the NMS.
4. Configure a trap host and enable the switch to automatically send traps to the NMS.
5. Add the switch to the NMS. The user group and user configured on the switch must be
the same as those used by the NMS; otherwise, the NMS cannot manage the switch.
Procedure
Step 1 Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v3 //By default, SNMPv3 is supported. If
SNMPv3 is not disabled, skip this command.
Step 2 Configure access control so that only the NMS with the specified IP address can perform
read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0 //Allow only the NMS with
IP address 10.1.1.1 to access the device.
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit
# Configure the MIB view to specify the MIB objects that can be accessed by the NMS.
[Switch] snmp-agent mib-view included isoview iso //Specify that the accessible
MIB view contains iso.
Step 3 Configure a user group and user based on which the switch permits access of the NMS.
# Configure the user group group001, set the security level to privacy, and configure access
control to restrict the access of NMS to the switch.
[Switch] snmp-agent group v3 group001 privacy write-view isoview acl 2001 //
Configure a user group and apply an ACL to make the access control function take
effect.
Step 4 Configure a trap host and enable the switch to automatically send traps to the NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //
Enable all trap functions on the switch. By default, only some trap functions are
enabled. You can run the display snmp-agent trap all command to check trap status.
[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname user001 v3 privacy //Configure a trap host. By default, traps are
sent by UDP port 162. The security name must be the same as the user name;
otherwise, the NMS cannot manage the device.
Configure the SNMP function on the NMS according to the NMS manual, including setting
the SNMP version to SNMPv3, configuring the user group group001 and user user001,
setting the authentication mode to SHA and authentication password to Authe@1234, setting
the encryption mode to AES256 and encryption password to Priva@1234, and setting the
SNMP connection port to port 161 (default port used by the switch). In addition, set the trap
receiving port to port 162 (default port used by the switch) so that the NMS can receive traps.
After the configurations are complete, the NMS can manage the switch and the switch can
automatically send traps to the NMS when events occur.
NOTE
The parameter settings on the NMS must be the same as those on the switch; otherwise, the NMS cannot
manage the switch.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy write-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
user001 v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#*2C
%=4LZn1L>ni9xaybHdbXFW&[c_Wv0m!0MpTj!%^%#
snmp-agent usm-user v3 user001 privacy-mode aes256 cipher %^%#i\Fv-cC(u)
+x26S2'rEX<.;V+e~nP)*.J$Ulr($/%^%#
snmp-agent trap enable
#
return
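The three SNMP configuration files above share one hardening pattern: a basic ACL that limits access to the NMS address, a MIB view that limits what can be read or written, and, for SNMPv3, authentication and privacy on the user. The following script is an added example and is not part of this Huawei document: it parses a configuration file in the format shown above and reports which of those controls are missing. The sample configuration embedded in it is constructed (cipher blobs are replaced by a placeholder), and the finding texts are this example's own.

```python
"""Audit the SNMP settings in a Huawei-style configuration file (added example)."""
import re
from collections import defaultdict

# Constructed sample in the format of the configuration files above. The write
# community, group001 and user001 follow the hardened pattern; a read community
# with no ACL or MIB view and a user002 with no authentication or privacy are
# added deliberately so that the checks have something to report.
SAMPLE_CONFIG = """\
#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent
snmp-agent community write cipher %^%#PLACEHOLDER%^%# mib-view isoview acl 2001
snmp-agent community read cipher %^%#PLACEHOLDER%^%#
snmp-agent sys-info version v2c v3
snmp-agent group v3 group001 privacy write-view isoview acl 2001
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#PLACEHOLDER%^%#
snmp-agent usm-user v3 user001 privacy-mode aes256 cipher %^%#PLACEHOLDER%^%#
snmp-agent usm-user v3 user002
snmp-agent usm-user v3 user002 group group001
snmp-agent mib-view included isoview iso
#
return
"""

ACL_DEF = re.compile(r"^acl(?: number)? (\d+)")
VIEW_DEF = re.compile(r"^snmp-agent mib-view (?:included|excluded) (\S+)")
COMMUNITY = re.compile(r"^snmp-agent community (read|write) (?:cipher )?\S+(.*)$")
GROUP = re.compile(r"^snmp-agent group v3 (\S+) (noauthentication|authentication|privacy)(.*)$")
USER = re.compile(r"^snmp-agent usm-user v3 (\S+)(?: (\S+)(?: (\S+))?)?")
ACL_REF = re.compile(r"\bacl (\d+)")
VIEW_REF = re.compile(r"\b(?:mib-view|read-view|write-view|notify-view) (\S+)")


def _ref(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def parse_snmp(text):
    """Collect ACLs, MIB views, enabled versions, communities, v3 groups and v3 users."""
    cfg = {"versions": set(), "acls": set(), "views": set(), "communities": [], "groups": [],
           "users": defaultdict(lambda: {"group": None, "auth": None, "priv": None})}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_DEF.match(line):
            cfg["acls"].add(m.group(1))
        elif line.startswith("snmp-agent sys-info version"):
            cfg["versions"].update(line.split()[3:])
        elif m := VIEW_DEF.match(line):
            cfg["views"].add(m.group(1))
        elif m := COMMUNITY.match(line):
            access, opts = m.groups()
            cfg["communities"].append((access, _ref(ACL_REF, opts), _ref(VIEW_REF, opts)))
        elif m := GROUP.match(line):
            name, level, opts = m.groups()
            cfg["groups"].append((name, level, _ref(ACL_REF, opts), _ref(VIEW_REF, opts)))
        elif m := USER.match(line):
            name, keyword, value = m.groups()
            user = cfg["users"][name]  # a bare 'usm-user v3 <name>' line still registers the user
            if keyword == "group":
                user["group"] = value
            elif keyword == "authentication-mode":
                user["auth"] = value
            elif keyword == "privacy-mode":
                user["priv"] = value
    return cfg


def _check_binding(what, acl, view, cfg):
    out = []
    if acl is None:
        out.append(f"{what}: no ACL bound, so any source address may use it")
    elif acl not in cfg["acls"]:
        out.append(f"{what}: references ACL {acl}, which is not defined")
    if view is None:
        out.append(f"{what}: no MIB view bound, so the default view applies")
    elif view not in cfg["views"]:
        out.append(f"{what}: references MIB view {view}, which is not defined")
    return out


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_snmp(text)
    findings = []
    if "v1" in cfg["versions"]:
        findings.append("SNMPv1 is enabled; it offers only community-name authentication")
    for access, acl, view in cfg["communities"]:
        findings += _check_binding(f"{access} community", acl, view, cfg)
    for name, level, acl, view in cfg["groups"]:
        if level != "privacy":
            findings.append(f"group {name}: security level is {level}, not privacy")
        findings += _check_binding(f"group {name}", acl, view, cfg)
    for name, user in cfg["users"].items():
        if user["group"] is None:
            findings.append(f"user {name}: not assigned to any group")
        if user["auth"] is None:
            findings.append(f"user {name}: no authentication-mode")
        if user["priv"] is None:
            findings.append(f"user {name}: no privacy-mode")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports the read community (no ACL, no MIB view) and user002 (no authentication, no privacy) and stays silent about the hardened write community, group001 and user001. Feeding it a file in which sys-info version lists v1 adds a finding for SNMPv1, which is the case in the first example above.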
Configuration Notes
This example uses eSight V200R005C00 and switch V200R003C00. The configurations may
vary with software versions. For details, see the product manual of the corresponding version.
Networking Requirements
An enterprise administrator wants to use eSight to manage devices of the enterprise.
l The enterprise recently replanned its network, and the number of devices on the entire
network has grown to about 1000. It is labor-intensive for the administrator to log in to
each device to configure and manage it. The administrator needs a network management
system (NMS) to manage all the devices on the network centrally.
l Devices on the enterprise network belong to the R&D Dept and finance Dept, and
devices in the R&D Dept are divided into two service groups. The R&D Dept has 800
devices and the finance Dept has 200 devices. The administrator wants to manage the
devices by group, view the device status in different departments, and batch configure
services for devices in the same service group during the maintenance process.
(Figure layout: eSight manages the devices of R&D Dept A, R&D Dept B and the Finance Dept.)
Requirement Analysis
l Enabling automatic device discovery: A large number of security devices and network
devices need to be deployed on the network. The automatic device discovery function
provided by eSight reduces the administrator's workload, improves operating efficiency,
and reduces misoperations.
l Selecting the SNMPv2c protocol: A majority of the security devices and network devices
use SNMPv2c. SNMPv2c has higher security than SNMPv1, and is simpler and easier to
configure than SNMPv3.
l Enabling the subnet function in topology monitoring: The subnet function in topology
monitoring enables eSight to monitor devices by area according to the subnet on which
the devices are located. The administrator can divide the enterprise network into multiple
subnets by department to implement differentiated management.
l Enabling the grouping function: During routine maintenance, the administrator needs to
batch configure devices that provide similar services. The grouping function enables
eSight to automatically add devices to different groups after grouping rules are set. The
administrator can batch perform authentication and alarm filtering operations for devices
in the same group.
Data Plan
Item: Subnet
Value: The network is divided into three subnets, each assigned a range of IP addresses.
l subnet_rda (R&D Dept A): 192.168.11.0-192.168.12.255
l subnet_rdb (R&D Dept B): 192.168.31.0-192.168.32.255
l subnet_finance (Finance Dept): 192.168.51.0-192.168.51.255
Description: One subnet on eSight can contain up to 500 devices. It is recommended that the
R&D Dept with 800 devices be divided into two subnets, and the finance Dept into one subnet.
Item: Grouping rule
Value: Five groups are defined based on the service type and department.
l group_rda1 (R&D Dept A, service group 1): 192.168.11.0-192.168.11.255
l group_rda2 (R&D Dept A, service group 2): 192.168.12.0-192.168.12.255
l group_rdb3 (R&D Dept B, service group 1): 192.168.31.0-192.168.31.255
l group_rdb4 (R&D Dept B, service group 2): 192.168.32.0-192.168.32.255
l group_finance (Finance Dept): 192.168.51.0-192.168.51.255
Description: The start and end IP addresses are specified in grouping rules. After eSight
discovers the devices, they are automatically added to the corresponding groups.
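The Data Plan above is a set of IP ranges with two constraints: each group must fall inside one subnet, and no subnet may end up with more than 500 devices. The following script is an added example, not eSight code: it models the "IP address startwith X" / "endwith Y" dynamic rules as one inclusive range (an assumption of this example), checks the plan for overlapping subnets and mis-nested groups, and then places a constructed device inventory (800 R&D and 200 finance devices, plus one stray address) into subnets and groups. The subnet and group names are the ones from the Data Plan; the device addresses are constructed.

```python
"""Check an eSight-style subnet and grouping plan before device discovery (added example)."""
from ipaddress import IPv4Address

SUBNET_LIMIT = 500  # devices per eSight subnet, as stated in the Data Plan

# Inclusive start/end ranges from the Data Plan. Treating the 'startwith' and
# 'endwith' rule pair as a single range is this example's assumption.
SUBNETS = {
    "subnet_rda": ("192.168.11.0", "192.168.12.255"),
    "subnet_rdb": ("192.168.31.0", "192.168.32.255"),
    "subnet_finance": ("192.168.51.0", "192.168.51.255"),
}
GROUPS = {
    "group_rda1": ("192.168.11.0", "192.168.11.255"),
    "group_rda2": ("192.168.12.0", "192.168.12.255"),
    "group_rdb3": ("192.168.31.0", "192.168.31.255"),
    "group_rdb4": ("192.168.32.0", "192.168.32.255"),
    "group_finance": ("192.168.51.0", "192.168.51.255"),
}


def _ranges(rules):
    """Convert {name: (start, end)} into {name: (int_start, int_end)}."""
    return {n: (int(IPv4Address(s)), int(IPv4Address(e))) for n, (s, e) in rules.items()}


def match(rules, ip):
    """Names of every rule whose range contains ip (a sound plan yields 0 or 1)."""
    n = int(IPv4Address(ip))
    return [name for name, (s, e) in _ranges(rules).items() if s <= n <= e]


def validate_plan(subnets=SUBNETS, groups=GROUPS):
    """Static checks: subnets must not overlap; each group sits inside exactly one subnet."""
    problems, sr = [], _ranges(subnets)
    names = list(sr)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sr[a][0] <= sr[b][1] and sr[b][0] <= sr[a][1]:
                problems.append(f"subnets {a} and {b} overlap")
    for g, (gs, ge) in _ranges(groups).items():
        parents = [n for n, (s, e) in sr.items() if s <= gs and ge <= e]
        if len(parents) != 1:
            problems.append(f"group {g} is inside {len(parents)} subnets, expected exactly 1")
    return problems


def place_devices(device_ips, subnets=SUBNETS, groups=GROUPS):
    """Assign discovered devices to (subnet, group) and flag subnets over the limit."""
    placement, counts, unplaced = {}, {n: 0 for n in subnets}, []
    for ip in device_ips:
        sn, gr = match(subnets, ip), match(groups, ip)
        if len(sn) != 1:
            unplaced.append(ip)  # not covered by exactly one planned subnet
            continue
        placement[ip] = (sn[0], gr[0] if gr else None)
        counts[sn[0]] += 1
    over = [n for n, c in counts.items() if c > SUBNET_LIMIT]
    return placement, counts, unplaced, over


def constructed_devices():
    """Constructed inventory matching the plan: 800 R&D and 200 finance devices, plus one stray."""
    ips = [f"192.168.{third}.{host}" for third in (11, 12, 31, 32) for host in range(1, 201)]
    ips += [f"192.168.51.{host}" for host in range(1, 201)]
    return ips + ["192.168.99.1"]


if __name__ == "__main__":
    print("plan problems:", validate_plan() or "none")
    _, counts, unplaced, over = place_devices(constructed_devices())
    print("devices per subnet:", counts, "| unplaced:", unplaced, "| over limit:", over)
```

The plan as given validates cleanly and the inventory lands at 400, 400 and 200 devices per subnet, which is why the 800 R&D devices had to be split across two subnets; adding a subnet whose range overlaps subnet_rda is reported before any discovery is run.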
Configuration Roadmap
1. Configure SNMP parameters on the devices.
2. Create subnets on eSight.
3. Set grouping rules on eSight.
4. Create an SNMP template on eSight.
5. Enable eSight to discover devices using SNMP.
Prerequisites
IP addresses have been configured for devices on the network according to Data Plan, and
the devices can successfully communicate with eSight.
Procedure
Step 1 Configure SNMP parameters on the devices.
<SwitchA> system-view
[SwitchA] snmp-agent //Start the SNMP agent service.
[SwitchA] snmp-agent sys-info version v2c //Set the SNMP version to v2c.
[SwitchA] snmp-agent mib-view included View_ALL iso //Create a MIB view
View_ALL.
[SwitchA] snmp-agent community read cipher Public123 mib-view View_ALL //
Configure a read community name and set the rights of the MIB view.
[SwitchA] snmp-agent community write cipher Private123 mib-view View_ALL //
Configure a write community name and set the rights of the MIB view.
[SwitchA] snmp-agent trap source MEth0/0/1 //Specify the source interface for
sending traps. Here, a management interface is specified as the source interface.
[SwitchA] snmp-agent trap enable //Enable the trap function to report alarms.
[SwitchA] snmp-agent target-host trap address udp-domain 192.168.10.10 params
securityname Public123 v2c //Set the eSight IP address to 192.168.10.10,
securityname to Public123, and version to v2c.
4. In the dialog box that is displayed, enter the subnet name and description, and click OK.
2. In the navigation tree, choose Device Group and click next to User Defined
Groups.
3. In the Basic Information dialog box, set the group name and description.
4. Click under Dynamic Rules to set grouping rules.
a. Set the rule name to rule_01.
b. Select satisfy all conditions.
c. Set the dynamic rule to IP address startwith 192.168.11.0.
d. Click next to the dynamic rule. A line is displayed under the dynamic rule. Set
the other dynamic rule to IP address endwith 192.168.11.255.
5. Click Confirm. The first grouping rule is set. Repeat the steps to set other grouping rules
according to Data Plan.
Step 4 Create an SNMP template on eSight.
1. Choose Resource > Resource Management > Protocol Template from the main menu.
Step 5 Use the automatic device discovery function to add devices to eSight.
1. Choose Resource > Add Device > Automatic from the main menu.
2. Set Select discovery protocol to SNMP and Select discovery mode to Immediate
discovery.
3. Specify start and end IP addresses of network segments and add them to subnets.
Click Add Another Network Segment, specify start and end IP addresses of the
network segment and add it to the corresponding subnet.
4. Select Select template and select the template SNMP_v2c created in the preceding step
from the template list.
5. Select Auto add to NMS and click Start Discovery.
6. After automatic device discovery is complete, check whether all the devices matching
parameters in the template are added to eSight. Click Complete.
----End
Verification
1. Check devices on subnets.
a. Choose Monitor > Topology > Topology Management from the main menu.
b. Choose Device Group > User Defined Groups > group_rda1. Check whether all
the devices in the service group 1 of R&D Dept A are added to the group. If so, the
operations are correct. Perform similar steps to check the other four groups. If
devices are not added to the corresponding group, check whether the devices are
added to eSight and whether grouping rules are correctly set.
NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.
It has the following advantages:
l NetStream collects statistics on multiple types of information in packets. It provides a
powerful statistics collection function and detailed statistical results.
l NetStream can be deployed at a low cost. No dedicated device is required to collect
traffic information and no device interface is occupied.
In original flow statistics exporting, the statistics of a flow are exported when its aging
time expires. Statistics on every flow are exported to the NetStream server, so the server
obtains detailed statistics on each individual flow.
Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.
NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.
Networking Requirements
As shown in Figure 18-5, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet, and perform accounting for each department.
Figure 18-5 Networking diagram for configuring original flow statistics exporting
(Figure 18-5 layout: SwitchA reaches the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24), the NetStream server at 10.1.2.2/24 through GE1/0/2 (VLANIF200, 10.1.2.1/24), and Department 1 and Department 2 through GE1/0/3 (VLANIF300, 10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24).)
Configuration Roadmap
You can configure IPv4 original flow statistics exporting on GE1/0/1 of SwitchA. Configure
SwitchA to collect statistics on incoming and outgoing traffic on the interface, and to send the
statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet, and perform accounting for
each department.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure NetStream sampling.
3. Configure NetStream flow aging.
4. Configure original flow statistics exporting.
5. Configure the version of exported packets.
6. Enable NetStream flow statistics collection on GE1/0/1.
Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-5.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
# Set the inactive aging time to 100 seconds and enable FIN- and RST-based aging.
[SwitchA] ip netstream timeout inactive 100
[SwitchA] ip netstream tcp-flag enable
# Set the source IP address of the exported packets carrying original flow statistics to
10.1.2.1, destination IP address to 10.1.2.2, and destination port number to 6000.
[SwitchA] ip netstream export source 10.1.2.1
[SwitchA] ip netstream export host 10.1.2.2 6000
# After the configuration is complete, the NetStream server can receive statistics packets from
SwitchA. Run the display ip netstream statistics command on SwitchA to view NetStream
flow statistics.
<SwitchA> display ip netstream statistics slot 1
===== Netstream statistics: =====
Origin/Flexible ingress entries : 35
Origin/Flexible ingress packets : 381920
Origin/Flexible ingress octets : 125269760
Origin/Flexible egress entries : 0
Origin/Flexible egress packets : 0
Origin/Flexible egress octets : 0
Origin/Flexible total entries : 35
Handle origin entries : 35
Handle As aggre entries : 0
Handle ProtPort aggre entries : 0
Handle SrcPrefix aggre entries : 0
Handle DstPrefix aggre entries : 0
Handle Prefix aggre entries : 0
Handle AsTos aggre entries : 0
Handle ProtPortTos aggre entries : 0
Handle SrcPreTos aggre entries : 0
Handle DstPreTos aggre entries : 0
Handle PreTos aggre entries : 0
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
ip netstream timeout inactive 100
ip netstream export version 9
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
#
ip netstream tcp-flag enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1200 inbound
ip netstream sampler fix-packets 1200 outbound
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
return
NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.
In aggregation flow statistics exporting, the device merges the flows that share the same
aggregation keywords and collects statistics on the resulting aggregation flow. Aggregation
flow statistics significantly reduce the bandwidth consumed by exported packets.
Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.
NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.
Networking Requirements
As shown in Figure 18-6, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet.
Figure 18-6 Networking diagram for configuring aggregation flow statistics exporting
(Figure 18-6 layout: SwitchA reaches the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24), the NetStream server at 10.1.2.2/24 through GE1/0/2 (VLANIF200, 10.1.2.1/24), and Department 1 and Department 2 through GE1/0/3 (VLANIF300, 10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24).)
Configuration Roadmap
You can configure IPv4 aggregation flow statistics exporting on GE1/0/1 of SwitchA.
Configure SwitchA to collect statistics on incoming and outgoing traffic on the interface, and
to send the statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure NetStream aggregation flow statistics exporting.
3. Configure the version of exported packets.
4. Enable NetStream flow statistics collection on GE1/0/1.
Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-6.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 10.1.3.1 24
[SwitchA-Vlanif300] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 10.1.4.1 24
[SwitchA-Vlanif400] quit
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ip netstream aggregation protocol-port
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
 enable
 export version 9
#
return
NetStream Overview
NetStream is a technology that collects statistics on and analyzes service traffic on networks.
NetStream facilitates accounting and network monitoring.
It has the following advantages:
l NetStream collects statistics on multiple types of information in packets. It provides a
powerful statistics collection function and detailed statistical results.
l NetStream can be deployed at a low cost. No dedicated device is required to collect
traffic information and no device interface is occupied.
In flexible flow statistics exporting, flows are defined by customized rules. You can define
flows based on the protocol type, DSCP priority, source IP address, destination IP address,
source port number, destination port number, or flow label as required. Flexible flow
statistics are sent to the NetStream server. Compared with original flow statistics collection,
flexible flow statistics collection generates less export traffic and is more flexible.
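The three NetStream overviews above (original, aggregation and flexible flow statistics) describe one mechanism with different keys: a flow cache that groups packets by a set of fields, ages entries by the inactive timeout or on a TCP FIN/RST, and exports the aged records. The following model is an added example, not Huawei code: it implements that cache, runs a constructed packet list through it with the original key, aggregates the exported records by protocol and ports (the aggregation mode used in the example above), and runs the same packets through a flexible record keyed on destination address and port (the match fields of the record named test above). The field names, the 100-second inactive timeout taken from the example, and the sample packets are this example's own.

```python
"""Simulated NetStream flow cache: original, aggregation and flexible flows (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: int           # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    dscp: int
    size: int            # bytes
    tcp_flags: str = ""  # subset of "SAFR"


# Key fields (names are this model's own, not Huawei's).
ORIGINAL_KEY = ("src", "dst", "proto", "sport", "dport", "dscp")  # one record per flow
AGG_PROTOCOL_PORT = ("proto", "sport", "dport")  # 'ip netstream aggregation protocol-port'
FLEX_RECORD_TEST = ("dst", "dport")  # 'match ip destination-address' + 'destination-port'


class FlowCache:
    def __init__(self, key_fields, inactive_timeout, tcp_flag_aging=False):
        self.key_fields = key_fields
        self.inactive_timeout = inactive_timeout  # 'ip netstream timeout inactive'
        self.tcp_flag_aging = tcp_flag_aging      # 'ip netstream tcp-flag enable'
        self.flows = {}      # key tuple -> record still being counted
        self.exported = []   # records handed to the exporter

    def feed(self, pkt):
        """Account one packet; idle flows are aged first, as a timer would do."""
        self.age(pkt.ts)
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = {"fields": dict(zip(self.key_fields, key)),
                                     "packets": 0, "bytes": 0, "first": pkt.ts}
        rec["packets"] += 1
        rec["bytes"] += pkt.size
        rec["last"] = pkt.ts
        # FIN/RST aging: a TCP flow is exported as soon as its close or reset is seen.
        if self.tcp_flag_aging and pkt.proto == 6 and set(pkt.tcp_flags) & set("FR"):
            self.exported.append(self.flows.pop(key))

    def age(self, now):
        """Inactive aging: export flows with no packet for longer than the timeout."""
        for key in [k for k, r in self.flows.items() if now - r["last"] > self.inactive_timeout]:
            self.exported.append(self.flows.pop(key))

    def flush(self):
        """Export everything still cached (end of capture) and return all records."""
        self.exported.extend(self.flows.values())
        self.flows.clear()
        return self.exported


def aggregate(records, key_fields):
    """Merge exported records that share the aggregation keywords."""
    out = {}
    for rec in records:
        key = tuple(rec["fields"][f] for f in key_fields)
        agg = out.setdefault(key, {"fields": dict(zip(key_fields, key)), "packets": 0, "bytes": 0})
        agg["packets"] += rec["packets"]
        agg["bytes"] += rec["bytes"]
    return list(out.values())


# Constructed traffic: an HTTPS session that closes (FIN) and reopens, a DNS
# exchange, a second HTTPS flow, and a late packet that triggers inactive aging.
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.3.10", "203.0.113.5", 6, 40001, 443, 0, 60, "S"),
    Packet(0.2, "10.1.4.20", "203.0.113.5", 6, 40002, 443, 0, 60, "S"),
    Packet(0.5, "10.1.3.11", "203.0.113.9", 17, 5353, 53, 0, 80),
    Packet(1.0, "10.1.3.10", "203.0.113.5", 6, 40001, 443, 0, 1400, "A"),
    Packet(1.0, "10.1.3.11", "203.0.113.9", 17, 5353, 53, 0, 90),
    Packet(2.0, "10.1.3.10", "203.0.113.5", 6, 40001, 443, 0, 60, "FA"),
    Packet(3.0, "10.1.3.10", "203.0.113.5", 6, 40001, 443, 0, 60, "A"),
    Packet(5.0, "10.1.4.20", "203.0.113.5", 6, 40002, 443, 0, 500, "A"),
    Packet(200.0, "10.1.4.21", "198.51.100.7", 17, 40003, 53, 0, 70),
]


def run_demo(packets=SAMPLE_PACKETS, inactive_timeout=100.0):
    """Return the original, aggregated and flexible records for one packet list."""
    original = FlowCache(ORIGINAL_KEY, inactive_timeout, tcp_flag_aging=True)
    flexible = FlowCache(FLEX_RECORD_TEST, inactive_timeout)
    for pkt in packets:
        original.feed(pkt)
        flexible.feed(pkt)
    original_records = original.flush()
    return {"original": original_records,
            "aggregated": aggregate(original_records, AGG_PROTOCOL_PORT),
            "flexible": flexible.flush()}


if __name__ == "__main__":
    for mode, records in run_demo().items():
        print(f"{mode}: {len(records)} records")
        for rec in records:
            print("  ", rec["fields"], rec["packets"], "packets", rec["bytes"], "bytes")
```

On the constructed traffic the original cache exports five records (the HTTPS session becomes two records because the FIN ages it before the reopen), protocol-port aggregation reduces that to four, and the flexible record keyed on destination address and port reduces it to three while keeping the same packet and byte totals. That is the trade-off the overviews describe: fewer exported records in exchange for less detail per flow.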
Configuration Notes
NetStream is supported by E series (except ET1D2X48SEC0), and X1E cards.
NetStream conflicts with IP Source Trail on modular switches, so do not configure them
simultaneously.
Networking Requirements
As shown in Figure 18-7, Department 1 and Department 2 connect to the Internet through
SwitchA. Network administrators want to monitor communication between the two
departments and the Internet.
Figure 18-7 Networking diagram for configuring flexible flow statistics exporting
(Figure 18-7 layout: SwitchA reaches the Internet through GE1/0/1 (VLANIF100, 10.1.1.1/24), the NetStream server at 10.1.2.2/24 through GE1/0/2 (VLANIF200, 10.1.2.1/24), and Department 1 and Department 2 through GE1/0/3 (VLANIF300, 10.1.3.1/24) and GE1/0/4 (VLANIF400, 10.1.4.1/24).)
Configuration Roadmap
You can configure IPv4 flexible flow statistics exporting on GE1/0/1 of SwitchA. Configure
SwitchA to collect statistics on incoming and outgoing traffic on the interface, and to send the
statistics to the NetStream server for further analysis. In this way, you can monitor
communication between the two departments and the Internet.
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces on SwitchA.
2. Configure a flexible flow statistics template.
3. Configure NetStream flexible flow statistics exporting.
4. Enable flexible flow statistics collection on GE1/0/1.
Procedure
Step 1 Configure IP addresses for interfaces on SwitchA according to Figure 18-7.
# Configure IP addresses for interfaces on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300 400
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.2.1 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 10.1.3.1 24
[SwitchA-Vlanif300] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 10.1.4.1 24
[SwitchA-Vlanif400] quit
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200 300 400
#
ip netstream export source 10.1.2.1
ip netstream export host 10.1.2.2 6000
#
ip netstream record test
match ip destination-address
match ip destination-port
collect counter packets
collect counter bytes
collect interface input
collect interface output
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif400
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
ip netstream inbound
ip netstream outbound
port ip netstream record test
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/4
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l This example applies to all models.
Networking Requirements
As shown in Figure 18-8, the administrative department of a company accesses the Internet
through the Switch, and the monitoring device Server is directly connected to the Switch.
Internet access traffic of the administrative department needs to be monitored through the
Server.
(Figure 18-8 layout: the administrative department connects to GE1/0/1 of the Switch, the mirrored port carrying the original packets, and reaches the Internet through the Switch; the Server is connected to GE1/0/2, the local observing port that receives the mirrored packets.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure GE1/0/1 of the Switch as a mirrored port to copy Internet access traffic of the
administrative department to the local observing port.
Procedure
Step 1 Configure an observing port.
# Configure GE1/0/1 of the Switch as a mirrored port to copy the packets received by the
mirrored port to the local observing port.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return
In 1:N mirroring, multiple observing ports need to be configured and connected to different
monitoring devices. Observing ports can be configured one by one or in a batch. The single
and batch configuration modes can be used simultaneously. Observing ports configured in a
batch can be bound to the same mirrored port to simplify the configuration of 1:N mirroring.
Therefore, batch configuration is recommended in 1:N mirroring.
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l The following table lists the applicable products and versions of this configuration
example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 18-9, the R&D department of a company accesses the Internet through
the Switch, and monitoring devices Server1, Server2, and Server3 are directly connected to
the Switch.
Internet access traffic of the R&D department needs to be mirrored to different servers for
different monitoring and analysis purposes.
Figure 18-9 (figure not reproduced): Internet; Switch; Server1, Server2 and Server3 on GE1/0/2 through GE1/0/4 (local observing ports); R&D department on GE1/0/1 (mirrored port). Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports to forward
mirrored packets to different servers.
2. Configure GE1/0/1 of the Switch as a mirrored port to copy the traffic passing through it
to different local observing ports.
Procedure
Step 1 Configure observing ports.
# Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports one by one.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2 as a local observing port with the index 1.
[Switch] observe-port 2 interface gigabitethernet 1/0/3 //Configure GE1/0/3 as a local observing port with the index 2.
[Switch] observe-port 3 interface gigabitethernet 1/0/4 //Configure GE1/0/4 as a local observing port with the index 3.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
observe-port 2 interface GigabitEthernet1/0/3
observe-port 3 interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
port-mirroring to observe-port 2 inbound
port-mirroring to observe-port 3 inbound
#
return
In 1:N mirroring, multiple observing ports need to be configured and connected to different
monitoring devices. Observing ports can be configured one by one or in a batch. The single
and batch configuration modes can be used simultaneously. Observing ports configured in a
batch can be bound to the same mirrored port to simplify the configuration of 1:N mirroring.
Therefore, batch configuration is recommended in 1:N mirroring.
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l In 1:N mirroring, if you batch configure either inbound or outbound packets to be copied
from a mirrored port to multiple observing ports, the packets cannot be copied to other
observing ports.
l The following table lists the applicable products and versions of this configuration
example.
NOTE
To know details about software mappings, see Switch Software Mapping Search.
Networking Requirements
As shown in Figure 18-10, the R&D department of a company accesses the Internet through
the Switch, and monitoring devices Server1, Server2, and Server3 are directly connected to
the Switch.
Internet access traffic of the R&D department needs to be mirrored to different servers for
different monitoring and analysis purposes.
Figure 18-10 (figure not reproduced): Internet; Switch; Server1, Server2 and Server3 on GE1/0/2 through GE1/0/4 (local observing ports); R&D department on GE1/0/1 (mirrored port). Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports to forward
mirrored packets to different servers.
2. Configure GE1/0/1 of the Switch as a mirrored port to copy the traffic passing through it
to different local observing ports.
Procedure
Step 1 Configure observing ports.
# Configure GE1/0/2 through GE1/0/4 of the Switch as local observing ports in a batch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface-range gigabitethernet 1/0/2 to gigabitethernet 1/0/4 //Configure GE1/0/2 through GE1/0/4 as local observing ports in a batch; they share the same observing port index 1.
# Configure GE1/0/1 of the Switch as a mirrored port to copy the packets received by the
mirrored port to local observing ports.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-mirroring to observe-port 1 inbound //Mirror incoming traffic on GE1/0/1 to observing port 1.
[Switch-GigabitEthernet1/0/1] return
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface-range GigabitEthernet1/0/2 to GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return
Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l This example applies to all models.
Networking Requirements
As shown in Figure 18-11, three departments (science and technology department 1, science
and technology department 2, and administrative department) of a company access the
Internet through the Switch, and the monitoring device Server is directly connected to the
Switch.
Internet access traffic of the three departments needs to be monitored through the Server.
Figure 18-11 (figure not reproduced): Internet; Switch; Server on GE1/0/4 (local observing port); Science and Technology department 1, Science and Technology department 2 and Administrative department on GE1/0/1 through GE1/0/3 (mirrored ports). Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/4 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy Internet
access traffic of the three departments to the local observing port.
Procedure
Step 1 Configure an observing port.
# Configure GE1/0/4 of the Switch as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/4 //Configure GE1/0/4 as a local observing port 1.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/2
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
port-mirroring to observe-port 1 inbound
#
return
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l In M:N mirroring, if you batch configure either inbound or outbound packets to be
copied from a mirrored port to multiple observing ports, the packets cannot be copied to
other observing ports.
l In this configuration example, observing ports are configured in a batch, so applicable
products and versions of this example are the same as 18.3.3 Example for Configuring
Local Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured in
a Batch). If observing ports are configured one by one, applicable products and versions
of the configuration example are the same as 18.3.2 Example for Configuring Local
Port Mirroring (1:N Mirroring in Which Observing Ports Are Configured One by
One).
Networking Requirements
As shown in Figure 18-12, three departments (R&D department 1, R&D department 2, and
Marketing department) of a company access the Internet through the Switch, and monitoring
devices Server1 and Server2 are directly connected to the Switch.
Internet access traffic of the three departments needs to be mirrored to different servers for
different monitoring and analysis purposes.
Figure 18-12 (figure not reproduced): Internet; Switch; GE1/0/1 through GE1/0/3 (mirrored ports) toward the three departments. Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/4 and GE1/0/5 of the Switch as local observing ports to forward
mirrored packets to different servers.
2. Configure GE1/0/1 through GE1/0/3 of the Switch as mirrored ports to copy the traffic
passing through the mirrored ports to different local observing ports.
Procedure
Step 1 Configure observing ports.
# Configure GE1/0/4 and GE1/0/5 of the Switch as local observing ports in a batch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface-range gigabitethernet 1/0/4 gigabitethernet 1/0/5 //Configure GE1/0/4 and GE1/0/5 as local observing ports in a batch; they share observing port 1.
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface-range GigabitEthernet1/0/4 to GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/2
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet1/0/3
port-mirroring to observe-port 1 inbound
#
return
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
l The vlan vlan-id parameter is specified when a Layer 2 remote observing port is
configured; it indicates that the Layer 2 remote observing port sends mirrored packets to
the monitoring device through the specified VLAN. The Layer 2 remote observing port
therefore does not need to be added to that VLAN.
Networking Requirements
As shown in Figure 18-13, the administrative department of a company accesses the Internet
through SwitchA, and the monitoring device Server is connected to SwitchA through
SwitchB.
Internet access traffic of the administrative department needs to be monitored through the
Server.
Figure 18-13 (figure not reproduced): Internet; SwitchA GE1/0/2 (remote observing port) connected to SwitchB GE1/0/2, carrying VLAN10; Administrative department on SwitchA GE1/0/1 (mirrored port); Server on SwitchB GE1/0/1. Legend: common port, mirrored port, remote observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure GE1/0/1 of SwitchA as a mirrored port to copy Internet access traffic of the
administrative department to the Layer 2 remote observing port.
3. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.
Procedure
Step 1 Configure an observing port on SwitchA.
# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure GE1/0/2 as Layer 2 remote observing port 1, and bind it to VLAN 10.
After the configuration is complete, the observing port forwards mirrored packets to VLAN
10, so the observing port does not need to be added to the VLAN.
Step 2 Configure a mirrored port on SwitchA.
# Configure GE1/0/1 of SwitchA as a mirrored port to copy the packets received by the
mirrored port to the Layer 2 remote observing port.
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
interface GigabitEthernet1/0/1
port-mirroring to observe-port 1 inbound
#
return
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
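The rules in the Configuration Notes above (an observing port is dedicated to mirrored traffic, a member of a mirrored Eth-Trunk must not be an observing port, every port-mirroring command must name an observing port that exists) and the VLAN hand-off in this Layer 2 remote mirroring example can all be checked from the configuration files before they are pushed. The following Python is an added example, not Huawei code and not part of this document: it parses the configuration-file format shown above and reports violations. SWITCH_A and SWITCH_B hold the relevant lines of the two configuration files above; BAD is a constructed configuration that breaks three of the notes.

```python
"""Added example (not Huawei code): lint VRP mirroring configuration files against the
Configuration Notes above. SWITCH_A/SWITCH_B are the page's files; BAD is constructed."""
import re

OBSERVE_RE = re.compile(r"observe-port (\d+) interface(?:-range)? (.+?)(?: vlan (\d+))?$")
MIRROR_RE = re.compile(r"port-mirroring to observe-port (\d+)")

def expand_ports(spec):
    """'GigabitEthernet1/0/2 to GigabitEthernet1/0/4' -> three names; a space list is split."""
    if " to " in spec:
        first, last = spec.split(" to ")
        prefix, lo = first.rsplit("/", 1)
        return [f"{prefix}/{n}" for n in range(int(lo), int(last.rsplit("/", 1)[1]) + 1)]
    return spec.split()

def expand_vlans(spec):
    """'10 20 to 22' -> {10, 20, 21, 22} (vlan batch / allow-pass syntax)."""
    tok, ids = spec.split(), set()
    for i, t in enumerate(tok):
        if t == "to":
            ids.update(range(int(tok[i - 1]), int(tok[i + 1]) + 1))
        elif t.isdigit():
            ids.add(int(t))
    return ids

def parse_config(text):
    """Return observe-port definitions, per-interface sub-commands and created VLAN IDs."""
    cfg, current = {"observe": {}, "interfaces": {}, "vlans": set()}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = OBSERVE_RE.match(line)
        if line in ("", "#", "return"):          # '#' ends the current view in a VRP file
            current = None
        elif m:
            idx, spec, vlan = m.groups()
            cfg["observe"][int(idx)] = {"ports": expand_ports(spec), "vlan": int(vlan) if vlan else None}
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"].setdefault(current, [])
        elif current is not None:
            cfg["interfaces"][current].append(line)
    return cfg

def vlan_carried(nb, vlan):
    """Neighbour creates the VLAN, allows it on a trunk and has an access port in it."""
    cmds = [c for sub in nb["interfaces"].values() for c in sub]
    trunk = any(c.startswith("port trunk allow-pass vlan ") and vlan in expand_vlans(c[27:]) for c in cmds)
    return vlan in nb["vlans"] and trunk and f"port default vlan {vlan}" in cmds

def lint(cfg, neighbour=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    observing = {p: i for i, o in cfg["observe"].items() for p in o["ports"]}
    mirrored = {name: {int(m.group(1)) for c in cmds for m in [MIRROR_RE.match(c)] if m}
                for name, cmds in cfg["interfaces"].items()}
    for port, idxs in mirrored.items():
        for i in sorted(idxs - set(cfg["observe"])):
            findings.append(f"{port}: mirrors to undefined observe-port {i}")
    for port in observing:                          # observing ports are dedicated
        if cfg["interfaces"].get(port):
            findings.append(f"{port}: observing port also carries {cfg['interfaces'][port]}")
    for port, idxs in mirrored.items():             # Eth-Trunk members vs observing ports
        if idxs and port.startswith("Eth-Trunk"):
            member_cmd = f"eth-trunk {port[len('Eth-Trunk'):]}"
            for member, cmds in cfg["interfaces"].items():
                if member_cmd in cmds and member in observing:
                    findings.append(f"{member}: member of mirrored {port} but also an observing port")
    if neighbour:                                   # Layer 2 remote observing port: VLAN path
        for i, o in cfg["observe"].items():
            if o["vlan"] is not None and not vlan_carried(neighbour, o["vlan"]):
                findings.append(f"observe-port {i}: VLAN {o['vlan']} is not carried to the server by the neighbour")
    return findings

SWITCH_A = """\
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
interface GigabitEthernet1/0/1
 port-mirroring to observe-port 1 inbound
"""
SWITCH_B = """\
vlan batch 10
interface GigabitEthernet1/0/1
 port default vlan 10
interface GigabitEthernet1/0/2
 port trunk allow-pass vlan 10
"""
BAD = """\
observe-port 1 interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 eth-trunk 1
interface Eth-Trunk1
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 2 outbound
"""

if __name__ == "__main__":
    print("SwitchA with SwitchB:", lint(parse_config(SWITCH_A), neighbour=parse_config(SWITCH_B)))
    for finding in lint(parse_config(BAD)):
        print("BAD:", finding)
```

The neighbour check confirms only that the VLAN the observing port is bound to is created on SwitchB, allowed on a trunk and assigned to an access port; which SwitchB port faces SwitchA is not recoverable from the file, so it is not verified. Run against the two page configurations the linter returns no findings; against BAD it reports the dangling observe-port 2, the eth-trunk membership configured on observing port GE1/0/2, and that same port being a member of the mirrored Eth-Trunk1.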
You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and
ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules
and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring
is easy to configure but supports fewer matching rules than MQC-based traffic mirroring.
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
Networking Requirements
As shown in Figure 18-14, the science and technology department and administrative
department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet
or communicate with each other through the Switch. The monitoring device Server is directly
connected to the Switch.
The following traffic of the science and technology department needs to be monitored through
the Server:
l Internet access traffic
l Traffic sent to the administrative department
Figure 18-14 (figure not reproduced): Internet; Switch; Server on GE1/0/2 (local observing port); GE1/0/1 (mirrored port). Service flow 1: traffic from the science and technology department to the Internet. Service flow 2: traffic from the science and technology department to the administrative department. Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure a traffic classifier on the Switch to match Internet access traffic and traffic
sent to the administrative department, and configure a traffic behavior to mirror traffic to
a local observing port.
3. Configure a traffic policy on the Switch, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to GE1/0/1.
Procedure
Step 1 Configure an observing port.
# Configure GE1/0/2 of the Switch as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2 //Configure GE1/0/2 as a local observing port 1.
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy named p1 on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1
to monitor specified traffic of the science and technology department.
[Switch] traffic policy p1 //Create a traffic policy p1 and bind the traffic behavior and traffic classifier to the traffic policy.
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction of GE1/0/1.
[Switch-GigabitEthernet1/0/1] return
Operator: OR
Rule(s) : if-match acl 3000
if-match acl 3001
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
acl number 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
if-match acl 3000
if-match acl 3001
#
traffic behavior b1
permit
mirroring to observe-port 1
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
traffic-policy p1 inbound
#
return
You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and
ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules
and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring
is easy to configure but supports fewer matching rules than MQC-based traffic mirroring.
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
l Both Ethernet ports and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk
is configured as a mirrored port, its member ports cannot be configured as observing
ports.
Networking Requirements
As shown in Figure 18-15, the science and technology department and administrative
department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet
or communicate with each other through the Switch. The monitoring device Server is directly
connected to the Switch.
The following traffic of the science and technology department needs to be monitored through
the Server:
l Internet access traffic
l Traffic sent to the administrative department
Figure 18-15 (figure not reproduced): Internet; Switch; Server on GE1/0/2 (local observing port); GE1/0/1 (mirrored port). Service flow 1: traffic from the science and technology department to the Internet. Service flow 2: traffic from the science and technology department to the administrative department. Legend: mirrored port, local observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to
the Server.
2. Configure advanced ACLs to match two types of traffic of the science and technology
department: Internet access traffic and traffic sent to the administrative department.
3. Configure an ACL-based traffic policy on GE1/0/1 to mirror the matching traffic.
Procedure
Step 1 Configure an observing port.
ACL 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www (match-counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------
ACL 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------
----End
Configuration Files
l Configuration file of the Switch
#
sysname Switch
#
observe-port 1 interface GigabitEthernet1/0/2
#
acl number 3000
rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
interface GigabitEthernet1/0/1
traffic-mirror inbound acl 3000 to observe-port 1
traffic-mirror inbound acl 3001 to observe-port 1
#
return
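Both the MQC example above (classifier c1 with operator or over ACLs 3000 and 3001) and this ACL-based example decide what reaches the observing port by advanced-ACL matching with wildcard masks. The following Python is an added example, not Huawei code: it models that matching (a 0 bit in the wildcard must match, a 1 bit is ignored; the first matching rule in rule-ID order decides) and runs the two rules from the configuration file over constructed packets entering GE1/0/1. The packet values, the labels and the PORT_NAMES table are assumptions made for the illustration.

```python
"""Added example (not Huawei code): model of VRP advanced-ACL matching, run with the two
rules from the configuration file above over constructed packets entering GE1/0/1."""
import ipaddress

PORT_NAMES = {"www": 80}   # symbolic port names used by the rules (only www appears on the page)

def wildcard_match(addr, base, wildcard):
    """VRP wildcard mask: 0 bits must match, 1 bits are don't-care (0.0.0.255 covers one /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_rule(line):
    """'rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www' -> dict."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3]}
    i = 4
    while i < len(tok):
        if tok[i] in ("source", "destination"):             # address + wildcard
            rule[tok[i]] = (tok[i + 1], tok[i + 2])
        elif tok[i] in ("source-port", "destination-port") and tok[i + 1] == "eq":
            rule[tok[i]] = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
        else:
            raise ValueError(f"unsupported clause at {tok[i]!r}")
        i += 3
    return rule

def rule_matches(rule, pkt):
    """Protocol 'ip' matches any IP packet; a clause that is absent matches anything."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for side in ("source", "destination"):
        if side in rule and not wildcard_match(pkt[side], *rule[side]):
            return False
    for side in ("source-port", "destination-port"):
        if side in rule and pkt.get(side) != rule[side]:
            return False
    return True

def acl_decision(rules, pkt):
    """First matching rule in rule-ID order decides; None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return None

def mirrored_by(acls, pkt):
    """ACL numbers whose permit rule the packet hits; an empty set means it is not mirrored."""
    return {num for num, rules in acls.items() if acl_decision(rules, pkt) == "permit"}

ACLS = {   # the two ACLs from the configuration file
    3000: [parse_rule("rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www")],
    3001: [parse_rule("rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")],
}

PACKETS = {   # constructed packets arriving on GE1/0/1, keyed by a descriptive label
    "sci_web_to_internet": {"proto": "tcp", "source": "10.1.1.23", "destination": "203.0.113.10", "destination-port": 80},
    "sci_ssh_to_admin": {"proto": "tcp", "source": "10.1.1.23", "destination": "10.1.2.40", "destination-port": 22},
    "sci_web_to_admin": {"proto": "tcp", "source": "10.1.1.23", "destination": "10.1.2.40", "destination-port": 80},
    "sci_dns_to_internet": {"proto": "udp", "source": "10.1.1.23", "destination": "203.0.113.53", "destination-port": 53},
    "admin_web_to_sci": {"proto": "tcp", "source": "10.1.2.40", "destination": "10.1.1.23", "destination-port": 80},
}

def classify_all(acls=ACLS, packets=PACKETS):
    """Label -> set of ACL numbers that would mirror the packet."""
    return {label: mirrored_by(acls, pkt) for label, pkt in packets.items()}

if __name__ == "__main__":
    for label, hits in classify_all().items():
        print(f"{label:22s} mirrored by {sorted(hits) or 'nothing'}")
```

A packet matching both ACLs is reported under both numbers; whether the device copies such a packet once or twice is not stated on this page, so the model does not decide it. The DNS packet is not mirrored because ACL 3000 is limited to TCP and ACL 3001 to the administrative department's subnet. The reply from the administrative department fails both source wildcards, and it would in any case enter the Switch on a port other than GE1/0/1, which is the only port the inbound policy covers.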
You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and
ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules
and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring
is easy to configure but supports fewer matching rules than MQC-based traffic mirroring and
can be applied to only the inbound direction.
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
Networking Requirements
As shown in Figure 18-16, external users on the Internet access the servers of a company
through SwitchA. The antivirus monitoring device Server connects to SwitchA through
SwitchB.
The company's official website has been brought down by malicious attacks. The Server
needs to remotely analyze traffic with TCP port number WWW to locate the attack source.
Figure 18-16 (figure not reproduced): Internet on SwitchA GE1/0/1 (mirrored port); SwitchA GE1/0/2 (remote observing port) connected to SwitchB GE1/0/2, carrying VLAN 10; Antivirus monitoring Server on SwitchB GE1/0/1; Data center behind SwitchA. Legend: common port, mirrored port, remote observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure a traffic classifier on SwitchA to match traffic with TCP port number WWW,
and configure a traffic behavior to mirror packets to the observing port.
3. Configure a traffic policy on SwitchA, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to GE1/0/1.
4. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.
Procedure
Step 1 Configure an observing port on SwitchA.
# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure GE1/0/2 as Layer 2 remote observing port 1, and bind it to VLAN 10.
After the configuration is complete, the observing port forwards mirrored packets to VLAN
10, so the observing port does not need to be added to the VLAN.
Step 2 Configure a traffic classifier on SwitchA.
# Create a traffic classifier c1 on SwitchA to match traffic with TCP port number WWW.
[SwitchA] acl number 3000 //Create ACL 3000 to permit the packets with the TCP port number WWW.
[SwitchA-acl-adv-3000] rule permit tcp destination-port eq www
[SwitchA-acl-adv-3000] quit
[SwitchA] traffic classifier c1 //Create a traffic classifier c1 that matches ACL 3000.
[SwitchA-classifier-c1] if-match acl 3000
[SwitchA-classifier-c1] quit
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
acl number 3000
rule 5 permit tcp destination-port eq www
#
traffic classifier c1 operator or precedence 5
if-match acl 3000
#
traffic behavior b1
permit
mirroring to observe-port 1
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
traffic-policy p1 inbound
#
return
Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring
Configuration Notes
l An observing port is dedicated to forwarding mirrored traffic. Do not configure other
services on an observing port; otherwise, mirrored traffic and other service traffic
interfere with each other.
l If the mirroring function is deployed on many ports of a device, a great deal of internal
forwarding bandwidth will be occupied, which may affect the forwarding of other
services. Additionally, if the mirrored port and observing port provide different
bandwidth, for example, 1000 Mbit/s on the mirrored port and 100 Mbit/s on the
observing port, the observing port may fail to forward all mirrored packets in a timely
manner because of insufficient bandwidth, leading to packet loss.
l On all Huawei S series modular switch models, Eth-Trunks can be configured as
observing ports.
Networking Requirements
As shown in Figure 18-17, external users on the Internet access the servers of a company
through SwitchA. The antivirus monitoring device Server connects to SwitchA through
SwitchB.
The company's official website has been brought down by malicious attacks. The Server
needs to remotely analyze traffic with TCP port number WWW to locate the attack source.
Figure 18-17 (figure not reproduced): Internet on SwitchA GE1/0/1 (mirrored port); SwitchA GE1/0/2 (remote observing port) connected to SwitchB GE1/0/2, carrying VLAN 10; Antivirus monitoring Server on SwitchB GE1/0/1; Data center behind SwitchA. Legend: common port, mirrored port, remote observing port, original packets, mirrored packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port to forward mirrored
packets to the specified VLAN.
2. Configure an advanced ACL on SwitchA to match traffic with TCP port number WWW.
3. Configure an ACL-based traffic policy on GE1/0/1 of SwitchA to mirror the matching
traffic.
4. Create a VLAN on SwitchB, and add ports to the VLAN to forward the mirrored packets
sent from the observing port to the Server.
Procedure
Step 1 Configure an observing port on SwitchA.
# Configure GE1/0/2 of SwitchA as a Layer 2 remote observing port and bind the observing
port to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 1/0/2 vlan 10 //Configure GE1/0/2 as Layer 2 remote observing port 1, and bind it to VLAN 10.
After the configuration is complete, the observing port forwards mirrored packets to VLAN
10, so the observing port does not need to be added to the VLAN.
ACL 3000
rule 5 permit tcp destination-port eq www (match-counter 0)
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------
Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
Behavior Direction Observe-port
----------------------------------------------------------------------
1 SACL - Observe-port 1
----------------------------------------------------------------------
----End
Configuration Files
l Configuration file of SwitchA
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet1/0/2 vlan 10
#
acl number 3000
rule 5 permit tcp destination-port eq www
#
interface GigabitEthernet1/0/1
traffic-mirror inbound acl 3000 to observe-port 1
#
return
Related Content
Support Community
Mirroring – an Effective Network Monitoring Tool (Working Mechanism and
Configuration)
Mirroring – an Effective Network Monitoring Tool (Specifications)
Videos
How to Configure Port Mirroring
iPCA Overview
Packet Conservation Algorithm for Internet (iPCA) technology is used to measure IP network
performance. It directly marks service packets to implement network-level and device-level
packet loss measurements.
In the all-IP era, various services sensitive to packet loss, such as voice and video services, are
transmitted through an IP network. To detect packet loss and find out packet loss points on the
network, Huawei developed iPCA technology. Huawei iPCA has the following
characteristics:
End-to-end packet loss measurement: Statistics are collected on edge devices that are a part of
the transit network. This method is applicable to packet loss measurement for a specialized
service flow, such as a voice flow and a video flow, on an enterprise network.
Configuration Notes
l A modular switch can support iPCA only after being equipped with an X1E card.
l The prerequisite for network-level packet loss measurement is time synchronization
among all devices. Therefore, before configuring iPCA on devices, configure the
Network Time Protocol (NTP) on the devices.
l In network-level packet loss measurement, target flows can be defined by users.
l In network-level packet loss measurement, the current version can only measure known
IP unicast packets but cannot measure unknown IP unicast packets. If unknown IP
unicast packets are measured, the measurement result may be inaccurate.
l Network-level packet loss measurement is based on target flows. If the packet content is
modified (for example, NAT is performed on packets, packets are encapsulated in
tunnels, and packet priority is changed), the device cannot precisely match the packets,
so the measurement result may be inaccurate.
Networking Requirements
As shown in Figure 18-18, users in enterprise branches and headquarters encounter erratic
display and delay when using the video conference service. The enterprise wants to obtain
packet loss statistics of the video conference service and receive an alarm when the packet
loss ratio exceeds 7% so that the network administrator can adjust service deployment in a
timely manner.
[Figure 18-18 (image not extracted): video terminals on 10.2.1.0/24; GE1/0/1 on each switch; WAN; forward flow and backward flow]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service flow between video terminals as the target flow. It is a bidirectional
symmetrical flow, so it is logically divided into two unidirectional flows.
2. Configure Switch_1 as DCP1. Bind GE1/0/1, through which the target flow passes, to the
in-point ingress TLP of DCP1. Define instance 1 on DCP1 to collect statistics data of the
target flow from its TLPs.
3. Configure Switch_2 as DCP2. Bind GE1/0/1, through which the target flow passes, to the
out-point egress TLP of DCP2. Define instance 1 on DCP2 to collect statistics data of the
target flow from its TLPs.
4. Configure Switch_2 as the MCP to aggregate statistics data from DCP1 and DCP2 and
export the statistics result. Configure packet loss alarm thresholds to help users predict
network faults. When the packet loss ratio exceeds 7%, an alarm is reported; when the
packet loss ratio falls below 5%, a clear alarm is reported.
5. Retain the default values of color bit, measurement interval, and UDP port number used
for communication between DCPs and MCP.
NOTE
Before configuring iPCA to implement end-to-end packet loss measurement, ensure that static routes or
dynamic routing protocols have been configured to implement network connectivity between Switch_1
and Switch_2.
Before configuring iPCA to implement end-to-end packet loss measurement, ensure that NTP has been
configured to implement time synchronization between Switch_1 and Switch_2.
Procedure
Step 1 Configure Switch_1 as DCP1, set the DCP ID of Switch_1 to the router ID 1.1.1.1, and
configure TLP 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] nqa ipfpm dcp //Enable the global DCP function.
[Switch_1-nqa-ipfpm-dcp] dcp id 1.1.1.1 //Set the DCP ID to 1.1.1.1.
[Switch_1-nqa-ipfpm-dcp] instance 1 //Create measurement instance 1 on the DCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2 //Associate measurement instance 1 with an MCP.
[Switch_1-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24 //Configure the target flow in measurement instance 1 as a bidirectional symmetrical flow with the source address segment 10.1.1.0 and destination address segment 10.2.1.0.
[Switch_1-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress //Set the TLP ID to 1 and configure the TLP to color the incoming target flow. The target flow arrives at the TLP.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] ipfpm tlp 1 //Bind the interface to the TLP.
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] nqa ipfpm dcp
[Switch_1-nqa-ipfpm-dcp] instance 1
[Switch_1-nqa-ipfpm-dcp-instance-1] loss-measure enable continual //Enable continual packet loss measurement.
[Switch_1-nqa-ipfpm-dcp-instance-1] quit
[Switch_1-nqa-ipfpm-dcp] quit
Step 2 Configure Switch_2 as DCP2, set the DCP ID of Switch_2 to the router ID 2.2.2.2, and
configure TLP 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[Switch_2-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
[Switch_2-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit
# Run the display ipfpm statistic-type loss instance 1 command on Switch_2, which functions
as the MCP, to view the packet loss measurement result.
----End
Configuration Files
l Configuration file of Switch_1
#
sysname Switch_1
#
interface GigabitEthernet1/0/1
ipfpm tlp 1
#
nqa ipfpm dcp
dcp id 1.1.1.1
instance 1
mcp 2.2.2.2
flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
tlp 1 in-point ingress
loss-measure enable continual
#
return
iPCA Overview
Packet Conservation Algorithm for Internet (iPCA) technology is used to measure IP network
performance. It directly marks service packets to implement network-level and device-level
packet loss measurements.
In the all-IP era, services sensitive to packet loss, such as voice and video, are
transmitted over IP networks. To detect packet loss and locate the points on the network
where it occurs, Huawei developed iPCA technology. Huawei iPCA has the following
characteristics:
Regional network packet loss measurement: Statistics are not collected on edge devices that
are out of the transit network. This method is applicable to packet loss measurement on a
WAN when an enterprise has multiple networks connected through the WAN or on an
enterprise campus network consisting of devices that do not support iPCA.
Configuration Notes
l A modular switch can support iPCA only after being equipped with an X1E card.
l The prerequisite for network-level packet loss measurement is time synchronization
among all devices. Therefore, before configuring iPCA on devices, configure the
Network Time Protocol (NTP) on the devices.
l In network-level packet loss measurement, target flows can be defined by users.
l In network-level packet loss measurement, the current version can only measure known
IP unicast packets but cannot measure unknown IP unicast packets. If unknown IP
unicast packets are measured, the measurement result may be inaccurate.
l Network-level packet loss measurement is based on target flows. If the packet content is
modified (for example, NAT is performed on packets, packets are encapsulated in
tunnels, and packet priority is changed), the device cannot precisely match the packets,
so the measurement result may be inaccurate.
Networking Requirements
As shown in Figure 18-19, an enterprise leases a dedicated line from a carrier to transmit
important services between its headquarters and branches over the WAN. The source address
segment is 10.1.1.0/24 and the destination address segment is 10.2.0.0/16. The enterprise's
service packets traverse a large number of the carrier's public routing and switching
devices. The enterprise considers the dedicated line expensive and needs packet loss data
for the WAN in order to ask the carrier to improve service quality.
[Figure 18-19 (image not extracted): Branch 1 egress Switch_1 (GE1/0/1) and Branch 2 egress Switch_2 (GE1/0/1) connect over the leased line to the Headquarters egress Switch_3 (GE1/0/1); the target flow crosses the leased line]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the important service flow (source address segment 10.1.1.0/24 and
destination address segment 10.2.0.0/16) transmitted over the dedicated line as the target
flow. It is a unidirectional service flow.
2. Configure the egress devices Switch_1 and Switch_2 as DCPs. Bind GE1/0/1, through which
the target flow passes, to the out-point ingress TLP of each DCP. Define measurement instance
1 on Switch_1 and Switch_2 to collect statistics data of the target flow from their TLPs.
3. Configure the egress device Switch_3 as a DCP. Bind GE1/0/1, through which the target flow
passes, to the in-point egress TLP of the DCP. Define instance 1 on Switch_3 to collect
statistics data of the target flow from its TLPs.
4. Configure Switch_4 in the headquarters network management center as the MCP to
collect the statistics data from DCPs. Configure packet loss alarm and clear alarm
thresholds. When the packet loss ratio exceeds 5%, an alarm is reported; when the packet
loss ratio falls below 3%, a clear alarm is reported.
5. Retain the default values of color bit, measurement interval, and UDP port number.
NOTE
Before configuring iPCA to implement regional network packet loss measurement, ensure that static
routes or dynamic routing protocols have been configured to implement network connectivity between
Switch_1, Switch_2, Switch_3, and Switch_4.
Before configuring iPCA to implement regional network packet loss measurement, ensure that NTP has
been configured to implement time synchronization between Switch_1, Switch_2, and Switch_3.
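As an added example that is not part of the Huawei document, the following Python script simulates the MCP aggregation step that both roadmaps above describe (end-to-end: alarm above 7%, clear below 5%; regional: alarm above 5%, clear below 3%): per measurement period it subtracts the packets counted at out-point TLPs from those counted at in-point TLPs, summing across several TLPs of the same role as the regional case with two branch DCPs needs, and applies the alarm/clear hysteresis. The Report record, its field names and all counts are constructed assumptions, not the real DCP-to-MCP message format.

```python
"""Added simulation (not Huawei code) of the MCP aggregation in the iPCA roadmaps: per
measurement period, in-point TLP counts minus out-point TLP counts, plus alarm hysteresis."""
from dataclasses import dataclass

@dataclass
class Report:  # one per-period statistic a DCP sends to the MCP (field names are assumptions)
    dcp: str     # DCP ID, e.g. "1.1.1.1"
    tlp: int     # TLP ID bound to the interface
    role: str    # "in-point" or "out-point"
    period: int  # measurement interval index (the color bit flips each period)
    count: int   # target-flow packets counted at this TLP in that period

def period_loss(reports, period):
    """Return (sent, lost, ratio) for one period, summed over all TLPs of each role."""
    sent = sum(r.count for r in reports if r.period == period and r.role == "in-point")
    received = sum(r.count for r in reports if r.period == period and r.role == "out-point")
    lost = sent - received
    return sent, lost, (lost / sent if sent else 0.0)

class LossAlarm:
    """Alarm state with hysteresis, e.g. LossAlarm(7, 5) for the end-to-end example."""
    def __init__(self, upper_pct, lower_pct):
        assert lower_pct < upper_pct, "clear threshold must be below alarm threshold"
        self.upper, self.lower = upper_pct / 100, lower_pct / 100
        self.active = False

    def update(self, ratio):
        """Return 'alarm', 'clear' or None for this period's loss ratio."""
        if not self.active and ratio > self.upper:
            self.active = True
            return "alarm"
        if self.active and ratio < self.lower:
            self.active = False
            return "clear"
        return None  # between the thresholds: keep the current state, no flapping

def evaluate(reports, upper_pct, lower_pct):
    """Per period, in order: (period, sent, lost, ratio, event)."""
    alarm = LossAlarm(upper_pct, lower_pct)
    rows = []
    for p in sorted({r.period for r in reports}):
        sent, lost, ratio = period_loss(reports, p)
        rows.append((p, sent, lost, round(ratio, 4), alarm.update(ratio)))
    return rows

# Constructed sample: DCP 1.1.1.1 TLP 1 (in-point) counts 1000 packets per period; DCP 2.2.2.2 TLP 2 (out-point) counts OUT_COUNTS[period].
OUT_COUNTS = {1: 990, 2: 920, 3: 940, 4: 965}
SAMPLE = [r for p, c in OUT_COUNTS.items()
          for r in (Report("1.1.1.1", 1, "in-point", p, 1000),
                    Report("2.2.2.2", 2, "out-point", p, c))]
```

With the 7%/5% thresholds the 8% loss in period 2 raises the alarm, the 6% loss in period 3 keeps it raised, and the 3.5% loss in period 4 clears it; with 5%/3% the same data never clears.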
Procedure
Step 1 Configure Switch_1 as DCP1, set the DCP ID of Switch_1 to the router ID 1.1.1.1, and
configure TLP 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
Step 2 Configure Switch_2 as DCP2, set the DCP ID of Switch_2 to the router ID 2.2.2.2, and
configure TLP 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] nqa ipfpm dcp
[Switch_2-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch_2-nqa-ipfpm-dcp] instance 1
[Switch_2-nqa-ipfpm-dcp-instance-1] mcp 4.4.4.4
[Switch_2-nqa-ipfpm-dcp-instance-1] flow forward source 10.1.1.0 24 destination 10.2.0.0 16
[Switch_2-nqa-ipfpm-dcp-instance-1] tlp 2 out-point ingress
[Switch_2-nqa-ipfpm-dcp-instance-1] quit
[Switch_2-nqa-ipfpm-dcp] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_